Last update: April 12, 2026
My name is Richard Mouser, the human behind AgileViz.
Your Azure DevOps data is sensitive and AgileViz is designed from the ground up so your ADO data never rests on my servers or infrastructure.
Security and privacy are key considerations in every decision, from architecture, design, coding, and operations to user support.
This document provides a high-level outline of the current AgileViz security posture and future roadmap.
Architecture and Design
- Your sensitive Azure DevOps data is never stored or logged, only transmitted securely from Microsoft to your browser.
- All data processing is done on Microsoft servers (processing the queries for data retrieval), and in the user’s browser (preparing the data for display).
Authentication and Permissions
- User authentication is handled by Microsoft Authentication Library (MSAL) using the Authorization Code Flow with PKCE (Proof Key for Code Exchange).
- Access tokens are short-lived and stored only in browser session storage. AgileViz holds no secret keys or passwords for login.
- Access tokens are never exposed in the browser’s URL or history.
- Access is limited to whichever is less privileged: the requested scopes or the logged-in user’s own ADO access permissions.
- All permissions are delegated — meaning AgileViz acts on behalf of the signed-in user, using only that user’s existing Azure DevOps access. AgileViz never has independent access to your organization’s data, and no app-only permissions are used or planned.
- Admin approval of AgileViz usage may be required, depending on your organization’s Entra ID settings; see Admin approval for details.
- AgileViz currently only requests vso.analytics access (read-only access to ADO analytics data). I follow least-privilege principles:
  - Only the minimum scopes needed for each feature are requested at runtime.
  - Contemplated future features may request additional delegated permissions (vso.build, vso.project, vso.release, vso.work).
  - When users first use these new features with additional scopes, admin approval may be required (again) for the new scopes.
  - The goal is to use least privileged access, gracefully downgrading when permissions are not available.
Licensing and Trial Security
- Trial eligibility is determined by a one-way HMAC-SHA256 hash of the user’s email address — the original email cannot be recovered from the stored hash.
- No personal information is stored in plaintext for licensing purposes.
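One way a trial ledger can record email addresses only as HMAC-SHA256 tags, given here as an added example that is not AgileViz's own code. The demo key, the normalization rule and the `TrialLedger` name are assumptions.

```python
import hashlib
import hmac

# Assumption: constructed demo key. A real key is random, secret, and kept
# apart from the table of stored tags.
DEMO_KEY = bytes(range(32))

def normalize_email(email: str) -> str:
    """Assumed rule: trim and lowercase so case variants map to one tag."""
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not an email address")
    return f"{local}@{domain}".lower()

def email_tag(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized address, hex-encoded (64 characters)."""
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def plain_sha256(email: str) -> str:
    """Unkeyed hash, for contrast: anyone can recompute it for a guessed address."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()

class TrialLedger:
    """Hypothetical store that keeps only tags, never the address itself."""

    def __init__(self, key: bytes):
        self._key = key
        self._tags = set()

    def claim_trial(self, email: str) -> bool:
        """True the first time an address is seen, False on any repeat."""
        tag = email_tag(email, self._key)
        if tag in self._tags:
            return False
        self._tags.add(tag)
        return True

    def stored(self):
        """The values that would sit in the datastore: tags only."""
        return frozenset(self._tags)
```

Without the key, a guessed address cannot be checked against the stored tags, whereas a plain SHA-256 of the same address could be recomputed by anyone; the privacy property therefore depends on keeping the key secret.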
Infrastructure and Hosting
- The entire service runs on Cloudflare Workers, Pages, and Cloudflare’s global edge network.
- Automatic scaling and geographic redundancy are built-in; there is no single point of failure to attack.
- All requests are forced to TLS 1.3 with Perfect Forward Secrecy.
- HSTS (HTTP Strict Transport Security) is enforced with a 1-year max-age, including subdomains, and is submitted to the HSTS preload list — browsers will enforce HTTPS for agileviz.com without any server round-trip.
- Cloudflare’s globally distributed edge terminates TLS as close to users as possible.
Threat Protection and Monitoring
- AgileViz uses Cloudflare’s managed Web Application Firewall (WAF):
  - Blocks the Top 10 application security risks defined by the Open Worldwide Application Security Project (OWASP)
  - Blocks bots and known malicious traffic automatically
  - Provides rate limiting and abuse protection on all endpoints
- All form endpoints are protected by multiple anti-spam layers including honeypot fields, timing validation, and field verification — without relying on CAPTCHAs or third-party services.
Data Encryption
- Personal information (names and email addresses) stored for content notifications is encrypted at rest using AES-256-GCM with per-record random initialization vectors.
- License email addresses are stored as irreversible HMAC-SHA256 hashes.
- All data in transit is encrypted via TLS 1.3.
Email Security
- All outbound emails (contact form replies and content notifications) are DKIM-signed to prevent spoofing and improve deliverability.
- Content notifications include RFC 8058 List-Unsubscribe headers for one-click unsubscribe in supported email clients.
Browser Security Controls
- Subresource Integrity (SRI) on all JavaScript, CSS, and font files.
- A strict Content Security Policy (CSP) is in place.
  - style-src 'unsafe-inline' is required by the Vega visualization library’s runtime style injection and is therefore allowed globally; script-src is strict with no unsafe-inline or unsafe-eval on any page.
- Permissions Policy: disables camera, geolocation, and microphone.
- Referrer Policy: strict-origin-when-cross-origin
- X-Content-Type-Options: nosniff
- X-Frame-Options: SAMEORIGIN
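A header audit that checks a response against the values listed in this section and the HSTS settings under Infrastructure and Hosting. It is an added example, not AgileViz code; the function names and the sample headers are constructed for illustration.

```python
def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_headers(headers):
    """Return findings; an empty list means the response matches the policy."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # HSTS: max-age of at least one year (31536000 s), includeSubDomains, preload.
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    ages = [d[8:] for d in hsts if d.startswith("max-age=")]
    if not ages or not ages[0].isdigit() or int(ages[0]) < 31536000:
        findings.append("hsts: max-age below one year")
    findings += [f"hsts: missing {f}" for f in ("includesubdomains", "preload") if f not in hsts]
    # CSP: script-src (falling back to default-src) must exist and stay strict.
    csp = parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("csp: no script-src or default-src")
    else:
        findings += [f"csp: script-src allows {s}"
                     for s in ("'unsafe-inline'", "'unsafe-eval'") if s in script_src]
    # Permissions-Policy: each feature needs an empty allowlist, e.g. camera=().
    pp = {}
    for item in h.get("permissions-policy", "").split(","):
        name, _, allow = item.partition("=")
        pp[name.strip().lower()] = allow.strip()
    findings += [f"permissions-policy: {f} not disabled"
                 for f in ("camera", "geolocation", "microphone") if pp.get(f) != "()"]
    for name, want in (("referrer-policy", "strict-origin-when-cross-origin"),
                       ("x-content-type-options", "nosniff"), ("x-frame-options", "sameorigin")):
        if h.get(name, "").lower() != want:
            findings.append(f"{name}: expected {want}")
    return findings

# Constructed sample response headers (not captured from agileviz.com).
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
    "Permissions-Policy": "camera=(), geolocation=(), microphone=()",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
```

The `style-src 'unsafe-inline'` allowance passes the audit because only the script sources are held to the strict rule, matching the exception described above.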
Payment Processing
Credit card payments are completely handled by Stripe Checkout. AgileViz never touches card numbers or payment details.
Security Practices
- Administrator access to AgileViz infrastructure and third-party services requires a hardware 2FA security key via FIDO2/WebAuthn. Services that do not support hardware keys use the strongest available authentication.
- Dependabot continuously scans all dependencies and auto-opens PRs for security updates.
Responsible Disclosures & Bug Bounty
If you discover a vulnerability, please contact me via the contact form. I will respond to all legitimate reports within 24 hours and offer rewards as follows:
- $500 for high-severity issues
- $1,000–$5,000+ for critical issues that could lead to compromise of user data or authentication
Security and Compliance Roadmap
- Current: GDPR-ready, CCPA-ready, SOC 2–aligned practices
- Security Roadmap:
  - SOC 2 Type 1 report
  - Customer-hosted on your AWS or Azure account inside your private VPC / VNet
    - The only external endpoint will be to Microsoft.
    - No external endpoints for on-prem ADO.
For questions, concerns, clarifications, or a Security Review
Contact me via the contact form.