Accountability: Audit trails must exist for key actions like authentication attempts and role changes. Edit: Audit trails must exist for key actions like authentication attempts (admins, captains and customers), trip bookings and trip status change ------------------------------------------------------------------------------------------------------------------------------------------------ 1.2 Minimal Compliance & Local Best Practices Apply the best security and privacy practices feasible in Syria within local constraints. Focus on protecting sensitive data, OTP processes, payments, and user permissions. Full compliance with GDPR or ISO/IEC 27001 is not mandatory due to local limitations. Edit: this section is a little bit ambiguous, and must be clarified more .. also GDBR is only related to the EU region .. and it is not related to Syria at all ------------------------------------------------------------------------------------------------------------------------------------------------ 1.3 Browser Compatibility Standards Desktop: Chrome, Edge, Firefox, Safari (latest versions) Mobile: Android Chrome (8+), iOS Safari (14+) Tablet: Android Chrome, iPadOS Safari Edit: Mobile android chrome and ios safari doesn't make sense, system versions must be specified as the project is a mobile app .. not a website ------------------------------------------------------------------------------------------------------------------------------------------------ Manual Testing: Manual testing will be executed on all features of the Passenger App, Driver App, and Admin Dashboard. Manual testing includes: Functional Testing Device & Browser Compatibility Integration with critical external services (Payment, OTP) User Experience (UX) Edit: Integration with ALL external services should be tested .. also UI should be tested side by side with UX ------------------------------------------------------------------------------------------------------------------------------------------------ Automated testing doesn't cover captain flows at all .. must be considered ------------------------------------------------------------------------------------------------------------------------------------------------ 2.2 API Testing Strategy Only critical endpoints and critical third-party integrations will be tested using Postman. Scope: Testing will ensure that critical API calls work correctly and responses are valid. Testing Approach: Critical endpoints organized in Postman Collections per service. Use Assertions to validate: Response codes (2xx, 4xx, 5xx) Response time JSON schema/structure Tests will be executed after every major backend update. Edit: Test every endpoint a basic test .. not just the critical endpoints ------------------------------------------------------------------------------------------------------------------------------------------------ 2.3 Performance Testing Limited performance testing will be executed using JMeter to ensure system stability within available infrastructure in Syria. Focus Areas: Ride Creation API: 30 requests per minute OTP Service: 20 concurrent requests Payment Gateway: 10 consecutive payment transactions Performance Goal: Ensure that response time does not exceed 5 seconds in the worst-case scenario. Edit: Very low number of requests .. limits should be increased significantly .. also 5 seconds is a VERY big number and should be decreased to 2 seconds max ------------------------------------------------------------------------------------------------------------------------------------------------ Unit testing for the integrations must be clarified more in