A list of internationally recognized Peppol/e-invoicing, security and compliance certifications and licenses:
| Description | |
|---|---|
| Certified Global Peppol Access Point | Publication Peppol.org |
| Europe: Certified Peppol Access Point | Publication European Commission |
| Belgium: Certified Peppol Access Point | Publication BOSA Belgium |
| France: Approved Plateforme Agréé | Publication PA |
| Malaysia: Certified Peppol Access Point | |
| The Netherlands: Certified Peppol Access Point | Publication service providers |
| USA: DBNA Certified Member | DBNA member list |
| ISO/IEC 27001:2022 certificate | Download ISMS22 certificate |
| GLEIF Legal Entity Identifier (LEI) certificate | Download LEI certificate |
| Licensed payment institution in EU (regulated under PSD2 - National Bank of Belgium) | View list from NBB |
A non-exhaustive list of controls:
Below is a shortlist of international partnerships. See many more on our partner page.
| Description | |
|---|---|
| Stripe Certified Service Provider | Stripe Partner Directory |
| KBC/CBC | Partnership with KBC Touch & KBC Mobile |
| ING | Billit and ING Invoice manager |
Agoria: Billit is a member of the organization Agoria, which unites more than 2000 Belgian technology companies from various sectors.
Beltug: Billit is a member of Beltug, the Belgian association of CIOs and leaders in digital technology.
Business Expert Group (BEG): This organization brings together parties such as Billit to find practical solutions around e-invoicing and make arrangements regarding legal obligations. The BEG, in collaboration with governments and the IT sector, works on building broad support for the introduction of electronic invoicing in Belgium.
CEN/TC 434: This technical committee is part of the European Committee for Standardization (CEN) and develops standards in electronic invoicing, including the European standard EN 1631-1. TC 434 also develops related documents according to the European Directive 2014/55/EU. Billit participates in this committee.
CEN/TC 440: TC 440 focuses on developing standards for e-procurement. It supports information flows and electronic processes in the financial and physical supply chain from start to finish. Billit is also a member of this technical committee.
DBNA: The Digital Business Networks Alliance is an open network to exchange B2B documents securely and efficiently in the US. With support from various sectors and members like Billit, DBNA allows American companies to share documents such as e-invoices.
FNFE-MPE: Billit is a member of the French service providers group FNFE-MPE. This organization unites everyone involved with electronic invoicing and procurement to discuss ideas and outline policies.
GENA: As an international trade association, GENA represents a broad and diverse community of service providers from various sectors such as financial services, technology, and network services. Billit is a member of the GENA organization.
OpenPeppol: The OpenPeppol group brings together members from the public and private sectors to develop, maintain, and implement Peppol requirements. Billit participates democratically and transparently in various working groups or pilot projects such as critical infrastructure, ‘Enhanced B2B’, the VIDA pilot project, or International Peppol invoicing.
UBL.be: Billit is a member of UBL.be, a Belgian non-profit organization. Its goal is to support customers and users in implementing e-invoicing. The focus is on using and processing e-invoices in a secure and compatible manner, specifically supporting the use of Peppol.
UBLReady: Billit is also recognized by the Dutch Peppol Authority and is authorized to carry the UBL Ready certification after successfully completing the UBL chain test.
Billit is certified as compliant with ISO/IEC 27001:2022, the premier global information security management system (ISMS) standard.
Billit uses a zero-trust security model. This means that no user or connection is trusted by default. Access is revalidated with every action through strong identity verification, up-to-date devices, restricted permissions, and continuous monitoring. This approach ensures that data is only accessible to authorized and validated entities.
Yes. Billit undergoes yearly internal and external audits to verify compliance, security controls and operational integrity. Billit does not share these audit reports.
Yes. Independent security firms perform penetration tests on Billit’s platform and infrastructure at least once a year. Findings are reviewed, risk-rated and remediated following the Billit security governance process. Billit does not share these audit reports.
Yes. You may perform your own tests on our dedicated test environment, provided you obtain our explicit written consent before starting any activity. Any activity on the test or production environment without consent will be treated as hostile and appropriate actions will be taken.
Billit provides multiple layers of protection for the information you entrust to Billit, including encryption when it's transferred and stored.
Multi-factor authentication (MFA) is designed to prevent anyone but you from accessing your Billit account, even if they know your password. Billit is implementing MFA as the standard method of authentication.
Security controls protect access to and within the Billit environment, including firewalls, intrusion protection systems and network segregation.
Billit uses TransIP & Amazon Web Services (AWS) as its primary hosting providers. Our production environment is hosted in highly secure TransIP & AWS data centers located within the European Union (Netherlands and Ireland). For specific supporting services, limited processing may occur in other AWS regions, always under strict GDPR-compliant safeguards.
Billit has no plans to store customer data outside the EU. GDPR does not require EU data to remain inside the EU, but it does require appropriate safeguards for any international transfer. When limited processing outside the EU is necessary, Billit applies the legally required protections.
A full and up-to-date list of Billit’s sub-processors is available on our website. Each sub-processor is contractually bound by GDPR-compliant safeguards and security obligations.
If personal data is processed outside the European Economic Area, Billit ensures it remains protected by EU-level safeguards. We rely on officially approved mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs). All sub-processors are assessed, onboarded and monitored under strict GDPR, ISO 27001 and DORA policies.
Protecting customer data is central to Billit’s operations. Our security framework includes:
DORA-aligned operational resilience controls
Encrypted data storage and transmission
Strict access management with MFA
Continuous monitoring and incident response
ID & Legal Mandate verification
Billit also operates under regulatory supervision of the National Bank of Belgium for its payment and PSD2-related activities.
Yes. The Billit Data Processing Addendum (DPA) automatically applies as part of the Terms of Use for any customer subject to GDPR. No separate agreement is required.
Billit can only be accessed through modern, fully up-to-date systems & browsers. This requirement ensures security, data protection and full platform functionality for all international customers. If a browser is outdated or unsupported, access may be blocked to safeguard your data and maintain compliance standards.
We do not disclose details about our technical architecture. This policy protects the security and integrity of our platform and aligns with our obligations under ISO 27001, DORA and national supervisory requirements. We only share high-level security assurances and certificates when contractually required. If you need specific evidence for a risk assessment, we can provide it through controlled channels under NDA.
Yes. All staff must accept the acceptable use policy, the confidentiality terms and data breach escalation procedure before they can access Billit systems or data. This is enforced during onboarding and validated through our compliance controls.
Billit stores and retains data in line with legal, regulatory and contractual requirements. Data is hosted in secure, certified environments with encryption active at all times. Retention periods are strictly defined, and data is deleted or anonymised once the relevant period expires. Access is limited to authorised roles only, and all processing follows ISO 27001 and DORA standards. If specific retention terms are needed, we can provide them under NDA.
Billit enforces an inactivity timeout of 15 minutes and a full session timeout of 24 hours to reduce unauthorized access risks.