Tender for Selection of Bidder for Supply, Implement and Data migration with maintenance of Aadhar Vault solution

Bharat Petroleum Corporation Limited

Tender / CRFQ No: 1000385512 / 93340 dated 02.04.2022

Bharat Petroleum Corporation Limited
Corporate Strategy & Business Development
Bharat Bhavan III, Walchand Hirachand Marg, Ballard Estate – Mumbai 400 001

Date of Submission: 07.04.2022 @ 10:00 Hrs


Contents

Notice Inviting Tender
Annexure 1: Bid Evaluation
1.1 Bid Evaluation Methodology
1.2 Techno-Commercial Bid Evaluation
1.3 Price Bid Evaluation
Annexure 2: Terms of Reference
2.1 Bidder Scope of Work
2.1.1 Context
2.1.2 Scope of work - Implementation, Operation and Maintenance
2.1.3 Service Level Agreement (SLA) and Penalty:
2.2 Delivery & Implementation Schedule
2.3 Payment Terms and Performance Bank Guarantee
2.4 Service Level Agreement (SLA) and Penalty
2.5 BPCL’s Minimum IT, Digital Security & Governance Requirements:
2.5 Architecture Guiding Principles and Standard Protocols
Annexure 3: Terms and Conditions of the Contract (Attached)
Annexure 4: Instructions to Bidders
Annexure 6: Pro forma for Non-Disclosure Agreement (NDA)
Annexure 7: Pro forma for Performance Bank Guarantee
Annexure 8: Response to BQC Criteria A, Proven Track Record
Annexure 9: NEFT Mandate Form
Annexure 10: Format for CA certificate for MSE bidders
Annexure 11: OEM/ISV Declaration Form

Notice Inviting Tender

1) Bharat Petroleum Corporation Limited (hereafter referred to as “BPCL”) is a Fortune 500 corporate and a vertically integrated Maharatna energy company in India. The company has a strong network of about 18,000 retail outlets spread across India with a market share of more than 25%.

2) BPCL has currently launched a project named “Anubhav” with the objective of driving digital transformation across its marketing department and is planning to launch multiple initiatives to enhance customer engagement and experience, leverage analytics to drive decisions and enhance reporting.

3) The LPG Business provides LPG to retail and industrial customers; for retail customers, BPCL needs to acquire KYC documents such as the Aadhar number to process the subsidy.

4) According to the Notification and subsequent circulars by UIDAI, all AUAs, KUAs, Sub-AUAs and other entities that collect and store the Aadhaar number for specific purposes must start using reference keys mapped to Aadhaar numbers through tokenization in all systems. All of these entities are mandatorily required to store the Aadhaar numbers and any connected Aadhaar data on a separate secure database/vault/system, which shall be termed the Aadhaar Data Vault.

5) Aadhaar Data Vault is a centralized storage for all the Aadhaar numbers collected by the AUAs/KUAs/Sub-AUAs or any other agency for specific purposes under Aadhaar Act and Regulations, 2016. It is a secure system inside the respective agency’s infrastructure, accessible only on a need-to-know basis. The Aadhaar Data Vault contains the reference key, which is a unique token that represents the Aadhaar number in the entire internal ecosystem of the agency. The mapping of reference key to Aadhaar number is to be maintained in the Aadhaar Data Vault. Aadhaar numbers should be encrypted with a key, and the key should be kept in a Hardware Security Module (HSM).

6) Bids are invited from Bidders who will implement Aadhar Vault Solution with HSM implemented in BPCL’s Datacenters and DR Site including supply of all required components within defined period (“implementation period”) with five (5) years comprehensive quarterly maintenance contract (AMC) as mentioned in Annexure 2. The Bidder shall be solely responsible for implementing and maintaining the solution on behalf of BPCL.

7) Please visit the website https://bpcleproc.in for participating in this tender process and submitting your bids/documents online against E Tender no: 93340

8) BID SECURITY: Bidders shall have to submit an Earnest Money Deposit (EMD) of Rs. 2.5 lakhs. Please refer Annexure 4 for Instructions to Bidders for more details.

9) INTEGRITY PACT (IP): IP is a pact between BPCL (as a purchaser) on one hand and the Bidder on the other hand stating that the two parties are committed to each other in regard to ensuring transparency and fair dealings in this procurement activity. Bidders shall have to mandatorily sign this pact, for participating in this tender, as per the pro-forma given at Annexure 5. The salient features of this pact are:

a. Pro-forma of Integrity Pact shall be uploaded by the Bidders along with the bid documents, duly signed by the same signatory who is authorized to sign the bid documents. All the pages of the Integrity Pact shall be duly signed. Bidder’s failure to return the IP Document duly signed along with the bid documents by the bid submission deadline (given on page 1) shall result in the bid not being considered for further evaluation.

b. If the Bidder has been disqualified from the tender process prior to the award of the contract in accordance with the provisions of the Integrity Pact, BPCL shall be entitled to demand and recover from the Bidder, liquidated damages amount by forfeiting the EMD/Bid security as per provisions of the Integrity Pact.

c. If the contract has been terminated according to the provisions of the Integrity Pact, or if BPCL is entitled to terminate the contract according to the provisions of the Integrity Pact, BPCL shall be entitled to demand and recover from the Bidder, Liquidated Damages amount by forfeiting the Security Deposit/ Performance Bank Guarantee/ Supply and Performance Guarantee as per provisions of the Integrity Pact.

10) For any queries / clarification on Tender Technical Specifications / Commercial points and other terms and conditions of the tender, please contact:

Name of the Procuring Officer (PO): Chetan Goswami, Team Member – Project Anubhav
Email ID: [email protected]
Office Address: Bharat Petroleum Corporation Ltd, 4&6 Currimbhoy Road, Ballard Estate, Mumbai 400001
Contact No.: +91 9554961778

Name of the Procuring Head: Amit Kumar, Team Lead – Vendor Management, Corporate Strategy
Email ID: [email protected]
Office Address: Bharat Petroleum Corporation Ltd, 4&6 Currimbhoy Road, Ballard Estate, Mumbai 400001
Contact No.: +91 9051224446

11) Only in case of any complaints regarding the Tender / Tender Conditions, please contact the following Independent External Monitors (IEM):

Name: Shri Ramabhadran Ramanujam
Email ID: [email protected]
Address: 44/24, 3rd trust Cross Street, Mandavelipakkam, Chennai 600028
Contact No.: Mob. 9495511954

Name: Shri Jagadip Narayan Singh
Email ID: [email protected]
Address: C- 54, Bharatendu Harischandra Marg, Anand Vihar, New Delhi- 110092
Contact No.: Mob 9978405930

Name: Shri Anupam Kulshreshtha
Email ID: [email protected]
Address: B-3/3, ‘Yarrows Apartments’, Plot C-58/5, Sector 62, Noida, UP -201309
Contact No.: Mob. No. 9968281160

12) STRUCTURE OF THE TENDER: The tender is proposed to be a THREE part bid system comprising of Techno-commercial qualification Criteria (TQC), Quality Bid and Price Bid. Based on the responses to Techno-Commercial criterion, bidders will be shortlisted for Quality Bid evaluation as well as Price Bid Evaluation. Please visit the website https://bpcleproc.in for online participation in this tender and submitting bid. The E-Tender consists of the following annexures. Bidders are requested to carefully study the same to ensure that their bids are complete in all respects:

Sl. No. | Document Type | Annexure

1) Bid Evaluation | Annexure 1
2) Terms of Reference | Annexure 2
3) Terms & Conditions of Contract | Annexure 3
4) Instruction to Bidders | Annexure 4
5) Pro-forma for Integrity Pact (IP) | Annexure 5
6) Pro-forma for Non-Disclosure Agreement (NDA) | Annexure 6
7) Pro-forma for Performance Bank Guarantee | Annexure 7
8) Response Template for Bid Evaluation - Certificate from TPIA | Annexure 8
9) Common NEFT Mandate Form | Annexure 9
10) Format for CA certificate for MSE bidder | Annexure 10
11) OEM/ISV Declaration Form | Annexure 11

13) BID SUBMISSION: The Bidders are requested to refer Annexure 3 for Bidding Process for E-Tender and may also consult our service provider M/s. E-Procurement Technologies Ltd. (ETL). Bidders have to necessarily log on to our site https://bpcleproc.in and search for the Tender/ System Id (given on Page-1) for participation and submitting the E-Bid. Your online bid should be submitted on or before the due date of this tender.


14) LAST DATE FOR BID SUBMISSION: Your bid should be submitted online on or before the Due Date i.e. 7th April 2022, 10:00 hours IST. Bids/Offers shall not be permitted in E-Tender System after the tender due date/time. Hence, no bid can be submitted after the due date and time of submission has elapsed. Vendors are advised in their own interest to ensure that their bids are submitted in E-Procurement System well before the closing date and time of bid submission. No manual bids/offers along with electronic bids/offers shall be permitted. Bids not in the prescribed format, are liable to be rejected.

15) DIGITAL SIGNATURE: The tender documents along with Annexure thereto and Price Bids shall be required to be digitally signed with a Class II B or above digital signature by the authorized signatory. The authorized signatory shall be:

Proprietor in case of proprietary concern.
Authorized partner in case of partnership firm.
Director, in case of a Limited Company, duly authorized by its Board of Directors to sign.

If for any reason, the proprietor or the authorized partner or director as the case may be, is unable to digitally sign the document, the said document should be digitally signed by the constituted attorney having full authority to sign the tender document and a scanned copy of such authority letter and also the power of attorney (duly signed in the presence of a Notary public) should be uploaded with the tender. Online submission of the tender under the Digital Signature of the authorized signatory shall be considered as token of having read, understood and totally accepted all the terms and conditions of this tender.

16) Bidders, on the Black/Holiday List of BPCL/MoP&NG/Oil PSE shall not be considered. Additionally, bidders who offer Platforms and Other Solutions in this tender of such Black / Holiday listed parties shall also not be considered. BPCL reserves the right to accept or reject any or all the Offers at their sole discretion without assigning any reason whatsoever. BPCL’s decision on any matter shall be final and any Bidder shall not enter into correspondence with BPCL unless asked for. BPCL may call for additional documents if required. BPCL would also consider information already available with them regarding Bidder’s credentials.

17) SUPPORT DESK: In case of any clarification pertaining to E-Procurement Process, the Bidder may contact ETL on Contact Numbers and E-Mail Ids, as appended below.

CONTACT | E-MAIL ID | CONTACT NO.

Sapkale Harshal | [email protected] | +91 22 2417 6419 / +91 63518 96636
Gore Mohnish | [email protected] | +91 63518 96637
E-Procurement Technologies Limited, Ahmadabad, Kolkata, Delhi | [email protected] | 079 6813 6861 / 033 2429 3447 / 0120 247 4951

Thanking you,

Yours faithfully,

For Bharat Petroleum Corporation Ltd.

Amit Kumar Team Lead (Vendor Management) – Project Anubhav


Annexure 1: Bid Evaluation

1.1 Bid Evaluation Methodology

It is a TWO-PART-BID E-Tender constituting of:

a. Techno-Commercial Bid
b. Price Bid

Price bid shall be opened only for those bidders who qualify the techno-commercial bid.

1.2 Techno-Commercial Bid Evaluation

1. Proven Track Record Bidder/OEM should have one experience in implementation of Supply, Implementation (Installation, configuring, testing, commissioning, Maintenance and support) of at least one General purpose HSM with encryption for Aadhar data vault in high availability in India during the past three years and OEM should have presence in India since minimum last 3 years

Bidder to submit/ upload following documents in support of their claim: Annexure 10 duly verified and certified by TPIA which is registered under “NABCB accredited bodies as per requirement of ISO/IEC17020 as Type A” in QCI NABCB website http://nabcb.qci.org.in/accreditation/reg_bod_inspection_bodies.php as on date of verification of documents. All charges of the Third party for attestations and verification shall be borne by the bidder.

2. Financial Capacity

I. The Bidder should have achieved a Minimum Average Annual Financial Turnover of INR 3 Cr per annum as per the Audited Financial Statements (including Balance Sheet and Profit and Loss Account), during the last three consecutive accounting years.

II. Net worth of the bidder should be positive as per the Audited Financial Statements of latest of the last available three consecutive accounting years. The Net worth is defined as Share Capital + Reserves & Surplus.

Note: Bidders will have to mandatorily furnish audited financial statements from last three consecutive years (i.e. FY18-19, FY19-20, FY20-21) as part of this submission.

Bidder to submit/ upload following documents in support of their claim:

Audited Balance Sheets and Profit & Loss accounts of the bidder for the previously available three consecutive accounting years prior to the due date of bid submission (English language only).

Note:

All charges of practicing TPIA, if any, for document attestations and verification shall be borne by the Bidders.

For the purpose of techno-commercial evaluation, BPCL reserves the right to verify information submitted and/or inspect the facilities implemented by the Bidder, and/or request the Bidder to submit additional documents/information/ clarifications as and when required. BPCL also reserves the right to independently assess the capability and capacity of the Bidder for execution of the project.

BPCL decision on any matter regarding evaluation of the Bidders shall be final.


BPCL has earlier floated a tender for Selection of Bidder for Supply, Implement and Data migration with maintenance of Aadhar Vault solution, Tender / CRFQ No: 91511 / 1000381624 dated 14.01.2022. Bidders who had participated in the Tender / CRFQ No: 91511 / 1000381624 dated 14.01.2022 are permitted to submit the same BQC documents for the current tender.

1.3 Price Bid Evaluation

Price Bid Template

Sr. No | Item | Unit of Measure | Total Qty. | Unit Cost (INR) | Total Cost in INR (Excl. Tax) | Tax Rate (%) | Total Cost in INR (incl. tax)

1 | Centralized Key Management Platform including 5 year AMC | Set | 1 | | | |
2 | Key Management Solution with ADV (Tokenization) Connector for DC in HA and in DR with 5 year AMC | Set | 3 | | | |
3 | General Purpose Hardware Security Module (HSM) including 5 year warranty | Nos | 3 | | | |
4 | Firewall with 5 year Warranty | Nos | 3 | | | |
5 | Layer 2 Network Switch with 5 year Warranty | Nos | 3 | | | |
6 | One-time Implementation ADV Solution including HSM, Firewall and Network switch in HA as mentioned in Annexure 2 | Nos | 1 | | | |
7 | One Time Data Migration from Existing ADV to new On-Prem ADV | Nos | 1 | | | |
8 | On Site support and Maintenance of Implemented ADV solution including FW, HSM and Switch. | Quarter | 20 | | | |

Note to Bidder:

1. Prices/rates should be quoted strictly as per above format and in no other manner.

2. Implementation cost is one-time, at the time of installation of HSM device in BPCL’s Data Centre at Mumbai location (Primary Data Centre) and Noida Location (DR Data Centre).

3. Data migration (including key migration, if applicable) cost is also one-time, for migration of all ADV data from existing On Prem to new ADV solution designed and implemented by Bidder.

4. Onsite support means the support provided by Bidder as and when required for any application/HSM/Firewall/System issue or change request, update, configuration modification or integration, which will be done onsite in BPCL Data Centre.

5. All charges towards travel, lodging or boarding etc. shall be borne by the Bidder.

6. The quantities quoted above are not a commitment from BPCL and BPCL reserves the right to change the quantities.

7. All required VMs for deployment of the ADV solution will be provided by BPCL in its DC and DR.

8. BPCL reserves the rights that they may call for POC at any point of time to check the compliance (Bidder or OEM) and demo of any part of the scope of work, which will be considered as part of evaluation.

9. The break-up of the various items in the price bid should be in line with market reality. In case BPCL finds a mismatch in the bidder’s quote, for payment purpose, it reserves the right to realign the cost components amongst various heads while keeping the total contract value constant.

10. The price quoted by the Bidder shall include all software(s) required to implement the Scope of Work as stated in Terms of Reference (TOR) of tender. If the Bidder requires any additional software to deliver the scope of work as mentioned in Annexure 2 and it is not explicitly mentioned in the price bid, the Successful Bidder will have to provide the required software without any additional commercial implications to BPCL.

11. Location for material Delivery :

a. Corporate Data Centre (CDC), BPCL A Installation, Sewree Fort Road, Sewree East, Mumbai, Maharashtra, 400015

b. Integrated Data center (IDC), BPCL, Plot No.2A, Near Yamaha Chowk, Udyog Kendra, PO Surajpur Greater Noida, Uttar Pradesh, 201308


Annexure 2: Terms of Reference

List of Abbreviations and Acronyms

No. Acronym Full Form

1. API Application Programming Interface

2. ADV Aadhaar Data Vault

3. BU Business Unit

4. CEP (BPCL) Customer Engagement Portal

5. Cr Crore

6. CRM Customer Relationship Management

7. ERP Enterprise Resource Planning

8. KPI Key Performance Indicator

9. LDAP Lightweight Directory Access Protocol

10. Mn Million

11. OEM Original Equipment Manufacturer

12. OTP One time password

13. OWASP Open Web Application Security Project

14. PO Purchase Order

15. QR code Quick Response code

16. RO Retail Outlet (Petrol Pump)

17. SOAP Simple Object Access Protocol

18. SKU Stock keeping unit

19. SOP Standard Operating Procedure

20. SSO Single Sign On

21. UAT User Acceptance Testing

22. HSM Hardware Security Module

23.


2.1 Bidder Scope of Work

2.1.1 Context

BPCL has to setup Aadhar data vault as per the guideline provided by UIDAI where Aadhar vault has to be implemented and maintained by selected bidder as part of scope of work.

2.1.2 Scope of work - Implementation, Operation and Maintenance

The Successful Bidder shall, supply and implement the entire Aadhar Vault solution in On-Prem with 5 years of comprehensive Quarterly AMC.

The scope of work for Aadhar vault solution implementation is as below:

General Scope:

Preparation of architecture design, documentation, and project plan for Implementation of Aadhar Vault solution as mentioned in scope of work section.

Installation & Configuration of the supplied Hardware, Software, implementation and Integration.

Instructor led Training to BPCL team (2 person) and Handing over of final configuration document.

Facilitate and comply with all requirements / recommendation for certification of the BPCL ADV installation from a UIDAI/MeITY certified Auditor.

Implementation Scope:

Details of works to be delivered by selected bidder for ADV Solution with Hardware implementation in BPCL DC and DR available On-Prem

A) On BPCL On-Prem: ADV Solution with Centralized Key manager platform (with Tokenization and any other required license, if any):

Selected bidder shall implement the key management Platform from same OEM of HSM for better integration & with all associated components of tokenization, licenses etc.

Every Component of the solution proposed by the bidder shall be fully compliant with any and all specifications / requirements / guidelines of UIDAI.

BPCL shall only be providing the following infrastructure required for prerequisite: MSSQL Database, File storage, VM for deployment and segregated network to fulfil all compliance requirement of Aadhar vault released by UIDAI.

Secure key storage: storing of the encryption/decryption keys protected by a FIPS 140-2 Level-3 certified HSM and fully compliant with all UIDAI requirements, and there must be restriction of direct access to the keys. The proposed HSM should preferably be EAL 4+ compliant and if not compliant, then as and when any mandatory guidelines from UIDAI are issued for compliance with EAL 4+, the bidder should provide the requisite certifications / compliant HSM at no additional cost to BPCL.

Encryption of Aadhaar number: providing an interface using REST API calls to encrypt Aadhaar numbers upon proper validation of credentials.

There should be a common set of services which would expose ADV to upstream and downstream systems. These APIs should be co-located in the same location where the ADV is deployed.

The database and platform settings chosen for the ADV should have auto-scaling capability; however, the ADV solution implemented by bidder must be able to support any size of DB and have in-built data classification capability and File storage. Solution should also provide read-replicas or equivalent technologies so that we can load balance our reads.

The VNet for the ADV should be completely separate from existing ones.

Generation of random token for each Aadhaar stored in the Data Vault as per the encryption & implementation specifications of UIDAI and return the specific token for reference.

Storing of encrypted Aadhaar and corresponding reference token. Allow storing of encrypted Aadhaar number in the respective Data Vault of each User Application along with the generated reference token and returning the token to the User Application.

Decryption of Aadhaar number - Providing an interface using API calls to decrypt Aadhaar number corresponding to the provided reference token and upon proper validation of credentials.

Upon receiving request for storing an Aadhaar number already stored in the data vault of the particular application the existing token should be returned and a new one should not be generated.

Service to check existence of an Aadhaar number in Data Vault: allows searching for an (encrypted) Aadhaar number in a Data Vault based on the token/reference key provided.

Every application that will be on-boarded to the service must have a unique cryptographic key associated with it for encryption/decryption which is to be stored in a Key Management Software secured with a FIPS 140-2 level-3 certified Hardware Security Module at all times. Unauthorized access to the keys should be restricted.

Each user application must be able to store the encrypted Aadhaar numbers and/or related eKYC data on a separate Data Vault (database) separate from other user applications as per the requirement of BPCL.

Offered solution must ensure unique random number or token is generated for each Aadhaar number to be stored and that it should not be possible to retrieve the original number with the token.

Proposed solution should allow encryption/decryption only after successful verification of credentials which should be certificate based or any other such secure robust mechanism not prone to tampering or eavesdropping.

The solution must have inherent support for Format Preserving Encryption (FPE) and FF1 / FF3 as per NIST standards.

Solution should allow user-specified/customized formats for reference key/token (Numeric/Alphanumeric Variable length).

Proposed solution should have inbuilt support for on-boarding multiple user applications (UA) and each UA must have an independent database (Vault) with its own unique keys for encryption, such that '1 User Application - 1 key - 1 database (Vault)', where the databases of individual user applications can reside on different locations/systems. The proposed solution should be able to communicate with at least 4 different vaults at the same time.

Each application server instance (of ADV) in the proposed solution should be capable of communicating with multiple databases residing on different locations simultaneously for storing of tokenized data.

Proposed solution should be capable of encrypting sensitive personal data (PII, PHI, Aadhaar etc. protection). Such encrypted data should be able to be protected using a simple transparent encryption agent which should not require any downtime while the encryption process is implemented.

There should be no root or super-user access to HSM appliance possible in any way. No access to bash, ksh or any default terminal shells should be possible and support all OS.

Detailed logging and audit tracking of all key state changes, administrator access and policy changes. Support for multiple log formats (RFC-5424, CEF, LEEF) for easy integration that can be consumed by leading 3rd party SIEM tools. Option to extract raw logs must be available.

The chosen Reference Key generation method is to ensure that the recovery of the original Aadhaar number must not be computationally feasible knowing only the reference key or a number of reference keys. It is suggested that a UUID (Universally Unique Identifier represented via hex string) scheme be used to create such reference key so that from such reference key the Aadhaar number can neither be guessed nor reverse engineered.

Applications should be restricted by roles (user and application) to control who can encrypt, decrypt or perform search operations.

Granular authorization capabilities that enable constraints to be placed on user operations based on specific key permissions

HSM should have the ability to enable / disable policies by HSM commands which will be applicable for Application Users. This feature should not need any Application User login or credentials.

Only trusted and encrypted communications must be permitted in and out of the vault. This should ideally be done via API/Microservice dedicated to get the mapping and controlling access to the API/Micro-service at application level. Any authorized users needing to access this mapping must go via applications allowing them to view/ access this data with appropriate user authentication and logging.

The Aadhaar Data Vault must implement strong access controls, authentication measures, monitoring and logging of access, and raising necessary alerts for unusual and/ or unauthorized attempts to access.

The Aadhaar Data Vault should support mechanisms for secure soft deletion / updating of Aadhaar number and corresponding data if any as required by the data retention policy of the entities

The Aadhaar Data Vault containing Aadhaar number / data and the referencing system must be kept in a highly restricted network zone that is isolated from any untrusted zone and other internal network zones.

Access to Aadhaar Data Vault shall be made secure and accessed through internal systems only with each access attempt clearly logged and the audit logs should be accessible to a designated set of users defined by BPCL in a dashboard from where the reports can be downloaded in PDF/XL/Word formats based on user requirements

Bidder has to propose HSM having minimum 1000 TPS on RSA 2048.

Each Aadhaar number is to be referred by an additional key called as Reference Key. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault.

Solution should support APIs for single and bulk encryption/decryption of Aadhaar number.

On-Prem ADV solution will be communicating with cloud based application - SAP Hybris implemented in BPCL to authenticate the Aadhar number in secure and dedicated network.
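
The tokenization behaviour required in this section (a random UUID reference key per Aadhaar number, the existing token returned on a repeat store request, and one key and one vault per user application) is illustrated below. This is an added example, not part of the tender or of any vendor's product: `SoftKeyStore`, `AadhaarVault`, the application names and the sample number are hypothetical, and a standard-library HMAC-SHA256 stream construction stands in for the HSM-held key operations so that the code runs offline.

```python
import hashlib
import hmac
import secrets
import uuid


class SoftKeyStore:
    """Constructed stand-in for the HSM-backed key manager (assumption).

    Holds one key per user application and never returns a key; callers
    only receive the results of operations, as they would from an HSM.
    """

    def __init__(self):
        self._keys = {}

    def create_key(self, app_id):
        self._keys[app_id] = secrets.token_bytes(32)

    def _subkey(self, app_id, purpose):
        # Separate sub-keys for encryption, integrity and the lookup index.
        return hmac.new(self._keys[app_id], purpose, hashlib.sha256).digest()

    def _keystream(self, key, nonce, length):
        blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((length + 31) // 32)]
        return b"".join(blocks)[:length]

    def encrypt(self, app_id, plaintext):
        nonce = secrets.token_bytes(16)
        stream = self._keystream(self._subkey(app_id, b"enc"), nonce, len(plaintext))
        body = bytes(p ^ s for p, s in zip(plaintext, stream))
        tag = hmac.new(self._subkey(app_id, b"mac"), nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, app_id, blob):
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._subkey(app_id, b"mac"), nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed integrity check")
        stream = self._keystream(self._subkey(app_id, b"enc"), nonce, len(body))
        return bytes(c ^ s for c, s in zip(body, stream))

    def blind_index(self, app_id, value):
        # Keyed digest: lets the vault detect a duplicate without keeping plaintext.
        return hmac.new(self._subkey(app_id, b"idx"), value.encode(), hashlib.sha256).hexdigest()


class AadhaarVault:
    """One vault (token -> ciphertext) per on-boarded user application."""

    def __init__(self, keystore):
        self._keystore = keystore
        self._vaults = {}

    def onboard(self, app_id):
        self._keystore.create_key(app_id)
        self._vaults[app_id] = {"by_token": {}, "by_index": {}}

    def store(self, app_id, aadhaar):
        if not (aadhaar.isascii() and aadhaar.isdigit() and len(aadhaar) == 12):
            raise ValueError("expected a 12-digit number")
        vault = self._vaults[app_id]
        index = self._keystore.blind_index(app_id, aadhaar)
        if index in vault["by_index"]:
            # Repeat request: return the existing token, do not mint a new one.
            return vault["by_index"][index]
        # Token comes from the CSPRNG, not from the number, so it cannot be reversed.
        token = str(uuid.uuid4())
        vault["by_token"][token] = self._keystore.encrypt(app_id, aadhaar.encode())
        vault["by_index"][index] = token
        return token

    def exists(self, app_id, token):
        return token in self._vaults[app_id]["by_token"]

    def retrieve(self, app_id, token):
        blob = self._vaults[app_id]["by_token"][token]
        return self._keystore.decrypt(app_id, blob).decode()


def demo():
    vault = AadhaarVault(SoftKeyStore())
    vault.onboard("lpg-subsidy")      # hypothetical application names
    vault.onboard("retail-loyalty")
    sample = "999900001111"           # constructed value, not a real Aadhaar number
    first = vault.store("lpg-subsidy", sample)
    again = vault.store("lpg-subsidy", sample)
    other = vault.store("retail-loyalty", sample)
    return {
        "repeat_returns_same_token": first == again,
        "apps_get_independent_tokens": first != other,
        "round_trip": vault.retrieve("lpg-subsidy", first),
        "token_visible_to_other_app": vault.exists("retail-loyalty", first),
    }


if __name__ == "__main__":
    print(demo())
```
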

On Prem at BPCL Data Centre and DR (Firewall, Network Switch and HSM in HA)

Supply, implementation and maintenance of Firewall, Network Switch, HSM Appliance and other required components with the specification given below.

Bidder has to setup local network to deploy HSM in high availability in load balancing mode at the locations specified by BPCL (Data Centre (DC), & Disaster Recovery (DR)) mentioned in Annexure I. Any external device / application / software required for load balancing shall be provided by the bidder at no additional cost to BPCL. Bidder shall be responsible for the service / uptime for these additional devices (if any) for the entire period of the contract.

Bidder has to establish VPN Tunnel between implemented firewalls and SAP Cloud for secure communication between HSM and Key manager platform.

Store the private master keys used for digital signing of Auth XML and Decryption of electronic “know your customers” (e-KYC) data received from UIDAI in on-prem HSM.

Supply updates and upgrades including new versions of all the software licenses supplied as part of this tender during the entire contract period.

Establish key replication process between Primary to Primary and Primary to DR site HSM such that the same keys are accessible from both the DC(Primary) and DR(Backup) instances without ANY change to application code or authentication methods

Failover from DC (Primary) to DR (Backup) should happen instantaneously without any loss of sessions or data. Similarly the state should return to DC (Primary) as soon as the DC is restored with no delays or downtimes.

Migration Scope:

BPCL has Aadhar data available in the existing On Prem Aadhaar Data Vault where MSSQL is the database used to store the Aadhar data.

BPCL also has a file server where Aadhar files of its customers have been stored, and the entire Aadhar vault solution is currently in use.

As part of data migration, Bidder has to migrate all this data (including files) and database from the existing On Prem Aadhar Vault to the new ADV solution implemented by the successful bidder.

After migration, all available data, protected with the new crypto keys and the solution implemented by the bidder, must be available for use by the BPCL platform without any issue.

For existing on-prem Aadhaar data, decryption related support will be provided by BPCL.

Database license will be provided by BPCL to store Aadhar information.


Integration Scope:

All integration will be via Restful API with BPCL systems.

Any development required for fulfilment of ADV implementation has to be done by Bidder at no additional cost.

Any other future requirement such as common data vault integration has to be delivered by Bidder at no additional cost to BPCL during the contract period.

The proposed ADV solution components must have the technical specifications mentioned below at minimum:

Bidders are required to upload technical specifications sheet for all the items in the bid

Aadhar Data Vault Solution:

Sr.No. Required Minimum Specifications Bidder's Compliance (Yes/No)

1. Solution to be designed and implemented is required to comply with UIDAI Aadhaar storage, encryption and authentication guidelines issued by UIDAI, GOI vide their Circular No 11020/205/2017-UIDAI (Auth-I) dated 25.7.2017, 11020/217/2018-UIDAI (Auth I) dated 01.05.2018 and any other UIDAI ADV guidelines to all AUA/KUA/Sub AUA. Solution to comply with any and all future government regulations related to storage and usage of Aadhaar data at no extra cost to BPCL during the tenure of the contract.

2. Aadhaar Number and any connected Aadhaar data e.g. eKYC XML data will be stored on a separate secure database /vault/ system termed as ‘Aadhaar Data Vault’

3. Solution should have provision to store any relevant demographic data and/or photo of the Aadhaar Number Holder

4. Each Aadhaar number is to be referred by an additional key called as Reference Key. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault

5. Access to Aadhaar Data Vault shall be made secure and accessed through internal systems only

6. The Aadhaar number and any connected data maintained on the Aadhaar Data Vault shall always be kept encrypted and access to it strictly controlled only for authorized systems. Keys for encryption are to be stored in HSM devices only.

7. Only trusted communications must be permitted in and out of the vault. This should be done via API /Microservice dedicated to get the mapping and controlling access to the API/Microservice at application level. Any authorized users needing to access this mapping must go via applications allowing them to view/access this data with appropriate user authentication and logging.

8. All Aadhaar data vault APIs should be REST based with Content type as JSON data.

9. The Aadhaar Data vault must implement strong access controls, authentication measures, monitoring and logging of access and raising necessary alerts for unusual and/or unauthorized attempts to access.

10. The Aadhaar Data Vault should support mechanisms for secure updation of Aadhaar number and corresponding data if any as required by the data retention policy of the entities.


11. Solution should support APIs for single and bulk operations with encryption/decryption of Aadhaar by providing reference number and vice versa.

12. The chosen Reference Key generation method is to ensure that recovery of the original Aadhaar number is not computationally feasible knowing only the reference key or a number of reference keys. It is suggested that a UUID (Universally Unique Identifier represented via hex string) scheme be used to create such reference key, so that the Aadhaar number can neither be guessed nor reverse engineered from it.

13. Provisions of Regulation 14(n) of the Aadhaar (Authentication) Regulations, 2016 and Regulations 5 and 6 of Aadhaar (Sharing of Information) Regulations, 2016

14. Administrative UI to register applications which can call Aadhaar Data Vault APIs

15. Admin access to ADV (UI) on the separate port with provision to maintain users, application, access and logging etc. It is preferred to have different ports for admin access and application access (configurable)

16. Key Management in ADV implementation as per the recommendation of UIDAI

17. Provision for creating Reference key or Token policy like length of reference key or token via UI or scripts

18. UI for Create, Store, Use, Rotate and destroy encryption keys

19. Automatic encryption Key Rotation without hampering the current system

20. UI for User Access rights management for access various logs, policy definition, etc.

21. Bidder will permit the Solution to be audited by Cert-In or UIDAI Empaneled Auditor brought by BPCL in addition to certifications being provided by the bidder as part of this tender

22. Vendor is responsible for complying with UIDAI regulations if there is any change in future at no extra cost to BPCL

23. Vendor is responsible commercially/legally for any non-compliance with GOI regulations current/future

24. Solution provided should comply to IT Act 2000 of GOI and any future provisions/regulations/rules specified by the government at no extra cost to BPCL during the entire tenure of the contract.
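Requirement 12 above asks that a reference key reveal nothing about the Aadhaar number it stands for, and requirement 11 asks for single and bulk calls. The following Python example is added here for illustration and is not part of the tender or of any vendor's product: it contrasts a hash-derived reference key with a random UUID and shows a small mapping that hands out UUID reference keys. The class and function names, the HMAC lookup index and the sample numbers are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import uuid

# Constructed sample values, not real Aadhaar numbers.
SAMPLE_AADHAAR = "999900001234"
CANDIDATES = [f"9999{n:08d}" for n in range(2000)]


def derived_reference_key(aadhaar: str) -> str:
    """Weak design, shown for contrast: the key is a pure function of the number."""
    return hashlib.sha256(aadhaar.encode()).hexdigest()


def random_reference_key(_aadhaar: str) -> str:
    """UUID version 4 as a hex string: 122 random bits, unrelated to the input."""
    return uuid.uuid4().hex


def reference_key_is_recomputable(make_ref, issued_ref, candidates) -> bool:
    """Design check for requirement 12.

    Returns True when a party holding only `issued_ref` can match it by
    re-running the scheme over candidate numbers. A 12-digit number has at
    most 10**12 values, so every deterministic, unkeyed scheme fails this check.
    """
    return any(make_ref(c) == issued_ref for c in candidates)


class ReferenceKeyVault:
    """In-memory stand-in for the vault's reference key mapping (hypothetical)."""

    def __init__(self, index_key: bytes = b""):
        # Assumption: in a deployment this key is generated and kept in the HSM.
        self._index_key = index_key or secrets.token_bytes(32)
        self._ref_by_index = {}   # keyed lookup index -> reference key
        self._record_by_ref = {}  # reference key -> stored record

    def _index(self, aadhaar: str) -> str:
        # Keyed digest so the lookup column does not hold the number itself.
        return hmac.new(self._index_key, aadhaar.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, aadhaar: str) -> str:
        """Return the reference key for a number, issuing one on first sight."""
        if not (aadhaar.isascii() and aadhaar.isdigit() and len(aadhaar) == 12):
            raise ValueError("expected a 12-digit number")
        idx = self._index(aadhaar)
        ref = self._ref_by_index.get(idx)
        if ref is None:
            ref = random_reference_key(aadhaar)
            self._ref_by_index[idx] = ref
            # A real vault stores ciphertext produced under an HSM-held key
            # (requirement 6); encryption is outside the scope of this example.
            self._record_by_ref[ref] = aadhaar
        return ref

    def detokenize(self, ref: str) -> str:
        """Resolve a reference key; raises KeyError for an unknown key."""
        return self._record_by_ref[ref]

    def tokenize_bulk(self, numbers):
        """Bulk variant: one reference key per input, in input order."""
        return [self.tokenize(n) for n in numbers]


if __name__ == "__main__":
    vault = ReferenceKeyVault()
    ref = vault.tokenize(SAMPLE_AADHAAR)
    weak = derived_reference_key(SAMPLE_AADHAAR)
    print("uuid reference key:", ref)
    print("hash-derived key recomputable:",
          reference_key_is_recomputable(derived_reference_key, weak, CANDIDATES))
    print("uuid key recomputable:",
          reference_key_is_recomputable(random_reference_key, ref, CANDIDATES))
```

The same check can be pointed at any proposed reference key scheme during bid evaluation: if it returns True for a scheme, the reference keys alone are enough to recover the numbers.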

General Purpose HSM:

Sr.No. Required Minimum Specifications Bidder's Compliance (Yes/No)

Functional Specifications

1. The HSM solution should ensure high availability with standby appliance at DC & DR via the HSM libraries and HSM should come with minimum 5 client licenses.

Technical Specifications

2. Ability to generate and store at least 800 Private RSA keys (2048 and 4096) onboard on demand and shall be secured inside HSM FIPS 140-2 LEVEL 3 certified memory. The proposed HSM must have 1000 TPS.

3. The proposed HSM should come with minimum 5 partitions and each partition should be protected with unique set of user id and password to grant access as per CCA IVG guidelines.

4. Key Exchange Symmetric Algorithm: AES, Triple DES without any additional license

5. Support for PKCS#11, CAPI, OpenSSL, JCE/JCA and REST API for administration and Hash Message Digest HMAC, SHA1, SHA2 (512) and SM3

6. Support for various cryptographic algorithms: Full Suite B support, Asymmetric Key RSA (1024-4096 bits), DSA, ECDSA, ECDH, Ed25519, ECIES, ECC (No separate license of Algorithm to be charged)

7. Random Number Generation: should be designed to comply with AIS 20/31 to DRG.4 and also compliant to NIST 800-90A, CTR-DRBG

8. HSM should be scalable to support more signatures per second i.e. usable in cluster mode via HSM library internal load balancing within HSM

9. HSM should synchronize the keys in real time between Primary & Backup ADV platforms so as to ensure high availability of the ADV setup at BPCL

NGFW Firewall:

# Firewall Capabilities Bidder's Compliance (Yes/No)

1. Ethernet Interfaces 10/100/1000 – min 4 numbers of 1Gbps Copper ports with Min session of 2 Lac, with Min 2 Number of WAN ports

2. Firewall Throughput - Min 2 GBPS, VPN Throughput - Min 200 Mbps min 10 Tunnels.

3. Configurable WAN/LAN/DMZ ports should be available

4. Firewall must have integrated Bandwidth Management on incoming and outbound traffic

5. Firewall should provide Users & Group wise Bandwidth allocation

6. Firewall must be able to create Bandwidth Policies based on applications, IP address & Users / User Group, support bandwidth management on browsing, for URL, Category & external IP.

7. Firewall should support Guaranteed, shared, protocol based, IP based Bandwidth

8. Intrusion Prevention system should be appliance based.

9. Encryption supported (Blowfish, 3DES & AES) for data exchange.

10. Firewall should have configuration options to prevent all the common DOS and DDOS attacks like syn flood, ICMP flood, UDP flood, Ping of death. Should have prevention option for more than 30 common attacks. Real-time intrusion detection for minimum 5000+ signatures.

11. The proposed solution should provide the capability of complete threat protection, including firewall, gateway anti malware, intrusion prevention system (IPS), URL Filtering and application control and all license must be part of system

12. Firewall should have integrated multiple ISP load balancing and failover for outbound traffic

13. Firewall should support load balancing and failover for minimum 2 WAN links & maximum up to the interfaces available on the appliance.

14. Firewall should be able to detect link failure based on user configurable set of rules based on ICMP and TCP probe.

15. Firewall should be able to do weighted round robin based load balancing of traffic over multiple links

16. Firewall should be able to detect link failure and alert admin on email.

17. Firewall OEM should be ICSA Labs Certified from last 10 years and ISO 9001-2015 & ISO 140001:2015 Certified OEM, Provide latest certificate

Managed Layer 2 Network Switch :

#. Network Switch Capabilities Bidder's Compliance (Yes/No)

1 Switch should be supplied with all the necessary components like Power cord, Rack-mount bracket, Installation Guide, etc. and necessary software image file to fulfil all above mentioned feature set from day 1.

2 Switch with at least 24 X RJ-45 POE + Gigabit Ethernet Ports having 24 x 10/100/1000BASE-T PoE-plus (RJ45) and 4 x 10G SFP+ uplink ports, should have support for 9 switch Stacking with bandwidth of minimum 120 Gbps. Should support min 512 MB internal DRAM, 128 MB internal Flash memory, 32K MAC address, 4k Multicast Routes, should have static Routing from day 1 and upgradable to support OSPF and VRRP with 5 year support.

3 1 U Rack mountable and should provide stacking/uplink of minimum 4 switches with min 100 Gbps of dedicated stacking/ equivalent bandwidth (All the stacking accessories should be included from day 1).

4 240 Gbps or higher Backplane capacity and minimum 90 Mpps of forwarding rate with Non-blocking hardware architecture support

5 All interfaces should provide wire speed forwarding for both Fiber and copper modules

6 Support for at least 2000 VLANs & 32k MAC address and IGMP snooping v1,v2 & v3

7 should support static IP routing and should be upgradable to support OSPF and PIM and support 8 hardware queues per port

8 Dynamic Host Configuration Protocol (DHCP) snooping and support LLDP capabilities

9 Should support IP Source Guard , DAI and IPv6 Security feature like IPv6 RA Guard and IPv6 Neighbour Discovery Inspection

10 Should support Secure Shell (SSH) Protocol and Simple Network Management Protocol Version 3 (SNMPv3).

11 Switch needs to have console port for administration & management supported by CLI, GUI using Web interface

12 FTP/TFTP for upgrading the operating System

13 IEEE 802.1x support, IEEE 802.1D Spanning-Tree Protocol, IEEE 802.1p class-of-service (CoS) prioritization, IEEE 802.1Q VLAN, IEEE 802.3 10BASE-T specification, IEEE 802.3u 100BASE-TX specification

14 Switch should have internal redundant power supply and Hot swappable fans and support Energy Efficient Ethernet

15 SNMP v1, v2, v3 and manageable through both IPv4 & IPv6.

16 Switch should be UL-UL60950-1, FCC Part 15, VCCI Class A, EN 55022, EN 55024, EN 300386, CAN/CSA 22.2 No.60950-1, Reduction of Hazardous Substances (ROHS) certified

17 Switch should be IPv6 Logo Certified and Common Criteria NDPP/NDcPP certified


Key Manager :

Sr. No Required Minimum Specifications Bidder's Compliance (Yes/No)

1. Key Management Platform should be available as both Virtual and physical. The virtual appliance should support VMware, OpenStack, Microsoft Hyper-V or any Enterprise compatible formats

2. Key Manager should support Transparent Encryption for large scale high performance file system encryption - including specific support for Oracle, Teradata, Pure Storage, HADOOP, PostGres, MySQL and many others

3. The System shall support Multi-tenancy using multiple domains, Clustering and high availability and Backup.

4. The system shall never transmit sensitive key material over an insecure channel.

5. The system should support separation-of-duties and policies to be enforced and integrate with existing users and groups from AD and LDAP

6. Platform should support built-in Data Discovery and Classification with both agent as well as agentless discovery of sensitive PII data using pre-built and customized templates including detection of datatypes within images with OCR feature.

7. The Transparent Encryption should not require any downtime while data encryption occurs.

8. The system can be configured to send e-mail notifications to specific addresses when system alarms are triggered and able to trigger automatic notifications for certificate expiry.

9. The system should support REST API Tokens (JWT) that are short lived and are used for accessing the REST API.

10. The solution should support vaulted and vault less tokenization and FPE for Government Identities and PII data.

11. The Virtual Appliance should be able to Integrate with provided HSM to store master key in Hardware Root of trust and should be from same OEM.

12. Should be able to Streamline provisioning of licenses through a licensing portal. The management console should offer better visibility and control of licenses in use.

13. The Solution should have inbuilt data classification capability of classification profile based on current mandates like GDPR, PCI DSS etc

14. The Solution supports capability to protect data through encryption or tokenization using a FIPS 140-2 level 3 compliant solution (provide Certificate).

15. The Solution should support Intelligent Remediation of discovered sensitive data by encryption.

16. The Solution should support agent based and agent less/proxy scanning of large volumes of data, stored on premise. This includes the scanning of local disks, network file shares and big data like Hadoop.

17. The Solution should support capability of PDF exporting of Scanned data report.

18. The Solution should provide the ability to run scheduled scans to automatically classify files and also have option to pause during peak hours of data traffic.

19. The System should support key synchronization across multiple CSP's along with the ability to support automated scheduled key rotation and key expiry via a simple easy to use GUI or REST API.

20. The Platform should support scheduler capabilities for Key rotation, system backup

21. The Solution should support selection of an on premise FIPS 140-2 compliant Key Source for generation, storage and backup of Customer Managed Keys

22. The Solution should support key synchronization along with the ability to support automated scheduled key rotation and key expiry via a simple easy to use GUI or REST API.

Onsite Support by Bidder during AMC period at BPCL:

Successful Bidder shall provide on-site support as and when required by BPCL in case of issues related to hardware, software, configuration, integration, operations, bugs etc. during the warranty and AMC period.

Call logging with back-end support and issue resolution as per SLA timelines (mentioned in later part of document)

Remote OEM support during Warranty period at BPCL:

The OEM should have a facility to log a call using web interface wherein all the support contract details should be linked. This interface should provide the incident number for monitoring the progress of the call/support ticket. The OEM should have flexibility to log the calls using either emails / telephone.

The OEM should provide resolution of any Hardware/software issues, any software configuration issue and provide RCA of software & hardware related issues.

The OEM should have a comprehensive known error database or knowledge database in the form of a web access which is accessible to BPCL team for resolving first level issues. This is not a local database maintained to track incidents. This repository is the knowledge base of all the incidents resolved worldwide by the vendor support teams.

The OEM should proactively notify BPCL about any new releases of patches and firmware for the products covered in the contract and plan with BPCL for the deployment of the same.

OEM should have its own warehouse in India for better support and availability of equipment

In the event of major equipment failure which may lead to business loss for BPCL, OEM should facilitate highest level of expert availability (24x7x365) in India.

Comprehensive Maintenance for all ADV Components:


1. All equipment and materials supplied by the Bidder shall be provided with 5 years warranty against defects of design and manufacturing and against faults and failures associated with workmanship of Bidder and its sub-contractors commencing from the date of operational acceptance of the respective system. Any equipment found to be defective during the period of contract shall be repaired or replaced by the Bidder at no additional cost to BPCL.

2. Bidder shall be responsible for updates and implementation of new versions for any software and operating systems when released by the respective OEM at no additional cost to BPCL during entire duration of contract. Requisite adjustments / changes in the configuration for implementing different versions of system solution and/or its components shall also be done by Bidder at no additional cost to BPCL.

3. The Bidder shall also ensure timely application of patches and updates to the licensed software across appropriate system component software, operating system, databases and other software/applications. Any changes to the software during the period of contract must have been subjected to comprehensive and integrated testing by Bidder to ensure that changes implemented in system meets the specified requirements and doesn’t impact any other functions of the overall system. Issue log for errors and bugs identified in the solution and any change done in solution shall be submitted to the BPCL on a periodic basis.

4. In the event of any defect in the material, the Bidder will replace / repair the material at BPCL’s concerned location at Bidder’s risk and cost on due notice.

5. In case, Bidder does not replace / repair the material on due notice, rejected material will be sent to the Bidder on “Freight to pay” basis for free replacement. Material after rectification of defects shall be dispatched by the Bidder on “Freight Paid” basis. Alternatively, BPCL reserves the right to have the material repaired / replaced at the locations concerned, at the Bidder’s risk, cost and responsibility.

Project Management and Governance

1. Bidder shall be responsible for providing an end to end project management for the implementation and maintenance of Aadhar Vault Solution.

2. The bidder must provide a Project/Delivery Manager who shall be the single point of contact and shall assume overall responsibility of the Project to ensure end to end working of the Project. The Project Manager shall function as the primary channel of communication for all BPCL’s requirements to the implementation team. In case of any absence of the Project Manager (vacation or sickness), the Bidder shall ensure that an alternate project manager shall be provided during the absence period.

3. The schedule shall also capture BPCL and any third-party responsibilities along with the activities in the timeline.

4. Bidder shall conduct daily and weekly meetings between BPCL (and its representative) and the ‘key personnel’ to discuss project progress and implementation at desired location. All key personnel associated with the project shall also be available for meetings whenever asked by BPCL or its representative. BPCL may also request for core

5. Bidder shall also be responsible for effective risk and issue management and escalation procedures along with matrix as part of project management. Bidder shall identify, analyse, and evaluate the project risks and shall develop appropriate strategies and action plan for mitigation of risks. As part of the Project, Bidder shall monitor, report and update risk management plans and shall be discussed during project meetings.

6. Bidder shall prepare minutes of every meeting which takes place and submit to BPCL or its representative for tracking of the Project. Bidder shall propose a suitable progress reporting mechanism for the project duration.

7. All the tools required by Bidder for project management, configuration management, issue and risk management, escalation procedure and matrix document repository etc. shall be factored in the proposal submitted by Bidder.

8. Based on progress reports, Bidder shall also accordingly update the master schedule of work on a continuous basis during the period of the contract.

9. Bidder shall also be responsible for all activities related to Quality Assurance and Control such as adhering to guidelines and standards of quality, compliance with the functional requirements enclosed as part of this RFQ


2.1.3 Service Level Agreement (SLA) and Penalty:

Service Level Agreement (SLA): Mandatory & Non-negotiable

1. Successful bidder must ensure 24 x7 remote support by OEM for all hardware & software issue and it will be the responsibility of the bidder to ensure that BPCL gets all necessary support from the OEM Technical Assistance Centre team to address technical issues for timely resolution.

2. Successful bidder shall ensure onsite availability of its support engineer whenever such presence is warranted in the event of a hardware & software issue.

3. Successful bidder shall ensure response time within 4 hours from the time ticket is logged on OEM support portal in case of any issue related to software configuration

4. The successful bidder must provide Return Merchandise Authorization (RMA) support for replacing the faulty hardware within next business day of any hardware failure once reported.

Implementation, Operation & Maintenance Phase related performance levels:

Columns: # / Service Level Objective / Definition / Target / Penalty as indicated below (per occurrence)

On Site Support

1. Service Level Objective: Delay in Call resolution related to hardware (Firewall, Network, Switch and HSM)
   Definition: Any issue related to hardware replacement
   Target: Resolution of the issue by replacement has to be done by next business day
   Penalty: a) 1.5% per day Quarterly Onsite Support cost up to 10% of Quarterly Onsite Support cost

2. Service Level Objective: Delay in call resolution related to Key Manager Platform and related configuration issues
   Definition: Any issue related to software configuration
   Target: Resolution of issue by rectification has to be done within 4 hours from the time ticket is logged
   Penalty: a) 0.5% per hour delay of Quarterly Onsite Support cost up to 10% of Quarterly Onsite Support cost

Maximum Penalty: Three instances of violations resulting in maximum of penalty of hardware and/ or software as mentioned above, during a year, may result in initiation of action by BPCL for termination of contract by serving 30 days’ notice.

2.2 Delivery & Implementation Schedule

Deliverables in the table below are indicative only and shall be read in conjunction with the Scope of Work section and Standard Form of Contract of the RFQ for detailed requirements. BPCL or its authorized representative reserves the right to ask for additional information, documents and deliverables throughout the Project.


Columns: # / Parameter / Timelines

1. Firewall, Network Switch and HSM delivery and racking, power-on at each location (Mumbai and Noida)
   Timeline: T+ 21 days

2. One-time Implementation ADV Solution including:
   - Architecture design document preparation
   - Firewall, Network switch, including VPN setup for secure communication
   - Central Key manager deployment with all tokenization license deployment and configured
   - Aadhar Data vault configuration and setup
   Timeline: T+ 45 Days

3. One Time Data Migration
   - Database migration completion
   - Data/Files Migration completion
   Timeline: T+ 65 Days

4. On Site Support at both location
   Timeline: (T + 65 day) + 60 Months

Note: T= Date of Indent (LOI) from BPCL

2.3 Payment Terms and Performance Bank Guarantee

To ensure performance of the contract and due discharge of the contractual obligations, the successful contractor will have to provide security deposit of 3% of the basic value of contract unless otherwise specified in the Special Conditions of Contract. Amount received/retained towards this clause will be considered as security deposit.

Payment Terms: The Company, in consideration of the Successful Bidder carrying out and executing the said work to the satisfaction of the Company, shall pay the Successful Bidder as per the said schedule of Rates, subject to deductions, retentions and abatements, if any to be made therefrom in accordance with the provisions of this Agreement after validation of BPCL officer

Payment will be released based on following Cost Heads as per scope and implementation plan:

1. 100% of payment for item 1 to 6 of price bid on successful certification from UIDAI/Meity certified auditor

2. 100% payment for item 7 of price bid on complete Data Migration from On-Prem existing Aadhar Vault to New ADV and testing and verification of availability of data.

3. Support shall be applicable and payment will be done on quarterly basis after successful completion of data migration from existing ADV to new On-Prem ADV.

4. All Licenses required to implement and deliver the solution have to be procured in the name of BPCL.

Payment shall be made within 30 days from the date of receipt and acceptance of the bills. Payment will be made through NEFT mode.

a) The payment will be made against invoices submitted monthly (for implementation phase) or quarterly (post Go-Live phase) and duly approved by a BPCL official.

b) The billing would start from the date of operational acceptance by BPCL.

c) No advance payment shall be made for any activity.

d) The price quoted in the price bid should cover all charges for the deliverables mentioned in the SOW.


e) If the Bidder is liable for any penalty as per the SLA (refer to the related clause of this agreement), the same shall be adjusted from payments due to the Successful Bidder.

f) BPCL will release the payment within 30 days of submission of valid invoice subject to the condition that invoice and all supporting documents produced are in order and work is performed as per the scope of the project and meeting the SLA Criteria. BPCL shall be entitled to delay or withhold the payment of a disputed invoice or part of it delivered by Bidder, when BPCL disputes such invoice or part of it, provided that such dispute is bona fide.

g) Payments would be released by our office at BPEC, KHARGHAR through NEFT. The invoice should be addressed to BPEC.

2.4 Service Level Agreement (SLA) and Penalty

1) Service Level Agreements

SLAs would be applicable for Implementation and Operations & Maintenance (O&M) phases of the project. The penalties applicable for Implementation and Operations & Maintenance Phase of the project shall be on the payment associated with the Implementation and Operation & Maintenance Phases as mentioned in Payment Terms (Annexure 2, clause 2.1.3) of the tender.

2) Service Levels Monitoring

a) Service Level Agreement (SLA) shall become the part of the Contract between the BPCL and the Bidder. SLA defines the terms of Bidder’s responsibility in ensuring the timely delivery of the deliverables and the correctness of the deliverables based on the agreed performance indicators as detailed in this section.

b) The Bidder shall comply with the SLAs to ensure adherence to project timelines, quality and availability of services throughout the duration of the Contract, i.e., during the Implementation Phase and the Operation & Maintenance Phase.

c) The Service Level parameters defined in this section shall be monitored on a periodic basis, as per the individual parameter requirements. Bidder shall be responsible for providing an appropriate format for SLA measurement and monitoring

Implementation Stage: Bidder shall furnish a monthly report containing the summary of delivery against agreed targets along-with any issues, risks, mitigation steps and support required.

Post Go-Live: Bidder shall furnish a monthly report, as well as a quarterly report at the end of every quarter, containing the summary of all incidents reported and associated performance measurement for that period.

BPCL may also appoint an independent technical auditor or third party for monitoring the service levels. Bidder shall be expected to take immediate corrective action for any breach in SLA. In case issues are not rectified to the complete satisfaction of BPCL, within a reasonable period of time defined in this RFQ, then BPCL shall have the right to take appropriate penalizing actions, or terminate the Contract.

d) For the purpose of the SLA, definitions and terms as specified in the document along with the following terms shall have the meanings set forth below:

(i) “Total Time” – Total number of hours in consideration for evaluation of SLA performance.

(ii) “Downtime” – Time period for which the specified services/ components/ system/ equipment become unavailable (due to any reason whatsoever) for business processing to the end user in the concerned period, being considered for evaluation of SLA, which shall exclude downtime owing to Force Majeure and reasons beyond control of the Bidder.

Note 1: Any downtime for maintenance shall be with prior written intimation & confirmation of BPCL.

Note 2: Please note that continuous downtime of every 2 hours (from 7am to 12 midnight) would raise the severity by one level. E.g. the severity level will rise from 0 to 1

Note 3: Please note that continuous downtime of every 4 hours (from midnight to 7am) would raise the severity by one level. E.g. the severity level will rise from 0 to 1

(iii) “Scheduled Maintenance Time” – Time period for which the specified services/components/system with specified technical and service standards are not available due to scheduled maintenance activity. The Bidder shall take at least 15 days prior approval from the BPCL for any such activity. The scheduled maintenance shall be carried out during non-peak hours and shall not exceed more than four (4) hours and not more than four (4) times in a year.

(iv) “Uptime” – Time period for which the specified services are available in the period being considered for evaluation of SLA. Uptime (%) = [1- {(Total Downtime - Scheduled Maintenance Time) / (Total Time - Scheduled Maintenance Time)}]*100.

(v) Penalties shall be applied for each criterion individually and then added together for the total penalty for any particular payment.

(vi) “Incident” – Any event/abnormalities in the service/system being provided that may lead to disruption in regular/normal operations and services to the end user.

(vii) “Response Time” – Time elapsed from the moment an incident is reported to the Helpdesk either manually or automatically through the system to the time when a resource is assigned for the resolution of the same.

(viii) “Resolution Time” – Time elapsed from the moment incident is reported to the Helpdesk either manually or automatically through system, to the time by which the incident is resolved completely and services as per the Contract are restored.

3) Service Level and Penalties

Indicative severity definition has been provided below:

Service Level – Critical: Environment is down, or major malfunction resulting in an inoperative condition or disrupts critical business functions and requires immediate attention. A significant number of end users (includes business users) are unable to reasonably perform their normal activities as essential functions and critical programs are either not working or are not available.

Service Level – Medium: Loss of performance resulting in users (includes public users) being unable to perform their normal activities as essential functions and critical programs are partially available or severely restricted. Inconvenient workaround or no workaround exists. The environment is usable but severely limited.

Service Level – Low: Moderate loss of performance resulting in multiple users (includes public users) impacted in their normal functions.

a) Performance Penalty for not meeting a measurement parameter for any two months in consecutive quarters shall result in twice the penalty percentage of that respective measurement parameter in the third quarter for all the three months

b) Maximum Penalty applicable for any quarter shall not exceed 10% of the ‘applicable fees’ for the respective quarter.

c) Three consecutive quarterly deductions of 10% of the applicable fee on account of any reasons shall be deemed to be an event of default and termination as per RFQ.

d) The payment to the Bidder shall be on Quarterly basis for O&M phase and based on implementation timelines specified in Delivery & Implementation Schedule (section 2.2 of the tender) the penalty shall be calculated on Quarterly basis as per the SLAs stated in the RFP.

4) Measurements and Targets: The SLA metrics provided specifies performance parameters as baseline performance, lower performance and breach. All SLA calculations for Part A shall be as per Delivery & Implementation Schedule (section 2.2 of this tender document) and Part B shall be done on quarterly basis. The SLA also specifies the liquidated damages for lower performance and breach conditions.

a) The SLA parameters shall be measured as per the individual SLA parameter requirements and measurement methods through the system generated reports to be provided by the Bidder and approved and audited by the BPCL or its appointed Consultant or authorized representative for accuracy and reliability.

b) BPCL shall also have the right to conduct, either itself or through any other agency as it may deem fit, an audit / revision of the SLA parameters. The SLAs defined, shall be reviewed by the BPCL on an annual basis after consulting the Bidder and other experts. All the changes would be made by the BPCL after consultation with the Bidder and might include some corrections to reduce undue relaxation in Service levels or some corrections to avoid unrealistic position of liquidated damages, which are noticed after project has gone live.

Implementation, Operation & Maintenance Phase related performance levels:

Each service level below is listed with its number (#), Service Level Objective, Definition, Target and Penalty as indicated below (per occurrence).

Part A: Implementation

1. Service Level Objective: Delay Hardware Delivery and implementation

Definition: Any late delivery which impacts the availability of the solution for the usage to BPCL as per release requirement and deployment scope

Target: Delay in any release >= 7 days for production instance

Penalty (per occurrence):

a) Up to 7 days: 0.5% of respective release of implementation payment

b) >=7 days but <= 15 days: 1% of respective release of implementation payment

c) >=15 days but <= 30 days: 2% of respective release of implementation payment

d) < 30 Days: 5% of respective release of implementation payment

In case the delay is more than 3 months, BPCL reserves the right to terminate the contract

Part B: Operation and Maintenance

Solution Availability

2. Service Level Objective: Availability of application software BPCL DC

Definition: Availability means, the aggregate number of hours in a calendar month during which the application is actually available for use through command line interface, user / admin portal and APIs (which ever applicable)

Target: Application Uptime% >= 99.7% for production instance

Penalty (per occurrence):

a) <99.7% to >= 99.00%: 0.5% of Quarterly Payment (QP)

b) <99.00% to >= 98.50%: 1% of QP

c) <98.50% to >= 98.00%: 2% of QP

d) <98%: 3% of the QP

In case the services are not available for a continuous period of 8 Business Hours on any day, penalty shall be 5% of the QP

In case of <95%, BPCL reserves the right for termination

Support Channels – Incident and Helpdesk

4. Service Level Objective: Response Time

Definition: Average Time taken to acknowledge and respond, once a ticket / incident is logged through one of the agreed channels. This is calculated for all tickets/incidents reported within the reporting month.

Target:

Service level – Critical: 10 Business Minutes

Service level – Medium: 8 Business Hours

Service level – Low: 24 Business Hours

Penalty (per occurrence):

Service level – Critical: 2.5% of QP for every 10 minutes of delay beyond permissible time

Service level – Medium: 10% of QP for every hour of delay beyond permissible time

Service level – Low: 5% of QP for every hour of delay beyond permissible time

5. Service Level Objective: Resolution Time

Definition: Time taken to resolve the reported ticket / incident from the time of logging.

Target:

Service level – Critical: Within 4 hours of request

Service level – Medium: Within 24 hours of request

Service level – Low: Within 96 hours of request

Penalty (per occurrence):

Service level – Critical: 15% of QP for every hour of delay beyond permissible time

Service level – Medium: 10% of QP for every hour of delay beyond permissible time

Service level – Low: 5% of QP per hour for every hour of delay beyond permissible time

Note:

Availability of application software will be dependent on BPCL’s Data Centre services availability. Bidder is not responsible for application non-availability due to unavailability of BPCL DC.

Reporting Procedure: Bidder representative shall prepare and distribute Service level performance reports in a mutually agreed format by the 5th working day of subsequent month. The reports shall include “actual versus target” Service Level Performance, a variance analysis and discussion of appropriate issues or significant events. Performance reports shall be distributed to BPCL management personnel as directed by BPCL. Also, Bidder may be required to get the Service Level performance report audited by a third-party Auditor appointed by the BPCL.

Reports of incidents reported, etc. must be submitted by Bidder on weekly basis.

Post Award of Contract, Bidder and BPCL shall jointly list key (possible) incidents and define criticality levels (High / Medium / Low) for each. These will be signed off by BPCL and shall be used for assessing performance against SLA points 4 and 5 above.

Software solution shall allow for logging complaints / incidents and allow for tracking resolution.


2.5 BPCL’s Minimum IT, Digital Security & Governance Requirements: Successful Bidder must comply with the following

i. The Successful Bidder’s solution shall meet data protection, data privacy and legal requirements in BPCL markets

ii. The bidder’s solution shall be approved by BPCL

iii. Half Yearly Risk Assessment and Compliance: BPCL will get risk assessment carried out by independent 3rd party. Compliance to finding and recommendation of each assessment must be done by the Successful Bidder before the next audit.

iv. Change Management System: All changes must be supported by BPCL’s approval

v. Data Privacy Framework for Enterprise: Data collected must be maintained in conjunction with relevant governmental/state/local laws as applicable as follows:

a. The Indian Penal Code, 1860

o Government of India, Information Technology Act 2000 & IT (Amendment) Act 2008

o The Successful Bidder warrants that BPCL’s data shall be used by the Service Provider solely for the purpose of providing BPCL the scope of services set out in this RFQ document

b. The Successful Bidder warrants that BPCL data shall not be removed from the approved hosting facilities unless with the specific authorization of BPCL or as part of agreed backup procedures

vi. The Successful Bidder warrants that solutions designed including the platform and all its contents including applications and data will be hosted in BPCL approved facilities that conform to BPCL security requirements

vii. Information Classification Framework: BPCL’s approval is required on final data classification. Information must be maintained as per necessary controls for a specific class of information to ensure the confidentiality, integrity and availability.

viii. Cloud Application Security Policy: Successful Bidder needs to provide architecture diagram of proposed service model. Management procedures for governance, operations, security and compliance are to be shared.

ix. Secure Remote Access Methodologies: Details on architecture and process ensuring the Secure Remote Access on need basis to be provided.

x. Application Security Assessment & Compliance Framework: Application security testing and compliance methodologies are to be shared with BPCL. User authentication and access control processes are to be specified and implemented to meet our security requirements.

xi. Security Logs provisioning and Integration with SIEM: Process to ensure that security logs are generated to adhere to the standard process so that it can be integrated with monitoring and incident management system. Method to enable BPCL team to check for compliance and required reports is to be shared.

xii. The Successful Bidder warrants that all staff engaged on the project shall comply with BPCL’s IT, digital security and governance policy requirements and ethical practices

xiii. The Successful Bidder warrants that upon transition or termination of the contract, all the data will be transitioned to BPCL and the Successful Bidder will permanently destroy all data at their end based on mutually agreed terms and conditions

xiv. Compliance to IT Security Policies and Cyber Law: Processes to be used for monitoring the deviations and exceptions, if any, w.r.t. BPCL ISP and Cyber Law (i.e. IT Act 2000/2008) applicable are to be elaborated and shared with BPCL for validation.

xv. Ensuring data security: Successful Bidder needs to prepare a framework and share with BPCL for validation. Framework should entail how data will be secured during storage, transfer and inter-process exchange.


2.5 Architecture Guiding Principles and Standard Protocols

The proposed solution should be designed and implemented as per the following guiding principles as applicable:

1. Architecture -

a. Use of Open Standard for evolving Technology – The application software should be built by leveraging open standards (open API, plug-n-play capabilities)

b. Use of the latest and best available standards to avoid locking in obsolescent technologies.

c. Framework – Service Oriented Architecture (SOA) Framework:

A single unified application software to be built to govern both services and APIs such as REST, SOAP and others, Instruments and legacy systems.

Facilitate integration of the ADV Solution with existing systems prevailing at BPCL as per the RFQ document.

The SOA Policy Manager making it easy to create and apply policies to ensure security, quality, and compliance in platform implementation.

Development and Enablement of APIs, Web Services for integration with external systems and access by external systems

2. Availability - Components of the architecture should be resilient across any software, hardware or network and must provide redundancy and ensure that there are no single points of failure in the key project components.

The solution in its entirety should support SLA as defined in the RFQ scope.

The solution should provide tools or interfaces to facilitate application performance tuning.

The solution should support software upgrades / configuration without impact on availability.

Considering the high sensitivity of the system, the design should be in such a way as to be resilient to technological sabotage.

3. Manageability - Ease of configuration, ongoing health monitoring, and failure detection are vital to the goals of scalability, availability, and security and must be able to match the scalability of the system.

4. Interoperability - Keeping in view the evolving needs of interoperability, especially the possibility that the solution shall become the focal point of delivery of services, and may also involve cross-functionality with other Government projects in the future, the solution should be built on Open Standards. The code should not build a dependency on any proprietary software, particularly, through the use of proprietary ‘stored procedures’ belonging to a specific database product.

The application solution provided by the Bidder must conform to Policy on Open Application Programming Interfaces (APIs) for Government of India and Policy on Open Standards (ref- http://egovstandards.gov.in/frameworkinstitutional-mechanism-and-policies).

In addition, the Bidder’s solution must comply with standards, guidelines and notification published by the Government of India. http://egovstandards.gov.in/guidelines

5. Scalability Requirements:

The solution should be highly scalable to support the current and projected end user and account base volume across the geographical expanse of the country.

The solution should have an architecture that supports scalability beyond the mentioned volumes in the RFQ.

The architecture should be scalable (cater to increasing load of internal and external users and their transactions) and capable of delivering high performance until the system is operational. In this context, it is required that the application and deployment architecture should provide for Scale-Up and Scale out on the Application and Web Servers, Database Servers and all other solution components

The solution should support variations in load patterns based on various factors

The Bidder should provide details on horizontal and vertical scalability and provide details of how this would be implemented for the BPCL.

The Bidder should, as part of the solution architecture documentation provide details of horizontal and vertical scalability.

The system should be scalable and modular enough to cater to future requirements.

6. Standards and Protocols Requirements

The solution should adhere to industry standards and best practices. This is inclusive of all the guidelines contained in the below mentioned:

Digital Preservation Standards: http://egovstandards.gov.in/guidelines

Metadata and Data Standards: http://egovstandards.gov.in/metadata-and-data-standard

Mobile Governance: http://egovstandards.gov.in/mobile-governance

Open APIs/Open Standards: https://egovstandards.gov.in

Information Security: ISO 27001

Service Management: ITSM/ISO 2000 specifications

Information security standards framework and guidelines standards under e-Governance standards (http://egovstandards.gov.in),

Information Security guidelines as published by Data Security Council of India (DSCI) and shall comply with IT (Amendment) Act 2008


Annexure 3: Terms and Conditions of the Contract (Attached)

Annexure 4: Instructions to Bidders

1. All prices quoted should be in Indian Rupees (Rs.)

2. For step by step procedure please visit BPCL E-Proc web site https://bpcleproc.in/EPROC/ and open “Instruction to Bidder” link

3. Interested parties may download the tender from BPCL website (http://www.bharatpetroleum.in) or the CPP portal (http://eprocure.gov.in) or from the e-tendering website (https://bpcleproc.in) and participate in the tender as per the instructions given therein, on or before the “Due Date of the Tender”. The tender available on the BPCL website and the CPP portal can be downloaded for reading purpose only. For participation in the tender, please fill up the tender online on the e-tender system available on https://bpcleproc.in

4. For registration on the e-tender site https://bpcleproc.in, you can be guided by the “Instructions to Vendors” available under the download section of the homepage of the website. As the first step, bidder shall have to click the “Register” link and fill in the requisite information in the “Bidder Registration Form”. Kindly remember your e-mail id (which will also act as the login ID) and the password entered therein. Once you complete this process correctly, you shall get a system generated mail. Log in to the portal using your credentials. When you log in for the first time, system will ask you to add your Digital Signature. Once you have added the Digital Signature, please inform us by mail to the vendor administrator [email protected] with a copy to [email protected] for approval. Once approved, bidders can log in to the system as and when required.

5. As a pre-requisite for participation in the tender, vendors are required to obtain a valid Digital Certificate of Class IIB and above (having both signing and encryption certificates) as per Indian IT Act from the licensed Certifying Authorities operating under the Root Certifying Authority of India (RCIA), Controller of Certifying Authorities (CCA). The cost of obtaining the digital certificate shall be borne by the vendor. In case any vendor so desires, he may contact our e-procurement service provider M/s. E-Procurement Technologies Ltd., Ahmedabad (Contact no. Tel: +91 79 4001 6868) for obtaining the digital signature certificate.

6. Corrigendum/ Amendment, if any, shall be notified on the site https://bpcleproc.in. In case any Corrigendum/ Amendment is issued after the submission of the bid, then such Bidders who have submitted their bids, shall be intimated about the Corrigendum/ Amendment by a system-generated email. It shall be assumed that the information contained therein has been taken into account by the Bidder. They have the choice of making changes in their bid before the due date and time.

7. To maintain secrecy and security of bids and the data exchanged, the system operates with the “Digitally signed Certificate” from buyer as well as seller. Data exchanged in the system shall have double encryption which is enabled by a “Digitally signed Certificate”. This ensures maximum possible security and the bids can be viewed only after the tender opening by BPCL / participating Bidders.

8. As a pre-requisite for participation in the tender, Bidders are required to obtain a valid Digital Certificate of Class IIB and above (having both signing and encryption certificates) as per Indian IT Act from the Licensed Certifying Authorities operating under the Root Certifying Authority of India (RCIA), Controller of Certifying Authorities (CCA). The cost of obtaining the digital certificate shall be borne by the Bidder.

9. Directions for submitting online offers, electronically, against e-procurement tenders directly through internet:

a. Vendors are advised to log on to the website (https://bpcleproc.in) and arrange to register themselves at the earliest, if not done earlier.

b. The system time (IST) that will be displayed on e-Procurement web page shall be the time considered for determining the expiry of due date and time of the tender and no other time shall be taken into cognizance.

c. Vendors are advised in their own interest to ensure that their bids are submitted in e-Procurement system well before the closing date and time of bid. If the vendor intends to change/revise the bid already submitted, they shall have to withdraw their bid already submitted, change / revise the bid and submit once again. In case vendor is not able to complete the submission of the changed/revised bid within due date & time, the system would consider it as no bid has been received from the vendor against the tender and consequently the vendor will be out of contention. Vendors may change / revise the bid any number of times till the due date and time of the submission deadline. However, no bid can be modified after the deadline for submission of bids.

d. Once the entire process of submission of online bid is complete, they will get an auto mail from the system stating you have successfully submitted your bid in the following tender with tender details.

e. Bids / Offers shall not be permitted in e-procurement system after the due date / time of tender. Hence, no bid can be submitted after the due date and time of submission has elapsed.

f. No manual bids/offers along with electronic bids/offers shall be permitted.

10. The entire tender document along with Annexure, Bid Qualification Criteria (if any), Techno-commercial and other Details, Price Bid as well as all the uploaded documents shall form the part of the tender. Offers should strictly be in accordance with the tender terms & conditions and our specifications. Tenderers are requested to carefully study all the documents/ annexure and understand the conditions, specifications etc., before submitting the tender and quoting rates. In case of doubt, written clarifications should be obtained, but this shall not be a justification for request for extension of due date for submission of bids.

11. Earnest Money Deposit (EMD)

11.1. The Bidder shall submit an interest-free Earnest Money Deposit of Rs. 10 lakh (Rupees Ten Lakh only) by crossed account payee Demand Draft drawn on any nationalized / scheduled bank in favor of “BHARAT PETROLEUM CORPORATION LTD” payable at Mumbai. The earnest money can also be deposited in the form of Demand Draft or Bank Guarantee in favour of Bharat Petroleum Corporation Limited or Electronic Funds Transfer to BPCL’s Bank Account (As per Annexure 14)

II. Bank Guarantee (BG) executed by any Scheduled Bank approved by Reserve Bank of India as per the proforma. The BG shall remain valid for a period of six months from the due date of opening the tender. The Bank Guarantee so furnished by the bidder shall be in the proforma prescribed by BPCL.

11.2. EMD should be submitted in physical form in a sealed cover addressed to Team Member (Corporate Strategy), boldly super-scribed on the outer cover:

Tender Name

CRFQ number

Closing date/Time

Name of the tenderer

It should be dropped in the tender box or sent by Registered Post/Courier to the following address so as to reach on or before the due date & time of the tender:

Amit Kumar Team Leader (Vendor Management) – Project Anubhav Bharat Petroleum Corporation Limited, Bharat Bhavan III (2nd Floor), 4 & 6, Currimbhoy Road, Ballard Estate, Mumbai-400001

BPCL will not be responsible for non-receipt of instrument(s) due to postal delay/loss in transit etc.


11.3. Cheques, cash, Money Orders, Fixed deposit Receipts, etc. towards EMD are not acceptable. Similarly, request for adjustment against any previously deposited EMD/Pending Dues/Bills/Security Deposits of other contracts etc. will not be accepted towards EMD.

11.4. Bid received without the EMD is liable to be rejected.

11.5. Units registered with National Small Industries Corporation (NSIC) and/or Micro or Small Enterprises (MSE) are exempted from payment of EMD, subject to:

The unit being registered with NSIC for the item tendered.

Registration certificate being valid as on date of quotation.

Such Bidders must upload a photocopy of valid NSIC Registration Certificate/ Review certificate duly attested by a gazette officer/notarized, (photocopy of application for registration as NSIC or for renewal will not be acceptable) and/or a valid MSE registration with any notified body specified by Ministry of Micro, Small and Medium Enterprises, failing which such bid will be treated as bid received without EMD and liable to be rejected.

11.6. Registration with DGS&D will not entitle the Bidder to claim exemption from payment of EMD.

11.7. EMD is liable to be forfeited (in addition to “Holiday Listing” as applicable in line with clause 36 of Contract Terms and Conditions) in the event of:

Withdrawal of offers during the validity period of the offer.

Non-acceptance of LOI/order, if and when placed.

Any unilateral revision in the offer made by the Bidder during the validity of the offer.

11.8. EMD shall be refunded to all the unsuccessful Bidders after finalization of order on the Successful Bidder.

11.9. EMD shall be refunded to the Successful Bidder upon submission of the entire amount of performance security deposit.

12. If the Bidder intends to change/ revise the bid already submitted, they shall have to withdraw their bid already submitted, change/ revise the bid and submit once again. However, if the Bidder is not able to complete the submission of the changed/ revised bid within due date & time, the system would consider it as no bid has been received from the Bidder against the tender and consequently the Bidder will be out of contention. Bidders may change/ revise the bid any number of times till the due date and time of the submission deadline. However, no bid can be modified after the deadline for submission of bids. Once the entire process of online bid submission is complete, Bidders will get an auto mail from the system stating they have successfully submitted their bid in the following tender with tender details.

13. No responsibility will be taken by BPCL and/or the e-procurement service provider for any delay due to connectivity and availability of website. They shall not have any liability to Bidders for any interruption or delay in access to the site irrespective of the cause. Bidders are advised to start filling up the tenders much before the due date/ time so that sufficient time is available to them to get acquainted with all the steps and seek help if they so require. It should be noted that the bids become viewable only after opening of the bids on/ after the due date/ time. Please be reassured that your bid will be viewable only to you and nobody else (including E-Tendering Service Provider as well as BPCL Officials) till the tender is opened. BPCL and/or the E-Procurement Service Provider shall not be responsible for any direct or indirect loss or damages and/or consequential damages, arising out of the bidding process including but not limited to systems problems, inability to use the system, loss of electronic information etc. No claims on this account shall be entertained.

14. Bid Validity: Tender submitted by Bidders shall remain valid for acceptance for a period of 120 days from the date of opening of the tender (Technical Bid in the case of two-part bid). The Bidder shall not be entitled during the said period of 120 days, without the consent in writing of the Owner, to revoke, or cancel his tender or vary the tender given or any term thereof. In case of Bidder revoking or cancelling his tender, varying any terms in regard thereof without the consent of Owner in writing, appropriate penal action will be taken by BPCL as deemed fit including putting the Bidder/contractor on ‘Holiday listing’/‘Delisting’ barring the Bidder/contractor from participating in future tenders for an appropriate period from the date of revocation/cancellation/varying the terms. Further in the case of contractors who are not registered with BPCL, the earnest money deposited by him will be forfeited. Once the quotation is accepted the rates quoted shall be firm till the entire work is completed.

15. Bidder should complete the entire tender and submit it online

16. The complete process for submitting the bid is as follows:

i. Techno-Commercial Criteria

1. Accept the contents of the following annexures in toto by selecting the appropriate option in the forms provided for this purpose:

a. Terms of Reference - Annexure 2

b. Instructions to Bidders - Annexure 3

2. Proforma of Integrity Pact (IP) has been uploaded as Annexure 5 of tender documents. Bidder shall be required to download and print it such that it is legible. All pages of the printed copy of IP should be duly signed by the authorized signatory and witnessed. Thereafter, that copy should be scanned and uploaded by tenderer along with other bid documents

b) Proforma of Non-Disclosure Agreement (NDA) has been uploaded as Annexure 7 of tender documents. This will be entered into with the successful bidder

3. Upload a scanned copy (in pdf or jpg format) of the following documents.

a. Document as per Annexure 9 against response to BQC, Criteria a, Proven Track Record.

b. Document as per Annexure 10 against response to BQC, Criteria a, Proven Track Record.

c. Copies of audited P & L A/c and Balance Sheet for the last three accounting years preceding the due date of the tender in response to BQC, Criteria b, Financial Capacity

4. Online fill the Holiday listing declaration form

5. Submission of Bid Declaration form as per Annexure 12 (on company letter head) and Annexure 13 on CA letter head (if applicable)

6. Online fill the Nil Deviations form

ii. Quality Score bid

Document as per Annexure 8 and 9 against response to Quality Bid Criteria 1

iii. Price Bid

All bidders shall have to submit the quotes online in the price bid form.

16. ACCEPTANCE OF BIDS BY THE CORPORATION: For qualifying in the Techno-Commercial Bid

16.1 BPCL should have received the Bid Security Declaration

16.2 Bidder should have completed the entire bidding process (as detailed in Annexure 3, clause 15) and the proposal submitted by the Bidder should be in line with Terms of Reference given as Annexure 2.

16.3 Bidder should not have been debarred or holiday listed by BPCL and/or Oil PSEs and/or MOP&NG for a period that is not over as on the due date of this tender.

16.4 The Bidder should not be under liquidation, Court-receivership or similar proceeding.

16.5 Bidder should have submitted the Integrity Pact duly signed and witnessed.

16.6 Bidders should qualify in the BQC and also meet all Technical Requirement as detailed in Annexure 1 above.

16.7 Bidder should not have given any deviation as this is a nil deviation tender.

16.8 Quality Bid (i.e. 2nd Part of the tender) of only those Bidders shall be opened who qualify in the Techno-Commercial Bid. Such bidders shall be required to make a presentation to obtain their Quality Score. For this purpose they may be required to come to BPCL’s office or any other location in India as decided by BPCL. All costs including cost of travel, cost for set up for the demonstration, presentation, etc shall be borne by the Bidder.

16.9 Price bid (i.e. 3rd Part of the tender) of only those Bidders would be opened who obtain a Quality Score of at least 70 marks (out of a total of 100). BPCL will follow the Quality and Cost Based Selection Process (QCBS). The overall evaluation shall carry 80% weightage to Quality Score and 20% weightage to Price Bid. Thereby, the Bidder with the highest score on Quality and Cost based (QCBS) evaluation will qualify as the Successful Bidder.

17. BPCL reserves the right to accept any offer in whole or part or reject any or all offers without assigning any reason. We are also not bound to accept the lowest Bid. Corporation reserves the right to reject any offer which in the opinion of the Corporation is below the normal cost of Containers based on the current cost of inputs.

18. No counter terms and conditions shall be acceptable to us.

19. It shall be understood that every endeavor has been made to avoid error which can materially affect the basis of Tender and the Successful Bidder shall take upon himself and provide for risk of any error which may subsequently be discovered and shall make no subsequent claim on account thereof. No advantage is to be taken either by the Corporation or the Bidder of any clerical error or mistake that may occur in the general specification, schedules and plans.

20. If any of the information submitted by the tenderer is found to be incorrect at any time including the contract period, BPCL reserves the right to reject the tender/ terminate the contract and reserves all rights and remedies available.

21. Bidders are advised not to enclose unwanted and unasked documents with the tender. Any such documents if received shall not be considered.

22. An offer may not be considered, if BPCL is unable to evaluate that offer for want of any Information.

23. Bidders who are MSE’s, MSE’s owned by Women entrepreneurs and MSE’s owned by SC/ST shall be allowed purchase preference as per the government guidelines / instructions on the subject in force from time to time. MSE Participants are required to upload certificate as per Annexure 13 along with copy of MSE certificate.

24. In case a Start-up is interested in supplying a tendered item but does not meet the Pre-Qualification Criteria(PQC)/Proven Track Record (PTR) of prior Turnover norm as indicated in the tender document, the Start-up may write a detailed proposal separately and not against the present tender requirement, to the tender issuing authority about its product. Such proposal should be accompanied by relevant documents in support of Start-ups as under:

I. Certificate of Recognition issued by Department of Industrial Policy and Promotion (DIPP), Ministry of Commerce and Industry, GOI

II. Certificate of Incorporation/ Registration

III. Audited P&L Statement of all the financial years since incorporation

IV. In case where balance sheet has not been prepared, bidder shall submit a certificate in Original from its CEO/CFO stating the turnover of the bidding entity separately for each Financial Year Since incorporation along with declaration stating the reason for not furnishing the audited P&L statement. The Certificate shall be endorsed by Chartered Accountant/ Statutory Auditor.

Annexure 6: Pro forma for Non-Disclosure Agreement (NDA)

NON DISCLOSURE AGREEMENT

This Agreement is made as of the ------------- 2020 between BHARAT PETROLEUM CORPORATION LTD. (BPCL) a Government of India Enterprise, having its registered office and Corporate office at Bharat Bhavan, 4&6, Currimbhoy Road, Ballard Estate, Mumbai -400001 hereinafter referred as First Part which expression shall unless repugnant to the subject or the context mean and include its successors, nominees or assigns and M/s ------------------------------------------------------------------------------- a company incorporated under the Indian Companies Act, 1956, and having its registered office at ------------------------------------------------------------------------------------------ hereinafter called “Second Part” which expression shall unless repugnant to the subject or the context mean and include its successors, nominees or assigns.

Whereas in order to pursue the business purpose of this particular project as specified in Annexure A (the “Business Purpose”), M/s----------------------------------------------------- ----------------------------------------- recognize that there is a need to disclose certain information, as defined in para 1 below, to be used only for the Business Purpose and to protect such confidential information from unauthorized use and disclosure.

In consideration of First Part’s disclosure of such information, Second Part agrees as follows:

1. This Agreement will apply to all confidential and proprietary information disclosed by First part to Second part, including information which the disclosing party identifies in writing or otherwise as Confidential before or within thirty days after disclosure to the receiving party (“Confidential Information”).

Confidential Information consists of certain specifications, designs, plans, drawings, software, prototypes and/or technical information, and all copies and derivatives containing such Information, that may be disclosed to other part by first part for and during the Purpose, which disclosing party considers proprietary or confidential (“Information”). Confidential Information may be in any form or medium, tangible or intangible, and may be communicated/disclosed in writing, orally, or through visual observation or by any other means by other part (hereinafter referred to as the receiving party) by the First Part (hereinafter referred to as one disclosing party). Information shall be subject to this Agreement, if it is in tangible form, only if clearly marked as proprietary or confidential as the case may be, when disclosed to the receiving party or, if not in tangible form, its proprietary nature must first be announced, and it must be reduced to writing and furnished to the receiving party within thirty (30) days of the initial disclosure.

2. M/s --------------------------- i.e. Second Part ----------------------------------hereby agreed that during the Confidentiality Period:

a. The receiving party shall use Information only for the Purpose, shall hold Information in confidence using the same degree of care as it normally exercises to protect its own proprietary information, but not less than reasonable care, taking into account the nature of the Information, and shall grant access to Information only to its employees who have a need to know, but only to the extent necessary to carry out the business purpose of this project as defined in exhibit A, shall cause its employees to comply with the provisions of this Agreement applicable to the receiving party, shall reproduce Information only to the extent essential to fulfilling the Purpose, and shall prevent disclosure of Information to third parties. The receiving party may, however, disclose the Information to its Service Providers and contractors with a need to know; provided that by doing so, the receiving party agrees to bind those Service Providers and contractors to terms at least as restrictive as those stated herein, advise them of their obligations, and indemnify the disclosing party for any breach of those obligations.

b. Upon the disclosing party's request, the receiving party shall either return to the disclosing party all Information or shall certify to the disclosing party that all media containing Information have been destroyed.

3. The foregoing restrictions on each party's use or disclosure of Information shall not apply to Information that the receiving party can demonstrate:

a. Was independently developed by or for the receiving party without reference to the Information, or was received without restrictions; or

b. Has become generally available to the public without breach of confidentiality obligations of the receiving party. The information shall not be deemed to be available to the general public merely because it is embraced by more general information in the prior possession of Recipient or of others, or merely because it is expressed in public literature in general terms not specifically in accordance with the Confidential Information; or

c. Was in the receiving party's possession without restriction or was known by the receiving party without restriction at the time of disclosure and the receiving party declares possession of such confidential information within a day upon such disclosure by the disclosing party; or

d. Pursuant to a court order or is otherwise required by law to be disclosed, provided that Recipient has notified the disclosing party immediately upon learning of the possibility of any such court order or legal requirement and has given the disclosing party a reasonable opportunity and co-operate with disclosing party to contest or limit the scope of such required disclosure including application for a protective order.

e. Is disclosed with the prior consent of the disclosing party; or

f. The receiving party obtains or has available from a source other than the disclosing party without breach by the receiving party or such source of any obligation of confidentiality or non-use towards the disclosing party.

4. Receiving party agrees not to remove any of the other party’s Confidential Information from the premises of the disclosing party without the disclosing party’s prior written approval and to exercise extreme care in protecting the confidentiality of any Confidential Information which is removed, only with the disclosing party’s prior written approval, from the disclosing party’s premises. Receiving party agrees to comply with any and all terms and conditions the disclosing party may impose upon any such approved removal, such as conditions that the removed Confidential Information and all copies must be returned by a certain date, and that no copies are to be made off the premises.

5. Upon the disclosing party’s request, the receiving party will promptly return to the disclosing party all tangible items containing or consisting of the disclosing party’s Confidential Information and all copies thereof.

6. Receiving party recognizes and agrees that all of the disclosing party’s Confidential Information is owned solely by the disclosing party (or its licensors) and that the unauthorized disclosure or use of such Confidential Information would cause irreparable harm and significant injury, the degree of which may be difficult to ascertain. Accordingly, receiving party agrees that the disclosing party will have the right to obtain an immediate injunction enjoining any breach of this Agreement, as well as the right to pursue any and all other rights and remedies available at law or in equity for such a breach.

7. As between the parties, all Information shall remain the property of the disclosing party. By disclosing Information or executing this Agreement, the disclosing party does not grant any license, explicitly or implicitly, under any trademark, patent, copyright, mask work protection right, trade secret or any other intellectual property right. The disclosing party disclaims all warranties regarding the information, including all warranties with respect to infringement of intellectual property rights and all warranties as to the accuracy or utility of such information. Execution of this Agreement and the disclosure of Information pursuant to this Agreement does not constitute or imply any commitment, promise, or inducement by disclosing party to make any purchase or sale, or to enter into any additional agreement of any kind.

8. Disclosing party’s failure to enforce any provision, right or remedy under this agreement shall not constitute a waiver of such provision, right or remedy.

9. This Agreement will be construed in, interpreted and applied in accordance with the laws of India.

10. This Agreement and Exhibit A attached hereto constitutes the entire agreement of the parties with respect to the parties' respective obligations in connection with Information disclosed hereunder and supersedes all prior oral and written agreements and discussions with respect thereto. The parties can amend or modify this Agreement only by a writing duly executed by their respective authorized representatives. Neither party shall assign this Agreement without first securing the other party's written consent.

11. This Agreement will remain in effect for three years from the date of the last disclosure of Confidential Information, at which time it will terminate, unless extended by the disclosing party in writing.

12. With regard to the confidential information of M/s disclosed to BPCL, BPCL agrees to comply with all the obligations of receiving party mentioned in this Agreement.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement by their duly authorized officers or representatives.

M/S ----------------------------- BHARAT PETROLEUM CORPORATION LIMITED

Signature: _____________ Signature: ____________

Printed Name: _________ Printed Name: ___________

Designation: ________________ Designation: _________________

Exhibit A

1. Business Purpose:………………………… …………………………………………………………… …………………………………………………………………………………….

2. Confidential Information of M/s ------------------------------------------------

a. All communication/ information submitted to the BPCL relating to the proposal of M/s _______________ for the purpose of procurement and subsequent integration with existing infrastructure of BPCL, marked as confidential.

3. Confidential Information of BPCL:

a. All details relating to architecture and other Network infrastructure details of BPCL etc.

b. All information shared in oral or in written form by BPCL with M/s------------------------------------------------------------------------------.

c. Any information desired by M/s ----------------------------- shall be justified for.

d. Information downloaded or taken in physical form shall be returned/ destroyed after use and not copied.

e. Draft Technical specifications for the various projects and Tender documents for the same.

BPCL: ___________________ M/s-------------------------------------------

Signed Signed

Annexure 7: Pro forma for Performance Bank Guarantee

(On non-judicial paper of appropriate value)

FOR EARNEST MONEY / SECURITY DEPOSIT TOWARDS PERFORMANCE

To,

Bharat Petroleum Corporation Ltd.

Dear Sirs,

M/s. ____________________________have taken tender for the work _________________ CRFQ No/PO No______________ for Bharat Petroleum Corporation Ltd.

The tender Conditions of Contract provide that the Contractor shall pay a sum of Rs._______________ (Rupees_______________________________) as earnest money/security deposit in the form therein mentioned. The form of payment of earnest money/security deposit includes guarantee executed by Scheduled Bank, undertaking full responsibility to indemnify Bharat Petroleum Corporation Ltd. in case of default.

The said __________________have approached us and at their request and in consideration of the premises we ____________________having our office at ___________________ have agreed to give such guarantee as hereinafter mentioned.

1. We ______________________ hereby undertake and agree with you that if default shall be made by M/s.______________________ in performing any of the terms and conditions of the tender or in payment of any money payable to Bharat Petroleum Corporation Ltd., we shall on demand pay to you in such manner as you may direct the said amount of Rupees_____________________ only or such portion thereof not exceeding the said sum as you may from time to time require.

2. You will have the full liberty, without reference to us and without affecting this guarantee, to postpone for any time or from time to time the exercise of any of the powers and rights conferred on you under the contract with the said_________________________ and to enforce or to forbear from endorsing any power of rights or by reason of time being given to the said which under law relating to the sureties would but for provision have the effect of releasing us.

3. Your right to recover the said sum of Rs. ________(Rupees _________________) from us in manner aforesaid will not be affected or suspended by reason of the fact that any dispute or disputes have been raised by the said M/s._______________________ and/or that any dispute or disputes are pending before any officer, tribunal or court.

4. The guarantee herein contained shall not be determined or affected by the liquidation or winding up, dissolution or change of constitution or insolvency of the said__________________ but shall in all respects and for all purposes be binding and operative until payment of all money due to you in respect of such liabilities is paid.

5. Our liability under this guarantee is restricted to Rupees___________ Our guarantees shall remain in force until ______________unless a suit or action to enforce a claim under ____________________Guarantee is filed against us within six months from_______________(which is date of expiry of guarantee) all our rights under the said guarantee shall be forfeited and shall be relieved and discharged from all liabilities thereunder.

6. We have power to issue this guarantee in your favour under Memorandum and Articles of Association and the undersigned has full power to do under the Power of Attorney dated __________________ granted to him by the Bank.

Yours faithfully

_____________________________Bank by its Constituted Attorney Signature of a person duly authorized to sign on behalf of the bank.

Annexure 8: Response to BQC Criteria A, Proven Track Record

<On TPIA letter head>

To
The Chief General Manager – Project Anubhav
Bharat Petroleum Corporation Limited,
2nd Floor, Bharat Bhavan 3,
Walchand Hirachand Marg, Ballard Estate,
Mumbai – 400001

Dear Sir,

Sub: Statement Pursuant to the Application for RFQ for Selection of Bidder for Supply, Implement and Data migration with maintenance of Aadhar Vault solution

We hereby certify the following as true and correct for Bidder (name) ____________________:

Details of contracts entered into by the company (before Due Date of Submission) along with the original contract values are as follows:

| No. | Client Name | Bidder has carried out Supply, Implement and Data migration with maintenance of Aadhar Vault solution (Y/N) | Date of Contract |
|---|---|---|---|
| 1. | | | |
| 2. | | | |
| 3. | | | |

The aforementioned list is verified against the original documents and found true. Contracts clearly indicate services being rendered by the company and the project period.

For <TPIA>

Authorised Signatory:

Place:_______

Date: _______

Annexure 9: NEFT Mandate Form

Annexure 10: Format for CA certificate for MSE bidders

Date:___________

CERTIFICATE CONFIRMING ELIGIBILITY FOR BENEFITS OF PUBLIC PROCUREMENT POLICY AS PER MSMED ACT 2006

Ref: Tender No………….. for……………………………………………………………

This is to confirm that we have verified the investment limits, turnover and other details of M/s ________ and certify that they satisfy the eligibility criteria as per MSMED Act, 2006 and other notifications/circulars/amendments issued time to time in this regard. Accordingly, M/s _______ is a Micro/Small enterprise (kindly tick in appropriate box) under the said Act and are eligible to claim the benefits of public procurement policy as per MSMED Act 2006 and Public Procurement Policy Order 2012 and their revisions for the tender mentioned above.

Micro enterprise -

Small enterprise -

In case applicable:

Based on our verification of share holding pattern and other details, it is certified that M/s ________ meets the eligibility criteria under SC/ST provision of Public Procurement Policy Order 2012 and other notifications/circulars issued time to time in this regard and are hence eligible to claim benefits pertaining to SC/ST under the Public Procurement Policy Order 2012 and its revision.

In case applicable:

Based on our verification of share holding pattern and other details, it is certified that M/s _________ meets the eligibility criteria under Women Entrepreneur provision of Public Procurement Policy Order 2012 and other notifications/circulars issued time to time in this regard and are hence eligible to claim benefits pertaining to Women Entrepreneur under the Public Procurement Policy Order 2012 and its revision.

(Membership No. of CA along with certification / stamp)

Annexure 11: OEM/ISV Declaration Form

(This form has to be provided by the OEMs of the hardware proposed (Firewall, Network Switch, G-HSM, Key manager platform). This letter of authority should be on the letterhead of the manufacturer and should be signed by a person competent and having the power of attorney to bind the manufacturer.)

Date:

To
The General Manager - Corporate Strategy
Bharat Petroleum Corporation Limited,
2nd Floor, Bharat Bhavan 3,
Walchand Hirachand Marg, Ballard Estate,
Mumbai – 400001

Subject: Manufacturer Authorization Form / OEM Declaration Form

Ref: CRFQ No. XXXXXXXXX dated XXXXXXX

Dear Sir,

Subject: Manufacturing Authorization Form for Tender no XXX, CRFQ No. XXXXXXX

We _____________________ (name and address of the OEM) are established and reputable manufacturers of_______ (List of Goods) having product development centres at the locations__________ as per list attached. M/s ____________ (Name and address of the Bidder) is authorised to bid for the product/services offered by us and is an Authorized Partner / Distributor.

I/we hereby certify that the products or technology proposed in the RFQ is not end-of-life as well as end-of-sale and we hereby undertake to support these equipment / software / service for the duration of minimum 5 years from the date of submission of bid. We confirm and undertake that OEM is present in India since last 5 years (Certification on incorporation attached).

I/we hereby declare that we are confirming and adhering to full compliance towards all the technical and functional requirements mentioned in XXXXXXX Section 2.1 under Annexure 2 of the tender with CRFQ No. XXXXXXXXX. I/we hereby also declare that our full support is extended to them in all respects for supply and installation for our product.

We have not been blacklisted by any State / Central Government Department or Central /State PSUs.

I/we hereby declare that the details furnished above are true and correct to the best of my/our knowledge and belief and I/we undertake to inform you of any changes therein, immediately. In case any of the above information is found to be false or untrue or misleading or misrepresenting, I/we am/are aware that I/we may be held liable for it and BPCL has the right to reject the offer in full or part without assigning any reasons, whatsoever.

Thanking you, Yours faithfully,

(Signature) For and on behalf of: _________ (Name of the OEM)

Authorised Signatory

Name:

Designation:

Note: this letter of authority should be on the letterhead of the OEM and should be signed & stamped by Legal Officer / HR Head / Company Secretary / authorized signatory of OEM Company.