What is OnRaven’s all-in-one customer communication platform?

OnRaven brings every customer conversation—messaging, phone calls, IVR, WhatsApp calling, WhatsApp, Instagram, Facebook, TikTok, SMS, RCS, Email, Telegram, and web chat—into one platform. Teams often call this omnichannel; OnRaven delivers that breadth with 11+ channels in every plan and no per-channel add-on fees.

Is OnRaven more affordable than other customer communication platforms?

Yes. OnRaven starts at $0 with a free plan, and paid plans begin at $49/month with unlimited messages across all channels. Many platforms charge $55-$74+ per agent or per seat from day one, or use per-contact pricing. OnRaven gives you all 11+ channels with flat base pricing — per-seat only when you exceed plan limits.

Which channels and calling features does OnRaven support?

OnRaven supports WhatsApp Business (messaging and calling), Instagram DMs, Facebook Messenger, TikTok, SMS, RCS, Email, Telegram, voice/phone, IVR, and more. New channels are added regularly based on customer requests.

Do I need to code or have technical skills?

Not at all! OnRaven is designed for business users. Our visual workflow builder lets you create automations with drag-and-drop. No coding required. If you can use email, you can use OnRaven.

Is my customer data secure?

Yes. We use AES-256 encryption for data at rest and TLS 1.3 for data in transit. Our infrastructure runs on AWS in US and Canadian data centers, following SOC 2 best practices. We never sell your data.

Where is OnRaven based?

OnRaven is headquartered in Toronto, Ontario, Canada. We are a proudly Canadian startup with infrastructure hosted on AWS Canada (ca-central-1), ensuring data residency and low latency for North American customers while serving businesses worldwide.

How is OnRaven different from other tools?

OnRaven is built as an all-in-one customer communication platform: unified messaging, voice, IVR, and 11+ channels with automation, team collaboration, and analytics included in every plan.

Can I send bulk messages or broadcasts?

Yes! You can send targeted broadcast campaigns to your opted-in subscribers. Our platform ensures compliance with platform policies and anti-spam regulations. You can segment audiences and personalize messages at scale.

Technical Documentation

Security & Encryption
Whitepaper

OnRaven의 보안 아키텍처, 암호화, 감사 로깅, 주요 보안·개인정보 프레임워크와의 정렬을 다루는 기술 문서입니다. 최종 업데이트: 2026년 3월.

1. Overview 2. Encryption Architecture 3. Data Protection 4. Audit Logging 5. Access Control 6. 규정 준수 및 준비 상태

1. Security Overview

OnRaven is built with security at its core. Our platform implements enterprise-grade security measures to protect your customer conversations and business data at every layer of our infrastructure.

Core Security Principles

Defense in Depth: Multiple layers of security controls throughout the stack
Encryption at Rest & in Transit: All data encrypted using industry-standard algorithms
Comprehensive Audit Logging: Every data access is logged for security monitoring
Zero Trust Architecture: Strict access controls and verification at every layer
프레임워크 정렬: GDPR, CCPA, PIPEDA, SOC 2 등 매핑된 통제 주제에 대해 기술·운영적 준비 상태를 추적합니다. 공식 인증이나 귀사 자체 평가를 대체하지 않습니다.

2. Encryption Architecture

2.1 Message Encryption at Rest

All conversation messages are encrypted at the database level using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode), providing both confidentiality and authenticity.

Encryption Specifications

Algorithm: AES-256-GCM
Key Length: 256 bits (32 bytes)
IV Length: 128 bits (16 bytes, randomly generated per encryption)
Authentication Tag: 128 bits (16 bytes)
Key Derivation: PBKDF2 with SHA-256 (100,000 iterations)

2.2 Encryption Process Flow

Step 1: Key Derivation

Master encryption key is derived from a secure secret using PBKDF2 with 100,000 iterations and a fixed salt.

Step 2: Message Encryption

Each message array is serialized to JSON and encrypted using AES-256-GCM with a randomly generated IV.

Step 3: Storage Format

Encrypted data is stored as Base64-encoded string containing: [IV + AuthTag + Ciphertext]

Step 4: Retrieval & Decryption

Upon retrieval, the service automatically decrypts messages before returning them to the application layer.

2.3 Transport Layer Security

All data in transit is protected using TLS 1.3 with strong cipher suites:

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
Perfect Forward Secrecy (PFS) enabled
HSTS (HTTP Strict Transport Security) enforced

2.4 Key Management

Encryption keys are managed securely:

Master keys stored in environment variables (not in code or database)
Keys are never logged or exposed in API responses
Future roadmap includes AWS KMS integration for enhanced key rotation
Per-tenant encryption keys available for enterprise customers

3. Data Protection

3.1 Database Security

Encrypted Connections: All database connections use SSL/TLS encryption
Network Isolation: Database servers run in private VPC subnets with no public access
Automated Backups: Daily encrypted backups with 30-day retention
Point-in-Time Recovery: PITR enabled for disaster recovery

3.2 Data Classification

🔴 Highly Sensitive

Customer messages, PII, payment data

Protection: Encrypted at rest + transit, strict access controls, comprehensive audit logs

🟠 Sensitive

API keys, authentication tokens, campaign data

Protection: Encrypted at rest, hashed when possible, limited access

🟡 Internal

User preferences, settings, non-PII metadata

Protection: Role-based access, tenant isolation

🟢 Public

Documentation, marketing materials

Protection: Standard web security practices

3.3 Data Retention & Deletion

We implement strict data retention policies to comply with privacy regulations:

Active Data: Retained while account is active and customer has valid subscription
Closed Conversations: Retained per customer settings (default: 2 years)
Account Deletion: All data permanently deleted within 30 days of account closure
Backup Retention: Encrypted backups retained for 30 days, then permanently deleted
Right to Deletion: GDPR Article 17 "Right to be Forgotten" fully supported

4. Comprehensive Audit Logging

Every access to sensitive data is logged for security monitoring, compliance, and incident investigation.

4.1 What We Log

Authentication Events

Sign-in attempts (success & failure), Password changes, MFA events, Session creation/termination

Data Access

Message viewing/retrieval, Conversation access, Customer data exports, Admin panel access

Administrative Actions

User role changes, Settings modifications, Integration changes, API key generation/revocation

Data Modifications

Conversation deletions, Account closures, Data exports, GDPR deletion requests

4.2 Audit Log Structure

Each audit log entry contains:

{
  "timestamp": "2026-02-05T10:30:00Z",
  "userId": "uuid",
  "domainId": "tenant-uuid",
  "activityType": "message.access",
  "ipAddress": "192.168.1.1",
  "userAgent": "Mozilla/5.0...",
  "customFields": {
    "conversationId": "conv-uuid",
    "messageCount": 25,
    "action": "view"
  }
}

4.3 Audit Log Retention & Access

Audit logs retained for minimum 2 years (configurable per customer requirements)
Logs stored in immutable format to prevent tampering
Available for customer review via admin dashboard
Exportable for external SIEM integration (enterprise customers)
Real-time alerting for suspicious activity patterns

5. Access Control & Authentication

5.1 Role-Based Access Control (RBAC)

OnRaven implements granular RBAC with hierarchical permission levels ensuring team members only access what they need. Our system includes platform-level and tenant-level permissions with fine-grained control over features like user management, campaigns, integrations, and customer data access.

5.2 Authentication Mechanisms

JWT-based Authentication: Stateless tokens with 24-hour expiration
Magic Link Login: Passwordless authentication with single-use tokens (15-minute expiry)
Password Security: Bcrypt hashing with proper salt rounds
MFA Support: Multi-factor authentication available for enterprise customers
API Key Authentication: Encrypted API keys with usage tracking and revocation

5.3 Multi-Tenancy & Data Isolation

Every query includes domain/tenant filtering to ensure complete data isolation:

Database queries automatically filtered by domain_id
Row-level security prevents cross-tenant data access
Separate encryption keys available per tenant (enterprise)
Network-level isolation via VPC peering for large customers

6. 규정 준수, 준비 상태 및 프레임워크

코드, 클라우드, 배포 파이프라인을 주요 보안·개인정보 프레임워크에 대해 지속적으로 모니터링합니다(Aikido Security 포함).

6.1 모니터링하는 프레임워크

PCI DSS 레벨 1

Stripe 통해

카드 소지자 데이터는 Stripe가 처리합니다. 안전한 결제 환경을 뒷받침하는 플랫폼·인프라 통제도 모니터링합니다.

GDPR

준비됨

암호화, 액세스 관리, 로깅, 처리 보호 조치를 GDPR 정렬 주제로 모니터링합니다. 준비됨은 기술·운영적 의미이며 규제 승인이 아닙니다.

CCPA

준비됨

데이터 액세스, 삭제, 처리 보안은 제품 정책으로 다루고 인프라·애플리케이션 통제로 모니터링합니다.

PIPEDA

준비됨

캐나다 기업으로서 공정한 정보 관행 및 보호 기대를 모니터링되는 기술 통제와 맞춥니다.

SOC 2

준비됨

Trust Services 기준(보안, 가용성, 기밀 유지)을 클라우드, 변경 관리, 액세스, 취약점 SLA 전반에서 추적합니다. SOC 2 Type II 보고서는 별도의 공식 검증입니다.

HIPAA

준비됨

암호화, 액세스 제어, 감사 로그, 백업 등 기술적 보호 조치를 HIPAA 정렬 체크리스트로 모니터링합니다. BAA가 필요한 엔터프라이즈 고객은 문의해 주세요.

ISO 27001:2022

준비됨

부속서 A 스타일 영역—액세스, 암호화, 로깅, 백업, 취약점 관리, 보안 개발—이 지속 모니터링에 포함됩니다. ISO 27001 인증은 공인 심사가 필요합니다.

OWASP Top 10

준비됨

애플리케이션 및 클라우드 점검으로 깨진 액세스 제어, 인젝션, 암호 실패, SSRF, 로깅 등 OWASP Top 10 위험을 다룹니다.

NIST SP 800-53

준비됨

SaaS 범위에 해당하는 보안·프라이버시 통제 패밀리를 적용 가능한 곳에서 모니터링합니다. FedRAMP 패키지나 정부 ATO가 아닙니다.

CIS Controls & AWS Benchmark

준비됨

CIS Controls v8.1과 CIS AWS Foundations Benchmark 기대치에 따라 구성 및 위생 상태를 지속적으로 평가합니다.

NIS2(EU)

준비됨

ICT 위험 관리, 사고 대응, 공급망, 복원력을 NIS2 정렬 요구사항으로 모니터링합니다.

DORA(EU)

준비됨

탐지, 대응, 백업, 거버넌스 등 운영 복원력을 DORA 정렬 ICT 위험 주제로 모니터링합니다.

UK Cyber Essentials

준비됨

경계 보호, 안전한 구성, 액세스, 멀웨어 방어, 패치 등 핵심 통제를 Cyber Essentials 유형 기준으로 모니터링합니다.

HITRUST CSF

준비됨

의료 데이터 지향 통제 주제를 보안 프로그램에서 높은 적용 범위로 모니터링합니다. HITRUST 인증과 같지 않습니다.

6.2 공식 검증 vs 운영 준비

아래 항목은 일반적으로 매핑된 통제 모니터링과 별도의 프로그램, 계약 또는 독립 검증이 필요합니다.

SOC 2 Type II: 정의된 기간에 대한 독립 감사인 보고서이며, 지속적인 통제 모니터링과는 별개입니다.
ISO 27001: 공식 인증은 공인 인증기관 심사가 필요합니다.
HIPAA 해당 처리: BAA가 필요한 엔터프라이즈 고객은 범위 정의를 위해 문의해 주세요.
고객별 침투 테스트 및 공식 보고서는 상황에 따라 NDA 하에 제공될 수 있습니다.

6.3 GDPR 데이터 주체 권리

We fully support all GDPR data subject rights:

Right to Access (Article 15): Export all personal data via settings panel
Right to Rectification (Article 16): Update profile and data through dashboard
Right to Erasure (Article 17): Delete account and all associated data
Right to Data Portability (Article 20): Export data in machine-readable format
Right to Object (Article 21): Opt out of data processing activities

Questions About Our Security?

Our security team is available to answer technical questions, provide additional documentation, or discuss custom security requirements for enterprise deployments.

Contact Security Team Back to Security Overview

Security & EncryptionWhitepaper

Table of Contents