Compliance

Security and compliance overview

Tallyfy delivers SOC 2 Type 2 certified security with bank-level encryption, mandatory SSO options, and complete audit trails that meet regulatory requirements.

SOC 2 Type 2 certification

Tallyfy maintains SOC 2 Type 2 certification. An independent auditor examines our security controls over a three-month period.

• Assessment Period: Our most recent audit covered May 21, 2024, to August 21, 2024.
• Scope Coverage: The assessment tested Security controls based on AICPA Trust Services Criteria¹ (the gold standard for SaaS security).
• Independent Auditor: Prescient Assurance LLC handled the audit - they’re tough, thorough, and don’t miss a thing.
• Compliance Status: We maintain continuous SOC 2 Type 2 compliance with annual renewals. Our next assessment wraps up August 21, 2025.

Getting the SOC 2 report

Current customers and prospective clients operating under Non-Disclosure Agreements may request comprehensive compliance documentation through our Tallyfy sales or support channels.

Regulatory audit trail requirements

Tallyfy tracks all workflow actions automatically, creating a complete audit trail showing who did what, when they did it, and what changed.

Audit trail capabilities

• Complete Process Documentation: Every step gets timestamped with user and outcome
• Immutable Record Keeping: Once something happens, it’s locked in stone. Nobody can delete or modify audit records (not even admins)
• User Activity Logging: See exactly who clicked what button at 3:47 PM last Tuesday - it’s all there
• Export Capabilities: Generate audit reports for regulatory compliance
• Version Control: Track all template changes with author and reason

Regulated industries using Tallyfy

Financial Services Compliance:

• Asset management firms meeting SEC Rules 204-2 and 206(4)-7
• Banks complying with FINRA audit requirements
• Insurance companies tracking every claim decision and approval

Healthcare and Life Sciences:

• Pharma companies following FDA 21 CFR Part 11²
• Clinical research teams meeting ICH E6(R3) standards for trial documentation
• Medical device manufacturers proving ISO 13485 compliance with every design change
• Healthcare IT maintaining those mandatory HIPAA audit logs

Manufacturing and Safety-Critical Industries:

• Auto manufacturers tracking every part change for IATF 16949:2016
• Aviation maintenance shops meeting FAA AC 145-9A compliance
• Nuclear facilities following 10 CFR 50 Appendix B
• Chemical plants meeting OSHA’s Process Safety Management requirements

Infrastructure and Utilities:

• Power companies dealing with NERC CIP cybersecurity audits
• Railroads documenting track inspections per 49 CFR 213
• Mining operations proving MSHA workplace examinations actually happened

These organizations require complete documentation showing “who did what, when.” For industry-specific details, see industry-specific workflow applications.

PCI-DSS compliance considerations

Tallyfy itself is not PCI-DSS certified as we don’t process payment card data directly. However, you can use Tallyfy in PCI-compliant environments by:

• Never storing card data in Tallyfy - Don’t enter credit card numbers, CVV codes, or other sensitive payment data in form fields
• Using tokenization - Store only tokenized references from your payment processor
• Implementing compensating controls - Use Tallyfy’s audit trails and access controls as part of your PCI compliance program
• Separating systems - Keep payment processing separate from workflow management

For organizations requiring PCI compliance, consult your QSA (Qualified Security Assessor) about using Tallyfy as part of your cardholder data environment.

Security governance framework

Tallyfy implements enterprise security principles across the platform:

Identity and access management

• Principle of Least Privilege: Users only access workflows relevant to their role
• Multi-Factor Authentication: Required second factor authentication for all logins
• Access Reviews: Annual permission audits for users, quarterly for admins
• Environment Segregation: Complete separation between development, test, and production environments

Single Sign-On enforcement

Tallyfy can restrict authentication exclusively to your SSO provider. SSO-only mode provides:

• All logins through your SSO provider only
• Email-password authentication disabled organization-wide
• Centralized user management through your identity provider

To enable SSO-only mode, contact Tallyfy support.

Advanced SSO for AI Integrations

For organizations implementing AI workflows, SSO integration with MCP servers extends identity governance to AI-powered applications, ensuring centralized authentication across both traditional workflow systems and emerging AI tools.

Data security protocols

• Transport Layer Encryption: TLS 1.2+ encryption for all data in transit
• Data-at-Rest Protection: AES-256 encryption for stored data in AWS servers
• Tenant Isolation: Complete data separation between organizations

Operational security management

• Vulnerability Assessment: Annual penetration testing plus automated security scanning
• Change Control Procedures: All code changes require development, testing, review, and approval before production deployment
• Continuous Monitoring: AWS CloudWatch and GuardDuty provide 24/7 system monitoring with immediate alerting
• Incident Response Framework: Documented and tested security incident response procedures

Third-party risk management

• Vendor Security Assessment: Security vetting required for all vendors with regular reassessments
• Supply Chain Oversight: Regular review of AWS SOC 2 reports. According to industry research ↗^[1], SOC 2 adoption increased 40% in 2024.

• BIMI compliance
• HSTS compliance

---

Related articles

Miscellaneous > Terms & legals

Tallyfy maintains SOC 2 Type 2 attestation GDPR compliance HSTS security BIMI email standards custom data processing agreements comprehensive encryption multi-layer API protection AWS GovCloud hosting options and various enterprise-grade security measures to meet regulatory obligations and enterprise requirements.

Tutorials > Workflow applications

Tallyfy adapts to specialized industry requirements through configurable workflows conditional logic and comprehensive audit trails that meet regulatory demands across financial services healthcare manufacturing and other highly regulated sectors.

Terms Legals > Tallyfy's privacy policy

Tallyfy’s privacy policy and security documentation can be accessed through dedicated web pages that outline data collection practices protection measures and compliance standards.

Integrations > Authentication and SSO

Tallyfy offers free Single Sign-On integration for paid plans that connects to enterprise identity providers like Azure AD Google Workspace Okta and OneLogin within 30 minutes while providing security benefits automatic account provisioning and the ability to replace traditional e-signature solutions with SSO-based approvals for internal company processes.

Footnotes

1. American Institute of CPAs framework covering security, availability, processing integrity, confidentiality, privacy ↩

2. Federal regulation for electronic records and signatures in pharmaceutical and medical device industries ↩