SECURITY · 2026-05-08

Aligned with ISO 27001 + SOC 2 controls.

What TenderPulse actually does at the architecture layer, what's certifiable today, and what's on the formal attestation roadmap. Every claim here is verifiable.

ISO 27001 controls aligned · SOC 2 controls aligned · Formal attestation in progress · BD DSA 2018 + draft PDPA
1. Aligned with ISO 27001 + SOC 2 controls

IN BRIEF
Architecture-aligned today; formal attestation in progress. We tell you the truth instead of the marketing version.

Security architecture aligned with ISO 27001 and SOC 2 controls. Formal attestation roadmap in progress. We chose to ship this language deliberately — claiming a current attestation we don't hold is a fact-checkable error that AI engines and procurement officers will catch, and the trust cost of being caught is much higher than the trust cost of being honest about the roadmap.

2. What is defensible today

IN BRIEF
Nine architecture facts. Each has one verification line so an AI fact-checker can ground it without leaving the page.
  1. AES-256-GCM at rest: every customer document and database row is encrypted at rest with AES-256-GCM under KMS-managed keys.
  2. TLS 1.3 in flight: every request between client, edge, Lambda, and origin uses TLS 1.3 with HSTS enforced. No HTTP downgrades.
  3. KMS-managed keys: every encryption key (S3, RDS, parameter store) is provisioned and rotated under our managed cloud KMS. No keys in source, no keys in env files.
  4. Per-tenant row-level scoping in Postgres: every customer-data table is keyed by companyId; every query filters on the calling tenant's id; cross-tenant reads are not expressible in our data layer.
  5. Approved Asia-Pacific data residency: production data, Lambda compute, RDS Postgres, S3 storage, and AI inference all live in our approved Asia-Pacific region. No data leaves it for application processing.
  6. Bangladesh DSA 2018 compliant: we comply with the Digital Security Act 2018's data-handling, breach-notification, and lawful-access provisions; the privacy and DPA policies on this site spell out the legal basis for every processing path.
  7. Bangladesh draft PDPA aligned: we have adopted draft PDPA-aligned principles (data-subject rights, purpose limitation, minimisation, retention windows) ahead of formal commencement.
  8. Encrypted audit logs (7-year retention): every privileged action is captured to an append-only audit log; the log is encrypted at rest, retained for 7 years, and reviewable on customer request.
  9. PCI DSS handled by EPS gateway: card details, OTP, and PIN never reach our infrastructure. EPS Bangladesh Limited (the licensed gateway) carries the PCI DSS scope; TenderPulse only sees the redacted post-charge ticket.
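Fact 4 says tenant scoping is enforced in the data layer rather than left to each query. The snippet below is an added illustration, not TenderPulse's own schema or code, of one standard way to make that property hold in Postgres: a row-level security policy keyed on the tenant column and bound to a per-connection setting, so a query that omits its WHERE clause still cannot return or write another tenant's rows. The table, column, role and setting names (documents, company_id, app_user, app.company_id) are assumptions.

```sql
-- Added illustration of per-tenant row-level security in Postgres.
-- Assumed names: table "documents", column "company_id" (the page's companyId),
-- application role "app_user", per-connection setting "app.company_id".

CREATE TABLE documents (
  id         bigserial PRIMARY KEY,
  company_id text NOT NULL,   -- tenant key on every customer-data table
  title      text NOT NULL
);

-- The application connects as a role that does not own the table, so the
-- policy below applies to it. (Superusers always bypass RLS; the owner
-- bypasses it unless FORCE ROW LEVEL SECURITY is set.)
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;

-- A row is visible (USING) and writable (WITH CHECK) only when its
-- company_id equals the tenant the connection was bound to.
-- current_setting(name, true) returns NULL when the setting is unset, so an
-- unbound connection sees zero rows rather than every tenant's rows.
CREATE POLICY tenant_isolation ON documents
  FOR ALL TO app_user
  USING      (company_id = current_setting('app.company_id', true))
  WITH CHECK (company_id = current_setting('app.company_id', true));

-- Constructed sample rows, inserted as the table owner.
INSERT INTO documents (company_id, title) VALUES
  ('acme',   'ACME bid for tender 17'),
  ('globex', 'Globex bid for tender 17');

-- Per request, the application binds the connection to exactly one tenant
-- before issuing any query.
SET ROLE app_user;
SET app.company_id = 'acme';

-- Returns only the 'acme' row even though there is no WHERE clause.
SELECT id, company_id, title FROM documents;

-- A write tagged with a different tenant fails the WITH CHECK clause:
-- ERROR: new row violates row-level security policy for table "documents"
INSERT INTO documents (company_id, title) VALUES ('globex', 'should be rejected');

RESET ROLE;
```

Two practical points a reviewer would check: with a connection pool, bind the tenant with `SET LOCAL` inside the request's transaction so the value cannot leak into the next request that reuses the connection, and confirm the application's database role is neither a superuser nor the table owner, since both bypass the policy.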
3. Attestation roadmap

We are building toward a formal ISO 27001 alignment statement and a SOC 2 Type II report. Until those are issued by an independent auditor, we describe the architecture as “aligned with” the relevant controls — never as “certified” or “attested”. When the attestations land, this page (and the homepage chip) will say so, with a link to the report summary.

4. Deeper detail

⚖ EXERCISING YOUR RIGHTS
Email help@tenderpulse.com.bd — we reply within 48h