IT and Security Documentation

Tallyfy is an integration-first platform – see integrations.

• Tallyfy is one of the few cloud-based workflow platforms that properly passes SSL tests (A+ grade) and has a modern HSTS policy. Test any domain at the official testing website to find out the facts. Most other vendors choose not to bring this to you up for obvious reasons.
• We natively support HTTP/3 and QUIC which accelerate and secure HTTP traffic.
• We are cloud-born and API-first with an open API.
• UX and ease-of-use is core to Tallyfy.
• We log all API calls with a 28-day retention policy.
• We stream your data to any analytics platform that supports Amazon Athena like PowerBI, Tableau or Google Data Studio, allowing custom views.
• Our perimeter defenses work at any scale to handle large DDoS attacks.
• Our founding team is technical and understands workflow management. We take a long-term, customer-centric view.
• SOC 2 Type 1 compliant working towards Type II by Q3 or Q4 2024.

This information is for your IT department. We take security seriously and invest in best-of-breed vendors. See our privacy policy.

SOC 2 Type II attestation

We are going through SOC 2 Type II, expected in Q3/Q4 2024. Tallyfy has achieved SOC 2 Type 1 attestation, audited by Prescient Assurance. This demonstrates we manage data with the highest security standards. Please contact us for details on this.

Our commitment to user experience

UX is critical for IT to service business units. Tallyfy takes a UX-first approach to mitigate risks.

• Tallyfy’s UI is mobile-first and responsive.
• We support many languages. Contact us for more.
• All customers can use SSO for free via Active Directory, Google, Okta, OneLogin, etc.
• Minimum browser versions: Safari 9.1.1+, Chrome 50+, Firefox 46.0.1+, IE 11+, Mobile Safari 9+

On the subject of UX – Tallyfy was created because legacy BPM software is tired and broken:

• Users now decide to buy software themselves. UX and user adoption are key.
• Modern cloud tools are free to try. We’re happy to engage IT for larger questions.
• People want to share workflows with clients. Tallyfy provides a secure solution.
• People expect drag-and-drop integrations. We support middleware and have an open API.
• People expect to work on phones. Tallyfy works on most devices.
• People are tired of flowcharts. Map legacy processes to Tallyfy equivalents.
• People expect cloud benefits. Don’t settle for legacy vendors.
• Companies of all sizes need process management. Tallyfy is designed for any team size.
• People are excited about AI. Tallyfy makes it easy to use AI for automation or generative applications.

Key facts on our commitment to open integration

Modern IT leaders know vendors must offer easy integration.

• Tallyfy guarantees open data access via API.
• We will always offer an open API for integration.
• We support data extraction for analysis in your BI platforms. See our reasoning.

Key facts on our infrastructure

Tallyfy has an industry-standard REST API and a client UI that depends on the API.

• Tallyfy is a cloud-only service. We handle security, scaling, maintenance, etc.
• Tallyfy was built API-first using modern development techniques.
• As a US company, we comply with trade sanctions. We block entire countries for legal and security reasons. Contact us to discuss lifting blocks.
• Tallyfy’s UI is lightweight. Your web team can integrate using our open REST API.
• API authentication uses OAuth 2.0.
• We are hosted on AWS in us-west-2 with a disaster recovery process tested.
• We use native AWS services to scale.
• Our database is Postgres on AWS RDS with Multi-AZ for high availability. Daily automated backups.
• All data encrypted in transit and at rest.
• Customizable storage and encryption available.
• More stack details available privately. Open to vulnerability assessments.
• We challenge requests from Tor and block weak cipher suites.

Tallyfy uses ISO 27001 and FISMA certified AWS data centers with strict physical access controls.

Firewall infrastructure is provided by Cloudflare and AWS.

AWS is accredited under ISO 27001, SOC 1/2, PCI Level 1, FISMA Moderate, SOX.

Tallyfy Client – How Packets Route

Tallyfy REST API – How Packets Route

API docs: https://go.tallyfy.com/api/

Key facts on infrastructure monitoring

• We use AWS Cloudwatch, Cloudtrail and Moesif at the edge for monitoring and logging.
• Resources auto-scale based on demand. See our status page for uptime.
• Cloudflare is our perimeter defense against attacks.

Key facts on user support, billing and 2nd line support

• We use a helpdesk for online ticketing.
• For larger companies, we provide 2nd/3rd line support. Your IT can be your first line.
• Billing via Recurly and Stripe, PCI compliant. No billing info stored.
• Enterprise plans have phone/live-chat support.

Key facts on release management and automated testing

• GitHub used with feature branches for clean code merges.
• Strict QA and automated testing. Automated deployments via Deploybot.
• Manual QA on staging before production release.
• Automatic capture of API/UI exceptions.
• Product update changelog.

Key facts on SHA-2 support, TLS and DNS

Tallyfy only allows modern TLS (1.2/1.3) connections.

Our domain uses DNSSEC to protect against DNS forgery.

We prevent browsers without SNI from connecting. Minimum browser versions:

• IE7 on Windows Vista
• Chrome on Vista/OS X 10.5.7+
• Safari 3.0 on Vista/OS X 10.5.6+
• Firefox 2.0+
• Opera 8.0+ (TLS 1.1)
• BlackBerry 10+
• Windows Phone 7+

HSTS – strict requirements enabled

HSTS (RFC 6797) allows websites to enforce HTTPS, protecting against attacks. Tallyfy is pre-loaded in browsers to serve HTTPS via strong HSTS, achieving A+ on SSL labs tests.

We are one of few workflow SaaS vendors properly validating on the HSTS preload list. Check official status.

We take security seriously and back it with evidence. We hope this demonstrates our commitment.