Data Protection Impact Assessment (DPIA)

Project: ~~Bilko~~Drop — ~~Balkan~~Fintech ~~Accounting~~Payment ~~SaaS~~App (ALAI Holding AS) Processing Activity: ~~Multi-Tenant~~All ~~Accounting~~personal ~~Data~~data ~~Processing~~processing ~~(invoices,~~in ~~expenses,~~Drop ~~VAT,~~payment ~~tax filings)~~services Version: 1.0 Date: 2026-02-23 Author: ALAI Compliance ~~Architect~~Team DPO: TBD — appointment required (~~[email protected])~~[email protected] — planned) Status: Draft — DPO Review Required Reviewers: DPO, Legal Counsel, ~~Engineering Lead~~CTO Classification: Confidential

Document History

~~SaaSdataprocessing~~

Version	Date	Author	Changes
0.1	2026-02-2312	Compliance ~~Architect~~Agent (ALAI)	Initial DPIA —draft ~~accounting~~(`legal/dpia-vurdering.md`)
1.0	2026-02-23	Security Architect (ALAI)	English compliance template format

Source document: legal/dpia-vurdering.md — DPIA-DROP-001 (v1.0, approved 2026-02-12)

DPIA Trigger Checklist

A DPIA is required under GDPR Art. 35 if ANY of the following apply:

#	Trigger	Applies?	Notes
1	Systematic ~~profiling~~and /extensive evaluation of personal aspects (profiling, automated ~~decisions~~decision-making with ~~legal~~legal/significant ~~effects~~effects)	NOYES	NoAutomated ~~profiling~~AML/fraud ortransaction ~~automated decisions~~monitoring
2	Large-scale processing of special category data ~~(health, religion, ethnicity)~~	NO	~~Financial~~No ~~data~~health, isreligion, ~~not~~or ~~Art. 9~~other special category data
3	Systematic monitoring of publicly accessible areas	NO	~~N/A~~Not applicable
4	~~Biometric~~Processing of biometric or genetic data	NOPARTIAL	~~N/A~~BankID uses biometric identity verification (handled by BankID — not Drop)
5	~~Data~~Processing ~~about~~of data concerning vulnerable data subjects ~~(children, patients)~~	~~PARTIAL~~YES	~~Employees~~General ~~submitting~~population ~~expense~~including ~~claims~~potentially ~~via~~vulnerable ~~employer's Bilko account~~individuals
6	Innovative use of technology with unpredictable privacy impact	NOYES	~~Standard~~Open ~~cloud~~Banking ~~accounting~~(PSD2 ~~SaaS~~PISP/AISP), BankID OIDC integration, QR payments
7	Cross-border transfer outside EEA without adequate protection	YES	~~Serbian~~Remittance ~~(ZZPL)~~to ~~and~~30+ ~~BiH (ZZLP) data subjects~~countries — ~~data~~Serbia, ~~processed~~Bosnia, onTurkey, EUPakistan ~~servers~~lack adequacy decisions
8	Processing data that prevents data subjects from exercising rights	NO	~~Self-service~~Not ~~endpoints provided~~applicable

DPIA Required: YES Reason: ~~Cross-border~~Multiple ~~transfer~~triggers ofapply: ~~RS/BA~~automated ~~data~~transaction ~~subjects~~monitoring, toinnovative ~~EU-hosted~~Open ~~infrastructure;~~Banking ~~processing~~technology, ~~of national tax IDs (PIB/JMBG/OIB/JIB) as sensitive identifiers;~~large-scale financial data ~~for~~processing, ~~thousands~~cross-border oftransfers ~~organizations~~to ~~and~~non-adequate ~~their counterparties.~~countries.

1. Processing Activity Description

1.1 Activity Overview

Activity Name: ~~Multi-Tenant~~Drop ~~Accounting~~Payment Services — All Personal Data Processing System/Product: ~~Bilko~~Drop (~~bilko.io)~~getdrop.no) — Remittance + QR Payment App Business Unit: ~~Product~~ALAI Holding AS — Drop product Processing Owner: ~~Engineering~~CEO ~~Lead~~/ CISO (~~[email protected])~~[email protected])

Description of Processing: ~~Bilko~~Drop ~~processes~~is ~~financial~~a ~~and~~payment ~~personal~~application ~~data~~for onall ~~behalf~~residents of ~~business~~Norway ~~organizations (data controllers) in Serbia, Bosnia & Herzegovina, and Croatia:~~providing:

~~User account data~~Remittance — ~~email,~~international ~~full~~money ~~name,~~transfers ~~bcrypt-hashed~~to ~~password,~~30+ ~~TOTP~~countries ~~secret~~via PSD2 PISP
~~Organization~~QR ~~data~~Payments — ~~legal~~in-store ~~name,~~QR ~~tax~~code IDpayments ~~(PIB/JIB/OIB),~~via ~~address,~~PSD2 ~~banking details~~PISP
~~Contact~~Account ~~data~~Information — ~~customer/supplier names, tax IDs, email, phone, IBAN~~

~~Invoice data — invoice numbers, dates, amounts, VAT, payment status~~

~~Expense data — amounts, categories, descriptions, receipt attachments~~

~~Transaction data —~~reading bank ~~transactions,~~balances ~~double-entry~~via ~~debit/credit~~

PSD2

~~Audit trail — all mutations logged with user ID, IP, timestamp, old/new values~~AISP

Drop operates a pass-through model: it never holds customer funds. All payments are initiated directly from the user's bank account via Open Banking APIs. User authentication occurs via BankID (OIDC, security level "høyt" — eIDAS High).

Trigger / Business Justification: ~~SMBs~~Providing inaccessible, ~~the~~low-cost ~~Balkans~~payment ~~lack~~and ~~affordable,~~remittance ~~compliant cloud accounting software. Processing this data is necessary~~services to ~~deliver~~all ~~the~~Norwegian ~~contracted~~residents. ~~accounting~~Norwegian-registered ~~service~~residents ~~and~~can ~~meet~~send ~~legal~~money ~~obligations~~abroad ~~under~~at ~~RS/BA/HR~~lower ~~accounting~~fees ~~and~~than ~~tax~~traditional ~~laws.~~services. Financial inclusion for all communities.

1.2 Processing Operations

Operation	Data Category	Technology	Location
Collection ~~(registration)~~— Registration	~~Email,~~Identity (name, ~~password~~fødselsnummer, DOB), contact (phone, email)	~~HTTPS~~BankID ~~POST,~~OIDC, ~~Zod~~web ~~validation~~form	~~bilko.io~~Norway ~~— Vercel EU~~(EEA)
Collection ~~(invoicing)~~— AISP	~~Contact~~Financial ~~data,~~(bank ~~tax~~account ~~IDs,~~number, ~~amounts~~balance)	~~HTTPS~~PSD2 Open Banking API (Neonomics)	~~api.bilko.io~~Norway (EEA)
Collection — ~~Railway~~PISP	Financial (bank account, amount, recipient)	PSD2 Open Banking API (Neonomics)	Norway (EEA)
Collection — KYC/AML	Identity documents, PEP status, risk profile	Sumsub SDK	EU ~~West~~(EEA)
Storage	All ~~categories~~above	SQLite (MVP) → PostgreSQL ~~AES-256~~(Phase 2)	~~Railway EU West~~Norway (~~Frankfurt/Paris)~~
~~Storage (files)~~	~~Receipt PDFs/JPGs~~	~~Cloudflare R2 AES-256~~	~~Cloudflare EU region~~EEA)
Processing — AML monitoring	~~VAT~~Transaction ~~calculations,~~patterns, ~~reports~~amounts, corridors	~~Express~~Automated ~~API,~~rules ~~Prisma ORM~~engine	~~Railway~~Norway ~~EU West~~(EEA)
Sharing — Remittance	~~Invoice~~Sender ~~PDFs~~name, recipient name/account, amount	~~SendGrid~~SWIFT/correspondent ~~email~~banks	EUEEA ~~region~~
~~E-invoice submission~~	~~Invoice XML~~	~~UBL 2.1 SEF / HR-FISK~~	~~Serbia (SEF) / Croatia (FINA)~~non-EEA
Deletion / Anonymization	~~User~~All ~~PII~~categories	~~Soft~~Automated ~~delete~~deletion +jobs ~~anonymization~~(planned Phase 2)	~~Railway~~Norway ~~EU West~~(EEA)

2. Necessity & Proportionality Assessment

2.1 Purposes of Processing

~~required~~by~~law~~ risk

Purpose	Specific Description	Legitimate?
~~Account~~Identity ~~authentication~~verification	Verify user ~~identity~~is ~~for~~who ~~organization~~they ~~access~~claim, minimum age 18, Norwegian residency	YES — ~~contract~~required ~~necessity~~by ~~(Art.~~hvitvaskingsloven ~~6.1.b)~~§ 12 and PSD2 SCA
~~Invoice~~Payment ~~generation~~initiation (PISP)	~~Create~~Initiate ~~legally~~payments ~~compliant~~from ~~invoices~~user's bank account	YES — core service delivery
Account information (AISP)	Read bank balances for user dashboard	YES — core service delivery, with ~~tax~~explicit ~~IDs~~consent
AML/transaction monitoring	Detect and prevent money laundering	YES — legal obligation (~~Art.~~hvvl. ~~6.1.c)~~§§ 24-25)
~~VAT~~KYC ~~calculation~~compliance	Customer identification and ~~reporting~~	~~Calculate VAT at RS 20% / BA 17% / HR 25%~~assessment	YES — legal obligation (~~Art.~~hvvl. ~~6.1.c)~~§§ 10-18)
~~Financial~~Fraud ~~record keeping~~detection	~~Double-entry~~Detect ~~books~~unauthorized ~~required by accounting law~~transactions	YES — ~~legal~~legitimate ~~obligation~~interest (PSD2 Art. ~~6.1.c)~~2)
~~Audit~~Technical ~~trail~~logging	~~Immutable~~System ~~log~~error oftracking, ~~financial~~debugging, ~~mutations~~security	YES — ~~legal obligation +~~ legitimate interest (~~Art.~~security ~~6.1.c + 6.1.f)~~
~~E-invoice submission~~	~~Submit to SEF (Serbia) and HR-FISK (Croatia)~~	~~YES — legal obligation (Art. 6.1.c)~~
~~Invoice email delivery~~	~~Deliver invoices to customers~~	~~YES — contract necessity (Art. 6.1.b)~~requirement)

2.2 Data Minimization Assessment

Device — marketing

Data Element	Collected	Strictly Necessary?	~~Alternative~~Justification
`email`Full name	YES	YES ~~— login + invoice delivery~~	~~N/A~~Identity verification (hvvl. § 12), payment routing
`fullName`Fødselsnummer (11 digits)	YES	YES ~~— required on invoices~~	~~N/A~~Unique identification (hvvl. § 12(1)(a)), age verification (min 18)
`passwordHash`Date of birth	YES (derived from fødselsnummer)	YES	Age verification
Email address	YES	YES ~~— authentication~~	~~N/A~~Account ~~(bcrypt~~notifications, ~~hash)~~login
`totpSecret`Phone number (+47)	YES	YES ~~— 2FA~~	~~N/A~~Norwegian residency verification, 2FA (planned)
`organizationTaxId`Bank ~~(PIB/JIB/OIB)~~account number	YES	YES ~~— legally required on invoices~~	~~N/A~~AISP balance reading, PISP payment initiation
`organizationIban`Transaction data (amount, recipient, currency)	YES	YES ~~— payment reference~~	~~N/A~~Service delivery, AML monitoring, Bokføringsloven § 13
`contactTaxId`IP ~~(PIB/JMBG/OIB/JIB)~~address	YES	YES ~~— VAT law requires buyer tax ID~~	~~N/A~~Security monitoring, rate limiting, fraud detection
`contactIban`	~~YES~~	~~PARTIAL — needed only for payment features~~	~~Collect only when payment active~~
`clientIp` ~~(audit log)~~ID	YES	YES	Session ~~security,~~management, fraud detection	~~Retain max 30 days for security entries~~
`userAgent`KYC documents (passport, national ID)	YES	YES	Hvitvaskingsloven § 12 identity verification
PEP status	YES	YES	Hvitvaskingsloven § 18
Marketing preferences	NO	NO ~~— not collected~~	Not collected
`deviceId`	NO	NO — ~~not~~no ~~collected~~	~~Not collected~~processing

Fields recommended for removal: None identified. All fields are necessary for regulatory compliance or service delivery.

2.3 Lawful Basis

~~transaction~~ 10,

Processing Activity	Lawful Basis	Justification
Account ~~management~~creation, identity verification	Contract — (Art. 6.1.bb)	~~Necessary~~Required tofor ~~provide~~service ~~the~~delivery
Payment initiation (PISP)	Contract (Art. 6.1.b)	Core service
~~Invoice~~Bank /account ~~expense~~reading /(AISP)	Consent (Art. 6.1.a)	PSD2 requires explicit PSU consent
AML/KYC processing	Legal obligation — (Art. 6.1.cc)	~~Zakon~~Hvitvaskingsloven o§§ ~~PDV~~4, ~~+ Zakon o računovodstvu~~10-18
~~VAT~~Transaction ~~calculation and reporting~~monitoring	Legal obligation — (Art. 6.1.cc)	~~Mandatory~~Hvitvaskingsloven ~~under~~§§ ~~RS/BA/HR tax laws~~24-25
~~Audit~~Fraud ~~trail~~detection	~~Legal obligation +~~ Legitimate interest — (Art. 6.1.~~c + 6.1.f~~f)	~~Accounting~~PSD2 ~~law~~Art. ~~+ fraud detection~~2
~~IP address~~Security logging	Legitimate interest — (Art. 6.1.ff)	~~Security monitoring, 30-day retention~~
~~E-invoice submission (SEF/HR-FISK)~~	~~Legal obligation —~~DORA Art. ~~6.1.c~~	~~Mandatory~~security ~~electronic submission~~
~~Data retention beyond erasure~~	~~Legal obligation — Art. 6.1.c~~	~~10-11 year retention per accounting law~~requirement

3. Data Subjects & Categories of Data

3.1 Data Subject Groups

target:10,000—Year

Group	Description	Estimated Volume	Vulnerability Level
~~Business~~Registered ~~owners / admins~~users	~~SMB~~Adults ~~owners~~(18+) ~~using~~residing ~~Bilko~~in Norway, all backgrounds	~~1-10~~TBD ~~per~~(launch ~~organization~~	~~Low~~
~~Accountants~~	~~Professional accountants on client accounts~~	~~1-5 per organization~~	~~Low~~
~~Employees~~	~~Submitting expense claims via employer's account~~	~~Variable~~1)	Low-Medium
~~Counterparties~~Merchants	~~Customers/suppliers~~Legal ~~appearing~~entities onregistering ~~invoices~~for QR payment acceptance	~~External~~TBD to(launch ~~Bilko~~target: 500 — Year 1)	Low
Payment recipients	Persons abroad receiving remittances	TBD	Low (~~financial~~data ~~risk~~minimized if— ~~breached)~~name + account only)

3.2 Personal Data Categories

Category	Data Elements	Sensitivity	~~Classification~~Retention
~~Contact~~Identity	~~Name,~~Full ~~email,~~name, ~~phone~~fødselsnummer, date of birth	~~Standard~~High (L4 for fødselsnummer)	L35 ~~Confidential~~years after account closure (hvvl. §30)
~~Authentication~~Contact	~~bcrypt(password),~~Email, ~~TOTP~~phone ~~secret~~number	~~High~~Standard (L3)	L4Duration ~~Restricted~~
~~Tax identity~~	~~PIB, JMBG, OIB, JIB~~	~~High~~	~~L4 Restricted~~years
Financial	~~Invoice~~Bank ~~amounts,~~account ~~IBAN,~~number, ~~bank~~balance ~~transactions~~(AISP), transaction history	High (L3-L4)	L35 ~~Confidential~~years (Bokføringsloven)
KYC/AML	Identity documents, PEP status, risk profile	High (L4)	5 years after account closure (hvvl. §30)
Behavioral ~~/ Audit~~	Transaction patterns, device ID, IP ~~address, action timestamps, old/new values~~address	Standard (L3)	L212-24 ~~Internal~~months (security logs), 5 years (AML)
~~Attachments~~Biometric	~~Receipt~~None ~~PDFs,~~collected ~~invoice~~directly ~~attachments~~(BankID handles)	~~Standard-High~~—	~~L3 Confidential~~—

4. Data Processing Purposes & Legal Basis

Processing Purpose	Personal Data Used	Legal Basis	Retention Period
User registration and authentication	Name, fødselsnummer, email, ~~passwordHash, totpSecret~~phone	Contract (Art. 6.1.b)	~~Until~~Duration ~~account~~+ ~~deletion~~2 years
~~Invoice~~BankID ~~creation~~SCA ~~and delivery~~verification	~~org~~Name, fødselsnummer (via BankID)	Contract + Legal obligation	Session only
AISP bank balance reading	Bank account number, balance	Consent (Art. 6.1.a)	Until consent withdrawn
PISP payment initiation	Bank account, amount, recipient details	Contract (Art. 6.1.b)	5 years (Bokføringsloven)
Remittance — cross-border transfer	Sender name, ~~tax ID, contact~~recipient name/~~tax~~account, ~~ID/address,~~amount	Contract (Art. 6.1.b)	5 years
KYC identity verification	Full identity data, documents, PEP status	Legal obligation (Art. 6.1.c) — hvvl. §§ 10-18	5 years (hvvl. §30)
Transaction monitoring (AML)	Transaction data, patterns, amounts	Legal obligation (Art. 6.1.c) — hvvl. §§ 24-25	~~10 years (RS) / 11 years (HR/BA RS entity)~~
~~VAT calculation~~	~~Invoice amounts, tax rates, tax IDs~~	~~Legal obligation (Art. 6.1.c)~~	~~10-11~~5 years
~~Expense~~Fraud ~~management~~detection	~~Amounts,~~Transaction ~~descriptions,~~patterns, ~~receipt~~IP, ~~images~~device ID	~~Legal~~Legitimate ~~obligation~~interest (Art. 6.1.c)f)	~~10-11~~2 years
~~Financial~~Security ~~reporting~~logging	~~All~~IP, ~~financial~~user_id, action, timestamp	Legitimate interest (Art. 6.1.f)	12 months auth logs, 24 months security
Suspicious Transaction Reporting (EFE)	Identity + transaction data	Legal obligation (Art. 6.1.c) — hvvl. §26	~~10-11~~5 years
~~Audit trail~~	~~userId, IP, timestamp, changedFields~~	~~Legal obligation + Legitimate interest~~	~~Financial: 10-11 years; IP/security: 30 days~~
~~E-invoice (SEF/HR-FISK)~~	~~Invoice XML with buyer/seller data~~	~~Legal obligation (Art. 6.1.c)~~	~~Per SEF/FINA requirements~~
~~Transactional email~~	~~email, invoice PDF~~	~~Contract (Art. 6.1.b)~~	~~Not stored by Bilko~~
~~Data export (portability)~~	~~All data~~	~~GDPR Art. 20 / ZZPL Art. 37~~	~~On demand~~

5. Data Flow Mapping

flowchartUser TD→ DS([DataBankID Subject\nBusiness(SCA user])authentication)
     -->|Registers→ /Drop CreatesPlatform invoice| COLLECT[Web App\nbilko.io(Norway — VercelAWS EU]EEA)
         COLLECT├── -->|HTTPSRegistration POSTdata Zod→ validated|PostgreSQL API[ExpressDB API\napi.bilko.io(Norway)
         ├── KYC data → Sumsub (EU EEA) → Drop DB
         ├── AISP: Bank balance → Neonomics → User's bank → Drop dashboard
         ├── PISP: Payment instruction → Neonomics → User's bank → Recipient bank
         │        └── For remittance: → Correspondent bank → Recipient country bank
         ├── Errors → Sentry (EU EEA)
         └── Suspicious transactions → EFE (Altinn — Railway EU West]
    API -->|Prisma ORM AES-256| DB[(PostgreSQL\nRailway EU West\nFrankfurt/Paris)]
    API -->|Receipt upload| R2[(Cloudflare R2\nEU region AES-256)]
    DB -->|Append-only| AUDIT[(LoggedAction\nImmutable audit trail)]
    API -->|Invoice email| SG[SendGrid\nEU region]
    API -->|UBL 2.1 XML| SEF[SEF efaktura.gov.rs\nSerbia]
    API -->|UBL 2.1 HR-CIUS| FINA[HR-FISK fina.hr\nCroatia]
    DB -->|On deletion| ANON[Anonymization\nPII removed]
    DB -->|On export| EXPORT[JSON export to data subject]
    ANON --> DB

    style DB fill:#ffcccc,stroke:#cc0000
    style AUDIT fill:#ffe4cc,stroke:#cc6600Norway)

Data processors (GDPR Art. 28):

SCCs

Processor	Service	Data Shared	Country	DPA ~~Status~~Signed
~~Railway~~BankID Norge AS	~~PostgreSQL~~Identity verification	Name, fødselsnummer	Norway (EEA)	Required — planned
Sumsub	KYC/AML document verification	ID documents, biometric liveness	EU (EEA)	Yes — `legal/dpa-sumsub.md`
Neonomics	PSD2 AISP/PISP	Bank account data, payment instructions	EU (EEA)	Required — planned
Swan	Banking/payment rails	Transaction data	EU (EEA)	Yes — `legal/dpa-swan.md`
AWS	Infrastructure hosting	All ~~accounting~~data ~~data~~(encrypted)	EU ~~West~~(EEA — Frankfurt/Ireland)	~~Pending~~AWS ~~— sign before launch~~DPA
~~Vercel~~Sentry	~~Frontend~~Error ~~hosting~~monitoring	~~Browser~~Error ~~requests~~context, user IDs	~~Global /~~ EU ~~edge~~(EEA)	~~Pending~~Yes — `legal/dpa-sentry.md`
~~Cloudflare~~Correspondent banks	~~CDN,~~Remittance ~~WAF, R2~~routing	IPSender ~~addresses,~~name, ~~receipt~~amount, ~~files~~recipient	EUNon-EEA ~~region~~(per corridor)	~~Pending~~
~~SendGrid~~	~~Transactional email~~	~~Email, invoice PDFs~~	EU	~~Pending~~required

6. Risk Assessment Matrix

6.1 Risk Scoring Scale

Score	Likelihood	Severity
1	Remote — unlikely to occur	Negligible — minimal impact
2	Unlikely — exceptional circumstances	Limited — short-term, minor inconvenience
3	Possible — could occur	Significant — real impact on rights
4	Likely — will probably occur	Severe — serious impact on rights and freedoms

Risk Score = Likelihood ~~(1-5)~~ × Severity ~~(1-5).~~| ~~Score~~Low: 1-6:4 ~~Low;~~| ~~7-12:~~Medium: ~~Medium;~~5-8 | High: 9-12 | Critical: 13-~~19: High; 20-25: Critical.~~16

6.2 RisksRisk to Data Subjects

nosecondary Manualcomplaint IP

Risk ID	Risk to Data Subjects	Likelihood	Severity	Score	Existing Controls	Residual Risk
R1	Unauthorized access to financial data (~~tax IDs, IBAN, invoice amounts)~~breach)	2	54	108	TLS 1.3, ~~AES-256,~~bcrypt, ~~RBAC,~~JWT ~~org-scoped~~httpOnly, ~~queries~~parameterized SQL, session revocation	MEDIUM
R2	~~Tax~~Data IDbreach ~~(PIB/JMBG/OIB/JIB)~~exposing ~~theft~~PII ~~enabling~~or ~~identity fraud~~fødselsnummer	2	54	108	L4Encryption ~~Restricted,~~at ~~RBAC,~~rest noplanned, ~~JWT~~access ~~exposure, bcrypt~~controls	MEDIUM
R3	~~Cross-tenant~~Unlawful profiling through transaction data	1	3	3	Purpose limitation, data ~~access~~minimization, ~~(IDOR)~~	2	5	10	~~org-scoped WHERE on all queries, UUID PKs~~use	LOW ~~(after mitigation)~~
R4	~~Invoice~~Third-country transfer without adequate protection (remittance corridors)	3	3	9	SCCs planned, data ~~exposure~~minimization to(name ~~wrong~~+ ~~party~~account only in transfer)	HIGH → MEDIUM with TIA
R5	False positive — legitimate transaction blocked by AML rules	2	2	4	8	~~RBAC,~~review ~~org-scope,~~within ~~input~~24h, ~~validation~~	~~MEDIUM~~
R5	~~Financial data manipulation (tampered invoices)~~	2	5	10	~~Immutable LoggedAction, RBAC delete permissions~~handling	LOW ~~(after mitigation)~~
R6	~~PII~~Data retained beyond ~~necessary~~legal ~~period~~requirement	2	2	4	Automated deletion planned Phase 2	LOW
R7	BankID session compromise via phishing/MitM	1	4	4	BankID security (handled by BankID Norge AS), session timeout	LOW
R8	Third-country authorities accessing data via remittance partners	2	3	6	~~Soft delete~~SCCs + ~~anonymization;~~TIA ~~financial~~+ data ~~by law~~	~~LOW~~
R7	~~Cross-border transfer (RS/BA data to EU) without protection~~	3	3	9	~~Railway EU West; ZZPL Art. 65; data stays in EEA~~minimization	MEDIUM
R8	~~User unable to exercise erasure (locked by retention law)~~	3	2	6	~~Clear policy in privacy notice; PII anonymized~~	~~LOW~~
R9	~~Receipt~~Identity ~~with~~fraud ~~sensitive~~— ~~data~~someone ~~(medical~~impersonating ~~receipts) exposed~~user	2	3	6	~~Encrypted R2 storage; RBAC accountant+ access~~	~~LOW~~
~~R10~~	~~Audit log IP retention enabling tracking~~	2	21	4	~~30-day~~4	BankID ~~retention~~Level ~~for~~High ~~security;~~(eIDAS), ~~longer~~Norwegian ~~for~~BankID ~~financial~~only	LOW
~~R11~~	~~SEF/HR-FISK state submission~~	1	2	2	~~Legal obligation — mandated by law~~	~~ACCEPTABLE~~

7. Mitigation Measures

Risk ID	Mitigation Measure	Owner	Deadline	Status
R1	Field-level AES-256-GCM encryption for ~~tax IDs and IBAN at application layer~~fødselsnummer	Engineering	Phase 2	Planned
R1	~~Sentry~~AWS ~~error~~KMS ~~tracking~~key +management ~~Railway~~for ~~anomaly~~database ~~monitoring~~encryption keys	Platform	Phase 12	Planned
R2	~~Tax~~PostgreSQL ~~IDs~~with L4TDE ~~Restricted~~(Transparent —Data ~~never~~Encryption) invia ~~JWT,~~AWS ~~never in logs~~RDS	~~Engineering~~Platform	Phase 12	~~Designed~~Planned
R3R2	~~Integration~~Penetration ~~tests:~~test ~~cross-tenant~~before ~~requests~~production ~~must return 403~~launch	~~Engineering~~Security	~~Phase 1~~Pre-launch	Planned
R4	~~Vitest~~SCCs ~~RBAC tests on~~with all ~~protected~~remittance ~~endpoints~~corridor correspondent banks	~~Engineering~~Legal	Phase 12	Planned
R5R4	~~LoggedAction~~Transfer ~~PostgreSQL~~Impact ~~trigger~~Assessments —per ~~append-only,~~destination ~~no DELETE~~country	~~Engineering~~DPO/Legal	Phase 1	~~Designed~~
R7	~~Privacy notice states Railway EU West data residency; ZZPL Art. 65 transfer basis~~	~~Legal/DPO~~	~~Phase 1~~2	Planned
R7R4	~~Verify~~Minimize ~~Railway~~transferred ~~region~~data =(name, EUaccount, ~~West~~amount ~~before~~ONLY ~~launch~~— no fødselsnummer)	~~Platform~~Engineering	MVP	Implemented
R6	Automated data retention + deletion jobs (5-year AML, 2-year other)	Engineering	Phase 12	Planned
R8	~~Privacy~~TIA ~~notice~~for ~~explains~~high-risk ~~legal~~corridors ~~retention~~(Pakistan, ~~basis~~Turkey, ~~clearly~~Serbia, Bosnia)	~~Legal/DPO~~DPO/Legal	Phase 12	Planned
R9	~~R2 files accessible only to org members with accountant+ role~~	~~Engineering~~	~~Phase 1~~	~~Designed~~

Residual risk ~~conclusion:~~after mitigation: All residual risks ~~are~~assessed as LOW or MEDIUM. No ~~CRITICAL~~HIGH or ~~HIGH~~CRITICAL residual ~~risks.~~risks ~~Processing may proceed subject to DPO approval and~~after Phase 12 mitigations ~~being~~are ~~implemented before first paying customer.~~implemented.

DPO Conclusion: ~~☐ Acceptable — proceed | ☐~~ Conditional — ~~pending~~Processing ~~Phase~~may 1proceed ~~mitigations~~for |MVP ☐(no ~~Escalate~~live transactions). Prior to ~~supervisory~~live ~~authority~~transactions: BankID SCA required, KYC implemented, SCCs in place, DPO appointed.

8. DPO Consultation Record

DPO Name: TBD ~~([email protected])~~— DPO appointment required before Phase 2 launch Consultation Date: ToTBD beDPO ~~scheduled~~Input: ~~before~~Pending ~~first paying customer~~appointment

DPO ~~Input:~~

Recommendation

(required
~~[To~~before belive ~~completed after DPO appointment]~~

~~DPO Recommendation:~~transactions):

Approved — risks are acceptable and adequately mitigated
Conditional approval — subject to implementing Phase 12 mitigations
Rejected — requires redesign ~~required~~

~~Escalate to supervisory authority~~

DPO Signature: _________________________ Date: _____________

9. Supervisory Authority Consultation

Consultation Required: NO — based on current risk assessment (~~pending~~all ~~DPO~~residual ~~review)~~risks LOW-MEDIUM after mitigation) ~~Reason:~~Basis: GDPR Art. 35(7) — Residual risks after mitigations are acceptable. No ~~CRITICAL~~prior orconsultation ~~HIGH~~with ~~residual~~Datatilsynet ~~risks. MEDIUM risks standard for cloud accounting SaaS.~~required.

Monitoring: If ~~required~~Phase —2 ~~relevant~~implementation ~~authorities~~reveals bynew ~~jurisdiction:~~risks (e.g., from real-world transaction data), this assessment will be reviewed and Datatilsynet consultation may be required.

~~HR: AZOP — [email protected] — https://azop.hr~~

~~RS: Poverenik — [email protected] — https://www.poverenik.rs~~

~~BA: AZLP — [email protected] — https://www.azlp.ba~~

10. DPIA Review Schedule

Next scheduled review: 2027-02-2312 (annual) orOR ~~when:~~when any of the following occurs:

~~New~~BankID ~~country~~integration ~~launch~~implemented (RS Phase 2,2)

Live ~~Phase~~PSD2 2,AISP/PISP BAtransactions ~~Phase 3)~~commenced
New ~~government~~remittance ~~integration~~corridors ~~(SEF,~~added

~~HR-FISK,~~

Sumsub ~~CPF)~~or KYC vendor changed
Data breach orincident ~~near-miss~~related to this processing
~~New~~Change ~~data~~in ~~categories~~applicable Norwegian or ~~processors~~EU regulations
~~Regulatory~~DORA ~~changes~~implementation in Norway (~~ZZPL~~expected ~~amendment,~~2026 ~~BiH reform, GDPR updates)~~H2)

Review Owner: DPO (~~[email protected])~~once appointed)

Review Log:

Date	Reviewer	Changes Made	Outcome
2026-02-2312	Compliance ~~Architect~~Agent (ALAI)	Initial DPIA (`legal/dpia-vurdering.md`)	Draft
2026-02-23	Security Architect (ALAI)	English compliance template format	Draft — awaiting DPO review

Approval

Role	Name	Date
Author	~~Compliance~~ALAI ~~Architect~~Security Team	2026-02-23
DPO	TBD — appointment required
~~Engineering~~Processing ~~Lead~~Owner	Alem Bašić (CEO/CISO)
Legal Counsel	TBD
~~CEO~~Management	Alem Bašić