Data Processing Addendum
This Data Processing Addendum (this "DPA") forms part of the Customer Terms of Service or other written agreement between you ("Customer") and Tallyfy, Inc. ("Tallyfy") that governs your use of the Tallyfy services (the "Agreement"). It applies where, and to the extent that, Tallyfy processes personal data on Customer's behalf when providing the services.
To request a countersigned copy of this DPA for your records, please contact us.
Last updated: 19 May 2026
1. Definitions
Capitalized terms not defined in this DPA have the meaning given to them in the Agreement.
- "Customer Data" means data that Customer or its authorized users submit to the services.
- "Personal Data" means any Customer Data relating to an identified or identifiable natural person, where that data is protected as personal data, personal information, or a similar term under Data Protection Laws.
- "Data Protection Laws" means the data protection and privacy laws applicable to Tallyfy's processing of Personal Data under the Agreement, which may include the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and US state privacy laws such as the California Consumer Privacy Act as amended (the "CCPA").
- "Sub-processor" means a third party engaged by Tallyfy to process Personal Data in connection with the services.
- "Standard Contractual Clauses" means the contractual clauses approved by the European Commission for the transfer of personal data to third countries.
- The terms "controller", "processor", "business", "service provider", "sell", "share", and "data subject" have the meanings given to them in the applicable Data Protection Laws.
2. Roles and scope
For Personal Data, Customer acts as the controller (or business) and Tallyfy acts as the processor (or service provider). Tallyfy processes Personal Data only to provide and support the services, and only on Customer's documented instructions, including the instructions set out in the Agreement and this DPA.
Customer is responsible for the accuracy and legality of Customer Data and for having a lawful basis to provide it to Tallyfy. If Tallyfy reasonably believes an instruction infringes Data Protection Laws, it will inform Customer.
3. Details of the processing
- Subject matter: Tallyfy's provision of the services under the Agreement.
- Duration: the term of the Agreement, plus any period until deletion or return of Customer Data under Section 11.
- Nature and purpose: hosting, storage, and processing of Customer Data to operate the workflow and process-management services.
- Types of Personal Data: contact and account details (such as name, email address, and similar identifiers) and any other Personal Data that Customer or its authorized users choose to include in Customer Data.
- Categories of data subjects: Customer's authorized users and any individuals whose data Customer chooses to include in Customer Data.
4. Tallyfy's obligations
Tallyfy will:
- process Personal Data only on Customer's documented instructions;
- ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations;
- implement and maintain appropriate technical and organizational measures designed to protect Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of the processing; and
- taking into account the nature of the processing, provide reasonable assistance to Customer, at Customer's expense, with data protection impact assessments and with responding to data subject requests, to the extent Customer cannot reasonably do so itself using the services.
Tallyfy does not warrant that Personal Data will be free from unauthorized access; it commits to maintaining the measures described above.
5. Sub-processors
Customer provides a general authorization for Tallyfy to engage Sub-processors. Tallyfy imposes on each Sub-processor data protection terms designed to meet the requirements of Data Protection Laws, and remains responsible for each Sub-processor's performance of its data protection obligations to the extent required by Data Protection Laws.
Tallyfy will update the list below before a new Sub-processor begins processing Personal Data. Customer may object to a new Sub-processor on reasonable data protection grounds by contacting us. If the parties cannot resolve the objection, Customer's sole and exclusive remedy is to stop using the affected part of the services and terminate the affected subscription.
The following Sub-processors are engaged as of the last update date shown above:
| Sub-processor | Purpose of processing | Location of processing |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Primary cloud infrastructure (compute, database, storage, networking) | United States |
| Cloudflare, Inc. | DNS, WAF, CDN, edge compute, and object storage | United States, with a global edge network |
| DigitalOcean, LLC | Hosting for operational services, including logging, support desk, and automation | United States |
| GitHub, Inc. | Source code repository and deployment pipeline | United States |
| Google LLC (Google Workspace) | Business email and document collaboration | United States |
| Mailgun Technologies, Inc. | Transactional and notification email delivery | United States |
| Anthropic, PBC | AI-assisted features within the services | United States |
| Recurly, Inc. | Subscription billing and payment processing | United States |
| Functional Software, Inc. (Sentry) | Application error monitoring and performance tracking | United States |
6. Data subject requests
If Tallyfy receives a request from a data subject to exercise rights under Data Protection Laws in respect of Personal Data, Tallyfy will, where permitted by law, direct the data subject to Customer. Customer is responsible for responding to such requests, using the functionality of the services where available.
7. Personal data breach
If Tallyfy becomes aware of a personal data breach affecting Personal Data, Tallyfy will notify Customer without undue delay and will provide the information then reasonably available to help Customer meet its own notification obligations. Tallyfy's notification is not an acknowledgement of fault or liability.
8. International data transfers
Tallyfy complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce, and has certified to the U.S. Department of Commerce that it adheres to the applicable Principles. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Where Personal Data of individuals in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision, and the Data Privacy Framework does not apply to that transfer, the transfer is governed by the European Commission's Standard Contractual Clauses (Module Two, controller to processor) and, for the United Kingdom, the UK International Data Transfer Addendum. Those clauses are incorporated into this DPA by reference, with Tallyfy acting as the data importer.
9. US state privacy laws
Where Tallyfy processes Personal Data subject to US state privacy laws, including the CCPA, Tallyfy acts as a service provider or processor. Tallyfy will not:
- sell or share Personal Data;
- retain, use, or disclose Personal Data for any purpose other than performing the services specified in the Agreement, or as otherwise permitted by Data Protection Laws;
- retain, use, or disclose Personal Data outside the direct business relationship between Customer and Tallyfy; or
- combine Personal Data with personal information received from other sources, except as permitted by Data Protection Laws.
Tallyfy certifies that it understands the restrictions in this Section 9 and will comply with them.
10. Security and audits
Tallyfy maintains an information security program and undergoes an independent third-party SOC 2 examination. To verify Tallyfy's compliance with this DPA, on Customer's written request, no more than once in any twelve-month period and with at least 30 days' notice, Tallyfy will make available a copy of its then-current SOC 2 report or a completed standard security questionnaire.
An on-site audit will be conducted only where required by Data Protection Laws, during business hours, subject to confidentiality obligations, at Customer's expense, and scheduled to avoid disruption to Tallyfy's operations.
11. Return and deletion of Customer Data
On expiry or termination of the Agreement, Tallyfy will, within 60 days, delete or return Customer Data in its possession, except to the extent retention is required by law or forms part of routine backup cycles. Where data is retained in backups, Tallyfy will continue to protect it and will delete it on expiry of the backup cycle.
12. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to, and counts toward, the exclusions and limitations of liability set out in the Agreement. This DPA does not create any additional liability, or any separate or higher cap on liability, beyond what the Agreement provides.
13. General
This DPA forms part of, and is subject to, the Agreement. If there is a conflict between this DPA and the rest of the Agreement on the subject of data protection, this DPA prevails. This DPA is governed by the same law as the Agreement and may be signed electronically and in counterparts. To request a countersigned copy of this DPA for your records, please contact us.