Security & Protection

Security policy

Learn how we safeguard your data through industry-standard security practices, infrastructure protections, and internal controls.

Last Updated
September 9, 2025

At Billix, we take security seriously. This policy outlines how we protect your data and maintain the security of our AI application.

Encryption

  • API Keys: Encrypted using AES-GCM 256-bit with PBKDF2 key derivation (100,000 iterations)
  • Data in Transit: All communications use HTTPS/TLS encryption
  • User Isolation: User-specific encryption keys ensure data isolation

Access Controls

  • Authentication via Google OAuth through Convex Auth
  • Users can only access their own data
  • Server-side validation for all data access requests
  • Rate limiting: 5 messages/day anonymous, 20 messages/day authenticated
  • Session management with automatic expiration

Technology Stack

  • Convex Backend: Managed serverless backend with built-in security features
  • Next.js 15: Modern framework with security best practices
  • TypeScript: Type-safe development to reduce bugs
  • Vercel: Secure edge hosting with DDoS protection

Application Security

  • Input validation and sanitization
  • Protection against common web vulnerabilities (XSS, CSRF)
  • Secure session management
  • Environment variables for sensitive configuration

AI Providers

  • OpenAI, Anthropic, Google, and other established AI providers
  • API calls are encrypted
  • Only necessary message data is sent
  • API keys are encrypted and stored securely

Other Services

  • Convex: Database and backend infrastructure
  • Vercel: Edge hosting and CDN
  • Polar: Payment processing (PCI compliant) — we do not store card info

Data We Store

  • Account information (name, email from Google OAuth)
  • Chat messages and conversation history
  • Encrypted API keys (if provided)
  • User preferences and settings

Data Deletion

  • Users can delete their chat history at any time
  • Account deletion removes all associated data
  • Data is retained only as long as necessary for service functionality

Our Security Practices

  • Regular updates of dependencies and frameworks
  • Code reviews for security-sensitive changes
  • Monitoring for known vulnerabilities in dependencies
  • Following web application security best practices
  • Using environment variables for sensitive configuration

Incident Response

  • Investigate security issues promptly
  • Contain and fix problems
  • Notify affected users if data is compromised
  • Work to prevent similar incidents in the future

Your Security Responsibilities

  • Keep your Google account secure
  • Do not share your API keys
  • Log out when using shared devices
  • Report any suspicious activity to us

Reporting Security Issues

  • Report vulnerabilities to support@billix.io
  • Include issue details and reproduction steps
  • Allow reasonable time for investigation and resolution
  • Do not publicly disclose until addressed

Policy Updates

We may update this security policy as practices evolve. Check periodically for updates. The "Last Updated" date shows the most recent changes.

Frequently Asked Questions

Find quick, helpful explanations about features, pricing, integrations, and how Billix fits into your workflow.

Yes. The full Billix codebase lives at github.com/Billixio/billix_agent_main under a permissive open source license. Every feature is in the repo — there's no closed paid tier hiding the good stuff.

You can use the hosted version at billix.io for free, or clone the repo and self-host on your own hardware.
