// Trust & Security Report

    BILL Operations, LLC (Divvy Pay LLC) logo

    BILL Operations, LLC (Divvy Pay LLC)

    BILL Spend & Expense: AI-powered expense management software with corporate credit cards, real-time transaction monitoring, receipt capture, and integration with accounting platforms. Includes BILL Divvy Card (branded credit card), travel management, and rewards program.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm.

    Verify on bill.com
    SOC 1 Type II
    HELD

    BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm.

    Verify on bill.com
    PCI DSS Level 1
    HELD

    BILL Spend and Expense maintains PCI level 1 compliance by undergoing an annual audit by an independent Qualified Security Assessor (QSA).

    Verify on bill.com
    GDPR Compliant
    HELD

    BILL designates itself as 'Controller' and the Service Provider as 'Processor' under GDPR. The agreement incorporates EU Standard Contractual Clauses (Module Two) for cross-border data transfers outside Europe.

    Verify on bill.com
    UK GDPR Compliant
    HELD

    Includes UK-specific Standard Contractual Clauses with jurisdiction transferred to England and Wales courts and the Information Commissioner's Office as the supervisory authority.

    Verify on bill.com
    CCPA Compliant
    HELD

    Service Provider certifies it 'shall not sell Personal Information' and commits to assisting BILL with consumer requests and data subject rights.

    Verify on bill.com
    AML/OFAC Program
    HELD

    BILL has adopted an Anti-Money Laundering (AML)/Office of Foreign Assets Control (OFAC) Program, which is designed to prevent the BILL Service from being used for purposes of money laundering, terrorist financing, violating or subverting OFAC sanctions.

    Verify on bill.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    BILL's DPA requires vendors to 'monitor and periodically incorporate reasonable industry-standard security safeguards, such as ISO 27001 or similar' but does not claim BILL itself holds ISO 27001 certification.

    source: bill.com
    HIPAA Compliant
    NOT CONFIRMED

    BILL Spend & Expense does not offer HIPAA protections and should not be used for PHI. HIPAA protections are available only for BILL AP/AR products with a Business Associate Agreement.

    source: bill.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    US-West-2 (AWS) with continuous backups to US-East-2

    BILL uses data from 300M+ historical transactions and millions of invoices to train AI models, but does not explicitly disclose whether live customer transaction data trains models or provide an opt-out mechanism. Privacy notice lists 'develop new products or features' as a use case but does not specifically mention AI model training. Contact: privacy@hq.bill.com

    // Security controls

    Encryption in Transit

    TLS with industry standard cipher suites

    bill.com

    Encryption at Rest

    Implemented per DPA requirements

    bill.com

    Multi-Factor Authentication

    2FA, multi-factor authentication, strong password policies required

    bill.com

    Access Controls

    Role-based access controls, separation of duties, timestamped audit trails

    bill.com

    Penetration Testing

    Annual penetration testing required per SSAE 18 SOC audits

    bill.com

    Vulnerability Management

    Monthly vulnerability scanning, HackerOne responsible disclosure partnership

    bill.com

    Data Backup

    Minimum weekly backups, continuous replication to secondary region

    bill.com

    Fraud Detection

    Real-time transaction monitoring, predictive AI for suspicious activity detection

    bill.com

    Vendor Management

    Formal vendor management program with security assessments

    bill.com

    // Products & data scope

    BILL Spend & ExpenseExpense Management / Corporate Cards

    data: Expense reports, receipt images, transaction data, employee spend data

    Main product. AI-powered auto-categorization. Not HIPAA compliant. Integrates with QuickBooks, Sage Intacct, NetSuite, Xero, Microsoft Dynamics.

    BILL Divvy CardCorporate Credit Card

    data: Card transactions, spending limits, cardholder data (masked)

    Virtual and physical card options. Issued by Divvy Pay LLC bank partners. PCI Level 1 compliant.

    Travel ManagementTravel Expense Management

    data: Travel bookings, travel expenses, per diem tracking

    Integrates with Expense Management for end-to-end travel spend control.

    Rewards ProgramCash Back / Incentives

    data: Spending history, rewards redemption

    Cash back and travel perks based on spend volume.

    // What to watch

    • ISO 27001 is referenced as a requirement for vendors, not held by BILL itself.
    • HIPAA compliance not available for BILL Spend & Expense; only BILL AP/AR products support HIPAA with BAA. Healthcare organizations should not use Spend & Expense for PHI.
    • AI training data practices not explicitly disclosed in privacy notice. BILL uses historical transaction data for AI but does not disclose whether live customer data trains models or provide opt-out mechanism.
    • No ISO/IEC 42001 (AI governance) or CSA STAR AI certifications mentioned.
    • International data transfer requires explicit user consent; data transferred outside home country may have less protection.
    • No mention of data deletion or retention limits in privacy notice; only states data retained 'as long as necessary' for service and legal obligations.

    // At a glance

    Pricing model

    Subscription-based (per-user pricing not publicly disclosed; free trial available)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on BILL Operations, LLC (Divvy Pay LLC)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    bill.com

    > Browse all vendor trust reports