
SaaS Eligibility for Government Projects: Criteria and Compliance

India Law | By G R Hari, Verified Advocate

Quick Answer

> One line summary: Understanding the eligibility criteria for SaaS providers to participate in government tenders and projects in India.

What are the basic eligibility criteria for a SaaS company to bid for government projects in India?

A SaaS company must be a legally registered entity in India, typically as a Private Limited Company, Limited Liability Partnership, or Public Limited Company, to be eligible for most government projects. The company must also have a valid Goods and Services Tax (GST) registration and a Permanent Account Number (PAN). Beyond these foundational requirements, the government often mandates a minimum number of years of operational experience, usually three to five years, and a proven track record of delivering similar software solutions.

The specific eligibility criteria are outlined in each Request for Proposal (RFP) or tender document issued by the procuring authority, such as a central ministry, state government department, or public sector undertaking (PSU). These documents will specify the required turnover, past project experience, and technical qualifications. For example, a tender for a cloud-based HR management system for a state government may require the bidder to have implemented a similar system for at least two other government entities or large private organizations.

Additionally, the company must comply with the General Financial Rules (GFR) 2017 and the Manual for Procurement of Goods, 2017, issued by the Department of Expenditure. These rules govern the procurement process for all central government entities. For state-level projects, the respective state's procurement rules will apply. It is crucial to read the tender document carefully, as non-compliance with any stated eligibility criterion can lead to immediate disqualification.

What specific compliance requirements does MeitY mandate for SaaS providers?

The Ministry of Electronics and Information Technology (MeitY) has issued several key policies and guidelines that directly impact SaaS providers bidding for government projects. The most critical is the MeitY Policy on Adoption of Open Source Software for Government of India, which encourages the use of open source software. However, for proprietary SaaS solutions, the provider must demonstrate that their software is secure, interoperable, and compliant with government standards.

The Indian Computer Emergency Response Team (CERT-In) directions under the Information Technology Act, 2000, are mandatory. SaaS providers must ensure their services are auditable and can report cybersecurity incidents to CERT-In within the stipulated timeframe. Furthermore, the National Cyber Security Policy, 2013 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 require the implementation of reasonable security practices, such as ISO 27001 certification, to protect government data.

Another critical compliance is the Data Localisation requirement. The government has increasingly mandated that all data generated by government projects must be stored within India. SaaS providers must have data centres located in India or a clear plan to ensure data residency. The Digital Personal Data Protection Act, 2023 (DPDP Act) will further tighten these requirements once its rules are fully notified. Providers must also comply with the National Informatics Centre (NIC) guidelines for cloud services, which often require specific security certifications and audit trails.

How does the government evaluate the security and data privacy of a SaaS solution?

The government evaluates security and data privacy through a multi-layered process, starting with the submission of a Security Compliance Checklist as part of the tender response. This checklist typically covers areas like access control, encryption (both at rest and in transit), vulnerability management, incident response, and data backup. The procuring authority may also require the SaaS provider to undergo a Vulnerability Assessment and Penetration Testing (VAPT) by an empanelled auditor.

A key requirement is ISO 27001:2013 (or the latest version) certification for the Information Security Management System (ISMS). This certification demonstrates that the provider has a systematic approach to managing sensitive information. Additionally, the SOC 2 Type II report is often requested, which provides assurance over the service organization's controls related to security, availability, processing integrity, confidentiality, and privacy.

The government also scrutinises the Data Processing Agreement (DPA) and the Service Level Agreement (SLA). The DPA must clearly define data ownership, processing purposes, data retention, and deletion policies. The SLA must guarantee uptime, performance, and support. The provider must also demonstrate compliance with the IT Act, 2000 and the upcoming DPDP Act, 2023, particularly regarding consent management, data breach notification, and the rights of data principals (citizens). Any failure to meet these security and privacy standards can result in the bid being rejected.

What are the financial and technical qualification criteria typically required?

Financially, the government typically requires a minimum average annual turnover from software services over the last three financial years. This threshold varies by project value but is often set at 1.5 to 2 times the estimated project cost. For example, for a project worth ₹5 crore, the bidder may need a minimum average turnover of ₹7.5 crore. The bidder must also submit audited balance sheets and profit and loss statements for the last three years. A positive net worth is almost always a mandatory requirement.

Technically, the bidder must demonstrate experience in delivering similar projects. This is usually measured by the number of projects of a certain value completed in the last five to seven years. For instance, the tender may require the bidder to have completed at least two projects of a similar nature, each with a value of at least 50% of the current project's estimated cost. The bidder must provide Project Completion Certificates from the clients for these projects.

The technical evaluation also includes the qualifications and experience of the proposed project team. The government will assess the CVs of the Project Manager, Technical Lead, and other key personnel. Certifications like PMP (Project Management Professional), AWS/Azure/GCP Certified Architect, and Certified Information Systems Security Professional (CISSP) can add significant weight. The bidder must also submit a detailed Project Implementation Plan and a Quality Assurance Plan as part of the technical proposal.

What are the common pitfalls that disqualify SaaS providers from government tenders?

One of the most common pitfalls is incomplete or incorrect documentation. Government tenders are highly procedural, and any missing document, such as a notarised affidavit, a valid GST registration certificate, or a Power of Attorney, can lead to immediate disqualification. It is crucial to create a checklist from the tender document and ensure every required document is submitted in the specified format.

Another major pitfall is non-compliance with the tender's specific technical requirements. Many SaaS providers try to offer a generic solution that does not fully meet the detailed functional requirements outlined in the RFP. The government's evaluation committee will strictly check each functional requirement. If the proposed solution fails to meet even a few critical requirements, it may be rejected. It is better to submit a "No Deviation" or "Partial Deviation" statement clearly, rather than claiming compliance where it does not exist.

Pricing errors are also a frequent cause of disqualification. The tender may require a specific pricing format (e.g., per user per month, lump sum, or milestone-based). Any arithmetic error, incorrect GST calculation, or failure to include all applicable taxes and duties can invalidate the bid. Finally, failure to meet the experience or turnover criteria is a hard stop. Bidders often overestimate their past project value or try to use experience from a different domain. The evaluation committee will verify all claims against the submitted certificates and audited financials.

What You Should Do Next

If you are a SaaS provider looking to enter the government market, start by thoroughly reviewing the MeitY guidelines and the General Financial Rules (GFR) 2017. Then, identify a specific tender that matches your solution's capabilities and carefully prepare your bid, ensuring all documentation is complete and compliant. For complex tenders or if you are unsure about any compliance requirement, consult a qualified legal or procurement professional who specialises in government contracts.


This page provides preliminary information. It is not legal advice. For your matter, consult a qualified professional.
