BillPilot

Security overview

BillPilot is designed for enterprise controls: strict tenant isolation, auditable workflows, and secret handling that aligns with AWS best practices.

Strict tenant isolation
All API access is scoped by tenant and enforced with RBAC on every request.

Secrets stored in AWS Secrets Manager
OAuth tokens and operational secrets are never stored in plaintext in databases.

Immutable audit trails
Sensitive actions are recorded and designed to be append-only and reviewable.

Encryption by default
Data is encrypted in transit and at rest using AWS-managed encryption primitives.
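The following is an added illustration of the two properties above that are easiest to get subtly wrong, tenant-scoped RBAC on every request and an append-only, reviewable audit trail. It is not BillPilot's code and says nothing about how BillPilot implements them: the role names, permission model, request shape and the use of a hash chain to make the log tamper-evident are all assumptions chosen for the example. The point it demonstrates is that the tenant check and the role check are independent (an admin role never grants access to another tenant's data), and that a reviewer can verify the audit trail offline and detect an edited entry.

```python
"""Tenant-scoped RBAC guard feeding a tamper-evident audit log.

Added illustration, not BillPilot code. The permission model, role names,
request shape and hash-chained log below are assumptions chosen to show
two independent checks on every request (tenant scope, then role) plus an
append-only audit trail that a reviewer can verify offline.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical permission model: role -> set of allowed actions.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "billing_admin": {"invoice:read", "invoice:approve", "invoice:void"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str   # tenant the caller authenticated into
    role: str


@dataclass(frozen=True)
class Request:
    action: str
    resource_tenant_id: str   # owner of the object being touched
    resource_id: str


@dataclass
class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = json.dumps(entry["event"], sort_keys=True)
            if hashlib.sha256((prev + body).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(principal: Principal, req: Request, log: AuditLog) -> bool:
    """Tenant scope is checked first, then RBAC; every decision is audited."""
    if req.resource_tenant_id != principal.tenant_id:
        decision, reason = False, "cross_tenant"
    elif req.action not in ROLE_PERMISSIONS.get(principal.role, set()):
        decision, reason = False, "role_denied"
    else:
        decision, reason = True, "allowed"
    log.append({
        "user": principal.user_id,
        "tenant": principal.tenant_id,
        "action": req.action,
        "resource": req.resource_id,
        "resource_tenant": req.resource_tenant_id,
        "allowed": decision,
        "reason": reason,
    })
    return decision


def demo() -> dict:
    """Constructed scenario; returns the decisions and the log's integrity state."""
    log = AuditLog()
    admin_a = Principal("u1", "tenant-a", "billing_admin")
    viewer_a = Principal("u2", "tenant-a", "viewer")
    results = {
        # admin acting inside its own tenant: allowed
        "admin_same_tenant": authorize(admin_a, Request("invoice:approve", "tenant-a", "inv-1"), log),
        # same admin touching another tenant's invoice: denied before RBAC is consulted
        "admin_cross_tenant": authorize(admin_a, Request("invoice:approve", "tenant-b", "inv-9"), log),
        # viewer in its own tenant lacks the approve permission
        "viewer_approve": authorize(viewer_a, Request("invoice:approve", "tenant-a", "inv-1"), log),
    }
    results["log_valid_before_tamper"] = log.verify()
    # Simulate someone rewriting a recorded denial into an approval after the fact.
    log.entries[1]["event"]["allowed"] = True
    results["log_valid_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering in `authorize` matters: evaluating the tenant check before consulting roles means no role, however privileged, can be used to reach another tenant's objects, and the denial is recorded with its reason so a reviewer can distinguish a cross-tenant attempt from an ordinary permission miss. The hash chain only makes tampering detectable; in a real deployment the chain head would be anchored somewhere the application cannot rewrite.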
For deeper details (token handling, encryption, audit semantics), see the repository's docs/SECURITY.md.