Trust & Security

How we protect your data

Last updated: April 2026

Entity & Registration

Billa is operated by CommonGround Digital, an Australian company. We are based in Victoria and operate in accordance with Australian law, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We are not ourselves a registered NDIS provider. Billa is a software platform used by registered NDIS providers, support workers, and support coordinators to manage their documentation and claims workflows.

Data Hosting

All Billa data is stored and processed in Australia. We use the following infrastructure:

  • Database & authentication: Supabase (Sydney region, ap-southeast-2)
  • Application hosting: Vercel (Sydney edge, CDN globally for static assets only)
  • File storage: Supabase Storage (Sydney region)
  • Email delivery: Resend (transactional emails only — no participant data included)

Participant-identifying data is not sent to AI providers. AI-assisted note generation sends only the structured line item code, dates, duration, and the anonymised support context you enter in the form; participant names and NDIS numbers are never included. Anthropic processes these requests under its data processing agreement, via its API with zero data retention configured. Anthropic is not part of the Australian-hosted infrastructure listed above, and the support context is sent as you type it, so keep names, NDIS numbers and other identifying details out of that field.

NDIS Practice Standards Alignment

Billa is designed to support providers in meeting their record-keeping obligations under the NDIS Practice Standards and NDIS Act 2013:

  • Timestamped, immutable service note records with full audit log
  • Approval workflows with named approvers and timestamps
  • Participant-linked documentation with NDIS number tracking
  • Support item codes linked to the current NDIS Support Catalogue
  • PRODA-formatted claim file export for direct NDIA submission
  • PDF invoice generation meeting NDIA evidence requirements

Billa does not submit claims on your behalf — you retain full control over what you lodge and when. We provide the documentation infrastructure; you remain the registered provider accountable for your claims.

Privacy Act Compliance

Billa handles sensitive information as defined under the Privacy Act 1988, including information about disability and health services. We apply the following practices:

  • Data collected only for the purposes of NDIS documentation and claims management
  • No sale or sharing of personal data with third parties for marketing
  • Right of access: you can export your organisation's data at any time from the Claims view
  • Right of deletion: your data is fully removed within 30 days of account closure
  • Data breach notification: you will be notified within 72 hours of any confirmed breach affecting your data

Our full Privacy Policy is available at billa.com.au/privacy.

Security Practices

We implement the following technical and organisational security controls:

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Row-Level Security (RLS) enforced at the database layer — each organisation's data is strictly isolated
  • Authentication via Supabase Auth with support for email+password and magic link
  • Multi-factor authentication available for all accounts
  • API routes protected by server-side session validation on every request
  • Dependency auditing via automated tooling on every deployment
  • Error monitoring via Sentry (no participant data captured in error events)
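The organisation-level isolation described above rests on the database refusing to return another tenant's rows no matter what the application asks for. The following is an added example of that pattern written for Supabase (Postgres), not Billa's own schema or policies: the table names (organisation_members, service_notes), the helper function caller_organisations() and the sample user id are assumptions made for illustration. It shows the weak form of a policy beside the isolating one, omits UPDATE/DELETE policies so notes stay immutable to ordinary callers, and ends with a check that impersonates a caller to confirm only that caller's organisation is visible. The check assumes Supabase's auth.uid() reads the sub claim from the request.jwt.claims setting, as current Supabase images do.

```sql
-- Added example, not Billa's schema. Membership table: which users belong to which organisation.
create table public.organisation_members (
  organisation_id uuid not null,
  user_id         uuid not null references auth.users (id),
  primary key (organisation_id, user_id)
);

-- Service notes are the sensitive records; every row carries the owning organisation.
create table public.service_notes (
  id                     uuid primary key default gen_random_uuid(),
  organisation_id        uuid not null,
  participant_ndis_number text not null,
  body                   text not null,
  created_at             timestamptz not null default now()
);

-- Until RLS is enabled, any role the API grants table access to can read every row.
alter table public.organisation_members enable row level security;
alter table public.service_notes        enable row level security;

-- WEAK (left commented out): a USING (true) policy re-opens the table to every
-- authenticated user and is equivalent to having no isolation at all.
-- create policy "notes_any" on public.service_notes
--   for select to authenticated using (true);

-- Helper: the organisations the calling user belongs to. SECURITY DEFINER lets the
-- policy consult the membership table without recursing into that table's own policy.
create or replace function public.caller_organisations()
returns setof uuid
language sql
stable
security definer
set search_path = public
as $$
  select organisation_id
  from public.organisation_members
  where user_id = auth.uid();
$$;

-- Users may see their own membership rows only.
create policy "members_read_own_row" on public.organisation_members
  for select to authenticated
  using (user_id = auth.uid());

-- Reads: only notes belonging to one of the caller's organisations.
create policy "notes_select_own_org" on public.service_notes
  for select to authenticated
  using (organisation_id in (select public.caller_organisations()));

-- Writes: WITH CHECK stops a caller from inserting a note under another organisation's id.
create policy "notes_insert_own_org" on public.service_notes
  for insert to authenticated
  with check (organisation_id in (select public.caller_organisations()));

-- No UPDATE or DELETE policy is created, so authenticated callers cannot alter or remove
-- a note once written; only the service role, which bypasses RLS, can.

-- Check: impersonate a caller and confirm only their organisation's notes come back.
-- Run in a scratch database as a superuser; the user id below is a constructed value.
begin;
set role authenticated;
select set_config(
  'request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true
);
-- Expect only rows whose organisation_id appears in organisation_members for user ...0001.
select id, organisation_id, created_at from public.service_notes;
-- Expect an error: the row belongs to an organisation the caller is not a member of.
insert into public.service_notes (organisation_id, participant_ndis_number, body)
values ('ffffffff-ffff-ffff-ffff-ffffffffffff', '430000000', 'should be rejected');
rollback;
```

Two points worth checking in any deployment that relies on this pattern: first, that RLS is enabled on every table the API can reach (a table created later without `enable row level security` is fully readable through the API), and second, that the server-side code never uses the service-role key for user-facing requests, since that key bypasses every policy above.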

To report a security vulnerability, email security@billa.com.au. We aim to respond to all reports within 24 hours.