| NFR-SEC-001 | The system shall enforce authentication for protected resources. | High | Confirmed |
| NFR-SEC-002 | The system shall enforce RBAC on backend APIs. | High | Confirmed |
| NFR-SEC-003 | The system shall prevent cross-scope/account data access across schools, suppliers, operators, parents, and students. | High | Confirmed by technical team; Evidence Pending Attachment |
| NFR-SEC-004 | The system shall restrict financial and credential actions with stricter authorization. | High | Confirmed |
| NFR-SEC-005 | The system shall not rely on frontend-only authorization. | High | Confirmed |
| NFR-SEC-006 | Sensitive logs, secrets, and tokens shall not be exposed in documentation. | High | Confirmed |