Compliance Framework Document

Project: Bilko — Balkan Accounting SaaS
Version: 1.0
Date: 2026-02-23
Author: DPO / Compliance Officer
Status: Draft
Reviewers: DPO, CTO, Legal Counsel (RS, BA, HR), CEO
Classification: Confidential

Document History

Version | Date | Author | Changes
--- | --- | --- | ---
0.1 | 2026-02-23 | DPO / Compliance Officer | Initial draft — RS/BA/HR three-country compliance mapping

1. Compliance Scope and Applicable Regulations

Bilko is a cloud accounting SaaS operating in three jurisdictions. Each has distinct data protection, accounting, tax, and e-invoicing requirements.

Compliance Owner: Compliance Architect ([email protected]) | Last Review: 2026-02-23 | Next Review: 2026-08-23

Regulation | Country | Phase
--- | --- | ---
GDPR — Regulation (EU) 2016/679 | HR | Phase 1
Zakon o zaštiti podataka o ličnosti (ZZPL, Sl. glasnik RS 87/2018) | RS | Phase 2
Zakon o zaštiti ličnih podataka BiH (ZZLP, Sl. glasnik BiH 49/2006) | BA | Phase 3
Zakon o računovodstvu (Sl. glasnik RS 73/2019) | RS | Phase 2
Zakon o računovodstvu i reviziji FBiH (Sl. novine FBiH 83/2009) | BA (FBiH) | Phase 3
Zakon o računovodstvu i reviziji RS BiH (Sl. glasnik RS BiH 96/2005) | BA (RS entity) | Phase 3
Zakon o računovodstvu HR (NN 78/15, 120/16, 116/18) | HR | Phase 2
Zakon o PDV RS (Sl. glasnik RS 84/2004 et al.) | RS | Phase 2
Zakon o PDV BiH (Sl. glasnik BiH 9/2005 et al.) | BA | Phase 3
Zakon o porezu na dodanu vrijednost HR (NN 73/13 et al.) | HR | Phase 2
Zakon o elektronskom dokumentu RS (Sl. glasnik RS 51/2009) | RS | Phase 2
Opći porezni zakon HR (NN 115/16 et al.) | HR | Phase 2
Pravilnik o kontnom okviru RS (2021) | RS | Phase 2
FBiH Pravilnik o kontnom okviru (2022) | BA (FBiH) | Phase 3
RRiF Kontni plan HR | HR | Phase 2

(Diagram not reproduced: per-country regulatory overview for RS, BA and HR covering data protection, accounting, VAT, e-invoicing and annual filing; the same items appear in the tables below.)

2. Data Protection Compliance

2.1 Applicable Laws

Serbia — ZZPL. Full name: Zakon o zaštiti podataka o ličnosti | Citation: Sl. glasnik RS br. 87/2018 | In force: November 21, 2018 | Description: Serbia's GDPR-aligned personal data protection law | Supervisory authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti | Website: https://www.poverenik.rs
Jurisdiction | Law | Supervisory Authority | Penalty
--- | --- | --- | ---
Serbia | ZZPL (Sl. glasnik RS br. 87/2018) | Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti | Up to 2M RSD (legal entity)
Bosnia & Herzegovina | ZZLP BiH (Sl. glasnik BiH 49/2006) | Agencija za zaštitu ličnih podataka (AZLP) | Up to 10K BAM
Croatia | GDPR — Uredba (EU) 2016/679 | Agencija za zaštitu osobnih podataka (AZOP) | Up to €20M or 4% of global turnover

2.2 Data Subject Rights Implementation

Right | GDPR Article | ZZPL Equivalent | Status
--- | --- | --- | ---
Access | Art. 15 | Art. 26 | Planned — /api/gdpr/export endpoint
Rectification | Art. 16 | Art. 27 | In-app edit functionality
Erasure ("right to be forgotten") | Art. 17 | Art. 28 | Blocked by legal retention requirements
Portability | Art. 20 | Art. 30 | Planned — JSON/CSV export
Restriction | Art. 18 | Art. 29 | Planned — account suspension flow
Objection | Art. 21 | Art. 31 | Via support ticket

Note on erasure: financial data cannot be erased during the mandatory retention periods (10 years RS, 10-11 years BA, 11 years HR). The account can be anonymized (name/email), but transaction records must be kept.

2.3 Cross-Border Data Transfers

  • Host: Railway EU West (Amsterdam / Frankfurt) — within EEA
  • HR → Railway: No transfer mechanism needed (EU to EU)
  • RS → Railway: Serbia is on GDPR adequacy list (European Commission Decision 2023/1485)
  • BA → Railway: No EU adequacy decision for BiH. Rely on Standard Contractual Clauses (SCC 2021/914) with Railway as processor.

2.4 DPA Requirements

Data Processing Agreements must be signed with:

  • Railway (primary database host)
  • Cloudflare (WAF, CDN — processes IP addresses)
  • Sentry (error tracking — processes stack traces with potential PII)
  • Any email service provider

3. Accounting & Tax Compliance

3.1 Serbia (RS)

Requirement | Law | Details | Bilko Implementation
--- | --- | --- | ---
Chart of accounts | Pravilnik o kontnom okviru (Sl. glasnik RS 3/2020) | Standard Serbian accounting CoA, 9 classes | RS-specific CoA template preloaded on org creation
VAT rates | Zakon o PDV (Sl. glasnik RS 84/2004 + amendments) | 20% standard, 10% reduced, 0% exempt | VAT rate selector on invoice line items
Financial statements | Zakon o računovodstvu | Bilans stanja + Bilans uspeha (BS format) | Export to APR-compliant XML/PDF
Mandatory e-invoicing | Zakon o elektronskom fakturisanju (Sl. glasnik RS 44/2021) | B2B mandatory since Jan 1, 2023 (≥4.5M RSD) | SEF API integration (UBL 2.1 XML)
APR filing deadline | Zakon o računovodstvu Art. 33 | June 30 (full-year entities), March 31 (other) | In-app reminder + export
Retention period | Zakon o računovodstvu Art. 26 | 10 years for financial statements and documentation | Delete-prevention lock on records >0 days old
Pausal regime | Zakon o paušalnom oporezivanju | <6M RSD annual income | Simplified invoice mode for pausal firms
PIO/health contributions | Zakon o doprinosima | Applied to salaries | Future: payroll module

Data protection requirements under the ZZPL (Serbia):

Requirement | ZZPL Article | Details / Bilko Implementation
--- | --- | ---
Lawful basis for processing | Art. 12 | Contract (Art. 12 st. 1 tač. 2)
Data minimization | Art. 5 st. 1 tač. 3 | Email, name, PIB/JMBG only where legally required
Data subject rights | Art. 26-41 | GET /account/data, DELETE /account, GET /account/export
Processing register | Art. 50 | Internal processing register required
Security of processing | Art. 50 | TLS 1.3, AES-256, bcrypt, RBAC
Breach notification to Poverenik | Art. 56 | Within 72 hours of awareness

Breach notification: [email protected] | Bulevar kralja Aleksandra 15, 11000 Belgrade

SEF integration:

  • Portal: efaktura.mfin.gov.rs
  • Format: UBL 2.1 XML (HR-CIUS compatible subset)
  • Authentication: API key per organization
  • Mandatory fields: seller PIB, buyer PIB, invoice number, date, amounts, VAT breakdown

3.1.1 Accounting Law — Zakon o računovodstvu

Full name: Zakon o računovodstvu | Citation: Sl. glasnik RS br. 73/2019, 44/2021

Requirement | Bilko Implementation
--- | ---
Double-entry bookkeeping | Schema enforces debitAccountId + creditAccountId
Chart of accounts: Pravilnik o kontnom okviru (2021), 10 classes (0-9) | Serbian CoA seed data
Bilans stanja (Balance Sheet) + Bilans uspeha (Income Statement) | Phase 2 reports
Filing: APR (https://www.apr.gov.rs), deadline June 30 | PDF export + reminders
Document retention: 10 years | Soft delete — never hard delete financial data

3.1.2 VAT — Zakon o PDV

Citation: Sl. glasnik RS br. 84/2004 (consolidated)

Rate | Description
--- | ---
20% (opšta stopa) | Standard — general goods and services
10% (snižena stopa) | Reduced — food, medicines, utilities
0% | Exports, international transport

VAT threshold: 8,000,000 RSD | Return: Monthly (>50M RSD) or Quarterly | Deadline: 15th of the next month

3.1.3 E-Invoice — SEF (Sistem e-Faktura)

Platform: https://efaktura.gov.rs | Mandatory: B2B since January 2023 | Format: UBL 2.1 XML | Penalties: 50,000–2,000,000 RSD for non-compliance | Integration: @bilko/country-rs package (Phase 2)

3.1.4 APR Filing

Serbian entities file annual financial reports with APR (Agencija za privredne registre). Deadline: June 30. Bilko generates APR-compatible PDF/XML exports.

3.2 Bosnia & Herzegovina (BA) — Regulatory Compliance

Complexity: BiH has two entities (FBiH and Republika Srpska). VAT is unified at state level via UIO; direct taxes are separate per entity.

Requirement | Law | Details | Bilko Implementation
--- | --- | --- | ---
FBiH CoA | FBiH Pravilnik o računovodstvu (Sl. novine FBiH 89/2016 + 2022 revision) | FBiH-specific chart of accounts | FBiH CoA template
RS entity CoA | RS BiH Pravilnik | RS entity chart of accounts (differs from FBiH) | RS BiH CoA template
VAT rate | Zakon o PDV BiH (Sl. glasnik BiH 9/2005) | 17% standard, 0% exempt — UIO authority | VAT 17% selector
VAT filing | UIO portal | Monthly/quarterly PDV prijava | Export to UIO-compatible format
Filing deadline | FBiH and RS entity laws | March 31 (most entities) | In-app reminder
FBiH retention | Zakon o računovodstvu i reviziji FBiH Art. 17 | 10 years | Delete-prevention lock
RS entity retention | Zakon o računovodstvu i reviziji RS BiH Art. 16 | 11 years | Delete-prevention lock
e-Invoice | CPF platform (pending) | Expected mandatory ~2027 | Roadmap item
CIT rate | Zakon o porezu na dobit FBiH | 10% flat | Future: tax calculation module

Entity detection: Bilko must determine whether an organization is in FBiH, the RS entity, or Brčko District to apply the correct CoA and retention rules. On org creation, the user selects the entity. Brčko follows state-level law.

3.2.1 Data Protection — Zakon o zaštiti ličnih podataka BiH (ZZLP)

Full name: Zakon o zaštiti ličnih podataka Bosne i Hercegovine | Citation: Sl. glasnik BiH br. 49/2006, 76/2011, 89/2011 | Supervisory authority: AZLP — Agencija za zaštitu ličnih podataka Bosne i Hercegovine | Website: https://www.azlp.ba

Requirement | ZZLP Article | Details / Bilko Implementation
--- | --- | ---
Lawful basis | Art. 4 | Contract + legal obligation
Security measures | Art. 14 | TLS 1.3, AES-256, bcrypt, RBAC
Cross-border transfer | Art. 18 | Railway EU West — SCC mechanism
Breach notification to AZLP | Art. 14 + GDPR practice | 72 hours

Breach notification: [email protected] | Hamdije Čemerlića 2/VI, 71000 Sarajevo

3.2.2 FBiH — Accounting Law

Full name: Zakon o računovodstvu i reviziji Federacije Bosne i Hercegovine | Citation: Sl. novine FBiH br. 83/2009, 56/2023

Requirement | Bilko Implementation
--- | ---
Double-entry bookkeeping | Schema enforced
Chart of accounts: FBiH Pravilnik (2022) | BiH CoA seed data
Filing: Agency of Financial Information (FBiH), deadline March 31 | PDF export
Document retention: 10 years | Immutable storage

3.2.3 Republika Srpska (BA Entity)

Citation: Sl. glasnik RS BiH br. 96/2005, 74/2016 | Filing: Tax Administration of RS (BiH entity), March 31 | Retention: 11 years — maximum applied across BA entities

3.2.4 VAT — Zakon o PDV BiH

Citation: Sl. glasnik BiH br. 9/2005 (consolidated) | Authority: UIO — Uprava za indirektno oporezivanje | https://www.uino.gov.ba

Rate | Description
--- | ---
17% (opća stopa) | Standard — all goods and services
0% | Exports

Threshold: 100,000 BAM | Return: Monthly | No reduced rates

3.2.5 E-Invoice — CPF (Central Platform for Fiscalisation)

Status: PENDING — technical specifications not published | Law adopted: January 2026 (FBiH only) | Expected: ~2027

Bilko decision: DO NOT implement CPF until specs published. BiH is Phase 3 launch.

3.2.6 Corporate Income Tax

Entity | Rate | Deadline
--- | --- | ---
FBiH | 10% | March 31
RS (BiH entity) | 10% | March 31

3.3 Croatia (HR) — Regulatory Compliance

Note: Croatia is an EU member state; GDPR applies directly.

3.3.1 Data Protection — GDPR

Applicable: GDPR, Regulation (EU) 2016/679 (directly applicable) | National implementing act: Zakon o provedbi Opće uredbe (NN 42/2018) | Supervisory authority: AZOP — Agencija za zaštitu osobnih podataka | https://azop.hr

Requirement | GDPR Article | Bilko Implementation
--- | --- | ---
Lawful basis | Art. 6 | Contract (6.1.b) for service; legal obligation (6.1.c) for tax
Data minimization | Art. 5(1)(c) | OIB, name, email only
Right to access | Art. 15 | GET /api/v1/account/data
Right to erasure | Art. 17 | DELETE /api/v1/account
Right to portability | Art. 20 | GET /api/v1/account/export
Security of processing | Art. 32 | TLS 1.3, AES-256, bcrypt, RBAC
Breach notification to AZOP | Art. 33 | Within 72 hours
DPA with processors | Art. 28 | Railway, Vercel, Cloudflare, SendGrid

Breach notification: [email protected] | https://azop.hr/prijavapovrede | Selska cesta 136, 10000 Zagreb

3.3.2 Accounting Law — Zakon o računovodstvu HR

Citation: NN 78/15, 120/16, 116/18, 42/20

Requirement | Bilko Implementation
--- | ---
Double-entry bookkeeping | Schema enforced
Chart of accounts: RRiF standard | HR CoA seed data
Accounting standards: CFRS (SMEs) or IFRS (PIEs) | CFRS-compliant reports
Bilanca + Račun dobiti i gubitka | Report generation Phase 2
Filing: FINA RGFI (https://www.fina.hr), deadline April 30 | FINA-compatible export
Document retention: 11 years | Immutable storage

3.3.3 General Tax Law — Opći porezni zakon HR

Citation: NN 115/16, 106/18, 121/19, 32/20 | Key obligations: 11-year document retention, electronic record acceptance, digital accounting system obligations.

3.3.4 VAT — Zakon o PDV HR

Citation: NN 73/13 et al. | Portal: ePorezna — https://www.porezna-uprava.hr

Rate | Description
--- | ---
25% (opća stopa) | Standard — general goods and services
13% (srednja stopa) | Intermediate — foods, water, accommodation
5% (snižena stopa) | Reduced — books, baby food, medicines
0% | Exports, intra-EU supply

Threshold: 60,000 EUR | Return: Monthly | Deadline: Last day of next month

3.3.5 E-Invoice — HR-FISK / eRačun

Platform: https://hr-fisk.fina.hr | Operator: FINA — Financijska agencija | Mandatory since: January 1, 2026 (all B2B, B2G, B2C) | Format: UBL 2.1 XML with HR-CIUS | Protocol: AS4 (Peppol-compatible) | Certificate: FINA qualified certificate required | Penalties: up to EUR 500,000 for non-compliance | Archive: 11 years

Integration: @bilko/country-hr — FINA certificate + API (Phase 2)

3.3.6 Corporate Income Tax — Croatia

  • Standard rate: 18% | Reduced: 10% (revenue <1M EUR) | Deadline: April 30

3.3.7 Requirement Mapping — Croatia (HR)

Requirement | Law | Details | Bilko Implementation
--- | --- | --- | ---
CoA | Zakon o računovodstvu (NN 78/15) | Croatian standard CoA (HSFI; MSFI for large entities) | HR CoA template
Currency | Since Jan 2024: EUR only | HRK phased out. All amounts in EUR. | EUR default for HR orgs
VAT rates | Zakon o PDV (NN 73/13) | 25% standard, 13% (food/hotels), 5% (books/medicines), 0% | VAT rate selector per line item
VAT filing | Porezna uprava | Monthly/quarterly PDV obrazac | Export for manual filing (Porezna uprava portal)
HR-FISK (eRačun) | Zakon o elektroničkom izdavanju računa u javnoj nabavi (NN 94/18) + amendments | Mandatory Jan 1, 2026 for B2B above threshold. FINA certificate required. UBL 2.1 XML HR-CIUS. Penalty up to EUR 500K | HR-FISK API integration — Roadmap P2
FINA RGFI filing | Zakon o računovodstvu Art. 30 | April 30 | In-app reminder + FINA export
Retention | Zakon o računovodstvu Art. 10 + Opći porezni zakon | 11 years | Delete-prevention lock
Fiscalization 2.0 | Pravilnik o fiskalizaciji | Cash register fiscalization (if cash payments) | Cash receipt module with Porezna uprava integration

HR-FISK priority: Croatia's eRačun mandate (Jan 2026) with an EUR 500K penalty makes this the highest-priority e-invoicing integration. The FINA certificate must be obtained during onboarding for HR organizations.

4. Cross-Country Compliance Matrix

Requirement | Serbia (RS) | Bosnia & Herzegovina (BA) | Croatia (HR)
--- | --- | --- | ---
Data protection law | ZZPL (GDPR-aligned, 2018) | ZZLP BiH (2006) | GDPR (directly applicable)
Supervisory authority | Poverenik | AZLP | AZOP
Breach notification deadline | 72 hours (ZZPL Art. 56) | 72 hours (best practice) | 72 hours (GDPR Art. 33)
VAT standard rate | 20% | 17% | 25%
VAT reduced rate | 10% | None | 13% / 5%
E-invoice platform | SEF (mandatory Jan 2023) | CPF (pending ~2027) | HR-FISK (mandatory Jan 2026)
E-invoice format | UBL 2.1 XML | TBD | UBL 2.1 XML (HR-CIUS)
Annual report filing | APR — June 30 | Agency Fin. Info / Tax Admin — March 31 | FINA RGFI — April 30
Chart of accounts | Pravilnik (2021) | FBiH Pravilnik (2022) | RRiF standard
Document retention | 10 years | 10 (FBiH) / 11 (RS entity) | 11 years
Currency | RSD | BAM | EUR
CIT rate | 15% | 10% | 18% (10% for revenue <1M EUR)

Bilko retention policy: apply the maximum across all markets, 11 years, to all financial records. Never hard delete.


5. Data Classification Scheme

Level | Label | Examples | Controls
--- | --- | --- | ---
L1 | Public | Exchange rates, fee schedule, privacy policy | None
L2 | Internal | Aggregated analytics, non-PII logs | Access control
L3 | Confidential | Email, name, organization data, invoice amounts | Encryption + access control + audit
L4 | Restricted | PIB/JMBG/OIB/JIB (tax IDs), IBAN, TOTP secrets, password hashes | Encryption + RBAC + MFA + audit + 11-year retention

Tax ID types by country:

  • Serbia: PIB (9 digits), JMBG (13 digits)
  • BiH: JIB (13 digits)
  • Croatia: OIB (11 digits)

6. Data Subject Rights Implementation

Right | Endpoint | SLA | Exception
--- | --- | --- | ---
Access (GDPR Art. 15 / ZZPL Art. 26) | GET /api/v1/account/data | 30 days | —
Rectification (Art. 16) | PATCH /api/v1/account/profile | Immediate | —
Erasure (Art. 17) | DELETE /api/v1/account | 30 days | Financial records retained per law
Portability (Art. 20) | GET /api/v1/account/export | 30 days | —
Restriction (Art. 18) | [email protected] | 30 days | Manual

Erasure exception: invoices, expenses and transactions are retained for 10-11 years under accounting law; only PII (email, name, password hash) is anonymized.


7. Third-Party Data Processors

Processor | Service | Region | DPA Status
--- | --- | --- | ---
Railway | PostgreSQL hosting | EU West (Frankfurt/Paris) | Planned — sign before launch
Vercel | Frontend hosting | EU edge | Required
Cloudflare | CDN, WAF, R2 storage | EU region | Required
SendGrid | Transactional email | EU | Planned

8. Controls Register

Control ID | Description | Type | Applies To | Status
--- | --- | --- | --- | ---
CC-01 | AES-256-GCM encryption for L4 Restricted fields (PIB, JMBG, OIB, JIB, IBAN) | Technical | RS, BA, HR | Planned
CC-02 | Organization-scoped WHERE on all Prisma queries | Technical | All | Planned
CC-03 | RBAC with 4 roles (owner/admin/accountant/viewer) | Technical | All | Planned
CC-04 | JWT RS256 with 15 min expiry + refresh token rotation | Technical | All | Planned
CC-05 | TLS 1.3 minimum via Cloudflare | Technical | All | Active
CC-06 | LoggedAction audit trail (append-only, 10-11 yr retention) | Technical | All | Planned
CC-07 | DPA signed with Railway, Cloudflare, Sentry | Legal | All | Required pre-launch
CC-08 | SEF integration for RS B2B e-invoicing | Technical | RS | P2 Roadmap
CC-09 | HR-FISK integration + FINA certificate flow | Technical | HR | P2 Roadmap
CC-10 | Data subject rights endpoints (/gdpr/export, /gdpr/delete) | Technical | All | Planned
CC-11 | 72-hour breach notification procedure to Poverenik/AZLP/AZOP | Procedural | All | Required pre-launch
CC-12 | Privacy Policy in Serbian, Bosnian, Croatian | Legal | RS, BA, HR | Required pre-launch
CC-13 | Terms of Service with data processing consent | Legal | All | Required pre-launch
CC-14 | VAT rate validation per jurisdiction | Technical | RS, BA, HR | Planned
CC-15 | Retention lock preventing deletion of accounting records during mandatory retention period | Technical | All | Planned
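The following TypeScript is an added illustration of CC-15 and of the erasure exception described under data subject rights; it is not Bilko's own code. The jurisdiction codes, the record and account shapes, and the function names are assumptions made for this example; the retention periods are the ones this document lists.

```typescript
// Added example, not Bilko's code: the CC-15 retention lock and the erasure
// exception (anonymize PII, keep the ledger). Jurisdiction codes, the record
// shape and the function names are assumptions made for this illustration.

export type Jurisdiction = "RS" | "BA-FBiH" | "BA-RS" | "HR";
// Statutory retention periods for financial records as listed in this document:
// RS Art. 26, FBiH Art. 17, RS BiH Art. 16, HR Art. 10 + Opći porezni zakon.
const STATUTORY_RETENTION_YEARS: Record<Jurisdiction, number> = {
  RS: 10, "BA-FBiH": 10, "BA-RS": 11, HR: 11,
};

// Bilko policy (see the cross-country matrix): the maximum across all markets applies everywhere.
export const BILKO_RETENTION_YEARS: number =
  Math.max(...Object.values(STATUTORY_RETENTION_YEARS));

export interface FinancialRecord {
  id: string;
  jurisdiction: Jurisdiction;
  issuedOn: Date; // document date that starts the retention clock
}
export interface Account {
  id: string; name: string; email: string; passwordHash: string; records: FinancialRecord[];
}

export function statutoryRetentionYears(j: Jurisdiction): number {
  return STATUTORY_RETENTION_YEARS[j];
}

// Retention ends on the same calendar day, BILKO_RETENTION_YEARS after issue.
export function retentionEnd(rec: FinancialRecord): Date {
  const end = new Date(rec.issuedOn.getTime());
  end.setUTCFullYear(end.getUTCFullYear() + BILKO_RETENTION_YEARS);
  return end;
}

export function isRetentionLocked(rec: FinancialRecord, now: Date): boolean {
  return now.getTime() < retentionEnd(rec).getTime();
}

// Hard delete is refused while the lock holds; callers must soft-delete instead.
export function hardDelete(rec: FinancialRecord, now: Date): void {
  if (isRetentionLocked(rec, now)) {
    const until = retentionEnd(rec).toISOString();
    throw new Error(`retention lock: ${rec.id} (${rec.jurisdiction}) is retained until ${until}`);
  }
}

// Erasure request (GDPR Art. 17 / ZZPL Art. 28): PII is overwritten, every
// financial record is kept unchanged, and the caller learns how many are locked.
export function eraseAccount(acc: Account, now: Date): { account: Account; lockedRecords: number } {
  const lockedRecords = acc.records.filter((r) => isRetentionLocked(r, now)).length;
  const account: Account = {
    ...acc,
    name: "ERASED",
    email: `erased-${acc.id}@example.invalid`, // reserved TLD (RFC 2606): never deliverable
    passwordHash: "",                          // empty hash: login permanently disabled
  };
  return { account, lockedRecords };
}
```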

9. Compliance Roadmap

Phase 1 — Pre-Launch / MVP (GDPR baseline)

  • GDPR/ZZPL core controls (2026-03 to 2026-05)
  • DPAs signed: Railway, Vercel, Cloudflare, SendGrid (2026-04 to 2026-05)
  • Privacy policy published in 3 languages (2026-04 to 2026-05)
  • Terms of Service published (2026-04 to 2026-05)
  • DPIA completed (2026-04 to 2026-05)
  • User consent mechanism at registration
  • Data deletion + anonymization workflow
  • Data export endpoint
  • Railway EU West region confirmed
  • Breach notification process ready

Phase 2 — Serbia + Croatia Launch

  • Serbia: SEF e-invoice integration
  • Croatia: HR-FISK + FINA certificate flow (2026-10 to 2026-12); HR CoA + EUR amounts (2026-10 to 2026-11); Porezna uprava PDV export (2026-10 to 2026-11); FINA RGFI export (2026-10 to 2026-11)

Phase 3 — BiH (BA) Launch

10. Risk Assessment

Risk | Likelihood | Impact | Mitigation
--- | --- | --- | ---
GDPR/ZZPL breach fine | Low (if compliant) | High (GDPR €20M / ZZPL RSD 2M) | Full implementation before first customer
SEF non-compliance (RS) | Medium | High (RSD 2M) | Phase 2 SEF integration
HR-FISK non-compliance (HR) | High (if not integrated) | Critical (EUR 500K) | Phase 2, mandatory
Financial data loss | Low | Critical | 30-day Railway backups, immutable audit
Tax calculation error | Low | High | Configurable rates, NUMERIC precision, Zod
BiH CPF delay | Medium | Low | Phase 3 planned, not blocking RS/HR


Approval

Role | Name | Signature | Date
--- | --- | --- | ---
Author (DPO / Compliance Officer) | | | 2026-02-23
Reviewer (DPO) | | |
Reviewer (CTO) | | |
Reviewer (RS Legal) | | |
Reviewer (BA Legal) | | |
Reviewer (HR Legal) | | |
Approver (CEO) | | |