
Compliance Framework

Compliance Framework Document

Project: Bilko — Balkan Accounting SaaS
Version: 1.0
Date: 2026-02-23
Author: Compliance Architect
Status: Draft
Reviewers: DPO, Legal Counsel, CEO
Classification: Confidential

Document History

| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-23 | Compliance Architect | Initial draft — three-country compliance mapping RS/BA/HR |

1. Applicable Regulations

Compliance Owner: Compliance Architect ([email protected])
External Auditor: To be engaged (Phase 2)
Last Review: 2026-02-23 | Next Review: 2026-08-23

| Regulation | Country | Applicability | Status |
|---|---|---|---|
| GDPR — Regulation (EU) 2016/679 | HR | Directly applicable — EU member | Phase 1 |
| Zakon o zaštiti podataka o ličnosti (ZZPL, Sl. glasnik RS 87/2018) | RS | GDPR-aligned — in force Nov 2018 | Phase 2 |
| Zakon o zaštiti ličnih podataka (ZZLP, Sl. glasnik BiH 49/2006, 76/2011) | BA | State-level data protection law | Phase 3 |
| Zakon o računovodstvu (Sl. glasnik RS 73/2019, 44/2021) | RS | Accounting law, double-entry, retention | Phase 2 |
| Zakon o računovodstvu i reviziji FBiH (Sl. novine FBiH 83/2009, 56/2023) | BA (FBiH) | Accounting and audit law | Phase 3 |
| Zakon o računovodstvu i reviziji RS BiH (Sl. glasnik RS BiH 96/2005) | BA (RS) | Accounting and audit law | Phase 3 |
| Zakon o računovodstvu HR (NN 78/15, 120/16, 116/18) | HR | Accounting law, CFRS, retention | Phase 2 |
| Zakon o PDV (Sl. glasnik RS 84/2004 et al.) | RS | VAT law, 20%/10%/0% rates | Phase 2 |
| Zakon o PDV BiH (Sl. glasnik BiH 9/2005 et al.) | BA | VAT law, 17%/0% rates, UIO | Phase 3 |
| Zakon o porezu na dodanu vrijednost HR (NN 73/13 et al.) | HR | VAT law, 25%/13%/5%/0%, ePorezna | Phase 2 |
| Zakon o elektronskom dokumentu (Sl. glasnik RS 51/2009) | RS | Legal validity of electronic records | Phase 2 |
| Opći porezni zakon HR (NN 115/16 et al.) | HR | General tax law framework | Phase 2 |
| Pravilnik o kontnom okviru RS (2021) | RS | Chart of accounts standard | Phase 2 |
| FBiH Pravilnik o kontnom okviru (2022) | BA (FBiH) | Chart of accounts standard | Phase 3 |
| RRiF Kontni plan HR | HR | Standard chart of accounts | Phase 2 |

2. Serbia (RS) — Regulatory Compliance

2.1 Data Protection — Zakon o zaštiti podataka o ličnosti (ZZPL)

Full name: Zakon o zaštiti podataka o ličnosti
Citation: Sl. glasnik RS br. 87/2018
In force: November 21, 2018
Description: Serbia's GDPR-aligned personal data protection law. Mirrors GDPR structure and principles.
Supervisory authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (Commissioner for Information of Public Importance and Personal Data Protection)
Website: https://www.poverenik.rs

| Requirement | ZZPL Article | Bilko Implementation |
|---|---|---|
| Lawful basis for processing | Art. 12 | Contract (Art. 12 st. 1 tač. 2) — accounting service delivery |
| Data minimization | Art. 5 st. 1 tač. 3 | Collect only email, name, tax ID (PIB/JMBG) — required for invoicing |
| Data subject rights (access, erasure, portability) | Art. 26-41 | Endpoints: GET /account/data, DELETE /account, GET /account/export |
| Register of processing activities | Art. 50 | Internal processing register — required |
| Security of processing | Art. 50 | TLS 1.3 + AES-256 + bcrypt + RBAC |
| Breach notification to Poverenik | Art. 56 | Within 72 hours of becoming aware |
| Cross-border data transfer | Art. 64-65 | Railway EU West — within ZZPL scope |

Breach notification contact:

  • Authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti
  • Address: Bulevar kralja Aleksandra 15, 11000 Belgrade
  • Email: [email protected]
  • Deadline: 72 hours from awareness (ZZPL Art. 56)

2.2 Accounting Law — Zakon o računovodstvu

Full name: Zakon o računovodstvu
Citation: Sl. glasnik RS br. 73/2019, 44/2021
Description: Defines accounting obligations for all legal entities in Serbia.

| Requirement | Bilko Implementation |
|---|---|
| Double-entry bookkeeping mandatory | Prisma schema enforces debitAccountId + creditAccountId — debit = credit validated |
| Chart of accounts: Pravilnik o kontnom okviru (2021) — 10 class system (0-9) | Serbian CoA seed data with standard 3-digit accounts |
| Financial statements required: Bilans stanja (Balance Sheet), Bilans uspeha (Income Statement) | Report generation module (Phase 2) |
| Large entities: Izveštaj o novčanim tokovima (Cash Flow), Napomene (Notes) | Phase 2 |
| Filing institution: APR (Agencija za privredne registre) — https://www.apr.gov.rs | PDF export in Serbian format |
| Annual filing deadline: June 30 | Filing reminders in app |
| Document retention: 10 years | Soft delete — financial records never hard deleted |

2.3 VAT Law — Zakon o PDV

Full name: Zakon o porezu na dodatu vrednost
Citation: Sl. glasnik RS br. 84/2004, 86/2004, 61/2005 et al. (consolidated)
Description: Serbia's VAT law.

| Rate | Description | Application |
|---|---|---|
| 20% (opšta stopa) | Standard rate | General goods and services |
| 10% (snižena stopa) | Reduced rate | Food, medicines, utilities |
| 0% | Zero rate | Exports, international transport |

VAT registration threshold: 8,000,000 RSD annual turnover
Return frequency: Monthly (>50M RSD) or Quarterly (<50M RSD)
Filing deadline: 15th of following month
Portal: ePorezi — https://www.poreskauprava.gov.rs
Penalties: 50,000 – 2,000,000 RSD for SEF non-compliance

2.4 E-Invoice — SEF (Sistem e-Faktura)

Platform: https://efaktura.gov.rs
Mandatory since:

  • B2G (suppliers to government): May 2022
  • B2B (business-to-business): January 2023

Format: UBL 2.1 XML
Integration: API available — @bilko/country-rs package (Phase 2)
Penalties: 50,000 – 2,000,000 RSD for non-compliance

2.5 Electronic Document Law

Full name: Zakon o elektronskom dokumentu, elektronskoj identifikaciji i uslugama od poverenja u elektronskom poslovanju
Citation: Sl. glasnik RS br. 94/2017
Description: Legal validity of electronic documents and digital signatures.

Bilko-generated invoices and reports constitute valid electronic documents when:

  • Generated by certified accounting software
  • Stored immutably with audit trail
  • Exportable in PDF/XML format

2.6 APR Filing


3. Bosnia & Herzegovina (BA) — Regulatory Compliance

Complexity: BiH has two entities (FBiH and Republika Srpska) with parallel legislation. VAT is unified at state level via UIO. Direct taxes are administered separately per entity.

3.1 Data Protection — Zakon o zaštiti ličnih podataka BiH

Full name: Zakon o zaštiti ličnih podataka Bosne i Hercegovine
Citation: Sl. glasnik BiH br. 49/2006, 76/2011, 89/2011
Description: State-level personal data protection law. Pre-GDPR but aligned in principles.
Supervisory authority: Agencija za zaštitu ličnih podataka Bosne i Hercegovine (AZLP)
Website: https://www.azlp.ba

The same state-level law applies across both FBiH and Republika Srpska.

| Requirement | ZZLP Article | Bilko Implementation |
|---|---|---|
| Lawful basis for processing | Art. 4 | Contract (accounting service delivery) + legal obligation (tax records) |
| Data security measures | Art. 14 | TLS 1.3 + AES-256 + bcrypt + RBAC |
| Cross-border transfer | Art. 18 | Railway EU West — outside BiH; SCCs mechanism |
| Breach notification to AZLP | Art. 14 + GDPR practice | 72 hours |
| Data subject rights | Art. 5-10 | Same endpoints as RS |

Breach notification contact:

  • Authority: Agencija za zaštitu ličnih podataka Bosne i Hercegovine (AZLP)
  • Address: Hamdije Čemerlića 2/VI, 71000 Sarajevo
  • Email: [email protected]
  • Deadline: 72 hours (following GDPR best practice)

3.2 FBiH — Accounting Law

Full name: Zakon o računovodstvu i reviziji Federacije Bosne i Hercegovine
Citation: Sl. novine FBiH br. 83/2009, 56/2023
Description: Accounting and audit law for Federation of BiH.

| Requirement | Bilko Implementation |
|---|---|
| Double-entry bookkeeping | Enforced by schema |
| Chart of accounts: FBiH Pravilnik (2022) — 10 class system (0-9) | BiH CoA seed data |
| Financial statements: Bilans stanja, Bilans uspeha | Report generation module (Phase 3) |
| Filing institution: Agency of Financial Information (FBiH) | PDF export |
| Annual filing deadline: March 31 | Filing reminders |
| Document retention: 10 years | Immutable storage |

3.3 Republika Srpska (BiH Entity) — Accounting Law

Full name: Zakon o računovodstvu i reviziji Republike Srpske
Citation: Sl. glasnik RS BiH br. 96/2005, 74/2016
Description: Accounting and audit law for Republika Srpska entity of BiH.

| Requirement | Bilko Implementation |
|---|---|
| Double-entry bookkeeping | Enforced by schema |
| Filing institution: Tax Administration of RS (BiH entity) | PDF export |
| Annual filing deadline: March 31 | Filing reminders |
| Document retention: 11 years | Maximum retention applied across entities |

3.4 VAT — Zakon o PDV BiH

Full name: Zakon o porezu na dodanu vrijednost Bosne i Hercegovine
Citation: Sl. glasnik BiH br. 9/2005, 35/2005, 100/2008 et al.
Description: Unified VAT law administered at state level. No reduced rates.
Administering authority: UIO — Uprava za indirektno oporezivanje (Indirect Taxation Authority)
Portal: https://www.uino.gov.ba

| Rate | Description |
|---|---|
| 17% (opća stopa) | Standard rate — all goods and services |
| 0% | Exports |

Registration threshold: 100,000 BAM annual turnover
Return frequency: Monthly
Filing deadline: Check UIO portal

3.5 E-Invoice — CPF (Central Platform for Fiscalisation)

Status: PENDING — technical specifications not yet published
Law adopted: January 2026 (FBiH only)
Expected availability: ~2027

Bilko decision: Do NOT implement CPF integration until technical specs are published. Monitor UIO and FBiH government portals for updates. BiH is Phase 3 launch.

3.6 Corporate Income Tax

| Entity | CIT Rate | Filing Deadline |
|---|---|---|
| FBiH | 10% | March 31 |
| RS (BiH entity) | 10% | March 31 |

Bilko provides CIT calculation support — separate fields for FBiH vs RS entity in organization settings.


4. Croatia (HR) — Regulatory Compliance

Note: Croatia is an EU member state. GDPR applies directly without separate national transposition law.

4.1 Data Protection — GDPR

Applicable law: GDPR — Regulation (EU) 2016/679 (directly applicable)
National implementing act: Zakon o provedbi Opće uredbe o zaštiti podataka (NN 42/2018)
Supervisory authority: AZOP — Agencija za zaštitu osobnih podataka
Website: https://azop.hr

| Requirement | GDPR Article | Bilko Implementation |
|---|---|---|
| Lawful basis | Art. 6 | Contract (6.1.b) for service; legal obligation (6.1.c) for tax |
| Data minimization | Art. 5(1)(c) | Collect OIB (Croatian tax ID), name, email only |
| Right to access | Art. 15 | GET /api/v1/account/data |
| Right to erasure | Art. 17 | DELETE /api/v1/account (PII anonymized; financial records retained per law) |
| Right to portability | Art. 20 | GET /api/v1/account/export (JSON) |
| Security of processing | Art. 32 | TLS 1.3 + AES-256 + bcrypt + RBAC |
| Breach notification to AZOP | Art. 33 | Within 72 hours |
| DPIA | Art. 35 | This document covers accounting data |
| DPA with processors | Art. 28 | Required with Railway, Vercel, Cloudflare, SendGrid |

Breach notification contact:

  • Authority: AZOP — Agencija za zaštitu osobnih podataka
  • Address: Selska cesta 136, 10000 Zagreb
  • Email: [email protected]
  • Portal: https://azop.hr/prijavapovrede
  • Deadline: 72 hours from awareness (GDPR Art. 33)

4.2 Accounting Law — Zakon o računovodstvu

Full name: Zakon o računovodstvu
Citation: NN 78/15, 120/16, 116/18, 42/20, 47/20
Description: Croatian accounting law, aligns with EU Accounting Directive.

| Requirement | Bilko Implementation |
|---|---|
| Double-entry bookkeeping | Enforced by schema |
| Chart of accounts: RRiF standard — 10 class system (0-9) | HR CoA seed data |
| Accounting standards: CFRS (for SMEs) or IFRS (PIEs) | CFRS-compliant reports |
| Financial statements: Bilanca, Račun dobiti i gubitka, Izvještaj o novčanim tokovima | Report generation module (Phase 2) |
| Filing via RGFI (Registar godišnjih financijskih izvještaja) | FINA filing |
| Filing institution: FINA — Financijska agencija — https://www.fina.hr | |
| Annual filing deadline: April 30 | Filing reminders |
| Document retention: 11 years | Immutable storage |

4.3 General Tax Law — Opći porezni zakon

Full name: Opći porezni zakon
Citation: NN 115/16, 106/18, 121/19, 32/20 et al.
Description: Framework tax law governing all Croatian taxes, including penalties for VAT non-compliance.

Relevant to Bilko: Defines document retention (11 years), electronic record acceptance, and obligations for digital accounting systems.

4.4 VAT Law — Zakon o porezu na dodanu vrijednost

Full name: Zakon o porezu na dodanu vrijednost
Citation: NN 73/13, 148/13, 143/14 et al.
Description: Croatian VAT law implementing EU VAT Directive.
Portal: ePorezna — https://www.porezna-uprava.hr

| Rate | Description | Application |
|---|---|---|
| 25% (opća stopa) | Standard rate | General goods and services |
| 13% (srednja stopa) | Intermediate rate | Certain foods, water supply, accommodation, newspapers |
| 5% (snižena stopa) | Reduced rate | Books, baby food, prescription medicines |
| 0% | Zero rate | Exports, intra-EU supply |

Registration threshold: 60,000 EUR annual turnover
Return frequency: Monthly
Filing deadline: Last day of following month

4.5 E-Invoice — HR-FISK / eRačun

Platform: https://hr-fisk.fina.hr
Operator: FINA — Financijska agencija
Status: Mandatory since January 1, 2026 (all B2B, B2G, B2C)
Format: UBL 2.1 XML with HR-CIUS (Croatian Implementation User Specification)
Protocol: AS4 (Peppol-compatible)
Certificate: FINA qualified certificate required

Integration: @bilko/country-hr package (Phase 2) — FINA API integration required
Penalties: Up to 500,000 EUR for non-compliance (severe)
Archive requirement: 11 years

4.6 FINA Reporting

4.7 HNB (Hrvatska narodna banka)

For organizations with foreign currency transactions, HNB reporting may apply. Bilko supports EUR (Croatia's official currency since January 2024), with historical HRK support for data migration.


5. Cross-Country Compliance Matrix

| Requirement | Serbia (RS) | Bosnia & Herzegovina (BA) | Croatia (HR) |
|---|---|---|---|
| Data protection law | ZZPL (GDPR-aligned, 2018) | ZZLP BiH (state-level, 2006) | GDPR (directly applicable) |
| Supervisory authority | Poverenik | AZLP | AZOP |
| Breach notification deadline | 72 hours | 72 hours (best practice) | 72 hours (GDPR Art. 33) |
| Double-entry bookkeeping | ✅ Mandatory | ✅ Mandatory | ✅ Mandatory |
| Standard VAT rate | 20% | 17% | 25% |
| Reduced VAT rate | 10% | None | 13% and 5% |
| VAT return frequency | Monthly/Quarterly | Monthly | Monthly |
| VAT filing deadline | 15th of next month | TBD (UIO) | Last day of next month |
| E-invoice platform | SEF (mandatory since Jan 2023) | CPF (pending ~2027) | HR-FISK (mandatory since Jan 2026) |
| E-invoice format | UBL 2.1 XML | TBD | UBL 2.1 XML (HR-CIUS) |
| Annual report filing | APR — June 30 | Agency of Financial Info / Tax Admin RS — March 31 | FINA RGFI — April 30 |
| Chart of accounts | Pravilnik (2021) | FBiH Pravilnik (2022) | RRiF standard |
| Document retention | 10 years | 10 years (FBiH) / 11 years (RS entity) | 11 years |
| Currency | RSD | BAM | EUR |
| Corporate income tax | 15% | 10% (both entities) | 18% (10% if revenue <1M EUR) |

Bilko retention policy: Apply maximum retention across all markets — 11 years for all financial records. Financial data is never hard-deleted.


6. Data Classification Scheme

| Level | Label | Examples | Controls Required |
|---|---|---|---|
| L1 | Public | Exchange rates, fee schedule, privacy policy | None |
| L2 | Internal | Aggregated analytics, non-PII logs | Access control |
| L3 | Confidential | User email, name, organization data, invoice amounts | Encryption + access control + audit log |
| L4 | Restricted | Tax IDs (PIB/JMBG/OIB/JIB), bank account numbers, TOTP secrets | Encryption + RBAC + MFA + audit + 10-year retention |

Tax ID handling:

  • Serbia: PIB (Poreski identifikacioni broj) — 9 digits; JMBG (Jedinstveni matični broj građana) — 13 digits
  • BiH: JIB (Jedinstveni identifikacioni broj) — 13 digits
  • Croatia: OIB (Osobni identifikacijski broj) — 11 digits

All tax IDs treated as L4 Restricted data. Stored with access logging. Never included in JWT payloads or logs.
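One way to enforce the "never in JWT payloads or logs" rule from the classification scheme, as an added example (not Bilko project code): a log redactor that masks the tax-ID field names and the 9/11/13-digit runs listed above, and a guard that flags tax-ID claims before a token is signed. The field names `pib`, `jmbg`, `jib` and `oib` and the sample log record are assumptions constructed for illustration.

```typescript
// Added example, not part of the Bilko code base. Assumes the L4 tax-ID fields are named
// pib / jmbg / jib / oib and that they carry the digit lengths given in section 6.
const TAX_ID_FIELDS: readonly string[] = ["pib", "jmbg", "jib", "oib"];

// Masks a tax ID, keeping only the last two digits so support can still correlate a record.
function maskTaxId(value: string): string {
  const digits = value.replace(/\D/g, "");
  if (digits.length < 4) return "***";
  return "*".repeat(digits.length - 2) + digits.slice(-2);
}

// Walks a log record and redacts (a) any field whose name is a tax-ID field and
// (b) any bare 9-, 11- or 13-digit run (PIB / OIB / JMBG-JIB lengths) inside strings.
function redactForLog(input: unknown): unknown {
  if (typeof input === "string") {
    return input.replace(/\b(?:\d{9}|\d{11}|\d{13})\b/g, (m) => maskTaxId(m));
  }
  if (Array.isArray(input)) return input.map(redactForLog);
  if (input !== null && typeof input === "object") {
    const out: Record<string, unknown> = {};
    for (const [key, val] of Object.entries(input as Record<string, unknown>)) {
      out[key] = TAX_ID_FIELDS.includes(key.toLowerCase())
        ? typeof val === "string" ? maskTaxId(val) : "***"
        : redactForLog(val);
    }
    return out;
  }
  return input; // numbers, booleans, null, undefined pass through unchanged
}

// Returns the names of any L4 tax-ID claims present in a JWT claim set; a non-empty
// result means the token must not be issued. Case-insensitive on purpose.
function findTaxIdClaims(claims: Record<string, unknown>): string[] {
  return Object.keys(claims).filter((k) => TAX_ID_FIELDS.includes(k.toLowerCase()));
}

// Constructed sample log record (not real data) showing both redaction paths.
const sampleLogRecord = {
  msg: "invoice created",
  user: { oib: "12345678901", email: "ana@example.com" },
  note: "customer PIB 123456789 verified",
};
```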


7. Data Subject Rights Implementation

| Right | Endpoint | SLA | Notes |
|---|---|---|---|
| Access (Art. 15 GDPR / ZZPL Art. 26 / ZZLP Art. 8) | GET /api/v1/account/data | 30 days | Returns user + org + invoices + expenses |
| Rectification (Art. 16) | PATCH /api/v1/account/profile | Immediate | Email, name |
| Erasure (Art. 17) | DELETE /api/v1/account | 30 days | PII anonymized; financial records retained per law |
| Portability (Art. 20) | GET /api/v1/account/export | 30 days | JSON export |
| Restriction (Art. 18) | [email protected] | 30 days | Manual process |
| Objection (Art. 21) | [email protected] | 30 days | Not applicable for contract processing |

Erasure exception: Financial records (invoices, expenses, transactions) are retained for the legally required period (10-11 years depending on country) even after user account erasure. Only PII (email, name, password hash) is anonymized.
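The erasure semantics described above (anonymize PII, retain financial records for the statutory period) as an added example that is not Bilko project code: an in-memory store and record shapes stand in for the Prisma models, and the 11-year figure is the cross-market maximum from section 5. Field names, the pseudonym format and the sample records are assumptions constructed for illustration.

```typescript
// Added example, not part of the Bilko code base. Data shapes and the in-memory Store are
// assumptions standing in for the project's database models.
import { createHash } from "crypto";

interface User { id: string; email: string; name: string; passwordHash: string; deletedAt?: string }
interface Invoice { id: string; userId: string; amountCents: number; issuedAt: string }
interface Store { users: User[]; invoices: Invoice[] }
interface ErasureReport { anonymized: boolean; invoicesRetained: number; retainUntil: string | null }

// Section 5 policy: apply the maximum retention across all markets.
const RETENTION_YEARS = 11;

// Replaces PII with a stable pseudonym. The row itself is kept so ledger rows that
// reference the user remain consistent; the empty password hash makes login impossible.
function anonymizeUser(user: User, now: Date): User {
  const token = createHash("sha256").update(user.id).digest("hex").slice(0, 16);
  return {
    ...user,
    email: `deleted-${token}@anonymized.invalid`,
    name: "Deleted user",
    passwordHash: "",
    deletedAt: now.toISOString(),
  };
}

// Retention end for a user's invoices: RETENTION_YEARS after the newest issue date.
function retentionEnd(invoices: Invoice[]): string | null {
  if (invoices.length === 0) return null;
  const newest = Math.max(...invoices.map((i) => new Date(i.issuedAt).getTime()));
  const end = new Date(newest);
  end.setUTCFullYear(end.getUTCFullYear() + RETENTION_YEARS);
  return end.toISOString();
}

// DELETE /api/v1/account semantics from section 7: PII is anonymized in place and
// financial records are counted, never removed. Returns a report the caller can log.
function eraseAccount(store: Store, userId: string, now: Date = new Date()): ErasureReport {
  const idx = store.users.findIndex((u) => u.id === userId);
  if (idx === -1) return { anonymized: false, invoicesRetained: 0, retainUntil: null };
  store.users[idx] = anonymizeUser(store.users[idx], now);
  const mine = store.invoices.filter((i) => i.userId === userId);
  return { anonymized: true, invoicesRetained: mine.length, retainUntil: retentionEnd(mine) };
}

// Constructed sample records (not real data).
const sampleStore: Store = {
  users: [{ id: "u1", email: "ana@example.com", name: "Ana", passwordHash: "bcrypt-hash-placeholder" }],
  invoices: [
    { id: "inv1", userId: "u1", amountCents: 120000, issuedAt: "2026-01-15T00:00:00.000Z" },
    { id: "inv2", userId: "u1", amountCents: 45000, issuedAt: "2025-06-01T00:00:00.000Z" },
  ],
};
```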


8. Third-Party Data Processors

| Processor | Service | Data Shared | Region | DPA Required |
|---|---|---|---|---|
| Railway | PostgreSQL hosting | All accounting data | EU West (Frankfurt/Paris) | Yes — sign before launch |
| Vercel | Frontend hosting | None (static only) | Global (EU edge for EU users) | Yes |
| Cloudflare | CDN, WAF, R2 storage | IP addresses, file attachments | EU region | Yes |
| SendGrid | Transactional email | Email addresses, invoice PDFs | EU region | Yes |

DPA status: All DPAs must be signed before first paying customer. Railway EU West region must be explicitly configured to ensure EU data residency.


9. Compliance Roadmap

Phase 1 — Pre-Launch (GDPR baseline)

  • Privacy policy published (HR GDPR applicable immediately; RS/BA when launched)
  • Terms of Service published
  • User consent mechanism at registration
  • Data deletion workflow implemented and tested
  • Data export endpoint implemented
  • DPAs signed with Railway, Vercel, Cloudflare, SendGrid
  • Railway EU West region confirmed
  • Breach notification process documented

Phase 2 — Serbia Launch (3-6 months)

Phase 2 — Croatia Launch (concurrent or shortly after)

Phase 3 — BiH Launch (12-18 months)


10. Risk Assessment

| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| GDPR/ZZPL data breach fine | Low (if compliant) | High (GDPR up to €20M / ZZPL up to RSD 2M) | Full GDPR/ZZPL implementation before first customer |
| SEF non-compliance (Serbia) | Medium (if not integrated) | High (RSD 2M fine) | Phase 2 SEF integration before Serbia B2B launch |
| HR-FISK non-compliance (Croatia) | High (if not integrated) | Critical (EUR 500K fine) | Phase 2 HR-FISK integration — mandatory |
| Financial data loss | Low | Critical | 30-day Railway backups, immutable audit trail |
| Tax calculation error (VAT) | Low | High (penalties + reputational) | Configurable tax rates per country, Zod validation |
| BiH CPF delay | Medium | Low (launch delayed) | Phase 3 planned, not blocking Serbia/Croatia |


Approval

| Role | Name | Date | Signature |
|---|---|---|---|
| Author | Compliance Architect | 2026-02-23 | |
| DPO | | | |
| Legal Counsel | | | |
| CEO | | | |