Ramp exists to save you time and to save you money. We understand the importance of the trust you place in us by sharing your data. Upholding and nurturing that trust is ingrained in our company culture, guiding our internal operations and product development.
Ramp has garnered trust from customers operating in tightly regulated industries, including defense, financial services, and medical manufacturing. Our team is committed to safeguarding your data against potential threats, and we’re excited to provide insight into our approach on this page.
Accessing the documentation on our trust center: Please request access via the banner above. You will be sent an invite via email, and will be prompted to sign an NDA once in the portal. Once the NDA is signed, you will have access to view and download the resources in our Trust Center.
Trust Center Updates
As we continue to build and improve our platform, Ramp will be leveraging Groq to build AI powered product features.
This serves as notification that Groq will be added as a new Ramp subprocessor.
Name: Groq
Location: United States
Website: groq.com
Purpose: Leveraged in providing AI powered features to customers.
DPA Signed: Yes
This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
Ramp Security was made aware of a CrowdStrike incident on July 19, 2024 and confirmed that Ramp services and infrastructure are not impacted by this incident.
As we continue to build and improve our platform, Ramp will be leveraging ClickHouse as a data warehouse to host Ramp data and support the Ramp application.
This serves as notification that ClickHouse will be added as a Ramp subprocessor.
Name: ClickHouse
Location: United States
Website: clickhouse.com
Purpose: Data Warehouse
DPA Signed: Yes
This subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
As we continue to build and improve our platform, Ramp will be leveraging Decagon as an AI support agent within the Ramp application*.
This serves as notification that Decagon will be added as a new Ramp subprocessor.
Name: Decagon
Location: United States
Website: decagon.ai
Purpose: AI chatbot support agent
DPA Signed: Yes
This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
*This is only applicable if the customer decides to use the subprocessor's services
Ramp is not impacted by CVE-2024-3094, a critical vulnerability discovered in XZ Utils versions 5.6.0 and 5.6.1.
Ramp’s security team reviewed all OS versions deployed in our environment and confirmed that none of the impacted operating systems or versions are utilized.
We continue to track announcements from our subprocessors and partners for potential impact.
Ramp will allow you to view the last 30 days of login history with the Ramp application. Users can retrieve more insights about logins to better protect their application. You will be able to find these updates in Personal Settings within the Ramp app.
Ramp's SOC 2 Type 2, SOC 1 Type 2, and ISO 27001 Certification Available for Download
Ramp's 2023 SOC 2 Type 2 and SOC 1 Type 2 reports for the period ending in October 2023 are now available to request and download from our Trust Center.
Our ISO 27001 certification, which we achieved in October 2023, is also available for download.
Ramp now allows you to specify an IT or Security contact, who will be sent information regarding your account’s security and login configuration. Update your IT & Security Contact settings and have a contact on file!
As we continue to build and improve our platform, Ramp will be leveraging Tango as a rewards provider within the Ramp application*.
This serves as notification that Tango will be added as a new Ramp subprocessor.
Name: Tango
Location: United States
Website: tangocard.com
Purpose: Rewards provider
DPA Signed: Yes
This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
*This is only applicable if the customer decides to use the subprocessor's services
As we continue to build and improve our platform, Ramp will be leveraging Ascenda as a rewards provider within the Ramp application*.
This serves as notification that Ascenda will be added as a new Ramp subprocessor.
Name: Ascenda
Location: Singapore
Website: ascendaloyalty.com
Purpose: Rewards provider
DPA Signed: Yes
This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
*This is only applicable if the customer decides to use the subprocessor's services
Ramp Security was made aware of an incident affecting Okta’s support systems and confirmed that Ramp is unaffected by this incident and that there is no impact to our Okta environment.
Ramp’s 2023 external penetration test report, which includes the web application and API-driven services, is now available to request and download from our Trust Center.
As we continue to build and improve our platform, Ramp will be leveraging OneSchema as a CSV uploader tool within the Ramp application.
This serves as notification that OneSchema will be added as a new Ramp subprocessor.
Name: OneSchema
Location: United States
Website: Oneschema.co
Purpose: CSV Upload Feature
DPA Signed: Yes
This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
Ramp’s 2023 PCI DSS Attestation of Compliance (AOC) as of August 2023 is now available to request and download from our Trust Center.
As we continue to build and improve our platform, Ramp will be leveraging Anthropic to build AI powered product features and to extract and structure information from documentation, like invoices, receipts, bills, and contracts. Anthropic helps enable Ramp product features and transform unstructured data into structured data.
This serves as notification that Anthropic will be added as a new Ramp subprocessor.
Name: Anthropic
Location: United States
Website: Anthropic.com
Purpose: Leveraged in providing AI powered features to customers
DPA Signed: Yes
This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
As we continue to build and improve our platform, Ramp will be leveraging Microsoft Azure as a Cloud Provider to host Ramp data and support the Ramp application.
This serves as notification that Microsoft Azure will be added as a new Ramp subprocessor.
Name: Microsoft Azure
Location: United States
Website: Azure.microsoft.com
Purpose: Cloud Service Provider
DPA Signed: Yes
This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
As we continue to build and improve our platform, Ramp will be leveraging OpenAI to build AI powered product features and to extract and structure information from documentation, like invoices, receipts, bills, and contracts. OpenAI helps enable Ramp product features and transform unstructured data into structured data.
This serves as notification that OpenAI will be added as a new Ramp subprocessor.
Name: OpenAI
Location: United States
Website: Openai.com
Purpose: Leveraged in providing AI powered features to customers
DPA Signed: Yes
This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
As we continue to build and improve our platform, Ramp will be leveraging GCP’s Document AI product to support the extraction and structuring of information from documentation, like invoices, receipts, bills, and contracts. DocumentAI is a document understanding platform that helps us transform unstructured data into structured data, making it easier to understand, analyze, and consume.
This serves as notification that Document AI will be added as an updated use of Ramp’s current subprocessor, Google Cloud Platform (GCP):
Name: Google Cloud Platform (Document AI)
Location: United States
Website: https://cloud.google.com/document-ai
Purpose: To extract and analyze structured data from documents.
DPA Signed: Yes
This new use of the subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.
Last week, Ramp learned of a sophisticated SMS phishing incident targeting Zendesk, Ramp’s third-party customer support vendor. The incident resulted in unauthorized access to Zendesk’s logging platform between September 25, 2022 and October 26, 2022.
Service Data* belonging to Ramp may have been in the compromised logging platform. According to Zendesk, there is no evidence suggesting that the threat actor accessed the Ramp Zendesk instance.
Ramp has requested additional details from Zendesk regarding this incident and will provide updates if there is a confirmed impact to Ramp customers.
*“Service Data” means all electronic data, text, messages, communications or other materials submitted to and stored within a Service by You, Agents and End-Users in connection with Your use of such Service, excluding Agent Contact Information. Examples of the data that may be contained in impacted logs include: timestamp, token ID, email address, user agent, username, Account ID, User ID, name, IP address, application paths and parameters, Session IDs, provisioned infrastructure, Ticket and Help Center data, Agent data and other types of Service Data.
Ramp's internal environment is not impacted by CVE-2022-3602 or CVE-2022-3786, two high-severity issues in openssl version 3.
To confirm this, we took the following steps:
- Reviewed all container images stored in our image registries
- Reviewed all containers running in our environment
- Reviewed all virtual machines running in our environment
None of the systems covered by these reviews use openssl version 3.
Separately, we reviewed the openssl versions installed on our corporate endpoints, updating to 3.0.7 where appropriate. We continue to track announcements from our subprocessors and partners for impact.
As you investigate your environment, keep in mind that many platforms ship with openssl 1.1.1, which is not included in this CVE. Learn more about technology that is not impacted here.
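One way to run the version review described above across an asset inventory, as an added example (not Ramp's tooling): the asset names and banners are constructed, and the affected range of 3.0.0 through 3.0.6 is OpenSSL's published range for these two CVEs.

```shell
# Added example: classify `openssl version` banners against the 3.0.0-3.0.6 range
# affected by CVE-2022-3602 / CVE-2022-3786 (fixed in 3.0.7; 1.1.1 is not affected).

# classify_openssl "<banner>"  ->  affected | not-affected | unknown
classify_openssl() {
    case "$1" in
        OpenSSL\ *) ;;                      # only upstream OpenSSL banners are judged
        *) echo unknown; return 0 ;;        # LibreSSL, BoringSSL, empty output: review by hand
    esac
    ver=${1#OpenSSL }                       # "3.0.2 15 Mar 2022" or "1.1.1s  1 Nov 2022"
    ver=${ver%% *}                          # keep the version token only
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;            # need major.minor.patch
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}                 # drop suffixes such as the "s" in 1.1.1s
    case "$major.$minor.$patch" in
        *[!0-9.]*|*.) echo unknown; return 0 ;;
    esac
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# scan_inventory: reads "asset<TAB>banner" lines on stdin and prints
# "status<TAB>asset" for everything not clearly outside the affected range.
scan_inventory() {
    tab=$(printf '\t')
    while IFS="$tab" read -r asset banner; do
        [ -n "$asset" ] || continue
        status=$(classify_openssl "$banner")
        [ "$status" = not-affected ] || printf '%s\t%s\n' "$status" "$asset"
    done
}

# Constructed sample inventory (asset names and banners are made up).
sample_inventory() {
    printf '%s\t%s\n' \
        'img/api:base'    'OpenSSL 1.1.1s  1 Nov 2022' \
        'img/worker:edge' 'OpenSSL 3.0.2 15 Mar 2022' \
        'vm/build-01'     'OpenSSL 3.0.7 1 Nov 2022' \
        'laptop/mac-17'   'LibreSSL 3.3.6'
}

sample_inventory | scan_inventory
```

Distribution packages can backport the fix without changing the upstream version string, so an `affected` result is a prompt to check the vendor's advisory for that package build.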
If you think you may have discovered a vulnerability, please send us a note.