How we protect your data
BillerAPI handles sensitive financial data. We are transparent about what we implement today and where we are headed.
What we implement today
Credential vaulting
Biller credentials are encrypted with per-customer keys managed by AWS KMS. Credentials are decrypted only at the moment of biller portal access in isolated worker processes and deleted when connections are revoked.
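The pattern described above is envelope encryption: each credential is encrypted under its own data key, that data key is wrapped by a per-customer master key held in KMS, and the plaintext credential exists only inside the worker at the moment of use. The following Go program is an added illustration of that pattern, not BillerAPI's code; it assumes an in-memory `localKMS` standing in for AWS KMS (the real service would hold the master keys and answer GenerateDataKey/Decrypt calls), binds the customer ID as AEAD associated data in the role of a KMS encryption context, and uses constructed sample values (`cust-A`, `cred-1`, `portal-password`). It shows the three properties the section claims: decryption only on demand, no cross-customer access, and unrecoverability after revocation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// localKMS stands in for AWS KMS (assumption for this demo): it holds one
// 32-byte master key per customer and never hands the master key out.
type localKMS struct{ masterKeys map[string][]byte }

func newLocalKMS() *localKMS { return &localKMS{masterKeys: map[string][]byte{}} }

// randomBytes returns n cryptographically random bytes.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts plaintext with AES-256-GCM under key, binding aad; the nonce is prepended.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; it fails if the key, the ciphertext or the aad differ.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh plaintext data key plus the
// same key wrapped under the customer's master key, with the customer ID as AAD.
func (k *localKMS) GenerateDataKey(customerID string) (plain, wrapped []byte, err error) {
	mk, ok := k.masterKeys[customerID]
	if !ok {
		mk = randomBytes(32)
		k.masterKeys[customerID] = mk
	}
	plain = randomBytes(32)
	wrapped, err = seal(mk, plain, []byte(customerID))
	return plain, wrapped, err
}

// UnwrapDataKey mirrors KMS Decrypt on a wrapped data key.
func (k *localKMS) UnwrapDataKey(customerID string, wrapped []byte) ([]byte, error) {
	mk, ok := k.masterKeys[customerID]
	if !ok {
		return nil, errors.New("unknown customer")
	}
	return open(mk, wrapped, []byte(customerID))
}

// vaultRecord is all the database ever holds: no plaintext key, no plaintext credential.
type vaultRecord struct {
	customerID string
	wrappedKey []byte
	ciphertext []byte
}

// Vault stores biller credentials as envelope-encrypted records keyed by credential ID.
type Vault struct {
	kms     *localKMS
	records map[string]vaultRecord
}

func NewVault(kms *localKMS) *Vault { return &Vault{kms: kms, records: map[string]vaultRecord{}} }

// Store encrypts the credential under a per-record data key and keeps only the wrapped key.
func (v *Vault) Store(customerID, credentialID, secret string) error {
	plainKey, wrappedKey, err := v.kms.GenerateDataKey(customerID)
	if err != nil {
		return err
	}
	ct, err := seal(plainKey, []byte(secret), []byte(credentialID))
	if err != nil {
		return err
	}
	v.records[credentialID] = vaultRecord{customerID, wrappedKey, ct}
	return nil // plainKey goes out of scope here; nothing persists it
}

// Open decrypts a credential only at the moment of use and only for its owning customer.
func (v *Vault) Open(customerID, credentialID string) (string, error) {
	rec, ok := v.records[credentialID]
	if !ok || rec.customerID != customerID {
		return "", errors.New("credential not found")
	}
	dataKey, err := v.kms.UnwrapDataKey(customerID, rec.wrappedKey)
	if err != nil {
		return "", err
	}
	pt, err := open(dataKey, rec.ciphertext, []byte(credentialID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Revoke deletes the record; without the wrapped key the credential cannot be recovered.
func (v *Vault) Revoke(customerID, credentialID string) bool {
	rec, ok := v.records[credentialID]
	if !ok || rec.customerID != customerID {
		return false
	}
	delete(v.records, credentialID)
	return true
}

func main() {
	v := NewVault(newLocalKMS())
	_ = v.Store("cust-A", "cred-1", "portal-password") // constructed sample values
	s, err := v.Open("cust-A", "cred-1")
	fmt.Println("owner:", s, err)
	_, err = v.Open("cust-B", "cred-1")
	fmt.Println("cross-customer:", err)
	v.Revoke("cust-A", "cred-1")
	_, err = v.Open("cust-A", "cred-1")
	fmt.Println("after revoke:", err)
}
```

The associated data on both layers matters: the customer ID on the wrapped key means a record copied into another customer's account cannot be unwrapped even if the master keys were somehow shared, and the credential ID on the inner ciphertext stops a ciphertext from being swapped between records.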
Encryption everywhere
AES-256 encryption at rest via AWS DynamoDB managed encryption. TLS for all API and webhook communications in transit. Application secrets stored in AWS Systems Manager Parameter Store (SSM).
Authentication and access control
AWS Cognito user pools issue JWTs that are carried in HTTP-only cookies. API key authentication with scoped permissions. Role-based access controls and separate IAM roles per microservice.
Infrastructure isolation
AWS cloud infrastructure with VPC isolation and security groups. ECS Fargate containers with no shared hosts. No public database access. Automated health checks and restart policies.
Monitoring and logging
CloudWatch alarms on API error rates, latency, and availability. Structured logging across all services. Automated alerting for anomalous patterns.
Application security
Input validation on all API boundaries (schema validation). CORS and CSP headers on web applications. HTTP-only, secure, SameSite cookies for session management. Automated dependency vulnerability scanning.
Security roadmap
We are an early-stage company building toward formal certifications. We do not currently hold SOC 2, PCI DSS, ISO 27001, or HIPAA certifications.
| Initiative | Status | Target |
|---|---|---|
| SOC 2 Type II audit | Planned | Post-funding |
| Penetration testing | Planned | Pre-production launch |
| Bug bounty program | Planned | Post-launch |
| GLBA compliance assessment | Evaluating | TBD |
Report a vulnerability
If you discover a security issue, please report it to security@billerapi.com. We will acknowledge reports within 48 hours and provide a timeline for resolution.