Non-Functional Requirements

Non-Functional Requirements (NFR): {{PROJECT_NAME}}Bilko

Project: ~~{{PROJECT_NAME}}~~Bilko — Balkan Accounting SaaS Version: ~~{{VERSION}}~~1.0 Date: ~~{{DATE}}~~2026-02-25 Author: ~~{{AUTHOR}}~~John (AI Director) Status: ~~Draft | In Review | Approved~~Final Reviewers: ~~{{REVIEWERS}}~~Alem Bašić (CEO)

Document History

Version	Date	Author	Changes
0.1	~~{{DATE}}~~2026-02-23	~~{{AUTHOR}}~~John (AI Director)	Initial draft — Phase 1 Serbia MVP
1.0	2026-02-25	John (AI Director)	Finalized for v1.0 release

1. NFR Overview

Category	# Requirements	Highest Priority	Owner
Performance	~~{{COUNT}}~~8	~~{{HIGH/MED/LOW}}~~Critical	~~Tech Lead~~John
Scalability	~~{{COUNT}}~~5	High	~~Tech Lead~~John / DevOps agent
Availability	~~{{COUNT}}~~6	Critical	John / DevOps agent
Security	~~{{COUNT}}~~10	Critical	~~Tech Lead + Security~~John
Reliability	~~{{COUNT}}~~6	Critical	~~Tech Lead / DevOps~~John
Usability	~~{{COUNT}}~~7	High	John / Designer
Compatibility	~~{{COUNT}}~~6	High	~~Tech Lead~~John
Maintainability	~~{{COUNT}}~~6	Medium	~~Tech Lead~~John
Compliance	~~{{COUNT}}~~8	Critical	~~Tech Lead~~John + ~~Legal~~Asmir
Data	~~{{COUNT}}~~8	Critical	~~Tech Lead~~John

2. Performance Requirements

ID	Requirement	Metric	Target	Measurement Conditions	Measurement Method	Priority
NFR-P01	~~Page~~Dashboard page load ~~time~~ (initial)	Time to Interactive	< 3 seconds	4G connection, cold cache	Lighthouse / WebPageTest	Must Have
NFR-P02	~~Page~~Dashboard page load ~~time~~ (subsequent)	Time to Interactive	< ~~1.5~~1 ~~seconds~~second	Warm ~~cache~~cache, average device	Lighthouse	Must Have
NFR-P03	~~API~~Invoice ~~response~~creation ~~time~~wizard ~~(standard)~~navigation	~~p95~~Time ~~response~~per ~~time~~step	< 500ms	~~Normal~~Any ~~load~~device, ~~({{CONCURRENT_USERS}}~~warm ~~users)~~cache	~~APM tool / k6~~Lighthouse	Must Have
NFR-P04	API response time (~~complex~~standard ~~queries)~~CRUD)	p95 response time	< 300ms	≤ 1000 concurrent users	APM tool / k6	Must Have
NFR-P05	API response time (reports)	p95 response time	< 2 seconds	~~Normal~~≤ ~~load~~1000 concurrent orgs	APM tool	~~Should Have~~
~~NFR-P05~~	~~Database query time~~	~~p95 query time~~	~~< 100ms~~	~~Normal load~~	~~DB monitoring~~	Must Have
NFR-P06	~~File~~SEF ~~upload~~submission ~~throughput~~response	~~Upload~~End-to-end ~~speed~~latency	~~{{SIZE}}MB in~~ < ~~{{TIME}}s~~30 seconds	~~Single~~SEF ~~user~~	~~Load testing~~	~~{{PRIORITY}}~~
~~NFR-P07~~	~~Search~~API response time	~~p95~~API ~~response time~~monitoring	~~< 1 second~~	~~Normal load~~	~~APM tool~~	~~Should~~Must Have
NFR-~~P08~~	~~Report generation~~	~~Completion time~~	~~< {{TIME}} seconds~~	~~Normal load~~	~~APM tool~~	~~Could Have~~
~~NFR-P09~~P07	Core Web Vitals: LCP	Largest Contentful Paint	< 2.5 seconds	Mobile, 4G	Lighthouse	Must Have
NFR-~~P10~~P08	Core Web Vitals: CLS	Cumulative Layout Shift	< 0.1	Any device	Lighthouse	Must Have

3. Scalability Requirements

ID	Requirement	Metric	Launch Target	12-Month Target	Measurement Method	Priority
NFR-S01	Concurrent ~~users~~organizations	~~Simultaneous~~Active ~~active sessions~~organizations	~~{{X}} users~~1,000	~~{{X}} users~~10,000	Load testing (~~k6/JMeter)~~k6)	Must Have
NFR-S02	~~Peak~~Concurrent ~~load~~user ~~handling~~sessions	~~Requests~~Simultaneous ~~per second~~sessions	~~{{X}} RPS~~500	~~{{X}} RPS~~5,000	Load testing	Must Have
NFR-S03	API throughput	Requests per second	200 RPS	2,000 RPS	k6 load test	Must Have
NFR-S04	Data volume ~~growth~~per organization	~~Database~~Transactions ~~size~~per ~~growth~~	~~{{X}}GB/~~org/year	~~{{X}}GB/year~~50,000	200,000	Storage + query monitoring	Should Have
NFR-~~S04~~	~~API rate limits~~	~~Max requests per user/hour~~	~~{{X}} requests~~	~~{{X}} requests~~	~~API gateway metrics~~	~~Must Have~~
~~NFR-~~S05	~~File storage growth~~	~~Storage volume~~	~~{{X}}GB~~	~~{{X}}GB~~	~~Storage monitoring~~	~~Should Have~~
~~NFR-S06~~	Auto-scaling response	Time to ~~scale~~add ~~out~~new ~~under load~~instance	< 23 minutes	< 23 minutes	Cloud console metrics	Should Have
~~NFR-S07~~	~~Geographic distribution~~	~~Regions supported~~	~~{{REGIONS}}~~	~~{{REGIONS}}~~	~~CDN configuration~~	~~{{PRIORITY}}~~

4. Availability Requirements

ID	Requirement	Target	Measurement Period	Exclusions	Priority
NFR-A01	System uptime SLA	≥ {{99.~~5 / 99.9}}%~~9%	Monthly rolling	Scheduled maintenance windows	Must Have
NFR-A02	Scheduled maintenance window	Max ~~{{X}}~~2 hours/month	Monthly	~~{{PREFERRED_WINDOW}}~~Preferred: Sunday 02:00-04:00 CET	Must Have
NFR-A03	Maintenance notification lead time	≥ 48 hours notice	Per event	Emergency patches: 4 hours	Must Have
NFR-A04	RPO (Recovery Point Objective)	Max ~~{{X}}~~1 ~~hours~~hour data loss	Per incident	N/A	Must Have
NFR-A05	RTO (Recovery Time Objective)	System restored within ~~{{X}}~~4 hours	Per incident	N/A	Must Have
NFR-A06	Database backup frequency	~~Every~~Daily ~~{{X}}~~full ~~hours~~+ hourly transaction log	Ongoing	N/A	Must ~~Have~~
~~NFR-A07~~	~~Backup retention~~	~~{{X}} days rolling~~	~~Ongoing~~	~~N/A~~	~~Must Have~~
~~NFR-A08~~	~~Disaster recovery test~~	~~Pass DR drill~~	~~Annually~~	~~N/A~~	~~Should~~ Have

SLA Calculation Reference:

Uptime %	Annual Downtime	Monthly Downtime
99.9%	8.7 hours	43.8 minutes
99.5%	43.8 hours	3.6 hours
99.0%	87.6 hours	7.3 hours

5. Security Requirements

organizationId

ID	Requirement	Category	Target / Standard	Measurement Method	Priority
NFR-SEC01	Authentication ~~method~~	Auth	~~{{JWT/OAuth2/OIDC}}~~JWT (access: 15min TTL) + ~~MFA~~refresh ~~optional~~token (30d rolling TTL); bcrypt password hashing (cost factor ≥ 12)	Code review ~~+ pentest~~	Must Have
NFR-SEC02	Password policy	Auth	Min 8 chars, 1 uppercase, 1 number, 1 special character	Automated test	Must Have
NFR-SEC03	~~Session~~Account ~~management~~lockout	Auth	~~Timeout:~~5 ~~30min~~failed ~~idle;~~attempts ~~absolute:~~→ 815-min ~~hours~~lockout; logged in LoggedAction	Automated test	Must Have
NFR-SEC04	Data encryption in transit	Encryption	TLS 1.3 ~~minimum~~minimum; HTTP → HTTPS redirect enforced	SSL Labs scan (grade A+)	Must Have
NFR-SEC05	Data encryption at rest	Encryption	~~AES-256~~Database encryption at rest (cloud provider); bcrypt for ~~PII; database encryption~~passwords	Infrastructure review	Must Have
NFR-SEC06	Input validation	Injection Prevention	All inputs sanitized server-~~side;~~side with Zod; parameterized queries via Prisma	Code review + SAST	Must Have
NFR-SEC07	XSS prevention	Injection Prevention	React default encoding + CSP headers; ~~output~~no ~~encoding~~dangerouslySetInnerHTML	OWASP ZAP / ~~DAST~~code review	Must Have
NFR-SEC08	~~CSRF~~Rate ~~protection~~limiting	~~Injection Prevention~~DDoS/Abuse	~~CSRF~~Auth ~~tokens~~endpoints: on5 ~~all~~req/min; ~~state-changing~~General ~~requests~~API: 100 req/min per IP	~~Code~~Load ~~review~~test + monitoring	Must Have
NFR-SEC09	~~Rate limiting~~	~~DDoS/Abuse~~	~~API: {{X}} req/min per IP; login: 5 attempts/15min~~	~~Load testing~~	~~Must Have~~
~~NFR-SEC10~~	Audit logging	Compliance	All auth events, ~~data~~financial mutations logged in LoggedAction (append-only) with user ID + timestamp	Log review	Must Have
NFR-~~SEC11~~SEC10	~~Dependency~~Organization ~~security~~data isolation	~~Supply Chain~~Multi-tenancy	NoAll ~~known~~database ~~critical~~queries ~~CVEs~~scoped into ~~dependencies~~	~~Automated~~via ~~scan (Snyk/Dependabot)~~	~~Must Have~~
~~NFR-SEC12~~	~~Secret management~~	~~Secrets~~	~~No secrets in code/git; use env vars or vault~~	~~Code scan + git history check~~	~~Must Have~~
~~NFR-SEC13~~	~~Role-based access control~~	~~Authorization~~	~~Principle of least privilege;~~middleware; no ~~role~~cross-tenant ~~escalation~~queries	Code review + penetration test	Must Have
NFR-~~SEC14~~SEC11	Security headers	HTTP Security	HSTS, X-Frame-~~Options,~~Options: DENY, X-Content-Type-~~Options~~Options: nosniff, CSP	securityheaders.com scan	Must Have
NFR-~~SEC15~~SEC12	~~Vulnerability~~Dependency ~~scanning~~security	~~Operations~~Supply Chain	~~Automated~~No known critical CVEs; automated scan in ~~CI; critical issues block deploy~~CI	Snyk / npm audit in CI ~~pipeline~~	~~Should Have~~
~~NFR-SEC16~~	~~Penetration testing~~	~~Operations~~	~~Annual external pentest~~	~~Third-party report~~	Should Have

6. Reliability Requirements

ID	Requirement	Metric	Target	Measurement Method	Priority
NFR-R01	Application error rate	5xx errors / total requests	< 0.1%	APM monitoring	Must Have
NFR-R02	~~Client-side~~ACID ~~error rate~~compliance	JSTransaction ~~errors per session~~integrity	<100% 1%— ofall ~~sessions~~financial transactions ACID-compliant	~~Error~~PostgreSQL ~~tracking~~guarantees ~~(Sentry)~~+ DB tests	~~Should~~Must Have
NFR-R03	~~MTBF~~Double-entry ~~(Mean~~balance ~~Time Between Failures)~~integrity	~~Average~~Debit ~~time~~= ~~between~~Credit ~~incidents~~for all transactions	>Zero ~~{{X}}~~imbalance ~~days~~events	~~Incident~~CI ~~tracking~~test: balance check on all transactions	~~Should~~Must Have
NFR-R04	~~MTTR~~SEF ~~(Mean~~queue ~~Time To Recovery)~~reliability	~~Average~~Failed ~~time~~SEF tosubmissions ~~restore service~~retried	<Max ~~{{X}}~~3 ~~hours~~retries; success on retry > 99% for transient failures	~~Incident~~SEF ~~tracking~~monitoring	Must Have
NFR-R05	Data integrity	Zero data corruption ~~events~~	0 ~~incidents~~corruption events per 12 months	Database integrity checks	Must Have
NFR-R06	~~Transaction integrity~~	~~Atomic transactions~~	~~ACID compliance~~	~~Database tests~~	~~Must Have~~
~~NFR-R07~~	~~Graceful degradation~~	~~Partial failure handling~~	~~Non-critical features fail gracefully; core stays up~~	~~Chaos testing~~	~~Should Have~~
~~NFR-R08~~	Health check endpoint	System health observable	/api/health returns 200 when healthy	~~Monitoring~~Uptime monitoring	Must Have

7. Usability Requirements

ID	Requirement	Target	Measurement Method	Priority
NFR-U01	Time to ~~complete~~create ~~core~~first ~~task~~invoice	New user ~~completes~~creates ~~{{KEY_TASK}}~~first invoice in < ~~{{X}}~~10 minutes	~~Usability~~Beta user testing	Must Have
NFR-U02	~~Error~~Invoice ~~recovery~~wizard completion rate	~~User~~≥ ~~can~~85% ~~recover~~of ~~from~~users ~~any~~who ~~error~~start ~~without~~wizard ~~help~~complete it	~~Usability~~Analytics ~~testing~~(funnel)	Must Have
NFR-U03	WCAG compliance	WCAG 2.1 Level AA	~~Automated~~ axe-core automated + manual ~~review~~	Must Have
NFR-U04	Keyboard navigation	All interactive elements reachable by keyboard	Manual testing	Must Have
NFR-U05	~~Screen reader support~~	~~Compatible with NVDA / VoiceOver~~	~~Manual testing~~	~~Should Have~~
~~NFR-U06~~	Mobile responsiveness	Fully functional on 375px–1440px ~~width~~viewport	Manual + ~~automated~~Lighthouse	Must Have
NFR-U06	Language: Serbian	Full UI in Serbian (Latin script) for Phase 1; Cyrillic toggle	Manual review by native speaker	Must Have
NFR-U07	~~Color~~Error ~~contrast~~	~~≥ 4.5:1 for normal text; ≥ 3:1 for large text~~	~~Contrast checker~~	~~Must Have~~
~~NFR-U08~~	~~Onboarding completion~~	~~{{X}}% of new users complete onboarding~~	~~Analytics~~	~~Should Have~~
~~NFR-U09~~	~~Help / documentation~~messages	All ~~key features documented in-app or~~errors in ~~help~~Serbian ~~center~~language; actionable advice included	Content audit	~~Should~~Must Have

8. Compatibility Requirements

Raiffeisen,OTP,Banca

ID	Requirement	Category	Target	Priority
NFR-C01	Web browsers (desktop)	Browser	Chrome 100+, Firefox 100+, Safari 16+, Edge 100+	Must Have
NFR-C02	~~Mobile~~Web browsers (mobile)	Browser	Safari iOS 15+, Chrome Android 100+	Must Have
NFR-C03	Mobile operating systems	OS	iOS 15+, Android 11+	Must Have
NFR-C04	~~Desktop~~Screen ~~operating systems~~resolutions	OSResponsive	~~Windows~~375px ~~10+,~~to ~~macOS~~2560px ~~12+,~~viewport ~~Ubuntu 20.04+~~width	Must Have
NFR-C05	~~Screen~~SEF ~~resolutions~~API compatibility	~~Responsive~~External API	~~375px~~SEF toAPI ~~2560px~~v1 ~~width~~(UBL 2.1 XML, REST)	Must Have
NFR-C06	~~Minimum~~Bank ~~device~~CSV ~~specs~~formats	~~Performance~~Import	~~Works~~Serbian onbank ~~mid-range~~CSV ~~2020+~~formats: ~~devices~~	~~Should~~UniCredit, ~~Have~~
~~NFR-C07~~	~~Third-party integrations~~	~~API~~	~~{{EXTERNAL_SYSTEM}} API version {{VERSION}}~~	~~Must Have~~
~~NFR-C08~~	~~Email clients~~	~~Email~~	~~Gmail, Outlook, Apple Mail, mobile clients~~Intesa	Should Have

9. Maintainability Requirements

~~key~~ ~~errorrate,response time, uptime~~

ID	Requirement	Metric	Target	Measurement Method	Priority
NFR-M01	Test coverage (backend)	% of code covered by automated tests	≥ 80% overall; ≥ 95% for ~~critical~~financial ~~paths~~logic (double-entry, VAT, SEF)	CI coverage report	Must Have
NFR-M02	~~Code~~TypeScript ~~documentation~~strict mode	%Type ~~of public APIs documented~~safety	~~100%~~`strict: oftrue` ~~public~~in ~~APIs~~tsconfig for all packages	~~Code~~CI ~~review~~type-check	Must Have
NFR-M03	~~Cyclomatic complexity~~	~~Per-function complexity~~	~~Max 10 per function; refactor if exceeded~~	~~Static analysis (SonarQube)~~	~~Should Have~~
~~NFR-M04~~	~~Dependency currency~~	~~% of dependencies on current major version~~	~~≥ 80% current; 0 dependencies with critical CVEs~~	~~Automated scan~~	~~Should Have~~
~~NFR-M05~~	Deployment frequency	Time to deploy a bug fix to production	< 1 hour from PR merge	CI/CD metrics	Should Have
NFR-~~M06~~M04	~~Feature~~Database ~~flag support~~migrations	~~Ability~~Schema tochange ~~disable features without deploy~~	~~Available for all major features~~	~~Code review~~	~~Could Have~~
~~NFR-M07~~	~~Logging completeness~~	~~Log coverage for operations~~process	All ~~external~~changes ~~calls,~~via ~~errors,~~Prisma ~~and~~migration; ~~user~~never ~~mutations~~edit ~~logged~~existing migration	~~Log~~Code review	Must Have
NFR-~~M08~~M05	~~Monitoring~~Monorepo ~~observability~~build time	~~Dashboards~~Turborepo ~~for~~build	Full build < 3 minutes; incremental < 30 seconds	CI metrics	~~Dashboards~~Should ~~for~~Have
NFR-M06	~~Monitoring~~Logging ~~tool~~completeness	Log coverage	All external API calls (SEF, email, FX), all errors, all financial mutations logged	Log review	Must Have

10. Compliance Requirements

ID	Regulation	Applicability	Requirement	Technical Implementation	Priority
NFR-COMP01	~~GDPR~~Zakon o elektronskom fakturisanju (Serbia)	~~{{YES~~Yes — ifmandatory ~~handling~~B2B ~~EU personal data}}~~2023	~~Lawful~~Submit ~~basis for processing; right~~e-invoices to ~~deletion;~~SEF ~~DPA~~in ~~required;~~UBL ~~breach~~2.1; ~~notification~~sequential ~~within~~numbering; ~~72h~~digital signature	~~User~~SefService ~~data~~module; ~~deletion~~UBL ~~API;~~2.1 ~~audit~~XML ~~logs; DPA in place~~generation	Must Have
NFR-COMP02	Zakon o PDV (Serbia)	Yes — all VAT-registered orgs	20% standard, 10% reduced PDV; monthly filing by 15th; PDV report format for ePorezi	PDV calculation engine; report export	Must Have
NFR-COMP03	Zakon o računovodstvu (Serbia)	Yes	Double-entry; 10-year document retention; annual balance sheet; audit trail	LoggedAction (append-only); DB retention policy	Must Have
NFR-COMP04	GDPR (EU / Norwegian Personvernloven)	Yes — ALAI Holding AS is Norwegian; processes EU citizen data	Lawful basis for processing; right to deletion within 30 days; DPA in place; breach notification within 72h; data export (Article 20)	User data deletion API; audit logs; DPA	Must Have
NFR-COMP05	GDPR — Data minimization	Yes	Collect only data necessary for accounting function	BA review of data model; field-level PII audit	Must Have
NFR-COMP06	GDPR — Cookie consent	~~{{YES~~Yes — if ~~using~~ tracking ~~cookies}}~~cookies used	Explicit consent before non-essential cookies	Cookie consent banner; opt-in only ~~tracking~~	~~Must Have~~
~~NFR-COMP03~~	~~GDPR — Data minimization~~	~~Yes~~	~~Collect only data necessary for stated purpose~~	~~BA review of data model~~	~~Must Have~~
~~NFR-COMP04~~	~~{{HIPAA}}~~	~~{{YES/NO — healthcare data}}~~	~~PHI protection; audit logs; BAA required~~	~~Role-based access; encrypted PHI fields~~	~~{{PRIORITY}}~~
~~NFR-COMP05~~	~~{{PCI-DSS}}~~	~~{{YES/NO — payment card data}}~~	~~SAQ compliance; tokenization; no card storage~~	~~Stripe/payment gateway tokenization~~	~~{{PRIORITY}}~~
~~NFR-COMP06~~	~~Norwegian Personvernloven~~	~~{{YES}}~~	~~Alignment with GDPR national implementation~~	~~Legal review~~analytics	Must Have
NFR-COMP07	Multi-tenancy data isolation	Yes — SaaS requirement	Organization data strictly scoped; no cross-tenant access	organizationId middleware + DB constraint	Must Have
NFR-COMP08	WCAG 2.1 AA	~~{{YES}}~~Yes — accessibility standard	Digital accessibility for all users	NFR-~~U01 to~~U03, NFR-~~U07~~U04	Must Have

11. Data Requirements

Prisma cloud

ID	Requirement	Category	Target	Implementation	Priority
NFR-D01	Monetary precision	Data ~~retention~~type	ALL monetary fields: NUMERIC(19,4) — ~~user~~NEVER ~~data~~float, NEVER JavaScript number	~~Retention~~	~~{{X}}~~schema: ~~years~~Decimal ~~active;~~type ~~deleted within 30 days of account deletion request~~	~~Scheduled deletion job~~enforced	Must Have
NFR-D02	Data retention — financial records	Retention	10 years minimum (Serbia); 11 years (Croatia)	Retention policy in DB; no auto-delete of financial records	Must Have
NFR-D03	Data retention — logs	Retention	Application logs: 90 days; Audit ~~logs:~~logs 3(LoggedAction): ~~years~~retain permanently	Log rotation ~~policy~~+ LoggedAction never purged	Must Have
NFR-~~D03~~D04	Database backup ~~frequency~~	Backup	Full backup daily; transaction logs every ~~{{X}}~~1 ~~hours~~hour	Automated backup schedule	~~Must~~in ~~Have~~
~~NFR-D04~~	~~Backup encryption~~	~~Backup~~	~~Backups encrypted with AES-256~~	~~Infrastructure config~~provider	Must Have
NFR-D05	~~Data~~Backup ~~integrity checks~~encryption	~~Integrity~~Backup	~~Database~~Backups ~~constraints;~~encrypted noat ~~orphaned~~rest ~~records~~(AES-256)	DBCloud ~~schema~~provider ~~+ integration tests~~encryption	Must Have
NFR-D06	PII identification	Privacy	All PII fields documented; user email, name, tax ID (PIB) identified ~~and documented~~	Data dictionary + Prisma annotations	Must Have
NFR-D07	Data export (portability)	Portability	User can export ~~their~~all organization data (invoices, expenses, transactions, contacts) in ~~machine-readable format (GDPR Article 20)~~JSON/CSV	Export API endpoint	Must Have
NFR-D08	~~Data~~Exchange ~~anonymization~~rate immutability	~~Privacy~~Integrity	~~Anonymize~~Exchange ~~user~~rate ~~data~~locked inat ~~non-production~~transaction ~~environments~~date; cannot be retroactively edited	~~Dev/staging~~DB ~~data~~constraint ~~scripts~~+ LoggedAction on change attempt	Must ~~Have~~
~~NFR-D09~~	~~Archival strategy~~	~~Retention~~	~~Data older than {{X}} years archived to cold storage~~	~~Archive schedule~~	~~Should~~ Have

12. NFR Testing & Verification Plan

~~unresolved~~

NFR Category	Testing Method	Tools	Frequency	Pass Criteria
Performance	~~Load~~Lighthouse ~~testing~~+ k6 load test	~~k6,~~Lighthouse, ~~JMeter, Lighthouse~~k6	Pre-launch + monthly	All NFR-P targets met at normal load
Scalability	~~Stress~~k6 ~~testing~~stress test (2× normal load)	k6	Pre-launch	~~System~~Graceful ~~gracefully~~degradation; ~~handles~~no 2×data ~~peak~~corruption ~~load~~under stress
Security	SAST + ~~DAST~~OWASP ZAP + ~~Pentest~~manual code review	Snyk, OWASP ~~ZAP, external pentest~~ZAP	CI (SAST), Pre-launch (~~DAST+Pentest), Annual~~DAST)	No critical/high unresolved vulnerabilities
Compliance (SEF)	SEF sandbox end-to-end test	SEF sandbox API	Pre-launch	100% invoice submission success in sandbox
Compliance (PDV)	Manual accounting verification + test data	Test data set	Pre-launch + each PDV change	PDV calculations match expected values for 20 test cases
Compliance (GDPR)	Manual review + deletion test	Manual	Pre-launch + annual	Right to deletion completes within 30 days; export works
Accessibility	~~Automated~~axe-core + keyboard manual test	axe-~~core, manual screen reader~~core	Per sprint	WCAG 2.1 AA — 0 critical violations
Availability	~~Monitoring~~Uptime monitoring + DR drill	Uptime monitor	Ongoing + ~~annual~~quarterly	SLA ~~targets~~≥ ~~met~~99.9% monthly
~~Compliance~~Data integrity	~~Legal~~DB ~~review~~constraint tests + ~~audit~~balance check in CI	~~Manual~~Prisma + ~~automated~~custom tests	~~Pre-launch~~CI +(every ~~annual~~PR)	~~All~~0 ~~compliance~~debit/credit ~~items~~imbalances; ~~verified~~0 NUMERIC precision errors

Approval

Role	Name	Date
Author	John (AI Director)	2026-02-23
Reviewer
Tech Lead	John	2026-02-23
Business Analyst	John	2026-02-23
Product Owner	John	2026-02-23
AI Director (John)	John	2026-02-23
~~Client~~CEO ~~Representative~~(Alem)	Alem Bašić