// Trust & Security Report

    Tally (Tally B.V. / Tally, based in Ghent, Belgium) logo

    Tally (Tally B.V. / Tally, based in Ghent, Belgium)

    Tally.so - a free-first online form builder (single core product) with Free, Pro, and Business pricing tiers; includes an AI form-generation feature and an MCP server that connects Tally forms/submissions to AI assistants (Claude, ChatGPT, Cursor).

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR
    HELD

    Yes. Tally is based in Belgium (EU) and complies with the GDPR framework.

    Verify on tally.so
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    No public evidence on Tally's own domain. Tally's Data Processing Agreement states only that Tally 'reviews and obtains the third party's independent assurance reports or certificates where such is relevant and available (e.g. ISO 27001, ISO 27701 or SOC 2 Type II report)' - this describes vetting of Tally's subprocessors, not a certification Tally itself holds. No SOC 2 report, badge, or trust center exists on tally.so.

    source: tally.so
    ISO 27001
    NOT CONFIRMED

    No public evidence on Tally's own domain. Same DPA clause above references ISO 27001 only in the context of vetting subprocessors, not as a certification Tally holds itself.

    source: tally.so
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA compliance, a Business Associate Agreement (BAA), or HIPAA-eligible data handling anywhere on tally.so's privacy policy, GDPR page, DPA, or terms. No public evidence.

    source: tally.so
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on Tally's own domain. Tally supports payment-collection form blocks, which typically route through a PCI-compliant payment processor (e.g. Stripe) rather than Tally being PCI certified itself; Tally's own materials make no PCI claim.

    source: tally.so
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP anywhere on tally.so. No public evidence.

    source: tally.so
    CSA STAR
    NOT CONFIRMED

    No mention of CSA STAR anywhere on tally.so. No public evidence.

    source: tally.so
    ISO 27701
    NOT CONFIRMED

    Referenced in the DPA only as an example of the kind of certificate Tally checks for in its subprocessors ('e.g. ISO 27001, ISO 27701 or SOC 2 Type II report'), not as a certification Tally itself holds.

    source: tally.so
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No mention of ISO 42001 or any AI-governance certification on tally.so, including the dedicated ai-info page. No public evidence.

    source: tally.so

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    EU (Belgium/Europe) - 'Your data is stored on high-security servers within the European Union.'

    Tally's AI form-builder and MCP server integrate third-party foundation models (Claude, ChatGPT, Cursor) rather than a Tally-trained model. No statement was found on tally.so (privacy policy, terms, or the dedicated /ai-info page) confirming or denying whether form/submission data is used to train any model, and no opt-out mechanism is documented. Treat as unconfirmed rather than assume 'no training'.

    // Security controls

    Encryption in transit and at rest

    All Tally form data is encrypted both in transit and at rest.

    tally.so

    Data hosting region

    Data stored on high-security servers within the European Union; company is EU-based (Ghent, Belgium).

    tally.so

    Technical/organizational measures (per DPA)

    Multi-factor authentication for key resources, encryption at rest and in transit, anti-malware defenses, backups, logical access controls.

    tally.so

    Cookie policy

    Website only uses essential cookies; no cookie-based third-party tracking.

    tally.so

    Data deletion

    Deleted form data is permanently deleted from backups within 90 days.

    tally.so

    No data sale

    Tally will not sell, rent, distribute or otherwise make Personal Data commercially available to third parties.

    tally.so

    Account security (2FA)

    Two-factor authentication is available to secure a Tally account.

    tally.so

    // Products & data scope

    Tally FreeForm builder

    data: Unlimited forms and submissions within fair-usage limits; standard GDPR/DPA terms apply.

    No SSO, no dedicated data-retention controls, 10MB file upload limit.

    Tally Pro (€20/mo)Form builder - paid tier

    data: Same data handling as Free; adds custom domains, unlimited file uploads, analytics, version history.

    No additional security certifications documented for this tier.

    Tally Business (€65/mo)Form builder - highest published tier

    data: Adds data-retention controls for privacy compliance and email verification for lead quality.

    Closest tier to an 'enterprise' offering, but no SSO, BAA, or formal compliance certifications are advertised even at this tier.

    Tally MCP / AI integrationsAI connector

    data: Exposes form structure and submission data to connected AI assistants (Claude, ChatGPT, Cursor) via the Model Context Protocol.

    No vendor documentation found describing data retention, training use, or security boundaries specific to this integration - flagged as a gap.

    // What to watch

    • No dedicated trust/security center exists on tally.so - security posture had to be pieced together from the GDPR help page, privacy policy, DPA, and cookie policy.
    • Third-party aggregator sites (e.g. a subprocessor-tracking directory and a security-profile site) claim Tally is 'SOC 2 Compliant, ISO 27001 Compliant, PCI Compliant, HIPAA Compliant, FedRAMP Compliant, and CSA STAR Level 1 Compliant.' These claims do NOT appear anywhere on tally.so and are contradicted by Tally's own DPA, which only says it vets subprocessors for such certifications - this looks like a host/subprocessor-vs-vendor conflation or an inaccurate third-party listing. Do not surface these certs as held without a primary Tally source (e.g. a signed report or direct vendor confirmation).
    • No public statement on whether Tally's AI features (AI form generation, MCP server) train models on customer data, or any opt-out - flagged as an open gap rather than assumed either way.
    • No BAA or HIPAA statement found; do not list Tally as HIPAA-suitable for PHI intake.

    // At a glance

    Pricing model

    Freemium SaaS - Free tier plus Pro (€20/mo) and Business (€65/mo) paid tiers; no published Enterprise plan.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tally (Tally B.V. / Tally, based in Ghent, Belgium)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    tally.so

    > Browse all vendor trust reports