Compliance and Information Security

This section details information that’s targeted at your IT department or IT manager.

It applies to both mid-size and enterprise customers.

We take information security seriously, and invest in best-of-breed vendors that help us run specific services.

For our privacy policy and registration for Privacy Shield – relevant to EU and Swiss companies – see our privacy policy page.

Key facts on our commitment to user experience

User experience is critical to IT functions that need to service modern business units. Difficult interfaces and expensive training/change management lead to complete failures in many IT projects. Tallyfy takes a UX-first approach to our product to mitigate this large risk.

  • Tallyfy’s user interface is built mobile-first, using responsive design – which means it should work perfectly on smartphones, tablets and desktop computers.
  • Tallyfy’s user interface supports locales and languages that enable you to serve the UI to users in all the languages we support. At present, we support English and Spanish. Contact us if you need more languages.
  • Enterprise accounts can choose to authenticate with Active Directory, Microsoft Accounts, or LDAP for a Single Sign-on (SSO) experience.

Key facts on our commitment to open integration

Modern IT leaders know that vendors who don’t offer easy integration are not the right choice as future-proof platforms that serve critical business needs.

  • Tallyfy guarantees open access to all data we hold via an open API.
  • Tallyfy guarantees that we will always offer an open API to enable IT teams to freely integrate, push, pull and listen to data and events in our system. The future is not about closed systems.
  • We support the extraction of data from our system as activity logs, so that you can analyze such data within your existing analytics and business intelligence platforms.

Key facts on our infrastructure

Tallyfy is divided into two entirely different systems – an industry-standard REST API and a client user interface, which entirely depends on the API to function. No business logic exists on the user interface.

  • Tallyfy is offered as a hosted cloud service only. This applies to both the API and the UI, which are architecturally entirely different.
  • We do not offer on-premise installation. The benefits of this approach to customers are immense – since security, scaling, maintenance, threat mitigation and many other aspects are handled by our in-house team of expert sysadmins and developers. You can compare the cost of SaaS vs on-premise in numerous ways – like here. Note that this does not factor in the costs of skilled personnel needed to maintain an on-premise installation.
  • Tallyfy was built API-first. We used modern development techniques from inception in 2016, and an API was not an after-thought. The API uses a load-balancer which automatically scales using Amazon’s auto-scaling.
  • Tallyfy’s user interface is a lightweight AngularJS front-end which is served via a content delivery network that covers the globe – Amazon Cloudfront. All heavy lifting is done via the API. This also means that your in-house web development team can integrate anything they like into Tallyfy using our open REST API.
  • Authentication with our API uses OAuth 2.0.
  • We are entirely hosted on Amazon Web Services in the US. We tend to use the us-west-2 (Oregon) region for AWS, but we often replicate data to other AWS locations within the US. For disaster recovery purposes – we use Amazon CloudFormation templates to guarantee precise provisioning and takedown of VM instances. Instances are always assumed to be temporary and shared-everything. The only permanent aspect of our infrastructure is data sinks – such as our database and static file stores – both of which are backed up.
  • For sessions – we use Amazon services like DynamoDB.
  • For our database – we use Amazon’s managed database services to run a tuned instance of Postgres. We chose Postgres because of its stricter ACID compliance and scaling attributes. Many of the largest companies in the world use Postgres, which is mature and well-tested. Backups of our database are daily and automated. No access to the database is possible from the outside web – it resides within a private subnet on AWS. We use Multi-AZ deployment for high availability.
  • All data is encrypted in transit – for both the API and the UI.
  • For an extra charge – we can offer data encryption at rest, in our multi-tenant database.
  • For an extra charge – you can customize our native storage bucket to your own, and even use your own encryption key. This means nobody but you can access your files. In the case of Amazon S3 – this includes the ability to pick a region or jurisdiction that suits you in terms of data protection laws, etc.
  • More information on our stack can be shared privately with qualified customers – since publicising such information is a security risk. We are also open to third-party vulnerability assessments on our API. If you could give us a time period in which you intend to do such testing – whether it’s load or penetration testing – that would be helpful to prevent misunderstandings and total blocks. Nobody likes waking up in the middle of the night to deal with a fake attack – although we’re ready!
  • We challenge all requests from Tor exit nodes via our perimeter defense (Cloudflare).
  • We block usage of weak cipher suites based on vulnerable protocols like TLS v1.0, TLS v1.1 and TLS v1.2.

Key facts on infrastructure monitoring

  • Tallyfy uses Amazon’s Cloudwatch for real-time alarms, alerts and monitoring.
  • We auto-scale our resources on AWS based on minute-by-minute demand. We maintain a status page with an incident history.
  • We use Cloudflare as our perimeter defense against denial of service and similar attacks for our production systems – in particular, our API.

Key facts on user support, billing and 2nd line support

  • We use a helpdesk platform called Helpscout to offer online ticketing.
  • Tickets can be created by emailing us, through our support documentation, and within the client UI.
  • For larger companies, our offering is geared to serve as 2nd or 3rd line support, although we can function as first-line support too. We assume your IT would be first-line support for business users.
  • Our billing is run via a vendor called Recurly, and under Recurly we use Stripe to actually process payments. They are PCI compliant. We never store any billing information on our side.
  • As part of our enterprise plans we offer phone support and/or live-chat support inside the client UI.
  • As part of our enterprise and pro plans – we can offer you (on request) the ability to pay for Tallyfy using your AWS billing through Amazon.

Key facts on release management and automated testing

  • GitHub is used, along with feature branches, to ensure clean merges of code.
  • We employ strict QA for all commits, along with automated unit testing on our client UI. Our deployments are automated via Deploybot.
  • Our releases go through a manual QA process on a staging environment before being released on production.
  • We automatically capture exceptions and issues through Sentry.
  • A changelog can be supplied on request.

Key facts on SHA-2 support and modern TLS

Tallyfy’s website and product only allows browsers that use modern versions (1.2 and 1.3) of the TLS protocol to connect to our services.

For security reasons – we also prevent browsers without Server Name Indication (SNI) support from connecting to our website or product. SHA-1 support is disabled, which means that the minimum browser versions required (which must support SNI) are as follows:

  • IE7 on Windows Vista (Windows XP not supported)
  • Google Chrome on Windows Vista or OS X 10.5.7
  • Safari 3.0 on Windows Vista or Mac OS X 10.5.6
  • Mozilla Firefox 2.0
  • Opera 8.0 (with TLS 1.1 enabled)
  • BlackBerry 10
  • Windows Phone 7
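An added check, not Tallyfy's own code, that an IT team can run against the policy stated above (TLS 1.2 and 1.3 only, SNI required): it pins a client context to one protocol version at a time, records which versions the endpoint negotiates and whether a handshake without SNI succeeds, and reports any departure from that policy. The host name is a placeholder, and the script assumes a recent OpenSSL whose security level can be lowered so that the client itself is not what refuses TLS 1.0 and 1.1.

```python
import socket
import ssl
HOST, PORT = "tallyfy.example", 443  # placeholder host, not a real endpoint

# Policy stated on the page: only TLS 1.2 and 1.3 may negotiate, and SNI is required.
EXPECTED = {"TLSv1": False, "TLSv1.1": False, "TLSv1.2": True, "TLSv1.3": True}
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def make_context(version, verify=True):
    # Client context pinned to exactly one protocol version.
    ctx = ssl.create_default_context()
    if not verify:  # only for the no-SNI probe, where hostname checks are moot
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        try:  # modern OpenSSL refuses legacy protocols at its default security
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # level; lower it so that the
        except ssl.SSLError:  # client is not the reason the handshake fails
            pass
    return ctx

def probe(host, port, version, server_hostname=None):
    # Negotiated protocol name, or None when the handshake is refused.
    ctx = make_context(version, verify=server_hostname is not None)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None

def evaluate(results, expected=EXPECTED):
    # Findings where observed behaviour departs from the policy; [] means it is met.
    findings = []
    for name, allowed in expected.items():
        connected = results.get(name) is not None
        if connected and not allowed:
            findings.append(f"{name} was accepted but must be refused")
        elif allowed and not connected:
            findings.append(f"{name} was refused but must be accepted")
    if results.get("no-SNI") is not None:
        findings.append("a handshake without SNI succeeded; SNI must be required")
    return findings

def run(host=HOST, port=PORT):
    results = {n: probe(host, port, v, host) for n, v in VERSIONS.items()}
    results["no-SNI"] = probe(host, port, ssl.TLSVersion.TLSv1_2)  # SNI omitted
    return results, evaluate(results)
```

Call `run("your-host")` with the endpoint under assessment; the second element of the result is the list of findings, and an empty list means the observed behaviour matches the stated policy.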