Built with security-first principles

Security & Trust

Your devices, users, and operational data are valuable. Here's a transparent overview of how RaqeebIT 360 protects them — from encryption to infrastructure to access control.

Last updated: April 20, 2026

TLS 1.3: Encryption in transit
AES-256: Encryption at rest
24/7: Monitoring & alerts
180d: Audit log retention

1. Data Encryption

Every bit of data is encrypted — in transit, at rest, and between the agent and our API.

In Transit: Live

All HTTPS traffic is served over TLS 1.3 with the AES-256-GCM cipher suite.
Certificates issued by Let's Encrypt, auto-renewed every 60 days.
HSTS enabled: once a browser has seen the header it refuses plain HTTP for the domain, so a downgrade cannot be forced after the first visit.
Legacy protocols (SSLv3, TLS 1.0 and TLS 1.1) fully disabled.

At Rest: Live

Passwords hashed with Django's PBKDF2-SHA256 hasher at 600,000 iterations, each with its own random salt.
API tokens and stored credentials encrypted at the application layer with Fernet (AES-128-CBC plus an HMAC-SHA256 tag), which protects them independently of the disk encryption below.
Database volume encrypted at the host level (AES-256).
Backups encrypted before leaving the database server.
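What the stored password hash above actually looks like, and how it is checked, as an added example (not RaqeebIT's code and not Django itself): it reproduces the encoded format Django's PBKDF2 hasher writes, using only the Python standard library, so the iteration count, per-user salt and constant-time comparison are visible. The sample passwords are constructed.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not RaqeebIT's code: it reproduces the format Django's
# PBKDF2PasswordHasher writes ("pbkdf2_sha256$<iterations>$<salt>$<base64>")
# using only the standard library, so the stored value can be inspected.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # work factor stated on the page (Django 4.2 default)


def make_password(password, salt=None, iterations=ITERATIONS):
    """Return an encoded hash. A fresh random salt is generated unless one is given,
    so two users with the same password get different stored values."""
    if salt is None:
        salt = secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain the field separator '$'")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, base64.b64encode(dk).decode())


def check_password(password, encoded):
    """Re-derive with the parameters stored in `encoded` and compare in constant time."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = make_password(password, salt=salt, iterations=int(iterations))
    return hmac.compare_digest(candidate.encode(), encoded.encode())


def needs_rehash(encoded, iterations=ITERATIONS):
    """True when the stored hash uses fewer iterations than current policy. Django
    applies the same upgrade-on-login rule: after a successful check, store a new hash."""
    _, stored_iterations, _, _ = encoded.split("$", 3)
    return int(stored_iterations) < iterations


if __name__ == "__main__":
    stored = make_password("correct horse battery staple")  # constructed sample
    print(stored)
    print(check_password("correct horse battery staple", stored))  # True
    print(check_password("Tr0ub4dor&3", stored))                   # False
    print(needs_rehash(make_password("legacy", iterations=260_000)))  # True
```

The iteration count is stored inside the hash, which is what lets a deployment raise the work factor later and transparently rehash each account on its next successful login.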

Agent ↔ API: The agent authenticates to the API with a unique per-device JWT sent over TLS 1.3. Tokens can be revoked immediately on the server side and are rotated whenever a device re-registers.
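How "revocable instantly" and "rotated on re-registration" fit together, as an added example that is not the RaqeebIT agent or API code: a self-contained HS256 issuer and verifier. It assumes a secret held only by the API, a "jti" claim per token and a server-side record of the single jti currently valid per device; those assumptions are what make immediate revocation possible, because a signature alone cannot be un-issued. Device and tenant identifiers are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Added example, not the RaqeebIT agent or API code. Assumptions: HS256, an
# API-held secret, a "jti" claim per token, and a server-side map of the one
# jti accepted per device (that map is what makes revocation immediate).


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DeviceTokenService:
    def __init__(self, secret):
        self.secret = secret
        self.active_jti = {}  # device_id -> jti of the only token the API will accept

    def issue(self, device_id, tenant_id, ttl_seconds=86400, now=None):
        """Register or re-register a device: mint a new token; the previous one dies."""
        now = int(time.time()) if now is None else now
        claims = {"sub": device_id, "tenant": tenant_id, "jti": uuid.uuid4().hex,
                  "iat": now, "exp": now + ttl_seconds}
        self.active_jti[device_id] = claims["jti"]  # rotation on re-registration
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                                 for p in (header, claims))
        sig = hmac.new(self.secret, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def revoke(self, device_id):
        """Immediate: the next request carrying the old token fails the jti check."""
        self.active_jti.pop(device_id, None)

    def verify(self, token, now=None):
        """Return the claims, or raise PermissionError. Order matters: reject
        unsigned or mis-signed tokens before trusting anything they contain."""
        try:
            h, p, s = token.split(".")
            header = json.loads(_unb64url(h))
        except (ValueError, UnicodeDecodeError):
            raise PermissionError("malformed token")
        if header.get("alg") != "HS256":  # no "none", no algorithm confusion
            raise PermissionError("unexpected alg")
        expected = hmac.new(self.secret, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64url(p))
        now = int(time.time()) if now is None else now
        if claims.get("exp", 0) <= now:
            raise PermissionError("expired")
        if self.active_jti.get(claims.get("sub")) != claims.get("jti"):
            raise PermissionError("revoked or rotated")
        return claims


if __name__ == "__main__":
    api = DeviceTokenService(secret=bytes(32))  # constructed key for the demo only
    first = api.issue("device-7f3a", "tenant-uuid")
    print(api.verify(first)["jti"])
    second = api.issue("device-7f3a", "tenant-uuid")  # re-registration
    try:
        api.verify(first)
    except PermissionError as e:
        print("old token:", e)  # revoked or rotated
    print(api.verify(second)["sub"])
```

The lookup in `active_jti` is the stateful step a stateless JWT check lacks; without it a stolen token would stay valid until its `exp`, however quickly the device was deregistered.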

2. Data Residency & Backups

You should always know where your data lives and how it's protected from loss.

Where your data is stored

Production servers in a Tier-III certified European data center (Germany).
Application and database live on separate physical hosts.
DB server is firewalled — only the app server can reach port 5432.
KSA / UAE data residency — on the 2026 roadmap for enterprise customers.

Backups & recovery

Automated PostgreSQL backups every 24 hours.
Point-in-time recovery available for the last 30 days.
Backup restoration drills performed regularly.
Self-service data export available to every tenant owner.

3. Access Controls & Authentication

Your data is strictly isolated from other customers, and only the people you authorize can see it.

Multi-tenant isolation: Live

Every request is scoped to your tenant at the middleware and ORM layer, so a malicious or buggy query cannot reach another customer's data. Tenant IDs are UUIDs rather than guessable sequential integers; that is defence in depth on top of the scoping, not a substitute for it.
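The property described above, shown as an added example rather than RaqeebIT's Django code: a tiny data-access layer over an in-memory SQLite database in which every query the repository emits carries the tenant predicate, so a caller that passes another tenant's device id gets the same answer as for an id that does not exist. Table names, tenant names and device ids are constructed.

```python
import sqlite3
import uuid

# Added illustration, not RaqeebIT's code. Schema and sample rows are constructed.
SCHEMA = """
CREATE TABLE tenants (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE devices (
    id TEXT PRIMARY KEY,
    tenant_id TEXT NOT NULL REFERENCES tenants(id),
    hostname TEXT NOT NULL
);
"""


class TenantScope:
    """Set once per request (the middleware's job) and consulted by every query."""

    def __init__(self, tenant_id):
        uuid.UUID(tenant_id)  # reject anything that is not a UUID before it reaches SQL
        self.tenant_id = tenant_id


class DeviceRepository:
    """Every statement below binds `tenant_id = ?` to the current scope. There is
    deliberately no method that touches devices without a scope."""

    def __init__(self, conn, scope):
        self.conn = conn
        self.scope = scope

    def list(self):
        rows = self.conn.execute(
            "SELECT id, hostname FROM devices WHERE tenant_id = ? ORDER BY hostname",
            (self.scope.tenant_id,),
        )
        return [dict(id=r[0], hostname=r[1]) for r in rows]

    def get(self, device_id):
        # The caller-supplied id is ANDed with the tenant predicate, so an id that
        # belongs to another tenant behaves exactly like an id that does not exist.
        row = self.conn.execute(
            "SELECT id, hostname FROM devices WHERE id = ? AND tenant_id = ?",
            (device_id, self.scope.tenant_id),
        ).fetchone()
        return None if row is None else dict(id=row[0], hostname=row[1])

    def rename(self, device_id, hostname):
        # Writes are scoped too; the row count tells the caller whether anything changed.
        cur = self.conn.execute(
            "UPDATE devices SET hostname = ? WHERE id = ? AND tenant_id = ?",
            (hostname, device_id, self.scope.tenant_id),
        )
        return cur.rowcount


def build_demo_db():
    """Constructed sample data: two tenants with one device each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    a, b = str(uuid.uuid4()), str(uuid.uuid4())
    conn.executemany("INSERT INTO tenants VALUES (?, ?)", [(a, "Acme"), (b, "Globex")])
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)",
                     [("dev-acme-1", a, "acme-laptop"), ("dev-globex-1", b, "globex-server")])
    conn.commit()
    return conn


def demo():
    conn = build_demo_db()
    acme_id = conn.execute("SELECT id FROM tenants WHERE name = 'Acme'").fetchone()[0]
    acme = DeviceRepository(conn, TenantScope(acme_id))
    return {
        "own": acme.get("dev-acme-1"),
        "foreign": acme.get("dev-globex-1"),          # None: looks like a missing row
        "foreign_update": acme.rename("dev-globex-1", "pwned"),  # 0 rows touched
        "listed": [d["id"] for d in acme.list()],
    }


if __name__ == "__main__":
    print(demo())
```

The point of routing every statement through a scoped repository is that a forgotten filter in one view cannot leak data: the filter is not something a view adds, it is something the data layer never omits.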

Role-based access control (RBAC): Live

Four roles cover the full lifecycle of a team: Owner, Admin, Manager and User. Permissions are enforced at both the API and UI layers, so a hidden button is never the only control.


Tamper-evident audit log: Live

Every sensitive action — login, password change, user invite, permission change, device command — is written to an append-only audit log with actor, IP, user-agent, and full metadata. Owners can export the log as CSV any time. Retention: 180 days.
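An append-only store records what happened; tamper evidence needs something more, such as a way to prove an entry was not edited or removed after the fact. The following is an added example, not RaqeebIT's implementation, and it uses one common technique for that, a SHA-256 hash chain over the fields the page lists (actor, IP, user-agent, metadata), which the page does not claim to use. It also shows the CSV export. The actors, addresses and actions are constructed sample data.

```python
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Added example, not the RaqeebIT implementation. Hash chaining is an assumed
# technique here; the page only states that the log is append-only.
GENESIS = "0" * 64


class AuditLog:
    def __init__(self):
        self.entries = []  # in-memory stand-in for an append-only table or file

    def append(self, action, actor, ip, user_agent, metadata, at=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "action": action, "actor": actor, "ip": ip, "user_agent": user_agent,
            "metadata": metadata, "prev_hash": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

    def verify(self):
        """Return (ok, index of the first bad entry or None). An edit, a deletion or a
        reordering anywhere in the chain breaks every link after it, not just the last."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["prev_hash"] != prev or entry["seq"] != i + 1
                    or self._digest(entry) != entry["hash"]):
                return False, i
            prev = entry["hash"]
        return True, None

    def to_csv(self):
        """Owner export: one row per entry, metadata as JSON, chain hashes included."""
        buf = io.StringIO()
        fields = ["seq", "at", "action", "actor", "ip", "user_agent", "metadata", "prev_hash", "hash"]
        writer = csv.DictWriter(buf, fieldnames=fields)
        writer.writeheader()
        for e in self.entries:
            writer.writerow(dict(e, metadata=json.dumps(e["metadata"], sort_keys=True)))
        return buf.getvalue()


def demo():
    """Constructed sample: three entries, then an in-place edit of the middle one."""
    log = AuditLog()
    ua = "Mozilla/5.0 (constructed sample)"
    log.append("login", "alice@example.com", "203.0.113.10", ua, {"method": "password"})
    log.append("permission.change", "alice@example.com", "203.0.113.10", ua,
               {"user": "bob@example.com", "role": "admin"})
    log.append("device.command", "alice@example.com", "203.0.113.10", ua,
               {"device": "dev-1", "command": "restart"})
    intact = log.verify()
    log.entries[1]["metadata"]["role"] = "user"  # someone with DB access rewrites history
    tampered = log.verify()
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1))
```

Publishing or escrowing the latest hash somewhere the database administrator cannot reach (a ticket, a signed message, a separate account) is what turns "we can detect edits" into "a third party can too".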

Two-factor authentication (2FA) & SSO: Roadmap

TOTP-based 2FA and SAML/Google SSO are in active development and planned for release in 2026. Enterprise customers can request early access via security@raqeebit360.com.

4. Agent Privacy — what it reads, what it doesn't

The RaqeebIT agent runs on your devices. Here's exactly what it sees.

✅ What the agent DOES read

Hardware info (CPU, RAM, disk, motherboard, serial number).
Operating system version & patch level.
Installed software list (name, version, publisher).
Performance metrics — CPU %, RAM %, disk %, uptime.
Network config (IP, MAC, hostname, gateway).
System events (logins, service starts/stops, boot, shutdown).
Commands you explicitly send from the dashboard.

❌ What the agent does NOT read

File contents — your documents, spreadsheets, source code.
Screenshots or screen content.
Keystrokes or clipboard data.
Browser history, bookmarks, or saved passwords.
Email contents or chat messages.
Webcam or microphone.
Personal files, photos, or videos.

You stay in control.

Remote commands (restart, run script, install updates, etc.) run only when explicitly triggered from your dashboard; the agent never executes code pushed from the cloud on its own, and every command is recorded in your audit log.

5. Infrastructure Security

Hardened servers, least-privilege defaults, and real-time intrusion response.

Host firewall (UFW)

Only ports 22, 80 and 443 are exposed; all other inbound traffic is denied by default.

Fail2ban intrusion defense

Automatic IP ban after 3 failed SSH attempts. Active rules block brute-force attacks in real time.

Automatic security updates

Unattended-upgrades installs Ubuntu security patches daily without manual intervention.

Key-only SSH access

Password authentication and root login are disabled; only SSH keys belonging to allow-listed operators are accepted.

Isolated database server

PostgreSQL 16 runs on a separate host that accepts connections ONLY from the app server IP.
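The SSH and PostgreSQL claims above each rest on a configuration file, and such files drift. The following is an added example, not RaqeebIT's tooling: a small check that parses `sshd_config` and `pg_hba.conf` text and reports anything that contradicts those claims, including the classic mistake of appending a hardening line below a permissive one (sshd honours the first occurrence of a keyword). The file contents and the application server address (an RFC 5737 documentation address) are constructed for the example.

```python
import ipaddress
import re

# Added example, not RaqeebIT's tooling. File contents and the app-server
# address below are constructed for the demonstration.
APP_SERVER_IP = "203.0.113.20"  # assumed address of the application host

# What the page's claims imply, and what sshd uses when a keyword is absent
# (OpenSSH 7.0+ defaults), so an unset keyword is judged by its real effect.
SSHD_REQUIRED = {"passwordauthentication": "no", "kbdinteractiveauthentication": "no",
                 "permitrootlogin": "no", "pubkeyauthentication": "yes"}
SSHD_DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
                 "permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes"}
PG_WEAK_METHODS = {"trust", "password"}


def parse_sshd_config(text):
    """Map keyword -> effective value. sshd honours the FIRST occurrence of a
    keyword, so a hardening line appended below a permissive one is ignored;
    anything inside a Match block is conditional and is not counted here."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        values.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return values


def check_sshd(text):
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in SSHD_REQUIRED.items():
        got = cfg.get(key, SSHD_DEFAULTS[key]).lower()
        if got != want:
            findings.append("sshd: %s is %r, expected %r" % (key, got, want))
    return findings


def check_pg_hba(text, app_ip=APP_SERVER_IP):
    """Flag any network rule that is not 'the app server, authenticated strongly'."""
    allowed = ipaddress.ip_network(app_ip + "/32")
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            continue  # Unix-socket rules are not reachable over the network
        if f[0] == "hostnossl":
            findings.append("pg_hba line %d: hostnossl accepts unencrypted sessions" % n)
        if len(f) < 5:
            findings.append("pg_hba line %d: malformed rule" % n)
            continue
        addr, method = f[3], f[4]
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", method) and len(f) > 5:
            addr, method = addr + "/" + method, f[5]  # separate-netmask form
        try:
            net = ipaddress.ip_network(addr if "/" in addr else addr + "/32", strict=False)
        except ValueError:
            findings.append("pg_hba line %d: %r is a keyword or hostname, not a pinned address" % (n, addr))
            continue
        if net != allowed:
            findings.append("pg_hba line %d: %s may connect; only %s should" % (n, net, allowed))
        if method in PG_WEAK_METHODS:
            findings.append("pg_hba line %d: method %r sends no proof or a cleartext password; use scram-sha-256" % (n, method))
    return findings


HARDENED_SSHD = """\
# constructed sample: matches the page's claims
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers ops-alice ops-bob
"""
DRIFTED_SSHD = """\
PermitRootLogin prohibit-password
PasswordAuthentication yes
PasswordAuthentication no   # added later, but the first line above wins
"""
HARDENED_PG_HBA = """\
local   all   all                        peer
host    all   all   203.0.113.20/32      scram-sha-256
"""
DRIFTED_PG_HBA = """\
host    all   all   0.0.0.0/0            md5
host    all   all   203.0.113.20/32      trust
"""

if __name__ == "__main__":
    for fn, text in ((check_sshd, DRIFTED_SSHD), (check_pg_hba, DRIFTED_PG_HBA)):
        for finding in fn(text):
            print(finding)
```

Run against the live files (`/etc/ssh/sshd_config` and the cluster's `pg_hba.conf`) from a scheduled job, the same checks catch drift between the page's statements and the hosts; `sshd -T` is the authoritative way to see sshd's effective values when Match blocks are in use.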

24/7 server monitoring

CPU, RAM, disk, and service health checks every 5 minutes. Telegram alerts fire the moment anything degrades.

Real-time system status

Live uptime, response times, and incident history — always public.

View Status Page →

6. Compliance & Privacy

We're honest about where we are today and where we're going.

GDPR-aligned practices: Live

Privacy-by-design: data minimization, purpose limitation, consent, the right to export, and the right to be forgotten. Data-processing agreements (DPAs) available on request.

Published privacy policy: Live

Read our full Privacy Policy and Terms of Service. No hidden clauses, no data resale to third parties, ever.

SOC 2 Type II & ISO 27001: Roadmap

We operate using the same security controls these certifications require, but haven't undergone a formal audit yet. Formal certification is planned once we reach the customer volume that justifies the audit cost.

7. Report a Vulnerability

Found something that looks off? We want to know — and we'll respond quickly.

Responsible disclosure

Email details of any security issue to the address below. Please do not publish, exploit, or share the issue until we've had a chance to investigate and patch.

security@raqeebit360.com

What you can expect from us

Initial reply within 48 hours (business days).
Triage and patch timeline shared transparently.
Credit in our security hall-of-fame (if you'd like it).
Customer notification if your data was affected.

Still have questions about our security posture?

Talk to our team