Q37
Do you have a current SOC 2 Type II report?
SOC 2 Type II: claimed_with_trust_page
Bill.com Vendor Risk Assessment — Full Report
Before you share customer data with Bill.com, your compliance team needs documented proof they can be trusted. ThirdProof investigated Bill.com across 27 intelligence sources — here's what we found.
⚠ FedRAMP Status: Not found in the FedRAMP Marketplace. Vendors handling government data or CUI must be FedRAMP authorized.
Risk Tier
Tier 4 — Low RiskSOC 2
⚠ Vendor AttestedFedRAMP
— Not AuthorizedLast Assessed
Apr 17, 2026🟢IP Reputation: Abuse score: 0%, 0 reports🟡SSL/TLS: TLSv1.2🟢Domain Age: 31.5 years🟢Infrastructure: 1 open port, 0 CVEs
- FedRAMP Status
- Bill.com is not listed on the FedRAMP Marketplace as of March 2026.
- SOC 2 Status
- Bill.com has a SOC 2 claim detected on their trust page. Claim is vendor-attested — no public registry exists for independent verification.
- Sanctions Screening
- Bill.com returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
- Risk Tier
- ThirdProof assigned Bill.com a Low Risk tier with 96% confidence across 27 intelligence sources.
27 sources queried. 96% confidence. Every Bill.com investigation produces both a risk report and an auto-filled security questionnaire — no vendor follow-up required.
Get Bill.com's Full Report Free →5 free investigations|Risk report + auto-filled questionnaire|Avg. 7 minutes
Certification & Compliance Status
Security Questionnaire — Auto-Filled
89 of 133 questions answered for Bill.com
Auto-filled from public evidence • 67% complete
Q38
Do you have ISO 27001 certification?
According to Nudge Security's security profile, Bill.com is ISO 27001 Compliant.
Source: External Autohigh confidence
Q41
Are you FedRAMP authorized? At what level?
Not found in FedRAMP marketplace
Source: External Automedium confidence
Q42
Are you GDPR compliant? Do you have a DPA available?
Bill.com has a documented Data Processing Agreement (DPA) available at bill.com/legal/infosec-dpa that governs handling of Personal Information and GDPR compliance.
Q39
Are you PCI DSS compliant? At what level?
Nudge Security's security profile indicates Bill.com is PCI Compliant, and additional sources confirm SOC 2 and HIPAA compliance.
+ 7 more compliance questions answered in the full report
Every investigation produces a full PDF report plus the complete 133-question questionnaire, mapped to SOC 2, HIPAA, PCI DSS, SIG, and more.
Get Bill.com's Full Report Free →✗Not Listed on FedRAMP Marketplace
Verified against FedRAMP Marketplace API as of March 2026
Organizations with federal compliance requirements should verify this directly at marketplace.fedramp.gov.
Bill.com is not listed on the FedRAMP Marketplace.
◇27 data sources queried per assessment
◷Reports generated in an average of 7 minutes
◈SHA-256 verified for audit integrity
✓Deterministic risk scoring — no AI guesswork
4Tier
Low Risk
Bill.com
Vendor Risk Assessment
Confidence Score96%
Based on data availability and source coverage
27
Sources Queried
25
Sources With Data
April 17, 2026
Last Assessed
Executive Summary
AI-generated analysis for Bill.com
Bill.com (operating as BILL Holdings, Inc.) is a financial operations platform serving businesses and accounting firms with accounts payable, accounts receivable, and spend management capabilities. ThirdProof's rule engine has assigned a Tier 4 (Low Risk) rating with 96% confidence, supported by strong independent signal coverage across 24 data sources and automated questionnaire mapping covering 66% of assessed controls. Bill.com presents a robust set of positive security signals across the domains most material to a financial software vendor:
Key Findings
- The domain has been registered since 1994 and archived since 1998, reflecting over three decades of established presence
- Domain reputation is clean across all blacklist checks (SURBL, Spamhaus DBL, URLhaus) with a 0/100 IP abuse confidence score and no Malware detection service threats
- Infrastructure exposure is minimal, with only port 443 exposed and no known CVEs detected
- The published security page documents intrusion detection and prevention systems, role-based access control with least-privilege enforcement, separation of duties, firewalls, continuous monitoring, and an immutable audit trail
- A named CISO (Rinki Sethi, VP and CISO) leads the security program
- A Data Processing Agreement is publicly available, breach notification obligations are documented, and Bill.com explicitly states it does not sell customer data for marketing purposes
- SOC 1 and SOC 2 Type II audits are claimed as annual engagements performed by a national CPA firm, per the trust page Three areas merit procurement attention before finalization. First, the HTTP security headers scan of the marketing site (bill.com) returned a D+ grade (40/100), driven by the absence of HSTS, Content Security Policy, and X-Frame-Options — this is inconsistent with the otherwise strong TLS posture and warrants verification at the application endpoint (app.bill.com). Second, SOC 1 and SOC 2 certifications are vendor-attested only; no independent registry confirmation is available, and the full Type II report and a current bridge letter should be requested directly. Third, no public AI data usage policy was found at standard paths — given that Bill.com's machine learning models have been trained on customer invoice data, buyers should request the vendor's AI-specific terms or Data Protection Addendum to understand opt-out rights and data handling commitments. Overall, Bill.com represents a well-established, low-risk financial software vendor with a mature security posture and strong public documentation. The open items identified are process gaps rather than structural concerns, and are addressable through standard vendor due diligence steps.
Independence Statement
All evidence in this report was independently sourced from public registries, external threat intelligence feeds, DNS and TLS inspection, web archive data, and automated document scanning — without vendor participation, notification, or input at any stage of the assessment.
Investigation Findings
4 findings identified for Bill.com
4 medium
medium
LEI Registration Lapsed
The LEI registration for BILL HOLDINGS, INC. has status "LAPSED". This may indicate the entity no longer maintains its regulatory filings.
medium
Missing Security Headers
bill.com is missing 3 recommended security headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options.
Source:Domain Analysisdns.google →
medium
HTTP Security Grade: D+ (Marketing Site)
bill.com received a poor grade (D+) from Mozilla HTTP Observatory. Multiple security headers or configurations are missing. Note: This scan was performed on the marketing site (bill.com). The application endpoint (app.bill.com) may have different security headers. Verify the application domain separately.
medium
AI Data Usage Policy Not Discoverable at Standard Paths
An AI-specific data usage policy was not discoverable for bill.com through automated scanning of common policy paths and web search. The vendor may publish relevant data handling commitments in enterprise agreement documents (DPAs, product terms, licensing portals) that are not indexed at standard public URLs. Request the vendor's Data Protection Addendum or AI-specific terms directly.
✓
Security Strengths
25 positive signals verified
✓
No Sanctions Matches Found
Sanctions & Watchlist Screening →✓
Legal Entity Actively Registered
Business Registration →✓
No Adverse Media Found
Adverse Media Scan →✓
No Recent News Coverage
Adverse Media Scan (Fallback)
✓
Firmographic Data Available
Company Intelligence →✓
Valid SSL Certificate
Domain Analysis →✓
1 Open Port Detected
Infrastructure Exposure →✓
Established Domain (31+ years)
Domain Registration →✓
Clean domain reputation
Threat Intelligence →✓
Minimal Tech Community Discussion
Tech Community Sentiment →✓
Certificate Data from TLS Handshake
Certificate Transparency →✓
Established Web Presence (27+ years)
Web Archive History →✓
No Threat Intelligence Pulses
Threat Intelligence (OTX) →✓
Clean IP Reputation
IP Reputation →✓
Clean Safe Browsing Status
Malware & Phishing Check →✓
Clean Website Security Scan
Website Security Scan →✓
Certification Claimed: SOC 2
Trust & Compliance Page Scan →✓
Certification Claimed: SOC 1
Trust & Compliance Page Scan →✓
Subprocessor Page Found, No Entries Parsed
Supply Chain & Subprocessor Discovery →✓
Not Found as FDIC-Insured Institution
FDIC Institution Check →✓
No SEC Enforcement Filings Found
SEC Filing Search →✓
No Historical Adverse Media Found
Historical Media Search →✓
HITRUST Directory Match — Manual Verification Required
Certification Registry Verification →✓
SOC 2 Compliance Claimed on Trust Page
Certification Registry Verification →✓
Deep Document Crawler Results
Deep Document Analysis →Recommended Actions
Steps to address findings for Bill.com
- 1
Request the SOC 2 Type II report and bridge letter: contact Bill.com's security team via [bill.com/security](https://bill.com/security) and ask for the most recent Type II report under NDA, plus a bridge letter if the audit period closed more than six months ago.
- 2
Request the SOC 1 Type II report separately if your organization has internal financial control dependencies on Bill.com's AP/AR workflows.
- 3
Manually review the subprocessor disclosure page at [bill.com/privacy/data-processing-addendum](https://www.bill.com/privacy/data-processing-addendum) and request a structured list of all subprocessors from the vendor's legal team; cross-reference against OFAC and EU sanctions lists.
- 4
Request Bill.com's AI-specific data terms or DPA addendum — ask explicitly whether customer invoice data is used for AI model training, what opt-out mechanisms exist, and which third-party AI providers (if any) process customer data.
- 5
Verify HTTP security header posture on the production application domain (app.bill.com) independently via [SSL/TLS analysis service](https://www.SSL/TLS analysis service.com/ssltest/analyze.html?d=app.bill.com), and ask Bill.com's security team to confirm HSTS enforcement on the application layer.
- 6
Request confirmation of ISO 27001 certification status directly from Bill.com's security team, and ask for the certificate number and expiry date so it can be verified against the [IAF CertSearch registry](https://www.iafcertsearch.org).
- 7
Confirm HITRUST certification status directly with Bill.com or query the [HITRUST Alliance directory](https://directory.hitrustalliance.net/search?q=Bill.com) — a possible match was found but requires manual validation.
Intelligence Sources Queried
27 sources in this assessment
25of 27 sources returned data
IP Reputation
AI Data Usage Policy
Threat Intelligence (OTX)
Adverse Media Scan
Certification Registry Verification
Deep Document Analysis
Domain Analysis
FDIC Institution Check
Business Registration
Historical Media Search
Tech Community Sentiment
Company Intelligence
Adverse Media Scan (Fallback)
HTTP Security Scan
Sanctions & Watchlist Screening
Malware & Phishing Check
SEC Filing Search
Infrastructure Exposure
SSL/TLS Analysis
Supply Chain & Subprocessor Discovery
Trust & Compliance Page Scan
Website Security Scan
Threat Intelligence
Web Archive History
Domain Registration
Certificate Transparency
AI Research Agent
Data Coverage Notes
Some data sources may have had limited availability during this assessment. This does not reflect negatively on the vendor.
- Certificate Transparency log data (Certificate Transparency service) was unavailable during this assessment; certificate information was sourced from direct TLS handshake only, which may not reflect the full subdomain footprint.
- Subprocessor entities could not be extracted from Bill.com's published disclosure page due to an unsupported page format — supply chain entities were not individually assessed for sanctions or security posture.
- No public AI data usage policy was found at standard crawlable paths; AI-specific data handling commitments may exist in enterprise agreements or gated portals not accessible to automated scanning.
- The HTTP security header assessment was performed on the marketing site (bill.com); the application endpoint (app.bill.com) was detected but not independently scanned — scores may not reflect production application security controls.
- ISO 27001 certification status returned 'not_found' via the IAF CertSearch registry; a third-party source (Nudge Security) indicates ISO 27001 compliance, but this could not be independently verified through the authoritative registry during this assessment.
- HITRUST directory returned an unconfirmed possible match (90% confidence) for Bill.com — manual verification with the vendor or HITRUST Alliance is required to confirm or rule out certification.
- Questionnaire answers derived from automated public data mapping carry medium or low confidence for many controls and should be treated as supplementary signals, not vendor attestations.
183+
Vendors assessed
98%
Average confidence
<2 min
Time to report
Security & Compliance Profile
67% complete · 89/133 questions answered from public sourcesAre you Bill.com? Claim this profile to complete your security record. Buyers are reviewing this profile now.
Claim this profile →What a ThirdProof assessment covers↓
Sanctions Screening
Is Bill.com on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?
Cyber Risk Assessment
What is Bill.com's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.
Business Registration
Is Bill.com a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.
Adverse Media Analysis
Has Bill.com appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.
Domain & Infrastructure
Is Bill.com's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.
Company Intelligence
What are Bill.com's firmographics? Employee count, industry classification, technology stack, and corporate structure.
Trust & Compliance Verification
Does Bill.com claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.
Supply Chain & Subprocessor Discovery
Who does Bill.com depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.
Regulatory & Financial Filings
Has Bill.com appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.
Full methodology, rule engine, and AI disclosure: /methodology
Seeing this in an audit? ThirdProof lets you investigate Bill.com and every other vendor in your stack — average report time: 7 minutes. Get Bill.com's Full Report Free →
Frequently asked about Bill.com
Is Bill.com FedRAMP authorized?+
Bill.com is not currently listed on the FedRAMP Marketplace as of April 2026.
Does Bill.com have SOC 2 Type II?+
Yes — Bill.com holds SOC 2 (Type II not confirmed). Rated Low Risk — subprocessor list unavailable. See all 4 findings →
Is Bill.com on the OFAC sanctions list?+
Bill.com returned no matches in ThirdProof's OFAC SDN, EU Consolidated, and UN sanctions screening as of April 2026.
What is Bill.com's vendor risk tier?+
ThirdProof assigned Bill.com a risk tier of Low Risk with 96% confidence based on assessment across 27 intelligence sources as of April 2026.
Can I get an auto-filled security questionnaire for Bill.com?+
Yes. Every ThirdProof investigation of Bill.com produces two deliverables: an audit-ready risk report and a 133-question security questionnaire pre-filled with evidence from 27 independent sources. The questionnaire is mapped to SIG, SOC 2, HIPAA, PCI DSS and 9 other frameworks — answered without sending Bill.com a single email or waiting for a vendor response.
Is Bill.com safe to use as a vendor?+
Bill.com is a financial operations vendor that handles organizational data. Safety depends on their current security posture, certification status, and how they handle your specific data. ThirdProof automates this evaluation across 27 intelligence sources — sanctions databases (OFAC, EU, UN), business registration verification, adverse media scanning, and cyber risk assessment — producing a deterministic risk tier with confidence score plus an auto-filled security questionnaire. Run a free investigation to see Bill.com's full risk profile.
Does Bill.com have SOC 2 certification?+
Yes — Bill.com holds SOC 2. Rated Low Risk — subprocessor list unavailable. See all 4 findings →
Has Bill.com had any data breaches?+
Data breach history is an important signal for any vendor, particularly financial operations platforms like Bill.com that handle organizational data. ThirdProof's adverse media analysis searches multiple news APIs and public records for data breaches, security incidents, lawsuits, regulatory enforcement actions, and financial distress signals. Each finding is linked to its original source with severity classification.
Is Bill.com on any sanctions lists?+
Sanctions screening is standard due diligence for financial operations vendors. ThirdProof screens Bill.com against OFAC SDN, consolidated international sanctions lists, and PEP databases. The screening uses entity name verification to reduce false positives. If Bill.com or any associated officers appear on a sanctions list, this triggers automatic escalation to the highest risk tier.
How do I assess Bill.com for vendor risk?+
Assessing Bill.com as a financial operations vendor involves verifying SOC 2 Type II and applicable industry standards compliance, reviewing their subprocessor chain, and checking sanctions exposure. ThirdProof automates this across 27 intelligence sources in an average of 7 minutes — no questionnaires or vendor participation required. Your first 5 investigations are free.
How long does a ThirdProof assessment take?+
A ThirdProof assessment completes in an average of 7 minutes. 27 intelligence sources are queried in parallel — sanctions databases, business registries, threat intelligence feeds, certificate transparency logs, and more. The result is a deterministic risk tier with confidence score and audit-ready PDF report.
Is ThirdProof free?+
ThirdProof offers 5 free vendor assessments with no credit card required. Each assessment includes the full report — risk tier, confidence score, individual findings, executive summary, and PDF export. Paid plans start at $399/month for teams that need ongoing vendor monitoring.
Can I use a ThirdProof report as SOC 2 audit evidence?+
Yes. ThirdProof reports are designed to satisfy SOC 2 CC9.2 (vendor risk management) requirements. Each report includes SHA-256 integrity verification, methodology disclosure, source attribution for every finding, and AI content labeling. Auditors can independently verify the report's authenticity and trace each finding to its original source.
How is ThirdProof different from a security questionnaire?+
Security questionnaires require vendor participation, take weeks, and produce self-reported answers. ThirdProof queries 27 independent intelligence sources — no vendor involvement needed. Risk tiers are assigned by a deterministic rules engine (not AI opinion), and every finding links to its original source. You get an audit-ready report in an average of 7 minutes instead of waiting weeks for a questionnaire response.
Also investigate these vendors
Bill.com is in your vendor stack. Can you prove you assessed them?
SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.
ThirdProof investigates Bill.com across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.
✓ 5 free investigations✓ Risk report + auto-filled questionnaire✓ No credit card required✓ Average report time: 7 minutes
Replaces $600–$900 in manual compliance consulting time per vendor assessed.