# Non-Functional Requirements

# Non-Functional Requirements (NFR): {{PROJECT_NAME}}

> **Project:** {{PROJECT_NAME}}
> **Version:** {{VERSION}}
> **Date:** {{DATE}}
> **Author:** {{AUTHOR}}
> **Status:** Draft | In Review | Approved
> **Reviewers:** {{REVIEWERS}}

## Document History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 0.1     | {{DATE}} | {{AUTHOR}} | Initial draft |

---

<!-- GUIDANCE: Non-functional requirements define HOW WELL the system performs its functions.
They are quality attributes — measurable SLAs and constraints that must be met in production.
Every NFR must have a specific, measurable target (not "fast" but "< 2 seconds at p95").
NFRs drive architecture decisions; involve the Tech Lead in defining targets. -->

## 1. NFR Overview

| Category | # Requirements | Highest Priority | Owner |
|----------|---------------|-----------------|-------|
| Performance | {{COUNT}} | {{HIGH/MED/LOW}} | Tech Lead |
| Scalability | {{COUNT}} | | Tech Lead / DevOps |
| Availability | {{COUNT}} | | DevOps |
| Security | {{COUNT}} | Critical | Tech Lead + Security |
| Reliability | {{COUNT}} | | Tech Lead / DevOps |
| Usability | {{COUNT}} | | Designer |
| Compatibility | {{COUNT}} | | Tech Lead |
| Maintainability | {{COUNT}} | | Tech Lead |
| Compliance | {{COUNT}} | | Tech Lead + Legal |
| Data | {{COUNT}} | | Tech Lead |

---

## 2. Performance Requirements

<!-- GUIDANCE: Performance requirements prevent "it works but it's slow" deployments.
Define targets under realistic load conditions, not best-case empty-server scenarios.
p95 = 95th percentile (95% of requests must complete within this time). -->

| ID | Requirement | Metric | Target | Measurement Conditions | Measurement Method | Priority |
|----|------------|--------|--------|----------------------|-------------------|----------|
| NFR-P01 | Page load time (initial) | Time to Interactive | < 3 seconds | 4G connection, cold cache | Lighthouse / WebPageTest | Must Have |
| NFR-P02 | Page load time (subsequent) | Time to Interactive | < 1.5 seconds | Warm cache | Lighthouse | Must Have |
| NFR-P03 | API response time (standard) | p95 response time | < 500ms | Normal load ({{CONCURRENT_USERS}} users) | APM tool / k6 | Must Have |
| NFR-P04 | API response time (complex queries) | p95 response time | < 2 seconds | Normal load | APM tool | Should Have |
| NFR-P05 | Database query time | p95 query time | < 100ms | Normal load | DB monitoring | Must Have |
| NFR-P06 | File upload throughput | Upload speed | {{SIZE}}MB in < {{TIME}}s | Single user | Load testing | {{PRIORITY}} |
| NFR-P07 | Search response time | p95 response time | < 1 second | Normal load | APM tool | Should Have |
| NFR-P08 | Report generation | Completion time | < {{TIME}} seconds | Normal load | APM tool | Could Have |
| NFR-P09 | Core Web Vitals: LCP | Largest Contentful Paint | < 2.5 seconds | Mobile, 4G | Lighthouse | Must Have |
| NFR-P10 | Core Web Vitals: CLS | Cumulative Layout Shift | < 0.1 | Any device | Lighthouse | Must Have |

---

## 3. Scalability Requirements

<!-- GUIDANCE: Scalability requirements ensure the system grows with usage.
Define targets for launch AND for projected growth 12-24 months out.
Horizontal scaling (more instances) is generally preferred over vertical (bigger server). -->

| ID | Requirement | Metric | Launch Target | 12-Month Target | Measurement Method | Priority |
|----|------------|--------|-------------|----------------|-------------------|----------|
| NFR-S01 | Concurrent users | Simultaneous active sessions | {{X}} users | {{X}} users | Load testing (k6/JMeter) | Must Have |
| NFR-S02 | Peak load handling | Requests per second | {{X}} RPS | {{X}} RPS | Load testing | Must Have |
| NFR-S03 | Data volume growth | Database size growth | {{X}}GB/year | {{X}}GB/year | Storage monitoring | Should Have |
| NFR-S04 | API rate limits | Max requests per user/hour | {{X}} requests | {{X}} requests | API gateway metrics | Must Have |
| NFR-S05 | File storage growth | Storage volume | {{X}}GB | {{X}}GB | Storage monitoring | Should Have |
| NFR-S06 | Auto-scaling response | Time to scale out under load | < 2 minutes | < 2 minutes | Cloud console metrics | Should Have |
| NFR-S07 | Geographic distribution | Regions supported | {{REGIONS}} | {{REGIONS}} | CDN configuration | {{PRIORITY}} |

---

## 4. Availability Requirements

<!-- GUIDANCE: Availability requirements define uptime expectations and maintenance windows.
Calculate SLA targets carefully: 99.9% = 8.7 hours downtime/year; 99.5% = 43.8 hours/year.
Scheduled maintenance windows are EXCLUDED from SLA calculations if agreed in advance. -->

| ID | Requirement | Target | Measurement Period | Exclusions | Priority |
|----|------------|--------|-------------------|------------|----------|
| NFR-A01 | System uptime SLA | ≥ {{99.5 / 99.9}}% | Monthly rolling | Scheduled maintenance | Must Have |
| NFR-A02 | Scheduled maintenance window | Max {{X}} hours/month | Monthly | {{PREFERRED_WINDOW}} | Must Have |
| NFR-A03 | Maintenance notification lead time | ≥ 48 hours notice | Per event | Emergency patches: 4 hours | Must Have |
| NFR-A04 | RPO (Recovery Point Objective) | Max {{X}} hours data loss | Per incident | N/A | Must Have |
| NFR-A05 | RTO (Recovery Time Objective) | System restored within {{X}} hours | Per incident | N/A | Must Have |
| NFR-A06 | Database backup frequency | Every {{X}} hours | Ongoing | N/A | Must Have |
| NFR-A07 | Backup retention | {{X}} days rolling | Ongoing | N/A | Must Have |
| NFR-A08 | Disaster recovery test | Pass DR drill | Annually | N/A | Should Have |

**SLA Calculation Reference:**
| Uptime % | Annual Downtime | Monthly Downtime |
|----------|----------------|-----------------|
| 99.9% | 8.7 hours | 43.8 minutes |
| 99.5% | 43.8 hours | 3.6 hours |
| 99.0% | 87.6 hours | 7.3 hours |

---

## 5. Security Requirements

<!-- GUIDANCE: Security requirements are non-negotiable. Define concrete measures, not aspirations.
Every web application must address at minimum: authentication, authorization, data encryption,
input validation, audit logging, and secure dependency management.
Reference OWASP Top 10 for web; adjust for your specific context. -->

| ID | Requirement | Category | Target / Standard | Measurement Method | Priority |
|----|------------|----------|------------------|-------------------|----------|
| NFR-SEC01 | Authentication method | Auth | {{JWT/OAuth2/OIDC}} + MFA optional | Code review + pentest | Must Have |
| NFR-SEC02 | Password policy | Auth | Min 8 chars, 1 uppercase, 1 number, 1 special | Automated test | Must Have |
| NFR-SEC03 | Session management | Auth | Timeout: 30min idle; absolute: 8 hours | Automated test | Must Have |
| NFR-SEC04 | Data encryption in transit | Encryption | TLS 1.3 minimum | SSL Labs scan (grade A+) | Must Have |
| NFR-SEC05 | Data encryption at rest | Encryption | AES-256 for PII; database encryption | Infrastructure review | Must Have |
| NFR-SEC06 | Input validation | Injection Prevention | All inputs sanitized server-side; parameterized queries | Code review + SAST | Must Have |
| NFR-SEC07 | XSS prevention | Injection Prevention | CSP headers; output encoding | OWASP ZAP / DAST | Must Have |
| NFR-SEC08 | CSRF protection | Injection Prevention | CSRF tokens on all state-changing requests | Code review | Must Have |
| NFR-SEC09 | Rate limiting | DDoS/Abuse | API: {{X}} req/min per IP; login: 5 attempts/15min | Load testing | Must Have |
| NFR-SEC10 | Audit logging | Compliance | All auth events, data mutations logged with user + timestamp | Log review | Must Have |
| NFR-SEC11 | Dependency security | Supply Chain | No known critical CVEs in dependencies | Automated scan (Snyk/Dependabot) | Must Have |
| NFR-SEC12 | Secret management | Secrets | No secrets in code/git; use env vars or vault | Code scan + git history check | Must Have |
| NFR-SEC13 | Role-based access control | Authorization | Principle of least privilege; no role escalation | Code review + penetration test | Must Have |
| NFR-SEC14 | Security headers | HTTP Security | HSTS, X-Frame-Options, X-Content-Type-Options | securityheaders.com scan | Must Have |
| NFR-SEC15 | Vulnerability scanning | Operations | Automated scan in CI; critical issues block deploy | CI pipeline | Should Have |
| NFR-SEC16 | Penetration testing | Operations | Annual external pentest | Third-party report | Should Have |

---

## 6. Reliability Requirements

<!-- GUIDANCE: Reliability is the probability of the system performing its intended function
without failure over a specified period. Define acceptable error rates and failure recovery. -->

| ID | Requirement | Metric | Target | Measurement Method | Priority |
|----|------------|--------|--------|-------------------|----------|
| NFR-R01 | Application error rate | 5xx errors / total requests | < 0.1% | APM monitoring | Must Have |
| NFR-R02 | Client-side error rate | JS errors per session | < 1% of sessions | Error tracking (Sentry) | Should Have |
| NFR-R03 | MTBF (Mean Time Between Failures) | Average time between incidents | > {{X}} days | Incident tracking | Should Have |
| NFR-R04 | MTTR (Mean Time To Recovery) | Average time to restore service | < {{X}} hours | Incident tracking | Must Have |
| NFR-R05 | Data integrity | Zero data corruption events | 0 incidents | Database integrity checks | Must Have |
| NFR-R06 | Transaction integrity | Atomic transactions | ACID compliance | Database tests | Must Have |
| NFR-R07 | Graceful degradation | Partial failure handling | Non-critical features fail gracefully; core stays up | Chaos testing | Should Have |
| NFR-R08 | Health check endpoint | System health observable | /health returns 200 when healthy | Monitoring | Must Have |

---

## 7. Usability Requirements

<!-- GUIDANCE: Usability requirements ensure the system is accessible and easy to use.
These directly impact user adoption (KPI-02) and satisfaction (KPI-04). -->

| ID | Requirement | Target | Measurement Method | Priority |
|----|------------|--------|-------------------|----------|
| NFR-U01 | Time to complete core task | New user completes {{KEY_TASK}} in < {{X}} minutes | Usability testing | Must Have |
| NFR-U02 | Error recovery | User can recover from any error without help | Usability testing | Must Have |
| NFR-U03 | WCAG compliance | WCAG 2.1 Level AA | Automated axe-core + manual review | Must Have |
| NFR-U04 | Keyboard navigation | All interactive elements reachable by keyboard | Manual testing | Must Have |
| NFR-U05 | Screen reader support | Compatible with NVDA / VoiceOver | Manual testing | Should Have |
| NFR-U06 | Mobile responsiveness | Fully functional on 375px–1440px width | Manual + automated | Must Have |
| NFR-U07 | Color contrast | ≥ 4.5:1 for normal text; ≥ 3:1 for large text | Contrast checker | Must Have |
| NFR-U08 | Onboarding completion | {{X}}% of new users complete onboarding | Analytics | Should Have |
| NFR-U09 | Help / documentation | All key features documented in-app or in help center | Content audit | Should Have |

---

## 8. Compatibility Requirements

<!-- GUIDANCE: Define supported platforms explicitly. "It should work everywhere" is not a requirement.
Use market share data to prioritize browser/OS targets. -->

| ID | Requirement | Category | Target | Priority |
|----|------------|----------|--------|----------|
| NFR-C01 | Web browsers | Browser | Chrome 100+, Firefox 100+, Safari 16+, Edge 100+ | Must Have |
| NFR-C02 | Mobile browsers | Browser | Safari iOS 15+, Chrome Android 100+ | Must Have |
| NFR-C03 | Mobile operating systems | OS | iOS 15+, Android 11+ | Must Have |
| NFR-C04 | Desktop operating systems | OS | Windows 10+, macOS 12+, Ubuntu 20.04+ | Must Have |
| NFR-C05 | Screen resolutions | Responsive | 375px to 2560px width | Must Have |
| NFR-C06 | Minimum device specs | Performance | Works on mid-range 2020+ devices | Should Have |
| NFR-C07 | Third-party integrations | API | {{EXTERNAL_SYSTEM}} API version {{VERSION}} | Must Have |
| NFR-C08 | Email clients | Email | Gmail, Outlook, Apple Mail, mobile clients | Should Have |

---

## 9. Maintainability Requirements

<!-- GUIDANCE: Maintainability requirements ensure the codebase can be evolved over time without
exponential cost increases. These protect the long-term investment. -->

| ID | Requirement | Metric | Target | Measurement Method | Priority |
|----|------------|--------|--------|-------------------|----------|
| NFR-M01 | Test coverage | % of code covered by automated tests | ≥ 80% overall; ≥ 95% for critical paths | CI coverage report | Must Have |
| NFR-M02 | Code documentation | % of public APIs documented | 100% of public APIs | Code review | Must Have |
| NFR-M03 | Cyclomatic complexity | Per-function complexity | Max 10 per function; refactor if exceeded | Static analysis (SonarQube) | Should Have |
| NFR-M04 | Dependency currency | % of dependencies on current major version | ≥ 80% current; 0 dependencies with critical CVEs | Automated scan | Should Have |
| NFR-M05 | Deployment frequency | Time to deploy a bug fix to production | < 1 hour from merge | CI/CD metrics | Should Have |
| NFR-M06 | Feature flag support | Ability to disable features without deploy | Available for all major features | Code review | Could Have |
| NFR-M07 | Logging completeness | Log coverage for operations | All external calls, errors, and user mutations logged | Log review | Must Have |
| NFR-M08 | Monitoring observability | Dashboards for key metrics | Dashboards for error rate, response time, uptime | Monitoring tool | Must Have |

---

## 10. Compliance Requirements

<!-- GUIDANCE: Compliance requirements are legal obligations — failure can result in penalties.
Identify which apply to your system and document specific technical implementations required. -->

| ID | Regulation | Applicability | Requirement | Technical Implementation | Priority |
|----|-----------|--------------|-------------|------------------------|----------|
| NFR-COMP01 | GDPR | {{YES — if handling EU personal data}} | Lawful basis for processing; right to deletion; DPA required; breach notification within 72h | User data deletion API; audit logs; DPA in place | Must Have |
| NFR-COMP02 | GDPR — Cookie consent | {{YES — if using tracking cookies}} | Explicit consent before non-essential cookies | Cookie consent banner; opt-in only tracking | Must Have |
| NFR-COMP03 | GDPR — Data minimization | Yes | Collect only data necessary for stated purpose | BA review of data model | Must Have |
| NFR-COMP04 | {{HIPAA}} | {{YES/NO — healthcare data}} | PHI protection; audit logs; BAA required | Role-based access; encrypted PHI fields | {{PRIORITY}} |
| NFR-COMP05 | {{PCI-DSS}} | {{YES/NO — payment card data}} | SAQ compliance; tokenization; no card storage | Stripe/payment gateway tokenization | {{PRIORITY}} |
| NFR-COMP06 | Norwegian Personvernloven | {{YES}} | Alignment with GDPR national implementation | Legal review | Must Have |
| NFR-COMP07 | WCAG 2.1 AA | {{YES}} | Digital accessibility | NFR-U01 to NFR-U07 | Must Have |

---

## 11. Data Requirements

<!-- GUIDANCE: Data requirements define how the system handles data throughout its lifecycle.
Often overlooked — data governance failures are costly (GDPR fines, data loss). -->

| ID | Requirement | Category | Target | Implementation | Priority |
|----|------------|----------|--------|---------------|----------|
| NFR-D01 | Data retention — user data | Retention | {{X}} years active; deleted within 30 days of account deletion request | Scheduled deletion job | Must Have |
| NFR-D02 | Data retention — logs | Retention | Application logs: 90 days; Audit logs: 3 years | Log rotation policy | Must Have |
| NFR-D03 | Database backup frequency | Backup | Full backup daily; transaction logs every {{X}} hours | Automated backup schedule | Must Have |
| NFR-D04 | Backup encryption | Backup | Backups encrypted with AES-256 | Infrastructure config | Must Have |
| NFR-D05 | Data integrity checks | Integrity | Database constraints; no orphaned records | DB schema + integration tests | Must Have |
| NFR-D06 | PII identification | Privacy | All PII fields identified and documented | Data dictionary | Must Have |
| NFR-D07 | Data export | Portability | User can export their data in machine-readable format (GDPR Article 20) | Export API endpoint | Must Have |
| NFR-D08 | Data anonymization | Privacy | Anonymize user data in non-production environments | Dev/staging data scripts | Must Have |
| NFR-D09 | Archival strategy | Retention | Data older than {{X}} years archived to cold storage | Archive schedule | Should Have |

---

## 12. NFR Testing & Verification Plan

<!-- GUIDANCE: Every NFR must have a defined testing approach. NFRs without test plans
are aspirations, not requirements. -->

| NFR Category | Testing Method | Tools | Frequency | Pass Criteria |
|-------------|---------------|-------|-----------|---------------|
| Performance | Load testing | k6, JMeter, Lighthouse | Pre-launch + monthly | All NFR-P targets met |
| Scalability | Stress testing | k6 | Pre-launch | System gracefully handles 2× peak load |
| Security | SAST + DAST + Pentest | Snyk, OWASP ZAP, external pentest | CI (SAST), Pre-launch (DAST+Pentest), Annual | No critical/high vulnerabilities unresolved |
| Accessibility | Automated + manual | axe-core, manual screen reader | Per sprint | WCAG 2.1 AA |
| Availability | Monitoring + DR drill | Uptime monitor | Ongoing + annual | SLA targets met |
| Compliance | Legal review + audit | Manual + automated | Pre-launch + annual | All compliance items verified |

---

## Approval

| Role | Name | Date | Signature |
|------|------|------|-----------|
| Author | | | |
| Reviewer | | | |
| Tech Lead | | | |
| Business Analyst | | | |
| Product Owner | | | |
| AI Director (John) | | | |
| Client Representative | | | |