# Bilko — Legal Pack

Legal documents, GDPR compliance, and sub-processor disclosures for Bilko (Balkan Accounting SaaS). MC #100045 (2026-05-08).

# Bilko Terms of Service — Section 16 Sub-Processors (GDPR Art. 28(4))

<div id="bkmrk-%E2%9A%A0%EF%B8%8F-statusmc%3A-%23100045" style="background-color:#FFF3CD;border-left:4px solid #FFC107;padding:16px;margin-bottom:24px;">**⚠️ STATUS**  
**MC:** #100045 | **Date:** 2026-05-08  
**Draft Status:** Pending final legal review and translations (per Lexicon S1-S4)  
**Corrections Applied:** Org.nr 932 516 136 (corrected from hallucinated 933 534 262), Azure Sweden Central (corrected from Norway East)</div>

# Terms of Service

> **Project:** Bilko — Balkan Accounting SaaS

> **Company:** ALAI Holding AS (org.nr 932 516 136)

> **Version:** 1.0

> **Last Updated:** 2026-03-07

> **Author:** ALAI Documentation Team

> **Status:** DRAFT — Pending Legal Review

> **Reviewers:** Legal Counsel (RS, BA, HR), CEO

> **Classification:** Internal Draft (not for public use until legal sign-off)

---

## Table of Contents

- [Acceptance of Terms](#1-acceptance-of-terms)
- [Definitions](#2-definitions)
- [Description of Service](#3-description-of-service)
- [Account Terms](#4-account-terms)
- [Subscription and Billing](#5-subscription-and-billing)
- [Acceptable Use](#6-acceptable-use)
- [Data Handling and Privacy](#7-data-handling-and-privacy)
- [Intellectual Property](#8-intellectual-property)
- [Warranties and Disclaimers](#9-warranties-and-disclaimers)
- [Limitation of Liability](#10-limitation-of-liability)
- [Indemnification](#11-indemnification)
- [Term and Termination](#12-term-and-termination)
- [Service Availability and Changes](#13-service-availability-and-changes)
- [Governing Law and Dispute Resolution](#14-governing-law-and-dispute-resolution)
- [General Provisions](#15-general-provisions)
- [Sub-Processors (GDPR Art. 28(4))](#16-sub-processors-gdpr-art-284)
- [Contact](#17-contact)

---

## 1. Acceptance of Terms

By registering for, accessing, or using the Bilko platform (the "Service") available at **app.bilko.io**, you ("Customer" or "you") agree to be bound by these Terms of Service ("Terms"). If you are accepting these Terms on behalf of a legal entity (a company, partnership, or other organization), you represent that you have the authority to bind that entity to these Terms.

**If you do not agree to these Terms, you must not use the Service.**

These Terms form a binding legal agreement between you and **ALAI Holding AS** (org.nr 932 516 136), a company incorporated in Norway, trading as Bilko ("Bilko", "we", "our", or "us").

By clicking "Create Account", "Start Free Trial", or similar acceptance mechanism, or by using the Service after any update to these Terms, you confirm your acceptance.

> ⚠️ LEGAL REVIEW REQUIRED: Confirm whether Norwegian law governs this contract, or whether Serbian, BiH, or Croatian law should govern for users in those jurisdictions (see Section 14). Consider whether click-wrap acceptance is sufficient under each jurisdiction's contract law (Serbian Zakon o obligacionim odnosima, BiH equivalent, Croatian Zakon o obveznim odnosima).

---

## 2. Definitions

| Term | Meaning |
|------|---------|
| **Service** | The Bilko cloud accounting platform, including the web application at app.bilko.io, the API, and all features therein |
| **Account** | A registered Bilko account belonging to an Organization |
| **Organization** | A legal entity or individual registered on Bilko for accounting purposes |
| **Authorized User** | A person granted access to an Organization's Bilko account (owner, admin, accountant, or viewer) |
| **Customer Data** | All data submitted by Authorized Users into the Service, including invoices, expenses, contacts, financial records, and tax identification numbers |
| **Subscription Plan** | The paid tier under which the Service is provided, as described on bilko.io/pricing |
| **Billing Period** | The monthly or annual period for which a Subscription Plan is purchased |
| **Trial Period** | A limited-period free access to the Service, as offered by Bilko at its discretion |
| **Content** | All text, data, software, functionality, graphics, and other materials provided by Bilko as part of the Service |

---

## 3. Description of Service

Bilko is a cloud-based accounting and invoicing platform designed for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. The Service includes:

- **Double-entry bookkeeping** with Balkan-standard chart of accounts (Serbian, FBiH, RS entity, and Croatian formats)
- **Invoice creation and management** — PDF generation, email delivery, status tracking
- **E-invoice submission** — SEF integration for Serbia (B2B mandatory since 2023); HR-FISK integration for Croatia (Phase 2)
- **VAT/PDV calculation** — Serbia (20%/10%/0%), BiH (17%/0%), Croatia (25%/13%/5%/0%)
- **Expense tracking** — with receipt storage and approval workflow
- **Bank reconciliation** — CSV import of bank statements
- **Financial reporting** — P&L, Balance Sheet, Cash Flow, VAT reports
- **Multi-currency support** — EUR, RSD, BAM, and other currencies with exchange rate locking
- **Multi-user collaboration** — Role-based access control (owner, admin, accountant, viewer)
- **Data export** — JSON, CSV, and compliance formats for tax authority filing

The specific features available depend on the Subscription Plan. Bilko reserves the right to modify, add, or discontinue features with reasonable notice.

---

## 4. Account Terms

### 4.1 Registration

To use the Service, you must:

- Register and create an Organization account
- Provide accurate, complete, and current information
- Maintain and promptly update your account information when it changes

You are responsible for ensuring that all information you provide, including organizational details, tax identification numbers, and financial data, is accurate. Bilko is not responsible for regulatory penalties arising from inaccurate data entered by you.

### 4.2 Account Security

You are responsible for:

- Maintaining the confidentiality of your account credentials
- All activities that occur under your account
- Immediately notifying Bilko of any unauthorized use at security@bilko.io

Bilko enforces security measures including two-factor authentication (optional), JWT-based session management with 15-minute access token expiry, and automatic lockout after 5 failed login attempts per 15 minutes. You must not share your login credentials with unauthorized persons.

### 4.3 Account Roles

The Organization owner controls access. Users may be granted one of four roles:

- **Owner** — Full control, including billing and account deletion
- **Admin** — All features except billing and certain account settings
- **Accountant** — Can create and manage financial records; cannot delete
- **Viewer** — Read-only access

You are responsible for managing the roles of your Authorized Users appropriately.

### 4.4 One Organization Per Subscription

Each Subscription Plan covers one (1) Organization. Accountants managing multiple clients must purchase a separate subscription per client organization, or use a multi-organization plan if offered.

> ⚠️ LEGAL REVIEW REQUIRED: Determine whether multi-organization accountant accounts require specific terms under Serbian/BiH/Croatian professional accounting regulations.

---

## 5. Subscription and Billing

### 5.1 Subscription Plans

Bilko offers paid Subscription Plans as published at bilko.io/pricing. All plans are billed in **EUR**. By subscribing to a paid plan, you authorize Bilko to charge your payment method for the applicable fees.

> ⚠️ LEGAL REVIEW REQUIRED: Confirm pricing strategy and all plan tiers. Confirm whether local currency (RSD for Serbia, BAM for BiH) invoicing is required under local consumer/business protection law.

### 5.2 Free Trial

Bilko may offer a free trial period at its discretion. At the end of the trial, your account will require a paid subscription to continue. Bilko will notify you before the trial ends.

### 5.3 Billing Cycle

- Monthly plans: billed on the same calendar day each month
- Annual plans: billed once per year; a proportional refund may be offered for cancellations (see Section 5.6)
- Billing date may shift by up to 1 day due to calendar month-end variations

### 5.4 Payment Methods

Bilko accepts payment methods as listed at checkout. You must provide a valid payment method and maintain it current. Bilko uses a PCI-compliant payment processor — your card data is never stored on Bilko servers.

> ⚠️ LEGAL REVIEW REQUIRED: Confirm payment processor (Stripe, Paddle, or other), confirm PCI-DSS scope, and ensure payment terms comply with Serbian Law on Payment Services (Zakon o platnim uslugama), BiH payment law, and Croatian payment law.

### 5.5 Late Payment

If payment fails, Bilko will:

- Retry payment up to 3 times over 7 days
- Send email notifications at each failure
- Suspend the account after 14 days of non-payment (read-only access preserved)
- Terminate the account after 30 days of non-payment, with data export offered

### 5.6 Cancellation and Refunds

- **Monthly plans:** You may cancel at any time. Cancellation takes effect at the end of the current Billing Period. No refunds are issued for partial months.
- **Annual plans:** Cancellation within 14 days of purchase qualifies for a full refund. After 14 days, a pro-rated refund for remaining full months may be provided at Bilko's discretion.
- **Legal minimum:** To the extent mandatory consumer protection law in your jurisdiction requires different refund terms, those terms apply.

> ⚠️ LEGAL REVIEW REQUIRED: Confirm refund obligations under Serbian Zakon o zaštiti potrošača, BiH equivalent, and Croatian Zakon o zaštiti potrošača. Determine whether B2B SaaS customers are covered by consumer protection or only commercial contract law in each jurisdiction.

### 5.7 Price Changes

Bilko may change Subscription Plan pricing with 30 days' written notice. If you do not cancel before the new pricing takes effect, you accept the new pricing.

### 5.8 Taxes

All prices are exclusive of applicable value-added tax (VAT/PDV). Bilko will add applicable VAT/PDV to invoices where legally required. You are responsible for any additional taxes applicable in your jurisdiction.

---

## 6. Acceptable Use

### 6.1 Permitted Use

You may use the Service only for lawful business accounting purposes within your registered Organization, in accordance with applicable law in your jurisdiction.

### 6.2 Prohibited Activities

You must not:

- Use the Service to commit fraud, tax evasion, or money laundering
- Enter false, fabricated, or fraudulent financial records or invoice data
- Attempt to gain unauthorized access to other organizations' data
- Reverse-engineer, decompile, or disassemble any part of the Service
- Use the Service to process data belonging to a different legal entity without authorization
- Attempt to circumvent the multi-tenancy isolation measures
- Use automated scrapers, bots, or scripts against the Service without prior written consent from Bilko
- Resell or sublicense the Service without a separate reseller agreement

### 6.3 Compliance with Local Law

You are responsible for ensuring that your use of Bilko complies with all applicable local laws, including:

- Tax filing obligations (Serbian Poreska uprava, BiH UIO, Croatian Porezna uprava)
- E-invoicing mandates (SEF for Serbia, HR-FISK/FINA for Croatia)
- Accounting record requirements
- Data protection obligations for data you enter about your clients

Bilko provides the technical tools to help you meet these obligations, but **Bilko is not your tax advisor or accountant**. The accuracy of the data entered is your responsibility.

---

## 7. Data Handling and Privacy

### 7.1 Your Data

All Customer Data you enter into Bilko remains your property. Bilko processes Customer Data solely to provide and improve the Service.

### 7.2 Data Processing Agreement

By accepting these Terms, you also enter into a Data Processing Agreement (DPA) with Bilko, incorporated by reference, governing the processing of personal data within Customer Data. The DPA is available at bilko.io/dpa.

> ⚠️ LEGAL REVIEW REQUIRED: Draft and publish the Data Processing Agreement separately. The DPA must meet requirements of GDPR Art. 28 (for Croatian users), ZZPL Art. 45 (for Serbian users), and ZZLP BiH equivalents.

### 7.3 Privacy Policy

Bilko's Privacy Policy (available at bilko.io/privacy) is incorporated into these Terms by reference. It describes what personal data Bilko collects about you and your Authorized Users, and how it is processed.

### 7.4 Data Retention

Bilko retains financial data in accordance with mandatory accounting and tax retention periods:

- **Serbia:** 10 years (Zakon o računovodstvu)
- **Bosnia & Herzegovina:** 10–11 years (depending on entity)
- **Croatia:** 11 years (Zakon o računovodstvu)

This means that even after account cancellation, Bilko retains your financial records for the legally required period. User account data (name, email) will be anonymized upon account deletion; financial transaction records are retained in anonymized form.

### 7.5 Data Export

You may export all your Customer Data in JSON and CSV formats at any time through the Bilko interface. We will also provide your data upon account termination via a one-time export link, valid for 30 days.

---

## 8. Intellectual Property

### 8.1 Bilko's IP

The Service, including its software, design, features, documentation, branding ("Bilko", logo, color system), and all associated intellectual property, is owned by ALAI Holding AS (org.nr 932 516 136) or its licensors and is protected under applicable intellectual property laws. These Terms do not grant you any ownership rights in the Service.

You receive a limited, non-exclusive, non-transferable, revocable license to use the Service during your Subscription.

### 8.2 Your Data

You retain all ownership rights to Customer Data. You grant Bilko a limited license to store, process, and transmit Customer Data solely to provide the Service.

### 8.3 Feedback

If you provide feedback, suggestions, or ideas about the Service, you grant Bilko a perpetual, royalty-free license to use that feedback without compensation or attribution.

---

## 9. Warranties and Disclaimers

### 9.1 Bilko's Warranty

Bilko warrants that:

- The Service will materially conform to the documentation at bilko.io/docs during the Subscription
- Bilko will implement commercially reasonable security measures as described in its Security documentation

### 9.2 Disclaimers

**THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" TO THE MAXIMUM EXTENT PERMITTED BY LAW.** Bilko specifically disclaims:

- **No accounting or tax advice:** Bilko is software, not an accountant or tax advisor. Bilko provides tools to help you create compliant records, but you are responsible for the accuracy of your data and for complying with all tax obligations. Consult a qualified accountant or tax advisor.
- **No guarantee of regulatory compliance:** While Bilko is designed for compliance with Serbian, BiH, and Croatian accounting law, regulations change frequently. Bilko will make reasonable efforts to update the Service but cannot guarantee compliance at all times.
- **No uptime guarantee for e-government portals:** Bilko's SEF and HR-FISK integrations depend on Serbian and Croatian government portal availability. Bilko is not responsible for failures caused by those external systems.

> ⚠️ LEGAL REVIEW REQUIRED: Confirm that disclaimer clauses are enforceable under Serbian Zakon o obligacionim odnosima, BiH equivalent, and Croatian Zakon o obveznim odnosima. Some consumer-protective jurisdictions limit disclaimer enforceability.

---

## 10. Limitation of Liability

### 10.1 Exclusion of Consequential Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BILKO SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING:

- Lost profits or revenue
- Tax penalties or regulatory fines arising from inaccurate data you entered
- Lost business opportunities
- Data loss (beyond Bilko's obligations under these Terms)
- Costs of alternative accounting software

### 10.2 Cap on Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, BILKO'S TOTAL LIABILITY TO YOU FOR ANY CLAIMS ARISING UNDER THESE TERMS SHALL NOT EXCEED THE GREATER OF:

- The total fees paid by you to Bilko in the **12 months prior** to the event giving rise to the claim; OR
- €100

### 10.3 Exceptions

The limitations in this Section do not apply to:

- Bilko's liability for gross negligence or willful misconduct
- Bilko's liability for death or personal injury caused by Bilko's negligence
- Any liability that cannot be excluded under mandatory applicable law

> ⚠️ LEGAL REVIEW REQUIRED: Liability caps must be reviewed for enforceability under each jurisdiction's mandatory law. Croatian and Serbian consumer/commercial law may impose minimum liability floors.

---

## 11. Indemnification

You agree to indemnify, defend, and hold harmless Bilko and its officers, directors, employees, and agents from and against any claims, liabilities, damages, fines, penalties, and expenses (including reasonable legal fees) arising from:

- Your violation of these Terms
- Your violation of applicable law (including tax law, accounting law, or data protection law)
- Inaccurate Customer Data entered by you or your Authorized Users
- Your infringement of third-party rights
- Any regulatory penalty resulting from errors in data you provided

---

## 12. Term and Termination

### 12.1 Term

These Terms take effect when you accept them and continue for as long as you maintain a Bilko account.

### 12.2 Termination by You

You may terminate your account at any time by:

- Cancelling your subscription through account settings
- Exporting your data before the termination date
- Contacting support@bilko.io

### 12.3 Termination by Bilko

Bilko may suspend or terminate your account with:

- **Immediate effect** for: fraud, unauthorized access attempts, illegal use, or material breach
- **30 days' notice** for: non-payment (after cure period), violation of Acceptable Use policy
- **90 days' notice** for: discontinuation of the Service

### 12.4 Effect of Termination

Upon termination:

- Your access to the Service ends immediately (or at the notice period expiry)
- A data export link is provided, valid for 30 days
- Bilko retains financial data for mandatory retention periods per Section 7.4
- All rights and licenses granted to you terminate

---

## 13. Service Availability and Changes

### 13.1 Availability Target

Bilko targets **99.9% monthly uptime** for the production environment (app.bilko.io). Planned maintenance windows will be announced with at least 48 hours' notice via email and status page.

### 13.2 Changes to the Service

Bilko may modify, add, or remove features at any time. For material changes that negatively affect your use of the Service, Bilko will provide at least 30 days' advance notice.

### 13.3 Changes to These Terms

Bilko may update these Terms. Material changes will be notified by email with at least 30 days' notice. Your continued use of the Service after the effective date constitutes acceptance. If you do not accept the new Terms, you may terminate your account before the effective date.

---

## 14. Governing Law and Dispute Resolution

### 14.1 Governing Law

> ⚠️ LEGAL REVIEW REQUIRED: This is a critical section requiring legal input. The following options must be evaluated:

**Option A (Norwegian Law — for ALAI operating entity):** These Terms are governed by the laws of Norway. Disputes are resolved in Norwegian courts. This may be unenforceable for consumers under EU law (Croatia) or Serbian/BiH mandatory jurisdiction rules.

**Option B (Jurisdiction-specific):** For Serbian users — Serbian law applies; for Croatian users — Croatian law applies (EU mandatory); for BiH users — BiH law applies.

**Recommended approach (pending legal review):** For business (B2B) customers, Norwegian law may be specified. For any consumer accounts, local mandatory law applies in each jurisdiction.

### 14.2 Dispute Resolution

Before initiating formal proceedings, the parties agree to attempt good-faith resolution through:

- Written notice to the other party describing the dispute
- 30-day negotiation period
- Formal proceedings if unresolved

### 14.3 Language

These Terms are provided in English. Translations into Serbian, Bosnian, and Croatian will be provided for informational purposes. In the event of conflict between language versions, the English version governs.

> ⚠️ LEGAL REVIEW REQUIRED: Confirm whether Croatian consumer protection law requires Croatian-language Terms to be legally binding in Croatia. Serbian and BiH law may have similar requirements for consumer-facing contracts.

---

## 15. General Provisions

### 15.1 Entire Agreement

These Terms, together with the Privacy Policy and Data Processing Agreement, constitute the entire agreement between you and Bilko regarding the Service and supersede all prior agreements.

### 15.2 Severability

If any provision of these Terms is found unenforceable, the remaining provisions remain in full force.

### 15.3 Waiver

Bilko's failure to enforce any provision of these Terms does not constitute a waiver of that provision.

### 15.4 Assignment

You may not assign your rights or obligations under these Terms without Bilko's prior written consent. Bilko may assign these Terms in connection with a merger, acquisition, or sale of assets, with 30 days' notice to you.

### 15.5 Force Majeure

Neither party shall be liable for delays or failures in performance caused by events beyond their reasonable control, including government actions, natural disasters, or internet infrastructure failures.

### 15.6 Electronic Communications

By using the Service, you consent to receive communications from Bilko electronically. You agree that electronic communications satisfy any legal requirement that communications be in writing.

---

## 16. Sub-Processors (GDPR Art. 28(4))

Bilko uses the following sub-processors to provide the Service:

### 16.1 Document Archive Pipeline

When you enable the document archival feature, Bilko processes certain document types through the following sub-processors:

| Sub-Processor | Legal Entity | Purpose | Data Categories | Geographic Location | Safeguards |
|---------------|--------------|---------|-----------------|---------------------|------------|
| **Cloudflare R2** | Cloudflare, Inc., USA | Temporary document staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west storage bucket) | Standard Contractual Clauses (SCCs) per Cloudflare's published DPA |
| **ALAI Azure VM (Paperless-ngx)** | ALAI Holding AS (org.nr 932 516 136), Norway | Long-term document archive at archive.alai.no | Same document categories as above | EU/EEA (Microsoft Azure Sweden Central region) | ALAI Data Processing Agreement + Azure Standard Contractual Clauses |

### 16.2 Document Flow and Retention

**Document types processed:**

- Contracts and agreements
- Invoices (issued and received)
- Care plans (for care organizations)
- Incident reports
- Onboarding documents

**Processing flow:**

- Documents are written to Cloudflare R2 staging bucket (temporary storage, typically < 5 minutes)
- Cloud Run worker uploads documents to Paperless-ngx archive every 5 minutes
- Documents are retained in archive per retention schedule (see Section 7.4)

**Retention by document class (interim defaults, subject to legal review):**

- Financial documents (invoices, contracts): 7 years (Serbian, BiH, Croatian accounting law)
- Care-related documents (care plans, incident reports): 25 years (UK NHS standard, pending Balkan legal review)

### 16.3 Sub-Processor Change Notification

Bilko will provide **30 days' advance written notice** via email before adding or replacing any sub-processor. You have the right to object to a new sub-processor within the notice period. If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.

Bilko maintains an up-to-date list of sub-processors at **bilko.io/sub-processors** (to be published).

### 16.4 GDPR Compliance Reference

This sub-processor disclosure complies with GDPR Article 28(4), which requires the data controller (you) to authorize the data processor (Bilko) to engage sub-processors. By accepting these Terms, you provide such authorization for the sub-processors listed above.

---

## 17. Contact

**Bilko / ALAI Holding AS** (org.nr 932 516 136)

| Channel | Contact |
|---------|---------|
| General support | support@bilko.io |
| Legal / compliance | legal@bilko.io |
| Privacy / data protection | privacy@bilko.io |
| Data Processing Agreement | dpa@alai.no |
| Security vulnerabilities | security@bilko.io |
| Postal address | Pending — registered address to be confirmed upon company formation (see legal review note above) |

> ⚠️ LEGAL REVIEW REQUIRED: Confirm company address for legal notices. Determine whether Serbian, BiH, or Croatian regulations require a local postal address or registered agent for consumer-facing contracts.

---

## Approval

| Role | Name | Signature | Date |
|------|------|-----------|------|
| Author | ALAI Documentation Team | | 2026-02-25 |
| RS Legal Counsel | | | |
| BA Legal Counsel | | | |
| HR Legal Counsel | | | |
| CEO Approval | Alem Bašić | | |

---

## Related Documents

- [Bilko Privacy Notice — Section 8.1 Sub-Processors](https://docs.alai.no/books/bilko-legal-pack/page/bilko-privacy-notice-section-81-document-archive-sub-processors)
- [DPA Template — Annex B Sub-Processors](https://docs.alai.no/books/bilko-legal-pack/page/dpa-template-annex-b-sub-processors-for-bilko-archive-feature)
- [Sub-Processor Notification Email Template](https://docs.alai.no/books/bilko-legal-pack/page/sub-processor-notification-email-template-bilko)

# Bilko Privacy Notice — Section 8.1 Document Archive Sub-Processors

<div id="bkmrk-%E2%9A%A0%EF%B8%8F-statusmc%3A-%23100045" style="background-color:#FFF3CD;border-left:4px solid #FFC107;padding:16px;margin-bottom:24px;">**⚠️ STATUS**  
**MC:** #100045 | **Date:** 2026-05-08  
**Draft Status:** Pending final legal review and translations (per Lexicon S1-S4)  
**Corrections Applied:** Org.nr 932 516 136 (corrected from hallucinated 933 534 262 + wrong DPO org.nr 932 953 736), Azure Sweden Central (corrected from Norway East)</div>

# Privacy Policy

> **Project:** Bilko — Balkan Accounting SaaS

> **Version:** 1.1

> **Last Updated:** 2026-03-02

> **Author:** ALAI Documentation Team

> **Status:** Final (Pending Legal Review)

> **Reviewers:** DPO, Legal Counsel (RS, BA, HR), CEO

> **Classification:** Public (upon legal sign-off)

---

## Table of Contents

- [Introduction and Data Controller](#1-introduction-and-data-controller)
- [Scope and Applicability](#2-scope-and-applicability)
- [Legal Framework](#3-legal-framework)
- [Data We Collect](#4-data-we-collect)
- [Legal Basis for Processing](#5-legal-basis-for-processing)
- [How We Use Your Data](#6-how-we-use-your-data)
- [Data Retention Periods](#7-data-retention-periods)
- [Data Sharing and Third-Party Processors](#8-data-sharing-and-third-party-processors)
- [Cross-Border Data Transfers](#9-cross-border-data-transfers)
- [Your Rights as a Data Subject](#10-your-rights-as-a-data-subject)
- [Security Measures](#11-security-measures)
- [Cookies and Tracking](#12-cookies-and-tracking)
- [Children's Privacy](#13-childrens-privacy)
- [Changes to This Policy](#14-changes-to-this-policy)
- [Contact and Data Protection Officer](#15-contact-and-data-protection-officer)
- [Jurisdiction-Specific Notices](#16-jurisdiction-specific-notices)

---

## 1. Introduction and Data Controller

Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by **Basic Consulting AS** (trading as ALAI), a company registered in Norway.

**Data Controller:**

| Field | Details |
|-------|---------|
| Entity name | Basic Consulting AS (ALAI) |
| Registration | Pending — Norwegian company register number (to be confirmed upon legal entity formation) |
| Address | Pending — registered address to be confirmed upon legal entity formation |
| Email | privacy@bilko.io |
| Website | https://bilko.io |

> ⚠️ LEGAL REVIEW REQUIRED: Confirm whether Bilko must establish local legal entities in Serbia (Bilko d.o.o. RS), Bosnia & Herzegovina (Bilko d.o.o. Sarajevo), and Croatia (Bilko d.o.o. Zagreb) as co-controllers or separate controllers for purposes of local data protection law compliance. ZZPL Serbia and ZZLP BiH may require a locally registered representative.

**Data Protection Officer (DPO):**

| Field | Details |
|-------|---------|
| DPO name | Alem Bašić |
| DPO contact | alem@alai.no |
| Phone | +47 40 47 42 51 |
| Company | ALAI Holding AS (org.nr 932 516 136) |
| Role | Responsible for data protection compliance across all three jurisdictions |
| Appointed | 2026-03-02 |

---

## 2. Scope and Applicability

This Privacy Policy applies to:

- All users of the Bilko platform accessible at **app.bilko.io**
- All organizations registered on Bilko, including their authorized users (owners, admins, accountants, viewers)
- All data processed by Bilko in connection with providing cloud accounting services in Serbia, Bosnia & Herzegovina, and Croatia

This policy applies to **data subjects** in three categories:

- **Business owners and employees** who register and use Bilko directly
- **Clients and contacts** whose data is entered into Bilko by our users (e.g., customers listed on invoices)
- **Website visitors** to bilko.io

---

## 3. Legal Framework

Bilko processes personal data in compliance with the following data protection laws:

| Jurisdiction | Applicable Law | Supervisory Authority |
|--------------|----------------|-----------------------|
| **Serbia** | Zakon o zaštiti podataka o ličnosti (ZZPL), Sl. glasnik RS 87/2018 — aligned with GDPR | Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti |
| **Bosnia & Herzegovina** | Zakon o zaštiti ličnih podataka (ZZLP BiH), Sl. glasnik BiH 49/2006 | Agencija za zaštitu ličnih podataka (AZLP) |
| **Croatia** | GDPR — Uredba (EU) 2016/679 (directly applicable as EU member state) | Agencija za zaštitu osobnih podataka (AZOP) |

Where GDPR principles are referenced in this policy, they apply directly to Croatian users and serve as the compliance standard for Serbian users (ZZPL is GDPR-aligned). For Bosnian users, equivalent provisions of ZZLP BiH apply.

---

## 4. Data We Collect

### 4.1 Account and Registration Data

When you register an organization on Bilko, we collect:

| Data Element | Purpose | Classification |
|--------------|---------|----------------|
| Email address | Account authentication, notifications | L2 Internal |
| Full name | User identification within organization | L2 Internal |
| Password (bcrypt-hashed) | Authentication — never stored in plaintext | L2 Internal |
| Organization name | Multi-tenant account setup | L2 Internal |
| Country of operation | Jurisdiction-specific compliance rules (VAT rates, CoA) | L2 Internal |
| Base currency | Financial calculations | L2 Internal |

### 4.2 Financial and Tax Data

When you use Bilko to create invoices, track expenses, and manage accounting:

| Data Element | Jurisdiction | Classification | Encryption |
|---|---|---|---|
| PIB (Poreski identifikacioni broj — Serbia) | RS | L4-B Restricted | Disk-level AES-256 |
| JMBG (Jedinstveni matični broj građana — Serbia/BiH) | RS, BA | L4-A Restricted | AES-256-GCM field-level |
| OIB (Osobni identifikacijski broj — Croatia) | HR | L4-A Restricted | AES-256-GCM field-level |
| JIB (Jedinstveni identifikacioni broj — BiH) | BA | L4-B Restricted | Disk-level AES-256 |
| IBAN / Bank account numbers | All | L4-B Restricted | Disk-level AES-256 + API masking |
| Invoice amounts (subtotal, VAT, total) | All | L3 Confidential | AES-256 at rest |
| Transaction records (debit/credit entries) | All | L3 Confidential | AES-256 at rest |
| Expense records | All | L3 Confidential | AES-256 at rest |
| Contact details (clients/vendors: name, email, phone, address) | All | L2 Internal | TLS 1.3 in transit |

> **Note on JMBG processing:** The JMBG is a sensitive personal identifier unique to each Serbian and Bosnian citizen. Bilko only collects JMBG when a user explicitly confirms that an invoice is being issued to a natural person (not a legal entity). This is a voluntary user action gated by a UI confirmation checkbox.

### 4.3 Technical and Operational Data

| Data Element | Retention | Purpose |
|---|---|---|
| IP address | 30 days | Security monitoring, fraud detection |
| Browser user-agent | 30 days | Security monitoring |
| Session tokens (JWT, refresh tokens) | 15 minutes (access) / 7 days (refresh) | Authentication |
| Audit log entries (LoggedAction table) | 10–11 years | Legal compliance, accounting law |
| API request logs | 30 days | Security and debugging |

### 4.4 Data Entered by Users About Third Parties

Bilko is an accounting tool. Our users enter data about their clients and vendors (third parties). This includes names, contact details, and tax identification numbers of those third parties. **Bilko acts as a data processor** for this third-party data — the organization using Bilko is the data controller for their clients' data and is responsible for ensuring they have an appropriate legal basis for entering that data into Bilko.

---

## 5. Legal Basis for Processing

| Data Category | Legal Basis | GDPR Article | ZZPL Article | ZZLP BiH |
|---|---|---|---|---|
| Account email, full name | Performance of contract | Art. 6(1)(b) | Art. 12(1)(b) | Art. 7(1)(b) |
| Organization details | Performance of contract | Art. 6(1)(b) | Art. 12(1)(b) | Art. 7(1)(b) |
| Tax IDs (PIB, JIB) | Legal obligation — accounting and tax law | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
| JMBG, OIB | Legal obligation — accounting and tax law (only when legally required) | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
| IBAN | Performance of contract (for payment processing) | Art. 6(1)(b) | Art. 12(1)(b) | Art. 7(1)(b) |
| Invoice and transaction data | Legal obligation — accounting/tax retention requirements | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
| IP address, session logs | Legitimate interest — platform security | Art. 6(1)(f) | Art. 12(1)(f) | Art. 7(1)(f) |
| Audit trail (LoggedAction) | Legal obligation — accounting law requires immutable audit records | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |

> ⚠️ LEGAL REVIEW REQUIRED: Confirm the specific Serbian, Bosnian, and Croatian accounting and tax laws that constitute the "legal obligation" basis for each data category listed above. Reference: Zakon o računovodstvu RS (Sl. glasnik RS 73/2019), Zakon o PDV RS, Zakon o računovodstvu i reviziji FBiH, Zakon o porezu na dohodak FBiH, Zakon o računovodstvu HR (NN 78/15 et seq.).

---

## 6. How We Use Your Data

We use the data we collect exclusively to:

- **Provide the Bilko service** — create and manage invoices, expenses, transactions, financial reports
- **Ensure legal compliance** — submit e-invoices to SEF (Serbia) and HR-FISK (Croatia), maintain accounting records per mandatory retention periods
- **Secure the platform** — authenticate users, prevent unauthorized access, detect and investigate fraud and security incidents
- **Communicate with you** — send invoice notifications, payment reminders, service announcements, and support responses
- **Improve the service** — analyze usage patterns (in aggregated, anonymized form) to improve features

We do **not**:

- Sell your data to third parties
- Use your financial data for advertising or profiling
- Process your data for any purpose beyond providing the accounting service and meeting legal obligations

---

## 7. Data Retention Periods

Data retention is governed by accounting and tax laws in each jurisdiction. We are legally required to retain certain financial records even if you delete your account.

| Data Category | Serbia (RS) | Bosnia & Herzegovina (BA) | Croatia (HR) | Basis |
|---|---|---|---|---|
| Financial statements and accounting records | 10 years | FBiH: 10 years; RS entity: 11 years | 11 years | Zakon o računovodstvu (RS/BA/HR) |
| Invoice records | 10 years | 10–11 years | 11 years | Accounting and VAT law |
| Expense records | 10 years | 10–11 years | 11 years | Accounting law |
| Audit trail (LoggedAction) | 10 years | 10–11 years | 11 years | Accounting law |
| VAT/PDV records | 10 years | 10–11 years | 11 years | Tax law |
| User account data (name, email) | Account lifetime + 30 days after closure | Account lifetime + 30 days | Account lifetime + 30 days | Contract performance |
| IP addresses and session logs | 30 days | 30 days | 30 days | Legitimate interest |
| JWT refresh tokens | 7 days | 7 days | 7 days | Contract performance |

**Important — Right to Erasure Limitation:** Under accounting and tax law in all three jurisdictions, financial records (invoices, transactions, expense records) cannot be deleted during the mandatory retention period. If you close your Bilko account, your personal identifiers (name, email) can be anonymized in your user account record, but the underlying financial transaction data must be retained for the legally required period. See Section 10 for full details on data subject rights.
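The retention table and the erasure limitation above (and Section 10.2) describe a concrete data-handling rule: on account closure the user's own identifiers are anonymized at once, while financial records stay until the statutory period has run. The following is an added illustration of that rule in Python; it is not Bilko's code. The retention years per jurisdiction and the BiH entity split are taken from the table; the record shapes, the fiscal-year-end reference date, the field names and all function names are assumptions.

```python
"""Retention-aware account closure (added illustration, not Bilko's code).

Models the rule in Sections 7 and 10.2: closing an account anonymizes the
user's own identifiers immediately, while financial records are kept, in
minimal form, until the statutory retention period has run.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Statutory retention in years (Section 7 table). For Bosnia & Herzegovina the
# entity jurisdiction chosen at registration decides: FBiH 10, RS entity 11.
RETENTION_YEARS = {
    ("RS", None): 10,
    ("HR", None): 11,
    ("BA", "FBiH"): 10,
    ("BA", "RS"): 11,
}

# Categories that Section 10.2 says cannot be erased during retention (assumed names).
FINANCIAL_CATEGORIES = {"invoice", "expense", "journal_entry", "audit_log"}

# Fields that identify the *user* who created a record (assumed names); these
# are what anonymization strips. Counterparty details on an invoice belong to
# the customer as controller (Section 4.4) and are left untouched here.
USER_PII_FIELDS = {"created_by_name", "created_by_email"}


@dataclass(frozen=True)
class Record:
    category: str
    fiscal_year_end: date  # assumption: retention is counted from fiscal year end
    payload: dict


@dataclass(frozen=True)
class UserAccount:
    user_id: int
    name: str
    email: str
    password_hash: str
    anonymized: bool = False


def retention_end(jurisdiction: str, fiscal_year_end: date,
                  entity: Optional[str] = None) -> date:
    """Last day on which a financial record must still be retained."""
    key = (jurisdiction, entity if jurisdiction == "BA" else None)
    years = RETENTION_YEARS[key]  # unknown jurisdiction raises KeyError on purpose
    target_year = fiscal_year_end.year + years
    try:
        return fiscal_year_end.replace(year=target_year)
    except ValueError:  # 29 February in a non-leap target year
        return date(target_year, 2, 28)


def minimize(rec: Record) -> Record:
    """Keep the financial content, drop the closing user's identifiers."""
    payload = {k: v for k, v in rec.payload.items() if k not in USER_PII_FIELDS}
    return Record(rec.category, rec.fiscal_year_end, payload)


def close_account(account: UserAccount, records: list, jurisdiction: str,
                  today: date, entity: Optional[str] = None):
    """Return (anonymized_account, records_to_keep, records_to_delete)."""
    anonymized = UserAccount(
        user_id=account.user_id,
        name=f"deleted-user-{account.user_id}",
        email=f"deleted-{account.user_id}@invalid",
        password_hash="",  # the credential is destroyed, not merely hidden
        anonymized=True,
    )
    keep, delete = [], []
    for rec in records:
        under_retention = (
            rec.category in FINANCIAL_CATEGORIES
            and today <= retention_end(jurisdiction, rec.fiscal_year_end, entity)
        )
        if under_retention:
            keep.append(minimize(rec))
        else:
            delete.append(rec)
    return anonymized, keep, delete


def run_example():
    """Constructed sample data for a Serbian tenant closing on 2026-06-01."""
    account = UserAccount(7, "Sample User", "user@example.invalid", "$2b$12$placeholder")
    records = [
        Record("invoice", date(2020, 12, 31), {"total": 100, "created_by_email": "user@example.invalid"}),
        Record("expense", date(2014, 12, 31), {"total": 5}),      # retention ran out in 2024
        Record("session_log", date(2026, 1, 31), {"ip": "203.0.113.5"}),  # not financial
    ]
    return close_account(account, records, "RS", date(2026, 6, 1))
```

The keep/delete split is deliberately computed per record rather than per account, because a single tenant holds records whose retention clocks started in different fiscal years; the oldest ones may already be deletable on the day the account closes.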

---

## 8. Data Sharing and Third-Party Processors

Bilko shares your data only with the following categories of third parties, all of whom are bound by Data Processing Agreements (DPAs):

| Processor | Role | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Railway | Cloud infrastructure (PostgreSQL database, API hosting) | All Bilko data | EU West (Amsterdam / Frankfurt) | DPA — see Section 9 |
| Cloudflare | CDN, WAF, DDoS protection | IP addresses, HTTP headers | USA (but data transits EU PoPs) | DPA + Standard Contractual Clauses |
| Sentry | Error tracking and monitoring | Error traces, stack traces (may contain PII in error messages) | USA | DPA + Standard Contractual Clauses |
| Email service provider | Transactional email (invoice delivery, notifications) | Email addresses, invoice PDFs | TBD | DPA |

> ⚠️ LEGAL REVIEW REQUIRED: Select and confirm the transactional email service provider. Confirm a DPA is in place with all processors above before launch. Cloudflare and Sentry are US-based — confirm SCC adequacy is sufficient for ZZPL and ZZLP BiH purposes, not just GDPR.

### 8.1 Document Archive Sub-Processors

When you enable the **document archival feature** in Bilko, the following additional sub-processors are used:

| Sub-Processor | Purpose | Data Categories | Location | Safeguards |
|---|---|---|---|---|
| **Cloudflare R2** (Cloudflare, Inc., USA) | Temporary staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west bucket) | Standard Contractual Clauses (SCCs) |
| **ALAI Azure VM Paperless-ngx** (ALAI Holding AS, org.nr 932 516 136, Norway) | Long-term document archive at archive.alai.no | Same categories as above | EU/EEA (Microsoft Azure Sweden Central) | ALAI DPA + Azure SCCs |

**How document archival works:**

- **Upload:** When you mark a document for archival in Bilko (contracts, invoices, care plans, incident reports, onboarding documents), Bilko's backend writes the document to a Cloudflare R2 staging bucket in the EU region.

- **Transfer:** Every 5 minutes, a Cloud Run worker retrieves documents from R2 and uploads them to Paperless-ngx, a document management system hosted on ALAI's Azure VM (archive.alai.no) located in the Azure Sweden Central region (EU/EEA).

- **Retention:** Documents are retained in the archive according to the following schedule:

  - **Financial documents** (invoices, contracts): **7 years** (Serbian Zakon o računovodstvu, BiH accounting law, Croatian Zakon o računovodstvu)
  - **Care-related documents** (care plans, incident reports): **25 years** (UK NHS retention standard; pending Balkan legal review for care organizations)

- **Deletion:** Documents are automatically deleted from Cloudflare R2 after successful upload to Paperless-ngx (typically within 5 minutes). Documents remain in Paperless-ngx for the retention period specified above.

**Your rights regarding sub-processors (GDPR Art. 28(4)):**

- You will receive **30 days' advance notice** by email before Bilko adds or replaces any sub-processor.
- You have the right to **object** to a new sub-processor within the notice period.
- If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.
- Contact **dpa@alai.no** to exercise this right.
- This disclosure complies with GDPR Article 28(4), Serbian ZZPL Art. 31(4), and BiH ZZLP equivalent provisions.

**Government Authorities:** When legally required, Bilko transmits e-invoice data to:

- **SEF portal** (efaktura.mfin.gov.rs) — Serbian Ministry of Finance — for RS users' B2B e-invoices
- **HR-FISK/FINA** — Croatian government e-invoicing authority — for HR users' B2B e-invoices (Phase 2)
- Tax and regulatory authorities in response to lawful requests

---

## 9. Cross-Border Data Transfers

Bilko hosts all data on Railway's EU West infrastructure (Amsterdam/Frankfurt). Data transfer mechanisms per jurisdiction:

| From | To | Mechanism |
|---|---|---|
| Croatia (HR) | Railway EU West | No transfer mechanism needed — EU to EU transfer |
| Serbia (RS) | Railway EU West | Serbia is on the European Commission's adequacy list (Decision 2023/1485) — no additional mechanism required |
| Bosnia & Herzegovina (BA) | Railway EU West | Standard Contractual Clauses (SCC 2021/914/EU) — BiH has no EU adequacy decision |

For Cloudflare and Sentry (US-based processors), Standard Contractual Clauses (SCC) apply, combined with a Transfer Impact Assessment.

> ⚠️ LEGAL REVIEW REQUIRED: Confirm that Serbia's adequacy decision (2023/1485) is still current and applies to the data categories Bilko processes. Prepare and sign SCCs with Railway for BiH user data before accepting Bosnian users. Conduct Transfer Impact Assessment for Cloudflare and Sentry.

---

## 10. Your Rights as a Data Subject

Depending on your jurisdiction, you have the following rights regarding your personal data:

### 10.1 Rights Table

| Right | GDPR (Croatia) | ZZPL (Serbia) | ZZLP BiH | How to Exercise |
|---|---|---|---|---|
| **Right of access** — obtain a copy of your data | Art. 15 | Art. 26 | Art. 16 | Export via `/api/gdpr/export` (planned) or email privacy@bilko.io |
| **Right to rectification** — correct inaccurate data | Art. 16 | Art. 27 | Art. 17 | Edit directly in Bilko settings, or email privacy@bilko.io |
| **Right to erasure** — "right to be forgotten" | Art. 17 | Art. 28 | Art. 18 | Email privacy@bilko.io — **subject to retention limitations below** |
| **Right to data portability** — export in machine-readable format | Art. 20 | Art. 30 | N/A (not in ZZLP BiH) | JSON/CSV export via Bilko (planned) |
| **Right to restriction** — limit processing | Art. 18 | Art. 29 | Art. 20 | Email privacy@bilko.io |
| **Right to object** — object to processing based on legitimate interest | Art. 21 | Art. 31 | Art. 21 | Email privacy@bilko.io |
| **Right not to be subject to automated decisions** | Art. 22 | Art. 38 | Art. 24 | Bilko does not make automated decisions with legal effect |

### 10.2 Erasure Limitation (Financial Data)

The right to erasure does not apply to financial records that we are legally required to retain:

- In **Serbia**: Accounting records must be kept for **10 years** (Zakon o računovodstvu Art. 26)
- In **Bosnia & Herzegovina**: Records must be kept for **10–11 years** depending on entity
- In **Croatia**: Records must be kept for **11 years** (Zakon o računovodstvu Art. 10)

If you request erasure: your personal account information (name, email, password) can be deleted or anonymized, but underlying financial transaction records (invoices, expenses, journal entries) will be retained for the legally required period in anonymized or minimal form.

### 10.3 Response Times

We will respond to data subject rights requests within:

- **30 days** (standard) — may be extended by 2 additional months for complex requests with notification

### 10.4 Right to Complain

You have the right to lodge a complaint with your supervisory authority:

| Jurisdiction | Authority | Website |
|---|---|---|
| Serbia | Poverenik za informacije | poverenik.rs |
| Bosnia & Herzegovina | AZLP | azlp.gov.ba |
| Croatia | AZOP | azop.hr |

---

## 11. Security Measures

Bilko implements the following technical and organizational security measures to protect your data:

| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.3 (minimum TLS 1.2) for all connections via Cloudflare |
| Encryption at rest | AES-256 disk-level encryption on all Railway infrastructure |
| Field-level encryption | AES-256-GCM for JMBG (Serbia/BiH) and OIB (Croatia) — most sensitive personal identifiers |
| IBAN masking | Only last 4 digits shown in list views; full IBAN accessible only to authorized users |
| Password security | bcrypt with cost factor 12; breached password check via HaveIBeenPwned API |
| Authentication tokens | JWT RS256, 15-minute access token lifetime, 7-day refresh with rotation |
| Multi-tenancy isolation | Every database query is scoped to your organization — cross-tenant access is technically impossible by design |
| Role-based access control | 4 roles (owner, admin, accountant, viewer) — users see only what their role permits |
| Rate limiting | 5 failed authentication attempts per 15 minutes triggers lockout |
| Immutable audit log | All data modifications are recorded in an append-only audit trail |
| Breach notification | 72-hour notification to supervisory authorities in the event of a personal data breach |
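The rate-limiting row in the Section 11 table states a threshold (5 failed authentication attempts) and a window (15 minutes) but not how the window is kept. The following is an added Python illustration of a sliding-window lockout that enforces exactly that rule; it is not Bilko's code. The threshold and window come from the table; the in-memory store, the injectable clock, the lockout duration (assumed equal to one window) and the key scheme are assumptions.

```python
"""Sliding-window lockout for failed logins (added illustration, not Bilko's code).

Implements the rate-limiting row of the Section 11 table: 5 failed
authentication attempts within 15 minutes trigger a lockout.
"""
from collections import defaultdict, deque
import time

MAX_FAILURES = 5            # from the Section 11 table
WINDOW_SECONDS = 15 * 60    # from the Section 11 table
LOCKOUT_SECONDS = 15 * 60   # assumption: lock for one window length


class LoginRateLimiter:
    """Tracks failed attempts per key; the caller chooses the key.

    Keying on (account id, client IP) rather than the account alone keeps a
    single remote party from locking a legitimate user out of their account.
    A production deployment would back this with a shared store (e.g. the
    database or a cache) instead of process memory; that is out of scope here.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps inside the window
        self._locked_until = {}              # key -> monotonic time the lock ends

    def _now(self, now):
        return self._clock() if now is None else now

    def _prune(self, key, now):
        """Drop failure timestamps that have aged out of the window."""
        window = self._failures[key]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def is_locked(self, key, now=None) -> bool:
        now = self._now(now)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:  # lockout expired: start with a clean history
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now=None) -> bool:
        """Record one failed attempt; return True if the key is now locked."""
        now = self._now(now)
        if self.is_locked(key, now):
            return True
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, key) -> None:
        """A successful login clears the failure history for the key."""
        self._failures.pop(key, None)

    def attempts_remaining(self, key, now=None) -> int:
        now = self._now(now)
        if self.is_locked(key, now):
            return 0
        self._prune(key, now)
        return MAX_FAILURES - len(self._failures[key])
```

Each failed attempt and each lockout decision should also be written to the append-only audit trail described in the same table, so that a burst of failures against one account is visible to security monitoring rather than only to the limiter.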

## 12. Cookies and Tracking

Bilko uses minimal cookies necessary to provide the service:

| Cookie | Purpose | Duration |
|---|---|---|
| `bilko_session` | Stores encrypted session reference for authentication | Session |
| `bilko_refresh` | HTTP-only refresh token for session renewal | 7 days |

> ⚠️ LEGAL REVIEW REQUIRED: Confirm cookie consent requirements under Croatian GDPR (the ePrivacy Directive applies in Croatia as an EU member state). Serbia and BiH may have different requirements. Determine whether a cookie consent banner is required.

We do not use third-party advertising cookies or tracking pixels.

---

## 13. Children's Privacy

Bilko is a business accounting platform intended for use by business owners and accounting professionals. We do not knowingly collect data from children under 16 years of age. If you believe a child has registered on Bilko, please contact privacy@bilko.io.

---

## 14. Changes to This Policy

We may update this Privacy Policy to reflect changes to our data practices or legal requirements. We will notify you of material changes by:

- Email to your registered account email address (at least 30 days before the change takes effect)
- Prominent notice on the Bilko platform

The date of the most recent revision is shown at the top of this document.

---

## 15. Contact and Data Protection Officer

For any privacy-related questions, requests, or complaints:

**Privacy inquiries:** privacy@bilko.io

**Data Protection Officer:** Alem Bašić — alem@alai.no — +47 40 47 42 51

**DPO company:** ALAI Holding AS (org.nr 932 516 136)

**Postal address:** Pending — to be confirmed upon company formation (see legal review note in Section 1)

> ⚠️ LEGAL REVIEW REQUIRED: Confirm postal address for privacy contact in each jurisdiction. Consider whether a local representative must be designated in Serbia and BiH under their data protection laws.

---

## 16. Jurisdiction-Specific Notices

### 16.1 Serbia — Notice under ZZPL

This section applies specifically to users in the Republic of Serbia.

Bilko processes personal data in accordance with the **Zakon o zaštiti podataka o ličnosti** (Sl. glasnik RS 87/2018 — "ZZPL"). Your rights under ZZPL Articles 26–38 are described in Section 10 of this policy.

The supervisory authority for data protection in Serbia is the **Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti** (poverenik.rs).

Tax identification data (PIB) is processed pursuant to the **Zakon o poreskom postupku i poreskoj administraciji** and **Zakon o PDV**. Accounting records are retained pursuant to **Zakon o računovodstvu** (Sl. glasnik RS 73/2019) — minimum 10 years.

E-invoice data is submitted to the **SEF portal** (efaktura.mfin.gov.rs) pursuant to the **Zakon o elektronskom fakturisanju** (Sl. glasnik RS 44/2021). This transmission constitutes a legal obligation — no separate consent is required.

### 16.2 Bosnia & Herzegovina — Notice under ZZLP BiH

This section applies specifically to users in Bosnia & Herzegovina.

Bilko processes personal data in accordance with the **Zakon o zaštiti ličnih podataka** (Sl. glasnik BiH 49/2006 — "ZZLP BiH"). The supervisory authority is the **Agencija za zaštitu ličnih podataka (AZLP)** (azlp.gov.ba).

BiH has no EU adequacy decision. Data transferred to Railway (EU West) is protected by Standard Contractual Clauses (SCC 2021/914/EU).

Accounting records are retained pursuant to: FBiH — **Zakon o računovodstvu i reviziji FBiH** (minimum 10 years); RS entity — **Zakon o računovodstvu i reviziji RS BiH** (minimum 11 years). The correct retention period depends on the entity jurisdiction selected during organization registration.

> ⚠️ LEGAL REVIEW REQUIRED: Confirm that the ZZLP BiH (2006 law) is still the governing framework or if amendments/successor legislation applies. Confirm AZLP registration requirements for Bilko as a data controller operating from outside BiH.

### 16.3 Croatia — Notice under the GDPR

This section applies specifically to users in the Republic of Croatia.

As an EU member state, Croatia is subject to the **GDPR (Uredba (EU) 2016/679)** directly. The supervisory authority is the **Agencija za zaštitu osobnih podataka (AZOP)** (azop.hr).

Accounting records are retained pursuant to the **Zakon o računovodstvu** (NN 78/15, 116/18, 42/20, 47/20, 114/22) and **Opći porezni zakon** — minimum 11 years.

E-invoice data (when HR-FISK integration is active) is transmitted to **FINA** pursuant to the **Zakon o elektroničkom izdavanju računa u javnoj nabavi** and related legislation. This constitutes a legal obligation.

---

## Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| Author | ALAI Documentation Team | | 2026-02-25 |
| DPO Review | | | |
| RS Legal Counsel | | | |
| BA Legal Counsel | | | |
| HR Legal Counsel | | | |
| CEO Approval | Alem Bašić | | |

# DPA Template — Annex B: Sub-Processors for Bilko Archive Feature

# Databehandleravtale / Data Processing Agreement (DPA)

**Template Version:** 1.0

**Last Updated:** 2026-02-10

**Compliance:** GDPR Article 28, Norwegian Personal Data Act

---

## NO: Data Processing Agreement (translated from the Norwegian text)

### 1. Parties

**Data Controller:**

- Name: ALAI Holding AS
- Org.nr: 932 516 136
- Address: Tømmerrenna 1B, 2050 Jessheim, Norway
- Contact person: Alem Akšamija
- Email: alem@alai.no

**Data Processor:**

- Name: [PROCESSOR_NAME]
- Org.nr: [PROCESSOR_ORG_NUMBER]
- Address: [PROCESSOR_ADDRESS]
- Contact person: [PROCESSOR_CONTACT_PERSON]
- Email: [PROCESSOR_EMAIL]

### 2. Scope and Purpose of the Agreement

**2.1 Purpose**

The Data Processor shall process personal data on behalf of the Data Controller in connection with the delivery of the following services:

[DESCRIPTION_OF_SERVICES]

**2.2 Duration**

This agreement enters into force on [START_DATE] and applies until [END_DATE] or until the service agreement between the parties terminates.

**2.3 Nature of the Personal Data**

The processing covers the following types of personal data:

- [DATA_TYPE_1] (e.g., name, email address)
- [DATA_TYPE_2] (e.g., invoice information)
- [DATA_TYPE_3] (e.g., contact history)

**2.4 Categories of Data Subjects**

- [CATEGORY_1] (e.g., customers)
- [CATEGORY_2] (e.g., employees)
- [CATEGORY_3] (e.g., suppliers)

### 3. Data Processor's Obligations

**3.1 Processing Instructions**

The Data Processor shall only process personal data in accordance with documented instructions from the Data Controller. This agreement and the associated service agreement constitute the initial instructions.

**3.2 Confidentiality**

The Data Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

**3.3 Security Measures**

The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, cf. GDPR Article 32:

- Pseudonymization and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability and resilience
- Ability to restore availability and access to personal data in the event of physical or technical incidents
- Process for regular testing, assessment and evaluation of effectiveness

**3.4 Sub-processors**

The Data Processor may only use sub-processors after prior written consent from the Data Controller. A list of approved sub-processors is provided in Annex A. When changing sub-processors, the Data Processor shall notify the Data Controller at least 30 days in advance. The Data Controller may object within this period.

**3.5 Assistance to the Data Controller**

The Data Processor shall assist the Data Controller in:

- Conducting data protection impact assessments (DPIA)
- Responding to requests from data subjects exercising their rights
- Handling personal data breaches
- Implementing security measures

**3.6 Personal Data Breaches**

The Data Processor shall notify the Data Controller without undue delay and at the latest within 24 hours after becoming aware of a personal data breach affecting the processed personal data.

**3.7 Deletion or Return**

Upon termination of the processing, the Data Processor shall, at the Data Controller's choice, delete or return all personal data and delete existing copies, unless storage is required under EU law or Norwegian law.

### 4. Data Controller's Obligations

**4.1 Instructions**

The Data Controller shall ensure that the instructions given to the Data Processor comply with applicable data protection legislation.

**4.2 Supervision**

The Data Controller has the right to conduct audits and inspections to verify that the Data Processor complies with this agreement.

### 5. Data Transfer to Third Countries

**5.1 Transfer Outside the EEA**

Personal data shall only be processed within the EEA unless the Data Controller has given prior approval. For transfers to third countries, the following safeguards shall be applied:

- EU Standard Contractual Clauses for data transfer
- Appropriate safeguards in accordance with GDPR Article 46
- [ADDITIONAL_SAFEGUARDS]

### 6. Allocation of Liability

**6.1 Data Controller's Liability**

The Data Controller is responsible to data subjects and supervisory authorities for the processing of personal data.

**6.2 Data Processor's Liability**

The Data Processor is liable for damage resulting from breach of this agreement or from processing beyond the instructions of the Data Controller.

**6.3 Limitation**

The Data Processor's total liability under this agreement is limited to [AMOUNT] NOK, unless the damage is caused by gross negligence or intent.

### 7. Termination

**7.1 Termination for Cause**

The agreement may be terminated by the Data Controller with immediate effect if the Data Processor:

- Breaches material provisions of this agreement
- Fails to implement the necessary security measures
- Transfers data to third countries without approval

**7.2 Transition Period**

Upon termination, the Data Processor is given 30 days to return or delete all personal data.

### 8. Miscellaneous

**8.1 Governing Law**

This agreement is governed by Norwegian law.

**8.2 Venue**

Disputes shall be resolved before Romerike og Glåmdal tingrett (district court).

**8.3 Amendments**

Amendments to this agreement must be in writing and approved by both parties.

---

## Annex A: Approved Sub-processors

| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| [SUB_PROCESSOR_1] | [SERVICE_1] | [LOCATION_1] | [SAFEGUARDS_1] |
| [SUB_PROCESSOR_2] | [SERVICE_2] | [LOCATION_2] | [SAFEGUARDS_2] |

## Annex B: Sub-processors for the Bilko Archive Feature

This annex applies specifically to the Bilko product when the archive feature is enabled.

### B.1 Cloudflare R2 (Temporary Document Storage)

| Field | Details |
|---|---|
| **Sub-processor** | Cloudflare, Inc. |
| **Address** | 101 Townsend St, San Francisco, CA 94107, USA |
| **Contact** | privacyquestions@cloudflare.com |
| **Purpose** | Temporary staging of documents for the archive pipeline |
| **Data categories processed** | Contracts (PDF), invoices (PDF), care plans, incident reports, onboarding documents |
| **Categories of data subjects** | The Bilko organization's customers, suppliers, patients (for care organizations) |
| **Geographic location** | EU region (eu-west R2 storage bucket) |
| **Processing duration** | Temporary (typically < 5 minutes; documents are deleted after successful transfer to Paperless-ngx) |
| **Safeguards** | EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture |
| **Sub-sub-processors** | See Cloudflare's DPA for the full list (https://www.cloudflare.com/cloudflare-customer-dpa/) |

### B.2 ALAI Azure VM Paperless-ngx (Long-term Archive)

| Field | Details |
|---|---|
| **Sub-processor** | ALAI Holding AS (own infrastructure) |
| **Org.nr** | 932 516 136 |
| **Address** | Tømmerrenna 1B, 2050 Jessheim, Norway |
| **Contact** | dpa@alai.no |
| **Purpose** | Long-term archive of business documents at archive.alai.no |
| **Data categories processed** | Same as Cloudflare R2 above |
| **Categories of data subjects** | Same as Cloudflare R2 above |
| **Geographic location** | EU/EEA (Microsoft Azure Sweden Central region) |
| **Processing duration** | Permanent archive per retention schedule: financial documents 7 years (accounting law RS/BA/HR); care documents 25 years (UK NHS standard, provisional) |
| **Safeguards** | ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; role-based access control (RBAC); Paperless-ngx with OAuth2 authentication; daily Azure backup with 30-day retention; immutable audit trail in PostgreSQL |
| **Sub-sub-processors** | Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA) |

### B.3 Data Flow for Archiving

```
Bilko Backend (Cloud Run)
    ↓ (POST /archive)
Cloudflare R2 (eu-west bucket)
    ← [5-minute batch job]
Cloud Run Worker
    ↓ (HTTP POST to the Paperless-ngx API)
ALAI Azure VM (archive.alai.no)
    → Permanent archive (7–25 years)
```

### B.4 Notice of Changes to Sub-processors

ALAI Holding AS undertakes to notify the Data Controller **at least 30 days in advance** by email before:

- New sub-processors are added to the archive pipeline
- Existing sub-processors are replaced
- The geographic location of processing changes

The Data Controller may object within this period if the new sub-processor does not meet data protection requirements.

---

## Signatures

**For the Data Controller (ALAI Holding AS):**

Name: _______________________ Date: _______________________ Signature: ___________________

**For the Data Processor ([PROCESSOR_NAME]):**

Name: _______________________ Date: _______________________ Signature: ___________________

---

## EN: Data Processing Agreement (DPA)

### 1. Parties

**Data Controller:**

- Name: ALAI Holding AS
- Org.No: 932 516 136
- Address: Tømmerrenna 1B, 2050 Jessheim, Norway
- Contact Person: Alem Akšamija
- Email: alem@alai.no

**Data Processor:**

- Name: [PROCESSOR_NAME]
- Org.No: [PROCESSOR_ORG_NUMBER]
- Address: [PROCESSOR_ADDRESS]
- Contact Person: [PROCESSOR_CONTACT_PERSON]
- Email: [PROCESSOR_EMAIL]

### 2. Scope and Purpose

**2.1 Purpose**

The Data Processor shall process personal data on behalf of the Data Controller in connection with the delivery of the following services:

[DESCRIPTION_OF_SERVICES]

**2.2 Duration**

This agreement enters into force on [START_DATE] and applies until [END_DATE] or until the service agreement between the parties terminates.

**2.3 Nature of Personal Data**

The processing covers the following types of personal data:

- [DATA_TYPE_1] (e.g., name, email address)
- [DATA_TYPE_2] (e.g., billing information)
- [DATA_TYPE_3] (e.g., contact history)

**2.4 Categories of Data Subjects**

- [CATEGORY_1] (e.g., customers)
- [CATEGORY_2] (e.g., employees)
- [CATEGORY_3] (e.g., suppliers)

### 3. Data Processor's Obligations

**3.1 Processing Instructions**The Data Processor shall only process personal data in accordance with documented instructions from the Data Controller. This agreement and the associated service agreement constitute the initial instructions.

**3.2 Confidentiality**The Data Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

**3.3 Security Measures**The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32:

- Pseudonymization and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience
- Ability to restore availability and access to personal data in a timely manner in the event of physical or technical incidents
- Process for regularly testing, assessing, and evaluating the effectiveness of measures

**3.4 Sub-processors**

The Data Processor may only use sub-processors after prior written consent from the Data Controller. A list of approved sub-processors is provided in Annex A. When changing sub-processors, the Data Processor shall notify the Data Controller at least 30 days in advance. The Data Controller may object within this period.

**3.5 Assistance to Data Controller**

The Data Processor shall assist the Data Controller in:

- Conducting data protection impact assessments (DPIA)
- Responding to requests from data subjects exercising their rights
- Handling personal data breaches
- Implementing security measures

**3.6 Personal Data Breaches**

The Data Processor shall notify the Data Controller without undue delay and at the latest within 24 hours after becoming aware of a personal data breach affecting the processed personal data.

**3.7 Deletion or Return**

Upon termination of the processing, the Data Processor shall, at the Data Controller's choice, delete or return all personal data and delete existing copies, unless storage is required under EU or Norwegian law.

### 4. Data Controller's Obligations

**4.1 Instructions**

The Data Controller shall ensure that instructions to the Data Processor comply with applicable data protection legislation.

**4.2 Supervision**

The Data Controller has the right to conduct audits and inspections to verify that the Data Processor complies with this agreement.

### 5. Data Transfer to Third Countries

**5.1 Transfer Outside EEA**

Personal data shall only be processed within the EEA unless the Data Controller has given prior approval. For transfers to third countries, the following safeguards shall be applied:

- EU Standard Contractual Clauses for data transfer
- Appropriate safeguards in accordance with GDPR Article 46
- \[ADDITIONAL\_SAFEGUARDS\]

### 6. Liability Distribution

**6.1 Data Controller's Liability**

The Data Controller is responsible to data subjects and supervisory authorities for the processing of personal data.

**6.2 Data Processor's Liability**

The Data Processor is liable for damage resulting from breach of this agreement or processing beyond the instructions from the Data Controller.

**6.3 Limitation**

The Data Processor's total liability under this agreement is limited to \[AMOUNT\] NOK, unless the damage is caused by gross negligence or intent.

### 7. Termination

**7.1 Termination**

The agreement may be terminated by the Data Controller with immediate effect if the Data Processor:

- Breaches material provisions of this agreement
- Does not implement necessary security measures
- Transfers data to third countries without approval

**7.2 Transition Period**

Upon termination, the Data Processor is given 30 days to return or delete all personal data.

### 8. Miscellaneous

**8.1 Governing Law**

This agreement is governed by Norwegian law.

**8.2 Venue**

Disputes shall be resolved at Romerike and Glåmdal District Court.

**8.3 Amendments**

Amendments to this agreement must be in writing and approved by both parties.

---

## Annex A: Approved Sub-processors

| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| \[SUB\_PROCESSOR\_1\] | \[SERVICE\_1\] | \[LOCATION\_1\] | \[SAFEGUARDS\_1\] |
| \[SUB\_PROCESSOR\_2\] | \[SERVICE\_2\] | \[LOCATION\_2\] | \[SAFEGUARDS\_2\] |

---

## Annex B: Sub-Processors for Bilko Archive Feature

This annex applies specifically to the Bilko product when the archive feature is enabled.

### B.1 Cloudflare R2 (Temporary Document Storage)

| Field | Details |
|---|---|
| **Sub-processor** | Cloudflare, Inc. |
| **Address** | 101 Townsend St, San Francisco, CA 94107, USA |
| **Contact** | privacyquestions@cloudflare.com |
| **Purpose** | Temporary staging of documents for archive pipeline |
| **Data Categories Processed** | Contracts (PDF), Invoices (PDF), Care Plans, Incident Reports, Onboarding Documents |
| **Categories of Data Subjects** | Bilko organization's customers, suppliers, patients (for care organizations) |
| **Geographic Location** | EU region (eu-west R2 storage bucket) |
| **Processing Duration** | Temporary (typically < 5 minutes; documents deleted after successful transfer to Paperless-ngx) |
| **Safeguards** | EU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture |
| **Sub-sub-processors** | See Cloudflare's DPA for complete list (https://www.cloudflare.com/cloudflare-customer-dpa/) |

### B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)

| Field | Details |
|---|---|
| **Sub-processor** | ALAI Holding AS (own infrastructure) |
| **Org.No** | 932 516 136 |
| **Address** | Tømmerrenna 1B, 2050 Jessheim, Norway |
| **Contact** | dpa@alai.no |
| **Purpose** | Long-term archive of business documents at archive.alai.no |
| **Data Categories Processed** | Same as Cloudflare R2 above |
| **Categories of Data Subjects** | Same as Cloudflare R2 above |
| **Geographic Location** | EU/EEA (Microsoft Azure Sweden Central region) |
| **Processing Duration** | Permanent archive per retention schedule: financial documents 7 years (accounting law RS/BA/HR); care documents 25 years (UK NHS standard, interim) |
| **Safeguards** | ALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; Role-Based Access Control (RBAC); Paperless-ngx with OAuth2 authentication; Daily Azure backup with 30-day retention; Immutable audit trail in PostgreSQL |
| **Sub-sub-processors** | Microsoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA) |

### B.3 Data Flow for Archival

```

Bilko Backend (Cloud Run)
    ↓ (POST /archive)
Cloudflare R2 (eu-west bucket)
    ← [5-minute batch job]
Cloud Run Worker
    ↓ (HTTP POST to Paperless-ngx API)
ALAI Azure VM (archive.alai.no)
    → Permanent archive (7–25 years)

```

### B.4 Notice of Sub-Processor Changes

ALAI Holding AS commits to notifying the Data Controller **at least 30 days in advance** via email before:

- New sub-processors are added to the archive pipeline
- Existing sub-processors are replaced
- Geographic location of processing changes

The Data Controller may object within this period if the new sub-processor does not meet data protection requirements.

---

## Signatures

**For Data Controller (ALAI Holding AS):**

Name: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Date: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Signature: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

**For Data Processor (\[PROCESSOR\_NAME\]):**

Name: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Date: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Signature: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

---

## Related Documents

- [Bilko Terms of Service — Section 16 Sub-Processors](https://docs.alai.no/books/bilko-legal-pack/page/bilko-terms-of-service-section-16-sub-processors-gdpr-art-284)
- [Bilko Privacy Notice — Section 8.1 Sub-Processors](https://docs.alai.no/books/bilko-legal-pack/page/bilko-privacy-notice-section-81-document-archive-sub-processors)
- [Sub-Processor Notification Email Template](https://docs.alai.no/books/bilko-legal-pack/page/sub-processor-notification-email-template-bilko)

# Sub-Processor Notification Email Template (Bilko)

<div id="bkmrk-%E2%9A%A0%EF%B8%8F-statusmc%3A-%23100045" style="background-color:#FFF3CD;border-left:4px solid #FFC107;padding:16px;margin-bottom:24px;">**⚠️ STATUS**  
**MC:** #100045 | **Date:** 2026-05-08  
**Draft Status:** Pending final legal review and translations (per Lexicon S1-S4)  
**Corrections Applied:** Org.nr 932 516 136 (corrected from hallucinated 933 534 262), Azure Sweden Central (corrected from Norway East)</div>

# Sub-Processor Notification Email Template

**Version:** 1.0  
**Last Updated:** 2026-05-08  
**Purpose:** Notify Bilko tenants of new sub-processors per GDPR Art. 28(4)  
**Language:** English (Norwegian translation pending)

---

## Email Template — English

**Subject:** Bilko Sub-Processor Update — Effective {{DATE\_PLUS\_30\_DAYS}}

---

**Dear {{TENANT\_NAME}},**

We are writing to inform you of changes to our sub-processor list for the Bilko accounting platform, in accordance with our Data Processing Agreement (DPA) and GDPR Article 28(4).

### New Sub-Processors

Effective **{{DATE\_PLUS\_30\_DAYS}}**, Bilko will use the following sub-processors for the **document archival feature**:

<table id="bkmrk-sub-processorpurpose"><tr><th>Sub-Processor</th><th>Purpose</th><th>Data Categories</th><th>Geographic Location</th><th>Safeguards</th></tr><tr><td>**Cloudflare R2** (Cloudflare, Inc., USA)</td><td>Temporary staging for archive pipeline</td><td>Contract PDFs, invoices, care plans, incident reports, onboarding documents</td><td>EU region (eu-west storage bucket)</td><td>Standard Contractual Clauses (SCCs) per Cloudflare's published DPA</td></tr><tr><td>**ALAI Azure VM Paperless-ngx** (ALAI Holding AS, org.nr 932 516 136, Norway)</td><td>Long-term document archive at archive.alai.no</td><td>Same categories as above</td><td>EU/EEA (Microsoft Azure Sweden Central region)</td><td>ALAI DPA + Azure Standard Contractual Clauses</td></tr></table>

### What This Means for You

- **If you have enabled the document archival feature** in Bilko, documents you mark for archival (contracts, invoices, care plans, incident reports, onboarding documents) will be processed through these sub-processors.
- **Data flow:** Documents are temporarily staged in Cloudflare R2 (typically < 5 minutes), then transferred to ALAI's Paperless-ngx archive system hosted on Microsoft Azure (Sweden Central region).
- **Retention:** Financial documents are retained for 7 years; care-related documents for 25 years (per applicable accounting and care regulations).
- **Security:** All sub-processors are bound by Data Processing Agreements and Standard Contractual Clauses. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).

### Your Right to Object

Under GDPR Article 28(4), you have the right to **object to the use of these sub-processors** within **30 days** of receiving this notice.

**If you object:**

- Send your objection in writing to **dpa@alai.no** by **{{DATE\_PLUS\_30\_DAYS}}**.
- We will work with you to find an alternative solution or, if not possible, allow you to terminate your Bilko subscription without penalty.

**If you do not object** by {{DATE\_PLUS\_30\_DAYS}}, this will constitute your consent to the use of these sub-processors.

### 30-Day Advance Notice

This notice is provided **30 days in advance** of the effective date ({{DATE\_PLUS\_30\_DAYS}}) in accordance with our DPA Section 3.4 and your Terms of Service Section 16.3.

### Questions or Concerns

If you have any questions about these sub-processors or our data processing practices, please contact:

- **Data Protection Officer:** Alem Bašić — alem@alai.no — +47 40 47 42 51
- **DPA Inquiries:** dpa@alai.no
- **General Support:** support@bilko.io

### Company Information

**ALAI Holding AS**

- Org.nr: 932 516 136
- Address: Tømmerrenna 1B, 2050 Jessheim, Norway
- Email: dpa@alai.no
- Website: https://bilko.io

We appreciate your trust in Bilko and remain committed to protecting your data in accordance with the highest standards of data protection law.

Best regards,

**The Bilko Team**  
ALAI Holding AS

---

## Email Template — Norwegian (DRAFT — Translation Pending)

**Emne:** Bilko oppdatering av underleverandører — Trer i kraft {{DATE\_PLUS\_30\_DAYS}}

---

**Kjære {{TENANT\_NAME}},**

Vi skriver for å informere deg om endringer i vår liste over underleverandører for Bilko regnskapsplattform, i samsvar med vår databehandleravtale (DPA) og GDPR Artikkel 28(4).

### Nye underleverandører

Med virkning fra **{{DATE\_PLUS\_30\_DAYS}}** vil Bilko bruke følgende underleverandører for **dokumentarkivfunksjonen**:

| Underleverandør | Formål | Datakategorier | Geografisk plassering | Sikkerhetstiltak |
|---|---|---|---|---|
| **Cloudflare R2** (Cloudflare, Inc., USA) | Midlertidig staging for arkivpipeline | Kontrakter (PDF), fakturaer, omsorgsplaner, hendelsesrapporter, onboarding-dokumenter | EU-region (eu-west lagringsbucket) | Standard Contractual Clauses (SCC) per Cloudflares publiserte DPA |
| **ALAI Azure VM Paperless-ngx** (ALAI Holding AS, org.nr 932 516 136, Norge) | Langtidsarkiv ved archive.alai.no | Samme kategorier som ovenfor | EU/EØS (Microsoft Azure Sweden Central-region) | ALAI DPA + Azure Standard Contractual Clauses |

### Hva betyr dette for deg?

- **Hvis du har aktivert dokumentarkivfunksjonen** i Bilko, vil dokumenter du markerer for arkivering (kontrakter, fakturaer, omsorgsplaner, hendelsesrapporter, onboarding-dokumenter) bli behandlet gjennom disse underleverandørene.
- **Dataflyt:** Dokumenter lagres midlertidig i Cloudflare R2 (typisk < 5 minutter), deretter overført til ALAIs Paperless-ngx arkivsystem hostet på Microsoft Azure (Sverige Central-region).
- **Oppbevaring:** Finansielle dokumenter oppbevares i 7 år; omsorgsdokumenter i 25 år (per gjeldende regnskaps- og omsorgsreguleringer).
- **Sikkerhet:** Alle underleverandører er bundet av databehandleravtaler og Standard Contractual Clauses. Data krypteres ved lagring (AES-256) og i transitt (TLS 1.3).

### Din rett til å protestere

I henhold til GDPR Artikkel 28(4) har du rett til å **protestere mot bruken av disse underleverandørene** innen **30 dager** etter mottak av denne varslingen.

**Hvis du protesterer:**

- Send din protest skriftlig til **dpa@alai.no** innen **{{DATE\_PLUS\_30\_DAYS}}**.
- Vi vil samarbeide med deg for å finne en alternativ løsning eller, hvis ikke mulig, tillate deg å avslutte Bilko-abonnementet uten straff.

**Hvis du ikke protesterer** innen {{DATE\_PLUS\_30\_DAYS}}, vil dette utgjøre ditt samtykke til bruken av disse underleverandørene.

### 30-dagers forhåndsvarsel

Dette varslet gis **30 dager i forveien** for ikrafttredelsesdatoen ({{DATE\_PLUS\_30\_DAYS}}) i samsvar med vår DPA Seksjon 3.4 og dine Tjenestevilkår Seksjon 16.3.

### Spørsmål eller bekymringer

Hvis du har spørsmål om disse underleverandørene eller våre databehandlingspraksis, vennligst kontakt:

- **Personvernombud:** Alem Bašić — alem@alai.no — +47 40 47 42 51
- **DPA-henvendelser:** dpa@alai.no
- **Generell støtte:** support@bilko.io

### Selskapsinformasjon

**ALAI Holding AS**

- Org.nr: 932 516 136
- Adresse: Tømmerrenna 1B, 2050 Jessheim, Norge
- E-post: dpa@alai.no
- Nettside: https://bilko.io

Vi setter pris på din tillit til Bilko og forblir forpliktet til å beskytte dine data i samsvar med de høyeste standardene for databeskyttelseslov.

Vennlig hilsen,

**Bilko-teamet**  
ALAI Holding AS

---

## Usage Instructions

### Placeholders to Replace

| Placeholder | Description | Example |
|---|---|---|
| `{{TENANT_NAME}}` | Organization name from Bilko database | "Acme Accounting d.o.o." |
| `{{DATE_PLUS_30_DAYS}}` | Effective date (30 days from send date) | "2026-06-07" |

### When to Send

This template should be sent:

- **30 days before** enabling the archive feature for existing tenants
- **30 days before** adding any new sub-processor to the archive pipeline
- **30 days before** replacing an existing sub-processor

### Sending Method

- **Email:** Send to organization owner's registered email address
- **In-app notification:** Display banner in Bilko UI with link to full notice
- **Audit log:** Record sending timestamp and recipient in Bilko's audit trail

### Follow-Up Actions

- **Track objections:** If tenant objects within 30 days, flag their account and escalate to ALAI DPO (alem@alai.no).
- **Auto-consent:** If no objection received by {{DATE\_PLUS\_30\_DAYS}}, record implicit consent in tenant's DPA compliance record.
- **Termination support:** If tenant objects and no alternative is available, process subscription cancellation per ToS Section 12.2 with data export provided.
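The placeholder fill, audit-trail entry and objection / auto-consent steps above, as an added Python example that is not Bilko's code: the effective date is computed from the actual send date (so the 30-day period always holds, as the Legal Review Notes require), every send is logged with timestamp and recipient, and an objection is accepted only inside the window. Function names, the record and log shapes, and the template excerpt are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_DAYS = 30  # GDPR Art. 28(4) notice period used throughout this pack

# Constructed excerpt of the English template (subject, greeting, objection line).
TEMPLATE = (
    "Subject: Bilko Sub-Processor Update - Effective {{DATE_PLUS_30_DAYS}}\n"
    "Dear {{TENANT_NAME}},\n"
    "Send objections in writing to dpa@alai.no by {{DATE_PLUS_30_DAYS}}."
)


def effective_date(send_date: date) -> date:
    """{{DATE_PLUS_30_DAYS}} derived from the send date, never a hard-coded date."""
    return send_date + timedelta(days=NOTICE_DAYS)


def render_notice(tenant_name: str, send_date: date, template: str = TEMPLATE) -> str:
    """Fill both placeholders and refuse to produce a notice with any left unfilled."""
    body = (template.replace("{{TENANT_NAME}}", tenant_name)
                    .replace("{{DATE_PLUS_30_DAYS}}", effective_date(send_date).isoformat()))
    if "{{" in body:
        raise ValueError("unfilled placeholder in sub-processor notice")
    return body


@dataclass
class NoticeRecord:  # hypothetical per-tenant DPA compliance record
    tenant_id: str
    recipient: str
    sent_on: date
    effective_on: date
    status: str = "pending"  # pending -> objected | consented
    objected_on: Optional[date] = None


def send_notice(tenant_id: str, tenant_name: str, recipient: str,
                send_date: date, audit_log: list) -> NoticeRecord:
    """Render the notice and record send timestamp + recipient in the audit trail."""
    body = render_notice(tenant_name, send_date)
    rec = NoticeRecord(tenant_id, recipient, send_date, effective_date(send_date))
    audit_log.append({"event": "subprocessor_notice_sent", "tenant": tenant_id,
                      "to": recipient, "sent_on": send_date.isoformat(),
                      "effective_on": rec.effective_on.isoformat(), "bytes": len(body)})
    return rec


def record_objection(rec: NoticeRecord, objected_on: date, audit_log: list) -> bool:
    """An objection inside the window flags the account for DPO escalation."""
    if rec.status != "pending" or objected_on > rec.effective_on:
        audit_log.append({"event": "objection_outside_window", "tenant": rec.tenant_id})
        return False
    rec.status, rec.objected_on = "objected", objected_on
    audit_log.append({"event": "objection_flagged_for_dpo", "tenant": rec.tenant_id,
                      "escalate_to": "alem@alai.no"})
    return True


def resolve(rec: NoticeRecord, today: date, audit_log: list) -> str:
    """On or after the effective date, a tenant that stayed silent is recorded as consenting."""
    if rec.status == "pending" and today >= rec.effective_on:
        rec.status = "consented"
        audit_log.append({"event": "implicit_consent_recorded", "tenant": rec.tenant_id})
    return rec.status
```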

---

## Legal Review Notes

> ⚠️ **NORWEGIAN TRANSLATION:** This template is provided in English only. A professional Norwegian translation must be prepared before sending to Norwegian-speaking tenants or tenants in Norway.

> ⚠️ **SERBIAN/BOSNIAN/CROATIAN TRANSLATIONS:** For Balkan tenants, consider whether local-language versions are required under ZZPL (Serbia), ZZLP BiH (Bosnia & Herzegovina), or GDPR (Croatia). Consult local legal counsel.

> ⚠️ **EFFECTIVE DATE PLACEHOLDER:** Ensure automated email system calculates {{DATE\_PLUS\_30\_DAYS}} dynamically from send date to guarantee 30-day notice period.

> ⚠️ **DPA REFERENCE:** Confirm that all Bilko tenant contracts include DPA Section 3.4 (sub-processor change notice clause) and ToS Section 16.3 (sub-processor disclosure) before sending this notice.

---

## Approval

| Role | Name | Date |
|---|---|---|
| Author | Lexicon (ALAI Legal & Documentation) | 2026-05-08 |
| Legal Review | Pending | |
| DPO Approval | Pending (Alem Bašić) | |
| CEO Approval | Pending | |