Security

IdRamp is committed to the security of the Verified Workforce platform and the trust of the organizations that use it. This page describes the security practices, attestations, partner standards, and operational frameworks that govern how IdRamp builds and operates its platform.


Compliance and Attestations

SOC 2 Type 2

IdRamp has achieved SOC 2 Type 2 attestation, independently audited in accordance with the Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA). Unlike a point-in-time assessment, SOC 2 Type 2 validates that IdRamp’s security controls have been operating effectively and consistently over the full audit period.

The SOC 2 framework governs IdRamp’s approach to security across the organization, including but not limited to access controls, change management, risk assessment, incident response, and vendor management. Customers and prospective customers may request a copy of IdRamp’s SOC 2 report under NDA through the contact link below.

Microsoft Security Elite Partner

IdRamp holds Microsoft Security Elite Partner status with an Entra Verified ID specialization. This designation is granted by Microsoft to a select number of vetted partners that meet Microsoft’s security, architecture, and alignment standards. It reflects IdRamp’s deep integration with Microsoft’s identity security roadmap and its standing within the Entra ecosystem.

ServiceNow Store Certified

The IdRamp platform is certified in the ServiceNow Store. ServiceNow certification requires meeting defined security, architecture, and support standards before any application is made available to enterprise customers.

SailPoint Certified Integration

IdRamp’s integration with SailPoint is fully live and certified by the SailPoint partner team, meeting SailPoint’s security and technical standards for native integrations within their identity governance platform.

Data Protection Compliance

IdRamp’s zero PII retention architecture is designed to support customers’ own GDPR and CCPA compliance obligations. IdRamp’s architecture keeps identity data within the customer’s own infrastructure.

Platform Security

Zero PII Retention

IdRamp operates on a security-by-design architecture that does not store or retain personally identifiable information. Verified identity results are written directly to the customer’s own infrastructure. IdRamp holds no personal data.

This is a deliberate architectural decision. The verified truth belongs in the customer’s infrastructure, not in a third-party system.

Encryption

Data transmitted through the IdRamp platform is protected using industry-standard encryption in transit and at rest. IdRamp applies strong encryption standards consistent with current best practices.

Native API Architecture

IdRamp integrations are built on native platform APIs across Microsoft Entra, Okta, ServiceNow, Workday, SailPoint, and others, enabling secure interoperability within each platform’s own security model.

Security Testing and Assessment

Annual Third-Party Penetration Testing

IdRamp conducts annual penetration testing performed by independent third-party security specialists. This testing is conducted in accordance with IdRamp’s SOC 2 program and covers platform components within a defined scope. Findings are reviewed, prioritized, and remediated as part of IdRamp’s ongoing security program.

Subprocessor and Partner Security Assessments

IdRamp conducts annual security assessments of subprocessors and partners within its vendor management program. Vendor management and third-party security assessment are requirements of IdRamp’s SOC 2 program, ensuring that third parties operating within IdRamp’s ecosystem are evaluated against consistent security standards on a regular basis.

Infrastructure

Microsoft Azure Infrastructure

The IdRamp platform is hosted on Microsoft Azure. Azure maintains its own independently audited compliance program, which includes attestations such as SOC 2, ISO 27001, and FedRAMP High. Hosting on Azure is itself a security decision, and IdRamp’s platform benefits from a rigorously audited infrastructure stack that enterprise organizations already rely on.

Physical security, environmental controls, network infrastructure, and hardware operations are managed by Microsoft under their published security standards. These controls are independently audited and form part of the foundation on which IdRamp’s own SOC 2 attestation is built.

Redundancy and Availability

IdRamp’s platform is built on Azure’s native redundancy capabilities, including availability zones and geographic resilience. This infrastructure provides the foundation for IdRamp’s documented Disaster Recovery plans, which are tested and maintained as a requirement of IdRamp’s SOC 2 program. Recovery procedures are validated on a regular basis to support continuity of service for enterprise customers.

Incident Response and Support

Incident Response

IdRamp maintains a documented Incident Response plan that is tested and maintained in accordance with its SOC 2 program. Incident response obligations are governed by individual customer agreements.

ITIL-Aligned Operations

IdRamp’s incident response and support operations follow ITIL framework standards. Service management, incident handling, and escalation processes are structured, documented, and consistently applied, giving enterprise customers a predictable operational experience aligned to the standards their own IT organizations recognize and expect.

SOC 2 Type 2 reports, security documentation, and additional compliance information are available to customers and qualified prospective customers under NDA. Contact IdRamp at idramp.com/contact.


© 2026 IdRamp. All Rights Reserved.