
Security and compliance overview

Tallyfy holds a SOC 2 Type 2 attestation and provides encryption in transit (TLS 1.2+) and at rest (AES-256), SSO enforcement options, and complete audit trails for regulatory needs. As an independent, profitable company, we invest heavily in security.

SOC 2 Type 2 attestation

Tallyfy maintains a SOC 2 Type 2 attestation: an independent auditor examines both the design and the operating effectiveness of our security controls over a rolling three-month review period and issues a report. (SOC 2 is an attestation report, not a certificate; request the current report, normally shared under NDA, and check its review period and any exceptions the auditor noted.)

  • Assessment period: Rolling three-month periods with continuous assessment
  • Scope: Security controls assessed against the AICPA Trust Services Criteria[1]
  • Independent auditor: A third-party audit firm handles each assessment
  • Status: Continuous SOC 2 Type 2 coverage, with the report renewed annually

Audit trail

Tallyfy tracks all workflow actions automatically - who did what, when, and what changed.

What’s tracked

  • Timestamped steps: Every step records the user, time, and outcome
  • Immutable records: Audit records can’t be deleted or modified, not even by admins
  • Activity logging: Full visibility into every user action
  • Exports: Generate audit reports for regulatory compliance
  • Template version control: Track all template changes with author and reason

Regulated industries using Tallyfy

Financial services:

  • Asset management firms meeting Investment Advisers Act Rules 204-2 (books and records) and 206(4)-7 (compliance programs)
  • Banks complying with FINRA audit requirements
  • Insurance companies tracking claim decisions and approvals

Healthcare and life sciences:

  • Pharma companies following FDA 21 CFR Part 11[2]
  • Clinical research teams meeting ICH E6(R3) standards
  • Medical device manufacturers proving ISO 13485 compliance
  • Healthcare IT maintaining HIPAA audit logs

Manufacturing and safety-critical industries:

  • Auto manufacturers tracking part changes for IATF 16949:2016
  • Aviation maintenance shops meeting FAA AC 145-9A
  • Nuclear facilities following 10 CFR 50 Appendix B
  • Chemical plants meeting OSHA Process Safety Management requirements

Infrastructure and utilities:

  • Power companies handling NERC CIP cybersecurity audits
  • Railroads documenting track inspections per 49 CFR 213
  • Mining operations proving MSHA workplace examinations

All these industries need documented proof of “who did what, when.” See industry-specific workflow applications for details.

PCI DSS considerations

Tallyfy is not PCI DSS certified and does not process payment card data. You can still use Tallyfy in PCI DSS environments, provided it stays out of scope:

  • Never store card data in Tallyfy - do not enter primary account numbers (PANs), CVVs, expiry dates, or other cardholder data in form fields, comments, or attachments
  • Use tokenization - store only the tokenized references issued by your payment processor; a token is useless outside that processor's vault
  • Use Tallyfy as supporting evidence - its audit trails and access controls can document approval and change processes for your PCI DSS program, but they are not compensating controls in the PCI DSS sense unless your assessor documents them as such
  • Separate systems - keep payment processing separate from workflow management so Tallyfy never stores, processes, or transmits cardholder data

Consult your QSA (Qualified Security Assessor) before placing Tallyfy anywhere near your cardholder data environment. If cardholder data can reach Tallyfy, Tallyfy is in scope; the controls above exist to make sure it cannot.
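The "never store card data" rule only holds if something enforces it at the point where data enters the workflow. The following is an added example, not Tallyfy code: a pre-submission guard that an integration pushing data into workflow form fields could run first. It rejects field names that indicate cardholder data and flags any Luhn-valid PAN found in a value, while reporting only the last four digits so the guard itself never logs a full card number. The field names, the token format and the sample submissions are constructed for illustration.

```python
"""Pre-submission guard that keeps cardholder data out of workflow form fields.

Added illustration, not Tallyfy code: scans the key/value pairs an integration is
about to push into a workflow form, rejects field names that suggest card data,
and flags any Luhn-valid primary account number (PAN) found in a value. Field
names, the token format and the sample submissions below are constructed.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field labels that should never appear on a workflow form that touches payments.
CARD_FIELD_NAME = re.compile(r"\b(card[ _-]?(number|no|num)|pan|cvv2?|cvc|ccv)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by every major card brand; filters out invoice and order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalised digit strings of every Luhn-valid PAN candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def check_form_submission(fields: dict[str, str]) -> dict:
    """Validate one submission; violations carry only the PAN's last four digits, never the full number."""
    violations = []
    for name, value in fields.items():
        if CARD_FIELD_NAME.search(name):
            violations.append(f"{name!r}: field name indicates cardholder data")
        for pan in find_pans(value):
            violations.append(f"{name!r}: value contains a Luhn-valid PAN ending in {pan[-4:]}")
    return {"ok": not violations, "violations": violations}


# Constructed sample submissions (hypothetical field names and processor token).
SUBMISSION_BAD = {
    "Customer": "Acme Corp",
    "Payment details": "Visa 4111 1111 1111 1111 exp 12/27",  # well-known test PAN, Luhn-valid
    "CVV": "123",
}
SUBMISSION_GOOD = {
    "Customer": "Acme Corp",
    "Payment reference": "tok_1N4f2Ab3cD9e (processor token)",  # tokenized reference only
    "Amount": "USD 1,250.00",
}

if __name__ == "__main__":
    for label, submission in (("bad", SUBMISSION_BAD), ("good", SUBMISSION_GOOD)):
        result = check_form_submission(submission)
        print(label, "->", "accepted" if result["ok"] else "rejected", result["violations"])
```

Run the guard in the integration layer (or as a validation step in whatever tool feeds the workflow), and treat a rejection as a process failure to investigate, not something to bypass: a PAN that reaches the workflow tool pulls that tool into PCI DSS scope.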

Security governance

Tallyfy applies enterprise security principles across the product.

Identity and access management

  • Least privilege: Users only access the workflows relevant to their role
  • Role-based access: Three permission levels (Admin, Standard, Light) control what each user can see and do
  • Access reviews: Regular permission audits for users and admins
  • Environment segregation: Full separation between development, test, and production

Single Sign-On enforcement

Tallyfy can restrict login exclusively to your SSO provider. SSO-only mode means:

  • All logins go through your SSO provider only
  • Email-password login is disabled organization-wide
  • User management stays centralized in your identity provider

To enable SSO-only mode, contact Tallyfy support. Before enabling it, make sure every active user is provisioned in your identity provider: once the mode is on, accounts without an IdP identity can no longer log in.

Data security

  • Transport encryption: TLS 1.2+ for all data in transit
  • At-rest encryption: AES-256 for stored data on AWS servers
  • Tenant isolation: Complete data separation between organizations

Operational security

  • Vulnerability testing: Annual penetration testing plus automated security scanning
  • Change control: All code changes go through development, testing, review, and approval before production
  • Continuous monitoring: AWS CloudWatch and GuardDuty provide 24/7 monitoring with alerting
  • Incident response: Documented and tested security incident response procedures

Third-party risk

  • Vendor assessment: Security vetting required for all vendors with regular reassessments
  • Supply chain oversight: Regular review of AWS SOC 2 reports and vendor security documentation

Miscellaneous > Terms & legals

Tallyfy offers enterprise-grade security and legal compliance: SOC 2 Type 2 attestation, GDPR support, HSTS, full data encryption, free SSO, AWS GovCloud hosting, multi-layer API security, and custom data processing agreements for regional privacy laws.

Tutorials > Workflow applications

Tallyfy's configurable template system, with conditional logic and full audit trails, lets organizations across dozens of regulated industries, from banking and pharmaceuticals to aviation and nuclear power, build compliant, standardized workflows that capture every action with user identity and timestamps, adapting to sector-specific requirements through conditional branching and role-based routing.

Terms Legals > Tallyfy's privacy policy

Tallyfy's privacy policy outlines how personal information is collected, used, and protected; the security documentation on the compliance page details IT infrastructure, data protection measures, and operational safeguards.

Integrations > Authentication and SSO

Tallyfy offers free SSO on all paid plans, with support for Microsoft Entra ID, Google Workspace, Okta, OneLogin, JumpCloud, and any SAML 2.0 provider, letting teams log in with existing corporate credentials. SSO-backed approvals also produce an audit trail that can replace costly e-signature tools for internal use cases such as purchase orders and policy acknowledgments.

Footnotes

  1. American Institute of CPAs framework covering security, availability, processing integrity, confidentiality, and privacy

  2. Federal regulation for electronic records and signatures in pharmaceutical and medical device industries