I had a great chat with Tallyfy – and love the user-first design. They are also a rare example of transparency and confidence. The legal compliance and security page (which hardly anyone would normally read) would be one of the best examples of open communication I have seen for a while – around how the service is constructed and the underpinning technologies and services used. Well worth a look if you are technically-minded, or just interested in how a modern tech. company approaches their IT. Good stuff!
Garry Johnston – Business Design and Delivery Manager – Vodafone New Zealand
![Tallyfy integrations](png/integrations-tyfy.png)
- Tallyfy is one of the very few (if only) cloud-based workflow platforms that properly passes SSL tests (with an A+ grade) and is pre-loaded with a modern HSTS policy on Google Chrome, Firefox, Edge and other browsers. Test any domain for yourself at the official testing website that’s based on RFC 6797, and you will see most/all other vendors do not validate properly or fail these tests. Congratulations – you just discovered an important fact that other vendors will “omit” from their sales and marketing babble.
- Unlike many other vendors – we natively support HTTP/3 and QUIC. HTTP/3 is a major revision of the web’s protocol designed to take advantage of QUIC, a new encrypted-by-default Internet transport protocol that provides a number of improvements designed to accelerate HTTP traffic as well as make it more secure.
- Unlike many other vendors – we are cloud-born and API-first – with an entirely open API.
- Unlike many other vendors – UX and ease-of-use is not a “feature” at Tallyfy. It’s the core of our existence.
- Unlike many other vendors – we log ALL API calls via a serverless worker with a 28-day retention policy.
- Unlike many other vendors – we stream your data to any analytics platform that supports Amazon Athena like Microsoft PowerBI, Tableau or Google Data Studio. No need to re-invent the wheel – when you already have an analytics stack. Best of all – you customize any view, any visual, in any shape or form – with no need to wait for us.
- Our perimeter defenses work on the edge (at any scale) and we use vendors that have proven they can deal with 10x the volume of the largest known DDoS attacks in history.
- Our founding team is deeply technical and truly understands workflow and process management. We take a long-term view built entirely around customer benefits, and we don’t cut corners on core tech.
Jump to any section
- Key facts on our commitment to user experience
- Key facts on our commitment to open integration
- Key facts on our infrastructure
- Key facts on infrastructure monitoring
- Key facts on user support, billing and 2nd line support
- Key facts on release management and automated testing
- Key facts on SHA-2 support, TLS and DNS
- HSTS – strict requirements are enabled
Key facts on our commitment to user experience
- Tallyfy’s user interface is built mobile-first, using responsive design – which means it should work perfectly on smartphones, tablets as well as desktop computers.
- Tallyfy’s user interface supports locales and languages that enable you to serve the UI to users in all the languages we support. At present, we support many languages on the UI. Contact us if you need more languages.
- Enterprise accounts can choose to authenticate with Active Directory, Microsoft Accounts, or LDAP for a Single Sign-on (SSO) experience.
- Tallyfy’s client application requires minimum browser versions to be as follows: Safari – v9.1.1+, Chrome – v50+, Firefox – 46.0.1+, Internet Explorer – 11+, Mobile Safari – 9+
- Users are now deciding to buy software themselves. Old BPM was traditionally bought by the IT department – which tended to favour a large/boring company that met a set of “checkbox requirements”. That approach is not okay today. Shadow IT is exploding – it’s real and it’s unstoppable. If you’re running modern IT, it’s not “optional” to make UX, user adoption and user-driven buy-in the #1 factor to any procurement decision.
- Modern cloud tools are free to try by anyone, anytime. With Old BPM you had to call sales and wait for 50 questions just to look at it and finally decide it sucks. We’re happy to talk to IT about specific questions, second/third-line support, etc. but initially – please sign up to Tallyfy to let us know your initial questions. We look forward to engaging with IT for larger questions like SSO, security, etc.
- People want to share workflows with clients. With Old BPM you were stuck with trying to automate internal processes alone. Your clients would be very scared and run a mile from it. With Tallyfy – we provide a cloud-native, secure solution for external collaboration.
- People expect to integrate cloud tools without IT. With Old BPM you had to get engineers to write code to make a simple integration. That’s now become a drag-and-drop service. See the API section below as well. We support various integration-as-a-service products like Zapier, Microsoft Flow (Power Automate), etc.
- People expect to work on phones. This means giant, clunky flowcharts in Old BPM are dead – because they don’t fit on your phone’s screen – and only define “the perfect process”. Tallyfy can be used in most browsers on most devices.
- People are tired of flowcharts. Old BPM was all about the high priest telling you how a process can/will be done, and you would obey. Now – modern workers and teams are paid high salaries to collaborate. Dust off your legacy process maps and map them into non-flowchart equivalents in Tallyfy. If you have everything in BPMN – you can find most equivalents on Tallyfy.
- People expect all the benefits of the cloud. Old BPM was never cloud-born and was never designed for the cloud. And that creates a massive bunch of missed opportunities. Don’t settle for a legacy BPM vendor whose product reality and marketing/sales-talk are in totally different directions.
- Companies of all sizes need process management – and never had it. Since Old BPM was so expensive and complicated, only large companies could afford it. The rest of us were left out. Tallyfy is designed for any size of team or business. “BPM in 60 seconds” really has magical properties!
- People are excited about AI – but confused about where to begin. With Old BPM you have zero chance of using AI without an army of engineers. With cloud-born systems like Tallyfy – it’s child’s play to use any AI you like to run amazing automations for photos, voice, video and more. Ask us about how you can custom-extend our infrastructure to listen to an event firehose – using custom, serverless functions such as Lambda functions. You’ll be pleasantly surprised.
Key facts on our commitment to open integration
- Tallyfy guarantees open access to all data we hold via an open API.
- Tallyfy guarantees that we will always offer an open API to enable IT teams to freely integrate, push, pull and listen to data and events in our system. The future is not about closed systems.
- We support the extraction of data from our system as activity logs, so that you can analyze such data within your existing analytics and business intelligence platforms. We strongly believe that we should not provide you with native analytics, so that you can be in a much stronger position. Please read our reasoning for this decision here.
Key facts on our infrastructure
- Tallyfy is offered as a hosted cloud service only. This applies to both the API and the UI, which are, architecturally, entirely different. We do not offer on-premise installation. The benefits of this approach to customers are immense – since security, scaling, maintenance, threat mitigation and many other aspects are handled by our in-house team of expert sysadmins and developers. You can compare the cost of SaaS vs on-premise in numerous ways – like here. Note that this does not factor in the costs of skilled personnel needed to maintain an on-premise installation.
- Tallyfy was built API-first. We used modern development techniques from inception, and an API was not an after-thought. The API uses a load-balancer which automatically scales using Amazon’s auto-scaling.
- As a US company – we comply with US trade sanctions and laws. We use a highly scalable, serverless worker which executes on hundreds of edge locations throughout the globe, to inspect every packet coming into our client and API. A packet is dumped at the edge node if we refuse to serve the HTTPS request – it never even makes it to the origin. We deny all HTTP requests into our product from countries identified as being under trade sanctions under US law. All HTTPS packets arriving at our API are logged within 1-2 milliseconds at the edge via a third-party service called Moesif. As a US company – we are serious about doing business with you legally and securely. For this reason – we block entire countries from using our product at layer 7. You’ll find most other SaaS companies don’t do this but still say “we’re secure”. These blocks are implemented conservatively for legal, security and other reasons. We’re open to lifting blocks with adequate justification – so please contact us.
- Tallyfy’s user interface is a lightweight AngularJS front-end which is served via a content delivery network that covers the globe – Amazon CloudFront. All heavy lifting is done via the API. This also means that your in-house web development team can integrate anything they like into Tallyfy using our open REST API.
- Authentication with our API uses OAuth 2.0.
- We are entirely hosted on Amazon Web Services in the United States. We tend to use the us-west-2 (Oregon) region for AWS, but we often replicate data to other AWS locations within the US. For disaster recovery purposes – we use Amazon CloudFormation templates to guarantee precise provisioning and takedown of VM instances. Instances are always assumed to be temporary and shared-everything. The only permanent aspect of our infrastructure is our data sinks – such as our Multi-AZ database and static file stores, which have daily backups.
- To scale and run sessions and queues – we use Amazon services like DynamoDB and Amazon SQS.
- For our database – we use Amazon’s managed database services to run a tuned instance of Postgres. We chose Postgres because of its stricter ACID compliance and scaling attributes. Many of the largest companies in the world use Postgres, which is mature and well-tested. Backups of our database are daily and automated. No access to the database is possible from the outside web – it resides within a private subnet on AWS. We use Multi-AZ deployment for high availability.
- All data is encrypted in transit – for both the API and the UI.
- For an extra charge – we can offer data encryption at rest, in our multi-tenant database.
- For an extra charge – you can customize our native storage bucket to your own, and even use your own encryption key. This means nobody but you can access your files. In the case of Amazon S3 – this includes the ability to pick a region or jurisdiction that suits you in terms of data protection laws, etc.
- More information on our stack can be shared privately with qualified customers – since publicising such information is a security risk. We are also open to third-party vulnerability assessments on our API. If you could give us a time period in which you intend to do such testing – whether it’s load or penetration testing – that would be helpful to prevent misunderstandings and total blocks. Nobody likes waking up in the middle of the night to deal with a fake attack – although we’re ready!
- We challenge all requests from Tor exit nodes via our perimeter defense (Cloudflare).
- We block usage of weak cipher suites based on vulnerable protocols like TLS v1.0, TLS v1.1 and TLS v1.2.
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Tallyfy Client – How Packets Route
Tallyfy REST API – How Packets Route
Key facts on infrastructure monitoring
- Tallyfy uses AWS CloudWatch and CloudTrail for real-time alarms, alerts, monitoring and logging.
- We auto-scale our resources on AWS based on minute-by-minute demand. We maintain a status page with an incident history that’s run by a third-party provider – so we can’t influence data reported on it.
- We use Cloudflare as our perimeter defense against denial of service and similar attacks for our production systems – in particular, our API. Our API challenges requests from the same IP address if they exceed 40 requests per second, as a very primitive first line of defense to crude denial-of-service attacks. We’re aware botnets use far more sophisticated techniques, but that’s a separate problem.
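The per-IP threshold described above (more than 40 requests per second from one source gets challenged), as an added example that is not Tallyfy's own code: it replays constructed access-log lines through a one-second sliding window per source IP and reports which sources crossed the threshold and when. The log line format (`<epoch seconds> <ip> <request>`) is an assumption.

```python
# Added example (not Tallyfy's code). Log format and sample traffic are constructed.
from collections import defaultdict, deque

THRESHOLD = 40   # requests allowed per window before a source is challenged
WINDOW = 1.0     # window length in seconds


def flagged_ips(log_lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: timestamp} for each source whose request count inside any
    trailing window of `window` seconds exceeded `threshold`; the timestamp
    is the first request at which that happened. Lines must be time-ordered."""
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_lines:
        ts_str, ip, _request = line.split(" ", 2)
        ts = float(ts_str)
        q = windows[ip]
        q.append(ts)
        # Evict requests that have fallen out of the trailing window.
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def constructed_log():
    """Build sample lines: one bursty client (60 requests in 0.6 s) and one
    normal client (10 requests over 10 s), sorted by timestamp."""
    lines = []
    for i in range(60):
        lines.append(f"{1700000000 + i * 0.01:.2f} 203.0.113.9 GET /api/v1/runs")
    for i in range(10):
        lines.append(f"{1700000000 + i:.2f} 198.51.100.4 GET /api/v1/tasks")
    return sorted(lines, key=lambda l: float(l.split(" ", 1)[0]))


if __name__ == "__main__":
    print(flagged_ips(constructed_log()))
```

A production edge worker would additionally expire idle entries in `windows`; the example keeps every IP it has seen for simplicity.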
Key facts on user support, billing and 2nd line support
- We use a helpdesk platform called Helpscout to offer online ticketing.
- Tickets can be created by emailing us, through our support documentation, and within the client UI.
- For larger companies, our offering is geared to serve as 2nd or 3rd line support, although we can function as first-line support too. We assume your IT would be first-line support for business users.
- Our billing is run via a vendor called Recurly and under Recurly, we use Stripe to actually process payments. They are PCI compliant. We never store any billing information on our side.
- As part of our enterprise plans we offer phone support and/or live-chat support inside the client UI.
Key facts on release management and automated testing
- GitHub is used, along with feature branches to ensure clean merges of code.
- We employ strict QA for all commits, along with automated unit testing on our client UI. Our deployments are automated via Deploybot.
- Our releases go through a manual QA process on a staging environment before being released on production.
- We automatically capture API and UI client exceptions and issues through third-party products.
- A changelog of product updates is available here.
Key facts on SHA-2 support, TLS and DNS
- IE7 on Windows Vista (Windows XP not supported)
- Google Chrome on Windows Vista or OS X 10.5.7
- Safari 3.0 on Windows Vista or Mac OS X 10.5.6
- Mozilla Firefox 2.0
- Opera 8.0 (with TLS 1.1 enabled)
- BlackBerry 10
- Windows Phone 7
HSTS – strict requirements are enabled
HTTP Strict Transport Security (HSTS, RFC 6797) is a header which allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking. It allows a web server to declare a policy that browsers will only connect using secure HTTPS connections, and ensures end users do not “click through” critical security warnings. HSTS is an important security mechanism for high security websites. HSTS headers are only respected when served over HTTPS connections, not HTTP. Tallyfy is pre-loaded in major browsers (hard-coded) to strictly serve HTTPS via a strong HSTS policy. Our security testing results achieve an A+ grade from comprehensive tests on Qualys SSL Labs – shown below. You can also run these tests yourself at this URL.
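An added example, not Tallyfy's code, of what "a strong HSTS policy" means in practice: a parser for the `Strict-Transport-Security` header value as defined in RFC 6797, followed by a check against the browser preload-list requirements (a `max-age` of at least one year, `includeSubDomains`, and `preload`). It checks header contents only; the preload list's separate redirect rules are out of scope, and the sample header values are constructed.

```python
# Added example, not Tallyfy's code; the sample header values below are constructed.
ONE_YEAR = 31_536_000  # seconds; minimum max-age the preload list accepts


def parse_hsts(header_value):
    """Parse an RFC 6797 STS header value into a dict of directives."""
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # the max-age value may be quoted
        if name in directives:
            # RFC 6797 section 6.1: a directive must not appear more than once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    if not directives["max-age"].isdigit():
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


def preload_problems(header_value):
    """Return reasons a header fails the preload requirements (empty = eligible)."""
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if d["max-age"] < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample header values: a strict policy and two weaker ones.
STRICT = "max-age=63072000; includeSubDomains; preload"
WEAK_SHORT = "max-age=86400; includeSubDomains"
WEAK_NO_PRELOAD = "max-age=31536000"

if __name__ == "__main__":
    for h in (STRICT, WEAK_SHORT, WEAK_NO_PRELOAD):
        print(h, "->", preload_problems(h) or "eligible")
```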
We hope this page has shown you that we’re serious about security and that we’re willing to back that statement with hard evidence of what we actually do.