// Trust & Security Report

    Ramp Business Corporation logo

    Ramp Business Corporation

    AI-native finance operations platform: corporate cards, expense management, bill pay / accounts payable, accounting automation, travel, and business banking for the core commercial product, plus a separately isolated 'Ramp for Public Sector' offering (FedRAMP/AWS GovCloud environment and a U.S.-only data residency environment) and 'Stack by Ramp', a newer AI product aimed at accounting firms.

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Ramp undergoes annual ISO 27001, SOC 1, SOC 2, and PCI audits to get external validation that our security program is aligned with industry standards. (Trust center lists 'SOC 2' with a SOC 2 Type 2 report dated through October 2025.)

    Verify on support.ramp.com
    SOC 1 Type II
    HELD

    Trust center lists 'SOC 1' alongside SOC 2, with a SOC 1 Type 2 report dated through October 2025; corroborated by the support article's statement that Ramp undergoes annual SOC 1 and SOC 2 audits.

    Verify on trust.ramp.com
    ISO/IEC 27001:2022
    HELD

    Ramp undergoes annual ISO 27001... audits to get external validation that our security program is aligned with industry standards. Trust center badge 'ISO/IEC 27001', certification dated 2025.

    Verify on support.ramp.com
    PCI DSS v4.0
    HELD

    Ramp abides by PCI security standards to ensure that all sensitive credit card information is processed, transmitted, and stored securely. Trust center badge 'PCI DSS' with an Attestation of Compliance dated December 2025.

    Verify on ramp.com
    CCPA
    HELD

    'CCPA' badge listed in the compliance section of the trust center; Ramp also operates a dedicated CCPA/state-privacy opt-out flow.

    Verify on trust.ramp.com
    GDPR (posture, not a certification)
    HELD

    Ramp publishes a Data Processing Addendum and a maintained subprocessor list ('these subprocessors have been evaluated in accordance with Ramp's third-party risk management process') as required for GDPR-style processor obligations. No GDPR 'certificate' exists under the regulation itself, so this reflects documented posture, not a formal cert.

    Verify on ramp.com
    FedRAMP (Ramp for Public Sector only)
    HELD

    Trust center badge 'FedRAMP Certified Class C'. Scope confirmed on a separate vendor page: 'two new environments designed specifically for public sector organizations, fully isolated from each other and from the commercial platform... one environment for teams that require FedRAMP compliance (running in AWS GovCloud), and another for teams that need U.S.-only data residency without the FedRAMP requirement.' This authorization applies ONLY to the isolated Public Sector/GovCloud environment, not Ramp's standard commercial product.

    Verify on ramp.com
    GovRAMP
    HELD

    'GovRAMP' badge listed in the trust center compliance section, consistent with the same public-sector environment described in the 'Ramp for Public Sector' announcement (state/local government authorization, modeled on FedRAMP).

    Verify on trust.ramp.com
    TX-RAMP
    HELD

    'TX-RAMP' badge listed in the trust center compliance section (Texas Risk and Authorization Management Program, for cloud products serving Texas state agencies); scoped to the public-sector offering, consistent with 'Ramp for Public Sector'.

    Verify on trust.ramp.com
    Cyber Essentials Plus
    HELD

    'Cyber Essentials Plus' badge listed in the trust center compliance section (UK government-backed cyber hygiene certification).

    Verify on trust.ramp.com
    > Show 3 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence: HIPAA does not appear as a badge or in any documentation section of the trust center, and no BAA offering is referenced on ramp.com or support.ramp.com. Ramp's product (spend/expense/AP) is not marketed as a healthcare data processor.

    source: trust.ramp.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not listed on the trust center badge set and not referenced on ramp.com's AI/security pages.

    source: trust.ramp.com
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    No public evidence. Not listed on the trust center badge set and no CSA STAR registry entry found.

    source: trust.ramp.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Primary commercial platform hosted on AWS with no publicly documented EU/regional data-residency option found. A separate 'Ramp for Public Sector' product line offers two isolated environments: one U.S.-only data residency environment, and one FedRAMP-authorized AWS GovCloud environment; both are described as fully isolated from the standard commercial platform.

    Per Ramp's own AI blog post: Ramp splits models into two categories. 'General models trained on aggregated and masked customer data to handle common tasks. These shared models learn patterns across customers by understanding the structure of the data rather than the actual contents' (i.e. no raw cross-customer data mixing). Separately, 'Sensitive models... can temporarily use private customer data without storing it' via in-context learning. A specific feature, contract-pricing benchmarking, is explicitly opt-in: 'Customers then have the choice to share their contract data to improve Ramp's models, but only if they explicitly opt in.' Third-party model providers used for AI features (e.g. Anthropic) are listed as evaluated subprocessors with signed DPAs on the trust center. Net: baseline aggregated/masked training happens by default; there is no documented account-level global opt-out from that baseline, only from the separate contract-pricing-sharing feature.

    // Security controls

    Encryption in transit and at rest

    "We follow industry standard methods to encrypt your data and keep your data safe while it's being sent and stored." Trust center also lists 'Encryption-at-rest' as a documented control.

    support.ramp.com

    Card data tokenization

    "We use tokenization technology that hides your credit card information (e.g., card number, CVV, etc)."

    support.ramp.com

    MFA / SSO

    Multi-factor authentication available for all users; SSO integration with Okta, Google, and Microsoft Azure AD.

    ramp.com

    Fraud monitoring

    24/7 monitoring with dedicated risk analytics and support teams; virtual-card, vendor-level spend restrictions.

    ramp.com

    External penetration testing

    Independent web, API, and mobile-app penetration test reports published for 2024 and 2025.

    trust.ramp.com

    Subprocessor management

    Maintained subprocessor list (e.g. Cloudflare, AWS, Amplitude, Astronomer, Anthropic) with signed DPAs; subprocessors are evaluated under Ramp's third-party risk management process.

    trust.ramp.com

    // Products & data scope

    Ramp (core commercial platform)Spend management / corporate cards / AP automation / accounting automation / banking

    data: Corporate card transactions, employee spend data, receipts, invoices, accounting/ERP sync data, banking data

    Standard multi-tenant SaaS product covered by SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001:2022, PCI DSS v4.0, and CCPA. No publicly documented EU data-residency option; hosted on standard AWS infrastructure.

    Ramp for Public SectorGovernment spend management

    data: Same categories of financial/spend data as the core platform, processed in a dedicated, isolated environment

    Two environments 'fully isolated from each other and from the commercial platform': (1) FedRAMP-authorized, running in AWS GovCloud, for federal/regulated agencies; (2) U.S.-only data residency environment (no FedRAMP requirement) for state/local use. GovRAMP and TX-RAMP badges align with this public-sector line.

    Stack by RampAI operating system for accounting firms

    data: Client accounting data processed on behalf of accounting firms using the product

    Newly launched product (per homepage banner as of mid-2026). No separate compliance documentation was found distinct from the core Ramp trust center; treat as covered by the same core-platform certifications until confirmed otherwise.

    // What to watch

    • SCOPE CAVEAT: FedRAMP, GovRAMP, and TX-RAMP badges on trust.ramp.com apply to the separate, isolated 'Ramp for Public Sector' environment (AWS GovCloud), NOT the standard commercial product that most AIFOXX users (startups/SMBs) would sign up for. Do not display a generic 'FedRAMP certified' badge on the main listing without this scope caveat.
    • SOURCE-QUALITY NOTE: Primary compliance-badge evidence (SOC1/2, ISO 27001, PCI, CCPA, FedRAMP, GovRAMP, TX-RAMP, Cyber Essentials Plus) came from trust.ramp.com, a SafeBase-hosted vendor trust center on Ramp's own domain, fetched and summarized three times with consistent results, plus corroboration from support.ramp.com and ramp.com/security for SOC 2, ISO 27001, and PCI DSS specifically. FedRAMP scope was independently corroborated via a separate ramp.com/blog page. GovRAMP, TX-RAMP, and Cyber Essentials Plus have only the trust-center badge as evidence (no second independent vendor page found) - recommend a human spot-check of trust.ramp.com before display if these three are surfaced prominently.
    • THIRD-PARTY DISCREPANCY IGNORED: A third-party aggregator (trustlists.org) claims Ramp holds HIPAA, but this was not found anywhere on trust.ramp.com or any other Ramp-owned page; trustlists.org appears to reuse a generic, possibly auto-generated cert list and was not used as evidence. HIPAA is graded held=false.
    • AI TRAINING NUANCE: Ramp trains general-purpose models on aggregated/masked customer data by default (no raw cross-customer mixing documented); a specific contract-pricing-benchmarking feature is opt-in only. There is no documented blanket opt-out from the baseline aggregated/masked training. Anthropic and other AI providers appear on Ramp's subprocessor list with signed DPAs.

    // At a glance

    Pricing model

    Free core platform monetized primarily via card interchange revenue, with paid upsell tiers (e.g. Ramp Plus) and custom enterprise/public-sector contracts.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Ramp Business Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.ramp.com

    > Browse all vendor trust reports