Full infrastructure ownership for document programs where control, sovereignty, and auditability are non-negotiable.
Summary: Customer-managed AWS deployment means FormKiQ runs entirely within your own AWS account — your data, your encryption keys, your IAM policies, and your operational boundary. No shared infrastructure, no vendor access to production unless you explicitly grant it, and no dependency on a third-party cloud environment for the governance of your most sensitive documents. For organizations where the deployment model itself is a compliance requirement, this is the architecture that makes the rest of the governance story possible.
Who it's for
Organizations where infrastructure control is a compliance requirement, a contractual obligation, or an internal security policy — not just a preference. This includes:
- Regulated organizations subject to frameworks that require demonstrable control over where data lives and who can access the infrastructure processing it — GDPR, HIPAA, PIPEDA, Quebec Law 25, KSA PDPL, SOC 2, ISO 27001, and others
- Government and public sector bodies with data sovereignty requirements that preclude vendor-managed infrastructure for sensitive document programs
- Financial services and insurance organizations where internal security policy or regulatory mandate prohibits third-party access to production document systems
- Healthcare organizations where HIPAA security rule requirements and internal risk management standards require ownership of the full technical safeguard stack
- Legal and professional services firms where client confidentiality obligations require that document infrastructure be operated within the client organization's own environment
- Technology and SaaS companies building regulated document management into their products and requiring infrastructure control as a condition of their own compliance posture
- Enterprise organizations with existing AWS environments who want FormKiQ to operate as a native component of their existing cloud infrastructure rather than a separate hosted service
When to use it
When the deployment model — who operates the infrastructure and who can access it — is itself a compliance or governance consideration. Specifically:
- When internal security policy, regulatory mandate, or contractual obligation requires that vendor personnel cannot access production document data
- When data sovereignty requirements specify that the operational entity controlling document infrastructure must be subject to the same jurisdiction as the data subjects
- When encryption key ownership must remain with the customer — with no vendor access to key material
- When audit and compliance programs require that document infrastructure be subject to the customer's own security tooling, monitoring, and incident response processes
- When existing AWS infrastructure investment, IAM governance, and cloud operations capability make operating FormKiQ within your own account the natural fit
- When procurement, security review, or legal processes require that a vendor's access to production systems be demonstrably zero
What customer-managed deployment means in practice
Customer-managed deployment is not simply a self-hosted option — it is a specific architectural commitment that FormKiQ is designed to fulfill. Every component of the FormKiQ platform — storage, metadata, search, processing, API, access control, and audit — deploys into your AWS account through AWS CloudFormation, using your account's resources, subject to your account's IAM policies, encryption configuration, and network controls.
Your data, in your account
Documents are stored in S3 buckets in your account. Metadata is stored in DynamoDB tables in your account. Search indexes are maintained in OpenSearch domains in your account. Processing functions run as Lambda functions in your account. Every byte of document content and metadata lives in infrastructure you own and control — not in a shared environment managed by FormKiQ.
Your encryption keys
All data at rest is encrypted using AWS KMS. In a customer-managed deployment, you control the KMS key configuration — whether using AWS-managed keys, customer-managed key stores, or AWS CloudHSM for hardware-level key isolation. FormKiQ has no access to your encryption keys, and cannot decrypt your data without your explicit authorization.
Your IAM policies
All access to FormKiQ's underlying AWS resources is governed by IAM policies in your account. You define who and what can access documents, metadata, processing functions, and administration interfaces — with no IAM policies controlled or modified by FormKiQ without your involvement.
Your network controls
FormKiQ can be deployed within your VPC, with private endpoints, controlled egress, and network security group configurations that reflect your organization's network security architecture. There is no requirement to expose FormKiQ components to public internet endpoints if your security architecture requires fully private deployment.
Your monitoring and audit tooling
CloudTrail, CloudWatch, AWS Security Hub, AWS Config, and GuardDuty all operate across FormKiQ's infrastructure in exactly the same way as they operate across the rest of your AWS environment — because FormKiQ's infrastructure is part of your AWS environment. Security monitoring, compliance checks, and audit log collection require no special configuration or vendor involvement.
Zero vendor access to production
The FormKiQ team has no access to your production environment unless you explicitly grant it. There is no vendor-side administration console, no support tunnel into production, and no FormKiQ-controlled access path to your documents, metadata, or infrastructure. If you choose to invite FormKiQ engineers into a support session, that access is granted and revoked by you, through your IAM configuration.
How customer-managed deployment addresses specific compliance requirements
GDPR and UK GDPR
Customer-managed deployment addresses the infrastructure control dimension of GDPR compliance — ensuring that personal data stored in FormKiQ is processed within infrastructure subject to your organization's data protection policies rather than a vendor's shared environment. Combined with regional deployment in EU or UK AWS regions and FormKiQ's access control and audit capabilities, customer-managed deployment provides the technical and organizational measures that GDPR Article 32 requires.
HIPAA
HIPAA's Security Rule requires covered entities and business associates to implement technical safeguards for protected health information — including access controls, audit controls, integrity controls, and transmission security. Customer-managed deployment in your own AWS account, with your own KMS keys, IAM policies, and audit configuration, gives you direct ownership of these technical safeguards rather than relying on a vendor's representation of their implementation.
Quebec Law 25 and PIPEDA
Canadian privacy frameworks require appropriate security safeguards for personal information. Customer-managed deployment into ca-central-1 (Montreal) or ca-west-1 (Calgary) ensures that Canadian personal information remains within Canadian AWS infrastructure under your organization's control — supporting both the residency and sovereignty dimensions of Canadian privacy compliance.
KSA PDPL and GCC frameworks
Saudi Arabia's PDPL and other GCC privacy frameworks include data localization requirements and restrictions on cross-border data transfers. Customer-managed deployment into me-central-1 (UAE) or me-south-1 (Bahrain) — with your own AWS account subject to local jurisdiction — provides the localization and sovereignty posture these frameworks require.
SOC 2 and ISO 27001
Both frameworks require demonstrable controls over access, encryption, availability, and processing integrity. Customer-managed deployment in your own AWS account allows FormKiQ's infrastructure to be included in your SOC 2 audit scope and ISO 27001 ISMS boundary — with your existing AWS security controls, monitoring, and incident response processes applied directly to FormKiQ's components.
Internal security policy
Many organizations with mature information security programs have internal policies that prohibit third-party access to production systems processing sensitive data — regardless of regulatory mandate. Customer-managed deployment satisfies these policies by design, with zero vendor access to production and no exceptions without explicit customer authorization.
Deployment architecture
FormKiQ deploys via AWS CloudFormation — an infrastructure as code service that provisions all required AWS resources from a tested, versioned template. Deployment is repeatable, consistent, and auditable — the same template produces the same infrastructure every time, with no manual resource creation that could introduce configuration drift.
Core AWS services in a customer-managed FormKiQ deployment
Amazon S3 — document content storage, with versioning enabled for complete document history and protection against accidental overwrites and deletions
Amazon DynamoDB — document metadata storage, providing fast and cost-effective metadata search across collections of any size
AWS Lambda — serverless processing functions for document actions, workflow execution, OCR processing, AI processing, and integration logic
Amazon API Gateway — the secure API endpoint through which all FormKiQ API interactions are routed
Amazon Cognito — identity and access management for user authentication, group assignment, and multi-tenant isolation
AWS CloudFront — content delivery and TLS termination for the FormKiQ Document Console and API endpoints
AWS KMS — encryption key management for data at rest across S3, DynamoDB, and other services
Amazon SNS — document event publication for real-time notification of document lifecycle changes
Amazon OpenSearch — enhanced full-text search (available as an add-on module for Advanced and Enterprise)
Amazon Bedrock — AI processing and KnowledgeBase capabilities (available as add-on modules for Advanced and Enterprise)
AWS CloudTrail — audit logging of all API calls and resource operations across the FormKiQ deployment
Amazon CloudWatch — operational monitoring, logging, and alerting for FormKiQ components
Optional network configuration
- VPC deployment with private subnets for Lambda functions and other compute resources
- VPC endpoints for S3, DynamoDB, and other AWS services to eliminate internet-routed traffic
- Network security groups and NACLs configured to your network security architecture
- AWS WAF integration for API Gateway protection against web-based attacks
Regional deployment
Customer-managed deployment supports any AWS region where FormKiQ services are available — with twenty regions currently supported across North America, Europe, the Middle East, Asia-Pacific, Africa, and Latin America. Organizations with multi-jurisdiction operations can deploy separate FormKiQ instances per region, each within its own customer AWS account or organizational unit, with cross-region authentication but no cross-border data movement.
For organizations with complex multi-region requirements — separate instances per jurisdiction, cross-region authentication, and region-specific retention and access policies — FormKiQ's regional deployment model can be architected to support each jurisdiction's specific requirements within a consistent platform architecture.
See the Data Residency page for the full list of supported AWS regions and their associated regulatory contexts.
Support model in customer-managed deployments
Customer-managed deployment does not mean unsupported deployment. FormKiQ's support model for Advanced and Enterprise customers includes Level 3 engineering support through the FormKiQ Support Portal, Private Slack Channel, and Videoconferencing — with FormKiQ engineers providing technical guidance, issue diagnosis, and resolution support without requiring access to your production environment.
For issues that benefit from direct access to your environment, FormKiQ engineers can be granted temporary, scoped access through your IAM configuration — at your discretion and revocable at any time. This model gives you complete control over when and how FormKiQ accesses your environment, while ensuring that engineering support is available when you need it.
For Enterprise customers, support structures can be customized to reflect the operational requirements of your deployment — including release coordination, change management processes, and compliance documentation support.
Migration to customer-managed deployment
For organizations moving from a legacy ECM platform or a vendor-managed document management service to customer-managed AWS deployment, FormKiQ supports phased migration that preserves existing workflows and business processes rather than requiring a forced redesign.
The migration process typically follows a structured path:
Assessment and planning
FormKiQ works with your architecture, legal, compliance, and operations teams to assess your current environment, document existing workflows and integrations, identify data residency and sovereignty requirements, and design a migration plan that maintains compliance continuity throughout.
Non-production deployment
FormKiQ is deployed in a non-production environment within your AWS account — allowing your team to validate the platform, test integrations, and build operational familiarity before production cutover. In a hybrid model, FormKiQ engineers can work directly in non-production environments to accelerate implementation while production remains in the existing system.
Integration mapping
Existing integrations with ERP, CRM, HRIS, case management, and other systems are mapped to FormKiQ API endpoints and Integration Framework configurations — identifying which connections can be re-pointed directly and which require adapter development.
Document ingestion
Documents are ingested from existing stores — legacy ECM platforms, file servers, cloud storage, or other sources — using FormKiQ's CLI, bulk upload capabilities, and Document Gateway modules. Metadata mapping ensures documents arrive in FormKiQ with governance context intact rather than as raw files requiring reclassification.
Parallel operation
FormKiQ runs alongside the existing system during the transition period — new documents and workflows move to FormKiQ incrementally while existing records remain accessible in place. Teams adopt the new environment at a pace that matches operational readiness.
Phased governance handoff
Governance functions — legal hold, retention management, audit trails, records disposition — are transitioned to FormKiQ in stages, with validation at each phase. Compliance continuity is maintained throughout, with no gap in audit readiness or records accessibility.
Production cutover
When the new environment has been validated and operational confidence is established, production traffic is redirected to the FormKiQ deployment and the legacy system is decommissioned or placed in read-only mode for historical reference.
Comparing deployment models
| Customer-Managed | Vendor-Managed | Hybrid | |
|---|---|---|---|
| Infrastructure location | Your AWS account | Dedicated FormKiQ-hosted account | Split — production in your account |
| FormKiQ access to production | Zero unless granted | Operational access | Zero — non-production only |
| Encryption key ownership | Customer | Shared / negotiated | Customer (production) |
| IAM ownership | Customer | FormKiQ | Split |
| Audit log destination | Customer-owned | FormKiQ-managed | Split |
| Compliance validation ownership | Customer | Shared | Customer |
| AWS account | Your account | FormKiQ account | Your account (production) |
| Best for | Maximum sovereignty and control | Fast start / operational simplicity | Phased adoption / migration support |
Important guardrail
Customer-managed deployment provides the infrastructure control posture that regulated document programs require — but infrastructure control alone does not constitute compliance with any specific regulatory framework. Whether a customer-managed FormKiQ deployment satisfies GDPR, HIPAA, SOC 2, Quebec Law 25, KSA PDPL, or any other framework depends on the complete configuration, operational practices, and governance controls applied to that deployment — which must be validated by your legal, compliance, and security teams. FormKiQ's architecture is designed to support that validation process, not to replace it.