# Bilko Terms of Service (with Sub-Processor disclosure GDPR Art. 28(4))

⚠️ **DRAFT** — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

---

## Table of Contents

1. [Acceptance of Terms](#bkmrk-1.-acceptance-of-ter)
2. [Definitions](#2-definitions)
3. [Description of Service](#3-description-of-service)
4. [Account Terms](#4-account-terms)
5. [Subscription and Billing](#5-subscription-and-billing)
6. [Acceptable Use](#6-acceptable-use)
7. [Data Handling and Privacy](#7-data-handling-and-privacy)
8. [Intellectual Property](#8-intellectual-property)
9. [Warranties and Disclaimers](#9-warranties-and-disclaimers)
10. [Limitation of Liability](#10-limitation-of-liability)
11. [Indemnification](#11-indemnification)
12. [Term and Termination](#12-term-and-termination)
13. [Service Availability and Changes](#13-service-availability-and-changes)
14. [Governing Law and Dispute Resolution](#14-governing-law-and-dispute-resolution)
15. [General Provisions](#15-general-provisions)
16. [Sub-Processors (GDPR Art. 28(4))](#bkmrk-16.-sub-processors-%28)
17. [Contact](#17-contact)

---

## 1. Acceptance of Terms

By registering for, accessing, or using the Bilko platform (the "Service") available at **app.bilko.io**, you ("Customer" or "you") agree to be bound by these Terms of Service ("Terms"). If you are accepting these Terms on behalf of a legal entity (a company, partnership, or other organization), you represent that you have the authority to bind that entity to these Terms.

**If you do not agree to these Terms, you must not use the Service.**

These Terms form a binding legal agreement between you and **ALAI Holding AS** (org.nr 932 516 136), a company incorporated in Norway, trading as Bilko ("Bilko", "we", "our", or "us").

## 16. Sub-Processors (GDPR Art. 28(4))

Bilko uses the following sub-processors to provide the Service:

### 16.1 Document Archive Pipeline

When you enable the document archival feature, Bilko processes certain document types through the following sub-processors:

<table id="bkmrk-sub-processor-legal-"><thead><tr><th>Sub-Processor</th><th>Legal Entity</th><th>Purpose</th><th>Data Categories</th><th>Geographic Location</th><th>Safeguards</th></tr></thead><tbody><tr><td>**Cloudflare R2**</td><td>Cloudflare, Inc., USA</td><td>Temporary document staging for archive pipeline</td><td>Contract PDFs, invoices, care plans, incident reports, onboarding documents</td><td>EU region (eu-west storage bucket)</td><td>Standard Contractual Clauses (SCCs) per Cloudflare's published DPA</td></tr><tr><td>**ALAI Azure VM (Paperless-ngx)**</td><td>ALAI Holding AS (org.nr 932 516 136), Norway</td><td>Long-term document archive at archive.alai.no</td><td>Same document categories as above</td><td>EU/EEA (Microsoft Azure Sweden Central region)</td><td>ALAI Data Processing Agreement + Azure Standard Contractual Clauses</td></tr></tbody></table>

### 16.2 Document Flow and Retention

**Document types processed:**

- Contracts and agreements
- Invoices (issued and received)
- Care plans (for care organizations)
- Incident reports
- Onboarding documents

**Processing flow:**

1. Documents are written to Cloudflare R2 staging bucket (temporary storage, typically &lt; 5 minutes)
2. Cloud Run worker uploads documents to Paperless-ngx archive every 5 minutes
3. Documents are retained in archive per retention schedule (see Section 7.4)

**Retention by document class (interim defaults, subject to legal review):**

- Financial documents (invoices, contracts): 7 years (Serbian, BiH, Croatian accounting law)
- Care-related documents (care plans, incident reports): 25 years (UK NHS standard, pending Balkan legal review)

### 16.3 Sub-Processor Change Notification

Bilko will provide **30 days' advance written notice** via email before adding or replacing any sub-processor. You have the right to object to a new sub-processor within the notice period. If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.

Bilko maintains an up-to-date list of sub-processors at **bilko.io/sub-processors** (to be published).

### 16.4 GDPR Compliance Reference

This sub-processor disclosure complies with GDPR Article 28(4), which requires the data controller (you) to authorize the data processor (Bilko) to engage sub-processors. By accepting these Terms, you provide such authorization for the sub-processors listed above.

---

**Company:** ALAI Holding AS (org.nr 932 516 136)  
**Contact:** support@bilko.io | legal@bilko.io | privacy@bilko.io | dpa@alai.no
Sub-Processor	Legal Entity	Purpose	Data Categories	Geographic Location	Safeguards
Cloudflare R2	Cloudflare, Inc., USA	Temporary document staging for archive pipeline	Contract PDFs, invoices, care plans, incident reports, onboarding documents	EU region (eu-west storage bucket)	Standard Contractual Clauses (SCCs) per Cloudflare's published DPA
ALAI Azure VM (Paperless-ngx)	ALAI Holding AS (org.nr 932 516 136), Norway	Long-term document archive at archive.alai.no	Same document categories as above	EU/EEA (Microsoft Azure Sweden Central region)	ALAI Data Processing Agreement + Azure Standard Contractual Clauses