What is OnRaven’s all-in-one customer communication platform?

OnRaven brings every customer conversation—messaging, phone calls, IVR, WhatsApp calling, WhatsApp, Instagram, Facebook, TikTok, SMS, RCS, Email, Telegram, and web chat—into one platform. Teams often call this omnichannel; OnRaven delivers that breadth with 11+ channels in every plan and no per-channel add-on fees.

Is OnRaven more affordable than other customer communication platforms?

Yes. OnRaven starts at $0 with a free plan, and paid plans begin at $49/month with unlimited messages across all channels. Many platforms charge $55-$74+ per agent or per seat from day one, or use per-contact pricing. OnRaven gives you all 11+ channels with flat base pricing — per-seat only when you exceed plan limits.

Which channels and calling features does OnRaven support?

OnRaven supports WhatsApp Business (messaging and calling), Instagram DMs, Facebook Messenger, TikTok, SMS, RCS, Email, Telegram, voice/phone, IVR, and more. New channels are added regularly based on customer requests.

Do I need to code or have technical skills?

Not at all! OnRaven is designed for business users. Our visual workflow builder lets you create automations with drag-and-drop. No coding required. If you can use email, you can use OnRaven.

Is my customer data secure?

Yes. We use AES-256 encryption for data at rest and TLS 1.3 for data in transit. Our infrastructure runs on AWS in US and Canadian data centers, following SOC 2 best practices. We never sell your data.

Where is OnRaven based?

OnRaven is headquartered in Toronto, Ontario, Canada. We are a proudly Canadian startup with infrastructure hosted on AWS Canada (ca-central-1), ensuring data residency and low latency for North American customers while serving businesses worldwide.

How is OnRaven different from other tools?

OnRaven is built as an all-in-one customer communication platform: unified messaging, voice, IVR, and 11+ channels with automation, team collaboration, and analytics included in every plan.

Can I send bulk messages or broadcasts?

Yes! You can send targeted broadcast campaigns to your opted-in subscribers. Our platform ensures compliance with platform policies and anti-spam regulations. You can segment audiences and personalize messages at scale.

Technical Documentation

Security & Encryption
Whitepaper

Umfassende technische Dokumentation zu OnRavens Sicherheitsarchitektur, Verschlüsselung, Audit-Logging und zur Ausrichtung an gängige Sicherheits- und Datenschutzrahmen. Zuletzt aktualisiert: März 2026.

1. Overview 2. Encryption Architecture 3. Data Protection 4. Audit Logging 5. Access Control 6. Compliance & Bereitschaft

1. Security Overview

OnRaven is built with security at its core. Our platform implements enterprise-grade security measures to protect your customer conversations and business data at every layer of our infrastructure.

Core Security Principles

Defense in Depth: Multiple layers of security controls throughout the stack
Encryption at Rest & in Transit: All data encrypted using industry-standard algorithms
Comprehensive Audit Logging: Every data access is logged for security monitoring
Zero Trust Architecture: Strict access controls and verification at every layer
Rahmen-Ausrichtung: Technische und operative Bereitschaft wird anhand gemappter Kontrollthemen (u. a. DSGVO, CCPA, PIPEDA, SOC 2) verfolgt—kein Ersatz für Ihre eigenen Bewertungen oder eine formale Zertifizierung.

2. Encryption Architecture

2.1 Message Encryption at Rest

All conversation messages are encrypted at the database level using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode), providing both confidentiality and authenticity.

Encryption Specifications

Algorithm: AES-256-GCM
Key Length: 256 bits (32 bytes)
IV Length: 128 bits (16 bytes, randomly generated per encryption)
Authentication Tag: 128 bits (16 bytes)
Key Derivation: PBKDF2 with SHA-256 (100,000 iterations)

2.2 Encryption Process Flow

Step 1: Key Derivation

Master encryption key is derived from a secure secret using PBKDF2 with 100,000 iterations and a fixed salt.

Step 2: Message Encryption

Each message array is serialized to JSON and encrypted using AES-256-GCM with a randomly generated IV.

Step 3: Storage Format

Encrypted data is stored as Base64-encoded string containing: [IV + AuthTag + Ciphertext]

Step 4: Retrieval & Decryption

Upon retrieval, the service automatically decrypts messages before returning them to the application layer.

2.3 Transport Layer Security

All data in transit is protected using TLS 1.3 with strong cipher suites:

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
Perfect Forward Secrecy (PFS) enabled
HSTS (HTTP Strict Transport Security) enforced

2.4 Key Management

Encryption keys are managed securely:

Master keys stored in environment variables (not in code or database)
Keys are never logged or exposed in API responses
Future roadmap includes AWS KMS integration for enhanced key rotation
Per-tenant encryption keys available for enterprise customers

3. Data Protection

3.1 Database Security

Encrypted Connections: All database connections use SSL/TLS encryption
Network Isolation: Database servers run in private VPC subnets with no public access
Automated Backups: Daily encrypted backups with 30-day retention
Point-in-Time Recovery: PITR enabled for disaster recovery

3.2 Data Classification

🔴 Highly Sensitive

Customer messages, PII, payment data

Protection: Encrypted at rest + transit, strict access controls, comprehensive audit logs

🟠 Sensitive

API keys, authentication tokens, campaign data

Protection: Encrypted at rest, hashed when possible, limited access

🟡 Internal

User preferences, settings, non-PII metadata

Protection: Role-based access, tenant isolation

🟢 Public

Documentation, marketing materials

Protection: Standard web security practices

3.3 Data Retention & Deletion

We implement strict data retention policies to comply with privacy regulations:

Active Data: Retained while account is active and customer has valid subscription
Closed Conversations: Retained per customer settings (default: 2 years)
Account Deletion: All data permanently deleted within 30 days of account closure
Backup Retention: Encrypted backups retained for 30 days, then permanently deleted
Right to Deletion: GDPR Article 17 "Right to be Forgotten" fully supported

4. Comprehensive Audit Logging

Every access to sensitive data is logged for security monitoring, compliance, and incident investigation.

4.1 What We Log

Authentication Events

Sign-in attempts (success & failure), Password changes, MFA events, Session creation/termination

Data Access

Message viewing/retrieval, Conversation access, Customer data exports, Admin panel access

Administrative Actions

User role changes, Settings modifications, Integration changes, API key generation/revocation

Data Modifications

Conversation deletions, Account closures, Data exports, GDPR deletion requests

4.2 Audit Log Structure

Each audit log entry contains:

{
  "timestamp": "2026-02-05T10:30:00Z",
  "userId": "uuid",
  "domainId": "tenant-uuid",
  "activityType": "message.access",
  "ipAddress": "192.168.1.1",
  "userAgent": "Mozilla/5.0...",
  "customFields": {
    "conversationId": "conv-uuid",
    "messageCount": 25,
    "action": "view"
  }
}

4.3 Audit Log Retention & Access

Audit logs retained for minimum 2 years (configurable per customer requirements)
Logs stored in immutable format to prevent tampering
Available for customer review via admin dashboard
Exportable for external SIEM integration (enterprise customers)
Real-time alerting for suspicious activity patterns

5. Access Control & Authentication

5.1 Role-Based Access Control (RBAC)

OnRaven implements granular RBAC with hierarchical permission levels ensuring team members only access what they need. Our system includes platform-level and tenant-level permissions with fine-grained control over features like user management, campaigns, integrations, and customer data access.

5.2 Authentication Mechanisms

JWT-based Authentication: Stateless tokens with 24-hour expiration
Magic Link Login: Passwordless authentication with single-use tokens (15-minute expiry)
Password Security: Bcrypt hashing with proper salt rounds
MFA Support: Multi-factor authentication available for enterprise customers
API Key Authentication: Encrypted API keys with usage tracking and revocation

5.3 Multi-Tenancy & Data Isolation

Every query includes domain/tenant filtering to ensure complete data isolation:

Database queries automatically filtered by domain_id
Row-level security prevents cross-tenant data access
Separate encryption keys available per tenant (enterprise)
Network-level isolation via VPC peering for large customers

6. Compliance, Bereitschaft & Rahmenwerke

Wir überwachen kontinuierlich Code, Cloud und Bereitstellungspipelines gegen gängige Sicherheits- und Datenschutzrahmen (u. a. mit Aikido Security).

6.1 Überwachte Rahmenwerke

PCI DSS Stufe 1

Über Stripe

Karteninhaberdaten verarbeitet Stripe; wir überwachen weiterhin Plattform- und Infrastrukturkontrollen für eine sichere Zahlungsumgebung.

DSGVO

Bereit

Verschlüsselung, Zugriffsverwaltung, Protokollierung und Verarbeitungsschutz werden gegen DSGVO-orientierte Themen überwacht. Bereitschaft ist technisch und operativ—keine behördliche Abnahme.

CCPA

Bereit

Datenzugriff, Löschung und Sicherheit der Verarbeitung werden in der Produktpolitik adressiert und in Infrastruktur- und Anwendungskontrollen überwacht.

PIPEDA

Bereit

Als kanadisches Unternehmen richten wir faire Informations- und Sicherheitsanforderungen an überwachte technische Kontrollen aus.

SOC 2

Bereit

Trust-Services-Kriterien (Sicherheit, Verfügbarkeit, Vertraulichkeit) werden über Cloud, Änderungsmanagement, Zugriff und Schwachstellen-SLAs verfolgt. Ein SOC-2-Typ-II-Bericht ist eine separate formelle Attestierung.

HIPAA

Bereit

Technische Schutzmaßnahmen wie Verschlüsselung, Zugriffskontrolle, Audit-Logging und Backups werden an HIPAA-orientierten Checklisten überwacht. Unternehmenskunden mit BAA-Bedarf kontaktieren uns bitte.

ISO 27001:2022

Bereit

Anhang-A-artige Bereiche—Zugriff, Kryptographie, Logging, Backups, Schwachstellenmanagement und sichere Entwicklung—sind in der kontinuierlichen Überwachung enthalten. ISO-27001-Zertifizierung erfordert ein akkreditiertes Audit.

OWASP Top 10

Bereit

Anwendungs- und Cloud-Prüfungen adressieren u. a. fehlerhafte Zugriffskontrolle, Injection, kryptographische Fehler, SSRF, Logging und verwandte OWASP-Risiken.

NIST SP 800-53

Bereit

Sicherheits- und Datenschutz-Kontrollfamilien für unsere SaaS-Landschaft werden wo zutreffend überwacht—kein FedRAMP-Paket oder behördliches ATO.

CIS Controls & AWS Benchmark

Bereit

CIS Controls v8.1 und Erwartungen des CIS AWS Foundations Benchmark fließen in laufende Konfigurations- und Hygieneüberwachung ein.

NIS2 (EU)

Bereit

IKT-Risikomanagement, Vorfallbearbeitung, Lieferkette und Resilienz werden an NIS2-ausgerichteten Anforderungen überwacht.

DORA (EU)

Bereit

Operative Resilienz—Erkennung, Reaktion, Backup und Governance—wird an DORA-ausgerichteten IKT-Risikothemen überwacht.

UK Cyber Essentials

Bereit

Kernkontrollen für Perimeterschutz, sichere Konfiguration, Zugriff, Malwareschutz und Patches werden an Cyber-Essentials-ähnlichen Kriterien überwacht.

HITRUST CSF

Bereit

Gesundheitsdaten-orientierte Kontrollthemen werden mit hoher Abdeckung in unserem Sicherheitsprogramm überwacht. Dies ist keine HITRUST-Zertifizierung.

6.2 Formelle Attestierungen vs. operative Bereitschaft

Die folgenden Punkte erfordern typischerweise separate Programme, Verträge oder unabhängige Prüfung jenseits des Monitorings gemappter Kontrollen:

SOC 2 Typ II: unabhängiger Prüferbericht über einen definierten Zeitraum—getrennt vom kontinuierlichen Kontrollmonitoring.
ISO 27001: formelle Zertifizierung erfordert ein Audit durch eine akkreditierte Zertifizierungsstelle.
HIPAA für relevante Verarbeitungen: Unternehmenskunden mit BAA-Bedarf sollten uns zur Einordnung kontaktieren.
Kundenspezifische Penetrationstests und formelle Reports können unter NDA verfügbar sein, soweit angemessen.

6.3 Betroffenenrechte nach DSGVO

We fully support all GDPR data subject rights:

Right to Access (Article 15): Export all personal data via settings panel
Right to Rectification (Article 16): Update profile and data through dashboard
Right to Erasure (Article 17): Delete account and all associated data
Right to Data Portability (Article 20): Export data in machine-readable format
Right to Object (Article 21): Opt out of data processing activities

Questions About Our Security?

Our security team is available to answer technical questions, provide additional documentation, or discuss custom security requirements for enterprise deployments.

Contact Security Team Back to Security Overview

Security & EncryptionWhitepaper

Table of Contents

1. Security Overview

Core Security Principles

2. Encryption Architecture

2.1 Message Encryption at Rest

Encryption Specifications

2.2 Encryption Process Flow

2.3 Transport Layer Security

2.4 Key Management

3. Data Protection

3.1 Database Security

3.2 Data Classification

🔴 Highly Sensitive

🟠 Sensitive

🟡 Internal

🟢 Public

3.3 Data Retention & Deletion

4. Comprehensive Audit Logging

4.1 What We Log

Authentication Events

Data Access

Administrative Actions

Data Modifications

4.2 Audit Log Structure

4.3 Audit Log Retention & Access

5. Access Control & Authentication

5.1 Role-Based Access Control (RBAC)

5.2 Authentication Mechanisms

5.3 Multi-Tenancy & Data Isolation

6. Compliance, Bereitschaft & Rahmenwerke

6.1 Überwachte Rahmenwerke

PCI DSS Stufe 1

DSGVO

CCPA

PIPEDA

SOC 2

HIPAA

ISO 27001:2022

OWASP Top 10

NIST SP 800-53

CIS Controls & AWS Benchmark

NIS2 (EU)

DORA (EU)

UK Cyber Essentials

HITRUST CSF

6.2 Formelle Attestierungen vs. operative Bereitschaft

6.3 Betroffenenrechte nach DSGVO

Questions About Our Security?

Security & Encryption
Whitepaper