Functional & Non-Functional Requirements
Overview
This document defines the complete requirements specification for CalcBridge, organized into functional requirements (what the system does) and non-functional requirements (how well it does it). Version 2.0 expands coverage to include data reconciliation, operational resilience, data intelligence, and formula engine capabilities.
Requirements Summary
| Category | Count | Implemented | In Progress | Planned |
|---|---|---|---|---|
| Core Features | 10 | 10 | 0 | 0 |
| Supporting Features | 10 | 8 | 1 | 1 |
| Administrative Features | 5 | 4 | 1 | 0 |
| Compliance Testing | 10 | 9 | 1 | 0 |
| What-If Scenarios | 10 | 8 | 1 | 1 |
| API Features | 5 | 4 | 0 | 1 |
| Data Reconciliation | 10 | 8 | 1 | 1 |
| Data Intelligence | 10 | 6 | 2 | 2 |
| Operational Resilience | 10 | 8 | 1 | 1 |
| Formula Engine | 10 | 10 | 0 | 0 |
| Column Mapping | 5 | 5 | 0 | 0 |
| Total | 95 | 80 | 8 | 7 |
Functional Requirements
Core Features (FR-001 to FR-010)
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-001 | Workbook Upload | System shall accept Excel workbook uploads (.xlsx, .xls, .xlsm) up to 100MB with automatic validation | P0 - Critical | Implemented |
| FR-002 | Sheet Parsing | System shall parse all worksheets, extracting cell values, formulas, and metadata | P0 - Critical | Implemented |
| FR-003 | Holdings Extraction | System shall identify and extract CLO holdings data with configurable column mapping | P0 - Critical | Implemented |
| FR-004 | Calculation Engine | System shall evaluate Excel formulas with 100% accuracy compared to Excel output using safe AST-based evaluation | P0 - Critical | Implemented |
| FR-005 | Compliance Test Execution | System shall execute all configured compliance tests and return pass/fail results with cushion analysis | P0 - Critical | Implemented |
| FR-006 | What-If Scenario Creation | System shall allow users to create hypothetical scenarios based on workbook data | P0 - Critical | Implemented |
| FR-007 | Scenario Comparison | System shall compare base data with scenarios showing delta for all metrics including compliance impact | P0 - Critical | Implemented |
| FR-008 | Compliance Test in Scenarios | System shall re-run compliance tests within scenarios to evaluate proposed changes | P0 - Critical | Implemented |
| FR-009 | Multi-tenant Isolation | System shall ensure complete data isolation between tenants with Row-Level Security (RLS) | P0 - Critical | Implemented |
| FR-010 | Audit Trail | System shall log all data changes, calculations, and user actions with timestamp and attribution | P0 - Critical | Implemented |
Supporting Features (FR-011 to FR-020)
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-011 | Compliance Dashboard | System shall display real-time compliance status with drill-down to individual tests | P1 - High | Implemented |
| FR-012 | Trend Analysis | System shall track compliance metrics over time and display historical trends | P1 - High | Implemented |
| FR-013 | Alert Configuration | System shall allow users to configure threshold-based alerts for compliance metrics | P1 - High | Implemented |
| FR-014 | Email Notifications | System shall send email notifications when alerts are triggered | P1 - High | Implemented |
| FR-015 | Report Generation | System shall generate PDF/Excel reports of compliance status and portfolio metrics | P1 - High | In Progress |
| FR-016 | Column Mapping UI | System shall provide visual interface for mapping source columns to system fields | P1 - High | Implemented |
| FR-017 | Mapping Templates | System shall allow saving and reusing column mapping configurations | P2 - Medium | Implemented |
| FR-018 | Data Validation Rules | System shall validate uploaded data against configurable business rules | P1 - High | Implemented |
| FR-019 | Error Reporting | System shall provide detailed error messages with suggestions for resolution | P2 - Medium | Implemented |
| FR-020 | Bulk Operations | System shall support bulk upload and processing of multiple workbooks | P2 - Medium | Planned |
Administrative Features (FR-021 to FR-025)
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-021 | Tenant Management | System shall allow super-admin to create, configure, and deactivate tenants | P0 - Critical | Implemented |
| FR-022 | User Management | System shall allow tenant admins to manage users and role assignments | P0 - Critical | Implemented |
| FR-023 | Role-Based Access | System shall enforce permissions based on user roles (Admin, Analyst, Manager, Viewer, Owner) | P0 - Critical | Implemented |
| FR-024 | Audit Log Access | System shall provide searchable access to audit logs for authorized users | P1 - High | Implemented |
| FR-025 | System Configuration | System shall allow configuration of global settings (retention, limits, features) | P2 - Medium | In Progress |
Compliance Testing Features (FR-026 to FR-035)
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-026 | OC Test Calculation | System shall calculate Overcollateralization tests (Senior, Mezzanine, Subordinate) with trigger and target thresholds | P0 - Critical | Implemented |
| FR-027 | IC Test Calculation | System shall calculate Interest Coverage tests for all tranches with cushion analysis | P0 - Critical | Implemented |
| FR-028 | WARF Test | System shall calculate and validate Weighted Average Rating Factor using Moody's rating factors | P0 - Critical | Implemented |
| FR-029 | WAL Test | System shall calculate Weighted Average Life and compare against indenture limits | P0 - Critical | Implemented |
| FR-030 | WAS Test | System shall calculate Weighted Average Spread and validate against minimums | P0 - Critical | Implemented |
| FR-031 | Concentration Tests | System shall calculate industry, issuer, and geographic concentration limits | P0 - Critical | Implemented |
| FR-032 | CCC Bucket Test | System shall track CCC-rated holdings exposure against portfolio limits (typically 7.5%) | P1 - High | Implemented |
| FR-033 | Defaulted Asset Test | System shall identify and calculate exposure to defaulted and credit risk assets | P1 - High | Implemented |
| FR-034 | Diversity Score | System shall calculate Moody's diversity score for the portfolio | P1 - High | Implemented |
| FR-035 | Custom Test Definition | System shall allow users to define custom compliance tests via formula with configurable thresholds | P2 - Medium | In Progress |
Extended Compliance Tests
| Test ID | Test Name | Category | Description |
|---|---|---|---|
| OC-001 | Senior OC | Overcollateralization | Senior tranche coverage ratio |
| OC-002 | Mezzanine OC | Overcollateralization | Mezzanine tranche coverage ratio |
| OC-003 | Subordinate OC | Overcollateralization | Subordinate tranche coverage ratio |
| IC-001 | Senior IC | Interest Coverage | Senior tranche interest coverage |
| IC-002 | Mezzanine IC | Interest Coverage | Mezzanine tranche interest coverage |
| IC-003 | Subordinate IC | Interest Coverage | Subordinate tranche interest coverage |
| CQ-001 | WARF | Credit Quality | Weighted Average Rating Factor |
| CQ-002 | Average Rating | Credit Quality | Average credit rating |
| CQ-003 | Rating Distribution | Credit Quality | Distribution across rating buckets |
| CQ-004 | CCC Exposure | Credit Quality | Exposure to CCC/Caa rated assets |
| WA-001 | WAL | Weighted Averages | Weighted Average Life |
| WA-002 | WAS | Weighted Averages | Weighted Average Spread |
| WA-003 | WAM | Weighted Averages | Weighted Average Maturity |
| CON-001 | Single Obligor | Concentration | Largest single obligor exposure |
| CON-002 | Top 5 Obligors | Concentration | Top 5 obligors combined exposure |
| CON-003 | Industry | Concentration | Largest industry exposure |
| CON-004 | Geography | Concentration | Geographic concentration |
| CON-005 | Second Lien | Concentration | Second lien loan exposure |
| CON-006 | Covenant Lite | Concentration | Covenant lite loan exposure |
| CON-007 | Fixed Rate | Concentration | Fixed rate asset exposure |
| CON-008 | DIP/Debtor | Concentration | DIP and debtor-in-possession exposure |
| DIV-001 | Diversity Score | Diversity | Moody's diversity equivalent |
| DEF-001 | Defaulted Assets | Defaults | Defaulted position exposure |
What-If Scenario Features (FR-036 to FR-045)
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-036 | Trade Simulation | System shall simulate adding, removing, or modifying positions with automatic metric recalculation | P0 - Critical | Implemented |
| FR-037 | Price Change Simulation | System shall simulate market value changes across portfolio with P&L impact | P0 - Critical | Implemented |
| FR-038 | Rating Change Simulation | System shall simulate credit rating migrations and calculate WARF/compliance impact | P0 - Critical | Implemented |
| FR-039 | Multi-Trade Scenarios | System shall support multiple simultaneous trades in a single scenario with order-dependent calculations | P1 - High | Implemented |
| FR-040 | Scenario Templates | System shall allow saving scenario configurations as reusable templates | P2 - Medium | Planned |
| FR-041 | Scenario Versioning | System shall maintain version history of scenarios with diff capability | P1 - High | Implemented |
| FR-042 | Scenario Sharing | System shall allow sharing scenarios between users within a tenant | P2 - Medium | In Progress |
| FR-043 | Scenario Export | System shall export scenario details and results to Excel/PDF with full audit trail | P2 - Medium | Implemented |
| FR-044 | Scenario Comparison Matrix | System shall display side-by-side comparison of multiple scenarios (up to 5) | P1 - High | Implemented |
| FR-045 | Scenario Impact Summary | System shall summarize key metric changes between base and scenario with visual indicators | P0 - Critical | Implemented |
What-If Scenario Types
| Type | Description | Supported Operations |
|---|---|---|
| Trade - Buy | Add new position or increase existing | Par amount, price, spread, rating, maturity |
| Trade - Sell | Remove or reduce position | Par amount (partial or full), settlement price |
| Price Change | Market value adjustment | New price or percentage change |
| Rating Change | Credit rating migration | New Moody's/S&P/Fitch rating |
| Spread Change | Spread adjustment | New spread (bps) or change |
| Maturity Extension | Maturity date change | New maturity date |
| Default Event | Mark position as defaulted | Default flag, recovery rate |
| Paydown | Principal reduction | Paydown amount |
API Features (FR-046 to FR-050)
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-046 | RESTful Endpoints | System shall provide REST API for all core operations with JSON payloads | P0 - Critical | Implemented |
| FR-047 | API Versioning | System shall support API versioning (v1, v2) with 12-month deprecation cycle | P1 - High | Implemented |
| FR-048 | API Authentication | System shall require JWT or API key authentication for all endpoints | P0 - Critical | Implemented |
| FR-049 | Rate Limiting | System shall enforce rate limits per tenant/user with tier-based quotas | P1 - High | Implemented |
| FR-050 | Webhook Support | System shall support webhooks for event notifications (compliance, scenarios, alerts) | P2 - Medium | Planned |
Data Reconciliation Features (FR-051 to FR-060) - NEW
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-051 | Trustee Data Import | System shall import trustee report data from Excel, CSV, and XML formats | P0 - Critical | Implemented |
| FR-052 | Automated Matching | System shall automatically match internal positions to trustee data using CUSIP, ISIN, or issuer name | P0 - Critical | Implemented |
| FR-053 | Variance Detection | System shall detect and categorize variances by type (par, price, rating, identity) | P0 - Critical | Implemented |
| FR-054 | Tolerance Configuration | System shall allow configurable tolerance thresholds for variance detection (absolute and percentage) | P1 - High | Implemented |
| FR-055 | Exception Management | System shall provide workflow for reviewing, explaining, and resolving variances | P1 - High | Implemented |
| FR-056 | Variance History | System shall maintain complete history of reconciliation runs and variance resolutions | P1 - High | Implemented |
| FR-057 | Reconciliation Reports | System shall generate reconciliation summary reports with variance breakdown | P1 - High | Implemented |
| FR-058 | Auto-Resolution Rules | System shall support configurable rules for automatic variance resolution | P2 - Medium | Implemented |
| FR-059 | Multi-Source Reconciliation | System shall support reconciliation against multiple data sources (trustee, Geneva, Bloomberg) | P2 - Medium | In Progress |
| FR-060 | Reconciliation Scheduling | System shall support scheduled automatic reconciliation runs | P2 - Medium | Planned |
Reconciliation Variance Categories
| Category | Description | Example |
|---|---|---|
| Par Variance | Difference in par/face amount | Internal: $5M, Trustee: $5.1M |
| Price Variance | Difference in market price | Internal: 98.5, Trustee: 98.25 |
| Rating Variance | Difference in credit rating | Internal: B2, Trustee: B1 |
| Identity Mismatch | Position exists in one source only | Missing from trustee report |
| Issuer Name Mismatch | Same security, different issuer name | "ABC Corp" vs "ABC Corporation" |
| Settlement Variance | Trade not yet settled in one system | Pending settlement |
| Accrued Interest | Difference in accrued interest calculation | Calculation date difference |
Tolerance Thresholds (Default)
| Metric | Absolute Tolerance | Percentage Tolerance |
|---|---|---|
| Par Amount | $1,000 | 0.01% |
| Market Value | $5,000 | 0.05% |
| Price | 0.125 | 0.15% |
| Spread | 5 bps | 1% |
| Accrued Interest | $100 | 0.5% |
Data Intelligence Features (FR-061 to FR-070) - NEW
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-061 | Anomaly Detection | System shall detect data anomalies using statistical methods (Z-score, IQR) | P1 - High | Implemented |
| FR-062 | Data Quality Scoring | System shall calculate and track data quality scores for each workbook | P1 - High | Implemented |
| FR-063 | Pattern Recognition | System shall identify patterns in compliance test results and portfolio changes | P2 - Medium | Implemented |
| FR-064 | Insight Generation | System shall generate actionable insights from portfolio data analysis | P1 - High | Implemented |
| FR-065 | Trend Forecasting | System shall forecast compliance metrics based on historical trends | P2 - Medium | In Progress |
| FR-066 | Outlier Highlighting | System shall highlight outliers in holdings data (price, spread, rating) | P1 - High | Implemented |
| FR-067 | Schema Drift Detection | System shall detect changes in source data schemas across uploads | P1 - High | Implemented |
| FR-068 | Correlation Analysis | System shall identify correlations between portfolio metrics | P2 - Medium | In Progress |
| FR-069 | Predictive Compliance | System shall predict potential compliance breaches before they occur | P2 - Medium | Planned |
| FR-070 | Natural Language Insights | System shall present insights in natural language summaries | P3 - Low | Planned |
Anomaly Detection Methods
| Method | Application | Threshold |
|---|---|---|
| Z-Score | Numeric outliers (price, spread) | > 3 standard deviations |
| IQR (Interquartile Range) | Robust outlier detection | > 1.5x IQR from quartiles |
| Isolation Forest | Complex anomaly patterns | Anomaly score > 0.7 |
| Time Series (ARIMA) | Trend anomalies | Residual > 2 std dev |
| Categorical Frequency | Unusual category values | < 1% frequency |
Data Quality Dimensions
| Dimension | Description | Weight |
|---|---|---|
| Completeness | Missing required fields | 25% |
| Accuracy | Values within expected ranges | 25% |
| Consistency | Cross-field validation | 20% |
| Timeliness | Data freshness | 15% |
| Uniqueness | Duplicate detection | 15% |
Operational Resilience Features (FR-071 to FR-080) - NEW
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-071 | Dead Letter Queue | System shall capture failed tasks in DLQ for manual review and retry | P0 - Critical | Implemented |
| FR-072 | Task Retry Logic | System shall automatically retry failed tasks with exponential backoff | P0 - Critical | Implemented |
| FR-073 | Circuit Breaker | System shall implement circuit breaker pattern for external service calls | P1 - High | Implemented |
| FR-074 | Graceful Degradation | System shall continue core operations when non-critical services fail | P1 - High | Implemented |
| FR-075 | Health Monitoring | System shall expose health endpoints for liveness and readiness probes | P0 - Critical | Implemented |
| FR-076 | Distributed Tracing | System shall support distributed tracing with OpenTelemetry | P1 - High | Implemented |
| FR-077 | Prometheus Metrics | System shall expose Prometheus-compatible metrics for monitoring | P1 - High | Implemented |
| FR-078 | Alerting Rules | System shall support configurable alerting rules for operational metrics | P1 - High | Implemented |
| FR-079 | Bulkhead Isolation | System shall isolate workloads to prevent cascade failures | P2 - Medium | In Progress |
| FR-080 | Chaos Engineering | System shall support controlled failure injection for resilience testing | P3 - Low | Planned |
Dead Letter Queue Operations
| Operation | Description | API Endpoint |
|---|---|---|
| List DLQ Items | View all failed tasks | GET /api/v1/dlq |
| Get DLQ Item | View task details and error | GET /api/v1/dlq/{id} |
| Retry Task | Re-attempt failed task | POST /api/v1/dlq/{id}/retry |
| Delete Task | Remove from DLQ | DELETE /api/v1/dlq/{id} |
| Bulk Retry | Retry multiple tasks | POST /api/v1/dlq/bulk-retry |
| DLQ Stats | Get DLQ statistics | GET /api/v1/dlq/stats |
Circuit Breaker States
| State | Description | Behavior |
|---|---|---|
| Closed | Normal operation | All requests pass through |
| Open | Circuit tripped | All requests fail fast |
| Half-Open | Testing recovery | Limited requests allowed |
Retry Configuration
| Setting | Default | Description |
|---|---|---|
| Max Retries | 3 | Maximum retry attempts |
| Initial Delay | 1s | First retry delay |
| Max Delay | 60s | Maximum retry delay |
| Backoff Multiplier | 2x | Exponential backoff factor |
| Jitter | 10% | Random delay variation |
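How the Retry Configuration defaults combine with the dead letter queue of FR-071 and FR-072, as an added example rather than CalcBridge code. It assumes the 10% jitter is applied symmetrically around the computed delay and that Max Retries counts attempts after the first; `retry_delay`, `run_with_retry` and the DLQ record layout are hypothetical names.

```python
import random

# Defaults copied from the Retry Configuration table.
MAX_RETRIES = 3
INITIAL_DELAY = 1.0       # seconds
MAX_DELAY = 60.0          # seconds
BACKOFF_MULTIPLIER = 2.0
JITTER = 0.10             # assumption: +/-10% of the computed delay


def retry_delay(retry_number, rng=random):
    """Seconds to wait before retry `retry_number` (1-based)."""
    if retry_number < 1:
        raise ValueError("retry_number starts at 1")
    base = min(INITIAL_DELAY * BACKOFF_MULTIPLIER ** (retry_number - 1), MAX_DELAY)
    jittered = base * (1 + rng.uniform(-JITTER, JITTER))
    return min(jittered, MAX_DELAY)  # jitter never pushes a delay past the cap


def run_with_retry(task, dead_letters, sleep, rng=random):
    """Run task(); retry up to MAX_RETRIES times, then park the failure in the DLQ.

    Returns the task result, or None when the task ended up in `dead_letters`.
    `sleep` is injected so a scheduler (or a test) controls the waiting.
    """
    errors = []
    for attempt in range(MAX_RETRIES + 1):  # one initial attempt plus the retries
        if attempt:
            sleep(retry_delay(attempt, rng))
        try:
            return task()
        except Exception as exc:  # a real worker would retry transient errors only
            errors.append(repr(exc))
    # Keep every error, not just the last, so the DLQ item explains itself on review.
    dead_letters.append({"task": getattr(task, "__name__", "task"), "errors": errors})
    return None
```

With these defaults a task that never succeeds runs four times, waits roughly 1 s, 2 s and 4 s between attempts, and then produces exactly one DLQ item.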
Formula Engine Features (FR-081 to FR-090) - NEW
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-081 | AST-Based Parsing | System shall parse Excel formulas into Abstract Syntax Trees for safe evaluation | P0 - Critical | Implemented |
| FR-082 | Safe Evaluation | System shall evaluate formulas without using unsafe code execution methods | P0 - Critical | Implemented |
| FR-083 | Vectorized Functions | System shall implement Excel functions using vectorized pandas/numpy operations | P0 - Critical | Implemented |
| FR-084 | Cross-Sheet References | System shall resolve formulas referencing other sheets within a workbook | P0 - Critical | Implemented |
| FR-085 | Formula Validation | System shall validate formula syntax before evaluation | P1 - High | Implemented |
| FR-086 | Dependency Analysis | System shall analyze formula dependencies for optimal calculation order | P1 - High | Implemented |
| FR-087 | Formula Translation | System shall translate Excel formulas to equivalent Python/pandas code | P1 - High | Implemented |
| FR-088 | Calculation Caching | System shall cache formula results for performance optimization | P1 - High | Implemented |
| FR-089 | Formula Builder UI | System shall provide visual formula construction interface | P2 - Medium | Implemented |
| FR-090 | Custom Function Registry | System shall allow registration of custom calculation functions | P2 - Medium | Implemented |
Supported Excel Functions (50+)
| Category | Functions |
|---|---|
| Logical | IF, IFS, IFERROR, IFNA, AND, OR, NOT, XOR, TRUE, FALSE, SWITCH, CHOOSE, LET |
| Lookup | VLOOKUP, HLOOKUP, XLOOKUP, LOOKUP, INDEX, MATCH, XMATCH, OFFSET, INDIRECT |
| Math | SUM, SUMIF, SUMIFS, SUMPRODUCT, ABS, ROUND, ROUNDUP, ROUNDDOWN, INT, TRUNC, MOD, POWER, SQRT, EXP, LN, LOG, LOG10, CEILING, FLOOR, SIGN, RAND, RANDBETWEEN |
| Statistical | COUNT, COUNTA, COUNTBLANK, COUNTIF, COUNTIFS, AVERAGE, AVERAGEIF, AVERAGEIFS, MIN, MINIFS, MAX, MAXIFS, MEDIAN |
| Text | CONCATENATE, CONCAT, TEXTJOIN, TEXT, VALUE, LEFT, RIGHT, MID, LEN, FIND, SEARCH, REPLACE, SUBSTITUTE, TRIM, CLEAN, UPPER, LOWER, PROPER |
| Date | DATE, TODAY, NOW, YEAR, MONTH, DAY, HOUR, MINUTE, SECOND, WEEKDAY, DATEDIF, EDATE, EOMONTH |
| Information | ISBLANK, ISERROR, ISERR, ISNA, ISTEXT, ISNUMBER, ISLOGICAL, NA |
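FR-081, FR-082 and FR-085 together describe a pipeline: tokenize, parse to a tree, validate against an allow-list, then evaluate by walking the tree. The sketch below is an added example, not CalcBridge code; it covers only numbers, cell references, `+ - * / ^`, parentheses and five of the listed functions (ranges, strings and comparisons are left out), and the names `Parser`, `evaluate`, `calc` and `FormulaError` are assumptions.

```python
import math
import operator
import re


class FormulaError(Exception):
    """Formula rejected during validation, or failed during evaluation."""


TOKEN_RE = re.compile(r"\s*(?:(?P<num>\d+(?:\.\d+)?)"
                      r"|(?P<name>[A-Za-z][A-Za-z0-9.]*)|(?P<op>[-+*/^(),]))")
# Lowest to highest precedence; every level is left-associative, as in Excel.
LEVELS = [("+", "-"), ("*", "/"), ("^",)]
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul,
       "/": operator.truediv, "^": math.pow}
# Allow-list: a function name that is not a key here is rejected while parsing.
FUNCTIONS = {"SUM": math.fsum, "MAX": max, "MIN": min,
             "AVERAGE": lambda v: math.fsum(v) / len(v), "ABS": lambda v: abs(*v)}


class Parser:
    def __init__(self, formula):
        text = formula.strip()
        if not text.startswith("=") or len(text) > 8192:  # Excel's length limit
            raise FormulaError("not a formula, or longer than Excel allows")
        self.toks, self.i, pos = [], 0, 1
        while pos < len(text):
            m = TOKEN_RE.match(text, pos)
            if m is None:
                raise FormulaError(f"unexpected character at offset {pos}")
            self.toks.append((m.lastgroup, m.group(m.lastgroup).upper()))
            pos = m.end()
        self.toks.append(("end", "end of formula"))  # sentinel, never consumed
        self.tree = self.expr()
        if self.toks[self.i][0] != "end":
            raise FormulaError(f"unexpected {self.toks[self.i][1]!r}")

    def take(self, expected=None):
        tok = self.toks[self.i]
        if tok[0] == "end" or (expected and tok != ("op", expected)):
            raise FormulaError(f"unexpected {tok[1]!r}")
        self.i += 1
        return tok

    def expr(self, level=0):
        if level == len(LEVELS):
            return self.unary()
        node = self.expr(level + 1)
        while self.toks[self.i][0] == "op" and self.toks[self.i][1] in LEVELS[level]:
            node = ("bin", self.take()[1], node, self.expr(level + 1))
        return node

    def unary(self):
        kind, val = self.take()
        if (kind, val) == ("op", "-"):
            # Negation binds tighter than ^ in Excel, so =-2^2 is 4, not -4.
            return ("bin", "-", ("num", 0.0), self.unary())
        if kind == "num":
            return ("num", float(val))
        if (kind, val) == ("op", "("):
            node = self.expr()
            self.take(")")
            return node
        if kind == "name" and self.toks[self.i] == ("op", "("):
            return ("call", val, self.args(val))
        if kind == "name" and re.fullmatch(r"[A-Z]{1,3}\d+", val):
            return ("cell", val)
        raise FormulaError(f"unexpected {val!r}")

    def args(self, name):
        if name not in FUNCTIONS:
            raise FormulaError(f"function not allowed: {name}")
        self.take("(")
        out = []
        while self.toks[self.i] != ("op", ")"):
            if out:
                self.take(",")
            out.append(self.expr())
        self.take(")")
        return out


def evaluate(node, cells):
    kind = node[0]
    if kind == "num":
        return node[1]
    if kind == "cell":
        return cells.get(node[1], 0.0)  # a blank cell counts as 0
    if kind == "bin":
        return OPS[node[1]](evaluate(node[2], cells), evaluate(node[3], cells))
    return FUNCTIONS[node[1]]([evaluate(arg, cells) for arg in node[2]])


def calc(formula, cells):
    """Validate the whole formula, then walk the tree; no eval() or exec()."""
    try:
        return evaluate(Parser(formula).tree, cells)
    except (ArithmeticError, TypeError, ValueError, RecursionError) as exc:
        raise FormulaError(f"evaluation failed: {type(exc).__name__}") from None
```

`calc("=-2^2", {})` returns `4.0` and `calc("=2^3^2", {})` returns `64.0`, matching Excel; handing the same text to Python's `eval` with `^` rewritten as `**` would give `-4` and `512`, so an eval-based shortcut fails FR-004 as well as FR-082.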
Column Mapping & Alias Features (FR-091 to FR-095) - NEW
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| FR-091 | Alias Profiles | System shall support configurable column alias profiles for servicer normalization | P0 - Critical | Implemented |
| FR-092 | Auto-Detection | System shall automatically detect column mappings from uploaded data | P1 - High | Implemented |
| FR-093 | Mapping Persistence | System shall persist mapping configurations for reuse across uploads | P1 - High | Implemented |
| FR-094 | Mapping Versioning | System shall maintain version history of mapping configurations | P2 - Medium | Implemented |
| FR-095 | Ingest Diagnostics | System shall provide diagnostics for schema drift and mapping issues | P1 - High | Implemented |
Supported Alias Profiles
| Profile | Description | Source |
|---|---|---|
| default | Standard CLO holdings fields | System default |
| everest_extended | Everest platform extended fields | Customer specific |
| ratings_export | Credit rating agency exports | Industry standard |
| etfcom_clo_holdings | ETF.com CLO holdings format | ETF.com |
| invesco_clo_holdings | Invesco CLO fund format | Invesco |
| ft_tearsheet_holdings | Financial Times tearsheet | FT |
| hartford_trpa_holdings | Hartford TRPA format | Hartford |
| stockanalysis_clox_holdings | Stock Analysis CLOX | Stock Analysis |
| boe_sme | Bank of England SME template | Regulatory |
| rba_rmbs | RBA RMBS reporting template | Regulatory |
| ecb_rmbs | ECB RMBS template | Regulatory |
| ecb_decc | ECB DECC public sector/SME | Regulatory |
Non-Functional Requirements
Performance Requirements
| ID | Requirement | Target | Measurement |
|---|---|---|---|
| NFR-001 | API Response Time (P50) | < 100ms | Datadog APM |
| NFR-002 | API Response Time (P95) | < 200ms | Datadog APM |
| NFR-003 | API Response Time (P99) | < 500ms | Datadog APM |
| NFR-004 | Workbook Upload Time | < 10s for 10MB file | Processing metrics |
| NFR-005 | Calculation Time | < 5s for 10,000 holdings | Processing metrics |
| NFR-006 | Compliance Test Execution | < 3s for all tests | Processing metrics |
| NFR-007 | What-If Calculation | < 3s per scenario | Processing metrics |
| NFR-008 | Dashboard Load Time | < 2s initial load | Frontend metrics |
| NFR-009 | Search Response Time | < 500ms | API metrics |
| NFR-010 | Report Generation | < 30s for full report | Processing metrics |
| NFR-011 | Reconciliation Run | < 60s for 1,000 positions | Processing metrics |
| NFR-012 | Formula Evaluation | < 50ms per formula | Calculation metrics |
| NFR-013 | DLQ Processing | < 1s per retry | Task metrics |
Scalability Requirements
| ID | Requirement | Target | Notes |
|---|---|---|---|
| NFR-014 | Concurrent Users | 1,000 per tenant | Peak load capacity |
| NFR-015 | Request Throughput | 1,000 req/s | Sustained capacity |
| NFR-016 | Workbook Storage | 100GB per tenant | Configurable limit |
| NFR-017 | Holdings Capacity | 1M holdings per workbook | Max supported |
| NFR-018 | Tenant Count | 500 tenants | Platform capacity |
| NFR-019 | Scenario Count | 1,000 per workbook | Per-workbook limit |
| NFR-020 | Historical Data | 7 years retention | Configurable |
| NFR-021 | Audit Log Retention | 7 years | Compliance requirement |
| NFR-022 | DLQ Capacity | 10,000 items | Auto-purge after 30 days |
| NFR-023 | Reconciliation History | 90 days | Per workbook |
Availability Requirements
| ID | Requirement | Target | Notes |
|---|---|---|---|
| NFR-024 | System Uptime | 99.9% | Monthly SLA |
| NFR-025 | Planned Downtime | < 4 hours/month | Maintenance window |
| NFR-026 | Recovery Time Objective (RTO) | < 1 hour | Disaster recovery |
| NFR-027 | Recovery Point Objective (RPO) | < 15 minutes | Data loss tolerance |
| NFR-028 | Failover Time | < 30 seconds | Auto-failover |
| NFR-029 | Circuit Breaker Recovery | < 60 seconds | Service recovery |
| NFR-030 | DLQ Alert Time | < 5 minutes | Failure notification |
Security Requirements
Authentication & Authorization
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| SEC-001 | Authentication Protocol | System shall use OAuth 2.0 / OpenID Connect for authentication | P0 - Critical | Implemented |
| SEC-002 | MFA Support | System shall support multi-factor authentication | P0 - Critical | Implemented |
| SEC-003 | SSO Integration | System shall integrate with enterprise SSO providers (SAML, OIDC) | P1 - High | Implemented |
| SEC-004 | Session Management | System shall enforce session timeout (configurable, default 8 hours) | P0 - Critical | Implemented |
| SEC-005 | Password Policy | System shall enforce strong password requirements (12+ chars, complexity) | P0 - Critical | Implemented |
| SEC-006 | Role Hierarchy | System shall support hierarchical roles (Super Admin > Tenant Admin > User > Viewer) | P0 - Critical | Implemented |
| SEC-007 | Permission Granularity | System shall support feature-level and resource-level permissions | P1 - High | Implemented |
| SEC-008 | API Key Management | System shall allow generation, rotation, and revocation of API keys | P1 - High | Implemented |
Data Protection
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| SEC-009 | Encryption at Rest | All data shall be encrypted at rest using AES-256 | P0 - Critical | Implemented |
| SEC-010 | Encryption in Transit | All communications shall use TLS 1.3 | P0 - Critical | Implemented |
| SEC-011 | Key Management | Encryption keys shall be managed via AWS KMS or equivalent HSM | P0 - Critical | Implemented |
| SEC-012 | Data Masking | PII shall be masked in logs and non-production environments | P0 - Critical | Implemented |
| SEC-013 | Backup Encryption | All backups shall be encrypted with separate keys | P0 - Critical | Implemented |
| SEC-014 | Secure Deletion | Data deletion shall use secure wipe procedures (NIST 800-88) | P1 - High | Implemented |
Audit & Logging
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| SEC-015 | Access Logging | All access attempts shall be logged (success and failure) | P0 - Critical | Implemented |
| SEC-016 | Change Logging | All data modifications shall be logged with before/after values | P0 - Critical | Implemented |
| SEC-017 | Admin Action Logging | All administrative actions shall be logged with user context | P0 - Critical | Implemented |
| SEC-018 | Log Integrity | Audit logs shall be tamper-evident with cryptographic verification | P0 - Critical | Implemented |
| SEC-019 | Log Retention | Logs shall be retained for 7 years minimum per regulatory requirements | P0 - Critical | Implemented |
| SEC-020 | Log Export | Audit logs shall be exportable in SIEM-compatible formats | P1 - High | Implemented |
Vulnerability Management
| ID | Requirement | Description | Priority | Status |
|---|---|---|---|---|
| SEC-021 | Dependency Scanning | All dependencies shall be scanned for vulnerabilities weekly | P0 - Critical | Implemented |
| SEC-022 | Code Scanning | Static analysis shall be performed on all code changes (SAST) | P0 - Critical | Implemented |
| SEC-023 | Penetration Testing | Annual penetration testing by certified third party | P1 - High | Implemented |
| SEC-024 | Vulnerability Disclosure | Security vulnerability reporting process shall be documented | P1 - High | Implemented |
| SEC-025 | Patch Management | Critical vulnerabilities shall be patched within 24 hours | P0 - Critical | Implemented |
| SEC-026 | Secret Detection | Automated secret detection in code repositories | P0 - Critical | Implemented |
Compliance Requirements
SOC 2 Type II
| Control | Requirement | Status |
|---|---|---|
| CC1.1 | Integrity and ethical values defined and communicated | Compliant |
| CC1.2 | Board oversight of internal controls | Compliant |
| CC1.3 | Management structure and reporting lines | Compliant |
| CC2.1 | Information for internal use is accurate and complete | Compliant |
| CC2.2 | Internal communication of control responsibilities | Compliant |
| CC3.1 | Risk assessment objectives defined | Compliant |
| CC3.2 | Risk identification and analysis procedures | Compliant |
| CC4.1 | Control activities selection and development | Compliant |
| CC5.1 | Control activities over technology | Compliant |
| CC6.1 | Logical access security implementation | Compliant |
| CC6.2 | Access provisioning procedures | Compliant |
| CC6.3 | Access removal procedures | Compliant |
| CC7.1 | System monitoring implementation | Compliant |
| CC7.2 | Incident response procedures | Compliant |
| CC8.1 | Change management procedures | Compliant |
| CC9.1 | Risk mitigation procedures | Compliant |
Data Residency
| Region | Data Center | Compliance |
|---|---|---|
| United States | AWS us-east-1, us-west-2 | SOC 2, HIPAA eligible |
| European Union | AWS eu-west-1 | GDPR compliant |
| United Kingdom | AWS eu-west-2 | UK GDPR compliant |
Usability Requirements
| ID | Requirement | Target |
|---|---|---|
| USE-001 | Time to First Upload | < 5 minutes for new user |
| USE-002 | Task Completion Rate | > 95% for common tasks |
| USE-003 | Error Recovery Time | < 30 seconds to resolve |
| USE-004 | Learning Curve | Productive within 1 day |
| USE-005 | Accessibility | WCAG 2.1 AA compliant |
| USE-006 | Browser Support | Chrome, Firefox, Safari, Edge (latest 2 versions) |
| USE-007 | Screen Size Support | 1280px minimum width |
| USE-008 | Mobile Support | Responsive design for tablets |
| USE-009 | Keyboard Navigation | Full keyboard accessibility |
| USE-010 | Screen Reader Support | Compatible with NVDA, JAWS, VoiceOver |
Integration Requirements
| ID | Integration | Protocol | Priority | Status |
|---|---|---|---|---|
| INT-001 | Geneva | XML Upload / SFTP | P1 - High | Implemented |
| INT-002 | Bloomberg | REST API | P2 - Medium | Planned |
| INT-003 | Intex | File Import | P2 - Medium | Planned |
| INT-004 | Moody's | REST API | P2 - Medium | Planned |
| INT-005 | S&P | REST API | P2 - Medium | Planned |
| INT-006 | Active Directory | LDAP/SAML | P1 - High | Implemented |
| INT-007 | Okta | OIDC | P1 - High | Implemented |
| INT-008 | Azure AD | OIDC | P1 - High | Implemented |
| INT-009 | Slack | Webhook | P3 - Low | Planned |
| INT-010 | Email (SMTP) | SMTP | P1 - High | Implemented |
| INT-011 | Prometheus | Metrics Scrape | P1 - High | Implemented |
| INT-012 | OpenTelemetry | OTLP | P1 - High | Implemented |
| INT-013 | Grafana | Dashboard | P1 - High | Implemented |
| INT-014 | Alertmanager | Alerting | P1 - High | Implemented |
Requirement Traceability
Priority Legend
| Priority | Definition | SLA |
|---|---|---|
| P0 - Critical | Core functionality, no workaround | Must be in MVP |
| P1 - High | Important functionality, difficult workaround | Within 3 months |
| P2 - Medium | Useful functionality, acceptable workaround | Within 6 months |
| P3 - Low | Nice to have, easy workaround | Backlog |
Status Legend
| Status | Definition |
|---|---|
| Implemented | Feature complete and in production |
| In Progress | Currently being developed |
| Planned | Scheduled for future development |
| Deprecated | Removed or replaced |
Appendix: Requirement-to-Feature Matrix
| Feature | Requirements | API Endpoints |
|---|---|---|
| Workbook Management | FR-001, FR-002, FR-003 | /workbooks/* |
| Compliance Testing | FR-005, FR-026-035 | /compliance/* |
| What-If Scenarios | FR-006-008, FR-036-045 | /scenarios/* |
| Reconciliation | FR-051-060 | /reconciliation/* |
| Data Intelligence | FR-061-070 | /insights/* |
| Formula Engine | FR-004, FR-081-090 | /calculations/* |
| Column Mapping | FR-016-017, FR-091-095 | /mappings/* |
| Operational | FR-071-080 | /dlq/, /health/ |
| Alerts | FR-013-014 | /alerts/* |
| Reports | FR-015 | /reports/* |
Last Updated: 2026-02-01 | Version 2.0.0