Nquiry Enterprise Overview
What Nquiry Does
Nquiry is an AI-powered platform for compliance-critical work. It helps professionals conduct structured inquiries, evidence-based assessments, and compliant reporting. The platform follows a four-phase workflow — planning, evidence collection, AI-assisted analysis, and reporting — with built-in quality controls at each stage.
Nquiry is built for organizations handling sensitive matters across government, healthcare, and corporate environments.
Deployment Models
Nquiry ships through two channels. The same application runs in both; what differs is who owns the AWS account and how the software is delivered.
| Aspect | Direct SaaS | Licensed (Single-Tenant) |
|---|---|---|
| Where it runs | JE Vectors' AWS account | Customer's AWS account |
| Where data lives | JE Vectors' AWS boundary, US regions | Customer's AWS boundary, customer-chosen region (commercial or GovCloud) |
| Multi-tenancy | Multi-tenant with strict org isolation | Single-tenant — one customer per stack |
| Delivery | Sign up at app.nquiry.ai | AWS Marketplace container product, deployed via Terraform template |
| Authentication | Cognito (JE Vectors' user pool) | Cognito (customer's user pool); SSO/SAML on roadmap |
| Encryption keys | AWS-managed (SSE-S3, RDS) | Customer-managed CMK supported (RDS, S3) |
| Backups | Operated by JE Vectors | Operated by customer |
| Updates | Continuous deployment by JE Vectors | Customer-initiated; new versions published to Marketplace |
| Compliance posture | Designed for HIPAA/SOC 2/FedRAMP readiness; certifications in progress | Runs inside the customer's already-authorized boundary (e.g., FedRAMP-authorized AWS account, IL-4 GovCloud); customer's existing AWS BAA covers Bedrock |
| Pricing | Subscription (Trial → Core → Pro → Enterprise) | Perpetual license + annual maintenance; customer pays own AWS infrastructure costs |
SaaS is the right fit for organizations that want to be productive on day one with minimal IT involvement, and for whom multi-tenant cloud is acceptable. Trial is self-serve at app.nquiry.ai.
Licensed (single-tenant) is the right fit for federal agencies, healthcare systems, and other organizations that require data sovereignty — investigation data must remain inside the customer's own AWS boundary. Each licensed customer gets a complete, isolated Nquiry stack deployed in their account. See Customer Environment Requirements for prerequisites and sizing.
Architecture Summary
Nquiry is the same application in both deployment models. What differs is whose AWS account it runs in.
SaaS architecture
```text
Users → CloudFront (CDN + TLS) → ALB → ECS Fargate (Next.js)
                                              ↓
                                    RDS PostgreSQL
                                    S3 (evidence storage)
                                    Cognito (authentication)
                                    Bedrock (AI analysis)
```
Licensed (single-tenant) architecture
```text
Customer VPC (private subnets, no internet egress by default)
├── ECS Fargate (Nquiry application)
├── RDS PostgreSQL + pgvector (investigation data)
├── ElastiCache Redis (sessions, queues)
├── ALB (internal or internet-facing, customer's choice)
└── VPC Endpoints (PrivateLink)
    └── S3, KMS, Bedrock, Secrets Manager, CloudWatch, ECR, STS
```
In the licensed model, all AI inference runs against the customer's own Bedrock access; prompts containing investigation evidence never leave the customer's AWS boundary. Marketplace handles container delivery and entitlement; AWS License Manager validates the subscription. Architectural details and rationale are in the single-tenant architecture ADR.
Key architectural properties (both models):
- Strict organization-level data isolation enforced at every layer (API, storage paths, search)
- All infrastructure defined in Terraform (reproducible, auditable)
- CI/CD via GitHub Actions → ECR → ECS (JE Vectors operates this for SaaS; licensed customers pull versioned releases from Marketplace)
- AI processing via AWS Bedrock — customer data is never used for model training
- Stateless application tier (ECS Fargate) — scales horizontally
Security Posture
| Area | Implementation | Status |
|---|---|---|
| Authentication | Amazon Cognito — email/password, WebAuthn (passkey/biometric), TOTP MFA | Production |
| Password Policy | NIST SP 800-63B compliant (8-char min, no complexity rules, breached password blocking) | Production |
| Encryption at Rest | AES-256 (S3 server-side encryption, RDS encryption); customer-managed CMK supported on licensed deployments | Production |
| Encryption in Transit | TLS 1.2+ everywhere (CloudFront → ALB → ECS) | Production |
| Data Isolation | Organization-scoped: all API routes, storage paths, and searches filtered by org membership; licensed deployments add full stack isolation per customer | Production |
| Access Control | Role-based: owner > admin > member > viewer | Production |
| Audit Logging | Every state change logged (user, org, timestamp, action, success/failure) | Production |
| File Validation | Server-side MIME type + extension + magic byte verification | Production |
| Security Headers | CSP, X-Frame-Options DENY, HSTS 2yr, nosniff, strict referrer | Production |
| CSRF Protection | Double-submit cookie pattern | Production |
| PHI/PII Guardrails | AWS Bedrock Guardrails for AI content filtering | Production |
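The File Validation row above lists three signals that must agree. The following is an added example (not Nquiry's code) of how a server-side check can combine them, with a hypothetical allow-list of three types and constructed sample headers; a mismatch is rejected rather than silently re-typed.

```typescript
// Added example, not Nquiry's implementation: declared MIME type, file extension
// and leading bytes must all name the same allowed type.
type FileType = { mime: string; extensions: string[]; magic: number[] };

// Hypothetical allow-list; a real deployment would extend this per policy.
const ALLOWED: FileType[] = [
  { mime: "application/pdf", extensions: ["pdf"], magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
  { mime: "image/png", extensions: ["png"], magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", extensions: ["jpg", "jpeg"], magic: [0xff, 0xd8, 0xff] },
];

function startsWithMagic(bytes: Uint8Array, magic: number[]): boolean {
  if (bytes.length < magic.length) return false;
  return magic.every((b, i) => bytes[i] === b);
}

type Verdict = { ok: true; mime: string } | { ok: false; reason: string };

/** Only the extension's type is consulted; the other two signals must confirm it. */
function validateUpload(filename: string, declaredMime: string, head: Uint8Array): Verdict {
  // Last dotted segment decides the candidate type, so "report.pdf.exe" is judged as .exe
  const ext = filename.toLowerCase().split(".").pop() ?? "";
  const byExt = ALLOWED.find((t) => t.extensions.includes(ext));
  if (!byExt) return { ok: false, reason: `extension .${ext} not allowed` };
  if (byExt.mime !== declaredMime.toLowerCase()) {
    return { ok: false, reason: `declared type ${declaredMime} does not match .${ext}` };
  }
  if (!startsWithMagic(head, byExt.magic)) {
    return { ok: false, reason: `content does not start with the ${byExt.mime} signature` };
  }
  return { ok: true, mime: byExt.mime };
}

// Constructed samples: a PDF header, and PNG bytes that a client labelled as PDF.
const PDF_HEAD = new Uint8Array([0x25, 0x50, 0x44, 0x46, 0x2d, 0x31, 0x2e, 0x37]); // "%PDF-1.7"
const PNG_HEAD = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);

console.log(validateUpload("report.pdf", "application/pdf", PDF_HEAD)); // ok: true
console.log(validateUpload("report.pdf", "application/pdf", PNG_HEAD)); // ok: false (signature)
```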
Compliance Readiness
| Framework | SaaS Readiness | Licensed Posture |
|---|---|---|
| HIPAA | 70% — AWS BAA execution and Bedrock PHI verification pending; BAA template available | Customer's existing AWS BAA covers Bedrock and infrastructure; Nquiry executes BAA with customer for the application |
| FedRAMP 20x | 80% — penetration testing pending; full SaaS authorization is a multi-quarter effort | Bypassed at the JE Vectors level — Nquiry runs inside the customer's already-authorized AWS boundary (FedRAMP Moderate/High commercial or IL-4/5 GovCloud), so the customer's existing authorization covers the deployment |
| SOC 2 | 60% — formal documentation and audit process gaps | Architecture is the same; customer's own SOC 2 program covers the deployed stack |
| IL-4 (DOD CUI) | Roadmap | Designed in from day one for the licensed model — see ADR §5 |
The licensed channel is the route to federal procurement on the timeline most agencies need; the SaaS channel is the route for organizations that prefer a vendor-operated solution. See Security Assessment for the SaaS evaluation and Remediation Plan for gap closure timeline.
Data Handling
What data Nquiry stores:
- Investigation content: evidence files, questions, topics, AI analysis results, reports
- Account data: name, email, hashed passwords, MFA settings, preferences
- Organization data: membership, roles, billing (payment details handled by Stripe — Nquiry stores none)
- Audit logs: comprehensive activity trail
Where data is stored:
- SaaS: US-based AWS data centers in JE Vectors' AWS account. Evidence files in S3 with path pattern `{org_id}/{investigation_id}/{evidence_id}/(unknown)`. Structured data in RDS PostgreSQL.
- Licensed: The customer's AWS account, in the customer-chosen region (commercial US, US-West-2, or GovCloud). Same path pattern; customer controls residency via SCPs and resource-level controls.
Data isolation: Strict organization boundaries are enforced in every code path — users only see their organization's data, search is scoped to the current org, API calls filter by org membership. Licensed deployments add a second layer: a full physical stack per customer, so there is no shared infrastructure between customers at all.
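As an added illustration (not Nquiry's code) of the org-boundary checks described above, the following shows the two places where such a boundary is typically enforced: resolving the org scope from the caller's membership rather than from the request, and guarding the storage layer against keys that fall outside that org's prefix. Function names are hypothetical; it assumes IDs are opaque URL-safe tokens and that evidence keys follow `{org_id}/{investigation_id}/{evidence_id}/...`.

```typescript
// Added example, not Nquiry's implementation. Roles follow the page's owner/admin/member/viewer model.
type Role = "owner" | "admin" | "member" | "viewer";
type Session = { userId: string; memberships: Map<string, Role> };

// Assumption: identifiers are URL-safe tokens, so "/" and "." can never appear in one.
const ID_PATTERN = /^[A-Za-z0-9_-]+$/;

/** The org scope comes from the caller's verified membership, never from the URL alone. */
function resolveOrgScope(session: Session, requestedOrgId: string): string {
  // A Map avoids the prototype-key pitfall of `in` on plain objects ("constructor", "__proto__").
  if (!session.memberships.has(requestedOrgId)) {
    // Deny outright; do not fall back to some other org the user belongs to.
    throw new Error("forbidden: caller is not a member of the requested organization");
  }
  return requestedOrgId;
}

/** Build the evidence prefix, refusing any ID that could alter the path structure. */
function evidencePrefix(orgId: string, investigationId: string, evidenceId: string): string {
  for (const id of [orgId, investigationId, evidenceId]) {
    // "..", "/" or an empty segment would let a crafted ID land outside the org's prefix.
    if (!ID_PATTERN.test(id)) throw new Error(`invalid identifier: ${JSON.stringify(id)}`);
  }
  return `${orgId}/${investigationId}/${evidenceId}/`;
}

/** Storage-layer guard: serve an object only if its key sits under the caller's org. */
function keyBelongsToOrg(key: string, callerOrgId: string): boolean {
  const segments = key.split("/");
  return (
    ID_PATTERN.test(callerOrgId) &&
    segments[0] === callerOrgId &&          // whole segment: "org1" must not match "org10"
    segments.length >= 4 &&                 // org / investigation / evidence / object
    segments.every((s) => s !== "" && s !== "..") // no "//" or ".." anywhere in the key
  );
}

// Constructed session: the user belongs to exactly one organization.
const demoSession: Session = { userId: "u-1", memberships: new Map<string, Role>([["org-a", "member"]]) };
console.log(resolveOrgScope(demoSession, "org-a"));                          // "org-a"
console.log(keyBelongsToOrg("org-a/inv-1/ev-1/report.pdf", "org-a"));         // true
console.log(keyBelongsToOrg("org-a/../org-b/ev-1/report.pdf", "org-a"));      // false
```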
Encryption keys:
- SaaS: AWS-managed keys (SSE-S3, RDS encryption with AWS-managed KMS).
- Licensed: Customer-managed CMK is supported via the `kms_key_arn` Terraform parameter. RDS and S3 use the customer's CMK when provided; otherwise AWS-managed keys (FIPS 140-3 compliant, sufficient for IL-2). A customer-managed CMK is recommended for IL-4+ deployments.
AI data handling: All AI processing uses AWS Bedrock. Customer data is processed to generate analysis but is never used to train or improve AI models. In the SaaS model, Bedrock runs in JE Vectors' AWS account; in the licensed model, Bedrock runs in the customer's AWS account, so prompts containing investigation evidence never cross the customer's account boundary.
Backups:
- SaaS: Automated daily backups operated by JE Vectors. Defined RTO/RPO targets. See Backup & Recovery.
- Licensed: RDS automated daily snapshots and S3 versioning are configured by the Terraform template (7-day retention default, configurable). The customer operates and verifies backups; JE Vectors provides the configuration and runbook.
Data retention: Customer data is retained as long as the account is active. On account deletion (SaaS) or stack teardown (licensed), all associated data is permanently removed.
Plans and Pricing
Direct SaaS — subscription
| Feature | Trial (Free) | Core ($99/mo) | Pro ($199/mo) | Enterprise |
|---|---|---|---|---|
| Storage | 2 GB | 25 GB | 100 GB | Unlimited |
| AI Generations | 15 total | 25/mo | 50/mo | Unlimited |
| Team Members | Unlimited (full Pro access) | 1 (solo) | Unlimited | Unlimited |
| Support | Community | Priority email | Dedicated |
Trial is 14 days with full Pro access. Annual billing saves 20% on Core and Pro. Enterprise pricing is custom and includes unlimited storage, unlimited AI generations, unlimited members, dedicated support, custom contracts, and invoice billing.
Licensed (single-tenant) — perpetual license + annual maintenance
Licensed customers buy a perpetual license through AWS Marketplace and pay their own AWS infrastructure costs (typically $270–$1,895/month depending on user count — see the Customer Environment Requirements sizing guide). Annual maintenance and support is included with the license. Contact sales for license pricing.
The container image is the same across both channels, so feature parity is maintained — licensed customers do not get a stripped-down build.
Supported Work Types
Nquiry adapts its language and workflow to the selected work type: Investigation, Evaluation, Audit, Review, Inspection, Inquiry, Assessment, Case, or custom.
User Roles
| Role | Capabilities |
|---|---|
| Owner | Full access, delete org, manage billing, manage members |
| Admin | Manage members, create/edit all investigations |
| Member | Create investigations, edit own investigations |
| Viewer | Read-only access to shared investigations |
What's Not Yet Available
Transparency about current limitations:
- SSO/SAML federation: Authentication is currently Cognito-native (email/password + MFA) on both channels. SAML/OIDC federation for enterprise identity providers is on the roadmap but not yet implemented.
- API access: No public API for third-party integrations. All interaction is through the web interface.
- SOC 2 certification (SaaS): Architecture is designed with SOC 2 readiness in mind; formal audit has not yet been conducted.
- FedRAMP authorization (SaaS): SaaS is built on FedRAMP-authorized AWS services but does not hold its own SaaS-level FedRAMP authorization. The licensed channel addresses this market by running inside the customer's own authorized AWS boundary.
- Air-gapped / disconnected deployment (licensed): Requires offline license validation and local AI inference (no Bedrock). Not in scope for v1; revisit on first customer request — see ADR §"What We Explicitly Defer."
Documents in This Package
| Document | Purpose | Audience |
|---|---|---|
| This overview | Architecture, security, data handling summary (both channels) | IT evaluators, procurement |
| Customer Environment Requirements | AWS prerequisites, sizing, deployment process for licensed deployments | IT evaluators, customer cloud team |
| Single-Tenant Architecture ADR | Architectural rationale for the licensed model | Internal — share on request |
| Onboarding Guide | Getting started for new organizations (SaaS sign-up + licensed prerequisites) | IT administrators |
| Authentication | Cognito configuration, MFA, password policies | IT administrators |
| Privacy & Data Protection | Data categories, isolation, encryption details | DPOs, compliance officers |
| Admin Dashboard | System administration interface guide | IT administrators |
| Security Questionnaire | Standard procurement security Q&A (both channels) | Security teams, procurement |
| Security Assessment | Compliance evaluation findings (SaaS) | Security teams |
| HIPAA Risk Assessment | Healthcare compliance evaluation | HIPAA officers |
| Backup & Recovery | Backup procedures and recovery plans | IT administrators |
| Incident Response | Security incident response plan | Security teams |
| BAA Template | Business Associate Agreement (SaaS) | Legal, compliance |
| Privacy Policy | User-facing privacy policy | Legal |
| Terms of Service | User-facing terms | Legal |
| Deployment Flow | CI/CD pipeline and deployment process (JE Vectors-operated SaaS) | DevOps |
Contact
- Support: support@nquiry.ai
- Security concerns: security@nquiry.ai
- Sales & Enterprise inquiries: Contact via nquiry.ai