Non-Functional Requirements (NFRs)
Performance Targets
| Metric | Target | Measurement |
|---|---|---|
| Page load (SSR) | < 2s (P95) | Next.js server response time |
| API response | < 500ms (P95) | REST/GraphQL endpoint latency |
| AI response | < 3s (P95) | RAG query end-to-end time |
| Database query | < 100ms (P95) | MariaDB query execution |
| ZATCA submission | < 5s (P95) | Invoice clearance round-trip |
Scalability Targets
| Metric | Target | Strategy |
|---|---|---|
| Concurrent users | 10,000+ | Auto-scaling compute, Redis caching |
| API throughput | 1,000 req/s | Load balancer, horizontal scaling |
| AI inference | 100 concurrent | GPU instance auto-scaling |
Availability Targets
| Component | SLA | Strategy |
|---|---|---|
| Frontend | 99.9% | Multi-AZ, CDN caching |
| API | 99.9% | Load balancer, auto-scaling |
| Database | 99.95% | Multi-AZ, automated failover |
| AI Service | 99.5% | GPU instance redundancy |
| Overall | 99.9% | DR region failover |
Disaster Recovery
| Metric | Target | Strategy |
|---|---|---|
| RPO | < 1 hour | Async MariaDB replication + Object Storage cross-region |
| RTO | < 4 hours | Automated failover scripts + DNS update |
Security Requirements
- All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- MFA enforced for all admin accounts
- Session timeout after 15 minutes of inactivity
- RBAC with least-privilege principle
- Audit logging for all data access and modifications
- Secret rotation every 90 days via OCI Vault
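
A check of three of the requirements above (admin MFA, 15-minute idle timeout, 90-day secret rotation) against an inventory snapshot. This is an added example, not part of the original document: the inventory field names and sample records are constructed assumptions, and the code does not call OCI Vault.

```javascript
// Added example: field names and sample records are constructed for illustration.
const IDLE_LIMIT_MS = 15 * 60 * 1000;               // 15 minutes of inactivity
const ROTATION_LIMIT_MS = 90 * 24 * 60 * 60 * 1000; // rotation every 90 days

// Returns a list of findings; an empty list means all three checks passed.
function auditSecurityBaseline(inventory, now) {
  const findings = [];
  const ageMs = (iso) => {
    const t = Date.parse(iso);
    return Number.isNaN(t) ? Infinity : now - t; // missing or invalid timestamp fails closed
  };
  for (const a of inventory.accounts) {
    if (a.role === 'admin' && a.mfaEnabled !== true) findings.push({ rule: 'mfa', id: a.id });
  }
  for (const s of inventory.sessions) {
    // Assumption: a session idle for exactly 15 minutes already counts as expired,
    // so a still-active (not revoked) session at or past the limit is a finding.
    if (!s.revoked && ageMs(s.lastActivity) >= IDLE_LIMIT_MS) {
      findings.push({ rule: 'idle-session', id: s.id });
    }
  }
  for (const k of inventory.secrets) {
    if (ageMs(k.lastRotated) > ROTATION_LIMIT_MS) findings.push({ rule: 'secret-rotation', id: k.id });
  }
  return findings;
}

// Constructed sample inventory, evaluated at a fixed point in time.
const NOW = Date.parse('2025-01-01T12:00:00Z');
const SAMPLE = {
  accounts: [
    { id: 'admin-1', role: 'admin', mfaEnabled: true },
    { id: 'admin-2', role: 'admin', mfaEnabled: false },
    { id: 'clerk-1', role: 'user', mfaEnabled: false },
  ],
  sessions: [
    { id: 'sess-a', lastActivity: '2025-01-01T11:50:00Z', revoked: false },
    { id: 'sess-b', lastActivity: '2025-01-01T11:45:00Z', revoked: false },
    { id: 'sess-c', lastActivity: '2025-01-01T10:00:00Z', revoked: true },
  ],
  secrets: [
    { id: 'db-password', lastRotated: '2024-11-15T00:00:00Z' },
    { id: 'api-key', lastRotated: '2024-09-01T00:00:00Z' },
    { id: 'jwt-signing-key' }, // no rotation record
  ],
};
console.log(auditSecurityBaseline(SAMPLE, NOW));
```

A secret with no rotation record is reported rather than skipped, so gaps in the inventory surface as findings instead of passing silently.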
Compliance Requirements
- ZATCA Phase 2: Full Fatoora compliance (clearance + reporting)
- PDPL: All data in KSA, consent records, data purge capability
- VAT: 15% automatic calculation, input/output tracking
- GOSI: Monthly payroll submissions, social insurance
- NCA ECC: Cybersecurity control compliance