Trust Center

To provide more clarity around our use of subprocessors (where Ramp may act as a data processor) and other key service providers (where Ramp may act as a data controller), we’ve separated our lists of subprocessors and key service providers.

We’ve updated our subprocessor list to include Amplitude Inc., Astronomer, Cloudflare, Duffel Technology Ltd., and Sierra Technologies Inc.

Name: Amplitude Inc.
Location: United States
Website: https://amplitude.com/
Purpose: Product analytics
DPA Signed: Yes

Name: Astronomer, Inc
Location: United States
Website: https://www.astronomer.io/
Purpose: AI and machine learning services
DPA Signed: Yes

Name: Cloudflare
Location: United States
Website: https://www.cloudflare.com/
Purpose: Caching and content delivery network
DPA Signed: Yes

Name: Duffel Technology Ltd.
Location: EU
Website: https://duffel.com/
Purpose: Travel booking and management
DPA Signed: Yes

Name: Sierra Technologies Inc.
Location: United States
Website: https://sierra.ai/
Purpose: AI support agent
DPA Signed: Yes

These subprocessors have been evaluated in accordance with Ramp’s third-party risk management process.

The following updated 2024 security documentation is available for download from our Trust Center:

• SOC 2 Type 2 report for the period ending October 2024
• SOC 1 Type 2 report for the period ending October 2024
• ISO 27001:2022 Certification, achieved in October 2024
• PCI DSS v4.0 Attestation of Compliance (AoC) as of December 2024
• Ramp’s 2024 external penetration test report

A new list of phishing domains have been identified and are being remediated.

• app[.]mob-ramp[.]com
• mob-ramp[.]com
• app[.]r-ramp[.]top
• r-ramp[.]com
• whitelink[.]business

IP address related to hosted phishing site:

• 207[.]32[.]217[.]14

Links related to the redirect chain:

• my[.]link-me[.]su
• u21060774[.]ct[.]sendgrid[.]net (found in body of phishing email)

A new campaign has been identified details are below:

• Subject: 🔒 Important: New Security Enhancement for Your Account
• Sender: info@frontlinetradinginc[.]com
• Links in the phishing email: shor[.]tf/saferamp

Known redirect chain:

• shor[.]tf/saferamp
• my[.]safe-link[.]su
• app[.]ramp[.]info

Businesses are advised to identify these emails in user inboxes and remove as soon as possible. Mitigating actions of the identified domains are in progress.

New hosts/domains have been identified and are in the process of being mitigated.

• protect-ramp[.]com
• 87[.]120[.]116[.]47

New phishing domains identified:

• app[.]upt-ramp[.]com
• se-ramp[.]com
• app[.]safe-ramp[.]com

Businesses are advised to blocked the above domains.

A new campaign was launched today. Details that deviate from the original campaign are below.

Subject line: "🔒 Important: New Security Enhancement for Your Account" Links: bit[.]ly/sec-ram

Summary

We are sending this security advisory to inform you of an ongoing phishing campaign targeting Ramp customers. This campaign seeks to trick users into providing their Ramp credentials and MFA code by sending an email pretending to request acceptance of a new Terms of Service and Privacy Policy, with a link to a Ramp sign-in phishing page. Ramp businesses with password authentication enabled for users are most vulnerable to this phishing campaign.

About the email

• Subject line: “🔄 December Updates: Important Ramp Changes & Next Steps”
• Links: Two different bit.ly links have been observed in samples of the email that have been shared with Ramp: bit[.]ly/rampcompany, bit[.]ly/ramptos
• Sender: Display name being used is “The Ramp Team”. Known Sender emails: admin[at]digitiz[.]io, comercial[at]edolmed[.]com[.]br

Update 12/09/24

• Subject line: "🔒 Important: New Security Enhancement for Your Account"
• Links: bit[.]ly/sec-ram

Indicators of Compromise

Phishing Domains: Ramp uses a phishing detection and mitigation vendor to identify and takedown domains used in phishing campaigns targeting Ramp users. Below are the domains that have been identified.

• acc-ramp[.]com
• terms-ramp[.]com
• app[.]terms-ramp[.]com
• app[.]tos-ramp[.]com
• app[.]security-ramp[.]com
• app[.]ramp[.]company
• seteclnc[.]com
• sec-ramp[.]com
• app[.]us-ramp[.]com
• app[.]update-ramp[.]com
• 93[.]123[.]39[.]38
• p-ramp[.]com

What you can do

• Use the information provided above to update email security rulesets to detect and mitigate the risk of Ramp account compromise.
• If applicable, check proxy, VPN, or web traffic logs for evidence of users visiting the listed phishing domains.
• If you believe you or a user at your business has been compromised, review transactions for suspicious transactions and file a dispute if necessary.
• Review invited users on Ramp for unknown users.

We are committed to ensuring the security of our customers and partners. If you have any questions or need further assistance, please reach out to us at security@ramp.com. If you believe fraudulent transactions have occurred, please follow Ramp’s dispute process. We will provided updates to this advisory as they become available.

As we continue to build and improve our platform, Ramp will be leveraging ASAPP to enhance customer support functions.

This serves as notification that ASAPP will be added as a new Ramp subprocessor.

Name: ASAPP

Location: United States

Website: https://www.asapp.com/

Purpose: Leveraged in providing AI powered features during the customer support process.

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

As we continue to build and improve our platform, Ramp will be leveraging Groq to build AI powered product features.

This serves as notification that Groq will be added as a new Ramp subprocessor.

Name: Groq

Location: United States

Website: groq.com

Purpose: Leveraged in providing AI powered features to customers.

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.