Compliance Framework

Compliance Framework Document

~~Project / Organization:~~Project: ~~ALAI Holding AS~~Bilko — ~~Drop~~Balkan ~~Payment~~Accounting ~~App~~ ~~Policy Number:~~ ~~POL-COMP-FW-001~~SaaS Version: 1.0 Date: 2026-02-23 Author: ~~Security~~Compliance Architect Status: Draft Reviewers: DPO, Legal Counsel, CEO Classification: Confidential

Document History

Version	Date	Author	Changes
0.1	2026-02-23	~~Security~~Compliance Architect	Initial draft — ~~Drop~~RS/BA/HR ~~payment app multi-jurisdiction~~three-country compliance mapping

1. Applicable Regulations

Compliance Owner: ~~Security~~Compliance Architect ~~/ DPO~~ (~~[email protected])~~[email protected]) ~~Company:~~Last Review: ~~ALAI~~2026-02-23 ~~Holding AS (org.nr 932 516 136), incorporated in Norway~~| ~~Domain:~~Next Review: ~~getdrop.no~~ ~~Business Model:~~ ~~PSD2 pass-through payment app — NEVER holds customer money; AISP reads bank balances, PISP initiates payments from user's bank account.~~ ~~Service:~~ ~~Remittance to 30+ countries + QR payments in Norway~~ ~~Users:~~ ~~All residents of Norway, 18+ years, with Norwegian BankID~~

Primary Jurisdiction: Norway

~~Drop is incorporated in Norway under Norwegian law. All primary regulatory obligations flow from Norwegian legislation and Finanstilsynet supervision.~~2026-08-23

Regulation	~~Norwegian Law~~Country	~~Relevance~~Phase
~~PSD2~~GDPR — Regulation (~~Payment~~EU) ~~Services)~~2016/679	~~Betalingstjenesteloven (LOV-2018-11-23-85)~~HR	~~Core~~Phase ~~— legal basis for payment operations~~1
~~AML/CFT~~	~~Hvitvaskingsloven (LOV-2018-06-01-23) + Hvitvaskingsforskriften (FOR-2018-09-14-1324)~~	~~Core — anti-money laundering obligations~~
~~GDPR~~	~~Personopplysningsloven (LOV-2018-06-15-38)~~	~~Core — personal data protection~~
~~Financial Enterprises~~	~~Finansforetaksloven (LOV-2015-04-10-17)~~	~~Licensing, governance, capital requirements~~
~~ICT Security~~	~~IKT-forskriften (FOR-2003-05-21-630)~~	~~ICT security for financial enterprises~~
~~Digital Operational Resilience~~	~~DORA (EU) 2022/2554~~	~~Norway incorporation expected ~2026 H2~~
~~Currency Registry~~	~~Valutaregisterloven (LOV-2003-06-06-39)~~	~~Cross-border payment reporting to SSB~~
~~Consumer Protection~~	~~Finansavtaleloven (LOV-2020-11-13-125)~~	~~Payment terms, user rights, fee transparency~~
~~Electronic Signatures~~	~~eIDAS / LOV-2001-06-15-81~~	~~BankID as qualified electronic identification~~

Remittance Corridor Jurisdictions

~~Drop sends remittances to 30+ countries. Regulatory obligations in these corridors:~~

~~Destination Region~~	~~Key Regulations~~	~~Drop Obligations~~
~~EU/EEA (Eurozone, Croatia, etc.)~~	~~GDPR (free data flow), EU AML~~	~~Standard KYC; no SCCs needed for data~~
~~Serbia~~	~~ZZPL (~~Zakon o zaštiti ~~podataka,~~podataka ~~LOV~~o ličnosti (ZZPL, Sl. glasnik RS 87/2018)	~~Standard KYC; SCC + TIA for data transfers~~
~~Bosnia & Herzegovina~~	~~ZZLP (Zakon o zaštiti ličnih podataka, SG BiH 49/06)~~	~~Standard KYC; SCC + TIA for data transfers~~
~~Turkey~~	~~Turkish Personal Data Protection Law (KVKK 6698/2016)~~	~~FATF monitoring list — enhanced KYC~~
~~Pakistan~~	~~Pakistan Personal Data Protection Act~~	~~FATF monitoring — enhanced due diligence~~

~~Note:~~ Drop's obligations in corridor jurisdictions are primarily fulfilled by the receiving payment institution. Drop's direct obligations are Norwegian-law based, supplemented by GDPR requirements for cross-border data transfers.

2. Licensing

Current Status

~~Drop is an MVP-stage application. No Finanstilsynet license has been obtained. Live transactions with real money are NOT permitted until a license is in place.~~

Licensing Pathway

~~Recommended path:~~ ~~Agent model (Option C) for initial launch, then full license (Option B) for scale.~~

Option A: Begrenset betalingsforetak (Limited Payment Institution)

~~Law:~~ ~~Betalingstjenesteloven § 2-10c~~

~~Requirement~~	~~Detail~~
~~Monthly transaction volume~~	~~Max 6 million NOK/month (12-month average)~~
~~Capital requirement~~	~~None~~
~~Application timeline~~	~~3-6 months~~
~~EEA passporting~~	~~NO — Norway only~~
~~Fit & proper~~	~~Directors and beneficial owners~~
~~AML~~	~~Full compliance required~~

~~Drop fit:~~ ~~Initial launch — allows ~3,000 remittances of 2,000 NOK average/month.~~

Option B: Ordinaert betalingsforetak (Full Payment Institution)

~~Law:~~ ~~Betalingstjenesteloven §§ 2-3 to 2-10~~

~~Requirement~~	~~Detail~~
~~Initial capital~~	~~125,000 EUR (~1.4M NOK) for remittance services~~
~~Application timeline~~	~~6-12 months~~
~~EEA passporting~~	~~YES — enables Sweden/Denmark~~
~~Governance~~	~~Board, compliance officer, internal audit~~
~~Safeguarding~~	~~Client funds in segregated account or guarantee~~

~~Drop fit:~~ ~~Target license for Scandinavian scale.~~

Option C: Agent Model (recommended for Phase 1)

~~Law:~~ ~~Betalingstjenesteloven § 2-12~~

~~Requirement~~	~~Detail~~
~~Structure~~	~~Drop operates as agent of licensed payment institution~~
~~Capital~~	~~None required from Drop~~
~~Timeline~~	~~1-3 months~~
~~Liability~~	~~Principal (licensed PSP) is responsible~~

~~Target partners:~~ ~~Licensed Norwegian PSPs or BaaS providers (Swan, Modulr, Banking Circle).~~

3. PSD2 / Betalingstjenesteloven

Strong Customer Authentication (SCA)

~~Law:~~ ~~Betalingstjenesteloven §§ 4-28, 4-29; Delegated Regulation (EU) 2018/389~~

~~10-18~~

~~Requirement~~	~~Section~~	~~Status~~
~~Two-factor authentication~~	~~§ 4-28~~	~~Phase 2: BankID (possession + knowledge)~~
~~Dynamic linking~~	~~Art. 5 (Del. Reg.)~~	~~Phase 2: amount + payee tied to BankID signing~~
~~90-day re-authentication~~	~~Art. 10 (Del. Reg.)~~RS	Phase 2
~~Low-value~~Zakon ~~exemption~~o zaštiti ličnih podataka BiH (~~<500~~ZZLP, ~~NOK)~~Sl. glasnik BiH 49/2006)	~~Art.~~BA	Phase 3
Zakon o računovodstvu (Sl. glasnik RS 73/2019)	RS	Phase 2
Zakon o računovodstvu i reviziji FBiH (Sl. novine FBiH 83/2009)	BA (FBiH)	Phase 3
Zakon o računovodstvu i reviziji RS BiH (Sl. glasnik RS BiH 96/2005)	BA (RS entity)	Phase 3
Zakon o računovodstvu HR (NN 78/15, 120/16, 116/18)	HR	Phase 2
Zakon o PDV RS (Sl. glasnik RS 84/2004 et al.)	RS	Phase 2
Zakon o PDV BiH (Sl. glasnik BiH 9/2005 et al.)	BA	Phase 3
Zakon o porezu na dodanu vrijednost HR (NN 73/13 et al.)	HR	Phase 2
Zakon o elektronskom dokumentu RS (Sl. glasnik RS 51/2009)	RS	Phase 2
Opći porezni zakon HR (NN 115/16 et al.)	HR	Phase 2
Pravilnik o kontnom okviru RS (2021)	RS	Phase 2
FBiH Pravilnik o kontnom okviru (2022)	BA (FBiH)	Phase 3
RRiF Kontni plan HR	HR	Phase 2

~~Current~~

~~state:~~

2. Email + password only. SCA required for production launch.

Required implementationSerbia (PhaseRS) 2):
—
Regulatory
BankIDCompliance

~~OIDC~~

2.1 forData initialProtection login— Zakon o zaštiti podataka o ličnosti (Level 4 eID)
Transaction signing with BankID for all payment initiation

Dynamic linking: display amount + payee in BankID signing dialog

Session timeout and re-authentication after 5 minutes inactivity

Open Banking (AISP/PISP)ZZPL)

~~Law:~~Full name: ~~Betalingstjenesteloven~~Zakon §§o ~~4-40~~zaštiti topodataka ~~4-46~~

o ličnosti

~~Service~~	~~Law~~	~~Requirement~~
~~AISP (read bank balances)~~	~~§ 4-41~~	~~AISP license or agent arrangement; explicit user consent~~
~~PISP (initiate payments)~~	~~§ 4-44~~	~~PISP license or agent arrangement; no storing bank credentials~~
~~Dedicated interface~~	~~§ 4-40~~	~~Use banks' PSD2 APIs (Bits, Tink, or direct bank APIs)~~

Consumer Information Requirements

~~Law:~~Citation: ~~Betalingstjenesteloven~~Sl. ~~kapittel~~glasnik 3RS ~~and~~br. 4;87/2018 ~~Finansavtaleloven~~In force: November 21, 2018 Description: Serbia's GDPR-aligned personal data protection law. Supervisory authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti Website: https://www.poverenik.rs

Requirement	~~Section~~ZZPL Article	~~Document~~Bilko Implementation
~~Pre-contractual~~Lawful ~~information~~basis for processing	§§Art. ~~3-1 to 3-8~~12	~~Framework agreement~~Contract (~~rammeavtale)~~Art. 12 st. 1 tač. 2) — accounting service
~~Per-transaction~~Data ~~information~~minimization	§§Art. ~~3-22~~5 tost. ~~3-26~~1 tač. 3	~~Transaction~~Email, ~~receipts~~name, PIB/JMBG only where legally required
~~Fee~~Data ~~transparency~~subject ~~before authorization~~rights	§Art. ~~3-23~~26-41	~~Pre-auth~~GET ~~disclosure~~/account/data, ~~screen~~DELETE /account, GET /account/export
~~Exchange~~Processing ~~rate disclosure~~register	§Art. ~~3-24~~50	FXInternal ~~rate~~processing +register ~~reference rate shown before confirmation~~required
~~Execution~~Security ~~time~~of ~~(non-EEA)~~processing	§Art. ~~4-15~~50	~~Max~~TLS ~~D+4~~1.3, ~~business~~AES-256, ~~days~~bcrypt, RBAC
~~Complaint~~Breach ~~handling~~notification to Poverenik	§Art. ~~3-60~~56	~~Klagebehandling~~Within ~~procedure~~72 hours of awareness

Breach notification: [email protected] | Bulevar kralja Aleksandra 15, 11000 Belgrade

2.2 Accounting Law — Zakon o računovodstvu

Full name: Zakon o računovodstvu Citation: Sl. glasnik RS br. 73/2019, 44/2021

Requirement	Bilko Implementation
Double-entry bookkeeping	Schema enforces debitAccountId + creditAccountId
Chart of accounts: Pravilnik o kontnom okviru (2021) — 10 class (0-9)	Serbian CoA seed data
Bilans stanja (Balance Sheet) + Bilans uspeha (Income Statement)	Phase 2 reports
Filing: APR (https://www.apr.gov.rs), deadline June 30	PDF export + reminders
Document retention: 10 years	Soft delete — never hard delete financial data

2.3 VAT — Zakon o PDV

Citation: Sl. glasnik RS br. 84/2004 (consolidated)

Rate	Description
20% (opšta stopa)	Standard — general goods and services
10% (snižena stopa)	Reduced — food, medicines, utilities
0%	Exports, international transport

VAT threshold: 8,000,000 RSD | Return: Monthly (>50M RSD) or Quarterly | Deadline: 15th of next month

2.4 E-Invoice — SEF (Sistem e-Faktura)

Platform: https://efaktura.gov.rs | Mandatory: B2B since January 2023 Format: UBL 2.1 XML | Penalties: 50,000–2,000,000 RSD for non-compliance Integration: @bilko/country-rs package (Phase 2)

2.5 APR Filing

Serbian entities file annual financial reports with APR (Agencija za privredne registre). Deadline: June 30. Bilko generates APR-compatible PDF/XML exports.

3. Bosnia & Herzegovina (BA) — Regulatory Compliance

Complexity: BiH has two entities (FBiH and Republika Srpska). VAT unified at state level via UIO. Direct taxes separate per entity.

3.1 Data Protection — Zakon o zaštiti ličnih podataka BiH (ZZLP)

Full name: Zakon o zaštiti ličnih podataka Bosne i Hercegovine Citation: Sl. glasnik BiH br. 49/2006, 76/2011, 89/2011 Supervisory authority: AZLP — Agencija za zaštitu ličnih podataka Bosne i Hercegovine Website: https://www.azlp.ba

Requirement	ZZLP Article	Bilko Implementation
Lawful basis	Art. 4	Contract + legal obligation
Security measures	Art. 14	TLS 1.3, AES-256, bcrypt, RBAC
Cross-border transfer	Art. 18	Railway EU West — SCCs mechanism
Breach notification to AZLP	Art. 14 + GDPR practice	72 hours

Breach notification: [email protected] | Hamdije Čemerlića 2/VI, 71000 Sarajevo

3.2 FBiH — Accounting Law

Full name: Zakon o računovodstvu i reviziji Federacije Bosne i Hercegovine Citation: Sl. novine FBiH br. 83/2009, 56/2023

Requirement	Bilko Implementation
Double-entry bookkeeping	Schema enforced
Chart of accounts: FBiH Pravilnik (2022)	BiH CoA seed data
Filing: Agency of Financial Information (FBiH), deadline March 31	PDF export
Document retention: 10 years	Immutable storage

3.3 Republika Srpska (BA Entity)

Citation: Sl. glasnik RS BiH br. 96/2005, 74/2016 Filing: Tax Administration of RS (BiH entity), March 31 Retention: 11 years — maximum applied across BA entities

3.4 VAT — Zakon o PDV BiH

Citation: Sl. glasnik BiH br. 9/2005 (consolidated) Authority: UIO — Uprava za indirektno oporezivanje | https://www.uino.gov.ba

Rate	Description
17% (opća stopa)	Standard — all goods and services
0%	Exports

Threshold: 100,000 BAM | Return: Monthly | No reduced rates

3.5 E-Invoice — CPF (Central Platform for Fiscalisation)

Status: PENDING — technical specifications not published Law adopted: January 2026 (FBiH only) Expected: ~2027

Bilko decision: DO NOT implement CPF until specs published. BiH is Phase 3 launch.

3.6 Corporate Income Tax

Entity	Rate	Deadline
FBiH	10%	March 31
RS (BiH entity)	10%	March 31

4. AML/KYCCroatia (HR) — HvitvaskingslovenRegulatory Compliance

Note: Croatia is EU member state. GDPR applies directly.

Customer4.1 DueData DiligenceProtection (CDD)— GDPR

Requirement	~~Section~~GDPR Article	~~Drop~~Bilko Implementation
~~Identity~~Lawful ~~verification~~basis	§Art. 126	~~BankID~~Contract (~~covers~~6.1.b) ~~name~~for +service; ~~fødselsnummer~~legal +obligation ~~DOB)~~(6.1.c) for tax
~~Electronic~~Data ~~verification~~minimization	§Art. ~~12(3)~~5(1)(c)	~~BankID~~OIB, isname, ~~approved electronic method~~
~~Source of funds (large amounts)~~	~~§ 15~~	~~Trigger above thresholds~~
~~Purpose of relationship~~	~~§ 12(1)d~~	~~Registration questionnaire~~
~~Ongoing monitoring~~	~~§ 24~~	~~Transaction monitoring system~~
~~Record retention~~	~~§ 30~~	~~5 years after relationship ends~~

KYC Tiers

~~Tier~~	~~Limit~~	~~Requirements~~	~~Corridor Risk~~
~~Basic~~	~~Up to 1,000 NOK/transaction, 5,000 NOK/month~~	~~BankID verification~~email only	~~Lav (Low) — EU/EEA~~
~~Standard~~	~~Up to 10,000 NOK/transaction, 30,000 NOK/month~~	~~BankID + address verification~~	~~Middels (Medium) — Serbia, BiH~~
~~Enhanced~~	~~Above 10,000 NOK/transaction~~	~~Full EDD: source of funds + senior management approval~~	~~Høy (High) — Pakistan, Turkey (FATF)~~
~~Blocked~~	~~Any amount~~	~~Sanctioned countries/individuals~~	~~Blokkert — OFAC/UN/EU sanctioned~~

Transaction Monitoring Rules

~~Law:~~ ~~Hvitvaskingsloven §§ 24, 25~~

~~Transactions that must trigger investigation:~~

~~Structuring~~ ~~— multiple transactions just below reporting thresholds~~

~~Rapid movement~~ ~~— large in/out within same day~~

~~Unusual corridors~~ ~~— sudden change in destination country~~

~~Volume spikes~~ ~~— significantly above customer's historical pattern~~

~~FATF jurisdiction~~ ~~— any transaction to FATF grey/black list countries~~

~~PEP match~~ ~~— customer or recipient on PEP list~~

~~Reporting:~~ ~~Suspicious Transaction Reports (STR) filed with EFE (Enheten for finansiell etterretning) via altinn.no. Tipping off the customer is prohibited (§ 28).~~

AML Risk Classification — Corridor Risk

~~Corridor~~	~~Risk Level~~	~~Rationale~~
~~EU/EEA countries~~	~~Lav (Low)~~	~~Strong AML frameworks, FATF compliant~~
~~Croatia (HR)~~	~~Lav (Low)~~	~~EU member state~~
~~Serbia (RS)~~	~~Middels (Medium)~~	~~FATF member, not EU; targeted remittance risk~~
~~Bosnia & Herzegovina (BA)~~	~~Middels (Medium)~~	~~Enhanced monitoring; cash economy~~
~~Turkey (TR)~~	~~Høy (High)~~	~~FATF grey list (monitoring); elevated corridor risk~~
~~Pakistan (PK)~~	~~Høy (High)~~	~~FATF monitoring; common remittance corridor~~
~~OFAC/UN sanctioned countries~~	~~Blokkert~~	~~Transactions blocked entirely~~

~~Source:~~ ~/ALAI/products/Drop/legal/hvitvaskingsrutiner.md

Legal Bases for Processing

~~Processing Activity~~	~~Legal Basis~~	~~Norwegian Law Reference~~
~~User registration~~	~~Contract performance~~	~~Personopplysningsloven § 5, GDPR Art. 6(1)(b)~~
~~KYC identity verification~~	~~Legal obligation~~	~~Personopplysningsloven § 6, GDPR Art. 6(1)(c) + Hvitvaskingsloven § 12~~
~~Payment processing~~	~~Contract performance~~	~~Personopplysningsloven § 5, GDPR Art. 6(1)(b)~~
~~Transaction monitoring (AML)~~	~~Legal obligation~~	~~Personopplysningsloven § 6, GDPR Art. 6(1)(c) + Hvitvaskingsloven § 24~~
~~Fødselsnummer processing~~	~~Special legal basis~~	~~Personopplysningsloven § 12 (requires specific legal basis)~~
~~Error monitoring (Sentry)~~	~~Legitimate interest~~	~~GDPR Art. 6(1)(f)~~
~~Marketing~~	~~Consent~~	~~GDPR Art. 6(1)(a)~~

Data Subject Rights

~~Right~~	~~GDPR Article~~	~~Drop Implementation~~
Right to access	Art. 15	~~Profile~~GET ~~page +~~ /api/v1/account/data ~~export endpoint~~
~~Right to rectification~~	~~Art. 16~~	~~Profile edit~~
Right to erasure	Art. 17	~~Account~~DELETE ~~deletion — 30-day retention for AML override~~
~~Right to restriction~~	~~Art. 18~~	~~Manual processing by DPO~~/api/v1/account
Right to portability	Art. 20	~~JSON~~GET /api/v1/account/export
~~Right~~Security toof ~~object~~processing	Art. 2132	~~Opt-out~~TLS ~~for~~1.3, ~~marketing~~AES-256, bcrypt, RBAC
~~Right~~Breach notification to ~~withdraw consent~~AZOP	Art. ~~7(3)~~33	~~Consent~~Within ~~management~~72 UIhours
DPA with processors	Art. 28	Railway, Vercel, Cloudflare, SendGrid

~~Retention~~Breach ~~conflict:~~notification: [email protected] | https://azop.hr/prijavapovrede | Selska cesta 136, 10000 Zagreb

4.2 Accounting Law — Zakon o računovodstvu HR

Citation: NN 78/15, 120/16, 116/18, 42/20

Requirement	Bilko Implementation
Double-entry bookkeeping	Schema enforced
Chart of accounts: RRiF standard	HR CoA seed data
Accounting standards: CFRS (SMEs) or IFRS (PIEs)	CFRS-compliant reports
Bilanca + Račun dobiti i gubitka	Report generation Phase 2
Filing: FINA RGFI (https://www.fina.hr), deadline April 30	FINA-compatible export
Document retention: 11 years	Immutable storage

4.3 General Tax Law — Opći porezni zakon HR

Citation: NN 115/16, 106/18, 121/19, 32/20 Document retention 11 years, electronic record acceptance, digital accounting system obligations.

4.4 VAT — Zakon o PDV HR

Citation: NN 73/13 et al. | Portal: ePorezna — https://www.porezna-uprava.hr

Rate	Description
25% (opća stopa)	Standard — general goods and services
13% (srednja stopa)	Intermediate — foods, water, accommodation
5% (snižena stopa)	Reduced — books, baby food, medicines
0%	Exports, intra-EU supply

Threshold: 60,000 EUR | Return: Monthly | Deadline: Last day of next month

4.5 E-Invoice — HR-FISK / eRačun

Platform: https://hr-fisk.fina.hr | Operator: FINA — Financijska agencija Mandatory since: January 1, 2026 (all B2B, B2G, B2C) Format: UBL 2.1 XML with HR-CIUS | Protocol: AS4 (Peppol-compatible) Certificate: FINA qualified certificate required Penalties: Up to EUR 500,000 for non-compliance Archive: 11 years

Integration: @bilko/country-hr — FINA certificate + API (Phase 2)

4.6 Corporate Income Tax — Croatia

Standard rate: 18% | Reduced: 10% (revenue <1M EUR) | Deadline: April 30

5. Cross-Country Compliance Matrix

§ ~~AML~~

Requirement	Serbia (RS)	Bosnia & Herzegovina (BA)	Croatia (HR)
Data protection law	ZZPL (GDPR-aligned, 2018)	ZZLP BiH (2006)	GDPR (directly applicable)
Supervisory authority	Poverenik	AZLP	AZOP
Breach notification deadline	72 hours (ZZPL Art. 56)	72 hours (best practice)	72 hours (GDPR Art. 1733)
VAT standard rate	20%	17%	25%
VAT reduced rate	10%	None	13% / 5%
E-invoice platform	SEF (~~erasure)~~mandatory ~~vs.~~Jan ~~Hvitvaskingsloven~~2023)	CPF (pending ~2027)	HR-FISK (mandatory Jan 2026)
E-invoice format	UBL 2.1 XML	TBD	UBL 2.1 XML (HR-CIUS)
Annual report filing	APR — June 30	Agency Fin. Info / Tax Admin — March 31	FINA RGFI — April 30
Chart of accounts	Pravilnik (~~5-year~~2021)	FBiH ~~retention).~~Pravilnik ~~AML~~(2022)	RRiF standard
Document retention	10 years	10 (FBiH) / 11 (RS entity)	11 years
Currency	RSD	BAM	EUR
CIT rate	15%	10%	18% (10% <1M EUR)

Bilko retention ~~takes~~policy: ~~precedence~~Apply maximum across all markets — ~~user~~11 ~~data~~years ~~anonymized~~for ~~after~~all ~~account~~financial ~~close,~~records. ~~transaction~~Never ~~records~~hard ~~retained 5 years.~~delete.

6. Data Classification

Scheme

Level	Label	Examples	~~Encryption Required~~Controls
L1	Public	Exchange rates, fee schedule, ~~getdrop.no~~privacy ~~content~~policy	NoNone
L2	Internal	~~System~~Aggregated ~~logs,~~analytics, ~~performance~~non-PII ~~metrics, error traces~~logs	NoAccess ~~(TLS)~~control
L3	Confidential	~~Names,~~Email, ~~email,~~name, ~~phone,~~organization ~~transaction~~data, ~~history,~~invoice ~~bank balances~~amounts	~~TLS~~Encryption + ~~AES-256~~access atcontrol ~~rest~~+ audit
L4	Restricted	~~Fødselsnummer~~PIB/JMBG/OIB/JIB (~~national~~tax ~~ID)~~IDs), ~~KYC~~IBAN, ~~documents,~~TOTP ~~BankID~~secrets, `sub`password hashes	~~TLS~~Encryption + ~~AES-256-GCM~~RBAC ~~field~~+ ~~encryption~~MFA ~~(separate~~+ ~~key)~~audit + 11-year retention

Tax ID types by country:

Serbia: PIB (9 digits), JMBG (13 digits)

BiH: JIB (13 digits)

Croatia: OIB (11 digits)

7. Data Inventory

Subject Rights Implementation

~~Data Category~~Right	~~Classification~~Endpoint	~~Retention~~SLA	~~Legal Basis~~Exception
~~Name~~Access (GDPR Art. 15 / ZZPL Art. 26)	L3GET ~~Confidential~~/api/v1/account/data	~~Life~~30 ~~of account + 5 years (AML)~~days	~~Contract~~—
~~Email~~Rectification (Art. 16)	L3PATCH ~~Confidential~~/api/v1/account/profile	~~Life of account~~Immediate	~~Contract~~—
~~Phone~~Erasure ~~number~~(Art. 17)	L3DELETE ~~Confidential~~	~~Life of~~ /api/v1/account	~~Contract~~30 days	Financial records retained per law
~~Fødselsnummer~~Portability (Art. 20)	L4GET ~~Restricted~~/api/v1/account/export	530 ~~years (AML)~~days	~~Legal obligation~~—
~~BankID~~Restriction `sub`(Art. 18)	~~L4 Restricted~~[email protected]	~~5 years (AML)~~	~~Legal obligation~~
~~KYC documents~~	~~L4 Restricted~~	~~5 years (AML)~~	~~Legal obligation~~
~~Transaction records~~	~~L3 Confidential~~	~~5 years (AML) + accounting~~	~~Legal obligation~~
~~Bank account balances~~	~~L3 Confidential~~	~~Session only — not persisted~~	~~Contract~~
~~IP addresses / logs~~	~~L2 Internal~~	9030 days	~~Legitimate interest~~

DPIA

~~A Data Protection Impact Assessment (DPIA) has been conducted.~~ ~~Document:~~ data-protection-impact-assessment.md

~~DPIA trigger:~~ ~~Processing of fødselsnummer at scale, BankID integration, cross-border transfers to Serbia/BiH.~~

Cross-Border Data Transfers

~~Destination~~	~~Transfer Mechanism~~	~~Safeguards~~
~~EU/EEA (AWS Frankfurt, Cloudflare EU)~~	~~Free flow (EEA to EEA)~~	~~Standard GDPR protections~~
~~Croatia (HR)~~	~~Free flow (EEA → EU)~~	~~Standard GDPR protections~~
~~Serbia (RS)~~	~~No adequacy decision~~	~~SCCs (Standard Contractual Clauses) + Transfer Impact Assessment (TIA)~~
~~Bosnia & Herzegovina (BA)~~	~~No adequacy decision~~	~~SCCs + Transfer Impact Assessment (TIA)~~
~~USA (AWS, Sentry, BetterStack)~~	~~No adequacy decision~~	~~SCCs + DPA signed~~Manual

~~Note:~~Erasure exception: ~~Serbia~~Invoices, ~~and~~expenses, ~~Bosnia~~transactions &retained ~~Herzegovina~~10-11 doyears ~~not~~(accounting ~~have~~law). EUOnly ~~adequacy~~PII ~~decisions.~~(email, ~~All~~name, ~~data~~password ~~transfers~~hash) ~~involving these countries require SCCs and a documented TIA before data flows.~~anonymized.

6.8. ICTThird-Party SecurityData — IKT-forskriften / DORAProcessors

IKT-forskriften (FOR-2003-05-21-630)

~~Currently applicable to financial enterprises in Norway.~~

~~— Draft— Draft~~

~~Requirement~~Processor	~~Sections~~Service	Region	DPA Status
~~ICT security policy~~Railway	§§PostgreSQL ~~5-6~~hosting	~~Document:~~EU `ikt-sikkerhetspolicy.md`West (Frankfurt/Paris)	Required — ~~Draft~~sign before launch
~~Incident handling~~Vercel	§Frontend 8hosting	~~Document:~~EU `hendelseshaandtering.md`edge	Required
~~Business continuity~~Cloudflare	§CDN, 9WAF, R2 storage	~~Document:~~EU `beredskapsplan.md`region	Required
~~Outsourcing policy~~SendGrid	§Transactional 10email	~~Document:~~ `utkontraktering-policy.md` ~~— Draft~~
~~Access control~~EU	~~§ 5~~	~~Implemented: RBAC, session revocation, JWT~~
~~Encryption~~	~~§ 6~~	~~Implemented: TLS 1.3, AES-256, bcrypt(12)~~Required

9. Compliance Roadmap

DORAPhase 1 — Pre-Launch (EU)GDPR 2022/2554baseline)

User consent mechanism at registration

Data deletion + anonymization workflow

Data export endpoint

DPAs signed: Railway, Vercel, Cloudflare, SendGrid

Railway EU West region confirmed

Breach notification process ready

Phase 2 — Serbia Launch + Croatia Launch

~~DORA~~Serbia:

~~expected~~

toLegal bereview ~~incorporated into Norwegian~~(accounting law ~~approximately~~+ ~~2026~~ZZPL)

Serbian CoA seed data (~~via~~Pravilnik ~~EEA~~2021)

~~Agreement).~~

VAT at 20% / 10%

SEF XML export + API integration

APR report export (Bilans stanja, Bilans uspeha)

Croatia:

Legal review (Zakon o računovodstvu + GDPR)

Croatian CoA seed data (RRiF)

VAT at 25% / 13% / 5%

FINA certificate for HR-FISK

HR-FISK API integration (mandatory)

FINA RGFI report export

Phase 3 — BiH Launch

Legal review (FBiH + RS entity distinction)

BiH CoA seed data (FBiH Pravilnik 2022)

VAT at 17% (UIO)

Monitor CPF specs (~2027)

FBiH vs RS entity org settings

10. Risk Assessment

~~Plan~~ ~~coverswithinpentestpolicyTLS~~

~~DORA Requirement~~Risk	~~Article~~Likelihood	~~Drop~~Impact	Mitigation
~~ICT~~GDPR/ZZPL ~~risk~~breach ~~management framework~~fine	~~Art.~~Low 6(if compliant)	~~Mapped~~High to(GDPR ~~IKT-forskriften~~€20M ~~currently~~/ ZZPL RSD 2M)	Full implementation before first customer
~~ICT~~SEF ~~incident~~non-compliance ~~classification~~(RS)	~~Art. 18~~Medium	~~Breach~~High ~~response~~(RSD ~~plan~~2M)	Phase ~~this~~2 SEF integration
~~Major~~HR-FISK ~~incident~~non-compliance ~~reporting~~(HR)	~~Art.~~High 19(if not integrated)	~~Finanstilsynet~~Critical +(EUR ~~Datatilsynet~~500K)	Phase ~~72h~~2 mandatory
~~Digital~~Financial ~~operational~~data ~~resilience testing~~loss	~~Art. 24-25~~Low	~~Annual~~Critical	30-day ~~planned~~Railway ~~(Phase~~backups, 3)immutable audit
~~ICT~~Tax ~~third-party~~calculation ~~risk management~~error	~~Art. 28-44~~Low	~~Outsourcing~~High	Configurable +rates, ~~DPAs~~NUMERIC precision, Zod
~~Encryption~~BiH ~~standards~~CPF delay	~~Art. 9(4)(d)~~Medium	~~AES-256-GCM,~~Low	Phase 1.3 planned, not blocking RS/HR

~~Law:~~ ~~Valutaregisterloven (LOV-2003-06-06-39)~~

~~All cross-border payment service providers must report transactions to Statistisk sentralbyrå (SSB) and Norges Bank.~~

~~Requirement~~	~~Threshold~~	~~Reporting Recipient~~
~~Cross-border transactions~~	~~All (> 0 NOK)~~	~~SSB via Valutaregisteret~~
~~Aggregate statistics~~	~~Monthly~~	~~Norges Bank~~
~~Format~~	~~XML via SSB API~~	~~Valutaregisteret~~

~~Implementation:~~ ~~Phase 2 — automated reporting pipeline to Valutaregisteret for all completed remittances.~~

8. Compliance Gap Summary

~~Overall compliance readiness: 8/100~~ ~~(MVP stage — expected)~~

~~Area~~	~~Readiness~~	~~Gap~~
~~Licensing (Finanstilsynet)~~	0%	~~No license — no live transactions permitted~~
~~PSD2 / SCA~~	~~10%~~	~~BankID not implemented; SCA not in place~~
~~AML/KYC~~	5%	~~Mock KYC only; no real identity verification~~
~~GDPR~~	~~15%~~	~~Privacy notice + DPIA drafted; no DPO appointed~~
~~ICT Security~~	~~25%~~	~~Security hardened (post 2026-02-13); pentest pending~~
~~Valutaregisterloven~~	0%	~~No SSB reporting pipeline~~
~~Consumer Protection~~	~~20%~~	~~Terms drafted; no formal complaints process~~

~~Phase 2 completion target: 60%~~ ~~(licensing + BankID + real KYC + GDPR implementation)~~ ~~Phase 3 completion target: 85%~~ ~~(pentest + Valutaregisteret + full GDPR + DPO)~~

9. Compliance Monitoring Plan

Monthly Checks

Security ~~npm~~Architecture: ~~audit — dependency vulnerability check~~security-architecture.md
DPIA: ~~Review Sentry errors for security-relevant issues~~data-protection-impact-assessment.md
~~BetterStack uptime + alert review~~

~~Transaction volume check against license threshold (after licensing)~~

Quarterly Checks

~~KYC data retention audit (5-year AML retention compliance)~~

~~GDPR data subject rights fulfillment review~~

~~JWT_SECRET rotation (quarterly per key management policy)~~

~~Review of AML transaction monitoring rules effectiveness~~

~~Security exceptions review~~

Annual Checks

~~External security penetration test (required before Phase 3 launch)~~

~~AML risk assessment review (Hvitvaskingsloven § 6)~~

~~DPIA review (GDPR Art. 35 — when processing changes materially)~~

~~All encryption keys rotation audit~~

~~Regulatory change review — Finanstilsynet circulars~~

~~DPAs review (AWS, Cloudflare, Sentry, BetterStack, Sumsub, BankID Norge AS)~~

10. Third-Party Compliance

~~All third-party processors of personal data require a signed Data Processing Agreement (DPA).~~

~~Vendor~~	~~Role~~	~~DPA Status~~	~~Data Transferred~~
~~AWS (Frankfurt, Ireland)~~	~~Infrastructure + hosting~~	~~Required~~	~~All data~~
~~Cloudflare (EU edge)~~	~~CDN, WAF, DDoS~~	~~Required~~	~~Request metadata, IPs~~
~~Sentry~~	~~Error monitoring~~	~~Required~~	~~Error data, stack traces~~
~~BetterStack~~	~~Uptime + logs~~	~~Required~~	~~Log data~~
~~Sumsub~~	~~KYC verification (Phase 2)~~	~~Required~~	~~Name, photo ID, fødselsnummer~~
~~BankID Norge AS~~	~~eID authentication (Phase 2)~~	~~Required~~	~~Name, fødselsnummer, DOB~~
~~Marqeta / Lithic~~	~~Card issuance (Phase 3)~~	~~Required~~	~~Payment data (PCI-DSS)~~

~~DPA requirement source:~~ ~~GDPR Art. 28; Personopplysningsloven § 5~~

11. Document Register

Plan:

Bilko

Compliance:../../products/Bilko/docs/security/COMPLIANCE.md

Serbia

BiH

Croatia

Regulatory:../../products/Bilko/docs/regulatory/HR/README.md

~~Document~~	~~File~~	~~Status~~	~~Owner~~
~~Privacy notice~~	`personvernerklaering.md`	~~Draft~~	~~DPO~~
~~DPIA~~	`dpia-vurdering.md`	~~Draft~~	~~DPO~~
~~Terms of service~~	`brukervilkar.md`	~~Draft~~	~~Legal~~
~~AML procedures~~	`hvitvaskingsrutiner.md`	~~Draft~~	~~Compliance~~
~~AML risk assessment~~	`risikovurdering-hvitvasking.md`	~~Draft~~	~~Compliance~~
~~ICT security policy~~	`ikt-sikkerhetspolicy.md`	~~Draft~~	~~Security~~
~~Incident handling~~	`hendelseshaandtering.md`	~~Draft~~	~~Security~~
~~Business continuity~~	`beredskapsplan.md`	~~Draft~~	~~Operations~~
~~Outsourcing policy~~	`utkontraktering-policy.md`	~~Draft~~	~~Legal~~
~~Internal control~~	`internkontroll.md`	~~Draft~~	~~Compliance~~
~~Suitability assessment~~	`egnethetsvurdering.md`	~~Draft~~	~~Legal~~
~~Complaint handling~~	`klagebehandling.md`	~~Draft~~	~~Operations~~
~~Licensing preparation~~	`konsesjonssoknad-forberedelse.md`	~~Draft~~	~~Legal~~
~~Gap analysis~~	`drop-gap-analysis-v2.md`	~~Complete~~	~~Compliance~~
~~Regulatory map~~	`drop-regulatory-map-v2.md`	~~Complete~~	~~Legal~~
~~Security architecture~~	`security-architecture.md`	~~Draft~~	~~Security~~
~~Encryption policy~~	`data-encryption-policy.md`	~~Draft~~	~~Security~~
~~Key management policy~~	`key-management-policy.md`	~~Draft~~	~~Security~~
Breach ~~response~~Response ~~plan~~	`data-breach-response-plan.md`	~~Draft~~	~~Security~~
~~Security~~Regulatory: ~~testing~~../../products/Bilko/docs/regulatory/RS/README.md ~~policy~~	`security-testing-policy.Regulatory: ../../products/Bilko/docs/regulatory/BA/README.md`	~~Draft~~	~~Security~~

Approval

Role	Name	Date
Author	~~Security~~Compliance Architect	2026-02-23
DPO
Legal Counsel
CEO