Most Tulip customers use frontline operations apps to capture data from their production lines. This means that many devices running Tulip software need to communicate with your company’s network to store and potentially retrieve data.

This opens up many new security considerations since both operators and manufacturing engineers will be using Tulip. These security considerations occur across multiple levels of the Tulip platform and your network:

  • Server-level: Where are the servers that are running Tulip and storing your data?

  • Network-level: How can individual tablets, laptops and machines communicate with servers running Tulip?

  • Account-level: Who can access and modify data in a Tulip account?

  • IoT Gateway-level: How do your IoT Gateways share data with the Tulip Platform?

  • Tulip app-level: Who can access and modify each Tulip app?

  • Device-level: Who is allowed to access Tulip on a laptop or tablet that is running Tulip software? 

Here is a quick guide to the ways that Tulip addresses each of the above categories. 

These strategies will cover both security and compliance requirements.

Server Level

There are three ways to deploy Tulip software- on premises, in the Amazon Web Services (AWS) cloud and private cloud. 

If you would like to deploy Tulip on premises, Tulip team members will not be able to log into your account in order to provide technical support. Since Tulip is intended to be used as a critical piece of your production floor, Tulip has set up a variety of monitoring tools to quickly discover issues and notify your company’s IT team before the production line is impacted.

This allows Tulip to provide immediate support. When Tulip is deployed on premises, your IT team will become the first line of support because Tulip will not be able to access your account remotely.

The default method for deploying Tulip is Amazon Web Services, which is cloud-based. In a cloud-based deployment, the technical support team at Tulip will be able to monitor your account and alert you when Tulip fails to connect to your network due to an internal IT change or another reason.

One other, less common option is a private cloud deployment. Although this provides the same security measures as a normal cloud environment, it provides additional compliance benefits for companies that operate in highly-regulated industries.

Network Level

In order to allow devices running Tulip software to communicate with a server that is hosting the Tulip platform, your network must meet certain requirements. Please review this IT requirements guide to see if your network meets these standards.

In an on-premises deployment, your IT team will be responsible for the security of your network. In a cloud-based deployment, you will be covered by the security policies of Amazon Web Services.

Account Level

Tulip has 4 levels of user roles on "standard" and "professional" plans, and 8 levels of roles on enterprise plans. Read more about managing user roles here.

Access can be grouped into three distinct categories:

  1. "Users", which can access both Tulip and the Tulip Player

  2. "Viewers", which can only view assets in Tulip

  3. "Operators", which can only access the Tulip Player

You must add these users, operators and viewers individually to Tulip in Settings, or integrate with Active Directory to create restrictions in Tulip based on user permissions in Active Directory.

Let’s imagine that you want to deploy Tulip across multiple factories and departments, and you want to restrict user permissions based on each factory.

Since Tulip’s current permission system allows any user to build and edit apps, you can use multiple Tulip accounts to control permissions. For example, if the name of your company is “Acme” and you have factories in New York and Boston, you could use two accounts:



IoT Gateway Level

Your company may be considering an IoT Gateway to either monitor machines on your shop floor or integrate devices at operator workstations.

Tulip has a few requirements to allow your IoT Gateway to connect to Tulip servers. Please review the “Tulip Gateway” section of our IT requirements guide for more details.

Tulip App Level

Although all administrators can create and update apps, an app creator can restrict the editing privileges around their specific app.

The Permissions tab on the App Summary View on each app allows the creator to decide the privileges of all other administrators for that particular app. And, they can give specific permissions to individual administrators.

Additionally, Tulip offers an Approvals feature at the account level. This prevents new versions of apps from being released until a certain set of pre-defined administrators indicate their approval. This ensures that apps will not be used on the shop floor until a member of the quality or compliance department approves, for example.

Device Level

You may want to control which apps are available on each laptop or tablet on your shop floor. 

Tulip’s Shop Floor tab allows you to create virtual “Stations” that allow you to restrict the ways that specific laptops and tablets can use Tulip. It also allows you to monitor which apps are being used by operators in real time.

Additionally, Tulip’s LDAP Control Mode allows your Active Directory users to instantly begin using Tulip by entering their Active Directory credentials.


Although all the features listed above will help you comply with regulatory requirements, you will also need to provide data to show the history of your operators’ usage of Tulip. 

Tulip makes data readily available in order to comply with GxP standards. The data is created by all of the features listed in the sections above, and then tracked in one centralized location. It is accessible by any administrator of your Tulip account.

For more details, please use the chat tool in the bottom right of this page to reach out to a Tulip representative.

Did this answer your question?