With cybersecurity threats and data breaches still a concern for consumers and businesses around the world, it’s more important than ever for retailers to ensure that their data security and privacy compliance meets the highest standards. Tulip’s global customers need to be compliant with many different privacy and security regulations, and to support their needs, Tulip follows a wide range of industry best practices in cybersecurity.
When companies don’t have their own security office, they may face risks of exposure. In these cases, they must rely on their vendors to be compliant with various international privacy regulations. It’s essential to note, however, that companies retain responsibility for the data they collect, even when it is handled by third parties, and that failure to comply with these regulations can result in steep financial penalties. Here’s what to look for in a vendor:
Internal security
Tulip follows a formal information security program that is compliant with PCI DSS (Payment Card Industry Data Security Standard). This information security program governs how we develop, maintain, and operate our software. It also includes a secure software development policy and an IT and operations policy.
Tulip’s platform is securely deployed in Google Cloud Platform. We leverage the advantages of container security: access is permissions-based, containers are easy to monitor, and because containers are transient, attackers cannot gain a lasting foothold in the data. Using these methodologies, we’re able to understand what is running on our containers at all times.
Tulip also follows industry best practices in all areas of information security. Here are some of the highlights:
- Two-factor authentication deployed in every internal system.
- Role-based access control prevents unauthorized access.
- Next-generation anti-virus protection.
- All data is encrypted at all times, both at rest and in transit.
- Vulnerability and patch management is prioritized using CVSS (Common Vulnerability Scoring System) scores.
- Formal information handling policies and processes are in place and are regularly updated.
- Security information and event monitoring is in place.
- External penetration testing conducted twice yearly.
Tulip’s internal privacy program is compliant with the EU’s GDPR (General Data Protection Regulation), Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act), and California’s CCPA (California Consumer Privacy Act). Tulip is also compliant with other applicable regulations and laws, and our internal security practices are designed and tested to produce and operate a secure, scalable, modern platform.
Platform security and privacy functionality
The Tulip Platform supports Tulip’s customers by providing access to data for customer associates and other personnel that is scalable, secure, and compliant with privacy regulations. Tulip supports single sign-on (SSO) through SAML, so our retailer customers can control the sign-on experience. Access to functionality is restricted based on user role, so managers have greater access than associates.
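To show the kind of role-based restriction described above (a manager inheriting everything an associate may do plus more, with the role chosen from a SAML group attribute), here is an added example that is not Tulip's code. The role names, permission strings, identity-provider group names and the functions effective_permissions, is_allowed, role_from_saml_groups and authorize are all assumptions for the illustration.

```python
from typing import Optional

# Roles, their parents and their directly granted permissions are assumed
# values for this example; they are not Tulip's actual role model.
ROLE_PARENTS = {
    "associate": [],
    "manager": ["associate"],
    "admin": ["manager"],
}
ROLE_PERMISSIONS = {
    "associate": {"customer:read", "appointment:create"},
    "manager": {"customer:export", "report:read"},
    "admin": {"user:manage"},
}
# Assumed mapping from identity-provider group names (delivered in a SAML
# attribute after sign-on) to application roles.
SAML_GROUP_TO_ROLE = {
    "store-staff": "associate",
    "store-managers": "manager",
    "platform-admins": "admin",
}
ROLE_RANK = {"associate": 1, "manager": 2, "admin": 3}


def effective_permissions(role: str) -> frozenset:
    """Permissions granted to a role directly or through its parent roles."""
    if role not in ROLE_PARENTS:
        return frozenset()  # unknown role -> no permissions at all
    granted, pending, seen = set(), [role], set()
    while pending:
        current = pending.pop()
        if current in seen:
            continue  # guards against cycles in a misconfigured hierarchy
        seen.add(current)
        granted |= ROLE_PERMISSIONS.get(current, set())
        pending.extend(ROLE_PARENTS.get(current, []))
    return frozenset(granted)


def is_allowed(role: str, permission: str) -> bool:
    """Deny by default: only an explicitly granted permission passes."""
    return permission in effective_permissions(role)


def role_from_saml_groups(groups) -> Optional[str]:
    """Pick the single highest-ranked role that the user's IdP groups map to."""
    mapped = [SAML_GROUP_TO_ROLE[g] for g in groups if g in SAML_GROUP_TO_ROLE]
    if not mapped:
        return None  # no recognised group -> the user gets no role
    return max(mapped, key=ROLE_RANK.__getitem__)


def authorize(groups, permission: str) -> bool:
    """Full check for one request: resolve the role, then the permission."""
    role = role_from_saml_groups(groups)
    return role is not None and is_allowed(role, permission)


if __name__ == "__main__":
    # Constructed SAML group lists for two sample users.
    for user_groups in (["store-staff"], ["store-staff", "store-managers"]):
        role = role_from_saml_groups(user_groups)
        print(role, sorted(effective_permissions(role)))
```

Two properties matter for a reviewer: an unrecognised group or role yields no access rather than a default role, and every permission check resolves through the hierarchy, so a new permission granted to associates reaches managers without a second grant.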
We also support retailers by offering self-service functionality, including privacy regulation (GDPR/CCPA) Data Subject Request handling through a restricted portal. Our customer capture functionality has been designed to be compliant with GDPR/CCPA opt-in/opt-out requirements, and it captures consent and the supporting evidence within the system. In addition, our checkout functionality operates through third-party payment processors, so Tulip never has access to credit card information. This makes PCI compliance easier and more straightforward with Tulip, since cardholder data stays outside our environment. Finally, the Tulip iOS applications integrate well with retailer mobile device management systems, and we recommend deploying our application through those services.
Always look for a vendor that meets or exceeds these requirements. We can work with you to make good security decisions.