Security
Protecting and securing data at TA Developer Pty Ltd is our top priority.
Infrastructure
System Architecture
BillBjorn runs on Google Cloud Platform (GCP) in the us-central1 region. Customer-facing APIs, background processors, and scheduled tasks are deployed to Google Cloud Run, Cloud Functions (Gen 2), and App Engine services that communicate through private service-to-service networking. Secrets (for example payment and OAuth credentials) are fetched at runtime from Google Secret Manager and never stored with the application code. Access keys and service accounts are rotated and scoped following the principle of least privilege.
Failover and Disaster Recovery
Google Cloud automatically distributes managed services such as Cloud Run, Firestore, and Cloud Storage across multiple availability zones within the region. Persistent data is stored on Firestore in Native mode with multi-zone replication, and we employ asynchronous backups to separate Cloud Storage buckets. Critical batch workloads are containerised so they can be redeployed rapidly in an alternate region if the primary region experiences a prolonged outage.
Data Centers
BillBjorn is hosted in Google data centers that hold ISO 27001, SOC 1/SOC 2, PCI DSS, and FedRAMP certifications, among others. Additional details are documented at the Google Cloud Security and Compliance Center. Limited supporting services run on Amazon Web Services (SES and S3 for transactional email) and Elastic Cloud (App Search). Those providers are also audited to comparable standards.
Vulnerability Scans & Penetration Testing
We use automated dependency and container scanning in our CI/CD pipelines to flag vulnerable packages. Runtime services are monitored with Google Cloud Security Command Center and custom alerting. We partner with external security specialists for regular penetration testing and follow-up remediation.
Firewall
Ingress traffic terminates at Google Cloud Load Balancers with Web Application Firewall policies. Administrative endpoints are restricted to authenticated service accounts and are not exposed publicly.
Corporate Network
TA Developer Pty Ltd runs a zero-trust corporate network. Being on TA Developer Pty Ltd’s corporate network provides no corporate resources or additional privileges.
Data
Data Storage
Customer metadata, accounting artefacts, and audit trails are stored in Google Firestore. Uploaded documents and generated exports reside in Google Cloud Storage. Inbound purchase documents received by email are briefly staged in an isolated Amazon S3 bucket managed by AWS SES before being transferred to Cloud Storage. Search indexes are hosted on Elastic Cloud App Search. Production and non-production environments are logically separated, with access granted on a need-to-know basis via IAM roles.
International Transfers
All personal data processed by BillBjorn ultimately resides in the United States on Google Cloud Platform. To protect EU/UK data subject rights we implement the 2021 Standard Contractual Clauses together with the UK International Data Transfer Addendum for every non-EEA/UK provider we rely on (Google, FastSpring, Elastic Cloud, and the limited Amazon Web Services components). The commitments are documented in Annex 2 of our DPA and flow down to every approved subprocessor.
Backups
Automated Firestore exports and Cloud Storage versioning provide point-in-time recovery. Backup artefacts are encrypted, stored in separate GCP projects, and kept for a minimum of 30 days before rotation. Deleted data is removed from active systems immediately and from backups during the normal retention cycle.
Logs
Application, access, and audit logs are centralised in Google Cloud Logging with retention controls and tamper detection alerts. Sensitive values (passwords, OAuth tokens, payment credentials) are masked before being written. Logs for regulated workflows are retained for at least 90 days, or longer when legally required.
Authentication
Passwords
User authentication is handled by Firebase Authentication. Passwords are stored only as salted, computationally expensive hashes. Sessions are invalidated when critical account identifiers change and are subject to idle timeouts.
Multi-Factor Authentication
BillBjorn supports federated sign-in with Google, Intuit, Xero, and FreshBooks. These identity providers offer built-in multi-factor authentication, which customers can enforce through their respective platforms. Administrators can require staff to authenticate via those SSO providers to benefit from MFA.
Monitoring
Authentication attempts are rate limited and monitored through our dedicated rate-limit service and Google Cloud audit logs. Suspicious sign-in patterns trigger alerts for investigation.
User Roles
We provide multiple user roles with different permission levels within the product. Roles range from account owners to admins, users, and roles that limit visibility of Personally Identifiable Information (PII).
Encryption
HTTPS
All BillBjorn traffic is served over HTTPS with TLS 1.2 or higher. We enforce HSTS, secure cookies, and modern cipher suites for public websites, APIs, and internal service-to-service communication.
Encryption at Rest
Google manages disk-level encryption for Firestore, Cloud Storage, and Compute workloads. Additional application-layer encryption is applied to sensitive payloads before persistence. Backup archives and search indexes are encrypted with AES-256 or stronger algorithms.
Policies
Security Policies
TA Developer Pty Ltd has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with employees.
Incident Response
TA Developer Pty Ltd has a defined protocol for responding to security events.
Security Training
All employees complete security training when they join and receive refresher training on a continuing basis.
Confidentiality
All employees have signed a confidentiality agreement with TA Developer Pty Ltd.
PCI Compliance
TA Developer Pty Ltd does not process or store payment card information directly. All payments are handled by FastSpring, a PCI DSS Level 1 compliant payment processor. Their security documentation is available at the FastSpring Trust Center.
Disclosure
If you have any concerns or discover a security issue, please contact us directly. Our Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution. We request that you do not publicly disclose any issue you discovered until after we have addressed it.