Non-Functional Requirements

Non-Functional Requirements (NFR): {{PROJECT_NAME}}

Project: {{PROJECT_NAME}}
Version: {{VERSION}}
Date: {{DATE}}
Author: {{AUTHOR}}
Status: Draft | In Review | Approved
Reviewers: {{REVIEWERS}}

Document History

| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | {{DATE}} | {{AUTHOR}} | Initial draft |

1. NFR Overview

| Category | # Requirements | Highest Priority | Owner |
|---|---|---|---|
| Performance | {{COUNT}} | {{HIGH/MED/LOW}} | Tech Lead |
| Scalability | {{COUNT}} | | Tech Lead / DevOps |
| Availability | {{COUNT}} | | DevOps |
| Security | {{COUNT}} | Critical | Tech Lead + Security |
| Reliability | {{COUNT}} | | Tech Lead / DevOps |
| Usability | {{COUNT}} | | Designer |
| Compatibility | {{COUNT}} | | Tech Lead |
| Maintainability | {{COUNT}} | | Tech Lead |
| Compliance | {{COUNT}} | | Tech Lead + Legal |
| Data | {{COUNT}} | | Tech Lead |
 
2. Performance Requirements

| ID | Requirement | Metric | Target | Measurement Conditions | Measurement Method | Priority |
|---|---|---|---|---|---|---|
| NFR-P01 | Page load time (initial) | Time to Interactive | < 3 seconds | 4G connection, cold cache | Lighthouse / WebPageTest | Must Have |
| NFR-P02 | Page load time (subsequent) | Time to Interactive | < 1.5 seconds | Warm cache | Lighthouse | Must Have |
| NFR-P03 | API response time (standard) | p95 response time | < 500ms | Normal load ({{CONCURRENT_USERS}} users) | APM tool / k6 | Must Have |
| NFR-P04 | API response time (complex queries) | p95 response time | < 2 seconds | Normal load | APM tool | Should Have |
| NFR-P05 | Database query time | p95 query time | < 100ms | Normal load | DB monitoring | Must Have |
| NFR-P06 | File upload throughput | Upload speed | {{SIZE}}MB in < {{TIME}}s | Single user | Load testing | {{PRIORITY}} |
| NFR-P07 | Search response time | p95 response time | < 1 second | Normal load | APM tool | Should Have |
| NFR-P08 | Report generation | Completion time | < {{TIME}} seconds | Normal load | APM tool | Could Have |
| NFR-P09 | Core Web Vitals: LCP | Largest Contentful Paint | < 2.5 seconds | Mobile, 4G | Lighthouse | Must Have |
| NFR-P10 | Core Web Vitals: CLS | Cumulative Layout Shift | < 0.1 | Any device | Lighthouse | Must Have |
 
3. Scalability Requirements

| ID | Requirement | Metric | Launch Target | 12-Month Target | Measurement Method | Priority |
|---|---|---|---|---|---|---|
| NFR-S01 | Concurrent users | Simultaneous active sessions | {{X}} users | {{X}} users | Load testing (k6/JMeter) | Must Have |
| NFR-S02 | Peak load handling | Requests per second | {{X}} RPS | {{X}} RPS | Load testing | Must Have |
| NFR-S03 | Data volume growth | Database size growth | {{X}}GB/year | {{X}}GB/year | Storage monitoring | Should Have |
| NFR-S04 | API rate limits | Max requests per user/hour | {{X}} requests | {{X}} requests | API gateway metrics | Must Have |
| NFR-S05 | File storage growth | Storage volume | {{X}}GB | {{X}}GB | Storage monitoring | Should Have |
| NFR-S06 | Auto-scaling response | Time to scale out under load | < 2 minutes | < 2 minutes | Cloud console metrics | Should Have |
| NFR-S07 | Geographic distribution | Regions supported | {{REGIONS}} | {{REGIONS}} | CDN configuration | {{PRIORITY}} |

 
4. Availability Requirements

| ID | Requirement | Target | Measurement Period | Exclusions | Priority |
|---|---|---|---|---|---|
| NFR-A01 | System uptime SLA | ≥ {{99.5 / 99.9}}% | Monthly rolling | Scheduled maintenance | Must Have |
| NFR-A02 | Scheduled maintenance window | Max {{X}} hours/month | Monthly | {{PREFERRED_WINDOW}} | Must Have |
| NFR-A03 | Maintenance notification lead time | ≥ 48 hours notice | Per event | Emergency patches: 4 hours | Must Have |
| NFR-A04 | RPO (Recovery Point Objective) | Max {{X}} hours data loss | Per incident | N/A | Must Have |
| NFR-A05 | RTO (Recovery Time Objective) | System restored within {{X}} hours | Per incident | N/A | Must Have |
| NFR-A06 | Database backup frequency | Every {{X}} hours | Ongoing | N/A | Must Have |
| NFR-A07 | Backup retention | {{X}} days rolling | Ongoing | N/A | Must Have |
| NFR-A08 | Disaster recovery test | Pass DR drill | Annually | N/A | Should Have |

SLA Calculation Reference:

| Uptime % | Annual Downtime | Monthly Downtime |
|---|---|---|
| 99.9% | 8.7 hours | 43.8 minutes |
| 99.5% | 43.8 hours | 3.6 hours |
| 99.0% | 87.6 hours | 7.3 hours |
 
5. Security Requirements

| ID | Requirement | Category | Target / Standard | Measurement Method | Priority |
|---|---|---|---|---|---|
| NFR-SEC01 | Authentication method | Auth | {{JWT/OAuth2/OIDC}} + MFA optional | Code review + pentest | Must Have |
| NFR-SEC02 | Password policy | Auth | Min 8 chars, 1 uppercase, 1 number, 1 special | Automated test | Must Have |
| NFR-SEC03 | Session management | Auth | Timeout: 30min idle; absolute: 8 hours | Automated test | Must Have |
| NFR-SEC04 | Data encryption in transit | Encryption | TLS 1.3 minimum | SSL Labs scan (grade A+) | Must Have |
| NFR-SEC05 | Data encryption at rest | Encryption | AES-256 for PII; database encryption | Infrastructure review | Must Have |
| NFR-SEC06 | Input validation | Injection Prevention | All inputs sanitized server-side; parameterized queries | Code review + SAST | Must Have |
| NFR-SEC07 | XSS prevention | Injection Prevention | CSP headers; output encoding | OWASP ZAP / DAST | Must Have |
| NFR-SEC08 | CSRF protection | Injection Prevention | CSRF tokens on all state-changing requests | Code review | Must Have |
| NFR-SEC09 | Rate limiting | DDoS/Abuse | API: {{X}} req/min per IP; login: 5 attempts/15min | Load testing | Must Have |
| NFR-SEC10 | Audit logging | Compliance | All auth events, data mutations logged with user + timestamp | Log review | Must Have |
| NFR-SEC11 | Dependency security | Supply Chain | No known critical CVEs in dependencies | Automated scan (Snyk/Dependabot) | Must Have |
| NFR-SEC12 | Secret management | Secrets | No secrets in code/git; use env vars or vault | Code scan + git history check | Must Have |
| NFR-SEC13 | Role-based access control | Authorization | Principle of least privilege; no role escalation | Code review + penetration test | Must Have |
| NFR-SEC14 | Security headers | HTTP Security | HSTS, X-Frame-Options, X-Content-Type-Options | securityheaders.com scan | Must Have |
| NFR-SEC15 | Vulnerability scanning | Operations | Automated scan in CI; critical issues block deploy | CI pipeline | Should Have |
| NFR-SEC16 | Penetration testing | Operations | Annual external pentest | Third-party report | Should Have |
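
Several of the security rows above are measured by "Automated test" or an automated scan, which means their targets have to be encoded somewhere as executable checks. The following Python module is an added example (not part of this template and not a project artifact) showing how NFR-SEC02 (password policy), NFR-SEC03 (idle and absolute session timeouts), NFR-SEC14 together with the CSP part of NFR-SEC07 (response headers) and the login part of NFR-SEC09 (5 attempts per 15 minutes) can be turned into a small conformance-check module that a CI job can run. The header value patterns, the choice to key the login limiter per account, and all sample inputs in `run_checks()` are assumptions or constructed data, not values taken from the template.

```python
"""Automated conformance checks for the measurable security NFRs.

Added example: encodes the targets of NFR-SEC02, NFR-SEC03, NFR-SEC07/SEC14
and the login part of NFR-SEC09 as functions a CI job can assert on. Sample
inputs in run_checks() are constructed for illustration only.
"""
import re
from datetime import datetime, timedelta, timezone

# NFR-SEC02: min 8 chars, 1 uppercase, 1 number, 1 special character
PASSWORD_RULES = {
    "min_length": lambda p: len(p) >= 8,
    "uppercase": lambda p: re.search(r"[A-Z]", p) is not None,
    "digit": lambda p: re.search(r"[0-9]", p) is not None,
    "special": lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
}


def password_policy_violations(password: str) -> list[str]:
    """Return the names of NFR-SEC02 rules the password fails (empty list = compliant)."""
    return [name for name, ok in PASSWORD_RULES.items() if not ok(password)]


# NFR-SEC03: 30 minutes idle timeout, 8 hours absolute lifetime
IDLE_TIMEOUT = timedelta(minutes=30)
ABSOLUTE_TIMEOUT = timedelta(hours=8)


def session_is_valid(created_at: datetime, last_seen_at: datetime, now: datetime) -> bool:
    """A session stays valid only while BOTH the idle and the absolute limit hold."""
    return (now - last_seen_at) <= IDLE_TIMEOUT and (now - created_at) <= ABSOLUTE_TIMEOUT


# NFR-SEC14 (+ CSP from NFR-SEC07): headers every HTTPS response must carry.
# The accepted value patterns are an assumption of this example, not the template's.
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=\d+"),
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "content-security-policy": re.compile(r"default-src"),
}


def missing_security_headers(headers: dict[str, str]) -> list[str]:
    """Return required headers that are absent or carry a value outside the accepted pattern."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return [
        name for name, pattern in REQUIRED_HEADERS.items()
        if name not in lowered or pattern.search(lowered[name]) is None
    ]


# NFR-SEC09 (login part): 5 attempts per 15 minutes; keyed per account here (assumption)
LOGIN_LIMIT = 5
LOGIN_WINDOW = timedelta(minutes=15)


class LoginRateLimiter:
    """Sliding-window counter: only admitted attempts are recorded, and attempts
    older than the window are discarded, so a slot frees up 15 minutes after use."""

    def __init__(self) -> None:
        self._attempts: dict[str, list[datetime]] = {}

    def allow(self, key: str, now: datetime) -> bool:
        recent = [t for t in self._attempts.get(key, []) if now - t < LOGIN_WINDOW]
        allowed = len(recent) < LOGIN_LIMIT
        if allowed:
            recent.append(now)
        self._attempts[key] = recent
        return allowed


def run_checks() -> dict[str, object]:
    """Run every check against constructed sample data and return the verdicts."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    limiter = LoginRateLimiter()
    account = "alice@example.invalid"  # constructed account key
    login_results = [limiter.allow(account, t0 + timedelta(seconds=i)) for i in range(6)]
    return {
        "weak_password": password_policy_violations("password"),
        "strong_password": password_policy_violations("Tr0ub4dor&3"),
        "idle_expired": session_is_valid(t0, t0, t0 + timedelta(minutes=31)),
        "absolute_expired": session_is_valid(
            t0, t0 + timedelta(hours=7, minutes=55), t0 + timedelta(hours=8, minutes=1)),
        "session_ok": session_is_valid(t0, t0 + timedelta(minutes=20), t0 + timedelta(minutes=40)),
        "headers_missing": missing_security_headers({
            "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "X-Content-Type-Options": "nosniff",
        }),
        "login_results": login_results,
        "login_after_window": limiter.allow(account, t0 + timedelta(minutes=15, seconds=1)),
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name}: {verdict}")
```

In a real pipeline the header check would be fed the headers of a live response from the deployed application and the session check would be exercised through the application's own session store, so that the NFR is verified against the system rather than against the checker's own assumptions. Note also that `session_is_valid` rejects a session that is still within the idle limit but past the absolute limit, which is the case a naive idle-only implementation misses.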
 
 
 
 
6. Reliability Requirements

| ID | Requirement | Metric | Target | Measurement Method | Priority |
|---|---|---|---|---|---|
| NFR-R01 | Application error rate | 5xx errors / total requests | < 0.1% | APM monitoring | Must Have |
| NFR-R02 | Client-side error rate | JS errors per session | < 1% of sessions | Error tracking (Sentry) | Should Have |
| NFR-R03 | MTBF (Mean Time Between Failures) | Average time between incidents | > {{X}} days | Incident tracking | Should Have |
| NFR-R04 | MTTR (Mean Time To Recovery) | Average time to restore service | < {{X}} hours | Incident tracking | Must Have |
| NFR-R05 | Data integrity | Zero data corruption events | 0 incidents | Database integrity checks | Must Have |
| NFR-R06 | Transaction integrity | Atomic transactions | ACID compliance | Database tests | Must Have |
| NFR-R07 | Graceful degradation | Partial failure handling | Non-critical features fail gracefully; core stays up | Chaos testing | Should Have |
| NFR-R08 | Health check endpoint | System health observable | /health returns 200 when healthy | Monitoring | Must Have |
 
7. Usability Requirements

| ID | Requirement | Target | Measurement Method | Priority |
|---|---|---|---|---|
| NFR-U01 | Time to complete core task | New user completes {{KEY_TASK}} in < {{X}} minutes | Usability testing | Must Have |
| NFR-U02 | Error recovery | User can recover from any error without help | Usability testing | Must Have |
| NFR-U03 | WCAG compliance | WCAG 2.1 Level AA | Automated axe-core + manual review | Must Have |
| NFR-U04 | Keyboard navigation | All interactive elements reachable by keyboard | Manual testing | Must Have |
| NFR-U05 | Screen reader support | Compatible with NVDA / VoiceOver | Manual testing | Should Have |
| NFR-U06 | Mobile responsiveness | Fully functional on 375px–1440px width | Manual + automated | Must Have |
| NFR-U07 | Color contrast | ≥ 4.5:1 for normal text; ≥ 3:1 for large text | Contrast checker | Must Have |
| NFR-U08 | Onboarding completion | {{X}}% of new users complete onboarding | Analytics | Should Have |
| NFR-U09 | Help / documentation | All key features documented in-app or in help center | Content audit | Should Have |
 
8. Compatibility Requirements

| ID | Requirement | Category | Target | Priority |
|---|---|---|---|---|
| NFR-C01 | Web browsers | Browser | Chrome 100+, Firefox 100+, Safari 16+, Edge 100+ | Must Have |
| NFR-C02 | Mobile browsers | Browser | Safari iOS 15+, Chrome Android 100+ | Must Have |
| NFR-C03 | Mobile operating systems | OS | iOS 15+, Android 11+ | Must Have |
| NFR-C04 | Desktop operating systems | OS | Windows 10+, macOS 12+, Ubuntu 20.04+ | Must Have |
| NFR-C05 | Screen resolutions | Responsive | 375px to 2560px width | Must Have |
| NFR-C06 | Minimum device specs | Performance | Works on mid-range 2020+ devices | Should Have |
| NFR-C07 | Third-party integrations | API | {{EXTERNAL_SYSTEM}} API version {{VERSION}} | Must Have |
| NFR-C08 | Email clients | Email | Gmail, Outlook, Apple Mail, mobile clients | Should Have |
 
9. Maintainability Requirements

| ID | Requirement | Metric | Target | Measurement Method | Priority |
|---|---|---|---|---|---|
| NFR-M01 | Test coverage | % of code covered by automated tests | ≥ 80% overall; ≥ 95% for critical paths | CI coverage report | Must Have |
| NFR-M02 | Code documentation | % of public APIs documented | 100% of public APIs | Code review | Must Have |
| NFR-M03 | Cyclomatic complexity | Per-function complexity | Max 10 per function; refactor if exceeded | Static analysis (SonarQube) | Should Have |
| NFR-M04 | Dependency currency | % of dependencies on current major version | ≥ 80% current; 0 dependencies with critical CVEs | Automated scan | Should Have |
| NFR-M05 | Deployment frequency | Time to deploy a bug fix to production | < 1 hour from merge | CI/CD metrics | Should Have |
| NFR-M06 | Feature flag support | Ability to disable features without deploy | Available for all major features | Code review | Could Have |
| NFR-M07 | Logging completeness | Log coverage for operations | All external calls, errors, and user mutations logged | Log review | Must Have |
| NFR-M08 | Monitoring observability | Dashboards for key metrics | Dashboards for error rate, response time, uptime | Monitoring tool | Must Have |
 
10. Compliance Requirements

| ID | Regulation | Applicability | Requirement | Technical Implementation | Priority |
|---|---|---|---|---|---|
| NFR-COMP01 | GDPR | {{YES — if handling EU personal data}} | Lawful basis for processing; right to deletion; DPA required; breach notification within 72h | User data deletion API; audit logs; DPA in place | Must Have |
| NFR-COMP02 | GDPR — Cookie consent | {{YES — if using tracking cookies}} | Explicit consent before non-essential cookies | Cookie consent banner; opt-in only tracking | Must Have |
| NFR-COMP03 | GDPR — Data minimization | Yes | Collect only data necessary for stated purpose | BA review of data model | Must Have |
| NFR-COMP04 | {{HIPAA}} | {{YES/NO — healthcare data}} | PHI protection; audit logs; BAA required | Role-based access; encrypted PHI fields | {{PRIORITY}} |
| NFR-COMP05 | {{PCI-DSS}} | {{YES/NO — payment card data}} | SAQ compliance; tokenization; no card storage | Stripe/payment gateway tokenization | {{PRIORITY}} |
| NFR-COMP06 | Norwegian Personvernloven | {{YES}} | Alignment with GDPR national implementation | Legal review | Must Have |
| NFR-COMP07 | WCAG 2.1 AA | {{YES}} | Digital accessibility | NFR-U01 to NFR-U07 | Must Have |
 
11. Data Requirements

| ID | Requirement | Category | Target | Implementation | Priority |
|---|---|---|---|---|---|
| NFR-D01 | Data retention — user data | Retention | {{X}} years active; deleted within 30 days of account deletion request | Scheduled deletion job | Must Have |
| NFR-D02 | Data retention — logs | Retention | Application logs: 90 days; Audit logs: 3 years | Log rotation policy | Must Have |
| NFR-D03 | Database backup frequency | Backup | Full backup daily; transaction logs every {{X}} hours | Automated backup schedule | Must Have |
| NFR-D04 | Backup encryption | Backup | Backups encrypted with AES-256 | Infrastructure config | Must Have |
| NFR-D05 | Data integrity checks | Integrity | Database constraints; no orphaned records | DB schema + integration tests | Must Have |
| NFR-D06 | PII identification | Privacy | All PII fields identified and documented | Data dictionary | Must Have |
| NFR-D07 | Data export | Portability | User can export their data in machine-readable format (GDPR Article 20) | Export API endpoint | Must Have |
| NFR-D08 | Data anonymization | Privacy | Anonymize user data in non-production environments | Dev/staging data scripts | Must Have |
| NFR-D09 | Archival strategy | Retention | Data older than {{X}} years archived to cold storage | Archive schedule | Should Have |
 
12. NFR Testing & Verification Plan

| NFR Category | Testing Method | Tools | Frequency | Pass Criteria |
|---|---|---|---|---|
| Performance | Load testing | k6, JMeter, Lighthouse | Pre-launch + monthly | All NFR-P targets met |
| Scalability | Stress testing | k6 | Pre-launch | System gracefully handles 2× peak load |
| Security | SAST + DAST + Pentest | Snyk, OWASP ZAP, external pentest | CI (SAST), Pre-launch (DAST+Pentest), Annual | No critical/high vulnerabilities unresolved |
| Accessibility | Automated + manual | axe-core, manual screen reader | Per sprint | WCAG 2.1 AA |
| Availability | Monitoring + DR drill | Uptime monitor | Ongoing + annual | SLA targets met |
| Compliance | Legal review + audit | Manual + automated | Pre-launch + annual | All compliance items verified |
 
Approval

| Role | Name | Date | Signature |
|---|---|---|---|
| Author | | | |
| Reviewer | | | |
| Tech Lead | | | |
| Business Analyst | | | |
| Product Owner | | | |
| AI Director (John) | | | |
| Client Representative | | | |