1. Introduction

The purpose of this document is to define the practices used in the operation and management of the ComprasPT electronic public procurement platform.
2. Declaration of Practices

2.1 The principles described in the legislation in force are respected. These are:

• Non-discrimination, free access, interoperability, compatibility, confidentiality, integrity, non-repudiation, availability and security, as well as other related principles.

2.2 The rules and legal provisions introduced by the CCP (Public Contracts Code) and the applicable ancillary legislation are scrupulously complied with.

2.3 All the technical and support conditions necessary for the operation of the electronic formalities relating to public procurement procedures of any of the procurement instruments or procedures defined by the CCP (Public Procurement Code) are guaranteed.

2.4 The platform does not intervene as an autonomous entity in the public procurement procedure.

2.5 Interconnection is ensured, both in technical terms and in terms of compliance with the synchronisation rules necessary for transferring the required data, with:

• Public Contracts Portal;
• Electronic Diário da República portal, through a protocol with Imprensa Nacional-Casa da Moeda, S. A. (INCM).

2.6 The entire user interface is available in Portuguese at www.compraspt.com. In addition, it is possible to access and visualise the content of the electronic platform in English, where the following information is provided:

• Technical support contacts;
• Technical requirements;
• Problem-solving guides (frequently asked questions, technical requirements, alerts, etc.).

2.7 The platform provides activity reports when requested by the Contracting Authority.

2.8 All the information that makes up the proposals, applications or solutions is encrypted before being uploaded to the platform.

2.9 The rules for coding are complied with in accordance with the legislation in force.

2.10. Tenders are encrypted automatically by the electronic platform:

• The electronic platform provides the interested party with a computer application that allows them to encrypt and affix an electronic signature to the files of a tender, locally, on their own computer, when uploading;
• When the interested party uploads a tender file to the electronic platform, it will already be encrypted and signed using a qualified electronic signature.

2.11. Notifications are sent automatically:

• Directly via an area specifically created for this purpose on the electronic platform;
• Via e-mail. ComprasPT will not be held responsible for the non-receipt of notifications sent via external e-mail.

2.12. Strong authentication of users is guaranteed through Qualified Digital Certificates, or authentication through the use of a Digital Certificate, thus complying with the principles of the legislation currently in force:

• All access to the platform is carried out using a digital certificate;
• Authentication certificates issued by ComprasPT, Multicert, DigitalSign, GTS – Global Trusted Sign, CEGER and Cartão do Cidadão are recognised. In addition, and subject to validation, any other that appears on the list of the National Accreditation Authority (Autoridade Nacional de Segurança): “List of Trusted List information as notified by Member States”;
• The mechanism for validating user certificates is based on the certificate in question and the respective certification chain.

2.13. The electronic signature is guaranteed, thus complying with the requirements established in the legislation in force:

• All documents are submitted on the electronic platform using qualified electronic signature certificates (digital certificates issued by a certifying body of the State Electronic Certification System);
• Details of digital signatures can be consulted directly on the ComprasPT platform. Mechanisms are also available to check the integrity and validity of digital signatures in real time;
• All documents uploaded to the electronic platform and all communications are digitally signed.

2.14. Chronological validation is guaranteed, thus complying with the requirements established in the legislation in force:

• A timestamp is affixed to all transactions subject to deadlines in order to guarantee the date of their realisation. Details of the time stamps issued can be consulted directly on the ComprasPT platform. Mechanisms are also available to check the integrity and validity of the time stamps issued in real time;
• Under the terms of paragraph 5 of Order 10563/2014, the acceptance of chronological validation certificates originating from entities registered with the TSL of the National Security Agency is publicised on the central website www.compraspt.com and on the electronic platform when they are used.

2.15. Encryption and decryption are guaranteed, thus complying with the requirements established in current legislation:

• All the information that makes up the proposals, applications or solutions is encrypted directly on the Economic Operator’s computer the moment before this information is uploaded to the ComprasPT platform;
• Documents uploaded to the platforms are encrypted using asymmetric cryptography based on the use of key exchange;
  Interested parties encrypt their documents with the public key of the certificate referred to in the previous paragraph.

2.16. All accesses, as well as all transactions carried out by users of the platform, are recorded in an audit file. Audit files are digitally signed and time-stamped to guarantee their authenticity, integrity and date of creation. These audit files are also intended for the digital preservation provided for in the legislation in force, and as such can be used in any litigation situation at the service of the Economic Operators, as well as the Contracting Authorities.

2.17. The platform provides technologies that enable technical and compliance audits to be carried out.

2.18. The platform appoints a security auditor who is accredited by the National Security Office to carry out their work.

2.19. The security auditor referred to in the previous paragraph draws up a compliance document attesting to the compliance of the electronic platform with the rules of this Ordinance. The compliance document includes a description of the functions and identification of the technical human resources profiles that operate the platforms, a detailed technical description of the electronic platform’s systems and architectures and a security report attesting to the platform’s compliance.

2.20. For the purposes of maintaining the platform in operation, the safety auditor draws up an annual safety report, which must be sent to the supervisory body by 31 March of each calendar year.

2.21. In the event of termination or cancellation of the contract for the provision of electronic platform services, the managing body of the ComprasPT platform guarantees the delivery of information. All elements relating to public procurement procedures, whether already concluded or in progress, as well as all audit files, are transferred to the respective Awarding Organisation(s) for safekeeping purposes, ensuring the conditions for accessing and reading the documents and other information.

2.22. With regard to archiving and digital preservation, the platform ensures the procedures currently in force and is available to implement new practices that may be determined by the competent authorities.

2.23. The audit files are organised and compiled on a daily basis, digitally signed with a time stamp to guarantee their authenticity, integrity and date of creation. These files guarantee the digital preservation required by current legislation.