Development Proposal — Capital Compass

1. Executive Summary

The Challenge

Organizations face slow, inconsistent, and untraceable capital allocation processes. Investment proposals arrive in disparate formats, evaluations depend on individual biases, and there is no auditable record of the decisions made. The manual review cycle takes weeks, with information scattered across emails, documents, and meetings, preventing objective comparisons and organizational learning.

The Solution

Capital Compass is an intelligent platform that standardizes and accelerates the complete investment proposal evaluation process. Zulunity will audit and complete the existing backend codebase — reviewing, fixing, and building the remaining functionality needed to deliver an AI-guided conversational intake in 4 phases, structured data extraction, multidimensional deterministic scoring, and a financial approval workflow — all backed by an immutable ledger that guarantees complete traceability and comprehensive SOC 2 preparation.

4

Weeks

$34,000

Investment MXN

7

Modules

4

Roles

💬

Conversational Intake

AI-guided chat with Gemini 2.0 Flash. 4 structured phases: Identity, Hypothesis, Impact, Economics. Real-time streaming via SSE.

📊

Deterministic Scoring

4-dimension evaluation (25 pts each = 100 max): hypothesis quality, impact clarity, cost confidence, execution readiness. Anti-gaming flags.

✅

Approval Workflow

Full lifecycle: draft → AI review → finance review → decision. Approve, reject, or revision requested with mandatory justification.

📚

Ledger & Audit

Append-only ledger with monotonic sequence. Recomputable materialized snapshot. Full audit log. Immutable original hypothesis.

📄

Reports & PDF API

Backend API for CFO Capital Allocation Brief PDF generation. AI-assisted comment refinement Lambda with streaming SSE.

🔒

Security & Compliance

Technical security controls: encryption at rest (KMS), Multi-AZ database, CloudTrail audit, CloudWatch monitoring, Secrets Manager, VPC Flow Logs.

📋

SOC 2 Preparation

Readiness assessment, gap analysis, control implementation documentation, policy creation, and evidence collection framework for SOC 2 Type II audit preparation.

2. Solution Overview

Platform Architecture

Capital Compass is built on a 100% serverless, multi-tenant architecture on AWS. Each organization operates within its own isolated PostgreSQL schema, identified via subdomain (e.g., acme.capitalcompass.com), ensuring complete data separation while sharing infrastructure:

Client-developed React SPA consuming documented REST APIs

proposal-chat (SSE) extract-proposal-data analyze-proposal proposal-decision comment-assist (SSE) ledger-write-event quarterly-rollup data-api (CRUD) cognito-post-confirm

Schema-per-tenant isolation 9 tables per tenant Encryption at rest (KMS) Multi-AZ deployment 30-day backup retention Append-only ledger Materialized snapshot

Gemini 2.0 Flash Conversational intake Structured extraction Deterministic scoring Comment assistance Anti-gaming flags

AWS KMS (encryption keys) Secrets Manager CloudTrail (API audit) CloudWatch Alarms VPC Flow Logs 30-day automated backups

Infrastructure Interaction Map

The following diagram shows how services communicate with each other at runtime, including protocols and data flow direction:

Infrastructure Interaction Map

Frontend (Client)

Compute (Lambda)

Database

AI

Auth

AWS Services

Architectural Principles

Serverless-first: Lambda + RDS eliminate server management and scale with demand.
Event sourcing lite: Append-only ledger as the source of truth; snapshot as a materialized projection.
Dual auth: Cognito for email/password + Firebase for Google Sign-In, both verified with JWT.
Structured schema: InitiativeData v1.0.0 as the contract between AI intake and deterministic scoring.
Streaming-first for AI: SSE for chat and comment responses, minimizing perceived latency.
Immutability: Original hypothesis captured on first submission; ledger with no UPDATE/DELETE.
Multi-tenant by design: Schema-per-tenant isolation in PostgreSQL with subdomain-based routing. Shared connection pool, per-request schema switching, and cross-tenant security validation.
SOC 2 Ready: Encryption at rest via AWS KMS, centralized logging (CloudTrail + CloudWatch), extended backups (30 days), automated secrets rotation, and documented security controls ready for Type II audit.
SOC 2 Preparation: Comprehensive readiness assessment, gap analysis, policy and controls documentation, and evidence collection framework to prepare for formal Type II audit engagement.
Audit & Complete: Zulunity reviews, audits, and fixes the client's existing backend codebase, then builds the remaining functionality to complete the platform.

System Roles

Role	Description	Key Permissions
Submitter	Investment requestor	Create proposals, AI chat, edit drafts, view own status
Finance Reviewer	Financial reviewer	Review queue, approve/reject, score override, AI comments
Admin	Platform administrator	Full access, user/role management, audit log, ledger

3. Scope & Deliverables

Engagement Model: Zulunity will audit the client's existing backend codebase, identify and fix issues, and build the remaining functionality to complete the platform. Frontend development is the client's responsibility.

Deliverables

#	Deliverable	Module	Description
1	AWS Infrastructure (Audit & Completion)	Platform	Audit existing VPC, RDS PostgreSQL 16, Lambda Functions (9), Cognito User Pool, EventBridge Scheduler setup. Fix issues and complete missing IaC with SAM/CloudFormation.
2	Dual Auth (Audit & Fix)	Platform	Review and fix existing Cognito email/password and Firebase Google Sign-In implementation. JWT verification in Lambda. PostConfirmation trigger.
3	AI Conversational Intake (Audit & Completion)	Intake	Audit existing intake Lambda, fix issues, and complete guided chat with Gemini 2.0 Flash across 4 phases (Identity, Hypothesis, Impact, Economics). Real-time SSE streaming.
4	Structured Data Extraction (Audit & Completion)	Intake	Review and complete Lambda that extracts JSON from transcript into InitiativeData v1.0.0 schema with 7 JSONB sections.
5	Deterministic Scoring (Audit & Completion)	Scoring	Audit and complete scoring engine: 4 dimensions (hypothesis quality, impact clarity, cost confidence, execution readiness) × 25 pts. Anti-gaming flags. AI narrative.
6	Financial Decision Workflow (Audit & Completion)	Workflow	Review and complete approve/reject/revision_requested workflow. Score override with justification. Materiality band, strategic alignment, portfolio fit.
7	Append-Only Ledger (Audit & Completion)	Ledger	Audit and complete 6 immutable event types with monotonic sequence. Recomputable materialized snapshot from events.
8	PDF Generation API	Reports	Backend API endpoint for CFO Capital Allocation Brief PDF generation: executive summary, scores, financial breakdown, risks, timeline.
9	AI-Assisted Comments API	Reports	Backend comment-assist Lambda with AI refinement via streaming SSE. AI-generated content flag. Threaded comment CRUD endpoints.
10	Automated Quarterly Rollup	Ledger	Quarterly EventBridge job that detects proposals in HOLD >90 days and flags them as resolution_required.
11	Multi-Tenant Architecture (Audit & Fix)	Platform	Audit and fix schema-per-tenant isolation in PostgreSQL. Subdomain-based tenant identification (acme.capitalcompass.com). Tenant provisioning, user-tenant mapping, and cross-tenant security validation.
12	Encryption at Rest & Key Management	Security	RDS encryption via AWS KMS with automated key rotation. Secrets Manager for database credentials and API keys with rotation policies.
13	High Availability Database	Security	Multi-AZ RDS deployment with automated failover. Extended backup retention (30 days) with point-in-time recovery.
14	Centralized Logging & Monitoring	Security	CloudTrail for API audit trail, CloudWatch dashboards and alarms for Lambda/RDS metrics, VPC Flow Logs for network monitoring.
15	SOC 2 Readiness Assessment & Gap Analysis	SOC 2 Prep	Comprehensive assessment against SOC 2 Trust Service Criteria. Gap analysis identifying control deficiencies, remediation roadmap, and current state evaluation.
16	SOC 2 Policy & Controls Documentation	SOC 2 Prep	Access control policies, incident response procedure, data retention schedule, change management process, vendor management policy, and risk assessment framework aligned with SOC 2 Trust Service Criteria.
17	SOC 2 Evidence Collection Framework	SOC 2 Prep	Templates and processes for collecting and maintaining audit evidence. Control testing procedures, evidence repository structure, and ongoing compliance monitoring setup.
18	Backend Deployment & API Documentation	Platform	Backend deployment on SAM. Comprehensive API documentation for frontend integration. Operations manual and technical documentation.

Out of Scope (Future Phases)

The following items are not included in this phase and may be addressed in subsequent phases:

Frontend Development

The client will develop the frontend application (React SPA) independently. Zulunity will provide documented REST API endpoints, authentication flows, and integration guides to support frontend development.

ERP/Accounting Integrations

Connection with SAP, Oracle, NetSuite, or other financial systems for automatic budget data synchronization.

Native Mobile App

Dedicated mobile application for iOS/Android. The platform is responsive but does not include a native app.

Advanced Analytics & ML

Predictive models for proposal success, automated industry benchmarking, portfolio clustering.

SOC 2 Formal Certification Audit

SOC 2 preparation activities (readiness assessment, gap analysis, control documentation, evidence collection framework) are included in scope. The formal Type II audit engagement with a certified auditor is not included.

4. Timeline

The project is executed in 5 phases over 4 weeks, with incremental deliveries and validations at the end of each phase.

Phase

W1

W2

W3

W4

Code Audit & Infrastructure

Backend Core (Intake, Scoring, Workflow)

Ledger, APIs & Remaining Lambdas

SOC 2 Prep & Security Hardening

QA, Deploy & Delivery

Phase Details

Phase	Duration	Key Activities
1. Code Audit & Infrastructure	1 week (W1)	Comprehensive audit of existing backend codebase. Fix VPC, RDS PostgreSQL Multi-AZ, encryption at rest (KMS), schema-per-tenant isolation, Secrets Manager, SAM template, Cognito User Pool, Firebase Auth (Google), subdomain routing, CloudTrail, VPC Flow Logs.
2. Backend Core (Intake, Scoring, Workflow)	2 weeks (W1–W2)	Audit and complete AI conversational intake Lambda (Gemini 2.0 Flash, 4 phases, SSE streaming), structured data extraction, deterministic scoring engine (4 dimensions), anti-gaming flags, AI narrative, financial decision workflow (approve/reject/revise).
3. Ledger, APIs & Remaining Lambdas	2 weeks (W2–W3)	Append-only ledger implementation, materialized snapshot, PDF generation API, AI-assisted comments Lambda, quarterly rollup, data-api CRUD Lambda. API documentation for frontend integration.
4. SOC 2 Prep & Security Hardening	2 weeks (W3–W4)	SOC 2 readiness assessment and gap analysis, CloudWatch dashboards and alarms, encryption validation, access control policies, incident response procedure, change management process, data retention policies, evidence collection framework setup.
5. QA, Deploy & Delivery	1 week (W4)	End-to-end testing (Vitest), cross-tenant isolation tests, security validation, production deployment (SAM), API integration guide for client frontend team, technical documentation, formal delivery.

5. Investment

Weekly Payment Schedule

Week	Amount
Week 1	$8,500 MXN + IVA
Week 2	$8,500 MXN + IVA
Week 3	$8,500 MXN + IVA
Week 4	$8,500 MXN + IVA
Total	$34,000 MXN + IVA

Payment Terms

Weekly payment of $8,500 MXN + IVA — Billed at the start of each week for a total of 4 weeks.

Infrastructure Costs (client responsibility)

Service	Free Tier	Post-Free Tier Cost
AWS RDS db.t4g.micro (Multi-AZ)	750h/month (12 months)	~$26/month
AWS Cognito	10,000 MAU (permanent)	$0
AWS Lambda	1M req/month (permanent)	$0
AWS Amplify Hosting (client-managed)	12 months free	~$0.01/month
AWS NAT Gateway	No free tier	~$32/month
AWS KMS (encryption key)	No free tier	~$1/month
AWS Secrets Manager	No free tier	~$1/month
AWS CloudTrail + CloudWatch	Management events free	~$3–5/month
Google AI Studio (Gemini)	Generous free tier	Usage-based
Estimated monthly total		~$75 – $95/month

6. Support & Maintenance

Included Post-Delivery Support

30 days of corrective support at no additional cost after formal project delivery. Includes:

Bug fixes reported during the support period
Minor configuration adjustments
Support via dedicated channel (Slack/email)
Basic AWS infrastructure monitoring

Weekly Maintenance Plan

After the included 30-day period, ongoing support and maintenance is available for $1,500 MXN + IVA per week. Includes:

Continuous monitoring of Lambda, RDS, and CloudWatch alarms
Security updates and dependency upgrades
Technical support with defined SLA
AWS performance and cost optimization
Scoring model and AI prompt adjustments
SOC 2 compliance monitoring and annual control review preparation
Database backup verification and disaster recovery testing
Secrets rotation and KMS key management
Tenant provisioning and onboarding support
API documentation updates for frontend integration changes

Referral Bonus: For every referral that results in a new signed contract, you earn 1 free week of support and maintenance.

7. Terms & Conditions

Infrastructure and Third-Party Services: Costs for Google Cloud, domains, certificates, storage, transactional email, and any external services are not included in this proposal and will be the client's responsibility.
Functional Validation: This proposal contemplates an initial functional landing to finalize fields, rules, and pilot exceptions. If structural changes to the process or new undocumented rules arise during development, their impact on scope, timeline, and cost will be evaluated.
Intellectual Property: Once 100% of the project is paid in full, intellectual property of the developed source code will be transferred to the client.
Scope Changes: Any additional functionality not contemplated in this proposal will be analyzed and quoted separately.
Migrations and Integrations: This phase does not include automatic historical data migration, ERP/accounting integrations, or external automations, unless explicitly stated in the scope.
Frontend Development: The client is responsible for all frontend application development, deployment, and hosting. Zulunity will provide documented API endpoints and integration support but does not develop, test, or maintain the frontend application.
Confidentiality: All information shared during the project will be treated under principles of confidentiality between both parties.
Disclaimer of Liability: After formal delivery of the solution and corresponding settlement, Zulunity is released from future responsibilities regarding operation, evolution, or maintenance of the system, except under express engagement of the optional support service.

8. Next Steps

Proposal Approval — Internal validation of terms, scope, and investment.
Contract Signing — Formalization of the project kickoff.
Advance Payment — Resource activation and team scheduling.
Kick-Off Session — Review of existing backend codebase, initial audit findings discussion. Finalize mandatory fields, stakeholders, exception rules, and base catalogs for the pilot.
Development Start — Formal kickoff with periodic follow-ups and incremental deliveries.

Zulunity

Transforming complex operations into scalable software.

Contact: Business Development Team

Email: contact@zulunity.com

Web: zulunity.com | zulunity.info