TERMS OF REFERENCE: Strengthening and Upgrading YUWA’s Digital Infrastructure

TERMS OF REFERENCE

Strengthening and Upgrading YUWA’s Digital Infrastructure

INTRODUCTION

Established in 2009, YUWA is a registered not-for-profit, youth-run and led organization working to promote youth participation through empowerment and advocacy. YUWA has three core thematic areas: Sexual and Reproductive Health and Rights (SRHR), Active Citizenship (AC), and Research Unit. This Terms of Reference (ToR) outline the requirements for enhancing YUWA’s digital infrastructure to address current security threats and future-proof its existing platforms.

BACKGROUND

Following a recent cyberattack on YUWA’s e-learning platform, critical vulnerabilities were identified that raised serious concerns about the security and resilience of our digital infrastructure. Given our work on sensitive issues such as gender, SRHR, and young people’s rights, we handle personal and sensitive information. It is identified that we must take immediate steps to safeguard our platforms and data.

To ensure stronger security, service continuity, and long-term sustainability, we are planning to restructure our digital infrastructure. This includes moving away from outdated systems and developing a more secure, scalable, and resilient infrastructure. YUWA currently has four different platforms (YUWA website, e-learning course, Know Your Body and Gaming Platform) and the scope of this work is across all of these four platforms. We also aim to make our websites more inclusive, easy to navigate, youth friendly and accessible to people with disabilities.

OBJECTIVES

To strengthen and upgrade all four platforms for YUWA’s digital infrastructure with a focus on:

• Enhancing cybersecurity and preventing future breaches
• Implementing platform segregation to isolate each platform
• Improving deployment pipelines for rapid response and updates
• Providing a secure and scalable foundation for future upgrades
• Making all platforms interactive, youthful and accessible and people with disabilities friendly. 

SCOPE OF WORK

Phase 1: Critical Security and Infrastructure Enhancements

1. Conduct a comprehensive security audit and vulnerability assessment across all four independent digital platforms.
2. Containerize all existing applications (WordPress, Laravel-based platforms)
3. Establish automated CI/CD pipelines for rapid and secure deployment.
4. Segregate each platform on isolated servers/environments to minimize cross-platform risks.
5. Harden current installations (e.g., WordPress) by updating software, removing unused plugins, and applying best practices.
6. Document all infrastructure, system architecture, and deployment pipelines.
7. Having accessible features across all platforms.
8. SEO Optimization
9. Analytics and Insights
10. Preservation of all current website content, data and necessary functionality.

E-learning Site focused enhancements

• Focus on relaunching e-learning platform first
• Dynamic Certificates
• Course Progress Tracker
• Dynamic Course Catalogue (being able to add and remove courses)
• Secure Backend with Data protection
• Proper data storage and protection of all logged in user

Knowledge Transfer and Training

• Provide user documentation and provide training sessions for YUWA’s team (especially the focal person) on CI/CD processes, container management, and basic maintenance.

Phase 2 (for in-kind continued support for at least a year)

1. Rebuilding platforms using a modular microservices architecture.
2. Migration to a headless CMS alternative to WordPress.
3. Redesign of front-end interfaces.
4. Assist with content updates when changes cannot be made through website’s backend interface.

DELIVERABLES

1. Security Audit Report of all Platforms (YUWA website, e-learning course, Know Your Body and Gaming Platform)
2. Containerized versions of all current platforms.
3. Functional CI/CD pipelines integrated with version control.
4. Isolated environments for each application.
5. Transition from WordPress to a more secure language.
6. Fully functional secure e-learning platform.
7. Accessibility features across all websites.
8. Infrastructure and deployment documentation (PDF + source files).
9. Minimum 2 training sessions for staff (could be virtual).
10. Provide maintenance and rollback procedure guidelines.
11. Website hosting.
12. Provide annual and detailed reports analyzing progress, trends, and areas to be improved. The reports should also include comprehensive and cumulative figures. 

REPORTING

The selected firm/consultant will work closely with the Communications, Documentation, and Learning Officer (CDLO), Ms. Sukriti Tandon and will report to both CDLO and YUWA’s President, Sanskriti Pandey. Regular check-ins will be scheduled to ensure alignment on milestones and deliverables.

INTELLECTUAL PROPERTY OWNERSHIP

YUWA will retain full ownership of all code, documentation, designs, and assets developed under this project.

MINIMUM QUALIFICATIONS FOR SELECTED COMPANY

• Must have a Cyber Security Expert on the team.
• Must use containerized setups for platform deployment.
• Must implement an automated CI/CD pipeline.
• Must have a WordPress/PHP specialist for ongoing support.
• Must offer an alternative modern headless CMS.
• Must have TypeScript-based development expertise.
• Must have completed at least one cyber security-related project in the last 12 months.
• Must have a keen eye for detail and be able to spot inconsistencies or errors in their designs.

REQUIRED DOCUMENTS

• Financial Proposal (detailed budget in NPR, inclusive of all taxes)
• Technical Proposal which also includes portfolio of their relevant work
• CV of Team Members
• VAT Registration, Company Registration, and Latest Tax Clearance Certificates (firms/companies)
• A copy of the latest audited financial reports
• A list of relevant previous work

EVALUATION PROCESS AND CRITERIA

The criteria presented below have been tailored to meet the requirements of this assignment. A total of 100 points are possible for all components of the proposals. The relative importance of each criterion is indicated by approximate weight points.

In evaluating the proposals, the YUWA will examine overall merit and feasibility as well as specific criteria relevant to each component as elaborated below. Up to one subcontract will be made to the overall highest scores of the bidder responsible.

CONFLICT OF INTEREST

Bidders must provide disclosure of any past, present or future relationships with any parties associated with the issuance, review or management of this assignment and anticipated contract. Failure to provide full and open disclosure may result in the YUWA having to re-evaluate the selection of a potential bidder.

ESTIMATED BUDGET

The budget will be determined during the contracting phase and final negotiations and Payment will be made in tranches aligned with deliverables and timeline milestones.

DURATION OF CONTRACT

The anticipated period of performance is 2 months effective from June 15, 2025, and expected to conclude by August 15, 2025.

TYPE OF CONTRACT TO BE ISSUED

The YUWA will determine the appropriate contract mechanism, in consultation with the bidder during the negotiation process.

APPLICATION PROCEDURE

Interested and qualified Nepalese firm or organization or company must be submitted their final proposals (including a technical, estimated budget and all required documents) electronically before/by 5 PM, Sunday, June 8, 2025, to application@yuwanepal.org with the subject line "Proposal for Strengthening and Upgrading YUWA’s Digital Infrastructure"

All questions and other communications regarding this assignment should be submitted in writing to application@yuwanepal.org . Written responses to questions will be made available before/by 5 PM local time on June 6, 2025. to all parties.

Note: - Incomplete or late proposals will be marked as such and will be ineligible for review or contract; however, the YUWA reserves the right to accept and include incomplete or late proposals in the review and contract process when it is considered within the best interest of the YUWA to do so. Proposals that are submitted late or incompletely run the risk of not being considered for review.