SDLC 01: Requirements Specification

Revision history: Updated May 2026 — reflects AWS EC2 hosting migration, PawaPay + Flutterwave payment architecture, and Zambian regulatory compliance.


1. Functional Requirements

1.1 B2B Layer (Merchants, Vendors, Distributors)

  • Multi-tenant vendor onboarding with KYC (NRC upload, TPIN, business registration via PACRA).
  • Product catalogue management: CRUD, bulk import/export, variant support (options & values).
  • Inventory and pricing tier management (wholesale pricing, volume discounts).
  • Order management and fulfilment tracking (delivery status, not "shipping").
  • Payout and settlement reporting; vendors receive proceeds after delivery confirmation.
  • Role-based access control: PLATFORM_ADMIN, SHOP_OWNER, BUYER.
  • Seller application workflow with multi-phase review, document upload, and admin approval.

1.2 B2C Layer (End Consumers)

  • User registration and authentication: email/password, OAuth (Google), magic link, OTP via Resend.
  • Product browsing, search (full-text via searchText), filtering, and category navigation.
  • Shopping cart and checkout workflow with Zambia-specific delivery address collection.
  • Payment via MTN Mobile Money, Airtel Money, Zamtel Kwacha (USSD push) and Visa/Mastercard (hosted card page).
  • Order history, status tracking, and receipt generation.
  • File uploads for custom requests or returns (via Cloudinary, moderated by Sightengine).
  • Email notifications for order confirmations, password reset, welcome, and delivery updates.
  • In-app notifications via the notification microservice.

1.3 Cross-Cutting Functional Requirements

  • Unified admin dashboard: user management, order management, seller applications, broadcast notifications.
  • SEO integration with Google Search Console; meta tags managed per page.
  • Email hosting for customer support via Zoho Mail; transactional email via Resend.
  • Domain via GoDaddy (registrar); DNS/CDN/WAF via Cloudflare.
  • Content moderation for all uploaded images via Sightengine (NSFW, violence detection).
  • Observability via Middleware.io (traces, logs, metrics across all services).

2. Non-Functional Requirements

| Category | Requirement |
|---|---|
| Performance | API response time < 200 ms (p95); homepage load < 1.5 s (Cloudflare-cached) |
| Availability | 99.9% uptime; multi-service redundancy on AWS EC2 |
| Security | JWT-based authentication; WAF via Cloudflare; PCI-DSS SAQ A (no raw card data) |
| Scalability | Horizontal EC2 scaling; Redis caching for sessions, cart, rate-limiting |
| Compliance | Bank of Zambia NPS Act; Zambia Data Protection Act 2021; PCI-DSS SAQ A |
| Maintainability | Prisma schema versioning; environment separation (dev/staging/prod) |
| Zambian Market | ZMW currency only; 16% VAT displayed; mobile money as primary payment; "delivery" (not "shipping") throughout |

3. Technology Stack

| Component | Technology |
|---|---|
| Frontend | Next.js (App Router), React, Tailwind-compatible CSS |
| Backend API | Node.js + Express (hosted on AWS EC2) |
| Database ORM | Prisma |
| Database | PostgreSQL (hosted on AWS EC2 or managed RDS) |
| Caching | Redis (sessions, cart, rate-limiting, payment status) |
| DNS / CDN / WAF | Cloudflare |
| Domain Registrar | GoDaddy |
| Transactional Email | Resend (OTPs, order confirmations, password reset) |
| Email Hosting | Zoho Mail (customer support) |
| File Storage / CDN | Cloudinary |
| SEO Monitoring | Google Search Console |
| APM / Observability | Middleware.io (OpenTelemetry-based) |
| Content Moderation | Sightengine API |
| Mobile Money (primary) | PawaPay (MTN, Airtel, Zamtel) |
| Card / MoMo Failover | Flutterwave |

4. Regulatory & Compliance Requirements

| Regulation | Requirement |
|---|---|
| Bank of Zambia NPS Act | Payments routed through licensed providers (PawaPay, Flutterwave); delayed settlement model to avoid escrow licence requirement |
| Zambia Data Protection Act 2021 | Consent collection; data minimisation; breach notification within 72 hours; DPA agreements with processors |
| PCI-DSS SAQ A | Card data never collected or stored by Pakashop; all card entry via Flutterwave hosted pages |
| ZRA / VAT | 16% VAT displayed and calculated on all transactions |