Provision of a Software Platform For Secure Push-To-Talk Communication for the Ministry of Interior of the Republic of Serbia

New clarification added: Dear potential bidders, We have received the following request:Based on the answers to the questions published on July 30, 2024. we kindly sent you a request to consider the possibility of holding a pre-bid meeting, for the purpose of clarifying numerous doubts regarding the technical request, which cannot be clarified in the best way through written questions and answers?Kindly note that we have taken into consideration possibility to hold a pre-bid meeting. However, please note that all clarifications regarding the technical questions should be in written form so that they are available to all potential bidders considering participation in the tender.Regards

New clarification added: (continuation of the text) •        QR code scanning (related to the workspace of the user)Q20. Could you please clarify this request in more details and provide an example?A20  The QR code scanning feature allows users to connect their application with on-premise servers located at the beneficiary's site. For example, by scanning a QR code, a user can securely link their mobile or desktop application to the local servers, enabling seamless integration and access to the necessary resources and services provided by those servers.  •        Visible biography of the userQ21. Could you please clarify this request in more details and provide an example? What details from user biography should be provided by the app?A21  The basic information about the user should be visible – first name, last name, company and job title. APPENDIX IV: Testing and Quality Assurance RequirementsTest plan1.    A Test Plan must be provided that includes also scenarios for the acceptance of the System2.    The Test Plan must include a description of testing that will be provided e.g.:a.      Functional testingb.      Load testingc.       Stress testingd.      Performance testinge.      Security testingf.       Recovery testingQ22. In order to clarify this requirement do you expect that Load, Stress and Performance testing be done on premise after installation by supplier or does supplier only need to provide reports for these tests?A22  The testing should be done on-premise at the beneficiary's location. Detailed testing must be conducted live, in collaboration with the beneficiary's employees, at the site in Belgrade.4. Maintenance and supportAfter acceptance testing is successfully done the Supplier will provide a 3-year warranty period at no additional charge, which will include free:•    Inclusion of the changes required by regulation changesQ23. Could you please clarify this request in more details and provide an example?A23 Refers to changes that would occur as a result of a change in the law or by-law that would require certain security or organizational changes (new systematization, change of organizational units, request for the implementation of a certain security protocol, etc. • Guaranteed “by-the-end-of-business-day” maximum response time for the regular operation of the software and guaranteed 1 hour maximum response time during the week before the deadline for submitting documents Q24. Could you please clarify what document is needed to be submitted or could you provide an example?A24 There is no document that you need to submit regarding this, by submitting the offer it is considered that the contractor will provide at a minimum the requested services in full scope as per requirements, or better/higher quality than required.(end of text)

New clarification added: (continuation of the text)•      All data is sent via the HTTPS protocolQ13. Our Solution uses HTTPS for web interfaces, certain communication, etc. However, other standard protocols are being used to carry on data such as RTP (for audio/video communication), etc. Can you please confirm that this is in line with the requirement?A13  It must have comparable security level to HTTPS.Security•        The database must record (log) every action, i.e. every access to any of the apps (website, Android, Windows, and Linux) must be recorded including all user activitiesQ14. We store logs of all actions in specific log files. Is this an option or is it mandatory to record all database log transactions?A14  It is mandatory to store all logs in the database. This ensures that all actions, including access to any of the apps (website, Android, Windows, and Linux) and all user activities, are easily accessible and filterable. These logs should be available on the administrative dashboard for comprehensive monitoring and management.•        Enabled selective and dynamic database data encryption (TDE encryption-at-rest)Q15. Could you please clarify this request in more details and provide a use case and example?A15  TDE encryption at rest is security standard and it must be active as part of the security of the complete solution. •        Enabled selective determination of user encryption keyQ16. Could you please clarify this request in more details and provide a use case and example?A16   User data stored in the database must be protected from unauthorized access. Each user should have a specific encryption key to ensure their data is secure and inaccessible to unauthorized individuals. For example, if a user’s personal data or communication logs are stored in the database, only the encryption key associated with that user should be able to decrypt and access that data. This selective determination of encryption keys ensures that even if one key is compromised, the data of other users remains secure. •        Enabled static encryption of the entire program codeQ17. In software development one of the standard processes is to obfuscate the code. Obfuscation does protect the code (i.e., adds an extra layer of security making it more difficult for hackers and malicious individuals to reverse engineer the software and find vulnerabilities (a security flaw, glitch, or weakness found in software code that could be exploited by an attacker). Could you please confirm that this is in line with the requirement?A17   Yes, the process of code obfuscation, as described, aligns with the beneficiary's requirement for static encryption of the entire program code. This method effectively enhances the security of the software by preventing unauthorized access and exploitation of vulnerabilities.User management•        Sector configuration (administrator can set the level of networking for the sector)Q18. Could you please clarify this request in more details regarding what are the levels of the networking for the sector and provide an example? Should we consider the sector being the organization structure (E.g. Police Department, Ambulance department, etc.)?A18o   As previously detailed, the sector configuration allows administrators to set the level of networking for each sector. A sector represents an organizational structure, such as a Department 1 or Department 2. The levels of networking refer to the types of connections that can be established between sectors:o   Incoming: Users from other sectors can initiate communication with this sector.o   Outgoing: Users from this sector can initiate communication with other sectors.o   Bidirectional: Users from both sectors can initiate communication with each other.o   This configuration determines how users in different sectors see and interact with each other.•        Adding an email address for user profile verificationQ19. Could you please clarify this request in more details and provide an example?A19- Email addresses should be used for multiple verification purposes within the user profile. For instance:Registration Links: Emails sent to users for verifying their email addresses during the registration process.Password Resets: Emails sent to users for resetting their passwords.Email Address Changes: If a user changes their email address, a verification email should be sent to the new email address to confirm the change.o   This ensures that all critical account changes are verified and secured through email confirmation. (continued in the following clarifications) 

New clarification added: Dear potential bidders, Please, see below clarifications required:The back-end must be based on the Node.js or equivalent cross-platform, open-source runtime environmentQ1. We can provide back-end module that is equivalent cross-platform and has a high performance, programmable engine supporting internet standard VoIP protocols both on the signalling plane and on the media plane. Can you confirm that you will accept solution that is not open-source?A1  The solution must adhere to our requirements from technical specification both in terms of functionality and in terms of the chosen technology. This applies to all questions.The classic REST API call can be completely replaced with a socket module to enable flexible and secure data transferQ2. We are not completely using REST API because it is not compatible with 3GPP standard. Can you confirm that you will also accept other solution that is compatible with 3GPP standard and are based on standard protocols, such as MCX?A2 Same as Q1, the solution must adhere to our requirements, and we cannot accept anything other than the REST API.•   The possibility of 2FA authentication using any publicly available application or SMS OTP codeQ3. We assume that authentication is performed via OpenID. The OpenID integration offloads the responsibility of authentication and security of user credentials to a central third-party OpenID server. In this Context the beneficiary should provide the OpenID server. Do you already use an OpenID server that will be used, or do you plan to use one for user authentication?A3  We do not plan to use an OpenID server. User management must be included in the platform, with the ability to set up 2FA. Users should have the flexibility to choose between an authenticator application or SMS OTP for two-factor authentication.•   The functionality to communicate with the server via the REST (Representational State Transfer)Q4. Our solution supports REST APIs for communication with external systems (e.g., geolocation servers, subscriber provisioning, etc.). But there are other protocols used such as SIP, RTP, etc that are needed for a Push to Talk solution. Could you please clarify this requirement?A4 All communication with server must be using REST APIs, just during calls where mandatory appropriate protocols can be used, but they must follow strict security standards.•   For the users to be separated by sector where only users in the same sector can communicateQ5. What do you mean by sector? Is that an internal organizational structure? Can you give us some examples.A5  As user management is integrated in this solution, administrators should be able to assign users to specific entities that are sectors and there we should be able to assign 3 types of connections between different sectors - incoming, outgoing, and bidirectional connection - it determines how users in different sectors see each other. •   The possibility of directly connecting users through one-time "pair" tokens, without the use of foreign/external communication media/channels Q6. Can you please clarify this point by giving some examples?Communication Server RequirementsA6 Two users who are in different sectors should have the ability to establish a direct connection between them so they can see each other and communicate when needed. This connection should be facilitated through one-time "pair" tokens and should be established outside of the sector architecture, without the use of any external communication media or channels. •  Anonymization of personal user data during the PTT callQ7. Could you please provide more details what is the purpose of anonymization? What personal user data must be anonymized? It cannot be audit if everything is anonymized, (how do you plan to track different events if all the user data are anonymised?)A7o   Limited Access for Call Servers:o   Call servers should only have access to user IDs, and basic call information during calls. This means they can identify and route calls without accessing personal information. By limiting the data accessible to call servers, you reduce the risk of unauthorized access or leaks.o   Separate Handling of Device Information:o   Device-specific information (such as hardware details) should be handled separately from call servers. Backend servers, which don’t handle calls directly, can manage this device-related data securely.o   Data Exchange with Backend Servers:o   When necessary, user data relevant to calls (such as preferences, settings, or context) can be exchanged with backend servers. Backend servers can handle this data securely without compromising call privacy.•   A three-part technical-logical protection of the structure of the communication API layerQ8. What do you mean by three-part technical-logical protection? Do you refer to a three-tier architecture?A8 Each request to server and between servers has to be encrypted, authorized and all fields must be validated to prevent any errors, SQLi or any similar attacks. •  PTT call access link enabled Q9. Could you clarify this request in more details and provide a use case?A9  This request refers to the ability to generate a PTT (Push-to-Talk) call access link that allows someone outside of the organization to join the PTT call. For example, if an external consultant or partner needs to participate in a critical communication, an access link can be generated and sent to them, enabling them to join the PTT call without being part of the internal organizational structure. •  The protection of user privacy when sharing locationsQ10. Location info is stored in the system that can be configured to be accessible only from local network, not exposed to the Internet or directly to devices. Can you please clarify this requirement?A10  Encryption must be implemented when storing user location information. Additionally, only authorized users involved in a specific PTT call should have access to this information. This ensures the protection of user privacy by restricting access to sensitive location data to authorized personnel only.•      Anonymization of personal user data during callsQ11. Can you please provide more details what personal user data during calls must be anonymize? User data are needed for tracking purposes (e.g. troubleshooting, etc.).A11 The answer is within A7Front-end Architecture RequirementsThe front end of the System must support and/or satisfy the following•      Has to be delivered as a) a web-based application, b) an Android and iOS app, c) a Windows application, and d) a Linux application Q12. We have solution that supports web-based application, Android and iOS. For Windows and Linux platform it can be accessible through web-based application. Is it acceptable for you this kind of technical solution?A12  The application must include a desktop application for both Windows and Linux platforms to ensure easier and more efficient workflow for the beneficiary’s employees and to provide better performance for notifications, which are optimized in desktop applications.(continued in the following clarifications) 

New clarification added: Dear potential bidders, Please, see below clarifications required:1) Can you provide more details on the calendar functionality you require? Are you looking to integrate third-party calendars, or should the app itself have a built-in calendar? If the latter, what specific functionalities are necessary for this calendar? Application should have built in calendar feature, with ability to schedule a meetings and share a join link to other users and guests.2) What are the exact requirements for video creation within the application? Are there any specific tools or features that need to be included?Just a regular video creation/ recording like in any other app without any specific tools or features, i.e. all features are specified in technical documentation. 3) Is the QR code scanning feature intended for login purposes, or is it meant for another function within the application? Please provide more details. QR code is intended for initial login as one time step to connect mobile app with backend servers, in order to prevent to mobile app have preconfigured details built in.  

New clarification added: Dear potential bidders, Please, see below clarification required:Q:Is it acceptable that the Bidder regarding selection criteria (expertise and personnel) relies on capacity of entity which is part of the same groupe as a Bidder (same ownership) but not a member of Joint Venture or Subcontractor? Specific, it would be capacity providing entity which give a statement that the Bidder will have at disposal expertise and personnel needed for realization of this project?A:If a bidder does not have all the expertise required for the provision of the services/goods/works to be provided under the contract, such bidder may submit an offer in association with other entities, particularly with an entity in the country where the goods and/or services are to be provided. In the case of a joint venture, consortium or association:i. All parties of such joint venture, consortium or association shall be jointly and severally liable to UNOPS for any obligations arising from their off er and the contract that may be awarded to them as a result of the solicitation process;ii. The offer shall clearly identify the designated entity to act as the contact point to deal with UNOPS, as detailed in the appropriate returnable form/schedule. Such entity shall have the authority to make decisions binding upon the joint venture, association or consortium during the bidding process and, in the event that a contract is awarded, during the duration of the contract; andiii. The composition or the constitution of the joint venture, consortium or association shall not be altered without the prior consent of UNOPS.When a joint venture, consortium or association submits an offer, the bid submission documents must be submitted in the name of the leading partner. Joint venture, consortia or association formed would guarantee to UNOPS and the beneficiary that the exact resources planned/offered will in fact be employed in the project realisation.

New clarification added: Dear potential bidders,UNOPS had received the suggestion for extension of the deadline due to the complexity of the project and vacation season, and after considering the suggestion it has decided to accept the suggestion. Therefore, new deadline for bids submission is  Monday 19 August 2024 until 3pm latest / Belgrade time.New deadline for requesting clarifications from UNOPS is also extended to Thursday 15 August until 3pm latest / Belgrade time.RegardsTender Evaluation Committee

New amendment added #2: Dear potential bidders, UNOPS hereby amends the tender as follows:Extension of the deadline for bids submission - new deadline is  Monday 19 August 2024 until 3pm latest / Belgrade time.Dedaline for requesting clarifications from UNOPS is also extended - new deadline is Thursday 15 August until 3pm latest / Belgrade time.RegardsTender Evaluation Committtee

New clarification added: Dear potential bidders,Please, see below clarifications required:Q:If our company does not have ISO 27001 certificate can we apply tender and do we have chance to win this tender without this certificate?A:One of the criteria elements is that the bidder is ISO 27001 Standard certified (with certification to be submitted as a proof). This is a "pass/fail" criteria element, meaning that if the bidder does not posess this certificate it can apply to this tender but its bid will not pass technical evaluation phase, as it would lack compliance with one of the criteria. RegardsTender Evaluation Committee 

New amendment added #1: Dear potential bidders, UNOPS hereby amends the tender as follows:Extension of the deadline for bids submission - new deadline is  Monday 05 August 2024 until 3pm latest / Belgrade time.Dedaline for requesting clarifications from UNOPS is also extended - new deadline is Thursday 01 August until 3pm latest / Belgrade time.RegardsTender Evaluation Committtee

New clarification added: Dear bidders representatives, Please be informed that UNOPS is considering extension of the tender based on the request by several bidders.RegardsTender Evaluation Committee

New clarification added: Dear potential bidders, Please, see below clarifications required:Q1. How many Mobile user licenses are required?A1. 250 user licenses are required.Q2. How many dispatcher licenses are required?A2. 25 concurrent dispatcher licenses are required, and option that every user can be promoted to dispatcher.Q3. How many video call licenses are needed for Mobile and dispatcher?A3. All users and dispatchers must have video call option (license).Q4. Is there any integration needed with LMR ((TETRA, P25, DMR)? If yes please specify how many and the relevant details?A4. No, there is no integration with LMR systems.Q5. Who will provide the Hardware (Servers and other needed elements such as switches)?A5. The MoI will provide HW as stated in section 3c.Q6. What smartphone models will be used?A6. Different phone models will be used, so system must be device agnostic.Q7. In case an existing solution complies with the technical requirements and no extra development is needed, what would happen with the technical points related to developers and business analysts?A7. All technical points related to developers and business analysts must be satisfied in any case.