Data Protection Impact Assessment (DPIA)

Project: ~~Drop~~Bilko — ~~Fintech~~Balkan ~~Payment~~Accounting ~~App (ALAI Holding AS)~~SaaS Processing Activity: ~~All~~Multi-Tenant ~~personal~~Accounting ~~data~~Data ~~processing~~Processing in(invoices, ~~Drop~~expenses, ~~payment~~VAT, ~~services~~tax filings) Version: 1.0 Date: 2026-02-23 Author: ~~ALAI~~ Compliance ~~Team~~Architect DPO: TBD ~~— appointment required~~ (~~[email protected] — planned)~~[email protected]) Status: Draft ~~— DPO Review Required~~ Reviewers: DPO, Legal Counsel, ~~CTO~~Engineering Lead Classification: Confidential

Document History

accountingSaaSdata

Version	Date	Author	Changes
0.1	2026-02-1223	Compliance ~~Agent (ALAI)~~Architect	Initial DPIA ~~draft~~— (`legal/dpia-vurdering.md`)
~~1.0~~	~~2026-02-23~~	~~Security Architect (ALAI)~~	~~English compliance template format~~processing

~~Source document:~~ legal/dpia-vurdering.md ~~— DPIA-DROP-001 (v1.0, approved 2026-02-12)~~

DPIA Trigger Checklist

~~A DPIA is required under GDPR Art. 35 if ANY of the following apply:~~

#	Trigger	Applies?	Notes
1	Systematic ~~and~~profiling ~~extensive evaluation of personal aspects (profiling,~~/ automated ~~decision-making~~decisions with ~~legal/significant~~legal ~~effects)~~effects	~~YES~~NO	~~Automated~~No ~~AML/fraud~~profiling ~~transaction~~or ~~monitoring~~automated decisions
2	Large-scale ~~processing of~~ special category data (health, religion, ethnicity)	NO	NoFinancial ~~health,~~data ~~religion,~~is ornot ~~other~~Art. 9 special category ~~data~~
3	Systematic monitoring of publicly accessible areas	NO	~~Not applicable~~N/A
4	~~Processing of biometric~~Biometric or genetic data	~~PARTIAL~~NO	~~BankID uses biometric identity verification (handled by BankID — not Drop)~~N/A
5	~~Processing~~Data ~~of data concerning~~about vulnerable ~~data~~subjects ~~subjects~~(children, patients)	~~YES~~PARTIAL	~~General~~Employees ~~population~~submitting ~~including~~expense ~~potentially~~claims ~~vulnerable~~via ~~individuals~~employer's Bilko account
6	Innovative ~~use of~~ technology with unpredictable privacy impact	~~YES~~NO	~~Open~~Standard ~~Banking~~cloud ~~(PSD2~~accounting ~~PISP/AISP), BankID OIDC integration, QR payments~~SaaS
7	Cross-border transfer outside EEA without adequate protection	YES	~~Remittance~~Serbian to(ZZPL) ~~30+~~and ~~countries~~BiH (ZZLP) data subjects — ~~Serbia,~~data ~~Bosnia,~~processed ~~Turkey,~~on ~~Pakistan~~EU ~~lack adequacy decisions~~servers
8	Processing ~~data~~ that prevents data subjects from exercising rights	NO	~~Not~~Self-service ~~applicable~~endpoints provided

DPIA Required: YES Reason: ~~Multiple~~Cross-border ~~triggers~~transfer ~~apply:~~of ~~automated~~RS/BA ~~transaction~~data ~~monitoring,~~subjects ~~innovative~~to ~~Open~~EU-hosted ~~Banking~~infrastructure; ~~technology,~~processing ~~large-scale~~of national tax IDs (PIB/JMBG/OIB/JIB) as sensitive identifiers; financial data ~~processing,~~for ~~cross-border~~thousands ~~transfers~~of toorganizations ~~non-adequate~~and ~~countries.~~their counterparties.

1. Processing Activity Description

1.1 Activity Overview

Activity Name: ~~Drop~~Multi-Tenant ~~Payment Services — All Personal~~Accounting Data Processing System/Product: ~~Drop~~Bilko (~~getdrop.no) — Remittance + QR Payment App~~bilko.io) Business Unit: ~~ALAI Holding AS — Drop product~~Product Processing Owner: ~~CEO~~Engineering ~~/ CISO~~Lead (~~[email protected])~~[email protected])

Description of Processing: ~~Drop~~Bilko isprocesses afinancial ~~payment~~and ~~application~~personal ~~for~~data ~~all~~on ~~residents~~behalf of ~~Norway~~business ~~providing:~~organizations (data controllers) in Serbia, Bosnia & Herzegovina, and Croatia:

~~Remittance~~User account data — ~~international~~email, ~~money~~full ~~transfers~~name, tobcrypt-hashed ~~30+~~password, ~~countries~~TOTP ~~via PSD2 PISP~~secret
QROrganization ~~Payments~~data — ~~in-store~~legal QRname, ~~code~~tax ~~payments~~ID ~~via~~(PIB/JIB/OIB), ~~PSD2~~address, ~~PISP~~banking details
~~Account~~Contact ~~Information~~data — ~~reading~~customer/supplier names, tax IDs, email, phone, IBAN

Invoice data — invoice numbers, dates, amounts, VAT, payment status

Expense data — amounts, categories, descriptions, receipt attachments

Transaction data — bank ~~balances~~transactions, ~~via~~double-entry ~~PSD2~~debit/credit

~~AISP~~

Audit trail — all mutations logged with user ID, IP, timestamp, old/new values

~~Drop operates a~~ ~~pass-through model~~: it never holds customer funds. All payments are initiated directly from the user's bank account via Open Banking APIs. User authentication occurs via BankID (OIDC, security level "høyt" — eIDAS High).

~~Trigger /~~ Business Justification: ~~Providing~~SMBs ~~accessible,~~in ~~low-cost~~the ~~payment~~Balkans lack affordable, compliant cloud accounting software. Processing this data is necessary to deliver the contracted accounting service and ~~remittance~~meet ~~services~~legal toobligations ~~all~~under ~~Norwegian~~RS/BA/HR ~~residents.~~accounting ~~Norwegian-registered~~and ~~residents~~tax ~~can send money abroad at lower fees than traditional services. Financial inclusion for all communities.~~laws.

1.2 Processing Operations

Railway ~~non-EEA~~

Operation	Data Category	Technology	Location
Collection ~~— Registration~~(registration)	~~Identity~~Email, (name, ~~fødselsnummer, DOB), contact (phone, email)~~password	~~BankID~~HTTPS ~~OIDC,~~POST, ~~web~~Zod ~~form~~validation	~~Norway~~bilko.io ~~(EEA)~~— Vercel EU
Collection ~~— AISP~~(invoicing)	~~Financial~~Contact ~~(bank~~data, ~~account~~tax ~~number,~~IDs, ~~balance)~~amounts	~~PSD2 Open Banking~~HTTPS API ~~(Neonomics)~~	~~Norway (EEA)~~
~~Collection~~api.bilko.io — ~~PISP~~	~~Financial (bank account, amount, recipient)~~	~~PSD2 Open Banking API (Neonomics)~~	~~Norway (EEA)~~
~~Collection — KYC/AML~~	~~Identity documents, PEP status, risk profile~~	~~Sumsub SDK~~	EU ~~(EEA)~~West
Storage	All ~~above~~categories	~~SQLite (MVP) →~~ PostgreSQL ~~(Phase 2)~~AES-256	~~Norway~~Railway EU West (~~EEA)~~Frankfurt/Paris)
Storage (files)	Receipt PDFs/JPGs	Cloudflare R2 AES-256	Cloudflare EU region
Processing ~~— AML monitoring~~	~~Transaction~~VAT ~~patterns,~~calculations, ~~amounts, corridors~~reports	~~Automated~~Express ~~rules~~API, ~~engine~~Prisma ORM	~~Norway~~Railway ~~(EEA)~~EU West
Sharing ~~— Remittance~~	~~Sender~~Invoice ~~name, recipient name/account, amount~~PDFs	~~SWIFT/correspondent~~SendGrid ~~banks~~email	~~EEA~~EU +region
E-invoice submission	Invoice XML	UBL 2.1 SEF / HR-FISK	Serbia (SEF) / Croatia (FINA)
Deletion / Anonymization	~~All~~User ~~categories~~PII	~~Automated~~Soft ~~deletion~~delete ~~jobs~~+ ~~(planned Phase 2)~~anonymization	~~Norway~~Railway ~~(EEA)~~EU West

2. Necessity & Proportionality Assessment

2.1 Purposes of Processing

IDsrequiredby

Purpose	Specific Description	Legitimate?
~~Identity~~Account ~~verification~~authentication	Verify user isidentity ~~who~~for ~~they~~organization ~~claim, minimum age 18, Norwegian residency~~access	YES — ~~required~~contract bynecessity ~~hvitvaskingsloven~~(Art. ~~§ 12 and PSD2 SCA~~6.1.b)
~~Payment~~Invoice ~~initiation (PISP)~~generation	~~Initiate~~Create ~~payments~~legally ~~from~~compliant ~~user's bank account~~	~~YES — core service delivery~~
~~Account information (AISP)~~	~~Read bank balances for user dashboard~~	~~YES — core service delivery,~~invoices with ~~explicit~~tax ~~consent~~
~~AML/transaction monitoring~~	~~Detect and prevent money laundering~~law	YES — legal obligation (~~hvvl.~~Art. ~~§§ 24-25)~~6.1.c)
~~KYC~~VAT ~~compliance~~calculation and reporting	~~Customer~~Calculate ~~identification~~VAT ~~and~~at ~~risk~~RS ~~assessment~~20% / BA 17% / HR 25%	YES — legal obligation (~~hvvl.~~Art. ~~§§ 10-18)~~6.1.c)
~~Fraud~~Financial ~~detection~~record keeping	~~Detect~~Double-entry ~~unauthorized~~books ~~transactions~~required by accounting law	YES — ~~legitimate~~legal ~~interest~~obligation (~~PSD2~~ Art. 2)6.1.c)
~~Technical~~Audit ~~logging~~trail	~~System~~Immutable ~~error~~log ~~tracking,~~of ~~debugging,~~financial ~~security~~mutations	YES — legal obligation + legitimate interest (~~security~~Art. ~~requirement)~~6.1.c + 6.1.f)
E-invoice submission	Submit to SEF (Serbia) and HR-FISK (Croatia)	YES — legal obligation (Art. 6.1.c)
Invoice email delivery	Deliver invoices to customers	YES — contract necessity (Art. 6.1.b)

2.2 Data Minimization Assessment

ID ~~processing~~

Data Element	Collected	Strictly Necessary?	~~Justification~~Alternative
~~Full name~~`email`	YES	YES — login + invoice delivery	~~Identity verification (hvvl. § 12), payment routing~~N/A
~~Fødselsnummer (11 digits)~~`fullName`	YES	YES — required on invoices	~~Unique identification (hvvl. § 12(1)(a)), age verification (min 18)~~N/A
~~Date of birth~~	~~YES (derived from fødselsnummer)~~	~~YES~~	~~Age verification~~
~~Email address~~`passwordHash`	YES	YES — authentication	~~Account~~N/A ~~notifications,~~(bcrypt ~~login~~hash)
~~Phone number (+47)~~`totpSecret`	YES	YES — 2FA	~~Norwegian residency verification, 2FA (planned)~~N/A
~~Bank~~`organizationTaxId` ~~account number~~(PIB/JIB/OIB)	YES	YES — legally required on invoices	~~AISP balance reading, PISP payment initiation~~N/A
~~Transaction data (amount, recipient, currency)~~`organizationIban`	YES	YES — payment reference	~~Service delivery, AML monitoring, Bokføringsloven § 13~~N/A
IP`contactTaxId` ~~address~~(PIB/JMBG/OIB/JIB)	YES	YES — VAT law requires buyer tax ID	~~Security monitoring, rate limiting, fraud detection~~N/A
~~Device~~`contactIban`	YES	PARTIAL — needed only for payment features	Collect only when payment active
`clientIp` (audit log)	YES	YES	~~Session~~— ~~management,~~security, fraud detection	Retain max 30 days for security entries
~~KYC documents (passport, national ID)~~	~~YES~~	~~YES~~	~~Hvitvaskingsloven § 12 identity verification~~
~~PEP status~~	~~YES~~	~~YES~~	~~Hvitvaskingsloven § 18~~
~~Marketing preferences~~`userAgent`	NO	NO — not collected	Not collected
`deviceId`	NO	NO — nonot ~~marketing~~collected	Not collected

~~Fields recommended for removal:~~ ~~None identified. All fields are necessary for regulatory compliance or service delivery.~~

2.3 Lawful Basis

/ ~~security~~

Processing Activity	Lawful Basis	Justification
Account ~~creation, identity verification~~management	Contract (— Art. 6.1.b)b	~~Required~~Necessary ~~for~~to ~~service~~provide ~~delivery~~
~~Payment initiation (PISP)~~	~~Contract (Art. 6.1.b)~~	~~Core~~the service
~~Bank~~Invoice ~~account~~/ ~~reading~~expense ~~(AISP)~~	~~Consent (Art. 6.1.a)~~	~~PSD2 requires explicit PSU consent~~
~~AML/KYC~~transaction processing	Legal obligation (— Art. 6.1.c)c	~~Hvitvaskingsloven~~Zakon §§o 4,PDV ~~10-18~~+ Zakon o računovodstvu
~~Transaction~~VAT ~~monitoring~~calculation and reporting	Legal obligation (— Art. 6.1.c)c	~~Hvitvaskingsloven~~Mandatory §§under ~~24-25~~RS/BA/HR tax laws
~~Fraud~~Audit ~~detection~~trail	Legal obligation + Legitimate interest (— Art. 6.1.f)c + 6.1.f	~~PSD2~~Accounting ~~Art.~~law 2+ fraud detection
~~Security~~IP address logging	Legitimate interest (— Art. 6.1.f)f	~~DORA~~Security monitoring, 30-day retention
E-invoice submission (SEF/HR-FISK)	Legal obligation — Art. ~~10,~~6.1.c	Mandatory ~~requirement~~electronic submission
Data retention beyond erasure	Legal obligation — Art. 6.1.c	10-11 year retention per accounting law

3. Data Subjects & Categories of Data

3.1 Data Subject Groups

~~10,000~~—~~Year~~1)

Group	Description	Estimated Volume	Vulnerability ~~Level~~
~~Registered~~Business ~~users~~owners / admins	~~Adults~~SMB ~~(18+)~~owners ~~residing~~using ~~in Norway, all backgrounds~~Bilko	~~TBD~~1-10 ~~(launch~~per ~~target:~~organization	Low
Accountants	Professional accountants on client accounts	1-5 per organization	Low
Employees	Submitting expense claims via employer's account	Variable	Low-Medium
~~Merchants~~Counterparties	~~Legal~~Customers/suppliers ~~entities~~appearing ~~registering~~on ~~for QR payment acceptance~~invoices	~~TBD~~External ~~(launch~~to ~~target: 500 — Year 1)~~	~~Low~~
~~Payment recipients~~	~~Persons abroad receiving remittances~~	~~TBD~~Bilko	Low (~~data~~financial ~~minimized~~risk —if ~~name + account only)~~breached)

3.2 Personal Data Categories

2~~years~~

Category	Data Elements	Sensitivity	~~Retention~~Classification
~~Identity~~Contact	~~Full~~Name, ~~name,~~email, ~~fødselsnummer, date of birth~~phone	~~High (L4 for fødselsnummer)~~Standard	5L3 ~~years after account closure (hvvl. §30)~~Confidential
~~Contact~~Authentication	~~Email,~~bcrypt(password), ~~phone~~TOTP ~~number~~secret	~~Standard (L3)~~High	~~Duration~~L4 +Restricted
Tax identity	PIB, JMBG, OIB, JIB	High	L4 Restricted
Financial	~~Bank~~Invoice ~~account~~amounts, ~~number,~~IBAN, ~~balance~~bank ~~(AISP), transaction history~~transactions	High ~~(L3-L4)~~	5L3 ~~years (Bokføringsloven)~~
~~KYC/AML~~	~~Identity documents, PEP status, risk profile~~	~~High (L4)~~	~~5 years after account closure (hvvl. §30)~~Confidential
Behavioral / Audit	~~Transaction patterns, device ID,~~ IP ~~address~~address, action timestamps, old/new values	Standard ~~(L3)~~	~~12-24~~L2 ~~months (security logs), 5 years (AML)~~Internal
~~Biometric~~Attachments	~~None~~Receipt ~~collected~~PDFs, ~~directly~~invoice ~~(BankID handles)~~attachments	—Standard-High	—L3 Confidential

4. Data Processing Purposes & Legal Basis

Processing Purpose	Personal Data Used	Legal Basis	Retention Period
User ~~registration and~~ authentication	~~Name, fødselsnummer,~~ email, ~~phone~~passwordHash, totpSecret	Contract (Art. 6.1.b)	~~Duration~~Until +account ~~2 years~~deletion
~~BankID~~Invoice ~~SCA~~creation ~~verification~~and delivery	~~Name, fødselsnummer (via BankID)~~	~~Contract + Legal obligation~~	~~Session only~~
~~AISP bank balance reading~~	~~Bank account number, balance~~	~~Consent (Art. 6.1.a)~~	~~Until consent withdrawn~~
~~PISP payment initiation~~	~~Bank account, amount, recipient details~~	~~Contract (Art. 6.1.b)~~	~~5 years (Bokføringsloven)~~
~~Remittance — cross-border transfer~~	~~Sender~~org name, ~~recipient~~tax ID, contact name/~~account,~~tax ~~amount~~	~~Contract (Art. 6.1.b)~~	~~5 years~~
~~KYC identity verification~~	~~Full identity data, documents, PEP status~~	~~Legal obligation (Art. 6.1.c) — hvvl. §§ 10-18~~	~~5 years (hvvl. §30)~~
~~Transaction monitoring (AML)~~	~~Transaction data, patterns,~~ID/address, amounts	Legal obligation (Art. 6.1.c) ~~— hvvl. §§ 24-25~~	510 years (RS) / 11 years (HR/BA RS entity)
VAT calculation	Invoice amounts, tax rates, tax IDs	Legal obligation (Art. 6.1.c)	10-11 years
~~Fraud~~Expense ~~detection~~management	~~Transaction~~Amounts, ~~patterns,~~descriptions, ~~IP,~~receipt ~~device ID~~images	~~Legitimate~~Legal ~~interest~~obligation (Art. 6.1.f)c)	210-11 years
~~Security~~Financial ~~logging~~reporting	~~IP,~~All ~~user_id, action, timestamp~~	~~Legitimate interest (Art. 6.1.f)~~	~~12 months auth logs, 24 months security~~
~~Suspicious Transaction Reporting (EFE)~~	~~Identity + transaction~~financial data	Legal obligation (Art. 6.1.c) ~~— hvvl. §26~~	510-11 years
Audit trail	userId, IP, timestamp, changedFields	Legal obligation + Legitimate interest	Financial: 10-11 years; IP/security: 30 days
E-invoice (SEF/HR-FISK)	Invoice XML with buyer/seller data	Legal obligation (Art. 6.1.c)	Per SEF/FINA requirements
Transactional email	email, invoice PDF	Contract (Art. 6.1.b)	Not stored by Bilko
Data export (portability)	All data	GDPR Art. 20 / ZZPL Art. 37	On demand

5. Data Flow Mapping

Userflowchart →TD
    BankIDDS([Data (SCASubject\nBusiness authentication)user]) →-->|Registers Drop/ PlatformCreates (Norwayinvoice| COLLECT[Web App\nbilko.io — AWSVercel EEA)EU]
    ├──COLLECT Registration-->|HTTPS POST Zod validated| API[Express API\napi.bilko.io — Railway EU West]
    API -->|Prisma ORM AES-256| DB[(PostgreSQL\nRailway EU West\nFrankfurt/Paris)]
    API -->|Receipt upload| R2[(Cloudflare R2\nEU region AES-256)]
    DB -->|Append-only| AUDIT[(LoggedAction\nImmutable audit trail)]
    API -->|Invoice email| SG[SendGrid\nEU region]
    API -->|UBL 2.1 XML| SEF[SEF efaktura.gov.rs\nSerbia]
    API -->|UBL 2.1 HR-CIUS| FINA[HR-FISK fina.hr\nCroatia]
    DB -->|On deletion| ANON[Anonymization\nPII removed]
    DB -->|On export| EXPORT[JSON export to data →subject]
    PostgreSQLANON --> DB

    (Norway)
         ├── KYC data → Sumsub (EU EEA) → Dropstyle DB ├──fill:#ffcccc,stroke:#cc0000
    AISP:style BankAUDIT balance → Neonomics → User's bank → Drop dashboard
         ├── PISP: Payment instruction → Neonomics → User's bank → Recipient bank
         │        └── For remittance: → Correspondent bank → Recipient country bank
         ├── Errors → Sentry (EU EEA)
         └── Suspicious transactions → EFE (Altinn — Norway)fill:#ffe4cc,stroke:#cc6600

Data processors (GDPR Art. 28):

Processor	Service	Data Shared	Country	DPA ~~Signed~~Status
~~BankID Norge AS~~Railway	~~Identity~~PostgreSQL ~~verification~~hosting	~~Name,~~All ~~fødselsnummer~~accounting data	~~Norway~~EU ~~(EEA)~~West	~~Required~~Pending — ~~planned~~sign before launch
~~Sumsub~~Vercel	~~KYC/AML~~Frontend ~~document verification~~hosting	IDBrowser ~~documents, biometric liveness~~requests	Global / EU ~~(EEA)~~edge	~~Yes —~~ `legal/dpa-sumsub.md`Pending
~~Neonomics~~Cloudflare	~~PSD2~~CDN, ~~AISP/PISP~~WAF, R2	~~Bank~~IP ~~account~~addresses, ~~data,~~receipt ~~payment instructions~~files	EU ~~(EEA)~~region	~~Required — planned~~Pending
~~Swan~~SendGrid	~~Banking/payment~~Transactional ~~rails~~email	~~Transaction~~Email, ~~data~~invoice PDFs	EU ~~(EEA)~~	~~Yes —~~ `legal/dpa-swan.md`
~~AWS~~	~~Infrastructure hosting~~	~~All data (encrypted)~~	~~EU (EEA — Frankfurt/Ireland)~~	~~AWS DPA~~
~~Sentry~~	~~Error monitoring~~	~~Error context, user IDs~~	~~EU (EEA)~~	~~Yes —~~ `legal/dpa-sentry.md`
~~Correspondent banks~~	~~Remittance routing~~	~~Sender name, amount, recipient~~	~~Non-EEA (per corridor)~~	~~SCCs required~~Pending

6. Risk Assessment Matrix

6.1 Risk Scoring Scale

~~Score~~	~~Likelihood~~	~~Severity~~
1	~~Remote — unlikely to occur~~	~~Negligible — minimal impact~~
2	~~Unlikely — exceptional circumstances~~	~~Limited — short-term, minor inconvenience~~
3	~~Possible — could occur~~	~~Significant — real impact on rights~~
4	~~Likely — will probably occur~~	~~Severe — serious impact on rights and freedoms~~

Risk Score = Likelihood (1-5) × Severity |(1-5). ~~Low:~~Score 1-46: |Low; ~~Medium:~~7-12: ~~5-8 | High: 9-12 | Critical:~~Medium; 13-1619: High; 20-25: Critical.

6.2 RiskRisks to Data Subjects

~~legal requirement~~

Risk ID	Risk ~~to Data Subjects~~	Likelihood	Severity	Score	~~Existing~~ Controls	Residual ~~Risk~~
R1	Unauthorized access to financial data (~~breach)~~tax IDs, IBAN, invoice amounts)	2	5	10	TLS 1.3, AES-256, RBAC, org-scoped queries	MEDIUM
R2	Tax ID (PIB/JMBG/OIB/JIB) theft enabling identity fraud	2	5	10	L4 Restricted, RBAC, no JWT exposure, bcrypt	MEDIUM
R3	Cross-tenant data access (IDOR)	2	5	10	org-scoped WHERE on all queries, UUID PKs	LOW (after mitigation)
R4	Invoice data exposure to wrong party	2	4	8	~~TLS~~RBAC, ~~1.3,~~org-scope, ~~bcrypt,~~input ~~JWT httpOnly, parameterized SQL, session revocation~~validation	MEDIUM
R2R5	~~Data~~Financial ~~breach~~data ~~exposing~~manipulation ~~PII~~(tampered ~~or fødselsnummer~~invoices)	2	45	810	~~Encryption~~Immutable atLoggedAction, ~~rest~~RBAC ~~planned,~~delete ~~access controls~~permissions	~~MEDIUM~~LOW (after mitigation)
R3R6	~~Unlawful~~PII ~~profiling~~retained ~~through~~beyond ~~transaction~~necessary ~~data~~period	12	3	36	~~Purpose~~Soft ~~limitation,~~delete + anonymization; financial data ~~minimization,~~by ~~no secondary use~~law	LOW
R4R7	~~Third-country~~Cross-border transfer (RS/BA data to EU) without ~~adequate~~ protection ~~(remittance corridors)~~	3	3	9	~~SCCs~~Railway ~~planned,~~EU West; ZZPL Art. 65; data ~~minimization (name + account only~~stays in ~~transfer)~~EEA	~~HIGH →~~ MEDIUM ~~with TIA~~
R5R8	~~False~~User ~~positive~~unable —to ~~legitimate~~exercise ~~transaction~~erasure ~~blocked~~(locked by ~~AML~~retention ~~rules~~law)	3	2	6	Clear policy in privacy notice; PII anonymized	LOW
R9	Receipt with sensitive data (medical receipts) exposed	2	3	6	Encrypted R2 storage; RBAC accountant+ access	LOW
R10	Audit log IP retention enabling tracking	2	2	4	~~Manual~~30-day ~~review~~IP ~~within~~retention ~~24h,~~for ~~complaint~~security; ~~handling~~longer for financial	LOW
R6R11	~~Data~~SEF/HR-FISK ~~retained~~state ~~beyond~~submission	1	2	2	4Legal obligation — mandated by law	~~Automated deletion planned Phase 2~~	~~LOW~~
R7	~~BankID session compromise via phishing/MitM~~	1	4	4	~~BankID security (handled by BankID Norge AS), session timeout~~	~~LOW~~
R8	~~Third-country authorities accessing data via remittance partners~~	2	3	6	~~SCCs + TIA + data minimization~~	~~MEDIUM~~
R9	~~Identity fraud — someone impersonating user~~	1	4	4	~~BankID Level High (eIDAS), Norwegian BankID only~~	~~LOW~~ACCEPTABLE

7. Mitigation Measures

Risk ID	Mitigation ~~Measure~~	Owner	Deadline	Status
R1	Field-level ~~AES-256-GCM~~ encryption for ~~fødselsnummer~~tax IDs and IBAN at application layer	Engineering	Phase 2	Planned
R1	~~AWS~~Sentry ~~KMS~~error ~~key~~tracking ~~management~~+ ~~for~~Railway ~~database~~anomaly ~~encryption keys~~monitoring	Platform	Phase 21	Planned
R2	~~PostgreSQL~~Tax ~~with~~IDs ~~TDE~~L4 ~~(Transparent~~Restricted ~~Data~~— ~~Encryption)~~never ~~via~~in ~~AWS~~JWT, ~~RDS~~never in logs	~~Platform~~Engineering	Phase 21	~~Planned~~Designed
R2R3	~~Penetration~~Integration ~~test~~tests: ~~before~~cross-tenant ~~production~~requests ~~launch~~must return 403	~~Security~~Engineering	~~Pre-launch~~Phase 1	Planned
R4	~~SCCs~~Vitest ~~with~~RBAC tests on all ~~remittance~~protected ~~corridor correspondent banks~~endpoints	~~Legal~~Engineering	Phase 21	Planned
R4R5	~~Transfer~~LoggedAction ~~Impact~~PostgreSQL ~~Assessments~~trigger ~~per~~— ~~destination~~append-only, ~~country~~no DELETE	~~DPO/Legal~~Engineering	Phase 21	Designed
R7	Privacy notice states Railway EU West data residency; ZZPL Art. 65 transfer basis	Legal/DPO	Phase 1	Planned
R4R7	~~Minimize~~Verify ~~transferred~~Railway ~~data~~region ~~(name,~~= ~~account,~~EU ~~amount~~West ~~ONLY~~before ~~— no fødselsnummer)~~launch	~~Engineering~~	~~MVP~~	~~Implemented~~
R6	~~Automated data retention + deletion jobs (5-year AML, 2-year other)~~	~~Engineering~~Platform	Phase 21	Planned
R8	~~TIA~~Privacy ~~for~~notice ~~high-risk~~explains ~~corridors~~legal ~~(Pakistan,~~retention ~~Turkey,~~basis ~~Serbia, Bosnia)~~clearly	~~DPO/Legal~~Legal/DPO	Phase 21	Planned
R9	R2 files accessible only to org members with accountant+ role	Engineering	Phase 1	Designed

Residual risk ~~after mitigation:~~conclusion: All residual risks ~~assessed as~~are LOW or MEDIUM. No ~~HIGH~~CRITICAL or ~~CRITICAL~~HIGH residual ~~risks~~risks. ~~after~~Processing may proceed subject to DPO approval and Phase 21 mitigations ~~are~~being ~~implemented.~~implemented before first paying customer.

DPO Conclusion: ☐ Acceptable — proceed | ☐ Conditional — ~~Processing~~pending ~~may~~Phase ~~proceed~~1 ~~for~~mitigations ~~MVP~~| ~~(no~~☐ ~~live transactions). Prior~~Escalate to ~~live~~supervisory ~~transactions: BankID SCA required, KYC implemented, SCCs in place, DPO appointed.~~authority

8. DPO Consultation Record

DPO Name: TBD ~~— DPO appointment required before Phase 2 launch~~([email protected]) Consultation Date: ~~TBD~~To ~~DPO~~be ~~Input:~~scheduled ~~Pending~~before ~~appointment~~first paying customer

DPO ~~Recommendation~~Input:

~~(required~~

~~before~~
[To ~~live~~be ~~transactions):~~completed after DPO appointment]

DPO Recommendation:

Approved — risks ~~are~~ acceptable and adequately mitigated
Conditional approval — subject to ~~implementing~~ Phase 21 mitigations
Rejected — ~~requires~~redesign ~~redesign~~required

Escalate to supervisory authority

DPO Signature: _________________________ Date: _____________

9. Supervisory Authority Consultation

Consultation Required: NO —(pending ~~based~~DPO onreview) ~~current~~Reason: ~~risk~~No ~~assessment~~CRITICAL ~~(all~~or HIGH residual ~~risks~~risks. ~~LOW-~~MEDIUM ~~after mitigation)~~ ~~Basis:~~ ~~GDPR Art. 35(7) — Residual~~ risks ~~after~~standard ~~mitigations~~for ~~are~~cloud ~~acceptable.~~accounting ~~No prior consultation with Datatilsynet required.~~SaaS.

~~Monitoring:~~ If ~~Phase~~required 2— ~~implementation~~relevant ~~reveals~~authorities ~~new~~by ~~risks~~jurisdiction:

~~(e.g.,~~

~~from~~

HR: ~~real-world~~AZOP ~~transaction~~— ~~data),~~[email protected] ~~this~~— ~~assessment~~https://azop.hr

~~will~~

RS: bePoverenik ~~reviewed~~— ~~and~~[email protected] ~~Datatilsynet~~— ~~consultation~~https://www.poverenik.rs

~~may~~

BA: beAZLP ~~required.~~
— [email protected] — https://www.azlp.ba

10. DPIA Review Schedule

Next ~~scheduled~~ review: 2027-02-1223 (annual) ORor ~~when any of the following occurs:~~when:

~~BankID~~New ~~integration~~country ~~implemented~~launch (RS Phase 2)

~~Live~~HR ~~PSD2~~Phase ~~AISP/PISP~~2, ~~transactions~~BA ~~commenced~~Phase 3)
New ~~remittance~~government ~~corridors~~integration ~~added~~

(SEF,

~~Sumsub~~HR-FISK, ~~or KYC vendor changed~~CPF)
Data breach ~~incident~~or ~~related to this processing~~near-miss
~~Change~~New indata ~~applicable Norwegian~~categories or ~~EU regulations~~processors
~~DORA~~Regulatory ~~implementation in Norway~~changes (~~expected~~ZZPL ~~2026~~amendment, ~~H2)~~BiH reform, GDPR updates)

Review Owner: DPO (~~once~~[email protected]) ~~appointed)~~

Review Log:

Date	Reviewer	Changes ~~Made~~	Outcome
2026-02-1223	Compliance ~~Agent (ALAI)~~Architect	Initial DPIA (`legal/dpia-vurdering.md`)	~~Draft~~
~~2026-02-23~~	~~Security Architect (ALAI)~~	~~English compliance template format~~	Draft — awaiting DPO ~~review~~

Approval

Role	Name	Date
Author	~~ALAI~~Compliance ~~Security Team~~Architect	2026-02-23
DPO	~~TBD — appointment required~~
~~Processing~~Engineering ~~Owner~~Lead	~~Alem Bašić (CEO/CISO)~~
Legal Counsel	~~TBD~~
~~Management~~CEO	~~Alem Bašić~~