Legal
Partner Acceptable Use Policy
Last updated: July 10, 2026
This Acceptable Use Policy (“AUP”) applies to every partner that accesses the Tally Partner API. It is incorporated into the Partner Agreement and Partner DPA. Breach of this AUP is a material breach of the Partner Agreement and may result in immediate suspension or termination.
01Credentials and access
- Keep partner API keys and per-user connection secrets confidential; treat them at least as carefully as a customer credential.
- Do not share, resell, sublicense, or transfer credentials.
- Rotate credentials on suspected compromise and notify us within 72 hours.
- Use one connection per end user; do not multiplex many end users through a single connection.
02Prohibited data
You must not send, and Tally will not knowingly accept, the following through any field of the Partner API, including note and metadata:
- Names, email addresses, postal addresses, or phone numbers of end users or third parties.
- Government identifiers (passport, national insurance, social security, tax IDs beyond what an uploaded tax form legitimately contains).
- Payment card numbers, bank account numbers, CVV values, or any cardholder data as defined by PCI-DSS.
- Passwords, session tokens, API keys, or other credentials.
- Special-category personal data under Article 9 UK/EU GDPR — racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data about sexual orientation.
- Content of a minor where age verification has not been performed on your side.
Where a document upload legitimately contains such data (for example a signed contract with names), the Partner remains responsible for having a lawful basis and for informing the End User in advance.
03Prohibited use cases
- Illegal activity, or facilitating illegal activity, in any jurisdiction where the End User or Partner operates.
- Transactions on behalf of parties subject to comprehensive sanctions administered by the UK, EU, US OFAC, or United Nations.
- Adult content platforms, weapons, controlled substances, or "high risk" categories under card-scheme rules, unless expressly agreed with Tally in writing.
- Gambling, betting, or lottery services without prior written approval.
- Scraping End User data out of Tally back to the Partner platform via the API or otherwise.
- Reverse engineering the API to build a competing product.
04Honest integrations
- Clearly disclose to End Users which platform Tally is, what data is shared, and how to disconnect. A footer link is not enough — the disclosure must be part of the enable/connect flow.
- Do not imply that Tally endorses, certifies, or is affiliated with your business beyond the technical integration.
- Do not use Tally trademarks in a way that could confuse a reasonable user about the source of a product or service.
- Do not push spend or earn entries that do not correspond to real transactions on your platform ("stuffing" the End User's ledger to inflate a metric).
05Fair use of the API
- Respect published rate limits (currently 600 entries/min and 60 document uploads/min per connection). Retry with exponential backoff, honour
Retry-After, and cap retries. - Send an
external_idderived from a stable source identifier — never a timestamp alone. Retries with the sameexternal_idmust represent the same source event. - Send amounts in the smallest currency unit as integers. Do not send floats. Do not fabricate currencies or amounts.
- Send documents no larger than 10 MB in a supported MIME type. Do not use the documents endpoint to store arbitrary blobs unrelated to the End User's ledger.
06Security and abuse
- Do not attempt to probe, scan, or bypass the security of the Tally API or infrastructure beyond the scope of a coordinated disclosure programme.
- Report vulnerabilities to security@tally.ac. Give us reasonable time to remediate before public disclosure.
- Do not upload material that contains malware, exploits, or is otherwise designed to harm Tally, Tally users, or third parties.
07Enforcement
Tally's standard enforcement path for AUP breach is:
- Notice — we email the registered contact with a description of the issue and a reasonable window to remediate.
- Pause — we pause the affected connection or key. Requests return
403 connection_paused. - Revocation — we revoke the key or connection and, where appropriate, remove the marketplace listing.
For serious breach — active security incident, clearly illegal use, exfiltration of End User data, or repeated wilful violation — Tally may skip directly to pause or revocation. We may also notify affected End Users and, where required, regulators or law enforcement.
08Changes
We may update this AUP as the API and the abuse landscape evolve. Material changes will be published on this page and, where the change materially reduces what you may do with the API, emailed to the registered partner contact at least 30 days before the change takes effect.
Questions about this document? Open a support ticket and we'll reply inside Tally.
Open a ticketTally Accounting Software Limited
Registered office: 20 Wenlock Road, London, N1 7GU, United Kingdom
Registered in England & Wales.
© 2026 Tally Accounting Software Limited. All rights reserved.