Compliance Framework Compliance Framework Document Project: Bilko — Balkan Accounting SaaS Version: 1.0 Date: 2026-02-23 Author: DPO / Compliance Officer Status: Draft Reviewers: CTO, Legal Counsel (RS, BA, HR) Classification: Confidential Document History Version Date Author Changes 0.1 2026-02-23 DPO Initial three-country compliance mapping 1. Compliance Scope Bilko is a cloud accounting SaaS operating in three jurisdictions. Each has distinct data protection, accounting, tax, and e-invoicing requirements. graph TD subgraph RS["Serbia (Republika Srbija)"] RS_DP["ZZPL — Zakon o zaštiti podataka o ličnosti\nSl. glasnik RS 87/2018 (GDPR-aligned)"] RS_ACC["Zakon o računovodstvu\nSl. glasnik RS 73/2019"] RS_VAT["Zakon o PDV\n20% / 10% / 0%"] RS_SEF["SEF e-Invoice\nUBL 2.1 XML — B2B mandatory Jan 2023\nPenalty: 50K–2M RSD"] RS_APR["APR Filing\nJune 30 deadline"] end subgraph BA["Bosnia & Herzegovina"] BA_DP["ZZLP BiH — Zakon o zaštiti ličnih podataka\nSl. glasnik BiH 49/2006"] BA_FBiH["FBiH: Zakon o računovodstvu i reviziji FBiH\nSl. novine FBiH 83/2009 + Pravilnik 2022"] BA_RSBA["RS entitet: Zakon o računovodstvu i reviziji RS BiH\nSl. glasnik RS BiH 96/2005"] BA_VAT["Zakon o PDV BiH\n17% / 0% — UIO authority"] BA_CPF["CPF e-Invoice\nPending ~2027"] end subgraph HR["Croatia (Hrvatska)"] HR_DP["GDPR — directly applicable (EU member)\nUredba (EU) 2016/679"] HR_ACC["Zakon o računovodstvu\nNN 78/15, 116/18, 42/20, 47/20, 114/22"] HR_VAT["Zakon o porezu na dodanu vrijednost\n25% / 13% / 5% / 0%"] HR_FISK["HR-FISK (eRačun B2G/B2B)\nFINA certificate — mandatory Jan 2026\nPenalty: up to EUR 500K"] HR_FINA["FINA RGFI\nApril 30 deadline"] end 2. Data Protection Compliance 2.1 Applicable Laws Jurisdiction Law Supervisory Authority Penalty Serbia ZZPL (Sl. glasnik RS 87/2018) Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti Up to 2M RSD (legal entity) Bosnia & Herzegovina ZZLP BiH (Sl. glasnik BiH 49/2006) Agencija za zaštitu ličnih podataka (AZLP) Up to 10K BAM Croatia GDPR Uredba (EU) 2016/679 Agencija za zaštitu osobnih podataka (AZOP) Up to €20M or 4% global turnover 2.2 Legal Basis for Processing Data Category Legal Basis Jurisdiction Account email, name Contract performance (Art. 6(1)(b) GDPR / Art. 12(1)(b) ZZPL) All Tax IDs (PIB, JMBG, OIB, JIB) Legal obligation — accounting/tax law RS, BA, HR IBAN, bank accounts Contract performance All IP address, session logs Legitimate interest — security All Financial transaction data Legal obligation — accounting/tax law All 2.3 Data Subject Rights Implementation Right GDPR Article ZZPL Equivalent Status Access Art. 15 Art. 26 Planned — /api/gdpr/export endpoint Rectification Art. 16 Art. 27 In-app edit functionality Erasure ("Right to be forgotten") Art. 17 Art. 28 Blocked by legal retention requirements Portability Art. 20 Art. 30 Planned — JSON/CSV export Restriction Art. 18 Art. 29 Planned — account suspension flow Objection Art. 21 Art. 31 Via support ticket Note on Erasure: Financial data cannot be erased during mandatory retention periods (10 years RS, 10-11 years BA, 11 years HR). Account can be anonymized (name/email) but transaction records must be kept. 2.4 Cross-Border Data Transfers Host: Railway EU West (Amsterdam / Frankfurt) — within EEA HR → Railway: No transfer mechanism needed (EU to EU) RS → Railway: Serbia is on GDPR adequacy list (European Commission Decision 2023/1485) BA → Railway: No EU adequacy decision for BiH. Rely on Standard Contractual Clauses (SCC 2021/914) with Railway as processor. 2.5 DPA Requirements Data Processing Agreements must be signed with: Railway (primary database host) Cloudflare (WAF, CDN — processes IP addresses) Sentry (error tracking — processes stack traces with potential PII) Any email service provider 3. Accounting & Tax Compliance 3.1 Serbia (RS) Requirement Law Details Bilko Implementation Chart of Accounts Pravilnik o kontnom okviru (Sl. glasnik RS 3/2020) Standard Serbian CoA — 9 classes RS-specific CoA template preloaded on org creation VAT rates Zakon o PDV (Sl. glasnik RS 84/2004 + amendments) 20% standard, 10% reduced, 0% exempt VAT rate selector on invoice line items Financial statements Zakon o računovodstvu Bilans stanja + Bilans uspeha (BS format) Export to APR-compliant XML/PDF Mandatory e-invoicing Zakon o elektronskom fakturisanju (Sl. glasnik RS 44/2021) B2B mandatory since Jan 1, 2023 (≥4.5M RSD) SEF API integration (UBL 2.1 XML) APR filing deadline Zakon o računovodstvu Art. 33 June 30 (full-year entities), March 31 (other) In-app reminder + export Retention period Zakon o računovodstvu Art. 26 10 years for financial statements and documentation Delete-prevention lock on records >0 days old Pausal regime Zakon o paušalnom oporezivanju <6M RSD annual income Simplified invoice mode for pausal firms PIO/health contributions Zakon o doprinosima Applied to salaries Future: payroll module SEF Integration: Portal: efaktura.mfin.gov.rs Format: UBL 2.1 XML (HR-CIUS compatible subset) Authentication: API key per organization Mandatory fields: seller PIB, buyer PIB, invoice number, date, amounts, VAT breakdown 3.2 Bosnia & Herzegovina (BA) Requirement Law Details Bilko Implementation FBiH CoA FBiH Pravilnik o računovodstvu (Sl. novine FBiH 89/2016 + 2022 revision) FBiH-specific chart of accounts FBiH CoA template RS entity CoA RS BiH Pravilnik RS entity chart of accounts (differs from FBiH) RS BiH CoA template VAT rate Zakon o PDV BiH (Sl. glasnik BiH 9/2005) 17% standard, 0% exempt — UIO authority VAT 17% selector VAT filing UIO portal Monthly/quarterly PDV prijava Export to UIO-compatible format Filing deadline FBiH/RS entity laws March 31 (most entities) In-app reminder FBiH retention Zakon o računovodstvu i reviziji FBiH Art. 17 10 years Delete-prevention lock RS entity retention Zakon o računovodstvu i reviziji RS BiH Art. 16 11 years Delete-prevention lock e-Invoice CPF platform (pending) Expected mandatory ~2027 Roadmap item CIT rate Zakon o porezu na dobit FBiH 10% flat Future: tax calculation module Entity detection: Bilko must determine if an organization is in FBiH, RS entity, or Brčko District to apply the correct CoA and retention rules. On org creation, user selects entity. Brčko follows BiH state-level law. 3.3 Croatia (HR) Requirement Law Details Bilko Implementation CoA Zakon o računovodstvu NN 78/15 Croatian standard CoA (HSFI / MSFI for large entities) HR CoA template Currency Since Jan 2024: EUR only HRK phased out. All amounts in EUR. EUR default for HR orgs VAT rates Zakon o PDV (NN 73/13) 25% standard, 13% (food/hotels), 5% (books/medicines), 0% VAT rate selector per line item VAT filing Porezna uprava Monthly/quarterly PDV obrazac Export for manual filing (Porezna uprava portal) HR-FISK (eRačun) Zakon o elektroničkom izdavanju računa u javnoj nabavi (NN 94/18) + amendments Mandatory Jan 1, 2026 for B2B above threshold. FINA certificate required. UBL 2.1 XML HR-CIUS. Penalty up to EUR 500K HR-FISK API integration — Roadmap P2 FINA RGFI filing Zakon o računovodstvu Art. 30 April 30 In-app reminder + FINA export Retention Zakon o računovodstvu Art. 10 + Opći porezni zakon 11 years Delete-prevention lock Fiscalization 2.0 Pravilnik o fiskalizaciji Cash register fiscalization (if cash payments) Cash receipt module with Porezna uprava integration HR-FISK Priority: Croatia's eRačun mandate (Jan 2026) with EUR 500K penalty makes this the highest-priority e-invoicing integration. FINA certificate must be obtained during onboarding for HR organizations. 4. Controls Register Control ID Description Type Applies To Status CC-01 AES-256-GCM encryption for L4 Restricted fields (PIB, JMBG, OIB, JIB, IBAN) Technical RS, BA, HR Planned CC-02 Organization-scoped WHERE on all Prisma queries Technical All Planned CC-03 RBAC with 4 roles (owner/admin/accountant/viewer) Technical All Planned CC-04 JWT RS256 with 15min expiry + refresh token rotation Technical All Planned CC-05 TLS 1.3 minimum via Cloudflare Technical All Active CC-06 LoggedAction audit trail (append-only, 10-11yr retention) Technical All Planned CC-07 DPA signed with Railway, Cloudflare, Sentry Legal All Required pre-launch CC-08 SEF integration for RS B2B e-invoicing Technical RS P2 Roadmap CC-09 HR-FISK integration + FINA certificate flow Technical HR P2 Roadmap CC-10 Data subject rights endpoints (/gdpr/export, /gdpr/delete) Technical All Planned CC-11 72-hour breach notification procedure to Poverenik/AZLP/AZOP Procedural All Required pre-launch CC-12 Privacy Policy in Serbian, Bosnian, Croatian Legal RS, BA, HR Required pre-launch CC-13 Terms of Service with data processing consent Legal All Required pre-launch CC-14 VAT rate validation per jurisdiction Technical RS, BA, HR Planned CC-15 Retention lock preventing deletion of accounting records during mandatory retention period Technical All Planned 5. Compliance Roadmap gantt title Bilko Compliance Roadmap dateFormat YYYY-MM section Phase 1 — MVP (pre-launch) GDPR/ZZPL core controls : 2026-03, 2026-05 DPAs signed : 2026-04, 2026-05 Privacy Policy (3 languages) : 2026-04, 2026-05 Terms of Service : 2026-04, 2026-05 DPIA completed : 2026-04, 2026-05 section Phase 2 — RS Launch SEF e-invoice integration : 2026-06, 2026-08 RS CoA + APR export : 2026-06, 2026-07 RS VAT reporting : 2026-06, 2026-07 section Phase 3 — BA Launch BA entity detection (FBiH vs RS) : 2026-09, 2026-10 BA CoA templates : 2026-09, 2026-10 UIO VAT export : 2026-09, 2026-10 section Phase 4 — HR Launch HR-FISK + FINA cert flow : 2026-10, 2026-12 HR CoA + EUR amounts : 2026-10, 2026-11 Porezna uprava PDV export : 2026-10, 2026-11 FINA RGFI export : 2026-10, 2026-11 Approval Role Name Signature Date Author DPO / Compliance Officer 2026-02-23 Reviewer (CTO) Reviewer (RS Legal) Reviewer (BA Legal) Reviewer (HR Legal) Approver CEO