Business Client needs Mobile App Development
Contact person: Business Client
Location: Hillah, Iraq
Budget: Recommended by industry experts
Time to start: As soon as possible
Project description:
"MesoPay – Full Technical Specification & Security Requirements
Software Development Request Document
1. Project Overview
MesoPay is a premium Iraqi fintech application designed for instant domestic transfers and international remittances to Turkey, Jordan, and the UAE.
The platform must reflect reliability, speed, simplicity, and bank-grade security.
Brand colors must follow a premium identity:
Dark Royal Blue (#0E1F40)
Gold (#D9A441)
2. Core Features
A. Authentication
Phone number login
OTP verification
Device binding (account tied to device)
PIN code inside the app
Biometric authentication for transfers
B. KYC Verification
Capture personal information
Upload ID documents (front & back)
Selfie + liveness detection
KYC review dashboard for admins
Return results: pending / verified / rejected
C. Wallet System
Real-time wallet balance
Add balance (top-up)
Withdraw balance to a bank account
Double-entry accounting ledger
Limits based on KYC level
D. Internal Transfers (Domestic)
Instant transfers between users
Search by phone or MesoID
Real-time notifications
Full compliance data stored
E. International Transfers
Supported corridors: Turkey, Jordan, UAE
Automatic FX calculation
Fee calculation
Beneficiary management
Integration with external partners (API + Webhooks)
F. Transaction History
Filters by type
Transaction details
Ledger entries included
G. Notifications Center
Incoming/outgoing transfers
System notifications
Mark-as-read
H. Merchant Dashboard
Merchant profile
View collected payments
Withdrawal requests
Export reports
3. UI/UX Requirements
Premium fintech identity
Full Figma UI/UX delivery
Arabic (RTL) and English support
All core actions reachable within 2–3 taps
Clean layouts, strong hierarchy, minimalistic design
Required Screens:
Splash, Welcome, Phone Input, OTP, Home, Add Balance, Withdraw, Internal Transfer, International Transfer, Beneficiary Setup, Transaction History, Notifications, Profile, KYC, Merchant Dashboard, Settings, Success/Error screens.
4. Mobile App Requirements (Flutter)
Development in Flutter (Android + iOS)
State management: Bloc or Riverpod
Clean Architecture structure
Secure local storage
App integrity checks (anti-root, anti-jailbreak)
Screen recording blocked on sensitive pages
5. Backend Architecture
Recommended Technology Stack
Node.js (NestJS) or GoLang
PostgreSQL (main database)
Redis (cache + rate limiting)
Message Queue: Redis Streams or RabbitMQ
S3 storage for documents
JWT authentication
Separation of services (modular or microservices)
Core Backend Services
Authentication Service
User & KYC Service
Wallet & Ledger Service
Transfer Engine (Domestic & International)
FX & Fee Engine
Notification Service
Fraud & Risk Engine
Admin Panel Backend
6. Database Schema (Key Tables)
users
otp_codes
user_devices
kyc_profiles
wallets
ledger_entries
transfers
beneficiaries
notifications
audit_logs
fraud_flags
merchants
merchant_settlements
7. Transfer Engine Logic
Domestic Transfers
Validate sender & recipient
Check available balance
Perform double-entry ledgering
Create immutable audit log
Capture device + IP + KYC data
Notify both users instantly
Store data for a minimum of 5 years
International Transfers
Get FX rate
Calculate fees
Deduct balance via ledger
Send request to external partner
Update status through partner webhook
Auto-refund on failure
8. Mandatory Data Requirements (Domestic + International Compliance)
Sender Data
Full legal name
Phone number
National ID number
Date of birth
Device ID
IP address during transaction
KYC level
Address (if applicable)
Recipient Data
Full name
Phone number
Country
Account/IBAN (for international transfers)
Transaction Data
Unique Transaction ID (UUID)
Timestamp
Amount
Fees
FX rate
Status
Purpose of transfer
Partner reference (if international)
Risk score
Full ledger trail
Retention Requirements
All records must be stored for 5–10 years
No deletion or modifications allowed
Travel Rule Compliance (for international transfers)
Must include:
Sender name + ID
Recipient name + account
Country of destination
Transfer amount and purpose
9. Highest Security Standards (Bank-Grade Level)
Encryption
TLS 1.3 only
AES-256 encryption
Field-level encryption for sensitive data
Encrypted local storage
Key Management
Hardware-backed keys (HSM/KMS)
Automatic key rotation
Authentication Security
Multi-Factor Authentication (OTP + PIN + Biometrics)
Device binding
Session timeout policies
App Security
SSL Pinning
Anti-reverse engineering
Anti-debugging
Jailbreak/root detection
Integrity checks
Fraud Detection
Behavioral analytics
Velocity checks
Geo-IP anomaly detection
AML red-flag patterns
Suspicious Activity Report (SAR) generation
Audit Logging
Immutable logs
All updates tracked
Combined user + admin log trails
Infrastructure
Private VPC
WAF firewall
Secure CI/CD
Secrets not stored in code
Multi-region backups
DRP with recovery < 60 minutes
10. Admin Panel Requirements
Admin Features
User management
KYC review
Transaction monitoring
AML & fraud dashboard
Transfer control (refund, block, investigate)
FX rate management
System configuration
Exportable reports (CSV/PDF)
11. API Requirements
Authentication
/auth/request-otp
/auth/verify-otp
/auth/refresh
User/KYC
/kyc/submit
/kyc/status
Wallet
/wallet
/wallet/add
/wallet/withdraw
Domestic Transfers
/transfers/internal
International Transfers
/transfers/international
/transfers/quote
History
/transfers/history
Notifications
/notifications
Merchant APIs
/merchant/overview
/merchant/withdraw
Partner Webhooks
/partners/{id}/webhook
Admin APIs
/admin/users
/admin/kyc
/admin/transfers
/admin/reports
12. Required Deliverables from the Software Company
The selected development company must deliver:
Full Flutter mobile apps (Android & iOS)
Complete backend with all services
Admin Panel dashboard
Full Figma UX/UI design
Database schema and ERD
API documentation (Swagger)
Security implementation (bank-grade)
QA testing + penetration testing
Deployment guide + CI/CD
Full source code ownership
13. Final Statement for the Development Company
MesoPay must be built as a bank-grade financial system,
with a non-modifiable ledger, immutable audit logs,
full AML/KYC compliance, Travel Rule support,
and the highest level of encryption and security.
All transaction data—domestic and international—must be stored
for at least 5 years and be fully exportable for regulatory authorities." (client-provided description)
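The domestic-transfer steps listed in section 7 of the description above (validate parties, check balance, double-entry ledgering, immutable audit log with device and IP), shown as an added example that is not part of the client's specification or any vendor's code. The in-memory store, the function names, the duplicate-transaction check and the hash-chained log format are assumptions chosen for illustration; a hash chain is one way to make edits to an append-only log detectable.

```javascript
const { createHash } = require('node:crypto');

const GENESIS = '0'.repeat(64);
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// In-memory stand-ins (assumption) for the wallets, ledger_entries and audit_logs tables.
// Balances are integers in minor currency units to avoid floating-point drift.
function createStore(balances) {
  return { wallets: new Map(Object.entries(balances)), ledger: [], audit: [] };
}
// Append-only audit record: each entry commits to the hash of the previous one.
function appendAudit(store, event) {
  const prev = store.audit.length ? store.audit[store.audit.length - 1].hash : GENESIS;
  const body = JSON.stringify(event);
  const entry = Object.freeze({ prev, body, hash: sha256(prev + body) });
  store.audit.push(entry);
  return entry;
}
// Recompute the chain; returns the index of the first altered entry, or -1 if intact.
function verifyAudit(store) {
  let prev = GENESIS;
  for (let i = 0; i < store.audit.length; i++) {
    const e = store.audit[i];
    if (e.prev !== prev || e.hash !== sha256(prev + e.body)) return i;
    prev = e.hash;
  }
  return -1;
}
// tx = { txId, from, to, amount, deviceId, ip }; every outcome is audited.
function internalTransfer(store, tx) {
  const { txId, from, to, amount } = tx;
  const reject = (reason) => {
    appendAudit(store, { ...tx, status: 'rejected', reason });
    return { ok: false, reason };
  };
  if (!Number.isSafeInteger(amount) || amount <= 0) return reject('bad_amount');
  if (from === to || !store.wallets.has(from) || !store.wallets.has(to)) return reject('bad_party');
  if (store.ledger.some((l) => l.txId === txId)) return reject('duplicate_tx');
  if (store.wallets.get(from) < amount) return reject('insufficient_funds');
  // Double entry: one debit and one credit of the same amount, so the ledger sums to zero.
  store.ledger.push(Object.freeze({ txId, wallet: from, delta: -amount }),
                    Object.freeze({ txId, wallet: to, delta: amount }));
  store.wallets.set(from, store.wallets.get(from) - amount);
  store.wallets.set(to, store.wallets.get(to) + amount);
  appendAudit(store, { ...tx, status: 'completed' });
  return { ok: true };
}
```

In a real deployment the balance check, both ledger rows and the audit row would be written in one database transaction, and the latest chain hash anchored somewhere the application cannot rewrite.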
Matched companies (7)

B2Bcert ISO consultants in Bangalore

JanakiBhuvi Tech Labs Private Limited

Appsdiary Technologies

Crystal Infoway

Haven Futures

WhizzAct Private Limited
