# Legal & Compliance

# Bilko Terms of Service (with Sub-Processor disclosure GDPR Art. 28(4))

⚠️ **DRAFT** — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

---

## Table of Contents

1. [Acceptance of Terms](#1-acceptance-of-terms)
2. [Definitions](#2-definitions)
3. [Description of Service](#3-description-of-service)
4. [Account Terms](#4-account-terms)
5. [Subscription and Billing](#5-subscription-and-billing)
6. [Acceptable Use](#6-acceptable-use)
7. [Data Handling and Privacy](#7-data-handling-and-privacy)
8. [Intellectual Property](#8-intellectual-property)
9. [Warranties and Disclaimers](#9-warranties-and-disclaimers)
10. [Limitation of Liability](#10-limitation-of-liability)
11. [Indemnification](#11-indemnification)
12. [Term and Termination](#12-term-and-termination)
13. [Service Availability and Changes](#13-service-availability-and-changes)
14. [Governing Law and Dispute Resolution](#14-governing-law-and-dispute-resolution)
15. [General Provisions](#15-general-provisions)
16. [Sub-Processors (GDPR Art. 28(4))](#16-sub-processors-gdpr-art-284)
17. [Contact](#17-contact)

---

## 1. Acceptance of Terms

By registering for, accessing, or using the Bilko platform (the "Service") available at **app.bilko.io**, you ("Customer" or "you") agree to be bound by these Terms of Service ("Terms"). If you are accepting these Terms on behalf of a legal entity (a company, partnership, or other organization), you represent that you have the authority to bind that entity to these Terms.

**If you do not agree to these Terms, you must not use the Service.**

These Terms form a binding legal agreement between you and **ALAI Holding AS** (org.nr 932 516 136), a company incorporated in Norway, trading as Bilko ("Bilko", "we", "our", or "us").

## 16. Sub-Processors (GDPR Art. 28(4))

Bilko uses the following sub-processors to provide the Service:

### 16.1 Document Archive Pipeline

When you enable the document archival feature, Bilko processes certain document types through the following sub-processors:

<table id="bkmrk-sub-processor-legal-"><thead><tr><th>Sub-Processor</th><th>Legal Entity</th><th>Purpose</th><th>Data Categories</th><th>Geographic Location</th><th>Safeguards</th></tr></thead><tbody><tr><td>**Cloudflare R2**</td><td>Cloudflare, Inc., USA</td><td>Temporary document staging for archive pipeline</td><td>Contract PDFs, invoices, care plans, incident reports, onboarding documents</td><td>EU region (eu-west storage bucket)</td><td>Standard Contractual Clauses (SCCs) per Cloudflare's published DPA</td></tr><tr><td>**ALAI Azure VM (Paperless-ngx)**</td><td>ALAI Holding AS (org.nr 932 516 136), Norway</td><td>Long-term document archive at archive.alai.no</td><td>Same document categories as above</td><td>EU/EEA (Microsoft Azure Sweden Central region)</td><td>ALAI Data Processing Agreement + Azure Standard Contractual Clauses</td></tr></tbody></table>

### 16.2 Document Flow and Retention

**Document types processed:**

- Contracts and agreements
- Invoices (issued and received)
- Care plans (for care organizations)
- Incident reports
- Onboarding documents

**Processing flow:**

1. Documents marked for archival are written to a Cloudflare R2 staging bucket in the EU region (temporary storage, typically < 5 minutes)
2. Every 5 minutes a Cloud Run worker retrieves the staged documents and uploads them to the Paperless-ngx archive; the staged copy is deleted from R2 only after a successful upload
3. Documents are retained in the archive per the retention schedule (see Section 7.4)

**Retention by document class (interim defaults, subject to legal review):**

- Financial documents (invoices, contracts): 7 years (Serbian, BiH, Croatian accounting law)
- Care-related documents (care plans, incident reports): 25 years (UK NHS standard, pending Balkan legal review)

### 16.3 Sub-Processor Change Notification

Bilko will provide **30 days' advance written notice** via email before adding or replacing any sub-processor. You have the right to object to a new sub-processor within the notice period. If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.

Bilko maintains an up-to-date list of sub-processors at **bilko.io/sub-processors** (to be published).

### 16.4 GDPR Compliance Reference

This sub-processor disclosure is made under GDPR Article 28(2), which requires the data processor (Bilko) to obtain the data controller's (your) prior written authorisation, specific or general, before engaging a sub-processor, and Article 28(4), which requires Bilko to impose the same data protection obligations on each sub-processor by contract. By accepting these Terms, you give general written authorisation for the sub-processors listed above; Section 16.3 sets out how you are informed of, and may object to, additions or replacements.

---

**Company:** ALAI Holding AS (org.nr 932 516 136)  
**Contact:** support@bilko.io | legal@bilko.io | privacy@bilko.io | dpa@alai.no

# Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)

⚠️ **DRAFT** — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

---

## Table of Contents

1. [Introduction and Data Controller](#1-introduction-and-data-controller)
2. [Scope and Applicability](#2-scope-and-applicability)
3. [Legal Framework](#3-legal-framework)
4. [Data We Collect](#4-data-we-collect)
5. [Legal Basis for Processing](#5-legal-basis-for-processing)
6. [How We Use Your Data](#6-how-we-use-your-data)
7. [Data Retention Periods](#7-data-retention-periods)
8. [Data Sharing and Third-Party Processors](#8-data-sharing-and-third-party-processors)
9. [Cross-Border Data Transfers](#9-cross-border-data-transfers)
10. [Your Rights as a Data Subject](#10-your-rights-as-a-data-subject)

---

## 1. Introduction and Data Controller

Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by **ALAI Holding AS** (org.nr 932 516 136), a company registered in Norway.

**Data Protection Officer (DPO):**

<table id="bkmrk-fielddetails-dpo-nam"><thead><tr><th>Field</th><th>Details</th></tr></thead><tbody><tr><td>DPO name</td><td>Alem Bašić</td></tr><tr><td>DPO contact</td><td>alem@alai.no</td></tr><tr><td>Phone</td><td>+47 40 47 42 51</td></tr><tr><td>Company</td><td>ALAI Holding AS (org.nr 932 516 136)</td></tr><tr><td>Role</td><td>Responsible for data protection compliance across all three jurisdictions</td></tr><tr><td>Appointed</td><td>2026-03-02</td></tr></tbody></table>

## 8. Data Sharing and Third-Party Processors

Bilko shares your data only with the following categories of third parties, all of whom are bound by Data Processing Agreements (DPAs):

### 8.1 Document Archive Sub-Processors

When you enable the **document archival feature** in Bilko, the following additional sub-processors are used:

<table id="bkmrk-sub-processor-purpos"><thead><tr><th>Sub-Processor</th><th>Purpose</th><th>Data Categories</th><th>Location</th><th>Safeguards</th></tr></thead><tbody><tr><td>**Cloudflare R2** (Cloudflare, Inc., USA)</td><td>Temporary staging for archive pipeline</td><td>Contract PDFs, invoices, care plans, incident reports, onboarding documents</td><td>EU region (eu-west bucket)</td><td>Standard Contractual Clauses (SCCs)</td></tr><tr><td>**ALAI Azure VM Paperless-ngx** (ALAI Holding AS, org.nr 932 516 136, Norway)</td><td>Long-term document archive at archive.alai.no</td><td>Same categories as above</td><td>EU/EEA (Microsoft Azure Sweden Central region)</td><td>ALAI DPA + Azure SCCs</td></tr></tbody></table>

**How document archival works:**

1. **Upload:** When you mark a document for archival in Bilko (contracts, invoices, care plans, incident reports, onboarding documents), Bilko's backend writes the document to a Cloudflare R2 staging bucket in the EU region.
2. **Transfer:** Every 5 minutes, a Cloud Run worker retrieves documents from R2 and uploads them to Paperless-ngx, a document management system hosted on ALAI's Azure VM (archive.alai.no) located in the Azure Sweden Central region (EU/EEA).
3. **Retention:** Documents are retained in the archive according to the following schedule: 
    - **Financial documents** (invoices, contracts): **7 years** (Serbian Zakon o računovodstvu, BiH accounting law, Croatian Zakon o računovodstvu)
    - **Care-related documents** (care plans, incident reports): **25 years** (UK NHS retention standard; pending Balkan legal review for care organizations)
4. **Deletion:** Documents are automatically deleted from Cloudflare R2 after successful upload to Paperless-ngx (typically within 5 minutes). Documents remain in Paperless-ngx for the retention period specified above.

**Your rights regarding sub-processors (GDPR Art. 28(2) and 28(4)):**

- You will receive **30 days' advance notice** via email before Bilko adds or replaces any sub-processor.
- You have the right to **object** to a new sub-processor within the notice period.
- If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.
- Contact **dpa@alai.no** to exercise this right.
- This disclosure and objection right follow GDPR Article 28(2) (general written authorisation, with the opportunity to object to changes) and Article 28(4) (the same data protection obligations are imposed on each sub-processor by contract), together with Serbian ZZPL Art. 31(4) and the equivalent BiH ZZLP provisions.

---

**Company:** ALAI Holding AS (org.nr 932 516 136)  
**Privacy Contact:** privacy@bilko.io | DPO: alem@alai.no | DPA: dpa@alai.no

# DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature

⚠️ **DRAFT** — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

---

## Annex B: Sub-Processors for Bilko Archive Feature

This annex applies specifically to the Bilko product when the archive feature is enabled.

### B.1 Cloudflare R2 (Temporary Document Storage)

<table id="bkmrk-fielddetails-sub-pro"><thead><tr><th>Field</th><th>Details</th></tr></thead><tbody><tr><td>**Sub-processor**</td><td>Cloudflare, Inc.</td></tr><tr><td>**Address**</td><td>101 Townsend St, San Francisco, CA 94107, USA</td></tr><tr><td>**Contact**</td><td>privacyquestions@cloudflare.com</td></tr><tr><td>**Purpose**</td><td>Temporary staging of documents for archive pipeline</td></tr><tr><td>**Data Categories Processed**</td><td>Contracts (PDF), Invoices (PDF), Care Plans, Incident Reports, Onboarding Documents</td></tr><tr><td>**Categories of Data Subjects**</td><td>Bilko organization's customers, suppliers, patients (for care organizations)</td></tr><tr><td>**Geographic Location**</td><td>EU region (eu-west R2 storage bucket)</td></tr><tr><td>**Processing Duration**</td><td>Temporary (typically &lt; 5 minutes; documents deleted after successful transfer to Paperless-ngx)</td></tr><tr><td>**Safeguards**</td><td>EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture</td></tr><tr><td>**Sub-sub-processors**</td><td>See Cloudflare's DPA for complete list (https://www.cloudflare.com/cloudflare-customer-dpa/)</td></tr></tbody></table>

### B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)

<table id="bkmrk-fielddetails-sub-pro-1"><thead><tr><th>Field</th><th>Details</th></tr></thead><tbody><tr><td>**Sub-processor**</td><td>ALAI Holding AS (own infrastructure)</td></tr><tr><td>**Org.nr**</td><td>932 516 136</td></tr><tr><td>**Address**</td><td>Tømmerrenna 1B, 2050 Jessheim, Norway</td></tr><tr><td>**Contact**</td><td>dpa@alai.no</td></tr><tr><td>**Purpose**</td><td>Long-term archive of business documents at archive.alai.no</td></tr><tr><td>**Data Categories Processed**</td><td>Same as Cloudflare R2 above</td></tr><tr><td>**Categories of Data Subjects**</td><td>Same as Cloudflare R2 above</td></tr><tr><td>**Geographic Location**</td><td>EU/EEA (Microsoft Azure Sweden Central region)</td></tr><tr><td>**Processing Duration**</td><td>Retained for the retention period of the document class, then deleted: financial documents 7 years (accounting law RS/BA/HR); care documents 25 years (UK NHS standard, interim pending Balkan legal review)</td></tr><tr><td>**Safeguards**</td><td>ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; Role-Based Access Control (RBAC); Paperless-ngx with OAuth2 authentication; Daily Azure backup with 30-day retention; Immutable audit trail in PostgreSQL</td></tr><tr><td>**Sub-sub-processors**</td><td>Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA)</td></tr></tbody></table>

### B.3 Data Flow for Archival

```
Bilko Backend (Cloud Run)
    ↓  POST /archive: write the document to the staging bucket
Cloudflare R2 (eu-west bucket): staged copy, kept until the archive confirms receipt
    ↓  every 5 minutes: Cloud Run worker lists and downloads the staged documents
Cloud Run Worker
    ↓  HTTP POST to the Paperless-ngx API; staged copy deleted only after success
ALAI Azure VM, Paperless-ngx (archive.alai.no, Azure Sweden Central)
    ↓  retained 7 years (financial) or 25 years (care), then deleted
```
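The staging-to-archive hop in B.3 (the same flow as Terms of Service 16.2 and Privacy Notice 8.1) is shown below as an added example written for this page; it is not Bilko's or ALAI's production worker. It drains the staging bucket, tags each document with a deletion date derived from the retention classes above, and deletes the staged copy only after the archive has acknowledged the upload. The object key layout `<tenant>/<document_class>/<filename>`, the tag names, and the `post_document` interface standing in for Paperless-ngx's `POST /api/documents/post_document/` endpoint are assumptions; the sample documents are constructed and the R2 and Paperless-ngx clients are in-memory fakes so the code runs offline.

```python
"""Archive worker for the R2 -> Paperless-ngx hop. Added example, not Bilko code.
Assumed (not on the page): keys are <tenant>/<document_class>/<filename>, and the
archive is reached through a post_document() interface standing in for
Paperless-ngx's POST /api/documents/post_document/ endpoint."""
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Protocol, Set

# Retention per document class as listed on the page (interim defaults).
# Onboarding documents have no documented period, so they are deliberately absent.
RETENTION_YEARS: Dict[str, int] = {
    "contract": 7, "invoice": 7,             # financial: accounting law RS/BA/HR
    "care_plan": 25, "incident_report": 25,  # care: UK NHS standard, interim
}


class StagingBucket(Protocol):
    """Minimal view of the R2 staging bucket (S3-compatible list/get/delete)."""
    def list_keys(self) -> List[str]: ...
    def get(self, key: str) -> bytes: ...
    def delete(self, key: str) -> None: ...


class ArchiveClient(Protocol):
    """Minimal view of the Paperless-ngx document consumption call."""
    def post_document(self, filename: str, content: bytes, tags: List[str]) -> str: ...


@dataclass
class InMemoryBucket:
    objects: Dict[str, bytes] = field(default_factory=dict)
    def list_keys(self) -> List[str]: return sorted(self.objects)
    def get(self, key: str) -> bytes: return self.objects[key]
    def delete(self, key: str) -> None: del self.objects[key]


@dataclass
class InMemoryArchive:
    """Fake Paperless-ngx: stores by content hash (a retried upload is idempotent)
    and raises for filenames in `unavailable` to simulate an outage."""
    stored: Dict[str, dict] = field(default_factory=dict)
    unavailable: Set[str] = field(default_factory=set)

    def post_document(self, filename: str, content: bytes, tags: List[str]) -> str:
        if filename in self.unavailable:
            raise ConnectionError(f"archive rejected {filename}")
        digest = hashlib.sha256(content).hexdigest()
        self.stored[digest] = {"filename": filename, "tags": list(tags)}
        return digest


def retention_tag(doc_class: str, archived_on: date) -> Optional[str]:
    """Tag carrying the earliest deletion date, or None if the class has no period."""
    years = RETENTION_YEARS.get(doc_class)
    if years is None:
        return None
    try:
        expires = archived_on.replace(year=archived_on.year + years)
    except ValueError:  # 29 February landing in a non-leap year
        expires = archived_on.replace(year=archived_on.year + years, day=28)
    return f"retain-until:{expires.isoformat()}"


@dataclass
class RunReport:
    archived: List[str] = field(default_factory=list)  # uploaded, staged copy deleted
    retried: List[str] = field(default_factory=list)   # archive failed, left in staging
    held: List[str] = field(default_factory=list)      # no retention class, left in staging


def drain_staging(bucket: StagingBucket, archive: ArchiveClient, today: date) -> RunReport:
    """One batch run. The staged copy is deleted only after the archive accepts it;
    nothing is deleted on failure, so an outage delays archival but loses nothing."""
    report = RunReport()
    for key in bucket.list_keys():
        parts = key.split("/", 2)
        if len(parts) != 3:
            report.held.append(key)  # malformed key: do not guess a class
            continue
        tenant, doc_class, filename = parts
        tag = retention_tag(doc_class, today)
        if tag is None:
            report.held.append(key)  # never archive without a retention tag
            continue
        try:
            archive.post_document(filename, bucket.get(key),
                                  tags=[f"tenant:{tenant}", f"class:{doc_class}", tag])
        except (ConnectionError, TimeoutError):
            report.retried.append(key)  # the next 5-minute run picks it up again
            continue
        bucket.delete(key)  # only after the archive acknowledged the document
        report.archived.append(key)
    return report


def demo():
    """Constructed sample run: one archive outage and one undocumented class."""
    bucket = InMemoryBucket({
        "tenant-a/invoice/inv-001.pdf": b"%PDF-1.4 invoice",
        "tenant-a/care_plan/cp-77.pdf": b"%PDF-1.4 care plan",
        "tenant-b/contract/c-9.pdf": b"%PDF-1.4 contract",
        "tenant-b/onboarding/ob-1.pdf": b"%PDF-1.4 onboarding",
    })
    archive = InMemoryArchive(unavailable={"c-9.pdf"})
    report = drain_staging(bucket, archive, date(2026, 5, 8))
    return report, archive, bucket


if __name__ == "__main__":
    print(demo()[0])
```

Two behaviours here back the page's wording. Deleting the staged copy only after the archive accepts the document is what makes "typically < 5 minutes" safe to state: during an outage documents stay in R2 for the next run instead of being lost, so the staging dwell time is bounded by worker cadence plus outage length, not a hard 5 minutes. Holding back classes with no documented retention period (onboarding documents, on this page) avoids archiving anything without a deletion date; and deletion at the end of a period is only complete once the daily backups with 30-day retention listed in B.2 have aged out.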

### B.4 Notice of Sub-Processor Changes

ALAI Holding AS commits to notifying the Data Controller **at least 30 days in advance** via email before:

- New sub-processors are added to the archive pipeline
- Existing sub-processors are replaced
- Geographic location of processing changes

The Data Controller may object within this period if the new sub-processor does not meet data protection requirements.

---

**Company:** ALAI Holding AS (org.nr 932 516 136)  
**DPA Contact:** dpa@alai.no

# Sub-Processor Notification Email Template (Bilko)

⚠️ **DRAFT** — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

---

## Sub-Processor Notification Email Template (Bilko)

**Version:** 1.0  
**Last Updated:** 2026-05-08  
**Purpose:** Notify Bilko tenants of new sub-processors per GDPR Art. 28(4)  
**Language:** English (Norwegian translation below)

---

### Email Template — English

**Subject:** Bilko Sub-Processor Update — Effective {{DATE_PLUS_30_DAYS}}

---

**Dear {{TENANT_NAME}},**

We are writing to inform you of changes to our sub-processor list for the Bilko accounting platform, in accordance with our Data Processing Agreement (DPA) and GDPR Article 28(4).

#### New Sub-Processors

Effective **{{DATE_PLUS_30_DAYS}}**, Bilko will use the following sub-processors for the **document archival feature**:

<table id="bkmrk-sub-processor-purpos"><thead><tr><th>Sub-Processor</th><th>Purpose</th><th>Data Categories</th><th>Geographic Location</th><th>Safeguards</th></tr></thead><tbody><tr><td>**Cloudflare R2** (Cloudflare, Inc., USA)</td><td>Temporary staging for archive pipeline</td><td>Contract PDFs, invoices, care plans, incident reports, onboarding documents</td><td>EU region (eu-west storage bucket)</td><td>Standard Contractual Clauses (SCCs) per Cloudflare's published DPA</td></tr><tr><td>**ALAI Azure VM Paperless-ngx** (ALAI Holding AS, org.nr 932 516 136, Norway)</td><td>Long-term document archive at archive.alai.no</td><td>Same categories as above</td><td>EU/EEA (Microsoft Azure Sweden Central region)</td><td>ALAI DPA + Azure Standard Contractual Clauses</td></tr></tbody></table>

#### What This Means for You

- **If you have enabled the document archival feature** in Bilko, documents you mark for archival (contracts, invoices, care plans, incident reports, onboarding documents) will be processed through these sub-processors.
- **Data flow:** Documents are temporarily staged in Cloudflare R2 (typically < 5 minutes), then transferred to ALAI's Paperless-ngx archive system hosted on Microsoft Azure (Sweden Central region).
- **Retention:** Financial documents are retained for 7 years; care-related documents for 25 years (per applicable accounting and care regulations).
- **Security:** All sub-processors are bound by Data Processing Agreements and Standard Contractual Clauses. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).

#### Your Right to Object

Under GDPR Article 28(2) (general written authorisation of sub-processors, with the opportunity to object to changes), you have the right to **object to the use of these sub-processors** within **30 days** of receiving this notice.

**If you object:**

1. Send your objection in writing to **dpa@alai.no** by **{{DATE_PLUS_30_DAYS}}**.
2. We will work with you to find an alternative solution or, if not possible, allow you to terminate your Bilko subscription without penalty.

**If you do not object** by {{DATE_PLUS_30_DAYS}}, the sub-processors listed above are treated as authorised under the general written authorisation in our DPA and Section 16.4 of the Terms of Service.

#### 30-Day Advance Notice

This notice is provided **30 days in advance** of the effective date ({{DATE_PLUS_30_DAYS}}) in accordance with our DPA Section 3.4 and your Terms of Service Section 16.3.

#### Questions or Concerns

If you have any questions about these sub-processors or our data processing practices, please contact:

- **Data Protection Officer:** Alem Bašić — alem@alai.no — +47 40 47 42 51
- **DPA Inquiries:** dpa@alai.no
- **General Support:** support@bilko.io

#### Company Information

**ALAI Holding AS**

- Org.nr: 932 516 136
- Address: Tømmerrenna 1B, 2050 Jessheim, Norway
- Email: dpa@alai.no
- Website: https://bilko.io

We appreciate your trust in Bilko and remain committed to protecting your data in accordance with the highest standards of data protection law.

Best regards,  
**The Bilko Team**  
ALAI Holding AS

---

### Email Template — Norwegian version (draft translation)

**Subject:** Bilko sub-processor update — effective {{DATE_PLUS_30_DAYS}}

**Dear {{TENANT_NAME}},**

We are writing to inform you of changes to our list of sub-processors for the Bilko accounting platform, in accordance with our data processing agreement (DPA) and GDPR Article 28(4).

#### New sub-processors

With effect from **{{DATE_PLUS_30_DAYS}}**, Bilko will use the following sub-processors for the **document archive feature**:

<table id="bkmrk-underleverand%C3%B8r-form"><thead><tr><th>Sub-Processor</th><th>Purpose</th><th>Data Categories</th><th>Geographic Location</th><th>Safeguards</th></tr></thead><tbody><tr><td>**Cloudflare R2** (Cloudflare, Inc., USA)</td><td>Temporary staging for the archive pipeline</td><td>Contracts (PDF), invoices, care plans, incident reports, onboarding documents</td><td>EU region (eu-west storage bucket)</td><td>Standard Contractual Clauses (SCC) per Cloudflare's published DPA</td></tr><tr><td>**ALAI Azure VM Paperless-ngx** (ALAI Holding AS, org.nr 932 516 136, Norway)</td><td>Long-term archive at archive.alai.no</td><td>Same categories as above</td><td>EU/EEA (Microsoft Azure Sweden Central region)</td><td>ALAI DPA + Azure Standard Contractual Clauses</td></tr></tbody></table>

**Company information:** ALAI Holding AS (org.nr 932 516 136) • dpa@alai.no • https://bilko.io

---

### Usage Instructions

#### Placeholders to Replace

<table id="bkmrk-placeholderdescripti"><thead><tr><th>Placeholder</th><th>Description</th><th>Example</th></tr></thead><tbody><tr><td>`{{TENANT_NAME}}`</td><td>Organization name from Bilko database</td><td>"Acme Accounting d.o.o."</td></tr><tr><td>`{{DATE_PLUS_30_DAYS}}`</td><td>Effective date (30 days from send date)</td><td>"2026-06-07"</td></tr></tbody></table>

#### When to Send

This template should be sent:

1. **30 days before** enabling the archive feature for existing tenants
2. **30 days before** adding any new sub-processor to the archive pipeline
3. **30 days before** replacing an existing sub-processor

#### Sending Method

- **Email:** Send to organization owner's registered email address
- **In-app notification:** Display banner in Bilko UI with link to full notice
- **Audit log:** Record sending timestamp and recipient in Bilko's audit trail

---

**Company:** ALAI Holding AS (org.nr 932 516 136)  
**Contact:** dpa@alai.no | support@bilko.io