Overview
Ramp exists to save you time and to save you money. We recognize that you entrust us with your data. Earning and maintaining that trust is a core part of our company culture, internal operations, and product development processes.
Ramp has earned trust from customers in various tightly regulated industries, including defense, financial services, and medical manufacturing. Our team is committed to safeguarding your data against potential threats, and is excited to share an overview of how we do that on this page.
Trust Center Updates
As we continue to build and improve our platform, Ramp will be leveraging Microsoft Azure as a Cloud Provider to host Ramp data and support the Ramp application.
This serves as notification that Microsoft Azure will be added as a new Ramp sub-processor.
Name: Microsoft Azure
Location: United States
Website: Azure.microsoft.com
Purpose: Cloud Service Provider
DPA Signed: Yes
This new sub-processor has been evaluated in accordance with Ramp’s third-party risk management process.
As we continue to build and improve our platform, Ramp will be leveraging OpenAI to build AI-powered product features and to extract and structure information from documentation, like invoices, receipts, bills, and contracts. OpenAI helps enable Ramp product features and transform unstructured data into structured data.
This serves as notification that OpenAI will be added as a new Ramp sub-processor.
Name: OpenAI
Location: United States
Website: Openai.com
Purpose: Leveraged in providing AI-powered features to customers
DPA Signed: Yes
This new sub-processor has been evaluated in accordance with Ramp’s third-party risk management process.
As we continue to build and improve our platform, Ramp will be leveraging GCP’s Document AI product to support the extraction and structuring of information from documentation, like invoices, receipts, bills, and contracts. DocumentAI is a document understanding platform that helps us transform unstructured data into structured data, making it easier to understand, analyze, and consume.
This serves as notification that Document AI will be added as an updated use of Ramp’s current sub-processor, Google Cloud Platform (GCP):
Name: Google Cloud Platform (Document AI)
Location: United States
Website: https://cloud.google.com/document-ai
Purpose: To extract and analyze structured data from documents.
DPA Signed: Yes
This new use of the sub-processor has been evaluated in accordance with Ramp’s third-party risk management process.
Last week, Ramp learned of a sophisticated SMS phishing incident targeting Zendesk, Ramp’s third-party customer support vendor. The incident resulted in unauthorized access to Zendesk’s logging platform between September 25, 2022 and October 26, 2022.
Service Data* belonging to Ramp may have been in the compromised logging platform. According to Zendesk, there is no evidence suggesting that the threat actor accessed the Ramp Zendesk instance.
Ramp has requested additional details from Zendesk regarding this incident and will provide any updates if there is a confirmed impact to Ramp customers.
*“Service Data” means all electronic data, text, messages, communications or other materials submitted to and stored within a Service by You, Agents and End-Users in connection with Your use of such Service, excluding Agent Contact Information. Examples of the data that may be contained in impacted logs include: timestamp, token ID, email address, user agent, username, Account ID, User ID, name, IP address, application paths and parameters, Session IDs, provisioned infrastructure, Ticket and Help Center data, Agent data and other types of Service Data.
Ramp's SOC 2 Type 2, SOC 1 Type 2, and ISO 27001 Certification Available for Download
Ramp's 2022 SOC 2 Type 2 and SOC 1 Type 2 reports for the period ending in October 2022 are now available to request and download from our Trust Center.
Our ISO 27001 certification, which we achieved in December 2022, is also available for download.
Ramp's internal environment is not impacted by CVE-2022-3602 or CVE-2022-3786, two high-severity issues in OpenSSL version 3.
To confirm this, we took the following steps:
- Reviewed all container images stored in our image registries
- Reviewed all containers running in our environment
- Reviewed all virtual machines running in our environment

From all these reviews, none use openssl version 3.
Separately, we reviewed the openssl versions installed on our corporate endpoints, updating to 3.0.7 where appropriate. We continue to track announcements from our subprocessors and partners for impact.
As you investigate your environment, keep in mind that many platforms ship with openssl 1.1.1, which is not affected by these CVEs. Learn more about technology that is not impacted here.
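One way to triage the version review described above, as an added example that is not Ramp's own tooling: a shell function that classifies `openssl version` banners collected from images, containers, VMs or endpoints, including the case where a host reports LibreSSL 3.x, which is not OpenSSL 3. The function names and status labels are assumptions, and the sample banners are constructed.

```shell
#!/bin/sh
# Added example: classify `openssl version` banners for CVE-2022-3602 / CVE-2022-3786.
# Upstream OpenSSL 3.0.0 through 3.0.6 is in range; 3.0.7 carries the fix.

classify_openssl() {
    banner=$1
    product=${banner%% *}          # first word names the library
    case $product in
        OpenSSL) ;;
        LibreSSL|BoringSSL) echo "not-openssl"; return 0 ;;  # separate code bases
        *) echo "unknown"; return 0 ;;
    esac
    rest=${banner#* }
    version=${rest%% *}            # e.g. 3.0.2 or 1.1.1k
    case $version in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    major=${version%%.*}
    rem=${version#*.}
    minor=${rem%%.*}
    patch=${rem#*.}
    patch=${patch%%[!0-9]*}        # drop a letter suffix such as the "k" in 1.1.1k
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo "unknown"; return 0 ;; esac
    done
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo "in-affected-range"
    else
        echo "not-affected"
    fi
}

# Reads one banner per line on stdin, prints "<status><TAB><banner>".
review_banners() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$(classify_openssl "$line")" "$line"
    done
}

# Constructed sample banners, not taken from any real environment.
review_banners <<'EOF'
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
OpenSSL 1.1.1k  FIPS 25 Mar 2021
LibreSSL 3.3.6
EOF
```

Distribution packages can backport the fix without changing the upstream version shown in the banner, so an `in-affected-range` result calls for checking the package's own patch level before treating the host as vulnerable.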
If you think you may have discovered a vulnerability, please send us a note.