// Trust & Security Report
BILL Operations, LLC
AI-powered financial operations platform with accounts payable (AP) automation, accounts receivable (AR) automation, spend & expense management, corporate cards, and business payments processing. Integrates with QuickBooks, Xero, Sage Intacct, and 30+ accounting systems.
Certifications held
5
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on bill.com“BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm”
Verify on bill.com“BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm”
Verify on bill.com“BILL Spend and Expense maintains PCI level 1 compliance by undergoing an annual audit by an independent Qualified Security Assessor (QSA), and BILL Accounts Payable and Accounts Receivable achieved PCI Level 1 Compliance for virtual card and Pay by Card offerings”
Verify on bill.com“Bill.com uses Standard Contractual Clauses including the European Commission's standard contractual clauses for GDPR and UK GDPR compliance. BILL Operations, LLC maintains GDPR representatives in the UK and Ireland. When personal information is transferred outside the EEA, Bill.com takes steps to ensure data is subject to appropriate safeguards”
Verify on bill.com“BILL has adopted an Anti-Money Laundering (AML)/Office of Foreign Assets Control (OFAC) Program designed to prevent money laundering, terrorist financing, and sanctions violations”
> Show 2 unconfirmed / not-held certifications
source: bill.comBill.com is currently working towards becoming HIPAA compliant, although it does not have a definitive ETA. BILL offers safeguards for electronic protected health information (ePHI) and requires healthcare organizations to sign a Business Associate Agreement (BAA) if they plan to enter ePHI into BILL, but the platform has not undergone full HIPAA certification
source: bill.comNo public evidence of ISO 27001 certification on bill.com domain. Bill.com's DPA mentions ISO 27001 as an industry-standard security framework that service providers should monitor and incorporate, but does not claim Bill.com holds this certification
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Primarily US-based; data can be transferred outside EEA/UK under Standard Contractual Clauses with appropriate safeguards
Privacy policy does not mention using customer data for AI model training. Bill.com explicitly prohibits service providers from using BILL information for their own purposes without written consent
// Security controls
Encryption at Rest
Sensitive Personal Information encrypted when stored on Bill.com systems (on-premises or cloud-based) using financial services industry-standard encryption techniques
bill.comEncryption in Transit
Transport Layer Security (TLS) encryption; bank-level protection during data transfer; all data in motion encrypted
bill.comVulnerability Management
Monthly vulnerability scans and scanning after post-configuration changes; penetration testing attestations
bill.comAccess Controls
Role-based access controls limiting what different team members can see and do; firewalls with restricted administrative access; access limited to authorized personnel only
bill.comVulnerability Disclosure
HackerOne vulnerability disclosure program for responsible security reporting
bill.com// Products & data scope
data: Invoice data, vendor information, payment instructions, banking details, approval workflows, approval matrices
SOC 2 Type II, PCI DSS Level 1 (virtual card), HIPAA-compatible with BAA (not certified), integrates with 30+ accounting systems
data: Customer invoices, payment records, receivables data, customer contact information, payment processing data
SOC 2 Type II, PCI DSS Level 1 (virtual card/Pay by Card), HIPAA-compatible with BAA (not certified)
data: Employee spending data, receipt information, expense reports, corporate card transactions, budget allocations, virtual card data
SOC 2 Type II, PCI DSS Level 1 (highest tier), includes corporate cards (Divvy Card via Visa), budget controls, travel management
data: Payment instructions, ACH routing information, international payment data, card payment data, transaction records
Processes $345B annually (~1% US GDP). ACH, international payments, card-based payments, network payments across 8M+ connected businesses
data: Client financial data (AP, AR, expense), client bank information, bookkeeping records, client audit trails
Dedicated console for accounting firms; enables outsourced bookkeeping and client management
// What to watch
- HIPAA: Bill.com is NOT fully HIPAA compliant. Platform offers safeguards for ePHI and requires BAA for healthcare orgs, but certification is absent and company is still 'working towards' compliance. Over-claim risk if listed as 'HIPAA compliant' without caveat.
- ISO 27001: Third-party vendor profiles (e.g., Nudge Security) claim ISO 27001 certification, but this is NOT confirmed on bill.com's own domain. DPA mentions ISO 27001 as an industry standard for service providers to follow, not as Bill.com's own certification.
- FedRAMP / CSA STAR: Third-party sources claim these, but bill.com domain has no public evidence. Do not list these without direct vendor confirmation.
- Data Residency: Not explicitly stated; only mentioned as 'cloud-based.' Confirm directly with Bill.com if specific US or multi-region hosting is required.
- GDPR: Bill.com has strong compliance posture (DPA, SCCs, EU reps) but is not 'GDPR certified' — they comply with legal requirements. List as 'GDPR compliant' not 'GDPR certified.'
- AI Training: Privacy policy silent on customer data use for AI training. Recommend explicit confirmation, especially given Bill.com's marketing of AI-powered features.
// At a glance
Pricing model
Subscription-based SaaS with usage/transaction-based components; separate pricing for AP, AR, Spend & Expense, and payment volumes
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on BILL Operations, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
bill.com