Privacy Notice

TENDERSURE DATA PRIVACY AND PROTECTION NOTICE

1. PREAMBLE

Tendersure™ is a cloud-based supplier sourcing solution offered by QED Solutions Limited (QED), which operates the Tendersure website and system. QED acts in the capacity of both data processor and controller when collecting and processing personal data on Tendersure on behalf of clients, typically buyers wishing to prequalify suppliers in order to engage them. Tendersure interacts with your personal data based on the specific instructions of our clients and will not share your information outside of contractual obligations relevant to the client’s stated instructions. The subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, together with the rights and obligations of the parties with respect to such processing, are covered by a data processing agreement (or equivalent terms) agreed between QED and our customer.

If you choose to use QED, then you agree to the collection, processing, and use of your personal information as stated in this Notice.

Reading this Notice will help you understand your privacy rights and choices. IF YOU DO NOT AGREE WITH OUR POLICIES AND PRACTICES, PLEASE DO NOT USE OUR SERVICES.

This Notice must be read together with the Tendersure Terms and Conditions (ref: TS/POL/T&C/0001).

2. DEFINITIONS

As used in this Notice,

  1. “Personal Information” generally has the same meaning as personal data or personally identifiable information (PII). Personal Information is defined in the data privacy laws applicable in your country. It includes any information relating to an identified or identifiable natural person.
  2. “Non-Disclosure Agreement” is a legally binding contract that establishes a confidential relationship. The party or parties signing the agreement agree that sensitive information they may obtain will not be made available to any others.
  3. “Data controller” is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.
  4. “Data processor” is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
  5. “Data owner” is an individual or a group of individuals with responsibility for making classification and control decisions regarding use of information.

3. PURPOSE

QED Solutions Limited holds proprietary rights for the Tendersure platform under exclusive license from the developer Tendersure Pty Limited, South Africa. The purpose of this document is to outline the data handling practices QED Solutions Limited employs to ensure the privacy and protection of personally identifiable information collected on Tendersure. This applies to data collected on the Tendersure website and on the Tendersure system.

4. SCOPE OF NOTICE

This data privacy and protection notice covers the following scope:

4.1.  Tendersure Website Data

Section 5 below explains in detail how QED safeguards the privacy and security of the data that is collected through the Tendersure website.

4.2.  Tendersure System Data

Section 6 below explains in detail how QED safeguards the privacy and security of the data that is collected through the Tendersure system.

5. TENDERSURE WEBSITE DATA

This section explains how data collected by the Tendersure website is handled in compliance with the Kenya Data Protection Act.

5.1.  Introduction

Data, such as Internet Protocol (IP) address and/or browser and device characteristics, is collected automatically when users visit the website. This information does not reveal the user’s specific identity (like name or contact information), but may include device usage information, such as IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and other technical information. The information is primarily needed to maintain the security and operation of our website. None of this information is processed or stored.

The Tendersure website collects data in three distinct ways, namely:

  1. Data collected from the contact page.
  2. Data collected from the demo request page.
  3. Data collected from the supplier tender notification page.

The sections below illustrate how the privacy and protection of the data is safeguarded. The tables in each section describe how the data on the Tendersure website is collected, used, stored, protected, accessed, and destroyed.

5.2.  Tendersure Website Contact Page Data

Please see table 1 below that illustrates how contact page data on the Tendersure website is handled. Data handling includes how the data is collected, used, stored, protected, accessed, and destroyed.

Table 1: Contact Page Data

| Data Collected | Data Use | Data Storage | Data Protection Measures | Data Access and Disclosure | Data Destruction |
| --- | --- | --- | --- | --- | --- |
| Name | For identification purposes | The data is stored securely in the company’s secure, access restricted drive | Data encryption; Access controls; Continuous anti-virus scanning; Proactive security alerts | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the drive one (1) year after receipt. |
| Email | To respond to the website user’s queries. | The data is stored securely in the company’s secure, access restricted drive | Data encryption; Access controls; Continuous anti-virus scanning; Proactive security alerts | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the drive one (1) year after receipt. |

5.3.  Tendersure Website Demo Request Data

Please see table 2 below which illustrates how data collected from the demo request Tendersure website page is handled. Data handling includes how the data is collected, used, stored, protected, accessed and destroyed.

Table 2: Demo Request Page Data

| Data Collected | Data Use | Data Storage | Data Protection Measures | Data Access and Disclosure | Data Destruction |
| --- | --- | --- | --- | --- | --- |
| Name | For identification purposes | The data is stored securely in the company’s secure, access restricted drive | Data encryption; Access controls; Continuous anti-virus scanning; Proactive security alerts | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the drive one (1) year after receipt. |
| Phone Number | To respond to the website user’s demo requests. | The data is stored securely in the company’s secure, access restricted drive | Data encryption; Access controls; Continuous anti-virus scanning; Proactive security alerts | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the drive one (1) year after receipt. |
| Email | To respond to the website user’s demo requests. | The data is stored securely in the company’s secure, access restricted drive | Data encryption; Access controls; Continuous anti-virus scanning; Proactive security alerts | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the drive one (1) year after receipt. |

5.4.  Tendersure Website Supplier Tender Notification Data

Please see table 3 below which illustrates how data collected from the supplier tender notification Tendersure website page is handled. Data handling includes how the data is collected, used, stored, protected, accessed, and destroyed.

Table 3: Supplier Tender Notification Page Data

| Data Collected | Data Use | Data Storage | Data Protection Measures | Data Access and Disclosure | Data Destruction |
| --- | --- | --- | --- | --- | --- |
| Name | For identification purposes | The data is stored securely in the company’s secure, access restricted drive | Data encryption; Access controls; Continuous anti-virus scanning; Proactive security alerts | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the drive after the expiration of the annual subscription (every 12 months) |
| Phone Number | To enable the website user to receive tender alerts | The data is stored securely in the company’s secure, access restricted drive | Data encryption; Access controls; Continuous anti-virus scanning; Proactive security alerts | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the drive after the expiration of the annual subscription (every 12 months) |
| Email | To enable the website user to receive tender alerts | The data is stored securely in the company’s secure, access restricted drive | Data encryption; Access controls; Continuous anti-virus scanning; Proactive security alerts | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the drive after the expiration of the annual subscription (every 12 months) |

5.5.  Tendersure Website Cookies

The Tendersure Website employs the use of the following cookies:

  1. Strictly necessary – session cookie relevant to the website’s chat functionality
  2. Performance – Google analytics
  3. Targeting – Google analytics and YouTube
  4. Functionality – Language translator
  5. Unclassified – Device info; Tendersure consent

Cookies are managed based on user preference. A first-time visitor to the Tendersure website is presented with options to manage their cookies.

6. TENDERSURE SYSTEM DATA

6.1.  Introduction

This section deals with how the privacy and protection of data collected by the Tendersure system is managed. All personally identifiable information collected by Tendersure is submitted on a voluntary basis by individuals who have selected to participate in a supplier prequalification, tender, or other supplier-sourcing process. Submission of such data is predicated on the data provider first consenting to the Tendersure terms and conditions, as well as the Tendersure Data Privacy and Protection Notice. This section explains how data collected by the Tendersure system is handled in compliance with the Data Protection Act. Specifically, this section deals with how Tendersure system data is collected, used, stored, protected, accessed and destroyed as follows:

  1. Company data
  2. Sole proprietor data
  3. Payment data
  4. Supplier sourcing data
  5. Data processing
  6. Data security
  7. Data storage
  8. Data archival
  9. Data access control
  10. Data destruction

6.2.  Tendersure System Company Registration Data

Please see table 4 below that illustrates how supplier registration data for companies on the Tendersure system is handled. Data handling includes how the data is collected, used, stored, protected, accessed, and destroyed.

Table 4: Tendersure Supplier Registration Data for Companies

| Data Collected | Data Use | Data Storage | Data Protection Measures | Data Access and Disclosure | Data Destruction |
| --- | --- | --- | --- | --- | --- |
| Name | For identification purposes | The data is stored securely in the company’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Phone Number | To facilitate communication | The data is stored securely in the company’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Email | To facilitate communication | The data is stored securely in the company’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |

6.3.  Tendersure System Sole Proprietor Data

Please see table 5 below that illustrates how supplier registration data for sole proprietors on the Tendersure system is handled. Data handling includes how the data is collected, used, stored, protected, accessed, and destroyed.

Table 5: Tendersure Supplier Registration Data for Sole proprietors

| Data Collected | Data Use | Data Storage | Data Protection Measures | Data Access and Disclosure | Data Destruction |
| --- | --- | --- | --- | --- | --- |
| Name | For identification purposes | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Phone Number | To facilitate communication | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Email | To facilitate communication | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Postal Address | For contact purposes | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Tax Identification Details | For compliance with legal and regulatory requirements | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Location/County Information | To enable Tendersure™ to customize their services in accordance with your location | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Country Information | To enable Tendersure™ to customize their services in accordance with your country | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |

6.4.  Tendersure Payment Data

From time to time, suppliers wishing to participate in a hosted prequalification, tender, EOI, etc., will be required to make payment in order to access the hosted job. In such instances, the data collected necessary to process payment may include, but is not limited to, the instrument number (for example, credit card number; phone number for mobile money payments) and security code associated with the payment instrument. Depending on the jurisdiction from which payment is being made, payment data is stored by the following respective vendor(s):

Table 6: Tendersure Payment

| Vendor Name | Privacy Policy Link |
| --- | --- |
| Cellulant | Cellulant Privacy Policy |
| DPO Group | DPO Group Privacy Policy |
| Safaricom (M-Pesa) | Safaricom Data Privacy Statement |

6.5.  Tendersure System Supplier Sourcing Data

The table below demonstrates how Tendersure collects, uses, stores, and destroys data after its use in the following business activities:

  1. Prequalification of suppliers
  2. Request for quotation (RFQ)
  3. Tenders
  4. Reverse auction
  5. Disposal of assets
  6. Risk management
  7. Forward auction
  8. Contract management

Table 7: Tendersure System Supplier Sourcing Data

| Data Collected | Data Use | Data Storage | Data Protection Measures | Data Access and Disclosure | Data Destruction |
| --- | --- | --- | --- | --- | --- |
| Name | For identification purposes | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Phone Number | For communication purposes | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Email | For communication purposes | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Postal Address | For contact purposes | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Identification Card Details | For identification purposes | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Tax Identification Details | For compliance with legal and regulatory requirements | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |
| Bank Details | For compliance with legal and regulatory requirements | The data is stored securely in the system’s database. | AXES; User logs; Cross site scripting protection; Cross site request forgery protection; SQL injection protection; Clickjacking protection; Host header validation; Session security; Referrer Policy | Data access is only permitted to the QED employees whose access is necessary, the data owner and by court order | Data is deleted off the database after the seven (7) year archival period. |

6.6.  Tendersure System Data Processing

Personal information is processed for a variety of reasons, depending on the specific requirements of the data owner. The overarching use of personally identifiable information on Tendersure is for the purposes of evaluating applications or expressions of interest by individuals or entities seeking to be suppliers of a particular buyer. As such, information submitted by individuals or entities must be subjected to an evaluation process to determine suitability. The following are the reasons why personal data may be processed by Tendersure:

  1. To facilitate account creation and authentication, and to otherwise manage user accounts.
  2. To authenticate user-supplied information (such as name, tax compliance status, professional certifications, etc.) for purposes of determining veracity of information with respect to user’s desired outcome of being engaged as a supplier by the data owner.
  3. To respond to user inquiries and to offer support to users.
  4. To send administrative information to you.

Tendersure processes personal data on an established valid and legal basis, including but not limited to consent from the user, to provide you with our services, to enter into or fulfil our contractual obligations, to protect your rights, to comply with laws, or to fulfil our legitimate business interests.

Tendersure acknowledges the following rights of a data owner to:

  1. Object to the processing of all or part of their personal data.
  2. Correction of false or misleading data about them.
  3. Deletion of false or misleading data about them.

Tendersure does not process any personal data belonging to a minor (under the age of 18).

6.7.  Tendersure System Data Security

Tendersure utilizes identity and access network management as well as role-based access to ensure that employees’ privileges are limited to the data necessary for performing their job functions. All employees are subject to a non-disclosure agreement and receive frequent training on Tendersure’s information security policies and procedures, including appropriate data handling, storage, and disposal practices.

All QED devices are equipped with a firewall, anti-virus software, and access controls to limit employee access to the data necessary for performing their job functions.

All passwords submitted to the Tendersure system are encrypted before being stored in the database making them unreadable and/or unusable by any unauthorized users. Passwords are periodically changed every 90 days to prevent account compromise and facilitate password strength.

All sensitive data submitted to the Tendersure system is encrypted before being stored in the database, making it unreadable and/or unusable by any user other than the data’s owners and the intended recipient of the information.

The Tendersure platform is configured with data protection measures such as:

  1. AXES
  2. User logs
  3. Cross site scripting (XSS) protection
  4. Cross site request forgery (CSRF) protection
  5. SQL injection protection
  6. Clickjacking protection
  7. Host header validation
  8. Session security
  9. Referrer Policy

Additional security measures employed by Tendersure include preventative and detective controls, an SSL certification and password requirements.

6.8.  Tendersure System Data Storage

All data collected from the Tendersure system is transferred to our secure, dedicated Amazon S3 Console located in Ireland for storage.

Amazon Cloud Storage service offers a secure cloud storage platform which protects data from accidental or unlawful destruction, loss or alteration and unauthorized disclosure or access.

The Amazon Cloud services are configured with data protection measures such as:

  1. Automatic anti-virus scanning
  2. AWS Managed Rules Linux Rule Set
  3. AWS Managed Rules Known Bad Inputs Rule Set
  4. AWS Managed Rules SQLi Rule Set
  5. AWS Managed Rules Anonymous IP List
  6. AWS Managed Rules Amazon IP Reputation List
  7. Access keys
  8. SSL certificate
  9. Firewalls
  10. Private IP Addresses
  11. Reset Password Policy

Amazon Cloud Storage service ensures the safety of data by saving the data across redundant servers. QED monitors the data to obtain clear and concise information on what is happening to the stored data at any given time.

6.9.  Tendersure System Data Archival

Retention of data is determined by business requirements, both operational and strategic, whilst also considering data security and risk, and abiding by any legal, regulatory and jurisdiction obligations. 

When a dataset no longer needs to be as immediately available as other related data (for example, data relating to completed projects compared to projects that are still in progress), but there remains a legitimate business, legal, or regulatory requirement to retain that dataset, then it is archived.

In accordance with Kenyan law, data must be kept for a minimum period of seven (7) years. Therefore, from the date of collection, all Kenyan data is securely stored in the Tendersure database for a period of seven (7) years.

For all other jurisdictions, data is archived in compliance with their respective requirements for a period depending on the data owner’s domicile.

6.10. Tendersure System Data Access Control

Access to data stored on Tendersure is as follows:

  1. QED employees – whose access is necessary for proper management and monitoring of the data. All personnel are contractually obligated to keep all customer/user data, including all personal data, confidential. They also undergo regular training on proper data handling practices, undergo a security assessment, and sign our Non-Disclosure Agreements.
  2. Data owners – To data owners upon their request or written consent.
  3. Court order – By court order stemming from a legal or regulatory requirement.

In some circumstances, QED may also engage service providers/partners to help provide services to customers. All service providers/partners are extensively vetted and, if they may access any personal data while performing the services, are required to undergo a security assessment and sign QED’s Non-Disclosure Agreement.

6.11.  Tendersure System Data Destruction

Destruction of archived user data is done periodically after the stipulated seven (7) years for Kenyans and depending on the data owner’s domicile for international data owners.

Tendersure can, however, continue to archive data after the stipulated time period, upon the request of the data owner.

Tendersure ensures the proper destruction of data as stated in the Data Destruction Policy.

7. LINKS TO OTHER SITES

Tendersure may contain links to other sites. If you click on a third-party link, you will be directed to that site. Note that these external sites are not operated by us. Therefore, it is strongly advised that you review the Privacy Policy of these websites. Tendersure has no control over, and assumes no responsibility, for the content, privacy policies, or practices of any third-party sites or services.

8. CHANGES TO THIS NOTICE

This Notice on Data Privacy and Protection is reviewed by Tendersure every two years to ensure its continuing suitability, adequacy, and effectiveness in fulfilment of Clause 9.3 of the ISO 27001:2013.

Changes to this Notice will also occur in the fulfilment of any future change to relevant laws and/or regulations.

9. CONTACT US

If you have any questions or concerns about the Tendersure Data Privacy and Protection Notice, do not hesitate to contact Tendersure through:

  1. Live chat on the Tendersure Website
  2. Phone number: +254 709 557 000
  3. WhatsApp number: +254 114 892 485
  4. Email: help@tendersure.co.ke