# Non-Functional Requirements (NFR): Drop — Fintech Payment App

> **Project:** Drop — Remittance + QR Payments
> **Version:** 1.0
> **Date:** 2026-02-23
> **Author:** John (AI Director)
> **Status:** Approved
> **Reviewers:** Alem Bašić (CEO)

## Document History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 0.1 | 2026-02-23 | John | Initial draft; targets from security audit + business case |

---

## 1. NFR Overview

| Category | # Requirements | Highest Priority | Owner |
|----------|---------------|-----------------|-------|
| Performance | 6 | Must Have | John (Tech Lead) |
| Scalability | 4 | Must Have | John / DevOps |
| Availability | 6 | Must Have | John / DevOps |
| Security | 12 | Critical | John + Security agent |
| Reliability | 5 | Must Have | John |
| Usability | 5 | Should Have | John (Designer) |
| Compatibility | 4 | Must Have | John |
| Maintainability | 5 | Should Have | John |
| Compliance | 8 | Critical | John + Legal |
| Data | 5 | Must Have | John |

---

## 2. Performance Requirements

| ID | Requirement | Metric | Target | Measurement Conditions | Method | Priority |
|----|------------|--------|--------|----------------------|--------|----------|
| NFR-P01 | Page load time (initial) | Time to Interactive | < 3 seconds | 4G connection, cold cache | Lighthouse | Must Have |
| NFR-P02 | API response time (standard) | p95 response time | < 500ms | Normal load (200 concurrent users) | APM / k6 | Must Have |
| NFR-P03 | API response time (bcrypt operations) | p95 response time | < 1,000ms | Normal load | Benchmark tests | Must Have |
| NFR-P04 | Database query time | p95 query time | < 10ms (SELECT), < 20ms (INSERT) | Normal load | api-benchmarks.test.ts | Must Have |
| NFR-P05 | Core Web Vitals: LCP | Largest Contentful Paint | < 2.5 seconds | Mobile, 4G | Lighthouse | Must Have |
| NFR-P06 | 50 concurrent rate limit checks | Total time | < 2,000ms total | 50 concurrent calls | api-benchmarks.test.ts | Should Have |

---

## 3. Scalability Requirements

| ID | Requirement | Metric | MVP Target | Phase 2 Target | Method | Priority |
|----|------------|--------|-----------|----------------|--------|----------|
| NFR-S01 | Concurrent users | Active sessions | 200 users (SQLite limit) | 5,000+ users (PostgreSQL) | Load testing | Must Have |
| NFR-S02 | Database migration trigger | Concurrent users | Migrate at 200 concurrent | PostgreSQL in Phase 2 | Monitoring | Must Have |
| NFR-S03 | API rate limits | Max requests per IP | 10 req/min (auth), 60 req/min (general) | Same | Rate limiter config | Must Have |
| NFR-S04 | Storage growth | DB size | < 1GB on Fly.io persistent volume | Managed PostgreSQL | Storage monitoring | Should Have |

---

## 4. Availability Requirements

| ID | Requirement | Target | Period | Exclusions / Notes | Priority |
|----|------------|--------|--------|--------------------|----------|
| NFR-A01 | System uptime SLA | ≥ 99.5% | Monthly rolling | Scheduled maintenance (with advance notice) excluded | Must Have |
| NFR-A02 | Scheduled maintenance window | Max 4 hours/month | Monthly | Tue-Thu 02:00-06:00 CET preferred | Must Have |
| NFR-A03 | Maintenance notice lead time | ≥ 24 hours | Per event | Emergency patches: notify as soon as possible | Must Have |
| NFR-A04 | RPO (Recovery Point Objective) | Max 24 hours of data loss | Per incident | Bounded by the daily backup schedule (NFR-A06) | Must Have |
| NFR-A05 | RTO (Recovery Time Objective) | Production: restored within 2 hours; staging: within 4 hours | Per incident | | Must Have |
| NFR-A06 | Database backup | Daily automated backup | Ongoing | Fly.io persistent volume | Must Have |

**SLA Reference:**

| Uptime % | Monthly Downtime |
|----------|----------------|
| 99.9% | 43.8 minutes |
| 99.5% | 3.6 hours |
| 99.0% | 7.3 hours |

---

## 5. Security Requirements

**Context:** Drop is a fintech app handling real money flows. Security is Critical priority. See `security/drop-security-rapport.md` for full audit (score: 57/100 pre-Phase 0.5; target: 80/100 post-hardening).

| ID | Requirement | Category | Target / Standard | Method | Priority |
|----|------------|----------|------------------|--------|----------|
| NFR-SEC01 | Authentication | Auth | JWT (jose library) in httpOnly cookie; SameSite=Strict; 7-day expiry | Code review + audit | Must Have |
| NFR-SEC02 | Password hashing | Auth | bcrypt, cost factor 12 (2^12 iterations); NO SHA-256 fallback | auth.test.ts | Must Have |
| NFR-SEC03 | JWT secret | Secrets | JWT_SECRET must be set via env var — fail fast if missing | Code review | Must Have |
| NFR-SEC04 | CSRF protection | Injection | CSRF middleware on all POST/PATCH/DELETE endpoints | Code review + test | Must Have |
| NFR-SEC05 | Rate limiting | Abuse | 10 req/min on auth; 60/min general; persistent (DB-backed, not in-memory) | middleware.test.ts | Must Have |
| NFR-SEC06 | Input validation | Injection | All inputs sanitized server-side; parameterized SQL (no raw queries) | validation.test.ts | Must Have |
| NFR-SEC07 | XSS prevention | Injection | CSP headers (script-src 'self'); no dangerouslySetInnerHTML | OWASP ZAP | Must Have |
| NFR-SEC08 | Security headers | HTTP | HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, CSP | securityheaders.com | Must Have |
| NFR-SEC09 | Card data | PCI-DSS | NEVER store or return full card number or CVV; only last_four + token_ref | Code review + db.test.ts | Must Have |
| NFR-SEC10 | Audit logging | Compliance | All auth events, transactions, KYC changes logged with user_id + IP + timestamp | Code review | Must Have |
| NFR-SEC11 | Per-user transaction locks | Financial | Concurrent transactions from same user serialised; no double-spend | Integration test | Must Have |
| NFR-SEC12 | Penetration testing | Operations | External pentest before production launch | Third-party report | Should Have |

---

## 6. Reliability Requirements

| ID | Requirement | Metric | Target | Method | Priority |
|----|------------|--------|--------|--------|----------|
| NFR-R01 | Application error rate | 5xx errors / total requests | < 0.1% | Monitoring | Must Have |
| NFR-R02 | Transaction integrity | Atomic transactions | ACID compliance; no partial updates | db.test.ts | Must Have |
| NFR-R03 | MTTR | Average recovery time | < 4 hours | Incident log | Must Have |
| NFR-R04 | Data integrity | Database constraints | Zero orphaned records; FK constraints enabled | db.test.ts | Must Have |
| NFR-R05 | Health check | System observability | GET /api/health returns 200 with DB status | CI smoke tests | Must Have |

---

## 7. Usability Requirements

| ID | Requirement | Target | Method | Priority |
|----|------------|--------|--------|----------|
| NFR-U01 | Onboarding completion | New user completes onboarding (3 steps) in < 3 minutes | Usability testing | Must Have |
| NFR-U02 | Remittance flow time | Registered user sends money in < 2 minutes | Usability testing | Must Have |
| NFR-U03 | Mobile responsiveness | Fully functional on 375px–1440px (primary: 375-428px mobile) | Manual + automated | Must Have |
| NFR-U04 | Error recovery | User can recover from any form error without page reload | Manual testing | Must Have |
| NFR-U05 | Language | Norwegian (primary) and English (secondary) | Content audit | Should Have |

---

## 8. Compatibility Requirements

| ID | Requirement | Category | Target | Priority |
|----|------------|----------|--------|----------|
| NFR-C01 | Web browsers | Browser | Chrome 100+, Firefox 100+, Safari 16+, Edge 100+ | Must Have |
| NFR-C02 | Mobile browsers | Browser | Safari iOS 15+, Chrome Android 100+ (primary platform) | Must Have |
| NFR-C03 | Screen resolutions | Responsive | 375px (iPhone SE) to 1440px (desktop); mobile-first | Must Have |
| NFR-C04 | API versioning | API | Next.js API Routes (no versioning in MVP); semantic versioning in Phase 2 | Should Have |

---

## 9. Maintainability Requirements

| ID | Requirement | Metric | Target | Method | Priority |
|----|------------|--------|--------|--------|----------|
| NFR-M01 | Test coverage | % code covered | ≥ 80% overall; 100% for auth + transaction paths | CI coverage (Vitest) | Must Have |
| NFR-M02 | CI/CD pipeline | Deployment frequency | Bug fix to staging in < 30 minutes from merge | GitHub Actions | Must Have |
| NFR-M03 | Feature flags | Feature control | All gated features controllable via env vars without redeploy | feature-flags.test.ts | Should Have |
| NFR-M04 | Documentation currency | Doc coverage | All API endpoints documented in docs/backend/API-REFERENCE.md | Doc review | Should Have |
| NFR-M05 | Dependency currency | CVE exposure | 0 critical CVEs in production dependencies | npm audit in CI | Must Have |

---

## 10. Compliance Requirements

| ID | Regulation | Applicability | Requirement | Technical Implementation | Priority |
|----|-----------|--------------|-------------|------------------------|----------|
| NFR-COMP01 | GDPR (EU) | Yes — Norwegian users | Lawful basis; right to deletion; DPA with BaaS; 72h breach notification | Data deletion API; audit logs; DPA contract | Must Have |
| NFR-COMP02 | GDPR — Data minimisation | Yes | Collect only data necessary for stated purpose | BA review of DB schema | Must Have |
| NFR-COMP03 | PSD2 (EU) | Yes — payment initiation | PISP/AISP registration with Finanstilsynet; or operate under bank partner licence | Finanstilsynet registration | Must Have |
| NFR-COMP04 | AML / AMLD6 | Yes — money transfer | KYC verification before transaction; transaction monitoring; SAR capability | Sumsub integration; monitoring alerts | Must Have |
| NFR-COMP05 | PCI-DSS | Partial (cards feature) | No card number/CVV storage; tokenisation only | last_four + token_ref only; tokenisation via partner | Must Have |
| NFR-COMP06 | DORA (EU) | Yes | ICT risk management; incident reporting framework | Incident report template; business continuity | Should Have |
| NFR-COMP07 | Norwegian Personvernloven | Yes | National GDPR implementation; same requirements | Legal review | Must Have |
| NFR-COMP08 | Financial licence disclaimer | Yes | NEVER use "banking" without licence disclaimer in UI | UI copy review; `/learning-opportunity` on violations | Must Have |

---

## 11. Data Requirements

| ID | Requirement | Category | Target | Implementation | Priority |
|----|------------|----------|--------|---------------|----------|
| NFR-D01 | Data retention — user data | Retention | User data deleted within 30 days of account deletion request | Scheduled deletion job (GDPR Art.17) | Must Have |
| NFR-D02 | Data retention — audit logs | Retention | Audit logs: 5 years (AML requirement) | Log rotation policy | Must Have |
| NFR-D03 | PII field documentation | Privacy | All PII fields identified in DATABASE-SCHEMA.md | Data dictionary in docs/backend/ | Must Have |
| NFR-D04 | Data anonymisation (non-prod) | Privacy | No real user data in staging/dev environments | Seed data only; no prod data migration | Must Have |
| NFR-D05 | GDPR data export | Portability | User can export their data (GDPR Art.20) | Data export endpoint | Should Have |

---

## 12. NFR Testing & Verification Plan

| NFR Category | Testing Method | Tools | Frequency | Pass Criteria |
|-------------|---------------|-------|-----------|---------------|
| Performance | Benchmark tests + load testing | api-benchmarks.test.ts, Lighthouse | Per sprint + pre-launch | All NFR-P targets met |
| Security | Security audit + automated tests | validation.test.ts, OWASP ZAP, external pentest | Per sprint + pre-launch | Score ≥ 80/100; no critical open |
| Availability | Uptime monitoring | Fly.io metrics, health endpoint | Ongoing | ≥ 99.5% monthly |
| Compliance | Legal review + audit | Manual + Sumsub | Pre-launch + annual | All compliance items verified |
| Reliability | Unit + integration tests | Vitest (db.test.ts) | Per commit | Zero failed integrity tests |

---

## Approval

| Role | Name | Date | Signature |
|------|------|------|-----------|
| Author | John (AI Director) | 2026-02-23 | Approved (AI) |
| Tech Lead | John | 2026-02-23 | Approved |
| AI Director (John) | John | 2026-02-23 | Approved |
| CEO (Alem) | Alem Bašić | TBD | |