Executive Summary

Data Residency Commitment: ReqOps does not persist business content in ReqOps-controlled databases or file stores. All requirements, documents, files, attachments, and embeddings are stored in Aramex's database/bucket, under Aramex's control. During normal operation, ReqOps processes business content in memory only for the duration of a request or active user session and is designed not to write that content to persistent storage or application-level logs. ReqOps retains only the technical metadata necessary for authentication, authorisation, and auditability. Any browser-side caching is limited to the user's device and is governed by Aramex's endpoint controls.

1. The Problem

Aramex lacks a unified requirements and delivery governance engine across squads. This creates three bottlenecks:

Delivery Delays: Manual documentation and inconsistent processes extend requirements cycle time
Rework & Quality Issues: Requirements lack standardization, leading to ambiguity and rework after dev/QA review
Compliance Risk: Manual traceability and audit trails create regulatory risk

The Cost: BA capacity redirected from strategic work to manual processes. Opportunity cost compounds across teams.

2. The Solution

ReqOps: A structured schema-driven operating system that accelerates BA productivity through:

AI-powered requirement generation and test case creation (20%+ time reduction)
Context-driven assistance via knowledge agents trained on your domain
Structured governance ensuring consistency, traceability, and compliance

Deployment Model: Hybrid-SaaS with on-prem data residency. Application hosted in ReqOps AWS tenant; database/bucket hosted and controlled by Aramex. Secure private connectivity between systems. ReqOps is a trusted application with read/write access to a dedicated schema/namespace in Aramex's database/bucket. ReqOps remains in the critical path for reads/writes to the ReqOps schema/namespace. Aramex remains the trust anchor for infrastructure, DB/bucket configuration, and revocation.

Application Architecture: ReqOps hosts the full application logic (UI, APIs, agents, workflow). It is not a proxy; it is the primary compute layer for the ReqOps schema/namespace stored in Aramex's database/bucket.

3. Success Metrics

Three KPIs measured objectively:

KPI	Success Threshold
Cycle-Time Reduction	≥20% reduction (median time: elicitation → approved story set)
Rework Reduction	≥20% reduction (stories requiring material rework)
Requirements Quality	≥20% improvement (stories with complete acceptance criteria)

Baseline: Established from 3-5 recent Epics in Week 1. Measurement: Tracked during trial execution. Conversion: If all 3 KPIs meet thresholds → automatic conversion to 12-month subscription.

4. Timeline

8-12 weeks end-to-end (4-6 weeks of actual usage once access is granted):

Weeks 1-2: Procurement & vendor onboarding
Weeks 3-4: Security review & technical setup
Week 5: Kickoff & baseline measurement
Weeks 5-8: Trial execution (4 weeks usage)
Week 9: Assessment & conversion decision

Deliverable: One complete Epic with requirements, test cases, diagrams, and measured performance improvements.

5. Conversion Logic

If all 3 KPIs meet ≥20% thresholds: Trial automatically converts to 12-month enterprise subscription at agreed pricing with 5 licenses (expandable).

If KPIs don't meet thresholds: You still receive all deliverables (Epic, requirements, test cases, insights). No wasted investment—value delivered regardless.

ROI: Illustrative ROI model (assumptions: 5 BAs, $100K/year fully loaded each, 20% productivity uplift based on trial KPIs) → 1 FTE equivalent (~$100K/year). Actual ROI depends on Aramex's cost structure and adherence to new workflows.

6. Risk Boundary

Data Storage: ReqOps does not persist business content in ReqOps-controlled databases or file stores. All requirements, documents, attachments, and embeddings remain inside Aramex's database/bucket, under Aramex control. Business content is processed in memory only for the duration of a request or active user session and is not written to persistent storage or application-level logs by design. Infrastructure logs may contain technical metadata (timestamps, IPs, request IDs) but are configured not to capture business content payloads.

Trust Model: ReqOps connects to a database/bucket owned and operated by Aramex using credentials that are intended to be restricted to a dedicated schema/namespace. If these credentials are configured as recommended, ReqOps code can only read and write within that schema/namespace; it does not require privileges on other schemas/namespaces. ReqOps is a trusted application for that schema/namespace and should be treated accordingly. Network connectivity can be established via Private Link (default) or VPN-based access (optional, can be provided). ReqOps does not persist business content in ReqOps-controlled databases or file stores and retains only technical metadata required for authentication, authorisation, and auditability.

Trust Boundary

Trust boundaries and allowed flows:

flowchart LR Users["Users
Aramex"] Cloudflare["Cloudflare
Protection Layer"] ReqOps["ReqOps SaaS"] DB[("Aramex Database/Bucket")] AI["AI Endpoint
Aramex-Controlled"] Users -->|HTTPS + SSO| Cloudflare Cloudflare -->|Protected HTTPS| ReqOps ReqOps -->|Private Link/VPN
Read/Write| DB ReqOps -->|Private Link
Inference call| AI AI -->|Private Link
Response| ReqOps ReqOps -->|Private Link/VPN
Write results| DB subgraph TrustBoundary["Trust Boundary
Aramex Infrastructure"] DB AI end classDef aramex fill:#ffffff,stroke:#283593,stroke-width:2px,color:#000000 classDef reqops fill:#f5f5f7,stroke:#6e6e73,stroke-width:1.5px,color:#000000 classDef user fill:#ffffff,stroke:#283593,stroke-width:1.5px,color:#000000 classDef cloudflare fill:#f5f5f7,stroke:#6e6e73,stroke-width:1.5px,color:#000000 class DB,AI,TrustBoundary aramex class ReqOps reqops class Users user class Cloudflare cloudflare

Note: Logs may contain technical identifiers (e.g. user IDs, entity IDs) required for auditability. Full business content bodies (requirements text, document contents) are not logged.

Additional diagrams available in Appendix A.

Shared Responsibility Model

Area	Aramex	ReqOps
Database/Bucket security & residency	✓	—
Application security	—	✓
Data residency enforcement	✓	—
Authentication (SSO)	✓	✓
RBAC permissions	✓	✓
Data deletion / retention	✓	—
SaaS operational metadata	—	✓
Incident response collaboration	✓	✓

AI Usage Model: All AI inference runs only against Aramex-controlled endpoints. AI agents operate within the same access controls as the user: they can only retrieve and process content that the user is authorised to access via the ReqOps application. They do not introduce new data access paths or bypass RBAC. However, they can aggregate authorised content more quickly than a human, so Aramex should treat AI responses as operating within the user's existing data access scope, not as a new isolation boundary. Prompt and response bodies are not logged at the ReqOps application layer; only technical metadata is retained for observability. Any additional logging or retention at the AI platform layer is controlled by Aramex.

Security: Cloudflare protection layer (with GEO protection capabilities if needed), SSO integration (your IdP is authoritative), role-based access, encryption (TLS 1.2+, encrypted at rest), comprehensive audit logging with SIEM integration.

Full security details including shared responsibility model, threat model, and control mappings in Appendix A.

↓ Detailed Information in Appendices Below ↓

Appendices

Appendix A: Security & Risk Boundary

Security Summary: All business data remains in Aramex's database/bucket. Detailed security documentation available upon request.

Kill-Switch

Bilateral revocation sequence: Aramex can revoke access unilaterally, or ReqOps can terminate the application and user access immediately.

flowchart TB AramexSec["Aramex Security"] DB["Database/Bucket
Credentials"] Network["Network
Tunnel"] SSO["SSO
Access"] ReqOps["ReqOps
SaaS"] ReqOpsOps["ReqOps Operations"] EC2["EC2 Instances"] Auth0["Auth0
Admin Panel"] AramexSec -->|1. Rotate| DB AramexSec -->|2. Disable| Network AramexSec -->|3. Revoke| SSO Network -->|4. Access fails| ReqOps ReqOpsOps -->|Stop/Terminate| EC2 ReqOpsOps -->|Kill user access| Auth0 EC2 -->|Application stops| ReqOps Auth0 -->|User access revoked| ReqOps classDef aramex fill:#ffffff,stroke:#283593,stroke-width:2px,color:#000000 classDef reqops fill:#f5f5f7,stroke:#6e6e73,stroke-width:1.5px,color:#000000 classDef reqopsops fill:#f5f5f7,stroke:#6e6e73,stroke-width:2px,color:#000000 class AramexSec,DB,Network,SSO aramex class ReqOps reqops class ReqOpsOps,EC2,Auth0 reqopsops

ReqOps can immediately: Stop or terminate EC2 instances (full application shutdown), revoke specific user access via Auth0 admin panel, disable all user sessions, and freeze all operations. This provides immediate containment capability independent of Aramex actions.

Data Residency & Trust Boundaries

Data Storage: All requirements, documents, attachments, and embeddings remain in Aramex's database/bucket, under Aramex control. ReqOps does not persist business content in ReqOps-controlled AWS services. During normal operation, ReqOps processes business content in memory only for the duration of a request or active user session and is designed not to write that content to persistent storage or application-level logs. Infrastructure logs may contain technical metadata (timestamps, IPs, request IDs) but are configured not to capture business content payloads. Business content may be cached temporarily in the user's browser or client session during active use; this resides on Aramex-managed endpoints and is subject to Aramex's endpoint security controls. All long-term storage of business content remains in Aramex's database/bucket.

Database/Bucket Access: The credentials used by ReqOps are intended to be restricted to a dedicated schema/namespace configured by Aramex. If these credentials are configured as recommended, ReqOps code can only read and write within that schema/namespace; it does not require privileges on other schemas/namespaces. If the credentials are misconfigured with broader privileges, compromise of ReqOps could impact a wider data set. Verification of credential scope sits with Aramex's DB/bucket/security teams.

AI Usage Model

All AI inference runs only against Aramex-controlled endpoints. ReqOps makes inference calls directly to Aramex AI endpoints from the ReqOps application layer. The database does not orchestrate AI calls. AI agents operate within the same access controls as the user: they can only retrieve and process content that the user is authorised to access via the ReqOps application. They do not introduce new data access paths or bypass RBAC. All AI retrieval is constrained by the same row-level access logic used for UI/API queries. AI agents cannot issue unrestricted SQL queries or access embeddings outside the user's authorised namespace. However, they can aggregate authorised content more quickly than a human, so Aramex should treat AI responses as operating within the user's existing data access scope, not as a new isolation boundary. Prompt and response bodies are not logged at the ReqOps application layer; only technical metadata is retained for observability. Any additional logging or retention at the AI platform layer is controlled by Aramex.

Network: ReqOps will connect to both the database/bucket and AI endpoint via Private Link (or VPN-based access, optional). Both endpoints must be hosted in a private network segment without a public IP, and be reachable solely via a mutually authenticated Private Link (or VPN) from ReqOps' AWS tenant. Aramex is responsible for implementing and maintaining this configuration. ReqOps will not onboard environments where the database/bucket or AI endpoint are exposed on public endpoints. End-user access is protected by Cloudflare (with GEO protection capabilities if needed) and authenticated via HTTPS + SSO.

Trust Model

ReqOps connects to a database/bucket owned and operated by Aramex using credentials that are intended to be restricted to a dedicated schema/namespace. If these credentials are configured as recommended, ReqOps code can only read and write within that schema/namespace; it does not require privileges on other schemas/namespaces. ReqOps is a trusted application for that schema/namespace and should be treated accordingly. Network connectivity can be established via Private Link (default) or VPN-based access (optional, can be provided). ReqOps hosts the full application layer (UI, APIs, agents, workflow) and executes business logic during active user sessions. It does not persist business content server-side. Aramex can revoke ReqOps access by rotating database/bucket credentials or disabling the VPN/Private Link. ReqOps does not persist business content in ReqOps-controlled databases or file stores and retains only technical metadata required for authentication, authorisation, and auditability.

Kill-Switch (Emergency Containment Procedures)

Aramex executes:

Rotate database/bucket credentials (immediate access revocation)
Disable VPN / Private Link
Disable user access via SSO

ReqOps executes (immediate application shutdown):

EC2 Instance Control: Stop or terminate EC2 instances to completely shut down the application
User Access Revocation: Kill specific user access through Auth0 admin panel (individual or bulk revocation)
Disable SaaS application access
Invalidate all active sessions
Rotate all internal secrets
Freeze deployments

Containment: Runbooks are designed so that, under normal operating conditions, either party can achieve immediate containment. Aramex can revoke ReqOps access within minutes by rotating database/bucket credentials, disabling the VPN/Private Link, and revoking SSO access. ReqOps can achieve immediate containment by stopping/terminating EC2 instances and revoking user access via Auth0 admin panel. Actual containment time depends on the executing party's incident response processes and staffing.

Detailed security documentation including threat model, logging schemas, and control mappings available upon request during onboarding.

Appendix B: Detailed KPIs & ROI

Detailed KPI Definitions

Success is Measured Objectively: We establish baseline metrics in Week 1, measure during trial execution, and compare outcomes. Conversion to 12-month subscription requires all three KPIs meeting ≥20% improvement thresholds.

KPI	Definition	Measurement Method	Success Threshold
Cycle-Time Reduction	Median time from "elicitation notes captured" → "approved story set" (hours/days)	Baseline: 3-5 recent Epics from Jira/Azure DevOps. Trial: ReqOps audit logs tracking first requirement capture → Epic sign-off	≥20% reduction Example: 120h → ≤96h
Rework Reduction	Percentage of user stories requiring material rework (>2 hours OR >1 revision round after initial approval)	Baseline: Review 3-5 recent Epics—count stories with material rework / total stories. Trial: Track rework requests in Jira/Azure DevOps	≥20% reduction Example: 40% → ≤32%
Requirements Quality	Percentage of user stories with complete, testable acceptance criteria (≥3 criteria covering positive, negative, edge cases)	Baseline: Review 3-5 recent Epics—count stories with complete criteria / total stories. Trial: Measure completeness in ReqOps-generated Epic	≥20% improvement Example: 60% → ≥72%

Baseline Measurement Process

Baseline measurements are established in Week 1 (before ReqOps usage begins) to enable objective comparison of trial outcomes.

Data Collection: ReqOps consultant reviews 3-5 recent Epics from Aramex backlog. Extract timestamps, rework counts, and acceptance criteria completeness from Jira/Azure DevOps.
Calculation: Calculate baseline medians/percentages for each KPI using mechanical definitions. Document data sources and methodology.
Validation: Baseline report shared with sponsor before trial execution. Methodology and data sources validated and agreed.

ROI Calculation

Conservative ROI Projection

Assumptions:

5 Business Analysts
Average BA cost: $100K/year (fully loaded)
20% productivity improvement (minimum threshold)
12-month subscription

Value Created:

5 BAs × 20% improvement = 1 FTE equivalent
Value: $100K/year
Plus: Reduced rework, faster delivery, higher quality, compliance risk reduction

Illustrative ROI: 3-5x investment within 12 months
(Actual ROI depends on Aramex's cost structure and adherence to new workflows)

Appendix C: Trial Execution Details

Epic Selection Process

One Epic/Feature will be selected for the trial to be fully developed from a requirements viewpoint. Selection criteria:

Moderate Complexity: Sufficient scope to demonstrate ReqOps capabilities but manageable within trial timeline (typically 5-15 user stories)
Clear Business Value: Meaningful business outcome that stakeholders care about
Available Stakeholders: Key stakeholders available for requirements elicitation, review, and sign-off
Well-Defined Scope: Clear boundaries and objectives; minimal ambiguity
Representative: Typical of organization's requirements work
No Blockers: No external dependencies that would prevent completion within trial timeline

Knowledge Base Setup

Knowledge base setup requires source material provided during prerequisites phase:

Domain Documentation: Policies, standards, procedures, and best practices
Historical Requirements: Sample requirements documents, user stories, and specifications from previous projects
Compliance Documents: Relevant regulations, compliance requirements, and industry standards

Volume: Minimum 20-30 documents recommended (50-100 ideal). More comprehensive knowledge bases yield better results.

Knowledge Agent Training

Three specialized agents are trained on domain-specific knowledge bases:

UX & CX Agent: Focused on user experience and customer experience requirements
Logic and Functional Agent: Specialized in logical flows, functional requirements, and system behavior
Edge Case Agent: Focused on identifying edge cases within workflows

Agents are trained by ingesting relevant documentation, policies, standards, and historical requirements from your organization's knowledge base.

Key Deliverables

Minimum Deliverables (Always Included):

One fully specified Epic (user stories, acceptance criteria, test cases)
KPI measurement report with baseline comparison

Optional Deliverables (Depending on Scope & Time):

Process flow diagrams and sequence diagrams
Trained knowledge agents (UX/CX, Logic/Functional, Edge Cases)
Structured knowledge base with your organizational knowledge
Current state assessment and recommendations

Appendix D: Conversion Path Details

Conversion Criteria

If all three KPIs meet ≥20% thresholds:

Cycle-Time Reduction: ≥20% improvement
Rework Reduction: ≥20% reduction
Requirements Quality: ≥20% improvement

Then: Trial automatically converts to 12-month enterprise subscription at agreed pricing with 5 licenses (expandable to additional licenses).

Conversion Process

Week 9 (Assessment Phase):

Final KPI analysis completed
Epic sign-off obtained
Stakeholder feedback collected
Conversion decision made based on measured outcomes

If KPIs Meet Thresholds: Conversion to 12-month subscription initiated. Pricing and terms agreed. Subscription begins immediately after trial completion.

If Metrics Don't Hit Targets

You Still Win: Even if KPIs don't meet thresholds, you receive:

Complete Epic deliverables (requirements, test cases, diagrams)
Measured baseline and process insights
Proof of concept for future decisions
Clear understanding of what works and what doesn't
No wasted investment—value delivered regardless

Appendix E: Technical Requirements

Database/Bucket Specifications

You provision database/bucket infrastructure (e.g., PostgreSQL 14.12+ or equivalent bucket storage) with the following baseline requirements:

Compute: 4 vCPU, 16 GB RAM minimum (final sizing validated via workload test) - applies to database instances
Storage: 30 GB initial, expandable to 100 GB+, encrypted at rest per organization standards
Extensions: pgvector extension for advanced search and knowledge retrieval capabilities (if using PostgreSQL)
Encryption: TLS 1.2+ for connections, encrypted at rest
Backup: Daily backups per organization policy, 7-30 days retention
Monitoring: 60-second monitoring intervals, comprehensive logging

The database/bucket is hosted in Aramex's infrastructure, controlled by Aramex, and accessible only through secure private connections from ReqOps' AWS tenant.

Infrastructure Requirements

Network Connectivity: ReqOps will connect to both the database/bucket and AI endpoint via Private Link (or VPN-based access, optional). Both endpoints must meet the following requirements:

Hosted in a private network segment without a public IP
Reachable solely via a mutually authenticated Private Link (or VPN) from ReqOps' AWS tenant
Inbound access restricted to ReqOps network ranges over private tunnel
TLS 1.2+ encryption with valid certificates

Onboarding Gate: Aramex is responsible for implementing and maintaining this configuration. ReqOps will not onboard environments where the database/bucket or AI endpoint are exposed on public endpoints.

Integration Requirements

Optional Integrations:

SSO: Azure AD, Okta, or equivalent (if required)
Jira/Azure DevOps: API access credentials and permissions (optional for trial)
Figma: Enterprise edition integration (optional)

Note: Integrations are optional—we can demonstrate value without them initially.

User Access

Provision user accounts for trial participants (5 licenses) with appropriate access levels. We help with setup and configuration.

Next Steps

To proceed: Sponsor confirms (Yes/No) that procurement should initiate ReqOps onboarding.

What We Provide: All vendor information, security documentation, trial agreement templates, technical specifications, and ongoing guidance throughout the process.

To confirm acceptance and initiate the pilot, please contact your primary contact at ReqOps.

Proposal Reference

015/A

Client

Aramex

Project

ReqOps - Trial for 5 Licenses

Vendor

ReqOps

Date Issued

19th November, 2024

Proposal Valid

30 days from date of issue