Security

Security Practices at Tulip

This page provides a summary of security practices at Tulip, both with regards to security functionality of the product and platform and company practices for secure software development and operations.

Internal Security Practices

Tulip operates under a formal information security program compliant with the Payment Card Industry Data Security Standard. Our software is developed, maintained, and operated under an Information Security Policy that includes a Secure Software Development Policy and an IT and Operations Policy.

Tulip’s Platform is deployed in Google Cloud Platform, through the GKE Kubernetes service. We leverage the security advantages of containers (minimal required access, short lifetimes, and ease of monitoring) together with infrastructure-as-code methodologies to ensure we understand what is running in our containers at all times.

We follow industry best practices throughout – two-factor authentication throughout our internal systems; role-based access control; next generation anti-virus; container behavior monitoring; principle of least privilege; encryption of data at rest and in transit; vulnerability and patch management based on CVSS; and formal information handling policies and processes.

We monitor and test our systems for security issues using a combination of container monitoring; log aggregation; Security Information and Event Management (SIEM); static code analysis and software composition analysis tools; dynamic security testing tools; twice-yearly external penetration testing; PCI Approved Scanning Vendor (ASV) automated scanning tools; and other industry-standard tools and practices.

Tulip operates an internal privacy program that is compliant with the European Union’s General Data Protection Regulation (GDPR); Canada’s PIPEDA; the California Consumer Privacy Act (CCPA); and other applicable regulations and laws. Tulip’s internal security practices are designed and tested to produce and operate a secure, scalable, modern platform.

Platform Security and Privacy Functionality

The Tulip Platform is intended to support Tulip’s customers in providing scalable, secure, privacy regulation compliant access to data for customer associates and other personnel.

Tulip supports Single Sign-On (SSO) through SAML, allowing our retailer customers to control the sign-on experience. We restrict access to functionality based on user role (associates vs. managers). Additionally, we offer retailers self-service functionality, including privacy regulation (GDPR/CCPA) Data Subject Request handling through a restricted portal.

Our customer capture functionality has been designed to be compliant with GDPR/CCPA opt-in/opt-out requirements and to capture consent and evidence appropriately within the system.

Our Checkout functionality operates through third-party payment processors, ensuring that Tulip never has access to credit card information. Because Tulip is outside the Cardholder Data Environment, PCI compliance with Tulip is easier and more straightforward.

The Tulip iOS applications integrate well with retailer Mobile Device Management (MDM) systems, and we recommend deploying our application through those services.

Tulip’s platform is well positioned to provide secure and compliant access to critical information.

More information

Tulip regularly works with retailers to ensure we can coordinate on joint security compliance. To learn more about our security team and practices, or to ask additional questions, please contact your customer success or support representative, who can put you in touch.