Security
Money moves through Billitron. The security bar has to match.
Pay-apps. Bank account numbers. Tax IDs. Lien-rights filings. Billitron sits on top of the most sensitive financial data in your business. We treat it that way.
Transport & storage
- TLS 1.3 by default for all API and webhook traffic. HSTS preload, no insecure ciphers.
- At-rest encryption on Postgres for credentials, bank account numbers, tax IDs, and document storage.
- Tokenized banking data — we don't store raw account / routing numbers; we tokenize via our payment processor.
- BYOK for document storage on Scale and Enterprise — bring your own KMS / customer-managed keys.
Identity & access
- SSO via SAML and OIDC. SCIM provisioning on Scale and above.
- RBAC with role-scoped permissions: owner, controller, PM, foreman, AP, AR, viewer.
- Per-job permissioning so subcontractors and admin staff see what they need to.
- Two-factor authentication required for any user with payment-initiation permissions.
Payment compliance
- NACHA-compliant ACH origination with full return-code handling.
- PCI DSS Level 4 attestation (we don't store card data — tokenized via our processor).
- OFAC screening on payment recipients.
- BSA / AML controls on customer onboarding above transaction thresholds.
Auditability
- Every administrative action — config change, user access change, payment initiation, lien filing — recorded with actor, timestamp, before/after diff.
- Document version history with immutable per-version hashes.
- Hash-chained audit log on Scale and Enterprise — tamper-evident, exportable for legal / compliance.
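As an added illustration of the tamper-evident property described above (this is not Billitron's code; the entry fields, the genesis anchor and the sample entries are constructed assumptions), each entry commits to the hash of its predecessor, so a verifier can pinpoint the first entry that was altered or removed:

```python
import hashlib, json, copy

GENESIS = "0" * 64  # constructed anchor for the first entry of the chain

def canonical(fields: dict) -> bytes:
    # Deterministic serialization so every verifier hashes identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(prev_hash: str, fields: dict) -> str:
    # Each entry hash covers the previous hash plus its own fields, so editing
    # or deleting any earlier entry changes every hash that follows it.
    return hashlib.sha256(prev_hash.encode() + canonical(fields)).hexdigest()

def append(log: list, actor: str, ts: str, action: str, before, after) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    fields = {"actor": actor, "ts": ts, "action": action,
              "before": before, "after": after, "prev": prev}
    entry = dict(fields, hash=entry_hash(prev, fields))
    log.append(entry)
    return entry

def verify(log: list):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(log):
        fields = {k: v for k, v in e.items() if k != "hash"}
        if fields["prev"] != prev or entry_hash(prev, fields) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None

def build_sample_log() -> list:
    # Constructed sample entries (hypothetical actors and ids), not real data.
    log = []
    append(log, "owner@example.com", "2025-01-06T09:00:00Z", "role.change",
           {"user": "pm@example.com", "role": "viewer"},
           {"user": "pm@example.com", "role": "pm"})
    append(log, "controller@example.com", "2025-01-06T09:05:00Z", "payment.initiate",
           None, {"payapp": "PA-1042", "amount_cents": 1250000})
    append(log, "controller@example.com", "2025-01-06T09:06:00Z", "payment.approve",
           {"payapp": "PA-1042", "state": "pending"}, {"payapp": "PA-1042", "state": "approved"})
    return log

def tampered_copy(log: list) -> list:
    # A silent edit of an earlier entry's amount, with every stored hash left as-is.
    bad = copy.deepcopy(log)
    bad[1]["after"]["amount_cents"] = 125000
    return bad
```

Exporting the log together with its hashes lets an auditor re-run `verify` independently; anchoring the latest hash somewhere outside the application (a signed timestamp or an external store) also rules out a rewrite of the whole chain.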
Build & supply chain
- Reproducible builds. SBOM published per release.
- Container images signed with Cosign.
- Pinned dependencies, automated CVE scans, automated OSS license auditing.
- SOC 2 Type II audit in progress, target 2026 H2.
Hosting
- Billitron Cloud: US (Virginia + Oregon) regions on tier-1 providers.
- Self-hosted: not supported — payment rails require shared infrastructure for compliance and speed.
Responsible disclosure
Found a security issue? Email security@billitron.com. We respond within one business day, triage within three, and credit researchers in the changelog (with permission).
Our security.txt has the latest contacts and PGP key.
Get started
Stop chasing payments. Start collecting them.
Free under $50k annual invoiced. No credit card. Set up your first quote and pay-app in under an hour.