Trust Center

Start your security review
View & download sensitive information
Search items
ControlK

Ramp exists to save you time and to save you money. We understand the importance of the trust you place in us by sharing your data. Upholding and nurturing that trust is ingrained in our company culture, guiding our internal operations and product development.

Ramp has garnered trust from customers operating in tightly regulated industries, including defense, financial services, and medical manufacturing. Our team is committed to safeguarding your data against potential threats, and we’re excited to provide insight into our approach on this page.

Accessing the documentation on our trust center: Please request access via the banner above. You will be sent an invite via email, and will be prompted to sign an NDA once in the portal. Once the NDA is signed, you will have access to view and download the resources in our Trust Center.

Architecture Diagram

Trust Center Updates

Groq Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging Groq to build AI powered product features.

This serves as notification that Groq will be added as a new Ramp subprocessor.

Name: Groq

Location: United States

Website: groq.com

Purpose: Leveraged in providing AI powered features to customers.

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Published at N/A

Ramp is Unaffected by the 7/19/24 Crowdstrike Incident

IncidentsCopy link

Ramp Security was made aware of a Crowdstrike incident on July 19, 2024 and confirmed that Ramp services and infrastructure are not impacted by this incident.

Published at N/A

ClickHouse Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging ClickHouse as a data warehouse to host Ramp data and support the Ramp application.

This serves as notification that ClickHouse will be added as a Ramp subprocessor.

Name: ClickHouse

Location: United States

Website: clickhouse.com

Purpose: Data Warehouse

DPA Signed: Yes

This subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Published at N/A

Decagon Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging Decagon as an AI support agent within the Ramp application*.

This serves as notification that Decagon will be added as a new Ramp subprocessor.

Name: Decagon

Location: United States

Website: decagon.ai

Purpose: AI chatbot support agent

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

*This is only applicable if the customer decides to use the subprocessor's services

Published at N/A

Ramp's response to the XZ Utils backdoor vulnerability

IncidentsCopy link

Ramp is not impacted by CVE-2024-3094, a critical vulnerability discovered in XZ Utils versions 5.6.0 and 5.6.1.

Ramp’s security team reviewed all OS versions deployed in our environment and confirmed that none of the impacted operating systems or versions are utilized.

We continue to track announcements from our subprocessors and partners for potential impact.

Published at N/A

Login History

GeneralCopy link

Ramp will allow you to view the last 30 days of login history with the Ramp application. Users can retrieve more insights about logins to better protect their application. You will be able to find these updates in Personal Settings within the Ramp app.

Published at N/A*

Ramp's SOC 2 Type 2, SOC 1 Type 2, and ISO 27001 Certification Available for Download

ComplianceCopy link

Ramp's 2023 SOC 2 Type 2 and SOC 1 Type 2 reports for the period ending in October 2023 are now available to request and download from our Trust Center.

Our ISO 27001 certification, which we achieved in October 2023, is also available for download.

Published at N/A

IT & Security Contact settings

GeneralCopy link

Ramp now allows you to specify an IT or Security contact, who will be sent information regarding your account’s security and login configuration. Update your IT & Security Contact settings and have a contact on file!

Published at N/A

Tango Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging Tango as a rewards provider within the Ramp application*.

This serves as notification that Tango will be added as a new Ramp subprocessor.

Name: Tango

Location: United States

Website: tangocard.com

Purpose: Rewards provider

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

*This is only applicable if the customer decides to use the subprocessor's services

Published at N/A*

Ascenda Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging Ascenda as a rewards provider within the Ramp application*.

This serves as notification that Ascenda will be added as a new Ramp subprocessor.

Name: Ascenda

Location: Singapore

Website: ascendaloyalty.com

Purpose: Rewards provider

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

**This is only applicable if the customer decides to use the subprocessor's services

Published at N/A*

Ramp is Unaffected by the 10/20/23 Okta Incident

IncidentsCopy link

The Ramp Security was made aware of an incident to Okta’s support systems and confirmed that Ramp is unaffected by this incident and there is no impact to our Okta environment.

Published at N/A

Ramp’s 2023 Penetration Test Report Available for Download

ComplianceCopy link

Ramp’s 2023 external penetration test report, which includes the web application and API-driven services, is now available to request and download from our Trust Center.

Published at N/A

OneSchema Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging OneSchema as a CSV uploader tool within the Ramp application.

This serves as notification that OneSchema will be added as a new Ramp subprocessor.

Name: OneSchema

Location: United States

Website: Oneschema.co

Purpose: CSV Upload Feature

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Published at N/A*

Ramp’s PCI DSS Attestation of Compliance Available for Download

ComplianceCopy link

Ramp’s 2023 PCI DSS Attestation of Compliance (AOC) as of August 2023 is now available to request and download from our Trust Center.

Published at N/A

Anthropic Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging Anthropic to build AI powered product features and to extract and structure information from documentation, like invoices, receipts, bills, and contracts. Anthropic helps enable Ramp product features and transform unstructured data into structured data.

This serves as notification that Anthropic will be added as a new Ramp subprocessor.

Name: Anthropic

Location: United States

Website: Anthropic.com

Purpose: Leveraged in providing AI powered features to customers

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Published at N/A*

Microsoft Azure Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging Microsoft Azure as a Cloud Provider to host Ramp data and support the Ramp application.

This serves as notification that Microsoft Azure will be added as a new Ramp subprocessor.

Name: Microsoft Azure

Location: United States

Website: Azure.microsoft.com

Purpose: Cloud Service Provider

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Published at N/A*

OpenAI Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging OpenAI to build AI powered product features and to extract and structure information from documentation, like invoices, receipts, bills, and contracts. OpenAI helps enable Ramp product features and transform unstructured data into structured data.

This serves as notification that OpenAI will be added as a new Ramp subprocessor.

Name: OpenAI

Location: United States

Website: Openai.com

Purpose: Leveraged in providing AI powered features to customers

DPA Signed: Yes

This new subprocessor has been evaluated in accordance with Ramp’s third-party risk management process.

Published at N/A*

Document AI Subprocessor Update

SubprocessorsCopy link

As we continue to build and improve our platform, Ramp will be leveraging GCP’s Document AI product to support the extraction and structuring of information from documentation, like invoices, receipts, bills, and contracts. DocumentAI is a document understanding platform that helps us transform unstructured data into structured data, making it easier to understand, analyze, and consume.

This serves as notification that Document AI will be added as an updated use of Ramp’s current subprocessor, Google Cloud Platform (GCP):

Name: Google Cloud Platform (Document AI)

Location: United States

Website: https://cloud.google.com/document-ai

Purpose: To extract and analyze structured data from documents.

DPA Signed: Yes

This new use of the subprocessor has been evaluated in accordance with Ramp’s third party risk management process.

Published at N/A*

Ramp update of Zendesk security incident

IncidentsCopy link

Last week, Ramp learned of a sophisticated SMS phishing incident targeting Zendesk, Ramp’s third-party customer support vendor. The incident resulted in unauthorized access to Zendesk’s logging platform between September 25, 2022 and October 26, 2022.

Service Data* belonging to Ramp may have been in the compromised logging platform. According to Zendesk, there is no evidence suggesting that the threat actor accessed the Ramp Zendesk instance.

Ramp has requested additional details about Zendesk regarding this incident and will provide any updates if there is a confirmed impact to Ramp customers.

*“Service Data” means all electronic data, text, messages, communications or other materials submitted to and stored within a Service by You, Agents and End-Users in connection with Your use of such Service, excluding Agent Contact Information. Examples of the data that may be contained in impacted logs includes: timestamp, token ID, email address, user agent, username, Account ID, User ID, name, IP address, application paths and parameters, Session IDs, provisioned infrastructure, Ticket and Help Center data, Agent data and other types of Service Data.

Published at N/A

Ramp's response to the 2022 OpenSSL 3 Vulnerabilities

IncidentsCopy link

Ramp's internal environment is not impacted by CVE-2022-3602 or CVE-2022-3786, two high severity issues in openssl version 3.

To confirm this, we took the following steps:

  • Reviewed all container images stored in our image registries
  • Reviewed all containers running in our environment
  • Reviewed all virtual machines running in our environment From all these reviews, none use openssl version 3.

Separately we reviewed the openssl versions installed on our corporate endpoints, updating to 3.0.7 where appropriate. We continue to track announcements from our subprocessors and partners for impact.

As you investigate your environment, keep in mind that many platforms ship with openssl 1.1.1, which is not included in this CVE. Learn more about technology that is not impacted here.

Published at N/A

If you think you may have discovered a vulnerability, please send us a note.

Powered bySafeBase Logo