// Trust & Security Report

    BILL Operations, LLC logo

    BILL Operations, LLC

    AI-powered financial operations platform with accounts payable (AP) automation, accounts receivable (AR) automation, spend & expense management, corporate cards, and business payments processing. Integrates with QuickBooks, Xero, Sage Intacct, and 30+ accounting systems.

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm

    Verify on bill.com
    SOC 1
    HELD

    BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm

    Verify on bill.com
    PCI DSS Level 1
    HELD

    BILL Spend and Expense maintains PCI level 1 compliance by undergoing an annual audit by an independent Qualified Security Assessor (QSA), and BILL Accounts Payable and Accounts Receivable achieved PCI Level 1 Compliance for virtual card and Pay by Card offerings

    Verify on bill.com
    GDPR Compliance
    HELD

    Bill.com uses Standard Contractual Clauses including the European Commission's standard contractual clauses for GDPR and UK GDPR compliance. BILL Operations, LLC maintains GDPR representatives in the UK and Ireland. When personal information is transferred outside the EEA, Bill.com takes steps to ensure data is subject to appropriate safeguards

    Verify on bill.com
    AML/OFAC Compliance
    HELD

    BILL has adopted an Anti-Money Laundering (AML)/Office of Foreign Assets Control (OFAC) Program designed to prevent money laundering, terrorist financing, and sanctions violations

    Verify on bill.com
    > Show 2 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Bill.com is currently working towards becoming HIPAA compliant, although it does not have a definitive ETA. BILL offers safeguards for electronic protected health information (ePHI) and requires healthcare organizations to sign a Business Associate Agreement (BAA) if they plan to enter ePHI into BILL, but the platform has not undergone full HIPAA certification

    source: bill.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on bill.com domain. Bill.com's DPA mentions ISO 27001 as an industry-standard security framework that service providers should monitor and incorporate, but does not claim Bill.com holds this certification

    source: bill.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primarily US-based; data can be transferred outside EEA/UK under Standard Contractual Clauses with appropriate safeguards

    Privacy policy does not mention using customer data for AI model training. Bill.com explicitly prohibits service providers from using BILL information for their own purposes without written consent

    // Security controls

    Encryption at Rest

    Sensitive Personal Information encrypted when stored on Bill.com systems (on-premises or cloud-based) using financial services industry-standard encryption techniques

    bill.com

    Encryption in Transit

    Transport Layer Security (TLS) encryption; bank-level protection during data transfer; all data in motion encrypted

    bill.com

    Vulnerability Management

    Monthly vulnerability scans and scanning after post-configuration changes; penetration testing attestations

    bill.com

    Data Backups

    Weekly data backups in secure facilities

    bill.com

    Access Controls

    Role-based access controls limiting what different team members can see and do; firewalls with restricted administrative access; access limited to authorized personnel only

    bill.com

    Data Destruction

    Secure destruction of printed materials containing sensitive information

    bill.com

    Vulnerability Disclosure

    HackerOne vulnerability disclosure program for responsible security reporting

    bill.com

    // Products & data scope

    BILL Accounts Payable (AP)Financial Operations

    data: Invoice data, vendor information, payment instructions, banking details, approval workflows, approval matrices

    SOC 2 Type II, PCI DSS Level 1 (virtual card), HIPAA-compatible with BAA (not certified), integrates with 30+ accounting systems

    BILL Accounts Receivable (AR)Financial Operations

    data: Customer invoices, payment records, receivables data, customer contact information, payment processing data

    SOC 2 Type II, PCI DSS Level 1 (virtual card/Pay by Card), HIPAA-compatible with BAA (not certified)

    BILL Spend & ExpenseFinancial Operations

    data: Employee spending data, receipt information, expense reports, corporate card transactions, budget allocations, virtual card data

    SOC 2 Type II, PCI DSS Level 1 (highest tier), includes corporate cards (Divvy Card via Visa), budget controls, travel management

    BILL Payments ServicesPayments Processing

    data: Payment instructions, ACH routing information, international payment data, card payment data, transaction records

    Processes $345B annually (~1% US GDP). ACH, international payments, card-based payments, network payments across 8M+ connected businesses

    BILL Accountant Partner ProgramSaaS for Professionals

    data: Client financial data (AP, AR, expense), client bank information, bookkeeping records, client audit trails

    Dedicated console for accounting firms; enables outsourced bookkeeping and client management

    // What to watch

    • HIPAA: Bill.com is NOT fully HIPAA compliant. Platform offers safeguards for ePHI and requires BAA for healthcare orgs, but certification is absent and company is still 'working towards' compliance. Over-claim risk if listed as 'HIPAA compliant' without caveat.
    • ISO 27001: Third-party vendor profiles (e.g., Nudge Security) claim ISO 27001 certification, but this is NOT confirmed on bill.com's own domain. DPA mentions ISO 27001 as an industry standard for service providers to follow, not as Bill.com's own certification.
    • FedRAMP / CSA STAR: Third-party sources claim these, but bill.com domain has no public evidence. Do not list these without direct vendor confirmation.
    • Data Residency: Not explicitly stated; only mentioned as 'cloud-based.' Confirm directly with Bill.com if specific US or multi-region hosting is required.
    • GDPR: Bill.com has strong compliance posture (DPA, SCCs, EU reps) but is not 'GDPR certified' — they comply with legal requirements. List as 'GDPR compliant' not 'GDPR certified.'
    • AI Training: Privacy policy silent on customer data use for AI training. Recommend explicit confirmation, especially given Bill.com's marketing of AI-powered features.

    // At a glance

    Pricing model

    Subscription-based SaaS with usage/transaction-based components; separate pricing for AP, AR, Spend & Expense, and payment volumes

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on BILL Operations, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    bill.com

    > Browse all vendor trust reports