Are you preparing an RFP (Request for Proposal) for a website or a consultation for a digital platform in Morocco? This specifications template guides you to write a complete and structured document, adapted to public sector, banking, e-commerce, or institutional requirements.
Public sector: This template is perfectly suited for tenders published on marchespublics.gov.ma (Moroccan Public Procurement Portal), ensuring compliance with public specifications requirements.
This template covers:
- Detailed technical specifications
- Security requirements (OWASP, CNDP)
- Architecture (Drupal, Next.js, headless)
- Performance and accessibility (WCAG)
- Sovereign hosting in Morocco
- Evaluation criteria
- Agile phasing and deliverables
- Bank Al-Maghrib, ACAPS compliance
With 200+ digital projects in Morocco, VOID shares its proven methodology to structure your consultations and obtain quality technical proposals from candidate agencies.
1. Project Context
1.1. Organization presentation
Briefly present your organization, sector of activity, and strategic objectives.
- Name and legal status
- Sector: Public, banking, insurance, e-commerce, health...
- Size: Number of employees, national/international presence
- Strategic objectives: Digital transformation, new services, compliance...
1.2. Project objectives
Define precisely what you want to achieve with this new platform.
- Functional objectives: Information portal, online services, e-commerce, connected space...
- Strategic objectives: Improve user experience, automate processes, reduce costs
- Quantified KPIs: -30% processing time, +50% online conversions, 95% satisfaction...
1.3. Target audiences
Identify main user segments and their specific needs.
- General public: Citizens, consumers, varied digital skills
- Professionals: Partners, suppliers, advanced specific needs
- Internal: Employees, administrators, high security requirements
2. Architecture and Technology
VOID Recommendation
Favor a headless architecture (Drupal + Next.js) for demanding institutional projects. It guarantees performance, security, and scalability over 5-10 years.
Learn more: VOID Drupal Expertise · React/Next.js Expertise
2.1. Recommended Technology Stack
| Component | Technology | Justification |
|---|---|---|
| CMS / Back-office | Drupal 10+ | Robustness, enterprise security, native multilingual |
| Frontend | Next.js 15 (React) | SSR/SSG, performance, optimal SEO |
| Database | MySQL 8+ | Reliability, banking compliance, performance |
| API | JSON:API / GraphQL | API-First, interoperability |
| Hosting | Docker + VDC Morocco (inwi/nplusone) | Data sovereignty, CNDP compliance |
2.2. Mandatory Technical Requirements
- API-First architecture with front/back separation
- Server-side rendering (SSR) for SEO
- Compliance with W3C standards
- WCAG 2.1 Level AA compliance (accessibility)
- Code versioned on Git with branches (dev, staging, prod)
- Docker containerization for portability
- Separate environments (Dev, Testing, Pre-production, Production)
2.3. Certification and Expertise
Requirement: The service provider must demonstrate confirmed expertise in Drupal, ideally with Acquia certification or contributions to the Drupal community.
Discover: Drupal Services in Morocco · Vactory Solution (Drupal + Next.js)
3. Functional Requirements
3.1. Multilingualism
Multilingual requirements:
- Support for [FR / AR / EN] depending on context
- Multilingual administration interface
- Content management by language (translation / creation)
- Automatic language detection (geolocation + browser)
- Adapted URLs: /fr/, /ar/, /en/
- RTL (Right-to-Left) for Arabic with CSS adjustments
- Correct hreflang tags for international SEO
3.2. Navigation and Ergonomics
Main Navigation
- Main menu with sub-menus (max 2 levels)
- Mega menu for complex structures
- Responsive mobile menu (hamburger)
- Breadcrumbs on all pages
- Permanent "Home" button
Search
- Intelligent search engine
- Real-time auto-completion
- Multilingual search
- Filters by content type
- Related search suggestions
3.3. Forms
| Form | Fields | Security |
|---|---|---|
| Contact | Name, Email, Phone, Subject, Message | Captcha, server-side validation |
| Newsletter | Email, GDPR Consent | Double opt-in, unsubscribe |
| Complaint | Specific form + attachments | Secure upload, file type validation |
| Recruitment | CV, Cover letter, Information | Antivirus scan, 5MB limit |
Critical Requirement
All forms must include an invisible captcha (reCAPTCHA v3 or hCaptcha), strict server-side validation, and compliance with GDPR/Law 09-08 consent requirements.
Learn more: GDPR and Compliance in Morocco
4. Design and User Experience
4.1. Graphic Proposal
The service provider must propose at least 2 design directions, including:
- Homepage: Complete desktop + mobile version
- Standard page: Typical content page
- Variations: 3 languages (FR, AR, EN)
- Format: Interactive mockups (Figma / Adobe XD)
4.2. Design System
A complete Design System must be delivered, including:
Foundations
- Color palette
- Typography
- Grid & spacing
- Iconography
Components
- Buttons & links
- Forms
- Cards & blocks
- Navigation
Responsive
- Defined breakpoints
- Mobile behaviors
- Touch-friendly
- Multi-device testing
Read also: UX Design & Design Systems
4.3. Responsive Design
The website must be 100% responsive and optimized for:
- Desktop: 1920px, 1366px, 1024px
- Tablet: 768px (iPad portrait/landscape)
- Mobile: 375px, 414px (iPhone, Android)
- Testing on BrowserStack or equivalent
5. Information System Security
Absolute Priority
Security must be integrated from the design phase (Security by Design). All OWASP Top 10 vulnerabilities must be prevented.
Complete guide: Web Security, XSS & OWASP 2026
5.1. Authentication and Access
- Individual accounts: Generic accounts prohibited (admin, root)
- Strong passwords: Minimum 12 characters, forced complexity, 90-day expiration
- Two-factor authentication (2FA): Mandatory for back-office access (Google Authenticator, SMS)
- Principle of least privilege: Granular roles and permissions
- Session management: 15min inactivity timeout, invalidation on logout
5.2. Data Protection
Mandatory requirements:
- HTTPS/TLS 1.3 mandatory across entire site (SSL/EV certificate)
- HSTS (HTTP Strict Transport Security) enabled
- Bcrypt hashing for all passwords (minimum cost 12)
- At-rest encryption for sensitive database data
- No sensitive data in logs or URLs
- CSP (Content Security Policy) strict enforcement
- Secure cookies: HttpOnly, Secure, SameSite=Strict
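Added example, not from the VOID template: a small JavaScript checker that verifies whether an HTTP response meets the requirements above (HSTS, strict CSP, HttpOnly/Secure/SameSite=Strict cookies) and produces the same header set in the shape a Next.js `headers()` config expects. The header values, the `checkResponseSecurity` function and the two sample responses are assumptions for illustration.

```javascript
// Added example (not from the VOID template): verifies that an HTTP response
// meets the Section 5.2 requirements (HSTS, strict CSP, secure cookies) and
// builds the same header set in the shape Next.js `headers()` returns.
// Header values and the sample responses below are constructed for illustration.

// Headers the template requires (the CSP sources are a starting point to adapt).
const REQUIRED_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains; preload',
  'content-security-policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
};

// Entry for next.config.js `headers()` (assumes the Next.js frontend of Section 2.1).
function nextSecurityHeaders() {
  return [{
    source: '/(.*)',
    headers: Object.entries(REQUIRED_HEADERS).map(([key, value]) => ({ key, value })),
  }];
}

// Parse one Set-Cookie line into the cookie name and a lower-cased attribute map.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attributes = {};
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    attributes[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, attributes };
}

// Return a list of findings; an empty list means the response is compliant.
// `headers` is a plain object (keys compared case-insensitively) and
// `setCookies` holds the raw Set-Cookie lines of the same response.
function checkResponseSecurity(headers, setCookies = []) {
  const findings = [];
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );

  // HSTS must be present with at least a one-year max-age.
  const hsts = h['strict-transport-security'] || '';
  const maxAge = Number((hsts.match(/max-age=(\d+)/i) || [])[1] || 0);
  if (maxAge < 31536000) findings.push('HSTS missing or max-age below one year');

  // A CSP allowing unsafe-inline/unsafe-eval or a wildcard source is not "strict".
  const csp = h['content-security-policy'] || '';
  if (!csp) findings.push('CSP header missing');
  else if (/unsafe-inline|unsafe-eval|\*/.test(csp)) {
    findings.push('CSP is not strict (unsafe-* or wildcard source)');
  }

  // Every cookie must carry HttpOnly, Secure and SameSite=Strict.
  for (const line of setCookies) {
    const { name, attributes } = parseSetCookie(line);
    if (attributes.httponly !== true) findings.push(`cookie ${name} lacks HttpOnly`);
    if (attributes.secure !== true) findings.push(`cookie ${name} lacks Secure`);
    if (String(attributes.samesite).toLowerCase() !== 'strict') {
      findings.push(`cookie ${name} SameSite is not Strict`);
    }
  }
  return findings;
}

// Constructed samples: a misconfigured response and a compliant one.
const WEAK_RESPONSE = {
  headers: { 'Content-Type': 'text/html', 'Content-Security-Policy': "default-src * 'unsafe-inline'" },
  setCookies: ['SESSID=abc123; Path=/'],
};
const HARDENED_RESPONSE = {
  headers: { 'Content-Type': 'text/html', ...REQUIRED_HEADERS },
  setCookies: ['SESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict'],
};

console.log(checkResponseSecurity(WEAK_RESPONSE.headers, WEAK_RESPONSE.setCookies));
console.log(checkResponseSecurity(HARDENED_RESPONSE.headers, HARDENED_RESPONSE.setCookies));
```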
5.3. OWASP Top 10 - Prevention
| Vulnerability | Countermeasure |
|---|---|
| SQL Injection | ORM (Eloquent/Doctrine), prepared statements, strict validation |
| XSS (Cross-Site Scripting) | Automatic escaping (React), CSP headers, input validation |
| CSRF (Cross-Site Request Forgery) | CSRF tokens on all forms, SameSite cookies |
| Broken Authentication | 2FA, rate limiting connections, blocking after 5 attempts |
| Sensitive Data Exposure | TLS encryption, no plaintext data, log masking |
| XXE (XML External Entity) | Disable external XML entities, schema validation |
| Broken Access Control | Server-side authorization validation, least privilege principle |
| Security Misconfiguration | Server hardening, disable debug in prod, security headers |
| Vulnerable Components | Dependency scanning (Snyk), regular updates |
| Insufficient Logging | Complete logs, timestamped, secured, automatic alerts |
5.4. Secure Infrastructure
- WAF (Web Application Firewall): Cloudflare, AWS WAF or equivalent
- Anti-DDoS Protection: Rate limiting, IP blocking
- Network segmentation: Public DMZ, private backend network, isolated DB
- Back-office access: VPN + IP whitelisting + 2FA
- Environment separation: Dev / Testing / Preprod / Prod isolated
- Regular patching: Security updates within 48h
5.5. Regulatory Compliance
Law 09-08 (CNDP)
- CNDP declaration if personal data processing
- Explicit user consent
- Right to access, rectification, deletion
- Limited retention period
- Breach notification within 72h
GDPR (if applicable)
- Privacy by Design & Default
- Processing registry
- DPIA if high risk
- Data portability
- DPO if necessary
5.6. Security Audit
Mandatory requirement: The service provider must deliver a complete security audit report before production launch, including:
- Automated scanning (Acunetix, Netsparker, OWASP ZAP)
- Manual penetration testing (Burp Suite)
- Code review (static analysis)
- Load and resilience testing
- Report with vulnerability remediation plan
Methodology: Technical SEO Audit · Security Testing
6. Performance and Accessibility
6.1. Performance Objectives (Core Web Vitals)
Learn more: Core Web Vitals & Lighthouse Guide · Web Performance Optimization
| Metric | Target | Definition |
|---|---|---|
| LCP (Largest Contentful Paint) | < 2.5s | Loading time of largest visible element |
| FID (First Input Delay) | < 100ms | Response time to first interaction |
| CLS (Cumulative Layout Shift) | < 0.1 | Visual stability during loading |
| TTFB (Time to First Byte) | < 600ms | Initial server response time |
| Lighthouse Score | > 90/100 | Google overall performance score |
6.2. Mandatory Technical Optimizations
Frontend
- Automatic code splitting (Next.js)
- Lazy loading images and components
- Image optimization (WebP, AVIF, responsive)
- CSS/JS minification
- Tree shaking (dead code removal)
- Preload critical resources
- Service Worker (offline-first)
Backend
- Redis/Memcached cache
- Global CDN (Cloudflare, Fastly)
- Gzip/Brotli compression
- HTTP/2 or HTTP/3
- Database query optimization
- Drupal cache (BigPipe, Dynamic Page Cache)
- API rate limiting
6.3. Accessibility (WCAG 2.1 AA)
Mandatory Compliance
The website must comply with WCAG 2.1 Level AA criteria, with RGAA audit if public sector.
Resource: Web Accessibility in Morocco
- Compliant color contrasts (minimum 4.5:1 ratio)
- Complete keyboard navigation (Tab, Shift+Tab, Enter, Esc)
- Properly implemented ARIA attributes
- Text alternatives for images (alt)
- Semantic HTML5 structure (h1-h6, nav, main, footer...)
- Accessible forms (labels, explicit errors)
- Screen reader compatibility (NVDA, JAWS)
- Text zoom up to 200% without loss of functionality
6.4. Browser and Device Compatibility
Desktop
- Chrome (last 2 versions)
- Firefox (last 2 versions)
- Safari (last 2 versions)
- Edge (last 2 versions)
Mobile
- iOS Safari (last 2 versions)
- Android Chrome (last 2 versions)
- Samsung Internet
OS
- Windows 10/11
- macOS (last 3 versions)
- iOS 15+
- Android 11+
7. SEO and Analytics
7.1. SEO Fundamentals
Learn more: SEO Services in Morocco · Technical SEO Audit
- SEO-friendly URLs: Clear structure, keywords, no unnecessary parameters (good: /services/business-credit/; bad: /node/123?lang=en)
- Optimized meta tags: Title (50-60 chars), Description (150-160 chars), unique per page
- Consistent Hn structure: Single H1, respected H2-H6 hierarchy
- XML Sitemap: Automatic, multilingual, submitted to Google Search Console
- Robots.txt: Optimized, crawl budget managed
- Schema.org: Organization, Article, BreadcrumbList, FAQPage
- 301 Redirects: Old site migration without SEO loss
- Hreflang: Correct tags for international multilingual
7.2. Google Analytics 4
Complete GA4 implementation with:
- Page view tracking, custom events
- Conversion tracking (forms, downloads, CTA clicks)
- Cookie consent compliance (GDPR/Law 09-08)
- IP anonymization enabled
- Internal traffic filtering (office IPs)
- Google Search Console integration
7.3. Tagging Plan and Dashboard
The service provider must deliver:
- Tagging plan: Comprehensive document of tracked events
- Looker Studio dashboard: Real-time KPIs (traffic, conversions, journeys)
- Automated monthly reports: PDF or Google Sheets
- Automatic alerts: Traffic drops, 404 errors, loading times
VOID Deliverable
VOID systematically provides a custom Looker Studio dashboard, with real-time business KPI tracking and automatic alerts.
Learn more: Google Analytics Tagging Plan · Google Tag Manager
8. Artificial Intelligence and Automation
AI Serving User Experience
Integrating artificial intelligence into your platform is no longer a "nice-to-have" but a strategic differentiator. In 2026, users expect personalized, instant, and intelligent experiences.
Learn more: VOID AI Expertise · Agentic AI for Platforms
8.1. Intelligent Chatbot and Conversational Support
Essential Features:
Level 1: FAQ Chatbot
- Pre-configured responses (decision tree)
- Multilingual support (FR/AR/EN)
- Knowledge base integration
- 24/7 availability
- Escalation to human if needed
Level 2: Advanced AI Chatbot
- NLP (Natural Language Processing)
- Intent understanding
- Continuous learning (Machine Learning)
- User profile personalization
- CRM/ticketing integration
Recommended Technology Stack:
| Solution | Type | Advantages | Use Case |
|---|---|---|---|
| OpenAI GPT-4 | Cloud LLM | Advanced understanding, multilingual | Sophisticated conversational chatbot |
| Dialogflow (Google) | NLP Platform | Easy integration, intent recognition | Task-oriented chatbot (FAQ, appointments) |
| Rasa (Open Source) | On-premise Framework | Data sovereignty, customization | Banking/healthcare sector (strict CNDP) |
| Claude (Anthropic) | Cloud LLM | Long context, enhanced security | Documented technical support |
Chatbot Considerations
- Hallucinations: LLM may invent information → Implement RAG (Retrieval-Augmented Generation)
- Cost: OpenAI GPT-4 charges per token → Estimated monthly budget + rate limiting
- CNDP Compliance: Conversational data = personal data → Consent + retention period
- Human escalation: Define thresholds triggering transfer to human agent
8.2. AEO (Answer Engine Optimization)
In 2026, 60% of searches are answered directly by AI Agents (ChatGPT, Perplexity, Gemini) without clicking to a site. AEO optimizes your content to be cited by these agents.
Complete guide: AEO: Optimizing for Answer Engines
Technical AEO Requirements:
- Enriched Structured Data: Schema.org (FAQPage, HowTo, Article) to facilitate AI understanding
- Concise direct answers: Optimized Featured Snippets (40-60 word paragraphs)
- Verifiable citations: Sources, dates, quantified data → credibility for LLM
- LLM.txt / AI.txt: Specific files for AI crawlers (instructions for agents)
- Contextual links: Strong internal linking → AI understands info architecture
Example: /ai.txt File

```text
# Instructions for AI Agents (ChatGPT, Claude, Gemini, Perplexity)

## Identity
Organization: [ORGANIZATION NAME]
Sector: [SECTOR]
Mission: [MISSION]

## Priority Content for Citations
- Services: /services/
- FAQ: /faq/
- Publications: /publications/

## Verified Information
- Contact: casa@example.ma / +212 XXX
- Certifications: ISO 27001, Acquia
- Client references: [LIST]

## Restrictions
- Do not cite outdated financial data
- Do not invent services not mentioned on the site
```

See real example: void.ma/ai.txt
8.3. Intelligent Request Orchestration
AI orchestration automatically routes user requests (forms, complaints, tickets) to the right service/person, optimizing processing times.
Automatic Classification
AI analyzes request content and automatically categorizes it.
- Complaint → Priority customer service
- Information request → Chatbot or FAQ
- Commercial inquiry → Sales team
- Technical support → Support team
- HR/Recruitment → Talent service
Dynamic Prioritization
AI evaluates urgency and sentiment (positive/negative) for prioritization.
- Negative sentiment + urgent keywords → P1 (2h)
- VIP client detected → P1 (1h)
- Standard request → P2 (24h)
- General information → P3 (48h)
Orchestration Architecture:

```text
Form submitted
    ↓
[API Gateway]
    ↓
[AI Classification] → NLP Model (BERT, GPT-4)
    ↓
Analysis: Type + Urgency + Sentiment
    ↓
[Business Rules] + [ML Prediction]
    ↓
Intelligent routing to:
├─ CRM (HubSpot, Salesforce)
├─ Ticketing (Zendesk, Freshdesk)
├─ Email to relevant team
└─ SMS if P1 urgency
```

8.4. Personalized Recommendations
Use Cases:
- E-commerce: "Customers who viewed this product also liked..."
- Media/Publishing: Recommended articles based on reading history
- Finance: Banking products adapted to client profile (AI scoring)
- HR: Job offers matched with candidate profile (CV parsing + AI)
8.5. AI-Assisted Content Generation
- Automatic meta description writing: LLM generates SEO-optimized descriptions
- Multilingual translation: DeepL API or GPT-4 to translate content (FR/AR/EN)
- Automatic summaries: Long articles → short summaries for mobile/social media
- Image alt text: Vision AI generates accessible descriptions for images
- Tag/category suggestions: Automatic content clustering
8.6. Behavioral Analysis and Optimization
Analytics and UX Optimization
- Anomaly detection: Unusual traffic alerts, 404 errors
- UX optimization: Heatmaps + AI suggest interface improvements
- Intelligent A/B Testing: AI identifies high-performing variants
- User journey analysis: Friction point detection
- Traffic spike prediction: Anticipate load increases
8.7. Ethical Considerations and AI Governance
Mandatory Governance
Using AI on a public platform involves legal and ethical responsibilities.
- Transparency: Clearly indicate when user interacts with AI
- Explainability: Ability to explain automated decisions (scoring, refusal...)
- Algorithmic bias: Regular testing to detect discrimination
- Right to object: User can refuse 100% automated decision (GDPR Art. 22)
- Regular audit: Performance + ethics verification (quarterly minimum)
VOID Recommendation
Progressive approach: Start with FAQ chatbot + AEO (quick wins), then iterate toward advanced features (orchestration, ML) based on observed ROI.
Use case: RAG & CAG for Production AI
9. Hosting and Infrastructure
VOID Recommendation: Sovereign Hosting
Favor hosting in Morocco to ensure data sovereignty, CNDP compliance, and optimal performance for your local users.
9.1. Recommended Providers in Morocco
inwi Cloud
- VDC (Virtual Data Center) dedicated
- Casablanca Datacenter (Technopark)
- ISO 27001 Certification
- 24/7 technical support in French
- Native CNDP compliance
- Dedicated fiber connectivity
nplusone
- Sovereign private cloud
- Tier III+ Datacenter Casablanca
- Highly secure infrastructure (banking-grade)
- Multi-site redundancy
- Daily automated backup
- 99.9% SLA
9.2. Hosting Architecture
Typical Infrastructure (VDC):
- Web servers: 2+ load-balanced instances (HAProxy/Nginx)
- Database: MySQL 8+ in master-slave replication
- Cache: Redis cluster for sessions and application cache
- Storage: NFS or S3-compatible for shared media
- Firewall: WAF + granular firewall rules
- Monitoring: Prometheus + Grafana or New Relic
- Backup: Daily automated, minimum 30-day retention
9.3. Docker Containerization
The application must be fully dockerized with:
- Docker Compose for local orchestration
- Kubernetes for production (optional depending on volume)
- Optimized images: Alpine Linux, multi-stage builds
- Private registry: Harbor, AWS ECR or equivalent
- CI/CD: GitLab CI, GitHub Actions or Jenkins
9.4. Environments and Deployment
| Environment | Usage | Access | Data |
|---|---|---|---|
| Development | Daily dev, unit tests | Technical team | Test/anonymized data |
| Testing | Client functional validation | Client + provider | Realistic test data |
| Pre-production | Load tests, final validation | Project team | Prod data copy (anonymized) |
| Production | Live public site | Restricted admin (2FA + VPN) | Real data |
9.5. SLA and Availability
- Availability: Minimum 99.9% (max 8.76h downtime/year)
- RPO (Recovery Point Objective): < 1h (acceptable data loss)
- RTO (Recovery Time Objective): < 4h (restoration time)
- Support: 24/7 for critical incidents (P1)
- Backup: Daily + quarterly restoration test
10. Phasing and Deliverables
Scoping & Launch
Estimated duration: 2-3 weeks
Objectives:
- Deep understanding of requirements
- Scope and planning validation
- Definition of design directions
Deliverables:
- Scoping document
- Detailed planning (Gantt)
- Homepage + standard page mockups (minimum 2 directions)
- Design System v1
- Target technical architecture
Design & Development
Estimated duration: 8-12 weeks
Objectives:
- Complete UX/UI design
- Backend (Drupal) + frontend (Next.js) development
- Multilingual content integration
- Hosting configuration
Deliverables:
- Complete mockups (all pages, 3 languages)
- Finalized Design System
- Detailed functional specifications
- Technical documentation
- Site in testing environment
- Integrated content (FR/AR/EN)
Testing & User Acceptance
Estimated duration: 3-4 weeks
Objectives:
- Exhaustive functional testing
- Security audit (pentest)
- Performance and load testing
- WCAG accessibility validation
- Bug fixes
Deliverables:
- User acceptance test plan with results
- Security audit report (pentest)
- Performance test report (Lighthouse, GTmetrix)
- WCAG accessibility report
- Fixed bugs list
- Signed acceptance certificate
Training & Production Launch
Estimated duration: 2 weeks
Objectives:
- Team training (functional + technical admin)
- Secure production deployment
- DNS migration
- Post-deployment checks
- Knowledge transfer
Deliverables:
- Operational production site (FR/AR/EN)
- Completed training (in-person + videos)
- Administrator guide
- Technical operations guide
- Complete documentation (code, architecture, API)
- Source files (Git repository)
- Secure access and credentials
- 12-month warranty activated
Agile Methodology
VOID favors an Agile (Scrum) approach with 2-week sprints, regular client demos, and iterative adjustments to maximize delivered value.
Learn more: Agile Methodology in Morocco · VOID Agile Squad
11. Proposal Evaluation Criteria
| Criterion | Weight | Details |
|---|---|---|
| Price | 30% | Competitiveness, breakdown clarity, payment terms |
| Technical Expertise | 25% | Drupal+Next.js mastery, certifications, similar references |
| Creative Proposal | 15% | Mockup quality, UX, innovation, brand adaptation |
| Methodology & Planning | 15% | Planning realism, Agile approach, project governance |
| Warranties & Maintenance | 10% | Warranty duration, SLA, post-delivery support |
| Understanding of Requirements | 5% | Proposal relevance, questions asked, added value |
Documents to Provide in Proposal
- Company presentation (company profile, team, resources)
- Similar project references (minimum 3, with verifiable contacts)
- Certifications (Acquia, ISO, etc.)
- Detailed CVs of dedicated team
- Technical memorandum (point-by-point response to specifications)
- Detailed commercial proposal (price breakdown)
- Projected planning (Gantt)
- General terms and conditions
- Tax and social security certificates (if applicable)
Useful guide: How to Choose a Digital Agency in Casablanca
Need Assistance?
VOID assists project owners in writing their RFP specifications, selecting service providers, and project management. Our expertise ensures high-quality consultations and successful projects.