# Data Flow Diagram

**Product:** nquir - Investigation Management Platform  
**Last Updated:** January 30, 2026  
**Version:** 1.0
## System Overview

```text
┌──────────────────────────────────────────────────────────────────────────┐
│                          AWS Cloud (us-east-1)                           │
│                                                                          │
│  ┌─────────────┐     ┌─────────────┐     ┌─────────────┐   ┌───────────┐ │
│  │  Cognito    │     │  Amplify    │     │    RDS      │   │    S3     │ │
│  │  User Pool  │◄───►│  (Next.js)  │◄───►│ PostgreSQL  │   │  Buckets  │ │
│  │             │     │             │     │             │   │           │ │
│  │ - Auth      │     │ - App Logic │     │ - User Data │   │ - Evidence│ │
│  │ - MFA       │     │ - API Routes│     │ - Audit Logs│   │ - Guides  │ │
│  │ - Sessions  │     │ - SSR       │     │ - Orgs      │   │ - Exports │ │
│  └─────────────┘     └──────┬──────┘     └─────────────┘   └─────┬─────┘ │
│                             │                                    │       │
│                             │        ┌─────────────┐             │       │
│                             └───────►│   Bedrock   │◄────────────┘       │
│                                      │  (Claude)   │                     │
│                                      │             │                     │
│                                      │ - Analysis  │                     │
│                                      │ - Reports   │                     │
│                                      └─────────────┘                     │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘
                                   ▲
                                   │ HTTPS (TLS 1.2+)
                                   ▼
                           ┌───────────────┐
                           │     User      │
                           │   (Browser)   │
                           └───────────────┘
```
## Detailed Data Flows

### 1. Authentication Flow

```text
  User                      Amplify                    Cognito                      RDS
    │                          │                          │                          │
    │── Login Request ────────►│                          │                          │
    │   (email, password)      │                          │                          │
    │                          │── Auth Request ─────────►│                          │
    │                          │   (ADMIN_USER_           │                          │
    │                          │   PASSWORD_AUTH)         │                          │
    │                          │                          │                          │
    │                          │◄─ MFA Challenge ─────────│ (if MFA enabled)         │
    │                          │   (session token)        │                          │
    │◄─ MFA Prompt ────────────│                          │                          │
    │                          │                          │                          │
    │── TOTP Code ────────────►│                          │                          │
    │                          │── Verify MFA ───────────►│                          │
    │                          │                          │                          │
    │                          │◄─ JWT Tokens ────────────│                          │
    │                          │   (access, refresh,      │                          │
    │                          │   id token)              │                          │
    │                          │                          │                          │
    │                          │── Ensure User ─────────────────────────────────────►│
    │                          │   Exists in DB           │                          │
    │                          │                          │                          │
    │◄─ Session Cookie ────────│                          │                          │
    │   (HTTP-only, 12hr)      │                          │                          │
    │                          │                          │                          │
```
**Data Elements:**
- Email, password (never stored in app, passed to Cognito)
- TOTP code (6 digits, ephemeral)
- JWT tokens (access: 1hr, refresh: 30 days)
- Session cookie (HTTP-only, secure, 12hr max)
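The lifetimes above interact: the Cognito refresh token lives 30 days, but the application session is capped at 12 hours. The following is an added example, not nquir project code, showing one way the server side of the flow can enforce that cap so that a refresh never extends a session past the absolute limit; the `Session` shape, the `__Host-session` cookie name and the function names are assumptions for illustration.

```typescript
// Added example (not nquir project code): session lifetime rules implied by
// the authentication flow. Assumes the app stores, server side, the login
// time and the Cognito token expiries. Names and cookie name are hypothetical.
const HOUR = 3600;
export const ACCESS_TOKEN_TTL = 1 * HOUR;        // Cognito access token: 1 hr
export const REFRESH_TOKEN_TTL = 30 * 24 * HOUR; // Cognito refresh token: 30 days
export const SESSION_MAX_AGE = 12 * HOUR;        // app session cookie: 12 hr absolute cap

export interface Session {
  loginAt: number;          // epoch seconds when login (incl. MFA) completed
  accessExpiresAt: number;  // epoch seconds
  refreshExpiresAt: number; // epoch seconds
}

export type SessionState = "valid" | "refresh" | "expired";

// Absolute cap wins: even with a live refresh token the session ends at 12 h.
export function sessionState(s: Session, now: number): SessionState {
  if (now >= s.loginAt + SESSION_MAX_AGE) return "expired";
  if (now < s.accessExpiresAt) return "valid";
  if (now < s.refreshExpiresAt) return "refresh";
  return "expired";
}

export function newSession(now: number): Session {
  return {
    loginAt: now,
    accessExpiresAt: now + ACCESS_TOKEN_TTL,
    refreshExpiresAt: now + REFRESH_TOKEN_TTL,
  };
}

// Refresh renews only the access token; loginAt (and thus the 12 h cap) is kept.
export function refreshSession(s: Session, now: number): Session {
  if (sessionState(s, now) !== "refresh") throw new Error("refresh not permitted");
  return { ...s, accessExpiresAt: now + ACCESS_TOKEN_TTL };
}

// Set-Cookie value: HttpOnly + Secure as in the flow; Max-Age is the time left
// under the absolute cap, so the browser drops the cookie when the server would.
export function buildSessionCookie(sessionId: string, s: Session, now: number): string {
  const remaining = s.loginAt + SESSION_MAX_AGE - now;
  if (remaining <= 0) throw new Error("session expired");
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) throw new Error("bad session id");
  return [
    `__Host-session=${sessionId}`, // __Host- prefix requires Secure, Path=/, no Domain
    `Max-Age=${remaining}`,
    "Path=/",
    "Secure",
    "HttpOnly",
    "SameSite=Lax",
  ].join("; ");
}
```

The check worth noting is the first line of `sessionState`: it is evaluated before the refresh-token check, which is what prevents a 30-day refresh token from silently turning a 12-hour session into a 30-day one.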
### 2. Investigation Data Flow

```text
  User                      Amplify                      RDS                     Audit Log
    │                          │                          │                          │
    │── Create Investigation ─►│                          │                          │
    │   (title, focus,         │                          │                          │
    │   work_type)             │                          │                          │
    │                          │── Verify Session ───────►│                          │
    │                          │   (JWT validation)       │                          │
    │                          │                          │                          │
    │                          │── Check Org Access ─────►│                          │
    │                          │   (RLS policy)           │                          │
    │                          │                          │                          │
    │                          │── INSERT ───────────────►│                          │
    │                          │   investigation          │                          │
    │                          │                          │                          │
    │                          │── Log Action ──────────────────────────────────────►│
    │                          │   (user_id, org_id,      │                          │
    │                          │   action, resource)      │                          │
    │                          │                          │                          │
    │◄─ Investigation ID ──────│                          │                          │
    │                          │                          │                          │
```
**Data Elements:**
- Investigation: id, org_id, created_by, title, focus_statement, work_type, status
- Audit log: user_id, org_id, action, resource_type, resource_id, ip_address, user_agent, metadata
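As an added example (not nquir project code), the "Check Org Access" and "Log Action" steps of this flow written against an in-memory store: the organization comes from the request, membership comes from the verified session, and the audit entry carries exactly the fields listed above. The store class, the `RequestContext` shape, the `status` value and the id scheme are assumptions for illustration.

```typescript
// Added example (not nquir project code). Column names follow the data
// elements above; the store, request context and "open" status are hypothetical.

export interface RequestContext {
  userId: string;
  orgIds: string[];   // organizations the verified session's user belongs to
  ipAddress: string;
  userAgent: string;
}

export interface Investigation {
  id: string; org_id: string; created_by: string;
  title: string; focus_statement: string; work_type: string; status: string;
}

export interface AuditEntry {
  user_id: string; org_id: string; action: string;
  resource_type: string; resource_id: string;
  ip_address: string; user_agent: string;
  metadata: Record<string, unknown>;
}

export class MemoryStore {
  investigations: Investigation[] = [];
  auditLog: AuditEntry[] = [];
  private seq = 0;
  nextId(): string { return `inv-${++this.seq}`; } // constructed id scheme
}

export function createInvestigation(
  ctx: RequestContext,
  store: MemoryStore,
  input: { org_id: string; title: string; focus_statement: string; work_type: string },
): Investigation {
  // Org access check: reject before anything is written or logged as created.
  if (!ctx.orgIds.includes(input.org_id)) {
    throw new Error("forbidden: caller is not a member of org");
  }
  const row: Investigation = {
    id: store.nextId(), org_id: input.org_id, created_by: ctx.userId,
    title: input.title, focus_statement: input.focus_statement,
    work_type: input.work_type, status: "open",
  };
  store.investigations.push(row);
  // Audit entry: who, in which org, did what, to which resource, from which client.
  store.auditLog.push({
    user_id: ctx.userId, org_id: row.org_id, action: "investigation.create",
    resource_type: "investigation", resource_id: row.id,
    ip_address: ctx.ipAddress, user_agent: ctx.userAgent,
    metadata: { title: row.title, work_type: row.work_type },
  });
  return row;
}

// Every read is org-scoped: a caller only sees rows for orgs in its session.
export function listInvestigations(ctx: RequestContext, store: MemoryStore): Investigation[] {
  return store.investigations.filter((i) => ctx.orgIds.includes(i.org_id));
}
```

In the real system the membership check is additionally enforced by the RLS policy in section 6; the application-level check shown here is the first of the two layers.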
### 3. Evidence Upload Flow

```text
  User                      Amplify                      S3                         RDS
    │                          │                          │                          │
    │── Upload Request ───────►│                          │                          │
    │   (file metadata)        │                          │                          │
    │                          │                          │                          │
    │                          │── Create Evidence ─────────────────────────────────►│
    │                          │   Record (pending)       │                          │
    │                          │                          │                          │
    │                          │── Generate Signed ──────►│                          │
    │                          │   Upload URL             │                          │
    │                          │   (5 min expiry)         │                          │
    │                          │                          │                          │
    │◄─ Signed URL ────────────│                          │                          │
    │                          │                          │                          │
    │── PUT File ────────────────────────────────────────►│                          │
    │   (direct to S3)         │                          │                          │
    │                          │                          │ (SSE-S3 encryption)      │
    │                          │                          │                          │
    │── Confirm Upload ───────►│                          │                          │
    │                          │── Update Evidence ─────────────────────────────────►│
    │                          │   (status: uploaded)     │                          │
    │                          │                          │                          │
    │◄─ Success ───────────────│                          │                          │
    │                          │                          │                          │
```
**Data Elements:**
- Evidence metadata: id, investigation_id, filename, file_type, file_size, storage_path
- S3 object key: `{org_id}/{investigation_id}/{evidence_id}/(unknown)`
- Encryption: SSE-S3 (AES-256)

**Storage Path Structure:**

```text
investigation-app-dev-{account_id}/
├── {organization_id}/
│   ├── {investigation_id}/
│   │   ├── {evidence_id}/
│   │   │   └── document.pdf
│   │   └── {evidence_id}/
│   │       └── image.jpg
```
### 4. Evidence Download Flow

```text
  User                      Amplify                      S3                         RDS
    │                          │                          │                          │
    │── Download Request ─────►│                          │                          │
    │   (evidence_id)          │                          │                          │
    │                          │                          │                          │
    │                          │── Verify Access ───────────────────────────────────►│
    │                          │   (org membership,       │                          │
    │                          │   RLS policy)            │                          │
    │                          │                          │                          │
    │                          │── Get Storage Path ────────────────────────────────►│
    │                          │                          │                          │
    │                          │── Generate Signed ──────►│                          │
    │                          │   Download URL           │                          │
    │                          │   (15 min expiry)        │                          │
    │                          │                          │                          │
    │◄─ Signed URL ────────────│                          │                          │
    │                          │                          │                          │
    │── GET File ────────────────────────────────────────►│                          │
    │   (direct from S3)       │                          │                          │
    │                          │                          │                          │
    │◄─ File Content ─────────────────────────────────────│                          │
    │   (TLS encrypted)        │                          │                          │
    │                          │                          │                          │
```
**Security Controls:**
- Signed URLs are short-lived (15 minutes) and grant access to a single object only; no S3 access is possible without one
- Organization-scoped object paths prevent cross-tenant access
- The audit log records every download
### 5. AI Analysis Flow

```text
  User                      Amplify                    Bedrock                      RDS
    │                          │                          │                          │
    │── Generate Analysis ────►│                          │                          │
    │   (investigation_id,     │                          │                          │
    │   analysis_type)         │                          │                          │
    │                          │                          │                          │
    │                          │── Fetch Context ───────────────────────────────────►│
    │                          │   (investigation,        │                          │
    │                          │   topics, questions,     │                          │
    │                          │   evidence notes)        │                          │
    │                          │                          │                          │
    │                          │   Build Prompt           │                          │
    │                          │   (system + user)        │                          │
    │                          │                          │                          │
    │                          │── Invoke Model ─────────►│                          │
    │                          │   (claude-3-5-sonnet)    │                          │
    │                          │                          │                          │
    │                          │◄─ Streaming Response ────│                          │
    │                          │                          │                          │
    │◄─ Streamed Analysis ─────│                          │                          │
    │   (SSE stream)           │                          │                          │
    │                          │                          │                          │
    │                          │── Save Analysis ───────────────────────────────────►│
    │                          │   (content, tokens,      │                          │
    │                          │   model, type)           │                          │
    │                          │                          │                          │
    │                          │── Record Usage ────────────────────────────────────►│
    │                          │   (ai_usage table)       │                          │
    │                          │                          │                          │
```
**Data Elements:**
- Prompt: System instructions + investigation context + user question
- Response: AI-generated analysis (streamed)
- Usage tracking: tokens_in, tokens_out, model, cost estimate
**Privacy Note:** Customer data sent to Bedrock is:
- Not used for model training (AWS commitment)
- Processed in us-east-1 (same region as app)
- Subject to AWS BAA for HIPAA workloads
### 6. Multi-Tenant Data Isolation

```text
┌──────────────────────────────────────────────────────────────────────┐
│                           PostgreSQL (RDS)                           │
│                                                                      │
│  ┌────────────────────────────────────────────────────────────────┐  │
│  │                       Row Level Security                       │  │
│  │                                                                │  │
│  │  SELECT * FROM investigation                                   │  │
│  │  WHERE organization_id IN (                                    │  │
│  │    SELECT organization_id FROM organization_member             │  │
│  │    WHERE user_id = current_user_id()                           │  │
│  │  )                                                             │  │
│  │                                                                │  │
│  └────────────────────────────────────────────────────────────────┘  │
│                                                                      │
│  Organization A          Organization B          Organization C      │
│  ┌─────────────┐         ┌─────────────┐         ┌─────────────┐     │
│  │Investigation│         │Investigation│         │Investigation│     │
│  │Evidence     │         │Evidence     │         │Evidence     │     │
│  │Topics       │    ✗    │Topics       │    ✗    │Topics       │     │
│  │Questions    │◄───────►│Questions    │◄───────►│Questions    │     │
│  │Analysis     │   No    │Analysis     │   No    │Analysis     │     │
│  └─────────────┘ Access  └─────────────┘ Access  └─────────────┘     │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
```
**Isolation Mechanisms:**
- RLS Policies - Database enforces organization boundaries
- S3 Paths - Evidence stored under the `{org_id}/` prefix
- Application Logic - All queries include an org_id filter
- Signed URLs - Scoped to specific object paths
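The S3-side half of this isolation (sections 3, 4 and the mechanisms listed above) rests on two things: object keys are built from server-side identifiers under the caller's organization prefix, and a signed URL is only issued after the evidence row has been tied to both the caller's org membership and the key it points at. The following is an added example, not nquir project code, of those checks; it assumes ids are UUIDs, that org memberships come from the verified session, and that the returned `key`/`expiresIn` pair would then be handed to an S3 presigner (the signing call itself is out of scope here).

```typescript
// Added example (not nquir project code). Assumes UUID ids and a session
// context built from the verified JWT plus organization_member rows.
import { posix } from "node:path";

const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export const UPLOAD_URL_TTL_SECONDS = 5 * 60;    // upload flow: 5 min expiry
export const DOWNLOAD_URL_TTL_SECONDS = 15 * 60; // download flow: 15 min expiry

export interface SessionContext { userId: string; orgIds: string[] }

export interface EvidenceRow {
  id: string; investigation_id: string; organization_id: string; storage_path: string;
}

function assertUuid(v: string, what: string): void {
  if (!UUID.test(v)) throw new Error(`${what} is not a UUID`);
}

// Client-supplied filename: keep only the base name (no directories, no
// traversal), reject empty names, control characters and oversized names.
export function safeFilename(name: string): string {
  const base = posix.basename(name.replace(/\\/g, "/"));
  if (base === "" || base === "." || base === ".." || base.length > 255 ||
      /[\x00-\x1f\x7f]/.test(base)) {
    throw new Error("invalid filename");
  }
  return base;
}

// Upload: the key is derived from server-held ids, never from a client path.
export function buildEvidenceKey(
  orgId: string, investigationId: string, evidenceId: string, filename: string,
): { key: string; expiresIn: number } {
  assertUuid(orgId, "org_id");
  assertUuid(investigationId, "investigation_id");
  assertUuid(evidenceId, "evidence_id");
  const key = `${orgId}/${investigationId}/${evidenceId}/${safeFilename(filename)}`;
  return { key, expiresIn: UPLOAD_URL_TTL_SECONDS };
}

// Download: caller must belong to the row's org, and the stored key must sit
// under that org's prefix and match the row (catches a corrupted storage_path
// before it is ever signed).
export function authorizeDownload(
  ctx: SessionContext, row: EvidenceRow,
): { key: string; expiresIn: number } {
  if (!ctx.orgIds.includes(row.organization_id)) {
    throw new Error("forbidden: not a member of organization");
  }
  const [orgPrefix, invPrefix, evPrefix] = row.storage_path.split("/");
  if (orgPrefix !== row.organization_id || invPrefix !== row.investigation_id ||
      evPrefix !== row.id) {
    throw new Error("storage_path does not match evidence row");
  }
  return { key: row.storage_path, expiresIn: DOWNLOAD_URL_TTL_SECONDS };
}
```

The prefix comparison in `authorizeDownload` is deliberately redundant with the membership check: RLS and the membership test guard the row, while the prefix test guards the object, so a wrong `storage_path` in the row cannot become a signed URL into another tenant's prefix.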
## Data at Rest
| Data Type | Storage | Encryption | Retention |
|---|---|---|---|
| User credentials | Cognito | AWS managed | Until account deletion |
| User profiles | RDS | KMS (AES-256) | Until account deletion |
| Investigations | RDS | KMS (AES-256) | Until deletion by user |
| Evidence files | S3 | SSE-S3 (AES-256) | Until deletion by user |
| Audit logs | RDS | KMS (AES-256) | 7 years (compliance) |
| AI analysis | RDS | KMS (AES-256) | Until deletion by user |
| Session data | Browser cookie | N/A (no sensitive data) | 12 hours |
## Data in Transit
| Flow | Protocol | Encryption |
|---|---|---|
| User ↔ Amplify | HTTPS | TLS 1.2+ |
| Amplify ↔ RDS | PostgreSQL SSL | TLS 1.2+ |
| Amplify ↔ S3 | HTTPS | TLS 1.2+ |
| Amplify ↔ Cognito | HTTPS | TLS 1.2+ |
| Amplify ↔ Bedrock | HTTPS | TLS 1.2+ |
| User ↔ S3 (signed URL) | HTTPS | TLS 1.2+ |
## External Integrations

### Current
| Service | Data Shared | Purpose |
|---|---|---|
| AWS Bedrock | Investigation context (anonymized prompts) | AI analysis generation |
| Stripe | Email, subscription status | Billing |
| Sentry | Error traces, user ID | Error monitoring |
### Planned (Production)
| Service | Data Shared | Purpose |
|---|---|---|
| AWS CloudTrail | API activity logs | Security audit |
| AWS Config | Resource configurations | Compliance |
| CloudWatch | Application logs, metrics | Monitoring |
## Trust Boundaries

```text
┌──────────────────────────────────────────────────────────────────────┐
│                           Trust Boundary 1                           │
│                          (Public Internet)                           │
│                                                                      │
│                            ┌─────────┐                               │
│                            │  User   │                               │
│                            │ Browser │                               │
│                            └────┬────┘                               │
│                                 │                                    │
└─────────────────────────────────┼────────────────────────────────────┘
                                  │ HTTPS + Auth
                                  ▼
┌──────────────────────────────────────────────────────────────────────┐
│                           Trust Boundary 2                           │
│                         (AWS - Amplify Edge)                         │
│                                                                      │
│                          ┌─────────────┐                             │
│                          │   Amplify   │ ◄── WAF (planned)           │
│                          │   Compute   │                             │
│                          └──────┬──────┘                             │
│                                 │                                    │
└─────────────────────────────────┼────────────────────────────────────┘
                                  │ IAM + VPC (planned)
                                  ▼
┌──────────────────────────────────────────────────────────────────────┐
│                           Trust Boundary 3                           │
│                          (AWS - Data Layer)                          │
│                                                                      │
│     ┌─────────┐     ┌─────────┐     ┌─────────┐     ┌─────────┐      │
│     │ Cognito │     │   RDS   │     │   S3    │     │ Bedrock │      │
│     │         │     │  (VPC)  │     │         │     │         │      │
│     └─────────┘     └─────────┘     └─────────┘     └─────────┘      │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
```
## Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-30 | Joe Etherage | Initial version |
## References

- AWS Well-Architected Framework - Security Pillar
- FedRAMP Data Flow Requirements
- Architecture Decision: `architecture_decision_aws_migration.md`
- Compliance Controls: `docs/compliance/compliance_controls.md`