Security & Encryption
Whitepaper
Comprehensive technical documentation of OnRaven's security architecture, encryption methods, audit logging, and how we align with major security and privacy frameworks. Last updated: March 2026.
1. Security Overview
OnRaven is built with security at its core. Our platform implements enterprise-grade security measures to protect your customer conversations and business data at every layer of our infrastructure.
Core Security Principles
- Defense in Depth: Multiple layers of security controls throughout the stack
- Encryption at Rest & in Transit: All data encrypted using industry-standard algorithms
- Comprehensive Audit Logging: Every data access is logged for security monitoring
- Zero Trust Architecture: Strict access controls and verification at every layer
- Framework alignment: Technical and operational readiness is tracked against GDPR-, CCPA-, PIPEDA-, SOC 2-, and other mapped control themes—not a substitute for your own assessments or formal certification.
2. Encryption Architecture
2.1 Message Encryption at Rest
All conversation messages are encrypted at the database level using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode), providing both confidentiality and authenticity.
Encryption Specifications
- Algorithm: AES-256-GCM
- Key Length: 256 bits (32 bytes)
- IV Length: 128 bits (16 bytes, randomly generated per encryption)
- Authentication Tag: 128 bits (16 bytes)
- Key Derivation: PBKDF2 with SHA-256 (100,000 iterations)
2.2 Encryption Process Flow
Step 1: Key Derivation
Master encryption key is derived from a secure secret using PBKDF2 with 100,000 iterations and a fixed salt.
Step 2: Message Encryption
Each message array is serialized to JSON and encrypted using AES-256-GCM with a randomly generated IV.
Step 3: Storage Format
Encrypted data is stored as Base64-encoded string containing: [IV + AuthTag + Ciphertext]
Step 4: Retrieval & Decryption
Upon retrieval, the service automatically decrypts messages before returning them to the application layer.
2.3 Transport Layer Security
All data in transit is protected using TLS 1.3 with strong cipher suites:
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- Perfect Forward Secrecy (PFS) enabled
- HSTS (HTTP Strict Transport Security) enforced
2.4 Key Management
Encryption keys are managed securely:
- Master keys stored in environment variables (not in code or database)
- Keys are never logged or exposed in API responses
- Future roadmap includes AWS KMS integration for enhanced key rotation
- Per-tenant encryption keys available for enterprise customers
3. Data Protection
3.1 Database Security
- Encrypted Connections: All database connections use SSL/TLS encryption
- Network Isolation: Database servers run in private VPC subnets with no public access
- Automated Backups: Daily encrypted backups with 30-day retention
- Point-in-Time Recovery: PITR enabled for disaster recovery
3.2 Data Classification
🔴 Highly Sensitive
Customer messages, PII, payment data
Protection: Encrypted at rest + transit, strict access controls, comprehensive audit logs
🟠 Sensitive
API keys, authentication tokens, campaign data
Protection: Encrypted at rest, hashed when possible, limited access
🟡 Internal
User preferences, settings, non-PII metadata
Protection: Role-based access, tenant isolation
🟢 Public
Documentation, marketing materials
Protection: Standard web security practices
3.3 Data Retention & Deletion
We implement strict data retention policies to comply with privacy regulations:
- Active Data: Retained while account is active and customer has valid subscription
- Closed Conversations: Retained per customer settings (default: 2 years)
- Account Deletion: All data permanently deleted within 30 days of account closure
- Backup Retention: Encrypted backups retained for 30 days, then permanently deleted
- Right to Deletion: GDPR Article 17 "Right to be Forgotten" fully supported
4. Comprehensive Audit Logging
Every access to sensitive data is logged for security monitoring, compliance, and incident investigation.
4.1 What We Log
Authentication Events
Sign-in attempts (success & failure), Password changes, MFA events, Session creation/termination
Data Access
Message viewing/retrieval, Conversation access, Customer data exports, Admin panel access
Administrative Actions
User role changes, Settings modifications, Integration changes, API key generation/revocation
Data Modifications
Conversation deletions, Account closures, Data exports, GDPR deletion requests
4.2 Audit Log Structure
Each audit log entry contains:
{
"timestamp": "2026-02-05T10:30:00Z",
"userId": "uuid",
"domainId": "tenant-uuid",
"activityType": "message.access",
"ipAddress": "192.168.1.1",
"userAgent": "Mozilla/5.0...",
"customFields": {
"conversationId": "conv-uuid",
"messageCount": 25,
"action": "view"
}
}4.3 Audit Log Retention & Access
- Audit logs retained for minimum 2 years (configurable per customer requirements)
- Logs stored in immutable format to prevent tampering
- Available for customer review via admin dashboard
- Exportable for external SIEM integration (enterprise customers)
- Real-time alerting for suspicious activity patterns
5. Access Control & Authentication
5.1 Role-Based Access Control (RBAC)
OnRaven implements granular RBAC with hierarchical permission levels ensuring team members only access what they need. Our system includes platform-level and tenant-level permissions with fine-grained control over features like user management, campaigns, integrations, and customer data access.
5.2 Authentication Mechanisms
- JWT-based Authentication: Stateless tokens with 24-hour expiration
- Magic Link Login: Passwordless authentication with single-use tokens (15-minute expiry)
- Password Security: Bcrypt hashing with proper salt rounds
- MFA Support: Multi-factor authentication available for enterprise customers
- API Key Authentication: Encrypted API keys with usage tracking and revocation
5.3 Multi-Tenancy & Data Isolation
Every query includes domain/tenant filtering to ensure complete data isolation:
- Database queries automatically filtered by domain_id
- Row-level security prevents cross-tenant data access
- Separate encryption keys available per tenant (enterprise)
- Network-level isolation via VPC peering for large customers
6. Compliance, readiness & frameworks
We continuously monitor code, cloud, and delivery pipelines against major security and privacy frameworks (including through Aikido Security).
6.1 Monitored frameworks
PCI DSS Level 1
Via StripeCardholder data is processed by Stripe; we still monitor platform and infrastructure controls that support a secure payment posture.
GDPR
ReadyEncryption, access management, logging, and processing safeguards are monitored against GDPR-aligned themes. Readiness is technical and operational—not a regulatory sign-off.
CCPA
ReadyData access, deletion, and security-of-processing themes are handled in product policy and monitored in infrastructure and application controls.
PIPEDA
ReadyAs a Canadian company, we align fair-information and security-safeguard expectations with monitored technical controls.
SOC 2
ReadyTrust Services Criteria themes (security, availability, confidentiality) are tracked across cloud, change management, access, and vulnerability SLAs. A SOC 2 Type II report is a separate formal attestation.
HIPAA
ReadyTechnical safeguards such as encryption, access control, audit logging, and backups are monitored against HIPAA-aligned checklists. Enterprise customers needing a BAA should contact us.
ISO 27001:2022
ReadyAnnex A-style areas—access, cryptography, logging, backups, vulnerability management, and secure development—are covered in continuous monitoring. ISO 27001 certification requires an accredited audit.
OWASP Top 10
ReadyApplication and cloud checks address broken access control, injection, cryptographic failures, SSRF, logging, and related risks from the OWASP Top 10.
NIST SP 800-53
ReadySecurity and privacy control families relevant to our SaaS footprint are monitored where applicable—not a FedRAMP package or government ATO.
CIS Controls & AWS Benchmark
ReadyCIS Controls v8.1 themes and CIS AWS Foundations Benchmark expectations inform ongoing configuration and hygiene monitoring.
NIS2 (EU)
ReadyICT risk management, incident handling, supply chain, and resilience practices are monitored against NIS2-aligned requirements.
DORA (EU)
ReadyOperational resilience themes—detection, response, backup, and governance—are monitored against DORA-aligned ICT risk expectations.
UK Cyber Essentials
ReadyCore controls for boundary protection, secure configuration, access, malware protection, and patching are monitored against Cyber Essentials-style criteria.
HITRUST CSF
ReadyHealth-data-oriented control themes are monitored at high coverage in our security program. This does not constitute HITRUST certification.
6.2 Formal attestations vs. operational readiness
The items below typically require separate programs, contracts, or independent validation beyond mapped-control monitoring:
- SOC 2 Type II: an independent auditor's report over a defined period—separate from continuous control monitoring.
- ISO 27001: formal certification requires an accredited certification body audit.
- HIPAA for covered workloads: enterprise customers needing a BAA should contact us to scope requirements.
- Customer-specific penetration testing and formal reports may be available under NDA where appropriate.
6.3 GDPR Data Subject Rights
We fully support all GDPR data subject rights:
- Right to Access (Article 15): Export all personal data via settings panel
- Right to Rectification (Article 16): Update profile and data through dashboard
- Right to Erasure (Article 17): Delete account and all associated data
- Right to Data Portability (Article 20): Export data in machine-readable format
- Right to Object (Article 21): Opt out of data processing activities
Questions About Our Security?
Our security team is available to answer technical questions, provide additional documentation, or discuss custom security requirements for enterprise deployments.