Legal & Compliance

Bilko Terms of Service (with Sub-Processor disclosure GDPR Art. 28(4))

⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

Table of Contents
1. Acceptance of Terms
2. Definitions
3. Description of Service
4. Account Terms
5. Subscription and Billing
6. Acceptable Use
7. Data Handling and Privacy
8. Intellectual Property
9. Warranties and Disclaimers
10. Limitation of Liability
11. Indemnification
12. Term and Termination
13. Service Availability and Changes
14. Governing Law and Dispute Resolution
15. General Provisions
16. Sub-Processors (GDPR Art. 28(4))
17. Contact

1. Acceptance of Terms

By registering for, accessing, or using the Bilko platform (the "Service") available at app.bilko.io, you ("Customer" or "you") agree to be bound by these Terms of Service ("Terms"). If you are accepting these Terms on behalf of a legal entity (a company, partnership, or other organization), you represent that you have the authority to bind that entity to these Terms. If you do not agree to these Terms, you must not use the Service.

These Terms form a binding legal agreement between you and ALAI Holding AS (org.nr 932 516 136), a company incorporated in Norway, trading as Bilko ("Bilko", "we", "our", or "us").

16. Sub-Processors (GDPR Art. 28(4))

Bilko uses the following sub-processors to provide the Service:

16.1 Document Archive Pipeline

When you enable the document archival feature, Bilko processes certain document types through the following sub-processors:

Sub-Processor: Cloudflare R2
  Legal Entity: Cloudflare, Inc., USA
  Purpose: Temporary document staging for archive pipeline
  Data Categories: Contract PDFs, invoices, care plans, incident reports, onboarding documents
  Geographic Location: EU region (eu-west storage bucket)
  Safeguards: Standard Contractual Clauses (SCCs) per Cloudflare's published DPA

Sub-Processor: ALAI Azure VM (Paperless-ngx)
  Legal Entity: ALAI Holding AS (org.nr 932 516 136), Norway
  Purpose: Long-term document archive at archive.alai.no
  Data Categories: Same document categories as above
  Geographic Location: EU/EEA (Microsoft Azure Sweden Central region)
  Safeguards: ALAI Data Processing Agreement + Azure Standard Contractual Clauses

16.2 Document Flow and Retention

Document types processed:
• Contracts and agreements
• Invoices (issued and received)
• Care plans (for care organizations)
• Incident reports
• Onboarding documents

Processing flow:
1. Documents are written to the Cloudflare R2 staging bucket (temporary storage, typically < 5 minutes).
2. A Cloud Run worker uploads documents to the Paperless-ngx archive every 5 minutes.
3. Documents are retained in the archive per the retention schedule (see Section 7.4).

Retention by document class (interim defaults, subject to legal review):
• Financial documents (invoices, contracts): 7 years (Serbian, BiH, Croatian accounting law)
• Care-related documents (care plans, incident reports): 25 years (UK NHS standard, pending Balkan legal review)

16.3 Sub-Processor Change Notification

Bilko will provide 30 days' advance written notice via email before adding or replacing any sub-processor. You have the right to object to a new sub-processor within the notice period. If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.

Bilko maintains an up-to-date list of sub-processors at bilko.io/sub-processors (to be published).
16.4 GDPR Compliance Reference

This sub-processor disclosure complies with GDPR Article 28(4), which requires the data controller (you) to authorize the data processor (Bilko) to engage sub-processors. By accepting these Terms, you provide such authorization for the sub-processors listed above.

Company: ALAI Holding AS (org.nr 932 516 136)
Contact: support@bilko.io | legal@bilko.io | privacy@bilko.io | dpa@alai.no

Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)

Table of Contents
1. Introduction and Data Controller
2. Scope and Applicability
3. Legal Framework
4. Data We Collect
5. Legal Basis for Processing
6. How We Use Your Data
7. Data Retention Periods
8. Data Sharing and Third-Party Processors
9. Cross-Border Data Transfers
10. Your Rights as a Data Subject

1. Introduction and Data Controller

Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by ALAI Holding AS (org.nr 932 516 136), a company registered in Norway.

Data Protection Officer (DPO):
  DPO name: Alem Bašić
  DPO contact: alem@alai.no
  Phone: +47 40 47 42 51
  Company: ALAI Holding AS (org.nr 932 516 136)
  Role: Responsible for data protection compliance across all three jurisdictions
  Appointed: 2026-03-02

8. Data Sharing and Third-Party Processors

Bilko shares your data only with the following categories of third parties, all of whom are bound by Data Processing Agreements (DPAs):

8.1 Document Archive Sub-Processors

When you enable the document archival feature in Bilko, the following additional sub-processors are used:

Sub-Processor: Cloudflare R2 (Cloudflare, Inc., USA)
  Purpose: Temporary staging for archive pipeline
  Data Categories: Contract PDFs, invoices, care plans, incident reports, onboarding documents
  Location: EU region (eu-west bucket)
  Safeguards: Standard Contractual Clauses (SCCs)

Sub-Processor: ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway)
  Purpose: Long-term document archive at archive.alai.no
  Data Categories: Same categories as above
  Location: EU/EEA (Microsoft Azure Sweden Central region)
  Safeguards: ALAI DPA + Azure SCCs

How document archival works:
1. Upload: When you mark a document for archival in Bilko (contracts, invoices, care plans, incident reports, onboarding documents), Bilko's backend writes the document to a Cloudflare R2 staging bucket in the EU region.
2. Transfer: Every 5 minutes, a Cloud Run worker retrieves documents from R2 and uploads them to Paperless-ngx, a document management system hosted on ALAI's Azure VM (archive.alai.no) located in the Azure Sweden Central region (EU/EEA).
3. Retention: Documents are retained in the archive according to the following schedule:
   • Financial documents (invoices, contracts): 7 years (Serbian Zakon o računovodstvu, BiH accounting law, Croatian Zakon o računovodstvu)
   • Care-related documents (care plans, incident reports): 25 years (UK NHS retention standard; pending Balkan legal review for care organizations)
4. Deletion: Documents are automatically deleted from Cloudflare R2 after successful upload to Paperless-ngx (typically within 5 minutes). Documents remain in Paperless-ngx for the retention period specified above.

Your rights regarding sub-processors (GDPR Art. 28(4)): You will receive 30 days' advance notice via email before Bilko adds or replaces any sub-processor. You have the right to object to a new sub-processor within the notice period. If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty. Contact dpa@alai.no to exercise this right.

This disclosure complies with GDPR Article 28(4), Serbian ZZPL Art. 31(4), and BiH ZZLP equivalent provisions.

Company: ALAI Holding AS (org.nr 932 516 136)
Privacy Contact: privacy@bilko.io | DPO: alem@alai.no | DPA: dpa@alai.no

DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature

Annex B: Sub-Processors for Bilko Archive Feature

This annex applies specifically to the Bilko product when the archive feature is enabled.

B.1 Cloudflare R2 (Temporary Document Storage)
  Sub-processor: Cloudflare, Inc.
  Address: 101 Townsend St, San Francisco, CA 94107, USA
  Contact: privacyquestions@cloudflare.com
  Purpose: Temporary staging of documents for archive pipeline
  Data Categories Processed: Contracts (PDF), Invoices (PDF), Care Plans, Incident Reports, Onboarding Documents
  Categories of Data Subjects: Bilko organization's customers, suppliers, patients (for care organizations)
  Geographic Location: EU region (eu-west R2 storage bucket)
  Processing Duration: Temporary (typically < 5 minutes; documents deleted after successful transfer to Paperless-ngx)
  Safeguards: EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture
  Sub-sub-processors: See Cloudflare's DPA for complete list (https://www.cloudflare.com/cloudflare-customer-dpa/)

B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)
  Sub-processor: ALAI Holding AS (own infrastructure)
  Org.No: 932 516 136
  Address: Tømmerrenna 1B, 2050 Jessheim, Norway
  Contact: dpa@alai.no
  Purpose: Long-term archive of business documents at archive.alai.no
  Data Categories Processed: Same as Cloudflare R2 above
  Categories of Data Subjects: Same as Cloudflare R2 above
  Geographic Location: EU/EEA (Microsoft Azure Sweden Central region)
  Processing Duration: Permanent archive per retention schedule:
    • Financial documents: 7 years (accounting law RS/BA/HR)
    • Care documents: 25 years (UK NHS standard, interim)
  Safeguards: ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; Role-Based Access Control (RBAC); Paperless-ngx with OAuth2 authentication; Daily Azure backup with 30-day retention; Immutable audit trail in PostgreSQL
  Sub-sub-processors: Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA)

B.3 Data Flow for Archival

  Bilko Backend (Cloud Run)
    ↓ (POST /archive)
  Cloudflare R2 (eu-west bucket)
    ← [5-minute batch job] Cloud Run Worker
    ↓ (HTTP POST to Paperless-ngx API)
  ALAI Azure VM (archive.alai.no)
    → Permanent archive (7–25 years)

B.4 Notice of Sub-Processor Changes

ALAI Holding AS commits to notifying the Data Controller at least 30 days in advance via email before:
• New sub-processors are added to the archive pipeline
• Existing sub-processors are replaced
• Geographic location of processing changes

The Data Controller may object within this period if the new sub-processor does not meet data protection requirements.

Company: ALAI Holding AS (org.nr 932 516 136)
DPA Contact: dpa@alai.no

Sub-Processor Notification Email Template (Bilko)

Version: 1.0
Last Updated: 2026-05-08
Purpose: Notify Bilko tenants of new sub-processors per GDPR Art. 28(4)
Language: English (Norwegian translation below)

Email Template — English

Subject: Bilko Sub-Processor Update — Effective {{DATE_PLUS_30_DAYS}}

Dear {{TENANT_NAME}},

We are writing to inform you of changes to our sub-processor list for the Bilko accounting platform, in accordance with our Data Processing Agreement (DPA) and GDPR Article 28(4).
New Sub-Processors

Effective {{DATE_PLUS_30_DAYS}}, Bilko will use the following sub-processors for the document archival feature:

Sub-Processor: Cloudflare R2 (Cloudflare, Inc., USA)
  Purpose: Temporary staging for archive pipeline
  Data Categories: Contract PDFs, invoices, care plans, incident reports, onboarding documents
  Geographic Location: EU region (eu-west storage bucket)
  Safeguards: Standard Contractual Clauses (SCCs) per Cloudflare's published DPA

Sub-Processor: ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway)
  Purpose: Long-term document archive at archive.alai.no
  Data Categories: Same categories as above
  Geographic Location: EU/EEA (Microsoft Azure Sweden Central region)
  Safeguards: ALAI DPA + Azure Standard Contractual Clauses

What This Means for You

If you have enabled the document archival feature in Bilko, documents you mark for archival (contracts, invoices, care plans, incident reports, onboarding documents) will be processed through these sub-processors.

Data flow: Documents are temporarily staged in Cloudflare R2 (typically < 5 minutes), then transferred to ALAI's Paperless-ngx archive system hosted on Microsoft Azure (Sweden Central region).
Retention: Financial documents are retained for 7 years; care-related documents for 25 years (per applicable accounting and care regulations).
Security: All sub-processors are bound by Data Processing Agreements and Standard Contractual Clauses. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).

Your Right to Object

Under GDPR Article 28(4), you have the right to object to the use of these sub-processors within 30 days of receiving this notice. If you object:
• Send your objection in writing to dpa@alai.no by {{DATE_PLUS_30_DAYS}}.
• We will work with you to find an alternative solution or, if not possible, allow you to terminate your Bilko subscription without penalty.

If you do not object by {{DATE_PLUS_30_DAYS}}, this will constitute your consent to the use of these sub-processors.

30-Day Advance Notice

This notice is provided 30 days in advance of the effective date ({{DATE_PLUS_30_DAYS}}) in accordance with our DPA Section 3.4 and your Terms of Service Section 16.3.

Questions or Concerns

If you have any questions about these sub-processors or our data processing practices, please contact:
• Data Protection Officer: Alem Bašić — alem@alai.no — +47 40 47 42 51
• DPA Inquiries: dpa@alai.no
• General Support: support@bilko.io

Company Information
ALAI Holding AS
Org.nr: 932 516 136
Address: Tømmerrenna 1B, 2050 Jessheim, Norway
Email: dpa@alai.no
Website: https://bilko.io

We appreciate your trust in Bilko and remain committed to protecting your data in accordance with the highest standards of data protection law.

Best regards,
The Bilko Team
ALAI Holding AS

Email Template — Norwegian (Norwegian translation — DRAFT)

Subject: Bilko sub-processor update — Effective {{DATE_PLUS_30_DAYS}}

Dear {{TENANT_NAME}},

We are writing to inform you of changes to our list of sub-processors for the Bilko accounting platform, in accordance with our Data Processing Agreement (DPA) and GDPR Article 28(4).

New sub-processors

With effect from {{DATE_PLUS_30_DAYS}}, Bilko will use the following sub-processors for the document archive feature:

Sub-processor: Cloudflare R2 (Cloudflare, Inc., USA)
  Purpose: Temporary staging for archive pipeline
  Data categories: Contracts (PDF), invoices, care plans, incident reports, onboarding documents
  Geographic location: EU region (eu-west storage bucket)
  Security measures: Standard Contractual Clauses (SCC) per Cloudflare's published DPA

Sub-processor: ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway)
  Purpose: Long-term archive at archive.alai.no
  Data categories: Same categories as above
  Geographic location: EU/EEA (Microsoft Azure Sweden Central region)
  Security measures: ALAI DPA + Azure Standard Contractual Clauses

Company info: ALAI Holding AS (org.nr 932 516 136) • dpa@alai.no • https://bilko.io

Usage Instructions

Placeholders to Replace
  {{TENANT_NAME}}: Organization name from Bilko database (example: "Acme Accounting d.o.o.")
  {{DATE_PLUS_30_DAYS}}: Effective date (30 days from send date) (example: "2026-06-07")

When to Send
This template should be sent:
• 30 days before enabling the archive feature for existing tenants
• 30 days before adding any new sub-processor to the archive pipeline
• 30 days before replacing an existing sub-processor

Sending Method
• Email: Send to organization owner's registered email address
• In-app notification: Display banner in Bilko UI with link to full notice
• Audit log: Record sending timestamp and recipient in Bilko's audit trail

Company: ALAI Holding AS (org.nr 932 516 136)
Contact: dpa@alai.no | support@bilko.io
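One way to mechanise the "Placeholders to Replace" and "Audit log" steps above, as an added example that is not Bilko's or ALAI's own code: it derives DATE_PLUS_30_DAYS from the send date, fills the template, refuses to produce a notice in which any {{PLACEHOLDER}} survives (a misspelled key would otherwise reach the tenant), and builds an audit record whose field names are an assumption.

```python
"""Render the Bilko sub-processor notice and check it before sending.

Added example; assumes the two placeholders the template names, the 30-day
period from ToS Section 16.3, and a hypothetical audit-trail entry shape.
"""
from datetime import date, timedelta
import re

NOTICE_DAYS = 30  # ToS 16.3 / DPA 3.4: 30 days' advance written notice
PLACEHOLDER = re.compile(r"\{\{[A-Z_]+\}\}")  # anything still shaped like {{KEY}}

SUBJECT_TEMPLATE = "Bilko Sub-Processor Update — Effective {{DATE_PLUS_30_DAYS}}"
BODY_TEMPLATE = (  # abridged; the full text is the English template above
    "Dear {{TENANT_NAME}},\n"
    "Send your objection in writing to dpa@alai.no by {{DATE_PLUS_30_DAYS}}.\n"
)

def effective_date(send_date_iso: str, notice_days: int = NOTICE_DAYS) -> str:
    """Effective date = send date + notice period, as YYYY-MM-DD."""
    return (date.fromisoformat(send_date_iso) + timedelta(days=notice_days)).isoformat()

def render(template: str, values: dict) -> str:
    """Substitute every {{KEY}}; refuse to return text with any placeholder left."""
    out = template
    for key, val in values.items():
        out = out.replace("{{" + key + "}}", val)
    leftover = PLACEHOLDER.findall(out)
    if leftover:  # a misspelled or missing key would otherwise reach the tenant
        raise ValueError(f"unfilled placeholders: {leftover}")
    return out

def build_notice(tenant_name: str, send_date_iso: str) -> dict:
    """Return subject, body and a constructed audit-log entry for one tenant."""
    eff = effective_date(send_date_iso)
    values = {"TENANT_NAME": tenant_name, "DATE_PLUS_30_DAYS": eff}
    audit = {  # hypothetical entry for the 'Audit log' sending method above
        "event": "subprocessor_notice_sent",
        "tenant": tenant_name,
        "sent_on": send_date_iso,
        "effective_on": eff,
        "objection_deadline": eff,  # objections must arrive by the effective date
    }
    return {
        "subject": render(SUBJECT_TEMPLATE, values),
        "body": render(BODY_TEMPLATE, values),
        "audit": audit,
    }
```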