Security and compliance
Effective Date:
11th April 2023
For prior version, please click here.
Billsby background
Billsby is at the heart of your business – collating all the details of your products, plans, promotions, customers and payments in one place, and managing the sharing and routing of data between all your tools. With crucial business information and data constantly flowing through our platform, we know you expect a highly secure solution. And because Billsby holds your customers’ personal data too, you owe your customers the promise that all of this data will be handled safely and securely and only shared with their consent.
The Billsby promise
At Billsby, we take data integrity and security extremely seriously. We acknowledge our responsibilities as both a data processor and a data controller, storing you and your customers data with the care it deserves and ensuring compliance so you can be trusted whilst using Billsby to deliver a great customer experience. Security is an essential part of our product. Every member of our team is constantly working to keep your data as secure and available as possible. All of our facilities and systems are reliable, robust and resilient and we’re always looking to make our product even better.In short, we promise to let you deliver a secure subscription billing experience by:
  • Securing your customers personal and payment data in a way that’s compliant with GDPR and PCI-DSS
  • Ensuring that all internal data security measures meet the exacting standards you would expect from a Software-as-a-Service provider
  • Following best practice standards for our physical and network security at all times
PCI-DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. All payment cards processed through Billsby are stored in the Billsby Vault. The Billsby Vault is powered by Spreedly, and Billsby hold no credit card data, transmit no credit card data and at no stage have access to any credit card data, other than tokenised data in the Billsby Vault powered by Spreedly.
Data protection
The EU General Data Protection Regulation (EU GDPR) is a European privacy law which became enforceable on May 25, 2018 and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state. In 2018 the EU GDPR was incorporated into United Kingdom (UK) domestic law. At the beginning of 2021, in the UK, the EU GDPR was replaced entirely by the UK General Data Protection Regulation (UK GDPR). Billsby is compliant with the EU GDPR, the UK GDPR and its obligations under the California Consumer Privacy Act 2018 (as amended by the California Privacy Act 2020). We are committed to protecting the personal data of our customers. We only collect and store data that is necessary to offer our service, and we do this with the consent of our customers. Our approach to privacy, security and data protection align with the goals of applicable data protection laws, and tools within Billsby make it easier for customers to comply with their obligations under applicable laws. Our standard Data Processing Addendum (DPA) (which is incorporated into our Terms of Service by reference) is available for you to read here.
Network security
Billsby uses Google Cloud’s platform and infrastructure, and our employees do not have any physical access to our production environment.
You can read more about
Google Cloud’s industry leading security
on their website

In addition to physical security, the Google Cloud platform helps protect us from traditional network security issues like:
  • Distributed Denial of Service (DDoS) attacks
  • Man in the middle attacks
  • Port scanning
  • Packet sniffing by other tenants
The Billsby Vault, hosted by our partner Spreedly, uses Amazon AWS platform and infrastructure. Neither Billsby or Spreedly employees have any physical access to the production environment.
You can read more about
Amazon’s security practices
on their website.
Admin operations
One of the ways we keep your account secure is by limiting who can access it. We take a stringent approach to ensuring only users with specific access need can access our production environments and databases. If you need help with your account, only you can grant access to our customer service staff, and you can revoke this access at any time. Administrative access to our systems is logged, and the reasons for access documented. Changes are not typically performed to any data in the production environment by members of our team.
Application security
Secure access
Billsby’s application services can only be accessed by HTTPS, and we use industry standard encryption for data traversing to and from the application servers.
All user input is properly encoded when displayed to ensure that XSS vulnerabilities are mitigated.
SQL injection
We use prepared statements for database access to avoid SQL injection attacks.
Encrypted data storage
We do not store sensitive card details on any Billsby network. The keys for third party services like payment gateways and integrations are stored in our database in encrypted form, and we encrypt data whenever possible and technically feasible.
Storage redundancy
We use Google Cloud SQL for our database. For each instance, data is backed up each day. To ensure redundancy, data is backed up in two regions within the same continent. In addition, our entire application is geo-replicated and load balanced across multiple data centers, so in the event of a weather event or power interruption, our services will continue to be available.
If you find any security issues, please email
and we will work to resolve the problem as soon as possible.
Data Processing Addendum
In the course of providing our service, Billsby may process personal data on your behalf. In order to outline specifics of how we will perform this processing and what our obligations are as well as the obligations of our users/customers we’ve developed a DPA that we enter into with anyone that uses our service. This document forms part of a contract of service with Billsby (as the data processor) and our users/customers (as the controllers). The DPA reflects the parties’ agreement with regard to the processing of personal data performed using our service. The DPA is incorporated into our Terms of Service and is available to read here.