Data security

Data Protection and Data Security

At Billit, we have two important responsibilities that are sometimes confused. One is to protect your data from being accessed by others (data protection); the other is to ensure that you can rely on your data remaining available (data security/reliability).

It is important to understand that these two sometimes conflict. For example, we could easily solve data protection by deleting all the data we have. This is an extreme example, but we face many similar, though less obvious, choices. We will ALWAYS prioritize data security/reliability because losing your accounting data is so serious.

How We Handle Data Security/Reliability

The technical approach varies depending on which data we are discussing. For the majority of our data, we maintain three layers of backups: a 90-day point-in-time restore, a long-term backup that covers an entire accounting cycle, and a 30-day backup that we send to another server.

Certain data, such as images and files, is stored differently and uses a different backup solution. This data is protected by our ability to restore it within a certain period after deletion. There is also a long-term backup in place.

All data and backups are replicated across multiple servers and data centers.

Another important aspect is that only certain personnel have access to administer these services, and no single login has access to all backups. We also use multi-factor authentication and monitoring for these logins.

How We Handle Data Protection

All data we store is encrypted both in transit and at rest. Billit uses 2048-bit RSA SSL encryption to secure your data. We have also configured the system so that, as a user, you must connect over SSL to access Billit.

Our internal security processes include several measures designed to protect your data:

As few people as possible have access to databases, and these individuals receive special instructions on how to secure their accounts.

We protect our accounts with multi-factor authentication in addition to username and password.

All new code must be reviewed before it can be deployed to production.

We train our employees internally to understand the importance of data security and integrity, and what they are permitted to do.

We specifically train our developers to know when a DPIA (Data Protection Impact Assessment) needs to be conducted.

We work continuously to ensure that both Billit and our subprocessors comply with GDPR.