Security and Compliance Certifications
Learn how we keep your data safe and secure
SSAE 18 SOC 1 and SOC 2
Because Billtrust is a cloud service provider (CSP) whose products and services clients use on an outsourced basis, we undergo an SSAE 18 SOC 1 Type 2 and SOC 2 Type 2 audit annually. Our audits are performed by an accredited, independent third party.
A SOC 1 audit evaluates the effectiveness of a CSP’s internal controls that affect the financial reports of a customer using the provider’s cloud services. The Statement on Standards for Attestation Engagements (SSAE 18) is the standard under which the audit is performed, and is the basis of the SOC 1 report.
A SOC 2 audit gauges the effectiveness of a CSP’s system controls against the AICPA Trust Services Criteria. An Attestation Engagement under Attestation Standards (AT) Section 101 is the basis of the SOC 2 report. At a minimum, Billtrust includes the Security, Confidentiality, and Availability criteria in its SOC 2 audit.
Billtrust is an organization with strong values, including responsibility and integrity. Our Code of Conduct contains general guidelines for conducting business with the highest standards of ethics.
Billtrust is committed to an environment where open, honest communications are the expectation, not the exception. We want you to feel comfortable in approaching your manager or Human Resources in instances where you believe violations of policies or standards have occurred.
In situations where you feel uncomfortable or prefer to place an anonymous report in confidence, you are encouraged to use this hotline, hosted by a third-party hotline provider, EthicsPoint. You are encouraged to submit reports relating to violations stated in our Code of Conduct, as well as to ask for guidance and provide positive suggestions.
The information you provide will be sent to us by EthicsPoint on a confidential and anonymous basis if you should choose. You have our guarantee that your comments will be heard.
See the EthicsPoint FAQs for more information.
To Make a Report
You may use either of the following two methods to submit a report:
• Click here to "Make a Report"
• Dial toll-free, within the United States, Guam, Puerto Rico and Canada: 844-629-2890
After you complete your report you will be assigned a unique code called a "report key." Write down your report key and password and keep them in a safe place. After 5-6 business days, use your report key and password to check your report for feedback or questions.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations of all sizes must follow PCI DSS if they accept payment cards from the five major credit card brands—Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.
Billtrust completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). The assessment culminates with an Attestation of Compliance (AoC) and Report on Compliance (RoC) issued by the QSA. The effective period for compliance is prospective and begins upon passing the audit and receiving the AoC from the assessor, and ends one year from the date the AoC is signed. Billtrust is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1.
Clients who use Billtrust’s PCI compliant products and services significantly reduce the scope, cost and effort of their own PCI compliance assessments.
Billtrust is listed as a compliant service provider on Visa’s approved service provider lists.
The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors’ offices, hospitals, health insurers, and other healthcare companies—with access to patients’ protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf. (Most covered entities do not carry out functions such as claims or data processing on their own; they rely on business associates to do so.)
Billtrust is a business associate for some of our clients, who are the covered entities.
HIPAA regulations require that covered entities and their business associates—in this case, Billtrust when it provides services to covered entities—enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or Business Associate Agreements (BAAs), clarify and limit how the business associate may handle PHI, and set forth each party’s adherence to the security and privacy provisions of HIPAA and the HITECH Act. There is currently no official certification for HIPAA or HITECH Act compliance; Billtrust does, however, undergo an annual risk assessment.
NACHA is the trustee of the ACH Network, managing the development, administration and rules for the payment network that universally connects financial institutions in the U.S. The Network, which moves money and information directly from one bank account to another, supports more than 90 percent of the total value of all electronic payments in the U.S. NACHA facilitates the expansion and diversification of electronic payments, supporting Direct Deposit and Direct Payment via ACH transactions, including ACH credit and debit payments; recurring and one-time payments; government, consumer and business transactions; international payments; and payments plus payment-related information. The NACHA Operating Rules & Guidelines is an annual publication produced by NACHA — The Electronic Payments Association.
Billtrust processes ACH payments on behalf of our clients both as a Third Party Service Provider and as a Third Party Sender. Billtrust performs an annual, independent, external audit of our ACH operations as required by the ACH Operating Rules.
Pandemic Readiness, Business Continuity and Disaster Recovery
Billtrust performs an annual Business Continuity and Disaster Recovery risk assessment. Our plans are based on the NFPA 1600 Standard for Disaster/Emergency Management and Business Continuity/Continuity of Operations (2022 edition).
Billtrust also maintains a pandemic plan, which is tested annually and was successfully invoked during the COVID-19 pandemic. Over 90% of Billtrust’s workforce fulfilled their business functions and roles while working remotely. Billtrust continues to employ remote work as an ongoing business strategy.
Data Privacy Framework
Billtrust complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have also certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”).
To learn more about the DPF, and to view our certification, please visit https://www.dataprivacyframework.gov/.