Compliance and trust

Our customers trust us to help them protect their most valuable assets by using our secure e-invoice platform. Billit and Peppol are built on trust. That trust must be earned through transparency, security, privacy, compliance, and more. We start with the belief that no organization is 100% secure. Then we do everything we can to make your organization and ours as secure as possible.


Our business is security

It's built on trust. Here's how we earn it.







We are committed to ensuring the privacy of your data. We’re further committed to preventing unauthorized access to that data. Our Privacy Policy details what data is collected from our customers, how we use it, and how it is stored.



Our customers trust us with critical data contained within their finances and related to their business efforts. We work hard to ensure every bit of data is safe and protected.

  • All commits go through mandatory code and security review, along with examination by static analysis.
  • Our architecture implements safe-by-default principles to consolidate user input, authorization, and business logic.
  • All data access and mutation goes through a framework utilizing strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.
  • We utilize a strict Content Security Policy and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).
  • We encrypt all network communications with SSL/TLS accompanied by HTTP Strict Transport Security (HSTS), including being HSTS preloaded in most major browsers.
  • All requests pass through multiple rate-limiting methods to protect against brute-force attacks.
  • We don't store passwords; we store hashes.
  • Two-factor authentication is available to further restrict access to accounts.
  • Role-based access control allows for granular permissions for team members.


We provide our users with a service, and they look to us to ensure we have adequate internal controls over our systems and their data.

We’ve engaged respected third-party firms to audit our infrastructure and security practices, resulting in an ISO 27001 certification.


ISO 27001 provides requirements for an information security management system within the context of an organization.

Our certification can be viewed here.

Peppol Compliance Policy can be viewed here.



How we improve our own security

We believe in transparency when it comes to our platform uptime, incidents, and service level agreements, details of which are available on our status page.

We go for 99.99% uptime.



Important information should be kept accessible and reusable for years to come, regardless of the system used to store it.

  1. a specific .XML structure of the e-archive should be provided. In particular, the e-archive should be divided into “information packages” that are “containers of one or more objects to be stored (e.g. e-invoice), or just the related metadata”; Billit stores all invoices as UBL + PDF.
  2. also specific metadata related to the documents stored (e.g. e-invoices) should be e-archived; Billit stores all metadata.
  3. a search function has to be implemented in order to allow downloading of the information from the e-archive (based at least on the company name, VAT number, fiscal code, date or other information); Billit provides state-of-the-art search capabilities.
  4. the server in which the invoices are e-archived can be located abroad, but only in a country with which Italy has an agreement of mutual assistance (i.e. as a general rule, in the EU). In case of storage in the EU, a notification should be provided by the Italian tax authorities. However, even if the e-archiving is located abroad, Italian technical and tax rules related to e-archiving should be met; Billit runs on EU-based, ISO 9001, ISO 27001 and NEN 7510 certified servers.
  5. a full on-line access has to be guaranteed from the legal seat of the Company and all the data stored must be made available without undue delay to the Italian Tax Authorities whenever they request them; Regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights. Where possible and appropriate.
  6. the documents have to be printable and portable to another computer device without undue delay; Billit empowers its users to download their documents (PDF) at any given moment.
  7. the e-archiving process should be completed within three months from the deadline of the relevant return by affixing a time stamp token on the e-archiving package; We don't explicitly archive, the data stays available in the platform for the user.
  8. an e-archiving manual that describes the procedures, software, and roles for e-archiving should be kept; We don't explicitly archive, the data stays available in the platform for the user.
  9. the e-invoices should be stored in a server located in Italy or in the EU; Billit runs on EU-based, ISO 9001, ISO 27001 and NEN 7510 certified servers.