FEWER SPREADSHEETS, BETTER RESULTS

Before Vanta, Ramp needed hundreds of spreadsheets to manage compliance. Vanta’s customized frameworks eliminate the clutter.

CENTRALIZED COMPLIANCE CONTROLS

Vanta makes it easy for Ramp to develop, upload, and maintain custom compliance controls in a centralized dashboard.

DOING MORE WITH LESS

Vanta’s automated GRC solutions help Ramp’s lean security team—with just two GRC employees—stay ahead of its fast-evolving needs.

“Vanta is the one-stop shop that helps us scale as a business. The future of Vanta is an exciting one for us.”

Paul Yoo
Head of Platform Security, Ramp

THE COMPANY

An all-in-one finance solution to save businesses time and money

Ramp is a financial operations platform that helps businesses achieve more by spending less. Over 30,000 businesses, from fast-growing tech companies like Stripe and Shopify to mature enterprises like CBRE, use Ramp’s corporate accounting and spend management software to control spend across their organization and automate tedious tasks. To date, the company has collectively saved customers over $2 billion and 20 million hours.

“With Ramp, you can pay expenses, you can pay bills, you can automate bookkeeping, book travel, and manage vendors and procurement workflows, all in one platform,” says Paul Yoo, Head of Platform Security at Ramp.

Paul’s team of 13 full-time security professionals maintains compliance in more than a dozen U.S. and international security frameworks. Some, like PCI-DSS, FedRAMP, and HIPAA, are mandatory for companies that handle certain types of data from U.S. customers or work with U.S. government agencies. Others, like NIST CSF and the Open Finance Data Security Standard, are crucial to building customer trust in the heavily regulated, high-stakes financial services industry.

Like many of its customers, Ramp is scaling fast. More than 1,000 employees and counting work between offices in Manhattan, Miami, and San Francisco, and Paul says it has big plans to expand its solutions and broaden its reach. To keep up, Paul’s small team needed a Ramp-like automation solution for its governance, risk, and compliance (GRC) needs.

THE CHALLENGE

Ramp was outgrowing its manual, redundant GRC processes 

Before Vanta, Paul’s team mostly used manual workflows to manage its extensive, ever-evolving U.S. and international compliance obligations. 

"Because we are in the money movement business, we operate in a highly regulated industry," Paul says.

The manual approach created extra work for the team, especially when Ramp needed to integrate new compliance frameworks. Ramp’s global platform supports transfers and payments in 40 currencies and 195 countries, which means the team must keep up with frameworks not only in the U.S., but across the world. 

The process looked something like this: When Ramp’s legal team alerted its security colleagues to a new framework, Paul’s team would have to manually download each new framework, review the documentation, convert the frameworks into spreadsheets, “and then manually go through each one and see if we had anything in place to meet them,” he explains.

This time-consuming process became more and more cumbersome as Ramp scaled. Once Paul’s team had integrated a new framework into its compliance process, they were stuck spending additional, unnecessary hours on manual, point-in-time checks to prepare for SOC 2 audits and meet the requirements of broad security frameworks like ISO 27001, 27017, and 27018. Keeping up was a real challenge because Ramp currently only has two full-time GRC employees.

It became clear to Paul and his team that automation and continuous monitoring were core requirements for Ramp’s GRC program, which they knew would continue to evolve—and get even more complicated—as Ramp grew. They sought a GRC solution that their small team could implement easily, manage effectively, and depend on to scale with the business.

THE SOLUTION

A faster, more accurate solution to build and manage compliance frameworks

The search led them to Vanta, which Paul’s team saw as a true security and compliance partner that could do more than just automate framework compliance and audits. 

“What drew us to Vanta was that we wanted to partner with a solution that could help us automate a lot of our manual efforts so that we can actually scale our GRC program as our business scales,” Paul says.

Now, Ramp utilizes a selection of Vanta’s 35+ pre-built compliance frameworks to reduce manual effort and stay on top of its evolving compliance obligations. The result is a centralized control set that Ramp’s security team can maintain, pull from, and customize as its needs evolve.

Additionally, Ramp uses Vanta’s continuous monitoring capabilities to ensure it remains compliant between audit cycles without time-consuming manual checks. Vanta also automates evidence collection and cross-maps it across their frameworks, speeding up audit preparation and freeing Paul’s small team to focus on higher-value work.

“Vanta is the one-stop shop that helps us scale as a business,” Paul says. “The future of Vanta is an exciting one for us.”

THE IMPACT

Fewer spreadsheets, countless hours saved, and better visibility into compliance

By centralizing Ramp’s custom controls and mapping them into continuously monitored frameworks, Vanta eliminates much of the team’s manual work. It provides much better visibility into Ramp’s evolving GRC program and makes it easy to integrate new compliance frameworks as they come. And most gratifying for Paul’s team, using Vanta means saying goodbye to those annoying, redundant spreadsheets.

“We don't have to have 10 different spreadsheets for every different framework and regulation that comes out,” Paul says. They leverage the saved time with Vanta to do even more with a lean team, focusing on “other areas of our security program that are equally important,” he adds.

Vanta’s custom framework capabilities are particularly exciting for Ramp. One of Ramp’s priorities as it grows is to “build a lot of our own control set and then be able to map that to all the different frameworks that we have to adhere to, and all the new ones that come out,” says Paul. As its custom controls take shape, Ramp can use Vanta’s customization capabilities to augment the platform’s existing frameworks and pre-built customizations. When the time comes, Vanta’s bulk upload feature makes it easy to quickly transfer detailed controls built by the team into Vanta and seamlessly map them into each framework.

Far from being a barrier, Ramp’s GRC program is now a growth driver thanks to Vanta.

“We love working with Vanta, particularly because we wanted not just a solution but a real partner … to come alongside us to be able to help us grow,” Paul says.

“We would work with our legal team and they would let us know of a new framework coming out.”

Paul Yoo
Head of Platform Security, Ramp
