Functional & Non-Functional Requirements

Overview

This document defines the complete requirements specification for CalcBridge, organized into functional requirements (what the system does) and non-functional requirements (how well it does it).

Functional Requirements

Core Features (FR-001 to FR-010)

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| FR-001 | Workbook Upload | System shall accept Excel workbook uploads (.xlsx, .xls) up to 50MB with automatic validation | P0 - Critical | Implemented |
| FR-002 | Sheet Parsing | System shall parse all worksheets, extracting cell values, formulas, and metadata | P0 - Critical | Implemented |
| FR-003 | Holdings Extraction | System shall identify and extract CLO holdings data with configurable column mapping | P0 - Critical | Implemented |
| FR-004 | Calculation Engine | System shall evaluate Excel formulas with 100% accuracy compared to Excel output | P0 - Critical | Implemented |
| FR-005 | Compliance Test Execution | System shall execute all configured compliance tests and return pass/fail results | P0 - Critical | Implemented |
| FR-006 | What-If Scenario Creation | System shall allow users to create hypothetical scenarios based on workbook data | P0 - Critical | Implemented |
| FR-007 | Scenario Comparison | System shall compare base data with scenarios showing delta for all metrics | P0 - Critical | Implemented |
| FR-008 | Compliance Test in Scenarios | System shall re-run compliance tests within scenarios to evaluate proposed changes | P0 - Critical | Implemented |
| FR-009 | Multi-tenant Isolation | System shall ensure complete data isolation between tenants with zero cross-access | P0 - Critical | Implemented |
| FR-010 | Audit Trail | System shall log all data changes, calculations, and user actions with timestamp and attribution | P0 - Critical | Implemented |

Supporting Features (FR-011 to FR-020)

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| FR-011 | Compliance Dashboard | System shall display real-time compliance status with drill-down to individual tests | P1 - High | In Progress |
| FR-012 | Trend Analysis | System shall track compliance metrics over time and display historical trends | P1 - High | In Progress |
| FR-013 | Alert Configuration | System shall allow users to configure threshold-based alerts for compliance metrics | P1 - High | Planned |
| FR-014 | Email Notifications | System shall send email notifications when alerts are triggered | P1 - High | Planned |
| FR-015 | Report Generation | System shall generate PDF/Excel reports of compliance status and portfolio metrics | P1 - High | In Progress |
| FR-016 | Column Mapping UI | System shall provide visual interface for mapping source columns to system fields | P1 - High | Implemented |
| FR-017 | Mapping Templates | System shall allow saving and reusing column mapping configurations | P2 - Medium | Implemented |
| FR-018 | Data Validation Rules | System shall validate uploaded data against configurable business rules | P1 - High | Implemented |
| FR-019 | Error Reporting | System shall provide detailed error messages with suggestions for resolution | P2 - Medium | Implemented |
| FR-020 | Bulk Operations | System shall support bulk upload and processing of multiple workbooks | P2 - Medium | Planned |

Administrative Features (FR-021 to FR-025)

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| FR-021 | Tenant Management | System shall allow super-admin to create, configure, and deactivate tenants | P0 - Critical | Implemented |
| FR-022 | User Management | System shall allow tenant admins to manage users and role assignments | P0 - Critical | Implemented |
| FR-023 | Role-Based Access | System shall enforce permissions based on user roles (Admin, Analyst, Viewer) | P0 - Critical | Implemented |
| FR-024 | Audit Log Access | System shall provide searchable access to audit logs for authorized users | P1 - High | Implemented |
| FR-025 | System Configuration | System shall allow configuration of global settings (retention, limits, features) | P2 - Medium | In Progress |

Compliance Testing Features (FR-026 to FR-035)

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| FR-026 | OC Test Calculation | System shall calculate Overcollateralization tests (Senior, Mezzanine, Subordinate) | P0 - Critical | Implemented |
| FR-027 | IC Test Calculation | System shall calculate Interest Coverage tests for all tranches | P0 - Critical | Implemented |
| FR-028 | WARF Test | System shall calculate and validate Weighted Average Rating Factor | P0 - Critical | Implemented |
| FR-029 | WAL Test | System shall calculate Weighted Average Life and compare against limits | P0 - Critical | Implemented |
| FR-030 | WAS Test | System shall calculate Weighted Average Spread | P0 - Critical | Implemented |
| FR-031 | Concentration Tests | System shall calculate industry, issuer, and geographic concentration limits | P0 - Critical | Implemented |
| FR-032 | CCC Bucket Test | System shall track CCC-rated holdings against portfolio limits | P1 - High | Implemented |
| FR-033 | Defaulted Asset Test | System shall identify and calculate exposure to defaulted assets | P1 - High | Implemented |
| FR-034 | Diversity Score | System shall calculate Moody's diversity score for the portfolio | P1 - High | In Progress |
| FR-035 | Custom Test Definition | System shall allow users to define custom compliance tests via formula | P2 - Medium | Planned |

What-If Scenario Features (FR-036 to FR-045)

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| FR-036 | Trade Simulation | System shall simulate adding, removing, or modifying positions | P0 - Critical | Implemented |
| FR-037 | Price Change Simulation | System shall simulate market value changes across portfolio | P0 - Critical | Implemented |
| FR-038 | Rating Change Simulation | System shall simulate credit rating migrations and impact | P0 - Critical | Implemented |
| FR-039 | Multi-Trade Scenarios | System shall support multiple simultaneous trades in a single scenario | P1 - High | Implemented |
| FR-040 | Scenario Templates | System shall allow saving scenario configurations as reusable templates | P2 - Medium | Planned |
| FR-041 | Scenario Versioning | System shall maintain version history of scenarios | P1 - High | Implemented |
| FR-042 | Scenario Sharing | System shall allow sharing scenarios between users within a tenant | P2 - Medium | Planned |
| FR-043 | Scenario Export | System shall export scenario details and results to Excel/PDF | P2 - Medium | In Progress |
| FR-044 | Scenario Comparison Matrix | System shall display side-by-side comparison of multiple scenarios | P1 - High | Implemented |
| FR-045 | Scenario Impact Summary | System shall summarize key metric changes between base and scenario | P0 - Critical | Implemented |

API Features (FR-046 to FR-050)

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| FR-046 | RESTful Endpoints | System shall provide REST API for all core operations | P0 - Critical | Implemented |
| FR-047 | API Versioning | System shall support API versioning (v1, v2) with backward compatibility | P1 - High | Implemented |
| FR-048 | API Authentication | System shall require JWT authentication for all API endpoints | P0 - Critical | Implemented |
| FR-049 | Rate Limiting | System shall enforce rate limits per tenant/user | P1 - High | Implemented |
| FR-050 | Webhook Support | System shall support webhooks for event notifications | P2 - Medium | Planned |

Non-Functional Requirements

| ID | Requirement | Target | Measurement |
|----|-------------|--------|-------------|
| NFR-001 | API Response Time (P50) | < 100ms | Datadog APM |
| NFR-002 | API Response Time (P95) | < 200ms | Datadog APM |
| NFR-003 | API Response Time (P99) | < 500ms | Datadog APM |
| NFR-004 | Workbook Upload Time | < 10s for 10MB file | Processing metrics |
| NFR-005 | Calculation Time | < 5s for 10,000 holdings | Processing metrics |
| NFR-006 | Compliance Test Execution | < 3s for all tests | Processing metrics |
| NFR-007 | What-If Calculation | < 3s per scenario | Processing metrics |
| NFR-008 | Dashboard Load Time | < 2s initial load | Frontend metrics |
| NFR-009 | Search Response Time | < 500ms | API metrics |
| NFR-010 | Report Generation | < 30s for full report | Processing metrics |

Scalability Requirements

| ID | Requirement | Target | Notes |
|----|-------------|--------|-------|
| NFR-011 | Concurrent Users | 1,000 per tenant | Peak load capacity |
| NFR-012 | Request Throughput | 1,000 req/s | Sustained capacity |
| NFR-013 | Workbook Storage | 100GB per tenant | Configurable limit |
| NFR-014 | Holdings Capacity | 1M holdings per workbook | Max supported |
| NFR-015 | Tenant Count | 500 tenants | Platform capacity |
| NFR-016 | Scenario Count | 1,000 per workbook | Per-workbook limit |
| NFR-017 | Historical Data | 7 years retention | Configurable |
| NFR-018 | Audit Log Retention | 7 years | Compliance requirement |

Availability Requirements

| ID | Requirement | Target | Notes |
|----|-------------|--------|-------|
| NFR-019 | System Uptime | 99.9% | Monthly SLA |
| NFR-020 | Planned Downtime | < 4 hours/month | Maintenance window |
| NFR-021 | Recovery Time Objective (RTO) | < 1 hour | Disaster recovery |
| NFR-022 | Recovery Point Objective (RPO) | < 15 minutes | Data loss tolerance |
| NFR-023 | Failover Time | < 30 seconds | Auto-failover |

Security Requirements

Authentication & Authorization

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| SEC-001 | Authentication Protocol | System shall use OAuth 2.0 / OpenID Connect for authentication | P0 - Critical | Implemented |
| SEC-002 | MFA Support | System shall support multi-factor authentication | P0 - Critical | Implemented |
| SEC-003 | SSO Integration | System shall integrate with enterprise SSO providers (SAML, OIDC) | P1 - High | Implemented |
| SEC-004 | Session Management | System shall enforce session timeout (configurable, default 8 hours) | P0 - Critical | Implemented |
| SEC-005 | Password Policy | System shall enforce strong password requirements | P0 - Critical | Implemented |
| SEC-006 | Role Hierarchy | System shall support hierarchical roles (Super Admin > Tenant Admin > User > Viewer) | P0 - Critical | Implemented |
| SEC-007 | Permission Granularity | System shall support feature-level permissions | P1 - High | Implemented |
| SEC-008 | API Key Management | System shall allow generation and revocation of API keys | P1 - High | Implemented |

Data Protection

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| SEC-009 | Encryption at Rest | All data shall be encrypted at rest using AES-256 | P0 - Critical | Implemented |
| SEC-010 | Encryption in Transit | All communications shall use TLS 1.3 | P0 - Critical | Implemented |
| SEC-011 | Key Management | Encryption keys shall be managed via AWS KMS or equivalent | P0 - Critical | Implemented |
| SEC-012 | Data Masking | PII shall be masked in logs and non-production environments | P0 - Critical | Implemented |
| SEC-013 | Backup Encryption | All backups shall be encrypted | P0 - Critical | Implemented |
| SEC-014 | Secure Deletion | Data deletion shall use secure wipe procedures | P1 - High | Implemented |

Audit & Logging

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| SEC-015 | Access Logging | All access attempts shall be logged (success and failure) | P0 - Critical | Implemented |
| SEC-016 | Change Logging | All data modifications shall be logged with before/after values | P0 - Critical | Implemented |
| SEC-017 | Admin Action Logging | All administrative actions shall be logged | P0 - Critical | Implemented |
| SEC-018 | Log Integrity | Audit logs shall be tamper-evident | P0 - Critical | Implemented |
| SEC-019 | Log Retention | Logs shall be retained for 7 years minimum | P0 - Critical | Implemented |
| SEC-020 | Log Export | Audit logs shall be exportable for external analysis | P1 - High | Implemented |

Vulnerability Management

| ID | Requirement | Description | Priority | Status |
|----|-------------|-------------|----------|--------|
| SEC-021 | Dependency Scanning | All dependencies shall be scanned for vulnerabilities weekly | P0 - Critical | Implemented |
| SEC-022 | Code Scanning | Static analysis shall be performed on all code changes | P0 - Critical | Implemented |
| SEC-023 | Penetration Testing | Annual penetration testing by third party | P1 - High | Implemented |
| SEC-024 | Vulnerability Disclosure | Security vulnerability reporting process shall be documented | P1 - High | Implemented |
| SEC-025 | Patch Management | Critical vulnerabilities shall be patched within 24 hours | P0 - Critical | Implemented |

Compliance Requirements

SOC 2 Type II

| Control | Requirement | Status |
|---------|-------------|--------|
| CC1.1 | Integrity and ethical values | Compliant |
| CC1.2 | Board oversight | Compliant |
| CC1.3 | Management structure | Compliant |
| CC2.1 | Information for internal use | Compliant |
| CC2.2 | Internal communication | Compliant |
| CC3.1 | Risk assessment objectives | Compliant |
| CC3.2 | Risk identification | Compliant |
| CC4.1 | Control activities selection | Compliant |
| CC5.1 | Control activities over technology | Compliant |
| CC6.1 | Logical access security | Compliant |
| CC6.2 | Access provisioning | Compliant |
| CC6.3 | Access removal | Compliant |
| CC7.1 | System monitoring | Compliant |
| CC7.2 | Incident response | Compliant |
| CC8.1 | Change management | Compliant |
| CC9.1 | Risk mitigation | Compliant |

Data Residency

| Region | Data Center | Compliance |
|--------|-------------|------------|
| United States | AWS us-east-1, us-west-2 | SOC 2, HIPAA eligible |
| European Union | AWS eu-west-1 | GDPR compliant |
| United Kingdom | AWS eu-west-2 | UK GDPR compliant |

Usability Requirements

| ID | Requirement | Target |
|----|-------------|--------|
| USE-001 | Time to First Upload | < 5 minutes for new user |
| USE-002 | Task Completion Rate | > 95% for common tasks |
| USE-003 | Error Recovery Time | < 30 seconds to resolve |
| USE-004 | Learning Curve | Productive within 1 day |
| USE-005 | Accessibility | WCAG 2.1 AA compliant |
| USE-006 | Browser Support | Chrome, Firefox, Safari, Edge (latest 2 versions) |
| USE-007 | Screen Size Support | 1280px minimum width |
| USE-008 | Mobile Support | Responsive design for tablets |

Integration Requirements

| ID | Integration | Protocol | Priority | Status |
|----|-------------|----------|----------|--------|
| INT-001 | Geneva | XML Upload | P1 - High | Implemented |
| INT-002 | Bloomberg | REST API | P2 - Medium | Planned |
| INT-003 | Intex | File Import | P2 - Medium | Planned |
| INT-004 | Moody's | REST API | P2 - Medium | Planned |
| INT-005 | S&P | REST API | P2 - Medium | Planned |
| INT-006 | Active Directory | LDAP/SAML | P1 - High | Implemented |
| INT-007 | Okta | OIDC | P1 - High | Implemented |
| INT-008 | Azure AD | OIDC | P1 - High | Implemented |
| INT-009 | Slack | Webhook | P3 - Low | Planned |
| INT-010 | Email (SMTP) | SMTP | P1 - High | Implemented |

Requirement Traceability

Priority Legend

| Priority | Definition | SLA |
|----------|------------|-----|
| P0 - Critical | Core functionality, no workaround | Must be in MVP |
| P1 - High | Important functionality, difficult workaround | Within 3 months |
| P2 - Medium | Useful functionality, acceptable workaround | Within 6 months |
| P3 - Low | Nice to have, easy workaround | Backlog |

Status Legend

| Status | Icon | Definition |
|--------|------|------------|
| Implemented | | Feature complete and in production |
| In Progress | | Currently being developed |
| Planned | | Scheduled for future development |
| Deprecated | | Removed or replaced |

Last Updated: 2026-01-25 | Version 1.0.0