Data Processing Addendum (DPA)
Document version: 2026-05-06.v1 · Last updated: 6 May 2026
When this document applies: when you upload data whose data subject is someone else (for example your engineer's CV, a finance personnel's NID, or a procuring entity's bidder list), you are the data controller and we are the data processor. The terms of that relationship are set out in this DPA.
One-line — When data you upload describes someone else (key personnel, procuring-entity contacts), you are the controller and we are the processor — this DPA sets the rules.
1 · Scope
This DPA forms part of the Terms of Service and applies wherever you (the “Controller”) submit personal data to TenderPulse for processing on your behalf — including but not limited to:
- Key personnel records (name, NID, qualification, CV files)
- Procuring-entity contact information embedded in tender ZIPs
- Third-party signatory or witness details on uploaded vault documents
- Bidder consortium / JV partner personal data
2 · Roles
- Controller — you (or the company you act for). You determine the purpose and means of processing.
- Processor — TICON SYSTEM LIMITED (TenderPulse). We process the data only on your documented instructions.
- Sub-processors — AWS, Anthropic (via Bedrock), Cohere (via Bedrock), EPS Bangladesh — see clause 4 of the Privacy Policy for the full list.
3 · Documented instructions
Your written instruction to us is: process the personal data only as needed to deliver the TenderPulse service to you — i.e. store it, run eligibility / fit-score / PPR-compliance analysis against it, present it back to you, and retain it per the retention schedule in clause 6 of the Privacy Policy.
We will not use the personal data for any other purpose, including not for our own analytics, not for marketing, and not for model training.
4 · Confidentiality
Every TICON staff member with access to your tenant data is under a written confidentiality undertaking. Engineering access to a specific tenant’s production data requires audited break-glass approval and is logged in AdminAuditLog.
5 · Security measures
We implement the security measures listed in clause 8 of the Privacy Policy — including: AES-256-GCM encryption at rest, TLS 1.3 in flight, KMS key management, role-based access control, append-only admin audit log, OTP / password hashing, SOC 2 sub-processors.
6 · Sub-processor management
- You authorise the sub-processors listed in clause 4 of the Privacy Policy.
- We will give 14 days’ notice before adding a new sub-processor; you may object during that window. If we cannot accommodate the objection, you may close the account and receive a pro-rata refund.
- Each sub-processor is bound by data-protection terms equivalent to this DPA. AWS and Anthropic are SOC 2 Type II certified.
7 · Data subject rights
If a data subject contacts us directly to exercise their rights (access / rectification / erasure / portability / objection), we will redirect them to you and notify you within 5 business days. You as Controller are responsible for the substantive response. We will assist you with reasonable technical measures.
8 · Personal-data breach notification
We will notify you without undue delay (target: within 48 hours of becoming aware) of any personal-data breach affecting your tenant. The notification will include — to the extent then known — the nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken or proposed.
9 · Audit
- Once per calendar year, on 30 days’ written notice, you may request a remote audit (review of our security documentation + sub-processor SOC 2 reports) at your cost.
- We will not allow on-premise audits of our shared infrastructure for security reasons; the AWS, Anthropic, and Cohere SOC 2 reports cover the underlying components.
10 · Cross-border transfers
All personal data we process under this DPA stays in AWS Singapore (ap-southeast-1). We do not transfer it elsewhere without your explicit instruction.
11 · Termination & return
On termination of the underlying Terms of Service, we will, at your choice and within 30 days, either: (a) delete all personal data you uploaded, or (b) return it to you in a structured machine-readable export. Backups containing the data age out within 35 days of termination.
12 · Liability
Liability under this DPA is governed by clause 14 of the Terms; the cap there applies to claims under both documents cumulatively, not separately.
13 · Governing law
This DPA is governed by Bangladesh law and follows the dispute-resolution clause of the Terms.
See also: Privacy Policy · Terms of Service · EULA