This Data Processing Agreement (“DPA”) supplements the Cloud Service Agreement between Provider and Customer. This DPA consists of: (1) the Cover Page below and (2) the Common Paper Data Processing Agreement Standard Terms Version 1.1, which are incorporated by reference.
Cover Page
Provider (Processor): JE Vectors LLC, a Florida limited liability company
Provider Contact: joe@nquiry.ai
Provider DPO Contact: privacy@nquiry.ai
Customer (Controller): As identified in the executed Cover Page
DPA Effective Date: The date the last party signs this Cover Page, or if unsigned, the Effective Date of the Cloud Service Agreement.
Cloud Service Agreement: The JE Vectors LLC Terms of Service (Cloud Service Agreement, Common Paper CSA v2.1), as in effect between the parties.
Cloud Service: As applicable to Customer's subscription:
- Nquiry — AI-powered evidence analysis platform (app.nquiry.ai)
- ConKurrence — Statistical validation framework for AI evaluation (conkurrence.com)
Module Selection
This DPA applies under Module Two (Controller-to-Processor): Customer acts as Controller and Provider acts as Processor with respect to Personal Data processed through the Cloud Service.
Annex I: Processing Details
1A. List of Parties
Data Exporter (Controller): Customer, as identified in the Cover Page.
Data Importer (Processor): JE Vectors LLC, as identified in the Cover Page.
1B. Description of Processing
| Element | Description |
|---|---|
| Categories of Data Subjects | Customer's end users, and individuals whose data appears in Customer-uploaded evidence or datasets |
| Categories of Personal Data | Names, email addresses, account credentials (hashed), IP addresses, professional titles and roles; and within Customer Data: any personal data contained in evidence files, investigation records, or validation datasets uploaded by Customer |
| Sensitive Data | Potentially, depending on Customer's use case: health information, employment records, financial information. Customer controls what data is uploaded. |
| Processing Purposes | Providing the Cloud Service: storing and organizing Customer Data; generating AI-powered analyses, reports, and validation results; maintaining audit logs; providing technical support |
| Duration of Processing | For the term of the Cloud Service Agreement plus the data retention period (30-day export window after termination, followed by deletion) |
| Frequency of Processing | Continuous, as initiated by Customer's use of the Cloud Service |
1C. Competent Supervisory Authority
The supervisory authority of the EU Member State in which the Data Exporter is established.
Annex II: Technical and Organizational Security Measures
Provider implements the following measures to protect Personal Data:
Encryption
- Data at rest: AES-256 encryption (AWS RDS, S3)
- Data in transit: TLS 1.2+ for all connections
- Database credentials and API keys: AWS Secrets Manager
Access Control
- Role-based access control (Owner, Admin, Member, Viewer)
- Organization-level data isolation (all queries scoped to organization_id)
- Authentication via Amazon Cognito with bcrypt password hashing
- Session management with secure, HTTP-only cookies
Infrastructure Security
- All services deployed on Amazon Web Services (us-east-1)
- VPC with private subnets for database and application tiers
- AWS WAF for web application firewall protection
- Automated security patching via managed services
Audit and Monitoring
- Comprehensive audit logging of all data access and state changes
- CloudWatch monitoring and alerting
- Failed authentication attempt tracking
AI Processing
- AI inference via Amazon Bedrock — no customer data used for model training
- No data persistence by AI model providers beyond inference request duration
- Content filtering via Amazon Bedrock Guardrails (best-effort)
Data Minimization
- Customer controls all data uploaded to the platform
- Provider processes only the data necessary to deliver the requested Cloud Service features
- AI processing uses only the specific evidence and questions selected by Customer for each analysis
Annex III: Approved Subprocessors
| Subprocessor | Location | Processing Activity |
|---|---|---|
| Amazon Web Services, Inc. | United States (us-east-1) | Infrastructure: compute, storage, database, authentication, AI inference (Bedrock) |
| Stripe, Inc. | United States | Payment processing for direct SaaS subscriptions |
For ConKurrence only (when Customer configures third-party AI providers):
| Subprocessor | Location | Processing Activity |
|---|---|---|
| OpenAI, Inc. | United States | AI model inference (when selected by Customer) |
| Google LLC | United States | AI model inference via Gemini (when selected by Customer) |
Subprocessor Change Notification
Provider will notify Customer at least 30 days before adding a new Subprocessor. Customer may object within 15 days of notification.
International Data Transfers
Provider processes all data within the United States. For transfers of Personal Data from the EEA, the UK, or Switzerland, this DPA incorporates the EU Standard Contractual Clauses (Module Two: Controller-to-Processor).
CCPA Addendum
To the extent the California Consumer Privacy Act applies, Provider acts as a “Service Provider” under the CCPA. Provider will not sell or share Personal Information, and will not retain, use, or disclose Personal Information for any purpose other than providing the Cloud Service.
Modifications to Standard Terms
None at this time.
To execute this DPA, contact privacy@nquiry.ai.