Data processing review
Data processing review note
A structured review of customer data categories, processors, retention, export, deletion, and AI/integration boundaries.
Last reviewed: 2026-05-18. Final contractual commitments must be reviewed before signature.
Data categories to classify
ERP deployments handle operational and commercial data across many departments. Buyers should classify what is in scope before go-live.
- Customer, supplier, product, pricing, invoice, payment, purchase, shipment, quality, and production records.
- User account data, role assignments, audit events, request IDs, and support metadata.
- Attachments, imports, exports, AI prompts/responses where enabled, and integration payloads.
Processing boundaries
The review should document which systems process customer data and whether each integration is mandatory or optional.
- Backend hosting, managed database, object storage, frontend hosting, email, monitoring, payment, AI, and statutory integration providers.
- Credential ownership and rotation process for Stripe, LHDN, SMTP, object storage, Redis, and AI providers.
- Data minimization expectations for AI prompts, support access, logs, and exported reports.
Exit and deletion path
ERP buyers need to know how they can leave safely. Data export and deletion should be explicit before production use.
- Customer export format, export owner, export deadline, and verification method.
- Cancellation access window, deletion timeline, backup retention, and legal hold exceptions.
- Procedure for revoking integrations and deleting attachments or imported files.
Buyer checks
Questions this document should help answer.
- What customer data is processed and where?
- Which subprocessors are optional?
- How does the customer export operational data?
- What happens to backups and attachments after cancellation?