Overview
Ramp exists to save you time and to save you money. We recognize that you entrust us with your data. Earning and maintaining that trust is a core part of our company culture, internal operations, and product development processes.
Ramp has earned trust from customers in various tightly regulated industries, including defense, financial services, and medical manufacturing. Our team is committed to safeguarding your data against potential threats, and is excited to share an overview of how we do that on this page.
Trust Center Updates
Last week, Ramp learned of a sophisticated SMS phishing incident targeting Zendesk, Ramp’s third-party customer support vendor. The incident resulted in unauthorized access to Zendesk’s logging platform between September 25, 2022 and October 26, 2022.
Service Data* belonging to Ramp may have been in the compromised logging platform. According to Zendesk, there is no evidence suggesting that the threat actor accessed the Ramp Zendesk instance.
Ramp has requested additional details about Zendesk regarding this incident and will provide any updates if there is a confirmed impact to Ramp customers.
*“Service Data” means all electronic data, text, messages, communications or other materials submitted to and stored within a Service by You, Agents and End-Users in connection with Your use of such Service, excluding Agent Contact Information. Examples of the data that may be contained in impacted logs include: timestamp, token ID, email address, user agent, username, Account ID, User ID, name, IP address, application paths and parameters, Session IDs, provisioned infrastructure, Ticket and Help Center data, Agent data and other types of Service Data.
Ramp's SOC 2 Type 2, SOC 1 Type 2, and ISO 27001 Certification Available for Download
Ramp's 2022 SOC 2 Type 2 and SOC 1 Type 2 reports for the period ending in October 2022 are now available to request and download from our Trust Center.
Our ISO 27001 certification, which we achieved in December 2022, is also available for download.
Ramp's internal environment is not impacted by CVE-2022-3602 or CVE-2022-3786, two high-severity issues in OpenSSL version 3.
To confirm this, we took the following steps:
- Reviewed all container images stored in our image registries
- Reviewed all containers running in our environment
- Reviewed all virtual machines running in our environment
From all these reviews, none use openssl version 3.
Separately, we reviewed the openssl versions installed on our corporate endpoints, updating to 3.0.7 where appropriate. We continue to track announcements from our subprocessors and partners for impact.
As you investigate your environment, keep in mind that many platforms ship with openssl 1.1.1, which is not affected by these CVEs. Learn more about technology that is not impacted here.
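For readers running the same kind of review, the following added example (not Ramp's tooling) classifies `openssl version` banners collected from images, containers, VMs and endpoints. It assumes the banners were already gathered per asset; the asset names and banners are constructed, and the affected range (OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7) comes from the OpenSSL advisory for these CVEs.

```python
import re

# CVE-2022-3602 / CVE-2022-3786 affect OpenSSL 3.0.0 through 3.0.6; 3.0.7 is the fix.
FIRST_AFFECTED = (3, 0, 0)
FIXED = (3, 0, 7)
BANNER = re.compile(r"^(\w+)\s+(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return (status, reason) for one line of `openssl version` output."""
    m = BANNER.match(banner.strip())
    if not m:
        # No CLI banner does not prove the library is absent (it may be bundled
        # or statically linked), so flag the asset for manual follow-up.
        return "unknown", "unparsable banner"
    product = m.group(1)
    version = tuple(int(part) for part in m.groups()[1:])
    if product != "OpenSSL":
        # Forks such as LibreSSL use their own numbering; "3.x" there is unrelated.
        return "not_affected", f"{product} is not OpenSSL"
    if FIRST_AFFECTED <= version < FIXED:
        return "affected", "upgrade to 3.0.7 or later"
    if version < FIRST_AFFECTED:
        return "not_affected", "pre-3.0 branch (for example 1.1.1)"
    return "not_affected", "3.0.7 or later"


def review(inventory):
    """Group asset names by status so affected and unknown assets stand out."""
    report = {"affected": [], "not_affected": [], "unknown": []}
    for asset, banner in sorted(inventory.items()):
        status, _reason = classify(banner)
        report[status].append(asset)
    return report


# Constructed sample inventory: asset names and banners are made up for this example.
SAMPLE_INVENTORY = {
    "image/api": "OpenSSL 1.1.1n  15 Mar 2022",
    "image/batch": "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "vm/bastion": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "endpoint/laptop-01": "LibreSSL 3.3.6",
    "container/worker": "sh: openssl: not found",
}

if __name__ == "__main__":
    for status, assets in review(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(assets) or '-'}")
```

Assets reported as `unknown` still need a package-level or file-level check, since a missing command-line binary says nothing about a bundled `libssl`.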
If you think you may have discovered a vulnerability, please send us a note.