Tender & delivery verification
Set the bar in the tender. Check it at delivery.
Every bidder claims clean, maintainable, well-tested code — none of it checkable from a slide deck. The tender annex makes quality a requirement instead of a promise: measurable criteria bidders commit to, verified at delivery by an independent rubric neither party owns.
SAMPLE · ANNEX D — CODE-QUALITY REQUIREMENTS
The annex you put in the RFP
- CAI at acceptance — ≥ 80
- Security & compliance lens — ≥ 75 · zero critical CVEs at hand-over
- Measured by — independent scan · rubric frozen at award
- Through maintenance — scheduled scans · buyer owns the subscription
Illustrative, not legal advice. The profile identity (repo + rubric version) carries tender → contract → delivery with no re-negotiation of the bar.
Phase by phase
Measurement at every milestone.
Phase 1
In the tender
Measurable criteria in the RFP — every bidder graded by the same ruler. A bidder's hesitation to accept the clause is also information.
Phase 2
During delivery
Scheduled scans converge on the agreed thresholds. A falling trend is a conversation in week 6 — not a surprise at acceptance.
Phase 3
In hypercare
A daily security watch with regression flags for new CVEs, leaked secrets and score drops, plus a changelog with every scan.
Phase 4
After
Quarterly oversight for years: trend lines, the changelog, a CycloneDX SBOM and CWE-tagged findings on file.
Regulatory oversight
Demonstrate ICT-supplier oversight for DORA & NIS2.
The audit is the artifact
Scheduled scans are the compliance evidence.
DORA and NIS2 expect you to demonstrate ongoing oversight of your ICT suppliers. A standing, independent, reproducible measurement — dated, signed, on file — is that demonstration. No extra paperwork to invent.
Who pays for the thermometer
The buyer owns the subscription.
Never the supplier. Who pays for the thermometer decides whether the stamp means anything — and the generated contract language states it explicitly.
How it runs
Three steps from RFP to verified delivery.
Put the annex in the RFP
The measurable criteria bidders commit to — the same identity (profile + rubric version) carries straight into the contract on award.
Verify the delivery
At hand-over, the delta verdict states whether the codebase meets the agreed CAI floor and per-lens minimums: pass, fail, or N/A, with the reason stated.
Keep oversight
Scheduled scans through the maintenance term show whether the system you depend on is holding its quality or drifting.
Make measurement a requirement. Then check it.
Priced per engagement · the verification verdict is a signed, commit-pinned artifact.