Security
Security and data protection.
Raavio is an RMM platform that accesses your devices with high privilege. That is why we describe our security approach with verifiable technical facts, not marketing language.
Where is your data stored?
Raavio's entire application and database infrastructure is hosted on Turkey-based, domestic servers. Customer data is not transferred abroad. For MSPs and enterprise IT teams with data-residency requirements under KVKK (Turkish data protection law), this is a direct compliance advantage.
- Application and database: Turkey-based domestic servers
- Database: PostgreSQL
- Customer data is not transferred outside Turkey
Transport security
All panel, API, and agent traffic travels over encrypted channels. Certificates renew automatically; unencrypted (HTTP) connections are not accepted and all requests are redirected to HTTPS.
- TLS 1.2 and TLS 1.3 supported
- Forced HTTP → HTTPS redirect
- HSTS (Strict-Transport-Security) enabled
- Agent connection: encrypted with TLS over gRPC
Agent connection: outbound only
The Windows agent connects to the server itself. You do not need to open ports, define inbound firewall rules, or assign static IPs on your managed devices. This significantly reduces the attack surface.
- Agent → server direction (outbound connection)
- No inbound port opening required
- Connection encrypted with TLS over gRPC
- The agent reports device state to the central panel on a regular interval
Remote desktop security
Remote desktop sessions are established peer-to-peer via WebRTC. Screen and input traffic flows directly between the technician and the device. STUN/TURN is used to reach devices behind NAT.
- WebRTC-based peer-to-peer connection
- Runs in the browser; no client install on the technician side
- STUN/TURN for NAT traversal
- Session history is retained for recording and audit
Authentication and access control
Passwords are never stored in plain text; they are hashed with the industry-standard bcrypt algorithm. Sessions are managed with time-limited JWTs, and short-lived tokens are used for sensitive operations.
- Passwords hashed with bcrypt (never stored in plain text)
- Session management: time-limited JWT (24 hours)
- Short-lived (5 minute) tokens for sensitive operations
- Role-based access control (RBAC) with custom permission templates
Multi-tenant isolation
Raavio is built for MSPs managing multiple client companies from a single panel. Each company's data is isolated at the application layer on a per-company basis, and queries enforce this isolation. Company, customer, and device records are identified by unguessable UUIDs across the API and agent surface; sequential numeric IDs are never exposed. This reduces enumeration and insecure direct object reference (IDOR) risks.
- Company-scoped data isolation; one customer's data never appears in another's panel
- Company, customer, and device identifiers are carried as UUIDs (no sequential IDs exposed)
- Agent and tenant resolution is performed over UUIDs
- Users access only the data of companies they are authorized for
- Role and permission templates for in-team separation of duties
Backup and continuity
The database is backed up daily. Service availability is monitored continuously and uptime data is recorded.
- Daily database backup
- Continuous uptime monitoring (checks every 30 seconds)
- Uptime over the last 30 days: 99.90%
- SSL certificate validity tracking
Payment security
Subscription billing is processed through Iyzico, a payment institution licensed by the BRSA (Turkish banking regulator). Your card details are not stored on Raavio servers; card data is processed and stored directly by Iyzico.
- Payment infrastructure: Iyzico (BRSA licensed)
- 3D Secure verification
- Card data is not stored on Raavio's side
Subprocessors
The complete list of third-party services we use to deliver Raavio. This page is updated whenever the list changes.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Iyzico | Subscription billing and payment processing | Payment and invoice information | Turkey |
| Google Analytics | Marketing site usage statistics | Anonymized usage data (IP anonymization enabled) | Global |
Raavio's application and database infrastructure runs on our own Turkey-based servers; no third-party cloud provider is used for hosting.
Security FAQ
Is my data stored in Turkey?
Yes. Raavio's application and database infrastructure is hosted on Turkey-based domestic servers, and customer data is not transferred abroad.
Do I need to open firewall ports for the agent?
No. The agent establishes an outbound connection to the server. You do not need to open inbound ports, assign static IPs, or write firewall rules.
How are passwords stored?
Passwords are not stored in plain text. They are hashed with the industry-standard bcrypt algorithm and cannot be reversed.
Can one of my customers see another customer's data?
No. Data is isolated on a per-company basis and users can only access data for companies they are authorized for. Company and device identifiers are carried as unguessable UUIDs rather than sequential numeric IDs.
Is my card information stored by Raavio?
No. Payments are processed through Iyzico, licensed by the BRSA; card data is processed and stored by Iyzico, not on Raavio servers.
What should I do if I find a security vulnerability?
Please report it to [email protected]. We take reports seriously and respond as quickly as possible. We kindly ask that you contact us before publicly disclosing the issue.
Vulnerability disclosure
If you have identified a security vulnerability, we kindly ask that you contact us before disclosing it publicly. We review every report carefully and respond as quickly as possible.
[email protected]Last updated: 14 July 2026
Ready to start?
14-day free trial. No charges during the trial.
14-day free trial · No charge during trial · Cancel anytime