Non-Functional Requirements (NFR): Drop — Fintech Payment App
Project: Drop — Remittance + QR Payments
Version: 1.0
Date: 2026-02-23
Author: John (AI Director)
Status: Approved
Reviewers: Alem Bašić (CEO)
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-23 | John | Initial draft; targets from security audit + business case |
1. NFR Overview
| Category | # Requirements | Highest Priority | Owner |
|---|---|---|---|
| Performance | 6 | Must Have | John (Tech Lead) |
| Scalability | 4 | Must Have | John / DevOps |
| Availability | 6 | Must Have | John / DevOps |
| Security | 12 | Critical | John + Security agent |
| Reliability | 5 | Must Have | John |
| Usability | 5 | Should Have | John (Designer) |
| Compatibility | 4 | Must Have | John |
| Maintainability | 5 | Should Have | John |
| Compliance | 8 | Critical | John + Legal |
| Data | 5 | Must Have | John |
2. Performance Requirements
| ID | Requirement | Metric | Target | Measurement Conditions | Method | Priority |
|---|---|---|---|---|---|---|
| NFR-P01 | Page load time (initial) | Time to Interactive | < 3 seconds | 4G connection, cold cache | Lighthouse | Must Have |
| NFR-P02 | API response time (standard) | p95 response time | < 500ms | Normal load (200 concurrent users) | APM / k6 | Must Have |
| NFR-P03 | API response time (bcrypt operations) | p95 response time | < 1,000ms | Normal load | Benchmark tests | Must Have |
| NFR-P04 | Database query time | p95 query time | < 10ms (SELECT), < 20ms (INSERT) | Normal load | api-benchmarks.test.ts | Must Have |
| NFR-P05 | Core Web Vitals: LCP | Largest Contentful Paint | < 2.5 seconds | Mobile, 4G | Lighthouse | Must Have |
| NFR-P06 | 50 concurrent rate limit checks | Total time | < 2,000ms total | 50 concurrent calls | api-benchmarks.test.ts | Should Have |
3. Scalability Requirements
| ID | Requirement | Metric | MVP Target | Phase 2 Target | Method | Priority |
|---|---|---|---|---|---|---|
| NFR-S01 | Concurrent users | Active sessions | 200 users (SQLite limit) | 5,000+ users (PostgreSQL) | Load testing | Must Have |
| NFR-S02 | Database migration trigger | Concurrent users | Migrate at 200 concurrent | PostgreSQL in Phase 2 | Monitoring | Must Have |
| NFR-S03 | API rate limits | Max requests per IP | 10 req/min (auth), 60 req/min (general) | Same | Rate limiter config | Must Have |
| NFR-S04 | Storage growth | DB size | < 1GB on Fly.io persistent volume | Managed PostgreSQL | Storage monitoring | Should Have |
4. Availability Requirements
| ID | Requirement | Target | Period | Exclusions | Priority |
|---|---|---|---|---|---|
| NFR-A01 | System uptime SLA | ≥ 99.5% | Monthly rolling | Scheduled maintenance (advance notice) | Must Have |
| NFR-A02 | Scheduled maintenance window | Max 4 hours/month | Monthly | Tue-Thu 02:00-06:00 CET preferred | Must Have |
| NFR-A03 | Maintenance notice lead time | ≥ 24 hours | Per event | Emergency patches: ASAP notify | Must Have |
| NFR-A04 | RPO (Recovery Point Objective) | Max 24 hours data loss | Per incident | Daily backup schedule | Must Have |
| NFR-A05 | RTO (Recovery Time Objective) | System restored within 4 hours | Per incident | For staging; production target 2 hours | Must Have |
| NFR-A06 | Database backup | Daily automated backup | Ongoing | Fly.io persistent volume | Must Have |
SLA Reference:
| Uptime % | Monthly Downtime |
|---|---|
| 99.9% | 43.8 minutes |
| 99.5% | 3.6 hours |
| 99.0% | 7.3 hours |
5. Security Requirements
Context: Drop is a fintech app handling real money flows. Security is Critical priority. See security/drop-security-rapport.md for full audit (score: 57/100 pre-Phase 0.5; target: 80/100 post-hardening).
| ID | Requirement | Category | Target / Standard | Method | Priority |
|---|---|---|---|---|---|
| NFR-SEC01 | Authentication | Auth | JWT (jose library) in httpOnly cookie; SameSite=Strict; 7-day expiry | Code review + audit | Must Have |
| NFR-SEC02 | Password hashing | Auth | bcrypt, 12 rounds; NO SHA-256 fallback | auth.test.ts | Must Have |
| NFR-SEC03 | JWT secret | Secrets | JWT_SECRET must be set via env var — fail fast if missing | Code review | Must Have |
| NFR-SEC04 | CSRF protection | Injection | CSRF middleware on all POST/PATCH/DELETE endpoints | Code review + test | Must Have |
| NFR-SEC05 | Rate limiting | Abuse | 10 req/min on auth; 60/min general; persistent (DB-backed, not in-memory) | middleware.test.ts | Must Have |
| NFR-SEC06 | Input validation | Injection | All inputs sanitized server-side; parameterized SQL (no raw queries) | validation.test.ts | Must Have |
| NFR-SEC07 | XSS prevention | Injection | CSP headers (script-src 'self'); no dangerouslySetInnerHTML | OWASP ZAP | Must Have |
| NFR-SEC08 | Security headers | HTTP | HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, CSP | securityheaders.com | Must Have |
| NFR-SEC09 | Card data | PCI-DSS | NEVER store or return full card number or CVV; only last_four + token_ref | Code review + db.test.ts | Must Have |
| NFR-SEC10 | Audit logging | Compliance | All auth events, transactions, KYC changes logged with user_id + IP + timestamp | Code review | Must Have |
| NFR-SEC11 | Per-user transaction locks | Financial | Concurrent transactions from same user serialised; no double-spend | Integration test | Must Have |
| NFR-SEC12 | Penetration testing | Operations | External pentest before production launch | Third-party report | Should Have |
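
A CI smoke check for the header and cookie targets in NFR-SEC01, NFR-SEC07 and NFR-SEC08, as an added example that is not part of the Drop code base. `auditResponse`, the `session` cookie name and both sample responses are constructed; the check assumes the cookie lifetime is set with Max-Age and that header names are passed in lower-cased.

```typescript
// Added example, not Drop's own code: auditResponse and both sample responses are constructed.
type HeaderMap = Record<string, string>; // header names lower-cased by the caller
const SEVEN_DAYS = 7 * 24 * 60 * 60; // NFR-SEC01 expiry, in seconds
// "a=1; B; c=2" -> { a: "1", b: "", c: "2" }; attribute names are case-insensitive.
function attrs(parts: string[]): Record<string, string> {
  const out: Record<string, string> = {};
  for (const p of parts) {
    const [name, ...rest] = p.trim().split("=");
    if (name) out[name.toLowerCase()] = rest.join("=").trim();
  }
  return out;
}
// Effective script sources: script-src, falling back to default-src as CSP does.
function scriptSources(csp: string): string[] {
  const find = (name: string) =>
    csp.split(";").map((d) => d.trim().split(/\s+/)).filter((d) => d[0]?.toLowerCase() === name)[0];
  return (find("script-src") ?? find("default-src") ?? []).slice(1);
}

function auditResponse(h: HeaderMap): string[] {
  const failed: string[] = [];
  // NFR-SEC01: session cookie is HttpOnly, SameSite=Strict, lifetime at most 7 days.
  const cookie = attrs((h["set-cookie"] ?? "").split(";").slice(1)); // skip name=value
  const maxAge = Number(cookie["max-age"]); // NaN when Max-Age is absent
  if (cookie["httponly"] === undefined) failed.push("NFR-SEC01 HttpOnly");
  if ((cookie["samesite"] ?? "").toLowerCase() !== "strict") failed.push("NFR-SEC01 SameSite");
  if (!(maxAge > 0 && maxAge <= SEVEN_DAYS)) failed.push("NFR-SEC01 Max-Age");
  // NFR-SEC07: a CSP is present and scripts load only from 'self'.
  const scripts = scriptSources(h["content-security-policy"] ?? "");
  if (scripts.length !== 1 || scripts[0] !== "'self'") failed.push("NFR-SEC07 script-src");
  // NFR-SEC08: HSTS on (max-age=0 would switch it off), framing denied, sniffing off.
  const hsts = attrs((h["strict-transport-security"] ?? "").split(";"));
  if (!(Number(hsts["max-age"]) > 0)) failed.push("NFR-SEC08 HSTS");
  if ((h["x-frame-options"] ?? "").toUpperCase() !== "DENY") failed.push("NFR-SEC08 X-Frame-Options");
  if ((h["x-content-type-options"] ?? "").toLowerCase() !== "nosniff") failed.push("NFR-SEC08 nosniff");
  return failed;
}

const hardened: HeaderMap = {
  "set-cookie": "session=constructed.jwt.value; Path=/; HttpOnly; SameSite=Strict; Max-Age=604800",
  "content-security-policy": "default-src 'self'; script-src 'self'",
  "strict-transport-security": "max-age=63072000; includeSubDomains",
  "x-frame-options": "DENY", "x-content-type-options": "nosniff",
};
const weak: HeaderMap = {
  "set-cookie": "session=constructed.jwt.value; Path=/; SameSite=Lax; Max-Age=2592000",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff",
};
console.log(auditResponse(hardened), auditResponse(weak));
```

The hardened response yields an empty list; the weak one is flagged on every cookie attribute, on `script-src`, on the missing HSTS header and on `X-Frame-Options`.
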
6. Reliability Requirements
| ID | Requirement | Metric | Target | Method | Priority |
|---|---|---|---|---|---|
| NFR-R01 | Application error rate | 5xx errors / total requests | < 0.1% | Monitoring | Must Have |
| NFR-R02 | Transaction integrity | Atomic transactions | ACID compliance; no partial updates | db.test.ts | Must Have |
| NFR-R03 | MTTR | Average recovery time | < 4 hours | Incident log | Must Have |
| NFR-R04 | Data integrity | Database constraints | Zero orphaned records; FK constraints enabled | db.test.ts | Must Have |
| NFR-R05 | Health check | System observability | GET /api/health returns 200 with DB status | CI smoke tests | Must Have |
7. Usability Requirements
| ID | Requirement | Target | Method | Priority |
|---|---|---|---|---|
| NFR-U01 | Onboarding completion | New user completes onboarding (3 steps) in < 3 minutes | Usability testing | Must Have |
| NFR-U02 | Remittance flow time | Registered user sends money in < 2 minutes | Usability testing | Must Have |
| NFR-U03 | Mobile responsiveness | Fully functional on 375px–1440px (primary: 375-428px mobile) | Manual + automated | Must Have |
| NFR-U04 | Error recovery | User can recover from any form error without page reload | Manual testing | Must Have |
| NFR-U05 | Language | Norwegian (primary) and English (secondary) | Content audit | Should Have |
8. Compatibility Requirements
| ID | Requirement | Category | Target | Priority |
|---|---|---|---|---|
| NFR-C01 | Web browsers | Browser | Chrome 100+, Firefox 100+, Safari 16+, Edge 100+ | Must Have |
| NFR-C02 | Mobile browsers | Browser | Safari iOS 15+, Chrome Android 100+ (primary platform) | Must Have |
| NFR-C03 | Screen resolutions | Responsive | 375px (iPhone SE) to 1440px (desktop); mobile-first | Must Have |
| NFR-C04 | API versioning | API | Next.js API Routes (no versioning in MVP); semantic versioning in Phase 2 | Should Have |
9. Maintainability Requirements
| ID | Requirement | Metric | Target | Method | Priority |
|---|---|---|---|---|---|
| NFR-M01 | Test coverage | % code covered | ≥ 80% overall; 100% for auth + transaction paths | CI coverage (Vitest) | Must Have |
| NFR-M02 | CI/CD pipeline | Deployment frequency | Bug fix to staging in < 30 minutes from merge | GitHub Actions | Must Have |
| NFR-M03 | Feature flags | Feature control | All gated features controllable via env vars without redeploy | feature-flags.test.ts | Should Have |
| NFR-M04 | Documentation currency | Doc coverage | All API endpoints documented in docs/backend/API-REFERENCE.md | Doc review | Should Have |
| NFR-M05 | Dependency currency | CVE exposure | 0 critical CVEs in production dependencies | npm audit in CI | Must Have |
10. Compliance Requirements
| ID | Regulation | Applicability | Requirement | Technical Implementation | Priority |
|---|---|---|---|---|---|
| NFR-COMP01 | GDPR (EU) | Yes — Norwegian users | Lawful basis; right to deletion; DPA with BaaS; 72h breach notification | Data deletion API; audit logs; DPA contract | Must Have |
| NFR-COMP02 | GDPR — Data minimisation | Yes | Collect only data necessary for stated purpose | BA review of DB schema | Must Have |
| NFR-COMP03 | PSD2 (EU) | Yes — payment initiation | PISP/AISP registration with Finanstilsynet; or operate under bank partner licence | Finanstilsynet registration | Must Have |
| NFR-COMP04 | AML / AMLD6 | Yes — money transfer | KYC verification before transaction; transaction monitoring; SAR capability | Sumsub integration; monitoring alerts | Must Have |
| NFR-COMP05 | PCI-DSS | Partial (cards feature) | No card number/CVV storage; tokenisation only | last_four + token_ref only; tokenisation via partner | Must Have |
| NFR-COMP06 | DORA (EU) | Yes | ICT risk management; incident reporting framework | Incident report template; business continuity | Should Have |
| NFR-COMP07 | Norwegian Personvernloven | Yes | National GDPR implementation; same requirements | Legal review | Must Have |
| NFR-COMP08 | Financial licence disclaimer | Yes | NEVER use "banking" without licence disclaimer in UI | UI copy review; /learning-opportunity on violations | Must Have |
11. Data Requirements
| ID | Requirement | Category | Target | Implementation | Priority |
|---|---|---|---|---|---|
| NFR-D01 | Data retention — user data | Retention | User data deleted within 30 days of account deletion request | Scheduled deletion job (GDPR Art.17) | Must Have |
| NFR-D02 | Data retention — audit logs | Retention | Audit logs: 5 years (AML requirement) | Log rotation policy | Must Have |
| NFR-D03 | PII field documentation | Privacy | All PII fields identified in DATABASE-SCHEMA.md | Data dictionary in docs/backend/ | Must Have |
| NFR-D04 | Data anonymisation (non-prod) | Privacy | No real user data in staging/dev environments | Seed data only; no prod data migration | Must Have |
| NFR-D05 | GDPR data export | Portability | User can export their data (GDPR Art.20) | Data export endpoint | Should Have |
12. NFR Testing & Verification Plan
| NFR Category | Testing Method | Tools | Frequency | Pass Criteria |
|---|---|---|---|---|
| Performance | Benchmark tests + load testing | api-benchmarks.test.ts, Lighthouse | Per sprint + pre-launch | All NFR-P targets met |
| Security | Security audit + automated tests | validation.test.ts, OWASP ZAP, external pentest | Per sprint + pre-launch | Score ≥ 80/100; no critical open |
| Availability | Uptime monitoring | Fly.io metrics, health endpoint | Ongoing | ≥ 99.5% monthly |
| Compliance | Legal review + audit | Manual + Sumsub | Pre-launch + annual | All compliance items verified |
| Reliability | Unit + integration tests | Vitest (db.test.ts) | Per commit | Zero failed integrity tests |
Approval
| Role | Name | Date | Signature |
|---|---|---|---|
| Author | John (AI Director) | 2026-02-23 | Approved (AI) |
| Tech Lead | John | 2026-02-23 | Approved |
| AI Director (John) | John | 2026-02-23 | Approved |
| CEO (Alem) | Alem Bašić | TBD | |