// Trust & Security Report
BILL Operations, LLC (Divvy Pay LLC)
BILL Spend & Expense: AI-powered expense management software with corporate credit cards, real-time transaction monitoring, receipt capture, and integration with accounting platforms. Includes BILL Divvy Card (branded credit card), travel management, and rewards program.
Certifications held
7
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on bill.com“BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm.”
Verify on bill.com“BILL undergoes an annual SOC 1 and SOC 2 Type II Audit by a leading national CPA Firm.”
Verify on bill.com“BILL Spend and Expense maintains PCI level 1 compliance by undergoing an annual audit by an independent Qualified Security Assessor (QSA).”
Verify on bill.com“BILL designates itself as 'Controller' and the Service Provider as 'Processor' under GDPR. The agreement incorporates EU Standard Contractual Clauses (Module Two) for cross-border data transfers outside Europe.”
Verify on bill.com“Includes UK-specific Standard Contractual Clauses with jurisdiction transferred to England and Wales courts and the Information Commissioner's Office as the supervisory authority.”
Verify on bill.com“Service Provider certifies it 'shall not sell Personal Information' and commits to assisting BILL with consumer requests and data subject rights.”
Verify on bill.com“BILL has adopted an Anti-Money Laundering (AML)/Office of Foreign Assets Control (OFAC) Program, which is designed to prevent the BILL Service from being used for purposes of money laundering, terrorist financing, violating or subverting OFAC sanctions.”
> Show 2 unconfirmed / not-held certifications
source: bill.comBILL's DPA requires vendors to 'monitor and periodically incorporate reasonable industry-standard security safeguards, such as ISO 27001 or similar' but does not claim BILL itself holds ISO 27001 certification.
source: bill.comBILL Spend & Expense does not offer HIPAA protections and should not be used for PHI. HIPAA protections are available only for BILL AP/AR products with a Business Associate Agreement.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
US-West-2 (AWS) with continuous backups to US-East-2
BILL uses data from 300M+ historical transactions and millions of invoices to train AI models, but does not explicitly disclose whether live customer transaction data trains models or provide an opt-out mechanism. Privacy notice lists 'develop new products or features' as a use case but does not specifically mention AI model training. Contact: privacy@hq.bill.com
// Security controls
Multi-Factor Authentication
2FA, multi-factor authentication, strong password policies required
bill.comVulnerability Management
Monthly vulnerability scanning, HackerOne responsible disclosure partnership
bill.comFraud Detection
Real-time transaction monitoring, predictive AI for suspicious activity detection
bill.com// Products & data scope
data: Expense reports, receipt images, transaction data, employee spend data
Main product. AI-powered auto-categorization. Not HIPAA compliant. Integrates with QuickBooks, Sage Intacct, NetSuite, Xero, Microsoft Dynamics.
data: Card transactions, spending limits, cardholder data (masked)
Virtual and physical card options. Issued by Divvy Pay LLC bank partners. PCI Level 1 compliant.
data: Travel bookings, travel expenses, per diem tracking
Integrates with Expense Management for end-to-end travel spend control.
data: Spending history, rewards redemption
Cash back and travel perks based on spend volume.
// What to watch
- ISO 27001 is referenced as a requirement for vendors, not held by BILL itself.
- HIPAA compliance not available for BILL Spend & Expense; only BILL AP/AR products support HIPAA with BAA. Healthcare organizations should not use Spend & Expense for PHI.
- AI training data practices not explicitly disclosed in privacy notice. BILL uses historical transaction data for AI but does not disclose whether live customer data trains models or provide opt-out mechanism.
- No ISO/IEC 42001 (AI governance) or CSA STAR AI certifications mentioned.
- International data transfer requires explicit user consent; data transferred outside home country may have less protection.
- No mention of data deletion or retention limits in privacy notice; only states data retained 'as long as necessary' for service and legal obligations.
// At a glance
Pricing model
Subscription-based (per-user pricing not publicly disclosed; free trial available)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on BILL Operations, LLC (Divvy Pay LLC)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
bill.com