Security

Where we are, plainly.

Last reviewed:

TallyUp holds financial knowledge for a living, so we treat the handling of your data as part of the product working, not as a feature of it. This page says honestly where we are — and stays short on purpose.

Our posture

We are an early-stage company and do not yet hold a SOC 2, ISO 27001, or other third-party attestation. We'd rather say that in one sentence than dress it up.

What we can say plainly: customer data is kept separated by workspace; credentials for the systems you connect are handled as secrets, apart from your business records, and are never shown back to you in the product; and access to production systems is limited to the people who operate the service. The record itself is built on the open standards the financial world already runs on — a design conviction, not a compliance checkbox.

We deliberately don't publish implementation internals here. Mechanisms change as the system improves, and a page of stale machinery reassures no one. If your evaluation needs specifics, ask us directly — a real answer about today beats a published answer about last quarter.

Reporting a vulnerability

If you believe you've found a security issue, write to security@tallyupnow.com — also published at /.well-known/security.txt (RFC 9116). A person reads that mailbox; we'll acknowledge your report and work with you in good faith. Please give us a reasonable window to fix the issue before public disclosure.