Skip to main content
Raavio

Security

Security and data protection.

Raavio is an RMM platform that accesses your devices with high privilege. That is why we describe our security approach with verifiable technical facts, not marketing language.

Where is your data stored?

Raavio's entire application and database infrastructure is hosted on Turkey-based, domestic servers. Customer data is not transferred abroad. For MSPs and enterprise IT teams with data-residency requirements under KVKK (Turkish data protection law), this is a direct compliance advantage.

  • Application and database: Turkey-based domestic servers
  • Database: PostgreSQL
  • Customer data is not transferred outside Turkey

Transport security

All panel, API, and agent traffic travels over encrypted channels. Certificates renew automatically; unencrypted (HTTP) connections are not accepted and all requests are redirected to HTTPS.

  • TLS 1.2 and TLS 1.3 supported
  • Forced HTTP → HTTPS redirect
  • HSTS (Strict-Transport-Security) enabled
  • Agent connection: encrypted with TLS over gRPC

Agent connection: outbound only

The Windows agent connects to the server itself. You do not need to open ports, define inbound firewall rules, or assign static IPs on your managed devices. This significantly reduces the attack surface.

  • Agent → server direction (outbound connection)
  • No inbound port opening required
  • Connection encrypted with TLS over gRPC
  • The agent reports device state to the central panel on a regular interval

Remote desktop security

Remote desktop sessions are established peer-to-peer via WebRTC. Screen and input traffic flows directly between the technician and the device. STUN/TURN is used to reach devices behind NAT.

  • WebRTC-based peer-to-peer connection
  • Runs in the browser; no client install on the technician side
  • STUN/TURN for NAT traversal
  • Session history is retained for recording and audit

Authentication and access control

Passwords are never stored in plain text; they are hashed with the industry-standard bcrypt algorithm. Sessions are managed with time-limited JWTs, and short-lived tokens are used for sensitive operations.

  • Passwords hashed with bcrypt (never stored in plain text)
  • Session management: time-limited JWT (24 hours)
  • Short-lived (5 minute) tokens for sensitive operations
  • Role-based access control (RBAC) with custom permission templates

Multi-tenant isolation

Raavio is built for MSPs managing multiple client companies from a single panel. Each company's data is isolated at the application layer on a per-company basis, and queries enforce this isolation. Company, customer, and device records are identified by unguessable UUIDs across the API and agent surface; sequential numeric IDs are never exposed. This reduces enumeration and insecure direct object reference (IDOR) risks.

  • Company-scoped data isolation; one customer's data never appears in another's panel
  • Company, customer, and device identifiers are carried as UUIDs (no sequential IDs exposed)
  • Agent and tenant resolution is performed over UUIDs
  • Users access only the data of companies they are authorized for
  • Role and permission templates for in-team separation of duties

Backup and continuity

The database is backed up daily. Service availability is monitored continuously and uptime data is recorded.

  • Daily database backup
  • Continuous uptime monitoring (checks every 30 seconds)
  • Uptime over the last 30 days: 99.90%
  • SSL certificate validity tracking

Payment security

Subscription billing is processed through Iyzico, a payment institution licensed by the BRSA (Turkish banking regulator). Your card details are not stored on Raavio servers; card data is processed and stored directly by Iyzico.

  • Payment infrastructure: Iyzico (BRSA licensed)
  • 3D Secure verification
  • Card data is not stored on Raavio's side

Subprocessors

The complete list of third-party services we use to deliver Raavio. This page is updated whenever the list changes.

Provider Purpose Data processed Location
Iyzico Subscription billing and payment processing Payment and invoice information Turkey
Google Analytics Marketing site usage statistics Anonymized usage data (IP anonymization enabled) Global

Raavio's application and database infrastructure runs on our own Turkey-based servers; no third-party cloud provider is used for hosting.

Security FAQ

Is my data stored in Turkey?

Yes. Raavio's application and database infrastructure is hosted on Turkey-based domestic servers, and customer data is not transferred abroad.

Do I need to open firewall ports for the agent?

No. The agent establishes an outbound connection to the server. You do not need to open inbound ports, assign static IPs, or write firewall rules.

How are passwords stored?

Passwords are not stored in plain text. They are hashed with the industry-standard bcrypt algorithm and cannot be reversed.

Can one of my customers see another customer's data?

No. Data is isolated on a per-company basis and users can only access data for companies they are authorized for. Company and device identifiers are carried as unguessable UUIDs rather than sequential numeric IDs.

Is my card information stored by Raavio?

No. Payments are processed through Iyzico, licensed by the BRSA; card data is processed and stored by Iyzico, not on Raavio servers.

What should I do if I find a security vulnerability?

Please report it to [email protected]. We take reports seriously and respond as quickly as possible. We kindly ask that you contact us before publicly disclosing the issue.

Vulnerability disclosure

If you have identified a security vulnerability, we kindly ask that you contact us before disclosing it publicly. We review every report carefully and respond as quickly as possible.

[email protected]

Last updated: 14 July 2026

Ready to start?

14-day free trial. No charges during the trial.

14-day free trial · No charge during trial · Cancel anytime