Skip to main content

Non-Functional Requirements

Non-Functional Requirements (NFR): {{PROJECT_NAME}}Drop — Fintech Payment App

Project: {{PROJECT_NAME}}Drop — Remittance + QR Payments Version: {{VERSION}}1.0 Date: {{DATE}}2026-02-23 Author: {{AUTHOR}}John (AI Director) Status: Draft | In Review | Approved Reviewers: {{REVIEWERS}}Alem Bašić (CEO)

Document History

Version Date Author Changes
0.1 {{DATE}}2026-02-23 {{AUTHOR}}John Initial draftdraft; targets from security audit + business case

1. NFR Overview

Category # Requirements Highest Priority Owner
Performance {{COUNT}}6 {{HIGH/MED/LOW}}Must Have John (Tech LeadLead)
Scalability {{COUNT}}4 Must Have Tech LeadJohn / DevOps
Availability {{COUNT}}6 Must Have John / DevOps
Security {{COUNT}}12 Critical Tech LeadJohn + Security agent
Reliability {{COUNT}}5 Must Have Tech Lead / DevOpsJohn
Usability {{COUNT}}5 Should Have DesignerJohn (Designer)
Compatibility {{COUNT}}4 Must Have Tech LeadJohn
Maintainability {{COUNT}}5 Should Have Tech LeadJohn
Compliance {{COUNT}}8 Critical Tech LeadJohn + Legal
Data {{COUNT}}5 Must Have Tech LeadJohn

2. Performance Requirements

ID Requirement Metric Target Measurement Conditions Measurement Method Priority
NFR-P01 Page load time (initial) Time to Interactive < 3 seconds 4G connection, cold cache Lighthouse / WebPageTest Must Have
NFR-P02Page load time (subsequent)Time to Interactive< 1.5 secondsWarm cacheLighthouseMust Have
NFR-P03 API response time (standard) p95 response time < 500ms Normal load ({{CONCURRENT_USERS}}200 concurrent users) APM tool / k6 Must Have
NFR-P04P03 API response time (complexbcrypt queries)operations) p95 response time < 2 seconds1,000ms Normal load APMBenchmark tooltests ShouldMust Have
NFR-P05P04 Database query time p95 query time < 100ms10ms (SELECT), < 20ms (INSERT) Normal load DB monitoringapi-benchmarks.test.ts Must Have
NFR-P06File upload throughputUpload speed{{SIZE}}MB in < {{TIME}}sSingle userLoad testing{{PRIORITY}}
NFR-P07Search response timep95 response time< 1 secondNormal loadAPM toolShould Have
NFR-P08Report generationCompletion time< {{TIME}} secondsNormal loadAPM toolCould Have
NFR-P09P05 Core Web Vitals: LCP Largest Contentful Paint < 2.5 seconds Mobile, 4G Lighthouse Must Have
NFR-P10P06 Core50 Webconcurrent Vitals:rate CLSlimit checks CumulativeTotal Layout Shifttime < 0.12,000ms total Any50 deviceconcurrent calls Lighthouseapi-benchmarks.test.ts MustShould Have

3. Scalability Requirements

Managed
ID Requirement Metric LaunchMVP Target 12-MonthPhase 2 Target Measurement Method Priority
NFR-S01 Concurrent users Simultaneous activeActive sessions {{X}}200 users (SQLite limit) {{X}}5,000+ usersLoad testing (k6/JMeter)Must Have
NFR-S02Peak load handlingRequests per second{{X}} RPS{{X}} RPSPostgreSQL) Load testing Must Have
NFR-S03Data volume growthS02 Database sizemigration growthtrigger {{X}}GB/yearConcurrent users {{X}}GB/yearMigrate at 200 concurrent StoragePostgreSQL monitoringin Phase 2 ShouldMonitoringMust Have
NFR-S04S03 API rate limits Max requests per user/hourIP {{X}}10 requestsreq/min (auth), 60 req/min (general) {{X}} requestsSame APIRate gatewaylimiter metricsconfig Must Have
NFR-S05S04 File storageStorage growth StorageDB size< 1GB on Fly.io persistent volume {{X}}GB {{X}}GBPostgreSQL Storage monitoring Should Have
NFR-S06Auto-scaling responseTime to scale out under load< 2 minutes< 2 minutesCloud console metricsShould Have
NFR-S07Geographic distributionRegions supported{{REGIONS}}{{REGIONS}}CDN configuration{{PRIORITY}}

4. Availability Requirements

ID Requirement Target Measurement Period Exclusions Priority
NFR-A01 System uptime SLA {{99.5 / 99.9}}%5% Monthly rolling Scheduled maintenance (advance notice) Must Have
NFR-A02 Scheduled maintenance window Max {{X}}4 hours/month Monthly {{PREFERRED_WINDOW}}Tue-Thu 02:00-06:00 CET preferred Must Have
NFR-A03 Maintenance notificationnotice lead time 4824 hours notice Per event Emergency patches: 4ASAP hoursnotify Must Have
NFR-A04 RPO (Recovery Point Objective) Max {{X}}24 hours data loss Per incident N/ADaily backup schedule Must Have
NFR-A05 RTO (Recovery Time Objective) System restored within {{X}}4 hours Per incident N/AFor staging; production target 2 hours Must Have
NFR-A06 Database backup frequency EveryDaily {{X}}automated hoursbackup Ongoing N/AFly.io persistent volume Must Have
NFR-A07Backup retention{{X}} days rollingOngoingN/AMust Have
NFR-A08Disaster recovery testPass DR drillAnnuallyN/AShould Have

SLA Calculation Reference:

Uptime %Annual Downtime Monthly Downtime
99.9% 8.7 hours43.8 minutes
99.5% 43.8 hours3.6 hours
99.0%87.6 hours 7.3 hours

5. Security Requirements

Context: Drop is a fintech app handling real money flows. Security is Critical priority. See security/drop-security-rapport.md for full audit (score: 57/100 pre-Phase 0.5; target: 80/100 post-hardening).

ID Requirement Category Target / Standard Measurement Method Priority
NFR-SEC01 Authentication method Auth {{JWT/OAuth2/OIDC}}JWT +(jose MFAlibrary) optionalin httpOnly cookie; SameSite=Strict; 7-day expiry Code review + pentestaudit Must Have
NFR-SEC02 Password policyhashing Auth Minbcrypt, 812 chars,rounds; 1NO uppercase,SHA-256 1 number, 1 specialfallback Automated testauth.test.ts Must Have
NFR-SEC03 SessionJWT managementsecret AuthSecrets Timeout:JWT_SECRET 30minmust idle;be absolute:set 8via hoursenv var — fail fast if missing AutomatedCode testreview Must Have
NFR-SEC04 DataCSRF encryption in transitprotection EncryptionInjection TLSCSRF 1.3middleware minimumon all POST/PATCH/DELETE endpoints SSLCode Labsreview scan+ (grade A+)test Must Have
NFR-SEC05 DataRate encryption at restlimiting EncryptionAbuse AES-25610 forreq/min PII;on databaseauth; encryption60/min general; persistent (DB-backed, not in-memory) Infrastructure reviewmiddleware.test.ts Must Have
NFR-SEC06 Input validation Injection Prevention All inputs sanitized server-side; parameterized queriesSQL (no raw queries) Code review + SASTvalidation.test.ts Must Have
NFR-SEC07 XSS prevention Injection Prevention CSP headers;headers output(script-src encoding'self'); no dangerouslySetInnerHTML OWASP ZAP / DAST Must Have
NFR-SEC08 CSRFSecurity protectionheaders Injection PreventionHTTP CSRFHSTS, tokensX-Frame-Options: onDENY, allX-Content-Type-Options: state-changingnosniff, requestsCSP Code reviewsecurityheaders.com Must Have
NFR-SEC09 RateCard limitingdata DDoS/AbusePCI-DSS API:NEVER {{X}}store req/minor perreturn IP;full login:card 5number attempts/15minor CVV; only last_four + token_ref LoadCode testingreview + db.test.ts Must Have
NFR-SEC10 Audit logging Compliance All auth events, datatransactions, mutationsKYC changes logged with useruser_id + IP + timestamp LogCode review Must Have
NFR-SEC11 DependencyPer-user securitytransaction locks Supply ChainFinancial NoConcurrent knowntransactions criticalfrom CVEssame inuser dependenciesserialised; no double-spend AutomatedIntegration scan (Snyk/Dependabot)test Must Have
NFR-SEC12 Secret managementSecretsNo secrets in code/git; use env vars or vaultCode scan + git history checkMust Have
NFR-SEC13Role-based access controlAuthorizationPrinciple of least privilege; no role escalationCode review + penetration testMust Have
NFR-SEC14Security headersHTTP SecurityHSTS, X-Frame-Options, X-Content-Type-Optionssecurityheaders.com scanMust Have
NFR-SEC15Vulnerability scanningOperationsAutomated scan in CI; critical issues block deployCI pipelineShould Have
NFR-SEC16Penetration testing Operations Annual externalExternal pentest before production launch Third-party report Should Have

6. Reliability Requirements

ID Requirement Metric Target Measurement Method Priority
NFR-R01 Application error rate 5xx errors / total requests < 0.1% APM monitoringMonitoring Must Have
NFR-R02 Client-sideTransaction error rateintegrity JSAtomic errors per sessiontransactions <ACID 1%compliance; ofno sessionspartial updates Error tracking (Sentry)db.test.ts ShouldMust Have
NFR-R03 MTBF (Mean Time Between Failures)MTTR Average recovery time between incidents >< {{X}}4 dayshours Incident trackinglog ShouldMust Have
NFR-R04 MTTRData (Mean Time To Recovery)integrity AverageDatabase time to restore serviceconstraints <Zero {{X}}orphaned hoursrecords; FK constraints enabled Incident trackingdb.test.ts Must Have
NFR-R05 Data integrityZero data corruption events0 incidentsDatabase integrity checksMust Have
NFR-R06Transaction integrityAtomic transactionsACID complianceDatabase testsMust Have
NFR-R07Graceful degradationPartial failure handlingNon-critical features fail gracefully; core stays upChaos testingShould Have
NFR-R08Health check endpoint System health observableobservability GET /api/health returns 200 whenwith healthyDB status MonitoringCI smoke tests Must Have

7. Usability Requirements

ID Requirement Target Measurement Method Priority
NFR-U01 TimeOnboarding to complete core taskcompletion New user completes {{KEY_TASK}}onboarding (3 steps) in < {{X}}3 minutes Usability testing Must Have
NFR-U02 ErrorRemittance recoveryflow time UserRegistered canuser recoversends frommoney anyin error< without2 helpminutes Usability testing Must Have
NFR-U03 WCAGMobile complianceresponsiveness WCAGFully 2.1functional Levelon AA375px–1440px (primary: 375-428px mobile) Automated axe-coreManual + manual reviewautomated Must Have
NFR-U04 KeyboardError navigationrecovery AllUser interactivecan elementsrecover reachablefrom byany keyboardform error without page reload Manual testing Must Have
NFR-U05 Screen reader supportLanguage CompatibleNorwegian with(primary) NVDAand /English VoiceOverManual testingShould Have
NFR-U06Mobile responsivenessFully functional on 375px–1440px widthManual + automatedMust Have
NFR-U07Color contrast≥ 4.5:1 for normal text; ≥ 3:1 for large textContrast checkerMust Have
NFR-U08Onboarding completion{{X}}% of new users complete onboardingAnalyticsShould Have
NFR-U09Help / documentationAll key features documented in-app or in help center(secondary) Content audit Should Have

8. Compatibility Requirements

(noinMVP);semanticversioningPhase
ID Requirement Category Target Priority
NFR-C01 Web browsers Browser Chrome 100+, Firefox 100+, Safari 16+, Edge 100+ Must Have
NFR-C02 Mobile browsers Browser Safari iOS 15+, Chrome Android 100+ (primary platform) Must Have
NFR-C03 MobileScreen operating systemsresolutions OSResponsive iOS375px 15+,(iPhone AndroidSE) 11+to 1440px (desktop); mobile-first Must Have
NFR-C04 DesktopAPI operating systemsOSWindows 10+, macOS 12+, Ubuntu 20.04+Must Have
NFR-C05Screen resolutionsResponsive375px to 2560px widthMust Have
NFR-C06Minimum device specsPerformanceWorks on mid-range 2020+ devicesShould Have
NFR-C07Third-party integrationsversioning API {{EXTERNAL_SYSTEM}}Next.js API versionRoutes {{VERSION}} Mustversioning Have
NFR-C08 Emailin clients EmailGmail, Outlook, Apple Mail, mobile clients2 Should Have

9. Maintainability Requirements

audit
ID Requirement Metric Target Measurement Method Priority
NFR-M01 Test coverage % of code covered by automated tests ≥ 80% overall; ≥ 95%100% for criticalauth + transaction paths CI coverage report(Vitest) Must Have
NFR-M02 CodeCI/CD documentationpipeline %Deployment of public APIs documentedfrequency 100%Bug offix publicto APIsstaging in < 30 minutes from merge CodeGitHub reviewActions Must Have
NFR-M03 CyclomaticFeature complexityflags Per-functionFeature complexitycontrol MaxAll 10gated perfeatures function;controllable refactorvia ifenv exceededvars without redeploy Static analysis (SonarQube)feature-flags.test.ts Should Have
NFR-M04 DependencyDocumentation currency %Doc of dependencies on current major versioncoverage All 80%API current;endpoints 0documented dependenciesin with critical CVEsdocs/backend/API-REFERENCE.md AutomatedDoc scanreview Should Have
NFR-M05 DeploymentDependency frequencycurrency TimeCVE to deploy a bug fix to productionexposure <0 1critical hourCVEs fromin mergeproduction dependencies CI/CDnpm metrics Shouldin Have
NFR-M06Feature flag supportAbility to disable features without deployAvailable for all major featuresCode reviewCould Have
NFR-M07Logging completenessLog coverage for operationsAll external calls, errors, and user mutations loggedLog reviewMust Have
NFR-M08Monitoring observabilityDashboards for key metricsDashboards for error rate, response time, uptimeMonitoring toolCI Must Have

10. Compliance Requirements

ID Regulation Applicability Requirement Technical Implementation Priority
NFR-COMP01 GDPR (EU) {{YESYesifNorwegian handling EU personal data}}users Lawful basis for processing;basis; right to deletion; DPA required;with BaaS; 72h breach notification within 72h User dataData deletion API; audit logs; DPA in placecontract Must Have
NFR-COMP02 GDPR — Cookie consent{{YES — if using tracking cookies}}Explicit consent before non-essential cookiesCookie consent banner; opt-in only trackingMust Have
NFR-COMP03GDPR — Data minimizationminimisation Yes Collect only data necessary for stated purpose BA review of dataDB modelschemaMust Have
NFR-COMP03PSD2 (EU)Yes — payment initiationPISP/AISP registration with Finanstilsynet; or operate under bank partner licenceFinanstilsynet registration Must Have
NFR-COMP04 {{HIPAA}}AML / AMLD6 {{YES/NOYeshealthcaremoney data}}transfer PHIKYC protection;verification auditbefore logs;transaction; BAAtransaction requiredmonitoring; SAR capability Role-basedSumsub access;integration; encryptedmonitoring PHI fieldsalerts {{PRIORITY}}Must Have
NFR-COMP05 {{PCI-DSS}}DSS {{YES/NOPartial (cards paymentfeature)No card data}}number/CVV storage; tokenisation only SAQlast_four compliance;+ tokenization;token_ref noonly; cardtokenisation storagevia partner Stripe/paymentMust gateway tokenization{{PRIORITY}}Have
NFR-COMP06 DORA (EU)YesICT risk management; incident reporting frameworkIncident report template; business continuityShould Have
NFR-COMP07Norwegian Personvernloven {{YES}}Yes Alignment withNational GDPR nationalimplementation; implementationsame requirements Legal review Must Have
NFR-COMP07COMP08 WCAGFinancial 2.1licence AAdisclaimer {{YES}}Yes DigitalNEVER accessibilityuse "banking" without licence disclaimer in UI NFR-U01UI tocopy NFR-U07review; /learning-opportunity on violations Must Have

11. Data Requirements

export
ID Requirement Category Target Implementation Priority
NFR-D01 Data retention — user data Retention {{X}}User years active;data deleted within 30 days of account deletion request Scheduled deletion job (GDPR Art.17) Must Have
NFR-D02 Data retention — audit logs Retention Application logs: 90 days; Audit logs: 35 years (AML requirement) Log rotation policy Must Have
NFR-D03 DatabasePII backupfield frequencydocumentation BackupPrivacy FullAll backupPII daily;fields transactionidentified logsin every {{X}} hoursDATABASE-SCHEMA.md AutomatedData backupdictionary schedulein docs/backend/ Must Have
NFR-D04 BackupData encryptionanonymisation (non-prod) BackupPrivacy BackupsNo encryptedreal withuser AES-256data in staging/dev environments InfrastructureSeed configdata only; no prod data migration Must Have
NFR-D05 DataGDPR integrity checksIntegrityDatabase constraints; no orphaned recordsDB schema + integration testsMust Have
NFR-D06PII identificationPrivacyAll PII fields identified and documentedData dictionaryMust Have
NFR-D07Datadata export Portability User can export their data in machine-readable format (GDPR Article Art.20)Export API endpointMust Have
NFR-D08 Data anonymization PrivacyAnonymize user data in non-production environmentsDev/staging data scriptsMust Have
NFR-D09Archival strategyRetentionData older than {{X}} years archived to cold storageArchive scheduleendpoint Should Have

12. NFR Testing & Verification Plan

nocritical
NFR Category Testing Method Tools Frequency Pass Criteria
Performance LoadBenchmark tests + load testing k6, JMeter,api-benchmarks.test.ts, Lighthouse Pre-launchPer sprint + monthlypre-launch All NFR-P targets met
ScalabilityStress testingk6Pre-launchSystem gracefully handles 2× peak load
Security SASTSecurity audit + DASTautomated + Pentesttests Snyk,validation.test.ts, OWASP ZAP, external pentest CIPer (SAST),sprint Pre-+ pre-launch (DAST+Pentest), Annual NoScore critical/high vulnerabilities80/100; unresolved
AccessibilityAutomated + manualaxe-core, manual screen readerPer sprintWCAG 2.1 AAopen
Availability MonitoringUptime + DR drillmonitoring UptimeFly.io monitormetrics, health endpoint Ongoing + annual SLA targets99.5% metmonthly
Compliance Legal review + audit Manual + automatedSumsub Pre-launch + annual All compliance items verified
ReliabilityUnit + integration testsVitest (db.test.ts)Per commitZero failed integrity tests

Approval

Approved
Role Name Date Signature
Author John (AI Director) 2026-02-23
Reviewer(AI)
Tech Lead John 2026-02-23
Business Analyst
Product OwnerApproved
AI Director (John) John 2026-02-23 Approved
ClientCEO Representative(Alem) Alem Bašić TBD
Back to top