What is OnRaven’s all-in-one customer communication platform?

OnRaven brings every customer conversation—messaging, phone calls, IVR, WhatsApp calling, WhatsApp, Instagram, Facebook, TikTok, SMS, RCS, Email, Telegram, and web chat—into one platform. Teams often call this omnichannel; OnRaven delivers that breadth with 11+ channels in every plan and no per-channel add-on fees.

Is OnRaven more affordable than other customer communication platforms?

Yes. OnRaven starts at $0 with a free plan, and paid plans begin at $49/month with unlimited messages across all channels. Many platforms charge $55-$74+ per agent or per seat from day one, or use per-contact pricing. OnRaven gives you all 11+ channels with flat base pricing — per-seat only when you exceed plan limits.

Which channels and calling features does OnRaven support?

OnRaven supports WhatsApp Business (messaging and calling), Instagram DMs, Facebook Messenger, TikTok, SMS, RCS, Email, Telegram, voice/phone, IVR, and more. New channels are added regularly based on customer requests.

Do I need to code or have technical skills?

Not at all! OnRaven is designed for business users. Our visual workflow builder lets you create automations with drag-and-drop. No coding required. If you can use email, you can use OnRaven.

Is my customer data secure?

Yes. We use AES-256 encryption for data at rest and TLS 1.3 for data in transit. Our infrastructure runs on AWS in US and Canadian data centers, following SOC 2 best practices. We never sell your data.

Where is OnRaven based?

OnRaven is headquartered in Toronto, Ontario, Canada. We are a proudly Canadian startup with infrastructure hosted on AWS Canada (ca-central-1), ensuring data residency and low latency for North American customers while serving businesses worldwide.

How is OnRaven different from other tools?

OnRaven is built as an all-in-one customer communication platform: unified messaging, voice, IVR, and 11+ channels with automation, team collaboration, and analytics included in every plan.

Can I send bulk messages or broadcasts?

Yes! You can send targeted broadcast campaigns to your opted-in subscribers. Our platform ensures compliance with platform policies and anti-spam regulations. You can segment audiences and personalize messages at scale.

Connectez-vous Commencez

Technical Documentation

Security & Encryption
Whitepaper

Documentation technique complète sur l'architecture de sécurité d'OnRaven, le chiffrement, la journalisation d'audit et l'alignement sur les principaux cadres de sécurité et de confidentialité. Dernière mise à jour : mars 2026.

1. Overview 2. Encryption Architecture 3. Data Protection 4. Audit Logging 5. Access Control 6. Conformité et maturité opérationnelle

1. Security Overview

OnRaven is built with security at its core. Our platform implements enterprise-grade security measures to protect your customer conversations and business data at every layer of our infrastructure.

Core Security Principles

Defense in Depth: Multiple layers of security controls throughout the stack
Encryption at Rest & in Transit: All data encrypted using industry-standard algorithms
Comprehensive Audit Logging: Every data access is logged for security monitoring
Zero Trust Architecture: Strict access controls and verification at every layer
Alignement sur les cadres : la maturité technique et opérationnelle est suivie par rapport aux thèmes de contrôles mappés (RGPD, CCPA, PIPEDA, SOC 2, etc.)—ce n'est pas un substitut à vos propres évaluations ni une certification formelle.

2. Encryption Architecture

2.1 Message Encryption at Rest

All conversation messages are encrypted at the database level using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode), providing both confidentiality and authenticity.

Encryption Specifications

Algorithm: AES-256-GCM
Key Length: 256 bits (32 bytes)
IV Length: 128 bits (16 bytes, randomly generated per encryption)
Authentication Tag: 128 bits (16 bytes)
Key Derivation: PBKDF2 with SHA-256 (100,000 iterations)

2.2 Encryption Process Flow

Step 1: Key Derivation

Master encryption key is derived from a secure secret using PBKDF2 with 100,000 iterations and a fixed salt.

Step 2: Message Encryption

Each message array is serialized to JSON and encrypted using AES-256-GCM with a randomly generated IV.

Step 3: Storage Format

Encrypted data is stored as Base64-encoded string containing: [IV + AuthTag + Ciphertext]

Step 4: Retrieval & Decryption

Upon retrieval, the service automatically decrypts messages before returning them to the application layer.

2.3 Transport Layer Security

All data in transit is protected using TLS 1.3 with strong cipher suites:

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
Perfect Forward Secrecy (PFS) enabled
HSTS (HTTP Strict Transport Security) enforced

2.4 Key Management

Encryption keys are managed securely:

Master keys stored in environment variables (not in code or database)
Keys are never logged or exposed in API responses
Future roadmap includes AWS KMS integration for enhanced key rotation
Per-tenant encryption keys available for enterprise customers

3. Data Protection

3.1 Database Security

Encrypted Connections: All database connections use SSL/TLS encryption
Network Isolation: Database servers run in private VPC subnets with no public access
Automated Backups: Daily encrypted backups with 30-day retention
Point-in-Time Recovery: PITR enabled for disaster recovery

3.2 Data Classification

🔴 Highly Sensitive

Customer messages, PII, payment data

Protection: Encrypted at rest + transit, strict access controls, comprehensive audit logs

🟠 Sensitive

API keys, authentication tokens, campaign data

Protection: Encrypted at rest, hashed when possible, limited access

🟡 Internal

User preferences, settings, non-PII metadata

Protection: Role-based access, tenant isolation

🟢 Public

Documentation, marketing materials

Protection: Standard web security practices

3.3 Data Retention & Deletion

We implement strict data retention policies to comply with privacy regulations:

Active Data: Retained while account is active and customer has valid subscription
Closed Conversations: Retained per customer settings (default: 2 years)
Account Deletion: All data permanently deleted within 30 days of account closure
Backup Retention: Encrypted backups retained for 30 days, then permanently deleted
Right to Deletion: GDPR Article 17 "Right to be Forgotten" fully supported

4. Comprehensive Audit Logging

Every access to sensitive data is logged for security monitoring, compliance, and incident investigation.

4.1 What We Log

Authentication Events

Sign-in attempts (success & failure), Password changes, MFA events, Session creation/termination

Data Access

Message viewing/retrieval, Conversation access, Customer data exports, Admin panel access

Administrative Actions

User role changes, Settings modifications, Integration changes, API key generation/revocation

Data Modifications

Conversation deletions, Account closures, Data exports, GDPR deletion requests

4.2 Audit Log Structure

Each audit log entry contains:

{
  "timestamp": "2026-02-05T10:30:00Z",
  "userId": "uuid",
  "domainId": "tenant-uuid",
  "activityType": "message.access",
  "ipAddress": "192.168.1.1",
  "userAgent": "Mozilla/5.0...",
  "customFields": {
    "conversationId": "conv-uuid",
    "messageCount": 25,
    "action": "view"
  }
}

4.3 Audit Log Retention & Access

Audit logs retained for minimum 2 years (configurable per customer requirements)
Logs stored in immutable format to prevent tampering
Available for customer review via admin dashboard
Exportable for external SIEM integration (enterprise customers)
Real-time alerting for suspicious activity patterns

5. Access Control & Authentication

5.1 Role-Based Access Control (RBAC)

OnRaven implements granular RBAC with hierarchical permission levels ensuring team members only access what they need. Our system includes platform-level and tenant-level permissions with fine-grained control over features like user management, campaigns, integrations, and customer data access.

5.2 Authentication Mechanisms

JWT-based Authentication: Stateless tokens with 24-hour expiration
Magic Link Login: Passwordless authentication with single-use tokens (15-minute expiry)
Password Security: Bcrypt hashing with proper salt rounds
MFA Support: Multi-factor authentication available for enterprise customers
API Key Authentication: Encrypted API keys with usage tracking and revocation

5.3 Multi-Tenancy & Data Isolation

Every query includes domain/tenant filtering to ensure complete data isolation:

Database queries automatically filtered by domain_id
Row-level security prevents cross-tenant data access
Separate encryption keys available per tenant (enterprise)
Network-level isolation via VPC peering for large customers

6. Conformité, maturité opérationnelle et cadres

Nous surveillons en continu le code, le cloud et les pipelines de livraison par rapport aux principaux cadres de sécurité et de confidentialité (notamment via Aikido Security).

6.1 Cadres surveillés

PCI DSS Level 1

Via Stripe

Cardholder data is processed by Stripe; we still monitor platform and infrastructure controls that support a secure payment posture.

GDPR

Prêt

Encryption, access management, logging, and processing safeguards are monitored against GDPR-aligned themes. Readiness is technical and operational—not a regulatory sign-off.

CCPA

Prêt

Data access, deletion, and security-of-processing themes are handled in product policy and monitored in infrastructure and application controls.

PIPEDA

Prêt

As a Canadian company, we align fair-information and security-safeguard expectations with monitored technical controls.

SOC 2

Prêt

Trust Services Criteria themes (security, availability, confidentiality) are tracked across cloud, change management, access, and vulnerability SLAs. A SOC 2 Type II report is a separate formal attestation.

HIPAA

Prêt

Technical safeguards such as encryption, access control, audit logging, and backups are monitored against HIPAA-aligned checklists. Enterprise customers needing a BAA should contact us.

ISO 27001:2022

Prêt

Annex A-style areas—access, cryptography, logging, backups, vulnerability management, and secure development—are covered in continuous monitoring. ISO 27001 certification requires an accredited audit.

OWASP Top 10

Prêt

Application and cloud checks address broken access control, injection, cryptographic failures, SSRF, logging, and related risks from the OWASP Top 10.

NIST SP 800-53

Prêt

Security and privacy control families relevant to our SaaS footprint are monitored where applicable—not a FedRAMP package or government ATO.

CIS Controls & AWS Benchmark

Prêt

CIS Controls v8.1 themes and CIS AWS Foundations Benchmark expectations inform ongoing configuration and hygiene monitoring.

NIS2 (EU)

Prêt

ICT risk management, incident handling, supply chain, and resilience practices are monitored against NIS2-aligned requirements.

DORA (EU)

Prêt

Operational resilience themes—detection, response, backup, and governance—are monitored against DORA-aligned ICT risk expectations.

UK Cyber Essentials

Prêt

Core controls for boundary protection, secure configuration, access, malware protection, and patching are monitored against Cyber Essentials-style criteria.

HITRUST CSF

Prêt

Health-data-oriented control themes are monitored at high coverage in our security program. This does not constitute HITRUST certification.

6.2 Attestations formelles vs maturité opérationnelle

Les éléments ci-dessous nécessitent généralement des programmes, contrats ou validations indépendantes distincts du suivi des contrôles mappés :

SOC 2 Type II : rapport d'un auditeur indépendant sur une période définie—distinct du suivi continu des contrôles.
ISO 27001 : la certification formelle exige un audit par un organisme accrédité.
HIPAA pour les traitements concernés : les clients entreprise ayant besoin d'un BAA doivent nous contacter pour cadrer les exigences.
Tests d'intrusion spécifiques au client et rapports formels peuvent être disponibles sous NDA le cas échéant.

6.3 Droits des personnes concernées (GDPR)

We fully support all GDPR data subject rights:

Right to Access (Article 15): Export all personal data via settings panel
Right to Rectification (Article 16): Update profile and data through dashboard
Right to Erasure (Article 17): Delete account and all associated data
Right to Data Portability (Article 20): Export data in machine-readable format
Right to Object (Article 21): Opt out of data processing activities

Questions About Our Security?

Our security team is available to answer technical questions, provide additional documentation, or discuss custom security requirements for enterprise deployments.

Contact Security Team Back to Security Overview

Security & EncryptionWhitepaper

Table of Contents

1. Security Overview

Core Security Principles

2. Encryption Architecture

2.1 Message Encryption at Rest

Encryption Specifications

2.2 Encryption Process Flow

2.3 Transport Layer Security

2.4 Key Management

3. Data Protection

3.1 Database Security

3.2 Data Classification

🔴 Highly Sensitive

🟠 Sensitive

🟡 Internal

🟢 Public

3.3 Data Retention & Deletion

4. Comprehensive Audit Logging

4.1 What We Log

Authentication Events

Data Access

Administrative Actions

Data Modifications

4.2 Audit Log Structure

4.3 Audit Log Retention & Access

5. Access Control & Authentication

5.1 Role-Based Access Control (RBAC)

5.2 Authentication Mechanisms

5.3 Multi-Tenancy & Data Isolation

6. Conformité, maturité opérationnelle et cadres

6.1 Cadres surveillés

PCI DSS Level 1

GDPR

CCPA

PIPEDA

SOC 2

HIPAA

ISO 27001:2022

OWASP Top 10

NIST SP 800-53

CIS Controls & AWS Benchmark

NIS2 (EU)

DORA (EU)

UK Cyber Essentials

HITRUST CSF

6.2 Attestations formelles vs maturité opérationnelle

6.3 Droits des personnes concernées (GDPR)

Questions About Our Security?

Security & Encryption
Whitepaper