Security

Last updated: 4 May 2026

We take security seriously and try not to oversell what we do. Here's what's actually in place — and what we don't (yet) claim.

Authentication

  • Passwords are hashed with bcrypt. The plaintext is never stored or logged.
  • Sessions use a signed JWT that carries an expiry (currently 7 days); once it lapses you sign in again. The token lives in your browser's localStorage and is sent as a Bearer token on every API request. Because it sits in localStorage rather than an HttpOnly cookie, any JavaScript running on the page can read it, so keeping the app free of cross-site scripting matters as much as the signature does.
  • Rate limits protect login and registration endpoints to slow down brute-force attempts.
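A worked example of the session-token and rate-limit mechanics described above. This is an added illustration, not Billby's own code: the page says only that the JWT is signed and expires after 7 days, so the example assumes HS256 (HMAC-SHA256) signing with a server-side secret, a placeholder `SECRET` value, and a sliding-window limit of five login attempts per minute. Password hashing is left out because bcrypt is not in Python's standard library; everything below runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Assumptions for the example (not stated on the page): HS256 with a server
# secret, and a fixed 7-day lifetime matching what the page describes.
SECRET = b"replace-with-a-long-random-server-secret"   # placeholder, hypothetical
SESSION_TTL = 7 * 24 * 3600                             # 7 days, in seconds


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_session(user_id: str, now: Optional[float] = None) -> str:
    """Issue a signed JWT for user_id with iat/exp claims."""
    issued = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": issued, "exp": issued + SESSION_TTL}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_session(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None."""
    now = now if now is not None else time.time()
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Pin the algorithm server-side; never let the token choose it (alg=none).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        claims = json.loads(_b64url_decode(c64))
        # Expiry is mandatory: a token without exp, or past it, is rejected.
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def bearer_from_header(authorization: Optional[str]) -> Optional[str]:
    """Pull the token out of an 'Authorization: Bearer <jwt>' header value."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


class LoginRateLimiter:
    """Sliding window: at most `limit` attempts per `window` seconds per key
    (the key would typically be the client IP or the submitted username)."""

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = now if now is not None else time.time()
        q = self._hits[key]
        while q and q[0] <= now - self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    tok = mint_session("user-123")
    print(verify_session(bearer_from_header("Bearer " + tok)))
    rl = LoginRateLimiter(limit=3)
    print([rl.allow("203.0.113.9") for _ in range(4)])
```

The two checks that matter most are the ones that are easy to skip: pinning the algorithm before verifying the signature, and treating a missing `exp` the same as an expired one.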

Transport

All traffic is served over HTTPS. TLS certificates are issued by Let's Encrypt and renewed automatically by cert-manager.

Data isolation

Every API endpoint is scoped to the authenticated user: a record is only read or changed if it belongs to you. Your clients, projects, time entries, and invoices are invisible to other users — there's no cross-account data sharing.
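An added illustration of the per-user scoping pattern this section describes. It is not Billby's code: the schema and sample rows are constructed for the example, using SQLite from the standard library. It shows the scoped query beside the unscoped lookup it replaces, so the difference is concrete: with the owner check inside the query itself, a request for someone else's invoice id returns nothing, the same as a non-existent id, and a write against someone else's client inserts nothing.

```python
import sqlite3
from typing import List, Optional

# Constructed schema for the example; the real tables are not public.
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE clients  (id INTEGER PRIMARY KEY,
                       user_id INTEGER NOT NULL REFERENCES users(id),
                       name TEXT NOT NULL);
CREATE TABLE invoices (id INTEGER PRIMARY KEY,
                       user_id INTEGER NOT NULL REFERENCES users(id),
                       client_id INTEGER NOT NULL REFERENCES clients(id),
                       total_cents INTEGER NOT NULL);
"""


def open_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed data: two users, one client and one invoice each."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice@example.com"), (2, "bob@example.com")])
    db.executemany("INSERT INTO clients VALUES (?, ?, ?)",
                   [(10, 1, "Acme"), (20, 2, "Globex")])
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)",
                   [(100, 1, 10, 50000), (200, 2, 20, 12500)])
    return db


def get_invoice_unscoped(db: sqlite3.Connection, invoice_id: int) -> Optional[sqlite3.Row]:
    """The anti-pattern: looks up by id alone, so any signed-in user can read any invoice
    just by guessing ids. Shown only for contrast."""
    return db.execute("SELECT * FROM invoices WHERE id = ?", (invoice_id,)).fetchone()


def get_invoice(db: sqlite3.Connection, current_user_id: int,
                invoice_id: int) -> Optional[sqlite3.Row]:
    """Scoped lookup: the ownership predicate is part of the query, not a later
    branch a caller can forget. A foreign id and a missing id look identical."""
    return db.execute(
        "SELECT * FROM invoices WHERE id = ? AND user_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


def list_invoices(db: sqlite3.Connection, current_user_id: int) -> List[sqlite3.Row]:
    """List endpoints are scoped the same way: only the caller's rows are returned."""
    return db.execute(
        "SELECT * FROM invoices WHERE user_id = ? ORDER BY id", (current_user_id,)
    ).fetchall()


def create_invoice(db: sqlite3.Connection, current_user_id: int,
                   client_id: int, total_cents: int) -> Optional[int]:
    """Scoped write: the INSERT selects from clients filtered by owner, so a client id
    that belongs to another user inserts zero rows. Returns the new id or None."""
    cur = db.execute(
        "INSERT INTO invoices (user_id, client_id, total_cents) "
        "SELECT user_id, id, ? FROM clients WHERE id = ? AND user_id = ?",
        (total_cents, client_id, current_user_id),
    )
    return cur.lastrowid if cur.rowcount == 1 else None


if __name__ == "__main__":
    db = open_demo_db()
    print("alice reads own invoice:", dict(get_invoice(db, 1, 100)))
    print("bob reads alice's invoice:", get_invoice(db, 2, 100))
    print("unscoped lookup leaks it:", dict(get_invoice_unscoped(db, 100)))
    print("bob bills alice's client:", create_invoice(db, 2, 10, 100))
```

Putting the `user_id = ?` predicate in the SQL (rather than fetching the row and checking ownership afterwards) means the scope cannot be bypassed by a code path that forgets the check, and it keeps the response for a foreign id indistinguishable from a missing one.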

Hosting

Billby runs on a small Kubernetes cluster we operate. Database and disk backups are managed by us; if you have a specific compliance question, get in touch and we'll answer honestly.

What we don't claim

  • No SOC 2, ISO 27001, or HIPAA certifications
  • No formal SLA or uptime guarantee while in beta
  • No bug bounty program (yet)

Reporting a vulnerability

If you find a security issue, please contact us before disclosing it publicly. We'll acknowledge within a few business days and work with you to fix it.