Personally Identifiable Information
As a data processor, Tulip assembles, retains, and processes the retailer’s client data, as well as the information of the sales associate. We use this information to provide safe and secure access to our services. With a dedicated team of engineers, state-of-the-art technology, and automated systems, we ensure complete data protection of all the information we hold. As a controller, Tulip also collects, retains, and processes data of its employees, potential employees, and contractors, along with prospective partners, leads, and customers.
Security and Compliance
Our information systems and infrastructure are hosted within SOC 2 accredited data centers. Tulip is compliant with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2) and re-attests this compliance annually. We work with a Qualified Security Assessor to ensure our PCI DSS compliance. We are also working towards ISO 27001 certification.
Our information security policies are regularly updated to ensure the privacy of our users’ database. The CTO and the employees responsible for information security policies are trained on compliance topics such as PCI and Secure Coding, and on any other skills they need to develop to ensure data security.
Dedicated Security Personnel
Tulip has a dedicated security team, which focuses on application, network, and system security. This team is also responsible for security compliance, education, and incident response.
Tulip’s database can only be accessed via a Virtual Private Network or an SSH query, and requires multi-factor authentication. We have a strong password policy, which involves complexity, expiration, and lockout. Tulip grants access to information on an as-needed basis and reviews permissions quarterly. After the termination of an employee, system access is revoked within 24 hours.
Tulip conducts background screening at the time of hiring (to the extent permitted or facilitated by applicable laws and countries). In addition, Tulip communicates its information security policies to all personnel, requires new employees to sign non-disclosure agreements, and provides ongoing privacy and security training.
Vulnerability Management and Penetration Tests
Tulip has deployed a documented vulnerability management program, which includes periodic scans, identification, and remediation of security vulnerabilities on workstations, network equipment, servers, and applications. We use a trusted third-party vendor to scan all networks, including test and production environments. Critical patches are fixed on priority, and other patches are fixed as required. We regularly conduct internal and external penetration tests to ensure our system is void of any vulnerability.