Compliance Framework

Compliance Framework Document

~~Project:~~Project / Organization: ~~Bilko~~ALAI Holding AS — ~~Balkan~~Drop ~~Accounting~~Payment ~~SaaS~~App Policy Number: POL-COMP-FW-001 Version: 1.0 Date: 2026-02-23 Author: ~~Compliance~~Security Architect Status: Draft Reviewers: DPO, Legal Counsel, CEO Classification: Confidential

Document History

Version	Date	Author	Changes
0.1	2026-02-23	~~Compliance~~Security Architect	Initial draft — ~~three-country~~Drop payment app multi-jurisdiction compliance mapping ~~RS/BA/HR~~

1. Applicable Regulations

Compliance Owner: ~~Compliance~~Security Architect / DPO (~~[email protected])~~[email protected]) ~~External Auditor:~~Company: ToALAI beHolding ~~engaged~~AS (~~Phase~~org.nr 2)932 516 136), incorporated in Norway ~~Last Review:~~Domain: ~~2026-02-23 |~~getdrop.no ~~Next~~Business ~~Review:~~Model: ~~2026-08-23~~PSD2 pass-through payment app — NEVER holds customer money; AISP reads bank balances, PISP initiates payments from user's bank account. Service: Remittance to 30+ countries + QR payments in Norway Users: All residents of Norway, 18+ years, with Norwegian BankID

Primary Jurisdiction: Norway

Drop is incorporated in Norway under Norwegian law. All primary regulatory obligations flow from Norwegian legislation and Finanstilsynet supervision.

Regulation	~~Country~~Norwegian Law	~~Applicability~~Relevance
PSD2 (Payment Services)	Betalingstjenesteloven (LOV-2018-11-23-85)	Core — legal basis for payment operations
AML/CFT	Hvitvaskingsloven (LOV-2018-06-01-23) + Hvitvaskingsforskriften (FOR-2018-09-14-1324)	Core — anti-money laundering obligations
GDPR	Personopplysningsloven (LOV-2018-06-15-38)	Core — personal data protection
Financial Enterprises	Finansforetaksloven (LOV-2015-04-10-17)	Licensing, governance, capital requirements
ICT Security	IKT-forskriften (FOR-2003-05-21-630)	ICT security for financial enterprises
Digital Operational Resilience	DORA (EU) 2022/2554	Norway incorporation expected ~2026 H2
Currency Registry	Valutaregisterloven (LOV-2003-06-06-39)	Cross-border payment reporting to SSB
Consumer Protection	Finansavtaleloven (LOV-2020-11-13-125)	Payment terms, user rights, fee transparency
Electronic Signatures	eIDAS / LOV-2001-06-15-81	BankID as qualified electronic identification

Remittance Corridor Jurisdictions

Drop sends remittances to 30+ countries. Regulatory obligations in these corridors:

Destination Region	Key Regulations	Drop Obligations
EU/EEA (Eurozone, Croatia, etc.)	GDPR (free data flow), EU AML	Standard KYC; no SCCs needed for data
Serbia	ZZPL (Zakon o zaštiti podataka, LOV RS 87/2018)	Standard KYC; SCC + TIA for data transfers
Bosnia & Herzegovina	ZZLP (Zakon o zaštiti ličnih podataka, SG BiH 49/06)	Standard KYC; SCC + TIA for data transfers
Turkey	Turkish Personal Data Protection Law (KVKK 6698/2016)	FATF monitoring list — enhanced KYC
Pakistan	Pakistan Personal Data Protection Act	FATF monitoring — enhanced due diligence

Note: Drop's obligations in corridor jurisdictions are primarily fulfilled by the receiving payment institution. Drop's direct obligations are Norwegian-law based, supplemented by GDPR requirements for cross-border data transfers.

2. Licensing

Current Status

Drop is an MVP-stage application. No Finanstilsynet license has been obtained. Live transactions with real money are NOT permitted until a license is in place.

Licensing Pathway

Recommended path: Agent model (Option C) for initial launch, then full license (Option B) for scale.

Option A: Begrenset betalingsforetak (Limited Payment Institution)

Law: Betalingstjenesteloven § 2-10c

Requirement	Detail
Monthly transaction volume	Max 6 million NOK/month (12-month average)
Capital requirement	None
Application timeline	3-6 months
EEA passporting	NO — Norway only
Fit & proper	Directors and beneficial owners
AML	Full compliance required

Drop fit: Initial launch — allows ~3,000 remittances of 2,000 NOK average/month.

Option B: Ordinaert betalingsforetak (Full Payment Institution)

Law: Betalingstjenesteloven §§ 2-3 to 2-10

Requirement	Detail
Initial capital	125,000 EUR (~1.4M NOK) for remittance services
Application timeline	6-12 months
EEA passporting	YES — enables Sweden/Denmark
Governance	Board, compliance officer, internal audit
Safeguarding	Client funds in segregated account or guarantee

Drop fit: Target license for Scandinavian scale.

Option C: Agent Model (recommended for Phase 1)

Law: Betalingstjenesteloven § 2-12

Requirement	Detail
Structure	Drop operates as agent of licensed payment institution
Capital	None required from Drop
Timeline	1-3 months
Liability	Principal (licensed PSP) is responsible

Target partners: Licensed Norwegian PSPs or BaaS providers (Swan, Modulr, Banking Circle).

3. PSD2 / Betalingstjenesteloven

Strong Customer Authentication (SCA)

Law: Betalingstjenesteloven §§ 4-28, 4-29; Delegated Regulation (EU) 2018/389

§ Art.

Requirement	Section	Status
~~GDPR~~Two-factor ~~— Regulation (EU) 2016/679~~authentication	HR	~~Directly applicable — EU member~~4-28	Phase 12: BankID (possession + knowledge)
~~Zakon~~Dynamic ~~o zaštiti podataka o ličnosti (ZZPL, Sl. glasnik RS 87/2018)~~linking	RSArt. 5 (Del. Reg.)	~~GDPR-aligned~~Phase —2: inamount ~~force~~+ ~~Nov~~payee ~~2018~~tied to BankID signing
90-day re-authentication	Art. 10 (Del. Reg.)	Phase 2
~~Zakon~~Low-value ~~o zaštiti ličnih podataka~~exemption (~~ZZLP,~~<500 ~~Sl. glasnik BiH 49/2006, 76/2011)~~NOK)	BA	~~State-level data protection law~~	~~Phase 3~~
~~Zakon o računovodstvu (Sl. glasnik RS 73/2019, 44/2021)~~	RS	~~Accounting law, double-entry, retention~~	~~Phase 2~~
~~Zakon o računovodstvu i reviziji FBiH (Sl. novine FBiH 83/2009, 56/2023)~~	~~BA (FBiH)~~	~~Accounting and audit law~~	~~Phase 3~~
~~Zakon o računovodstvu i reviziji RS BiH (Sl. glasnik RS BiH 96/2005)~~	~~BA (RS)~~	~~Accounting and audit law~~	~~Phase 3~~
~~Zakon o računovodstvu HR (NN 78/15, 120/16, 116/18)~~	HR	~~Accounting law, CFRS, retention~~	~~Phase 2~~
~~Zakon o PDV (Sl. glasnik RS 84/2004 et al.)~~	RS	~~VAT law, 20%/10%/0% rates~~	~~Phase 2~~
~~Zakon o PDV BiH (Sl. glasnik BiH 9/2005 et al.)~~	BA	~~VAT law, 17%/0% rates, UIO~~	~~Phase 3~~
~~Zakon o porezu na dodanu vrijednost HR (NN 73/13 et al.)~~	HR	~~VAT law, 25%/13%/5%/0%, ePorezna~~	~~Phase 2~~
~~Zakon o elektronskom dokumentu (Sl. glasnik RS 51/2009)~~	RS	~~Legal validity of electronic records~~	~~Phase 2~~
~~Opći porezni zakon HR (NN 115/16 et al.)~~	HR	~~General tax law framework~~	~~Phase 2~~
~~Pravilnik o kontnom okviru RS (2021)~~	RS	~~Chart of accounts standard~~	~~Phase 2~~
~~FBiH Pravilnik o kontnom okviru (2022)~~	~~BA (FBiH)~~	~~Chart of accounts standard~~	~~Phase 3~~
~~RRiF Kontni plan HR~~	HR	~~Standard chart of accounts~~10-18	Phase 2

Current

2.state: SerbiaEmail + password only. SCA required for production launch.

Required implementation (RS)Phase —2):
Regulatory
Compliance

BankID OIDC for initial login (Level 4 eID)

Transaction signing with BankID for all payment initiation

Dynamic linking: display amount + payee in BankID signing dialog

Session timeout and re-authentication after 5 minutes inactivity

2.1Open Data Protection — Zakon o zaštiti podataka o ličnostiBanking (ZZPL)AISP/PISP)

~~Full name:~~Law: ~~Zakon~~Betalingstjenesteloven o§§ ~~zaštiti~~4-40 ~~podataka~~to o4-46

~~ličnosti~~

Service	Law	Requirement
AISP (read bank balances)	§ 4-41	AISP license or agent arrangement; explicit user consent
PISP (initiate payments)	§ 4-44	PISP license or agent arrangement; no storing bank credentials
Dedicated interface	§ 4-40	Use banks' PSD2 APIs (Bits, Tink, or direct bank APIs)

Consumer Information Requirements

~~Citation:~~Law: ~~Sl.~~Betalingstjenesteloven ~~glasnik~~kapittel ~~RS br. 87/2018~~ ~~In force:~~ ~~November 21, 2018~~ ~~Description:~~ ~~Serbia's GDPR-aligned personal data protection law. Mirrors GDPR structure~~3 and ~~principles.~~4; ~~Supervisory authority:~~ ~~Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (Commissioner for Information of Public Importance and Personal Data Protection)~~ ~~Website:~~ ~~https://www.poverenik.rs~~Finansavtaleloven

Requirement	~~ZZPL Article~~Section	~~Bilko~~Document
Pre-contractual information	§§ 3-1 to 3-8	Framework agreement (rammeavtale)
Per-transaction information	§§ 3-22 to 3-26	Transaction receipts
Fee transparency before authorization	§ 3-23	Pre-auth disclosure screen
Exchange rate disclosure	§ 3-24	FX rate + reference rate shown before confirmation
Execution time (non-EEA)	§ 4-15	Max D+4 business days
Complaint handling	§ 3-60	Klagebehandling procedure

4. AML/KYC — Hvitvaskingsloven

Customer Due Diligence (CDD)

Law: Hvitvaskingsloven §§ 10-18

Requirement	Section	Drop Implementation
~~Lawful~~Identity ~~basis for processing~~verification	~~Art.~~§ 12	~~Contract~~BankID (~~Art.~~covers 12name ~~st.~~+ 1fødselsnummer ~~tač.~~+ ~~2) — accounting service delivery~~DOB)
~~Data~~Electronic ~~minimization~~verification	~~Art.~~§ ~~5 st. 1 tač. 3~~12(3)	~~Collect~~BankID ~~only~~is ~~email,~~approved ~~name,~~electronic ~~tax ID (PIB/JMBG) — required for invoicing~~method
~~Data~~Source ~~subject~~of ~~rights~~funds (~~access,~~large ~~erasure, portability)~~amounts)	~~Art.~~§ ~~26-41~~15	~~Endpoints:~~Trigger ~~GET~~above ~~/account/data, DELETE /account, GET /account/export~~thresholds
~~Register~~Purpose of ~~processing activities~~relationship	~~Art.~~§ 5012(1)d	~~Internal~~Registration ~~processing register — required~~questionnaire
~~Security~~Ongoing ~~of processing~~monitoring	~~Art.~~§ 5024	~~TLS~~Transaction ~~1.3~~monitoring ~~+ AES-256 + bcrypt + RBAC~~system
~~Breach~~Record ~~notification to Poverenik~~retention	~~Art.~~§ 5630	~~Within~~5 72years ~~hours~~after ofrelationship ~~becoming aware~~
~~Cross-border data transfer~~	~~Art. 64-65~~	~~Railway EU West — within ZZPL scope~~ends

~~Breach~~

KYC notification contact:

Authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti

Address: Bulevar kralja Aleksandra 15, 11000 Belgrade

Email: [email protected]

Deadline: 72 hours from awareness (ZZPL Art. 56)

2.2 Accounting Law — Zakon o računovodstvuTiers

~~Full name:~~ ~~Zakon o računovodstvu~~ ~~Citation:~~ ~~Sl. glasnik RS br. 73/2019, 44/2021~~ ~~Description:~~ ~~Defines accounting obligations for all legal entities in Serbia.~~

~~Implementation~~ of countries/individualsOFAC/UN/EU

~~Requirement~~Tier	~~Bilko~~Limit	Requirements	Corridor Risk
~~Double-entry bookkeeping mandatory~~Basic	~~Prisma~~Up ~~schema~~to ~~enforces~~1,000 ~~debitAccountId~~NOK/transaction, +5,000 ~~creditAccountId~~NOK/month	BankID verification only	Lav (Low) — ~~debit = credit validated~~EU/EEA
~~Chart~~Standard	Up ~~accounts:~~to ~~Pravilnik~~10,000 oNOK/transaction, ~~kontnom~~30,000 ~~okviru~~NOK/month	BankID + address verification	Middels (~~2021)~~Medium) — 10Serbia, ~~class system (0-9)~~	~~Serbian CoA seed data with standard 3-digit accounts~~BiH
~~Financial statements required: Bilans stanja (Balance Sheet), Bilans uspeha (Income Statement)~~Enhanced	~~Report~~Above ~~generation~~10,000 ~~module~~NOK/transaction	Full EDD: source of funds + senior management approval	Høy (~~Phase~~High) 2)— Pakistan, Turkey (FATF)
~~Large entities: Izveštaj o novčanim tokovima (Cash Flow), Napomene (Notes)~~Blocked	~~Phase~~Any 2amount
Sanctioned
~~Filing institution: APR (Agencija za privredne registre)~~Blokkert — ~~https://www.apr.gov.rs~~	~~PDF export in Serbian format~~
~~Annual filing deadline: June 30~~	~~Filing reminders in app~~
~~Document retention:~~ ~~10 years~~	~~Soft delete — financial records never hard deleted~~sanctioned

2.3Transaction VATMonitoring Law — Zakon o PDVRules

~~Full name:~~Law: ~~Zakon~~Hvitvaskingsloven o§§ ~~porezu~~24, na25

~~dodatu~~

Transactions ~~vrednost~~that must trigger investigation:

~~Citation:~~Structuring ~~Sl.~~— ~~glasnik~~multiple RStransactions ~~br.~~just ~~84/2004,~~below ~~86/2004,~~reporting ~~61/2005~~thresholds

Rapid ~~al.~~movement — large in/out within same day

Unusual corridors — sudden change in destination country

Volume spikes — significantly above customer's historical pattern

FATF jurisdiction — any transaction to FATF grey/black list countries

PEP match — customer or recipient on PEP list

Reporting: Suspicious Transaction Reports (~~consolidated)~~STR) ~~Description:~~filed ~~Serbia's~~with ~~VAT~~EFE ~~law.~~(Enheten for finansiell etterretning) via altinn.no. Tipping off the customer is prohibited (§ 28).

AML Risk Classification — Corridor Risk

~~Rate~~Corridor	~~Description~~Risk Level	~~Application~~Rationale
~~20%~~EU/EEA ~~(opšta stopa)~~countries	~~Standard~~Lav ~~rate~~(Low)	~~General~~Strong ~~goods~~AML ~~and~~frameworks, ~~services~~FATF compliant
~~10%~~Croatia (~~snižena stopa)~~HR)	~~Reduced~~Lav ~~rate~~(Low)	~~Food,~~EU ~~medicines,~~member ~~utilities~~state
0%Serbia (RS)	~~Zero~~Middels ~~rate~~(Medium)	~~Exports,~~FATF ~~international~~member, ~~transport~~not EU; targeted remittance risk
Bosnia & Herzegovina (BA)	Middels (Medium)	Enhanced monitoring; cash economy
Turkey (TR)	Høy (High)	FATF grey list (monitoring); elevated corridor risk
Pakistan (PK)	Høy (High)	FATF monitoring; common remittance corridor
OFAC/UN sanctioned countries	Blokkert	Transactions blocked entirely

~~VAT registration threshold:~~Source: ~~8,000,000 RSD annual turnover~~ ~~Return frequency:~~ ~~Monthly (>50M RSD) or Quarterly (<50M RSD)~~ ~~Filing deadline:~~ ~~15th of following month~~ ~~Portal:~~ ~~ePorezi — https:~~~//www.poreskauprava.gov.rs Penalties: 50,000 – 2,000,000 RSD for SEF non-compliance


2.4 E-Invoice — SEF (Sistem e-Faktura)

Platform: https://efaktura.gov.rs
Mandatory since:


B2G (suppliers to government): May 2022

B2B (business-to-business): January 2023


Format: UBL 2.1 XML
Integration: API available — @bilko/country-rsALAI/products/Drop/legal/hvitvaskingsrutiner.md package (Phase 2)
Penalties: 50,000 – 2,000,000 RSD for non-compliance

2.5 Electronic Document Law

Full name: Zakon o elektronskom dokumentu, elektronskoj identifikaciji i uslugama od poverenja u elektronskom poslovanju
Citation: Sl. glasnik RS br. 94/2017
Description: Legal validity of electronic documents and digital signatures.

Bilko-generated invoices and reports constitute valid electronic documents when:


Generated by certified accounting software

Stored immutably with audit trail

Exportable in PDF/XML format


2.6 APR Filing

All Serbian legal entities must file annual financial reports with APR (Agencija za privredne registre). Bilko generates reports in APR-compatible format for export. API integration planned (Phase 3).

3.5. BosniaGDPR &/ Herzegovina (BA) — Regulatory CompliancePersonopplysningsloven
Complexity:
Legal BiHBases hasfor two entities (FBiH and Republika Srpska) with parallel legislation. VAT is unified at state level via UIO. Direct taxes are administered separately per entity.

3.1 Data Protection — Zakon o zaštiti ličnih podataka BiHProcessing
Full name:Law: Zakon o zaštiti ličnih podataka Bosne i Hercegovine
Citation: Sl. glasnik BiH br. 49/2006, 76/2011, 89/2011
Description: State-level personal data protection law. Pre-GDPR butArt. aligned6; in principles.
Supervisory authority: Agencija za zaštitu ličnih podataka Bosne i HercegovinePersonopplysningsloven (AZLP)
Website: https://www.azlp.ba

The same state-level law applies across both FBiH and Republika Srpska.LOV-2018-06-15-38)



§












RequirementProcessing Activity
ZZLPLegal ArticleBasis
BilkoNorwegian ImplementationLaw Reference




LawfulUser basis for processing Art. 4registration
Contract performance Personopplysningsloven § 5, GDPR Art. 6(1)(accounting service delivery) + legal obligation (tax records)b)


DataKYC securityidentity measuresverification
Art.Legal 14obligation
TLSPersonopplysningsloven 1.3§ 6, GDPR Art. 6(1)(c) + AES-256Hvitvaskingsloven +§ bcrypt + RBAC12


Cross-borderPayment transferprocessing
Art.Contract 18performance
RailwayPersonopplysningsloven EU§ West5, —GDPR outsideArt. BiH; SCCs mechanism6(1)(b)


BreachTransaction notificationmonitoring to AZLP(AML)
Legal obligation Personopplysningsloven § 6, GDPR Art. 146(1)(c) + GDPRHvitvaskingsloven practice  72 hours24


DataFødselsnummer subject rightsprocessing
Art.Special 5-10legal basis
SamePersonopplysningsloven endpoints§ as12 RS(requires specific legal basis)
Error monitoring (Sentry) Legitimate interest GDPR Art. 6(1)(f)
Marketing Consent GDPR Art. 6(1)(a)



Breach
Data notificationSubject contact:


Authority: Agencija za zaštitu ličnih podataka Bosne i Hercegovine (AZLP)

Address: Hamdije Čemerlića 2/VI, 71000 Sarajevo

Email: [email protected]

Deadline: 72 hours (following GDPR best practice)


3.2 FBiH — Accounting LawRights

Full name: Zakon o računovodstvu i reviziji Federacije Bosne i Hercegovine
Citation: Sl. novine FBiH br. 83/2009, 56/2023
Description: Accounting and audit law for Federation of BiH.






























RequirementRight
BilkoGDPR Article Drop Implementation


Double-entry bookkeeping Enforced by schema
Chart of accounts: FBiH Pravilnik (2022) — 10 class system (0-9) BiH CoA seed data
Financial statements: Bilans stanja, Bilans uspeha Report generation module (Phase 3)
Filing institution: Agency of Financial Information (FBiH) PDF export
Annual filing deadline: March 31 Filing reminders
Document retention: 10 years Immutable storage

3.3 Republika Srpska (BiH Entity) — Accounting Law

Full name: Zakon o računovodstvu i reviziji Republike Srpske
Citation: Sl. glasnik RS BiH br. 96/2005, 74/2016
Description: Accounting and audit law for Republika Srpska entity of BiH.


























Requirement Bilko Implementation
Double-entry bookkeeping Enforced by schema
Filing institution: Tax Administration of RS (BiH entity) PDF export
Annual filing deadline: March 31 Filing reminders
Document retention: 11 years Maximum retention applied across entities

3.4 VAT — Zakon o PDV BiH

Full name: Zakon o porezu na dodanu vrijednost Bosne i Hercegovine
Citation: Sl. glasnik BiH br. 9/2005, 35/2005, 100/2008 et al.
Description: Unified VAT law administered at state level. No reduced rates.
Administering authority: UIO — Uprava za indirektno oporezivanje (Indirect Taxation Authority)
Portal: https://www.uino.gov.ba


















Rate Description
17% (opća stopa) Standard rate — all goods and services
0% Exports

Registration threshold: 100,000 BAM annual turnover
Return frequency: Monthly
Filing deadline: Check UIO portal

3.5 E-Invoice — CPF (Central Platform for Fiscalisation)

Status: PENDING — technical specifications not yet published
Law adopted: January 2026 (FBiH only)
Expected availability: ~2027

Bilko decision: Do NOT implement CPF integration until technical specs are published. Monitor UIO and FBiH government portals for updates. BiH is Phase 3 launch.

3.6 Corporate Income Tax





















Entity CIT Rate Filing Deadline
FBiH 10% March 31
RS (BiH entity) 10% March 31

Bilko provides CIT calculation support — separate fields for FBiH vs RS entity in organization settings.


4. Croatia (HR) — Regulatory Compliance

Note: Croatia is an EU member state. GDPR applies directly without separate national transposition law.

4.1 Data Protection — GDPR

Applicable law: GDPR — Regulation (EU) 2016/679 (directly applicable)
National implementing act: Zakon o provedbi Opće uredbe o zaštiti podataka (NN 42/2018)
Supervisory authority: AZOP — Agencija za zaštitu osobnih podataka
Website: https://azop.hr
























law)













Requirement GDPR Article Bilko Implementation
Lawful basis Art. 6 Contract (6.1.b) for service; legal obligation (6.1.c) for tax
Data minimization Art. 5(1)(c) Collect OIB (Croatian tax ID), name, email only

Right to access
Art. 15
GETProfile /api/v1/account/page + data export endpoint
Right to rectification Art. 16 Profile edit


Right to erasure
Art. 17
DELETEAccount /api/v1/accountdeletion (PII— anonymized;30-day financialretention recordsfor retainedAML peroverride
Right to restriction Art. 18 Manual processing by DPO


Right to portability
Art. 20
GETJSON /api/v1/account/export (JSON)


SecurityRight ofto processingobject
Art. 3221
TLSOpt-out 1.3for + AES-256 + bcrypt + RBACmarketing


Breach notificationRight to AZOPwithdraw consent
Art. 337(3)
WithinConsent 72management hours
DPIA Art. 35 This document covers accounting data
DPA with processors Art. 28 Required with Railway, Vercel, Cloudflare, SendGridUI



BreachRetention notificationconflict: contact:


Authority: AZOP — Agencija za zaštitu osobnih podataka

Address: Selska cesta 136, 10000 Zagreb

Email: [email protected]

Portal: https://azop.hr/prijavapovrede

Deadline: 72 hours from awareness (GDPR Art. 33)
17 
(erasure) 4.2vs. AccountingHvitvaskingsloven Law§ 30 (5-year AML retention). AML retention takes precedence — Zakon o računovodstvu

Full name: Zakon o računovodstvu
Citation: NN 78/15, 120/16, 116/18, 42/20, 47/20
Description: Croatian accounting law, aligns with EU Accounting Directive.















anonymizedafter























Requirement Bilko Implementation
Double-entry bookkeeping Enforced by schema
Chart of accounts: RRiF standard — 10 class system (0-9) HR CoA seeduser data  
  Accountingaccount standards:close, CFRStransaction (forrecords SMEs)retained or5 IFRS (PIEs) CFRS-compliant reports
Financial statements: Bilanca, Račun dobiti i gubitka, Izvještaj o novčanim tokovima Report generation module (Phase 2)
Filing via RGFI (Registar godišnjih financijskih izvještaja) FINA filing
Filing institution: FINA — Financijska agencija — https://www.fina.hr 
Annual filing deadline: April 30 Filing reminders
Document retention: 11 years Immutable storage

4.3 General Tax Law — Opći porezni zakon

Full name: Opći porezni zakon
Citation: NN 115/16, 106/18, 121/19, 32/20 et al.
Description: Framework tax law governing all Croatian taxes, including penalties for VAT non-compliance.

Relevant to Bilko: Defines document retention (11 years), electronic record acceptance, and obligations for digital accounting systems.years.
4.4 VAT Law — Zakon o porezu na dodanu vrijednost

Full name: Zakon o porezu na dodanu vrijednost
Citation: NN 73/13, 148/13, 143/14 et al.
Description: Croatian VAT law implementing EU VAT Directive.
Portal: ePorezna — https://www.porezna-uprava.hr































Rate Description Application
25% (opća stopa) Standard rate General goods and services
13% (srednja stopa) Intermediate rate Certain foods, water supply, accommodation, newspapers
5% (snižena stopa) Reduced rate Books, baby food, prescription medicines
0% Zero rate Exports, intra-EU supply

Registration threshold: 60,000 EUR annual turnover
Return frequency: Monthly
Filing deadline: Last day of following month

4.5 E-Invoice — HR-FISK / eRačun

Platform: https://hr-fisk.fina.hr
Operator: FINA — Financijska agencija
Status: Mandatory since January 1, 2026 (all B2B, B2G, B2C)
Format: UBL 2.1 XML with HR-CIUS (Croatian Implementation User Specification)
Protocol: AS4 (Peppol-compatible)
Certificate: FINA qualified certificate required

Integration: @bilko/country-hr package (Phase 2) — FINA API integration required
Penalties: Up to 500,000 EUR for non-compliance (severe)
Archive requirement: 11 years

4.6 FINA Reporting

All Croatian legal entities file annual financial reports via FINA RGFI portal. Bilko generates FINA-compatible XML/XBRL reports for export. Deadline: April 30.

4.7 HNB (Hrvatska narodna banka)

For organizations with foreign currency transactions, HNB reporting may apply. Bilko supports EUR (Croatia's official currency since January 2024), with historical HRK support for data migration.


5. Cross-Country Compliance Matrix






































































































Requirement Serbia (RS) Bosnia & Herzegovina (BA) Croatia (HR)
Data protection law ZZPL (GDPR-aligned, 2018) ZZLP BiH (state-level, 2006) GDPR (directly applicable)
Supervisory authority Poverenik AZLP AZOP
Breach notification deadline 72 hours 72 hours (best practice) 72 hours (GDPR Art. 33)
Double-entry bookkeeping ✅ Mandatory ✅ Mandatory ✅ Mandatory
Standard VAT rate 20% 17% 25%
Reduced VAT rate 10% None 13% and 5%
VAT return frequency Monthly/Quarterly Monthly Monthly
VAT filing deadline 15th of next month TBD (UIO) Last day of next month
E-invoice platform SEF (mandatory since Jan 2023) CPF (pending ~2027) HR-FISK (mandatory since Jan 2026)
E-invoice format UBL 2.1 XML TBD UBL 2.1 XML (HR-CIUS)
Annual report filing APR — June 30 Agency of Financial Info / Tax Admin RS — March 31 FINA RGFI — April 30
Chart of accounts Pravilnik (2021) FBiH Pravilnik (2022) RRiF standard
Document retention 10 years 10 years (FBiH) / 11 years (RS entity) 11 years
Currency RSD BAM EUR
Corporate income tax 15% 10% (both entities) 18% (10% if revenue <1M EUR)

Bilko retention policy: Apply maximum retention across all markets — 11 years for all financial records. Financial data is never hard-deleted.


6. Data Classification Scheme



Level
Label
Examples
ControlsEncryption Required




L1
Public
Exchange rates, fee schedule, privacygetdrop.no policycontent
NoneNo


L2
Internal
AggregatedSystem analytics,logs, non-PIIperformance logsmetrics, error traces
AccessNo control(TLS)


L3
Confidential
UserNames, email, name,phone, organizationtransaction data,history, invoicebank amountsbalances
EncryptionTLS + accessAES-256 controlat + audit logrest


L4
Restricted
Tax IDsFødselsnummer (PIB/JMBG/OIB/JIB)national ID), bankKYC accountdocuments, numbers,BankID TOTP secretssub
EncryptionTLS + RBACAES-256-GCM +field MFAencryption +(separate audit + 10-year retentionkey)



Tax ID handling:


Serbia: PIB (Poreski identifikacioni broj) — 9 digits; JMBG (Jedinstveni matični broj građana) — 13 digits

BiH: JIB (Jedinstveni identifikacioni broj) — 13 digits

Croatia: OIB (Osobni identifikacijski broj) — 11 digits


All tax IDs treated as L4 Restricted data. Stored with access logging. Never included in JWT payloads or logs.


7. 
Data Subject Rights Implementation
Inventory























RightData Category
EndpointClassification
SLARetention
NotesLegal Basis




Access (Art. 15 GDPR / ZZPL Art. 26 / ZZLP Art. 8)Name
GETL3 /api/v1/account/dataConfidential
30Life daysof account + 5 years (AML)
Returns user + org + invoices + expensesContract


Rectification (Art. 16)Email
PATCHL3 /api/v1/account/profileConfidential
ImmediateLife of account
Email, nameContract


ErasurePhone (Art. 17)number
DELETEL3 /api/v1/Confidential Life of account
30 days PII anonymized; financial records retained per lawContract


Portability (Art. 20)Fødselsnummer
GETL4 /api/v1/account/exportRestricted
305 daysyears (AML)
JSONLegal exportobligation


RestrictionBankID (Art. 18)sub
[email protected]L4 Restricted
305 daysyears (AML)
ManualLegal processobligation


ObjectionKYC (Art. 21)documents
[email protected]L4 Restricted
305 years (AML) Legal obligation
Transaction records L3 Confidential 5 years (AML) + accounting Legal obligation
Bank account balances L3 Confidential Session only — not persisted Contract
IP addresses / logs L2 Internal 90 days
NotLegitimate applicable for contract processinginterest



DPIA

Erasure exception: Financial records (invoices, expenses, transactions) are retained for the legally required period (10-11 years depending on country) even after user account erasure. Only PII (email, name, password hash) is anonymized.


8. Third-PartyA Data Processors
Protection Impact Assessment (DPIA) has been conducted. Document: data-protection-impact-assessment.md

DPIA trigger: Processing of fødselsnummer at scale, BankID integration, cross-border transfers to Serbia/BiH.

Cross-Border Data Transfers


























ProcessorDestination
ServiceTransfer Mechanism
Data Shared Region DPA RequiredSafeguards




RailwayEU/EEA (AWS Frankfurt, Cloudflare EU)
PostgreSQLFree hostingflow (EEA to EEA)
AllStandard accountingGDPR data EU West (Frankfurt/Paris) Yes — sign before launchprotections


VercelCroatia (HR)
FrontendFree flow (EEA → EU) Standard GDPR protections
Serbia (RS) No adequacy decision SCCs (Standard Contractual Clauses) + Transfer Impact Assessment (TIA)
Bosnia & Herzegovina (BA) No adequacy decision SCCs + Transfer Impact Assessment (TIA)
USA (AWS, Sentry, BetterStack) No adequacy decision SCCs + DPA signed

Note: Serbia and Bosnia & Herzegovina do not have EU adequacy decisions. All data transfers involving these countries require SCCs and a documented TIA before data flows.


6. ICT Security — IKT-forskriften / DORA

IKT-forskriften (FOR-2003-05-21-630)

Currently applicable to financial enterprises in Norway.









































Requirement Sections Status
ICT security policy §§ 5-6 Document: ikt-sikkerhetspolicy.md — Draft
Incident handling § 8 Document: hendelseshaandtering.md — Draft
Business continuity § 9 Document: beredskapsplan.md — Draft
Outsourcing policy § 10 Document: utkontraktering-policy.md — Draft
Access control § 5 Implemented: RBAC, session revocation, JWT
Encryption § 6 Implemented: TLS 1.3, AES-256, bcrypt(12)

DORA (EU) 2022/2554

DORA is expected to be incorporated into Norwegian law approximately 2026 H2 (via EEA Agreement).









































DORA Requirement Article Drop Plan
ICT risk management framework Art. 6 Mapped to IKT-forskriften currently
ICT incident classification Art. 18 Breach response plan covers this
Major incident reporting Art. 19 Finanstilsynet + Datatilsynet within 72h
Digital operational resilience testing Art. 24-25 Annual pentest planned (Phase 3)
ICT third-party risk management Art. 28-44 Outsourcing policy + DPAs
Encryption standards Art. 9(4)(d) AES-256-GCM, TLS 1.3


7. Valutaregisterloven

Law: Valutaregisterloven (LOV-2003-06-06-39)

All cross-border payment service providers must report transactions to Statistisk sentralbyrå (SSB) and Norges Bank.


























Requirement Threshold Reporting Recipient
Cross-border transactions All (> 0 NOK) SSB via Valutaregisteret
Aggregate statistics Monthly Norges Bank
Format XML via SSB API Valutaregisteret

Implementation: Phase 2 — automated reporting pipeline to Valutaregisteret for all completed remittances.


8. Compliance Gap Summary

Overall compliance readiness: 8/100 (MVP stage — expected)














































Area Readiness Gap
Licensing (Finanstilsynet) 0% No license — no live transactions permitted
PSD2 / SCA 10% BankID not implemented; SCA not in place
AML/KYC 5% Mock KYC only; no real identity verification
GDPR 15% Privacy notice + DPIA drafted; no DPO appointed
ICT Security 25% Security hardened (post 2026-02-13); pentest pending
Valutaregisterloven 0% No SSB reporting pipeline
Consumer Protection 20% Terms drafted; no formal complaints process

Phase 2 completion target: 60% (licensing + BankID + real KYC + GDPR implementation)
Phase 3 completion target: 85% (pentest + Valutaregisteret + full GDPR + DPO)


9. Compliance Monitoring Plan

Monthly Checks


 npm audit — dependency vulnerability check

 Review Sentry errors for security-relevant issues

 BetterStack uptime + alert review

 Transaction volume check against license threshold (after licensing)


Quarterly Checks


 KYC data retention audit (5-year AML retention compliance)

 GDPR data subject rights fulfillment review

 JWT_SECRET rotation (quarterly per key management policy)

 Review of AML transaction monitoring rules effectiveness

 Security exceptions review


Annual Checks


 External security penetration test (required before Phase 3 launch)

 AML risk assessment review (Hvitvaskingsloven § 6)

 DPIA review (GDPR Art. 35 — when processing changes materially)

 All encryption keys rotation audit

 Regulatory change review — Finanstilsynet circulars

 DPAs review (AWS, Cloudflare, Sentry, BetterStack, Sumsub, BankID Norge AS)



10. Third-Party Compliance

All third-party processors of personal data require a signed Data Processing Agreement (DPA).














metadata,






















Vendor Role DPA Status Data Transferred
AWS (Frankfurt, Ireland) Infrastructure + hosting
None (static only)Required
GlobalAll (EU edge for EU users) Yesdata


Cloudflare (EU edge)
CDN, WAF, R2 storageDDoS
IP addresses, file attachmentsRequired
EURequest region  YesIPs


SendGridSentry
TransactionalError emailmonitoring
Email addresses, invoice PDFsRequired
EUError regiondata, stack traces
BetterStack
YesUptime + logs Required Log data
Sumsub KYC verification (Phase 2) Required Name, photo ID, fødselsnummer
BankID Norge AS eID authentication (Phase 2) Required Name, fødselsnummer, DOB
Marqeta / Lithic Card issuance (Phase 3) Required Payment data (PCI-DSS)



DPA status:requirement source: AllGDPR DPAsArt. must28; bePersonopplysningsloven signed§ before first paying customer. Railway EU West region must be explicitly configured to ensure EU data residency.5

9.11. ComplianceDocument Roadmap

Phase 1 — Pre-Launch (GDPR baseline)


 Privacy policy published (HR GDPR applicable immediately; RS/BA when launched)

 Terms of Service published

 User consent mechanism at registration

 Data deletion workflow implemented and tested

 Data export endpoint implemented

 DPAs signed with Railway, Vercel, Cloudflare, SendGrid

 Railway EU West region confirmed

 Breach notification process documented


Phase 2 — Serbia Launch (3-6 months)


 Legal review by Serbian lawyer (računovodstveno pravo + ZZPL)

 Serbian CoA seed data (Pravilnik 2021)

 VAT calculation at 20% / 10%

 SEF XML export (UBL 2.1)

 SEF API integration for B2B e-invoicing

 APR financial report export (Bilans stanja, Bilans uspeha)

 ZZPL processing register documented


Phase 2 — Croatia Launch (concurrent or shortly after)


 Legal review by Croatian lawyer (Zakon o računovodstvu + GDPR)

 Croatian CoA seed data (RRiF standard)

 VAT calculation at 25% / 13% / 5%

 FINA certificate acquisition for HR-FISK

 HR-FISK API integration (mandatory for all invoices Jan 2026+)

 FINA RGFI report export

 AZOP processing register documented


Phase 3 — BiH Launch (12-18 months)


 Legal review by BiH lawyer (FBiH + RS entity distinction)

 BiH CoA seed data (FBiH Pravilnik 2022)

 VAT calculation at 17% (UIO)

 Monitor CPF technical specs publication (~2027)

 FBiH vs RS entity distinction in org settings

 AZLP breach notification process confirmed



10. Risk AssessmentRegister
3planned,notSerbia/Croatia


















































































RiskDocument
LikelihoodFile
ImpactStatus
MitigationOwner




GDPR/ZZPLPrivacy data breach finenotice
Low (if compliant)personvernerklaering.md
High (GDPR up to €20M / ZZPL up to RSD 2M)Draft
Full GDPR/ZZPL implementation before first customerDPO


SEF non-compliance (Serbia)DPIA
Medium (if not integrated)dpia-vurdering.md
High (RSD 2M fine)Draft
Phase 2 SEF integration before Serbia B2B launchDPO


HR-FISKTerms non-complianceof (Croatia)service
High (if not integrated)brukervilkar.md
Critical (EUR 500K fine)Draft
Phase 2 HR-FISK integration — mandatoryLegal


FinancialAML data lossprocedures
Lowhvitvaskingsrutiner.md
CriticalDraft
30-day Railway backups, immutable audit trailCompliance


TaxAML calculationrisk error (VAT)assessment
Lowrisikovurdering-hvitvasking.md
High (penalties + reputational)Draft
Configurable tax rates per country, Zod validationCompliance


BiHICT CPFsecurity delaypolicy
Mediumikt-sikkerhetspolicy.md
Low (launch delayed)Draft
PhaseSecurity


Incident blockinghandling
hendelseshaandtering.md Draft Security
Business continuity beredskapsplan.md Draft Operations
Outsourcing policy utkontraktering-policy.md Draft Legal
Internal control internkontroll.md Draft Compliance
Suitability assessment egnethetsvurdering.md Draft Legal
Complaint handling klagebehandling.md Draft Operations
Licensing preparation konsesjonssoknad-forberedelse.md Draft Legal
Gap analysis drop-gap-analysis-v2.md Complete Compliance
Regulatory map drop-regulatory-map-v2.md Complete Legal
Security architecture security-architecture.md Draft Security
Encryption policy data-encryption-policy.md Draft Security
Key management policy key-management-policy.md Draft Security
Breach response plan data-breach-response-plan.md Draft Security
Security testing policy security-testing-policy.md Draft Security




Related Documents


Security Architecture: security-architecture.md

DPIA: data-protection-impact-assessment.md

Breach Response Plan: data-breach-response-plan.md

Bilko Compliance: ../../products/Bilko/docs/security/COMPLIANCE.md

Serbia Regulatory: ../../products/Bilko/docs/regulatory/RS/README.md

BiH Regulatory: ../../products/Bilko/docs/regulatory/BA/README.md

Croatia Regulatory: ../../products/Bilko/docs/regulatory/HR/README.md



Approval



Role
Name
Date
Signature




Author
ComplianceSecurity Architect
2026-02-23



DPO





Legal Counsel





CEO

~~Requirement~~Processing Activity	~~ZZLP~~Legal ~~Article~~Basis	~~Bilko~~Norwegian ~~Implementation~~Law Reference
~~Lawful~~User ~~basis for processing~~	~~Art. 4~~registration	Contract performance	Personopplysningsloven § 5, GDPR Art. 6(1)(~~accounting service delivery) + legal obligation (tax records)~~b)
~~Data~~KYC ~~security~~identity ~~measures~~verification	~~Art.~~Legal 14obligation	~~TLS~~Personopplysningsloven ~~1.3~~§ 6, GDPR Art. 6(1)(c) + ~~AES-256~~Hvitvaskingsloven +§ ~~bcrypt + RBAC~~12
~~Cross-border~~Payment ~~transfer~~processing	~~Art.~~Contract 18performance	~~Railway~~Personopplysningsloven EU§ ~~West~~5, —GDPR ~~outside~~Art. ~~BiH; SCCs mechanism~~6(1)(b)
~~Breach~~Transaction ~~notification~~monitoring ~~to AZLP~~(AML)	Legal obligation	Personopplysningsloven § 6, GDPR Art. 146(1)(c) + ~~GDPR~~Hvitvaskingsloven ~~practice~~	~~72 hours~~24
~~Data~~Fødselsnummer ~~subject rights~~processing	~~Art.~~Special ~~5-10~~legal basis	~~Same~~Personopplysningsloven ~~endpoints~~§ as12 RS(requires specific legal basis)
Error monitoring (Sentry)	Legitimate interest	GDPR Art. 6(1)(f)
Marketing	Consent	GDPR Art. 6(1)(a)

~~Requirement~~Right	~~Bilko~~GDPR Article	Drop Implementation
~~Double-entry bookkeeping~~	~~Enforced by schema~~
~~Chart of accounts: FBiH Pravilnik (2022) — 10 class system (0-9)~~	~~BiH CoA seed data~~
~~Financial statements: Bilans stanja, Bilans uspeha~~	~~Report generation module (Phase 3)~~
~~Filing institution: Agency of Financial Information (FBiH)~~	~~PDF export~~
~~Annual filing deadline: March 31~~	~~Filing reminders~~
~~Document retention:~~ ~~10 years~~	~~Immutable storage~~

~~Requirement~~	~~Bilko Implementation~~
~~Double-entry bookkeeping~~	~~Enforced by schema~~
~~Filing institution: Tax Administration of RS (BiH entity)~~	~~PDF export~~
~~Annual filing deadline: March 31~~	~~Filing reminders~~
~~Document retention:~~ ~~11 years~~	~~Maximum retention applied across entities~~

~~Entity~~	~~CIT Rate~~	~~Filing Deadline~~
~~FBiH~~	~~10%~~	~~March 31~~
~~RS (BiH entity)~~	~~10%~~	~~March 31~~

~~Requirement~~	~~GDPR Article~~	~~Bilko Implementation~~
~~Lawful basis~~	~~Art. 6~~	~~Contract (6.1.b) for service; legal obligation (6.1.c) for tax~~
~~Data minimization~~	~~Art. 5(1)(c)~~	~~Collect OIB (Croatian tax ID), name, email only~~
Right to access	Art. 15	~~GET~~Profile ~~/api/v1/account/~~page + data export endpoint
Right to rectification	Art. 16	Profile edit
Right to erasure	Art. 17	~~DELETE~~Account ~~/api/v1/account~~deletion ~~(PII~~— ~~anonymized;~~30-day ~~financial~~retention ~~records~~for ~~retained~~AML ~~per~~override
Right to restriction	Art. 18	Manual processing by DPO
Right to portability	Art. 20	~~GET~~JSON ~~/api/v1/account/~~export ~~(JSON)~~
~~Security~~Right ofto ~~processing~~object	Art. 3221	~~TLS~~Opt-out ~~1.3~~for ~~+ AES-256 + bcrypt + RBAC~~marketing
~~Breach notification~~Right to ~~AZOP~~withdraw consent	Art. 337(3)	~~Within~~Consent 72management ~~hours~~
~~DPIA~~	~~Art. 35~~	~~This document covers accounting data~~
~~DPA with processors~~	~~Art. 28~~	~~Required with Railway, Vercel, Cloudflare, SendGrid~~UI

~~Rate~~	~~Description~~
~~17% (opća stopa)~~	~~Standard rate — all goods and services~~
0%	~~Exports~~

~~Requirement~~	~~Bilko Implementation~~
~~Double-entry bookkeeping~~	~~Enforced by schema~~
~~Chart of accounts: RRiF standard — 10 class system (0-9)~~	~~HR CoA seed~~user data
~~Accounting~~account ~~standards:~~close, ~~CFRS~~transaction ~~(for~~records ~~SMEs)~~retained or5 ~~IFRS (PIEs)~~	~~CFRS-compliant reports~~
~~Financial statements: Bilanca, Račun dobiti i gubitka, Izvještaj o novčanim tokovima~~	~~Report generation module (Phase 2)~~
~~Filing via RGFI (Registar godišnjih financijskih izvještaja)~~	~~FINA filing~~
~~Filing institution: FINA — Financijska agencija — https://www.fina.hr~~
~~Annual filing deadline: April 30~~	~~Filing reminders~~
~~Document retention:~~ ~~11 years~~	~~Immutable storage~~

~~Rate~~	~~Description~~	~~Application~~
~~25% (opća stopa)~~	~~Standard rate~~	~~General goods and services~~
~~13% (srednja stopa)~~	~~Intermediate rate~~	~~Certain foods, water supply, accommodation, newspapers~~
~~5% (snižena stopa)~~	~~Reduced rate~~	~~Books, baby food, prescription medicines~~
0%	~~Zero rate~~	~~Exports, intra-EU supply~~

~~Requirement~~	~~Serbia (RS)~~	~~Bosnia & Herzegovina (BA)~~	~~Croatia (HR)~~
~~Data protection law~~	~~ZZPL (GDPR-aligned, 2018)~~	~~ZZLP BiH (state-level, 2006)~~	~~GDPR (directly applicable)~~
~~Supervisory authority~~	~~Poverenik~~	~~AZLP~~	~~AZOP~~
~~Breach notification deadline~~	~~72 hours~~	~~72 hours (best practice)~~	~~72 hours (GDPR Art. 33)~~
~~Double-entry bookkeeping~~	~~✅ Mandatory~~	~~✅ Mandatory~~	~~✅ Mandatory~~
~~Standard VAT rate~~	~~20%~~	~~17%~~	~~25%~~
~~Reduced VAT rate~~	~~10%~~	~~None~~	~~13% and 5%~~
~~VAT return frequency~~	~~Monthly/Quarterly~~	~~Monthly~~	~~Monthly~~
~~VAT filing deadline~~	~~15th of next month~~	~~TBD (UIO)~~	~~Last day of next month~~
~~E-invoice platform~~	~~SEF (mandatory since Jan 2023)~~	~~CPF (pending ~2027)~~	~~HR-FISK (mandatory since Jan 2026)~~
~~E-invoice format~~	~~UBL 2.1 XML~~	~~TBD~~	~~UBL 2.1 XML (HR-CIUS)~~
~~Annual report filing~~	~~APR — June 30~~	~~Agency of Financial Info / Tax Admin RS — March 31~~	~~FINA RGFI — April 30~~
~~Chart of accounts~~	~~Pravilnik (2021)~~	~~FBiH Pravilnik (2022)~~	~~RRiF standard~~
~~Document retention~~	~~10 years~~	~~10 years (FBiH) / 11 years (RS entity)~~	~~11 years~~
~~Currency~~	~~RSD~~	~~BAM~~	~~EUR~~
~~Corporate income tax~~	~~15%~~	~~10% (both entities)~~	~~18% (10% if revenue <1M EUR)~~

Level	Label	Examples	~~Controls~~Encryption Required
L1	Public	Exchange rates, fee schedule, ~~privacy~~getdrop.no ~~policy~~content	~~None~~No
L2	Internal	~~Aggregated~~System ~~analytics,~~logs, ~~non-PII~~performance ~~logs~~metrics, error traces	~~Access~~No ~~control~~(TLS)
L3	Confidential	~~User~~Names, email, ~~name,~~phone, ~~organization~~transaction ~~data,~~history, ~~invoice~~bank ~~amounts~~balances	~~Encryption~~TLS + ~~access~~AES-256 ~~control~~at ~~+ audit log~~rest
L4	Restricted	~~Tax IDs~~Fødselsnummer (~~PIB/JMBG/OIB/JIB)~~national ID), ~~bank~~KYC ~~account~~documents, ~~numbers,~~BankID ~~TOTP secrets~~`sub`	~~Encryption~~TLS + ~~RBAC~~AES-256-GCM +field ~~MFA~~encryption +(separate ~~audit + 10-year retention~~key)

~~Right~~Data Category	~~Endpoint~~Classification	~~SLA~~Retention	~~Notes~~Legal Basis
~~Access (Art. 15 GDPR / ZZPL Art. 26 / ZZLP Art. 8)~~Name	~~GET~~L3 ~~/api/v1/account/data~~Confidential	30Life ~~days~~of account + 5 years (AML)	~~Returns user + org + invoices + expenses~~Contract
~~Rectification (Art. 16)~~Email	~~PATCH~~L3 ~~/api/v1/account/profile~~Confidential	~~Immediate~~Life of account	~~Email, name~~Contract
~~Erasure~~Phone ~~(Art. 17)~~number	~~DELETE~~L3 ~~/api/v1/~~Confidential	Life of account	~~30 days~~	~~PII anonymized; financial records retained per law~~Contract
~~Portability (Art. 20)~~Fødselsnummer	~~GET~~L4 ~~/api/v1/account/export~~Restricted	305 ~~days~~years (AML)	~~JSON~~Legal ~~export~~obligation
~~Restriction~~BankID ~~(Art. 18)~~`sub`	~~[email protected]~~L4 Restricted	305 ~~days~~years (AML)	~~Manual~~Legal ~~process~~obligation
~~Objection~~KYC ~~(Art. 21)~~documents	~~[email protected]~~L4 Restricted	305 years (AML)	Legal obligation
Transaction records	L3 Confidential	5 years (AML) + accounting	Legal obligation
Bank account balances	L3 Confidential	Session only — not persisted	Contract
IP addresses / logs	L2 Internal	90 days	~~Not~~Legitimate ~~applicable for contract processing~~interest

~~Processor~~Destination	~~Service~~Transfer Mechanism	~~Data Shared~~	~~Region~~	~~DPA Required~~Safeguards
~~Railway~~EU/EEA (AWS Frankfurt, Cloudflare EU)	~~PostgreSQL~~Free ~~hosting~~flow (EEA to EEA)	~~All~~Standard ~~accounting~~GDPR ~~data~~	~~EU West (Frankfurt/Paris)~~	~~Yes — sign before launch~~protections
~~Vercel~~Croatia (HR)	~~Frontend~~Free flow (EEA → EU)	Standard GDPR protections
Serbia (RS)	No adequacy decision	SCCs (Standard Contractual Clauses) + Transfer Impact Assessment (TIA)
Bosnia & Herzegovina (BA)	No adequacy decision	SCCs + Transfer Impact Assessment (TIA)
USA (AWS, Sentry, BetterStack)	No adequacy decision	SCCs + DPA signed

Requirement	Sections	Status
ICT security policy	§§ 5-6	Document: `ikt-sikkerhetspolicy.md` — Draft
Incident handling	§ 8	Document: `hendelseshaandtering.md` — Draft
Business continuity	§ 9	Document: `beredskapsplan.md` — Draft
Outsourcing policy	§ 10	Document: `utkontraktering-policy.md` — Draft
Access control	§ 5	Implemented: RBAC, session revocation, JWT
Encryption	§ 6	Implemented: TLS 1.3, AES-256, bcrypt(12)

DORA Requirement	Article	Drop Plan
ICT risk management framework	Art. 6	Mapped to IKT-forskriften currently
ICT incident classification	Art. 18	Breach response plan covers this
Major incident reporting	Art. 19	Finanstilsynet + Datatilsynet within 72h
Digital operational resilience testing	Art. 24-25	Annual pentest planned (Phase 3)
ICT third-party risk management	Art. 28-44	Outsourcing policy + DPAs
Encryption standards	Art. 9(4)(d)	AES-256-GCM, TLS 1.3

Requirement	Threshold	Reporting Recipient
Cross-border transactions	All (> 0 NOK)	SSB via Valutaregisteret
Aggregate statistics	Monthly	Norges Bank
Format	XML via SSB API	Valutaregisteret

Area	Readiness	Gap
Licensing (Finanstilsynet)	0%	No license — no live transactions permitted
PSD2 / SCA	10%	BankID not implemented; SCA not in place
AML/KYC	5%	Mock KYC only; no real identity verification
GDPR	15%	Privacy notice + DPIA drafted; no DPO appointed
ICT Security	25%	Security hardened (post 2026-02-13); pentest pending
Valutaregisterloven	0%	No SSB reporting pipeline
Consumer Protection	20%	Terms drafted; no formal complaints process

Vendor	Role	DPA Status	Data Transferred
AWS (Frankfurt, Ireland)	Infrastructure + hosting	~~None (static only)~~Required	~~Global~~All ~~(EU edge for EU users)~~	~~Yes~~data
Cloudflare (EU edge)	CDN, WAF, ~~R2 storage~~DDoS	~~IP addresses, file attachments~~Required	EURequest ~~region~~	~~Yes~~IPs
~~SendGrid~~Sentry	~~Transactional~~Error ~~email~~monitoring	~~Email addresses, invoice PDFs~~Required	EUError ~~region~~data, stack traces
BetterStack	~~Yes~~Uptime + logs	Required	Log data
Sumsub	KYC verification (Phase 2)	Required	Name, photo ID, fødselsnummer
BankID Norge AS	eID authentication (Phase 2)	Required	Name, fødselsnummer, DOB
Marqeta / Lithic	Card issuance (Phase 3)	Required	Payment data (PCI-DSS)

~~Risk~~Document	~~Likelihood~~File	~~Impact~~Status	~~Mitigation~~Owner
~~GDPR/ZZPL~~Privacy ~~data breach fine~~notice	~~Low (if compliant)~~`personvernerklaering.md`	~~High (GDPR up to €20M / ZZPL up to RSD 2M)~~Draft	~~Full GDPR/ZZPL implementation before first customer~~DPO
~~SEF non-compliance (Serbia)~~DPIA	~~Medium (if not integrated)~~`dpia-vurdering.md`	~~High (RSD 2M fine)~~Draft	~~Phase 2 SEF integration before Serbia B2B launch~~DPO
~~HR-FISK~~Terms ~~non-compliance~~of ~~(Croatia)~~service	~~High (if not integrated)~~`brukervilkar.md`	~~Critical (EUR 500K fine)~~Draft	~~Phase 2 HR-FISK integration — mandatory~~Legal
~~Financial~~AML ~~data loss~~procedures	~~Low~~`hvitvaskingsrutiner.md`	~~Critical~~Draft	~~30-day Railway backups, immutable audit trail~~Compliance
~~Tax~~AML ~~calculation~~risk ~~error (VAT)~~assessment	~~Low~~`risikovurdering-hvitvasking.md`	~~High (penalties + reputational)~~Draft	~~Configurable tax rates per country, Zod validation~~Compliance
~~BiH~~ICT ~~CPF~~security ~~delay~~policy	~~Medium~~`ikt-sikkerhetspolicy.md`	~~Low (launch delayed)~~Draft	~~Phase~~Security
Incident ~~blocking~~handling	`hendelseshaandtering.md`	Draft	Security
Business continuity	`beredskapsplan.md`	Draft	Operations
Outsourcing policy	`utkontraktering-policy.md`	Draft	Legal
Internal control	`internkontroll.md`	Draft	Compliance
Suitability assessment	`egnethetsvurdering.md`	Draft	Legal
Complaint handling	`klagebehandling.md`	Draft	Operations
Licensing preparation	`konsesjonssoknad-forberedelse.md`	Draft	Legal
Gap analysis	`drop-gap-analysis-v2.md`	Complete	Compliance
Regulatory map	`drop-regulatory-map-v2.md`	Complete	Legal
Security architecture	`security-architecture.md`	Draft	Security
Encryption policy	`data-encryption-policy.md`	Draft	Security
Key management policy	`key-management-policy.md`	Draft	Security
Breach response plan	`data-breach-response-plan.md`	Draft	Security
Security testing policy	`security-testing-policy.md`	Draft	Security

Compliance Framework

Compliance Framework Document

Document History

1. Applicable Regulations

Primary Jurisdiction: Norway

Remittance Corridor Jurisdictions

2. Licensing

Current Status

Licensing Pathway

Option A: Begrenset betalingsforetak (Limited Payment Institution)

Option B: Ordinaert betalingsforetak (Full Payment Institution)

Option C: Agent Model (recommended for Phase 1)

3. PSD2 / Betalingstjenesteloven

Strong Customer Authentication (SCA)

2.state: SerbiaEmail + password only. SCA required for production launch. Required implementation (RS)Phase —2): Regulatory Compliance

2.1Open Data Protection — Zakon o zaštiti podataka o ličnostiBanking (ZZPL)AISP/PISP)

Consumer Information Requirements

4. AML/KYC — Hvitvaskingsloven

Customer Due Diligence (CDD)

KYC notification contact: Authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti Address: Bulevar kralja Aleksandra 15, 11000 Belgrade Email: [email protected] Deadline: 72 hours from awareness (ZZPL Art. 56)

2.2 Accounting Law — Zakon o računovodstvuTiers

2.3Transaction VATMonitoring Law — Zakon o PDVRules

AML Risk Classification — Corridor Risk

2.4 E-Invoice — SEF (Sistem e-Faktura)

2.5 Electronic Document Law

2.6 APR Filing

3.5. BosniaGDPR &/ Herzegovina (BA) — Regulatory CompliancePersonopplysningsloven

Legal BiHBases hasfor two entities (FBiH and Republika Srpska) with parallel legislation. VAT is unified at state level via UIO. Direct taxes are administered separately per entity.

3.1 Data Protection — Zakon o zaštiti ličnih podataka BiHProcessing

Data notificationSubject contact: Authority: Agencija za zaštitu ličnih podataka Bosne i Hercegovine (AZLP) Address: Hamdije Čemerlića 2/VI, 71000 Sarajevo Email: [email protected] Deadline: 72 hours (following GDPR best practice)

3.2 FBiH — Accounting LawRights

3.3 Republika Srpska (BiH Entity) — Accounting Law

3.4 VAT — Zakon o PDV BiH

3.5 E-Invoice — CPF (Central Platform for Fiscalisation)

3.6 Corporate Income Tax

4. Croatia (HR) — Regulatory Compliance

4.1 Data Protection — GDPR

4.2vs. AccountingHvitvaskingsloven Law§ 30 (5-year AML retention). AML retention takes precedence — Zakon o računovodstvu

4.3 General Tax Law — Opći porezni zakon

4.4 VAT Law — Zakon o porezu na dodanu vrijednost

4.5 E-Invoice — HR-FISK / eRačun

4.6 FINA Reporting

4.7 HNB (Hrvatska narodna banka)

5. Cross-Country Compliance Matrix

6. Data Classification Scheme

7.

Data Subject Rights Implementation

DPIA

8. Third-PartyA Data Processors

Cross-Border Data Transfers

6. ICT Security — IKT-forskriften / DORA

IKT-forskriften (FOR-2003-05-21-630)

DORA (EU) 2022/2554

7. Valutaregisterloven

8. Compliance Gap Summary

9. Compliance Monitoring Plan

Monthly Checks

Quarterly Checks

Annual Checks

10. Third-Party Compliance

9.11. ComplianceDocument Roadmap

Phase 1 — Pre-Launch (GDPR baseline)

Phase 2 — Serbia Launch (3-6 months)

Phase 2 — Croatia Launch (concurrent or shortly after)

Phase 3 — BiH Launch (12-18 months)

10. Risk AssessmentRegister

Related Documents

Approval

2.state: SerbiaEmail + password only. SCA required for production launch.

Required implementation (RS)Phase —2):
Regulatory
Compliance

KYC notification contact:

Authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti

Address: Bulevar kralja Aleksandra 15, 11000 Belgrade

Email: [email protected]

Deadline: 72 hours from awareness (ZZPL Art. 56)

Data notificationSubject contact:

Authority: Agencija za zaštitu ličnih podataka Bosne i Hercegovine (AZLP)

Address: Hamdije Čemerlića 2/VI, 71000 Sarajevo

Email: [email protected]

Deadline: 72 hours (following GDPR best practice)