Security
Your business data is protected at every layer.
BillRaja handles invoices, payments, attendance, team access, and financial records. Security is built into every layer — authentication, data storage, team permissions, and payment processing.
Authentication & Account Security
- Sign in with Google or phone number (OTP) via Firebase Authentication.
- Single active session enforcement — signing in on a new device revokes the previous session.
- Firebase App Check validates that requests come from the genuine BillRaja app.
- Account deletion is available in-app or via email request.
Data Storage & Encryption
- All data is stored on Google Cloud Firestore with automatic encryption at rest.
- All data is transmitted over encrypted HTTPS/TLS connections.
- Business logos and files are stored on Firebase Storage with access-controlled URLs.
- Offline cache (100 MB) on mobile devices syncs automatically when connected.
- Firebase Crashlytics is used for crash detection — no business data is included in crash reports.
Firestore Security Rules
- Every database read/write is protected by server-side Firestore security rules.
- Users can only access their own data — enforced by account ownership checks.
- Invoice financial fields are validated server-side: grandTotal must equal taxableAmount + totalTax.
- Invoice updates are restricted to status changes only — no retroactive data modification.
- Team members access workspace data through validated team membership.
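As an added illustration (not BillRaja's actual rules), this is how the ownership check, the total validation, and the status-only update restriction above can be written in Firestore Security Rules. The document path, the `status` field name and its allowed values, and the use of integer minor units for amounts are assumptions; `grandTotal`, `taxableAmount` and `totalTax` are the field names given above. Team-membership access is left out to keep the example to the owner path.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: each account keeps its invoices under its own uid.
    match /users/{uid}/invoices/{invoiceId} {

      // Account ownership check: the caller must be signed in and must be
      // the account named in the document path.
      function isOwner() {
        return request.auth != null && request.auth.uid == uid;
      }

      // Server-side validation of the financial fields.
      // Assumption: amounts are integers in minor units (for example paise),
      // so the equality below is exact. With floating-point amounts an exact
      // comparison can reject legitimate invoices because of rounding.
      function totalsConsistent(d) {
        return d.grandTotal is int
          && d.taxableAmount is int
          && d.totalTax is int
          && d.taxableAmount >= 0
          && d.totalTax >= 0
          && d.grandTotal == d.taxableAmount + d.totalTax;
      }

      allow read: if isOwner();

      // A new invoice is accepted only if its totals add up.
      allow create: if isOwner()
        && totalsConsistent(request.resource.data);

      // An update may touch the status field and nothing else.
      // diff().affectedKeys() lists every key that was added, removed or
      // changed, so a write that also edits an amount is denied.
      // The status values are assumed for the example.
      allow update: if isOwner()
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['status'])
        && request.resource.data.status in ['draft', 'sent', 'paid', 'cancelled'];

      // No delete rule is written here: Firestore denies any operation
      // that no rule allows.
    }
  }
}
```

Rules like these are evaluated by Firestore on every client read and write, so a modified client cannot skip them; they do not apply to server code that uses the Admin SDK.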
Team Access & Permissions
- Three-role system: Owner, Manager, Staff — each with different access levels.
- Owners control who joins the team and what each member can do.
- Per-member permission overrides for granular control.
- Team data is isolated by workspace — members only see their team's data.
- Role changes and member removals take effect in real time.
Payment & Billing Security
- Android subscription payments are processed through Google Play Billing.
- BillRaja never stores credit/debit card numbers or banking credentials.
- Payment verification and subscription state changes are processed server-side via Cloud Functions.
- Google Play purchase tokens are verified server-side before updating subscription status.
- No payment gateway keys are embedded in the client app.
Attendance & Location Data
- GPS location is collected only during active check-in/check-out — never in the background.
- Location data is stored alongside attendance records and visible only to team owners/managers.
- Geo-fence distance calculations are performed locally on the device.
- Location permission is requested only when the attendance feature is first used.
AI Data Security
- Business data sent to Google's Gemini AI is transmitted over encrypted HTTPS/TLS connections.
- AI queries are processed in real time — no permanent storage of query/response pairs by BillRaja beyond time-limited caching.
- Cached AI insights are stored in Firestore with automatic expiry to limit data retention.
- AI features operate under Google's Firebase AI terms and data processing agreements.
- No raw business data is exposed in AI responses beyond what the authenticated user already has access to.
Customer Bill Viewing Security
- End-customers verify identity via one-time password (OTP) sent to their registered phone number.
- OTP codes are time-limited and single-use — expired or used codes cannot be reused.
- Customer sessions are strictly read-only — no ability to modify, delete, or create any data.
- Rate limiting prevents brute-force OTP attempts and abuse.
- End-customers see only invoices associated with their phone number — no access to other business data.
- No BillRaja account is created for end-customers.
Responsible Disclosure
If you believe you've found a security vulnerability in BillRaja, please email contact@billraja.com with reproduction steps, impact assessment, and any supporting screenshots or request logs. We review all reports and respond as quickly as possible.
If your business needs a vendor-security assessment or due-diligence review, contact us at the same address and we will provide relevant documentation.