Trust Centre
Security, compliance and ethical AI commitments from BillSource AI and our infrastructure partners. We believe trust is earned through transparency.
Ethical & Responsible AI Commitment
Our commitment: Billi is built on the principle that AI should augment human decision-making, not replace it. We adhere to responsible AI practices across every layer of our platform — from the models we use to how we handle your data.
Transparency
Billi always discloses when you are interacting with AI. Responses are clearly attributed and we never impersonate human advisors.
Data Privacy
Your conversations are never used to train AI models. Your billing data and documents remain your intellectual property at all times.
Human Oversight
Billi is an advisory tool. All financial, legal and collection decisions remain with qualified human professionals.
Bias Mitigation
Our knowledge base is curated from authoritative South African legislation, industry standards and established best practices rather than from unvetted internet sources.
Accuracy First
When Billi is uncertain, it says so. We actively discourage over-reliance on AI for regulated financial and legal advice.
Regulatory Alignment
Our AI practices align with the principles of the EU AI Act, South Africa's POPIA and the consumer protection requirements of the National Credit Regulator (NCR).
Billi AI — The Six Associate Team
Billi operates as six distinct specialist roles. Each role draws from a curated South African knowledge base. All responses are clearly attributed to the relevant associate.
Bean Counter (CFO) — Financial health, cash flow analysis, ratio interpretation, debtor management, dunning strategy and EBPP. Knowledge base: SA financial standards, IFRS for SMEs, NCR credit guidelines.
The Rule Book (CGO) — Regulatory guidance covering POPIA, PAIA, NCA, NCR, CIPC obligations, B-BBEE requirements, King IV governance, labour relations and sector-specific compliance. Always frames guidance as regulatory context — never legal advice.
Brand Guru (CMO) — Brand positioning, marketing strategy, social media, content planning, customer acquisition and SA market context including ASA/ASASA advertising standards.
Deal Maker (CSO) — Sales pipeline management, proposal writing, pricing strategy, objection handling, client retention and CRM guidance.
The Fixer (COO) — Operations, supply chain, vendor management, SOP design, business continuity planning and workflow automation advice.
The IT Guy — 1st line support (password resets, device issues, connectivity, printers, email), 2nd line support (cloud account setup, VPN, Active Directory, MDM, licences, backups) and 3rd line AI-assisted guidance (Claude prompting for coding, architecture, DevOps, design systems and technology selection). SA market-aware — recommends local retailers and load-shedding resilient solutions. Available across all plans; 2nd line unlocks on Professional+, 3rd line on Enterprise.
Infrastructure Security Certifications
BillSource AI is hosted on Railway, a certified enterprise-grade cloud infrastructure platform. The following certifications apply to the hosting environment, i.e. Railway's infrastructure layer; AnyABEX (Pty) Ltd's own application-level controls are described under Change Management & Operational Controls below.
✓ Certified
SOC 2 Type II
Railway · Audited by independent CPA
Validates controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy) as operated over a sustained audit period. A Type II report covers the operating effectiveness of controls over time, whereas a Type I report only describes control design at a single point in time.
View Railway Trust Centre ↗
✓ Certified
SOC 3
Railway · Public attestation report
Public-facing summary of SOC 2 Type II controls — independently verified security posture available without NDA.
✓ Compliant
HIPAA
Railway · Healthcare data compliance
Railway attests to HIPAA-appropriate technical safeguards including encryption at rest, TLS in transit, SSO and automatic DDoS protection. There is no official HIPAA certification body, so this is a self-attestation of the hosting layer; any workload that handles protected health information would additionally require a Business Associate Agreement with each party processing that data.
✓ Compliant
GDPR
Railway · EU Data Protection
Data Processing Agreement available. Full subprocessor list published for transparency. EU-US Data Privacy Framework certified.
🕐 In Progress
ISO 27001
Railway · International ISMS standard
Railway has publicly committed to ISO 27001 certification as their next compliance milestone following SOC 2 Type II completion.
✓ Compliant
POPIA
AnyABEX (Pty) Ltd · South Africa
BillSource AI processes personal information in compliance with the Protection of Personal Information Act, 2013 (Act 4 of 2013) of South Africa.
Technology & Service Providers
✓ Enterprise Grade
Anthropic Claude API
Claude Haiku 4.5 · claude-haiku-4-5
Billi is powered by Anthropic's Claude, built with Constitutional AI principles. Under its commercial terms Anthropic does not train its models on data submitted through the API. Your conversations are private.
Anthropic Privacy Policy ↗
✓ Open Source
Flowise AI Orchestration
Flowise · Apache 2.0 License
Our AI agent orchestration layer uses Flowise, an open-source framework whose source code can be audited in full, with no vendor lock-in. Open source makes the orchestration code itself reviewable; the security of a deployment still depends on how its flows, credentials and API keys are configured.
Flowise Platform ↗
✓ PCI DSS Compliant
Paystack Payments
Paystack · A Stripe Company
All subscription and merchandise payments are processed by Paystack, which is PCI DSS Level 1 certified. BillSource AI never stores card numbers or other sensitive payment data. Paystack is licensed by the Central Bank of Nigeria (CBN) and regulated in South Africa.
Paystack Compliance ↗
✓ SOC 2 Compliant
Resend Email Infrastructure
Resend · DKIM & SPF verified
Transactional emails (order confirmations, plan upgrades) are sent via Resend, a SOC 2 compliant email platform. Emails are sent from the verified domain address billi@billsource.ai with DKIM and SPF authentication. SPF authorises the sending servers and DKIM signs the message; for receivers to reject mail that fails both checks for the billsource.ai From address, the domain must also publish an enforcing DMARC policy.
Resend Security ↗
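The practical check a security reviewer runs against the email setup described above is to read the domain's published SPF and DMARC records and ask whether an unlisted sender could still get mail delivered as billsource.ai. The following is an added example, not code from BillSource AI, Resend or this page; it evaluates record strings offline, so every record in it is a constructed sample rather than real DNS data, and the include host `example-mailer.net` is a placeholder for whatever host the mail provider actually publishes.

```python
"""Offline check of SPF and DMARC policy records for spoofing resistance.

Added example, not BillSource AI's or Resend's code. All records below are
constructed for illustration; they are not billsource.ai's real DNS data,
and the include host 'example-mailer.net' is a placeholder for whatever
host the mail provider publishes.
"""
from typing import Dict, List, Optional

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF TXT record into its terms and summarise the policy."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes: List[str] = []
    lookups = 0
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanisms are written 'name:value', modifiers 'name=value'
        sep = "=" if "=" in term.split(":", 1)[0] else ":"
        name, _, value = term.partition(sep)
        name = name.lower()
        if name in _LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(value.lower())
        elif name == "all":
            all_qualifier = qualifier
    return {"includes": includes, "lookups": lookups, "all": all_qualifier}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse the 'tag=value' pairs of a DMARC TXT record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def spoofing_findings(spf_record: str, dmarc_record: Optional[str],
                      expected_include: str) -> List[str]:
    """Return the weaknesses that would let a third party spoof the domain.

    An empty list means SPF hard-fails unlisted senders, the expected mail
    provider is authorised, and DMARC rejects mail that fails alignment.
    """
    findings: List[str] = []
    spf = parse_spf(spf_record)
    if expected_include.lower() not in spf["includes"]:
        findings.append(f"SPF does not authorise {expected_include}")
    if spf["all"] is None:
        findings.append("SPF has no 'all' term, so unlisted senders get a neutral result")
    elif spf["all"] == "+":
        findings.append("SPF ends in +all, so every host passes")
    elif spf["all"] in ("~", "?"):
        findings.append(f"SPF ends in {spf['all']}all, which receivers rarely treat as a hard failure")
    if spf["lookups"] > 10:
        findings.append(f"SPF needs {spf['lookups']} DNS lookups; over 10 evaluates to permerror")
    if dmarc_record is None:
        findings.append("no DMARC record, so SPF/DKIM results are not tied to the From header")
    else:
        dmarc = parse_dmarc(dmarc_record)
        policy = dmarc.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC p={policy} does not reject failing mail")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC pct below 100 applies the policy to only a sample of mail")
    return findings


# Constructed sample records (not real DNS data for billsource.ai).
SPF_MONITORING = "v=spf1 include:example-mailer.net ~all"
DMARC_MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SPF_ENFORCING = "v=spf1 include:example-mailer.net -all"
DMARC_ENFORCING = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("monitoring", SPF_MONITORING, DMARC_MONITORING),
                              ("enforcing", SPF_ENFORCING, DMARC_ENFORCING)):
        print(label, spoofing_findings(spf, dmarc, "example-mailer.net") or ["no findings"])
```

The monitoring pair (softfail SPF plus `p=none`) is the common half-finished state: mail from an unauthorised host is flagged but still delivered. Only the enforcing pair produces no findings. To run this against a live domain, fetch the `TXT` records for the domain and for `_dmarc.<domain>` with a resolver and pass the strings in unchanged.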
Change Management & Operational Controls
ISO-aligned practices: AnyABEX (Pty) Ltd follows ISO 27001-aligned change management practices. We are not yet ISO 27001 certified but actively work toward this standard.
Version Control via GitHub — All application code, configuration changes and documentation are managed through GitHub with full commit history, pull request reviews and audit trails. Every change to billsource.ai is traceable to a specific commit, author and timestamp.
Automated Deployment Pipeline — Changes to production are deployed via Railway's automated CI/CD pipeline triggered only from approved GitHub commits. No direct server access for deployments.
Knowledge Base Version Control — The documents that make up Billi's knowledge base (retrieval sources, not model training data) are version-controlled, and changes to the knowledge base follow a review process before being embedded into the vector store.
Data Persistence — User accounts and session data are held in process memory during the current phase, so they do not survive a service restart; PostgreSQL database persistence is being introduced progressively. No financial documents or chat content are retained beyond your active session unless you have explicitly requested report storage.
Environment Separation — Development and production environments are strictly separated. No untested changes reach production.
Incident Response — Security incidents are logged, triaged and resolved with documented root cause analysis. Contact security@billsource.ai to report a vulnerability.
Security Contact
Report a security concern
+27 12 661 0385
We aim to respond to all security disclosures within 48 hours and to resolve critical issues within 7 days.