Billit takes security very seriously—Clients trust us with their data. We use a combination of enterprise-class security features and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected, which means every customer can rest easy.
We are committed to ensuring the privacy of your data. We’re further committed to preventing unauthorized access to that data. Our Privacy & Cookie Policy and Data Processing Agreement details what data is collected from our customers, how we use it, and how it is stored.
At Billit, we prioritize the protection of your personal data. We are committed to ensuring compliance with the General Data Protection Regulation (GDPR). The GDPR is a set of regulations designed to safeguard the privacy and control of personal information of individuals within the European Union.
We understand the importance of your privacy and have implemented measures to comply with GDPR requirements. These measures include transparent data collection practices, secure data storage, and ensuring appropriate consent mechanisms for processing personal data.
By adhering to GDPR guidelines, we strive to uphold the highest standards of data protection and privacy. Your trust is important to us, and we want you to feel confident that your personal data is handled with care and in accordance with applicable laws and regulations.
If you have any questions or concerns regarding our GDPR compliance or the handling of your personal information, please do not hesitate to contact our dpo at dpo@billit.eu. We value your privacy and are dedicated to maintaining a secure and compliant environment.
Our privacy policy outlines how we collect, use, and protect the personal information of our users or customers. It covers details such as the types of information we collect, how it is stored, who has access to it, and how it is used or shared.
Our privacy policy is important as it establishes transparency and trust between us and our users. It helps individuals understand how their personal data will be handled and ensures compliance with relevant privacy laws and regulations.
To learn more about our privacy policy and how we handle your personal information you can read the privacy policy here.
Our cookie policy explains how we use cookies and similar technologies on our website. Cookies are small text files stored on your device when you visit our site, and they help improve your browsing experience and provide personalized services.
Our cookie policy provides detailed information about the types of cookies we use, their purpose, and how we utilize the collected data. It also informs you about your rights and options to manage and control your cookie preferences.
You can find our comprehensive cookie policy here.
A data processing agreement is a legal contract that defines the terms and conditions under which a data processor handles personal data on behalf of a data controller. It establishes the responsibilities, obligations, and rights of both parties regarding the processing of personal information.
This agreement is crucial in ensuring that personal data is processed in compliance with applicable data protection laws and regulations. It helps to clarify the roles and responsibilities of the data controller and data processor, while also protecting the rights and privacy of the individuals whose data is being processed.
By having a data processing agreement in place, both parties can maintain transparency, accountability, and legal compliance throughout the data processing activities.
You can find our default DPA here.
Our customers trust us with critical data contained within their finances and related to their business efforts. We work hard to ensure every bit of data is safe and protected.
We provide our users with a service, and they look to us to ensure we have adequate internal controls over our systems and their data. Therefore we engage ourselves to stay compliant by gaining important certifications.
Our ISO / IEC 27001 : 2022 certificate was issued by DQS and insures you as a customer that we have successfully implemented and maintain an Information Security Management System. More information on the standard can be found here or on the ISO website.
Billit is certified as an official Peppol Access Point by OpenPeppol AISBL and is one of the biggest Access Points internationally. More information on Peppol Regulations can be found here.
Billit is also recognised by several local Peppol authorities and communities all over the world, including Belgium, Luxemburg, The Netherlands, Australia, New Zealand and Signapore.
Agoria: Billit is a member of the organization Agoria , which unites more than 2000 Belgian technology companies from various sectors.
Beltug: Billit is a member of Beltug, the Belgian association of CIOs and leaders in digital technology.
Business Expert Group (BEG): This organization brings together parties such as Billit to find practical solutions around e-invoicing and make arrangements regarding legal obligations. The BEG, in collaboration with governments and the IT sector, works on building broad support for the introduction of electronic invoicing in Belgium.
CEN/TC 434: This technical committee is part of the European Committee for Standardization (CEN) and develops standards in electronic invoicing, including the European standard EN 1631-1. TC 434 also develops related documents according to the European Directive 2014/55/EU. Billit participates in this committee.
CEN/TC 440: TC 440 focuses on developing standards for e-procurement. It supports information flows and electronic processes in the financial and physical supply chain from start to finish. Billit is also a member of this technical committee.
DBNA: The Digital Business Networks Alliance is an open network to exchange B2B documents securely and efficiently in the US. With support from various sectors and members like Billit, DBNA allows American companies to share documents such as e-invoices.
FNFE-MPE: Billit is a member of the French service providers group FNFE-MPE. This organization unites everyone involved with electronic invoicing and procurement to discuss ideas and outline policies.
GENA: As an international trade association, GENA represents a broad and diverse community of service providers from various sectors such as financial services, technology, and network services. Billit is a member of the GENA organization.
OpenPeppol: The OpenPeppol group brings together members from the public and private sectors to develop, maintain, and implement Peppol requirements. Billit participates democratically and transparently in various working groups or pilot projects such as critical infrastructure, ‘Enhanced B2B’, the VIDA pilot project, or International Peppol invoicing.
UBL.be: Billit is a member of UBL.be. UBL.BE is a Belgian non-profit organization. Their goal is to support customers and users in implementing e-invoicing. The focus is on using and processing e-invoices in a secure and compatible manner, specifically supporting the use of Peppol.
UBLReady: Billit is also recognized by the Dutch Peppol Authority and is authorized to carry the UBL Ready certification after successfully completing the UBL chain test.
We believe in transparency when it comes to our platform uptime, incidents, and service level agreements, details of which are available on our status page.
We go for 99.99% uptime.
Billit is certified as compliant with ISO/IEC ISO27001:2022, the premier global information security management system (ISMS) standard.
Billit uses a zero-trust security model. This means that no user or connection is trusted by default. Access is revalidated with every action through strong identity verification, up-to-date devices, restricted permissions, and continuous monitoring. This approach ensures that data is only accessible to authorized and validated entities.
Yes. Billit undergoes yearly internal and external audits to verify compliance, security controls and operational integrity. Billit does not share these audit reports.
Yes. Independent security firms perform penetration tests on Billit’s platform and infrastructure at least once a year. Findings are reviewed, risk-rated and remediated following the Billit security governance process. Billit does not share these audit reports.
Yes. You may perform your own tests on our dedicated test environment, provided you obtain our explicit written consent before starting any activity. Any activity on the test or production environment without consent will be treated as hostile and appropriate actions will be taken.
Billit provides multiple layers of protection for the information you entrust to Billit, including encryption when it's transferred and stored.
Multi-factor authentication (MFA) is designed to prevent anyone but you from accessing your Billit account, even if they know your password. Billit is implementing MFA as the standard method of authentication.
Security controls protect access to and within the Billit environment, including firewalls, intrusion protection systems and network segregation.
Billit uses TransIP & Amazon Web Services (AWS) as its primary hosting provider. Our production environment is hosted in highly secure TransIP & AWS data centers located within the European Union (Netherlands and Ireland). For specific supporting services, limited processing may occur in other AWS regions, always under strict GDPR-compliant safeguards.
Billit has no plans to store customer data outside the EU. GDPR does not require EU data to remain inside the EU, but it does require appropriate safeguards for any international transfer. When limited processing outside the EU is necessary, Billit applies the legally required protections.
A full and up-to-date list of Billit’s sub processors is available on our website. Each sub processor is contractually bound by GDPR-compliant safeguards and security obligations.
If personal data is processed outside the European Economic Area, Billit ensures it remains protected by EU-level safeguards. We rely on officially approved mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs). All sub processors are assessed, onboarded and monitored under strict GDPR, ISO 27001 and DORA policies.
Protecting customer data is central to Billit’s operations. Our security framework includes:
DORA-aligned operational resilience controls
Encrypted data storage and transmission
Strict access management with MFA
Continuous monitoring and incident response
ID & Legal Mandate verification
Billit also operates under regulatory supervision of the National Bank of Belgium for its payment and PSD2-related activities.
Yes. The Billit Data Processing Addendum (DPA) automatically applies as part of the Terms of Use for any customer subject to GDPR. No separate agreement is required.
Billit can only be accessed through modern, fully up-to-date systems & browsers. This requirement ensures security, data protection and full platform functionality for all international customers. If a browser is outdated or unsupported, access may be blocked to safeguard your data and maintain compliance standards.
We do not disclose details about our technical architecture. This policy protects the security and integrity of our platform and aligns with our obligations under ISO 27001, DORA and national supervisory requirements. We only share high-level security assurances and certificates when contractually required. If you need specific evidence for a risk assessment, we can provide it through controlled channels under NDA.
Yes. All staff must accept the acceptable use policy, the confidentiality terms and data breach escalation procedure before they can access Billit systems or data. This is enforced during onboarding and validated through our compliance controls.
Billit stores and retains data in line with legal, regulatory and contractual requirements. Data is hosted in secure, certified environments with encryption active at all times. Retention periods are strictly defined, and data is deleted or anonymised once the relevant period expires. Access is limited to authorised roles only, and all processing follows ISO 27001 and DORA standards. If specific retention terms are needed, we can provide them under NDA.
Billit enforces an inactivity timeout of 15 minutes and a full session timeout of 24 hours to reduce unauthorized access risks.
