Security & Compliance
UC-NFR-003: Encryption at Rest
Purpose: Protect sensitive customer data.
| Property | Value |
|---|---|
| Actor | System |
| Trigger | Data write |
| Priority | P0 |
Main Success Scenario:
- App writes customer PII to database.
- Database storage engine encrypts block/row using AES-256.
- Key management service handles key rotation.
Acceptance Criteria:
- [ ] Compliance with local data protection laws.
- [ ] Keys rotated every 90 days.
UC-NFR-004: Role-Based Access Control (RBAC)
Purpose: Restrict access based on user role.
| Property | Value |
|---|---|
| Actor | System |
| Trigger | User attempts action |
| Priority | P0 |
Main Success Scenario:
- "Receptionist" user attempts to "Export All Data".
- System checks permissions.
- Access denied (HTTP 403).
Acceptance Criteria:
- [ ] Granular permissions per module.
- [ ] Default deny for all resources.
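
The default-deny check from UC-NFR-004 as an added example (not part of the original specification). Only "Receptionist" and "Export All Data" come from the use case; the "Administrator" role, the module names and the action names are hypothetical.

```python
from http import HTTPStatus

# Constructed role-to-permission map, one (module, action) pair per grant.
# Only "Receptionist" and the export action come from the use case; every
# other role, module and action name here is a hypothetical placeholder.
ROLE_PERMISSIONS = {
    "Receptionist": {
        ("appointments", "read"),
        ("appointments", "create"),
        ("customers", "read"),
    },
    "Administrator": {
        ("appointments", "read"),
        ("appointments", "create"),
        ("customers", "read"),
        ("customers", "export_all"),
    },
}


def is_allowed(role, module, action):
    """Default deny: only an explicit (module, action) grant allows access."""
    granted = ROLE_PERMISSIONS.get(role)
    if granted is None:  # unknown or missing role gets nothing
        return False
    return (module, action) in granted


def authorize(role, module, action):
    """Return the HTTP status the system answers with for this attempt."""
    if is_allowed(role, module, action):
        return HTTPStatus.OK
    return HTTPStatus.FORBIDDEN


def audit_grants(known_modules):
    """List grants that name a module the application does not define."""
    return sorted(
        (role, module, action)
        for role, grants in ROLE_PERMISSIONS.items()
        for module, action in grants
        if module not in known_modules
    )
```

Running `audit_grants` against the application's module list in CI catches grants that point at renamed or removed modules, which would otherwise sit unused in the permission map.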