// Trust & Security Report
Tally (Tally B.V. / Tally, based in Ghent, Belgium)
Tally.so - a free-first online form builder (single core product) with Free, Pro, and Business pricing tiers; includes an AI form-generation feature and an MCP server that connects Tally forms/submissions to AI assistants (Claude, ChatGPT, Cursor).
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on tally.so“Yes. Tally is based in Belgium (EU) and complies with the GDPR framework.”
> Show 8 unconfirmed / not-held certifications
source: tally.soNo public evidence on Tally's own domain. Tally's Data Processing Agreement states only that Tally 'reviews and obtains the third party's independent assurance reports or certificates where such is relevant and available (e.g. ISO 27001, ISO 27701 or SOC 2 Type II report)' - this describes vetting of Tally's subprocessors, not a certification Tally itself holds. No SOC 2 report, badge, or trust center exists on tally.so.
source: tally.soNo public evidence on Tally's own domain. Same DPA clause above references ISO 27001 only in the context of vetting subprocessors, not as a certification Tally holds itself.
source: tally.soNo mention of HIPAA compliance, a Business Associate Agreement (BAA), or HIPAA-eligible data handling anywhere on tally.so's privacy policy, GDPR page, DPA, or terms. No public evidence.
source: tally.soNo public evidence of PCI DSS certification on Tally's own domain. Tally supports payment-collection form blocks, which typically route through a PCI-compliant payment processor (e.g. Stripe) rather than Tally being PCI certified itself; Tally's own materials make no PCI claim.
source: tally.soNo mention of CSA STAR anywhere on tally.so. No public evidence.
source: tally.soReferenced in the DPA only as an example of the kind of certificate Tally checks for in its subprocessors ('e.g. ISO 27001, ISO 27701 or SOC 2 Type II report'), not as a certification Tally itself holds.
source: tally.soNo mention of ISO 42001 or any AI-governance certification on tally.so, including the dedicated ai-info page. No public evidence.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
EU (Belgium/Europe) - 'Your data is stored on high-security servers within the European Union.'
Tally's AI form-builder and MCP server integrate third-party foundation models (Claude, ChatGPT, Cursor) rather than a Tally-trained model. No statement was found on tally.so (privacy policy, terms, or the dedicated /ai-info page) confirming or denying whether form/submission data is used to train any model, and no opt-out mechanism is documented. Treat as unconfirmed rather than assume 'no training'.
// Security controls
Encryption in transit and at rest
All Tally form data is encrypted both in transit and at rest.
tally.soData hosting region
Data stored on high-security servers within the European Union; company is EU-based (Ghent, Belgium).
tally.soTechnical/organizational measures (per DPA)
Multi-factor authentication for key resources, encryption at rest and in transit, anti-malware defenses, backups, logical access controls.
tally.soNo data sale
Tally will not sell, rent, distribute or otherwise make Personal Data commercially available to third parties.
tally.so// Products & data scope
data: Unlimited forms and submissions within fair-usage limits; standard GDPR/DPA terms apply.
No SSO, no dedicated data-retention controls, 10MB file upload limit.
data: Same data handling as Free; adds custom domains, unlimited file uploads, analytics, version history.
No additional security certifications documented for this tier.
data: Adds data-retention controls for privacy compliance and email verification for lead quality.
Closest tier to an 'enterprise' offering, but no SSO, BAA, or formal compliance certifications are advertised even at this tier.
data: Exposes form structure and submission data to connected AI assistants (Claude, ChatGPT, Cursor) via the Model Context Protocol.
No vendor documentation found describing data retention, training use, or security boundaries specific to this integration - flagged as a gap.
// What to watch
- No dedicated trust/security center exists on tally.so - security posture had to be pieced together from the GDPR help page, privacy policy, DPA, and cookie policy.
- Third-party aggregator sites (e.g. a subprocessor-tracking directory and a security-profile site) claim Tally is 'SOC 2 Compliant, ISO 27001 Compliant, PCI Compliant, HIPAA Compliant, FedRAMP Compliant, and CSA STAR Level 1 Compliant.' These claims do NOT appear anywhere on tally.so and are contradicted by Tally's own DPA, which only says it vets subprocessors for such certifications - this looks like a host/subprocessor-vs-vendor conflation or an inaccurate third-party listing. Do not surface these certs as held without a primary Tally source (e.g. a signed report or direct vendor confirmation).
- No public statement on whether Tally's AI features (AI form generation, MCP server) train models on customer data, or any opt-out - flagged as an open gap rather than assumed either way.
- No BAA or HIPAA statement found; do not list Tally as HIPAA-suitable for PHI intake.
// At a glance
Pricing model
Freemium SaaS - Free tier plus Pro (€20/mo) and Business (€65/mo) paid tiers; no published Enterprise plan.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Tally (Tally B.V. / Tally, based in Ghent, Belgium)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
tally.so