Non-Functional Requirements

Non-Functional Requirements (NFR): Bilko{{PROJECT_NAME}}

Project: ~~Bilko — Balkan Accounting SaaS~~{{PROJECT_NAME}} Version: ~~1.0~~{{VERSION}} Date: ~~2026-02-25~~{{DATE}} Author: ~~John (AI Director)~~{{AUTHOR}} Status: ~~Final~~Draft | In Review | Approved Reviewers: ~~Alem Bašić (CEO)~~{{REVIEWERS}}

Document History

Version	Date	Author	Changes
0.1	~~2026-02-23~~{{DATE}}	~~John (AI Director)~~{{AUTHOR}}	Initial draft ~~— Phase 1 Serbia MVP~~
~~1.0~~	~~2026-02-25~~	~~John (AI Director)~~	~~Finalized for v1.0 release~~

1. NFR Overview

Category	# Requirements	Highest Priority	Owner
Performance	8{{COUNT}}	~~Critical~~{{HIGH/MED/LOW}}	~~John~~Tech Lead
Scalability	5{{COUNT}}	~~High~~	~~John~~Tech Lead / DevOps ~~agent~~
Availability	6{{COUNT}}	~~Critical~~	~~John /~~ DevOps ~~agent~~
Security	10{{COUNT}}	Critical	~~John~~Tech Lead + Security
Reliability	6{{COUNT}}	~~Critical~~	~~John~~Tech Lead / DevOps
Usability	7{{COUNT}}	~~High~~	~~John /~~ Designer
Compatibility	6{{COUNT}}	~~High~~	~~John~~Tech Lead
Maintainability	6{{COUNT}}	~~Medium~~	~~John~~Tech Lead
Compliance	8{{COUNT}}	~~Critical~~	~~John~~Tech Lead + ~~Asmir~~Legal
Data	8{{COUNT}}	~~Critical~~	~~John~~Tech Lead

2. Performance Requirements

ID	Requirement	Metric	Target	Measurement Conditions	Measurement Method	Priority
NFR-P01	~~Dashboard page~~Page load time (initial)	Time to Interactive	< 3 seconds	4G connection, cold cache	Lighthouse / WebPageTest	Must Have
NFR-P02	~~Dashboard page~~Page load time (subsequent)	Time to Interactive	< 11.5 ~~second~~seconds	Warm ~~cache, average device~~cache	Lighthouse	Must Have
NFR-P03	~~Invoice~~API ~~creation~~response ~~wizard~~time ~~navigation~~(standard)	~~Time~~p95 ~~per~~response ~~step~~time	< 500ms	~~Any~~Normal ~~device,~~load ~~warm~~({{CONCURRENT_USERS}} ~~cache~~users)	~~Lighthouse~~APM tool / k6	Must Have
NFR-P04	API response time (~~standard~~complex ~~CRUD)~~	~~p95 response time~~	~~< 300ms~~	~~≤ 1000 concurrent users~~	~~APM tool / k6~~	~~Must Have~~
~~NFR-P05~~	~~API response time (reports)~~queries)	p95 response time	< 2 seconds	≤Normal ~~1000 concurrent orgs~~load	APM tool	Should Have
NFR-P05	Database query time	p95 query time	< 100ms	Normal load	DB monitoring	Must Have
NFR-P06	~~SEF~~File ~~submission~~upload ~~response~~throughput	~~End-to-end~~Upload ~~latency~~speed	{{SIZE}}MB in < ~~30 seconds~~{{TIME}}s	~~SEF~~Single ~~API~~user	Load testing	{{PRIORITY}}
NFR-P07	Search response time	~~API~~p95 ~~monitoring~~response time	~~Must~~< 1 second	Normal load	APM tool	Should Have
NFR-~~P07~~P08	Report generation	Completion time	< {{TIME}} seconds	Normal load	APM tool	Could Have
NFR-P09	Core Web Vitals: LCP	Largest Contentful Paint	< 2.5 seconds	Mobile, 4G	Lighthouse	Must Have
NFR-~~P08~~P10	Core Web Vitals: CLS	Cumulative Layout Shift	< 0.1	Any device	Lighthouse	Must Have

3. Scalability Requirements

ID	Requirement	Metric	Launch Target	12-Month Target	Measurement Method	Priority
NFR-S01	Concurrent ~~organizations~~users	~~Active~~Simultaneous ~~organizations~~active sessions	~~1,000~~{{X}} users	~~10,000~~{{X}} users	Load testing (~~k6)~~k6/JMeter)	Must Have
NFR-S02	~~Concurrent~~Peak ~~user~~load ~~sessions~~handling	~~Simultaneous~~Requests ~~sessions~~per second	~~500~~{{X}} RPS	~~5,000~~{{X}} RPS	Load testing	Must Have
NFR-S03	~~API throughput~~	~~Requests per second~~	~~200 RPS~~	~~2,000 RPS~~	~~k6 load test~~	~~Must Have~~
~~NFR-S04~~	Data volume ~~per organization~~growth	~~Transactions~~Database ~~per~~size ~~org/~~growth	{{X}}GB/year	~~50,000~~	~~200,000~~{{X}}GB/year	Storage ~~+ query~~ monitoring	Should Have
NFR-S04	API rate limits	Max requests per user/hour	{{X}} requests	{{X}} requests	API gateway metrics	Must Have
NFR-S05	File storage growth	Storage volume	{{X}}GB	{{X}}GB	Storage monitoring	Should Have
NFR-S06	Auto-scaling response	Time to ~~add~~scale ~~new~~out ~~instance~~under load	< 32 minutes	< 32 minutes	Cloud console metrics	Should Have
NFR-S07	Geographic distribution	Regions supported	{{REGIONS}}	{{REGIONS}}	CDN configuration	{{PRIORITY}}

4. Availability Requirements

ID	Requirement	Target	Measurement Period	Exclusions	Priority
NFR-A01	System uptime SLA	≥ {{99.9%5 / 99.9}}%	Monthly rolling	Scheduled maintenance ~~windows~~	Must Have
NFR-A02	Scheduled maintenance window	Max 2{{X}} hours/month	Monthly	~~Preferred: Sunday 02:00-04:00 CET~~{{PREFERRED_WINDOW}}	Must Have
NFR-A03	Maintenance notification lead time	≥ 48 hours notice	Per event	Emergency patches: 4 hours	Must Have
NFR-A04	RPO (Recovery Point Objective)	Max 1{{X}} ~~hour~~hours data loss	Per incident	N/A	Must Have
NFR-A05	RTO (Recovery Time Objective)	System restored within 4{{X}} hours	Per incident	N/A	Must Have
NFR-A06	Database backup frequency	~~Daily~~Every ~~full~~{{X}} ~~+ hourly transaction log~~hours	Ongoing	N/A	Must Have
NFR-A07	Backup retention	{{X}} days rolling	Ongoing	N/A	Must Have
NFR-A08	Disaster recovery test	Pass DR drill	Annually	N/A	Should Have

SLA Calculation Reference:

Uptime %	Annual Downtime	Monthly Downtime
99.9%	8.7 hours	43.8 minutes
99.5%	43.8 hours	3.6 hours
99.0%	87.6 hours	7.3 hours

5. Security Requirements

~~via~~ ~~npm~~inCI

ID	Requirement	Category	Target / Standard	Measurement Method	Priority
NFR-SEC01	Authentication method	Auth	~~JWT (access: 15min TTL)~~{{JWT/OAuth2/OIDC}} + ~~refresh~~MFA ~~token (30d rolling TTL); bcrypt password hashing (cost factor ≥ 12)~~optional	Code review + pentest	Must Have
NFR-SEC02	Password policy	Auth	Min 8 chars, 1 uppercase, 1 number, 1 special ~~character~~	Automated test	Must Have
NFR-SEC03	~~Account~~Session ~~lockout~~management	Auth	5Timeout: ~~failed~~30min ~~attempts~~idle; →absolute: ~~15-min~~8 ~~lockout; logged in LoggedAction~~hours	Automated test	Must Have
NFR-SEC04	Data encryption in transit	Encryption	TLS 1.3 ~~minimum; HTTP → HTTPS redirect enforced~~minimum	SSL Labs scan (grade A+)	Must Have
NFR-SEC05	Data encryption at rest	Encryption	~~Database encryption at rest (cloud provider); bcrypt~~AES-256 for ~~passwords~~PII; database encryption	Infrastructure review	Must Have
NFR-SEC06	Input validation	Injection Prevention	All inputs sanitized server-~~side with Zod;~~side; parameterized queries ~~via Prisma~~	Code review + SAST	Must Have
NFR-SEC07	XSS prevention	Injection Prevention	~~React default encoding +~~ CSP headers; nooutput ~~dangerouslySetInnerHTML~~encoding	OWASP ZAP / ~~code review~~DAST	Must Have
NFR-SEC08	~~Rate~~CSRF ~~limiting~~protection	~~DDoS/Abuse~~Injection Prevention	~~Auth~~CSRF ~~endpoints:~~tokens 5on ~~req/min;~~all ~~General~~state-changing ~~API: 100 req/min per IP~~requests	~~Load~~Code ~~test + monitoring~~review	Must Have
NFR-SEC09	Rate limiting	DDoS/Abuse	API: {{X}} req/min per IP; login: 5 attempts/15min	Load testing	Must Have
NFR-SEC10	Audit logging	Compliance	All auth events, ~~financial~~data mutations logged ~~in LoggedAction (append-only)~~ with user ID + timestamp	Log review	Must Have
NFR-~~SEC10~~SEC11	~~Organization~~Dependency ~~data isolation~~security	~~Multi-tenancy~~Supply Chain	~~All~~No ~~database~~known ~~queries~~critical ~~scoped~~CVEs toin ~~organizationId~~dependencies	Automated ~~middleware;~~scan (Snyk/Dependabot)	Must Have
NFR-SEC12	Secret management	Secrets	No secrets in code/git; use env vars or vault	Code scan + git history check	Must Have
NFR-SEC13	Role-based access control	Authorization	Principle of least privilege; no ~~cross-tenant~~role ~~queries~~escalation	Code review + penetration test	Must Have
NFR-~~SEC11~~SEC14	Security headers	HTTP Security	HSTS, X-Frame-~~Options: DENY,~~Options, X-Content-Type-~~Options: nosniff, CSP~~Options	securityheaders.com scan	Must Have
NFR-~~SEC12~~SEC15	~~Dependency~~Vulnerability ~~security~~scanning	~~Supply Chain~~Operations	~~No known critical CVEs; automated~~Automated scan in CICI; critical issues block deploy	~~Snyk~~CI /pipeline	Should ~~audit~~Have
NFR-SEC16	Penetration testing	Operations	Annual external pentest	Third-party report	Should Have

6. Reliability Requirements

ID	Requirement	Metric	Target	Measurement Method	Priority
NFR-R01	Application error rate	5xx errors / total requests	< 0.1%	APM monitoring	Must Have
NFR-R02	~~ACID~~Client-side ~~compliance~~error rate	~~Transaction~~JS ~~integrity~~errors per session	~~100%~~< —1% ~~all~~of ~~financial transactions ACID-compliant~~sessions	~~PostgreSQL~~Error ~~guarantees~~tracking ~~+ DB tests~~(Sentry)	~~Must~~Should Have
NFR-R03	~~Double-entry~~MTBF ~~balance~~(Mean ~~integrity~~Time Between Failures)	~~Debit~~Average =time ~~Credit~~between ~~for all transactions~~incidents	~~Zero~~> ~~imbalance~~{{X}} ~~events~~days	CIIncident ~~test: balance check on all transactions~~tracking	~~Must~~Should Have
NFR-R04	~~SEF~~MTTR ~~queue~~(Mean ~~reliability~~Time To Recovery)	~~Failed~~Average ~~SEF~~time ~~submissions~~to ~~retried~~restore service	~~Max~~< 3{{X}} ~~retries; success on retry > 99% for transient failures~~hours	~~SEF~~Incident ~~monitoring~~tracking	Must Have
NFR-R05	Data integrity	Zero data corruption events	0 ~~corruption events per 12 months~~incidents	Database integrity checks	Must Have
NFR-R06	Transaction integrity	Atomic transactions	ACID compliance	Database tests	Must Have
NFR-R07	Graceful degradation	Partial failure handling	Non-critical features fail gracefully; core stays up	Chaos testing	Should Have
NFR-R08	Health check endpoint	System health observable	/~~api/~~health returns 200 when healthy	~~Uptime monitoring~~Monitoring	Must Have

7. Usability Requirements

ID	Requirement	Target	Measurement Method	Priority
NFR-U01	Time to ~~create~~complete ~~first~~core ~~invoice~~task	New user ~~creates~~completes ~~first invoice~~{{KEY_TASK}} in < 10{{X}} minutes	~~Beta user~~Usability testing	Must Have
NFR-U02	~~Invoice~~Error ~~wizard completion rate~~recovery	≥User ~~85%~~can ofrecover ~~users~~from ~~who~~any ~~start~~error ~~wizard~~without ~~complete it~~help	~~Analytics~~Usability ~~(funnel)~~testing	Must Have
NFR-U03	WCAG compliance	WCAG 2.1 Level AA	Automated axe-core ~~automated~~ + manual review	Must Have
NFR-U04	Keyboard navigation	All interactive elements reachable by keyboard	Manual testing	Must Have
NFR-U05	Screen reader support	Compatible with NVDA / VoiceOver	Manual testing	Should Have
NFR-U06	Mobile responsiveness	Fully functional on 375px–1440px ~~viewport~~width	Manual + ~~Lighthouse~~	~~Must Have~~
~~NFR-U06~~	~~Language: Serbian~~	~~Full UI in Serbian (Latin script) for Phase 1; Cyrillic toggle~~	~~Manual review by native speaker~~automated	Must Have
NFR-U07	~~Error~~Color ~~messages~~contrast	≥ 4.5:1 for normal text; ≥ 3:1 for large text	Contrast checker	Must Have
NFR-U08	Onboarding completion	{{X}}% of new users complete onboarding	Analytics	Should Have
NFR-U09	Help / documentation	All ~~errors~~key features documented in-app or in ~~Serbian~~help ~~language; actionable advice included~~center	Content audit	~~Must~~Should Have

8. Compatibility Requirements

~~UniCredit,BancaIntesa~~

ID	Requirement	Category	Target	Priority
NFR-C01	Web browsers ~~(desktop)~~	Browser	Chrome 100+, Firefox 100+, Safari 16+, Edge 100+	Must Have
NFR-C02	~~Web~~Mobile browsers ~~(mobile)~~	Browser	Safari iOS 15+, Chrome Android 100+	Must Have
NFR-C03	Mobile operating systems	OS	iOS 15+, Android 11+	Must Have
NFR-C04	~~Screen~~Desktop ~~resolutions~~operating systems	~~Responsive~~OS	~~375px~~Windows to10+, ~~2560px~~macOS ~~viewport~~12+, ~~width~~Ubuntu 20.04+	Must Have
NFR-C05	~~SEF~~Screen ~~API compatibility~~resolutions	~~External API~~Responsive	~~SEF~~375px ~~API~~to v12560px ~~(UBL 2.1 XML, REST)~~width	Must Have
NFR-C06	~~Bank~~Minimum ~~CSV~~device ~~formats~~specs	~~Import~~Performance	~~Serbian~~Works ~~bank~~on ~~CSV~~mid-range ~~formats:~~2020+ ~~Raiffeisen,~~devices	Should ~~OTP,~~Have
NFR-C07	Third-party integrations	API	{{EXTERNAL_SYSTEM}} API version {{VERSION}}	Must Have
NFR-C08	Email clients	Email	Gmail, Outlook, Apple Mail, mobile clients	Should Have

9. Maintainability Requirements

for forerrorrate,

ID	Requirement	Metric	Target	Measurement Method	Priority
NFR-M01	Test coverage ~~(backend)~~	% of code covered by automated tests	≥ 80% overall; ≥ 95% for ~~financial~~critical ~~logic (double-entry, VAT, SEF)~~paths	CI coverage report	Must Have
NFR-M02	~~TypeScript~~Code ~~strict mode~~documentation	~~Type~~% ~~safety~~of public APIs documented	`strict:100% true`of inpublic ~~tsconfig for all packages~~APIs	CICode ~~type-check~~review	Must Have
NFR-M03	Cyclomatic complexity	Per-function complexity	Max 10 per function; refactor if exceeded	Static analysis (SonarQube)	Should Have
NFR-M04	Dependency currency	% of dependencies on current major version	≥ 80% current; 0 dependencies with critical CVEs	Automated scan	Should Have
NFR-M05	Deployment frequency	Time to deploy a bug fix to production	< 1 hour from PR merge	CI/CD metrics	Should Have
NFR-~~M04~~M06	~~Database~~Feature ~~migrations~~flag support	~~Schema~~Ability ~~change~~to ~~process~~disable features without deploy	Available for all major features	Code review	Could Have
NFR-M07	Logging completeness	Log coverage for operations	All ~~changes~~external ~~via~~calls, ~~Prisma~~errors, ~~migration;~~and ~~never~~user ~~edit~~mutations ~~existing migration~~logged	~~Code~~Log review	Must Have
NFR-~~M05~~M08	~~Monorepo~~Monitoring ~~build time~~observability	~~Turborepo~~Dashboards ~~build~~	~~Full build < 3 minutes; incremental < 30 seconds~~	CIkey metrics	~~Should~~Dashboards ~~Have~~
~~NFR-M06~~response time, uptime	~~Logging~~Monitoring ~~completeness~~	~~Log coverage~~	~~All external API calls (SEF, email, FX), all errors, all financial mutations logged~~	~~Log review~~tool	Must Have

10. Compliance Requirements

ID	Regulation	Applicability	Requirement	Technical Implementation	Priority
NFR-COMP01	~~Zakon o elektronskom fakturisanju (Serbia)~~GDPR	~~Yes~~{{YES — ~~mandatory~~if ~~B2B~~handling ~~2023~~EU personal data}}	~~Submit~~Lawful ~~e-invoices~~basis for processing; right to ~~SEF~~deletion; DPA required; breach notification within 72h	User data deletion API; audit logs; DPA in ~~UBL 2.1; sequential numbering; digital signature~~	~~SefService module; UBL 2.1 XML generation~~place	Must Have
NFR-COMP02	~~Zakon~~GDPR o— ~~PDV~~Cookie ~~(Serbia)~~consent	~~Yes~~{{YES — ~~all~~if ~~VAT-registered~~using ~~orgs~~tracking cookies}}	~~20%~~Explicit ~~standard,~~consent ~~10%~~before ~~reduced~~non-essential ~~PDV; monthly filing by 15th; PDV report format for ePorezi~~cookies	~~PDV~~Cookie ~~calculation~~consent ~~engine;~~banner; ~~report~~opt-in ~~export~~only tracking	Must Have
NFR-COMP03	~~Zakon o računovodstvu (Serbia)~~	~~Yes~~	~~Double-entry; 10-year document retention; annual balance sheet; audit trail~~	~~LoggedAction (append-only); DB retention policy~~	~~Must Have~~
~~NFR-COMP04~~	~~GDPR (EU / Norwegian Personvernloven)~~	~~Yes — ALAI Holding AS is Norwegian; processes EU citizen data~~	~~Lawful basis for processing; right to deletion within 30 days; DPA in place; breach notification within 72h; data export (Article 20)~~	~~User data deletion API; audit logs; DPA~~	~~Must Have~~
~~NFR-COMP05~~	GDPR — Data minimization	Yes	Collect only data necessary for ~~accounting~~stated ~~function~~purpose	BA review of data ~~model; field-level PII audit~~model	Must Have
NFR-COMP04	{{HIPAA}}	{{YES/NO — healthcare data}}	PHI protection; audit logs; BAA required	Role-based access; encrypted PHI fields	{{PRIORITY}}
NFR-COMP05	{{PCI-DSS}}	{{YES/NO — payment card data}}	SAQ compliance; tokenization; no card storage	Stripe/payment gateway tokenization	{{PRIORITY}}
NFR-COMP06	~~GDPR~~Norwegian ~~— Cookie consent~~Personvernloven	~~Yes — if tracking cookies used~~{{YES}}	~~Explicit~~Alignment ~~consent~~with ~~before~~GDPR ~~non-essential~~national ~~cookies~~implementation	~~Cookie~~Legal ~~consent banner; opt-in only analytics~~review	Must Have
NFR-COMP07	~~Multi-tenancy data isolation~~	~~Yes — SaaS requirement~~	~~Organization data strictly scoped; no cross-tenant access~~	~~organizationId middleware + DB constraint~~	~~Must Have~~
~~NFR-COMP08~~	WCAG 2.1 AA	~~Yes — accessibility standard~~{{YES}}	Digital accessibility ~~for all users~~	NFR-~~U03,~~U01 to NFR-~~U04~~U07	Must Have

11. Data Requirements

in~~provider~~

ID	Requirement	Category	Target	Implementation	Priority
NFR-D01	~~Monetary~~Data ~~precision~~retention — user data	~~Data type~~Retention	~~ALL~~{{X}} ~~monetary~~years ~~fields:~~active; ~~NUMERIC(19,4)~~deleted —within ~~NEVER~~30 ~~float,~~days ~~NEVER~~of ~~JavaScript~~account ~~number~~deletion request	~~Prisma~~Scheduled ~~schema:~~deletion ~~Decimal type enforced~~job	Must Have
NFR-D02	~~Data retention — financial records~~	~~Retention~~	~~10 years minimum (Serbia); 11 years (Croatia)~~	~~Retention policy in DB; no auto-delete of financial records~~	~~Must Have~~
~~NFR-D03~~	Data retention — logs	Retention	Application logs: 90 days; Audit ~~logs~~logs: ~~(LoggedAction):~~3 ~~retain permanently~~years	Log rotation ~~+ LoggedAction never purged~~policy	Must Have
NFR-~~D04~~D03	Database backup frequency	Backup	Full backup daily; transaction logs every 1{{X}} ~~hour~~hours	Automated backup schedule	Must ~~cloud~~Have
NFR-D04	Backup encryption	Backup	Backups encrypted with AES-256	Infrastructure config	Must Have
NFR-D05	~~Backup~~Data ~~encryption~~integrity checks	~~Backup~~Integrity	~~Backups~~Database ~~encrypted~~constraints; atno ~~rest~~orphaned ~~(AES-256)~~records	~~Cloud~~DB ~~provider~~schema ~~encryption~~+ integration tests	Must Have
NFR-D06	PII identification	Privacy	All PII fields ~~documented;~~identified ~~user~~and ~~email, name, tax ID (PIB) identified~~documented	Data dictionary ~~+ Prisma annotations~~	Must Have
NFR-D07	Data export ~~(portability)~~	Portability	User can export ~~all organization~~their data ~~(invoices, expenses, transactions, contacts)~~ in ~~JSON/CSV~~machine-readable format (GDPR Article 20)	Export API endpoint	Must Have
NFR-D08	~~Exchange~~Data ~~rate immutability~~anonymization	~~Integrity~~Privacy	~~Exchange~~Anonymize ~~rate~~user ~~locked~~data atin ~~transaction~~non-production ~~date; cannot be retroactively edited~~environments	DBDev/staging ~~constraint~~data ~~+ LoggedAction on change attempt~~scripts	Must Have
NFR-D09	Archival strategy	Retention	Data older than {{X}} years archived to cold storage	Archive schedule	Should Have

12. NFR Testing & Verification Plan

NFR Category	Testing Method	Tools	Frequency	Pass Criteria
Performance	~~Lighthouse~~Load ~~+ k6 load test~~testing	~~Lighthouse,~~k6, k6JMeter, Lighthouse	Pre-launch + monthly	All NFR-P targets met ~~at normal load~~
Scalability	k6Stress ~~stress test (2× normal load)~~testing	k6	Pre-launch	~~Graceful~~System ~~degradation;~~gracefully nohandles ~~data~~2× ~~corruption~~peak ~~under stress~~load
Security	SAST + ~~OWASP ZAP~~DAST + ~~manual code review~~Pentest	Snyk, OWASP ~~ZAP~~ZAP, external pentest	CI (SAST), Pre-launch (~~DAST)~~DAST+Pentest), Annual	No critical/high vulnerabilities unresolved ~~vulnerabilities~~
~~Compliance (SEF)~~	~~SEF sandbox end-to-end test~~	~~SEF sandbox API~~	~~Pre-launch~~	~~100% invoice submission success in sandbox~~
~~Compliance (PDV)~~	~~Manual accounting verification + test data~~	~~Test data set~~	~~Pre-launch + each PDV change~~	~~PDV calculations match expected values for 20 test cases~~
~~Compliance (GDPR)~~	~~Manual review + deletion test~~	~~Manual~~	~~Pre-launch + annual~~	~~Right to deletion completes within 30 days; export works~~
Accessibility	~~axe-core~~Automated + ~~keyboard~~ manual ~~test~~	axe-~~core~~core, manual screen reader	Per sprint	WCAG 2.1 AA ~~— 0 critical violations~~
Availability	~~Uptime monitoring~~Monitoring + DR drill	Uptime monitor	Ongoing + ~~quarterly~~annual	SLA ≥targets ~~99.9% monthly~~met
~~Data integrity~~Compliance	DBLegal ~~constraint tests~~review + ~~balance check in CI~~audit	~~Prisma~~Manual + ~~custom tests~~automated	CIPre-launch ~~(every~~+ ~~PR)~~annual	0All ~~debit/credit~~compliance ~~imbalances;~~items ~~0 NUMERIC precision errors~~verified

Approval

Role	Name	Date
Author	~~John (AI Director)~~	~~2026-02-23~~
Reviewer
Tech Lead	~~John~~	~~2026-02-23~~
Business Analyst	~~John~~	~~2026-02-23~~
Product Owner	~~John~~	~~2026-02-23~~
AI Director (John)	~~John~~	~~2026-02-23~~
~~CEO~~Client ~~(Alem)~~Representative	~~Alem Bašić~~