Security and Compliance Certifications

Learn how we keep your data safe and secure

As a cloud service provider for its products and services, Billtrust stores and manages our client data in compliance with applicable laws and regulations to help you meet your obligations. Our enterprise cloud services are independently validated through third-party audits, continual self-assessment and legal oversight.

SSAE 18 SOC 1 and SOC 2

Since Billtrust is a cloud service provider (CSP) that clients utilize to outsource its products and services, we conduct annually a SSAE 18 SOC 1 Type 2 and SOC 2 Type 2 audit.  Our audits are performed by an accredited, independent third party.

A SOC 1 audit evaluates the effectiveness of a CSP’s internal controls that affect the financial reports of a customer using the provider’s cloud services. The Statement on Standards for Attestation Engagements (SSAE 18) is the standard under which the audit is performed, and is the basis of the SOC 1 report.

A SOC 2 audit gauges the effectiveness of a CSP’s system, based on the AICPA Trust Service Criteria. An Attestation Engagement under Attestation Standards (AT) Section 101 is the basis of SOC 2 report.  At a minimum, Billtrust includes Security, Confidentiality, and Availability in the SOC 2 audit.

Billtrust ISO 27001:2022

ISO 27001:2022 is an international standard for managing information security. It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability. The standard outlines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Billtrust's achievement of ISO 27001:2022 certification demonstrates our organization’s global commitment to managing information security effectively, which can enhance trust with customers and partners for all Billtrust products and services across the US and EU.

Our Commitment

Billtrust is an organization with strong values, including responsibility and integrity. Our Code of Conduct contains general guidelines for conducting business with the highest standards of ethics.

Billtrust is committed to an environment where open, honest communications are the expectation, not the exception. We want you to feel comfortable in approaching your manager or Human Resources in instances where you believe violations of policies or standards have occurred.

In situations where you feel uncomfortable or prefer to place an anonymous report in confidence, you are encouraged to use this hotline, hosted by a third-party hotline provider, EthicsPoint. You are encouraged to submit reports relating to violations stated in our Code of Conduct, as well as to ask for guidance and provide positive suggestions.

The information you provide will be sent to us by EthicsPoint on a confidential and anonymous basis if you should choose. You have our guarantee that your comments will be heard.

See the EthicsPoint FAQs for more information.

To Make a Report

You may use either of the following two methods to submit a report:

Click here to "Make a Report"
OR
• Dial toll-free, within the United States, Guam, Puerto Rico and Canada: 844-629-2890

After you complete your report you will be assigned a unique code called a "report key." Write down your report key and password and keep them in a safe place. After 5-6 business days, use your report key and password to check your report for feedback or questions.

PCI Compliance

Visa Global Registry of Service Providers badge

The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the five major credit card brands—Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.

Billtrust completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). The assessment culminates with an Attestation of Compliance (AoC) and Report on Compliance (RoC) issued by the QSA. The effective period for compliance is prospective and begins upon passing the audit and receiving the AoC from the assessor, and ends one year from the date the AoC is signed. Billtrust is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1.

Clients who utilize Billtrust’s PCI complaint products and services significantly reduce the scope, cost and effort of their own PCI compliance assessments.

Billtrust is listed as a compliant service provider on VISA approved service provider lists.

HIPAA Privacy

HIPAA Compliant logo

The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors’ offices, hospitals, health insurers, and other healthcare companies—with access to patients’ protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf. (Most covered entities do not carry out functions such as claims or data processing on their own; they rely on business associates to do so.)

Billtrust is a business associate for some of our clients, who are the covered entities.

HIPAA regulations require that covered entities and their business associates—in this case, Billtrust when it provides services to covered entities—enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or Business Associate Agreements (BAA), clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act. Currently there is no official certification for HIPAA or HITECH Act compliance, however; Billtrust undergoes an annual risk assessment.

NACHA Compliance

NACHA logo

NACHA is the trustee of the ACH Network, managing the development, administration and rules for the payment network that universally connects financial institutions in the U.S. The Network, which moves money and information directly from one bank account to another, supports more than 90 percent of the total value of all electronic payments in the U.S. NACHA facilitates the expansion and diversification of electronic payments, supporting Direct Deposit and Direct Payment via ACH transactions, including ACH credit and debit payments; recurring and one-time payments; government, consumer and business transactions; international payments; and payments plus payment-related information. The NACHA Operating Rules & Guidelines is an annual publication produced by NACHA — The Electronic Payments Association.

Billtrust processes ACH payments on behalf of our clients both as a Third Party Service Provider as well as a Third Party Sender Billtrust performs an annual, independent, external audit of our ACH Operations as required by the ACH Operating Rules

Pandemic Readiness, Business Continuity and Disaster Recovery

Billtrust performs an annual Business Continuity and Disaster Recovery risk assessment. Our plans are based on NFPA1600 Standard for Disaster/Emergency Management and Business Continuity/Continuity of Operations (2022 edition).

Billtrust also maintains a pandemic plan which is tested annually and was successfully implemented due to the COVID-19 pandemic.  Over 90% of Billtrust’s workforce successfully fulfilled our business functions and roles while working remotely. Billtrust continues to employ this as a continued business strategy.

Anti-Money Laundering

Billtrust maintains a documented Anti-Money Laundering (AML) program designed to meet its contractual obligations with its sponsor banks. The purpose of our AML program is to establish the general framework for the fight against money laundering, terrorism, corruption and other financial crimes; to prevent money laundering and terrorist financing and to train specific personnel on legal and internal procedures. AML may also be called Know Your Customer (KYC), Customer Due Diligence (CDD) or Customer Identification Program (CIP).

Data Privacy Framework

Data Privacy Framework Program Logo

Billtrust complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have also certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”).

To learn more about the DPF, and to view our certification, please visit Data Privacy Framework.