Skip to content

Compliance

Tallyfy is SOC 2 Type 2 certified with bank-level encryption, SSO enforcement options, and complete audit trails for regulatory needs. As an independent, profitable company, we invest heavily in security.

Tallyfy maintains a current SOC 2 Type 2 attestation. For the audit period, scope, and how to request the report under NDA, see Tallyfy’s SOC 2 page.

Tallyfy tracks all workflow actions automatically - who did what, when, and what changed.

  • Timestamped steps: Every step records the user, time, and outcome
  • Immutable records: Audit records can’t be deleted or modified, not even by admins
  • Activity logging: Full visibility into every user action
  • Exports: Generate audit reports for regulatory compliance
  • Template version control: Track all template changes with author and reason

Financial services:

  • Asset management firms meeting SEC Rules 204-2 and 206(4)-7
  • Banks complying with FINRA audit requirements
  • Insurance companies tracking claim decisions and approvals

Healthcare and life sciences:

  • Pharma companies following FDA 21 CFR Part 111
  • Clinical research teams meeting ICH E6(R3) standards
  • Medical device manufacturers proving ISO 13485 compliance
  • Healthcare IT maintaining HIPAA audit logs

Manufacturing and safety-critical industries:

  • Auto manufacturers tracking part changes for IATF 16949:2016
  • Aviation maintenance shops meeting FAA AC 145-9A
  • Nuclear facilities following 10 CFR 50 Appendix B
  • Chemical plants meeting OSHA Process Safety Management requirements

Infrastructure and utilities:

  • Power companies handling NERC CIP cybersecurity audits
  • Railroads documenting track inspections per 49 CFR 213
  • Mining operations proving MSHA workplace examinations

All these industries need documented proof of “who did what, when.” See industry-specific workflow applications for details.

Tallyfy isn’t PCI-DSS certified - we don’t process payment card data directly. You can still use Tallyfy in PCI-compliant environments:

  • Never store card data in Tallyfy - don’t enter credit card numbers, CVVs, or payment data in form fields
  • Use tokenization - store only tokenized references from your payment processor
  • Use compensating controls - Tallyfy’s audit trails and access controls support your PCI compliance program
  • Separate systems - keep payment processing separate from workflow management

Consult your QSA (Qualified Security Assessor) about including Tallyfy in your cardholder data environment.

Tallyfy applies enterprise security principles across the product.

  • Least privilege: Users only access workflows relevant to their role (Admin, Standard, or Light)
  • Role-based access: Three distinct permission levels control what each user can see and do
  • Access reviews: Regular permission audits for users and admins
  • Environment segregation: Full separation between development, test, and production

Tallyfy can restrict login exclusively to your SSO provider. SSO-only mode means:

  • All logins go through your SSO provider only
  • Email-password login is disabled organization-wide
  • User management stays centralized in your identity provider

To enable SSO-only mode, contact Tallyfy support.

  • Transport encryption: TLS 1.2+ for all data in transit
  • At-rest encryption: AES-256 for stored data on AWS servers
  • Tenant isolation: Complete data separation between organizations
  • Vulnerability testing: Annual penetration testing plus automated security scanning
  • Change control: All code changes go through development, testing, review, and approval before production
  • Continuous monitoring: AWS CloudWatch and GuardDuty provide 24/7 monitoring with alerting
  • Incident response: Documented and tested security incident response procedures
  • Vendor assessment: Security vetting required for all vendors with regular reassessments
  • Supply chain oversight: Regular review of AWS SOC 2 reports and vendor security documentation

  1. Federal regulation for electronic records and signatures in pharmaceutical and medical device industries