# DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature

⚠️ **DRAFT** — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

---

## Annex B: Sub-Processors for Bilko Archive Feature

This annex applies specifically to the Bilko product when the archive feature is enabled.

### B.1 Cloudflare R2 (Temporary Document Storage)

<table id="bkmrk-fielddetails-sub-pro"><thead><tr><th>Field</th><th>Details</th></tr></thead><tbody><tr><td><strong>Sub-processor</strong></td><td>Cloudflare, Inc.</td></tr><tr><td><strong>Address</strong></td><td>101 Townsend St, San Francisco, CA 94107, USA</td></tr><tr><td><strong>Contact</strong></td><td>privacyquestions@cloudflare.com</td></tr><tr><td><strong>Purpose</strong></td><td>Temporary staging of documents for archive pipeline</td></tr><tr><td><strong>Data Categories Processed</strong></td><td>Contracts (PDF), Invoices (PDF), Care Plans, Incident Reports, Onboarding Documents</td></tr><tr><td><strong>Categories of Data Subjects</strong></td><td>Bilko organization's customers, suppliers, patients (for care organizations)</td></tr><tr><td><strong>Geographic Location</strong></td><td>EU region (eu-west R2 storage bucket)</td></tr><tr><td><strong>Processing Duration</strong></td><td>Temporary (typically &lt; 5 minutes; documents deleted after successful transfer to Paperless-ngx)</td></tr><tr><td><strong>Safeguards</strong></td><td>EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture</td></tr><tr><td><strong>Sub-sub-processors</strong></td><td>See Cloudflare's DPA for complete list (https://www.cloudflare.com/cloudflare-customer-dpa/)</td></tr></tbody></table>

### B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)

<table id="bkmrk-fielddetails-sub-pro-1"><thead><tr><th>Field</th><th>Details</th></tr></thead><tbody><tr><td><strong>Sub-processor</strong></td><td>ALAI Holding AS (own infrastructure)</td></tr><tr><td><strong>Org.No</strong></td><td>932 516 136</td></tr><tr><td><strong>Address</strong></td><td>Tømmerrenna 1B, 2050 Jessheim, Norway</td></tr><tr><td><strong>Contact</strong></td><td>dpa@alai.no</td></tr><tr><td><strong>Purpose</strong></td><td>Long-term archive of business documents at archive.alai.no</td></tr><tr><td><strong>Data Categories Processed</strong></td><td>Same as Cloudflare R2 above</td></tr><tr><td><strong>Categories of Data Subjects</strong></td><td>Same as Cloudflare R2 above</td></tr><tr><td><strong>Geographic Location</strong></td><td>EU/EEA (Microsoft Azure Sweden Central region)</td></tr><tr><td><strong>Processing Duration</strong></td><td>Permanent archive per retention schedule:<br>• Financial documents: 7 years (accounting law RS/BA/HR)<br>• Care documents: 25 years (UK NHS standard, interim)</td></tr><tr><td><strong>Safeguards</strong></td><td>ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; Role-Based Access Control (RBAC); Paperless-ngx with OAuth2 authentication; Daily Azure backup with 30-day retention; Immutable audit trail in PostgreSQL</td></tr><tr><td><strong>Sub-sub-processors</strong></td><td>Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA)</td></tr></tbody></table>

### B.3 Data Flow for Archival

```
Bilko Backend (Cloud Run)
    ↓ (POST /archive)
Cloudflare R2 (eu-west bucket)
    ← [5-minute batch job]
Cloud Run Worker
    ↓ (HTTP POST to Paperless-ngx API)
ALAI Azure VM (archive.alai.no)
    → Permanent archive (7–25 years)
```

### B.4 Notice of Sub-Processor Changes

ALAI Holding AS commits to notifying the Data Controller **at least 30 days in advance** via email before:

- New sub-processors are added to the archive pipeline
- Existing sub-processors are replaced
- Geographic location of processing changes

The Data Controller may object within this period if the new sub-processor does not meet data protection requirements.

---

**Company:** ALAI Holding AS (org.nr 932 516 136)  
**DPA Contact:** dpa@alai.no