# Compliance Framework # Compliance Framework Document > **Project:** Bilko — Balkan Accounting SaaS > **Version:** 1.0 > **Date:** 2026-02-23 > **Author:** Compliance Architect > **Status:** Draft > **Reviewers:** DPO, Legal Counsel, CEO > **Classification:** Confidential ## Document History | Version | Date | Author | Changes | |---------|------|--------|---------| | 0.1 | 2026-02-23 | Compliance Architect | Initial draft — RS/BA/HR three-country compliance mapping | --- ## 1. Applicable Regulations **Compliance Owner:** Compliance Architect (compliance@bilko.io) **Last Review:** 2026-02-23 | **Next Review:** 2026-08-23 | Regulation | Country | Phase | |-----------|---------|-------| | GDPR — Regulation (EU) 2016/679 | HR | Phase 1 | | Zakon o zaštiti podataka o ličnosti (ZZPL, Sl. glasnik RS 87/2018) | RS | Phase 2 | | Zakon o zaštiti ličnih podataka BiH (ZZLP, Sl. glasnik BiH 49/2006) | BA | Phase 3 | | Zakon o računovodstvu (Sl. glasnik RS 73/2019) | RS | Phase 2 | | Zakon o računovodstvu i reviziji FBiH (Sl. novine FBiH 83/2009) | BA (FBiH) | Phase 3 | | Zakon o računovodstvu i reviziji RS BiH (Sl. glasnik RS BiH 96/2005) | BA (RS entity) | Phase 3 | | Zakon o računovodstvu HR (NN 78/15, 120/16, 116/18) | HR | Phase 2 | | Zakon o PDV RS (Sl. glasnik RS 84/2004 et al.) | RS | Phase 2 | | Zakon o PDV BiH (Sl. glasnik BiH 9/2005 et al.) | BA | Phase 3 | | Zakon o porezu na dodanu vrijednost HR (NN 73/13 et al.) | HR | Phase 2 | | Zakon o elektronskom dokumentu RS (Sl. glasnik RS 51/2009) | RS | Phase 2 | | Opći porezni zakon HR (NN 115/16 et al.) | HR | Phase 2 | | Pravilnik o kontnom okviru RS (2021) | RS | Phase 2 | | FBiH Pravilnik o kontnom okviru (2022) | BA (FBiH) | Phase 3 | | RRiF Kontni plan HR | HR | Phase 2 | --- ## 2. Serbia (RS) — Regulatory Compliance ### 2.1 Data Protection — Zakon o zaštiti podataka o ličnosti (ZZPL) **Full name:** Zakon o zaštiti podataka o ličnosti **Citation:** Sl. glasnik RS br. 87/2018 **In force:** November 21, 2018 **Description:** Serbia's GDPR-aligned personal data protection law. **Supervisory authority:** Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti **Website:** https://www.poverenik.rs | Requirement | ZZPL Article | Bilko Implementation | |------------|-------------|---------------------| | Lawful basis for processing | Art. 12 | Contract (Art. 12 st. 1 tač. 2) — accounting service | | Data minimization | Art. 5 st. 1 tač. 3 | Email, name, PIB/JMBG only where legally required | | Data subject rights | Art. 26-41 | GET /account/data, DELETE /account, GET /account/export | | Processing register | Art. 50 | Internal processing register required | | Security of processing | Art. 50 | TLS 1.3, AES-256, bcrypt, RBAC | | Breach notification to Poverenik | Art. 56 | Within 72 hours of awareness | **Breach notification:** office@poverenik.rs | Bulevar kralja Aleksandra 15, 11000 Belgrade ### 2.2 Accounting Law — Zakon o računovodstvu **Full name:** Zakon o računovodstvu **Citation:** Sl. glasnik RS br. 73/2019, 44/2021 | Requirement | Bilko Implementation | |------------|---------------------| | Double-entry bookkeeping | Schema enforces debitAccountId + creditAccountId | | Chart of accounts: Pravilnik o kontnom okviru (2021) — 10 class (0-9) | Serbian CoA seed data | | Bilans stanja (Balance Sheet) + Bilans uspeha (Income Statement) | Phase 2 reports | | Filing: APR (https://www.apr.gov.rs), deadline June 30 | PDF export + reminders | | Document retention: **10 years** | Soft delete — never hard delete financial data | ### 2.3 VAT — Zakon o PDV **Citation:** Sl. glasnik RS br. 84/2004 (consolidated) | Rate | Description | |------|-------------| | 20% (opšta stopa) | Standard — general goods and services | | 10% (snižena stopa) | Reduced — food, medicines, utilities | | 0% | Exports, international transport | **VAT threshold:** 8,000,000 RSD | **Return:** Monthly (>50M RSD) or Quarterly | **Deadline:** 15th of next month ### 2.4 E-Invoice — SEF (Sistem e-Faktura) **Platform:** https://efaktura.gov.rs | **Mandatory:** B2B since January 2023 **Format:** UBL 2.1 XML | **Penalties:** 50,000–2,000,000 RSD for non-compliance **Integration:** `@bilko/country-rs` package (Phase 2) ### 2.5 APR Filing Serbian entities file annual financial reports with APR (Agencija za privredne registre). Deadline: June 30. Bilko generates APR-compatible PDF/XML exports. --- ## 3. Bosnia & Herzegovina (BA) — Regulatory Compliance **Complexity:** BiH has two entities (FBiH and Republika Srpska). VAT unified at state level via UIO. Direct taxes separate per entity. ### 3.1 Data Protection — Zakon o zaštiti ličnih podataka BiH (ZZLP) **Full name:** Zakon o zaštiti ličnih podataka Bosne i Hercegovine **Citation:** Sl. glasnik BiH br. 49/2006, 76/2011, 89/2011 **Supervisory authority:** AZLP — Agencija za zaštitu ličnih podataka Bosne i Hercegovine **Website:** https://www.azlp.ba | Requirement | ZZLP Article | Bilko Implementation | |------------|-------------|---------------------| | Lawful basis | Art. 4 | Contract + legal obligation | | Security measures | Art. 14 | TLS 1.3, AES-256, bcrypt, RBAC | | Cross-border transfer | Art. 18 | Railway EU West — SCCs mechanism | | Breach notification to AZLP | Art. 14 + GDPR practice | 72 hours | **Breach notification:** info@azlp.ba | Hamdije Čemerlića 2/VI, 71000 Sarajevo ### 3.2 FBiH — Accounting Law **Full name:** Zakon o računovodstvu i reviziji Federacije Bosne i Hercegovine **Citation:** Sl. novine FBiH br. 83/2009, 56/2023 | Requirement | Bilko Implementation | |------------|---------------------| | Double-entry bookkeeping | Schema enforced | | Chart of accounts: FBiH Pravilnik (2022) | BiH CoA seed data | | Filing: Agency of Financial Information (FBiH), deadline March 31 | PDF export | | Document retention: **10 years** | Immutable storage | ### 3.3 Republika Srpska (BA Entity) **Citation:** Sl. glasnik RS BiH br. 96/2005, 74/2016 **Filing:** Tax Administration of RS (BiH entity), March 31 **Retention: 11 years** — maximum applied across BA entities ### 3.4 VAT — Zakon o PDV BiH **Citation:** Sl. glasnik BiH br. 9/2005 (consolidated) **Authority:** UIO — Uprava za indirektno oporezivanje | https://www.uino.gov.ba | Rate | Description | |------|-------------| | 17% (opća stopa) | Standard — all goods and services | | 0% | Exports | **Threshold:** 100,000 BAM | **Return:** Monthly | **No reduced rates** ### 3.5 E-Invoice — CPF (Central Platform for Fiscalisation) **Status:** PENDING — technical specifications not published **Law adopted:** January 2026 (FBiH only) **Expected:** ~2027 **Bilko decision:** DO NOT implement CPF until specs published. BiH is Phase 3 launch. ### 3.6 Corporate Income Tax | Entity | Rate | Deadline | |--------|------|---------| | FBiH | 10% | March 31 | | RS (BiH entity) | 10% | March 31 | --- ## 4. Croatia (HR) — Regulatory Compliance **Note:** Croatia is EU member state. GDPR applies directly. ### 4.1 Data Protection — GDPR **Applicable:** GDPR Regulation (EU) 2016/679 (directly applicable) **National implementing act:** Zakon o provedbi Opće uredbe (NN 42/2018) **Supervisory authority:** AZOP — Agencija za zaštitu osobnih podataka | https://azop.hr | Requirement | GDPR Article | Bilko Implementation | |------------|-------------|---------------------| | Lawful basis | Art. 6 | Contract (6.1.b) for service; legal obligation (6.1.c) for tax | | Data minimization | Art. 5(1)(c) | OIB, name, email only | | Right to access | Art. 15 | GET /api/v1/account/data | | Right to erasure | Art. 17 | DELETE /api/v1/account | | Right to portability | Art. 20 | GET /api/v1/account/export | | Security of processing | Art. 32 | TLS 1.3, AES-256, bcrypt, RBAC | | Breach notification to AZOP | Art. 33 | Within 72 hours | | DPA with processors | Art. 28 | Railway, Vercel, Cloudflare, SendGrid | **Breach notification:** azop@azop.hr | https://azop.hr/prijavapovrede | Selska cesta 136, 10000 Zagreb ### 4.2 Accounting Law — Zakon o računovodstvu HR **Citation:** NN 78/15, 120/16, 116/18, 42/20 | Requirement | Bilko Implementation | |------------|---------------------| | Double-entry bookkeeping | Schema enforced | | Chart of accounts: RRiF standard | HR CoA seed data | | Accounting standards: CFRS (SMEs) or IFRS (PIEs) | CFRS-compliant reports | | Bilanca + Račun dobiti i gubitka | Report generation Phase 2 | | Filing: FINA RGFI (https://www.fina.hr), deadline April 30 | FINA-compatible export | | Document retention: **11 years** | Immutable storage | ### 4.3 General Tax Law — Opći porezni zakon HR **Citation:** NN 115/16, 106/18, 121/19, 32/20 Document retention 11 years, electronic record acceptance, digital accounting system obligations. ### 4.4 VAT — Zakon o PDV HR **Citation:** NN 73/13 et al. | **Portal:** ePorezna — https://www.porezna-uprava.hr | Rate | Description | |------|-------------| | 25% (opća stopa) | Standard — general goods and services | | 13% (srednja stopa) | Intermediate — foods, water, accommodation | | 5% (snižena stopa) | Reduced — books, baby food, medicines | | 0% | Exports, intra-EU supply | **Threshold:** 60,000 EUR | **Return:** Monthly | **Deadline:** Last day of next month ### 4.5 E-Invoice — HR-FISK / eRačun **Platform:** https://hr-fisk.fina.hr | **Operator:** FINA — Financijska agencija **Mandatory since:** January 1, 2026 (all B2B, B2G, B2C) **Format:** UBL 2.1 XML with HR-CIUS | **Protocol:** AS4 (Peppol-compatible) **Certificate:** FINA qualified certificate required **Penalties:** Up to EUR 500,000 for non-compliance **Archive:** 11 years **Integration:** `@bilko/country-hr` — FINA certificate + API (Phase 2) ### 4.6 Corporate Income Tax — Croatia - Standard rate: 18% | Reduced: 10% (revenue <1M EUR) | Deadline: April 30 --- ## 5. Cross-Country Compliance Matrix | Requirement | Serbia (RS) | Bosnia & Herzegovina (BA) | Croatia (HR) | |-------------|------------|--------------------------|-------------| | Data protection law | ZZPL (GDPR-aligned, 2018) | ZZLP BiH (2006) | GDPR (directly applicable) | | Supervisory authority | Poverenik | AZLP | AZOP | | Breach notification deadline | 72 hours (ZZPL Art. 56) | 72 hours (best practice) | 72 hours (GDPR Art. 33) | | VAT standard rate | 20% | 17% | 25% | | VAT reduced rate | 10% | None | 13% / 5% | | E-invoice platform | SEF (mandatory Jan 2023) | CPF (pending ~2027) | HR-FISK (mandatory Jan 2026) | | E-invoice format | UBL 2.1 XML | TBD | UBL 2.1 XML (HR-CIUS) | | Annual report filing | APR — June 30 | Agency Fin. Info / Tax Admin — March 31 | FINA RGFI — April 30 | | Chart of accounts | Pravilnik (2021) | FBiH Pravilnik (2022) | RRiF standard | | Document retention | **10 years** | **10 (FBiH) / 11 (RS entity)** | **11 years** | | Currency | RSD | BAM | EUR | | CIT rate | 15% | 10% | 18% (10% <1M EUR) | **Bilko retention policy:** Apply maximum across all markets — **11 years** for all financial records. Never hard delete. --- ## 6. Data Classification Scheme | Level | Label | Examples | Controls | |-------|-------|---------|---------| | L1 | Public | Exchange rates, fee schedule, privacy policy | None | | L2 | Internal | Aggregated analytics, non-PII logs | Access control | | L3 | Confidential | Email, name, organization data, invoice amounts | Encryption + access control + audit | | L4 | Restricted | PIB/JMBG/OIB/JIB (tax IDs), IBAN, TOTP secrets, password hashes | Encryption + RBAC + MFA + audit + 11-year retention | **Tax ID types by country:** - Serbia: PIB (9 digits), JMBG (13 digits) - BiH: JIB (13 digits) - Croatia: OIB (11 digits) --- ## 7. Data Subject Rights Implementation | Right | Endpoint | SLA | Exception | |-------|---------|-----|-----------| | Access (GDPR Art. 15 / ZZPL Art. 26) | GET /api/v1/account/data | 30 days | — | | Rectification (Art. 16) | PATCH /api/v1/account/profile | Immediate | — | | Erasure (Art. 17) | DELETE /api/v1/account | 30 days | Financial records retained per law | | Portability (Art. 20) | GET /api/v1/account/export | 30 days | — | | Restriction (Art. 18) | compliance@bilko.io | 30 days | Manual | **Erasure exception:** Invoices, expenses, transactions retained 10-11 years (accounting law). Only PII (email, name, password hash) anonymized. --- ## 8. Third-Party Data Processors | Processor | Service | Region | DPA Status | |---------|---------|--------|-----------| | Railway | PostgreSQL hosting | EU West (Frankfurt/Paris) | Required — sign before launch | | Vercel | Frontend hosting | EU edge | Required | | Cloudflare | CDN, WAF, R2 storage | EU region | Required | | SendGrid | Transactional email | EU | Required | --- ## 9. Compliance Roadmap ### Phase 1 — Pre-Launch (GDPR baseline) - [ ] Privacy policy published - [ ] Terms of Service published - [ ] User consent mechanism at registration - [ ] Data deletion + anonymization workflow - [ ] Data export endpoint - [ ] DPAs signed: Railway, Vercel, Cloudflare, SendGrid - [ ] Railway EU West region confirmed - [ ] Breach notification process ready ### Phase 2 — Serbia Launch + Croatia Launch **Serbia:** - [ ] Legal review (accounting law + ZZPL) - [ ] Serbian CoA seed data (Pravilnik 2021) - [ ] VAT at 20% / 10% - [ ] SEF XML export + API integration - [ ] APR report export (Bilans stanja, Bilans uspeha) **Croatia:** - [ ] Legal review (Zakon o računovodstvu + GDPR) - [ ] Croatian CoA seed data (RRiF) - [ ] VAT at 25% / 13% / 5% - [ ] FINA certificate for HR-FISK - [ ] HR-FISK API integration (mandatory) - [ ] FINA RGFI report export ### Phase 3 — BiH Launch - [ ] Legal review (FBiH + RS entity distinction) - [ ] BiH CoA seed data (FBiH Pravilnik 2022) - [ ] VAT at 17% (UIO) - [ ] Monitor CPF specs (~2027) - [ ] FBiH vs RS entity org settings --- ## 10. Risk Assessment | Risk | Likelihood | Impact | Mitigation | |------|-----------|--------|------------| | GDPR/ZZPL breach fine | Low (if compliant) | High (GDPR €20M / ZZPL RSD 2M) | Full implementation before first customer | | SEF non-compliance (RS) | Medium | High (RSD 2M) | Phase 2 SEF integration | | HR-FISK non-compliance (HR) | High (if not integrated) | Critical (EUR 500K) | Phase 2 mandatory | | Financial data loss | Low | Critical | 30-day Railway backups, immutable audit | | Tax calculation error | Low | High | Configurable rates, NUMERIC precision, Zod | | BiH CPF delay | Medium | Low | Phase 3 planned, not blocking RS/HR | --- ## Related Documents - Security Architecture: [security-architecture.md](security-architecture.md) - DPIA: [data-protection-impact-assessment.md](data-protection-impact-assessment.md) - Breach Response Plan: [data-breach-response-plan.md](data-breach-response-plan.md) - Bilko Compliance: [../../products/Bilko/docs/security/COMPLIANCE.md](../../products/Bilko/docs/security/COMPLIANCE.md) - Serbia Regulatory: [../../products/Bilko/docs/regulatory/RS/README.md](../../products/Bilko/docs/regulatory/RS/README.md) - BiH Regulatory: [../../products/Bilko/docs/regulatory/BA/README.md](../../products/Bilko/docs/regulatory/BA/README.md) - Croatia Regulatory: [../../products/Bilko/docs/regulatory/HR/README.md](../../products/Bilko/docs/regulatory/HR/README.md) --- ## Approval | Role | Name | Date | Signature | |------|------|------|-----------| | Author | Compliance Architect | 2026-02-23 | | | DPO | | | | | Legal Counsel | | | | | CEO | | | |