Non-Functional Requirements Non-Functional Requirements (NFR): Bilko Project: Bilko — Balkan Accounting SaaS Version: 0.1 Date: 2026-02-23 Author: John (AI Director) Status: Draft Reviewers: Alem Bašić (CEO) Document History Version Date Author Changes 0.1 2026-02-23 John (AI Director) Initial draft — Phase 1 Serbia MVP 1. NFR Overview Category # Requirements Highest Priority Owner Performance 8 Critical John Scalability 5 High John / DevOps agent Availability 6 Critical John / DevOps agent Security 10 Critical John Reliability 6 Critical John Usability 7 High John / Designer Compatibility 6 High John Maintainability 6 Medium John Compliance 8 Critical John + Asmir Data 8 Critical John 2. Performance Requirements ID Requirement Metric Target Measurement Conditions Measurement Method Priority NFR-P01 Dashboard page load (initial) Time to Interactive < 3 seconds 4G connection, cold cache Lighthouse / WebPageTest Must Have NFR-P02 Dashboard page load (subsequent) Time to Interactive < 1 second Warm cache, average device Lighthouse Must Have NFR-P03 Invoice creation wizard navigation Time per step < 500ms Any device, warm cache Lighthouse Must Have NFR-P04 API response time (standard CRUD) p95 response time < 300ms ≤ 1000 concurrent users APM tool / k6 Must Have NFR-P05 API response time (reports) p95 response time < 2 seconds ≤ 1000 concurrent orgs APM tool Must Have NFR-P06 SEF submission response End-to-end latency < 30 seconds SEF API response time API monitoring Must Have NFR-P07 Core Web Vitals: LCP Largest Contentful Paint < 2.5 seconds Mobile, 4G Lighthouse Must Have NFR-P08 Core Web Vitals: CLS Cumulative Layout Shift < 0.1 Any device Lighthouse Must Have 3. Scalability Requirements ID Requirement Metric Launch Target 12-Month Target Measurement Method Priority NFR-S01 Concurrent organizations Active organizations 1,000 10,000 Load testing (k6) Must Have NFR-S02 Concurrent user sessions Simultaneous sessions 500 5,000 Load testing Must Have NFR-S03 API throughput Requests per second 200 RPS 2,000 RPS k6 load test Must Have NFR-S04 Data volume per organization Transactions per org/year 50,000 200,000 Storage + query monitoring Should Have NFR-S05 Auto-scaling response Time to add new instance < 3 minutes < 3 minutes Cloud console metrics Should Have 4. Availability Requirements ID Requirement Target Measurement Period Exclusions Priority NFR-A01 System uptime SLA ≥ 99.9% Monthly rolling Scheduled maintenance windows Must Have NFR-A02 Scheduled maintenance window Max 2 hours/month Monthly Preferred: Sunday 02:00-04:00 CET Must Have NFR-A03 Maintenance notification lead time ≥ 48 hours notice Per event Emergency patches: 4 hours Must Have NFR-A04 RPO (Recovery Point Objective) Max 1 hour data loss Per incident N/A Must Have NFR-A05 RTO (Recovery Time Objective) System restored within 4 hours Per incident N/A Must Have NFR-A06 Database backup frequency Daily full + hourly transaction log Ongoing N/A Must Have SLA Calculation Reference: Uptime % Annual Downtime Monthly Downtime 99.9% 8.7 hours 43.8 minutes 99.5% 43.8 hours 3.6 hours 99.0% 87.6 hours 7.3 hours 5. Security Requirements ID Requirement Category Target / Standard Measurement Method Priority NFR-SEC01 Authentication Auth JWT (access: 15min TTL) + refresh token (30d rolling TTL); bcrypt password hashing (cost factor ≥ 12) Code review Must Have NFR-SEC02 Password policy Auth Min 8 chars, 1 uppercase, 1 number, 1 special character Automated test Must Have NFR-SEC03 Account lockout Auth 5 failed attempts → 15-min lockout; logged in LoggedAction Automated test Must Have NFR-SEC04 Data encryption in transit Encryption TLS 1.3 minimum; HTTP → HTTPS redirect enforced SSL Labs scan (grade A+) Must Have NFR-SEC05 Data encryption at rest Encryption Database encryption at rest (cloud provider); bcrypt for passwords Infrastructure review Must Have NFR-SEC06 Input validation Injection Prevention All inputs sanitized server-side with Zod; parameterized queries via Prisma Code review + SAST Must Have NFR-SEC07 XSS prevention Injection Prevention React default encoding + CSP headers; no dangerouslySetInnerHTML OWASP ZAP / code review Must Have NFR-SEC08 Rate limiting DDoS/Abuse Auth endpoints: 5 req/min; General API: 100 req/min per IP Load test + monitoring Must Have NFR-SEC09 Audit logging Compliance All auth events, financial mutations logged in LoggedAction (append-only) with user ID + timestamp Log review Must Have NFR-SEC10 Organization data isolation Multi-tenancy All database queries scoped to organizationId via middleware; no cross-tenant queries Code review + penetration test Must Have NFR-SEC11 Security headers HTTP Security HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, CSP securityheaders.com scan Must Have NFR-SEC12 Dependency security Supply Chain No known critical CVEs; automated scan in CI Snyk / npm audit in CI Should Have 6. Reliability Requirements ID Requirement Metric Target Measurement Method Priority NFR-R01 Application error rate 5xx errors / total requests < 0.1% APM monitoring Must Have NFR-R02 ACID compliance Transaction integrity 100% — all financial transactions ACID-compliant PostgreSQL guarantees + DB tests Must Have NFR-R03 Double-entry balance integrity Debit = Credit for all transactions Zero imbalance events CI test: balance check on all transactions Must Have NFR-R04 SEF queue reliability Failed SEF submissions retried Max 3 retries; success on retry > 99% for transient failures SEF monitoring Must Have NFR-R05 Data integrity Zero data corruption 0 corruption events per 12 months Database integrity checks Must Have NFR-R06 Health check endpoint System health observable /api/health returns 200 when healthy Uptime monitoring Must Have 7. Usability Requirements ID Requirement Target Measurement Method Priority NFR-U01 Time to create first invoice New user creates first invoice in < 10 minutes Beta user testing Must Have NFR-U02 Invoice wizard completion rate ≥ 85% of users who start wizard complete it Analytics (funnel) Must Have NFR-U03 WCAG compliance WCAG 2.1 Level AA axe-core automated + manual Must Have NFR-U04 Keyboard navigation All interactive elements reachable by keyboard Manual testing Must Have NFR-U05 Mobile responsiveness Fully functional on 375px–1440px viewport Manual + Lighthouse Must Have NFR-U06 Language: Serbian Full UI in Serbian (Latin script) for Phase 1; Cyrillic toggle Manual review by native speaker Must Have NFR-U07 Error messages All errors in Serbian language; actionable advice included Content audit Must Have 8. Compatibility Requirements ID Requirement Category Target Priority NFR-C01 Web browsers (desktop) Browser Chrome 100+, Firefox 100+, Safari 16+, Edge 100+ Must Have NFR-C02 Web browsers (mobile) Browser Safari iOS 15+, Chrome Android 100+ Must Have NFR-C03 Mobile operating systems OS iOS 15+, Android 11+ Must Have NFR-C04 Screen resolutions Responsive 375px to 2560px viewport width Must Have NFR-C05 SEF API compatibility External API SEF API v1 (UBL 2.1 XML, REST) Must Have NFR-C06 Bank CSV formats Import Serbian bank CSV formats: Raiffeisen, UniCredit, OTP, Banca Intesa Should Have 9. Maintainability Requirements ID Requirement Metric Target Measurement Method Priority NFR-M01 Test coverage (backend) % code covered by automated tests ≥ 80% overall; ≥ 95% for financial logic (double-entry, VAT, SEF) CI coverage report Must Have NFR-M02 TypeScript strict mode Type safety strict: true in tsconfig for all packages CI type-check Must Have NFR-M03 Deployment frequency Time to deploy bug fix to production < 1 hour from PR merge CI/CD metrics Should Have NFR-M04 Database migrations Schema change process All changes via Prisma migration; never edit existing migration Code review Must Have NFR-M05 Monorepo build time Turborepo build Full build < 3 minutes; incremental < 30 seconds CI metrics Should Have NFR-M06 Logging completeness Log coverage All external API calls (SEF, email, FX), all errors, all financial mutations logged Log review Must Have 10. Compliance Requirements ID Regulation Applicability Requirement Technical Implementation Priority NFR-COMP01 Zakon o elektronskom fakturisanju (Serbia) Yes — mandatory B2B 2023 Submit e-invoices to SEF in UBL 2.1; sequential numbering; digital signature SefService module; UBL 2.1 XML generation Must Have NFR-COMP02 Zakon o PDV (Serbia) Yes — all VAT-registered orgs 20% standard, 10% reduced PDV; monthly filing by 15th; PDV report format for ePorezi PDV calculation engine; report export Must Have NFR-COMP03 Zakon o računovodstvu (Serbia) Yes Double-entry; 10-year document retention; annual balance sheet; audit trail LoggedAction (append-only); DB retention policy Must Have NFR-COMP04 GDPR (EU / Norwegian Personvernloven) Yes — ALAI Holding AS is Norwegian; processes EU citizen data Lawful basis for processing; right to deletion within 30 days; DPA in place; breach notification within 72h; data export (Article 20) User data deletion API; audit logs; DPA Must Have NFR-COMP05 GDPR — Data minimization Yes Collect only data necessary for accounting function BA review of data model; field-level PII audit Must Have NFR-COMP06 GDPR — Cookie consent Yes — if tracking cookies used Explicit consent before non-essential cookies Cookie consent banner; opt-in only analytics Must Have NFR-COMP07 Multi-tenancy data isolation Yes — SaaS requirement Organization data strictly scoped; no cross-tenant access organizationId middleware + DB constraint Must Have NFR-COMP08 WCAG 2.1 AA Yes — accessibility standard Digital accessibility for all users NFR-U03, NFR-U04 Must Have 11. Data Requirements ID Requirement Category Target Implementation Priority NFR-D01 Monetary precision Data type ALL monetary fields: NUMERIC(19,4) — NEVER float, NEVER JavaScript number Prisma schema: Decimal type enforced Must Have NFR-D02 Data retention — financial records Retention 10 years minimum (Serbia); 11 years (Croatia) Retention policy in DB; no auto-delete of financial records Must Have NFR-D03 Data retention — logs Retention Application logs: 90 days; Audit logs (LoggedAction): retain permanently Log rotation + LoggedAction never purged Must Have NFR-D04 Database backup Backup Full backup daily; transaction logs every 1 hour Automated backup schedule in cloud provider Must Have NFR-D05 Backup encryption Backup Backups encrypted at rest (AES-256) Cloud provider encryption Must Have NFR-D06 PII identification Privacy All PII fields documented; user email, name, tax ID (PIB) identified Data dictionary + Prisma annotations Must Have NFR-D07 Data export (portability) Portability User can export all organization data (invoices, expenses, transactions, contacts) in JSON/CSV Export API endpoint Must Have NFR-D08 Exchange rate immutability Integrity Exchange rate locked at transaction date; cannot be retroactively edited DB constraint + LoggedAction on change attempt Must Have 12. NFR Testing & Verification Plan NFR Category Testing Method Tools Frequency Pass Criteria Performance Lighthouse + k6 load test Lighthouse, k6 Pre-launch + monthly All NFR-P targets met at normal load Scalability k6 stress test (2× normal load) k6 Pre-launch Graceful degradation; no data corruption under stress Security SAST + OWASP ZAP + manual code review Snyk, OWASP ZAP CI (SAST), Pre-launch (DAST) No critical/high unresolved vulnerabilities Compliance (SEF) SEF sandbox end-to-end test SEF sandbox API Pre-launch 100% invoice submission success in sandbox Compliance (PDV) Manual accounting verification + test data Test data set Pre-launch + each PDV change PDV calculations match expected values for 20 test cases Compliance (GDPR) Manual review + deletion test Manual Pre-launch + annual Right to deletion completes within 30 days; export works Accessibility axe-core + keyboard manual test axe-core Per sprint WCAG 2.1 AA — 0 critical violations Availability Uptime monitoring + DR drill Uptime monitor Ongoing + quarterly SLA ≥ 99.9% monthly Data integrity DB constraint tests + balance check in CI Prisma + custom tests CI (every PR) 0 debit/credit imbalances; 0 NUMERIC precision errors Approval Role Name Date Signature Author John (AI Director) 2026-02-23 Reviewer Tech Lead John 2026-02-23 Business Analyst John 2026-02-23 Product Owner John 2026-02-23 AI Director (John) John 2026-02-23 CEO (Alem) Alem Bašić