BBillRaja
Security

Your business data is protected at every layer.

BillRaja handles invoices, payments, attendance, team access, and financial records. Security is built into every layer — authentication, data storage, team permissions, and payment processing.

Authentication & Account Security

  • Sign in with Google or phone number (OTP) via Firebase Authentication.
  • Single active session enforcement — signing in on a new device revokes the previous session.
  • Firebase App Check validates that requests come from the genuine BillRaja app.
  • Account deletion is available in-app or via email request.

Data Storage & Encryption

  • All data stored on Google Cloud Firestore with automatic encryption at rest.
  • All data transmitted over encrypted HTTPS/TLS connections.
  • Business logos and files stored on Firebase Storage with access-controlled URLs.
  • Offline cache (100 MB) on mobile devices syncs automatically when connected.
  • Firebase Crashlytics for crash detection — no business data included in crash reports.

Firestore Security Rules

  • Every database read/write is protected by server-side Firestore security rules.
  • Users can only access their own data — enforced by account ownership checks.
  • Invoice financial fields are validated server-side: grandTotal must equal taxableAmount + totalTax.
  • Invoice updates restricted to status changes only — no retroactive data modification.
  • Team members access workspace data through validated team membership.

Team Access & Permissions

  • Three-role system: Owner, Manager, Staff — each with different access levels.
  • Owners control who joins the team and what each member can do.
  • Per-member permission overrides for granular control.
  • Team data is isolated by workspace — members only see their team's data.
  • Role changes and member removals take effect in real time.

Payment & Billing Security

  • All subscription payments processed by Razorpay — PCI DSS compliant.
  • BillRaja never stores credit/debit card numbers or banking credentials.
  • Payment verification and subscription state changes are processed server-side via Cloud Functions.
  • Razorpay webhook events are validated before updating subscription status.
  • Razorpay API keys are stored in Firebase Remote Config, not in client code.

Attendance & Location Data

  • GPS location is collected only during active check-in/check-out — never in the background.
  • Location data is stored alongside attendance records and visible only to team owners/managers.
  • Geo-fence distance calculations are performed locally on the device.
  • Location permission is requested only when the attendance feature is first used.

Responsible Disclosure

If you believe you've found a security vulnerability in BillRaja, please email contact@billraja.com with reproduction steps, impact assessment, and any supporting screenshots or request logs. We review all reports and respond as quickly as possible.

If your business needs a vendor-security assessment or due-diligence review, contact us at the same address and we will provide relevant documentation.