At Ramp, we take security and protection of your data very seriously. For the most comprehensive view of Ramp's security measures and documentation, please visit our Security Portal. We've also detailed some of our approaches to security below:
Multi-Factor Authentication
Ramp leverages automated systems to prevent account takeover attempts and other malicious requests. All accounts are enrolled in multi-factor authentication by phone number, and users can enroll additional authentication devices from their Ramp profile (learn more→).
SAML SSO Account Protection
We also support SSO through your identity provider (e.g., Google or Okta as the IdP), leveraging SAML technology.
All data is transmitted with encryption-in-transit using HTTPS or similar protocols. Furthermore, all data is securely stored with encryption-at-rest using AES-256 or higher standards. Where possible within databases, we also leverage in-field encryption to protect particularly sensitive data.
Ramp uses tokenization to protect your card and CVV numbers.
Least Privilege and Audit Logging
As standard best practice, we adhere to the principle of least privilege, whereby only a small subset of personnel have the means to view your data, and only when needed to support you. Naturally, all data access is logged and monitored for audit purposes too.
Ramp continuously undergoes automated penetration testing to check for any vulnerabilities in our infrastructure. The tests are augmented by manual "business logic assessment" reviews on a periodic cadence.
On an annual basis, Ramp is audited by a large external firm to ensure we continue to meet and exceed the requirements of SOC 2, a compliance standard. We ensure that all of our partners have current SOC 2 reports too.
WAF and DDoS Protection
Ramp uses an industry-leading firewall provider to protect against distributed denial-of-service (DDoS) attacks and attempted intrusions into our systems. We also block certain countries and enforce rate limiting to protect against brute-force attacks.
Trusted Third Parties
When we need to leverage third parties to help provide service to you (e.g., with bank account linking, leveraging Finicity and Teller), we verify that they have adopted equally stringent security protocols. Our legal officer ensures we have a comprehensive contract in place and our security team further approves any engagement.
Payment Card Industry Data Security Standard (PCI DSS)
To the extent that Ramp possesses or otherwise stores, processes, or transmits cardholder data on your behalf, or to the extent that Ramp’s activities could impact the security of your cardholder data, Ramp shall maintain all applicable requirements in accordance with the Payment Card Industry Data Security Standard.
Phishing & similar scams
Ramp support will never contact you to ask for your password, card information, or verification codes. Nevertheless, fraudsters may impersonate Ramp or members of the finance team at your company to attempt to trick employees into sharing sensitive information. Learn how to recognize and respond to phishing at your business→
If someone reaches out to you on behalf of Ramp and requests sensitive information, report the interaction to email@example.com.