Security & Compliance

At Raffle, we ensure your data is secure and private, allowing you to rest assured.

We employ a variety of security techniques, depending on the product you are interested in, to give you the security and data protection required by law, and above.



At Raffle, we take security and transparency seriously. We take multiple security measures to protect both our platform and those who use it.
To prove our high commitment to strong security, availability, and privacy, we have completed the SOC 2 Type 2 certification in January 2023, which is your safety that Raffle continuously upholds the highest standards within these areas. We are very serious about security and display this through our certifications.
SOC2 badgeSOC2 badge
Read our SOC2 Report


Our products run on a dedicated network which is locked down and carefully monitored. We work with industry leading partners (FRSecure and Drata) and risk response teams to ensure that we continuously and effectively monitor, manage and evaluate risks.
Any questions or comments relating to Raffle security can be submitted to

Data Protection

Raffle is on top of new regulations and laws, so you do not have to, ensuring compliance on all levels and across different countries.

European Union General Data Protection Regulation (GDPR)

Since May 25th, 2018, the GDPR has increased regulation and use of European citizens' data, increasing the privacy and security of personal information. Raffle was founded in mid-2018, which is why Raffle has been fully compliant with GDPR among other standard privacy regulations from the very beginning and has never compromised. Raffle will make sure to safely guide you through what is needed. When relevant to the services Raffle provides, we enter into a Data Processing Agreement (DPA, to protect both parties) performed by leading European Law firm Kromann Reumert (the winner of the prize: Europe's best law firm, three years in a row).

US HIPAA legislation

The United States of America Health Insurance Portability and Accountability Act of 1996 protects sensitive patient healthcare information from being disclosed without approval or knowledge of the patient. Since Raffle was founded in mid-2018 we have been dedicated to security and compliance without compromise. We are committed to being transparent and protecting our customers if there is any health data in the sources that raffle is searching.

Location of Data

For our customers in the EU the location of our Azure Data Center is West Europe (Netherlands) and data will never leave the EU. In a disaster recovery situation, our systems are guaranteed to be started up in another EU-based data center. Furthermore, we have Customer Lockbox enabled on our Azure subscription, which ensures that Microsoft cannot access content to do service operations without our explicit approval.

For our customers in the US the location of our Azure Data Center is in the US (New York). In a disaster recovery situation, our systems are being started up in the US or in an EU-based data center. Furthermore, we have Customer Lockbox enabled on our Azure subscription, which ensures that Microsoft cannot access content to do service operations without our explicit approval.

Access Management

With data security comes data access, and such access can be managed in the Raffle back end by authorized users in your company. Access management lets you control who sees what data in Raffle-generated search results, so different people will see different answers and/or linked data sources (e.g. documents within an intranet) according to their security/permission profiles; even if their search queries may be identical in phrasing. This security feature is highly relevant for Workplace Search.

Does Raffle for Public Data need a DPA?

The intention with raffle Search and Chat on the website is to give answers to questions that would normally be placed in a search on the website. In other words it is not the intention - and we would not ask- for users to put in personal information on the website.

However, if your users should do that anyway, raffle will anonymise this, as raffle do not need or want to store any personal information that the users may key in. All numbers and names are getting anonymised automatically. As this anonymisation is on behalf of us (raffle) and not on behalf of you (the customer), we are not processing your data but instead controlling the data that we are anonymising.
Raffle do not use or store the IP of your website users, when they use the raffle Search or Chat. Therefore, we do not know the users, nor can we track back to any information on the user. As raffle is not a marketing tool, raffle has no need for this information.
If you have employee information on your website, your employees has to have specifically approved to have their personal information on the website, as this content will now be regarded as public for searches like Google, Yahoo, Bing and Raffle to search.
Therefore we do not need a DPA when it comes to website search.

Generally on data

Data Storage

The Customer Data is stored in a PostgreSQL database in the Azure Cloud. It includes scraped content from customer documents (not in their original form, but broken into smaller sections), and anonymized search queries. All data is encrypted at rest with AES 256 and uses TLS for communication on the wire.

Data in Transit

To protect data in transit between our app and our servers, supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, whenever supported by the clients.

Data at Rest

Data at rest in’s production network is encrypted using industry-standard 256-bit Advanced Encryption Standard (AES256), which applies to all types of data at rest within’s systems, relational databases, file stores, database backups, etc.

Development practices

In Raffle, we follow a set of development practices, to ensure the our systems are at all time running and functioning according to our commitments:
All code changes are thoroughly tested and reviewed according to our change processes.
All code changes are tested in a staging environment before deploying to production.
We perform weekly vulnerability scans against our main endpoints to detect weaknesses.
We conduct a periodic third party manual penetration testing of our web applications. 
We use several tools and services to automatically monitor uptime and Services availability. Key employees receive automatic notifications in the case of downtime or emergencies.
We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues.

Risk Assessment Process

Raffle has established an organization-wide risk assessment process to identify and manage information security risks across the organization. Raffle regularly reviews the risks that may threaten the achievement of its service commitments and system requirements related to security.
Raffle’s Risk Assessment process takes into account a number of factors each of which contributes to both the likelihood and potential impact of a given risk. These include:
The criticality of potentially impacted business processes as laid out in the Business Continuity and Disaster Recovery Policy.
Whether a risk could potentially impact the confidentiality, availability, integrity, or privacy of customer data.
The ability of the risk to impact Raffle’s business objectives.
Potential impact to Raffle’s customers or vendors
Potential monetary loss.

Security Policies

Raffle has adopted the following Security Policies (maintained and reviewed yearly):
  • Acceptable Use Policy
  • Business Continuity Plan
  • Data Deletion Policy
  • Encryption Policy
  • Password Policy
  • Risk Assessment Policy
  • Vendor Management Policy
  • Asset Management Policy
  • Code of Conduct
  • Data Protection Policy
  • Incident Response Plan
  • Physical Security Policy
  • Software Development Life Cycle Policy
  • Vulnerability Management Policy
  • Backup Policy
  • Data Classification Policy
  • Disaster Recovery Plan
  • Information Security Policy
  • Responsible Disclosure Policy
  • System Access Control Policy
Don't miss any update!
SOC2 badge