Bilko — Legal Pack
Legal documents, GDPR compliance, and sub-processor disclosures for Bilko (Balkan Accounting SaaS). MC #100045 (2026-05-08).
- Bilko Terms of Service — Section 16 Sub-Processors (GDPR Art. 28(4))
- Bilko Privacy Notice — Section 8.1 Document Archive Sub-Processors
- DPA Template — Annex B: Sub-Processors for Bilko Archive Feature
- Sub-Processor Notification Email Template (Bilko)
Bilko Terms of Service — Section 16 Sub-Processors (GDPR Art. 28(4))
MC: #100045 | Date: 2026-05-08
Draft Status: Pending final legal review and translations (per Lexicon S1-S4)
Corrections Applied: Org.nr 932 516 136 (corrected from hallucinated 933 534 262), Azure Sweden Central (corrected from Norway East)
Terms of Service
Project: Bilko — Balkan Accounting SaaS
Company: ALAI Holding AS (org.nr 932 516 136)
Version: 1.0
Last Updated: 2026-03-07
Author: ALAI Documentation Team
Status: DRAFT — Pending Legal Review
Reviewers: Legal Counsel (RS, BA, HR), CEO
Classification: Internal Draft (not for public use until legal sign-off)
Table of Contents
- Acceptance of Terms
- Definitions
- Description of Service
- Account Terms
- Subscription and Billing
- Acceptable Use
- Data Handling and Privacy
- Intellectual Property
- Warranties and Disclaimers
- Limitation of Liability
- Indemnification
- Term and Termination
- Service Availability and Changes
- Governing Law and Dispute Resolution
- General Provisions
- Contact
1. Acceptance of Terms
By registering for, accessing, or using the Bilko platform (the "Service") available at app.bilko.io, you ("Customer" or "you") agree to be bound by these Terms of Service ("Terms"). If you are accepting these Terms on behalf of a legal entity (a company, partnership, or other organization), you represent that you have the authority to bind that entity to these Terms.
If you do not agree to these Terms, you must not use the Service.
These Terms form a binding legal agreement between you and ALAI Holding AS (org.nr 932 516 136), a company incorporated in Norway, trading as Bilko ("Bilko", "we", "our", or "us").
By clicking "Create Account", "Start Free Trial", or similar acceptance mechanism, or by using the Service after any update to these Terms, you confirm your acceptance.
⚠️ LEGAL REVIEW REQUIRED: Confirm whether Norwegian law governs this contract, or whether Serbian, BiH, or Croatian law should govern for users in those jurisdictions (see Section 14). Consider whether click-wrap acceptance is sufficient under each jurisdiction's contract law (Serbian Zakon o obligacionim odnosima, BiH equivalent, Croatian Zakon o obveznim odnosima).
2. Definitions
| Term | Meaning |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| Service | The Bilko cloud accounting platform, including the web application at app.bilko.io, the API, and all features therein |
| Account | A registered Bilko account belonging to an Organization |
| Organization | A legal entity or individual registered on Bilko for accounting purposes |
| Authorized User | A person granted access to an Organization's Bilko account (owner, admin, accountant, or viewer) |
| Customer Data | All data submitted by Authorized Users into the Service, including invoices, expenses, contacts, financial records, and tax identification numbers |
| Subscription Plan | The paid tier under which the Service is provided, as described on bilko.io/pricing |
| Billing Period | The monthly or annual period for which a Subscription Plan is purchased |
| Trial Period | A limited-period free access to the Service, as offered by Bilko at its discretion |
| Content | All text, data, software, functionality, graphics, and other materials provided by Bilko as part of the Service |
3. Description of Service
Bilko is a cloud-based accounting and invoicing platform designed for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. The Service includes:
- Double-entry bookkeeping with Balkan-standard chart of accounts (Serbian, FBiH, RS entity, and Croatian formats)
- Invoice creation and management — PDF generation, email delivery, status tracking
- E-invoice submission — SEF integration for Serbia (B2B mandatory since 2023); HR-FISK integration for Croatia (Phase 2)
- VAT/PDV calculation — Serbia (20%/10%/0%), BiH (17%/0%), Croatia (25%/13%/5%/0%)
- Expense tracking — with receipt storage and approval workflow
- Bank reconciliation — CSV import of bank statements
- Financial reporting — P&L, Balance Sheet, Cash Flow, VAT reports
- Multi-currency support — EUR, RSD, BAM, and other currencies with exchange rate locking
- Multi-user collaboration — Role-based access control (owner, admin, accountant, viewer)
- Data export — JSON, CSV, and compliance formats for tax authority filing
4. Account Terms
4.1 Registration
To use the Service, you must:
- Register and create an Organization account
- Provide accurate, complete, and current information
- Maintain and promptly update your account information when it changes
4.2 Account Security
You are responsible for:
- Maintaining the confidentiality of your account credentials
- All activities that occur under your account
- Immediately notifying Bilko of any unauthorized use at security@bilko.io
4.3 Account Roles
The Organization owner controls access. Users may be granted one of four roles:
- Owner — Full control, including billing and account deletion
- Admin — All features except billing and certain account settings
- Accountant — Can create and manage financial records; cannot delete
- Viewer — Read-only access
4.4 One Organization Per Subscription
Each Subscription Plan covers one (1) Organization. Accountants managing multiple clients must purchase a separate subscription per client organization, or use a multi-organization plan if offered.
⚠️ LEGAL REVIEW REQUIRED: Determine whether multi-organization accountant accounts require specific terms under Serbian/BiH/Croatian professional accounting regulations.
5. Subscription and Billing
5.1 Subscription Plans
Bilko offers paid Subscription Plans as published at bilko.io/pricing. All plans are billed in EUR. By subscribing to a paid plan, you authorize Bilko to charge your payment method for the applicable fees.
⚠️ LEGAL REVIEW REQUIRED: Confirm pricing strategy and all plan tiers. Confirm whether local currency (RSD for Serbia, BAM for BiH) invoicing is required under local consumer/business protection law.
5.2 Free Trial
Bilko may offer a free trial period at its discretion. At the end of the trial, your account will require a paid subscription to continue. Bilko will notify you before the trial ends.
5.3 Billing Cycle
- Monthly plans: billed on the same calendar day each month
- Annual plans: billed once per year; a proportional refund may be offered for cancellations (see Section 5.6)
- Billing date may shift by up to 1 day due to calendar month-end variations
5.4 Payment Methods
Bilko accepts payment methods as listed at checkout. You must provide a valid payment method and maintain it current. Bilko uses a PCI-compliant payment processor — your card data is never stored on Bilko servers.
⚠️ LEGAL REVIEW REQUIRED: Confirm payment processor (Stripe, Paddle, or other), confirm PCI-DSS scope, and ensure payment terms comply with Serbian Law on Payment Services (Zakon o platnim uslugama), BiH payment law, and Croatian payment law.
5.5 Late Payment
If payment fails, Bilko will:
- Retry payment up to 3 times over 7 days
- Send email notifications at each failure
- Suspend the account after 14 days of non-payment (read-only access preserved)
- Terminate the account after 30 days of non-payment, with data export offered
5.6 Cancellation and Refunds
- Monthly plans: You may cancel at any time. Cancellation takes effect at the end of the current Billing Period. No refunds are issued for partial months.
- Annual plans: Cancellation within 14 days of purchase qualifies for a full refund. After 14 days, a pro-rated refund for remaining full months may be provided at Bilko's discretion.
- Legal minimum: To the extent mandatory consumer protection law in your jurisdiction requires different refund terms, those terms apply.
⚠️ LEGAL REVIEW REQUIRED: Confirm refund obligations under Serbian Zakon o zaštiti potrošača, BiH equivalent, and Croatian Zakon o zaštiti potrošača. Determine whether B2B SaaS customers are covered by consumer protection or only commercial contract law in each jurisdiction.
5.7 Price Changes
Bilko may change Subscription Plan pricing with 30 days' written notice. If you do not cancel before the new pricing takes effect, you accept the new pricing.
5.8 Taxes
All prices are exclusive of applicable value-added tax (VAT/PDV). Bilko will add applicable VAT/PDV to invoices where legally required. You are responsible for any additional taxes applicable in your jurisdiction.
6. Acceptable Use
6.1 Permitted Use
You may use the Service only for lawful business accounting purposes within your registered Organization, in accordance with applicable law in your jurisdiction.
6.2 Prohibited Activities
You must not:
- Use the Service to commit fraud, tax evasion, or money laundering
- Enter false, fabricated, or fraudulent financial records or invoice data
- Attempt to gain unauthorized access to other organizations' data
- Reverse-engineer, decompile, or disassemble any part of the Service
- Use the Service to process data belonging to a different legal entity without authorization
- Attempt to circumvent the multi-tenancy isolation measures
- Use automated scrapers, bots, or scripts against the Service without prior written consent from Bilko
- Resell or sublicense the Service without a separate reseller agreement
6.3 Compliance with Local Law
You are responsible for ensuring that your use of Bilko complies with all applicable local laws, including:
- Tax filing obligations (Serbian Poreska uprava, BiH UIO, Croatian Porezna uprava)
- E-invoicing mandates (SEF for Serbia, HR-FISK/FINA for Croatia)
- Accounting record requirements
- Data protection obligations for data you enter about your clients
7. Data Handling and Privacy
7.1 Your Data
All Customer Data you enter into Bilko remains your property. Bilko processes Customer Data solely to provide and improve the Service.
7.2 Data Processing Agreement
By accepting these Terms, you also enter into a Data Processing Agreement (DPA) with Bilko, incorporated by reference, governing the processing of personal data within Customer Data. The DPA is available at bilko.io/dpa.
⚠️ LEGAL REVIEW REQUIRED: Draft and publish the Data Processing Agreement separately. The DPA must meet requirements of GDPR Art. 28 (for Croatian users), ZZPL Art. 45 (for Serbian users), and ZZLP BiH equivalents.
7.3 Privacy Policy
Bilko's Privacy Policy (available at bilko.io/privacy) is incorporated into these Terms by reference. It describes what personal data Bilko collects about you and your Authorized Users, and how it is processed.
7.4 Data Retention
Bilko retains financial data in accordance with mandatory accounting and tax retention periods:
- Serbia: 10 years (Zakon o računovodstvu)
- Bosnia & Herzegovina: 10–11 years (depending on entity)
- Croatia: 11 years (Zakon o računovodstvu)
7.5 Data Export
You may export all your Customer Data in JSON and CSV formats at any time through the Bilko interface. We will also provide your data upon account termination via a one-time export link, valid for 30 days.
8. Intellectual Property
8.1 Bilko's IP
The Service, including its software, design, features, documentation, branding ("Bilko", logo, color system), and all associated intellectual property, is owned by ALAI Holding AS (org.nr 932 516 136) or its licensors and is protected under applicable intellectual property laws. These Terms do not grant you any ownership rights in the Service.
You receive a limited, non-exclusive, non-transferable, revocable license to use the Service during your Subscription.
8.2 Your Data
You retain all ownership rights to Customer Data. You grant Bilko a limited license to store, process, and transmit Customer Data solely to provide the Service.
8.3 Feedback
If you provide feedback, suggestions, or ideas about the Service, you grant Bilko a perpetual, royalty-free license to use that feedback without compensation or attribution.
9. Warranties and Disclaimers
9.1 Bilko's Warranty
Bilko warrants that:
- The Service will materially conform to the documentation at bilko.io/docs during the Subscription
- Bilko will implement commercially reasonable security measures as described in its Security documentation
9.2 Disclaimers
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" TO THE MAXIMUM EXTENT PERMITTED BY LAW. Bilko specifically disclaims:
- No accounting or tax advice: Bilko is software, not an accountant or tax advisor. Bilko provides tools to help you create compliant records, but you are responsible for the accuracy of your data and for complying with all tax obligations. Consult a qualified accountant or tax advisor.
- No guarantee of regulatory compliance: While Bilko is designed for compliance with Serbian, BiH, and Croatian accounting law, regulations change frequently. Bilko will make reasonable efforts to update the Service but cannot guarantee compliance at all times.
- No uptime guarantee for e-government portals: Bilko's SEF and HR-FISK integrations depend on Serbian and Croatian government portal availability. Bilko is not responsible for failures caused by those external systems.
⚠️ LEGAL REVIEW REQUIRED: Confirm that disclaimer clauses are enforceable under Serbian Zakon o obligacionim odnosima, BiH equivalent, and Croatian Zakon o obveznim odnosima. Some consumer-protective jurisdictions limit disclaimer enforceability.
10. Limitation of Liability
10.1 Exclusion of Consequential Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BILKO SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING:
- Lost profits or revenue
- Tax penalties or regulatory fines arising from inaccurate data you entered
- Lost business opportunities
- Data loss (beyond Bilko's obligations under these Terms)
- Costs of alternative accounting software
10.2 Cap on Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, BILKO'S TOTAL LIABILITY TO YOU FOR ANY CLAIMS ARISING UNDER THESE TERMS SHALL NOT EXCEED THE GREATER OF:
- The total fees paid by you to Bilko in the 12 months prior to the event giving rise to the claim; OR
- €100
10.3 Exceptions
The limitations in this Section do not apply to:
- Bilko's liability for gross negligence or willful misconduct
- Bilko's liability for death or personal injury caused by Bilko's negligence
- Any liability that cannot be excluded under mandatory applicable law
⚠️ LEGAL REVIEW REQUIRED: Liability caps must be reviewed for enforceability under each jurisdiction's mandatory law. Croatian and Serbian consumer/commercial law may impose minimum liability floors.
11. Indemnification
You agree to indemnify, defend, and hold harmless Bilko and its officers, directors, employees, and agents from and against any claims, liabilities, damages, fines, penalties, and expenses (including reasonable legal fees) arising from:
- Your violation of these Terms
- Your violation of applicable law (including tax law, accounting law, or data protection law)
- Inaccurate Customer Data entered by you or your Authorized Users
- Your infringement of third-party rights
- Any regulatory penalty resulting from errors in data you provided
12. Term and Termination
12.1 Term
These Terms take effect when you accept them and continue for as long as you maintain a Bilko account.
12.2 Termination by You
You may terminate your account at any time by:
- Cancelling your subscription through account settings
- Exporting your data before the termination date
- Contacting support@bilko.io
12.3 Termination by Bilko
Bilko may suspend or terminate your account with:
- Immediate effect for: fraud, unauthorized access attempts, illegal use, or material breach
- 30 days' notice for: non-payment (after cure period), violation of Acceptable Use policy
- 90 days' notice for: discontinuation of the Service
12.4 Effect of Termination
Upon termination:
- Your access to the Service ends immediately (or at the notice period expiry)
- A data export link is provided, valid for 30 days
- Bilko retains financial data for mandatory retention periods per Section 7.4
- All rights and licenses granted to you terminate
13. Service Availability and Changes
13.1 Availability Target
Bilko targets 99.9% monthly uptime for the production environment (app.bilko.io). Planned maintenance windows will be announced with at least 48 hours' notice via email and status page.
13.2 Changes to the Service
Bilko may modify, add, or remove features at any time. For material changes that negatively affect your use of the Service, Bilko will provide at least 30 days' advance notice.
13.3 Changes to These Terms
Bilko may update these Terms. Material changes will be notified by email with at least 30 days' notice. Your continued use of the Service after the effective date constitutes acceptance. If you do not accept the new Terms, you may terminate your account before the effective date.
14. Governing Law and Dispute Resolution
14.1 Governing Law
⚠️ LEGAL REVIEW REQUIRED: This is a critical section requiring legal input. The following options must be evaluated:
Option A (Norwegian Law — for ALAI operating entity): These Terms are governed by the laws of Norway. Disputes are resolved in Norwegian courts. This may be unenforceable for consumers under EU law (Croatia) or Serbian/BiH mandatory jurisdiction rules.
Option B (Jurisdiction-specific): For Serbian users — Serbian law applies; for Croatian users — Croatian law applies (EU mandatory); for BiH users — BiH law applies.
Recommended approach (pending legal review): For business (B2B) customers, Norwegian law may be specified. For any consumer accounts, local mandatory law applies in each jurisdiction.
14.2 Dispute Resolution
Before initiating formal proceedings, the parties agree to attempt good-faith resolution through:
- Written notice to the other party describing the dispute
- 30-day negotiation period
- Formal proceedings if unresolved
14.3 Language
These Terms are provided in English. Translations into Serbian, Bosnian, and Croatian will be provided for informational purposes. In the event of conflict between language versions, the English version governs.
⚠️ LEGAL REVIEW REQUIRED: Confirm whether Croatian consumer protection law requires Croatian-language Terms to be legally binding in Croatia. Serbian and BiH law may have similar requirements for consumer-facing contracts.
15. General Provisions
15.1 Entire Agreement
These Terms, together with the Privacy Policy and Data Processing Agreement, constitute the entire agreement between you and Bilko regarding the Service and supersede all prior agreements.
15.2 Severability
If any provision of these Terms is found unenforceable, the remaining provisions remain in full force.
15.3 Waiver
Bilko's failure to enforce any provision of these Terms does not constitute a waiver of that provision.
15.4 Assignment
You may not assign your rights or obligations under these Terms without Bilko's prior written consent. Bilko may assign these Terms in connection with a merger, acquisition, or sale of assets, with 30 days' notice to you.
15.5 Force Majeure
Neither party shall be liable for delays or failures in performance caused by events beyond their reasonable control, including government actions, natural disasters, or internet infrastructure failures.
15.6 Electronic Communications
By using the Service, you consent to receive communications from Bilko electronically. You agree that electronic communications satisfy any legal requirement that communications be in writing.
16. Sub-Processors (GDPR Art. 28(4))
Bilko uses the following sub-processors to provide the Service:
16.1 Document Archive Pipeline
When you enable the document archival feature, Bilko processes certain document types through the following sub-processors:
| Sub-Processor | Legal Entity | Purpose | Data Categories | Geographic Location | Safeguards |
| --- | --- | --- | --- | --- | --- |
| Cloudflare R2 | Cloudflare, Inc., USA | Temporary document staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west storage bucket) | Standard Contractual Clauses (SCCs) per Cloudflare's published DPA |
| ALAI Azure VM (Paperless-ngx) | ALAI Holding AS (org.nr 932 516 136), Norway | Long-term document archive at archive.alai.no | Same document categories as above | EU/EEA (Microsoft Azure Sweden Central region) | ALAI Data Processing Agreement + Azure Standard Contractual Clauses |
16.2 Document Flow and Retention
Document types processed:
- Contracts and agreements
- Invoices (issued and received)
- Care plans (for care organizations)
- Incident reports
- Onboarding documents
Processing flow:
- Documents are written to the Cloudflare R2 staging bucket (temporary storage, typically < 5 minutes)
- A Cloud Run worker uploads documents to the Paperless-ngx archive every 5 minutes
- Documents are retained in the archive per the retention schedule (see Section 7.4):
  - Financial documents (invoices, contracts): 7 years (Serbian, BiH, Croatian accounting law)
  - Care-related documents (care plans, incident reports): 25 years (UK NHS standard, pending Balkan legal review)
16.3 Sub-Processor Change Notification
Bilko will provide 30 days' advance written notice via email before adding or replacing any sub-processor. You have the right to object to a new sub-processor within the notice period. If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.
Bilko maintains an up-to-date list of sub-processors at bilko.io/sub-processors (to be published).
16.4 GDPR Compliance Reference
This sub-processor disclosure complies with GDPR Article 28(4), which requires the data controller (you) to authorize the data processor (Bilko) to engage sub-processors. By accepting these Terms, you provide such authorization for the sub-processors listed above.
17. Contact
Bilko / ALAI Holding AS (org.nr 932 516 136)
| Channel | Contact |
| --- | --- |
| General support | support@bilko.io |
| Legal / compliance | legal@bilko.io |
| Privacy / data protection | privacy@bilko.io |
| Data Processing Agreement | dpa@alai.no |
| Security vulnerabilities | security@bilko.io |
| Postal address | Pending — registered address to be confirmed upon company formation (see legal review note above) |
⚠️ LEGAL REVIEW REQUIRED: Confirm company address for legal notices. Determine whether Serbian, BiH, or Croatian regulations require a local postal address or registered agent for consumer-facing contracts.
Approval
| Role | Name | Signature | Date |
| --- | --- | --- | --- |
| Author | ALAI Documentation Team | | 2026-02-25 |
| RS Legal Counsel | | | |
| BA Legal Counsel | | | |
| HR Legal Counsel | | | |
| CEO Approval | Alem Bašić | | |
Related Documents
- Bilko Privacy Notice — Section 8.1 Sub-Processors
- DPA Template — Annex B Sub-Processors
- Sub-Processor Notification Email Template
Bilko Privacy Notice — Section 8.1 Document Archive Sub-Processors
MC: #100045 | Date: 2026-05-08
Draft Status: Pending final legal review and translations (per Lexicon S1-S4)
Corrections Applied: Org.nr 932 516 136 (corrected from hallucinated 933 534 262 + wrong DPO org.nr 932 953 736), Azure Sweden Central (corrected from Norway East)
Privacy Policy
Project: Bilko — Balkan Accounting SaaS
Version: 1.1
Last Updated: 2026-03-02
Author: ALAI Documentation Team
Status: Final (Pending Legal Review)
Reviewers: DPO, Legal Counsel (RS, BA, HR), CEO
Classification: Public (upon legal sign-off)
Table of Contents
- Introduction and Data Controller
- Scope and Applicability
- Legal Framework
- Data We Collect
- Legal Basis for Processing
- How We Use Your Data
- Data Retention Periods
- Data Sharing and Third-Party Processors
- Cross-Border Data Transfers
- Your Rights as a Data Subject
- Security Measures
- Cookies and Tracking
- Children's Privacy
- Changes to This Policy
- Contact and Data Protection Officer
- Jurisdiction-Specific Notices
1. Introduction and Data Controller
Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by Basic Consulting AS (trading as ALAI), a company registered in Norway.
Data Controller:
| Field | Details |
| ------------ | ----------------------------------------------------------------------------------------- |
| Entity name | Basic Consulting AS (ALAI) |
| Registration | Pending — Norwegian company register number (to be confirmed upon legal entity formation) |
| Address | Pending — registered address to be confirmed upon legal entity formation |
| Email | privacy@bilko.io |
| Website | https://bilko.io |
⚠️ LEGAL REVIEW REQUIRED: Confirm whether Bilko must establish local legal entities in Serbia (Bilko d.o.o. RS), Bosnia & Herzegovina (Bilko d.o.o. Sarajevo), and Croatia (Bilko d.o.o. Zagreb) as co-controllers or separate controllers for purposes of local data protection law compliance. ZZPL Serbia and ZZLP BiH may require a locally registered representative.
Data Protection Officer (DPO):
| Field | Details |
| --- | --- |
| DPO name | Alem Bašić |
| DPO contact | alem@alai.no |
| Phone | +47 40 47 42 51 |
| Company | ALAI Holding AS (org.nr 932 516 136) |
| Role | Responsible for data protection compliance across all three jurisdictions |
| Appointed | 2026-03-02 |
2. Scope and Applicability
This Privacy Policy applies to:
- All users of the Bilko platform accessible at app.bilko.io
- All organizations registered on Bilko, including their authorized users (owners, admins, accountants, viewers)
- All data processed by Bilko in connection with providing cloud accounting services in Serbia, Bosnia & Herzegovina, and Croatia
- Business owners and employees who register and use Bilko directly
- Clients and contacts whose data is entered into Bilko by our users (e.g., customers listed on invoices)
- Website visitors to bilko.io
3. Legal Framework
Bilko processes personal data in compliance with the following data protection laws:
| Jurisdiction | Applicable Law | Supervisory Authority |
| --- | --- | --- |
| Serbia | Zakon o zaštiti podataka o ličnosti (ZZPL), Sl. glasnik RS 87/2018 — aligned with GDPR | Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti |
| Bosnia & Herzegovina | Zakon o zaštiti ličnih podataka (ZZLP BiH), Sl. glasnik BiH 49/2006 | Agencija za zaštitu ličnih podataka (AZLP) |
| Croatia | GDPR — Uredba (EU) 2016/679 (directly applicable as EU member state) | Agencija za zaštitu osobnih podataka (AZOP) |
Where GDPR principles are referenced in this policy, they apply directly to Croatian users and serve as the compliance standard for Serbian users (ZZPL is GDPR-aligned). For Bosnian users, equivalent provisions of ZZLP BiH apply.
4. Data We Collect
4.1 Account and Registration Data
When you register an organization on Bilko, we collect:
| Data Element | Purpose | Classification |
| --- | --- | --- |
| Email address | Account authentication, notifications | L2 Internal |
| Full name | User identification within organization | L2 Internal |
| Password (bcrypt-hashed) | Authentication — never stored in plaintext | L2 Internal |
| Organization name | Multi-tenant account setup | L2 Internal |
| Country of operation | Jurisdiction-specific compliance rules (VAT rates, CoA) | L2 Internal |
| Base currency | Financial calculations | L2 Internal |
4.2 Financial and Tax Data
When you use Bilko to create invoices, track expenses, and manage accounting:
| Data Element | Jurisdiction | Classification | Encryption |
| --- | --- | --- | --- |
| PIB (Poreski identifikacioni broj — Serbia) | RS | L4-B Restricted | Disk-level AES-256 |
| JMBG (Jedinstveni matični broj građana — Serbia/BiH) | RS, BA | L4-A Restricted | AES-256-GCM field-level |
| OIB (Osobni identifikacijski broj — Croatia) | HR | L4-A Restricted | AES-256-GCM field-level |
| JIB (Jedinstveni identifikacioni broj — BiH) | BA | L4-B Restricted | Disk-level AES-256 |
| IBAN / Bank account numbers | All | L4-B Restricted | Disk-level AES-256 + API masking |
| Invoice amounts (subtotal, VAT, total) | All | L3 Confidential | AES-256 at rest |
| Transaction records (debit/credit entries) | All | L3 Confidential | AES-256 at rest |
| Expense records | All | L3 Confidential | AES-256 at rest |
| Contact details (clients/vendors: name, email, phone, address) | All | L2 Internal | TLS 1.3 in transit |
Note on JMBG processing: The JMBG is a sensitive personal identifier unique to each Serbian and Bosnian citizen. Bilko only collects JMBG when a user explicitly confirms that an invoice is being issued to a natural person (not a legal entity). This is a voluntary user action gated by a UI confirmation checkbox.
4.3 Technical and Operational Data
| Data Element | Retention | Purpose |
| --- | --- | --- |
| IP address | 30 days | Security monitoring, fraud detection |
| Browser user-agent | 30 days | Security monitoring |
| Session tokens (JWT, refresh tokens) | 15 minutes (access) / 7 days (refresh) | Authentication |
| Audit log entries (LoggedAction table) | 10–11 years | Legal compliance, accounting law |
| API request logs | 30 days | Security and debugging |
4.4 Data Entered by Users About Third Parties
Bilko is an accounting tool. Our users enter data about their clients and vendors (third parties). This includes names, contact details, and tax identification numbers of those third parties. Bilko acts as a data processor for this third-party data — the organization using Bilko is the data controller for their clients' data and is responsible for ensuring they have an appropriate legal basis for entering that data into Bilko.
5. Legal Basis for Processing
| Data Category | Legal Basis | GDPR Article | ZZPL Article | ZZLP BiH |
| --- | --- | --- | --- | --- |
| Account email, full name | Performance of contract | Art. 6(1)(b) | Art. 12(1)(b) | Art. 7(1)(b) |
| Organization details | Performance of contract | Art. 6(1)(b) | Art. 12(1)(b) | Art. 7(1)(b) |
| Tax IDs (PIB, JIB) | Legal obligation — accounting and tax law | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
| JMBG, OIB | Legal obligation — accounting and tax law (only when legally required) | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
| IBAN | Performance of contract (for payment processing) | Art. 6(1)(b) | Art. 12(1)(b) | Art. 7(1)(b) |
| Invoice and transaction data | Legal obligation — accounting/tax retention requirements | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
| IP address, session logs | Legitimate interest — platform security | Art. 6(1)(f) | Art. 12(1)(f) | Art. 7(1)(f) |
| Audit trail (LoggedAction) | Legal obligation — accounting law requires immutable audit records | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
⚠️ LEGAL REVIEW REQUIRED: Confirm the specific Serbian, Bosnian, and Croatian accounting and tax laws that constitute the "legal obligation" basis for each data category listed above. Reference: Zakon o računovodstvu RS (Sl. glasnik RS 73/2019), Zakon o PDV RS, Zakon o računovodstvu i reviziji FBiH, Zakon o porezu na dohodak FBiH, Zakon o računovodstvu HR (NN 78/15 et seq.).
6. How We Use Your Data
We use the data we collect exclusively to:
- Provide the Bilko service — create and manage invoices, expenses, transactions, financial reports
- Ensure legal compliance — submit e-invoices to SEF (Serbia) and HR-FISK (Croatia), maintain accounting records per mandatory retention periods
- Secure the platform — authenticate users, prevent unauthorized access, detect and investigate fraud and security incidents
- Communicate with you — send invoice notifications, payment reminders, service announcements, and support responses
- Improve the service — analyze usage patterns (in aggregated, anonymized form) to improve features
We do not:
- Sell your data to third parties
- Use your financial data for advertising or profiling
- Process your data for any purpose beyond providing the accounting service and meeting legal obligations
7. Data Retention Periods
Data retention is governed by accounting and tax laws in each jurisdiction. We are legally required to retain certain financial records even if you delete your account.
| Data Category | Serbia (RS) | Bosnia & Herzegovina (BA) | Croatia (HR) | Basis |
| --- | --- | --- | --- | --- |
| Financial statements and accounting records | 10 years | FBiH: 10 years; RS entity: 11 years | 11 years | Zakon o računovodstvu (RS/BA/HR) |
| Invoice records | 10 years | 10–11 years | 11 years | Accounting and VAT law |
| Expense records | 10 years | 10–11 years | 11 years | Accounting law |
| Audit trail (LoggedAction) | 10 years | 10–11 years | 11 years | Accounting law |
| VAT/PDV records | 10 years | 10–11 years | 11 years | Tax law |
| User account data (name, email) | Account lifetime + 30 days after closure | Account lifetime + 30 days | Account lifetime + 30 days | Contract performance |
| IP addresses and session logs | 30 days | 30 days | 30 days | Legitimate interest |
| JWT refresh tokens | 7 days | 7 days | 7 days | Contract performance |
Important — Right to Erasure Limitation: Under accounting and tax law in all three jurisdictions, financial records (invoices, transactions, expense records) cannot be deleted during the mandatory retention period. If you close your Bilko account, your personal identifiers (name, email) can be anonymized in your user account record, but the underlying financial transaction data must be retained for the legally required period. See Section 10 for full details on data subject rights.
8. Data Sharing and Third-Party Processors
Bilko shares your data only with the following categories of third parties, all of whom are bound by Data Processing Agreements (DPAs):
| Processor | Role | Data Shared | Location | Transfer Mechanism |
| --- | --- | --- | --- | --- |
| Railway | Cloud infrastructure (PostgreSQL database, API hosting) | All Bilko data | EU West (Amsterdam / Frankfurt) | DPA — see Section 9 |
| Cloudflare | CDN, WAF, DDoS protection | IP addresses, HTTP headers | USA (but data transits EU PoPs) | DPA + Standard Contractual Clauses |
| Sentry | Error tracking and monitoring | Error traces, stack traces (may contain PII in error messages) | USA | DPA + Standard Contractual Clauses |
| Email service provider | Transactional email (invoice delivery, notifications) | Email addresses, invoice PDFs | TBD | DPA |
⚠️ LEGAL REVIEW REQUIRED: Select and confirm the transactional email service provider. Confirm a DPA is in place with all processors above before launch. Cloudflare and Sentry are US-based — confirm SCC adequacy is sufficient for ZZPL and ZZLP BiH purposes, not just GDPR.
8.1 Document Archive Sub-Processors
When you enable the document archival feature in Bilko, the following additional sub-processors are used:
| Sub-Processor | Purpose | Data Categories | Location | Safeguards |
| --- | --- | --- | --- | --- |
| Cloudflare R2 (Cloudflare, Inc., USA) | Temporary staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west bucket) | Standard Contractual Clauses (SCCs) |
| ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway) | Long-term document archive at archive.alai.no | Same categories as above | EU/EEA (Microsoft Azure Sweden Central) | ALAI DPA + Azure SCCs |
How document archival works:
- Upload: When you mark a document for archival in Bilko (contracts, invoices, care plans, incident reports, onboarding documents), Bilko's backend writes the document to a Cloudflare R2 staging bucket in the EU region.
- Transfer: Every 5 minutes, a Cloud Run worker retrieves documents from R2 and uploads them to Paperless-ngx, a document management system hosted on ALAI's Azure VM (archive.alai.no) located in the Azure Sweden Central region (EU/EEA).
- Retention: Documents are retained in the archive according to the following schedule:
- Deletion: Documents are automatically deleted from Cloudflare R2 after successful upload to Paperless-ngx (typically within 5 minutes). Documents remain in Paperless-ngx for the retention period specified above.
Changes to sub-processors:
- You will receive 30 days' advance notice by email before Bilko adds or replaces any sub-processor.
- You have the right to object to a new sub-processor within the notice period.
- If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.
- Contact dpa@alai.no to exercise this right.
- This disclosure complies with GDPR Article 28(4), Serbian ZZPL Art. 31(4), and BiH ZZLP equivalent provisions.
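The staging-to-archive hand-off described above, as an added example that is not code from Bilko or ALAI: an in-memory model of the R2 staging bucket and the Paperless-ngx archive (both constructed stand-ins, as are the document names) in which the worker deletes a staged copy only after the archive confirms a matching checksum, so a failed upload leaves the document staged for the next run.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StagedDocument:
    key: str       # object key in the staging bucket
    category: str  # contract, invoice, care_plan, incident_report, onboarding
    content: bytes


class StagingBucket:
    """In-memory stand-in for the Cloudflare R2 eu-west staging bucket (constructed)."""

    def __init__(self) -> None:
        self._objects: Dict[str, StagedDocument] = {}

    def put(self, doc: StagedDocument) -> None:
        self._objects[doc.key] = doc

    def list_objects(self) -> List[StagedDocument]:
        return list(self._objects.values())

    def delete(self, key: str) -> None:
        del self._objects[key]

    def __len__(self) -> int:
        return len(self._objects)


class ArchiveStore:
    """In-memory stand-in for the Paperless-ngx archive (constructed). Keyed by
    SHA-256 so that a retried upload of the same document is idempotent."""

    def __init__(self) -> None:
        self.documents: Dict[str, Tuple[str, str]] = {}  # sha256 -> (key, category)

    def upload(self, doc: StagedDocument) -> str:
        digest = hashlib.sha256(doc.content).hexdigest()
        self.documents.setdefault(digest, (doc.key, doc.category))
        return digest  # the archive confirms what it actually stored


Uploader = Callable[[StagedDocument], str]


def run_transfer_batch(staging: StagingBucket, archive: ArchiveStore,
                       uploader: Optional[Uploader] = None) -> Dict[str, list]:
    """One run of the periodic worker. A staged copy is deleted only after the
    archive has confirmed the upload with a matching checksum; anything else
    stays in staging and is picked up again on the next run."""
    upload = uploader or archive.upload
    outcome: Dict[str, list] = {"archived": [], "retry_next_run": []}
    for doc in staging.list_objects():
        expected = hashlib.sha256(doc.content).hexdigest()
        try:
            confirmed = upload(doc)
        except Exception as exc:  # transport error, HTTP 5xx, timeout ...
            outcome["retry_next_run"].append((doc.key, f"upload failed: {exc}"))
            continue
        if confirmed != expected:
            outcome["retry_next_run"].append((doc.key, "checksum mismatch"))
            continue
        staging.delete(doc.key)  # safe now: the archive holds a verified copy
        outcome["archived"].append(doc.key)
    return outcome


def failing_for(archive: ArchiveStore, bad_key: str) -> Uploader:
    """Uploader that simulates a transient failure for one object key."""
    def upload(doc: StagedDocument) -> str:
        if doc.key == bad_key:
            raise ConnectionError("archive.alai.no unreachable")
        return archive.upload(doc)
    return upload


def run_sample() -> Tuple[dict, dict, int, int]:
    """Stage three constructed documents, run the worker with one transient
    failure, then run it again once the archive is reachable."""
    staging, archive = StagingBucket(), ArchiveStore()
    staging.put(StagedDocument("org-1/contract-001.pdf", "contract", b"%PDF-1.7 contract body"))
    staging.put(StagedDocument("org-1/invoice-2026-0042.pdf", "invoice", b"%PDF-1.7 invoice body"))
    staging.put(StagedDocument("org-1/care-plan-17.pdf", "care_plan", b"%PDF-1.7 care plan body"))
    first = run_transfer_batch(staging, archive,
                               failing_for(archive, "org-1/invoice-2026-0042.pdf"))
    left_after_first = len(staging)  # the failed document is still staged
    second = run_transfer_batch(staging, archive)
    return first, second, left_after_first, len(archive.documents)


if __name__ == "__main__":
    print(run_sample())
```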
When legally required, Bilko transmits e-invoice data to:
- SEF portal (efaktura.mfin.gov.rs) — Serbian Ministry of Finance — for RS users' B2B e-invoices
- HR-FISK/FINA — Croatian government e-invoicing authority — for HR users' B2B e-invoices (Phase 2)
- Tax and regulatory authorities in response to lawful requests
9. Cross-Border Data Transfers
Bilko hosts all data on Railway's EU West infrastructure (Amsterdam/Frankfurt). Data transfer mechanisms per jurisdiction:
| From | To | Mechanism |
| --- | --- | --- |
| Croatia (HR) | Railway EU West | No transfer mechanism needed — EU to EU transfer |
| Serbia (RS) | Railway EU West | Serbia is on the European Commission's adequacy list (Decision 2023/1485) — no additional mechanism required |
| Bosnia & Herzegovina (BA) | Railway EU West | Standard Contractual Clauses (SCC 2021/914/EU) — BiH has no EU adequacy decision |
For Cloudflare and Sentry (US-based processors): Standard Contractual Clauses (SCC) apply, combined with a Transfer Impact Assessment.
⚠️ LEGAL REVIEW REQUIRED: Confirm that Serbia's adequacy decision (2023/1485) is still current and applies to the data categories Bilko processes. Prepare and sign SCCs with Railway for BiH user data before accepting Bosnian users. Conduct Transfer Impact Assessment for Cloudflare and Sentry.
10. Your Rights as a Data Subject
Depending on your jurisdiction, you have the following rights regarding your personal data:
10.1 Rights Table
| Right | GDPR (Croatia) | ZZPL (Serbia) | ZZLP BiH | How to Exercise |
| --- | --- | --- | --- | --- |
| Right of access — obtain a copy of your data | Art. 15 | Art. 26 | Art. 16 | Export via /api/gdpr/export (planned) or email privacy@bilko.io |
| Right to rectification — correct inaccurate data | Art. 16 | Art. 27 | Art. 17 | Edit directly in Bilko settings, or email privacy@bilko.io |
| Right to erasure — "right to be forgotten" | Art. 17 | Art. 28 | Art. 18 | Email privacy@bilko.io — subject to retention limitations below |
| Right to data portability — export in machine-readable format | Art. 20 | Art. 30 | N/A (not in ZZLP BiH) | JSON/CSV export via Bilko (planned) |
| Right to restriction — limit processing | Art. 18 | Art. 29 | Art. 20 | Email privacy@bilko.io |
| Right to object — object to processing based on legitimate interest | Art. 21 | Art. 31 | Art. 21 | Email privacy@bilko.io |
| Right not to be subject to automated decisions | Art. 22 | Art. 38 | Art. 24 | Bilko does not make automated decisions with legal effect |
10.2 Erasure Limitation (Financial Data)
The right to erasure does not apply to financial records that we are legally required to retain:
- In Serbia: Accounting records must be kept for 10 years (Zakon o računovodstvu Art. 26)
- In Bosnia & Herzegovina: Records must be kept for 10–11 years depending on entity
- In Croatia: Records must be kept for 11 years (Zakon o računovodstvu Art. 10)
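How an erasure request interacts with these retention periods, as an added illustration that is not Bilko's own code: the user's identifiers are anonymized at once, while financial records are deleted only once their statutory period has run and the rest are kept with a dated release. The account, record ids and dates are constructed, and counting the period from the end of the issue year is a simplifying assumption.

```python
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Dict, List, Optional, Tuple

# Statutory retention periods for financial records as stated in this policy
# (Sections 7 and 10.2). Key: (jurisdiction, entity); the entity matters only for BA.
RETENTION_YEARS: Dict[Tuple[str, Optional[str]], int] = {
    ("RS", None): 10,    # Serbia: Zakon o računovodstvu, 10 years
    ("BA", "FBiH"): 10,  # Bosnia & Herzegovina, FBiH entity: 10 years
    ("BA", "RS"): 11,    # Bosnia & Herzegovina, RS entity: 11 years
    ("HR", None): 11,    # Croatia: Zakon o računovodstvu, 11 years
}


@dataclass(frozen=True)
class FinancialRecord:
    record_id: str
    issued_on: date
    kind: str  # invoice, expense, transaction


@dataclass
class Account:
    user_id: str
    full_name: str
    email: str
    jurisdiction: str              # "RS", "BA" or "HR"
    entity: Optional[str] = None   # BA only: "FBiH" or "RS"
    records: List[FinancialRecord] = field(default_factory=list)


@dataclass
class ErasureResult:
    account: Account                   # identifiers anonymized
    deleted_record_ids: List[str]      # past retention, deleted now
    retained: List[Tuple[str, date]]   # still within retention, with release date


def retention_years(jurisdiction: str, entity: Optional[str] = None) -> int:
    key = (jurisdiction, entity if jurisdiction == "BA" else None)
    if key not in RETENTION_YEARS:
        raise ValueError(f"no retention rule for {jurisdiction}/{entity}")
    return RETENTION_YEARS[key]


def retain_until(record: FinancialRecord, years: int) -> date:
    # Assumption (simplification for this example): the period is counted from
    # the end of the calendar year in which the record was issued.
    return date(record.issued_on.year + years, 12, 31)


def handle_erasure_request(account: Account, today: date) -> ErasureResult:
    """Honour an erasure request as far as accounting law allows: anonymize the
    user's identifiers immediately, delete only the financial records whose
    retention period has expired, and keep the rest with a dated release."""
    years = retention_years(account.jurisdiction, account.entity)
    deleted, retained, kept_records = [], [], []
    for rec in account.records:
        until = retain_until(rec, years)
        if until < today:
            deleted.append(rec.record_id)
        else:
            retained.append((rec.record_id, until))
            kept_records.append(rec)
    anonymized = replace(
        account,
        full_name="[erased]",
        # keep the address unique and undeliverable so DB constraints still hold
        email=f"erased-{account.user_id}@example.invalid",
        records=kept_records,
    )
    return ErasureResult(anonymized, deleted, retained)


def run_sample() -> ErasureResult:
    """Constructed Croatian account with one expired and one live invoice,
    evaluated on 2026-05-08 (the date of this document)."""
    acct = Account(
        user_id="u-42", full_name="Ana Horvat", email="ana@example.com",
        jurisdiction="HR",
        records=[
            FinancialRecord("inv-2012-001", date(2012, 3, 14), "invoice"),
            FinancialRecord("inv-2020-007", date(2020, 9, 1), "invoice"),
        ],
    )
    return handle_erasure_request(acct, date(2026, 5, 8))


if __name__ == "__main__":
    print(run_sample())
```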
10.3 Response Times
We will respond to data subject rights requests within:
- 30 days (standard) — may be extended by 2 additional months for complex requests with notification
10.4 Right to Complain
You have the right to lodge a complaint with your supervisory authority:
| Jurisdiction | Authority | Website |
| --- | --- | --- |
| Serbia | Poverenik za informacije | poverenik.rs |
| Bosnia & Herzegovina | AZLP | azlp.gov.ba |
| Croatia | AZOP | azop.hr |
11. Security Measures
Bilko implements the following technical and organizational security measures to protect your data:
| Measure | Description |
| --- | --- |
| Encryption in transit | TLS 1.3 (minimum TLS 1.2) for all connections via Cloudflare |
| Encryption at rest | AES-256 disk-level encryption on all Railway infrastructure |
| Field-level encryption | AES-256-GCM for JMBG (Serbia/BiH) and OIB (Croatia) — most sensitive personal identifiers |
| IBAN masking | Only last 4 digits shown in list views; full IBAN accessible only to authorized users |
| Password security | bcrypt with cost factor 12; breached password check via HaveIBeenPwned API |
| Authentication tokens | JWT RS256, 15-minute access token lifetime, 7-day refresh with rotation |
| Multi-tenancy isolation | Every database query is scoped to your organization — cross-tenant access is technically impossible by design |
| Role-based access control | 4 roles (owner, admin, accountant, viewer) — users see only what their role permits |
| Rate limiting | 5 failed authentication attempts per 15 minutes triggers lockout |
| Immutable audit log | All data modifications are recorded in an append-only audit trail |
| Breach notification | 72-hour notification to supervisory authorities in the event of a personal data breach |
12. Cookies and Tracking
Bilko uses minimal cookies necessary to provide the service:
| Cookie | Purpose | Duration |
| --- | --- | --- |
| bilko_session | Stores encrypted session reference for authentication | Session |
| bilko_refresh | HTTP-only refresh token for session renewal | 7 days |
⚠️ LEGAL REVIEW REQUIRED: Confirm cookie consent requirements under Croatian GDPR (ePrivacy Directive applies in Croatia as EU member state). Serbia and BiH may have different requirements. Determine if a cookie consent banner is required.
We do not use third-party advertising cookies or tracking pixels.
13. Children's Privacy
Bilko is a business accounting platform intended for use by business owners and accounting professionals. We do not knowingly collect data from children under 16 years of age. If you believe a child has registered on Bilko, please contact privacy@bilko.io.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes to our data practices or legal requirements. We will notify you of material changes by:
- Email to your registered account email address (at least 30 days before the change takes effect)
- Prominent notice on the Bilko platform
15. Contact and Data Protection Officer
For any privacy-related questions, requests, or complaints:
Privacy inquiries: privacy@bilko.io
Data Protection Officer: Alem Bašić — alem@alai.no — +47 40 47 42 51
DPO company: ALAI Holding AS (org.nr 932 516 136)
Postal address: Pending — to be confirmed upon company formation (see legal review note in Section 1)
⚠️ LEGAL REVIEW REQUIRED: Confirm postal address for privacy contact in each jurisdiction. Consider whether a local representative must be designated in Serbia and BiH under their data protection laws.
16. Jurisdiction-Specific Notices
16.1 Serbia — Notice under ZZPL
This section applies specifically to users in the Republic of Serbia.
Bilko processes personal data in accordance with the Zakon o zaštiti podataka o ličnosti (Sl. glasnik RS 87/2018 — "ZZPL"). Your rights under ZZPL Articles 26–38 are described in Section 10 of this policy.
The supervisory authority for data protection in Serbia is the Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (poverenik.rs).
Tax identification data (PIB) is processed pursuant to the Zakon o poreskom postupku i poreskoj administraciji and Zakon o PDV. Accounting records are retained pursuant to Zakon o računovodstvu (Sl. glasnik RS 73/2019) — minimum 10 years.
E-invoice data is submitted to the SEF portal (efaktura.mfin.gov.rs) pursuant to the Zakon o elektronskom fakturisanju (Sl. glasnik RS 44/2021). This transmission constitutes a legal obligation — no separate consent is required.
16.2 Bosnia & Herzegovina — Notice under ZZLP BiH
This section applies specifically to users in Bosnia & Herzegovina.
Bilko processes personal data in accordance with the Zakon o zaštiti ličnih podataka (Sl. glasnik BiH 49/2006 — "ZZLP BiH"). The supervisory authority is the Agencija za zaštitu ličnih podataka (AZLP) (azlp.gov.ba).
BiH has no EU adequacy decision. Data transferred to Railway (EU West) is protected by Standard Contractual Clauses (SCC 2021/914/EU).
Accounting records are retained pursuant to: FBiH — Zakon o računovodstvu i reviziji FBiH (minimum 10 years); RS entity — Zakon o računovodstvu i reviziji RS BiH (minimum 11 years). The correct retention period depends on the entity jurisdiction selected during organization registration.
⚠️ LEGAL REVIEW REQUIRED: Confirm that the ZZLP BiH (2006 law) is still the governing framework or if amendments/successor legislation applies. Confirm AZLP registration requirements for Bilko as a data controller operating from outside BiH.
16.3 Croatia — Notice under the GDPR
This section applies specifically to users in the Republic of Croatia.
As an EU member state, Croatia is subject to the GDPR (Uredba (EU) 2016/679) directly. The supervisory authority is the Agencija za zaštitu osobnih podataka (AZOP) (azop.hr).
Accounting records are retained pursuant to the Zakon o računovodstvu (NN 78/15, 116/18, 42/20, 47/20, 114/22) and Opći porezni zakon — minimum 11 years.
E-invoice data (when HR-FISK integration is active) is transmitted to FINA pursuant to the Zakon o elektroničkom izdavanju računa u javnoj nabavi and related legislation. This constitutes a legal obligation.
Approval
| Role | Name | Signature | Date |
| --- | --- | --- | --- |
| Author | ALAI Documentation Team | | 2026-02-25 |
| DPO Review | | | |
| RS Legal Counsel | | | |
| BA Legal Counsel | | | |
| HR Legal Counsel | | | |
| CEO Approval | Alem Bašić | | |
DPA Template — Annex B: Sub-Processors for Bilko Archive Feature
MC: #100045 | Date: 2026-05-08
Draft Status: Pending final legal review and translations (per Lexicon S1-S4)
Corrections Applied: Org.nr 932 516 136 (corrected from hallucinated 933 534 262), Azure Sweden Central (corrected from Norway East)
Databehandleravtale / Data Processing Agreement (DPA)
Template Version: 1.0
Last Updated: 2026-02-10
Compliance: GDPR Article 28, Norwegian Personal Data Act
NO: Data Processing Agreement (Databehandleravtale)
1. Parties
Data Controller:
Data Processor:
2. Scope and Purpose of the Agreement
2.1 Purpose The Data Processor shall process personal data on behalf of the Data Controller in connection with the delivery of the following services:
[DESCRIPTION_OF_SERVICES]
2.2 Duration This agreement enters into force on [START_DATE] and applies until [END_DATE] or until the service agreement between the parties terminates.
2.3 Nature of Personal Data The processing covers the following types of personal data:
- [DATA_TYPE_1] (e.g., name, email address)
- [DATA_TYPE_2] (e.g., invoice information)
- [DATA_TYPE_3] (e.g., contact history)
The processing covers the following categories of data subjects:
- [CATEGORY_1] (e.g., customers)
- [CATEGORY_2] (e.g., employees)
- [CATEGORY_3] (e.g., suppliers)
3. Data Processor's Obligations
3.1 Processing Instructions The Data Processor shall only process personal data in accordance with documented instructions from the Data Controller. This agreement and the associated service agreement constitute the initial instructions.
3.2 Confidentiality The Data Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, cf. GDPR Article 32:
- Pseudonymization and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability and resilience
- Ability to restore availability and access to personal data in the event of physical or technical incidents
- Process for regular testing, assessment and evaluation of effectiveness
3.4 Sub-processors When changing sub-processors, the Data Processor shall notify the Data Controller at least 30 days in advance. The Data Controller may object within this period.
3.5 Assistance to the Data Controller The Data Processor shall assist the Data Controller in:
- Conducting data protection impact assessments (DPIA)
- Responding to requests from data subjects exercising their rights
- Handling personal data breaches
- Implementing security measures
3.7 Deletion or Return Upon termination of the processing, the Data Processor shall, at the Data Controller's choice, delete or return all personal data and delete existing copies, unless storage is required under EU law or Norwegian law.
4. Data Controller's Obligations
4.1 Instructions The Data Controller shall ensure that the instructions to the Data Processor comply with applicable data protection legislation.
4.2 Supervision The Data Controller has the right to conduct audits and inspections to verify that the Data Processor complies with this agreement.
5. Data Transfer to Third Countries
5.1 Transfer Outside the EEA Personal data shall only be processed within the EEA unless the Data Controller has given prior approval. For transfers to third countries, the following safeguards shall be applied:
- EU Standard Contractual Clauses for data transfer
- Appropriate safeguards in accordance with GDPR Article 46
- [ADDITIONAL_SAFEGUARDS]
6. Allocation of Liability
6.1 Data Controller's Liability The Data Controller is responsible to data subjects and supervisory authorities for the processing of personal data.
6.2 Data Processor's Liability The Data Processor is liable for damage resulting from breach of this agreement or from processing beyond the instructions of the Data Controller.
6.3 Limitation The Data Processor's total liability under this agreement is limited to [AMOUNT] NOK, unless the damage is caused by gross negligence or intent.
7. Termination
7.1 Termination The agreement may be terminated by the Data Controller with immediate effect if the Data Processor:
- Breaches material provisions of this agreement
- Does not implement necessary security measures
- Transfers data to third countries without approval
8. Miscellaneous
8.1 Governing Law This agreement is governed by Norwegian law.
8.2 Venue Disputes shall be resolved at Romerike og Glåmdal tingrett (Romerike and Glåmdal District Court).
8.3 Amendments Amendments to this agreement must be in writing and approved by both parties.
Annex A: Approved Sub-processors
| Sub-processor | Service | Location | Safeguards |
| ---------------- | ---------- | ---------- | ------------------ |
| [SUB_PROCESSOR_1] | [SERVICE_1] | [LOCATION_1] | [SAFEGUARDS_1] |
| [SUB_PROCESSOR_2] | [SERVICE_2] | [LOCATION_2] | [SAFEGUARDS_2] |
Annex B: Sub-processors for the Bilko Archive Feature
This annex applies specifically to the Bilko product when the archive feature is enabled.
B.1 Cloudflare R2 (Temporary Document Storage)
| Field | Details |
| --- | --- |
| Sub-processor | Cloudflare, Inc. |
| Address | 101 Townsend St, San Francisco, CA 94107, USA |
| Contact | privacyquestions@cloudflare.com |
| Purpose | Temporary staging of documents for the archive pipeline |
| Data categories processed | Contracts (PDF), invoices (PDF), care plans, incident reports, onboarding documents |
| Categories of data subjects | The Bilko organization's customers, suppliers, patients (for care organizations) |
| Geographic location | EU region (eu-west R2 storage bucket) |
| Processing duration | Temporary (typically < 5 minutes; documents are deleted after successful transfer to Paperless-ngx) |
| Safeguards | EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture |
| Sub-sub-processors | See Cloudflare's DPA for the complete list (https://www.cloudflare.com/cloudflare-customer-dpa/) |
B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)
| Field | Details |
| --- | --- |
| Sub-processor | ALAI Holding AS (own infrastructure) |
| Org.nr | 932 516 136 |
| Address | Tømmerrenna 1B, 2050 Jessheim, Norway |
| Contact | dpa@alai.no |
| Purpose | Long-term archive of business documents at archive.alai.no |
| Data categories processed | Same as Cloudflare R2 above |
| Categories of data subjects | Same as Cloudflare R2 above |
| Geographic location | EU/EEA (Microsoft Azure Sweden Central region) |
| Processing duration | Permanent archive per retention schedule: financial documents 7 years (accounting law RS/BA/HR); care documents 25 years (UK NHS standard, interim) |
| Safeguards | ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; role-based access control (RBAC); Paperless-ngx with OAuth2 authentication; daily Azure backup with 30-day retention; immutable audit trail in PostgreSQL |
| Sub-sub-processors | Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA) |
B.3 Data Flow for Archival
Bilko Backend (Cloud Run)
↓ (POST /archive)
Cloudflare R2 (eu-west bucket)
← [5-minute batch job]
Cloud Run Worker
↓ (HTTP POST to Paperless-ngx API)
ALAI Azure VM (archive.alai.no)
→ Permanent archive (7–25 years)
B.4 Notice of Sub-Processor Changes
ALAI Holding AS commits to notifying the Data Controller at least 30 days in advance by email before:
- New sub-processors are added to the archive pipeline
- Existing sub-processors are replaced
- The geographic location of processing changes
Signatures
For Data Controller (ALAI Holding AS):
For Data Processor ([PROCESSOR_NAME]):
EN: Data Processing Agreement (DPA)
1. Parties
Data Controller:
- Name: ALAI Holding AS
- Org.No: 932 516 136
- Address: Tømmerrenna 1B, 2050 Jessheim, Norway
- Contact Person: Alem Akšamija
- Email: alem@alai.no
Data Processor:
- Name: [PROCESSOR_NAME]
- Org.No: [PROCESSOR_ORG_NUMBER]
- Address: [PROCESSOR_ADDRESS]
- Contact Person: [PROCESSOR_CONTACT_PERSON]
- Email: [PROCESSOR_EMAIL]
2. Scope and Purpose
2.1 Purpose The Data Processor shall process personal data on behalf of the Data Controller in connection with the delivery of the following services:
[DESCRIPTION_OF_SERVICES]
2.2 Duration This agreement enters into force on [START_DATE] and applies until [END_DATE] or until the service agreement between the parties terminates.
2.3 Nature of Personal Data The processing covers the following types of personal data:
- [DATA_TYPE_1] (e.g., name, email address)
- [DATA_TYPE_2] (e.g., billing information)
- [DATA_TYPE_3] (e.g., contact history)
The processing covers the following categories of data subjects:
- [CATEGORY_1] (e.g., customers)
- [CATEGORY_2] (e.g., employees)
- [CATEGORY_3] (e.g., suppliers)
3. Data Processor's Obligations
3.1 Processing Instructions The Data Processor shall only process personal data in accordance with documented instructions from the Data Controller. This agreement and the associated service agreement constitute the initial instructions.
3.2 Confidentiality The Data Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32:
- Pseudonymization and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience
- Ability to restore availability and access to personal data in a timely manner in the event of physical or technical incidents
- Process for regularly testing, assessing, and evaluating the effectiveness of measures
3.4 Sub-processors When changing sub-processors, the Data Processor shall notify the Data Controller at least 30 days in advance. The Data Controller may object within this period.
3.5 Assistance to Data Controller The Data Processor shall assist the Data Controller in:
- Conducting data protection impact assessments (DPIA)
- Responding to requests from data subjects exercising their rights
- Handling personal data breaches
- Implementing security measures
3.7 Deletion or Return Upon termination of the processing, the Data Processor shall, at the Data Controller's choice, delete or return all personal data and delete existing copies, unless storage is required under EU or Norwegian law.
4. Data Controller's Obligations
4.1 Instructions The Data Controller shall ensure that instructions to the Data Processor comply with applicable data protection legislation.
4.2 Supervision The Data Controller has the right to conduct audits and inspections to verify that the Data Processor complies with this agreement.
5. Data Transfer to Third Countries
5.1 Transfer Outside EEA Personal data shall only be processed within the EEA unless the Data Controller has given prior approval. For transfers to third countries, the following safeguards shall be applied:
- EU Standard Contractual Clauses for data transfer
- Appropriate safeguards in accordance with GDPR Article 46
- [ADDITIONAL_SAFEGUARDS]
6. Liability Distribution
6.1 Data Controller's Liability The Data Controller is responsible to data subjects and supervisory authorities for the processing of personal data.
6.2 Data Processor's Liability The Data Processor is liable for damage resulting from breach of this agreement or processing beyond the instructions from the Data Controller.
6.3 Limitation The Data Processor's total liability under this agreement is limited to [AMOUNT] NOK, unless the damage is caused by gross negligence or intent.
7. Termination
7.1 Termination The agreement may be terminated by the Data Controller with immediate effect if the Data Processor:
- Breaches material provisions of this agreement
- Does not implement necessary security measures
- Transfers data to third countries without approval
8. Miscellaneous
8.1 Governing Law This agreement is governed by Norwegian law.
8.2 Venue Disputes shall be resolved at Romerike and Glåmdal District Court.
8.3 Amendments Amendments to this agreement must be in writing and approved by both parties.
Annex A: Approved Sub-processors
| Sub-processor | Service | Location | Safeguards |
| --- | --- | --- | --- |
| [SUB_PROCESSOR_1] | [SERVICE_1] | [LOCATION_1] | [SAFEGUARDS_1] |
| [SUB_PROCESSOR_2] | [SERVICE_2] | [LOCATION_2] | [SAFEGUARDS_2] |
Annex B: Sub-Processors for Bilko Archive Feature
This annex applies specifically to the Bilko product when the archive feature is enabled.
B.1 Cloudflare R2 (Temporary Document Storage)
| Field | Details |
| --- | --- |
| Sub-processor | Cloudflare, Inc. |
| Address | 101 Townsend St, San Francisco, CA 94107, USA |
| Contact | privacyquestions@cloudflare.com |
| Purpose | Temporary staging of documents for archive pipeline |
| Data Categories Processed | Contracts (PDF), Invoices (PDF), Care Plans, Incident Reports, Onboarding Documents |
| Categories of Data Subjects | Bilko organization's customers, suppliers, patients (for care organizations) |
| Geographic Location | EU region (eu-west R2 storage bucket) |
| Processing Duration | Temporary (typically < 5 minutes; documents deleted after successful transfer to Paperless-ngx) |
| Safeguards | EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture |
| Sub-sub-processors | See Cloudflare's DPA for complete list (https://www.cloudflare.com/cloudflare-customer-dpa/) |
B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)
| Field | Details |
| --- | --- |
| Sub-processor | ALAI Holding AS (own infrastructure) |
| Org.No | 932 516 136 |
| Address | Tømmerrenna 1B, 2050 Jessheim, Norway |
| Contact | dpa@alai.no |
| Purpose | Long-term archive of business documents at archive.alai.no |
| Data Categories Processed | Same as Cloudflare R2 above |
| Categories of Data Subjects | Same as Cloudflare R2 above |
| Geographic Location | EU/EEA (Microsoft Azure Sweden Central region) |
| Processing Duration | Permanent archive per retention schedule: financial documents 7 years (accounting law RS/BA/HR); care documents 25 years (UK NHS standard, interim) |
| Safeguards | ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; Role-Based Access Control (RBAC); Paperless-ngx with OAuth2 authentication; Daily Azure backup with 30-day retention; Immutable audit trail in PostgreSQL |
| Sub-sub-processors | Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA) |
B.3 Data Flow for Archival
Bilko Backend (Cloud Run)
↓ (POST /archive)
Cloudflare R2 (eu-west bucket)
← [5-minute batch job]
Cloud Run Worker
↓ (HTTP POST to Paperless-ngx API)
ALAI Azure VM (archive.alai.no)
→ Permanent archive (7–25 years)
B.4 Notice of Sub-Processor Changes
ALAI Holding AS commits to notifying the Data Controller at least 30 days in advance via email before:
- New sub-processors are added to the archive pipeline
- Existing sub-processors are replaced
- Geographic location of processing changes
Signatures
For Data Controller (ALAI Holding AS):
Name: _______________________ Date: _______________________ Signature: ___________________
For Data Processor ([PROCESSOR_NAME]):
Name: _______________________ Date: _______________________ Signature: ___________________
Related Documents
- Bilko Terms of Service — Section 16 Sub-Processors
- Bilko Privacy Notice — Section 8.1 Sub-Processors
- Sub-Processor Notification Email Template
Sub-Processor Notification Email Template (Bilko)
MC: #100045 | Date: 2026-05-08
Draft Status: Pending final legal review and translations (per Lexicon S1-S4)
Corrections Applied: Org.nr 932 516 136 (corrected from hallucinated 933 534 262), Azure Sweden Central (corrected from Norway East)
Sub-Processor Notification Email Template
Version: 1.0
Last Updated: 2026-05-08
Purpose: Notify Bilko tenants of new sub-processors per GDPR Art. 28(4)
Language: English (Norwegian translation pending)
Email Template — English
Subject: Bilko Sub-Processor Update — Effective {{DATE_PLUS_30_DAYS}}
Dear {{TENANT_NAME}},
We are writing to inform you of changes to our sub-processor list for the Bilko accounting platform, in accordance with our Data Processing Agreement (DPA) and GDPR Article 28(4).
New Sub-Processors
Effective {{DATE_PLUS_30_DAYS}}, Bilko will use the following sub-processors for the document archival feature:
| Sub-Processor | Purpose | Data Categories | Geographic Location | Safeguards |
| ----------------------------------------------------------------------------- | --------------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------------- | ------------------------------------------------------------------ |
| Cloudflare R2 (Cloudflare, Inc., USA) | Temporary staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west storage bucket) | Standard Contractual Clauses (SCCs) per Cloudflare's published DPA |
| ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway) | Long-term document archive at archive.alai.no | Same categories as above | EU/EEA (Microsoft Azure Sweden Central region) | ALAI DPA + Azure Standard Contractual Clauses |
What This Means for You
- If you have enabled the document archival feature in Bilko, documents you mark for archival (contracts, invoices, care plans, incident reports, onboarding documents) will be processed through these sub-processors.
- Data flow: Documents are temporarily staged in Cloudflare R2 (typically < 5 minutes), then transferred to ALAI's Paperless-ngx archive system hosted on Microsoft Azure (Sweden Central region).
- Retention: Financial documents are retained for 7 years; care-related documents for 25 years (per applicable accounting and care regulations).
- Security: All sub-processors are bound by Data Processing Agreements and Standard Contractual Clauses. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
Your Right to Object
Under GDPR Article 28(4), you have the right to object to the use of these sub-processors within 30 days of receiving this notice.
If you object:
- Send your objection in writing to dpa@alai.no by {{DATE_PLUS_30_DAYS}}.
- We will work with you to find an alternative solution or, if not possible, allow you to terminate your Bilko subscription without penalty.
30-Day Advance Notice
This notice is provided 30 days in advance of the effective date ({{DATE_PLUS_30_DAYS}}) in accordance with our DPA Section 3.4 and your Terms of Service Section 16.3.
Questions or Concerns
If you have any questions about these sub-processors or our data processing practices, please contact:
- Data Protection Officer: Alem Bašić — alem@alai.no — +47 40 47 42 51
- DPA Inquiries: dpa@alai.no
- General Support: support@bilko.io
Company Information
ALAI Holding AS
- Org.nr: 932 516 136
- Address: Tømmerrenna 1B, 2050 Jessheim, Norway
- Email: dpa@alai.no
- Website: https://bilko.io
Best regards,
The Bilko Team
ALAI Holding AS
Email Template — Norwegian (DRAFT — Translation Pending)
Subject: Bilko Sub-Processor Update — Effective {{DATE_PLUS_30_DAYS}}
Dear {{TENANT_NAME}},
We are writing to inform you of changes to our list of sub-processors for the Bilko accounting platform, in accordance with our Data Processing Agreement (DPA) and GDPR Article 28(4).
New Sub-Processors
Effective {{DATE_PLUS_30_DAYS}}, Bilko will use the following sub-processors for the document archive feature:
| Sub-Processor | Purpose | Data Categories | Geographic Location | Safeguards |
| --- | --- | --- | --- | --- |
| Cloudflare R2 (Cloudflare, Inc., USA) | Temporary staging for archive pipeline | Contracts (PDF), invoices, care plans, incident reports, onboarding documents | EU region (eu-west storage bucket) | Standard Contractual Clauses (SCC) per Cloudflare's published DPA |
| ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway) | Long-term archive at archive.alai.no | Same categories as above | EU/EEA (Microsoft Azure Sweden Central region) | ALAI DPA + Azure Standard Contractual Clauses |
What does this mean for you?
- If you have enabled the document archive feature in Bilko, documents you mark for archival (contracts, invoices, care plans, incident reports, onboarding documents) will be processed through these sub-processors.
- Data flow: Documents are stored temporarily in Cloudflare R2 (typically < 5 minutes), then transferred to ALAI's Paperless-ngx archive system hosted on Microsoft Azure (Sweden Central region).
- Retention: Financial documents are retained for 7 years; care documents for 25 years (per applicable accounting and care regulations).
- Security: All sub-processors are bound by data processing agreements and Standard Contractual Clauses. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
Your Right to Object
Under GDPR Article 28(4), you have the right to object to the use of these sub-processors within 30 days of receiving this notification.
If you object:
- Send your objection in writing to dpa@alai.no by {{DATE_PLUS_30_DAYS}}.
- We will work with you to find an alternative solution or, if that is not possible, allow you to terminate your Bilko subscription without penalty.
30-Day Advance Notice
This notice is given 30 days ahead of the effective date ({{DATE_PLUS_30_DAYS}}) in accordance with our DPA Section 3.4 and your Terms of Service Section 16.3.
Questions or Concerns
If you have questions about these sub-processors or our data processing practices, please contact:
- Data Protection Officer: Alem Bašić — alem@alai.no — +47 40 47 42 51
- DPA Inquiries: dpa@alai.no
- General Support: support@bilko.io
Company Information
ALAI Holding AS
- Org.nr: 932 516 136
- Address: Tømmerrenna 1B, 2050 Jessheim, Norway
- Email: dpa@alai.no
- Website: https://bilko.io
Kind regards,
The Bilko Team
ALAI Holding AS
Usage Instructions
Placeholders to Replace
| Placeholder | Description | Example |
| --- | --- | --- |
| {{TENANT_NAME}} | Organization name from Bilko database | "Acme Accounting d.o.o." |
| {{DATE_PLUS_30_DAYS}} | Effective date (30 days from send date) | "2026-06-07" |
When to Send
This template should be sent:
- 30 days before enabling the archive feature for existing tenants
- 30 days before adding any new sub-processor to the archive pipeline
- 30 days before replacing an existing sub-processor
Sending Method
- Email: Send to organization owner's registered email address
- In-app notification: Display banner in Bilko UI with link to full notice
- Audit log: Record sending timestamp and recipient in Bilko's audit trail
Follow-Up Actions
- Track objections: If tenant objects within 30 days, flag their account and escalate to ALAI DPO (alem@alai.no).
- Auto-consent: If no objection received by {{DATE_PLUS_30_DAYS}}, record implicit consent in tenant's DPA compliance record.
- Termination support: If tenant objects and no alternative is available, process subscription cancellation per ToS Section 12.2 with data export provided.
Legal Review Notes
⚠️ NORWEGIAN TRANSLATION: This template is provided in English only. A professional Norwegian translation must be prepared before sending to Norwegian-speaking tenants or tenants in Norway.
⚠️ SERBIAN/BOSNIAN/CROATIAN TRANSLATIONS: For Balkan tenants, consider whether local-language versions are required under ZZPL (Serbia), ZZLP BiH (Bosnia & Herzegovina), or GDPR (Croatia). Consult local legal counsel.
⚠️ EFFECTIVE DATE PLACEHOLDER: Ensure the automated email system calculates {{DATE_PLUS_30_DAYS}} dynamically from the send date to guarantee the 30-day notice period.
⚠️ DPA REFERENCE: Confirm that all Bilko tenant contracts include DPA Section 3.4 (sub-processor change notice clause) and ToS Section 16.3 (sub-processor disclosure) before sending this notice.