Miscellaneous > Terms & legals
Compliance
Security and compliance overview
Section titled “Security and compliance overview”Tallyfy is SOC 2 Type 2 certified with bank-level encryption, SSO enforcement options, and complete audit trails for regulatory needs. As an independent, profitable company, we invest heavily in security.
SOC 2 Type 2 attestation
Section titled “SOC 2 Type 2 attestation”Tallyfy maintains a current SOC 2 Type 2 attestation. For the audit period, scope, and how to request the report under NDA, see Tallyfy’s SOC 2 page ↗.
Audit trail
Section titled “Audit trail”Tallyfy tracks all workflow actions automatically - who did what, when, and what changed.
What’s tracked
Section titled “What’s tracked”- Timestamped steps: Every step records the user, time, and outcome
- Immutable records: Audit records can’t be deleted or modified, not even by admins
- Activity logging: Full visibility into every user action
- Exports: Generate audit reports for regulatory compliance
- Template version control: Track all template changes with author and reason
Regulated industries using Tallyfy
Section titled “Regulated industries using Tallyfy”Financial services:
- Asset management firms meeting SEC Rules 204-2 and 206(4)-7
- Banks complying with FINRA audit requirements
- Insurance companies tracking claim decisions and approvals
Healthcare and life sciences:
- Pharma companies following FDA 21 CFR Part 111
- Clinical research teams meeting ICH E6(R3) standards
- Medical device manufacturers proving ISO 13485 compliance
- Healthcare IT maintaining HIPAA audit logs
Manufacturing and safety-critical industries:
- Auto manufacturers tracking part changes for IATF 16949:2016
- Aviation maintenance shops meeting FAA AC 145-9A
- Nuclear facilities following 10 CFR 50 Appendix B
- Chemical plants meeting OSHA Process Safety Management requirements
Infrastructure and utilities:
- Power companies handling NERC CIP cybersecurity audits
- Railroads documenting track inspections per 49 CFR 213
- Mining operations proving MSHA workplace examinations
All these industries need documented proof of “who did what, when.” See industry-specific workflow applications for details.
PCI-DSS considerations
Section titled “PCI-DSS considerations”Tallyfy isn’t PCI-DSS certified - we don’t process payment card data directly. You can still use Tallyfy in PCI-compliant environments:
- Never store card data in Tallyfy - don’t enter credit card numbers, CVVs, or payment data in form fields
- Use tokenization - store only tokenized references from your payment processor
- Use compensating controls - Tallyfy’s audit trails and access controls support your PCI compliance program
- Separate systems - keep payment processing separate from workflow management
Consult your QSA (Qualified Security Assessor) about including Tallyfy in your cardholder data environment.
Security governance
Section titled “Security governance”Tallyfy applies enterprise security principles across the product.
Identity and access management
Section titled “Identity and access management”- Least privilege: Users only access workflows relevant to their role (Admin, Standard, or Light)
- Role-based access: Three distinct permission levels control what each user can see and do
- Access reviews: Regular permission audits for users and admins
- Environment segregation: Full separation between development, test, and production
Single Sign-On enforcement
Section titled “Single Sign-On enforcement”Tallyfy can restrict login exclusively to your SSO provider. SSO-only mode means:
- All logins go through your SSO provider only
- Email-password login is disabled organization-wide
- User management stays centralized in your identity provider
To enable SSO-only mode, contact Tallyfy support.
Data security
Section titled “Data security”- Transport encryption: TLS 1.2+ for all data in transit
- At-rest encryption: AES-256 for stored data on AWS servers
- Tenant isolation: Complete data separation between organizations
Operational security
Section titled “Operational security”- Vulnerability testing: Annual penetration testing plus automated security scanning
- Change control: All code changes go through development, testing, review, and approval before production
- Continuous monitoring: AWS CloudWatch and GuardDuty provide 24/7 monitoring with alerting
- Incident response: Documented and tested security incident response procedures
Third-party risk
Section titled “Third-party risk”- Vendor assessment: Security vetting required for all vendors with regular reassessments
- Supply chain oversight: Regular review of AWS SOC 2 reports and vendor security documentation
Related articles
Section titled “Related articles”Tutorials > Workflow applications
Terms Legals > Tallyfy's privacy policy
Footnotes
Section titled “Footnotes”-
Federal regulation for electronic records and signatures in pharmaceutical and medical device industries ↩
Was this helpful?
- 2026 Tallyfy, Inc.
- Privacy Policy
- Terms of Use
- Report Issue
- Trademarks