# RACI Matrix: Drop — Fintech Payment App

> **Project:** Drop — Remittance + QR Payments
> **Version:** 1.0
> **Date:** 2026-02-23
> **Author:** John (AI Director)
> **Status:** Approved by AI Director; CEO (Project Sponsor) sign-off pending (see Approval)
> **Reviewers:** Alem Bašić (CEO)

## Document History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 0.1 | 2026-02-23 | John | Initial draft — Drop-specific roles and activities |

---

## 1. Purpose

This RACI matrix defines responsibility assignments for all Drop project activities. Drop is an AI-native internal product of ALAI Holding AS. Most "team" roles are filled by AI agents coordinated by John (AI Director). Alem Bašić (CEO) is the sole human, responsible for strategic decisions, partnerships, and regulatory submissions.

**Conflict resolution:** Disputes escalate to John (AI Director), then Alem (CEO) for strategic/financial issues.

---

## 2. RACI Definitions

| Letter | Role | Definition |
|--------|------|------------|
| **R** | **Responsible** | Does the work |
| **A** | **Accountable** | Ultimately answerable; one per activity |
| **C** | **Consulted** | Provides input; two-way communication |
| **I** | **Informed** | Kept updated; one-way communication |

---

## 3. Project Roles

| Role Code | Role Title | Person / Agent | Notes |
|-----------|-----------|---------------|-------|
| CEO | Chief Executive Officer | Alem Bašić | Strategic decisions, partnerships, budget, regulatory submissions |
| JD | AI Director | John (Claude Opus) | Delivery accountability, architecture, agent coordination |
| BUILD | Builder Agent | Claude Sonnet (per-task) | Feature implementation, API routes, frontend |
| VAL | Validator Agent | Claude Sonnet (per-task) | Testing, validation, code review (read-only) |
| SEC | Security Agent | Claude (per-sprint) | Threat modelling, security audit, compliance checks |
| LEGAL | Legal Agent | Claude (as needed) | Regulatory review, document drafting |
| FIN | Finance Agent | Claude (as needed) | Budget analysis, financial projections |
| EXT | External Advisor | TBD (human) | Legal advisor for Finanstilsynet, BaaS contracts |

---

## 4. RACI Matrix — Project Phases & Activities

### 4.1 Project Initiation & Planning

| Activity / Deliverable | CEO | JD | BUILD | VAL | SEC | LEGAL | FIN | EXT |
|------------------------|-----|----|----|----|----|----|----|-----|
| Project Charter | I | A | | | | C | | |
| Project Brief | I | A | | | | C | C | |
| Budget approval | A | C | | | | | R | |
| Risk Register (initial) | I | A | | | C | C | C | |
| RACI Matrix | I | A | | | | | | |
| Stakeholder identification | C | A | | | | R | | |
| Communication Plan | I | A | | | | | | |

### 4.2 Requirements & Analysis

| Activity / Deliverable | CEO | JD | BUILD | VAL | SEC | LEGAL | FIN | EXT |
|------------------------|-----|----|----|----|----|----|----|-----|
| Business Requirements Document (BRD) | C | A | | | | R | R | |
| Functional Requirements (FRS) | C | A | R | | C | | | |
| Non-Functional Requirements | C | A | R | | C | | | |
| User Stories | I | A | R | | | | | |
| Acceptance Criteria | I | A | R | C | | | | |
| Requirements Traceability Matrix | I | A | R | C | | | | |
| Regulatory requirements mapping | C | C | | | | A | | R |

### 4.3 Architecture & Design

| Activity / Deliverable | CEO | JD | BUILD | VAL | SEC | LEGAL | FIN | EXT |
|------------------------|-----|----|----|----|----|----|----|-----|
| System architecture (ADRs) | I | A | R | | C | | | |
| Database schema design | I | A | R | | C | | | |
| API contract design | I | A | R | | C | | | |
| Security architecture | I | C | | | A | | | |
| PSD2 pass-through model design | I | A | R | | C | | | C |
| UI/UX design (Figma) | I | A | | | | | | |
| Infrastructure design (Fly.io / Docker) | I | A | R | | | | | |

### 4.4 Development

| Activity / Deliverable | CEO | JD | BUILD | VAL | SEC | LEGAL | FIN | EXT |
|------------------------|-----|----|----|----|----|----|----|-----|
| Backend API routes (26 endpoints) | | A | R | | C | | | |
| Frontend pages (Next.js — 10 screens) | | A | R | | | | | |
| Database schema + migrations | | A | R | | C | | | |
| Authentication (JWT + BankID mock) | | A | R | | C | | | |
| Remittance flow implementation | | A | R | | C | | | |
| QR payment flow implementation | | A | R | | C | | | |
| Merchant dashboard implementation | | A | R | | | | | |
| Feature flags implementation | | A | R | | | | | |
| CI/CD pipeline (GitHub Actions) | | A | R | | | | | |
| Docker containerisation | | A | R | | | | | |
| Code review | | A | | R | | | | |
| Unit test writing | | A | R | C | | | | |

### 4.5 Security Hardening (Phase 0.5)

| Activity / Deliverable | CEO | JD | BUILD | VAL | SEC | LEGAL | FIN | EXT |
|------------------------|-----|----|----|----|----|----|----|-----|
| Security audit (full codebase) | I | C | | | A | | | |
| JWT secret hardening | | A | R | | C | | | |
| CVV/card data removal | | A | R | | C | | | |
| CSRF protection implementation | | A | R | | C | | | |
| Rate limiting (persistent) | | A | R | | C | | | |
| CSP headers implementation | | A | R | | C | | | |
| Session management | | A | R | | C | | | |
| Demo credential removal | | A | R | | C | | | |
| Compliance documentation (gap analysis) | I | C | | | A | R | | |
| Penetration testing (pre-launch) | I | C | | | C | | | A |

### 4.6 Testing & QA

| Activity / Deliverable | CEO | JD | BUILD | VAL | SEC | LEGAL | FIN | EXT |
|------------------------|-----|----|----|----|----|----|----|-----|
| Test strategy | I | A | C | R | C | | | |
| Test plan | I | A | C | R | | | | |
| Unit tests (Vitest — 40 tests) | | A | R | C | | | | |
| Integration tests (20+ tests) | | A | R | C | | | | |
| E2E tests (Playwright — 3 projects) | | A | C | R | | | | |
| Performance tests (benchmarks) | | A | C | R | C | | | |
| Security tests (input chaos) | | C | C | R | A | | | |
| Regression tests | | A | R | C | | | | |
| Definition of Done validation | | A | | R | | | | |
| Go/No-Go decision | A | C | | R | C | | | |

### 4.7 Compliance & Regulatory

| Activity / Deliverable | CEO | JD | BUILD | VAL | SEC | LEGAL | FIN | EXT |
|------------------------|-----|----|----|----|----|----|----|-----|
| PSD2 regulatory gap analysis | C | C | | | R | A | | |
| GDPR compliance review | C | C | | | C | A | | |
| AML/KYC compliance setup | C | C | | | C | A | | R |
| Finanstilsynet PISP/AISP registration | A | C | | | | C | | R |
| Legal terms + privacy policy | C | C | | | | A | | |
| BaaS partner contract negotiation | A | C | | | | C | | R |

### 4.8 Deployment & Launch

| Activity / Deliverable | CEO | JD | BUILD | VAL | SEC | LEGAL | FIN | EXT |
|------------------------|-----|----|----|----|----|----|----|-----|
| Deployment checklist | I | A | C | C | C | | | |
| Staging deployment (Fly.io) | I | A | R | C | | | | |
| Production deployment | I | A | R | R | C | | | |
| Monitoring + alerting setup | I | A | R | | | | | |
| App Store submission (iOS) | I | A | R | | | | | |
| Google Play submission (Android) | I | A | R | | | | | |
| Go-live communication | A | C | | | | | | |
| Merchant onboarding (200 targets) | A | I | | | | | | |
| Post-launch monitoring (48h) | I | A | | R | | | | |

### 4.9 Post-Launch & Maintenance

| Activity / Deliverable | CEO | JD | BUILD | VAL | SEC | LEGAL | FIN | EXT |
|------------------------|-----|----|----|----|----|----|----|-----|
| Post-launch review (30 days) | C | A | R | R | | | | |
| Bug fix triage + resolution | I | A | R | C | | | | |
| Performance optimisation | I | A | R | C | | | | |
| Lessons learned documentation | I | A | R | R | C | C | C | |
| Incident response | I | A | R | | C | | | |
| Monthly financial reporting | A | C | | | | | R | |
| User feedback analysis | C | A | R | | | | | |
| Project closure sign-off | A | C | | | | | | |

---

## 5. Escalation Matrix

| Escalation Level | Trigger | Escalate To | Response Time |
|-----------------|---------|-------------|--------------|
| L1 | Task-level blocker | John (JD) | 4 hours |
| L2 | Architecture/scope dispute | John (JD) | 4 hours |
| L3 | Strategic/financial decision | Alem (CEO) | 24 hours |
| L4 | Legal/regulatory blocker | Alem + External Advisor | 48 hours |

---

## Approval

| Role | Name | Date | Signature |
|------|------|------|-----------|
| Author / AI Director | John | 2026-02-23 | Approved (AI) |
| Project Sponsor / CEO | Alem Bašić | TBD | |