Data protection approach
TallyArk is designed around organization-scoped records. Internal users can access records according to their role inside an organization, while platform support access is intended to be limited and auditable.
The product handles business data such as organization profiles, clients, vendors, invoices, quotations, payment records, email logs, audit logs, portal shares, and comments.
Controller and processor roles
For most workspace content entered by an organization, the organization is the controller of that data and TallyArk acts as a processor providing the software service.
For account administration, security, platform operations, website contact forms, and direct support requests, TallyArk may act as an independent controller.
Security controls
TallyArk uses role-based permissions, organization boundaries, email verification, httpOnly authentication cookies, server-side validation, rate limiting, private database networking in production, and audit/event records for important account and document activity.
Production deployments should use HTTPS, strong secrets, restricted database access, tested backups, and a carefully controlled platform admin account.
Subprocessors
Depending on production configuration, TallyArk may rely on subprocessors for hosting, database infrastructure, SMTP email delivery, payment processing, DNS, security, backups, and monitoring.
Stripe may process payment data when card payment features are enabled. SMTP providers process outbound invoice, quotation, verification, and notification emails.
Data location and transfers
The location of stored data depends on the hosting provider and production deployment selected for TallyArk.
Before a broad launch, confirm hosting region, backup region, email provider region, payment provider terms, and any cross-border transfer requirements that apply to your customers.
Deletion and export
Authorized organization users can delete or update many business records through the app, subject to role permissions and product rules.
For organization-level export, deletion, or access requests, contact TallyArk with the organization name, account email, and the nature of the request.
Incident handling
If a security or data protection issue is discovered, TallyArk should investigate, reduce further exposure, preserve relevant logs, notify affected customers when required, and take corrective action.
Users should report suspected unauthorized access, incorrect sharing, or suspicious account activity as soon as possible.