Skip to main content

Non-Functional Requirements

Non-Functional Requirements (NFR): Drop — Fintech Payment App

Project: Drop — Remittance + QR Payments Version: 1.0 Date: 2026-02-23 Author: John (AI Director) Status: Approved Reviewers: Alem Bašić (CEO)

Document History

Version Date Author Changes
0.1 2026-02-23 John Initial draft; targets from security audit + business case

1. NFR Overview

Category # Requirements Highest Priority Owner
Performance 6 Must Have John (Tech Lead)
Scalability 4 Must Have John / DevOps
Availability 6 Must Have John / DevOps
Security 12 Critical John + Security agent
Reliability 5 Must Have John
Usability 5 Should Have John (Designer)
Compatibility 4 Must Have John
Maintainability 5 Should Have John
Compliance 8 Critical John + Legal
Data 5 Must Have John

2. Performance Requirements

ID Requirement Metric Target Measurement Conditions Method Priority
NFR-P01 Page load time (initial) Time to Interactive < 3 seconds 4G connection, cold cache Lighthouse Must Have
NFR-P02 API response time (standard) p95 response time < 500ms Normal load (200 concurrent users) APM / k6 Must Have
NFR-P03 API response time (bcrypt operations) p95 response time < 1,000ms Normal load Benchmark tests Must Have
NFR-P04 Database query time p95 query time < 10ms (SELECT), < 20ms (INSERT) Normal load api-benchmarks.test.ts Must Have
NFR-P05 Core Web Vitals: LCP Largest Contentful Paint < 2.5 seconds Mobile, 4G Lighthouse Must Have
NFR-P06 50 concurrent rate limit checks Total time < 2,000ms total 50 concurrent calls api-benchmarks.test.ts Should Have

3. Scalability Requirements

ID Requirement Metric MVP Target Phase 2 Target Method Priority
NFR-S01 Concurrent users Active sessions 200 users (SQLite limit) 5,000+ users (PostgreSQL) Load testing Must Have
NFR-S02 Database migration trigger Concurrent users Migrate at 200 concurrent PostgreSQL in Phase 2 Monitoring Must Have
NFR-S03 API rate limits Max requests per IP 10 req/min (auth), 60 req/min (general) Same Rate limiter config Must Have
NFR-S04 Storage growth DB size < 1GB on Fly.io persistent volume Managed PostgreSQL Storage monitoring Should Have

4. Availability Requirements

ID Requirement Target Period Exclusions Priority
NFR-A01 System uptime SLA ≥ 99.5% Monthly rolling Scheduled maintenance (advance notice) Must Have
NFR-A02 Scheduled maintenance window Max 4 hours/month Monthly Tue-Thu 02:00-06:00 CET preferred Must Have
NFR-A03 Maintenance notice lead time ≥ 24 hours Per event Emergency patches: ASAP notify Must Have
NFR-A04 RPO (Recovery Point Objective) Max 24 hours data loss Per incident Daily backup schedule Must Have
NFR-A05 RTO (Recovery Time Objective) System restored within 4 hours Per incident For staging; production target 2 hours Must Have
NFR-A06 Database backup Daily automated backup Ongoing Fly.io persistent volume Must Have

SLA Reference:

Uptime % Monthly Downtime
99.9% 43.8 minutes
99.5% 3.6 hours
99.0% 7.3 hours

5. Security Requirements

Context: Drop is a fintech app handling real money flows. Security is Critical priority. See security/drop-security-rapport.md for full audit (score: 57/100 pre-Phase 0.5; target: 80/100 post-hardening).

ID Requirement Category Target / Standard Method Priority
NFR-SEC01 Authentication Auth JWT (jose library) in httpOnly cookie; SameSite=Strict; 7-day expiry Code review + audit Must Have
NFR-SEC02 Password hashing Auth bcrypt, 12 rounds; NO SHA-256 fallback auth.test.ts Must Have
NFR-SEC03 JWT secret Secrets JWT_SECRET must be set via env var — fail fast if missing Code review Must Have
NFR-SEC04 CSRF protection Injection CSRF middleware on all POST/PATCH/DELETE endpoints Code review + test Must Have
NFR-SEC05 Rate limiting Abuse 10 req/min on auth; 60/min general; persistent (DB-backed, not in-memory) middleware.test.ts Must Have
NFR-SEC06 Input validation Injection All inputs sanitized server-side; parameterized SQL (no raw queries) validation.test.ts Must Have
NFR-SEC07 XSS prevention Injection CSP headers (script-src 'self'); no dangerouslySetInnerHTML OWASP ZAP Must Have
NFR-SEC08 Security headers HTTP HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, CSP securityheaders.com Must Have
NFR-SEC09 Card data PCI-DSS NEVER store or return full card number or CVV; only last_four + token_ref Code review + db.test.ts Must Have
NFR-SEC10 Audit logging Compliance All auth events, transactions, KYC changes logged with user_id + IP + timestamp Code review Must Have
NFR-SEC11 Per-user transaction locks Financial Concurrent transactions from same user serialised; no double-spend Integration test Must Have
NFR-SEC12 Penetration testing Operations External pentest before production launch Third-party report Should Have

6. Reliability Requirements

ID Requirement Metric Target Method Priority
NFR-R01 Application error rate 5xx errors / total requests < 0.1% Monitoring Must Have
NFR-R02 Transaction integrity Atomic transactions ACID compliance; no partial updates db.test.ts Must Have
NFR-R03 MTTR Average recovery time < 4 hours Incident log Must Have
NFR-R04 Data integrity Database constraints Zero orphaned records; FK constraints enabled db.test.ts Must Have
NFR-R05 Health check System observability GET /api/health returns 200 with DB status CI smoke tests Must Have

7. Usability Requirements

ID Requirement Target Method Priority
NFR-U01 Onboarding completion New user completes onboarding (3 steps) in < 3 minutes Usability testing Must Have
NFR-U02 Remittance flow time Registered user sends money in < 2 minutes Usability testing Must Have
NFR-U03 Mobile responsiveness Fully functional on 375px–1440px (primary: 375-428px mobile) Manual + automated Must Have
NFR-U04 Error recovery User can recover from any form error without page reload Manual testing Must Have
NFR-U05 Language Norwegian (primary) and English (secondary) Content audit Should Have

8. Compatibility Requirements

ID Requirement Category Target Priority
NFR-C01 Web browsers Browser Chrome 100+, Firefox 100+, Safari 16+, Edge 100+ Must Have
NFR-C02 Mobile browsers Browser Safari iOS 15+, Chrome Android 100+ (primary platform) Must Have
NFR-C03 Screen resolutions Responsive 375px (iPhone SE) to 1440px (desktop); mobile-first Must Have
NFR-C04 API versioning API Next.js API Routes (no versioning in MVP); semantic versioning in Phase 2 Should Have

9. Maintainability Requirements

ID Requirement Metric Target Method Priority
NFR-M01 Test coverage % code covered ≥ 80% overall; 100% for auth + transaction paths CI coverage (Vitest) Must Have
NFR-M02 CI/CD pipeline Deployment frequency Bug fix to staging in < 30 minutes from merge GitHub Actions Must Have
NFR-M03 Feature flags Feature control All gated features controllable via env vars without redeploy feature-flags.test.ts Should Have
NFR-M04 Documentation currency Doc coverage All API endpoints documented in docs/backend/API-REFERENCE.md Doc review Should Have
NFR-M05 Dependency currency CVE exposure 0 critical CVEs in production dependencies npm audit in CI Must Have

10. Compliance Requirements

ID Regulation Applicability Requirement Technical Implementation Priority
NFR-COMP01 GDPR (EU) Yes — Norwegian users Lawful basis; right to deletion; DPA with BaaS; 72h breach notification Data deletion API; audit logs; DPA contract Must Have
NFR-COMP02 GDPR — Data minimisation Yes Collect only data necessary for stated purpose BA review of DB schema Must Have
NFR-COMP03 PSD2 (EU) Yes — payment initiation PISP/AISP registration with Finanstilsynet; or operate under bank partner licence Finanstilsynet registration Must Have
NFR-COMP04 AML / AMLD6 Yes — money transfer KYC verification before transaction; transaction monitoring; SAR capability Sumsub integration; monitoring alerts Must Have
NFR-COMP05 PCI-DSS Partial (cards feature) No card number/CVV storage; tokenisation only last_four + token_ref only; tokenisation via partner Must Have
NFR-COMP06 DORA (EU) Yes ICT risk management; incident reporting framework Incident report template; business continuity Should Have
NFR-COMP07 Norwegian Personvernloven Yes National GDPR implementation; same requirements Legal review Must Have
NFR-COMP08 Financial licence disclaimer Yes NEVER use "banking" without licence disclaimer in UI UI copy review; /learning-opportunity on violations Must Have

11. Data Requirements

ID Requirement Category Target Implementation Priority
NFR-D01 Data retention — user data Retention User data deleted within 30 days of account deletion request Scheduled deletion job (GDPR Art.17) Must Have
NFR-D02 Data retention — audit logs Retention Audit logs: 5 years (AML requirement) Log rotation policy Must Have
NFR-D03 PII field documentation Privacy All PII fields identified in DATABASE-SCHEMA.md Data dictionary in docs/backend/ Must Have
NFR-D04 Data anonymisation (non-prod) Privacy No real user data in staging/dev environments Seed data only; no prod data migration Must Have
NFR-D05 GDPR data export Portability User can export their data (GDPR Art.20) Data export endpoint Should Have

12. NFR Testing & Verification Plan

NFR Category Testing Method Tools Frequency Pass Criteria
Performance Benchmark tests + load testing api-benchmarks.test.ts, Lighthouse Per sprint + pre-launch All NFR-P targets met
Security Security audit + automated tests validation.test.ts, OWASP ZAP, external pentest Per sprint + pre-launch Score ≥ 80/100; no critical open
Availability Uptime monitoring Fly.io metrics, health endpoint Ongoing ≥ 99.5% monthly
Compliance Legal review + audit Manual + Sumsub Pre-launch + annual All compliance items verified
Reliability Unit + integration tests Vitest (db.test.ts) Per commit Zero failed integrity tests

Approval

Role Name Date Signature
Author John (AI Director) 2026-02-23 Approved (AI)
Tech Lead John 2026-02-23 Approved
AI Director (John) John 2026-02-23 Approved
CEO (Alem) Alem Bašić TBD
Back to top