Request for Proposals: Penetration Testing Consultancy for the Tiko Platform At Tiko

1. Introduction/background of Tiko

Tiko Africa is an organisation that uses its digital platform called Tiko to motivate users – primarily young women and adolescent girls – to make positive choices. We use nudges like reminders, discounts, in person and digital follow-ups, and reward points to encourage our users to access and use healthy products and services. We also support them in becoming entrepreneurs and adding value to their economies. Tiko Africa’s reward points can be used to redeem products and services at local shops, or as subsidies to cover the cost of sexual and reproductive health (SRH) services, removing the cost to access for the users, who are primarily 15-24 year old adolescent girls and young women (AGYW).

Tiko Africa has operations in the following countries either by having offices or by working through local partners in Kenya, Uganda, Ethiopia, Burkina Faso and South Africa.

Tiko Africa is sourcing consulting services from a recognised company to perform penetration testing on our systems. The report generated from the test results should identify system flaws and highlight the steps that need to be taken to address them. The consultancy will advise on the penetration testing methodology, process and phases, which should be included in the proposal.

2. Scope of work

The scope of the penetration test will include a comprehensive assessment of the Tiko platform:

  • Testing of an Android mobile application and respective APIs.
  • Testing of web-based configuration interface and respective APIs.
  • Evaluation of backend services, databases, and server infrastructure.
  • Exclusion of physical security assessments or social engineering attacks.
  • Testing to be conducted on staging environments to minimise impact on production systems.

The penetration testing should follow a combination of automated scanning tools and manual testing procedures. Testing methodologies will align with OWASP standards, focusing on common vulnerabilities such as injection flaws, authentication bypass, and insecure data storage.

Bidders should clearly state any assumptions used in preparing their technical and financial proposals and identify any additional information required from Tiko Africa to finalise the testing approach. Detailed technical information that may present a security risk will be shared only with the selected supplier, or with shortlisted bidders where necessary and subject to appropriate confidentiality arrangements.

3. Deliverables

The following to be presented in a report:

1. Comprehensive vulnerability assessment report

2. Executive summary highlighting critical findings and recommendations

3. Technical report detailing identified vulnerabilities, severity levels, and remediation steps

4. Summary of unsuccessful and successful penetration testing methods used.

5. Post-engagement support for addressing queries or concerns relating to the findings and remediation recommendations for an agreed period following submission of the final report.

6. Retesting of remediated critical and high-severity vulnerabilities and provision of a final retest/closure report.

4. Evaluation criteria

Proposals will be evaluated based on the bidder’s experience, skills and ability; technical approach and execution plan; financial quotation; and references, in accordance with the criteria and weightings below.

  • Proposals should make clear about the relevant skills, experience and capacity of the participant, in respect of this particular RFP.
  • Proposals must contain the details of the proposed approach to be adopted in order to deliver the service in accordance with the RFP.
  • Proposals should clearly indicate whether or not bid participants have the capacity to meet the requirements of the RFP.
  • Proposal should clearly indicate compliance with the appropriate data protection, privacy, legal, social, tax and ethical issues applicable to the country

1. Experience, Skills and Ability — 30

  • Past experience in similar work of this nature.
  • Team member experience (accompanied by brief CV’s).
  • Ability of the bidder to fulfil Tiko Africa’s requirements.

2. Technical Approach and Execution Plan — 40

  • Proposals must contain the details of the proposed approach to be adopted in order to deliver the service in accordance with the RFP.

3. Financial quotation — 15

  • Proposals should include a detailed cost breakdown of proposed budget.

4. References — 15

  • Did the bidder submit at least three relevant and contactable clients that were serviced in the past 36 months.

Totals — 100

How to apply

5. Submission of quotation timeline and mode

Firms and individuals are invited to submit proposals for this engagement. Proposals should include the contents below and not exceed a maximum length of 15 pages, excluding annexures (budget and summary profiles of proposed personnel).

  • Cover page: Summary with basic information such as names, address, contact information, proposed budget, etc.
  • Capacity statement: A brief capacity statement as to why your firm and the team you are proposing is well positioned to undertake the engagement
  • Qualification to the scope of work: Any qualifications that you may have regarding the scope of work
  • Proposed approach: Your proposed approach to delivering on the scope of work requirements
  • Proposed personnel: The qualifications and experience of the proposed personnel.
  • Work plan: proposed work plan with tasks, responsible person/s and timeline
  • Budget: Total budget envelope required to deliver the work (in Euro), and line-item breakdown of direct costs and overheads
  • References: at least 3 similar engagements undertaken in the past 3 years, including relevant and contactable client references.

Clarification questions

Any questions or requests for clarification regarding this RFP should be submitted by email to bidding@tiko.org by end of day 13 July 2026. Tiko Africa will consolidate and respond to clarification questions by 16 July 2026.

To ensure a fair and transparent procurement process, bidders should direct all questions relating to this RFP through the email address above.

Submission of proposals

Applicants are requested to submit their technical and financial proposals by email to bidding@tiko.org by end of day 21 July 2026. The email subject line should clearly reference: RFP – Penetration Testing Consultancy 2026.

Financial proposals should be submitted in EUR and should clearly state whether quoted amounts are inclusive or exclusive of applicable taxes. Bidders should clearly identify all assumptions on which their financial proposal is based.

Late or incomplete submissions may not be considered