Security Questionnaire — Standard Responses
Pre-built responses to common procurement security questions. Based on verified product facts and the February 2026 security assessment.
Two deployment models. Most answers below apply to both Direct SaaS (app.nquiry.ai, JE Vectors-operated) and Licensed (single-tenant, deployed in the customer's AWS account via AWS Marketplace). Where the answer differs materially between channels, a "For licensed deployments:" sub-answer is provided. See the Enterprise Overview for the deployment-models comparison.
General
Q: Where is data stored? SaaS: US-based AWS data centers in JE Vectors' AWS account. All infrastructure runs on AWS (ECS Fargate, RDS PostgreSQL, S3, CloudFront). No customer data leaves the AWS environment. For licensed deployments: Inside your own AWS account, in the AWS region you select (commercial US region or AWS GovCloud). Investigation data, evidence files, and AI prompts never leave your AWS boundary. Region selection is a Terraform parameter; data residency is enforced via Service Control Policies that prevent resource creation or data transfer outside the deployment region.
Q: Is data shared with third parties? No customer data is shared with third parties. AI processing uses AWS Bedrock, which does not use customer inputs for model training. Payment processing (SaaS only) uses Stripe — Nquiry stores no payment card details. For licensed deployments: No third parties are involved at all. AI inference runs against your own Bedrock access; all infrastructure runs in your account. Stripe is not used (license is purchased through AWS Marketplace).
Q: What is your data retention policy? Customer data is retained as long as the account is active. Investigation data (evidence, analysis, reports) persists until the customer deletes it or the account is closed. On account deletion, all associated data is permanently removed. Automated backups follow defined retention schedules (see Backup & Recovery documentation). For licensed deployments: Retention is set by your organization. The Terraform template configures RDS automated snapshots (7-day retention default, configurable) and S3 versioning with optional lifecycle to Glacier; you adjust these to your policy and operate them in your account.
Q: Do you have a Business Associate Agreement (BAA)? SaaS: A BAA template is available for healthcare organizations. See BAA Template. JE Vectors signs the BAA with the customer; the AWS BAA between AWS and JE Vectors covers the underlying infrastructure. For licensed deployments: Your existing AWS BAA covers Bedrock and the AWS infrastructure (since the deployment runs in your account). JE Vectors executes a BAA with you covering the application itself and any support touchpoints. No multi-party arrangement is required.
Authentication & Access Control
Q: What authentication methods are supported? Email/password with optional multi-factor authentication. MFA options: WebAuthn (passkey/biometric) and TOTP (authenticator app). Authentication managed by Amazon Cognito. For licensed deployments: The Cognito user pool is provisioned in your AWS account by the Terraform template. You can integrate your own identity provider via Cognito federation; SSO/SAML through Cognito IdP federation is supported.
Q: What is your password policy? NIST SP 800-63B compliant: 8-character minimum, 64-character maximum, no arbitrary complexity rules, breached password blocking enabled.
Q: Is SSO/SAML supported? Native SAML/OIDC federation as a first-class product feature is on the roadmap for both channels but has not yet shipped. For licensed deployments: Cognito user pool federation is available today as a configuration option — your customer-deployed Cognito pool can be federated with your enterprise IdP (Okta, Azure AD, ADFS, etc.) without requiring a Nquiry product change.
Q: How is access controlled? Role-based access control with four levels: Owner, Admin, Member, Viewer. All API routes require authentication and organization authorization. Data is strictly isolated by organization — users cannot access data outside their organization. For licensed deployments: Same application-level controls. Single-tenant deployment adds physical infrastructure isolation — there is no shared network, database, or storage with any other Nquiry customer.
Q: Is there an audit trail? Yes. Every state change is logged: user identity, organization, timestamp, action type, IP address, and success/failure status. Audit logs are accessible from the Admin Dashboard. For licensed deployments: Application audit logs are written to your CloudWatch Logs in your account. Combined with your CloudTrail (AWS API audit) and VPC flow logs, you have an end-to-end audit trail under your custody and retention policy.
Encryption & Data Protection
Q: Is data encrypted at rest? Yes. S3 uses server-side encryption (AES-256). RDS PostgreSQL uses encrypted storage. Refresh tokens use AES-256-GCM with keys in AWS Secrets Manager.
Q: Is data encrypted in transit? Yes. TLS 1.2+ is enforced on all connections (CloudFront → ALB → ECS). HSTS headers are set with a 2-year max-age.
Q: Who manages encryption keys?
SaaS: AWS manages encryption keys for S3 (SSE-S3) and RDS storage. Application-level keys (refresh tokens, session data) are stored in AWS Secrets Manager with rotation support.
For licensed deployments: Customer-managed CMK is supported via the kms_key_arn Terraform parameter. When provided, RDS and S3 use your CMK; otherwise AWS-managed keys are used. With a customer-managed CMK you control rotation policy, key access policies, and (if needed) cryptographic deletion. Recommended for IL-4+ deployments. Details in the single-tenant architecture ADR §5.
Q: Is there tenant isolation? Yes. Strict organization-level isolation: all API calls filter by org membership, storage paths include organization ID, search is scoped to the current organization. Users cannot access data outside their organization through any application path. For licensed deployments: "Tenants" in the licensed model are typically internal divisions of a single customer organization, since each customer gets their own dedicated stack. There is no shared infrastructure between Nquiry customers in the licensed model — full physical isolation.
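The two controls described in the access-control and tenant-isolation answers above (role-based access with the four levels, and organization-scoped storage paths with every call filtered by org membership) can be illustrated as follows. This is an added example, not Nquiry's code; the role names are the ones on the page, while the membership table, the `org/<org_id>/...` key layout and the function names are assumptions constructed here.

```python
"""Organization-scoped authorization: the caller must belong to the named
organization with a sufficient role, and every storage key must sit under
that organization's prefix. Illustrative code, not Nquiry's implementation;
the membership table and key layout are constructed for this example."""
from dataclasses import dataclass

# Ordering of the four RBAC levels on the page: higher rank = more privilege.
ROLE_RANK = {"Viewer": 0, "Member": 1, "Admin": 2, "Owner": 3}

# Constructed membership table: user_id -> {org_id: role}.
MEMBERSHIPS = {
    "u-alice": {"org-1": "Owner"},
    "u-bob": {"org-1": "Viewer", "org-2": "Admin"},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorize(user_id: str, org_id: str, min_role: str) -> Decision:
    """Deny unless user_id is a member of org_id holding at least min_role."""
    role = MEMBERSHIPS.get(user_id, {}).get(org_id)
    if role is None:
        # Unknown user, unknown org and non-member all get the same answer,
        # so a caller cannot probe which organizations exist.
        return Decision(False, "not a member of organization")
    if ROLE_RANK[role] < ROLE_RANK[min_role]:
        return Decision(False, f"role {role} below required {min_role}")
    return Decision(True, role)

def scoped_key(org_id: str, relative_path: str) -> str:
    """Build the org-scoped storage key; reject anything that could escape
    the org prefix (separator inside org_id, empty/dot/dot-dot segments)."""
    if not org_id or "/" in org_id:
        raise ValueError("invalid organization id")
    if any(p in ("", ".", "..") for p in relative_path.split("/")):
        raise ValueError("invalid path segment")
    return f"org/{org_id}/{relative_path}"

def can_read_object(user_id: str, org_id: str, key: str) -> bool:
    """Read allowed only for at least a Viewer of org_id, and only for keys
    under that organization's prefix (the storage-path isolation check)."""
    if not authorize(user_id, org_id, "Viewer").allowed:
        return False
    return key.startswith(f"org/{org_id}/")
```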
Network Security
Q: What security headers are implemented? Content-Security-Policy (strict), X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Strict-Transport-Security (2 years, includeSubDomains), Referrer-Policy (strict-origin-when-cross-origin), restrictive Permissions-Policy.
Q: Is CSRF protection implemented? Yes. Double-submit cookie pattern.
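The double-submit cookie check named above, written out as an added example rather than Nquiry's own code. The cookie and header names, the minimum token length and the set of exempt methods are assumptions; the point shown is that a cross-site request can carry the cookie but cannot read it to supply the matching header value.

```python
"""Double-submit cookie CSRF check (illustrative, not Nquiry's code).
The server issues a random token as a cookie; the browser-side app must echo
it in a request header on every state-changing request."""
import hmac
import secrets

CSRF_COOKIE = "csrf_token"      # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"    # assumed header name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
MIN_TOKEN_LEN = 32              # assumed floor; issued tokens are 43 chars

def issue_csrf_token() -> str:
    """256-bit random, URL-safe token. The caller sets it as a cookie with
    Secure and SameSite=Strict; HttpOnly is NOT set, since the page's
    JavaScript has to read it back to populate the header."""
    return secrets.token_urlsafe(32)

def csrf_check(method: str, cookies: dict, headers: dict) -> tuple:
    """Return (ok, reason). Safe methods are exempt; everything else needs
    cookie and header both present, non-trivial, and equal. The comparison
    is constant-time so token bytes cannot be recovered via timing."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookie_val = cookies.get(CSRF_COOKIE)
    header_val = headers.get(CSRF_HEADER)
    if not cookie_val or not header_val:
        return False, "missing csrf token"
    if len(cookie_val) < MIN_TOKEN_LEN:
        return False, "csrf token too short"
    if not hmac.compare_digest(cookie_val.encode(), header_val.encode()):
        return False, "csrf token mismatch"
    return True, "ok"
```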
Q: Is there a WAF? SaaS: Yes. AWS WAF is configured on the CloudFront distribution. For licensed deployments: AWS WAF is included in the Terraform template (optional, recommended). You can add or replace rule sets per your organization's policy. If you operate an existing perimeter WAF/proxy, you can route through that instead.
Q: Is there DDoS protection? SaaS: AWS Shield Standard is included with CloudFront. GuardDuty monitors for threats. For licensed deployments: AWS Shield Standard is included with the ALB and (if enabled) CloudFront. You may upgrade to Shield Advanced under your AWS account. Many licensed deployments use private-only networking with no internet exposure, removing the DDoS surface entirely.
AI & Machine Learning
Q: What AI models are used? Claude (by Anthropic) via AWS Bedrock for analysis generation. Claude Haiku 4.5 for the in-app AI Guide and quality evaluation. Amazon Titan Text Embeddings V2 for semantic search. Cohere Rerank 3.5 for evidence reranking.
Q: Is customer data used for AI training? No. AWS Bedrock does not use customer inputs for model training. Customer data is processed to generate analysis results and is not retained by the AI service beyond the request. For licensed deployments: Bedrock runs in your AWS account, so prompts containing investigation evidence never cross your account boundary. The data-to-AI path stays inside your VPC via the Bedrock VPC endpoint.
Q: Are there content safety guardrails? Yes. AWS Bedrock Guardrails are configured for PHI/PII detection in AI inputs and outputs. The Terraform template (licensed) creates the Guardrail in your account; you can extend or modify the configured detectors per your policy.
Q: Can users verify AI outputs? Yes. Every AI analysis includes: faithfulness scores (% of claims supported by evidence), coverage scores (% of question elements addressed), confidence levels (Established/Probable/Possible/Insufficient), and citations linking every claim to source evidence. Users can agree, disagree, or mark unsure on every finding.
Compliance
Q: Is Nquiry HIPAA compliant? SaaS: Nquiry's architecture is designed with HIPAA requirements in mind. As of the February 2026 assessment, HIPAA readiness is at 70%. Key remaining items: AWS BAA execution and Bedrock PHI processing verification. A BAA template is available. For licensed deployments: The customer's existing AWS BAA covers the underlying infrastructure and Bedrock. JE Vectors executes a BAA with the customer covering the application. The architecture is the same — the gap items in the SaaS readiness percentage are vendor-side execution items that are bypassed when the customer operates the deployment.
Q: Is Nquiry FedRAMP authorized? SaaS: Nquiry SaaS is built on FedRAMP-authorized AWS services but does not hold its own SaaS-level FedRAMP authorization. FedRAMP 20x readiness is assessed at 80%. For licensed deployments: The licensed channel sidesteps the SaaS FedRAMP requirement by running inside the customer's already-authorized AWS boundary. Customers operating in a FedRAMP-Moderate or FedRAMP-High commercial environment, or in AWS GovCloud (IL-4/5), inherit the underlying authorization for the Nquiry deployment. See the single-tenant architecture ADR for the architectural rationale.
Q: Is Nquiry SOC 2 certified? SaaS: Architecture is designed with SOC 2 readiness in mind. Formal SOC 2 audit has not yet been conducted. SOC 2 readiness is assessed at 60%, primarily due to documentation gaps. For licensed deployments: Customer's own SOC 2 program covers the deployed stack. JE Vectors can provide configuration evidence (Terraform template, application controls documentation) to support customer audits.
Q: Do you perform penetration testing? SaaS: Penetration testing is planned but not yet completed. Internal security assessments are conducted regularly (see Security Assessment). For licensed deployments: You may run penetration testing on your deployment under your AWS account's standard pen-test policy. Coordinate with JE Vectors on testing windows and report back any application findings.
Infrastructure & Operations
Q: What is your uptime commitment? SaaS: Nquiry targets high availability through AWS infrastructure (ECS Fargate with auto-scaling, RDS with automated failover, CloudFront CDN). Formal SLA terms are defined in enterprise service agreements. For licensed deployments: Uptime is owned by your operations team. The Terraform template provisions multi-AZ RDS and ECS for HA; sizing affects effective uptime. JE Vectors' annual maintenance/support covers application troubleshooting but not 24/7 infrastructure operations.
Q: What is your incident response process? A documented incident response plan covers: detection, containment, eradication, recovery, and post-incident review. See Incident Response. For licensed deployments: Your organization owns first-line incident response (since the infrastructure is in your account). JE Vectors provides application-level incident support and security advisories under the maintenance agreement.
Q: What is your backup strategy? SaaS: Automated daily backups for RDS and S3. Defined RTO and RPO targets. See Backup & Recovery. For licensed deployments: RDS automated daily snapshots (7-day retention default, configurable in the Terraform template) and S3 versioning with optional Glacier lifecycle. Your operations team owns backup verification and restore drills; JE Vectors provides the configuration and runbook.
Q: How is infrastructure managed? All infrastructure is defined in Terraform (infrastructure as code). SaaS: Deployments are automated by JE Vectors via GitHub Actions → ECR → ECS. Changes are auditable through git history and deployment logs. For licensed deployments: You receive a Terraform template parameterized for your environment. You apply updates on your schedule — see Customer Environment Requirements §9 for the release model and zero-downtime update path. New container image versions are published to AWS Marketplace; you pull them when ready.
File Handling
Q: What file types are supported?
PDF, Word (.docx), Excel (.xlsx, .xls, .csv), images (JPEG, PNG, GIF, WebP), Markdown (.md), and text files (.txt). Full file-type matrix in product-facts.md §7.
Q: How are uploaded files validated? Server-side validation checks MIME type, file extension, and magic bytes. Files are stored in S3 with organization-scoped paths and accessed via signed URLs with expiration.
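The three checks named in the answer above (extension, declared MIME type, magic bytes), applied to the supported file types listed in the previous answer, as an added example that is not Nquiry's code. The signature table, the MIME mapping and the sample byte strings are constructed here; the function only inspects the leading bytes, so for text formats it confirms valid UTF-8 rather than a signature, and for .docx/.xlsx it can only confirm a ZIP container (telling the two apart needs the archive's [Content_Types].xml).

```python
"""Upload validation: extension allow-list, declared MIME consistent with the
extension, and leading bytes consistent with the content. Illustrative code,
not Nquiry's implementation; signature table constructed for this example."""
import codecs
import os

DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
XLSX = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls container

# extension -> (accepted MIME types, accepted leading-byte signatures).
# None = no fixed signature: text types are checked for valid UTF-8,
# WebP is checked for its RIFF....WEBP layout in code below.
ALLOWED = {
    ".pdf":  ({"application/pdf"}, [b"%PDF-"]),
    ".docx": ({DOCX}, [b"PK\x03\x04"]),
    ".xlsx": ({XLSX}, [b"PK\x03\x04"]),
    ".xls":  ({"application/vnd.ms-excel"}, [OLE2]),
    ".csv":  ({"text/csv"}, None),
    ".jpg":  ({"image/jpeg"}, [b"\xff\xd8\xff"]),
    ".jpeg": ({"image/jpeg"}, [b"\xff\xd8\xff"]),
    ".png":  ({"image/png"}, [b"\x89PNG\r\n\x1a\n"]),
    ".gif":  ({"image/gif"}, [b"GIF87a", b"GIF89a"]),
    ".webp": ({"image/webp"}, None),
    ".md":   ({"text/markdown"}, None),
    ".txt":  ({"text/plain"}, None),
}

def validate_upload(filename: str, declared_mime: str, head: bytes) -> tuple:
    """head = the first bytes of the upload (at least 16). Returns (ok, detail)."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    mimes, sigs = ALLOWED[ext]
    if declared_mime.lower() not in mimes:
        return False, "declared MIME type does not match extension"
    if ext == ".webp":
        if not (head[:4] == b"RIFF" and head[8:12] == b"WEBP"):
            return False, "content does not match extension"
    elif sigs is None:
        if b"\x00" in head:
            return False, "text file contains NUL bytes"
        try:  # incremental decoder: tolerates a multi-byte char cut at the end
            codecs.getincrementaldecoder("utf-8")().decode(head, final=False)
        except UnicodeDecodeError:
            return False, "text file is not valid UTF-8"
    elif not any(head.startswith(s) for s in sigs):
        return False, "content does not match extension"
    return True, ext
```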
This document reflects the verified state of the Nquiry platform as of April 2026. For the most current information, contact security@nquiry.ai.