Enterprise security built-in, not bolted-on.

The Security, Governance + Hosting Layer is Layer 5 of the 5-layer Rayven Platform stack. Rather than being an isolated feature, it is a cross-cutting architectural layer that governs every other layer of the platform. It defines who can access what data and functionality, ensures all actions are logged and auditable, enforces encryption at every point, and provides flexible hosting options to meet organisational and regulatory requirements.

Rayven provides role-based access control (RBAC) with granular permission assignment at the feature, dashboard, data source, and row level. Administrators can define custom roles combining any combination of permissions and assign them to individual users or groups. Row-level security allows data-level filtering based on user attributes — so a site manager automatically sees only their site's data without manual filtering. Field-level masking is available for sensitive data types. Access assignments are audited and can be time-limited for contractors or temporary users.

All data transmitted to and from the Rayven platform is encrypted in transit using TLS 1.3. All data stored within the platform is encrypted at rest using AES-256. Encryption keys are managed by Rayven using AWS KMS or Azure Key Vault by default. For organisations with strict data sovereignty requirements, customer-managed key (CMK) options are available on enterprise plans, giving your team full control over key lifecycle without compromising platform functionality.

Rayven maintains an immutable, tamper-evident audit log that records every user action (login, data access, dashboard view, form submission), every data write and transformation, every workflow execution, and every configuration change — with user identity, timestamp, IP address, and action details. Audit logs are retained for a configurable period (typically 12–24 months on standard plans) and are exportable in structured format for integration with your SIEM, compliance tooling, or legal discovery processes.

Yes. Rayven supports enterprise SSO via SAML 2.0, OAuth 2.0, and OpenID Connect, with pre-built integrations for Microsoft Azure Active Directory (Entra ID), Okta, Google Workspace, and any standards-compliant identity provider. SSO can be enforced organisation-wide, preventing direct username/password logins. Just-in-time (JIT) user provisioning and SCIM-based directory synchronisation are available for automated user lifecycle management.

Rayven's security architecture and operational practices are aligned with ISO 27001, SOC 2 Type II, and GDPR requirements. The platform ships with pre-built controls, evidence templates, and audit capabilities that directly support compliance evidence gathering for these frameworks. For industry-specific requirements (including NERC CIP for energy, and OT-specific security standards), Rayven's compliance team works with customers during onboarding to map controls to relevant obligations. Certification documents and penetration test reports are available under NDA for enterprise customers.

Rayven offers three hosting models. Managed cloud: Rayven hosts and manages the platform on AWS, Azure, or GCP in your preferred region, with SLAs covering uptime, patching, backups, and disaster recovery. Private cloud: Rayven deploys and manages the platform in your own AWS or Azure account, giving you data isolation within your own infrastructure boundary. On-premise: Rayven is deployed within your own data centre or private network for environments with strict connectivity or regulatory requirements. All hosting options include the full Rayven feature set.

Data residency is configurable across all Rayven hosting models. For managed cloud deployments, you select the AWS, Azure, or GCP region where your data is stored and processed — with all data remaining within that region unless you explicitly configure cross-region replication. For private cloud and on-premise deployments, data never leaves your own infrastructure boundary. Rayven does not transfer or process customer operational data outside your selected region without explicit agreement.

You own your data. On termination of your Rayven subscription, you have a defined window (typically 30–90 days depending on contract terms) to export your data in structured, portable formats. Rayven provides export tools for all data types including time-series, relational, document, and configuration data. After the export window closes, data is securely deleted from Rayven-managed infrastructure in accordance with the data retention schedule defined in your agreement. Deletion certificates are available on request.

The Security Layer functions as a governance plane that sits across and beneath all other platform layers. Every data access event in the Data Layer, every workflow execution in the Execution Layer, every dashboard view in the Presentation Layer, and every connection event in the Integration Layer is subject to the access control rules, encryption standards, and audit logging configured in the Security Layer. This means security is not enforced at the interface — it is enforced at the data level, making it impossible to bypass through the underlying layers.