Legal & Compliance
- Bilko Terms of Service (with Sub-Processor disclosure GDPR Art. 28(4))
- Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)
- DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature
- Sub-Processor Notification Email Template (Bilko)
Bilko Terms of Service (with Sub-Processor disclosure GDPR Art. 28(4))
⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).
Table of Contents
- Acceptance of Terms
- Definitions
- Description of Service
- Account Terms
- Subscription and Billing
- Acceptable Use
- Data Handling and Privacy
- Intellectual Property
- Warranties and Disclaimers
- Limitation of Liability
- Indemnification
- Term and Termination
- Service Availability and Changes
- Governing Law and Dispute Resolution
- General Provisions
- Sub-Processors (GDPR Art. 28(4))
- Contact
1. Acceptance of Terms
By registering for, accessing, or using the Bilko platform (the "Service") available at app.bilko.io, you ("Customer" or "you") agree to be bound by these Terms of Service ("Terms"). If you are accepting these Terms on behalf of a legal entity (a company, partnership, or other organization), you represent that you have the authority to bind that entity to these Terms.
If you do not agree to these Terms, you must not use the Service.
These Terms form a binding legal agreement between you and ALAI Holding AS (org.nr 932 516 136), a company incorporated in Norway, trading as Bilko ("Bilko", "we", "our", or "us").
16. Sub-Processors (GDPR Art. 28(4))
Bilko uses the following sub-processors to provide the Service:
16.1 Document Archive Pipeline
When you enable the document archival feature, Bilko processes certain document types through the following sub-processors:
| Sub-Processor | Legal Entity | Purpose | Data Categories | Geographic Location | Safeguards |
|---|---|---|---|---|---|
| Cloudflare R2 | Cloudflare, Inc., USA | Temporary document staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west storage bucket) | Standard Contractual Clauses (SCCs) per Cloudflare's published DPA |
| ALAI Azure VM (Paperless-ngx) | ALAI Holding AS (org.nr 932 516 136), Norway | Long-term document archive at archive.alai.no | Same document categories as above | EU/EEA (Microsoft Azure Sweden Central region) | ALAI Data Processing Agreement + Azure Standard Contractual Clauses |
16.2 Document Flow and Retention
Document types processed:
- Contracts and agreements
- Invoices (issued and received)
- Care plans (for care organizations)
- Incident reports
- Onboarding documents
Processing flow:
- Documents are written to a Cloudflare R2 staging bucket (temporary storage, typically < 5 minutes)
- A Cloud Run worker uploads documents to the Paperless-ngx archive every 5 minutes
- Documents are retained in the archive per the retention schedule (see Section 7.4)
Retention by document class (interim defaults, subject to legal review):
- Financial documents (invoices, contracts): 7 years (Serbian, BiH, Croatian accounting law)
- Care-related documents (care plans, incident reports): 25 years (UK NHS standard, pending Balkan legal review)
16.3 Sub-Processor Change Notification
Bilko will provide 30 days' advance written notice via email before adding or replacing any sub-processor. You have the right to object to a new sub-processor within the notice period. If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.
Bilko maintains an up-to-date list of sub-processors at bilko.io/sub-processors (to be published).
16.4 GDPR Compliance Reference
This sub-processor disclosure complies with GDPR Article 28(4), which requires the data controller (you) to authorize the data processor (Bilko) to engage sub-processors. By accepting these Terms, you provide such authorization for the sub-processors listed above.
Company: ALAI Holding AS (org.nr 932 516 136)
Contact: support@bilko.io | legal@bilko.io | privacy@bilko.io | dpa@alai.no
Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)
⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).
Table of Contents
- Introduction and Data Controller
- Scope and Applicability
- Legal Framework
- Data We Collect
- Legal Basis for Processing
- How We Use Your Data
- Data Retention Periods
- Data Sharing and Third-Party Processors
- Cross-Border Data Transfers
- Your Rights as a Data Subject
1. Introduction and Data Controller
Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by ALAI Holding AS (org.nr 932 516 136), a company registered in Norway.
Data Protection Officer (DPO):
| Field | Details |
|---|---|
| DPO name | Alem Bašić |
| DPO contact | alem@alai.no |
| Phone | +47 40 47 42 51 |
| Company | ALAI Holding AS (org.nr 932 516 136) |
| Role | Responsible for data protection compliance across all three jurisdictions |
| Appointed | 2026-03-02 |
8. Data Sharing and Third-Party Processors
8.1 Document Archive Sub-Processors
When you enable the document archival feature in Bilko, the following additional sub-processors are used:
| Sub-Processor | Purpose | Data Categories | Location | Safeguards |
|---|---|---|---|---|
| Cloudflare R2 (Cloudflare, Inc., USA) | Temporary staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west bucket) | Standard Contractual Clauses (SCCs) |
| ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway) | Long-term document archive at archive.alai.no | Same categories as above | EU/EEA (Microsoft Azure Sweden Central region) | ALAI DPA + Azure SCCs |
How document archival works:
- Upload: When you mark a document for archival in Bilko (contracts, invoices, care plans, incident reports, onboarding documents), Bilko's backend writes the document to a Cloudflare R2 staging bucket in the EU region.
- Transfer: Every 5 minutes, a Cloud Run worker retrieves documents from R2 and uploads them to Paperless-ngx, a document management system hosted on ALAI's Azure VM (archive.alai.no) located in the Azure Sweden Central region (EU/EEA).
- Retention: Documents are retained in the archive according to the following schedule:
  - Financial documents (invoices, contracts): 7 years (Serbian Zakon o računovodstvu, BiH accounting law, Croatian Zakon o računovodstvu)
  - Care-related documents (care plans, incident reports): 25 years (UK NHS retention standard; pending Balkan legal review for care organizations)
- Deletion: Documents are automatically deleted from Cloudflare R2 after successful upload to Paperless-ngx (typically within 5 minutes). Documents remain in Paperless-ngx for the retention period specified above.
Your rights regarding sub-processors (GDPR Art. 28(4)):
- You will receive 30 days' advance notice via email before Bilko adds or replaces any sub-processor.
- You have the right to object to a new sub-processor within the notice period.
- If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.
- Contact dpa@alai.no to exercise this right.
- This disclosure complies with GDPR Article 28(4), Serbian ZZPL Art. 31(4), and BiH ZZLP equivalent provisions.
Company: ALAI Holding AS (org.nr 932 516 136)
Privacy Contact: privacy@bilko.io | DPO: alem@alai.no | DPA: dpa@alai.no
DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature
⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).
Annex B: Sub-Processors for Bilko Archive Feature
This annex applies specifically to the Bilko product when the archive feature is enabled.
B.1 Cloudflare R2 (Temporary Document Storage)
| Field | Details |
|---|---|
| Sub-processor | Cloudflare, Inc. |
| Address | 101 Townsend St, San Francisco, CA 94107, USA |
| Contact | privacyquestions@cloudflare.com |
| Purpose | Temporary staging of documents for archive pipeline |
| Data Categories Processed | Contracts (PDF), Invoices (PDF), Care Plans, Incident Reports, Onboarding Documents |
| Categories of Data Subjects | Bilko organization's customers, suppliers, patients (for care organizations) |
| Geographic Location | EU region (eu-west R2 storage bucket) |
| Processing Duration | Temporary (typically < 5 minutes; documents deleted after successful transfer to Paperless-ngx) |
| Safeguards | EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture |
| Sub-sub-processors | See Cloudflare's DPA for complete list (https://www.cloudflare.com/cloudflare-customer-dpa/) |
B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)
| Field | Details |
|---|---|
| Sub-processor | ALAI Holding AS (own infrastructure) |
| Org.No | 932 516 136 |
| Address | Tømmerrenna 1B, 2050 Jessheim, Norway |
| Contact | dpa@alai.no |
| Purpose | Long-term archive of business documents at archive.alai.no |
| Data Categories Processed | Same as Cloudflare R2 above |
| Categories of Data Subjects | Same as Cloudflare R2 above |
| Geographic Location | EU/EEA (Microsoft Azure Sweden Central region) |
| Processing Duration | Permanent archive per retention schedule: • Financial documents: 7 years (accounting law RS/BA/HR) • Care documents: 25 years (UK NHS standard, interim) |
| Safeguards | ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; Role-Based Access Control (RBAC); Paperless-ngx with OAuth2 authentication; Daily Azure backup with 30-day retention; Immutable audit trail in PostgreSQL |
| Sub-sub-processors | Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA) |
B.3 Data Flow for Archival
Bilko Backend (Cloud Run)
↓ (POST /archive)
Cloudflare R2 (eu-west bucket)
← [5-minute batch job]
Cloud Run Worker
↓ (HTTP POST to Paperless-ngx API)
ALAI Azure VM (archive.alai.no)
→ Permanent archive (7–25 years)
B.4 Notice of Sub-Processor Changes
ALAI Holding AS commits to notifying the Data Controller at least 30 days in advance via email before:
- New sub-processors are added to the archive pipeline
- Existing sub-processors are replaced
- Geographic location of processing changes
The Data Controller may object within this period if the new sub-processor does not meet data protection requirements.
Company: ALAI Holding AS (org.nr 932 516 136)
DPA Contact: dpa@alai.no
Sub-Processor Notification Email Template (Bilko)
⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).
Version: 1.0
Last Updated: 2026-05-08
Purpose: Notify Bilko tenants of new sub-processors per GDPR Art. 28(4)
Language: English (Norwegian translation below)
Email Template — English
Subject: Bilko Sub-Processor Update — Effective {{DATE_PLUS_30_DAYS}}
Dear {{TENANT_NAME}},
We are writing to inform you of changes to our sub-processor list for the Bilko accounting platform, in accordance with our Data Processing Agreement (DPA) and GDPR Article 28(4).
New Sub-Processors
Effective {{DATE_PLUS_30_DAYS}}, Bilko will use the following sub-processors for the document archival feature:
| Sub-Processor | Purpose | Data Categories | Geographic Location | Safeguards |
|---|---|---|---|---|
| Cloudflare R2 (Cloudflare, Inc., USA) | Temporary staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west storage bucket) | Standard Contractual Clauses (SCCs) per Cloudflare's published DPA |
| ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway) | Long-term document archive at archive.alai.no | Same categories as above | EU/EEA (Microsoft Azure Sweden Central region) | ALAI DPA + Azure Standard Contractual Clauses |
What This Means for You
- If you have enabled the document archival feature in Bilko, documents you mark for archival (contracts, invoices, care plans, incident reports, onboarding documents) will be processed through these sub-processors.
- Data flow: Documents are temporarily staged in Cloudflare R2 (typically < 5 minutes), then transferred to ALAI's Paperless-ngx archive system hosted on Microsoft Azure (Sweden Central region).
- Retention: Financial documents are retained for 7 years; care-related documents for 25 years (per applicable accounting and care regulations).
- Security: All sub-processors are bound by Data Processing Agreements and Standard Contractual Clauses. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
Your Right to Object
Under GDPR Article 28(4), you have the right to object to the use of these sub-processors within 30 days of receiving this notice.
If you object:
- Send your objection in writing to dpa@alai.no by {{DATE_PLUS_30_DAYS}}.
- We will work with you to find an alternative solution or, if not possible, allow you to terminate your Bilko subscription without penalty.
If you do not object by {{DATE_PLUS_30_DAYS}}, this will constitute your consent to the use of these sub-processors.
30-Day Advance Notice
This notice is provided 30 days in advance of the effective date ({{DATE_PLUS_30_DAYS}}) in accordance with our DPA Section 3.4 and your Terms of Service Section 16.3.
Questions or Concerns
If you have any questions about these sub-processors or our data processing practices, please contact:
- Data Protection Officer: Alem Bašić — alem@alai.no — +47 40 47 42 51
- DPA Inquiries: dpa@alai.no
- General Support: support@bilko.io
Company Information
ALAI Holding AS
- Org.nr: 932 516 136
- Address: Tømmerrenna 1B, 2050 Jessheim, Norway
- Email: dpa@alai.no
- Website: https://bilko.io
We appreciate your trust in Bilko and remain committed to protecting your data in accordance with the highest standards of data protection law.
Best regards,
The Bilko Team
ALAI Holding AS
Email Template — Norwegian (Norsk oversettelse — UTKAST)
Emne: Bilko oppdatering av underleverandører — Trer i kraft {{DATE_PLUS_30_DAYS}}
Kjære {{TENANT_NAME}},
Vi skriver for å informere deg om endringer i vår liste over underleverandører for Bilko regnskapsplattform, i samsvar med vår databehandleravtale (DPA) og GDPR Artikkel 28(4).
Nye underleverandører
Med virkning fra {{DATE_PLUS_30_DAYS}} vil Bilko bruke følgende underleverandører for dokumentarkivfunksjonen:
| Underleverandør | Formål | Datakategorier | Geografisk plassering | Sikkerhetstiltak |
|---|---|---|---|---|
| Cloudflare R2 (Cloudflare, Inc., USA) | Midlertidig staging for arkivpipeline | Kontrakter (PDF), fakturaer, omsorgsplaner, hendelsesrapporter, onboarding-dokumenter | EU-region (eu-west lagringsbucket) | Standard Contractual Clauses (SCC) per Cloudflares publiserte DPA |
| ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norge) | Langtidsarkiv ved archive.alai.no | Samme kategorier som ovenfor | EU/EØS (Microsoft Azure Sweden Central-region) | ALAI DPA + Azure Standard Contractual Clauses |
Selskapsinfo: ALAI Holding AS (org.nr 932 516 136) • dpa@alai.no • https://bilko.io
Usage Instructions
Placeholders to Replace
| Placeholder | Description | Example |
|---|---|---|
| {{TENANT_NAME}} | Organization name from Bilko database | "Acme Accounting d.o.o." |
| {{DATE_PLUS_30_DAYS}} | Effective date (30 days from send date) | "2026-06-07" |
When to Send
This template should be sent:
- 30 days before enabling the archive feature for existing tenants
- 30 days before adding any new sub-processor to the archive pipeline
- 30 days before replacing an existing sub-processor
Sending Method
- Email: Send to organization owner's registered email address
- In-app notification: Display banner in Bilko UI with link to full notice
- Audit log: Record sending timestamp and recipient in Bilko's audit trail
Company: ALAI Holding AS (org.nr 932 516 136)
Contact: dpa@alai.no | support@bilko.io