Security

Last update: January 3, 2026

My name is Richard Mouser, the human behind AgileViz.

Your Azure DevOps data is sensitive, and AgileViz is designed from the ground up so that your ADO data never rests on my servers or infrastructure.

Security and privacy are key considerations in every decision, from architecture, design, and coding through to user support.

This document gives a high-level outline of the current AgileViz security posture and the future roadmap.

Architecture and Design

  • Your sensitive Azure DevOps data is never stored or logged by AgileViz; it is only transmitted, over TLS, from Microsoft directly to your browser, and nothing passes through AgileViz infrastructure on the way.
  • All data processing happens on Microsoft's servers (running the queries that retrieve the data) and in the user's browser (preparing the data for display).

Authentication and Permissions

  • User authentication is handled by the Microsoft Authentication Library (MSAL) using the OAuth 2.0 Authorization Code Flow with PKCE (Proof Key for Code Exchange).
  • Access tokens are short-lived and held only in browser session storage, which is cleared when the tab closes; AgileViz holds no client secret, keys, or passwords for login.
  • Access tokens are never exposed in the browser's URL or history: only a one-time authorization code appears in the redirect URL, and the token itself is obtained by a direct POST to Microsoft.
  • Access is limited to the least privileged of the requested scopes and to each logged-in user's own ADO permissions, so AgileViz can never see more than that user could see in Azure DevOps directly.
  • All permissions are delegated (exercised on behalf of the signed-in user); no app-only permissions are used or planned.
  • Admin approval of AgileViz usage may be required, depending on your organization's Entra ID settings; see Admin approval for details.
  • AgileViz currently requests only the vso.analytics scope (read-only access to ADO Analytics data). Least-privilege principles apply throughout:
    • Only the minimum scopes needed for each feature are requested, at runtime, when that feature is used.
    • Planned future features will request additional delegated permissions (vso.build, vso.project, vso.release, vso.work).
    • When users first use these new features with additional scopes, admin approval may be required again for the new scopes.
    • The goal is least-privileged access, gracefully downgrading a feature when a permission is not available rather than failing outright.

Infrastructure and Hosting

  • The entire service runs on Cloudflare Workers, Cloudflare Pages, and Cloudflare's global edge network.
  • Automatic scaling and geographic redundancy are built in; there is no single server to target or take down.
  • All requests are forced onto HTTPS and served with TLS 1.3, which uses forward-secret key exchange exclusively, with HSTS and inclusion in the HSTS preload list.
  • Cloudflare's globally distributed edge terminates TLS as close to users as possible (so Cloudflare, as the hosting provider, handles the decrypted request before it is served).

Threat Protection and Monitoring

  • AgileViz uses Cloudflare's managed Web Application Firewall (WAF):
    • Runs Cloudflare's managed rulesets, including the OWASP Core Rule Set, against every request to block the attack classes in the OWASP Top 10 defined by the Open Worldwide Application Security Project (injection, cross-site scripting, and the like)
    • Blocks known-bad bots and malicious traffic automatically
    • Rate limits all endpoints to contain abuse

Browser Security Controls

Payment Processing

Credit card payments are handled entirely by Stripe Checkout, on Stripe's hosted pages. AgileViz never touches card numbers or payment details.

Security Practices

  • Administrator access to AgileViz infrastructure and third-party services requires a hardware security key (FIDO2/WebAuthn) as the second factor.
  • Dependabot continuously scans all dependencies and automatically opens pull requests for security updates.

Responsible Disclosures & Bug Bounty

If you discover a vulnerability, please contact me via the contact form. I will respond to all legitimate reports within 24 hours and offer rewards as follows:

  • $500 for high-severity issues
  • $1,000–$5,000+ for critical issues that could lead to compromise of user data or authentication

Security and Compliance Roadmap

  • Current: GDPR-ready, CCPA-ready, SOC 2–aligned practices
  • Security Roadmap:
    • Microsoft Partner Network Publisher Verification (in progress)
    • CSP Level 3: add 'strict-dynamic' with per-request nonces
    • SOC 2 Type 1 report
    • Customer-hosted deployment in your own AWS or Azure account, inside your private VPC / VNet
      • The only external endpoints will be Microsoft's; a deployment against on-premises Azure DevOps Server needs no external endpoints at all

For questions, concerns, clarifications, or a Security Review

Contact me via the contact form.
