Security

Security practices designed for real business workflows

BillRaja handles invoices, customer data, team access, attendance records, and payment-related workflows. Security is built into storage, authentication, and permission checks so business data stays controlled as your operations grow.

Authentication & account controls

  • Google Sign-In and phone authentication are handled through Firebase Authentication.
  • Single-session enforcement helps reduce the risk of account sharing and unexpected concurrent access.
  • App Check helps validate that requests originate from genuine BillRaja clients.
  • Owners stay in control of business workspaces, team invitations, and role access.

Data storage & access protection

  • Business records are stored on Google Firebase infrastructure with encryption in transit and at rest.
  • Firestore security rules restrict access so users can only read and write data they are allowed to manage.
  • Invoice shape and financial invariants are validated to reduce tampering risk in billing records.
  • Offline data sync keeps the app usable in low-connectivity environments while reconnecting safely later.

Payments & subscription security

  • Subscription payments are processed through Razorpay rather than stored directly by BillRaja.
  • Server-side verification is used before payment-related subscription status changes are applied.
  • BillRaja does not store card numbers, UPI PINs, or raw payment credentials.
  • Billing and plan state changes are handled through backend workflows instead of client-only checks.
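
As an illustration of the server-side verification described in this list, here is an added example (not BillRaja's own code) of checking a Razorpay webhook signature before accepting a subscription state change. The handler name, the secret, and the sample payload are constructed for the example.

```javascript
const crypto = require("crypto");

// Razorpay signs each webhook with HMAC-SHA256 over the raw request body and
// sends the hex digest in the X-Razorpay-Signature header.
function verifyWebhookSignature(rawBody, signatureHex, secret) {
  // Reject anything that is not exactly 64 hex chars before comparing.
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false;
  }
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, "hex");
  // Constant-time comparison; both buffers are 32 bytes here.
  return crypto.timingSafeEqual(expected, received);
}

// Hypothetical handler: returns the state change to apply, or a rejection.
// It parses the body only after the signature over the raw bytes checks out.
function handleSubscriptionWebhook(rawBody, signatureHex, secret) {
  if (!verifyWebhookSignature(rawBody, signatureHex, secret)) {
    return { accepted: false, reason: "bad-signature" };
  }
  const event = JSON.parse(rawBody);
  if (event.event !== "subscription.charged") {
    return { accepted: false, reason: "ignored-event" };
  }
  const sub = event.payload.subscription.entity;
  return { accepted: true, subscriptionId: sub.id, newStatus: sub.status };
}

// Constructed sample data (not real Razorpay output or a real secret).
const SAMPLE_SECRET = "constructed-webhook-secret";
const SAMPLE_BODY = JSON.stringify({
  event: "subscription.charged",
  payload: { subscription: { entity: { id: "sub_CONSTRUCTED01", status: "active" } } },
});
const SAMPLE_SIG = crypto.createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");
// Same signature replayed over a body whose subscription id was altered.
const TAMPERED_BODY = SAMPLE_BODY.replace("sub_CONSTRUCTED01", "sub_CONSTRUCTED99");

console.log(handleSubscriptionWebhook(SAMPLE_BODY, SAMPLE_SIG, SAMPLE_SECRET));
console.log(handleSubscriptionWebhook(TAMPERED_BODY, SAMPLE_SIG, SAMPLE_SECRET));
```

The signature must be computed over the exact bytes received, so a real endpoint needs access to the unparsed request body rather than a re-serialized JSON object.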

Team, attendance & location data

  • Attendance locations are collected only when users actively perform check-in or check-out flows.
  • Location data is intended for geo-attendance verification and business operations, not background tracking.
  • Team roles and member permissions help separate owner, manager, and staff access.
  • Workspace data is isolated so teams only see the records available to their business context.

Responsible disclosure

If you believe you have found a security issue in BillRaja, email contact@billraja.com with reproduction details, expected impact, and any supporting screenshots or logs. We review reports as quickly as possible.

Please avoid accessing data that does not belong to you, disrupting live services, or attempting destructive tests. The fastest way to help is a clear report with minimal-impact reproduction steps.