Data Protection Impact Assessment (DPIA)

Project: ~~Drop~~Bilko — ~~PSD2~~Balkan ~~Pass-Through~~Accounting ~~Payment App~~SaaS Processing Activity: ~~All~~Multi-Tenant ~~personal~~Accounting ~~data~~Data ~~processing~~Processing in(invoices, ~~Drop~~expenses, ~~payment~~VAT, ~~service~~tax filings) Version: 1.0 Date: 2026-02-23 Author: ~~Security~~Compliance Architect DPO: ~~DPO~~TBD (~~[email protected])~~[email protected]) Status: Draft Reviewers: DPO, Legal Counsel, ~~CTO~~Engineering Lead Classification: Confidential ~~Document-ID:~~ ~~DPIA-DROP-001~~

Document History

accountingSaaSdata

Version	Date	Author	Changes
0.1	2026-02-1223	~~ALAI~~Compliance ~~Holding AS~~Architect	Initial DPIA ~~assessment~~— (`legal/dpia-vurdering.md`)
~~1.0~~	~~2026-02-23~~	~~Security Architect~~	~~Formalized in compliance template format~~processing

DPIA Trigger Checklist

~~A DPIA is required if ANY of the following apply (GDPR Art. 35):~~

#	Trigger	Applies?	Notes
1	Systematic ~~and~~profiling ~~extensive evaluation of personal aspects (profiling,~~/ automated ~~decision-making~~decisions with ~~legal/significant~~legal ~~effects)~~effects	~~YES~~NO	~~Automated~~No ~~fraud~~profiling ~~detection~~or ~~and~~automated ~~AML transaction monitoring — flags transactions with legal/financial consequences for data subjects~~decisions
2	Large-scale ~~processing of~~ special category data (health, religion, ethnicity)	NO	~~No health/religion/ethnicity~~Financial data ~~processed~~is not Art. 9 special category
3	Systematic monitoring of publicly accessible areas ~~(CCTV, tracking)~~	NO	~~Not applicable~~N/A
4	~~Processing of biometric~~Biometric or genetic data	NO	~~BankID is not biometric in Drop's processing scope~~N/A
5	~~Processing~~Data ~~of data concerning~~about vulnerable ~~data~~subjects ~~subjects~~(children, patients)	~~YES~~PARTIAL	~~General~~Employees ~~population~~submitting ~~including~~expense ~~financially vulnerable users; minimum age 18 enforced~~claims via ~~BankID~~employer's ~~fødselsnummer~~Bilko account
6	Innovative ~~use of~~ technology with unpredictable privacy impact	~~YES~~NO	~~Open~~Standard ~~Banking~~cloud ~~PSD2~~accounting ~~AISP/PISP integration; BankID OIDC — new technology combination~~SaaS
7	Cross-border transfer outside EEA without adequate protection	YES	~~Remittance~~Serbian to(ZZPL) ~~Serbia,~~and ~~BiH,~~BiH ~~Turkey,~~(ZZLP) ~~Pakistan~~data subjects — nodata ~~adequacy~~processed ~~decisions~~on EU servers
8	~~Large-scale~~Processing ~~processing~~that ~~of financial~~prevents data subjects from exercising rights	~~YES~~NO	~~Transaction~~Self-service ~~data,~~endpoints ~~bank account numbers, cross-border payment flows~~provided

DPIA Required: YES Reason: ~~Triggers~~Cross-border ~~1, 5, 6, 7, and 8 confirmed. Processing~~transfer of RS/BA data subjects to EU-hosted infrastructure; processing of national tax IDs (PIB/JMBG/OIB/JIB) as sensitive identifiers; financial data atfor ~~scale~~thousands ~~with~~of ~~cross-border transfers to non-EEA countries~~organizations and ~~automated~~their ~~decision-making (fraud/AML systems).~~

~~Regulatory basis:~~ ~~GDPR Art. 35, personopplysningsloven (LOV-2018-06-15-38), Datatilsynets retningslinjer for DPIA~~counterparties.

1. Processing Activity Description

1.1 Activity Overview

Activity Name: ~~Drop~~Multi-Tenant ~~Payment~~Accounting ~~Service — Full~~Data Processing ~~Scope~~ System/Product: ~~Drop — PSD2 pass-through payment app~~Bilko (~~getdrop.no)~~bilko.io) Business Unit: ~~ALAI Holding AS (org.nr. 932 516 136)~~Product Processing Owner: ~~CEO~~Engineering /Lead ~~Compliance Officer~~([email protected])

Description of Processing: ~~Drop~~Bilko isprocesses afinancial ~~payment~~and ~~service~~personal ~~for~~data ~~all~~on ~~residents~~behalf of ~~Norway.~~business Itorganizations ~~uses~~(data acontrollers) ~~pass-through~~in ~~model~~Serbia, ~~under~~Bosnia ~~PSD2~~& —Herzegovina, ~~Drop~~and ~~never holds customer money. Processing includes:~~Croatia:

User ~~registration~~account ~~and identity verification~~ ~~via BankID OIDC~~data — ~~collection~~email, offull name, ~~fødselsnummer~~bcrypt-hashed ~~(national~~password, ~~ID),~~TOTP ~~birthdate (age verification), mobile number~~secret
~~PSD2~~Organization ~~AISP~~data — ~~reading~~legal name, tax ID (PIB/JIB/OIB), address, banking details

Contact data — customer/supplier names, tax IDs, email, phone, IBAN

Invoice data — invoice numbers, dates, amounts, VAT, payment status

Expense data — amounts, categories, descriptions, receipt attachments

Transaction data — bank ~~account~~transactions, ~~balances~~double-entry ~~from~~debit/credit

~~user's~~

Audit ~~bank~~trail ~~via~~— ~~Open~~all ~~Banking~~mutations ~~API~~logged (with ~~explicit~~ user ~~consent)~~

ID,

~~PSD2~~IP, ~~PISP~~timestamp, —old/new ~~initiating payments from user's bank account (remittance to 30+ countries, QR payments in-store)~~

~~KYC/AML compliance~~ ~~— customer due diligence per hvitvaskingsloven, transaction monitoring, PEP/sanctions screening~~

~~Transaction history~~ ~~— storing remittance and QR payment records per bokføringsloven~~values

~~Trigger /~~ Business Justification: ~~Provide~~SMBs in the Balkans lack affordable, ~~accessible~~compliant ~~international~~cloud ~~remittance~~accounting software. Processing this data is necessary to deliver the contracted accounting service and QRmeet ~~payment~~legal ~~services~~obligations ~~for~~under ~~all~~RS/BA/HR ~~residents of Norway, compliant with PSD2, hvitvaskingsloven,~~accounting and ~~GDPR.~~tax laws.

1.2 Processing Operations

EU RailwayEU

Operation	Data Category	Technology	Location
Collection (~~BankID)~~registration)	~~Name,~~Email, ~~fødselsnummer,~~name, ~~birthdate~~password	~~BankID~~HTTPS ~~OIDC~~POST, Zod validation	~~Norway~~bilko.io ~~(BankID~~— ~~Norge~~Vercel ~~AS)~~EU
Collection (~~user-entered)~~invoicing)	~~Mobile~~Contact ~~number,~~data, ~~email,~~tax ~~recipient~~IDs, ~~details~~amounts	~~Next.js~~HTTPS API	~~Norway~~api.bilko.io — Railway EU West
Storage	All categories	PostgreSQL AES-256	Railway EU West (~~AWS App Runner)~~Frankfurt/Paris)
Storage (~~identity)~~files)	~~Encrypted~~Receipt ~~fødselsnummer, name, KYC status~~PDFs/JPGs	~~SQLite~~Cloudflare →R2 ~~PostgreSQL~~AES-256	~~EEA~~Cloudflare ~~(AWS)~~
~~Storage (transactions)~~	~~Amount, corridor, timestamp, recipient~~	~~SQLite → PostgreSQL~~	~~EEA (AWS)~~region
Processing ~~(AISP)~~	~~Bank~~VAT ~~balance,~~calculations, ~~account number~~reports	~~PSD2~~Express ~~API~~API, →Prisma ~~user's bank~~ORM	~~EEA~~
~~Processing (PISP)~~	~~Payment instruction, amount, recipient IBAN~~	~~Open Banking API~~	~~EEA → remittance destination~~West
Sharing ~~(remittance)~~	~~Sender~~Invoice ~~name, recipient name/IBAN, amount~~PDFs	~~SWIFT~~SendGrid ~~/ correspondent bank~~email	~~EEA~~EU ~~→ Serbia/BiH/HR/other~~region
~~KYC/AML~~E-invoice ~~processing~~submission	~~Name,~~Invoice ~~fødselsnummer, PEP/sanctions status~~XML	~~Sumsub~~UBL +2.1 ~~internal~~SEF ~~rules~~/ HR-FISK	~~EEA~~Serbia (~~Sumsub)~~SEF) / Croatia (FINA)
Deletion / Anonymization	~~All~~User ~~categories~~PII	~~Automated~~Soft ~~retention~~delete ~~job~~+ anonymization	~~EEA~~Railway EU West

2. Necessity & Proportionality Assessment

2.1 Purposes of Processing

IDs

Purpose	Specific Description	Legitimate?
~~User~~Account authentication	~~BankID~~Verify ~~OIDC to verify~~user identity ~~and~~for ~~age~~organization ~~(≥18)~~access	YES — ~~mandatory~~contract ~~for~~necessity ~~financial~~(Art. ~~services; hvitvaskingsloven § 12~~6.1.b)
~~Payment~~Invoice ~~execution~~generation	~~PISP~~Create ~~from~~legally ~~user's~~compliant ~~bank~~invoices ~~account~~with ~~for~~tax ~~remittance/QR~~	~~YES~~required —by ~~core service delivery~~
~~Balance reading~~	~~AISP to show user their bank balance~~	~~YES — explicit consent; Art. 6(1)(a)~~
~~KYC/AML compliance~~	~~Customer due diligence, transaction monitoring~~law	YES — legal ~~obligation;~~obligation ~~hvitvaskingsloven §§ 4, 10-18~~
~~Transaction history~~	~~Records for user and for accounting~~	~~YES — bokføringsloven § 13;~~ (Art. ~~6(1)(~~6.1.c)
~~Fraud~~VAT ~~prevention~~calculation and reporting	~~Automated~~Calculate ~~fraud~~VAT ~~detection~~at onRS ~~transactions~~20% / BA 17% / HR 25%	YES — legal obligation (Art. 6.1.c)
Financial record keeping	Double-entry books required by accounting law	YES — legal obligation (Art. 6.1.c)
Audit trail	Immutable log of financial mutations	YES — legal obligation + legitimate ~~interest;~~interest ~~PSD2~~ (Art. 956.1.c + 6.1.f)
E-invoice submission	Submit to SEF (Serbia) and HR-FISK (Croatia)	YES — legal obligation (Art. 6.1.c)
Invoice email delivery	Deliver invoices to customers	YES — contract necessity (Art. 6.1.b)

2.2 Data Minimization Assessment

~~collected~~

Data Element	Collected	Strictly Necessary?	Alternative ~~If Not Necessary~~
`name`	~~YES~~	~~YES — required for identity, required on wire transfers (FATF Rec. 16)~~	~~N/A~~
`fødselsnummer` ~~(national ID)~~	~~YES~~	~~YES — required for unique identification per hvitvaskingsloven § 12(1)(a)~~	~~N/A — BankID provides it~~
`birthdate`	~~YES (derived from fødselsnummer)~~	~~YES — age verification ≥18, required~~	~~Only birthdate stored (not full fødselsnummer in plaintext)~~
`mobile_number`	~~YES~~	~~YES — authentication factor, notification~~	~~N/A~~
`email`	YES	YES — ~~account~~login ~~management,~~+ ~~receipts~~invoice delivery	N/A
`bank_account_number`	~~YES (via AISP)~~	~~YES — balance display; PISP requires source account~~	~~Masked in API responses (last 4 only)~~
`account_balance`	~~YES (AISP, session only)~~	~~YES — user requested feature; PSD2 consent~~	~~Not persisted; ephemeral read only~~
`ip_addressfullName`	YES	YES — ~~fraud~~required ~~prevention,~~on ~~rate limiting, GDPR accountability~~	~~Hashed/pseudonymized in logs after 3 months~~
`device_id`	~~YES~~	~~YES — session binding, fraud detection~~invoices	N/A
`transaction_historypasswordHash`	YES	YES — ~~bokføringsloven § 13; customer transparency~~authentication	~~Retention~~N/A ~~limited~~(bcrypt ~~to 5 years~~hash)
`kyc_documentstotpSecret`	YES ~~(EDD cases)~~	YES — ~~hvitvaskingsloven §§ 17-18~~2FA	~~Only~~N/A
`organizationTaxId` (PIB/JIB/OIB)	YES	YES — legally required on invoices	N/A
`organizationIban`	YES	YES — payment reference	N/A
`contactTaxId` (PIB/JMBG/OIB/JIB)	YES	YES — VAT law requires buyer tax ID	N/A
`contactIban`	YES	PARTIAL — needed only for payment features	Collect only when ~~EDD~~payment ~~required~~active
`clientIp` (audit log)	YES	YES — security, fraud detection	Retain max 30 days for security entries
`userAgent`	NO	NO — not collected	Not collected
`deviceId`	NO	NO — not collected	Not collected

~~Fields recommended for removal / minimization:~~

ip_address ~~in logs: Pseudonymize after 3 months~~

user_agent~~: Retain for security analysis only, not customer-facing~~

2.3 Lawful Basis

Processing Activity	Lawful Basis	Justification
~~User~~Account ~~registration + BankID verification~~management	Contract (— Art. ~~6(1)(b)) + Legal obligation (Art. 6(1)(c))~~6.1.b	~~Required~~Necessary to provide the service ~~+ hvitvaskingsloven § 12~~
~~Payment~~Invoice ~~execution~~/ ~~(PISP)~~expense / transaction processing	~~Contract~~Legal (obligation — Art. ~~6(1)(b))~~6.1.c	~~Core~~Zakon ~~service~~o ~~delivery~~PDV + Zakon o računovodstvu
~~Account~~VAT ~~balance~~calculation ~~reading~~and ~~(AISP)~~reporting	~~Consent~~Legal (obligation — Art. ~~6(1)(a))~~6.1.c	~~PSD2~~Mandatory ~~requires~~under ~~explicit~~RS/BA/HR ~~consent~~tax ~~for AISP~~laws
~~KYC/AML~~Audit ~~data collection~~trail	Legal obligation (+ Legitimate interest — Art. ~~6(1)(c))~~6.1.c + 6.1.f	~~Hvitvaskingsloven~~Accounting §§law 4,+ ~~10-18,~~fraud 30detection
~~Fraud~~IP ~~detection~~address ~~and monitoring~~logging	Legitimate interest (— Art. ~~6(1)(f))~~6.1.f	~~LIA:~~Security ~~fraud~~monitoring, ~~prevention~~30-day ~~necessity outweighs privacy intrusion; data minimized~~retention
~~Technical~~E-invoice ~~logs~~submission (~~IP, device)~~SEF/HR-FISK)	~~Legitimate~~Legal ~~interest~~obligation (— Art. ~~6(1)(f))~~6.1.c	~~LIA:~~Mandatory ~~security~~electronic ~~and accountability; pseudonymized after 3 months~~submission
~~Transaction~~Data ~~history~~retention ~~storage~~beyond erasure	Legal obligation (— Art. ~~6(1)(c))~~6.1.c	~~Bokføringsloven~~10-11 §year 13retention ~~— 5-year~~per accounting ~~retention~~law

3. Data Subjects & Categories of Data

3.1 Data Subject Groups

Group	Description	Estimated Volume	Vulnerability ~~Level~~
~~Norwegian~~Business ~~residents~~owners ~~(users)~~/ admins	~~All~~SMB ~~Drop~~owners ~~users~~using ~~— BankID-verified, age ≥18~~Bilko	Up1-10 toper ~~all Norwegian residents~~organization	~~Medium (financial data)~~Low
~~Merchants~~Accountants	~~Businesses~~Professional ~~using~~accountants ~~Drop~~on QRclient ~~payments~~accounts	~~Smaller~~1-5 ~~subset~~per organization	Low
Employees	Submitting expense claims via employer's account	Variable	Low-Medium
~~Remittance recipients~~Counterparties	~~Individuals~~Customers/suppliers inappearing ~~30+~~on ~~countries receiving money~~invoices	External —to ~~minimal data held~~Bilko	Low (~~only~~financial ~~name~~risk +if ~~IBAN stored)~~breached)

3.2 Personal Data Categories

~~account~~

Category	Data Elements	Sensitivity	~~Retention~~Classification
~~Identity (Norwegian)~~Contact	Name, ~~fødselsnummer~~email, ~~(encrypted), BankID reference~~phone	~~High — unique national identifier~~Standard	5L3 ~~years after account closure~~Confidential
~~Contact~~Authentication	~~Mobile number (+47)~~bcrypt(password), ~~email~~TOTP secret	~~Standard~~High	~~Duration~~L4 ofRestricted
Tax identity	PIB, JMBG, OIB, JIB	High	L4 Restricted
Financial ~~— transactions~~	~~Amount,~~Invoice ~~corridor,~~amounts, ~~timestamp,~~IBAN, ~~currency~~bank transactions	High	5L3 ~~years (bokføringsloven)~~
~~Financial — banking (AISP)~~	~~Account number (last 4 shown), balance (session)~~	~~High~~	~~Not persisted; session only~~
~~Recipient data~~	~~Name, IBAN/account number, country~~	~~Standard~~	~~5 years~~
~~KYC/AML~~	~~Risk classification, PEP status, EDD documents~~	~~Restricted~~	~~5 years (hvvl. § 30)~~
~~Technical~~	~~IP address, device ID, session tokens~~	~~Standard~~	~~IP: 3 months; session: 24h~~Confidential
Behavioral / Audit	~~Login~~IP ~~times,~~address, ~~transaction~~action ~~patterns~~timestamps, ~~(for~~old/new ~~AML)~~values	Standard	5L2 ~~years~~Internal
Attachments	Receipt PDFs, invoice attachments	Standard-High	L3 Confidential

4. Data Processing Purposes & Legal Basis

ID,ID/address, ~~years)~~

Processing Purpose	Personal Data Used	Legal Basis	Retention Period
User authentication ~~(BankID)~~	~~Name,~~email, ~~fødselsnummer,~~passwordHash, ~~birthdate~~	~~Contract + Legal obligation~~	~~Account duration + 5 years~~
~~Remittance execution~~	~~Name, recipient IBAN, amount, currency~~totpSecret	Contract (Art. ~~6(1)(~~6.1.b))	5Until ~~years~~account ~~(bokføringsloven § 13)~~deletion
QRInvoice ~~payment~~creation ~~execution~~and delivery	~~Amount,~~org ~~merchant~~name, ~~ref,~~tax ~~timestamp~~	~~Contract~~contact ~~(Art.~~name/tax ~~6(1)(b))~~	~~5 years~~
~~Balance display (AISP)~~	~~Account number (masked), balance~~	~~Consent (Art. 6(1)(a))~~	~~Session only — not persisted~~
~~KYC customer due diligence~~	~~Name, fødselsnummer, risk classification~~amounts	Legal obligation (Art. ~~6(1)(~~6.1.c))	510 years ~~after~~(RS) ~~account~~/ ~~closure~~11 years (~~hvvl.~~HR/BA §RS ~~30)~~entity)
~~AML~~VAT ~~transaction monitoring~~calculation	~~Transaction patterns,~~Invoice amounts, ~~corridors~~tax rates, tax IDs	Legal obligation (Art. ~~6(1)(~~6.1.c))	510-11 years
~~Fraud~~Expense ~~detection~~management	~~IP,~~Amounts, ~~device~~descriptions, ~~ID,~~receipt ~~behavioral patterns~~images	~~Legitimate~~Legal ~~interest~~obligation (Art. ~~6(1)(f))~~6.1.c)	310-11 years ~~after event~~
~~Technical operations~~	~~IP address, system logs~~	~~Legitimate interest (Art. 6(1)(f))~~	~~6 months (technical); 12 months (auth logs)~~
~~Legal compliance~~Financial reporting	~~Transaction~~All ~~data, identity~~financial data	Legal obligation (Art. ~~6(1)~~6.1.c)	10-11 years
Audit trail	userId, IP, timestamp, changedFields	Legal obligation + Legitimate interest	Financial: 10-11 years; IP/security: 30 days
E-invoice (SEF/HR-FISK)	Invoice XML with buyer/seller data	Legal obligation (Art. 6.1.c))	Per ~~relevant~~SEF/FINA ~~law~~requirements
Transactional email	email, invoice PDF	Contract (~~min~~Art. 56.1.b)	Not stored by Bilko
Data export (portability)	All data	GDPR Art. 20 / ZZPL Art. 37	On demand

5. Data Flow Mapping

flowchart TD
    DS([Drop User / Data Subject]Subject\nBusiness user]) -->|BankIDRegisters OIDC|/ BANKID[BankIDCreates Norgeinvoice| AS\nNorwayCOLLECT[Web App\nbilko.io — Name,Vercel fødselsnummer,EU]
    birthdate]
    BANKIDCOLLECT -->|id_token|HTTPS POST Zod validated| API[DropExpress API\nAWS App Runnernapi.bilko.io — Norway/EEA]Railway DSEU -->|Mobile, email, recipient details| APIWest]
    API -->|EncryptedPrisma fødselsnummer\nName,ORM contact, KYC status|AES-256| DB[(PostgreSQL\nEEAnRailway —EU AES-256)West\nFrankfurt/Paris)]
    API -->|PaymentReceipt instruction\nSenderupload| nameR2[(Cloudflare +R2\nEU recipientregion IBANAES-256)]
    + amount| PISP[Open Banking PISP\nUser's bank — EEA]
    PISPDB -->|WireAppend-only| transfer\nSenderAUDIT[(LoggedAction\nImmutable nameaudit + recipient IBAN| CORR[Correspondent Bank\nDestination country]
    CORR -->|Payment to recipient| RECIP([Recipient\nSerbia / BiH / HR / Other])trail)]
    API -->|BalanceInvoice reademail| request|SG[SendGrid\nEU AISP[Open Banking AISP\nUser's bank — EEA]
    AISP -->|Balance + masked account| APIregion]
    API -->|KYCUBL check|2.1 SUMSUB[Sumsub\nKYC/AMLXML| —SEF[SEF EEA]efaktura.gov.rs\nSerbia]
    API -->|ErrorUBL events|2.1 SENTRY[Sentry\nErrorHR-CIUS| monitoringFINA[HR-FISK — EEA]
    API -->|Uptime + logs| BETTERSTACK[BetterStack\nLog monitoring — EEA]fina.hr\nCroatia]
    DB -->|On erasure request|deletion| ANON[Anonymization job\nPersonal dataAnonymization\nPII removed]
    DB -->|On data request|export| EXPORT[DataJSON export to user\nJSON/CSV]data subject]
    ANON --> DB

    style DB fill:#ffcccc,stroke:#cc0000
    style CORRAUDIT fill:#ffe4cc
    style SUMSUB fill:#ffe4cc#ffe4cc,stroke:#cc6600

Data processors (GDPR Art. 28):

Processor	Service	Data Shared	Country	DPA Status
~~BankID Norge AS~~Railway	~~Norwegian~~PostgreSQL ~~eID authentication~~hosting	~~Name,~~All ~~fødselsnummer,~~accounting ~~birthdate~~data	~~Norway~~EU West	~~Required~~Pending — sign before launch
~~AWS (Amazon Web Services)~~Vercel	~~Application~~Frontend hosting ~~+ database~~	~~All~~Browser ~~app data~~requests	~~EEA~~Global ~~(Frankfurt)~~/ EU edge	~~AWS DPA (standard)~~
~~Sumsub~~	~~KYC/AML identity verification~~	~~Name, fødselsnummer, KYC docs~~	~~EEA~~	~~Required~~Pending
Cloudflare	~~WAF~~CDN, +WAF, ~~CDN + DDoS~~R2	IP addresses, ~~request~~receipt ~~metadata~~files	~~EEA~~EU ~~edge~~region	~~Cloudflare DPA~~Pending
~~Sentry~~SendGrid	~~Error~~Transactional ~~monitoring~~email	~~Anonymized~~Email, ~~error~~invoice ~~data, no PII in events~~PDFs	~~EEA~~EU	~~Sentry DPA~~
~~BetterStack~~	~~Uptime + log monitoring~~	~~System logs (PII masked)~~	~~EEA~~	~~BetterStack DPA~~Pending

6. Risk Assessment Matrix

6.1 Risk Scoring Scale

~~Score~~	~~Likelihood~~	~~Severity~~
1	~~Remote~~	~~Negligible~~
2	~~Unlikely~~	~~Limited — short-term minor impact~~
3	~~Possible~~	~~Significant — real non-negligible impact~~
4	~~Likely~~	~~Severe — serious impact on rights~~

Risk Score = Likelihood (1-5) × Severity

(1-5).

Score 1-4:6: ~~Low~~Low; ~~| 5-8: Medium | 9-~~7-12: ~~High |~~Medium; 13-~~16:~~19: ~~Critical~~

High;

20-25: Critical.

6.2 RiskRisks to Data Subjects

~~limitation~~ ~~decisions~~ ~~necessary period~~

Risk ID	Risk ~~to Data Subjects~~	Likelihood	Severity	Score	~~Existing~~ Controls	Residual ~~Risk~~
R1	Unauthorized access to financial data /(tax ~~breach~~IDs, IBAN, invoice amounts)	2	5	10	TLS 1.3, AES-256, RBAC, org-scoped queries	MEDIUM
R2	Tax ID (PIB/JMBG/OIB/JIB) theft enabling identity fraud	2	5	10	L4 Restricted, RBAC, no JWT exposure, bcrypt	MEDIUM
R3	Cross-tenant data access (IDOR)	2	5	10	org-scoped WHERE on all queries, UUID PKs	LOW (after mitigation)
R4	Invoice data exposure to wrong party	2	4	8	~~TLS 1.3, AES-256,~~ RBAC, ~~bcrypt,~~org-scope, ~~session~~input ~~revocation~~validation	MEDIUM ~~→ 4 after controls~~
R2R5	~~Data~~Financial ~~used~~data manipulation (tampered invoices)	2	5	10	Immutable LoggedAction, RBAC delete permissions	LOW (after mitigation)
R6	PII retained beyond ~~stated~~necessary ~~purpose (purpose creep)~~period	12	3	6	Soft delete + anonymization; financial data by law	LOW
R7	Cross-border transfer (RS/BA data to EU) without protection	3	3	~~Purpose~~9	Railway ~~policy,~~EU ~~audit~~West; ~~logs,~~ZZPL ~~DPA~~Art. ~~contracts~~65; data stays in EEA	MEDIUM
R8	User unable to exercise erasure (locked by retention law)	3	2	6	Clear policy in privacy notice; PII anonymized	LOW
R3R9	~~Inaccurate~~Receipt with sensitive data ~~causing~~(medical ~~wrong~~receipts) ~~financial~~exposed	2	3	6	Encrypted R2 storage; RBAC accountant+ access	LOW
R10	Audit log IP retention enabling tracking	2	2	4	~~BankID~~30-day ~~provides~~IP ~~verified~~retention ~~identity;~~for ~~balance~~security; ~~read~~longer ~~from~~for ~~bank directly~~financial	LOW
R4R11	~~Data~~SEF/HR-FISK ~~retained~~state ~~beyond~~submission	1	2	2	4Legal obligation — mandated by law	~~Automated retention/deletion policy~~	~~LOW~~
R5	~~Cross-border transfer without adequate protection (Serbia, BiH)~~	3	3	9	~~SCCs + TIA + data minimization + encryption in transit~~	~~MEDIUM → 6 after SCCs~~
R6	~~Automated AML/fraud decision adversely affects data subject~~	2	2	4	~~Manual review on automated blocks; klageadgang (complaint right)~~	~~LOW~~
R7	~~BankID session compromise / phishing~~	1	4	4	~~BankID Level 4, session timeout, device binding, anti-phishing info~~	~~LOW~~
R8	~~Fødselsnummer exposure — high-sensitivity data~~	2	4	8	~~AES-256-GCM field-level encryption, separate KMS key, compliance-only access~~	~~MEDIUM → 4 after controls~~
R9	~~Third-country government data access (Serbia, BiH authorities)~~	2	3	6	~~Minimal data transferred; only name + IBAN; SCCs; TIA~~	~~MEDIUM~~
~~R10~~	~~Data subject unable to exercise rights (erasure)~~	2	2	4	~~DPO process, 30-day SLA; AML retention exceptions documented~~	~~LOW~~ACCEPTABLE

7. Mitigation Measures

Risk ID	Mitigation ~~Measure~~	Owner	Deadline	Status
R1	Field-level ~~AES-256-GCM~~ encryption for ~~fødselsnummer~~tax IDs and IBAN at application layer	Engineering	Phase 2	Planned
R1	~~Implement~~Sentry ~~audit_log~~error ~~table~~tracking ~~for~~+ ~~all~~Railway ~~sensitive~~anomaly ~~operations~~monitoring	~~Engineering~~Platform	~~Pre-production~~Phase 1	Planned
R1R2	~~External~~Tax ~~penetration~~IDs ~~test~~L4 Restricted — never in JWT, never in logs	~~Security~~Engineering	~~2026-Q3~~Phase 1	Designed
R3	Integration tests: cross-tenant requests must return 403	Engineering	Phase 1	Planned
R4	Vitest RBAC tests on all protected endpoints	Engineering	Phase 1	Planned
R5	~~Execute~~LoggedAction ~~SCCs~~PostgreSQL ~~with~~trigger ~~all~~— ~~non-EEA~~append-only, ~~correspondent~~no ~~banks~~DELETE	~~Legal / DPO~~Engineering	~~Pre-launch~~Phase 1	~~In progress~~Designed
R5R7	~~Conduct~~Privacy ~~Transfer~~notice ~~Impact~~states ~~Assessments~~Railway ~~for~~EU ~~Serbia,~~West ~~BiH,~~data ~~Turkey,~~residency; ~~Pakistan~~ZZPL Art. 65 transfer basis	~~Compliance~~Legal/DPO	~~Pre-launch~~Phase 1	~~In progress~~Planned
R5R7	~~Minimize~~Verify ~~transferred~~Railway ~~data~~region —= ~~sender~~EU ~~name~~West ~~only,~~before ~~no fødselsnummer~~launch	~~Engineering~~Platform	✓Phase ~~Architecture decision~~1	~~Done~~Planned
R8	~~Separate~~Privacy ~~KMS~~notice ~~key~~explains ~~for~~legal ~~fødselsnummer~~retention —basis ~~not shared with other data~~clearly	~~Engineering~~Legal/DPO	Phase 21	Planned
R9	~~TIA~~R2 ~~per~~files ~~country~~accessible ~~assessing~~only ~~surveillance~~to ~~law~~org members with accountant+ role	~~DPO~~Engineering	~~Pre-launch~~Phase 1	~~Planned~~
R9	~~Consider pseudonymization of sender reference for non-EEA wires (where legally permissible)~~	~~Legal~~	~~Review~~	~~Planned~~Designed

Residual risk ~~after mitigation:~~conclusion: All residual risks ~~assessed as~~are LOW or ~~MEDIUM (max 6).~~MEDIUM. No CRITICAL or HIGH residual ~~risks~~risks. ~~remain~~Processing ~~after~~may ~~planned~~proceed ~~mitigations.~~subject to DPO approval and Phase 1 mitigations being implemented before first paying customer.

DPO Conclusion: ☐ Acceptable — proceed ~~with~~| ~~processing~~☐ ~~(subject~~Conditional — pending Phase 1 mitigations | ☐ Escalate to ~~planned~~supervisory ~~mitigations being implemented before launch)~~authority

8. DPO Consultation Record

DPO Name: ~~DPO / personvernombud~~TBD (~~[email protected])~~[email protected]) Consultation Date: ~~2026-02-12~~To ~~(initial);~~be ~~ongoing~~scheduled before first paying customer

DPO Input:

~~DPIA~~[To ~~confirms~~be ~~that~~completed ~~processing~~after ofDPO fødselsnummer, bank account data, and cross-border transfers creates medium-level risks manageable with described controls. BankID integration is privacy-enhancing (reduces need to collect separate identity documents). Key pre-launch requirements: SCCs with non-EEA correspondent banks, TIAs for Serbia/BiH/Turkey/Pakistan, audit_log implementation, and formal registration with Datatilsynet behandlingsprotokoll (Art. 30).appointment]

DPO Recommendation:

Approved — risks acceptable and adequately mitigated

Conditional approval — subject to ~~implementing~~Phase 1 mitigations ~~before production launch~~
Rejected — redesign required
Escalate to supervisory authority

DPO Signature: _________________________ Date: _____________

9. Supervisory Authority Consultation (if required)

Consultation Required: NO (pending DPO review) Reason: ~~After~~No ~~planned~~CRITICAL ~~mitigations,~~or noHIGH residual risks. MEDIUM risks ~~exceed the HIGH threshold. GDPR Art. 36 prior consultation not required. Datatilsynet will be engaged as part of~~ standard ~~Finanstilsynet~~for ~~licensing~~cloud ~~process.~~accounting SaaS.

If required — relevant authorities by jurisdiction:

HR: AZOP — [email protected] — https://azop.hr

RS: Poverenik — [email protected] — https://www.poverenik.rs

BA: AZLP — [email protected] — https://www.azlp.ba

10. DPIA Review Schedule

Next ~~scheduled~~ review: 2027-02-23 (annual) ORor ~~when any of the following occurs:~~when:

~~BankID~~New ~~integration~~country ~~implemented~~launch (RS Phase 2)

~~Open~~HR ~~Banking AISP/PISP integration implemented (~~Phase 2)2, BA Phase 3)
New ~~remittance~~government ~~corridor added~~integration (~~new~~SEF, ~~TIA~~HR-FISK, ~~required)~~CPF)
~~Real~~Data ~~KYC/AML~~breach ~~system~~or ~~integrated (Sumsub production)~~

~~Migration from SQLite to PostgreSQL completed~~near-miss
New ~~regulations~~data ~~enter~~categories ~~into~~or ~~force (DORA, updated hvitvaskingsloven)~~processors
~~Any~~Regulatory ~~data~~changes ~~breach~~(ZZPL ~~related~~amendment, toBiH ~~this~~reform, ~~processing~~GDPR updates)

Review Owner: DPO ([email protected]) Review Log:

Date	Reviewer	Changes ~~Made~~	Outcome
2026-02-1223	~~ALAI~~Compliance ~~Holding AS~~Architect	Initial DPIA ~~(dpia-vurdering.md)~~	~~Approved with conditions~~
~~2026-02-23~~	~~Security Architect~~	~~Formalized in compliance template~~	Draft — awaiting DPO ~~review pending~~

Approval

Role	Name	Date
Author	~~Security~~Compliance Architect	2026-02-23
DPO
~~Processing~~Engineering ~~Owner~~Lead	~~CEO / Daglig leder~~
Legal Counsel
~~Management~~CEO