OnRamp Security Overview
Last updated: March 14, 2026
OnRamp is built for B2B customer onboarding, which means it regularly handles sensitive project data, customer information, and integration credentials. Here’s how we protect it.
Certifications & Compliance
SOC 2 Type II — OnRamp holds an unqualified (clean) SOC 2 Type II certification, audited annually by an independent third-party firm; we have received clean reports for four consecutive years.
HIPAA — OnRamp’s platform, data handling, and processes are HIPAA compliant, audited as part of our annual SOC 2 process. Business Associate Agreements (BAAs) are available — contact your Account Manager.
CCPA — OnRamp is CCPA compliant and can fulfill CCPA-related data requests.
GDPR — OnRamp supports GDPR compliance. For organizations that require EU data residency, we can provision EU-hosted infrastructure. Contact your Account Manager to discuss requirements.
Annual Penetration Testing — OnRamp conducts an annual third-party penetration test. The most recent report is available to customers under NDA — contact your Account Manager or security@onramp.us.
Encryption
In transit: All data transmitted between your browser, the OnRamp app, and our servers is encrypted using TLS 1.2 or higher.
At rest: Data stored in OnRamp’s infrastructure is encrypted at rest using AES-256.
Customer portal: All customer portal sessions run over HTTPS. Portal links require authentication before any project data is shown (see Customer portal authentication under Authentication below).
Authentication
Password-based login: Passwords are hashed and never stored in plaintext.
Single Sign-On (SSO): OnRamp supports SSO via Google, Okta, and Azure Active Directory (SAML). SSO is available as an add-on — contact your CSM to enable it.
Customer portal authentication: Customers authenticate via a secure PIN sent to their email address, or through your organization’s SSO if configured. No separate password is required.
Access Controls
Role-based permissions: OnRamp uses a role-based access control model. Internal users can be Admins, Creators, Collaborators, or view-only.
Project-level access: Customers only see projects and tasks they’ve been explicitly invited to. One customer cannot access another’s data.
Internal task visibility: Internal tasks are hidden from customers by default. Admins can control which task details are visible in the portal on a per-project basis.
Infrastructure
OnRamp’s infrastructure is hosted on AWS (Amazon Web Services).
Data is stored in the United States by default. EU hosting is available for organizations with GDPR data residency requirements — contact your Account Manager.
Regular backups are performed to protect against data loss.
Integration Security
Integrations use OAuth 2.0 where supported, avoiding the need to store raw credentials.
API keys and secrets are stored encrypted and never exposed in the UI after initial entry.
Webhooks support authentication via secret tokens to verify requests originate from OnRamp.
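The following is an added illustration of how a receiving system can check a webhook secret token on its side; it is example code written for this page, not OnRamp's own code. The header name X-Webhook-Token and the request shapes are constructed assumptions for the example. The points it shows are the ones a practitioner should get right: fail closed when no token is configured, look the header up case-insensitively, and compare the presented token in constant time so that response timing does not leak it.

```python
import hmac
import secrets

# Assumption for this example: the header that carries the shared secret.
# Use the header name from your webhook configuration in practice.
TOKEN_HEADER = "X-Webhook-Token"


def generate_webhook_token(num_bytes: int = 32) -> str:
    """Create a random shared secret suitable for configuring a webhook endpoint."""
    return secrets.token_urlsafe(num_bytes)


def _find_header(headers: dict, wanted: str):
    """Case-insensitive header lookup, since HTTP header names are not case-sensitive."""
    wanted = wanted.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value
    return None


def verify_webhook_token(headers: dict, expected_token: str) -> bool:
    """Return True only if the request carries the configured shared secret token.

    - An empty or missing configured token fails closed (never accept everything).
    - A missing header fails.
    - The comparison uses hmac.compare_digest so timing does not reveal how many
      leading bytes of a guessed token were correct.
    """
    if not expected_token:
        return False
    presented = _find_header(headers, TOKEN_HEADER)
    if presented is None:
        return False
    # Encode to bytes: compare_digest on str raises for non-ASCII input.
    return hmac.compare_digest(presented.encode("utf-8"), expected_token.encode("utf-8"))


def handle_webhook(headers: dict, body: bytes, expected_token: str):
    """Minimal receiver: authenticate first, only then touch the payload.

    Returns an (HTTP status, reason) tuple so the decision is easy to test and log.
    """
    if not verify_webhook_token(headers, expected_token):
        # Log the rejection without echoing the presented token value.
        return (401, "missing or invalid webhook token")
    # Payload processing would go here; the body is intentionally not parsed
    # until the sender has been authenticated.
    return (200, "accepted")


if __name__ == "__main__":
    # Constructed sample requests for a quick local run.
    configured = generate_webhook_token()
    good = {"X-Webhook-Token": configured, "Content-Type": "application/json"}
    bad = {"x-webhook-token": configured[:-1] + "x"}
    print(handle_webhook(good, b"{}", configured))  # (200, 'accepted')
    print(handle_webhook(bad, b"{}", configured))   # (401, 'missing or invalid webhook token')
    print(handle_webhook({}, b"{}", configured))    # (401, 'missing or invalid webhook token')
```

Store the configured token in a secrets manager or environment variable rather than in source, and rotate it by configuring the new value on both sides; because the check returns a result instead of raising, it slots into any web framework's request handler.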
PHI and HIPAA Considerations
OnRamp’s platform and processes are HIPAA compliant. PHI (Protected Health Information) is not included in email notification bodies sent by OnRamp. For customers handling PHI, we recommend engaging your Account Manager to discuss your specific requirements and execute a BAA.
Responsible Disclosure
If you believe you’ve discovered a security vulnerability, contact security@onramp.us. We take all reports seriously and will respond promptly.