Provision of Independent Information Security Review Services - Tirana / Albania
UNOPS
Request for proposal
Reference:
RFP/2025/58978
Beneficiary countries or territories:
Albania
Registration level:
Basic
Published on:
04-Sep-2025
Deadline on:
06-Oct-2025 14:00 0.00
Description
This RFP refers to the procurement of: Provision of Independent Information Security Review, Tirana, Albania
-----
IMPORTANT NOTE: Interested vendors must respond to this tender using the UNOPS eSourcing system, via the UNGM portal. In order to access the full UNOPS tender details, request clarifications on the tender, and submit a vendor response to a tender using the system, vendors need to be registered as a UNOPS vendor at the UNGM portal and be logged into UNGM. For guidance on how to register on UNGM and submit responses to UNOPS tenders in the UNOPS eSourcing system, please refer to the user guide and other resources available at: https://esourcing.unops.org/#/Help/Guides
-----
This tender has been posted through the UNOPS eSourcing system. Vendor Guide: https://esourcing.unops.org/#/Help/Guides
This procurement opportunity integrates considerations for at least one sustainability indicator. However, it does not meet the requirements to be considered sustainable.
Climate change mitigation and adaptation
Environmental
The tender contains sustainability considerations for preventing or minimizing damage associated with climate change.
Examples:
Energy efficiency, greenhouse gas reporting and emission offsetting.
| Link | Description |
|---|---|
| https://esourcing.unops.org/#/Help/Guides | UNOPS eSourcing – Vendor guide and other system resources |
80101507 - Information technology consultation services
New amendment added #2: Deadline for submissions extended until Monday, 6th of October 2025.
Edited on:
01-Oct-2025 11:47
Edited by:
webservice@unops.org
New clarification added: Dear Team, If it is a sole tenderer, how should Form D be completed? Thank you
Dear bidder
If there is a sole tenderer, Form D is not applicable and should therefore not be submitted.
Thank you
Edited on:
23-Sep-2025 15:35
Edited by:
webservice@unops.org
New clarification added: Dear Procurement team, If a company will participate in the tender as sole tenderer not a JV, will it be mandatory to fulfill Form D: Joint Venture Partner Information Form? If no, how should we fulfill it in the document checklist? As we see, it is a mandatory criterion. Looking forward to hearing from you,
Dear Bidder
Form D is to be completed and returned with your Proposal if the Proposal is submitted as a Joint Venture/Consortium/Association. If the proposal is a sole tender, the Form B: Checklist Form should indicate ☐ NA when asked about Form D: Joint Venture Partner Information Form.
Thank you
Edited on:
23-Sep-2025 13:39
Edited by:
webservice@unops.org
New clarification added: Dear team,
Under Stage 3. Validation, Section 3.1 describes the activity: ‘Perform a security assessment after CMS development is complete, ensuring security requirements are met.’
For clarification, does this activity refer specifically to verifying that the security requirements defined in Section 2.1 have been correctly implemented, or does it also include verification of additional requirements provided through other channels?
Thank you!
Dear Bidder,
We can confirm that the activities outlined in Section 3.1 specifically refer to the security advisory activities defined in Section 2.1.
Best regards,
Procurement Team
Edited on:
23-Sep-2025 10:38
Edited by:
webservice@unops.org
New clarification added: Dear team,
In Section IV: Schedule of Requirements, the RFP refers to a “lump sum, all-inclusive” financial proposal. Could UNOPS please clarify whether this wording requires us to include international/local travel expenses (airfare, accommodation, per diem, local transport, translation/interpretation, etc.) within the lump-sum proposal price, or whether such travel costs will be reimbursed separately in accordance with UNOPS travel policy and applicable UN DSA rates?
Our understanding is that, under UNOPS rules, professional service fees are to be included in the financial proposal lump sum, while official duty travel costs are normally treated as reimbursables and paid at actual cost against receipts. We would appreciate confirmation of the intended approach for this RFP.
Thanks in advance. Best regards,
Dear Bidder
The term "lump-sum, all-inclusive" requires bidders to include all necessary costs to provide the service at their own risk; no additional expenses will be reimbursed.
Best Regards
Procurement team
Edited on:
22-Sep-2025 16:27
Edited by:
webservice@unops.org
New clarification added: Dear team,
1. Could you, please, provide clarification regarding the procedure for changing key personnel, as stipulated in Clause 4.3 of the "Contract for Professional Services". The clause states that "any changes in the above key personnel shall require prior written approval of the Director, [insert name of Director] RO/OC UNOPS". Could you, please, provide details on the defined procedure for such requests? Specifically, the formal process for submitting a request for a personnel change, the applicable notice periods and expected timeframes for the review and approval process.
2. With reference to Clause 4.5, which stipulates that "The Contractor shall submit to UNOPS the deliverables specified hereunder according to the following schedule", we would like to inquire about the possibility of a deadline extension for certain deliverables (if needed). Could you please clarify the formal process and applicable terms for requesting such an extension?
3. With reference to Clause 4.6., "All reports shall be written in the English language, and shall describe in detail the services rendered under the Contract during the period of time covered in such report. All reports shall be transmitted by the Contractor by [MAIL, COURIER AND/OR FAX] to the address specified in clause 6.1 below". E-mail is not mentioned as a possible means for report submission. Please, confirm if electronic submission via email is also an acceptable method. Additionally, to ensure our complete compliance, could you please confirm the required periodicity for these reports (e.g., monthly, quarterly or upon completion of the stage).
Thank you in advance. Best regards,
Dear Bidder
Please find below UNOPS' responses:
1. Clause 4.3 outlines the requirement for prior written approval for any changes in key personnel. The detailed procedure for such requests will be communicated to the selected contractor during contract implementation. In general, this would involve a formal written request justifying the proposed change and submitting the CV of the proposed replacement for review and approval by the designated UNOPS official. However, please note that the full procedural details will be confirmed upon contract award.
2. The contract schedule is expected to be adhered to as agreed upon. That said, in exceptional circumstances where changes are necessary, the contractor may submit a justified written request. Any decision on deadline extensions remains at the discretion of UNOPS and will be assessed on a case-by-case basis after contract award.
3. While the clause mentions mail, courier, or fax, please note that UNOPS generally accepts report submission via email, unless otherwise specified in the final contract. The specific frequency of reporting requirements (monthly, quarterly, etc.) will be clearly stated in the contract deliverables schedule.
Please note that the above clarifications are provided for information purposes only and do not constitute a modification of the solicitation documents or contract terms. The final terms and conditions will be those agreed upon in the signed contract.
Best regards,
Procurement team
Edited on:
22-Sep-2025 10:15
Edited by:
webservice@unops.org
New clarification added: Dear Team,
Could you kindly provide Bidder’s Questions (1–18) that you responded to on 19 September 2025? It is currently unclear which specific questions your answers refer to.
Thank you in advance.
Dear Bidder
Please find here below the questions 1-18:
SUBMISSION OF TENDER:
1. Alternative proposals. Alternatives are allowed; how do you want them packaged and labelled (e.g., “Technical Option A/B” under the same RFP case)? Will you evaluate each alternative end-to-end (tech + price) or select a preferred technical alternative before opening the corresponding Financial?
SCOPE, ACCESS & DELIVERABLES:
2. Full scope confirmation. RFP says the audit covers “most” of GPO’s ICT estate across 14 sites plus the future CMS/BI—not only the new CMS/BI. Please confirm final in-scope boundaries and provide the latest inventory (devices/servers/OS versions/DBs/apps), network diagrams, WAN topology and counts (e.g., ~50 network devices; ~700 endpoints are mentioned as indicative only).
3. Rules of engagement (RoE) for testing.
- What testing is allowed on production (if any), what’s strictly prohibited (e.g., social engineering/phishing, DoS), and what are the typical maintenance windows and minimum lead time for approvals?
- Will UNOPS/GPO issue a written “safe-harbor” authorization letter?
- Are background checks required for our onsite testers; if yes, what level and lead time?
4. CMS vendor interface. Since CMS tech stack is “TBD” and will be procured later, how will our advisory synchronize with the CMS developer’s milestones? Who arbitrates conflicts (e.g., when we flag controls that affect scope/cost/timeline of the CMS build)?
5. Cloud/tooling constraints. CMS hosting must be on-prem (no public cloud). Are we allowed to use cloud-hosted tools for analysis/reporting (e.g., external VA/PT platforms, secure report portals), and if so, with what data-handling constraints?
6. Deliverables & acceptance. RFP lists nine deliverables (assessment, guidelines, VA plan, PT report, training plans, docs, compliance summary, monitoring/IR plan, continuous improvement). Please define acceptance criteria, number of review/iteration cycles included, approval timeframes, and whether “deemed acceptance” applies after a set period (important because payments require UNOPS acceptance).
7. Language. The docs say all reports in English, yet team should be able to provide documentation/training in Albanian. Please confirm required language(s) per deliverable and who is responsible for translation/interpreting on site.
8. On-site presence. Which phases must be onsite, expected number/duration of trips, and whether UNOPS/GPO provides workspace, visitor badges, and controlled Internet access.
TIMELINE:
9. Contract period & start. You indicate a 36-month engagement (Oct 2025–May 2028) with flexible/part-time cadence that intensifies at the start and end. Please confirm target start date, the high-level phasing you expect, and whether timeline shifts caused by CMS procurement/delivery will trigger equitable schedule and payment adjustments.
10. Retesting & remediation support. How many re-tests are expected/required within the price, and how will additional re-tests be ordered/paid? (This affects planning for VA/PT and “Validation” stage.)
11. Scenarios in evaluation. The ToR includes scenario-based evaluation items (legacy vulnerabilities, breach during testing, emerging ransomware). Are you expecting us to operationalize those playbooks during delivery, and should we price any specific tabletop exercises or incident drill(s)?
PRICING:
12. Pricing basis. Form F references a “Cost breakdown per deliverable/output.” Do you require a pure deliverable-based lump sum, or may we include time-based lines (e.g., T&M day-rates) under each deliverable for transparency?
13. Travel & ODCs. How should travel and other direct costs be handled—embedded in deliverable prices or itemized as reimbursables? Any caps, per-diems, or UNOPS travel policy constraints to apply?
14. Payment triggers. Payment is within 30 days of UNOPS acceptance; please confirm acceptance timeframe per deliverable, invoice documentation required, and whether partial payments are allowed for multi-part deliverables.
15. Price adjustment. Given the 36-month term, will UNOPS consider limited price indexation for out-years, or must pricing remain firm/fixed throughout (the template suggests “no adjustment”)?
COMPLIANCE:
16. Certifications & team mix. You list CISSP/CISM/CISA/OSCP/CEH/ISO 27001 LA/Implementer, GDPR (CIPP/E), CCNA/CCNP, plus a 5-expert minimum and >20 total staff. Please confirm whether all key roles must carry certifications at contract start or within a mobilization period.
17. Gender & local presence. Team should be “as gender-balanced as possible” (4 points). What evidence is expected? Also, what qualifies as “local presence” (own branch vs. local partner vs. dedicated onsite staff), and must we be registered in Albania?
DATA PROTECTION:
18. GDPR & data residency. Please confirm applicable data-protection regime(s) (Albanian law + GDPR alignment), approved data transfer/storage locations for working materials, and retention/destruction expectations for test data and evidence.
Best regards
Procurement Team
Edited on:
22-Sep-2025 09:47
Edited by:
webservice@unops.org
New clarification added: Dear team, we would like to ask if there is an affordability threshold or maximum budget range UNOPS will apply in evaluation (even if not published)?
Thanks in advance. Best regards,
Dear Bidder
As per Procurement Manual, art.6.5.5.3 Financial Criteria, iv, UNOPS cannot disclose the available budget for the contract.
Procurement team
Edited on:
19-Sep-2025 14:42
Edited by:
webservice@unops.org
New clarification added: Dear team, please clarify the following questions:
19. Breach protocols. The scenarios imply formal breach communications. Can you share the GPO/UNOPS incident response & notification workflow, RACI, and SLA timers we must follow during testing?
GOVERNANCE & KPI:
20. KPIs/SLA. The RFP says performance may be evaluated via KPIs/SLA - please provide the KPI set (if predefined) and reporting cadence.
21. Project governance. Who are the UNOPS and GPO focal points? Will there be a steering committee; what is the meeting cadence; what change-control process will be used for scope/timeline adjustments?
Here below follow the answers 19 onwards:
19. The scenarios in Section 2.7 of the RFP are designed to assess the bidder's "practical skills and ability to navigate real-world challenges". The bidder is expected to propose their firm's immediate internal and external response protocol for a security breach discovered during testing. The bidder's proposal must detail a communication plan for informing both UNOPS and the General Prosecutor's Office (GPO), including what information would be shared, with whom, and at what frequency. The bid should also include the immediate mitigating actions and documentation protocols for such an incident. In short, the RFP requires the bidder to propose and demonstrate their own detailed breach protocols as part of their technical submission. It does not require the client's pre-defined protocols that the bidder must follow.
20. Due to flexible nature of project timeline and delivery based approach no KPI/SLA was defined in Section IV: Schedule of Requirements. However industry-wide practice of at least bi-weekly status meetings are expected. Detailed status progress monitoring approach will be discussed and agreed with contracted bidder during the project start.
21. The focal point on UNOPS side will be the EU4DJ Project Manager, who will be responsible for the change control. Focal points on GPO side will be disclosed to winning bidder after the contract signing. EU4DJ Project as a whole has steering committee with regular committee meetings at least twice a year.
Procurement Team
Edited on:
19-Sep-2025 14:40
Edited by:
webservice@unops.org
New clarification added: Dear Bidder
1. Please refer to the article 15&30 Section II: Instructions to bidders, of the RFP document, for alternative proposals.
2. In-scope boundaries are described in section Scope of Work and Activities of the RFP document. Exact HW inventory is proprietary and would be confirmed during the initial phase of the engagement.
3. Disruptive testing is prohibited on production environment. Defining the specific list of planned testing activities is left up to consideration of Bidder who is expected to propose specific activities deemed most appropriate as a part of Approach and Implementation Plan. Any planned testing activities and required maintenance windows will be reviewed and confirmed by UNOPS/GPO during the initial phase of the engagement. UNOPS reserves the right to conduct background checks and due diligence on the Offeror recommended for an award. This may include a review of any criminal history for personnel who will access sensitive data. While at the moment security clearance for onsite testers is not expected, the possibility of background checks exist.
4. Please refer to General details Item e) Engagement Model and Project Dependencies. Final arbiter of any conflicts will be the UNOPS EU4DJ Project Manager.
5. Usage of public cloud tools for testing purposes is allowed as long as personal data is not stored in it.
6. The RFP does not explicitly define specific acceptance criteria, the number of review/iteration cycles, or strict approval timeframes for the nine listed deliverables. In general - the acceptance criteria will be tied to the deliverables themselves, such as the comprehensive nature of the security assessment reports, the clarity of the remediation plans, and the effectiveness of the training materials. We encourage bidders to detail their proposed methodologies in their technical proposal, which would be the appropriate place to define a review and the number of review and iteration cycles they are including within their proposed price. Given that payments are contingent on UNOPS acceptance, the bidder should not assume that deliverables will be automatically accepted after a set period. The standard UNOPS contract terms would govern the approval process, and it's typical for the client to have a reasonable amount of time to review and approve submitted work before payment is released. The financial proposal form (Form F) asks for a detailed breakdown of costs per deliverable, which reinforces that payment is linked to the delivery and acceptance of each specific item.
7. As per Schedule of requirements D) Access, Logistics, and Testing "All reports and presentations must be in English, but Albanian language proficiency within the consulting team is highly beneficial for communication with stakeholder staff". Responsibility of providing required translation is on Bidder and is being evaluated under Section 3.2.
8. The on-site presence is expected for intensive phases of the project. The RFP states that administrative access will be provided under control and with direct GPO supervision, which requires an on-site presence. Defining the planned list of required visits is left up to Bidder who is expected to propose schedule of presence deemed most appropriate as a part of Approach and Implementation Plan. UNOPS/GPO will provide workspace and required access to GPO office for the confirmed tasks which should be completed under control and with direct GPO supervision.
9. The expected start date for this project is November 2025, contingent on the contract signing date.
The most resource-intensive phases are anticipated to be:
- Initial security assessment, vulnerability analysis, and penetration testing (Stages 1 and 3).
- The design and delivery of security awareness and incident response training.
Expected outline of the timeline is:
- Stage 1 is expected to be completed within three months of the contract signing.
- Stage 2 will be executed concurrently with the CMS/BI design process.
- Stages 3 and 4 are scheduled to begin in the second half of 2027.
Please note that this timeline and the associated payment schedule are subject to possible shifts due to the project's dependencies and evolving requirements. As listed in "General details" Item E: bidders must account for intensive periods and propose solutions for potential CMS development delays affecting timelines and payments.
10. No additional re-tests or remediation support is expected except requested deliveries: Vulnerability Assessment Report & Remediation Plan. At the moment there is no separate budget for implementing remediation recommendations; costs will be reviewed and budgeted after the audit report, likely through future tenders or internal GPO budgets.
11. Please refer to Scope of Work - Stage 3.4. Bidders are expected to include the design and execution of such exercises as part of proposed methodology and training plan, and should price them accordingly within the lump sum for the "Training Plans" deliverable. The detailed cost breakdown in Form F should be used to show how these activities are factored into the overall price.
12. The "Financial Proposal Form" (Form F) asks for a lump sum price for each deliverable in Table 1. It also asks for a detailed cost breakdown, allowing bidders to itemize costs for personnel, travel, and other expenses in Table 2.
13. No UNOPS travel policy constraints to apply. Please provide your quotations as per returnable bidding form F: Financial Proposal Form.
14. The payment will be done as per deliverables, Form F: Financial Proposal Form, based on the weight inserted by the bidder. Timeframes will be established with the recommended bidder for award, in the Contract for Professional Services, art.5 Price and Payment.
15. No adjustment will be considered, as stated in the template.
16. Possession of relevant international certifications is a key evaluation criterion for the proposed team, and it is part of the Technical Proposal Evaluation section. While not mandatory, the bidder's proposal is expected to demonstrate that the team lead and key technical professionals have these certifications, along with at least five years of experience in information security analysis both during the contract start and within a mobilization period. Bidders are strongly advised to demonstrate internal capacity to maintain the professional level of the team through the whole assignment period in case of staff retention.
17. For the gender-balanced evaluation you can provide an Organizational chart with gender identifiers.
18. The primary law governing data privacy in Albania is Law No. 124/2024 "On Personal Data Protection". This law, which came into force in early 2025, is fully aligned with the European Union's General Data Protection Regulation (GDPR).
Please pay your attention that the bidder is expected to:
- Confirm their expertise and demonstrate a plan to comply with both GDPR and relevant Albanian data protection laws.
- Propose a methodology for securely handling, transferring, and storing sensitive data, adhering to the on-site, no-public-cloud requirement.
- Detail their procedures for data retention and destruction as part of their technical proposal, showing how they will manage test data and evidence records throughout the engagement and upon project completion.
(question 19 onwards on a separate section..)
Edited on:
19-Sep-2025 14:36
Edited by:
webservice@unops.org
New clarification added: Dear UNOPS Procurement Team,
We kindly request clarification regarding the structure of Form G (Technical Proposal). Specifically, the form provides a tabular format with rows for response. Our question is:
Are bidders required to respond to each row in the table as-is?
Or, is it acceptable to provide a customized, tailored section presented in a non-tabular format, but still structured in the same sequence and referencing each section/criterion as outlined in the ToR and Form G?
Our intent is to ensure full compliance while also improving readability and evaluation. For example, we propose to present our response using a combination of narrative text and structured tools such as tables, compliance matrices, stakeholder engagement frameworks, personnel qualification matrices, organizational charts, and infographics.
We presume this approach would be acceptable given that Form G states: “Adjust the section and criteria, below are just examples linked to the example criteria added in Section III.”
Could you please confirm whether this flexible formatting is permissible, provided that all required sections and criteria are clearly addressed in sequence?
Dear Bidder,
Flexible formatting is permissible however it's in Bidder interest to ensure that all information required for evaluation of the bid is easily accessible, can be clearly identified and linked to specific parts of RFP and does not require additional efforts to be summarized, clarified or guessed.
Procurement Team
Edited on:
19-Sep-2025 14:14
Edited by:
webservice@unops.org
New clarification added: Dear team,
For better understanding and clarity, could you kindly answer the following questions:
Under Section IV: Schedule of Requirements, Scope of Work and Activities:
1) Stage 1. Audit, 1.2 Perform a Vulnerability Analysis:
a. As this activity will be performed by using a vulnerability scanner, can you confirm that it is expected for results to be manually verified (i.e. to remove false positives)?
b. Should results be incorporated in the final report for Stage 1, or treated as a separate report?
c. Do you expect that these activities will need to be performed outside of business hours?
2) Stage 3. Validation, 3.3 Perform Penetration Testing:
a. As the CMS and BI systems are still under development and the technology stack has not been defined yet, it is difficult to assess required engagement for penetration testing activities. Would it be possible to at least get a high-level overview of functionality of both systems (i.e. modules that will be implemented) with an approximate number of rules?
b. It is mentioned that blockchain will be used to maintain audit trails. Can you specify more information about the blockchain technology that will be used?
c. Will it be possible to receive source code of both the CMS application and used blockchain in order to combine penetration testing with a SAST/source code audit?
d. In Testing scenario scope, phishing attacks are mentioned. This would typically not be included in methodology for penetration testing of applications (i.e. OWASP). Can you clarify if this activity should involve also employees/people, meaning that it is more like a red team engagement as opposed to a standard network and application penetration test?
e. Will this test be performed on test environment or production? If on production, can it be performed during regular business hours?
Thank you in advance!
Dear Bidder,
Please find here below the answers for your questions:
1)
a. It is left up to bidder's consideration to propose the approach and most relevant combination of tools required.
b. The results of the initial vulnerability analysis for Stage 1 are to be included in the Security Assessment Report for Stage 1.
c. At the moment there is no strict requirement that this activity must be performed outside of business hours. However given the nature of a vulnerability scan, it is expected that possibility to schedule this activity during off-hours to minimize any potential impact on network performance should be considered.
2)
a. At the moment it is expected that both systems should cover Case Management, Document Management, Evidence Management, Enforcement, Surveillance, Juvenile, Security Measures, BI & Reporting, Users Management, Integrations. Due to the early stage of business requirements it's impossible to provide information on approximate number of rules.
b. Specific blockchain technology is not identified yet however as per results of needs assessment it is expected that it will be used to avoid data tampering across audit trails/logs.
c. It is expected that source code access may be granted for the purpose of conducting static analysis and a source code audit of the CMS application.
d. Exact list of testing scenarios is left up to bidder's consideration to propose. If phishing attacks testing is proposed it is intended to include social engineering techniques, which are typically part of a red team engagement, to simulate a real-world, multi-faceted attack and test the human factor.
e. The penetration test for the CMS is expected to be performed on a pre-production environment "after development completion" and before the system is in "production mode".
Best regards
Procurement team
Edited on:
17-Sep-2025 14:36
Edited by:
webservice@unops.org
New clarification added: Under Contract_for_professional_services, Annex 2 UNOPS General Conditions of Contract for the provision of Services, we have a few questions:
1. The General Conditions of Contract for the Provision of Services (Annex 2 of the Contract) in Article 5.1 and Article 6.1 regulates the Contractor’s unlimited liability for damages.
Our question is: Is it possible to limit the Contractor’s liability for damages caused by ordinary negligence to the value of the contract, while liability in cases of intent or gross negligence would remain unlimited?
Limitation of liability for damages in cases of ordinary negligence is permitted by law, as ordinary negligence is recognized as a lower degree of fault. On our side, the Contractor may propose a limitation of liability exceeding the total contract value.
Proposal for added clause: Without prejudice to Article 5 and Article 6 of the General Conditions of Contract for the Provision of services, the Contractor’s total liability for damages arising from ordinary negligence shall be limited to the total value of the Contract. However, in cases where the damage results from the Contractor’s intent or gross negligence, such liability shall be unlimited.
2. Article 6.2 of the General Terms and Conditions sets out which insurance policies the Contractor is required to maintain and under what conditions during the performance of the contract.
If, in a specific case, the Contractor holds a valid professional liability insurance policy covering damages arising from the performance of professional activities, and a public liability insurance policy (covering third-party claims arising from its operations—including employer’s liability towards its own employees) but does not meet all the insurance requirements under Article 6 (e.g., the policies are not endorsed in favor of UNOPS (6.5.1), the policy does not cover subcontractors (6.3), etc.), is it possible to adapt the Article 6 to reflect the terms of the Contractor’s existing insurance policies?
These are valid insurance policies that the Contractor renews annually, and which are applicable within the EU. The Contractor can provide to UNOPS copies of these insurance policies for review.
Proposal for amended clause:
6.2 Prior to commencement of performance of any other obligations under the Contract, and subject to any limits set forth in the Contract, the Contractor shall take out and shall maintain for the entire term of the Contract, for any extension thereof, and for a period following any termination of the Contract reasonably adequate to deal with losses:
6.2.1 professional liability insurance policy
6.2.2 public liability insurance policy
To be deleted: Article 6.3, Article 6.5, Article 6.8.
Thank you in advance
Dear Bidder
Please find here below our answers:
- Limitation of Liability (Articles 5.1 and 6.1):
Please note that the liquidated damages clause, as stated in the tender documents, reflects UNOPS standard contractual terms. Specifically:
“UNOPS will deduct from the Contract price, as liquidated damages, a sum equivalent to the percentage of 0.3% of the original total Contract price for each day of delay until actual delivery or performance, up to a maximum deduction of 10%. Once the maximum is reached, UNOPS may terminate the Contract pursuant to the General Conditions of Contract.”
This clause will apply as issued and cannot be modified at the solicitation stage.
- Insurance Requirements (Article 6):
While we note your existing insurance coverage, UNOPS requires full compliance with the insurance provisions set out in Article 6. These requirements—including coverage of subcontractors and endorsement in favor of UNOPS—are mandatory. Substantial amendments or deletions (e.g., to Articles 6.3, 6.5, or 6.8) cannot be considered during the solicitation process.
Should your firm be selected for award, insurance documentation will be reviewed for compliance prior to contract signature.
We appreciate your understanding of UNOPS standard requirements.
Procurement team
Edited on:
17-Sep-2025 09:02
Edited by:
webservice@unops.org
New clarification added: Dear team,
Under FORM G: Technical Proposal Form, Section 3: Proposed Team, there is a list of four positions to be assumed under the Contract (Security lead, Security auditor, Penetration tester and Data privacy expert). I would like to confirm whether it is permissible to adjust the listed positions or add additional positions in order to better align the team structure with our proposed approach for Technical form.
Thank you for your clarification.
Dear Bidder
Team structure can be adjusted as per bidder's consideration and justification according to the proposed implementation approach and plan.
Thank you
Procurement Team
Edited on:
16-Sep-2025 14:41
Edited by:
webservice@unops.org
New clarification added: Dear team,
Under Section III: Evaluation Criteria – Technical Proposal Evaluation, Section 1: Offeror’s Qualification, Capacity, and Expertise, the criterion states:
"Relevance of specialised knowledge and experience on similar engagements. Proven experience in cybersecurity audits, penetration testing, and secure system design for public institutions, justice systems, financial services, or critical infrastructures of at least 5 years. Provision of references from previous or current clients – from 3 (three) to 5 (five) similar contracts."
Can you please clarify whether the 5-year minimum experience requirement refers to cumulative experience across all the mentioned services (cybersecurity audits, penetration testing, and secure system design), or if each of the listed services must independently have been provided for at least 5 years. In other words, can references cover a combination of these services provided during the 5-year period, rather than requiring 5 years of experience in each individual service?
Thank you.
Dear Bidder
We can confirm that 5-year cumulative experience is acceptable.
Thank you
Procurement Team
Edited on:
16-Sep-2025 14:40
Edited by:
webservice@unops.org
New clarification added: Dear team,
According to point 5 "Price and payment" of the "Contract for professional service" you offer two options: 1) fixed price, and 2) cost reimbursement. Could you please clarify who will choose the option - the contractor or the organizer, and when should the choice be made?
Thank you in advance!
Dear Bidder
We would like to let you know that the option 2) cost reimbursement, is applicable in this case. Please refer also to the Form F: Financial Proposal Form where there is cost breakdown table.
Best regards
The Procurement Team
Edited on:
16-Sep-2025 14:38
Edited by:
webservice@unops.org
New amendment added #1:
- Deadline for bid submissions was extended by 5 days, from 26th of September 2025 to 1st of October 2025;
- Deadline for clarifications was extended by 5 days, from 18th of September 2025 to 23rd of September 2025.
Edited on:
15-Sep-2025 16:41
Edited by:
webservice@unops.org
New clarification added: Dear team,
We would like to kindly clarify the requirements regarding the translation of supporting documents submitted with the proposal.
Our proposal will be submitted under a legal entity whose official corporate documents are issued in the national language of its country of registration, which is not English. Could you please confirm whether:
- Certified translations of such documents into English are required; or
- Simple translations (non-certified), prepared internally or using professional translation tools, would be considered sufficient for compliance.
We would be grateful if you could specify the acceptable format of translations to ensure our submission meets the formal requirements.
Dear Bidder
We can confirm that we do not need certified translations.
Thank you
Procurement Team
Edited on:
15-Sep-2025 14:14
Edited by:
webservice@unops.org
New clarification added: Dear procurement office,
I wanted to know whether there is a new version of the Contract for Professional Services? The version in the tender documents is over a year old, and in the document, it specifies to ensure that there is no other new version.
Thank you in advance!
Dear bidder
We confirm that the uploaded version of the Contract for Professional Services, in the documents section, is the last updated version.
Thank you
Edited on:
15-Sep-2025 10:43
Edited by:
webservice@unops.org
New clarification added: In Section III: Evaluation Criteria (Qualification Criteria), the RFP requires submission of audited financial statements for the last five years as evidence of positive net worth and turnover.
- Can you clarify if it is acceptable to submit financial statements without auditor's certification because as a US-based company we are not legally bound to conduct statutory audits of our financial statements.
Dear Bidder
We would like to thank you for the interest shown in this tender and we confirm that you can submit financial statements without auditor's certification as per US law.
Best regards
Procurement Unit.
Request for Extension of Proposal Submission Deadline – RFP/2025/58978
Dear UNOPS Procurement Officer,
We respectfully request a seven (7) day extension to the current submission deadline.
The scope of work involves significant technical complexity, requiring careful alignment with multiple international standards (ISO 27001, NIST Cybersecurity Framework, GDPR, OWASP) as well as consideration of Albania’s justice sector context (sensitivity to data). To ensure proposals are both comprehensive and fully compliant with UNOPS requirements, we request additional time for internal quality review, ensuring quality assurance and proper risk analysis/management for implementation. We thank you for your consideration and remain fully committed to submitting a strong and compliant proposal.
Dear Bidder
We would like to thank you for the interest in this tender, and we would like to inform you that we are going to extend the tender by 5 days. However you are going to receive an automated notification email regarding this.
Best regards
Procurement Unit
Dear procurement office,
I wanted to know whether there is a new version of the Contract for Professional Services? The version in the tender documents is over a year old, and in the document, it specifies to ensure that there is no other new version.
Thank you in advance!
Dear Bidder
We would like to thank you for the interest in this tender, and we confirm that the uploaded version of the Contract for Professional Services is the latest updated one.
Best regards
The Procurement Team
Edited on:
15-Sep-2025 10:42
Edited by:
webservice@unops.org
New clarification added: Dear team,
In Section III: Evaluation Criteria (Qualification Criteria), the RFP requires submission of audited financial statements for the last five years as evidence of positive net worth and turnover.
We would like to kindly clarify whether it is acceptable to submit financial statements for the past five years without audit certification, given that under Polish law our company is not legally obliged to conduct statutory audits of its financial statements.
Please confirm if non-audited financial statements, duly signed and approved according to Polish regulations, will be considered compliant with this requirement.
Thank you in advance for your guidance.
Kind regards,
Dear Bidder
Yes, we confirm that non-audited financial statements, duly signed and approved according to Polish regulations, will be considered compliant with this requirement.
Thank you
Procurement Team
Edited on:
11-Sep-2025 11:43
Edited by:
webservice@unops.org
New clarification added: Dear team,
In Form G: Technical Proposal Form, in Section 3: Proposed team, it is indicated that we need to provide Form K: Statement of Exclusivity and Availability. But there is no such form in the tender documents, nor in the response system. Is it correct that we don't need to submit this form?
Dear Bidder
We would like to confirm that you don't need to submit the Form K: Statement of Exclusivity and Availability.
Best Regards
Procurement unit
Edited on:
11-Sep-2025 11:42
Edited by:
webservice@unops.org
New clarification added: Dear team,
We would like to kindly seek clarification regarding the financial statements requirement stated in Section III: Evaluation Criteria (Qualification Criteria).
The legal entity we usually work under in the Albanian region is part of a large international group established in 2007. The legal entity itself was incorporated in 2019. However, this entity only started financial operations in 2021. Therefore, we are able to provide financial statements only for the years 2021–2024.
Could you please confirm if such documentation (covering 2021–2024) would be considered acceptable for compliance with the requirements?
Alternatively, we could submit our proposal under a different legal entity of the group, which has a longer financial history. Thus, please clarify what option would be more acceptable to the Evaluation Committee.
Kind regards,
Dear Bidder
Please submit your proposal under a different legal entity of the group, which has a longer financial entity.
Thank you
Procurement Unit
Edited on:
11-Sep-2025 11:40
Edited by:
webservice@unops.org
New clarification added: Dear team,
In Section III: Evaluation Criteria (Qualification Criteria), the RFP requires submission of audited financial statements for the last five years as evidence of positive net worth and turnover.
We would like to kindly clarify whether it is acceptable to submit financial statements for the past five years without audit certification, given that under Polish law our company is not legally obliged to conduct statutory audits of its financial statements.
Please confirm if non-audited financial statements, duly signed and approved according to Polish regulations, will be considered compliant with this requirement.
Thank you in advance for your guidance.
Kind regards,
Dear Bidder
Yes, we confirm that non-audited financial statements, duly signed and approved according to Polish regulations, will be considered compliant with this requirement.
Thank you
Procurement Team
Edited on:
06-Sep-2025 08:41
Edited by:
webservice@unops.org
New clarification added: Dear team,
In Form G: Technical Proposal Form, in Section 3: Proposed team, it is indicated that we need to provide Form K: Statement of Exclusivity and Availability. But there is no such form in the tender documents, nor in the response system. Is it correct that we don't need to submit this form?
Dear Bidder
We would like to thank you for your interest in the tender and we do confirm that you don't need to submit the Form K: Statement of Exclusivity and Availability.
Best Regards
Procurement unit
Edited on:
06-Sep-2025 08:40
Edited by:
webservice@unops.org