Independent QA, Security & Portability Reviewer - Python/PostgreSQL/Docker
Budget: -
HOURLY / PART_TIME
⭐ 4.95 (60)
Canada
docker, software-qa-testing, api-testing, application-security, postgresql-programming
Python/PostgreSQL/Docker
We are seeking an experienced independent reviewer to conduct QA, application-security, database-integrity, portability and restoration verification for a controlled software alpha.
The application uses a Python-based backend, PostgreSQL and Docker-compatible containers. Certain governed functions must produce deterministic, traceable and reproducible results.
This is an independent technical-assurance assignment, not a primary development, implementation or Technical Lead role.
The proposed reviewer must be identified by name, attend the selection interview and personally perform the core review work.
Responsibilities
The selected reviewer will:
• review the approved requirements, acceptance criteria, implementation package and available technical evidence;
• assess the adequacy and independence of the test plan;
• independently execute or reproduce material tests;
• verify deterministic application behaviour;
• review PostgreSQL integrity, constraints, migrations and audit preservation;
• assess authentication, authorization, secrets, dependencies and secure configuration;
• review Docker builds and environment configuration;
• identify hidden Azure or other cloud dependencies;
• verify that the application can be reconstructed and operated outside Azure;
• classify material defects and required corrections;
• verify one authorized correction cycle;
• provide an Independent Technical Assurance Recommendation to the Project Owner.
The reviewer must not rely solely on:
• demonstrations
• screenshots
• reported test-coverage percentages
• implementer conclusions
• AI-generated conclusions
• the existence of Docker containers
• undocumented verbal assurances.
Material conclusions must be supported by inspected artifacts and reproducible evidence.
Independent Review Boundary
The reviewer may create project-specific:
• test scripts
• test fixtures
• approved synthetic test data
• checklists
• evidence-capture utilities
• restoration-verification utilities
• technical review records.
The reviewer may not modify:
• production application code
• controlling architecture
• production migrations
• deployment configuration
• governed business or rule logic
unless separately authorized in writing by the Project Owner.
Any separately authorized remediation work must be clearly separated from the independent review. A reviewer who modifies a material component may not independently approve that same correction without an additional independent verification arrangement.
Required Deliverables
The engagement must include the following five deliverable groups.
1. Independent Review and Test Plan
A written plan confirming:
• review scope
• controlling inputs
• test approach
• application-security approach
• database and migration approach
• portability and restoration approach
• evidence requirements
• assumptions
• exclusions
• blockers
2. Classified Findings and Security Record
A consolidated record of material findings relating to:
• application behaviour
• testing
• security
• data integrity
• migrations
• dependencies
• configuration
• containers
• documentation.
Each material finding must identify:
• severity
• exact affected component or location
• supporting evidence
• technical impact
• blocking status
• required correction
• verification method.
Severity classifications must distinguish:
• Critical
• High
• Medium
• Low
• Observation.
Preferences and optional enhancements must not be misclassified as defects.
3. Portability and Restoration Verification
A reproducible record establishing whether the application can be reconstructed and operated outside Azure.
The review must address:
• repository preservation
• database export and restoration
• container reconstruction
• configuration
• authentication
• secrets
• hidden cloud dependencies
• required workflow execution
• deterministic-result verification
• restoration evidence.
4. Correction Verification
The quotation must include one authorized correction-verification cycle.
The reviewer must determine whether each accepted blocking finding was:
• corrected
• partially corrected
• not corrected
• accepted as residual risk.
Additional verification cycles are not included unless expressly stated in the accepted quotation or later authorized.
5. Independent Technical Assurance Recommendation
The final recommendation must use one of the following conclusions:
• READY FOR PROJECT OWNER ACCEPTANCE
• CONDITIONALLY READY FOR PROJECT OWNER ACCEPTANCE
• NOT READY FOR PROJECT OWNER ACCEPTANCE
The recommendation must identify:
• unresolved Critical findings
• unresolved High findings
• accepted residual risks
• blocked or unexecuted tests
• unverified claims
• any additional specialist review required.
The Project Owner retains final decision authority.
Required Experience
Candidates must demonstrate strong personal experience in several of the following areas:
• independent software QA and acceptance review
• application-security and secure-configuration review
• Python and API testing
• PostgreSQL integrity and migration testing
• Docker and OCI containers
• deterministic business or rules-engine testing
• dependency and software-supply-chain review
• backup and restoration testing
• Azure portability or cloud-independence verification
• technical findings and assurance reporting.
Experience with regulated, high-assurance, audit-oriented or evidence-driven applications is preferred.
Candidates must explain the work they personally performed rather than relying on general agency, company or team experience.
Shortlisted candidates will be required to explain and defend their screening answers in a live technical discussion. Inability to explain submitted terminology, methodology, evidence or personal contribution may result in disqualification.
Independence and Conflict-of-Interest Requirements
The reviewer must remain independent from the implementer and Technical Lead.
The candidate must disclose whether they, their company, affiliates, proposed subcontractors, business partners or related persons have:
• contributed to the application, architecture or specifications
• worked with the implementer or Technical Lead
• referred the implementer or Technical Lead
• received compensation from either party
• shared ownership, management or financial interests with either party
• participated in prior code or architecture decisions
• an expectation of follow-on implementation or remediation work.
Material conflicts may result in disqualification unless expressly reviewed and accepted by the Project Owner.
The reviewer must:
• personally perform the core review
• preserve independent findings despite schedule pressure
• distinguish passed, failed, blocked, not executed, inconclusive and not-applicable tests
• avoid representing internal review as formal external certification
• avoid using findings to create unauthorized implementation scope.
Optional observations do not create mandatory correction work or additional paid scope.
Access and Data Boundaries
The review is expected to use synthetic or approved non-production data.
Access to live client data is not part of the advertised scope.
Any access provided will be:
• task-specific
• least privilege
• time limited
• revocable
• restricted to authorized systems and materials.
The reviewer must not request or retain broader access than is reasonably necessary for the assignment.
Confidentiality and Intellectual Property
Before confidential disclosure, the selected reviewer must sign the required unilateral NDA.
Before paid work, protected repository access or creation of deliverables, the reviewer must sign a separate Independent Contractor Services and IP Assignment Agreement.
The governing agreements will require:
• no unauthorized subcontracting
• no portfolio, publicity or case-study use
• no external disclosure of project materials
• no upload of confidential materials to unapproved AI tools
• no undisclosed third-party access
• no use of project material to train external models
• disclosure and prior approval of proposed background intellectual property
• assignment of project-specific work product
• sufficient continuing licence rights for any approved background component incorporated into a deliverable
• return or secure deletion of project materials when instructed
• removal of local repository copies and credentials
• written deletion confirmation where required
• termination of access at the end of the authorized period.
Project-specific work product includes applicable:
• test scripts
• fixtures
• test data created for the engagement
• checklists
• findings registers
• reports
• restoration scripts
• evidence-capture utilities
• technical notes
• supporting documentation.
Commercial Submission
Candidates must provide one total all-inclusive fixed-price quotation covering the advertised assignment.
The quotation must include:
• preparation and artifact review
• test-plan assessment
• material test execution or reproduction
• application-security review
• PostgreSQL and migration review
• Docker and configuration review
• portability and restoration verification
• required reports and findings
• agreed review discussions
• one correction-verification cycle
• final Independent Technical Assurance Recommendation.
The quotation must state:
• assumptions
• exclusions
• proposed schedule
• availability
• included meetings or review discussions
• any third-party or tool costs
• any licence or paid-service requirements
• any work requiring a separate specialist
• quotation-validity period.
The candidate must identify any advertised responsibility they believe cannot be completed within the quotation.
No tool purchase, subscription or paid service may be assumed. Any proposed paid tool must be disclosed and approved in advance.
No paid audition or paid screening test will be used.
Any scope change must be documented and approved before additional charges are incurred.
Proposal Instructions
Begin your proposal with:
INDEPENDENT ASSURANCE REVIEWER
Include:
1. The full name of the person who will perform the review.
2. Your total all-inclusive quotation.
3. Your proposed schedule and availability.
4. The portions of the assignment you will personally perform.
5. Any proposed involvement by another person or specialist.
6. Answers to all four screening questions.
7. Two or three concise examples of comparable work.
8. All assumptions, exclusions and proposed tool costs.
9. Confirmation of reasonable Eastern Time overlap.
The named reviewer must attend the interview and perform the core engagement.
Do not include confidential information belonging to previous clients.
Screening Question 1 - Independent QA and Security Review
Describe one application for which you personally conducted independent QA, application-security, or acceptance review.
State:
• the application stack
• your exact role
• what you independently tested
• the most important functional or data-integrity defect you identified
• the most important security or secure-configuration risk you evaluated
• the evidence you required
• how an authorized correction was verified.
Clearly distinguish personal work from work performed by other team members.
Do not provide a general biography.
Screening Question 2 - Deterministic Logic and PostgreSQL Integrity
Assume a Python/PostgreSQL application produces governed scores or warning states through versioned rules.
Explain how you would verify that:
• identical controlled inputs produce identical outputs
• rule changes are authorized and traceable
• expected test results do not simply reproduce production logic
• database migrations preserve required records and audit history
• incomplete or invalid inputs do not create misleading results
• test outcomes are classified correctly as passed, failed, blocked, not executed, inconclusive or not applicable.
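One way to turn the verification goals in this question into executable checks, given here as an added example that is neither part of the posting nor the project's own code: a Python harness over a hypothetical stand-in rule `risk_score_v1`. The rule, its `"v1"` version tag, the authorized fingerprint record, the audit-row exports and all sample inputs are constructed for the example; the oracle's expected values are hand-derived rather than produced by the rule, and every check reports one of the six outcome classes the question lists.

```python
"""Added review harness (constructed example, not the project's code). Checks a
versioned rule for deterministic output, authorized rule identity, hand-derived
expected values, explicit handling of incomplete input and audit-row preservation
across a migration; each check is classified with one of the six outcomes."""
import hashlib
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

Record = Dict[str, Any]
OUTCOMES = ("passed", "failed", "blocked", "not executed", "inconclusive", "not applicable")
RULE_VERSION = "v1"  # hypothetical version tag of the governed rule under review

def risk_score_v1(record: Record) -> Record:
    """Hypothetical governed rule: incomplete or invalid input gives an explicit state, never a defaulted score."""
    required = ("incidents", "tenure_months", "overdue_days")
    missing = sorted(k for k in required if record.get(k) is None)
    if missing:
        return {"rule": RULE_VERSION, "state": "INCOMPLETE_INPUT", "missing": missing}
    if any(record[k] < 0 for k in required):
        return {"rule": RULE_VERSION, "state": "INVALID_INPUT"}
    score = 10 * record["incidents"] + record["overdue_days"] - record["tenure_months"] // 12
    return {"rule": RULE_VERSION, "state": "WARNING" if score >= 20 else "OK", "score": score}

def canonical_digest(obj: Any) -> str:
    """Key-order-independent digest, so two outputs can be compared exactly."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def rule_fingerprint(rule: Callable) -> str:
    """Identity of the rule artifact; a real review would hash the approved source file or migration."""
    return hashlib.sha256(rule.__code__.co_code).hexdigest()

def check_rule_authorized(rule: Callable, version: str, authorized: Dict[str, str]) -> Tuple[str, str]:
    """Traceability: the running rule must match the fingerprint in the authorized change record."""
    if version not in authorized:
        return ("blocked", f"no authorized change record for rule {version}")
    fp = rule_fingerprint(rule)
    if authorized[version] != fp:
        return ("blocked", f"rule {version} differs from its authorized fingerprint")
    return ("passed", f"rule {version} fingerprint {fp[:12]} matches the change record")

def check_determinism(rule: Callable, inputs: List[Record], runs: int = 5) -> Tuple[str, str]:
    """Identical controlled inputs must give identical outputs, whatever the input key order."""
    if runs < 2:
        return ("inconclusive", "fewer than two executions per input")
    for rec in inputs:
        digests = {canonical_digest(rule(dict(rec))) for _ in range(runs)}
        digests.add(canonical_digest(rule(dict(reversed(list(rec.items()))))))
        if len(digests) != 1:
            return ("failed", f"non-deterministic output for input {rec}")
    return ("passed", f"{len(inputs)} inputs x {runs + 1} runs, one digest each")

def check_expected_values(rule: Callable, oracle: List[Tuple[Record, Record]]) -> Tuple[str, str]:
    """Expected values come from the hand-derived oracle, never from running the rule itself."""
    mismatches = [(rec, rule(rec), exp) for rec, exp in oracle if rule(rec) != exp]
    if mismatches:
        return ("failed", f"{len(mismatches)} oracle mismatch(es), first: {mismatches[0]}")
    return ("passed", f"{len(oracle)} oracle cases matched")

def check_audit_preserved(before: Optional[List[Record]], after: Optional[List[Record]]) -> Tuple[str, str]:
    """Every audit row exported before a migration must still be present after it."""
    if before is None:
        return ("not applicable", "no migration in this correction cycle")
    if after is None:
        return ("blocked", "post-migration audit export not provided")
    lost = {canonical_digest(r) for r in before} - {canonical_digest(r) for r in after}
    if lost:
        return ("failed", f"{len(lost)} audit row(s) missing after migration")
    return ("passed", f"{len(before)} audit rows preserved")

def run_review(rule, version, authorized, inputs, oracle, audit_before, audit_after) -> Dict[str, Tuple[str, str]]:
    results = {"rule_authorized": check_rule_authorized(rule, version, authorized)}
    if results["rule_authorized"][0] != "passed":
        # Output of an unauthorized rule artifact would be misleading evidence: skip rather than fail.
        results["determinism"] = ("not executed", "rule artifact not authorized")
        results["expected_values"] = ("not executed", "rule artifact not authorized")
    else:
        results["determinism"] = check_determinism(rule, inputs)
        results["expected_values"] = check_expected_values(rule, oracle)
    results["audit_preserved"] = check_audit_preserved(audit_before, audit_after)
    return results

# Constructed review inputs; oracle outputs are hand-derived, not produced by the rule.
ORACLE = [
    ({"incidents": 2, "tenure_months": 30, "overdue_days": 5}, {"rule": "v1", "state": "WARNING", "score": 23}),
    ({"incidents": 0, "tenure_months": 24, "overdue_days": 3}, {"rule": "v1", "state": "OK", "score": 1}),
    ({"incidents": 1, "tenure_months": 0, "overdue_days": 10}, {"rule": "v1", "state": "WARNING", "score": 20}),
    ({"incidents": 1, "tenure_months": 12}, {"rule": "v1", "state": "INCOMPLETE_INPUT", "missing": ["overdue_days"]}),
    ({"incidents": -1, "tenure_months": 12, "overdue_days": 0}, {"rule": "v1", "state": "INVALID_INPUT"}),
]
CONTROLLED_INPUTS = [rec for rec, _ in ORACLE]
AUDIT_BEFORE = [{"id": 1, "event": "rule_v1_approved"}, {"id": 2, "event": "score_issued"}]
AUDIT_AFTER = AUDIT_BEFORE + [{"id": 3, "event": "migration_applied"}]
AUTHORIZED = {"v1": rule_fingerprint(risk_score_v1)}  # as recorded when the rule was approved

if __name__ == "__main__":
    print(json.dumps(run_review(risk_score_v1, "v1", AUTHORIZED, CONTROLLED_INPUTS, ORACLE, AUDIT_BEFORE, AUDIT_AFTER), indent=1))
```

The design point is in `run_review`: when the rule artifact does not match its authorized fingerprint, the dependent checks are recorded as "not executed" rather than "failed", so the findings register says what was actually established and nothing more.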
Screening Question 3 - Azure Independence and Restoration
Explain how you would prove that a Python/PostgreSQL/Docker application can operate independently from Azure before Azure resources are removed.
Address:
• repository preservation
• database export and restoration
• container reconstruction
• configuration
• authentication and secrets
• hidden cloud dependencies
• required workflow execution
• deterministic-result verification
• restoration evidence.
Also state whether you have personally completed a comparable restoration, cloud-exit or independent reconstruction exercise.
Where applicable, describe:
• your exact role
• the system involved
• the principal dependency or failure discovered
• the evidence produced.
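Two of the checks this question asks for, given here as an added Python example that is neither part of the posting nor the project's own code: a scan of repository files for hidden Azure dependencies, and a comparison of a restored database export against the source export that yields a restoration evidence record. The file contents, the table exports, the indicator patterns and the `accepted_residual` set (dependencies the Project Owner has accepted as residual risk) are all constructed for the example; re-running the required workflow on the restored system is a separate step not shown here.

```python
"""Added portability check (constructed example, not the project's code): scans
repository files for hidden Azure dependencies and compares a restored database
export with the source export, producing a restoration evidence record."""
import hashlib
import json
import re
from typing import Any, Dict, List, Set, Tuple

# Indicators of an Azure dependency in source, requirements, config or container files.
# Each pattern is labelled so that a finding names the kind of dependency, not just a match.
AZURE_INDICATORS = {
    "azure-sdk-import": re.compile(r"^\s*(?:from|import)\s+azure[.\s]", re.M),
    "azure-sdk-requirement": re.compile(r"^\s*azure-[\w-]+", re.M),
    "azure-hostname": re.compile(
        r"\b(?:[\w-]+\.)*(?:blob\.core\.windows\.net|postgres\.database\.azure\.com"
        r"|vault\.azure\.net|azurewebsites\.net|azurecr\.io)\b"),
    "azure-env-var": re.compile(r"\bAZURE_[A-Z0-9_]+"),
    "azure-credential": re.compile(r"DefaultAzureCredential|ManagedIdentityCredential"),
}

def scan_for_cloud_dependencies(files: Dict[str, str]) -> List[Dict[str, Any]]:
    """Return one finding per indicator match, with file and line for the review record."""
    findings = []
    for path, text in sorted(files.items()):
        for kind, pattern in AZURE_INDICATORS.items():
            for m in pattern.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                findings.append({"path": path, "line": line, "kind": kind, "match": m.group(0).strip()})
    return findings

def table_digests(export: Dict[str, List[Dict[str, Any]]]) -> Dict[str, Dict[str, Any]]:
    """Row count and row-order-independent content digest for every table in an export."""
    out = {}
    for table, rows in export.items():
        row_digests = sorted(hashlib.sha256(json.dumps(r, sort_keys=True).encode()).hexdigest() for r in rows)
        out[table] = {"rows": len(rows), "digest": hashlib.sha256("".join(row_digests).encode()).hexdigest()}
    return out

def restoration_evidence(source_export, restored_export, findings, accepted_residual: Set[Tuple[str, str]]):
    """Evidence record: per-table match, unresolved dependency findings and an overall status.
    accepted_residual holds (path, kind) pairs the Project Owner has accepted as residual risk."""
    src, dst = table_digests(source_export), table_digests(restored_export)
    tables = {t: {"source": src[t], "restored": dst.get(t), "match": dst.get(t) == src[t]} for t in src}
    unresolved = [f for f in findings if (f["path"], f["kind"]) not in accepted_residual]
    reasons = [f"table {t}: restored export does not match source export" for t in src if not tables[t]["match"]]
    reasons += [f"unresolved dependency {f['kind']} at {f['path']}:{f['line']}" for f in unresolved]
    return {
        "tables": tables,
        "data_restored": all(v["match"] for v in tables.values()),
        "unresolved_dependencies": unresolved,
        "reasons": reasons,
        "status": "RESTORATION VERIFIED" if not reasons else "NOT DEMONSTRATED",
    }

# Constructed sample repository files and database exports (not the project's).
REPO_FILES = {
    "app/storage.py": "import os\nfrom azure.storage.blob import BlobServiceClient\n\n"
                      "ACCOUNT = os.environ['AZURE_STORAGE_ACCOUNT']\n"
                      "URL = f'https://{ACCOUNT}.blob.core.windows.net'\n",
    "app/settings.py": "DATABASE_URL = 'postgresql://app@db.internal:5432/app'\n",
    "requirements.txt": "fastapi\npsycopg[binary]\nazure-identity\n",
    "docker-compose.yml": "services:\n  db:\n    image: postgres:16\n  api:\n    build: .\n",
}
SOURCE_EXPORT = {
    "rules": [{"id": 1, "version": "v1", "approved_by": "owner"}],
    "audit_log": [{"id": 1, "event": "rule_v1_approved"}, {"id": 2, "event": "score_issued"}],
}
RESTORED_OK = {  # same content, rows returned in a different order
    "rules": [{"id": 1, "version": "v1", "approved_by": "owner"}],
    "audit_log": [{"id": 2, "event": "score_issued"}, {"id": 1, "event": "rule_v1_approved"}],
}
RESTORED_LOSSY = {  # audit history lost during restore
    "rules": [{"id": 1, "version": "v1", "approved_by": "owner"}],
    "audit_log": [{"id": 1, "event": "rule_v1_approved"}],
}

if __name__ == "__main__":
    found = scan_for_cloud_dependencies(REPO_FILES)
    print(json.dumps(restoration_evidence(SOURCE_EXPORT, RESTORED_OK, found, set()), indent=1))
```

Note that the existence of `docker-compose.yml` contributes nothing to the status: the record only turns to "RESTORATION VERIFIED" when every table digest matches and every dependency finding has been resolved or explicitly accepted, which is the evidence standard the posting asks for in place of "Docker alone as proof of portability".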
Screening Question 4 - Independence, Confidentiality and Terms
Confirm whether you can:
• remain independent from the implementer and Technical Lead
• disclose all actual or potential conflicts
• personally perform the core review work
• avoid modifying production code within the independent review role
• sign the required unilateral NDA
• sign a separate services and IP-assignment agreement
• work without unauthorized subcontractors
• avoid uploading project material to unapproved AI systems
• provide one total all-inclusive quotation
• include one correction-verification cycle
• disclose all assumptions, exclusions, tool costs and third-party costs
• return or securely delete project materials when instructed.
Identify any condition you cannot accept.
Automatic Disqualifiers
A proposal may be rejected where the candidate:
• fails to begin with the required phrase
• does not identify the proposed individual reviewer
• does not answer all four screening questions
• does not provide a total all-inclusive quotation
• excludes the initial review, restoration verification, reporting, correction verification or final recommendation
• proposes only hourly billing
• requires a paid audition or paid screening test
• intends to delegate core work without disclosure
• cannot remain independent from the implementer or Technical Lead
• refuses the required NDA or services and IP-assignment agreement
• cannot explain personal contribution to prior work
• treats test coverage alone as proof of quality
• treats Docker alone as proof of portability
• claims formal certification beyond the advertised assignment or their qualifications
• requires undisclosed paid tools or services
• cannot provide reasonable Eastern Time overlap
• relies on generic or AI-polished answers that the named reviewer cannot explain during the interview.
Scope Boundaries
This assignment does not automatically include:
• primary implementation responsibility
• production-code remediation
• product or architecture authority
• production deployment
• formal legal or regulatory opinion
• formal penetration testing
• formal third-party certification
• destructive Azure actions
• access to live client data
• release authority
• final Project Owner acceptance.
Additional work requires express written authorization.
Where separately authorized remediation work affects reviewer independence, the Project Owner may require separate re-verification.
Selection Standard
Selection will be based on demonstrated evidence of:
• independent judgment
• technical depth
• test quality
• application-security reasoning
• PostgreSQL and migration competence
• Docker and portability competence
• restoration discipline
• precise communication
• accountability
• personal performance
• commercial completeness
• fit with the authorized scope.
Candidates will not be selected solely on:
• geography
• lowest price
• claimed years of experience
• certifications
• agency size
• proposal polish.