Security at Tallo

Last updated: May 1, 2026

Tallo handles some of the most sensitive data in an organization — employee records, compensation, benefits, and people analytics. We treat protecting that data as core to our product, not as an afterthought. This page summarizes the practices, controls, and certifications we use to keep customer data safe.

01

Our approach to compliance

Tallo's security program is built around the controls and principles that underpin recognized industry standards, including SOC 2, GDPR, CCPA, and HIPAA. We are actively maturing our program with the goal of pursuing formal attestations and certifications as we grow.

If your organization has specific compliance requirements or due-diligence questions, we're happy to walk through our current controls and roadmap.

02

Data encryption

In transit: All connections to the Services use TLS 1.2 or higher with modern cipher suites. Internal service-to-service traffic is also encrypted.

At rest: Customer Data is encrypted at rest using AES-256. Encryption keys are managed by our cloud provider's key management service, with strict access controls and automatic rotation.

03

Infrastructure security

Tallo runs on top-tier cloud infrastructure with physical security, redundancy, and environmental controls managed by the underlying provider. Production environments are logically isolated from development and staging, deployed through automated CI/CD pipelines, and protected by network segmentation, web application firewalls, and continuous vulnerability scanning.

04

Access control

Access to production systems is restricted to a small number of authorized engineers and requires:

  • Single sign-on with mandatory multi-factor authentication.
  • Role-based access following the principle of least privilege.
  • Time-bound, audited privileged access for break-glass scenarios.
  • Quarterly access reviews and prompt deprovisioning upon role change or departure.

For customers, Tallo supports SSO (SAML 2.0 and OIDC), SCIM provisioning, and granular role-based permissions inside the product.

05

Application security

We follow a secure software development lifecycle that includes peer code review, automated static analysis, dependency scanning, secrets scanning, and regular third-party penetration testing. Findings are tracked, prioritized by severity, and remediated against defined SLAs.

06

Availability and resilience

Production services are deployed across multiple availability zones with automated failover and 24/7 monitoring. Customer Data is backed up regularly, with backups encrypted and periodically tested for restoration. Our disaster recovery plan is reviewed and tested at least annually.

07

Personnel security

All Tallo employees undergo background checks where permitted by law, sign confidentiality agreements, and complete security and privacy training upon hire and annually thereafter. Engineers handling production systems receive additional training on secure development and data handling.

08

Sub-processors

We use a limited set of vetted sub-processors to deliver the Services. Each is reviewed for security, privacy, and compliance posture, and bound by contractual data protection terms. A current list of sub-processors is available on request.

09

Incident response

Tallo maintains a documented incident response plan with defined roles, severity levels, and communication protocols. In the event of a confirmed security incident affecting customer data, we will notify impacted customers without undue delay and in accordance with applicable law and contractual commitments.

10

Responsible disclosure

We welcome reports from the security community. If you believe you have found a vulnerability in Tallo, please reach out through our contact form with details and steps to reproduce. We will acknowledge your report, investigate promptly, and keep you informed of remediation. We commit not to pursue legal action against researchers who act in good faith and follow this process.

11

Contact

For security questions, documentation requests, or to report an issue, please reach out through our contact form.