Trust Center

As we continue to build and improve our platform, Ramp will be leveraging OneSchema as a CSV uploader tool within the Ramp application.

This serves as notification that OneSchema will be added as a new Ramp subprocessor.

Name: OneSchema

Location: United States

Website: Oneschema.co

Purpose: CSV Upload Feature

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Ramp’s 2023 PCI DSS Attestation of Compliance (AOC) as of August 2023 is now available to request and download from our Trust Center.

As we continue to build and improve our platform, Ramp will be leveraging Anthropic to build AI powered product features and to extract and structure information from documentation, like invoices, receipts, bills, and contracts. Anthropic helps enable Ramp product features and transform unstructured data into structured data.

This serves as notification that Anthropic will be added as a new Ramp subprocessor.

Name: Anthropic

Location: United States

Website: Anthropic.com

Purpose: Leveraged in providing AI powered features to customers

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

As we continue to build and improve our platform, Ramp will be leveraging Microsoft Azure as a Cloud Provider to host Ramp data and support the Ramp application.

This serves as notification that Microsoft Azure will be added as a new Ramp subprocessor.

Name: Microsoft Azure

Location: United States

Website: Azure.microsoft.com

Purpose: Cloud Service Provider

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

As we continue to build and improve our platform, Ramp will be leveraging OpenAI to build AI powered product features and to extract and structure information from documentation, like invoices, receipts, bills, and contracts. OpenAI helps enable Ramp product features and transform unstructured data into structured data.

This serves as notification that OpenAI will be added as a new Ramp subprocessor.

Name: OpenAI

Location: United States

Website: Openai.com

Purpose: Leveraged in providing AI powered features to customers

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

As we continue to build and improve our platform, Ramp will be leveraging GCP’s Document AI product to support the extraction and structuring of information from documentation, like invoices, receipts, bills, and contracts. DocumentAI is a document understanding platform that helps us transform unstructured data into structured data, making it easier to understand, analyze, and consume.

This serves as notification that Document AI will be added as an updated use of Ramp’s current subprocessor, Google Cloud Platform (GCP):

Name: Google Cloud Platform (Document AI)

Location: United States

Website: https://cloud.google.com/document-ai

Purpose: To extract and analyze structured data from documents.

DPA Signed: Yes

This new use of the subprocessor has been evaluated in accordance with Ramp’s third party risk management process.

Last week, Ramp learned of a sophisticated SMS phishing incident targeting Zendesk, Ramp’s third-party customer support vendor. The incident resulted in unauthorized access to Zendesk’s logging platform between September 25, 2022 and October 26, 2022.

Service Data* belonging to Ramp may have been in the compromised logging platform. According to Zendesk, there is no evidence suggesting that the threat actor accessed the Ramp Zendesk instance.

Ramp has requested additional details about Zendesk regarding this incident and will provide any updates if there is a confirmed impact to Ramp customers.

*“Service Data” means all electronic data, text, messages, communications or other materials submitted to and stored within a Service by You, Agents and End-Users in connection with Your use of such Service, excluding Agent Contact Information. Examples of the data that may be contained in impacted logs includes: timestamp, token ID, email address, user agent, username, Account ID, User ID, name, IP address, application paths and parameters, Session IDs, provisioned infrastructure, Ticket and Help Center data, Agent data and other types of Service Data.

Ramp's 2022 SOC 2 Type 2 and SOC 1 Type 2 reports for the period ending in October 2022 are now available to request and download from our Trust Center.

Our ISO 27001 certification, which we achieved in December 2022, is also available for download.

Ramp's internal environment is not impacted by CVE-2022-3602 or CVE-2022-3786, two high severity issues in openssl version 3.

To confirm this, we took the following steps:

• Reviewed all container images stored in our image registries
• Reviewed all containers running in our environment
• Reviewed all virtual machines running in our environment From all these reviews, none use openssl version 3.

Separately we reviewed the openssl versions installed on our corporate endpoints, updating to 3.0.7 where appropriate. We continue to track announcements from our subprocessors and partners for impact.

As you investigate your environment, keep in mind that many platforms ship with openssl 1.1.1, which is not included in this CVE. Learn more about technology that is not impacted here.