Owner: Chief Operating Officer (COO) and Head of Procurement
Co‑Owners: CISO, DPO, GC, Finance Controller, Regional Operations Leads
Review cadence: Quarterly (and upon material law/market change)
Purpose. Establish a single, conservative procurement and third‑party risk framework across all regional operators, NatCos, and Program SPVs. Goals: value for money, integrity, security, privacy, and continuity. This Annex integrates with: Annex A (Competition), Annex B (Regulatory Perimeter), Annex C (Privacy), Annex D (SDZ/Transfers), Annex E (Security/SLSA/SBOM), Annex F (IR/VM), Annex G (OSS/IP), Annex H (Trademarks).
1) Scope & Equal‑Treatment Baseline
Applies equally to all regions (APAC, Middle East, East Africa, Southern Africa, EU/France, USA, Canada, Brazil/LatAm, Senegal/West Africa, Switzerland/GRF). Where host‑country rules or donor conditions are stricter, the most restrictive applies. Competition hygiene in Annex A is mandatory in all market engagements.
2) Roles & Governance
- Procurement (Owner): Runs sourcing, RFPs, contracting, and vendor register; enforces thresholds.
- PVAS Board (cross‑functional): COO (chair), CISO, DPO, GC, Finance, Regional Lead(s). Approves critical vendor onboarding, exceptions, and sanctions.
- Business Owner: Defines need, budget, and performance KPIs; sponsors vendor performance reviews.
- CISO/DPO/GC: Approve security/privacy/legal schedules; vet DPAs, SDZ clauses, and licensing.
- Finance: Creditworthiness checks; payment terms; fraud controls.
3) Sourcing Thresholds & Methods
| Estimated Total Contract Value (12‑month equivalent) | Method | Minimum Competition | Approvals |
|---|---|---|---|
| ≤ USD 10k | Micro‑purchase | 1 quote; catalogue/price list OK | Business Owner + Procurement log |
| > USD 10k – 100k | Informal bidding | 3 written quotes (like‑for‑like) | Procurement + PVAS Board note |
| > USD 100k – 1M | RFP/RFQ | Open or invited; ≥ 3 qualified bids | PVAS Board approval |
| > USD 1M or Critical | Formal RFP with weighted criteria | Open competitive; conflict declarations; probity advisor optional | PVAS Board + Board/ExCom sign‑off |
Exemptions (sole source, emergencies, strict compatibility, regulated Provider‑of‑Record): document justification, market scan, and PVAS Board approval.
4) Category & Criticality Tiering
- Tier 1 – Critical: Services or suppliers whose failure halts core operations, impacts sovereignty/privacy (SDZ), or triggers regulator/customer obligations (e.g., cloud, identity, payment PoR, core data pipelines).
- Tier 2 – Important: Material business impact but with workarounds (e.g., analytics, support vendors, training, non‑core software).
- Tier 3 – Standard: Low impact, easily substitutable (commodities, office supplies).
Risk lenses: Information Security, Privacy, Business Continuity, Legal/Regulatory, Financial, Reputational, ESG/ethics.
5) Vendor Accreditation — Minimum Entry Checks (PVAS)
Integrity & Legal
- Beneficial ownership disclosure; certificate of incorporation; sanctions/PEP screening; adverse media; litigation checks; anti‑bribery/anti‑corruption policy; conflicts of interest declaration.
- For regulated partners (Annex B): licence numbers, supervisor details, and Partner‑of‑Record confirmation.
Security (Annex E linkages)
- Tier 1: SOC 2 Type II or ISO 27001 (or roadmap), pen‑test report ≤12 months, vulnerability SLAs, incident notice ≤24h, secure SDLC attestations (SLSA level targets).
- All software vendors: SBOM (SPDX/CycloneDX) for each major release; code signing; provenance attestations.
- Cloud/hosting: region residency controls, BYOK/HYOK support, audit logs, CIS benchmarks.
Privacy (Annex C/D linkages)
- DPA signed; RoPA entries; DPIA triggers assessed; cross‑border transfer tools (SCCs/IDTA/TIAs) where applicable; SDZ compute‑to‑data compliance; no PII used in lower environments.
Financial
- Audited financials or equivalent; credit check; tax compliance; insurance certificates (GL, Cyber, PI/E&O) with minimum cover for Tier 1.
Sustainability & Labour
- ESG/modern‑slavery statement where applicable; EPR/environmental compliance for hardware; supplier code of conduct acceptance.
6) RFP/RFQ — Standard Content & Weighting
- Pack: Statement of Work, technical specs, service levels, data flows, SDZ residency, privacy & security schedules, competition hygiene statement, evaluation criteria/weights, submission format, timeline, Q&A process.
- Typical weights: Price (25–35%), Technical fit (25–35%), Security/Privacy (20–25%), Delivery/Experience (10–15%), ESG/Local value (5–10%).
- Evaluation: Scored by panel; conflict declarations; minutes; consensus + recommendation memo to PVAS Board.
7) Contracting Standards (Schedules & Clauses)
- Master Services Agreement (MSA) + SOW with:
– Security Schedule (controls, SBOM, SLSA, vuln SLAs, pen‑test cadence, incident reporting).
– Privacy/DPA (lawful basis, DSR support, transfers, breach clocks).
– SDZ & Residency Schedule (compute‑to‑data, key custody, disconnect rights).
– Regulatory Perimeter Schedule (roles, PoR obligations, status disclaimers).
– IP & OSS Schedule (license terms, inbound=outbound, third‑party licensing, no contamination).
– Business Continuity/DR (RTO/RPO, backup/restore tests).
– Service Levels & Credits (availability, support response/restore times, data quality).
– Audit & Right to Test (incl. SOC/ISO reports, on‑site with notice, remediation timelines).
– Change Control (CAB for material changes; scope creep guardrails).
– Sub‑processors (approval and flow‑down obligations).
– Termination/Exit (data return/deletion, escrow, transition assistance).
– Ethics & ABAC (anti‑bribery, gifts/hospitality thresholds, whistleblowing).
– Competition Hygiene (no coordination on prices/capacity; clean‑team rules when needed).
8) Service Levels — Minimums (illustrative)
| Area | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Availability (monthly) | ≥ 99.9% | ≥ 99.5% | Best‑effort |
| Incident notify | ≤ 24h (P0) | ≤ 48h | 72h |
| Response/Restore (P0) | 15m/4h | 1h/8h | N/A |
| Backup frequency | Daily | Weekly | N/A |
| DR test | Semi‑annual | Annual | N/A |
Vulnerability SLAs: as per Annex E/F (P0 mitigate ≤72h, patch ≤7d; P1 patch ≤14d; etc.).
9) Ordering, Receipting, & Payment Controls
- POs required for all spend except micro‑purchases; 3‑way match (PO‑receipt‑invoice); segregation of duties.
- Payment terms: Net 30–45 standard; early‑pay discounts encouraged; no cash; bank account verification; anti‑fraud controls (call‑back, allow‑listed beneficiaries).
- Currency/Tax: Jurisdictional tax compliance; WHT and VAT/GST treatment; e‑invoicing where mandated.
10) Performance Management & Monitoring
- QBRs (Quarterly Business Reviews) for Tier 1/2 vendors; track KPIs: SLA attainment, incidents, security findings, DSR handling, audit outcomes, delivery quality, roadmap adherence, ESG metrics.
- Scorecards with colour‑coded ratings; improvement plans for amber/red; escalation to PVAS Board for sustained under‑performance.
- Continuous Monitoring: Attack‑surface scans, breach intel feeds, sanctions list updates, financial health watch.
11) Changes, Substitutions & Sub‑processors
- Change requests via formal process; re‑assess risk; update schedules.
- Substitutions require Procurement + Business Owner approval.
- Sub‑processors must be pre‑approved; the vendor must flow down all obligations (security, privacy, SDZ, audit rights) to them.
12) Offboarding, Exit & Escrow
- Trigger events: end of term, convenience termination, cause (breach, insolvency, sanctions), performance failure.
- Exit plan: Data return/deletion certificate; revoke access; rotate credentials/keys; reassign tickets; transition assistance; decommissioning checklist.
- Escrow: For critical software, require code escrow and annual restore tests (see Annex D §8).
13) Records & Transparency
Maintain: vendor register (tiering, licences, contacts), competition files (agendas, minutes), due‑diligence packs, signed contracts/schedules, POs/invoices, performance scorecards, audit reports, exceptions/waivers, and offboarding certificates. Retain ≥ 7 years or per law/donor.
14) Exceptions & Waivers
Document in PVAS Exception Register with justification, alternatives considered, risk controls, expiry date, and approval by PVAS Board (and Board/ExCom for Tier‑1 deviations).
15) Training & Ethics
- Annual procurement integrity training (conflicts, gifts/hospitality, ABAC, bid‑rigging red flags) and competition hygiene refreshers.
- Security/privacy awareness for requestors and vendor managers; RFP panel briefings before evaluations.
16) KPIs & Reporting (Quarterly)
- Competitive sourcing rate (% above threshold competed).
- Savings vs. budget; TCO variance.
- Vendor tier distribution; critical vendor concentration index.
- SLA attainment; aged security findings; SBOM coverage; % vendors with current SOC/ISO.
- DSR response timeliness (where vendor involved).
- On‑time delivery; dispute resolution time; exception count.
17) Effective Date & Governance
Adopted by the Board(s) of all regional operators on [●] and incorporated by reference into Charters/Bylaws and all contracts. Class B to amend/strengthen; Class A to weaken thresholds or remove security/privacy schedules.
Appendices (Templates)
Appendix I‑1 — RFP Checklist (one‑page)
- SoW & tech specs; evaluation weights; SDZ residency; Security Schedule; DPA; Regulatory Perimeter; draft MSA terms; pricing sheet; bid form; Q&A dates; anti‑collusion declaration; conflict disclosure; submission instructions.
Appendix I‑2 — Integrity Due‑Diligence Questionnaire (IDDQ)
- Ownership; officers; sanctions/PEP; litigation; ABAC policy; code of conduct; ESG/modern‑slavery; tax compliance; references.
Appendix I‑3 — Security & Privacy Schedule (Minimums)
- SOC2/ISO; pen‑test cadence; vuln SLAs; incident reporting; SBOM & provenance; logging; residency; key custody; DSR support; transfer tools; breach clocks.
Appendix I‑4 — SBOM & Supply‑Chain Attestation
- SPDX/CycloneDX required per release; signing/provenance; third‑party licenses; vulnerability disclosure policy link; contact for advisories.
Appendix I‑5 — Vendor Performance Scorecard (QBR)
- SLA, incidents, security findings, privacy/DSR, delivery, roadmap, ESG, customer satisfaction; RAG status; actions & owners.