Tulip and the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC to safeguard European Union data subjects’ basic right to privacy and therefore the protection of private data. The regulation was designed to harmonize data privacy laws throughout Europe, to safeguard and empower all EU citizens’ privacy, and to reshape the means by which organizations across the region approach data privacy. This regulation introduces robust requirements which will raise standards for data protection, security, and compliance. Enforcement Date: May 25, 2018.

Protecting customer data and individuals’ rights to privacy and security is a top priority for Tulip, and we are committed to partnering with retailers to comply with GDPR.

Ali Asaria, CEO at Tulip

Our Commitment

As your partner, Tulip wants to help you make your GDPR compliance process as seamless as possible and accelerate your efforts. Our commitment to protecting customer data makes it essential for us to comply with all the GDPR requirements. We provide companies who do business with us with transparency and control of their customer data so that compliance with regulations like the General Data Protection Regulation is straightforward.

Our Work

We strive to ensure the security and privacy of the data we process and store. This section describes the procedures we follow: the steps we take to secure data and ensure compliance with security and privacy regulations.

Personally Identifiable Information

As a data processor, Tulip assembles, retains, and processes the retailer’s client data, as well as the information of the sales associate. We use this information to provide safe and secure access to our services. With a dedicated team of engineers, state-of-the-art technology, and automated systems, we ensure complete data protection of all the information we hold. As a controller, Tulip also collects, retains, and processes data of its employees, potential employees and contractors, along with prospective partners, leads, and customers.

Security and Compliance

Our information systems and infrastructure are hosted within SOC 2 accredited data centers. Tulip is compliant with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2) and re-attests this compliance annually. We work with a Qualified Security Assessor to ensure our PCI DSS compliance. In addition to this, we are also working towards a SOC 2 report.

Security Policies

Our information security policies are regularly updated to ensure the privacy of our users’ database. The CTO and employees responsible for information security policies are trained on compliance topics like PCI and Secure Coding, and on any other skills they need to develop to ensure data security.

Dedicated Security Personnel

Tulip has a dedicated security team, which focuses on applications, networks, and system security. This team is also responsible for security compliance, education and incident response.

Access Control

Tulip’s database can only be accessed via a Virtual Private Network or an SSH query, and requires multi-factor authentication. We have a strong password policy, which involves complexity, expiration, and lockout. Tulip grants access to information on an as-needed basis and reviews permissions quarterly. After the termination of an employee, system access is revoked within 24 hours.


Tulip conducts background screening at the time of hiring (to the extent permitted or facilitated by applicable laws and countries). In addition, Tulip communicates its information security policies to all personnel, requires new employees to sign non-disclosure agreements, and provides ongoing privacy and security training.

Vulnerability Management and Penetration Tests

Tulip has deployed a documented vulnerability management program, which includes periodic scans and the identification and remediation of security vulnerabilities on workstations, network equipment, servers, and applications. We use a trusted third-party vendor to scan all networks, including test and production environments. Critical patches are handled on a priority basis and other patches are handled as required. We regularly conduct internal and external penetration tests to ensure our system is free of vulnerabilities.


Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten. Developers are formally trained in secure web application development practices upon hire and annually. Development, testing, and production environments are separated. All changes are peer-reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.


Tulip encrypts data in transit using secure TLS cryptographic protocols.

Logging and Auditing

All logs from applications and infrastructure systems are sent to a centrally managed log repository for analysis, security reviews and troubleshooting. In addition, the repository preserves the information as per regulatory requirements. This information can be shared with customers if a security incident occurs that may, directly or indirectly, impact their data.

Asset Management

Tulip incorporates an asset management policy, which includes identification, classification, retention, and disposal of information and assets. Devices and systems issued by Tulip are equipped with the best antivirus software and complete hard-disk encryption. Company-issued devices will be used to access production networks and corporate data.

Information Security Aspects of Business Continuity Management

Tulip adheres to complete guidelines and policies for maintaining security incident response, including investigation, remediation and public communication. These policies are checked every six months.

GDPR Compliance

We ensure that all the services and resources we offer are compliant with the GDPR requirements of any business associated with us. By engaging with MNP LLP, Tulip continues to align and work towards GDPR compliance.


Tulip is subject to the General Data Protection Regulation and other privacy and security frameworks and regulations. Under those regulations, we are required to respond to data subject requests and concerns. To date, Tulip has not received any relevant requests, concerns or complaints from data subjects, advocacy groups or regulators.


What is GDPR?

The GDPR is a general data protection law intended to ensure the safety of customers’ data in EU countries. It will replace the old Data Protection Directive 95/46/EC.

What is regulated by GDPR?

The GDPR will ensure that all businesses, irrespective of their physical presence within the EU, adhere to the regulations imposed by the law when collecting, storing and transferring the data of EU individuals.

What is personal data?

Personal data, as explained by the GDPR, is a broad term that covers any information relating to an identified or identifiable data subject.

What is the difference between a data processor and a data controller?

A controller is defined as an entity that identifies the purpose, conditions, and means of the personal data protection process. A data processor, on the other hand, is a unit that is responsible for processing the personal data in support of the controller.

Does the GDPR require EU personal data to stay in the EU?

No, the GDPR doesn’t require personal data to remain within the EU, nor does it enforce any restrictions on data outside the EU. Tulip’s data processing requirements and reference to the European Commission’s model clauses will continue to enable customers to legitimize the transmission of EU personal data outside the physical boundaries of the EU.