Tender Notice for Provision of Vulnerability Assessment & Penetration Testing (VAPT) and Data Protection Impact Assessment (DPIA) Services

Prime Insurance Ltd

Prime Insurance Limited is a licensed general insurance company, established in 1995 by Rwandan investors and authorized by the National Bank of Rwanda (BNR).

OPEN TENDER – REQUEST FOR BIDDERS (RFB)

Provision of Vulnerability Assessment & Penetration Testing (VAPT) and Data Protection Impact Assessment (DPIA) Services

For Prime Life Insurance Ltd & Prime Insurance Ltd

Tender Reference No.: 002/PLI/PI/ICT/OT/2025/11
Tender Type: Open Tender
Issue Date: November 26, 2025
Closing Date & Time: December 04, 2025 @ 15:30

1. Background

Prime Life Insurance Ltd and Prime Insurance Ltd (hereinafter referred to as “the Companies”) are regulated financial institutions operating under the laws of the Republic of Rwanda. In line with regulatory requirements, cybersecurity best practices, and data protection obligations, the Companies invite eligible and qualified bidders to submit proposals under this Open Tender for the provision of one (1) Vulnerability Assessment & Penetration Testing (VAPT) and one (1) Data Protection Impact Assessment (DPIA).

This engagement is in compliance with:

  • National Bank of Rwanda (BNR) Cybersecurity Regulation
  • Rwanda Data Protection and Privacy Law (Law No. 058/2021)
  • ISO/IEC 27001, 27005
  • PRIME IT Policies

2. Scope of Services

The successful bidder shall provide the following professional services:

2.1 Vulnerability Assessment & Penetration Testing (VAPT) – One (1) Engagement

  • External and internal network vulnerability assessment
  • Web application security testing
  • Server, database, and perimeter security testing
  • Manual and automated penetration testing
  • Risk rating and exploit validation
  • Detailed technical report with:
    • Identified vulnerabilities
    • Risk severity (CVSS scoring)
    • Impact analysis
    • Remediation recommendations
  • Executive management summary

2.2 Data Protection Impact Assessment (DPIA) – One (1) Engagement

  • Assessment of personal data processing activities
  • Identification of privacy risks to data subjects
  • Evaluation of:
    • Lawfulness
    • Purpose limitation
    • Data minimization
    • Storage limitation
    • Security safeguards
  • Compliance check with:
    • Rwanda Data Protection Law
    • Sectoral regulatory requirements
  • DPIA report including:
    • Risk register
    • Mitigation measures
    • Residual risk assessment
    • Compliance recommendations
  • Final management presentation

3. Deliverables

The bidder shall provide:

  • Comprehensive VAPT Technical Report
  • VAPT Executive Summary
  • Comprehensive DPIA Report
  • DPIA Risk Assessment Matrix
  • Final Presentation to Management
  • All reports to be delivered in both soft copy and signed hard copy

4. Engagement Period

  • The total engagement period shall not exceed 15 working days from contract signing.
  • Proposed timeline must be clearly indicated in the financial proposal.

5. Bidder Eligibility & Qualification Requirements

Bidders must submit:

  1. Valid RDB Company Registration Certificate
  2. Valid Tax Clearance Certificate
  3. At least three (3) similar VAPT and/or DPIA assignments in the last five (5) years
  4. Profiles and professional certifications of the proposed consultants, such as:
    • CEH, OSCP, CISSP, CISA (for VAPT)
    • CDPSE, DPO Certification, ISO 27701 Lead Implementer, CIPP/E (for DPIA)
  5. Methodology and tools to be used
  6. Non-blacklisting declaration
  7. Evidence of professional indemnity insurance.

6. Financial Proposal Requirements

The financial proposal must clearly indicate:

  • Cost for one (1) VAPT
  • Cost for one (1) DPIA
  • Applicable taxes (VAT)
  • Total price (VAT exclusive & inclusive)
  • Payment terms
  • Validity of the financial offer (minimum 90 days)

7. Confidentiality & Data Protection

  • All information accessed during the assignment shall be treated as strictly confidential.
  • The bidder shall sign a Non-Disclosure Agreement (NDA) prior to engagement.
  • No test data or reports shall be shared with third parties without prior written consent of the Companies.

8. Evaluation Criteria

| Criteria | Weight |
|---|---|
| Technical Methodology & Approach | 20% |
| Consultant Qualifications & Experience | 20% |
| Financial Offer | 40% |
| Firm Experience & Regulatory Understanding | 20% |
| Total | 100% |

9. Submission Requirements

Bidders must submit:

  • One (1) Technical Proposal
  • One (1) Financial Proposal
  • Both sealed and clearly marked

Submissions must be addressed to:

Prime Life Insurance Ltd & Prime Insurance Ltd

MIC Building, KN2 Av, Kigali – Rwanda

Second Floors

002/PLI/PI/ICT/OT/2025/11
Provision of Vulnerability Assessment & Penetration Testing (VAPT) and Data Protection Impact Assessment (DPIA) Services
Do Not Open Before: December 4th 2025 @ 15:30 

Late bids will not be accepted.

Submission deadline: 04-December-2025 15:30

Late submissions shall not be accepted.

Clarifications

All clarification requests must be submitted in writing to:

Dieudonné UWAMBAJIMANA, dieudonne.uwambajimana@prime.rw, 0786 138 376

Note: PRIME INSURANCE LTD and PRIME LIFE INSURANCE LTD reserve the right to accept or reject any bid, in whole or in part, without providing reasons, and to annul the tender process at any stage before contract award.

Col (Rtd) Eugene M. HAGUMA
Chief Executive Officer
PRIME INSURANCE LTD

HABARUREMA Innocent
Chief Executive Officer
PRIME LIFE INSURANCE LTD
