Security and compliance (2019)

The importance of data security at Billsby

Billsby is at the heart of your business – collating all of the details of your products, plans, promotions, customers and payments in one place, and managing the sharing and routing of data between all of your tools. With crucial business information and data constantly flowing through our platform, we know you expect a highly secure solution.

And because Billsby holds your customers personal data too, you owe your customers the promise that all of this data will be handled safely and securely and only shared with their consent.

The Billsby Promise

At Billsby, we take data integrity and security extremely seriously. We acknowledge our responsibilities as both a data processor and a data controller, storing you and your customers data with the care it deserves and ensuring compliance so you can be trusted whilst using Billsby to deliver a great customer experience.

Security is an essential part of our product. Every member of our team is constantly working to keep your data as secure and available as possible. All of our facilities and systems are reliable, robust and resilient and we’re always looking to make our product even better.

In short, we promise to let you deliver a secure subscription billing experience by:

  • Securing your customers personal and payment data in a way that’s compliant with GDPR and PCI DSS
  • Ensuring that all internal data security measures meet the exacting standards you would expect from a Software-as-a-Service provider
  • Following best practice standards for our physical and network security at all times

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

All payment cards processed through Billsby are stored in the Billsby Vault. The Billsby Vault is powered by Spreedly, and Billsby hold no credit card data, transmit no credit card data and at no stage have access to any credit card data, other than tokenised data in the Billsby Vault powered by Spreedly.

You can view Spreedly’s PCI DSS compliance here.

EU-US Privacy Shield

Billsby complies with the EU-U.S. Privacy Shield and U.S.- Swiss Privacy Shield by adhering to the principles of protecting the rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.

GDPR

The General Data Protection Regulation (GDPR) is a European privacy law which became enforceable on May 25, 2018 and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.

At our core, Billsby are committed to protecting the personal data of our customers. We only collect and store data that is necessary to offer our service, and we do this with the consent of our customers. Our approach to privacy, security and data protection align with the goals of the General Data Protection Regulation, and tools within Billsby make it easier for you to comply with your obligations under the act.

Our standard Data Processing Addendum is available for you to sign where required by your organisation.

Network security

Billsby uses Google Cloud’s platform and infrastructure, and our employees do not have any physical access to our production environment. You can read more about Google Cloud’s industry leading security on their website.

In addition to physical security, the Google Cloud platform helps protect us from traditional network security issues like:

Distributed Denial of Service (DDoS) attacks
Man in the middle attacks
Port scanning
Packet sniffing by other tenants
The Billsby Vault, hosted by our partner Spreedly, uses Amazon AWS platform and infrastructure. Neither Billsby or Spreedly employees have any physical access to the production environment.

You can read more about Amazon’s security practices on their website.

Admin operations

One of the ways we keep your account secure is by limiting who can access it. We take a stringent approach to ensuring only users with specific access need can access our production environments and databases.

If you need help with your account, only you can grant access to our customer service staff, and you can revoke this access at any time.

Administrative access to our systems is logged, and the reasons for access documented. Changes are not typically performed to any data in the production environment by members of our team.

Application security

Secure access

Billsby’s application services can only be accessed by HTTPS, and we use industry standard encryption for data traversing to and from the application servers.

XSS

All user input is properly encoded when displayed to ensure that XSS vulnerabilities are mitigated.

SQL injection

We use prepared statements for database access to avoid SQL injection attacks.

Encrypted data storage

We do not store sensitive card details on any Billsby network. The keys for third party services like payment gateways and integrations are stored in our database in encrypted form, and we encrypt data whenever possible and technically feasible.

Storage and redundancy

We use Google Cloud SQL for our database. For each instance, data is backed up each day. To ensure redundancy, data is backed up in two regions within the same continent.

In addition, our entire application is geo-replicated and load balanced across multiple data centers, so in the event of a weather event or power interruption, our services will continue to be available

Disclosure

If you find any security issues, please email [email protected] and we will work to resolve the problem as soon as possible.

Data Processing Addendum

In the course of providing our service, Billsby may process personal data on your behalf. In order to outline specifics of how we will perform this processing and what our obligations are as well as the obligations of our users/customers we’ve developed a Data Processing Agreement (DPA) that we enter into free of charge with anyone that uses our service and requests it.

This document forms part of a contract of service with Billsby (as the data processor) and our users/customers (as the controllers). The DPA reflects the parties’ agreement with regard to the processing of personal data performed using our service.

As a controller, in order to sign this agreement, you must review and digitally sign a copy of the Data Processing Agreement. Once you sign the agreement, you will immediately receive a fully executed downloadable copy via email.

Upon Billsby’s receipt of the validly completed and digitally signed agreement, this agreement shall be in full force and effect.

Previous Data Processing Addendum