Proposal · 21 May 2026

SciRec Psychometric Assessment Platform

Full-stack rebuild from Bubble to production code — designed, built, tested, and launched by TKX Media.

Prepared forDavid Ryan & Brian Harward
SciRec
Submitted byStephen Krain
Co-Founder & Partner, TKX Media
In response toSciRec RFP v1.1
SRS v6
Contactinfo@tkxmedia.com
tkxmedia.com
§ 1

Executive Summary

TKX Media will design, build, test, and launch a production-ready replacement for SciRec's Bubble-based psychometric assessment platform. We will preserve the workflows and business logic that already work in your prototype, and deliver a faster, more secure, and more scalable system on a modern code stack.

This proposal covers every item in Section 8 of the RFP and addresses all MVP scope in Section 3 of the SRS — the three portals, eight question types, role-based access, Stripe credit ledger, weighted composite scoring, candidate-safe deployments, PDF reporting, proctoring, GDPR compliance, and the MVP foundations that put WCAG 2.2 AA and SOC 2 Type II within reach in Phase 2.

MVP Fixed Price
$58,500

All-in for the MVP base scope as defined in SRS v6. Three milestone payments. No invoicing for work not yet delivered.

⏱ 15 weeks to launch 🛟 12 weeks post-launch support 📋 Fixed price + change control

Recommended stack

§ 2

About TKX Media

TKX Media is a full-service digital agency based in South Jordan, Utah. We build and operate production web applications for clients across legal, healthcare, ecommerce, B2B services, and multi-location franchise operators. We hold Clutch-recognized standing, maintain a 95% client satisfaction rate, and ship work 1.8x faster than the industry average.

We work as an extension of our clients' teams rather than as an outside vendor. SciRec will work with the same people week to week — including the partner who signs this proposal.

Why we are a strong fit for this build

The technical work is in our wheelhouse

Full-stack web applications on Next.js, Postgres, Stripe, and managed cloud hosting are core to what we deliver. Multi-portal role-based access, secure data handling, credit ledgers, transactional email, PDF generation, and GDPR-aware data flows are problems we solve regularly.

We have done the no-code-to-production migration before

A working Bubble app is a proven business case with a clear technical reason to rebuild — that is exactly the kind of engagement we want. The workflows are validated; the work is translating them into code that scales, hardens, and performs under load.

We operate the kind of internal tooling you want to build

Beyond client-facing sites, we run our own production systems: dashboards backed by Supabase, Stripe-integrated billing flows, scheduled jobs, audit-logged admin tools, and reporting layers. The architecture we are proposing here is built on the same patterns we use ourselves.

§ 3

Technical Approach

3.1 Recommended stack

LayerChoiceWhy
FrontendNext.js 15 (App Router, TypeScript)Server components reduce data over the wire (RFP §4.1); strong accessibility primitives; first-class Vercel deployment.
UI libraryTailwind CSS + shadcn/ui (Radix primitives)Radix ships accessible primitives (keyboard nav, focus, ARIA) out of the box — less WCAG remediation in Phase 2.
Backend / APINext.js Route Handlers + tRPCOne TypeScript type system across client and server reduces integration bugs and shortens QA cycles.
DatabasePostgreSQL via SupabaseRelational model fits assessments, weights, candidates, scores, audit logs. Row Level Security enforces tenant isolation in the database.
AuthSupabase AuthStandards-based. OAuth-ready for Phase 2 Google/Apple sign-in. Integrates with RLS for portal-level access.
StorageSupabase Storage (S3-compatible)Candidate document uploads, company logos, generated reports — signed-URL access with audit trail.
PaymentsStripe (Checkout, Customer Portal, Webhooks)RFP-specified. PCI scope minimized via hosted Checkout. Webhook-driven credit ledger.
EmailResend with React EmailTemplates are version-controlled and previewable in CI. Strong deliverability for candidate invitations.
PDF generationReact-PDF + Puppeteer fallbackDeterministic layout for candidate and client report variants.
HostingVercel + Supabase + AWS S3 (cold backups)Region-aware edge delivery for the geographic spread in SRS §2.5.
ObservabilitySentry · PostHog (PII-masked) · Better StackCovers RFP §8.2 error tracking, session replay, user behavior — GDPR-compatible defaults.
InfrastructureTerraform + GitHub ActionsIaC required for SOC 2 readiness (RFP §4.3).
Background jobsInngest or Supabase Edge FunctionsEmail scheduling, reminders, scheduled deletions.

3.2 Database selection rationale

The SRS asks for written justification of the database choice. We recommend PostgreSQL via Supabase over document or key-value alternatives for three concrete reasons:

  1. The data model is relational. Companies own jobs; jobs reference assessments and batteries with per-assessment weights; assessments contain ordered questions; candidates produce scored responses joined back to questions. These joins are first-class in Postgres and awkward in document stores.
  2. Row Level Security is the cleanest tenant isolation model. Supabase exposes Postgres RLS policies that map directly onto the four client roles (Super-Admin, Admin, Editor, Reviewer), the internal SciRec staff role, and the Phase 2 Organizations sub-unit model. RLS is enforced in the database, not in the application — which materially reduces the risk of access-control bugs.
  3. Audit logging is straightforward. Postgres trigger functions write to an append-only audit table on every significant action, serving the SOC 2 readiness requirement in RFP §4.3 directly.

3.3 High-level architecture

The platform is a single Next.js application serving three logical portals (Candidate, Client, Internal), differentiated by authenticated role. Server components fetch data through a thin tRPC layer that calls Supabase via the service role for trusted operations and via the user role (with RLS) for everything else. Stripe webhooks drive the credit ledger. Resend handles transactional email through background functions. PDF generation runs server-side and is stored in Supabase Storage with signed-URL access.

Key architectural choices, mapped to RFP non-negotiables:

3.4 GDPR compliance

3.5 Security

3.6 Accessibility

The MVP foundations in RFP §4.2 and SRS §3.4 are table stakes:

Full WCAG 2.2 AA compliance — including third-party audit and remediation — is quoted separately in §9.3.

3.7 SOC 2 readiness

We will build the MVP so that SOC 2 Type II certification in Phase 2 is a documentation and observation exercise, not a re-architecture:

When Phase 2 begins, we will recommend an experienced SOC 2 auditor partner. Building to the criteria from day one is the work that matters; the audit itself is structured once the foundation is in place.

3.8 Monitoring, error tracking, and session replay

RFP §8.2 asks specifically about production monitoring, session replay, user-behavior understanding, and GDPR implications. Our recommendation:

Candidate consent for analytics is captured at session start; the candidate runtime can be configured to disable replay entirely if you prefer a more conservative posture. The final posture is agreed in discovery.

§ 4

Development Process

4.1 Methodology

Two-week sprints with a fixed cadence: planning Monday, mid-sprint check-in on Wednesday of the following week, demo and retrospective on the closing Friday. Each sprint produces a deployable increment in a staging environment that SciRec can review at any time.

4.2 Requirements breakdown

SRS requirements are translated into epics → user stories → implementation tasks. Each user story carries explicit acceptance criteria written in Given/When/Then form. Stories are not considered done until acceptance criteria pass and code is reviewed by a second engineer.

Example user story — Assessment Builder

Story. As a Client Admin, I want to add an assessment to a job vacancy with a custom weight so that the candidate's composite score reflects the relative importance of each test.

Acceptance criteria:

  • Given I am signed in as a Client Admin with a draft job vacancy open, when I select an assessment from the test library and enter a weight, then the assessment is added to the job with the specified weight visible on the vacancy detail view.
  • Given I attempt to enter a negative weight, when I save, then the form rejects the input with a labelled error message identifying the field and the constraint.
  • Given a weight of zero is permitted per SRS §2.2, when I enter a weight of zero and save, then the assessment is saved and excluded from the composite calculation but remains visible in the vacancy assessment list.
  • Given two or more assessments with different weights are added, when a candidate completes all assigned assessments, then the composite score is computed as the weighted sum of individual scores divided by the sum of weights, displayed to two decimal places.
  • Given only some assigned assessments are completed, when the composite score view loads, then a partial composite score is displayed alongside an explicit completion-percentage indicator, consistent with SRS §2.2.

4.3 Workflow and communication

4.4 Testing

§ 5

Project Plan

5.1 Phases and milestones

Phase 1Weeks 1–2

Discovery & planning

SRS walkthrough, Bubble app review, architecture document, finalized stack and data model, design brief.

📌 Milestone trigger: architecture document accepted.

Phase 2Weeks 2–4

Design

UI/UX designs for all three portals, design system tokens, accessibility color validation.

📌 Milestone trigger: designs accepted (kick-off payment covers phases 1–2).

Phase 3Weeks 4–7

Foundations

Auth, role model, RLS policies, audit logging, internal portal scaffold, design system implemented.

📌 Milestone trigger: demoable foundations in staging.

Phase 4Weeks 7–10

Client portal

Assessment Builder, Battery Builder, job vacancy flow, candidate invitation, credit ledger, Stripe purchase.

📌 Milestone trigger: mid-project payment (see §9.4).

Phase 5Weeks 10–12

Candidate portal

Candidate runtime for all eight question types, proctoring, autosave, candidate-safe deployment behavior.

📌 Milestone trigger: candidate runtime feature-complete in staging.

Phase 6Weeks 12–13

Reporting & exports

Scoring engine, composite and partial scores, PDF report variants, CSV/Excel/PDF exports.

📌 Milestone trigger: reports validated against SRS scoring rules.

Phase 7Weeks 13–14

Testing, hardening & UAT

Penetration test, accessibility self-audit, full E2E suite green, UAT window with SciRec.

📌 Milestone trigger: UAT sign-off.

Phase 8Week 15

Deployment & handover

Production launch, runbook, repository handover, training session.

📌 Milestone trigger: launch payment.

5.2 Effort estimates by area

Area of workHours
Discovery, architecture, planning60
UI/UX design (three portals, design system)120
Foundations: auth, RLS, audit logging, internal portal scaffold100
Client portal: assessment builder, battery builder, job vacancies180
Stripe integration and credit ledger60
Candidate portal and assessment runtime (all eight question types)180
Scoring engine, composite and partial scores60
Reporting and exports (PDF variants, CSV/Excel/PDF)80
Internal portal extensions (FAQ/tooltip CMS, automated email, app-update controls)70
Email templates, transactional flows30
Testing (unit, integration, E2E, accessibility self-audit)120
Penetration test coordination and remediation30
Deployment, IaC, observability setup50
Documentation, handover, training40
Project management and weekly cadence60
Total1,240

5.3 Assumptions and dependencies

5.4 Risks and items to clarify

§ 6

Proposed Team

A four-person delivery team led by a TKX Media partner, supplemented by external specialists for the accessibility audit and penetration test (see §6.2 and §9.2). Named team members are confirmed before contract signature and any time a team member changes.

RoleResponsibilitiesAllocation
Lead Engineer & Engagement LeadArchitecture, code review, day-to-day SciRec point of contact, sprint planning. Senior partner-level engineer.70%
Full-Stack EngineerPrimary delivery on client and candidate portals, scoring engine, Stripe and email integrations.100%
Frontend Engineer & DesignerUI/UX design, design system implementation, accessibility implementation, frontend delivery.80%
QA & DevOpsTest automation, cross-browser and accessibility QA, IaC, observability, release coordination.40%

6.1 Primary point of contact

Stephen Krain, Co-Founder & Partner at TKX Media, is the primary commercial point of contact for this proposal. The day-to-day delivery lead (the Lead Engineer above) is named when the team is confirmed, ahead of contract signature.

6.2 Subcontracting

TKX may engage external specialists for two specific scopes within the fixed price: a third-party penetration test (§9.1) and, in Phase 2, a third-party WCAG 2.2 AA accessibility audit. Any subcontractor we engage will be named and disclosed before that work begins. No other subcontracting is anticipated.

§ 7

Scope Summary

The MVP fixed price covers the full set of capabilities described in Section 3 of the SRS, with the clarifications below. Items the SRS explicitly descopes (organizations, dimensions, candidate anonymization, tags, multiple stages, and the others listed in SRS §6) are excluded from the MVP fixed price and addressed in §9.3 (Phase 2 pricing).

✓ In scope — MVP

  • Three portals (Candidate, Client, Internal) with role-based access (Super-Admin, Admin, Editor, Reviewer, SciRec staff)
  • Eight question types from SRS §3.1.4 (text, multiple choice + variants, ranking, dropdown, file upload, picture choice, matrix)
  • Assessment Builder, Battery Builder, cloning, preview, draft and published states
  • Job vacancy lifecycle (draft, published, expired at 60 days, manually closed), candidate caps, deadlines, custom weighting
  • Candidate invitation by spreadsheet upload, manual entry, link sharing, existing candidates — with duplicate detection
  • Proctoring: forced fullscreen, paste disable, copy disable (always on), window/tab change monitoring, with company- and job-level overrides
  • Scoring engine: weighted composite scores, partial scores, manual scoring with configurable scale, automatic scoring, unscored options
  • Reporting: candidate and client PDF report variants; CSV, Excel, PDF exports
  • Stripe credit purchase (pay-as-you-go + bulk), credit ledger, transaction history
  • Automated email (invites, reminders) via Resend with versioned templates
  • FAQ and tooltip content management, user-type targeting for FAQs
  • Candidate-safe deployment mechanism (replaces Bubble Variables toggles)
  • Autosave for text input across the platform
  • Accessibility MVP foundations per RFP §4.2 and SRS §3.4
  • SOC 2 readiness foundations per RFP §4.3
  • GDPR compliance: subject access, deletion, consent capture, DPA
  • Observability: Sentry, PostHog (PII-masked), Better Stack
  • Production deployment, IaC, technical documentation, training
  • 12 weeks of post-launch support (see §8)

○ Out of scope — Phase 2

  • Migration of data from the existing Bubble app
  • Organizations sub-units
  • Dimensions (sub-test scoring)
  • Questions tab + Existing Question feature in Assessment Builder
  • Candidate anonymization
  • Random question selection from a larger bank with mandatory flags
  • Tags on jobs, assessments, batteries
  • Full WCAG 2.2 Level AA audit + remediation
  • SOC 2 Type II certification
  • ATS integrations (Greenhouse, Workday, BambooHR, Zoho Recruit)
  • Public API
  • White labelling
  • Camera/audio candidate identity verification
  • Google / Apple sign-in

7.3 Items worth considering for MVP inclusion

Two Phase 2 items are unusually cheap to include now:

Sign in with Google. Adding Google sign-in alongside email/password during MVP development costs roughly one engineering day. Doing it later requires a data-model migration of existing users. Recommended addition: $1,200.
Tags on questions and assessments. The Bubble app has them; the MVP descopes them; reinstating them later requires backfill. If they are valuable for navigation today, building them in now costs less than retrofitting later. Recommended addition: $2,400.

These are recommendations, not assumptions. The MVP fixed price in §9 excludes them.

§ 8

Post-Launch Support

Twelve (12) weeks of post-launch support are included in the fixed price, commencing on the date of production launch. This exceeds the RFP minimum of four weeks because three months is when most genuine production issues surface.

8.1 Covered

8.2 Not covered

8.3 Response time commitments

SeverityDefinitionResponseTarget resolution
Sev 1Production down or candidates unable to take assessments.Within 2 business hours.Same business day.
Sev 2Significant feature broken; workaround exists.Within 1 business day.Within 3 business days.
Sev 3Minor defect; cosmetic or low-impact.Within 2 business days.Next available sprint.

8.4 Continued support after twelve weeks

§ 9

Pricing

9.1 MVP fixed price

Total — MVP base scope
$58,500

Full SRS v6 MVP scope. Three milestone payments. Includes 12 weeks of post-launch support and a third-party penetration test.

Phase of workFixed price
Discovery and planning$4,500
Design$9,000
Development$30,500
Testing (including third-party penetration test)$6,000
Deployment and infrastructure$3,500
Handover, documentation, training, 12 weeks post-launch support$5,000
Total$58,500

9.2 Hosting and infrastructure costs

Estimated ongoing monthly costs for production infrastructure, paid by SciRec directly to providers:

ServiceMonthly (USD)Notes
Vercel (Pro)$20Required for production deployments and analytics.
Supabase (Pro)$25Plus usage at low volumes; reserve allocation grows with traffic.
Stripeper tx2.9% + 30¢ per successful card charge; no platform fees beyond that.
Resend$20Up to 50K emails/month on the Pro plan.
Sentry$26Team plan.
PostHog$0–50Free below 1M events / 5K replays per month.
Better Stack$25Uptime and logs.
Domain, DNS$2Roughly $15–20/year.
Estimated total at launch~$120–170+ Stripe fees. Scales with traffic; revisited quarterly.

9.3 Phase 2 indicative pricing

Each item is quoted as indicative; final pricing is confirmed at the start of each Phase 2 sprint. Prices assume work undertaken within twelve months of MVP launch.

Phase 2 itemIndicative price
Bubble data migration (users, companies, assessments, batteries)$6,000 – $12,000
Organizations sub-units (with credit sharing and visibility rules)$8,500
Dimensions (sub-test scoring and per-dimension weighting)$7,000
Questions tab + Existing Question feature$5,500
Candidate anonymization (pseudonym scheme, toggleable)$3,500
Random question selection from larger bank with mandatory flags$4,500
Tags on jobs, assessments, batteries$2,400
WCAG 2.2 Level AA audit + remediation (third-party audit included)$9,500
SOC 2 Type II readiness audit and remediation (auditor fees separate)$12,000
ATS integration framework + first integration (Greenhouse or Workday)$14,000
Each additional ATS integration$5,500
Public API$9,000
White-label capability$8,000
Camera / audio candidate identity verification$11,000
Sign in with Google + Sign in with Apple$2,800

9.4 Payment schedule

Three milestone payments tied to verifiable completion criteria. TKX does not invoice for work not yet delivered.

Milestone%AmountTrigger
1. Kick-off30%$17,550Contract countersigned and discovery phase started.
2. Mid-project40%$23,400Client portal (Assessment Builder, Battery Builder, job vacancy flow, Stripe credit purchase) demoable in staging and signed off by SciRec founders.
3. Launch30%$17,550Production launch complete, all SRS acceptance criteria met, 12-week post-launch support window begins.

Invoices are due net-15 from milestone sign-off.

9.5 Change control

The fixed price assumes the SRS v6 scope as written. Changes are handled as follows:

  1. Either party raises a change request in writing (Slack or email) describing the change.
  2. TKX produces a written change-impact assessment within three business days, covering scope, effort in hours, price impact, timeline impact, and dependencies.
  3. SciRec approves, modifies, declines, or defers. Approvals are logged in the project change log.
  4. Changes under $1,500 of impact, not affecting the critical path, are absorbed without modifying the milestone schedule.
  5. Changes over $1,500 of impact are added to the contract as a written amendment and invoiced separately on the next applicable milestone.
  6. Changes that materially affect timeline trigger a revised milestone schedule, agreed in writing.

9.6 Break points

Either party may pause or terminate at three pre-defined break points without penalty, paying only for work completed to date:

Outside of break points, the engagement may be terminated with 30 days' written notice. SciRec pays for all work delivered to the termination date, plus a 15% wind-down fee against the next unstarted milestone. Source code, designs, and documentation are handed over in their current state.

§ 10

Intellectual Property

TKX Media accepts SciRec's IP terms in RFP §7 in full. All source code, designs, schemas, documentation, and other deliverables produced under this engagement become the sole property of SciRec on payment of the relevant milestone.

We will reuse only general-purpose open-source libraries and frameworks, all of which are listed in a third-party-license inventory delivered with the source code. We are not reusing any TKX Media proprietary tooling that would create future dependency.

§ 11

Questions and Clarifications

The following are best discussed during discovery. None are blockers to proposal evaluation.

11.1 SRS clarifications

11.2 Operational clarifications

11.3 Items we recommend descoping or adjusting

Ready to start. We can begin discovery within two weeks of contract signature, and we are available for a video call at your convenience to walk through this proposal and discuss the items above. All questions before submission may be directed to Stephen Krain at TKX Media.