Security FAQs
Last updated: March 19, 2026
Common security and compliance questions from customers and enterprise buyers — answered.
Is OnRamp SOC 2 certified?
Yes. OnRamp has completed SOC 2 Type II examinations with an unqualified (clean) opinion for four consecutive years. Strictly speaking, SOC 2 is an attestation report rather than a certification: an independent third-party audit firm examines our controls annually and issues the report. The full report is available to customers under NDA; contact your Account Manager or security@onramp.us.
Is OnRamp HIPAA compliant?
Yes. OnRamp's platform, data handling, and processes are HIPAA compliant. HIPAA compliance is audited annually as part of our SOC 2 process. PHI is not included in email notification bodies sent by OnRamp. Business Associate Agreements (BAAs) are available — contact your Account Manager.
Is OnRamp GDPR compliant?
Yes. OnRamp is GDPR compliant. For organizations that require EU data residency, we can provision EU-hosted infrastructure. Contact your Account Manager to discuss your specific requirements.
Is OnRamp CCPA compliant?
Yes. OnRamp is CCPA compliant and can fulfill CCPA-related data requests. Contact privacy@onramp.us with any CCPA requests.
Does OnRamp conduct penetration testing?
Yes. OnRamp conducts an annual third-party penetration test. The most recent report is available to customers under NDA — contact your Account Manager or security@onramp.us.
Is data encrypted?
Yes. All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Customer portal sessions are always served over HTTPS.
Where is my data stored?
OnRamp's infrastructure runs on AWS. Data is stored in the United States by default. EU hosting is available for organizations with GDPR data residency requirements — contact your Account Manager.
Can customers see each other's data?
No. Customer access is strictly scoped to the projects they've been explicitly invited to. One customer cannot access another customer's projects, tasks, or data.
Can customers see internal-only tasks?
No — internal tasks are hidden from customers by default. Admins can configure exactly what task details are visible in the customer portal on a per-project basis.
Does OnRamp support Single Sign-On (SSO)?
Yes. OnRamp supports SSO via Google, Okta, and Azure Active Directory (SAML) for internal team members. SSO is an add-on feature — contact your CSM or Account Manager to enable it.
How do customers authenticate to the portal?
By default, customers authenticate via a secure one-click link sent to their email address; no separate password is required. Because the emailed link is the credential, portal access for that customer is only as strong as the protection on the mailbox that receives it.
For organizations that want their own identity provider to govern portal access, Federated SSO for the Customer Portal is also available. Customer organizations authenticate to the OnRamp portal through their IdP (such as Okta or Azure AD), so no separate login credentials are issued and the IdP's own policies (MFA, account lifecycle) apply. Contact your Account Manager to discuss setup.
Can OnRamp sign a BAA for HIPAA?
Yes. Contact your Account Manager to execute a Business Associate Agreement.
How are integrations secured?
Integrations use OAuth 2.0 where the third-party service supports it. API keys and secrets are stored encrypted and are not displayed in the UI after setup. Webhooks support a shared secret so that the receiving system can verify that each request originated from OnRamp before acting on it.
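The receiving side of that webhook check, as an added example written for this page rather than code from OnRamp: the page says only that webhooks carry a shared secret, so the header names, the HMAC-SHA256 signing scheme, and the five-minute replay window below are assumptions for illustration. The example verifies the raw body before parsing it, uses a constant-time comparison, and rejects stale timestamps.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Hypothetical header names and signing scheme. The page states only that
# webhooks use a shared secret; these details are assumed for the example.
SIG_HEADER = "X-OnRamp-Signature"
TS_HEADER = "X-OnRamp-Timestamp"
MAX_SKEW_SECONDS = 300  # reject signatures older than five minutes (replay window)


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' so the timestamp is bound to the payload."""
    msg = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Always verify on the raw bytes, before any JSON parsing."""
    now = time.time() if now is None else now
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts is None or sig is None:
        return False, "missing signature headers"
    try:
        ts_val = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts_val) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = compute_signature(secret, ts, body)
    # Constant-time compare so response timing cannot leak the expected digest.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


def handle_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> Optional[dict]:
    """Parse and return the event only after the signature has been verified."""
    ok, _reason = verify_webhook(secret, headers, body, now)
    if not ok:
        return None
    return json.loads(body)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed sample exchange (not a real OnRamp event): sender signs, receiver checks."""
    secret = b"example-shared-secret"
    body = json.dumps({"event": "task.completed", "project_id": "demo-123"}).encode()
    ts = str(int(time.time()))
    headers = {TS_HEADER: ts, SIG_HEADER: compute_signature(secret, ts, body)}
    accepted = verify_webhook(secret, headers, body)[0]
    tampered = verify_webhook(secret, headers, body.replace(b"demo-123", b"demo-124"))[0]
    replayed = verify_webhook(secret, headers, body, now=time.time() + 3600)[0]
    return accepted, tampered, replayed


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The timestamp is part of the signed message, so an attacker who captures a valid delivery cannot re-send it outside the window or move the signature to a different payload; the receiver should also store processed event IDs if the provider supplies them, which this page does not specify.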
Can I get a security questionnaire completed?
Yes — contact your Account Manager or security@onramp.us and we'll work with you to complete your organization's security review.
How do I report a security vulnerability?
Email security@onramp.us with details, including the affected component, steps to reproduce, and the impact you observed. We take all reports seriously and will respond promptly.