Privacy and Data Protection

Overview

Nquiry is designed with privacy and data protection at its core. This document explains how user data is handled, protected, and controlled within the application.

Data Categories

Investigation Data

Data Type	Description
Evidence	Uploaded documents, files, and evidence content
Questions/Topics	Investigation structure and questions
Analysis	AI-generated analysis results
Reports	Generated investigation reports
Notes	Investigator notes and annotations

Account Data

Data Type	Description
Profile	Name, email address
Authentication	Hashed passwords, MFA settings, security keys
Preferences	App settings and preferences
Audit logs	Activity history for security

Organization Data

Data Type	Description
Membership	Who belongs to which organization
Roles	Permission levels
Billing	Subscription and payment info (via Stripe)
Invitations	Pending team invitations

Data Isolation

Organization Boundaries

Data is strictly isolated by organization:

Users only see their organization's investigations
Evidence cannot be accessed across organizations
Search is scoped to current organization
API calls are filtered by organization membership

User-Level Access

Within organizations, access is controlled by role:

Owners and Admins can access all investigations
Members can access their own + shared investigations
Viewers have read-only access

Data Encryption

At Rest

All data is encrypted at rest:

Storage	Encryption
Database (RDS)	AES-256 encryption
File storage (S3)	Server-side encryption (SSE-S3)
Backups	Encrypted with same keys
Redis cache	In-transit encryption

In Transit

All data is encrypted in transit:

TLS 1.2 or higher required
HTTPS enforced for all connections
Secure WebSocket for real-time features

Data Retention

Active Data

Active investigation data is retained indefinitely while:

Subscription is active
Account is in good standing
User hasn't requested deletion

Deleted Data

When investigations or accounts are deleted:

Data is hard-deleted (not soft-deleted)
File attachments are removed from S3
Database records are permanently removed
Deletion is not reversible

Audit Logs

Audit logs are retained for compliance:

Standard retention: 1 year
Extended retention available (Enterprise)
Logs cannot be modified or deleted by users

User Rights

Data Export

Users can export their data:

Full investigation export (JSON + files)
Account data export
Available in Settings → Account

Data Deletion

Users can delete their data:

Individual investigations
Entire account (all data)
Confirmed deletion is permanent

Access Requests

For data access requests:

Contact support@nquiry.ai
Provide account verification
Response within 30 days

AI and Data Processing

How AI Uses Data

When generating analysis:

Relevant evidence is retrieved via semantic search
Evidence chunks are sent to Claude (via AWS Bedrock)
AI generates analysis based on evidence
Results are stored in your database

AI Data Handling

Aspect	Policy
Training	Your data is NOT used to train AI models
Retention	Bedrock doesn't retain prompts or outputs
Logging	Request IDs logged for debugging (no content)
Third parties	Only AWS Bedrock processes AI requests

PHI/PII Detection

Bedrock Guardrails can detect sensitive information:

Social Security Numbers
Medical Record Numbers
Phone numbers, emails
Credit card numbers
Other PHI identifiers

When detected, content may be blocked or anonymized.

Compliance

HIPAA

For healthcare customers:

Technical safeguards implemented
Access controls enforced
Audit logging enabled
Business Associate Agreement available

For EU users:

Data processing basis: Contract performance
Right to access, rectify, delete
Data portability supported
EU data residency available (Enterprise)

Nquiry uses minimal cookies:

Cookie	Purpose	Required
Session	Authentication	Yes
CSRF token	Security	Yes
Preferences	User settings	Optional
Analytics	Usage tracking	Optional

Users can reject optional cookies via the consent banner.

Third-Party Services

AWS (Infrastructure)

All infrastructure runs on AWS:

Compute (Amplify, Lambda)
Database (RDS PostgreSQL)
Storage (S3)
AI (Bedrock)

AWS is SOC 2 Type II certified and HIPAA-eligible.

Stripe (Billing)

Payment processing via Stripe:

Nquiry doesn't store card numbers
Stripe is PCI DSS Level 1 certified
Billing data stored by Stripe

Sentry (Error Tracking)

Error monitoring via Sentry:

Captures errors and performance data
No PHI/PII in error reports
Used for debugging and improvement

Security Practices

Access Control

Role-based access control (RBAC)
Organization isolation
Session management with timeouts
Multi-factor authentication

Monitoring

Real-time security monitoring
Automated vulnerability scanning
Penetration testing (periodic)
Incident response plan

Development

Secure development practices
Code review requirements
Dependency scanning
Security testing in CI/CD

Reporting Security Issues

If you discover a security vulnerability:

Email: security@nquiry.ai
Do not disclose publicly until resolved
We aim to respond within 48 hours

Authentication - Login and MFA
Team Collaboration - Access control
Billing - Subscription data

Overview​

Data Categories​

Investigation Data​

Account Data​

Organization Data​

Data Isolation​

Organization Boundaries​

User-Level Access​

Data Encryption​

At Rest​

In Transit​

Data Retention​

Active Data​

Deleted Data​

Audit Logs​

User Rights​

Data Export​

Data Deletion​

Access Requests​

AI and Data Processing​

How AI Uses Data​

AI Data Handling​

PHI/PII Detection​

Compliance​

HIPAA​

GDPR​

Cookie Policy​

Third-Party Services​

AWS (Infrastructure)​

Stripe (Billing)​

Sentry (Error Tracking)​

Security Practices​

Access Control​

Monitoring​

Development​

Reporting Security Issues​

Related Documentation​