// Trust & Security Report
Ramp Business Corporation
AI-native finance operations platform: corporate cards, expense management, bill pay / accounts payable, accounting automation, travel, and business banking for the core commercial product, plus a separately isolated 'Ramp for Public Sector' offering (FedRAMP/AWS GovCloud environment and a U.S.-only data residency environment) and 'Stack by Ramp', a newer AI product aimed at accounting firms.
Certifications held
10
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on support.ramp.com“Ramp undergoes annual ISO 27001, SOC 1, SOC 2, and PCI audits to get external validation that our security program is aligned with industry standards. (Trust center lists 'SOC 2' with a SOC 2 Type 2 report dated through October 2025.)”
Verify on trust.ramp.com“Trust center lists 'SOC 1' alongside SOC 2, with a SOC 1 Type 2 report dated through October 2025; corroborated by the support article's statement that Ramp undergoes annual SOC 1 and SOC 2 audits.”
Verify on support.ramp.com“Ramp undergoes annual ISO 27001... audits to get external validation that our security program is aligned with industry standards. Trust center badge 'ISO/IEC 27001', certification dated 2025.”
Verify on ramp.com“Ramp abides by PCI security standards to ensure that all sensitive credit card information is processed, transmitted, and stored securely. Trust center badge 'PCI DSS' with an Attestation of Compliance dated December 2025.”
Verify on trust.ramp.com“'CCPA' badge listed in the compliance section of the trust center; Ramp also operates a dedicated CCPA/state-privacy opt-out flow.”
Verify on ramp.com“Ramp publishes a Data Processing Addendum and a maintained subprocessor list ('these subprocessors have been evaluated in accordance with Ramp's third-party risk management process') as required for GDPR-style processor obligations. No GDPR 'certificate' exists under the regulation itself, so this reflects documented posture, not a formal cert.”
Verify on ramp.com“Trust center badge 'FedRAMP Certified Class C'. Scope confirmed on a separate vendor page: 'two new environments designed specifically for public sector organizations, fully isolated from each other and from the commercial platform... one environment for teams that require FedRAMP compliance (running in AWS GovCloud), and another for teams that need U.S.-only data residency without the FedRAMP requirement.' This authorization applies ONLY to the isolated Public Sector/GovCloud environment, not Ramp's standard commercial product.”
Verify on trust.ramp.com“'GovRAMP' badge listed in the trust center compliance section, consistent with the same public-sector environment described in the 'Ramp for Public Sector' announcement (state/local government authorization, modeled on FedRAMP).”
Verify on trust.ramp.com“'TX-RAMP' badge listed in the trust center compliance section (Texas Risk and Authorization Management Program, for cloud products serving Texas state agencies); scoped to the public-sector offering, consistent with 'Ramp for Public Sector'.”
Verify on trust.ramp.com“'Cyber Essentials Plus' badge listed in the trust center compliance section (UK government-backed cyber hygiene certification).”
> Show 3 unconfirmed / not-held certifications
source: trust.ramp.comNo public evidence: HIPAA does not appear as a badge or in any documentation section of the trust center, and no BAA offering is referenced on ramp.com or support.ramp.com. Ramp's product (spend/expense/AP) is not marketed as a healthcare data processor.
source: trust.ramp.comNo public evidence. Not listed on the trust center badge set and not referenced on ramp.com's AI/security pages.
source: trust.ramp.comNo public evidence. Not listed on the trust center badge set and no CSA STAR registry entry found.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Primary commercial platform hosted on AWS with no publicly documented EU/regional data-residency option found. A separate 'Ramp for Public Sector' product line offers two isolated environments: one U.S.-only data residency environment, and one FedRAMP-authorized AWS GovCloud environment; both are described as fully isolated from the standard commercial platform.
Per Ramp's own AI blog post: Ramp splits models into two categories. 'General models trained on aggregated and masked customer data to handle common tasks. These shared models learn patterns across customers by understanding the structure of the data rather than the actual contents' (i.e. no raw cross-customer data mixing). Separately, 'Sensitive models... can temporarily use private customer data without storing it' via in-context learning. A specific feature, contract-pricing benchmarking, is explicitly opt-in: 'Customers then have the choice to share their contract data to improve Ramp's models, but only if they explicitly opt in.' Third-party model providers used for AI features (e.g. Anthropic) are listed as evaluated subprocessors with signed DPAs on the trust center. Net: baseline aggregated/masked training happens by default; there is no documented account-level global opt-out from that baseline, only from the separate contract-pricing-sharing feature.
// Security controls
Encryption in transit and at rest
"We follow industry standard methods to encrypt your data and keep your data safe while it's being sent and stored." Trust center also lists 'Encryption-at-rest' as a documented control.
support.ramp.comCard data tokenization
"We use tokenization technology that hides your credit card information (e.g., card number, CVV, etc)."
support.ramp.comMFA / SSO
Multi-factor authentication available for all users; SSO integration with Okta, Google, and Microsoft Azure AD.
ramp.comFraud monitoring
24/7 monitoring with dedicated risk analytics and support teams; virtual-card, vendor-level spend restrictions.
ramp.comExternal penetration testing
Independent web, API, and mobile-app penetration test reports published for 2024 and 2025.
trust.ramp.comSubprocessor management
Maintained subprocessor list (e.g. Cloudflare, AWS, Amplitude, Astronomer, Anthropic) with signed DPAs; subprocessors are evaluated under Ramp's third-party risk management process.
trust.ramp.com// Products & data scope
data: Corporate card transactions, employee spend data, receipts, invoices, accounting/ERP sync data, banking data
Standard multi-tenant SaaS product covered by SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001:2022, PCI DSS v4.0, and CCPA. No publicly documented EU data-residency option; hosted on standard AWS infrastructure.
data: Same categories of financial/spend data as the core platform, processed in a dedicated, isolated environment
Two environments 'fully isolated from each other and from the commercial platform': (1) FedRAMP-authorized, running in AWS GovCloud, for federal/regulated agencies; (2) U.S.-only data residency environment (no FedRAMP requirement) for state/local use. GovRAMP and TX-RAMP badges align with this public-sector line.
data: Client accounting data processed on behalf of accounting firms using the product
Newly launched product (per homepage banner as of mid-2026). No separate compliance documentation was found distinct from the core Ramp trust center; treat as covered by the same core-platform certifications until confirmed otherwise.
// What to watch
- SCOPE CAVEAT: FedRAMP, GovRAMP, and TX-RAMP badges on trust.ramp.com apply to the separate, isolated 'Ramp for Public Sector' environment (AWS GovCloud), NOT the standard commercial product that most AIFOXX users (startups/SMBs) would sign up for. Do not display a generic 'FedRAMP certified' badge on the main listing without this scope caveat.
- SOURCE-QUALITY NOTE: Primary compliance-badge evidence (SOC1/2, ISO 27001, PCI, CCPA, FedRAMP, GovRAMP, TX-RAMP, Cyber Essentials Plus) came from trust.ramp.com, a SafeBase-hosted vendor trust center on Ramp's own domain, fetched and summarized three times with consistent results, plus corroboration from support.ramp.com and ramp.com/security for SOC 2, ISO 27001, and PCI DSS specifically. FedRAMP scope was independently corroborated via a separate ramp.com/blog page. GovRAMP, TX-RAMP, and Cyber Essentials Plus have only the trust-center badge as evidence (no second independent vendor page found) - recommend a human spot-check of trust.ramp.com before display if these three are surfaced prominently.
- THIRD-PARTY DISCREPANCY IGNORED: A third-party aggregator (trustlists.org) claims Ramp holds HIPAA, but this was not found anywhere on trust.ramp.com or any other Ramp-owned page; trustlists.org appears to reuse a generic, possibly auto-generated cert list and was not used as evidence. HIPAA is graded held=false.
- AI TRAINING NUANCE: Ramp trains general-purpose models on aggregated/masked customer data by default (no raw cross-customer mixing documented); a specific contract-pricing-benchmarking feature is opt-in only. There is no documented blanket opt-out from the baseline aggregated/masked training. Anthropic and other AI providers appear on Ramp's subprocessor list with signed DPAs.
// At a glance
Pricing model
Free core platform monetized primarily via card interchange revenue, with paid upsell tiers (e.g. Ramp Plus) and custom enterprise/public-sector contracts.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Ramp Business Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.ramp.com