Reports · Tender & delivery verification

Set the bar in the tender. Check it at delivery.

Every bidder claims clean, maintainable, well-tested code — none of it checkable from a slide deck. The tender annex makes quality a requirement instead of a promise: measurable criteria bidders commit to, verified at delivery by an independent rubric neither party owns.

SAMPLE · ANNEX D — CODE-QUALITY REQUIREMENTS

The annex you put in the RFP

CAI at acceptance: ≥ 80
Security & compliance lens: ≥ 75 · zero critical CVEs at hand-over
Measured by: independent scan · rubric frozen at award
Through maintenance: scheduled scans · buyer owns the subscription

Illustrative, not legal advice. The profile identity (repo + rubric version) carries tender → contract → delivery with no re-negotiation of the bar.

Phase by phase

Measurement at every milestone.

Phase 1

In the tender

Measurable criteria in the RFP — every bidder graded by the same ruler. A bidder's hesitation to accept the clause is also information.

Phase 2

During delivery

Scheduled scans converge on the agreed thresholds. A falling trend is a conversation in week 6 — not a surprise at acceptance.

Phase 3

In hypercare

A daily security watch and regression flags: new CVEs, leaked secrets, score drops — with a changelog every scan.

Phase 4

After

Quarterly oversight for years: trend lines, the changelog, a CycloneDX SBOM and CWE-tagged findings on file.

Regulatory oversight

Demonstrate ICT-supplier oversight for DORA & NIS2.

The audit is the artifact

Scheduled scans are the compliance evidence.

DORA and NIS2 expect you to demonstrate ongoing oversight of your ICT suppliers. A standing, independent, reproducible measurement — dated, signed, on file — is that demonstration. No extra paperwork to invent.

Who pays for the thermometer

The buyer owns the subscription.

Never the supplier. Who pays for the thermometer decides whether the stamp means anything — and the generated contract language states it explicitly.

How it runs

Three steps from RFP to verified delivery.

Put the annex in the RFP

The measurable criteria bidders commit to — the same identity (profile + rubric version) carries straight into the contract on award.

Verify the delivery

At hand-over, the delta verdict confirms the codebase meets the agreed CAI floor and per-lens minimums — pass, fail, or N/A with the reason stated.

Keep oversight

Scheduled scans through the maintenance term show whether the system you depend on is holding its quality or drifting.

Make measurement a requirement. Then check it.

Priced per engagement · the verification verdict is a signed, commit-pinned artifact.