TenderPulse
DATA PROCESSING ADDENDUM · v2026-05-07.v1

Your data, our duty of care.

The processor-side commitments TenderPulse makes when handling personal data on your behalf. GDPR Article 28 throughout, BD DSA 2018 baked in, sub-processors disclosed in full. Last updated 7 May 2026.

GDPR Art 28 · DSA 2018 · SCCs + IDTA
1

Roles (controller / processor)

Roles

At a glance · IN BRIEF
Under this DPA you are the controller, meaning legal responsibility for your company's staff data and your clients' tender data rests with you. We are the processor: we process data only on your instructions, not for any reason of our own. This distinction is not just a legal formality; it is the foundation of our entire relationship.

This Data Processing Addendum (“DPA”) forms part of TenderPulse’s Terms of Service and applies whenever you, the customer organisation, submit personal data to TenderPulse for processing on your behalf. It governs the relationship between you as the data controller and TenderPulse as the data processor for all personal data processed under your TenderPulse subscription. GDPR Art. 28(3)

You are the controller. As a procurement firm, tender consultancy, or contractor organisation using TenderPulse, you are the entity that determines the purpose and means of processing the personal data associated with your subscription. This includes your staff members’ names and email addresses, the personnel records you maintain in the platform, and any personal data embedded within the tender documents and ZIP archives you upload. You obtained this data in the normal course of your business operations, and you remain responsible to the data subjects within it.

TenderPulse is the processor. We receive, store, transform, and return data only to the extent necessary to deliver the services described in the Terms of Service. We do not process your data for our own commercial purposes. We do not sell it, cross-analyse it against other customers’ data to generate insights for third parties, or use it to train machine-learning models. Our instructions come from you, not from our own business interests.

Where TenderPulse is also a controller. Our Privacy Policy covers the separate relationship where TenderPulse acts as controller of your user account data — your login credentials, billing records, and directly submitted profile information. That relationship is governed by the Privacy Policy, not this DPA. The DPA governs personal data you submit about third parties — your staff, your clients’ personnel, counterparties identified in tender documents, and any individual whose information appears in content you upload.

This DPA is designed to meet the requirements of a written contract between controller and processor as required by GDPR Art. 28(3) and the spirit of the Bangladesh Digital Security Act 2018’s data security obligations. Where this DPA uses GDPR article references, those references serve as the substantive standard regardless of whether GDPR applies directly to you. We have chosen to build to the higher standard.

Questions about this DPA may be directed to our Data Protection Officer at help@tenderpulse.com.bd. We aim to respond within five business days. If you need a countersigned copy of this DPA for your own records or compliance purposes, email us and we will provide a signed PDF within ten business days.

2

Subject matter & duration

Subject matter & duration

At a glance · IN BRIEF
This DPA begins on the day you sign up for TenderPulse and ends on the day your subscription is terminated; after that there is still a 30-day data return window. During this time we process only as much data as is needed to deliver the service. Nothing beyond that.

Subject matter. TenderPulse processes personal data on your behalf for the purpose of delivering the TenderPulse procurement copilot service — specifically: storing documents you upload, extracting structured data from tender archives, computing eligibility and fit scores for individual tenders, generating AI-assisted bid analysis and copilot responses, and presenting data back to you and your authorised users through the platform interface. GDPR Art. 28(3)(a)

Processing that is outside this scope is not authorised under this DPA. If you instruct us to process data for a purpose not described above — for example, to share data with a third party, to produce aggregated reports for external distribution, or to use your data in any capacity beyond the delivery of your subscription — we will treat that as a new documented instruction subject to the process in §4.

Duration. This DPA takes effect on the date you create a TenderPulse account or execute the Terms of Service (whichever is earlier) and continues in force for as long as TenderPulse processes personal data on your behalf. It terminates automatically upon the termination or expiry of the underlying Terms of Service, subject to the 30-day data return window and 30-day secure deletion period described in §9.

Nature of processing. The processing activities covered by this DPA include: collection (receipt of data you submit), storage (persistence in encrypted databases and object storage), retrieval (making data available to you and your authorised users), use (feeding data into eligibility scoring and AI inference pipelines), disclosure (returning data to you through the platform interface or export tools), and erasure (deletion per the retention schedule).

Type of data subjects. The individuals whose personal data TenderPulse processes under this DPA include: your staff members (those with TenderPulse accounts, those listed as key personnel in your company profile), individuals identified in tender documents you upload (procuring entity contacts, consultant names, reference project counterparties), and any other individual whose personal data appears within content you submit to the platform. You are responsible for ensuring that your processing of this data — including the act of submitting it to TenderPulse — has a valid lawful basis under applicable law.

Volume. There is no minimum or maximum data volume specified in this DPA. The obligations apply equally whether you process one personnel record or ten thousand. Processing volume does not affect our security commitments or the timelines we have committed to.

3

Categories of personal data

Categories of data

At a glance · IN BRIEF
The data we process on your behalf is listed explicitly here, from staff names and emails through to e-GP user IDs, data inside tender ZIPs, BOQ content, and payment metadata. We do not process any data beyond this. GDPR Art. 28(3)(b)

The table below exhaustively identifies the categories of personal data TenderPulse processes under this DPA. We do not process any category of personal data not listed here without first issuing an updated DPA and obtaining your renewed acknowledgement. GDPR Art. 28(3)(b)

Staff names and email addresses (subscriber side)

The full names and work email addresses of your organisation’s staff members who hold TenderPulse accounts. Also includes mobile numbers provided for OTP authentication. These individuals have directly consented to account creation and are aware of the processing. Lawful basis on your side: contract with employee / legitimate interests for business operations.

Key personnel records

Names, designations, qualifications, years of experience, email addresses, phone numbers, and optionally National ID numbers of engineers, finance personnel, authorised signatories, and other key personnel you add to your company profile. These individuals may not have directly interacted with TenderPulse. You are responsible for obtaining their consent or establishing another valid lawful basis before adding their records. NID numbers are stored encrypted and displayed only as the last four digits.

Procurement entity names and contact details

Names, designations, and contact details of officers and staff of procuring entities — government ministries, autonomous bodies, development project units — whose information appears within tender documents, ITBs, schedules, or correspondence files you upload. This data is incidental to the documents rather than explicitly submitted by you; we process it solely as part of tender extraction and analysis.

Tender ZIP contents and BOQ data

The full content of ZIP archives you download from e-GP and upload to TenderPulse — including Terms of Reference, Bills of Quantities, technical specifications, drawings, addenda, and general and special conditions of contract. BOQ line items may contain personal data where they reference specific vendors, consultants, or project personnel. This category also includes structured BOQ data extracted from uploaded archives by our parsing pipeline.

e-GP user IDs and portal credentials metadata

The e-GP user ID associated with your company’s portal registration. We store this as part of your company profile to support eligibility score computation and ITB matching. We do not store your e-GP portal password; authentication with e-GP is performed directly by you in the e-GP portal, not through TenderPulse. The e-GP user ID is treated as personal data because it can be linked to a specific natural person.

Payment metadata

Subscription plan, BDT amount, VAT, transaction reference, EPS merchant and transaction IDs, and paid-at timestamp. Payment metadata is associated with an individual account holder and therefore constitutes personal data. We do not process card numbers, CVV codes, PIN codes, OTPs, or any credential that constitutes payment instrument data — those are captured exclusively by EPS Bangladesh Limited.

Special categories

TenderPulse is not designed to collect or process special categories of personal data within the meaning of GDPR Art. 9 — health data, genetic data, biometric data, racial or ethnic origin, religious beliefs, political opinions, or sexual orientation. If documents you upload happen to contain such data incidentally (for example, a CV mentioning a disability accommodation), that data is stored as part of the uploaded file but is not extracted, categorised, or processed at the application layer. You should not upload documents whose primary purpose is to convey special-category data about individuals.

Where new categories of personal data are identified as necessary to deliver a new product feature, we will update this DPA with at least 14 days’ advance notice before the feature becomes active for your account, consistent with the sub-processor change notice process in §5.

4

Documented instructions

Written instructions

At a glance · IN BRIEF
We act only on your documented instructions. If an instruction would breach GDPR or Bangladesh law, we will not follow it, even if you tell us to directly. This is our legal obligation, but it is also a protection for you.

TenderPulse processes personal data only on your documented instructions. Your primary standing instruction — established by your acceptance of the Terms of Service and this DPA — is: process personal data solely as necessary to deliver the TenderPulse service as described in the Terms of Service and §2 of this DPA. GDPR Art. 28(3)(a)

What counts as a documented instruction. In practice, your instructions reach us through the following channels: (a) your actions within the TenderPulse platform — uploading a document, saving a personnel record, triggering an AI analysis session; (b) explicit written requests to our support or DPO email; and (c) configuration settings you apply within your account. Platform actions are logged and constitute contemporaneous documentation of your instruction.

Out-of-scope instructions. If you instruct us to do something that falls outside the scope of this DPA — for example, to share your data with a named third party, to produce a bulk export for an external analytics tool, or to retain data beyond the periods set out in §9 — we will treat that as a proposed amendment to your instructions. We will confirm the instruction in writing, note the applicable legal basis, and carry it out only after written confirmation from an authorised representative of your organisation.

Controller instructions that implicate employees. Where your instruction concerns personal data relating to your own employees or contractors — for example, adding or removing key personnel records — we process the instruction on the basis that you have a valid lawful basis for that processing under your own controller obligations. We do not independently verify that you have obtained the relevant consents or established the relevant legal basis; that responsibility rests with you. However, if a data subject contacts us directly asserting that their data was submitted without a valid lawful basis, we will notify you immediately so that you can respond.

Instructions that conflict with law. If you instruct us to process data in a manner that would require us to violate applicable data protection law — including instructions that would constitute processing without a valid lawful basis, instructions to delete data that we are legally required to retain, or instructions to transfer data to a jurisdiction in a manner that lacks adequate safeguards — we will inform you of the conflict in writing before processing. We will not carry out the instruction until the conflict is resolved. Where the conflict cannot be resolved, we will carry out the lawful alternative and document the deviation.

PRO-USER CLAUSE
We will refuse instructions that violate GDPR — we won’t comply just because you asked. If any instruction you give us would require TenderPulse to act in violation of applicable data protection law — including GDPR, the Bangladesh DSA 2018, or the draft PDPA 2023 — we will decline to follow it. We will notify you in writing within two business days, explaining the specific legal conflict and proposing a lawful alternative where one exists. This is not a discretionary position: it is our legal obligation as a processor under GDPR Art. 28(3)(a), and it is also a structural protection for you — it means you can never inadvertently create liability for your organisation by instructing your processor to do something unlawful. We act as a safeguard, not just a tool.
5

Sub-processors (right to object)

Sub-processors (right to object)

At a glance · IN BRIEF
The full list of sub-processors we use is here. We will give 14 days' notice before adding a new sub-processor. If you object, we will look for an alternative; if we cannot find one, we will release you with a pro-rata refund. We will not keep you locked into any contract you did not agree to.

TenderPulse engages the sub-processors listed in this section to assist in delivering the service. Each sub-processor is engaged under a data processing agreement that imposes data protection obligations at least equivalent to this DPA. GDPR Art. 28(2) GDPR Art. 28(4) Sub-processors process your data only to the extent necessary to provide their specific service to TenderPulse; they are not permitted to use your data for their own commercial purposes.

Your acceptance of the Terms of Service constitutes general written authorisation for TenderPulse to engage the sub-processors listed below.

Sub-processor mention: approved Asia-Pacific region encrypted infrastructure — compute, storage, key management, email delivery (prod), CloudWatch logging, and AI inference via the managed AI inference layer. See full sub-processor list.
Sub-processor mention: Anthropic (via managed AI inference platform): AI inference for bid extraction, copilot responses, and eligibility analysis — data is discarded immediately after inference and is never used for model training. See full sub-processor list.
Sub-processor mention: managed AI inference platform: alternative AI inference endpoint — provides access to multiple foundation models with regional data containment guarantees enforced at the infrastructure level. See full sub-processor list.
Sub-processor mention: Resend: transactional email delivery in development and staging environments only — no production user data flows through Resend; production email is handled exclusively by transactional email service. See full sub-processor list.
Sub-processor mention: transactional email service: production transactional email delivery — OTPs, invoices, deadline alerts, and DPA breach notifications sent from the approved Asia-Pacific region. See full sub-processor list.
Sub-processor mention: EPS Bangladesh Limited: Bangladesh Bank-licensed payment gateway for subscription payments — EPS captures payment credentials in a PCI-DSS compliant environment; TenderPulse receives only the transaction outcome. See full sub-processor list.
Sub-processor mention: Google LLC (Analytics 4): aggregate usage analytics on customer-facing pages — hashed user IDs only, Consent Mode v2 configured, advertising and personalisation signals disabled, IP anonymisation enabled. See full sub-processor list.

Sub-processor security certifications

Our cloud provider holds ISO 27001 certification, SOC 2 Type II, and PCI-DSS Level 1 status for its approved-region infrastructure. Anthropic maintains SOC 2 Type II certification. EPS Bangladesh Limited is licensed by Bangladesh Bank and operates under Bangladesh Bank’s payment system oversight framework. We review updated sub-processor compliance certifications on an annual basis and make summaries available to you on request.

Changes to the sub-processor list

We notify you of any intended change to the sub-processor list — whether adding a new sub-processor or replacing an existing one — at least 14 days before the change takes effect. Notification is delivered by email to the primary account address and by in-app banner. You have the right to object to any new sub-processor during that 14-day window.

PRO-USER CLAUSE
You may object to any new sub-processor; we’ll find an alternative or release you with a pro-rata refund. If you object to a new sub-processor within the 14-day notice window, TenderPulse will work in good faith to find a functionally equivalent alternative that achieves the same service outcome without engaging the objected sub-processor. If we determine that no viable alternative exists and that delivering the relevant feature requires the new sub-processor, we will give you the option to: (a) accept the change and continue your subscription, or (b) terminate the relevant portion of the service affected by the change and receive a pro-rata refund of any prepaid subscription period remaining for that portion. We will not force you to continue a contract that requires processing under a sub-processor you have not authorised. Your objection must be submitted to help@tenderpulse.com.bd in writing with the subject line “Sub-processor Objection”. We will confirm receipt within 24 hours.
6

International transfers

International transfers

At a glance · IN BRIEF
All your operational data stays in our approved Asia-Pacific region. AI inference does not leave the approved region either; this is not just a contractual promise but technical enforcement by the managed AI inference platform. Resend is used for dev/staging email (EU/US), but production data never goes to Resend.

TenderPulse stores and processes all operational personal data in our approved Asia-Pacific region. This is the primary region for all database storage, object storage (documents and uploaded files), serverless compute, and AI inference. GDPR Art. 46

AI inference regional containment. AI inference via managed AI inference platform is restricted to the approved Asia-Pacific region at the infrastructure level. This means that when TenderPulse submits your tender content or copilot prompts for AI analysis, those requests do not leave the approved Asia-Pacific region. This is not merely a contractual commitment on our part — it is a technical boundary enforced by the inference layer’s regional endpoint configuration. Your prompts and extracted tender content are processed entirely within the approved region and discarded after inference without persistent storage.

Standard Contractual Clauses and IDTA. To the extent that any transfer of personal data from a European Economic Area controller to TenderPulse as a processor constitutes a restricted transfer under GDPR Chapter V, TenderPulse relies on the EU Standard Contractual Clauses for controller-to-processor transfers (Module 2) as adopted by the European Commission. For transfers from the United Kingdom, TenderPulse relies on the International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner’s Office. These clauses are incorporated into this DPA by reference. Customers requiring countersigned SCCs or IDTA documentation should contact our DPO.

Resend (development and staging only). Transactional emails sent through Resend during local development and staging environments may be routed through Resend’s EU and US infrastructure. No production user data — no account records, tender content, personnel data, or financial data — is processed through Resend. The Resend integration does not apply to any TenderPulse account in the live production environment.

Google Analytics. Aggregate, anonymised usage metrics collected via Google Analytics 4 may be processed on Google’s global infrastructure per Google’s standard analytics data processing terms. This data consists of hashed user identifiers, page views, session metrics, and feature events. It does not include your name, company identifiers, tender content, financial figures, or any data that would identify an individual to a third party. You can opt out via the Google Analytics opt-out add-on.

No transfers to restricted jurisdictions. TenderPulse does not transfer personal data to any jurisdiction subject to Bangladesh Telecommunication Regulatory Commission (BTRC) restrictions on data flows, or to any territory subject to comprehensive UN or Bangladesh sanctions. Our commitment to approved-region infrastructure is not contingent on pricing or convenience — it is a structural decision we will not reverse without substantial advance notice and your consent.

7

Audit rights

Audit rights

At a glance · IN BRIEF
You have the right to one free audit every year. You will get an on-cause audit (for any reason) within 5 business days. You will get security questionnaire responses within 10 business days. These are terms of working with TenderPulse; there is no separate charge.

TenderPulse grants you comprehensive audit rights over our processing activities. These rights exist to give you practical assurance — not just contractual comfort — that TenderPulse is meeting its processor obligations under this DPA. GDPR Art. 28(3)(h)

Annual scheduled audit

Once per calendar year, you may request a scheduled audit of TenderPulse’s data processing activities covering the matters set out in this DPA. The annual audit includes: (a) a review of our current SOC 2-aligned security control documentation; (b) copies of the most recent SOC 2 Type II reports for our primary sub-processors (our cloud provider, Anthropic); (c) a walkthrough of our data processing activities relevant to your account; and (d) responses to up to 25 questions on our security posture, sub-processor management, breach response procedures, and data deletion practices.

The annual audit is conducted remotely and is provided at no additional charge to your subscription. Submit your audit request to help@tenderpulse.com.bd with at least 30 calendar days’ advance notice. We will confirm scheduling within five business days.

Security questionnaire response

If you require TenderPulse to complete a security questionnaire — for example, as part of your vendor due-diligence process, a client contract requirement, or an internal compliance review — we will respond within 10 business days of receipt. Standard questionnaires (CAIQ, SIG Lite, VSAQ) are completed at no charge. For extended questionnaires exceeding 150 questions, we may request a brief scoping call before committing to a response timeline.

Physical and on-premises audit

TenderPulse does not permit on-premises physical audits of our shared infrastructure for security reasons — conducting unsupervised physical access to multi-tenant infrastructure would create risks for other customers. However, we can facilitate a virtual infrastructure walkthrough, share network topology diagrams (with sensitive details redacted for security), and arrange direct communication with our lead engineer for technical questions. The SOC 2 reports from our cloud provider and Anthropic serve as the primary assurance layer for the underlying infrastructure components.

PRO-USER CLAUSE
Annual audit at no charge, plus on-cause audit at any time within 5 business days. In addition to the scheduled annual audit described above, if you have reasonable grounds to believe that TenderPulse is not complying with its obligations under this DPA — for example, following a breach notification, a material change to our sub-processor list, or a regulatory inquiry — you may request an on-cause audit at any time. We will begin the on-cause audit process within 5 business days of your written request, with no advance notice requirement and at no additional charge. The on-cause audit covers the specific area of concern you identify and provides written responses within 15 business days of initiation. You do not need to wait for the annual window to exercise this right.
8

Breach notification (72h)

Breach notification

At a glance · IN BRIEF
If a personal data breach occurs, we notify you and the regulator within 72 hours: “and”, not “or”. The notification will say everything: what happened, which data was affected, what we have done, and what you can do. We will not send a vague “we take security seriously” message.

A “personal data breach” for the purposes of this DPA means any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by TenderPulse under this DPA. GDPR Art. 33

Stage 1 — Detection and containment

On detection or credible report of a suspected breach, the TenderPulse on-call engineer immediately activates our incident response runbook. This involves isolating affected systems, revoking any compromised credentials, preserving forensic evidence, and assessing the scope of the breach. Containment takes absolute priority over all other operational activities. A named incident commander is assigned within one hour of detection.

Stage 2 — Assessment (within 24 hours)

Within 24 hours of detecting a suspected breach, TenderPulse completes an initial assessment to determine: (a) whether a breach has in fact occurred; (b) which categories of personal data are involved; (c) the approximate number of data records and individuals affected; (d) the likely consequences for affected individuals; and (e) the initial technical measures taken to contain and remediate. This assessment informs the notifications in Stage 3.

Stage 3 — Notification to you (within 72 hours)

TenderPulse will notify you of a confirmed personal data breach within 72 hours of confirming that a breach has occurred, by email to the primary account address and to any data protection contact you have designated. The notification will contain: (a) a description of the nature of the breach, including categories and approximate number of data records affected; (b) the name and contact details of our DPO; (c) the likely consequences of the breach; (d) the measures we have taken or propose to take to address the breach, including measures to mitigate its possible adverse effects; and (e) specific recommended steps you can take to protect yourself and your data subjects.

Regulatory notification (also within 72 hours)

Where legally required, TenderPulse will notify the relevant supervisory authority within 72 hours of confirming a breach. This regulatory notification obligation is independent of — not substituted for — the notification to you. We notify you AND the regulator, not you OR the regulator. Where notification to a supervisory authority is not legally required (for example, because the breach is unlikely to result in a risk to individuals), we will still inform you of our assessment and retain internal documentation of the breach event.

Your obligations as controller

As the data controller, you bear the primary obligation to notify affected data subjects under GDPR Art. 34 where the breach is likely to result in a high risk to individuals. TenderPulse will provide you with all information in our possession to assist you in making that assessment and carrying out that notification. We can also draft template communications for affected data subjects if you request this assistance.

PRO-USER CLAUSE
We notify YOU within 72 hours — not just the regulator. The 72-hour notification timeline applies to your notification, not only to regulatory filing. You will not learn about a breach affecting your data subjects from a regulatory announcement or a press report — you will hear from us first. If initial assessment is incomplete at the 72-hour mark, we will send a preliminary notification with what we know and follow up with a complete notification within a further 48 hours. We will never withhold breach information from you on the basis that it might embarrass us or expose us to liability. Transparency is not contingent on the outcome being favourable to TenderPulse.
9

Return / deletion at termination

Data at termination

At a glance · IN BRIEF
When your subscription ends, you have 30 days to retrieve your data. Within a further 30 days after that, we securely delete everything. We will provide a deletion certificate as soon as you ask. We will not keep any data indefinitely.

Upon termination or expiry of the Terms of Service — whether initiated by you, by TenderPulse, or by mutual agreement — TenderPulse will handle personal data processed under this DPA as described in this section. GDPR Art. 28(3)(g)

30-day data return window

For a period of 30 calendar days following termination of the Terms of Service (“the return window”), your account remains in read-only mode. During this period you may: (a) download your complete data export from /settings/data in JSON format plus your original uploaded documents as a ZIP archive; (b) request that TenderPulse return specific categories of data in a structured format by emailing our DPO. We will fulfil specific return requests within 10 business days during the return window.

The export available during the return window covers all personal data TenderPulse processes on your behalf under this DPA: key personnel records, company profile data, tender session data including extracted structured content, copilot conversation history, uploaded document files, and payment metadata.

Secure deletion (within 30 days after return window)

After the 30-day return window closes, TenderPulse will securely delete all personal data processed on your behalf under this DPA within a further 30 calendar days. Deletion means: permanent removal from active databases, deletion of S3 objects including versioned copies, and purging of any cached representations. Data in encrypted backups is overwritten as backup rotation cycles complete; all backups containing your data will have been rotated within 35 days of the return window close.

What survives deletion. The only data retained after the secure deletion period is data subject to a mandatory legal retention obligation under Bangladesh law — specifically, invoice and payment records required by the Income Tax Ordinance 1984 and VAT & Supplementary Duty Act 2012 (seven-year minimum retention). This data is pseudonymised on deletion: it retains financial figures and transaction IDs but the name, email, company identifier, and any other personal identifier is removed. This pseudonymised financial data is not in scope for this DPA after deletion.

Certificate of deletion

On request, TenderPulse will provide a written certificate of deletion confirming that all personal data processed under this DPA (outside of tax-law-retained pseudonymised records) has been permanently deleted, the date on which deletion was completed, and the method of deletion used. Certificate requests should be submitted to help@tenderpulse.com.bd and will be delivered within 10 business days of the deletion completion date.

Early termination by TenderPulse. If TenderPulse terminates the Terms of Service (for example, due to a cessation of business or a material breach by TenderPulse), we will give you 60 calendar days’ advance notice where reasonably practicable, or as much notice as circumstances permit. We will provide the full data export capability throughout the notice period and for 30 days after termination, and we will assist with migration to an alternative service provider at no additional charge.

10

Liability allocation

Sharing liability

At a glance · IN BRIEF
Under GDPR Art. 82, both the controller and the processor are liable to data subjects. Between us, however, responsibility is divided according to how each of us acted. If it happens within your remit, the liability is yours; if it happens because our instructions were not followed, the liability is ours.

Under the GDPR controller-processor model, both parties may be liable to data subjects for damage resulting from a breach of the Regulation (GDPR Art. 82). This section sets out how liability is allocated between you and TenderPulse in the controller-processor relationship.

TenderPulse’s liability as processor

TenderPulse is liable for damage caused by processing under this DPA only where: (a) we have failed to comply with obligations specifically directed at processors under applicable data protection law; (b) we have acted outside or contrary to your lawful documented instructions; or (c) we have failed to notify you of a breach in accordance with §8 and that failure caused additional harm to a data subject. In these circumstances, TenderPulse bears full responsibility for the resulting damage and will not seek to pass that liability to you.

Your liability as controller

You are liable for damage that arises from: (a) your determination of the purposes and means of processing — including your decision to submit particular categories of personal data to TenderPulse; (b) your failure to obtain a valid lawful basis for the processing activities you instruct; (c) your failure to notify data subjects of processing activities for which you are responsible as controller; and (d) any instruction you gave TenderPulse that we carried out in good faith and that subsequently proved unlawful — except where we were obligated to refuse the instruction under §4 and failed to do so.

Shared liability and apportionment

Where damage results from both parties’ conduct — for example, a breach that was made possible by both a TenderPulse security failure and your inadequate access control practices — liability is apportioned in proportion to each party’s contribution to the harm. Each party will cooperate in good faith with any investigation, regulatory inquiry, or court proceeding to determine the appropriate apportionment. Neither party will seek to shift liability to the other without a factual basis for doing so.

Overall liability cap

TenderPulse’s total aggregate liability under this DPA — whether to you or to data subjects seeking recourse through you — is subject to the liability cap set out in the Terms of Service. This cap applies to all claims arising under this DPA and the Terms of Service cumulatively, not separately. The cap does not apply to: (a) liability for damage caused by TenderPulse’s gross negligence or wilful misconduct; (b) TenderPulse’s obligations under applicable data protection law that cannot be limited by contract; or (c) claims brought directly by data subjects under GDPR Art. 82 against TenderPulse in its capacity as processor.

Data subject claims

Where a data subject brings a claim against TenderPulse in respect of processing carried out under your instructions, TenderPulse will notify you promptly and provide you with the opportunity to take the lead in responding to the claim. Where we are found liable for processing that was carried out on your lawful instructions, we reserve the right to seek indemnification from you for the portion of liability attributable to your controller decisions. This right of recourse does not affect the data subject’s ability to recover compensation from either party.

Governing law and disputes

This DPA is governed by the laws of Bangladesh. Any dispute arising under this DPA that cannot be resolved through the internal escalation process is subject to the dispute resolution procedure in the Terms of Service — specifically, mediation before the Bangladesh International Arbitration Centre before any court proceedings, with costs shared equally unless bad faith is established. The courts of Bangladesh have non-exclusive jurisdiction over disputes that cannot be resolved through mediation. Nothing in this DPA restricts either party’s right to seek urgent interim relief from a court where necessary to prevent irreversible harm.

⚖ EXERCISING YOUR RIGHTS
Email help@tenderpulse.com.bd — we reply within 48h