The shape of our security posture
Our security structure
TenderPulse is hosted in our approved Asia-Pacific region. Every byte of customer data — your account, your company profile, your uploaded tender ZIPs, your AI bid drafts, your invoices — lives inside that region. We do not replicate customer data to any other region. We do not back up to a different country. The data residency line is geographic and absolute.
The high-level architecture: stateless application logic in Lambda functions, document storage on S3 with KMS-managed envelope encryption, relational data on RDS PostgreSQL with column-level encryption for high-risk fields (bank account numbers, NID numbers, mobile-banking tokens), an application-layer audit log written to a separate tamper-resistant S3 bucket, and CloudFront in front of every public surface. AI inference goes through a managed inference platform: the request leaves the Lambda, hits the inference layer inside the same region, and returns. Your prompt content never crosses a regional boundary. [ISO/IEC 27001]
Defense-in-depth is not a slogan here — it is structurally how we have laid the system out. The CloudFront distribution refuses non-TLS connections at the edge. The Lambda functions are inside a VPC with no inbound public access. The RDS instance is in a private subnet, reachable only from the Lambdas. The S3 buckets are private with bucket policies enforcing TLS-only access. KMS keys have key policies restricting decrypt operations to specific IAM roles. Every layer has its own gate, and an attacker who compromised one layer would still be stopped by the next.
Encryption at rest
Encryption in storage
Every persistence layer in TenderPulse uses AES-256-GCM with keys held in a managed key service (KMS). There is no opt-in toggle for encryption — it is the default and the only mode we operate in. RDS storage encryption is on at the volume level. S3 buckets have default encryption with a customer-managed KMS key (one CMK per environment; we explicitly do not use per-tenant CMKs because the marginal security gain does not justify the linear cost increase, and KMS policy isolation gives us the same tenancy guarantee in practice). EBS volumes attached to any compute (including ephemeral Lambda execution environments where applicable) are encrypted.
For the highest-risk fields — bank account numbers, NID numbers, mobile-banking tokens, OTP secrets — we layer a second encryption step at the application layer using a separate KMS-derived data key. This means a database dump alone cannot reveal these values: the attacker would need both the database dump and the KMS data-key derivation logic, which lives in code and is gated behind IAM. We treat this as an investment in defence-in-depth, not as a regulatory checkbox.
Backups are encrypted with the same KMS keys and stored in S3 with object-lock retention. Backup restoration is a controlled procedure requiring two-engineer approval recorded in our admin audit log. [ISO/IEC 27001, GDPR Art. 32]
Encryption in flight
Encryption in network transit
Every public-facing endpoint enforces TLS 1.3, with TLS 1.2 as the fallback only for clients that genuinely cannot speak 1.3. We publish strong cipher preferences and disable known-weak suites. The apex domain tenderpulse.com.bd is HSTS-preloaded with a 2-year max-age and the includeSubDomains directive — your browser refuses to make a plaintext HTTP request to us before the network ever sees the URL.
Internal service-to-service traffic — Lambda to RDS, Lambda to S3, Lambda to the AI inference layer — also runs over TLS, even though it never leaves the cloud internal network. We don’t treat the VPC as a safe zone where plaintext is acceptable; we apply the same encryption hygiene to every hop.
Mutual TLS is enforced for inbound webhooks from EPS Bangladesh (our payment gateway). Webhook signatures are also validated against a shared secret, and the signature check is constant-time to defeat timing attacks. [ISO/IEC 27001]
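The constant-time signature check described above, as an added example that is not TenderPulse's or EPS Bangladesh's own code. It assumes an HMAC-SHA256 hex digest over the raw request body (the actual webhook scheme is not stated on this page) and shows the short-circuiting comparison beside the fixed-time one.

```python
import hashlib
import hmac

# Constructed secret for the demo; the real one lives in a secrets manager, never in code.
WEBHOOK_SECRET = b"constructed-shared-secret-not-real"

# Constructed sample webhook body as the gateway would POST it.
SAMPLE_BODY = b'{"event":"payment.settled","ref":"TP-0001","amount":"12500.00"}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex-encoded (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_naive(secret: bytes, body: bytes, presented: str) -> bool:
    # Weak: '==' stops at the first differing character, so the response
    # time leaks how many leading characters of the guess were right.
    return sign_payload(secret, body) == presented


def verify_constant_time(secret: bytes, body: bytes, presented: str) -> bool:
    """Hardened check: comparison time does not depend on where bytes differ."""
    expected = sign_payload(secret, body)
    # Reject malformed input up front so the comparison always runs over
    # two well-formed, equal-length hex digests.
    if len(presented) != len(expected):
        return False
    try:
        bytes.fromhex(presented)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), presented.lower().encode())
```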
Identity and access management
Access control
Customer data is row-level isolated by company ID at every query boundary. There is no SQL path that returns rows from two tenants; every model has a WHERE tenant_id = ? clause baked into the data-access layer, and code review enforces this.
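One way to bake the tenant predicate into the data-access layer so a caller cannot omit it, as an added example that is not TenderPulse's own code. It uses an in-memory SQLite table with constructed rows for two companies; the table and column names are assumptions.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database holding two tenants' tender records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tenders (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO tenders (tenant_id, title) VALUES (?, ?)",
        [
            ("co-alpha", "Road resurfacing, Dhaka North"),
            ("co-alpha", "School furniture supply"),
            ("co-beta", "Bridge inspection contract"),
        ],
    )
    return conn


class TenantScopedRepo:
    """All reads go through _select, which always binds tenant_id as a parameter."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant_id is required for every data access")
        self.conn = conn
        self.tenant_id = tenant_id

    def _select(self, columns: str, table: str, **filters):
        # The tenant predicate is added by the layer itself and overrides any
        # tenant_id a caller tries to pass, so no query can span tenants.
        # Filter keys are code-controlled identifiers; values are bound, never interpolated.
        filters["tenant_id"] = self.tenant_id
        where = " AND ".join(f"{col} = ?" for col in filters)
        sql = f"SELECT {columns} FROM {table} WHERE {where} ORDER BY id"
        return self.conn.execute(sql, tuple(filters.values())).fetchall()

    def list_tenders(self):
        return [row[0] for row in self._select("title", "tenders")]

    def get_tender(self, tender_id: int):
        # A primary-key lookup still carries the tenant predicate, so an ID
        # belonging to another company returns nothing rather than their row.
        rows = self._select("id, title", "tenders", id=tender_id)
        return rows[0] if rows else None
```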
TenderPulse staff engineers do not have routine access to customer data. The default IAM policy denies SELECT against customer tables. Reading a specific customer’s data for debugging requires invoking a documented “break-glass” procedure: a staff member files a written justification in the internal ticket system, a second engineer approves, the access is time-limited (typically 1 hour), and an entry is written to the admin audit log capturing who, what, why, and for how long.
You have the right to request a copy of every admin audit log entry that touched your account at any time. Email the DPO and we will return the log within five business days. [GDPR Art. 15]
Multi-factor authentication
Two-factor authentication
Multi-factor authentication is available to every account using either SMS one-time passwords delivered to a Bangladesh mobile number, or a TOTP authenticator app such as Google Authenticator or Authy. We will add WebAuthn / passkeys in 2026 — the implementation is in our roadmap and is a stated commitment.
For accounts with the admin or billing role, MFA is mandatory. The admin user cannot dismiss the MFA enrolment prompt. This is a hard product gate, not a policy recommendation.
OTP codes for both sign-up and password reset are delivered via SMS, expire in 10 minutes, are stored hashed (never plaintext), and cannot be reused. The plaintext OTP is never written to any log. Failed OTP attempts are rate-limited per phone number.
Vulnerability management and patching
Vulnerability management
Our build pipeline runs Dependabot / Renovate alerts on every dependency. CVE alerts are triaged within one business day, patches are merged the same week unless they are breaking, and urgent CVEs (CVSS ≥ 9.0) are patched within 72 hours of public disclosure regardless of breaking-change risk.
Static application security testing runs on every pull request. Findings labelled critical or high block the merge until resolved or explicitly waived with documented rationale. Secret-detection scanning runs on the same pipeline and a leaked credential triggers immediate rotation.
We engage an external security firm to conduct a black-box penetration test at least once per twelve months. The current test cycle was completed in 2026-02. We do not publish full pen test reports for security reasons, but enterprise customers under NDA can request a redacted summary. Remediation timelines for findings: Critical 7 days, High 30 days, Medium 90 days, Low best-effort. [ISO/IEC 27001]
Logging, audit and monitoring
Logging and monitoring
We log every authentication attempt (success and failure), every access to customer data via the admin console, every privileged operation (refund, plan change, manual override), every configuration change in production, and every webhook delivery. These logs go to CloudWatch Logs in the same region, are replicated to a separate S3 bucket with object-lock retention, and are signed at the log-stream level.
Hot retention is 90 days. Cold retention is 1 year for general application logs and 7 years for financial/audit records (matching our tax-record retention obligations under Bangladesh law). Customers can request an export of audit log entries relevant to their tenant at any time.
Anomaly alerts (impossible-travel logins, brute-force patterns, mass-export attempts) trigger PagerDuty notifications to the on-call engineer and an automated lockdown of the affected account if the signal is high-confidence.
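The impossible-travel signal mentioned above, run over a few constructed login log lines, as an added example that is not TenderPulse's own detection code. The log format, the coordinates and the 900 km/h plausibility threshold are assumptions; the page only states that such alerts exist.

```python
import json
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # constructed threshold: roughly airliner speed

# Constructed log lines: Dhaka -> Chittagong in 30 min is plausible;
# Chittagong -> London in 30 min is not.
LOGIN_LOG = """\
{"ts":"2026-02-10T08:00:00Z","user":"u-42","event":"login.success","lat":23.81,"lon":90.41}
{"ts":"2026-02-10T08:30:00Z","user":"u-42","event":"login.success","lat":22.36,"lon":91.78}
{"ts":"2026-02-10T09:00:00Z","user":"u-42","event":"login.success","lat":51.51,"lon":-0.13}
{"ts":"2026-02-10T09:05:00Z","user":"u-7","event":"login.failure","lat":23.81,"lon":90.41}
"""


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(log_text: str, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Flag successful logins whose implied speed from the user's previous login exceeds max_kmh."""
    last = {}      # user -> (timestamp, lat, lon) of the previous successful login
    alerts = []
    for line in log_text.splitlines():
        e = json.loads(line)
        if e["event"] != "login.success":
            continue  # only successful logins move a user's location
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if e["user"] in last:
            prev_ts, plat, plon = last[e["user"]]
            hours = (ts - prev_ts).total_seconds() / 3600.0
            km = haversine_km(plat, plon, e["lat"], e["lon"])
            if hours <= 0 or km / hours > max_kmh:
                kmh = km / hours if hours > 0 else float("inf")
                alerts.append({"user": e["user"], "ts": e["ts"], "km": round(km), "kmh": round(kmh)})
        last[e["user"]] = (ts, e["lat"], e["lon"])
    return alerts
```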
Incident response and breach notification
Incident response
Our incident response runbook covers detection (automated alerting + customer reports), triage (severity assignment within one hour of detection), containment (lockdown of affected systems, credential rotation, key rotation), eradication (root-cause fix + regression test), recovery (controlled service restoration), and post-mortem (blameless review within two business days, customer-facing report within five).
For any personal data breach affecting customer data, we notify affected customers within 72 hours of becoming aware of the breach. The notification will describe what happened, what data was affected, what we have done, and what you should do. We do not adopt a case-by-case judgement about whether a breach is “notifiable enough” — the 72-hour rule is our floor, not our ceiling. [GDPR Art. 33, GDPR Art. 34]
Vendor and sub-processor diligence
Vendor diligence
Every sub-processor that handles customer data must complete a security questionnaire and execute a Data Processing Agreement before we send them any data. The questionnaire covers encryption, access control, breach history, certification posture, sub-sub-processor disclosure, and data residency commitments.
We maintain a live list of every sub-processor at /trust/sub-processors with purpose, location, and certification status for each. New sub-processors are added with at least 14 days advance notice to customers, who have the right to object during that window.
Our cloud provider holds ISO/IEC 27001, SOC 2 Type II, and PCI DSS certifications, reviewed annually. Anthropic provides model inference under enterprise agreements that prohibit training on customer inputs. EPS Bangladesh Limited is Bangladesh Bank-licensed and PCI DSS compliant in their card-handling environment.