Provision of services for Development and implementation of a System for Electronic Document Exchange between Institutions signatories of the Agreement on Enhancing Cooperation in the field of crime suppression in Montenegro(UNOPS-MNEMig-2025-S-003)

New amendment added #2: Extension of the deadline for offer submission, the new deadline for offer submission is 24 September 2025, 10:00 UTC

New clarification added: Question: Question related to the architecture - the requirement that all institutions have separate servers, according to the documentation it turns out that this applies to the DMS server as well. Does it have to be that way? And then what about licenses, does it apply to every institution?Answer: Section 3.1. of the RfP stipulates that the Document Management System with the subsystem for electronic exchange of data and documents (the System) shall consist of multiple instances, each belonging to one Signatory Party. Such architecture is influenced by the provisions of the Agreement for the Enhancement of Cooperation in the Area of Crime Suppression and can not be changed.Section 7.1. defines that the vendor is required to include, within their proposal, all necessary accompanying software licences essential for the operation of the System in accordance with this Technical Specification. This means that all System components should be licensed for each of its instances (institutions).

New clarification added: Question1.     Regarding page 9, section "3. Cryptography/Key recovery", as well as page 32, section "Data and file encryption":Doesn't the request to upload "Systems for storage and recovery of E2EE keys" directly violate the concept of privacy insisted upon by the introduction of E2EE, because an employee (who has access to the aforementioned repository) can decrypt a message from the database, although it is requested that "Encryption must be implemented in such a manner that ... messages can only be accessed by the authorized officials for whom they are intended."? Also, although the documentation does not specify which E2EE algorithms are meant, the point of any E2EE handshake protocol is that a third party cannot technically discover the agreed encryption and decryption key –Does this mean that the client software should explicitly send the agreed E2EE key to the server?Answer 1: The RfP does not define mandatory encryption algorithms. The use of all valid and modern algorithms that are not obsolete and for which no known security vulnerabilities exist at the time of implementation is acceptable. When it comes to the encryption of messages/documents, etc., as specified in the RfP, the technological implementation must be designed by the selected bidder. The implementation must ensure: non-repudiation (to verify whether someone accessed the message content, refused to receive the message, etc.), the ability to create/use encryption key(s), and that the generated key can only be used by the key owner. Although the user may lose the generated key for various reasons, such a loss must not lead to the loss of previous messages, i.e. it must not prevent message decryption. Both the institution and the user must be immune to key loss. In case of key reconstruction/restore, a technical procedure must be implemented, documented, and logged, and it must not be possible for a single person to carry it out. The result of the implemented procedure must be the ability to decrypt the encrypted content. Question 2. Regarding page 32 and paragraph "Dynamic Watermarks": Given that today there are also free online AI tools for automatically removing watermarks from the page, is an alternative/additional solution of implementing some of the steganographic methods to hide the mentioned user information on the displayed page acceptable?Answer 2:The bidder may implement an additional solution or method that will enable the identification/detection of the source of information leakage, rather than hiding such information. Question 3. Could all client applications be implemented as Windows desktop applications?Answer 3: Client applications can be implemented either as Windows desktop applications or as web applications.Question 4. "The selected vendor is required to establish the development/build environment on hardware owned by the MoI. All versions of the application must be compiled (built) within this environment located at the MoI."Does this mean that development must be done on-site at the MoI?Answer 4:The selected bidder may develop the System in their own development environment, but all changes and versions of the application’s source code must be committed to the development environment established within the Ministry of Interior (MoI). For any version of the application to be deployed to the test or production environment, it must be built/generated in the MoI’s development environment.   Question 5. Page 35: ,, The Supplier shall deploy a testing environment on the MoI server infrastructure. The testing environment shall be maintained separately from the production environment at the network level." Given that data exchange is an important aspect of the System, will the Test environment include all or at least two separate instances of the system that would simulate the signatory institutions? Regarding the implementation of the new version of the server software components on Production, is it planned to be done on-site for each of the signatory institutions or will there be some "network hub" from which that deployment could be done remotely?Answer 5: The test environment will include at least two separate instances of the System that would simulate the institutions of the Signatory Parties. Regarding the implementation of new versions of the server software components in the production environment, this must be carried out on-site for each of the signatory institutions.Question 6. In the section "5.12 Generation of electronic forms (templates)", does "electronic form (template)" mean a digital document with interactive fields that the user can fill out electronically, such as a "PDF form"?Answer 6: An electronic form (template) refers to a digital document with interactive fields that the user can fill in electronically or that will be automatically populated with data from the System’s database. When creating the final document, the user must have the ability to modify both the static and the interactive parts of the template.

New clarification added: Question:In Annex 1, Examples of narrative description of workflow, section ”Electronic Signing and Validation” you state the following: ”The System verifies document compliance with relevant laws and regulations (e.g., GDPR). regulations”. Can you provide a specific example of how the System should verify document compliance with relevant laws, considering that e.g. GDPR is a comprehensive law? Please be as specific as possible with the example so that we fully understand the expected scope of this functionality.Answer:When the narrative description of the workflow states that “The System verifies document compliance with relevant laws and regulations (e.g., GDPR). regulations” this, in the context of the RfP, refers to technical and procedural checks that ensure:Integrity and authenticityWhen electronically signing and later validating the document, the system automatically verifies:whether the document has been altered after signing (integrity),the validity of the electronic signature, including verification of the certificate used for signing, its revocation status, and the trust chain.Access logs (logging)The system keeps detailed and non-repudiable logs of every action performed on the document (access, modification, signing, validation).The status of the user’s action is also recorded (whether the document was received/reviewed/rejected).GDPR principles and data protection – In practice, “verifying compliance with GDPR” means that the system, at the business logic level, automatically enforces the following:Data retention periods: documents and data cannot be stored indefinitely; the system must have built-in mechanisms for automatic deletion or anonymization after the prescribed retention period expires.Lawfulness and purpose limitation: a user may access the document only if authorized in accordance with the purpose of processing (the system checks user roles and permissions).Abuse preventionWhen displaying the document in the system, a dynamic watermark with the user’s identifier and access timestamp is embedded, thus ensuring traceability in case of unauthorized printing or distribution. 

New clarification added: We have carefully reviewed the RFP documentation and would like to request clarifications on the following points:Question 1. Separate instances for each institutionThe RFP specifies that each signatory institution must have its own dedicated system instance:Ministry of Interior (Police Directorate)Ministry of Justice, Human and Minority Rights (Directorate for Execution of Criminal Sanctions)Ministry of Finance and Social Welfare – Revenue and Customs AdministrationMinistry of Finance and Social Welfare – Cadastre and State Property AdministrationSupreme Court of MontenegroSupreme State Prosecutor's OfficeJudicial CouncilCentral Bank of MontenegroFinancial Intelligence Unit of the Police DirectorateConsidering that each institution has specific processes and integrations, and given the implementation timeline of 9 months, is there a possibility for a phased approach (e.g., one central instance with gradual replication) or prioritization of institutions?Excerpt from the RFP:“The Document Management System with the subsystem for electronic exchange of data and documents (the System) shall consist of multiple instances, each belonging to one Signatory Party. Each instance of the System shall comprise the following components.”Answer 1:Bidder is obliged to implement the Document Management System with the subsystem for electronic exchange of data and documents at all specified instances within the project implementation timeline defined in the Section 9.1 of the Schedule of Requirements. Bidder is free to choose the implementation approach as long as it fits the project implementation timeline and meets requirements set by the Schedule of Requirements.Question 2. Microservices architectureThe RFP states that the architecture must be microservices-based.Given that there are already existing DMS implementations with modular architectures that successfully scale, is microservices architecture strictly mandatory, or could it be considered as recommended, provided that performance and scalability can be demonstrated?Excerpt from the RFP:“The architecture of the System must be microservices-based. All software components of the System must operate on the latest officially released stable versions.”Answer 2: Microservices architecture of the System will not be considered as mandatory but recommended. Question 3. Encrypted index (search over encrypted content)The RFP requires that documents and databases must be encrypted in a way that administrators cannot access the content.At the same time, it requires indexing and search over the content. Would it be acceptable to implement partial encryption of metadata to enable indexing, given that a fully “encrypted index” significantly complicates implementation?Excerpt from the RFP:“All data stored in the database must be encrypted. The database administrator will only have access to encrypted data, while the real content of the data will remain inaccessible. All files stored in the system must be encrypted. The server should not have access to the actual contents of the files.”Answer 3: It is acceptable to implement partial encryption of metadata with the remark that Section 7.5. defines that metadata such as sender and recipient information, time of transmission, subject, etc., shall be visible to administrators; however, the content of messages and files shall remain encrypted.Question 4. Licenses for OS and DBThe RFP states that the vendor must provide all necessary licenses without limitations on duration, number of servers, or capacity.Question 4.1. Does this also apply to operating system and database licenses (e.g., Windows Server, Oracle, MS SQL), or exclusively to the DMS system and any supporting tools?Answer 4.1. This provision does not apply for Operating system licenses because Signatory Parties or MoI (for those institutions that lack the necessary infrastructure) will provide necessary underlying IT infrastructure including operating system for all System components. However, it applies for all software components of the System, meaning that the vendor must provide all necessary licenses without limitations on duration, number of servers, or capacity for all software components of the System including but not limited to database licenses.Question 4.2. We believe that requiring unlimited OS/DB licenses is not realistic and may affect the competitiveness of the bids.Additionally, could there be a situation where an institution insists on a specific type and version of operating system and/or database?Answer 4.2. There could not be a situation where an institution insists on a specific type and version of operating system and/or database.The selected vendor shall not be restricted in terms of the technologies utilised within the System, provided that they are current and widely supported technologies. Bidder with proven experience in developing software applications using technologies currently utilised by the Ministry of Interior for the development and administration of existing solutions such as .NET, C#, DevExpress libraries, and Oracle and Microsoft SQL database management systems will be awarded 2 additional points during technical evaluation as it is stated in the Technical Proposal Evaluation section 1.3.Excerpt from the RFP:“The vendor is required to include, within their proposal, all necessary accompanying software licences essential for the operation of the System in accordance with this Technical Specification. These licences must be free from limitations such as duration, number of application servers, storage capacity, and similar constraints.” 

New amendment added #1: Extension of the deadline for offer submission, the new deadline for offer submission is 16 September 2025, 10:00 UTC

New clarification added: QuestionWe kindly request an extension of the submission deadline by one week until 2025-09-16 10:00 UTC in order to have enough time for preparing the offer after the summer break.Answer:Please note that the deadline for offer submission will be extended, and the new deadline for offer submission will be 16 September 2025, 10:00 UTC

New clarification added: Question:  Regarding the Evaluation criteria point 1.4, we would like to have a clarification for the mentioned Question: We have a Consortium with a local company and according to point 1.4 : Proven experience in working in the Balkan region and Montenegro with the police/judicial/government bodies and the UN: (All joint venture/consortia members combined must meet it).So our question is Should Each member of the Consortium meet this criteria indivudually or will it suffice if any one member has the said criteria ?Answer:As stated in the Schedule of requirements, criteria point 1.4. Proven experience in working in the Balkan region and Montenegro with the police/judicial/government bodies and the UN: (All joint venture/consortia members combined must meet it) means that any of JV/Consortium members can fulfil this criterion, not each member of JV/Consortium.