Drata integration: Set up with Ramp Programs

This article applies to Ramp Administrators.

Overview

The Drata integration lets you add a Drata security review step to any Ramp Program workflow. When a vendor request reaches the Drata step, Ramp automatically creates the vendor in Drata and starts a security review. Once the review is completed in Drata, results sync back to Ramp and the workflow advances or stops based on the outcome.

What you can do

• Gate spend approval on a completed Drata security review.
• Automatically create vendors in Drata from Ramp spend requests.
• Map custom fields from Ramp to Drata vendor fields.
• Choose the security review type (Security, SOC Report, or Upload Report).
• Set a review deadline and assign an owner to manage the review.
• Track review progress from within the Ramp request.

Prerequisites

• Ramp Admin access to configure integrations and edit Programs.
• A Drata account with admin access to create OAuth applications. You must be using Drata's new experience — Classic Drata does not support OAuth applications.
• At least one Ramp Program with a workflow you can edit and publish.

Connect Drata in Ramp

Step 1: Start the connection in Ramp

1. In Ramp, go to Automations > Integrations .
2. Search for Drata and select Connect .

Step 2: Create an OAuth application in Drata

1. Sign in to Drata using the new experience . Classic Drata does not support OAuth applications.
2. Go to Settings > OAuth Applications .
3. Select Create OAuth Application .
4. In Basic details , enter a name (for example, Ramp ) and set the expiration to Never .
5. Select Next .
6. In Scopes , enable the following:

• read:event
• read:vendor
• create:vendor
• update:vendor
• create:vendor-security-review
• read:vendor-security-review

7. Select Save and finish .

Step 3: Complete the connection in Ramp

1. In Drata, copy the cURL command from the Client Secret modal that appears after creating the OAuth application.
2. In Ramp, paste the entire cURL command into the Drata cURL command field. Ramp automatically extracts the token URL, client ID, client secret, and audience from the command.
3. Select Finish . The integration shows as connected.

Add Drata to a program workflow

1. In Ramp, go to Manage Spend > Programs .
2. Create a new Program or open an existing one.
3. Edit the approval workflow.
4. Select the + on the canvas and add the Drata security review step from the Integrations section.
5. Configure the Drata step:

• Owner : Assign someone to start the Drata security review. Make sure this person has access in Drata.
• Instructions : Add guidance for the reviewer (up to 1,000 characters).
• Due date : Set a deadline for the review step.
• Security review type : Choose the type of review to create in Drata. Options are Security , SOC Report , or Upload Report .
• Review deadline : Set the number of days the reviewer has to complete the security review in Drata. Ramp calculates the deadline date from the day the review is created.
• Field mappings (optional): Map Ramp form fields to Drata vendor fields such as category, privacy URL, contact information, and compliance-related fields. This populates the Drata vendor record with data from the Ramp request when the vendor is created.

6. Save and publish the Program.

Note: The Drata step becomes available in the workflow builder after you connect the Drata integration. If you do not see it, confirm the integration is connected under Automations > Integrations > Connected integrations.

How the workflow runs

When a spend request reaches the Drata step, Ramp handles the process in two stages:

1. Vendor created : Ramp creates the vendor in Drata using the vendor name and URL from the spend request. If you configured custom field mappings, Ramp also sends those values to Drata.
2. Review completed : Ramp waits for the security review to reach a final decision in Drata.

Ramp responds to the Drata decision as follows:

• Approved or Approved with conditions : Ramp advances the workflow to the next step.
• Rejected : Ramp rejects the request.

The assigned owner receives a task on the Ramp home screen to manage the review. Complete the security review in Drata (review, finalize, approve or reject), and the result syncs back to Ramp.

How results sync back to Ramp

Drata review results sync back to Ramp in two ways:

• Automatic sync : Ramp polls Drata for updates every hour. Allow up to one hour for results to appear after completing a review in Drata.
• Manual sync : To refresh the status immediately, use the sync option on the in-progress Drata step in the workflow.

Note: Drata does not currently support real-time webhook notifications. Results are retrieved through scheduled polling. If you need results reflected in Ramp immediately, use the manual sync option.

Troubleshooting

I cannot connect Drata

Confirm you are signed in to Drata's new experience, not Classic Drata. Classic Drata does not support OAuth applications. If the connection fails after pasting the cURL command, verify that you copied the entire command (including the opening curl keyword and all parameters) and that the JSON payload is intact with no extra spaces or line breaks.

The cURL command is not accepted

Ramp extracts the token URL, client ID, client secret, and audience from the cURL command's JSON payload. If any of these values are missing, the command is rejected. Go back to Drata, generate new credentials, and copy the full cURL command again.

Drata step is not available in the workflow builder

The Drata step only appears after the integration is connected. Go to Automations > Integrations and confirm Drata shows as connected.

Review results are not syncing back to Ramp

Ramp checks Drata for updates every hour. If you completed the review in Drata less than an hour ago, wait for the next sync cycle or use the manual sync option on the in-progress Drata step. If results still do not appear after an hour, verify that the OAuth application in Drata is still active and that the credentials have not been revoked.

The request was rejected unexpectedly

Check the review decision in Drata. If the security review was completed with a Rejected decision, Ramp rejects the request. Approved and Approved with conditions both advance the workflow.

Vendor was not created in Drata

Confirm the OAuth application in Drata has the create:vendor scope enabled. Also verify that the vendor name in the Ramp request is not empty.

Frequently asked questions

What scopes does the Drata OAuth application need?

Six scopes: read:event, read:vendor, create:vendor, update:vendor, create:vendor-security-review, and read:vendor-security-review.

How quickly do Drata results appear in Ramp?

Automatic sync runs every hour. Use the manual sync option on the in-progress Drata step if you need results sooner.

What security review types are supported?

Drata supports three security review types: Security, SOC Report, and Upload Report.

Can I map custom fields from Ramp to Drata?

Yes. You can map Ramp form fields to Drata vendor fields such as category, privacy URL, contact information, and compliance-related fields. Configure field mappings when setting up the Drata step in your workflow.

Does the Drata integration work with Classic Drata?

No. The integration requires Drata's new experience, which supports OAuth applications. Classic Drata does not support the OAuth flow Ramp uses to connect.

Can I disconnect the integration?

Yes. Go to Automations > Integrations > Connected integrations, select Drata, and select Disable. You can reconnect at any time by creating new OAuth credentials in Drata.

Related articles

• Configuring Procurement Workflows
• Connect and use the Vanta integration for security reviews in Ramp procurement workflows
• Set up and use the OneTrust integration with Ramp Programs
• Set up and use the LogicGate integration with Ramp Programs