Per-clause mapping to Bangladesh law.

Our other Trust Center pages cite Bangladesh statutes alongside their international counterparts. This page reverses the ordering: it walks through each Bangladesh statute that applies to TenderPulse and explains, clause by clause, what the statute requires, what we do to satisfy it, and where the evidence sits in our published policies and product.

This is the page enterprise procurement officers, in-house counsel at Bangladesh banks, and CPTU compliance reviewers tend to ask for first. We have written it to answer their questions directly.

The Digital Security Act 2018 is the primary information-security statute applicable to digital service providers in Bangladesh. Digital Security Act 2018

§29 — Identity verification of users

We require every paid account to provide verified company information (RJSC registration number, TIN, BIN, e-GP user ID where applicable) at onboarding. This data is verified against public registers where available. Anonymous or pseudonymous accounts are not permitted on paid tiers.

§30 — Prohibition of illegal content

Customer-uploaded content (tender ZIPs, supporting documents) is subject to our Acceptable Use Policy at /trust/acceptable-use. Content we identify or are notified of as violating the DSA is processed under the takedown procedure described in §3 below.

§31 — Government request handling

We handle government requests for user information through the process described in our Transparency Report. Requests must be in writing on official letterhead, signed by an authorised officer, citing the specific statutory authority. We refuse oral requests and informal channels.

§32 — Notification of users

When we receive a government request affecting a specific user, we notify the user within 30 days unless the request includes a legally-binding gag order. Where a gag order is imposed, we challenge it where reasonable and notify the user as soon as the gag is lifted. The transparency report aggregates this activity.

The ICT Act 2006 (as amended) establishes legal recognition for electronic records and signatures and criminalises a range of digital misconduct. ICT Act 2006

Our core touch-points:

• §5–§9 (Electronic signatures and records) — our audit log entries, consent records, and submission artefacts are designed to be legally-admissible electronic records under this section
• §54 (Hacking and unauthorised access) — our controls against unauthorised access are described in our Security & Infrastructure page
• §57 (Repealed by DSA 2018) — formerly criminalised certain online speech; superseded but the principle of moderating obviously-illegal content is preserved in our Acceptable Use Policy

The Public Procurement Rules 2008 (and successive amendments) define the legal framework for public procurement in Bangladesh. Public Procurement Rules 2008 Our product is designed around this framework: our eligibility-scoring engine maps tender ITB criteria to PPR 2008 evaluation principles, our bid drafting templates incorporate the standard forms (Form Tech-1 through Tech-9), and our deadline-tracking respects the submission timing rules under PPR 2008 Schedule II.

Specific touch-points:

• Rule 16 (Procurement Plan) — we surface plan schedules where published by the procuring entity
• Rule 31 (Tender notice) — our tender feed mirrors the official CPTU notice format
• Rule 80–82 (Evaluation) — our scoring engine applies these as published, including the Lowest Evaluated Tender principle
• Rule 127 (Debarment) — debarred firms are blocked at our acceptable-use sanctions screen

The draft Personal Data Protection Act 2023 is not yet enacted. We have designed our data-protection posture to be GDPR-aligned on the assumption that the BD-DPA, when enacted, will follow the same general structure. Our Privacy Policy already cites this draft Act extensively. BD Data Protection Act 2023 (draft)

Where the enacted version of the Act diverges from our current design, we will publish the gap analysis and the remediation plan in our changelogwithin 30 days of the Act’s passage and update affected policies in line with the statutory transition window.

Specific points where we anticipate the BD-DPA will impose new obligations: a possible localisation requirement for sensitive personal data, registration with a future Data Protection Commission, and annual data-protection-impact-assessment submissions for high-risk processing.

BTRC may issue notices to digital-service providers operating in Bangladesh requiring takedown of specific content, blocking of specific accounts, or disclosure of user information. Our handling protocol:

1. Validity check — within 24 hours, our legal team confirms the notice is on official BTRC letterhead, references the specific statutory authority, identifies the specific content or account, and is signed by an authorised officer. Informal contacts (phone calls, WhatsApp messages, personal emails) are not actioned.
2. Scope review— we review whether the request is properly scoped. Over-broad requests (e.g. “all data on all users from district X”) are pushed back with a request for narrower scope.
3. User notification — affected users are notified within 30 days unless the notice contains a legally-binding gag order. Gag orders are themselves reviewed for legality and challenged where reasonable.
4. Authorised compliance signoff — only the Compliance Officer can authorise action on a BTRC notice. Operations / engineering / sales staff cannot.
5. Public reporting — aggregated counts of BTRC notices received, complied with, partially complied with, and refused are published in our annual transparency report.

Payment processing for cards, mobile-banking wallets (bKash, Nagad, Rocket), and internet banking goes through EPS Bangladesh Limited — a Bangladesh Bank-licensed payment service provider and PCI DSS compliant in their card-handling environment.

The architectural commitment: TenderPulse never receives card numbers, CVV codes, PINs, OTPs, or mobile-banking authentication tokens. Customers are redirected from our checkout flow to EPS’s hosted payment page, complete the transaction in EPS’s environment, and we receive only the transaction outcome (success / failure plus a reference). This significantly reduces our PCI DSS scope.

For corporate customers paying by bank transfer, our invoicing captures the standard fields required for VAT and TIN reconciliation under Bangladesh tax law. Refunds to bank transfers are processed within 7 business days.

TenderPulse operates under the trade name of Public Pulse Agency, with VAT registration and TIN issued by the Bangladesh National Board of Revenue. Every paid invoice we issue is a valid VAT challan supporting customer input-VAT claims at the standard 15% rate where applicable.

Invoice retention: per NBR rules, we retain invoice records for 7 years from the date of issue. Customer-side invoice export is available at any time from the billing settings page.