Security

Shop data is useful only when it stays controlled.

BillCountr treats organization isolation, role-aware access, auditability, protected sync and safe assistance as product behaviour—not optional add-ons.

Tenant boundary

Every shop record belongs to one organization

Access

Role + permission + enabled feature

Sensitive history

Append-only audit records

AI writes

Proposal followed by explicit confirmation

What you need to know

Clear details, without the jargon.

01 · Isolation

Every shop stays separate

Tenant-owned data carries an organization identifier. The same organization context must be enforced in requests, database access, background jobs, sync ingestion, reports, exports and assisted workflows.

  • Sales, stock and contacts remain shop-scoped
  • Cross-organization identifiers are rejected
  • Exports and reports keep the same boundary
  • Device sync is registered to an organization

02 · Authentication

Sessions belong to active users

BillCountr uses authenticated sessions and treats password changes, account deactivation and device access as security events. Authentication endpoints and sensitive actions are designed for rate limiting.

  • Passwords are stored using secure hashing
  • Tokens can be revoked after password change
  • Deactivated staff lose access
  • Sensitive endpoints receive additional protection

03 · Authorization

A visible button is not the security boundary

Navigation and actions are simplified for the user’s role, but every protected API action must independently validate the role, exact permission, organization and enabled feature.

  • Owner, manager, cashier and auditor roles
  • Custom permissions for shop-specific work
  • Disabled features are hidden and blocked
  • Denied actions return a simple access message

04 · Audit

Sensitive changes leave an immutable trail

Audit entries record the actor, action, time, affected entity and relevant change snapshot. They are appended and cannot be edited or deleted, including by the owner.

  • Actor and exact timestamp
  • Before-and-after detail where relevant
  • Cancellation and reversal history
  • Audit exports for review

05 · Data protection

Protection applies in transit and at rest

The product architecture requires encrypted network traffic, protected sensitive storage, parameterized database access and platform-appropriate protection for offline data on mobile and web.

  • TLS for network communication
  • Protected database and file storage
  • Secure storage for credentials and tokens
  • Local-data hardening appropriate to each platform

06 · AI safety

Assistance inherits the user’s boundaries

The assistant may summarize and analyze only the modules the current user can access. Any requested data change must first be presented as a proposal and wait for explicit confirmation.

  • No access to another organization
  • Blocked modules remain unavailable
  • No silent stock, ledger or settings changes
  • Confirmed actions are audited

07 · Integrity

Corrections preserve what happened

Finalized invoice snapshots are not rewritten to hide a mistake. Cancellation marks the original and appends explicit stock and ledger reversals, maintaining a reviewable chain of events.

  • Original finalized bill remains visible
  • Reversal effects are appended
  • Reports can distinguish cancelled bills
  • The correction path remains auditable

Common questions

Quick answers.

Can a cashier view owner-only reports?

Only if the organization grants that permission. The navigation and API both enforce the resolved role, permission and enabled feature.

Can the owner delete an audit record?

No. Audit records are append-only and immutable by product rule, including for the owner.

Can the AI assistant update stock automatically?

Not silently. It must show the proposed change and wait for explicit user confirmation. The user must also have the required stock permission and AI capability enabled.

Does hiding a feature in the interface secure it?

Hiding reduces complexity, but security comes from server-side authorization. Disabled features and missing permissions must also be rejected by the API.

Ready for daily shop work

Enter your shop in one step.

Sign in to your shop