Non-Functional Requirements

Non-Functional Requirements (NFR): Drop — Fintech Payment App{{PROJECT_NAME}}

Project: ~~Drop — Remittance + QR Payments~~{{PROJECT_NAME}} Version: ~~1.0~~{{VERSION}} Date: ~~2026-02-23~~{{DATE}} Author: ~~John (AI Director)~~{{AUTHOR}} Status: Draft | In Review | Approved Reviewers: ~~Alem Bašić (CEO)~~{{REVIEWERS}}

Document History

Version	Date	Author	Changes
0.1	~~2026-02-23~~{{DATE}}	~~John~~{{AUTHOR}}	Initial ~~draft; targets from security audit + business case~~draft

1. NFR Overview

Category	# Requirements	Highest Priority	Owner
Performance	6{{COUNT}}	~~Must Have~~{{HIGH/MED/LOW}}	~~John (~~Tech ~~Lead)~~Lead
Scalability	4{{COUNT}}	~~Must Have~~	~~John~~Tech Lead / DevOps
Availability	6{{COUNT}}	~~Must Have~~	~~John /~~ DevOps
Security	12{{COUNT}}	Critical	~~John~~Tech Lead + Security ~~agent~~
Reliability	5{{COUNT}}	~~Must Have~~	~~John~~Tech Lead / DevOps
Usability	5{{COUNT}}	~~Should Have~~	~~John (Designer)~~Designer
Compatibility	4{{COUNT}}	~~Must Have~~	~~John~~Tech Lead
Maintainability	5{{COUNT}}	~~Should Have~~	~~John~~Tech Lead
Compliance	8{{COUNT}}	~~Critical~~	~~John~~Tech Lead + Legal
Data	5{{COUNT}}	~~Must Have~~	~~John~~Tech Lead

2. Performance Requirements

ID	Requirement	Metric	Target	Measurement Conditions	Measurement Method	Priority
NFR-P01	Page load time (initial)	Time to Interactive	< 3 seconds	4G connection, cold cache	Lighthouse / WebPageTest	Must Have
NFR-P02	Page load time (subsequent)	Time to Interactive	< 1.5 seconds	Warm cache	Lighthouse	Must Have
NFR-P03	API response time (standard)	p95 response time	< 500ms	Normal load (~~200 concurrent~~{{CONCURRENT_USERS}} users)	APM tool / k6	Must Have
NFR-~~P03~~P04	API response time (~~bcrypt~~complex ~~operations)~~queries)	p95 response time	< ~~1,000ms~~2 seconds	Normal load	~~Benchmark~~APM ~~tests~~tool	~~Must~~Should Have
NFR-~~P04~~P05	Database query time	p95 query time	< ~~10ms (SELECT), < 20ms (INSERT)~~100ms	Normal load	~~api-benchmarks.test.ts~~DB monitoring	Must Have
NFR-~~P05~~P06	File upload throughput	Upload speed	{{SIZE}}MB in < {{TIME}}s	Single user	Load testing	{{PRIORITY}}
NFR-P07	Search response time	p95 response time	< 1 second	Normal load	APM tool	Should Have
NFR-P08	Report generation	Completion time	< {{TIME}} seconds	Normal load	APM tool	Could Have
NFR-P09	Core Web Vitals: LCP	Largest Contentful Paint	< 2.5 seconds	Mobile, 4G	Lighthouse	Must Have
NFR-~~P06~~P10	50Core ~~concurrent~~Web ~~rate~~Vitals: ~~limit checks~~CLS	~~Total~~Cumulative ~~time~~Layout Shift	< ~~2,000ms total~~0.1	50Any ~~concurrent calls~~device	~~api-benchmarks.test.ts~~Lighthouse	~~Should~~Must Have

3. Scalability Requirements

~~PostgreSQL~~

ID	Requirement	Metric	~~MVP~~Launch Target	~~Phase 2~~12-Month Target	Measurement Method	Priority
NFR-S01	Concurrent users	~~Active~~Simultaneous active sessions	~~200~~{{X}} users ~~(SQLite limit)~~	~~5,000+~~{{X}} users	Load testing (~~PostgreSQL)~~k6/JMeter)	Must Have
NFR-S02	Peak load handling	Requests per second	{{X}} RPS	{{X}} RPS	Load testing	Must Have
NFR-~~S02~~S03	Data volume growth	Database ~~migration~~size ~~trigger~~growth	~~Concurrent users~~{{X}}GB/year	~~Migrate at 200 concurrent~~{{X}}GB/year	~~PostgreSQL~~Storage ~~in Phase 2~~monitoring	~~Monitoring~~	~~Must~~Should Have
NFR-~~S03~~S04	API rate limits	Max requests per IPuser/hour	10{{X}} ~~req/min (auth), 60 req/min (general)~~requests	~~Same~~{{X}} requests	~~Rate~~API ~~limiter~~gateway ~~config~~metrics	Must Have
NFR-~~S04~~S05	File storage growth	Storage ~~growth~~	~~DB size~~	~~< 1GB on Fly.io persistent~~ volume	~~Managed~~{{X}}GB	{{X}}GB	Storage monitoring	Should Have
NFR-S06	Auto-scaling response	Time to scale out under load	< 2 minutes	< 2 minutes	Cloud console metrics	Should Have
NFR-S07	Geographic distribution	Regions supported	{{REGIONS}}	{{REGIONS}}	CDN configuration	{{PRIORITY}}

4. Availability Requirements

ID	Requirement	Target	Measurement Period	Exclusions	Priority
NFR-A01	System uptime SLA	≥ {{99.5%5 / 99.9}}%	Monthly rolling	Scheduled maintenance ~~(advance notice)~~	Must Have
NFR-A02	Scheduled maintenance window	Max 4{{X}} hours/month	Monthly	~~Tue-Thu 02:00-06:00 CET preferred~~{{PREFERRED_WINDOW}}	Must Have
NFR-A03	Maintenance ~~notice~~notification lead time	≥ 2448 hours notice	Per event	Emergency patches: ~~ASAP~~4 ~~notify~~hours	Must Have
NFR-A04	RPO (Recovery Point Objective)	Max 24{{X}} hours data loss	Per incident	~~Daily backup schedule~~N/A	Must Have
NFR-A05	RTO (Recovery Time Objective)	System restored within 4{{X}} hours	Per incident	~~For staging; production target 2 hours~~N/A	Must Have
NFR-A06	Database backup frequency	~~Daily~~Every ~~automated~~{{X}} ~~backup~~hours	Ongoing	~~Fly.io persistent volume~~N/A	Must Have
NFR-A07	Backup retention	{{X}} days rolling	Ongoing	N/A	Must Have
NFR-A08	Disaster recovery test	Pass DR drill	Annually	N/A	Should Have

SLA Calculation Reference:

Uptime %	Annual Downtime	Monthly Downtime
99.9%	8.7 hours	43.8 minutes
99.5%	43.8 hours	3.6 hours
99.0%	87.6 hours	7.3 hours

5. Security Requirements

~~Context:~~ ~~Drop is a fintech app handling real money flows. Security is Critical priority. See~~ security/drop-security-rapport.md ~~for full audit (score: 57/100 pre-Phase 0.5; target: 80/100 post-hardening).~~

ID	Requirement	Category	Target / Standard	Measurement Method	Priority
NFR-SEC01	Authentication method	Auth	~~JWT~~{{JWT/OAuth2/OIDC}} ~~(jose~~+ ~~library)~~MFA ~~in httpOnly cookie; SameSite=Strict; 7-day expiry~~optional	Code review + ~~audit~~pentest	Must Have
NFR-SEC02	Password ~~hashing~~policy	Auth	~~bcrypt,~~Min 128 ~~rounds;~~chars, NO1 ~~SHA-256~~uppercase, ~~fallback~~1 number, 1 special	~~auth.test.ts~~Automated test	Must Have
NFR-SEC03	~~JWT~~Session ~~secret~~management	~~Secrets~~Auth	~~JWT_SECRET~~Timeout: ~~must~~30min beidle; ~~set~~absolute: ~~via~~8 ~~env var — fail fast if missing~~hours	~~Code~~Automated ~~review~~test	Must Have
NFR-SEC04	~~CSRF~~Data ~~protection~~encryption in transit	~~Injection~~Encryption	~~CSRF~~TLS ~~middleware~~1.3 ~~on all POST/PATCH/DELETE endpoints~~minimum	~~Code~~SSL ~~review~~Labs +scan ~~test~~(grade A+)	Must Have
NFR-SEC05	~~Rate~~Data ~~limiting~~encryption at rest	~~Abuse~~Encryption	10AES-256 ~~req/min~~for onPII; ~~auth;~~database ~~60/min general; persistent (DB-backed, not in-memory)~~encryption	~~middleware.test.ts~~Infrastructure review	Must Have
NFR-SEC06	Input validation	Injection Prevention	All inputs sanitized server-side; parameterized ~~SQL (no raw queries)~~queries	~~validation.test.ts~~Code review + SAST	Must Have
NFR-SEC07	XSS prevention	Injection Prevention	CSP ~~headers~~headers; ~~(script-src~~output ~~'self'); no dangerouslySetInnerHTML~~encoding	OWASP ZAP / DAST	Must Have
NFR-SEC08	~~Security~~CSRF ~~headers~~protection	~~HTTP~~Injection Prevention	~~HSTS,~~CSRF ~~X-Frame-Options:~~tokens ~~DENY,~~on ~~X-Content-Type-Options:~~all ~~nosniff,~~state-changing ~~CSP~~requests	~~securityheaders.com~~Code review	Must Have
NFR-SEC09	~~Card~~Rate ~~data~~limiting	~~PCI-DSS~~DDoS/Abuse	~~NEVER~~API: ~~store~~{{X}} orreq/min ~~return~~per ~~full~~IP; ~~card~~login: ~~number~~5 ~~or CVV; only last_four + token_ref~~attempts/15min	~~Code~~Load ~~review + db.test.ts~~testing	Must Have
NFR-SEC10	Audit logging	Compliance	All auth events, ~~transactions,~~data ~~KYC changes~~mutations logged with ~~user_id + IP~~user + timestamp	~~Code~~Log review	Must Have
NFR-SEC11	~~Per-user~~Dependency ~~transaction locks~~security	~~Financial~~Supply Chain	~~Concurrent~~No ~~transactions~~known ~~from~~critical ~~same~~CVEs ~~user~~in ~~serialised; no double-spend~~dependencies	~~Integration~~Automated ~~test~~scan (Snyk/Dependabot)	Must Have
NFR-SEC12	Secret management	Secrets	No secrets in code/git; use env vars or vault	Code scan + git history check	Must Have
NFR-SEC13	Role-based access control	Authorization	Principle of least privilege; no role escalation	Code review + penetration test	Must Have
NFR-SEC14	Security headers	HTTP Security	HSTS, X-Frame-Options, X-Content-Type-Options	securityheaders.com scan	Must Have
NFR-SEC15	Vulnerability scanning	Operations	Automated scan in CI; critical issues block deploy	CI pipeline	Should Have
NFR-SEC16	Penetration testing	Operations	~~External~~Annual external pentest ~~before production launch~~	Third-party report	Should Have

6. Reliability Requirements

ID	Requirement	Metric	Target	Measurement Method	Priority
NFR-R01	Application error rate	5xx errors / total requests	< 0.1%	~~Monitoring~~APM monitoring	Must Have
NFR-R02	~~Transaction~~Client-side ~~integrity~~error rate	~~Atomic~~JS ~~transactions~~errors per session	~~ACID~~< ~~compliance;~~1% noof ~~partial updates~~sessions	~~db.test.ts~~Error tracking (Sentry)	~~Must~~Should Have
NFR-R03	~~MTTR~~MTBF (Mean Time Between Failures)	Average ~~recovery~~time ~~time~~between incidents	<> 4{{X}} ~~hours~~days	Incident ~~log~~tracking	~~Must~~Should Have
NFR-R04	~~Data~~MTTR ~~integrity~~(Mean Time To Recovery)	~~Database~~Average ~~constraints~~time to restore service	~~Zero~~< ~~orphaned~~{{X}} ~~records; FK constraints enabled~~hours	~~db.test.ts~~Incident tracking	Must Have
NFR-R05	Data integrity	Zero data corruption events	0 incidents	Database integrity checks	Must Have
NFR-R06	Transaction integrity	Atomic transactions	ACID compliance	Database tests	Must Have
NFR-R07	Graceful degradation	Partial failure handling	Non-critical features fail gracefully; core stays up	Chaos testing	Should Have
NFR-R08	Health check endpoint	System ~~observability~~health observable	~~GET~~ /~~api/~~health returns 200 ~~with~~when ~~DB status~~healthy	~~CI smoke tests~~Monitoring	Must Have

7. Usability Requirements

ID	Requirement	Target	Measurement Method	Priority
NFR-U01	~~Onboarding~~Time ~~completion~~to complete core task	New user completes ~~onboarding (3 steps)~~{{KEY_TASK}} in < 3{{X}} minutes	Usability testing	Must Have
NFR-U02	~~Remittance~~Error ~~flow time~~recovery	~~Registered~~User ~~user~~can ~~sends~~recover ~~money~~from inany <error 2without ~~minutes~~help	Usability testing	Must Have
NFR-U03	~~Mobile~~WCAG ~~responsiveness~~compliance	~~Fully~~WCAG ~~functional~~2.1 onLevel ~~375px–1440px (primary: 375-428px mobile)~~AA	~~Manual~~Automated axe-core + ~~automated~~manual review	Must Have
NFR-U04	~~Error~~Keyboard ~~recovery~~navigation	~~User~~All ~~can~~interactive ~~recover~~elements ~~from~~reachable ~~any~~by ~~form error without page reload~~keyboard	Manual testing	Must Have
NFR-U05	~~Language~~Screen reader support	~~Norwegian~~Compatible ~~(primary)~~with ~~and~~NVDA ~~English~~/ ~~(secondary)~~VoiceOver	Manual testing	Should Have
NFR-U06	Mobile responsiveness	Fully functional on 375px–1440px width	Manual + automated	Must Have
NFR-U07	Color contrast	≥ 4.5:1 for normal text; ≥ 3:1 for large text	Contrast checker	Must Have
NFR-U08	Onboarding completion	{{X}}% of new users complete onboarding	Analytics	Should Have
NFR-U09	Help / documentation	All key features documented in-app or in help center	Content audit	Should Have

8. Compatibility Requirements

~~versioningMVP);semanticversioning~~in2

ID	Requirement	Category	Target	Priority
NFR-C01	Web browsers	Browser	Chrome 100+, Firefox 100+, Safari 16+, Edge 100+	Must Have
NFR-C02	Mobile browsers	Browser	Safari iOS 15+, Chrome Android 100+ ~~(primary platform)~~	Must Have
NFR-C03	~~Screen~~Mobile ~~resolutions~~operating systems	~~Responsive~~OS	~~375px~~iOS ~~(iPhone~~15+, ~~SE)~~Android ~~to 1440px (desktop); mobile-first~~11+	Must Have
NFR-C04	~~API~~Desktop ~~versioning~~operating systems	OS	Windows 10+, macOS 12+, Ubuntu 20.04+	Must Have
NFR-C05	Screen resolutions	Responsive	375px to 2560px width	Must Have
NFR-C06	Minimum device specs	Performance	Works on mid-range 2020+ devices	Should Have
NFR-C07	Third-party integrations	API	~~Next.js~~{{EXTERNAL_SYSTEM}} API ~~Routes~~version ~~(no~~{{VERSION}}	Must inHave
NFR-C08	Email ~~Phase~~clients	Email	Gmail, Outlook, Apple Mail, mobile clients	Should Have

9. Maintainability Requirements

ID	Requirement	Metric	Target	Measurement Method	Priority
NFR-M01	Test coverage	% of code covered by automated tests	≥ 80% overall; ~~100%~~≥ 95% for ~~auth + transaction~~critical paths	CI coverage ~~(Vitest)~~report	Must Have
NFR-M02	~~CI/CD~~Code ~~pipeline~~documentation	~~Deployment~~% ~~frequency~~of public APIs documented	~~Bug~~100% ~~fix~~of topublic ~~staging in < 30 minutes from merge~~APIs	~~GitHub~~Code ~~Actions~~review	Must Have
NFR-M03	~~Feature~~Cyclomatic ~~flags~~complexity	~~Feature~~Per-function ~~control~~complexity	~~All~~Max ~~gated~~10 ~~features~~per ~~controllable~~function; ~~via~~refactor ~~env~~if ~~vars without redeploy~~exceeded	~~feature-flags.test.ts~~Static analysis (SonarQube)	Should Have
NFR-M04	~~Documentation~~Dependency currency	~~Doc~~% ~~coverage~~of dependencies on current major version	~~All~~≥ ~~API~~80% ~~endpoints~~current; ~~documented~~0 independencies ~~docs/backend/API-REFERENCE.md~~with critical CVEs	~~Doc~~Automated ~~review~~scan	Should Have
NFR-M05	~~Dependency~~Deployment ~~currency~~frequency	~~CVE~~Time ~~exposure~~to deploy a bug fix to production	0< ~~critical~~1 ~~CVEs~~hour infrom ~~production dependencies~~merge	~~npm~~CI/CD ~~audit~~metrics	Should CIHave
NFR-M06	Feature flag support	Ability to disable features without deploy	Available for all major features	Code review	Could Have
NFR-M07	Logging completeness	Log coverage for operations	All external calls, errors, and user mutations logged	Log review	Must Have
NFR-M08	Monitoring observability	Dashboards for key metrics	Dashboards for error rate, response time, uptime	Monitoring tool	Must Have

10. Compliance Requirements

ID	Regulation	Applicability	Requirement	Technical Implementation	Priority
NFR-COMP01	GDPR ~~(EU)~~	~~Yes~~{{YES — ~~Norwegian~~if ~~users~~handling EU personal data}}	Lawful ~~basis;~~basis for processing; right to deletion; DPA ~~with BaaS; 72h~~required; breach notification within 72h	~~Data~~User data deletion API; audit logs; DPA ~~contract~~in place	Must Have
NFR-COMP02	GDPR — Cookie consent	{{YES — if using tracking cookies}}	Explicit consent before non-essential cookies	Cookie consent banner; opt-in only tracking	Must Have
NFR-COMP03	GDPR — Data ~~minimisation~~minimization	Yes	Collect only data necessary for stated purpose	BA review of DBdata ~~schema~~	~~Must Have~~
~~NFR-COMP03~~	~~PSD2 (EU)~~	~~Yes — payment initiation~~	~~PISP/AISP registration with Finanstilsynet; or operate under bank partner licence~~	~~Finanstilsynet registration~~model	Must Have
NFR-COMP04	~~AML / AMLD6~~{{HIPAA}}	~~Yes~~{{YES/NO — ~~money~~healthcare ~~transfer~~data}}	~~KYC~~PHI ~~verification~~protection; ~~before~~audit ~~transaction;~~logs; ~~transaction~~BAA ~~monitoring; SAR capability~~required	~~Sumsub~~Role-based ~~integration;~~access; ~~monitoring~~encrypted ~~alerts~~PHI fields	~~Must Have~~{{PRIORITY}}
NFR-COMP05	{{PCI-~~DSS~~DSS}}	~~Partial~~{{YES/NO ~~(cards~~— ~~feature)~~payment card data}}	NoSAQ compliance; tokenization; no card ~~number/CVV storage; tokenisation only~~storage	~~last_four~~Stripe/payment +gateway ~~token_ref only; tokenisation via partner~~tokenization	~~Must Have~~{{PRIORITY}}
NFR-COMP06	~~DORA (EU)~~	~~Yes~~	~~ICT risk management; incident reporting framework~~	~~Incident report template; business continuity~~	~~Should Have~~
~~NFR-COMP07~~	Norwegian Personvernloven	~~Yes~~{{YES}}	~~National~~Alignment with GDPR ~~implementation;~~national ~~same requirements~~implementation	Legal review	Must Have
NFR-~~COMP08~~COMP07	~~Financial~~WCAG ~~licence~~2.1 ~~disclaimer~~AA	~~Yes~~{{YES}}	~~NEVER~~Digital ~~use "banking" without licence disclaimer in UI~~accessibility	UINFR-U01 ~~copy~~to ~~review;~~ `/learning-opportunity` ~~on violations~~NFR-U07	Must Have

11. Data Requirements

~~endpoint~~

ID	Requirement	Category	Target	Implementation	Priority
NFR-D01	Data retention — user data	Retention	~~User~~{{X}} ~~data~~years active; deleted within 30 days of account deletion request	Scheduled deletion job ~~(GDPR Art.17)~~	Must Have
NFR-D02	Data retention — ~~audit~~ logs	Retention	Application logs: 90 days; Audit logs: 53 years ~~(AML requirement)~~	Log rotation policy	Must Have
NFR-D03	~~PII~~Database ~~field~~backup ~~documentation~~frequency	~~Privacy~~Backup	~~All~~Full ~~PII~~backup ~~fields~~daily; ~~identified~~transaction inlogs ~~DATABASE-SCHEMA.md~~every {{X}} hours	~~Data~~Automated ~~dictionary~~backup ~~in docs/backend/~~schedule	Must Have
NFR-D04	~~Data~~Backup ~~anonymisation (non-prod)~~encryption	~~Privacy~~Backup	NoBackups ~~real~~encrypted ~~user~~with ~~data in staging/dev environments~~AES-256	~~Seed~~Infrastructure ~~data only; no prod data migration~~config	Must Have
NFR-D05	~~GDPR~~Data ~~data~~integrity checks	Integrity	Database constraints; no orphaned records	DB schema + integration tests	Must Have
NFR-D06	PII identification	Privacy	All PII fields identified and documented	Data dictionary	Must Have
NFR-D07	Data export	Portability	User can export their data in machine-readable format (GDPR ~~Art.~~Article 20)	Export API endpoint	Must Have
NFR-D08	Data ~~export~~anonymization	Privacy	Anonymize user data in non-production environments	Dev/staging data scripts	Must Have
NFR-D09	Archival strategy	Retention	Data older than {{X}} years archived to cold storage	Archive schedule	Should Have

12. NFR Testing & Verification Plan

NFR Category	Testing Method	Tools	Frequency	Pass Criteria
Performance	~~Benchmark tests + load~~Load testing	~~api-benchmarks.test.ts,~~k6, JMeter, Lighthouse	~~Per sprint~~Pre-launch + ~~pre-launch~~monthly	All NFR-P targets met
Scalability	Stress testing	k6	Pre-launch	System gracefully handles 2× peak load
Security	~~Security audit~~SAST + ~~automated~~DAST ~~tests~~+ Pentest	~~validation.test.ts,~~Snyk, OWASP ZAP, external pentest	CI (SAST), Pre-launch (DAST+Pentest), Annual	No critical/high vulnerabilities unresolved
Accessibility	Automated + manual	axe-core, manual screen reader	Per sprint ~~+ pre-launch~~	~~Score~~WCAG ≥2.1 ~~80/100; no critical open~~AA
Availability	~~Uptime~~Monitoring ~~monitoring~~+ DR drill	~~Fly.io~~Uptime ~~metrics, health endpoint~~monitor	Ongoing + annual	≥SLA ~~99.5%~~targets ~~monthly~~met
Compliance	Legal review + audit	Manual + ~~Sumsub~~automated	Pre-launch + annual	All compliance items verified
~~Reliability~~	~~Unit + integration tests~~	~~Vitest (db.test.ts)~~	~~Per commit~~	~~Zero failed integrity tests~~

Approval

~~(AI)~~

Role	Name	Date	Signature
Author	~~John (AI Director)~~	~~2026-02-23~~	~~Approved~~
Reviewer
Tech Lead	~~John~~	~~2026-02-23~~	~~Approved~~
Business Analyst
Product Owner
AI Director (John)	~~John~~	~~2026-02-23~~	~~Approved~~
~~CEO~~Client ~~(Alem)~~Representative	~~Alem Bašić~~	~~TBD~~