Enterprise-Grade Security
Tolly handles sensitive compensation and meeting data. We take that responsibility seriously with multiple layers of protection.
SOC 2 Type II Compliance
Tolly is built to meet SOC 2 Type II standards for security, availability, and confidentiality. We undergo regular third-party audits to verify our controls and processes.
Encryption in Transit and at Rest
All data is encrypted in transit with TLS 1.3 and at rest with AES-256 encryption. Database connections use encrypted channels, and backups are encrypted with separate key material.
Per-Org Key Encryption for Salary Data
Compensation data is the most sensitive information in Tolly. Each organization's salary data is encrypted with a unique, per-tenant key, so keys are never shared between tenants. Even in the unlikely event of a breach, a compromise of one organization's key or data does not expose another organization's data.
GDPR and CCPA Compliance
Tolly supports data subject access requests, right to deletion, and data portability. Our Data Processing Agreement (DPA) is available for enterprise customers upon request.
Data Residency Options
For enterprise customers with regulatory requirements, we offer data residency options to ensure your data stays within specific geographic regions. Available for US and EU deployments.
Infrastructure Security
Tolly runs on hardened cloud infrastructure with network isolation, intrusion detection, automated vulnerability scanning, and 24/7 monitoring. All access is logged and auditable.
Our Security Commitments
We never sell your data. Your meeting and compensation data is used solely to provide Tolly's intelligence features. Aggregated, anonymized benchmarks are only published at cohort level.
We practice least-privilege access. Internal access to customer data is restricted to the minimum needed for the task, is logged, and requires multi-factor authentication. We apply the principle of least privilege across all systems.
We respond to vulnerabilities fast. If you discover a security issue, please report it to security@trytolly.ai. We commit to acknowledging reports within 24 hours and providing a resolution timeline within 72 hours.
Have security questions?
Our team is happy to walk through our security posture, provide our SOC 2 report, or discuss your specific requirements.