To ensure secure and predictable communication with external systems that require strict firewall rules, Tavio routes all outgoing API traffic through specific regional proxy gateways. This architecture allows your clients or third-party vendors to whitelist specific IP ranges for ingress traffic without opening their networks to the entire public internet.

Data which is being pushed to Tavio environments via e.g. web hooks are routed through a static set of gateway proxies to ensure that our clients, our platform partners, and our partners' clients are able to maintain static destination IPs for their integration data.

The Tavio platform uses regional proxy gateways for funneling outbound traffic to its destination. Thus Tavio ensures that the source IP address of your integration requests remains constant, satisfying the security requirements of legacy HRIS or ERP systems that rely on IP-based access control lists (ACLs).

For data residing behind corporate firewalls—such as on-premises SQL databases or internal file servers—Tavio utilizes a secure On-Premises Agent. This lightweight software component acts as a bridge between the cloud platform and the internal network using a strictly Outbound-Only architecture.

The agent establishes a secure, persistent WebSocket connection using TLS 1.3 over standard TCP port 443.

 Because the agent initiates the connection from inside the network out to the Tavio platform, there is no need to open risky inbound firewall ports or configure complex VPNs. This design drastically reduces the network's attack surface while allowing your cloud-based workflows to interact with on-premises data as if it were a modern API.

For integrations requiring file-based transfers, Tavio provides a fully managed, hosted SFTP service that is tightly integrated with the platform’s security model.

 Access to the SFTP service is governed by directory-specific API Tokens. You can generate credentials that restrict a user or system to specific folders (e.g., /inbound only), ensuring that an external system cannot access files outside its designated scope.

The service supports both standard Basic Authentication (username/password) and SSH Key Authentication, allowing you to enforce higher security standards for automated file transfers.

Just as with other data, the file system is isolated per environment. Credentials created in a staging environment provide access only to that specific environment's directories, preventing accidental data leakage into production.

Cryptography and Data Protection

Network Security & Connectivity

Identity & Access Management

Tavio Technical Docs

Main

Architecture Overview

Creating Your First Workflow

Deploying Your First Workflow

Maintaining and Extending Integrations

Build

Productizing Your Logic

Instant Infrastructure

No-Code Activation

Automation via the Tavio Hub API

Change Management at Scale

Scale

A Solution is a Template

The Mechanics of Expansion

Development Environment Strategies

Landing the Expansion

Expand

Infrastructure Architecture: The Hybrid Control Plane

Operational Compliance & Telemetry

Certifications and Standards

Security

Getting Started with Tavio

February 2026 Platform Release

February 2026 Pack Releases

January 2026 Platform Release

January 2026 Pack Releases

Release Notes

Authentication

Environments

Solutions

Configurations

Deployments

Users

Endpoints

Tavio Public API

Screening

Unity Screening API