DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature

⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

Annex B: Sub-Processors for Bilko Archive Feature

This annex applies specifically to the Bilko product when the archive feature is enabled.

B.1 Cloudflare R2 (Temporary Document Storage)

| Field | Details |
|---|---|
| Sub-processor | Cloudflare, Inc. |
| Address | 101 Townsend St, San Francisco, CA 94107, USA |
| Contact | privacyquestions@cloudflare.com |
| Purpose | Temporary staging of documents for archive pipeline |
| Data Categories Processed | Contracts (PDF), Invoices (PDF), Care Plans, Incident Reports, Onboarding Documents |
| Categories of Data Subjects | Bilko organization's customers, suppliers, patients (for care organizations) |
| Geographic Location | EU region (eu-west R2 storage bucket) |
| Processing Duration | Temporary (typically < 5 minutes; documents deleted after successful transfer to Paperless-ngx) |
| Safeguards | EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture |
| Sub-sub-processors | See Cloudflare's DPA for complete list (https://www.cloudflare.com/cloudflare-customer-dpa/) |

B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)

| Field | Details |
|---|---|
| Sub-processor | ALAI Holding AS (own infrastructure) |
| Org.No | 932 516 136 |
| Address | Tømmerrenna 1B, 2050 Jessheim, Norway |
| Contact | dpa@alai.no |
| Purpose | Long-term archive of business documents at archive.alai.no |
| Data Categories Processed | Same as Cloudflare R2 above |
| Categories of Data Subjects | Same as Cloudflare R2 above |
| Geographic Location | EU/EEA (Microsoft Azure Sweden Central region) |
| Processing Duration | Permanent archive per retention schedule: • Financial documents: 7 years (accounting law RS/BA/HR) • Care documents: 25 years (UK NHS standard, interim) |
| Safeguards | ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; Role-Based Access Control (RBAC); Paperless-ngx with OAuth2 authentication; Daily Azure backup with 30-day retention; Immutable audit trail in PostgreSQL |
| Sub-sub-processors | Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA) |

B.3 Data Flow for Archival

Bilko Backend (Cloud Run)
    ↓ (POST /archive)
Cloudflare R2 (eu-west bucket)
    ← [5-minute batch job] Cloud Run Worker
    ↓ (HTTP POST to Paperless-ngx API)
ALAI Azure VM (archive.alai.no)
    → Permanent archive (7–25 years)

B.4 Notice of Sub-Processor Changes

ALAI Holding AS commits to notifying the Data Controller at least 30 days in advance via email before:

• New sub-processors are added to the archive pipeline
• Existing sub-processors are replaced
• Geographic location of processing changes

The Data Controller may object within this period if the new sub-processor does not meet data protection requirements.

Company: ALAI Holding AS (org.nr 932 516 136)
DPA Contact: dpa@alai.no