Data Protection
How Bila protects your data and maintains privacy
Data Protection
At Bila, protecting your data and your customers’ data is a fundamental priority. This guide explains our data protection measures, privacy practices, and how we help you maintain compliance with global regulations.
Data Protection Framework
Bila Data Protection Framework
Our comprehensive data protection framework includes:
- Data Classification: Categorizing data based on sensitivity
- Access Controls: Strict permissions for data access
- Encryption: Protecting data in transit and at rest
- Data Minimization: Collecting only necessary information
- Retention Policies: Defining how long data is stored
- Secure Deletion: Properly removing data when no longer needed
Data Encryption
Encryption at Rest
All sensitive data stored in our systems is encrypted using industry-standard encryption:
- Database Encryption: AES-256 encryption for all database content
- File Storage Encryption: Encrypted file systems for document storage
- Backup Encryption: All backups are encrypted before storage
Encryption in Transit
Data transmitted between systems is protected with:
- TLS 1.2+: All API connections require TLS 1.2 or higher
- HTTPS Only: We enforce HTTPS for all web connections
- Secure Internal Communications: Encrypted communication between internal services
Bila will never support insecure connections. All API requests must use HTTPS.
Data Minimization
We follow data minimization principles to reduce risk:
- Collect Only What’s Needed: We only collect data necessary for providing our services
- Limited Retention: We don’t store data longer than necessary
- Tokenization: We use tokenization to minimize exposure of sensitive data
- Redaction: We redact sensitive information in logs and displays
PCI DSS Compliance
For payment card data, we maintain PCI DSS Level 1 compliance:
Tokenization
Card details are tokenized immediately upon receipt
Tokenization Process
Limited Storage
We never store full card numbers or CVV codes
Secure Processing
All card processing occurs in PCI-compliant environments
Regular Audits
Our systems undergo regular PCI compliance audits
Access Controls
We implement strict access controls to protect your data:
Employee Access
- Least Privilege Principle: Employees only have access to data necessary for their role
- Role-Based Access Control: Permissions are assigned based on job function
- Multi-Factor Authentication: Required for all employee access
- Access Logging: All data access is logged and monitored
- Regular Reviews: Access permissions are regularly reviewed and updated
Customer Data Access
- Account Isolation: Your data is logically isolated from other customers
- API Authentication: Strong authentication for all API access
- Team Access Controls: Granular permissions for your team members
Team Access Controls
Data Retention and Deletion
Retention Policies
We maintain clear data retention policies:
| Data Type | Retention Period | Justification |
|---|---|---|
| Transaction Records | 7 years | Regulatory requirements |
| Customer Information | Duration of relationship + 2 years | Business relationship |
| Authentication Logs | 1 year | Security monitoring |
| API Logs | 90 days | Troubleshooting |
| Session Data | 24 hours after session end | User experience |
Secure Deletion
When data reaches the end of its retention period:
- Data is marked for deletion
- Secure deletion processes remove data from active systems
- Backup retention policies ensure data is removed from backups
- Confirmation of deletion is logged
Privacy Compliance
Global Privacy Regulations
Bila helps you comply with global privacy regulations:
GDPR
European Union General Data Protection Regulation
CCPA/CPRA
California Consumer Privacy Act/California Privacy Rights Act
LGPD
Brazil’s Lei Geral de Proteção de Dados
POPIA
South Africa’s Protection of Personal Information Act
Data Subject Rights
We support data subject rights requests:
- Access: Providing copies of personal data
- Rectification: Correcting inaccurate data
- Deletion: Removing personal data when requested
- Portability: Providing data in a portable format
- Restriction: Limiting processing of personal data
Contact our support team to initiate data subject rights requests for your customers.
Data Processing Agreements
For businesses that require formal data processing agreements:
Standard DPA
Our standard Data Processing Agreement is available in the Bila Console
Download DPA
Custom Agreements
Enterprise customers can request custom data processing terms
Subprocessors
We maintain a current list of subprocessors on our website
Updates
We notify customers of material changes to our data processing terms
Data Breach Response
In the unlikely event of a data breach:
- Rapid Response: Our security team immediately investigates and contains the breach
- Impact Assessment: We determine what data was affected
- Notification: We notify affected customers within legally required timeframes
- Remediation: We take steps to prevent similar breaches in the future
- Transparency: We provide detailed information about the breach and our response
International Data Transfers
For international data transfers:
- We maintain compliance with cross-border data transfer requirements
- We implement appropriate safeguards for international transfers
- We offer data residency options for customers with specific requirements
Best Practices for Customers
To enhance data protection in your integration:
- Minimize Data Collection: Only collect the data you need from your customers
- Use Tokenization: Leverage Bila’s tokenization for sensitive data
- Implement Access Controls: Restrict access to Bila dashboard and API keys
- Monitor Activity: Regularly review logs for unusual activity
- Maintain Privacy Notices: Ensure your privacy notices cover Bila integration