Legal
Partner Data Processing Addendum
Last updated: July 10, 2026
This Partner Data Processing Addendum (“Partner DPA”) forms part of the Partner Agreement between Tally Accounting Software Limited (“Tally”) and the Partner. It applies whenever a Partner sends personal data of its end users (“End Users”) to Tally through the Partner API. Terms in bold have the meanings given in the UK GDPR and EU GDPR.
01Roles of the parties
Tally and the Partner are independent controllers in respect of End User data transferred through the Partner API. The Partner is the controller of End User data on its own platform; Tally is the controller of that data once it is written into the End User's Tally account, which the End User separately holds under our Terms of Service and Privacy Policy.
This model reflects reality: Tally has its own direct relationship with the End User, gives them independent access to their data, and determines the essential means of processing inside Tally. The Partner determines the purposes and means of processing on the Partner's own platform. Neither party acts as a processor for the other in respect of that data.
02Scope and subject-matter
Subject-matter: the transmission of transactional information from the Partner's platform into the End User's Tally space and, at the Partner's option, the transmission of related documents. Duration: for as long as the Partner maintains an active connection for that End User, or until the End User revokes the connection.
Nature and purpose: helping the End User keep an accurate, consolidated ledger of their income and expenditure across the services they use.
03Data shared through the API
The Partner may transmit only the following categories of personal data through the Partner API:
- Amount and currency of a transaction.
- Date the transaction occurred.
- A free-text note describing the transaction (max 500 characters).
- A stable external identifier chosen by the Partner (for idempotency).
- Optional structured metadata as JSON.
- Optional supporting documents (invoices, receipts, statements, contracts, tax records).
The Partner will not include, in any field, End User names, email addresses, postal addresses, telephone numbers, government identifiers, payment card numbers, passwords, other credentials, or any special-category data (Article 9 UK/EU GDPR). See the Acceptable Use Policy for enforcement.
Categories of data subjects: the Partner's End Users who have chosen to enable the Tally integration.
04Lawful basis and End User transparency
The Partner will establish an appropriate lawful basis under Article 6 UK/EU GDPR before enabling a connection. The Partner will present a disclosure to the End User that (a) identifies Tally by name, (b) describes the categories of data listed in Section 3, (c) links to Tally's Privacy Policy, and (d) explains how the End User can pause or revoke the connection from either the Partner platform or Tally.
05Security measures
Each party will maintain appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) for all API traffic.
- Encryption at rest for data stored in Tally.
- Connection secrets stored only as salted hashes; never logged in plaintext.
- Least-privilege access controls with audit logging.
- Per-connection rate limiting and event logs surfaced to the End User.
- Regular vulnerability scanning and dependency monitoring.
- Documented incident-response and business-continuity procedures.
06Sub-processors used by Tally
Tally uses the following sub-processors to receive and store data from Partners:
- Supabase — database, authentication and file storage.
- Cloudflare — application hosting, edge compute and CDN.
- Stripe — subscription billing to End Users. No Partner-supplied End User data is shared with Stripe.
- Resend — transactional email to End Users.
Tally imposes data-protection obligations on each sub-processor no less protective than those in this Partner DPA. Changes to this list are published on our customer DPA with reasonable notice.
07International transfers
Where personal data is transferred outside the UK/EEA, both parties will implement an appropriate transfer mechanism, such as the UK International Data Transfer Addendum, the EU Standard Contractual Clauses (2021/914) between independent controllers (Module 1), or an adequacy decision, together with any supplementary measures required by the relevant regulator. By entering into this Partner DPA, each party is deemed to have entered into the applicable Standard Contractual Clauses in the Module 1 configuration to the extent required.
08Personal data breaches
Each party will notify the other without undue delay, and in any case within 72 hours of becoming aware, of a personal data breach affecting End User data transferred under this Partner DPA. Notice will describe the nature of the breach, the categories and approximate number of records concerned, the likely consequences, and the measures taken or proposed to address it.
09Data subject requests
Each party will handle End User requests (access, rectification, erasure, portability, restriction, objection, and withdrawal of consent) in respect of the data it controls. Tally handles requests for data held inside a Tally account through its normal in-product controls. Where an End User contacts one party but the request concerns data controlled by the other, the receiving party will direct the End User to the correct controller within a reasonable time.
10Retention and deletion
When an End User revokes a Partner connection or closes their Tally account, Tally will delete Partner-supplied personal data associated with that connection within 30 days, subject to encrypted backup rotation and any statutory retention requirements. The Partner is responsible for the retention and deletion of End User data held on its own platform.
11Audit
On reasonable written request no more than once every 12 months (except following a personal data breach), each party will respond in reasonable detail to a written security and privacy questionnaire from the other. On-site audits will be considered where a questionnaire is genuinely insufficient, subject to reasonable notice, confidentiality obligations and cost-recovery for time and materials.
12Order of precedence
To the extent of any conflict between this Partner DPA and the Partner Agreement, this Partner DPA prevails for matters of personal data protection. To the extent of any conflict between this Partner DPA and the Standard Contractual Clauses, those clauses prevail.
13Contact
Data-protection queries under this Partner DPA: privacy@tally.ac. Commercial queries: partners@tally.ac.
Questions about this document? Open a support ticket and we'll reply inside Tally.
Open a ticketTally Accounting Software Limited
Registered office: 20 Wenlock Road, London, N1 7GU, United Kingdom
Registered in England & Wales.
© 2026 Tally Accounting Software Limited. All rights reserved.