
Non-Functional Requirements (NFR): Bilko

Project: Bilko — Balkan Accounting SaaS
Version: 1.0
Date: 2026-02-25
Author: John (AI Director)
Status: Final
Reviewers: Alem Bašić (CEO)

Document History

| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-23 | John (AI Director) | Initial draft — Phase 1 Serbia MVP |
| 1.0 | 2026-02-25 | John (AI Director) | Finalized for v1.0 release |

1. NFR Overview

| Category | # Requirements | Highest Priority | Owner |
|---|---|---|---|
| Performance | 8 | Critical | John |
| Scalability | 5 | High | John / DevOps agent |
| Availability | 6 | Critical | John / DevOps agent |
| Security | 10 | Critical | John |
| Reliability | 6 | Critical | John |
| Usability | 7 | High | John / Designer |
| Compatibility | 6 | High | John |
| Maintainability | 6 | Medium | John |
| Compliance | 8 | Critical | John + Asmir |
| Data | 8 | Critical | John |

2. Performance Requirements

| ID | Requirement | Metric | Target | Measurement Conditions | Measurement Method | Priority |
|---|---|---|---|---|---|---|
| NFR-P01 | Dashboard page load (initial) | Time to Interactive | < 3 seconds | 4G connection, cold cache | Lighthouse / WebPageTest | Must Have |
| NFR-P02 | Dashboard page load (subsequent) | Time to Interactive | < 1 second | Warm cache, average device | Lighthouse | Must Have |
| NFR-P03 | Invoice creation wizard navigation | Time per step | < 500 ms | Any device, warm cache | Lighthouse | Must Have |
| NFR-P04 | API response time (standard CRUD) | p95 response time | < 300 ms | ≤ 1000 concurrent users | APM tool / k6 | Must Have |
| NFR-P05 | API response time (reports) | p95 response time | < 2 seconds | ≤ 1000 concurrent orgs | APM tool | Must Have |
| NFR-P06 | SEF submission response | End-to-end latency | < 30 seconds | SEF API response time | API monitoring | Must Have |
| NFR-P07 | Core Web Vitals: LCP | Largest Contentful Paint | < 2.5 seconds | Mobile, 4G | Lighthouse | Must Have |
| NFR-P08 | Core Web Vitals: CLS | Cumulative Layout Shift | < 0.1 | Any device | Lighthouse | Must Have |

3. Scalability Requirements

| ID | Requirement | Metric | Launch Target | 12-Month Target | Measurement Method | Priority |
|---|---|---|---|---|---|---|
| NFR-S01 | Concurrent organizations | Active organizations | 1,000 | 10,000 | Load testing (k6) | Must Have |
| NFR-S02 | Concurrent user sessions | Simultaneous sessions | 500 | 5,000 | Load testing | Must Have |
| NFR-S03 | API throughput | Requests per second | 200 RPS | 2,000 RPS | k6 load test | Must Have |
| NFR-S04 | Data volume per organization | Transactions per org/year | 50,000 | 200,000 | Storage + query monitoring | Should Have |
| NFR-S05 | Auto-scaling response | Time to add new instance | < 3 minutes | < 3 minutes | Cloud console metrics | Should Have |

4. Availability Requirements

| ID | Requirement | Target | Measurement Period | Exclusions | Priority |
|---|---|---|---|---|---|
| NFR-A01 | System uptime SLA | ≥ 99.9% | Monthly rolling | Scheduled maintenance windows | Must Have |
| NFR-A02 | Scheduled maintenance window | Max 2 hours/month | Monthly | Preferred: Sunday 02:00-04:00 CET | Must Have |
| NFR-A03 | Maintenance notification lead time | ≥ 48 hours notice | Per event | Emergency patches: 4 hours | Must Have |
| NFR-A04 | RPO (Recovery Point Objective) | Max 1 hour data loss | Per incident | N/A | Must Have |
| NFR-A05 | RTO (Recovery Time Objective) | System restored within 4 hours | Per incident | N/A | Must Have |
| NFR-A06 | Database backup frequency | Daily full + hourly transaction log | Ongoing | N/A | Must Have |

SLA Calculation Reference:

| Uptime % | Annual Downtime | Monthly Downtime |
|---|---|---|
| 99.9% | 8.7 hours | 43.8 minutes |
| 99.5% | 43.8 hours | 3.6 hours |
| 99.0% | 87.6 hours | 7.3 hours |

5. Security Requirements

| ID | Requirement | Category | Target / Standard | Measurement Method | Priority |
|---|---|---|---|---|---|
| NFR-SEC01 | Authentication | Auth | JWT (access: 15 min TTL) + refresh token (30 d rolling TTL); bcrypt password hashing (cost factor ≥ 12) | Code review | Must Have |
| NFR-SEC02 | Password policy | Auth | Min 8 chars, 1 uppercase, 1 number, 1 special character | Automated test | Must Have |
| NFR-SEC03 | Account lockout | Auth | 5 failed attempts → 15-min lockout; logged in LoggedAction | Automated test | Must Have |
| NFR-SEC04 | Data encryption in transit | Encryption | TLS 1.3 minimum; HTTP → HTTPS redirect enforced | SSL Labs scan (grade A+) | Must Have |
| NFR-SEC05 | Data encryption at rest | Encryption | Database encryption at rest (cloud provider); bcrypt for passwords | Infrastructure review | Must Have |
| NFR-SEC06 | Input validation | Injection Prevention | All inputs validated server-side with Zod; parameterized queries via Prisma | Code review + SAST | Must Have |
| NFR-SEC07 | XSS prevention | Injection Prevention | React default encoding + CSP headers; no dangerouslySetInnerHTML | OWASP ZAP / code review | Must Have |
| NFR-SEC08 | Rate limiting | DDoS/Abuse | Auth endpoints: 5 req/min; General API: 100 req/min per IP | Load test + monitoring | Must Have |
| NFR-SEC09 | Audit logging | Compliance | All auth events and financial mutations logged in LoggedAction (append-only) with user ID + timestamp | Log review | Must Have |
| NFR-SEC10 | Organization data isolation | Multi-tenancy | All database queries scoped to organizationId via middleware; no cross-tenant queries | Code review + penetration test | Must Have |
| NFR-SEC11 | Security headers | HTTP Security | HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, CSP | securityheaders.com scan | Must Have |
| NFR-SEC12 | Dependency security | Supply Chain | No known critical CVEs; automated scan in CI | Snyk / npm audit in CI | Should Have |
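NFR-SEC10 states the isolation rule but not the shape of the middleware that enforces it. The block below is an added example and not Bilko's code: a pure function in the shape a Prisma-style query middleware would call (params in, rewritten params out), with Prisma itself not imported. The model names, the action lists and the decision to fail closed on primary-key-only actions are assumptions made for the example; the one design point it demonstrates is that the organizationId is taken from the authenticated session and stamped onto every tenant-owned query, and that a request which names a different organization is rejected rather than silently overwritten.

```typescript
// Added example, not Bilko project code. QueryParams is a hand-written stand-in
// for the subset of a Prisma-style middleware's params that the guard inspects.

export interface QueryParams {
  model?: string;                       // e.g. "Invoice"
  action: string;                       // e.g. "findMany", "create"
  args?: {
    where?: Record<string, unknown>;
    data?: Record<string, unknown>;
  };
}

// Models that carry an organizationId column (assumed names for the example).
const TENANT_MODELS = new Set(["Invoice", "Expense", "Transaction", "Contact"]);

// Actions whose `where` filter gets organizationId added.
const FILTERED = new Set(["findMany", "findFirst", "count", "aggregate", "updateMany", "deleteMany"]);
// Actions whose `data` payload must carry the caller's organizationId.
const CREATING = new Set(["create"]);

export class CrossTenantError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "CrossTenantError";
    Object.setPrototypeOf(this, CrossTenantError.prototype); // keeps instanceof working when downlevelled
  }
}

// organizationId must come from the authenticated session, never from the
// request body, so the guard can trust it. Returns rewritten params or throws.
export function scopeQuery(organizationId: string, params: QueryParams): QueryParams {
  // Models without an organizationId column (e.g. shared exchange rates) pass through untouched.
  if (!params.model || !TENANT_MODELS.has(params.model)) return params;

  const args = params.args || {};
  if (FILTERED.has(params.action)) {
    const where = args.where || {};
    if ("organizationId" in where && where.organizationId !== organizationId) {
      throw new CrossTenantError(`${params.model}.${params.action} is pinned to a foreign organization`);
    }
    return { ...params, args: { ...args, where: { ...where, organizationId } } };
  }
  if (CREATING.has(params.action)) {
    const data = args.data || {};
    if ("organizationId" in data && data.organizationId !== organizationId) {
      throw new CrossTenantError(`${params.model}.create targets a foreign organization`);
    }
    return { ...params, args: { ...args, data: { ...data, organizationId } } };
  }
  // Fail closed: findUnique/update/delete select by primary key alone and cannot be
  // widened safely here, so application code must use the filtered forms above.
  throw new CrossTenantError(`${params.model}.${params.action} is not a tenant-scoped action`);
}
```

The penetration-test counterpart of NFR-SEC10 is the negative case: a request from org-A that carries `organizationId: "org-B"` in its filter must produce a CrossTenantError (and, per NFR-SEC09, an audit record), not an empty result set that hides the attempt.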

6. Reliability Requirements

| ID | Requirement | Metric | Target | Measurement Method | Priority |
|---|---|---|---|---|---|
| NFR-R01 | Application error rate | 5xx errors / total requests | < 0.1% | APM monitoring | Must Have |
| NFR-R02 | ACID compliance | Transaction integrity | 100% — all financial transactions ACID-compliant | PostgreSQL guarantees + DB tests | Must Have |
| NFR-R03 | Double-entry balance integrity | Debit = Credit for all transactions | Zero imbalance events | CI test: balance check on all transactions | Must Have |
| NFR-R04 | SEF queue reliability | Failed SEF submissions retried | Max 3 retries; success on retry > 99% for transient failures | SEF monitoring | Must Have |
| NFR-R05 | Data integrity | Zero data corruption | 0 corruption events per 12 months | Database integrity checks | Must Have |
| NFR-R06 | Health check endpoint | System health observable | /api/health returns 200 when healthy | Uptime monitoring | Must Have |

7. Usability Requirements

| ID | Requirement | Target | Measurement Method | Priority |
|---|---|---|---|---|
| NFR-U01 | Time to create first invoice | New user creates first invoice in < 10 minutes | Beta user testing | Must Have |
| NFR-U02 | Invoice wizard completion rate | ≥ 85% of users who start the wizard complete it | Analytics (funnel) | Must Have |
| NFR-U03 | WCAG compliance | WCAG 2.1 Level AA | axe-core automated + manual | Must Have |
| NFR-U04 | Keyboard navigation | All interactive elements reachable by keyboard | Manual testing | Must Have |
| NFR-U05 | Mobile responsiveness | Fully functional on 375px–1440px viewport | Manual + Lighthouse | Must Have |
| NFR-U06 | Language: Serbian | Full UI in Serbian (Latin script) for Phase 1; Cyrillic toggle | Manual review by native speaker | Must Have |
| NFR-U07 | Error messages | All errors in Serbian; actionable advice included | Content audit | Must Have |

8. Compatibility Requirements

| ID | Requirement | Category | Target | Priority |
|---|---|---|---|---|
| NFR-C01 | Web browsers (desktop) | Browser | Chrome 100+, Firefox 100+, Safari 16+, Edge 100+ | Must Have |
| NFR-C02 | Web browsers (mobile) | Browser | Safari iOS 15+, Chrome Android 100+ | Must Have |
| NFR-C03 | Mobile operating systems | OS | iOS 15+, Android 11+ | Must Have |
| NFR-C04 | Screen resolutions | Responsive | 375px to 2560px viewport width | Must Have |
| NFR-C05 | SEF API compatibility | External API | SEF API v1 (UBL 2.1 XML, REST) | Must Have |
| NFR-C06 | Bank CSV formats | Import | Serbian bank CSV formats: Raiffeisen, UniCredit, OTP, Banca Intesa | Should Have |

9. Maintainability Requirements

| ID | Requirement | Metric | Target | Measurement Method | Priority |
|---|---|---|---|---|---|
| NFR-M01 | Test coverage (backend) | % code covered by automated tests | ≥ 80% overall; ≥ 95% for financial logic (double-entry, VAT, SEF) | CI coverage report | Must Have |
| NFR-M02 | TypeScript strict mode | Type safety | `strict: true` in tsconfig for all packages | CI type-check | Must Have |
| NFR-M03 | Deployment frequency | Time to deploy bug fix to production | < 1 hour from PR merge | CI/CD metrics | Should Have |
| NFR-M04 | Database migrations | Schema change process | All changes via Prisma migration; never edit an existing migration | Code review | Must Have |
| NFR-M05 | Monorepo build time | Turborepo build | Full build < 3 minutes; incremental < 30 seconds | CI metrics | Should Have |
| NFR-M06 | Logging completeness | Log coverage | All external API calls (SEF, email, FX), all errors, all financial mutations logged | Log review | Must Have |

10. Compliance Requirements

| ID | Regulation | Applicability | Requirement | Technical Implementation | Priority |
|---|---|---|---|---|---|
| NFR-COMP01 | Zakon o elektronskom fakturisanju (Serbia) | Yes — mandatory B2B 2023 | Submit e-invoices to SEF in UBL 2.1; sequential numbering; digital signature | SefService module; UBL 2.1 XML generation | Must Have |
| NFR-COMP02 | Zakon o PDV (Serbia) | Yes — all VAT-registered orgs | 20% standard, 10% reduced PDV; monthly filing by the 15th; PDV report format for ePorezi | PDV calculation engine; report export | Must Have |
| NFR-COMP03 | Zakon o računovodstvu (Serbia) | Yes | Double-entry; 10-year document retention; annual balance sheet; audit trail | LoggedAction (append-only); DB retention policy | Must Have |
| NFR-COMP04 | GDPR (EU / Norwegian Personvernloven) | Yes — ALAI Holding AS is Norwegian; processes EU citizen data | Lawful basis for processing; right to deletion within 30 days; DPA in place; breach notification within 72 h; data export (Article 20) | User data deletion API; audit logs; DPA | Must Have |
| NFR-COMP05 | GDPR — Data minimization | Yes | Collect only data necessary for the accounting function | BA review of data model; field-level PII audit | Must Have |
| NFR-COMP06 | GDPR — Cookie consent | Yes — if tracking cookies used | Explicit consent before non-essential cookies | Cookie consent banner; opt-in-only analytics | Must Have |
| NFR-COMP07 | Multi-tenancy data isolation | Yes — SaaS requirement | Organization data strictly scoped; no cross-tenant access | organizationId middleware + DB constraint | Must Have |
| NFR-COMP08 | WCAG 2.1 AA | Yes — accessibility standard | Digital accessibility for all users | NFR-U03, NFR-U04 | Must Have |

11. Data Requirements

| ID | Requirement | Category | Target | Implementation | Priority |
|---|---|---|---|---|---|
| NFR-D01 | Monetary precision | Data type | ALL monetary fields: NUMERIC(19,4) — NEVER float, NEVER JavaScript number | Prisma schema: Decimal type enforced | Must Have |
| NFR-D02 | Data retention — financial records | Retention | 10 years minimum (Serbia); 11 years (Croatia) | Retention policy in DB; no auto-delete of financial records | Must Have |
| NFR-D03 | Data retention — logs | Retention | Application logs: 90 days; audit logs (LoggedAction): retain permanently | Log rotation + LoggedAction never purged | Must Have |
| NFR-D04 | Database backup | Backup | Full backup daily; transaction logs every 1 hour | Automated backup schedule in cloud provider | Must Have |
| NFR-D05 | Backup encryption | Backup | Backups encrypted at rest (AES-256) | Cloud provider encryption | Must Have |
| NFR-D06 | PII identification | Privacy | All PII fields documented; user email, name, tax ID (PIB) identified | Data dictionary + Prisma annotations | Must Have |
| NFR-D07 | Data export (portability) | Portability | User can export all organization data (invoices, expenses, transactions, contacts) in JSON/CSV | Export API endpoint | Must Have |
| NFR-D08 | Exchange rate immutability | Integrity | Exchange rate locked at transaction date; cannot be retroactively edited | DB constraint + LoggedAction on change attempt | Must Have |
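NFR-R03 (debit = credit, checked in CI) and NFR-D01 (NUMERIC(19,4), never a JavaScript number) are two halves of the same check, because a balance test that sums floats would itself report phantom imbalances. The block below is an added example and not Bilko's code: it holds amounts as exact integers counting 1/10000 of a unit (the scale of NUMERIC(19,4)) as an in-memory stand-in for the Decimal column, runs the double-entry check over a journal entry, and shows the float drift the rule exists to prevent. The journal-line shape, the account names and the sample amounts are constructed for the example.

```typescript
// Added example, not Bilko project code. Amounts are exact integers of 10^-4
// units, mirroring NUMERIC(19,4); persistence still goes through Prisma's
// Decimal column, this stand-in only exists so the check runs stand-alone.

const SCALE = 4;
const UNIT = Math.pow(10, SCALE); // 10000 minor units per whole unit

function padLeft(s: string, width: number): string {
  while (s.length < width) s = "0" + s;
  return s;
}

// "1234.5" -> 12345000. Rejects more than 4 decimals and non-numeric text.
export function toMinor(amount: string): number {
  const m = /^(-?)(\d+)(?:\.(\d{1,4}))?$/.exec(amount.trim());
  if (!m) throw new Error(`invalid amount ${JSON.stringify(amount)}: digits with at most ${SCALE} decimals`);
  let frac = m[3] || "";
  while (frac.length < SCALE) frac += "0";
  const minor = Number(m[2]) * UNIT + Number(frac);
  if (!Number.isSafeInteger(minor)) throw new Error(`amount ${amount} exceeds the safe integer range`);
  return m[1] === "-" ? -minor : minor;
}

// 12345000 -> "1234.5000" (always 4 decimals, like the database column).
export function fromMinor(minor: number): string {
  const abs = Math.abs(minor);
  const whole = Math.floor(abs / UNIT);
  const frac = padLeft(String(abs % UNIT), SCALE);
  return `${minor < 0 ? "-" : ""}${whole}.${frac}`;
}

// Constructed shape for a posted journal entry; amounts are decimal strings as
// they would arrive from the database driver, never floats.
export interface JournalLine { account: string; debit: string; credit: string; }
export interface JournalEntry { id: string; lines: JournalLine[]; }
export interface BalanceResult { balanced: boolean; problems: string[]; }

// NFR-R03 check: each line is either a debit or a credit, never both or
// neither, and the entry's total debit equals its total credit exactly.
export function checkBalance(entry: JournalEntry): BalanceResult {
  const problems: string[] = [];
  let debit = 0;
  let credit = 0;
  for (const line of entry.lines) {
    const d = toMinor(line.debit);
    const c = toMinor(line.credit);
    if (d < 0 || c < 0) problems.push(`${entry.id}/${line.account}: negative amount`);
    if ((d > 0) === (c > 0)) problems.push(`${entry.id}/${line.account}: line must carry exactly one of debit or credit`);
    debit += d;
    credit += c;
  }
  if (debit !== credit) problems.push(`${entry.id}: debit ${fromMinor(debit)} != credit ${fromMinor(credit)}`);
  return { balanced: problems.length === 0, problems };
}

// The banned alternative, kept only to show the drift: the same decimal
// strings summed as JavaScript numbers versus as minor units.
export function floatSum(amounts: string[]): number {
  return amounts.map(Number).reduce((a, b) => a + b, 0);
}
export function minorSum(amounts: string[]): number {
  return amounts.map(toMinor).reduce((a, b) => a + b, 0);
}

// Constructed sample: a 1000.0000 sale with 20% PDV, posted as one entry.
export const SAMPLE_ENTRY: JournalEntry = {
  id: "JE-1",
  lines: [
    { account: "Kupci (receivable)", debit: "1200.0000", credit: "0" },
    { account: "Prihodi (revenue)", debit: "0", credit: "1000.0000" },
    { account: "Obaveze za PDV (VAT payable)", debit: "0", credit: "200.0000" },
  ],
};
```

In a CI job this check would run over every entry in the test database and fail the build on the first non-empty `problems` list; the rejection of inputs with more than four decimals is what backs the "0 NUMERIC precision errors" pass criterion in the verification plan, since a value the column cannot store exactly is refused before it reaches the database.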

12. NFR Testing & Verification Plan

| NFR Category | Testing Method | Tools | Frequency | Pass Criteria |
|---|---|---|---|---|
| Performance | Lighthouse + k6 load test | Lighthouse, k6 | Pre-launch + monthly | All NFR-P targets met at normal load |
| Scalability | k6 stress test (2× normal load) | k6 | Pre-launch | Graceful degradation; no data corruption under stress |
| Security | SAST + OWASP ZAP + manual code review | Snyk, OWASP ZAP | CI (SAST), pre-launch (DAST) | No critical/high unresolved vulnerabilities |
| Compliance (SEF) | SEF sandbox end-to-end test | SEF sandbox API | Pre-launch | 100% invoice submission success in sandbox |
| Compliance (PDV) | Manual accounting verification + test data | Test data set | Pre-launch + each PDV change | PDV calculations match expected values for 20 test cases |
| Compliance (GDPR) | Manual review + deletion test | Manual | Pre-launch + annual | Right to deletion completes within 30 days; export works |
| Accessibility | axe-core + keyboard manual test | axe-core | Per sprint | WCAG 2.1 AA — 0 critical violations |
| Availability | Uptime monitoring + DR drill | Uptime monitor | Ongoing + quarterly | SLA ≥ 99.9% monthly |
| Data integrity | DB constraint tests + balance check in CI | Prisma + custom tests | CI (every PR) | 0 debit/credit imbalances; 0 NUMERIC precision errors |

Approval

| Role | Name | Date | Signature |
|---|---|---|---|
| Author | John (AI Director) | 2026-02-23 | |
| Reviewer | | | |
| Tech Lead | John | 2026-02-23 | |
| Business Analyst | John | 2026-02-23 | |
| Product Owner | John | 2026-02-23 | |
| AI Director (John) | John | 2026-02-23 | |
| CEO (Alem) | Alem Bašić | | |