DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature
⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).
Annex B: Sub-Processors for Bilko Archive Feature
This annex applies specifically to the Bilko product when the archive feature is enabled.
B.1 Cloudflare R2 (Temporary Document Storage)
| Field | Details |
|---|---|
| Sub-processor | Cloudflare, Inc. |
| Address | 101 Townsend St, San Francisco, CA 94107, USA |
| Contact | privacyquestions@cloudflare.com |
| Purpose | Temporary staging of documents for archive pipeline |
| Data Categories Processed | Contracts (PDF), Invoices (PDF), Care Plans, Incident Reports, Onboarding Documents |
| Categories of Data Subjects | Bilko organization's customers, suppliers, patients (for care organizations) |
| Geographic Location | EU region (eu-west R2 storage bucket) |
| Processing Duration | Temporary (typically < 5 minutes; documents deleted after successful transfer to Paperless-ngx) |
| Safeguards | EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture |
| Sub-sub-processors | See Cloudflare's DPA for complete list (https://www.cloudflare.com/cloudflare-customer-dpa/) |
B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)
| Field | Details |
|---|---|
| Sub-processor | ALAI Holding AS (own infrastructure) |
| Org.No | 932 516 136 |
| Address | Tømmerrenna 1B, 2050 Jessheim, Norway |
| Contact | dpa@alai.no |
| Purpose | Long-term archive of business documents at archive.alai.no |
| Data Categories Processed | Same as Cloudflare R2 above |
| Categories of Data Subjects | Same as Cloudflare R2 above |
| Geographic Location | EU/EEA (Microsoft Azure Sweden Central region) |
| Processing Duration | Permanent archive per retention schedule: • Financial documents: 7 years (accounting law RS/BA/HR) • Care documents: 25 years (UK NHS standard, interim) |
| Safeguards | ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; Role-Based Access Control (RBAC); Paperless-ngx with OAuth2 authentication; Daily Azure backup with 30-day retention; Immutable audit trail in PostgreSQL |
| Sub-sub-processors | Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA) |
B.3 Data Flow for Archival
Bilko Backend (Cloud Run)
↓ (POST /archive)
Cloudflare R2 (eu-west bucket)
← [5-minute batch job]
Cloud Run Worker
↓ (HTTP POST to Paperless-ngx API)
ALAI Azure VM (archive.alai.no)
→ Permanent archive (7–25 years)
B.4 Notice of Sub-Processor Changes
ALAI Holding AS commits to notifying the Data Controller at least 30 days in advance via email before:
- New sub-processors are added to the archive pipeline
- Existing sub-processors are replaced
- Geographic location of processing changes
The Data Controller may object within this period if the new sub-processor does not meet data protection requirements.
Company: ALAI Holding AS (org.nr 932 516 136)
DPA Contact: dpa@alai.no