Security & Reliability — Tally Digital

Our approach

Three pillars

We operate on three principles: minimise what we hold, control who can reach it, and fail loudly if something breaks. Each of the controls below sits under one of these.

●

Minimise

The best way to keep sensitive data safe is to never ingest it in the first place. Personal notes, session content, and other non-essential fields are stripped at the boundary before the pipeline sees them. We call this privacy by elimination.

◐

Control

Every administrative surface sits behind Cloudflare Zero Trust with named-user access control and multi-factor authentication. No shared logins, no default passwords, no unguarded admin endpoints facing the public internet.

◑

Observe

Every production workflow is wired to an error-handler pipeline. Failures become an email in our inbox within minutes — not a client complaint three weeks later. You hear about incidents from us first.

Technical controls

What's in place

Honest status on every technical control. Live means it is in production today. In progress means we have a concrete plan and date.

TLS 1.2+ on every public endpoint. All client- and operator-facing surfaces terminate TLS at the Cloudflare edge; no unencrypted traffic is accepted. Live
Cloudflare Zero Trust on every admin surface. Dashboard access, workflow authoring, and infrastructure management sit behind a named-user allowlist with MFA. Public form endpoints are the only path without Access, by design — and those paths carry no credentials or admin rights. Live
Secrets encrypted at rest in the workflow engine. Credentials for Xero, Acuity, Google, SMTP, and every other integration are stored encrypted by the automation platform and never appear in logs, exports, or source files. Live
Privacy by elimination at the ingestion boundary. Fields that the business logic doesn't need — session notes, clinical free-text, phone numbers, location data — are explicitly dropped at the earliest node in every pipeline. They cannot propagate downstream because they never arrive. Live
Error-handler workflows on every production flow. Any failure — HTTP error, schema drift, credential expiry — triggers a notification, not a silent drop. Live
UPS and auto-reconnect on infrastructure. Our compute sits behind battery backup; the public tunnel reconnects automatically after network interruptions. Live
Encrypted backups, off-site, weekly. Nightly snapshots of workflow exports, configurations, and logs. Encrypted with a key we hold, stored in a separate datacentre region. Rolling out by end of Q2. In progress
Dataset-level encryption at rest. Underlying server volumes are encrypted by the host (Hetzner) by default. We're adding per-dataset encryption with keys we hold — rotated annually — for any sensitive client workload. In progress
Commercial EU hosting for production workloads. Production workflows run on Hetzner Cloud in Falkenstein/Nuremberg (EU). UK data stays in the EU adequacy zone; no transfers outside it without explicit contractual safeguards. Documented SLA and weekly automated snapshots. Live

Policy & compliance

How we meet UK GDPR

We treat every client engagement as if the ICO will audit it tomorrow. These are the policy and contractual controls that sit alongside the technical ones.

ICO registration. Tally Digital is registering with the Information Commissioner's Office as a data processor — the mandatory step for any UK business handling personal data on behalf of clients. Registration number published here once issued. In progress
Written Data Processing Agreement. A clear DPA template signed with every client engagement, spelling out: what data we process, lawful basis, retention, sub-processors, breach notification, and the client's audit rights. In progress
Clear roles: processor vs controller. We are a data processor for client business data (appointments, transactions, contacts) and a data controller only for our own records (invoicing you, supporting you). Never the reverse. Live
72-hour breach notification commitment. Any incident that materially risks client data gets communicated to the client within 72 hours of our detection, as required by UK GDPR Article 33. Live
Documented right-to-erasure and data-export process. When your client exercises their GDPR rights, we can help you fulfil them within the statutory window — with a documented process, not an ad-hoc scramble. In progress
Sub-processor transparency. The third-party services we rely on — Cloudflare, Xero, Google, Acuity, and so on — are each named in the DPA. You know exactly who can see what, and each one has its own published privacy posture. Live

Reliability

Honest uptime

We don't claim four nines. What we do claim, we can back up.

Target: 99.5% uptime on scheduled workflows. That's roughly 3.6 hours of downtime per month as the worst case. We measure it on every production flow via the error-handler pipeline, and we report it honestly to every client on the monthly review.

When an incident does happen — platform outage, API change, credential expiry — the sequence is: detect via error handler, notify the client, fix, document, and include it in the next review. Nothing gets quietly swept under a rug.

Every client engagement comes with a short written runbook covering what can go wrong, how we'd spot it, and what we'd do about it. If we can't explain the failure modes, we haven't understood the system.

How we look after your data.