Conditions of participation
The below are mandatory requirements to bid and deliver the project (extract from ITT Documentatio):
- Ensure you are registered on the Central Digital Platform (https://supplierregistration.cabinetoffice.gov.uk/faq/en_GB/Central_Digital_Platform) and complete all relevant sections, we are not able to award to a company who are not on the CDP.
1. Single partner commitment: must act as a single partner for CMS, hosting, website design and build, integrations, migration, training and service, as set out in the brief?
2. Any Subcontractors must have the same levels as the main contractor and be able to provide evidence if asked, therefore they must have the valid levels at time of being included in the bid. (All DP questions must be answered from the perspective of the Bidder and any sub subcontractor where relevant).
3. Proposed CMS must operate as a fully managed, cloud‑native SaaS platform and not a self‑hosted or developer‑maintained system such as Drupal, Umbraco, WordPress, Joomla, or any CMS that requires the University to install, host, patch, upgrade, or technically maintain the platform.
4. Mandatory System Integrations: proposed solution must support mandatory API-based integration with all of the following University systems:
CRM: Azorus
Course Records: SITS Tribal (cloud‑hosted)
Research Profiles: Symplectic Elements
Intranet: Microsoft SharePoint
Identity: Microsoft Entra ID
5. Scope of requirements: proposed solution must fully meet the scope of requirements outlined in the briefing document (avialable free of charge n the etendering portal)
6. Architecture & Platform Options: solution must offer both a Headless CMS capability and a traditional enterprise CMS option
7. Non‑Production Environments: dedicated development, test/staging and production environments, including seeded test data for validation and training must be included.
8. Structured Content & Workflows: CMS support structured content types, governed components, draft/review/approval workflows, scheduled publishing, and full audit trails
9. Migration Safety & SEO Protection: structured migration approach (audit → prune → rewrite → redirect) — not lift‑and‑shift — including full 301 redirect mapping, parallel‑run and rollback protections to safeguard rankings, link equity and user journeys? Must have proven experience of delivering complex, content‑heavy website migrations.
10. Accessibility (WCAG 2.2 AA Minimum): website, components and templates delivered to WCAG 2.2 AA compliance at minimum, with CI‑driven checks and periodic expert audits, and with AAA targeted where feasible.
11. Mobile Responsiveness: support full mobile, tablet and desktop responsiveness across all key breakpoints and devices.
12. Security Assurance: conduct regular vulnerability assessments and penetration testing aligned to OWASP Top 10, supported by a documented incident response plan.
13. Operational Reporting & Alerts: provide operational and governance reporting (accessibility issues, broken links, content expiry, overdue reviews, workflow queues, editor activity) as well as automated alerts for downtime, publishing failures and integration errors.
14. Relevant Delivery Experience: must have delivered at least two platform upgrades of comparable complexity within the last three years (Higher Education or commercial).
15. Delivery Capacity: have capacity to commence delivery in 2026 and meet a full implementation schedule culminating in a go live by end of January 2027. In‑house capacity, resourcing and processes to directly manage the full content migration without operational dependency on the University.
16. Contractual Documents (GTCs & DSA): Expected GTCs and DSA have been provided for information in the tender pack. The successful supplier will be required to complete these prior to contract award.
17. GDPR & Data Protection Compliance: comply with GDPR, including consent and cookie tracking, data minimisation, retention and deletion practices, data subject rights (DSR) processes, and relevant documentation.
18. Data Residency (UK & EEA Only): confirm that all personal data will be stored and processed exclusively within the UK and EEA.
19. Data Security: Bidders (and any subcontractor) must hold a current and valid certification for ISO27001, Cyber Essentials (Plus preferred), or an equivalent recognised standard.