Compliance

Tallyfy’s security and compliance overview

Tallyfy works hard to keep data safe and our platform reliable. We follow strict security and compliance rules. This section explains our security practices.

SOC 2 Type 2 compliance

Tallyfy has passed a detailed security audit called SOC 2 Type 2 for our workflow platform.

  • Audit Period: This review covered May 21, 2024, to August 21, 2024.
  • What Was Audited: The audit focused on Security, following criteria set by the AICPA (American Institute of Certified Public Accountants).
  • Who Audited: An independent company, Prescient Assurance LLC, performed the audit.
  • Current Status: We continue to meet SOC 2 Type 2 standards through ongoing monitoring and annual audits. The next review period ends on August 21, 2025.

The SOC 2 Type 2 report details Tallyfy’s security controls and proves their effectiveness.

Key security practices

We use many security methods based on industry best practices to protect Tallyfy systems and your data. Key areas include:

Access control

  • Only Necessary Access: Users get access only to information and tools needed for their job.
  • Logging In: Users need a unique login and password. We also use multi-factor authentication (MFA), like a code sent to your phone, for extra security for key systems.
  • Regular Checks: We regularly review who has access (yearly for most users, quarterly for privileged access) and adjust access as needed.
  • Keeping Things Separate: We keep development, testing, and production environments separate. Developers cannot access production without specific approval.

Mandatory Single Sign-On (SSO)

For organizations requiring an additional layer of authentication security, Tallyfy can be configured to enforce “SSO only” access. When this mode is active:

  • All members must authenticate exclusively through your configured Single Sign-On (SSO) provider.
  • Standard login with an email and password will be disabled for all users in the organization.
  • The ability to invite new members directly via email will be turned off. New users must be provisioned through your SSO identity provider and will gain access to Tallyfy upon their first SSO login.

This ensures that all access to your Tallyfy organization adheres strictly to your corporate SSO policies, enhancing security and simplifying user management for administrators. To enable “SSO only” mode for your organization, please contact Tallyfy support.

Data protection

  • Secure Connections (Encryption in Transit): When data travels over the internet (e.g., between your computer and Tallyfy), it’s encrypted using strong methods (TLS 1.2 or higher) so others cannot read it.
  • Secure Storage (Encryption at Rest): When data is stored on Tallyfy servers (using AWS), it’s also encrypted using strong methods.
  • Keeping Data Separate: Each organization’s data is kept logically separate using unique IDs.

System security and operations

  • Finding Weaknesses (Vulnerability Management): We regularly scan Tallyfy systems for security vulnerabilities. We also hire external experts annually to find issues (penetration testing).
  • Making Changes Carefully (Change Management): Before updating Tallyfy or its infrastructure, we follow a strict process for development, testing, review, and approval.
  • Watching the Systems (Monitoring): We constantly monitor our systems to ensure they are working well, available, and secure. We use tools like AWS CloudWatch and GuardDuty to look for issues or suspicious activity and alert us.
  • Handling Problems (Incident Response): We have a plan for handling security incidents. We regularly test this plan so we’re prepared.

Vendor management

  • Checking Vendors: Before working with other companies (vendors/sub-processors), we assess their security practices. We review them periodically too.
  • Monitoring Key Partners: We review security reports (like SOC 2) of key sub-processors we rely on, such as AWS (Amazon Web Services).