Makkah Chamber Website & Digital Identity - Technical Proposal
Envelope 1 of 2 (Technical). This file is the technical proposal per RFP Section 10 (two-envelope submission). All pricing lives in the matching Financial Proposal file in this folder. The two envelopes share the same scope, timeline and team commitments; only the cost figures are separated to honour the RFP's procurement format.
- Submitted to: Makkah Chamber of Commerce & Industry
- Attn: Procurement Committee
- Submitted by: Riseup Asia LLC
- Email: info@riseup-asia.com
- Company profile: https://docs.rasia.pro/presentation-v1-9x
- Date: June 2026
- Valid for: 60 days from submission
Introduction
The Makkah Chamber needs a modern bilingual website that reflects its institutional identity, governs its content, and gives the business community a fast, reliable digital front door.
This technical proposal responds to the Chamber's June 2026 RFP. Where the RFP is clear, we confirm delivery. Where a single work stream (AI Agent build, NCA-accredited penetration test, Odoo 12 integration, 1,000-article migration) carries a true market cost that is multiples of the published budget, we say so plainly and propose a scoped, honest delivery so the Chamber receives a finished, governed product rather than a half-built one. The corresponding figures sit in the Financial Proposal envelope.
Project Objectives
| # | Objective | Our Approach |
|---|---|---|
| 1 | Sustainable digital and institutional transformation | Custom WordPress site reflecting Chamber identity - see Section 3.1, 3.2 |
| 2 | Automating and governing customer service | Bilingual FAQ + structured contact routing - see Section 3.5; full AI Agent scoped as future phase |
| 3 | Supporting decision-making and committee development | Structured complaint/ticket intake routed by sector - see Section 3.5 |
| 4 | Content and design governance | Chamber Design System + editorial workflow with Roles & Permissions - see Section 3.1, 3.2 |
| 5 | Bilingual Arabic + English with full RTL | Unicode + RTL day one via WPML or Polylang Pro (Chamber-purchased) |
| 6 | Saudi data-protection compliance (SDAIA) | SSL/TLS, reCAPTCHA, OTP 2FA, password hashing - see Section 3.6 |
Scope of Work
Each subsection below mirrors the matching stream of the Chamber's RFP. Tables hold the mechanical checklist. Where a single RFP line implies a much larger build, the load-bearing decisions (AI Agent, penetration test, Odoo integration, migration volume, SLA) are pulled into short prose paragraphs labelled Scope boundary so they are not buried inside a checklist row.
3.1 Institutional Positioning, Content & Design System (Stream 1)
| Requirement | Our approach |
|---|---|
| Refine website key messages | One positioning workshop + key-message document (AR/EN) |
| Organise content to reflect institutional role | Sitemap and page-by-page content brief |
| Translate positioning into page structure | Wireframes for the 20 main pages |
| AR/EN content consistency | Bilingual content checklist; Chamber supplies final Arabic copy |
| Reusable visual component library | Figma component library (buttons, cards, forms, navigation, RTL variants) |
| Official visual style guide | Colours, typography, icons, buttons, spacing - one PDF style guide |
Scope boundary - brand creation vs. brand application. We apply and systemise the Chamber's existing brand into a working Design System. A ground-up rebrand (logo redesign, new typography licensing, full identity book) is a separate creative engagement and is not included in the committed budget.
3.2 Structural Website Development & WordPress CMS Governance (Stream 2)
| Requirement | Our approach |
|---|---|
| WordPress 6.x+, PHP 8.1+, MySQL 8+ | Custom theme; Gutenberg blocks + Elementor Pro for editors |
| 20 main pages + blog | Built per the RFP page-structure table |
| Roles & Permissions (writer, reviewer, approver, publisher) | PublishPress Capabilities + approval workflow plugin |
| SSO restricted to Chamber staff emails | Google Workspace SSO via miniOrange or equivalent |
| AR + EN with full RTL | WPML or Polylang Pro; verified RTL across all templates |
| Security and daily backups | Wordfence + UpdraftPlus (daily off-site backup) |
Scope boundary - the 5 additional pages. The RFP allows for 5 pages beyond the 20. These are included as templated page slots; bespoke design for each additional page is billed on the rate-card in the Financial Proposal.
3.3 Quantified Content Migration (Stream 3)
| Requirement | Our approach |
|---|---|
| Migrate 20 main institutional pages | Manual, bilingual, structured |
| Migrate historical news items / articles | Up to 200 articles included; see Scope boundary below |
| Media files, images, PDFs | Optimised, compressed, re-linked |
| Editorial workshops | One joint workshop with Chamber departments |
| Pre-launch validation | Content Migration & Auditing Map (spreadsheet) |
| 301 redirects map | Automated; all old URLs preserved |
Scope boundary - migration volume. The RFP quotes "500 to 1,000 historical news items". A manually audited bilingual migration of 1,000 articles is a multi-week editorial engagement on its own. We include up to 200 articles in the committed budget. Migration beyond 200 articles is billed on the rate-card in the Financial Proposal; we will quote a fixed price for the remaining volume during discovery.
3.4 Odoo 12 Integration - Events Display Only (Stream 4)
| Requirement | Our approach |
|---|---|
| One-way data ingestion from Odoo 12 | WordPress reads agenda/events via Chamber-supplied API endpoint |
| Display only; no write-back to Odoo | Strictly read-only; no modification of Odoo code or plugins |
| Manual fallback events panel | Admins can add or edit events independent of Odoo |
| Notifications via Chamber SMTP | Connected to Chamber's existing mail server |
Scope boundary - Odoo endpoint readiness. This stream assumes the Chamber delivers stable, documented Odoo 12 API endpoints (authentication, schema, sample payload) before development of this stream begins. If endpoints are not ready by Phase 2, the Odoo stream is deferred and the manual events panel ships first; Odoo wiring is then billed on the rate-card.
3.5 AI Agent (Stream 5) - Phased
| # | Item | Delivery in Phase 1 (this budget) | Future phase |
|---|---|---|---|
| 1 | Knowledge base | Structured bilingual FAQ page (up to 50 Q&A pairs) feeding the site search | Full 200-pair governed knowledge base |
| 2 | Conversational interface | Contact / complaint form with sector-routing (auto-classifies to the right committee) | Live LLM-backed AI Agent (Gemini or equivalent) |
| 3 | Human Handoff | Form submissions are emailed to the assigned committee with full context | Automated in-chat escalation to a human agent |
| 4 | Continuous learning | Manual: resolved tickets are added to FAQ by Chamber staff | Automated: (Problem + Approved Solution) saved into the KB on close |
| 5 | LLM hosting / tokens | n/a in Phase 1 | Chamber bears token costs on its own GCP/Vertex account (see Financial Proposal Table 2, line 12) |
Scope boundary - the full AI Agent is a separate engagement. A production AI Agent (LLM integration, governance log, automated handoff, continuous learning loop, comparable case-study delivery) is a six-figure SAR engineering programme on its own. Phase 1 delivers the governance scaffolding (structured FAQ, sector-routed intake, ticket trail) that the future AI Agent will sit on top of, so the foundation is correct from day one. We would welcome the chance to quote the full AI Agent as a dedicated Phase 2 engagement.
3.5.1 Phase 1 Solution Architecture
The diagram below shows what we build inside the committed budget and where the Phase 2 LLM AI Agent plugs in later without rework.

Flow. A bilingual visitor lands on the WordPress site and either (a) self-serves from the structured FAQ (up to 50 Q&A pairs, sector-tagged, search-indexed) or (b) submits the sector-routed contact form, which auto-classifies the enquiry to the correct Chamber committee. Every submission writes a row to the ticket trail (database) and emails the assigned committee inbox with full context. Chamber staff resolve and, on close, the (Problem + Approved Solution) pair is added back to the FAQ. This is the same data shape a Phase 2 LLM AI Agent needs - intent, sector, resolution - so the Phase 1 trail becomes Phase 2's training and retrieval corpus.
Phase 2 plug-in point. The dashed orange box (LLM AI Agent on Google Vertex / Gemini) attaches to the WordPress site at the same surface as the contact form. No schema migration, no re-platforming: the agent reads the FAQ + ticket trail as its knowledge base, hands off to the same committee inboxes on low confidence, and writes resolutions back to the same store. Token and inference costs sit on the Chamber's own GCP/Vertex account (Financial Proposal Table 2, line 12), so cost ownership is clean from day one.
3.5.2 Comparable Experience and Phase 2 Delivery Partner
We are explicit about what we have shipped versus what Phase 2 requires. The RFP asks for case studies of comparable AI Agent deployments; in good faith, we list only what is true:
| # | Comparable to | What we have actually delivered | Phase 1 / Phase 2 |
|---|---|---|---|
| 1 | Structured bilingual knowledge base with sector routing | CAF Patronato Fondi (Italy) - member-services site with multi-section information architecture and bilingual public-facing content (closest structural analogue to a Chamber). | Phase 1 - directly applicable |
| 2 | Governed editorial workflow + ticket trail | KI Training & Assessing (Australia) - enrolment enquiry routing with auditable trail to the responsible staff. | Phase 1 - directly applicable |
| 3 | Production LLM AI Agent on a governmental member-services site | No comparable engagement delivered to date. We will not fabricate one. | Phase 2 - delivered with a named LLM partner (Google Vertex AI / Gemini) and an AI integration specialist contracted and disclosed to the Chamber at Phase 2 contract signature. |
Honesty clause. Any vendor claiming Chamber-grade AI Agent case studies inside this budget tier is overstating. Our Phase 1 commitment is the governance scaffolding above; our Phase 2 commitment is to bring a named, accountable AI integration partner to the table with full disclosure of credentials before the Chamber signs the Phase 2 engagement.
3.6 Technical, Security & Quality (Section 5 of the RFP)
| Requirement | Our approach |
|---|---|
| Page load under 2 seconds | Caching (WP Rocket), image optimisation, CDN; Core Web Vitals reported at handover |
| 100% mobile browsing compatibility | Latest iPhone, iPad, Samsung S-series + 1280/1440/1920 desktop breakpoints |
| SSL/TLS encryption | HTTPS by default, auto-renewing certificate, HSTS enabled |
| reCAPTCHA on sensitive pages | Google reCAPTCHA v3 on all forms |
| Two-factor OTP authentication | WP 2FA plugin; email/TOTP OTP for admin accounts |
| SDAIA personal-data compliance | Technical controls (encryption, consent capture, data minimisation); legal interpretation remains the Chamber's counsel's responsibility |
Scope boundary - performance realism. A blank page scores 100/100 on PageSpeed and is useless; we tune speed against real content and engagement, not a fixed score. Exhaustive cross-device QA on older or non-flagship handsets is a paid add-on if analytics show meaningful traffic.
3.7 Penetration Testing (Stream 6) - Out of Budget
Scope boundary - NCA-accredited pentest cannot fit in the committed budget. The RFP mandates a Black-box & Gray-box penetration test executed by an external consulting firm accredited by the National Cybersecurity Authority (NCA), with the vendor bearing all financial cost. A single NCA-accredited pentest engagement in the KSA market is itself typically multiples of the committed budget. We cannot in good faith promise this stream inside the build budget. Two honest options (figures in the Financial Proposal):
- The Chamber procures the NCA-accredited pentest directly and we remediate findings under warranty at no extra cost.
- We quote the pentest as a ring-fenced additional line at the actual market price of the accredited firm, billed at cost with no markup.
We will not silently drop this stream and we will not pretend to absorb its cost.
3.8 Support, Maintenance & Warranty (Stream 7)
| Requirement | Our approach |
|---|---|
| 30-day stabilisation period | Free; emergent defects fixed immediately post-launch |
| 12-month warranty | Free; covers performance integrity and codebase bugs |
| SLA in warranty year | Critical: 4 h response, business hours; Medium: 24 h; Low: 48 h. 24/7 critical-incident cover requires a paid SLA - priced in the Financial Proposal. |
| Year-2 maintenance | Separate annual contract; priced in the Financial Proposal |
Scope boundary - 24/7 SLA realism. Genuine 24/7 critical-incident cover with a 4-hour resolution (not response) target requires a rostered on-call team. That is a paid, ongoing SLA, not a free warranty inclusion. The free warranty year covers business-hours response on the schedule above; 24/7 cover is the Year-2 paid SLA in the Financial Proposal.
Deliverables
| # | Deliverable | Handed over |
|---|---|---|
| 1 | Custom WordPress website (20 pages + blog) | Live bilingual Chamber site covering the streams above |
| 2 | Design System Document | Figma component library + PDF visual style guide |
| 3 | CMS Governance & Editorial Workflow Document | Permissions matrix, approval paths, bilingual content plan |
| 4 | Content Migration Document & Matrix | Audit report, 301 redirects map, pre-launch verification |
| 5 | AI Agent Phase-1 Architecture Document | FAQ structure, sector-routing schema, future-phase integration plan |
| 6 | Source Code | Custom Theme + plugins, no encryption, IP transfers to Chamber |
| 7 | Training and documentation | 6-hour remote training + coloured Arabic PDF manual with screenshots |
Stack. We're building this on WordPress + Elementor Pro because it is the only stack where the committed budget delivers a custom bilingual theme, governed editorial workflow, and a usable no-code admin for Chamber staff.
Portfolio
Lead engineer Md Alim Ul Karim brings 15 years of US/EU engineering experience, including systems serving 10M+ daily requests across four continents.
Credentials
- B.Sc. in Computer Science & Engineering, North South University (NSU), Dhaka - Bangladesh's leading private university, ranked in the QS World University Rankings top 900 globally. Graduated in the top 13% of the CSE department.
- Crossover for Work - hired and later promoted at Crossover, which selects from the top 1% of global engineering talent through a multi-stage technical screen.
- Prior senior engineering work for US and EU companies including Crossover and Validata, on systems handling 10M+ daily requests across four continents.
Sample Projects
| Project | Sector | Description | Site |
|---|---|---|---|
| Dr Arefin | Healthcare / personal brand | Consultant doctor's clinic site with appointment-request flow and patient information. | drarefin.com |
| Atto Bond Cleaning | Local services, Australia | Bond and steam cleaning company serving Melbourne-area suburbs. | attobondcleaning.store |
| Developers Organism | B2B staffing & SEO, US | B2B agency site for an engineering-staffing and SEO firm. | developers-organism.com |
| CAF Patronato Fondi | Non-profit / public assistance, Italy | Member-services organisation with multi-section information architecture and bilingual public-facing content - closest structural analogue to a Chamber site. | cafpatronatofondi.com |
| KI Training & Assessing | Education, Australia | Registered training organisation with course catalogue and enrolment enquiries. | kita.edu.au |
| SR Style | Lifestyle / editorial, Bangladesh | Multi-category editorial publication with structured content architecture. | srstyle.com |
Delivery Timeline
| Phase | Month | Outcome |
|---|---|---|
| Discovery, positioning, sitemap, Design System | 1 | Key-message document, sitemap, Figma component library, style guide |
| Core build (custom theme, 20 pages, AR/EN, RTL) | 2 | All page templates live in staging; CMS roles configured |
| Migration, Odoo events, FAQ scaffolding, security | 3 | Up to 200 articles migrated, events feed wired, FAQ live, 2FA + reCAPTCHA |
| QA, training, UAT, launch | 4 | Core Web Vitals report, 6-hour training, Arabic PDF manual, go-live |
Pricing (Section 9 BoQ Table 1 + Table 2, payment terms, rate-card) is in the companion Financial Proposal envelope.
Terms & Conditions
| RFP term | Our response |
|---|---|
| Two-envelope submission (technical separate from financial) | Agreed. This file is the technical envelope; the matching financial envelope ships in the same folder. |
| IP ownership (code, design, content, theme, plugins) | Agreed. Source code transfers to the Chamber on final payment, no encryption, no withholding. |
| Source delivery without encryption | Agreed. |
| Saudi data-protection (SDAIA) compliance | Agreed for technical controls. Legal interpretation remains the Chamber's counsel's responsibility. |
| 30-day stabilisation + 12-month warranty | Agreed. |
| SLA in warranty year | Agreed for business-hours response on the schedule in Section 3.8. 24/7 critical cover with a 4-hour resolution target is a paid Year-2 SLA, priced in the Financial Proposal. |
| Pentest by NCA-accredited firm, vendor bears cost | Respectfully not agreed as written within the committed budget. See Section 3.7 for two honest options. |
| Subcontracting disclosure | Agreed. None planned; if needed, the Chamber approves first. |
| Proposal validity & non-selection | Agreed. Valid 60 days; submission does not guarantee award. |
| Rejection of any/all proposals without reasons | Respectfully not agreed as written. See reasoning below for a fair replacement clause. |
Reasoning - on the rejection / cancellation clause.
Tenders commonly reserve the issuer's right to "reject any or all proposals without providing reasons" and, by extension, to cancel an agreement at any time. As a delivery partner committing senior engineering hours, plugin licences, and a fixed price well below market, Riseup Asia cannot accept an open-ended right of cancellation or silent rejection. A construction firm, a law firm, or a hospital supplier would say the same: once work has started against a signed scope, both sides need predictability. We therefore propose the following replacement clause:
"The Chamber reserves the right to reject any or all proposals at the selection stage; reasons for rejection will be communicated to the bidder in writing within a reasonable period. Once an agreement is signed, either party may terminate only for documented cause (non-performance, breach, or insolvency), with written notice and payment for work completed up to the termination date."
This keeps the Chamber's discretion fully intact at the selection stage, keeps the process fair and professional, and protects both sides during delivery.
Before We Start
A short list of decisions we need from the Chamber so Phase 1 can begin cleanly:
- Brand assets. Final Arabic + English logo files, official colour codes, and licensed typography (or approval to substitute open-source equivalents).
- Odoo 12 endpoints. Confirmation of when stable, documented API endpoints for agenda/events will be ready - this gates Stream 4.
- Migration volume confirmation. Final article count to migrate; anything above 200 is quoted on the rate-card.
- Pentest path. Which of the two options in Section 3.7 the Chamber prefers (procure directly, or have us quote the accredited firm at cost).
- SSO source of truth. Confirmation that Chamber staff emails are on Google Workspace (or Microsoft 365 - changes the SSO plugin choice).
- Hosting environment. Whether the Chamber provides hosting (preferred) or wishes us to bundle a managed host as a separate line.