RFP#29: API Management Platform, Implementation and Support Services

Location: Islamabad



 RFP No.29

Issue Date: 07-August-2017

Deadline for Questions: 11-August-2017

Deadline for Karandaaz Pakistan Responses: 18-August-2017

Deadline for submission for proposals: 28-August-2017





Request for Proposal




07-August-2017, Islamabad


  1. The purpose of this RFP is to solicit bids from companies interested in providing API Management platform, implementation and support services. The RFP is designed to assess whether organizations are able to provide the services required, and through a competitive and fair assessment, select a winning vendor for a year-long goods and services contract.
  2. Karandaaz Pakistan invites sealed proposals from interested and eligible organizations. More details on the Services required are provided in the Terms of Reference (Section 4 of RFP).
  3. The company will be selected under open competitive procedures, in accordance with the procurement policies and procedures of Karandaaz Pakistan.
  4. The full RFP is available at karandaaz.com.pk.
  5. Both financial and technical proposals must be submitted before 17:00 Pakistan Standard Time on 28th August, 2017. Offerors must prepare four hard copies of the technical proposal and one hard copy of the cost proposals, and submit in separate sealed envelopes to the attention of ‘The Procurement Department’ 1-E, Ali Plaza, D Chowk, Mezzanine Floor, Nazimuddin Road, Blue Area, Islamabad.




Yours sincerely,

The Procurement Department

Karandaaz Pakistan



  1. General
  • Scope of Proposal

Karandaaz Pakistan issues this Request for Proposal (RFP) for the following Product & services:

“API Management platform, implementation and support services”


Throughout this RFP:

  1. The term “in writing” means communicated in written form (e.g., by mail, e-mail, fax)
  2. “Day” means calendar day


  • Fraud and Corruption

Firms shall comply with Karandaaz Pakistan’s policy regarding fraud and corruption given in Section 3 of the RFP.


  • Eligibility

Karandaaz Pakistan may specify certain minimum qualification criteria in the Terms of Reference e.g. minimum years of relevant experience.

The firm has an obligation to disclose to Karandaaz Pakistan any situation of actual or potential conflict that impacts its capacity to serve Karandaaz Pakistan’s best interests. Failure to disclose such situations may lead to the disqualification of the firm or the termination of its Contract. Karandaaz Pakistan’s policy with regard to conflict of interest is given in Section 3 of the RFP.

Firms shall provide such evidence of their continued eligibility satisfactory to Karandaaz Pakistan, upon request.


  • One Proposal Per Firm

Each firm shall submit only one proposal, either individually or as a partner in a joint venture. A firm that submits or participates in more than one proposal shall cause all the proposals with the firm’s participation to be disqualified. However, this does not limit the participation of subcontractors and individual experts in more than one proposal.


  • Cost of Preparation of Proposal

The firm shall bear all costs associated with the preparation and submission of its proposal. Karandaaz Pakistan shall not be responsible or liable for those costs, regardless of the conduct or outcome of the bidding process.






  1. Request for Proposal
  • Contents of the RFP

The RFP includes the documents listed below and any Addendum issued pursuant to point 8 of this section ‘Amendment of RFP’.

Section 1 – Letter of Invitation

Section 2 – Instructions to firms

Section 3 – Procurement Policy – vendor conduct

Section 4 – Terms of Reference

Annexure A – Proposal Submission Form


  • Clarification of RFP

All questions and/or clarifications regarding this RFP must be submitted via email to Procurement@karandaaz.com.pk no later than 5:00PM local time on August 11, 2017. All correspondence and/or inquiries regarding this solicitation must reference the RFP number. No phone calls or in-person inquiries will be entertained; all questions and inquiries must be in writing.


Questions and requests for clarification—and the responses thereto—will be circulated to all RFP recipients who have indicated an interest in bidding by 5:00PM on August 18, 2017.


Only the written answers will be considered official and carry weight in the RFP process and subsequent evaluation. Any verbal information received from a Karandaaz employee or other entity should not be considered as an official response to any questions regarding this RFP.


  • Amendment of RFP

At any time prior to the deadline for submission of bids, Karandaaz Pakistan may amend the RFP by issuing an Addendum.

Any Addendum issued shall be part of the RFP and will be communicated via the Karandaaz Pakistan website. Firms are advised to monitor the site for updates.

To give prospective firms reasonable time in which to take an Addendum into account in preparing their bids, Karandaaz Pakistan may, at its discretion, extend the deadline for the submission of bids, pursuant to point 17 ‘Deadline for Submission of Proposals’ of this section.



  1. Preparation and Submission of Proposals


  • Language of proposal

All documents relating to the proposal shall be written in the English language.


  • Documents Comprising the Proposal

The documents and the required information mentioned below must be provided with the respective technical and financial proposals.



| Sr. No | Required Documents | Checkbox |
|---|---|---|
| 1 | Name, address, website, and contact information | |
| 2 | Number and location of all offices (local and international) | |
| 3 | Year of incorporation or registration, and details of registration | |
| 4 | Tax registration number (if applicable) | |
| 5 | Letter of participation for Request for Proposal | |
| 6 | Client References | |
| 7 | Brief of completed and on-going projects (local and international) | |
| 8 | Organogram of Project Team – List of staff with brief bios | |
| 9 | Management Team – List of staff with brief bios | |
| 10 | Audited Financial Statement of last three years | |
| 11 | Technical Proposal | |
| 12 | Filled Compliance Matrix | |
| 13 | Any other document attached, please specify | |








  • Currencies of Bid and Payment

Firms may express the price only in PKR.


  • Proposal Validity

Proposals shall remain valid for ninety (90) days after the proposal submission deadline date established by Karandaaz Pakistan. A proposal valid for a shorter period shall be rejected as non-responsive.


In exceptional circumstances, prior to the expiration of the proposal validity period, Karandaaz Pakistan may request all firms who submitted their proposals to extend the period of validity of their proposal for a specified additional period. The request and the responses shall be made in writing. If the firm agrees to extend the validity of its proposal, it shall be done without any change in the original proposal and with the confirmation of the availability of the key experts. The firm has the right to refuse to extend the validity of its proposal in which case such proposal will not be further evaluated.


If any of the Key Experts become unavailable for the extended validity period, the firm shall provide adequate written justification and evidence satisfactory to the Client together with the substitution request. In such case, a replacement Key Expert shall have equal or better qualifications and experience than those of the originally proposed Key Expert. The technical evaluation score, however, will remain based on the evaluation of the CV of the original Key Expert.


If the firm fails to provide a replacement Key Expert with equal or better qualifications, or if the provided reasons for the replacement or justification are unacceptable to the Client, such Proposal will be rejected.


  • Proposal Security

In this procurement, a proposal security is not required.


  • Alternative Proposals

Alternative proposals shall not be considered.


  • Format, Signing, and Submission of Proposals

The firm shall prepare and email a scanned copy of the documents comprising the Proposal as described in point 10 on official company letterhead. Each document shall be signed by a person duly authorized to sign on behalf of the firm. All pages of the proposal shall be initialled by the person or persons signing the proposal.


Both financial and technical proposals must be submitted before 12:00 noon Pakistan Standard Time on August 28, 2017. Offerors must prepare four hard copies of the technical proposal and one hard copy of the cost proposals, and submit in separate sealed envelopes to the attention of ‘The Procurement Department’ 1-E, Ali Plaza, D Chowk, Mezzanine Floor, Nazimuddin Road, Blue Area, Islamabad.

The proposal should also be sent to the following email address: procurement@karandaaz.com.pk with the subject line: Responding to RFP for “API Management platform, implementation and support services”.


The Proposal shall contain no alterations or additions, except those to comply with instructions issued by Karandaaz Pakistan, or as necessary to correct errors made by the firm, in which case such corrections shall be initialled by the person or persons signing the Proposal.


  • Deadline for Submission of Proposals

Proposals must be received by Karandaaz Pakistan no later than 17:00 HRS Pakistan Standard Time on August 28, 2017.


Karandaaz Pakistan may extend the deadline for submission of proposals by issuing an amendment in accordance with point 8 ‘Amendment of RFP’, in which case all rights and obligations of Karandaaz Pakistan and the firms previously subject to the original deadline shall then be subject to the new deadline.


  • Late Proposals

Any Proposal received late by Karandaaz Pakistan will be considered only at the discretion of the evaluation team.


  • Withdrawal, Substitution, and Modification of Proposals

Firms may withdraw, substitute or modify their proposals by giving notice in writing before the deadline for submission of proposals prescribed in point 16 ‘Deadline for Submission of Proposal’ of this section.


Each firm’s withdrawal, substitution or modification notice shall be prepared, sealed, marked, and delivered in accordance with point 15 ‘Format, Signing, and Submission of Proposals’, with the subject line as: Responding to RFP for “API Management platform, implementation and support services” - “WITHDRAWAL”, “SUBSTITUTION” or “MODIFICATION” as appropriate. No Proposal may be substituted or modified after the deadline for submission of proposals.


  1. Proposal Opening and Evaluation
  • Proposal Opening

Karandaaz Pakistan shall open the proposals, including modifications made pursuant to point 18, on the business day following the deadline, as per point 16.


  • Confidentiality

Information relating to the examination, evaluation, comparison, and post-qualification of proposals, and recommendation of contract award, shall not be disclosed to firms or any other persons not officially concerned with such process until publication of the contract award. Any effort by a firm to influence Karandaaz Pakistan in the examination, evaluation, comparison, and post-qualification of the Proposals or contract award decisions may result in the rejection of its Bid. Notwithstanding the above, from the time of proposal opening to the time of contract award, if any firm wishes to contact Karandaaz Pakistan on any matter related to the bidding process, it should do so in writing at the address indicated in point 7 ‘Clarification of RFP’.


  • Clarification of Bids

To assist in the examination, evaluation, and comparison of proposals, Karandaaz Pakistan may, at its discretion, ask any firm for clarification of the firm’s proposal. The request for clarification and the response shall be in writing, but no change in the price or substance of the proposal shall be sought, offered, or permitted except as required to confirm the correction of arithmetic errors discovered by Karandaaz Pakistan in the evaluation of the proposals in accordance with point 25 ‘Correction of Errors’.


  • Preliminary Examination of Proposals

Prior to the detailed evaluation of proposals, Karandaaz Pakistan shall first review each Proposal and check the power of attorney or any other form demonstrating that the representative has been duly authorized to sign the proposal, the initialling of all pages, etc.


  • Determination of Firm’s Eligibility and Qualifications

Then Karandaaz Pakistan shall determine whether the firm meets the eligibility and qualification requirements of the bidding documents. Firms failing to comply with the eligibility criteria indicated in point 3 ‘Eligibility’ shall be disqualified.


Further, Karandaaz Pakistan shall determine whether the proposal is substantially responsive to the requirements of the bidding documents.


Karandaaz Pakistan’s determination of a proposal’s responsiveness is to be based on the contents of the proposal itself. A substantially responsive proposal is one which conforms to all the terms, conditions, and specifications of the RFP, without material deviation or reservation. A material deviation or reservation is one (a) which affects in any substantial way the scope, quality, or performance of the service; (b) which limits in any substantial way, inconsistent with the RFP, Karandaaz Pakistan’s rights or firm’s obligations under the contract; or (c) whose rectification would affect unfairly the competitive position of other firms presenting substantially responsive Proposals.


  • Evaluation of Technical Proposal

The procurement model that will be used is the “Two Stage – Two Envelope bidding procedure”. The bid shall comprise two separate envelopes – Technical and Financial. In Stage One, only the Technical Proposal shall be opened and reviewed. The review feedback will be provided to the applicants in order to explain expected requirements, and based on the feedback each bidder will be allowed to submit revised Technical and Financial proposals for Stage Two. In Stage Two, the revised Technical proposal shall be opened, reviewed and evaluated. Once the Technical evaluations are finalized, the ranking will be shared with Procurement for Quality Based Selection. Procurement will open the financial proposal of the highest technically ranked bidder.



Technical Proposal



The technical proposal will be evaluated on the following criteria:


  • Experience and Clientele
  • Qualification and Experience of team
  • Scope of Work
  • Audited Financial Statements of last three years.


  • Correction of Errors

Proposals determined to be substantially responsive shall be checked by Karandaaz Pakistan for any arithmetic errors. Errors shall be corrected by Karandaaz Pakistan as follows:


Where there is a discrepancy between the amounts in figures and in words, the amount in words shall govern.


The amount stated in the proposal shall be adjusted by Karandaaz Pakistan in accordance with the above procedure for the correction of errors and, with the concurrence of the firm, shall be considered as binding upon the firm. If the firm does not accept the corrected amount, the proposal shall be rejected.


  • Currency for Price Evaluation

For evaluation and comparison purposes, Karandaaz Pakistan shall convert all proposal prices expressed in US Dollars into an equivalent amount in PKR, using the selling exchange rates established by the State Bank of Pakistan on the date of proposal opening specified in point 19 ‘Proposal Opening’.



  1. Award of Contract
  • Award Criteria

Subject to 31 below, Karandaaz Pakistan shall award the contract to the firm whose proposal has been determined to be substantially responsive to the RFP and which has the highest technical score, provided that such firm has been determined to be eligible in accordance with point 3.


  • Karandaaz Pakistan’s right to accept any proposal and to reject any or all proposals

Notwithstanding point 28 above, Karandaaz Pakistan reserves the right to accept or reject any proposal, and to cancel the bidding process and reject all bids, at any time prior to the award of contract, without thereby incurring any liability to the affected firm or firms or any obligation to inform the affected firm or firms of the grounds for Karandaaz Pakistan’s action.


  • Notification of Award and Signing of Agreement

The firm whose Proposal has been accepted shall be notified of the award by Karandaaz Pakistan prior to expiration of the proposal validity period in writing. This letter (hereinafter and in the contract called the “Letter of Acceptance”) shall state the sum that Karandaaz Pakistan shall pay the contractor in consideration of the services as prescribed by the contract.


The Agreement shall incorporate all agreements between Karandaaz Pakistan and the successful firm. It shall be signed by Karandaaz Pakistan and sent to the successful firm, within seven (7) days following the Letter of Acceptance’s date. Within seven (7) days of receipt, the successful firm shall sign the Form of Agreement and deliver it to Karandaaz Pakistan.


Karandaaz Pakistan will also promptly notify each unsuccessful firm in writing. After publication of the award, unsuccessful firms may request in writing that Karandaaz Pakistan explain the grounds on which their Proposals were not selected. Also, Karandaaz Pakistan shall entertain a complaint from any firm that claims to have suffered, or that may suffer, loss or injury due to a breach of a duty by the company in the conduct of this bidding process. Such requests shall be addressed and delivered in writing to:


Karandaaz Pakistan

Attention: Chief Executive Officer

Re: “API Management platform, implementation and support services.”

1 E, Ali Plaza, Nazimuddin Road, D-Chowk, Islamabad


Any requests via email seeking this explanation will not be answered.


  • Corrupt or fraudulent practices

Bidders, suppliers, contractors and their agents (whether declared or not), sub-contractors, sub-consultants, firms or suppliers, and any personnel thereof, shall observe the highest standard of ethics during the procurement and execution of contracts.


Karandaaz Pakistan shall not award a contract if it is determined that the bidder, or any of its personnel, or its agents, or its sub-consultants, sub-contractors, firms, suppliers and/or their employees, has, directly or indirectly, engaged in corrupt, fraudulent, collusive, coercive, or obstructive practices in competing for the contract in question. As part of bidding/solicitation documents, Karandaaz Pakistan will seek a declaration of ‘Non collusive non corrupt practices’ from each bidder. The format for such declaration is prescribed in section 3 of the standard bidding document. In pursuance of this policy, the following terms are defined:


  1. “Corrupt practice” is the offering, giving, receiving, or soliciting, directly or indirectly, of anything of value to influence improperly the actions of another party;
  2. “Fraudulent practice” is any act or omission, including a misrepresentation, that knowingly or recklessly misleads, or attempts to mislead, a party to obtain a financial or other benefit or to avoid an obligation;
  3. “Collusive practice” is an arrangement between two or more parties designed to achieve an improper purpose, including to influence improperly the actions of another party;
  4. “Coercive practice” is impairing or harming, or threatening to impair or harm, directly or indirectly, any party or the property of the party to influence improperly the actions of a party;
  5. “Obstructive practice” is deliberately destroying, falsifying, altering, or concealing of evidence material to the investigation or making false statements to investigators in order to materially impede investigation into allegations of a corrupt, fraudulent, coercive or collusive practice; and/or threatening, harassing or intimidating any party to prevent it from disclosing its knowledge of matters relevant to the investigation or from pursuing the investigation.


  • Avoidance of conflict of interest

Any firm participating in the procurement process should disclose any actual or perceived conflict of interest situation/condition. Any firm found to have a conflict of interest shall be ineligible for award of a contract.


A firm shall be considered to have a conflict of interest in a procurement process if:

  1. Such firm is providing goods, works, or non-consulting services resulting from or directly related to consulting services for the preparation or implementation of a project that it provided or were provided by any affiliate that directly or indirectly controls, is controlled by, or is under common control with that firm; or
  2. Such firm submits more than one bid, either individually or as a joint venture partner in another bid, except for permitted alternative bids. This will result in the disqualification of all bids in which the bidder is involved. However, this does not limit the inclusion of a firm as a sub-contractor in more than one bid. Only for certain types of procurement, the participation of a bidder as a sub-contractor in another bid may be permitted subject to the company’s no objection and as allowed by the standard bidding documents applicable to such types of procurement; or
  3. Such firm (including its personnel) has a close business or family relationship with a professional staff of the company who: (i) are directly or indirectly involved in the preparation of the bidding documents or specifications of the contract, and/or the bid evaluation process of such contract; or (ii) would be involved in the implementation or supervision of such contract unless the conflict stemming from such relationship has been resolved in a manner acceptable to the company throughout the procurement process and execution of the contract; or
  4. Such firm does not comply with any other conflict of interest situation as specified in the standard bidding documents relevant to the specific procurement process.


  • Duty of care

The supplier in performance of services for Karandaaz Pakistan shall exercise duty of care. Duty of care holds the supplier responsible for the safety and well-being of its personnel and any third party affected by its activities.





Thematic Area:

Project Title: API Management platform, implementation and support services

Expected Start Date: September, 2017

End Date: June 2018

Task Manager: Director DFS


About Karandaaz Pakistan

KARANDAAZ PAKISTAN, a private company established in August 2014, promotes access to finance for small businesses through a commercially directed investment platform, and financial inclusion for individuals by employing technology enabled digital solutions. The Company has financial and institutional support from leading international development finance institutions; principally the United Kingdom Department for International Development (UKAid) and the Bill & Melinda Gates Foundation. The Consultative Group to Assist the Poor (CGAP), a member of the World Bank Group, provides technical support to Karandaaz Pakistan.


Karandaaz Pakistan has three core work streams:

  • Corporate Investment and Credit (CIC) focuses on providing credit and capital to high impact small and medium-size businesses, and business models that have potential to generate sustainable employment and offer attractive risk-adjusted financial returns.
  • Digital Financial Services (DFS) focuses on expanding the poor’s access to digital financial services in Pakistan by working across the ecosystem of local actors – policy-makers, regulators, government departments, businesses, researchers and academics. The DFS Unit facilitates digitization of government and other payment streams, encourages experimentation with businesses, and provides support to innovative DFS start-ups.
  • Knowledge Management and Communications focuses on developing and communicating credible data to inform the core themes of the Company, including DFS innovation, women’s empowerment and youth employment.

This work will fall under the Digital Financial Services department.


About the Project

The transaction volume of Person to Government (P2G) and Government to Person (G2P) payments that goes through the banking system collectively amounts to approximately PKR 4.4 trillion. These payments are collected and disbursed on a cash basis. The split is roughly PKR 2.8 trillion and PKR 1.6 trillion per year for P2G and G2P, respectively. The management costs of collecting and disbursing this vast volume of payments manually and in cash place a large financial burden on the national exchequer. The current system offers little information/visibility on transaction and branch working and hence impedes effective decision-making while creating accountability gaps and lost efficiencies.

As part of its digitization effort, Karandaaz Pakistan is supporting the implementation of an API Management platform with a partner bank. An API Management platform enables an enterprise to create, publish, analyse and manage APIs for external consumers in a secure and scalable environment. This would empower the partner bank to expose its internal backend services for consumption by government institutions and Digital Financial Services operators.

For the partner bank it is a significant opportunity to improve public service delivery by digitizing a range of government payment flows, including social welfare transfers and government payments. There is substantial evidence that digitizing government payments reduces delivery costs, connects citizens to digital financial systems, cuts leakages at each step in the payment process, improves transparency and reduces the risk of payments being delivered to ghost (i.e. fake) recipients. Moreover, the intervention holds immense potential for increasing digital financial inclusion for the unbanked by working with the largest publicly owned commercial bank.


Target Audience

The effort is to facilitate existing bank customers and also provide an opportunity to the unbanked population to access financial services through digital channels. Government payments and collections provide a huge opportunity for the bank to provide access to financial services to the unbanked population.


Scope of Work

Provision of Software Licenses of API management platform

  • API Management Platform Software Licenses
  • API Management Platform Annual Software Support

Implementation Services

  1. High level objectives:

Following are the main objectives for the client’s API Management solution:

  1. Implementation of API Gateway using existing backend system services of client for five business Use Cases
    1. API Proxies Management
    2. API Lifecycle Management
    3. API Platform Installation
    4. User Requirements Analysis & Design
    5. Integrations between multiple systems
    6. Quota Management of sessions for external systems
    7. APIs Throttling control
    8. API Security
    9. API Analytics and Reporting
    10. API Monitoring
    11. Support for multiple Data formats and protocols


  1. API Gateway Architecture Deployment & Configurations
    1. Developer and Partner On-boarding via API Portal
    2. Multiple Deployments support
    3. Flexible and scalable architecture
    4. Support seamless platform upgrades
    5. Data backup and restore
    6. Capacity planning
    7. Platform Monitoring Capabilities
    8. Performance Testing


  1. Platform Security
    1. Out of the box implementation of API security
    2. Should meet the robust security standards of the industry
    3. End-to-end 1-way and mutual SSL/TLS support


  1. Operations and Maintenance

The Supplier is expected to provide Operations and Maintenance post Go-Live support. The terms of support services are as under:

  1. Software Service Level Agreement
    1. The Supplier will agree upon an SLA with concise definitions of the various categories and priorities of incidents
  2. Roles and Responsibilities
    1. A Split of Responsibilities (SoR) is to be established between the Client and Supplier clearly specifying the roles that will be Responsible, Accountable, Consulted, and/or Informed
  3. Supplier’s Support Organization
    1. The Supplier should share the support organizational chart that will take effect once the project implementation is concluded
  4. Tiered Escalation Matrix for Operations and Maintenance
  5. On-site Support for Level One and Level Two Operations and Maintenance
    1. The Supplier should provide on-site support along with training dissemination to the client’s staff for Level One and Level Two Operations and Maintenance
  6. Incident and Problem Reporting
  7. Root Cause Analysis (RCA) Reporting
  8. Support Meetings at Client’s premises
    1. Weekly and Monthly meetings to be established after the project implementation phase
    2. Daily War Room sessions to be established in case of system and/or service unavailability due to Priority 1 and/or Priority 2 incidents

  1. Project Management

  1. A baseline Project Implementation Plan (PIP)
  2. A PMO unit is required to manage the project’s implementation
  3. Managing the Project Implementation Plan (PIP), Timelines, and Milestones
  4. Weekly and Monthly progress meetings to be established during the project implementation phase
  5. During the project implementation phase, the Supplier should ensure the presence of dedicated on-site personnel
  6. Tiered Escalation Matrix for Project Implementation Phase
  7. Acceptance Criteria for the Provisional Acceptance Certificate (PAC) and Final Acceptance Certificate (FAC)

  1. Process Management

The Supplier is expected to share and implement the documented processes for the following:

  1. Service Level Management and Reporting
  2. Business Continuity Management and Disaster Recovery
  3. Backup and Restoration Management
  4. Capacity Management
  5. Incident Management
  6. Configuration Management
  7. Change Management
  8. Release Management
  9. Report and Job Scheduling
  10. Log Management

  1. Training and Development

  1. Training Workshops for the resources of the Client
  2. Capacity Development over a period of 6 months post Go-Live for Level One and Level Two Operations and Maintenance support teams of the Client
  3. Capacity Development over a period of 6 months post Go-Live for the in-house development teams of the Client to manage any new developments and CRs
  4. Product Manuals and Technical Specification Documentation
  5. User Guides
  6. Training Videos

  1. Change Management and Release Management

  1. Change Management process for any new developments (other than initial five Use Cases) post Go-Live requested by the Client
  2. Change Management process for any new developments (other than initial five Use Cases) post Go-Live proposed by the Supplier
  3. Change request categories
  4. Deliverables of Change Management process
  5. Release Management process for the upgrade of the core product

  1. Detailed Functional Deliverables of API Gateway Platform

API Platform Installation

  1. End to end installation of API Management platform. Vendor to provide deployment topology and hardware specifications

User Requirements Analysis & Design

  1. Technical & functional requirement gathering workshop
  2. Security requirement workshop
  3. Interface & integration requirement workshop
  4. Infrastructure requirement study


API Gateway

  1. Development of five business Use Cases
  2. Application of standard and agreed security measures
  3. Quota and Traffic management of APIs
  4. API Packages definition and exposure


Developer and Partner On-boarding via API Portal

  1. Customer/Partner registration and on-boarding workflow for both test and production environments
  2. Data Loading and Data Migration of KYC details for both individual customers and partners
  3. Developer registration as a configurable control
  4. Developer support forums/discussion boards
  5. Developer dashboard
  6. Creation of custom fields to capture more information including attachments at time of developer registration or transition to production (e.g. for extra KYC purposes)
  7. Support for specifying an on-boarding fee using provided payment solution
  8. API Explorer & Online testing facility
  9. API key distribution
  10. Suspend and/or revoke API keys
  11. Associate an API key with a developer’s application
  12. Generate an API certificate or token (in addition to an API key)



Compliance Matrix


FC: Fully Compliant means that platform fully meets the requirement out of the box

PC: Partially Compliant means that some customization would be required to meet the requirement

NC: Non-Compliant means that this requirement cannot be met by the platform


 S.No Requirement Compliance Supplier Response
1 Does the proposed platform support SaaS, customer-managed, and hybrid deployments?
2 Does the on-premises deployment operate correctly without making any external or outbound calls?
3 Does the platform use the same code base for On Premises and Cloud deployment?
4 Does the platform architecture support multi-tenancy?
5 Does the platform allow multiple teams to work independently with runtime isolation?
6 Does the platform support a multi-region, multi-data centre deployment to ensure the highest level of availability and distribution?
7 Does the platform support continuous integration and deployment practices?
8 Explain how the platform supports flexible scaling and describe what is needed to provision additional capacity per API / per team / per region / per organization.
9 Does the platform provide a centralized UI for multiple data centre deployments or do we need to manage them independently?
10 Does the platform support zero downtime patching and updates?
API Gateway
S.No Requirement Compliance Supplier Response
1 Does the platform support different standards for API design and documentation?
2 Does the platform support API mock-ups?
3 Is it possible for a company to enforce behaviour for all APIs exposed by the system?
4 Does the platform support existing back-end SOAP services?
5 Does the platform support automated deployment of assets for the development lifecycle?
6 Does the platform have the ability to reference existing assets such as encryption libraries, schema validation tools, data validation libraries, etc.?
7 Does the platform offer threat detection against fraudulent data injections at API level?
8 Does the platform offer protection from traffic spikes?
9 Are API quotas available in the platform? If yes, please describe the quota policies.
10 Can quotas be synchronized across multi-region deployments?
11 Does the platform support publishing existing services in various formats – for example SOAP, REST (JSON, XML, and other), JMS, OData – as APIs?
12 Does the product support API virtualization and mashups?
13 Please describe the platform's ability to enhance API functionality through both configuration and code.
14 Does the platform support the following functions out of the box at API level:
  • Traffic Throttling
  • Payload transformation
  • API level security
15 Are the following transformations supported by the platform





16 Does the platform support proxy compression?
17 Do the platform proxies support HTTP & HTTPS?
18 Can the platform be connected to a JMS-based system?
19 Are streaming connections supported?
20 Does the platform offer built-in debugging tools
21 Can the debugging tool show a “before” and “after” of each policy during replay? Also can the debugging be performed in an off-line mode to minimize any overhead to the runtime API traffic?
22 Does the platform support versioning? Please explain.
23 Does the platform store the policies and system configurations in standard XML and published schemes?
24 Does the platform support caching?
25 In addition to an expiration, can the cache be manipulated programmatically?
26 Does the platform support a multi-level cache model?
27 Does the platform support payload information based caching? Is this available through built-in policies?
28 Does the proxy have rate limiting, quotas, and spike arrests?
29 Can API mediation behaviour change dynamically based upon factors such as user credentials, location, device type, or even external factors, or combinations of all of these?
30 Does the proxy support dynamic routing (orchestration—or intelligent routing to a second system based upon the response from a first system)?
31 What out-of-the-box backend services for APIs for common application functionalities such as user management, data storage & synchronization, messaging and locations are available in the platform?
32 Does the platform support identity integration with popular social networks and Internet services and if so, which ones?
33 Does the platform allow the storing and querying of arbitrary schema-less JSON data?
34 Can data be tagged and queried by location?
35 Does the platform support storage of binary objects such as files and images?
36 Does the platform provide user management and social relationship functionality for building personalized applications?
37 Are push notifications for various mobile platforms supported?
38 Can the core functionalities of the platform be customized? If yes, to what extent?
39 Does the platform support extensions using common languages like Java, Python, or JavaScript?
40 Does the platform have the ability to host and run unmodified Node.js applications in order to implement custom APIs without the need for a separate application server?
41 Does the platform have wizards to generate APIs from OpenAPI (formerly Swagger), SOAP services, and other backend services?
42 What are the standard governance features available in the product?
43 How does the product support API Lifecycle governance?
44 Can your product publish APIs for external and internal consumers? How are these managed independently?
45 How do you manage API visibility and restrict access to consumers? Is this configuration in the platform or built as part of the APIs enablement?
47 Does the platform support the ability for an API to call another API out of the box, without incurring network penalties?
API Analytics
S.No Requirement Compliance Supplier Response
1 Are analytical reports available out of the box?
2 Does the UI allow for drill down on each of the charts?
3 Does the tool provide a wizard for creating custom reports?
4 Are there maps for detailing geo-location of API calls?
5 Are the analytics collected asynchronously (so as not to impede runtime traffic)?
6 Do the analytics data, once collected, provide an API for easy access and export?
7 Can the solution be used to provide business level visibility?
8 What level of operational visibility can the solution provide based on API traffic flowing through the system?
9 What tools are available out of the box to do various kinds of trend analysis and inspection of anomalies?
10 Can reports be created on-demand?
11 What metrics and dimensions are supported by the tool?
12 Do you provide service performance monitoring, reporting, and analysis?
13 If payload data is captured, can this data be used for reporting?
14 What are the exception management reporting capabilities?
15 Does your product provide end-to-end visibility and trending performance statistics?
16 Does your solution support billing based on a period of time and/or aggregate transactions for each developer/application?
17 Solution must provide performance management data with counters per application type and per API message type.
18 What level of reporting is available to the developer? (call latency, SLA compliance, other metrics)
19 Does the product provide easy-to-use custom reporting capabilities over multiple dimensions and filters?
20 Does your product provide the ability to report using the payload of the messages?
21 Does your product provide the ability to easily integrate with other systems, for instance through API calls?
22 Does your product provide flexibility to extend the functionality and implement attribute specific runtime enforcements for API?
23 Does the platform allow billing and developer data to be integrated with existing systems via APIs?
24 Does the platform capture payload data to create custom metrics for reports?
API Security
S.No Requirement Compliance Supplier Response
1 Does the platform support single sign on?
2 Which industry standard security certifications are available for the platform?
3 Does the platform use open standards for delegation of authentication capabilities?
4 What mechanisms are used for API security?
5 Does the Platform support OAuth? If yes then which versions are supported?
6 Does the platform support Active Directory and LDAP?
7 Does the platform support secure channels and secure payloads?
8 Do the platform proxies provide support for CORS?
9 Does the platform offer protection against XML or JSON attacks?
10 Does the platform offer security features as self-service via configuration?
11 Does the platform offer role based access control?
12 Is your public cloud offering PCI DSS certified? If so, what versions are certified?
13 Is your public cloud offering HIPAA compliant?
14 Can the product be extended to support custom/proprietary implementations?
15 Does the platform allow APIs to be secured at API level?
Developer Portal
S.No Requirement Compliance Supplier Response
1 Please describe how the platform facilitates on-boarding.
2 Are interactive documentations available for the API consumer?
3 Does each developer (or team) get their own personalized metrics?
4 Is the registration form customizable?
5 Does the platform allow the customer to customize, skin and modify the portal without the help of the vendor?
6 Does the portal leverage standard CMS technologies to ensure easy to find skill sets and pre-existing modules?
7 Can the developer keys be suspended or revoked using the platform?
8 Does the platform allow enterprises to let their partners manage their own pool of developers and allow access to the enterprise’s APIs?
9 Does the platform allow monetization? If yes, what revenue models are supported?
10 Does the platform offer configurable pricing models?
11 Does the platform support integration with third party payment systems?



Ownership/Control of Work and Product/Publication  

The ownership of all copyright and other intellectual property rights in respect of any data compilations, research, spreadsheets, graphs, reports, diagrams, designs, work products, software, or any other documents, developed in connection with this Contract will exclusively vest in and remain with Karandaaz which shall have all proprietary rights therein, notwithstanding that the Contractor or its employees may be the author of the intellectual property. All documents relating to the intellectual property or otherwise connected with this Contract, the services, or duties must be returned or delivered to Karandaaz at the time of the expiration or termination of this Contract. The Contractor agrees not to publish or make use of any of the intellectual property, or documents relating thereto, without the prior written approval of Karandaaz, and where approval is granted, without proper attribution to Karandaaz.


Task Manager/Reporting

Reporting Line: Director DFS

Location: Islamabad

Duration: up to 12 months (6 months implementation / 6 months Post implementation Services)

Project: API Management platform, implementation and support services



Karandaaz will pay the Contractor’s invoice within thirty (30) business days after a) Karandaaz’ approval of the Contractor’s Deliverables, or b) Karandaaz’ receipt of the Contractor’s invoice, whichever is later. Payment will be made in PKR or USD, as agreed, to the account specified in the Contractor’s invoice.





Dear Sir/Madam,


Having examined the Solicitation Documents, the receipt of which is hereby duly acknowledged, “THE FIRM NAME” undersigned, offer to provide consulting for “INSERT REFERENCE NUMBER” to Karandaaz Pakistan in accordance with the Price Schedule attached herewith and made part of this proposal. “THE FIRM NAME” undertake, if our proposal is accepted, to commence and complete delivery of all services specified in the contract within the time frame stipulated.


“THE FIRM NAME” agree to abide by this proposal for a period of 90 days from date fixed for opening of proposal in the invitation for proposal, and it shall remain binding upon us and may be accepted at any time before the expiration of that period.


We understand that you are not bound to accept any proposal you may receive.


Dated: this——day of ——-2015





Name, Designation and Signature of the “firm Representative”
