I had a great chat with Tallyfy – and love the user-first design. They are also a rare example of transparency and confidence. The legal compliance and security page (which hardly anyone would normally read) would be one of the best examples of open communication I have seen for a while – around how the service is constructed and the underpinning technologies and services used. Well worth a look if you are technically-minded, or just interested in how a modern tech company approaches their IT. Good stuff!
Garry Johnston – Business Design and Delivery Manager – Vodafone New Zealand
Tallyfy is uniquely built as an integration-first platform – see integrations here.
Tallyfy is one of the very few (if only) cloud-based workflow platforms that properly passes SSL tests (with an A+ grade) and is pre-loaded with a modern HSTS policy on Google Chrome, Firefox, Edge and other browsers. Test any domain for yourself at the official testing website that’s based on RFC 6797, and you will see most/all other vendors do not validate properly or fail these tests. Congratulations – you just discovered an important fact that other vendors will “omit” from their sales and marketing babble.
Unlike many other vendors – we natively support HTTP/3 and QUIC. HTTP/3 is a major revision of the web’s protocol designed to take advantage of QUIC, a new encrypted-by-default Internet transport protocol that provides a number of improvements designed to accelerate HTTP traffic as well as make it more secure.
Unlike many other vendors – we are cloud-born and API-first – with an entirely open API.
Unlike many other vendors – UX and ease-of-use is not a “feature” at Tallyfy. It’s the core of our existence.
Unlike many other vendors – we log ALL API calls via a serverless worker with a 28-day retention policy.
Unlike many other vendors – we stream your data to any analytics platform that supports Amazon Athena like Microsoft PowerBI, Tableau or Google Data Studio. No need to re-invent the wheel – when you already have an analytics stack. Best of all – you customize any view, any visual, in any shape or form – with no need to wait for us.
Our perimeter defenses work on the edge (at any scale) and we use vendors that have proven they can deal with 10x the volume of the largest known DDoS attacks in history.
Our founding team is deeply technical and truly understands workflow and process management. We take a long-term view built entirely around customer benefits, and we don’t cut corners on core tech.
SOC 2 compliant. We are currently SOC 2 – Type 1 compliant. We will be SOC 2 – Type 2 compliant by December 2023.
This information is targeted at your engineers and/or IT department. It applies to both mid-size and enterprise customers. We take information security seriously, and invest in best-of-breed vendors that help us run specific services. For our privacy policy – see our privacy policy page.
SOC-2 compliance
Tallyfy has achieved SOC 2 Type 1 compliance in accordance with American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations, also known as SSAE 18. Achieving this standard with an unqualified opinion serves as third-party industry validation that Tallyfy provides enterprise-level security for customers’ data secured in the Tallyfy System.
Tallyfy was audited by Prescient Assurance, a leader in security and compliance attestation for B2B SaaS companies worldwide. Prescient Assurance is a registered public accounting firm in the US and Canada and provides risk management and assurance services which include, but are not limited to, SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA, and CSA STAR.
An unqualified opinion on a SOC 2 Type I audit report demonstrates to Tallyfy, Inc.’s current and future customers that Tallyfy manages their data with the highest standard of security and compliance.
Key facts on our commitment to user experience
User experience is critical to IT functions that need to service modern business units. Difficult interfaces and expensive training/change management lead to complete failures in many IT projects. Tallyfy takes a UX-first approach to our product to mitigate this large risk.
Tallyfy’s user interface is built mobile-first, using responsive design – which means it should work perfectly on smartphones, tablets as well as desktop computers.
Tallyfy’s user interface supports locales, so you can serve the UI to users in any of the languages we support. At present, we support many languages on the UI. Contact us if you need more languages.
Enterprise accounts can choose to authenticate with Active Directory, Microsoft Accounts, or LDAP for a Single Sign-on (SSO) experience.
Tallyfy’s client application requires minimum browser versions to be as follows: Safari – v9.1.1+, Chrome – v50+, Firefox – 46.0.1+, Internet Explorer – 11+, Mobile Safari – 9+
We can’t write about UX and not mention legacy BPM (think flowcharts and BPMN). “Old BPM” software is tired and broken. It never worked for business users. Here’s why:
Users are now deciding to buy software themselves. Old BPM was traditionally bought by the IT department – which tended to favour a large/boring company that met a set of “checkbox requirements”. That approach is not okay today. Shadow IT is exploding – it’s real and it’s unstoppable. If you’re running modern IT, it’s not “optional” to make UX, user adoption and user-driven buy-in the #1 factor to any procurement decision.
Modern cloud tools are free to try by anyone, anytime. With Old BPM you had to call sales and wait for 50 questions just to look at it and finally decide it sucks. We’re happy to talk to IT about specific questions, second/third-line support, etc. but initially – please sign up to Tallyfy to let us know your initial questions. We look forward to engaging with IT for larger questions like SSO, security, etc.
People want to share workflows with clients. With Old BPM you were stuck with trying to automate internal processes alone. Your clients would be very scared and run a mile from it. With Tallyfy – we provide a cloud-native, secure solution for external collaboration.
People expect to integrate cloud tools without IT. With Old BPM you had to get engineers to write code to make a simple integration. That’s now become a drag-and-drop service. See the API section below as well. We support various integration-as-a-service products like Zapier, Microsoft Flow (Power Automate), etc.
People expect to work on phones. This means giant, clunky flowcharts in Old BPM are dead – because they don’t fit on your phone’s screen – and only define “the perfect process”. Tallyfy can be used in most browsers on most devices.
People are tired of flowcharts. Old BPM was all about the high priest telling you how a process can/will be done, and you would obey. Now – modern workers and teams are paid high salaries to collaborate. Dust off your legacy process maps and map them into non-flowchart equivalents in Tallyfy. If you have everything in BPMN – you can find most equivalents on Tallyfy.
People expect all the benefits of the cloud. Old BPM was never cloud-born and was never designed for the cloud. And that creates a massive bunch of missed opportunities. Don’t settle for a legacy BPM vendor whose product reality and marketing/sales-talk are in totally different directions.
Companies of all sizes need process management – and never had it. Since Old BPM was so expensive and complicated, only large companies could afford it. The rest of us were left out. Tallyfy is designed for any size of team or business. “BPM in 60 seconds” really has magical properties!
People are excited about AI – but confused about where to begin. With Old BPM you have zero chance of using AI without an army of engineers. With cloud-born systems like Tallyfy – it’s child’s play to use any AI you like to run amazing automations for photos, voice, video and more. Ask us about how you can custom-extend our infrastructure to listen to an event firehose – using custom, serverless functions such as Lambda functions. You’ll be pleasantly surprised.
Key facts on our commitment to open integration
Modern IT leaders know that vendors who don’t offer easy integration are not the right choice as future-proof platforms that serve critical business needs.
Tallyfy guarantees open access to all data we hold via an open API.
Tallyfy guarantees that we will always offer an open API to enable IT teams to freely integrate, push, pull and listen to data and events in our system. The future is not about closed systems.
We support the extraction of data from our system as activity logs, so that you can analyze such data within your existing analytics and business intelligence platforms. We strongly believe that we should not provide you with native analytics, so that you can be in a much stronger position. Please read our reasoning for this decision here.
Key facts on our infrastructure
Tallyfy is divided into two entirely different systems – an industry-standard REST API and a client user interface, which entirely depends on the API to function. No business logic exists on the user interface.
Tallyfy is offered as a hosted cloud service only. This applies to both the API and the UI – which are, architecturally, entirely different. We do not offer on-premise installation. The benefits of this approach to customers are immense – since security, scaling, maintenance, threat mitigation and many other aspects are handled by our in-house team of expert sysadmins and developers. You can compare the cost of SaaS vs on-premise in numerous ways – like here. Note that this does not factor in the costs of skilled personnel needed to maintain an on-premise installation.
Tallyfy was built API-first. We used modern development techniques from inception, and an API was not an after-thought. The API uses a load-balancer which automatically scales using Amazon’s auto-scaling.
As a US company – we comply with US trade sanctions and laws. We use a highly scalable, serverless worker which executes on hundreds of edge locations throughout the globe, to inspect every packet coming into our client and API. A packet is dropped at the edge node if we refuse to serve the HTTPS request – it never even makes it to the origin. We deny all HTTP requests into our product from countries identified as being under trade sanctions under US law. All HTTPS packets arriving at our API are logged within 1-2 milliseconds at the edge via a third-party service called Moesif. As a US company – we are serious about doing business with you legally and securely. For this reason – we block entire countries from using our product at layer 7. You’ll find most other SaaS companies don’t do this but still say “we’re secure”. These blocks are implemented conservatively for legal, security and other reasons. We’re open to lifting blocks with adequate justification – so please contact us.
Tallyfy’s user interface is a lightweight AngularJS front-end which is served via a content delivery network that covers the globe – Amazon Cloudfront. All heavy lifting is done via the API. This also means that your in-house web development team can integrate anything they like into Tallyfy using our open REST API.
Authentication with our API uses OAuth 2.0.
We are entirely hosted on Amazon Web Services in the United States. We tend to use the us-west-2 (Oregon) region for AWS, but we often replicate data to other AWS locations within the US. For disaster recovery purposes – we use Amazon CloudFormation templates to guarantee precise provisioning and takedown of VM instances. Instances are always assumed to be temporary and shared-everything. The only permanent aspect of our infrastructure is our data sinks – such as our multi A-Z database and static file stores, which have daily backups.
To scale and run sessions and queues – we use Amazon services like DynamoDB and Amazon SQS.
For our database – we use Amazon’s managed database services to run a tuned instance of Postgres. We chose Postgres because of its stricter ACID compliance and scaling attributes. Many of the largest companies in the world use Postgres, which is mature and well-tested. Backups of our database are daily and automated. No access to the database is possible from the outside web – it resides within a private subnet on AWS. We use Multi-AZ deployment for high availability.
All data is encrypted in transit – for both the API and the UI.
All data is encrypted at rest – in our multi-tenant database.
For an extra charge – you can customize our native storage bucket to your own, and even use your own encryption key. This means nobody but you can access your files. In the case of Amazon S3 – this includes the ability to pick a region or jurisdiction that suits you in terms of data protection laws.
More information on our stack can be shared privately with qualified customers – since publicising such information is a security risk. We are also open to third-party vulnerability assessments on our API. If you could give us a time period in which you intend to do such testing – whether it’s load or penetration testing – that would be helpful to prevent misunderstandings and total blocks. Nobody likes waking up in the middle of the night to deal with a fake attack – although we’re ready!
We challenge all requests from Tor exit nodes via our perimeter defense (Cloudflare).
We block weak cipher suites – those only available on vulnerable protocol versions like TLS v1.0 and TLS v1.1, and weak suites under TLS v1.2 (see the TLS version requirements further below).
Tallyfy uses ISO 27001 and FISMA certified data centers managed by Amazon in the United States. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
All firewall infrastructure and management is provided by our service providers – Cloudflare and Amazon Web Services (AWS).
Amazon (AWS) continually manages risk and undergoes recurring assessments to ensure compliance according to industry standards. Amazon’s data center operations have been accredited under:
ISO 27001
SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
Tallyfy uses AWS CloudWatch and CloudTrail for real-time alarms, alerts, monitoring and logging.
We auto-scale our resources on AWS based on minute-by-minute demand. We maintain a status page with an incident history that’s run by a third-party provider – so we can’t influence data reported on it.
We use Cloudflare as our perimeter defense against denial of service and similar attacks for our production systems – in particular, our API. Our API challenges requests from the same IP address if they exceed 40 requests per second, as a very primitive first line of defense to crude denial-of-service attacks. We’re aware botnets use far more sophisticated techniques, but that’s a separate problem.
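The per-IP threshold described above (challenge an address once it exceeds 40 requests per second), as an added example of how such a check is evaluated over edge logs. This is not Tallyfy’s or Cloudflare’s code; the log format, addresses and one-second sliding window are assumptions.

```python
"""Per-IP request-rate check: challenge an IP once it exceeds 40 requests
per second. Added example, not Tallyfy's or Cloudflare's code; the log
format and addresses are constructed and a 1-second sliding window is
assumed."""
from collections import defaultdict, deque

THRESHOLD = 40      # requests per second before a challenge is issued
WINDOW = 1.0        # sliding window length in seconds


class RateLimiter:
    """Track request timestamps per client IP in a sliding window."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)

    def record(self, ip, ts):
        """Register one request; return 'challenge' if this request pushes
        the IP over the threshold within the window, else 'allow'."""
        q = self.hits[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        return "challenge" if len(q) > self.threshold else "allow"


def replay(lines, limiter=None):
    """Replay constructed edge-log lines '<epoch_ts> <ip> <path>' and
    return {ip: number of requests that would have been challenged}."""
    limiter = limiter or RateLimiter()
    challenged = defaultdict(int)
    for line in lines:
        ts, ip, _path = line.split(maxsplit=2)
        if limiter.record(ip, float(ts)) == "challenge":
            challenged[ip] += 1
    return dict(challenged)


# Constructed sample (documentation-range addresses): 203.0.113.9 sends
# 50 requests in half a second; 198.51.100.4 sends 5 requests over 5 s.
SAMPLE_LOG = ["%.3f 203.0.113.9 /api/v1/tasks" % (1000.0 + i * 0.01)
              for i in range(50)]
SAMPLE_LOG += ["%.3f 198.51.100.4 /api/v1/tasks" % (1000.0 + i)
               for i in range(5)]
SAMPLE_LOG.sort()  # edge logs are replayed in time order

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))  # {'203.0.113.9': 10}
```

Only the requests beyond the 40th within any one-second window are challenged, so the bursty client is challenged 10 times and the slow client never is.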
Key facts on user support, billing and 2nd line support
We use a helpdesk platform called Helpscout to offer online ticketing.
Tickets can be created by emailing us, through our support documentation, and within the client UI.
For larger companies, our offering is geared to serve as 2nd or 3rd line support, although we can function as first-line support too. We assume your IT would be first-line support for business users.
Our billing is run via a vendor called Recurly and under Recurly, we use Stripe to actually process payments. They are PCI compliant. We never store any billing information on our side.
As part of our enterprise plans we offer phone support and/or live-chat support inside the client UI.
Key facts on release management and automated testing
GitHub is used, along with feature branches, to ensure clean merges of code.
We employ strict QA for all commits, along with automated unit testing on our client UI. Our deployments are automated via Deploybot.
Our releases go through a manual QA process on a staging environment before being released on production.
We automatically capture API and UI client exceptions and issues through third-party products.
Tallyfy’s website and product only allows browsers that use modern versions (1.2 and 1.3) of the TLS protocol to connect to our services.
Our domain uses DNSSEC to protect against forged DNS answers. DNSSEC-protected zones are cryptographically signed to ensure the DNS records received are identical to the DNS records published by the domain owner.
For security reasons – we also prevent browsers without Server Name Indication (SNI) support from connecting to our website or product. SHA-1 support is disabled, which means that the minimum browser versions required (which must support SNI) are as follows:
IE7 on Windows Vista (Windows XP not supported)
Google Chrome on Windows Vista or OS X 10.5.7
Safari 3.0 on Windows Vista or Mac OS X 10.5.6
Mozilla Firefox 2.0
Opera 8.0 (with TLS 1.1 enabled)
BlackBerry 10
Windows Phone 7
HSTS – strict requirements are enabled
HTTP Strict Transport Security (HSTS, RFC 6797) is a header which allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking. It allows a web server to declare a policy that browsers will only connect using secure HTTPS connections, and ensures end users do not “click through” critical security warnings. HSTS is an important security mechanism for high security websites. HSTS headers are only respected when served over HTTPS connections, not HTTP. Tallyfy is pre-loaded in major browsers (hard-coded) to strictly serve https via a strong HSTS policy. Our security testing results achieve an A+ grade from comprehensive tests on Qualys SSL Labs – shown below. You can also run these tests yourself at this URL.
We are one of the few, if not the only, workflow SaaS vendors that properly validate on the HSTS pre-load list. See the official status check here.
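To see what “validating on the pre-load list” means concretely, here is an added example (not Tallyfy’s code) that parses a Strict-Transport-Security header the way RFC 6797 describes and checks it against the pre-load list’s published requirements. The header values are constructed samples, not captured from any real domain.

```python
"""Parse a Strict-Transport-Security header and check it against the
HSTS preload list requirements (max-age >= 1 year, includeSubDomains,
preload). Added example; not Tallyfy's code. Header values below are
constructed samples, not captured from any real domain."""
import re

# hstspreload.org requires a max-age of at least one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Return {directive_name: value_or_None}. Names are lower-cased,
    since RFC 6797 makes directive names case-insensitive and allows a
    quoted max-age value."""
    directives = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if value else None
        if name in directives:
            # RFC 6797 s6.1: a directive MUST NOT appear more than once
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = value
    return directives


def check_preload(header):
    """Return (eligible, list_of_problems) for one header value."""
    problems = []
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return False, [str(e)]
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %s is below one year" % max_age)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return (not problems), problems


# Constructed sample header values (not from any real site).
SAMPLES = {
    "strong": "max-age=31536000; includeSubDomains; preload",
    "quoted": 'Max-Age="63072000"; IncludeSubDomains; Preload',
    "short": "max-age=86400; includeSubDomains; preload",
    "no_sub": "max-age=31536000; preload",
    "dup": "max-age=31536000; max-age=0; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, check_preload(value))
```

Note that the pre-load list also requires the policy to be served on the bare domain with a valid certificate and an HTTPS redirect; this snippet only checks the header itself.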
We hope this page has shown you that we’re serious about security and that we’re willing to back that statement with hard evidence of what we actually do.