The Tulip corporate security guide can be found here: http://support.tulip.co/it-security/tulip-it-security-guide 

At Tulip, ensuring your data is secure is one of our top priorities. Listed below are all the ways we provide world-class security for you and your company. 

Tulip Platform

  • SSL/HTTPS required for all connections
  • Latest web security features
  • Passwords salted and hashed with industry-standard bcrypt
  • Automated security updates
  • Browser authentication: email/password with minimum entropy requirements
  • Firewall via EC2 Security Group
  • Admin access only via SSH
  • Key-based authentication
  • Inbound IP restrictions

SSL

  • 2048-bit RSA key
  • SHA384 signature
  • Yearly rotation
  • Forward-secrecy (ECDHE) preferred
  • Outdated cipher suites (SSL 2/3) forbidden
  • Qualsys SSLLabs A+ score

Database Security

  • Randomly-generated authentication keys
  • Colocated in AWS, only local traffic
  • Dedicated read-only accounts for analytics
  • Parameterization to avoid injection
  • Encryption-at-rest and encryption-in-transit

Web Security Standards

  • HSTS to prevent SSL-stripping MITM attacks
  • DOM Templating and CSP to prevent XSS
  • LocalStorage instead of cookies
  • X-Frame-Options to prevent clickjacking

Application Security

  • All web server endpoints verify ACL
  • Enforced with static analysis and code review
  • Password hashing:
  • SHA512 client-side
  • bcrypt + per-user salt server-side
  • Password entropy estimation and minimums
  • Long, random keys for cells and tablets
  • Automated security updates
  • All production code reviewed by multiple engineers

Tulip Gateway Security

  • Industry Standard PKI - per-device randomly-generated shared secret
  • Remote Updates - managed devices software updates provided at no-cost by Tulip
  • Secure Connections - SSL/HTTPS required for all connections
  • Native Device Firewalling - only authorized devices can connect to the Tulip gateway
Did this answer your question?