Security at AgileViz

Last updated: November 28, 2025

My name is Richard Mouser, and I designed AgileViz. Subresource Integrity (SRI) is enforced on every downloaded asset, with one exception: Cloudflare Turnstile, which does not allow SRI by design. Legacy browsers are not supported; most are blocked by the forced use of TLS 1.3, and the remainder by custom JavaScript.

Login uses the Authorization Code Flow with Proof Key for Code Exchange (PKCE), the current industry standard for securing OAuth 2.0 authorization in public clients such as single-page applications (SPAs).

  • Enhanced Security: PKCE provides protection against authorization code interception attacks
  • No Tokens in URLs: Tokens are never exposed in the browser’s URL or history
  • Refresh Token Support: Enables long-lived sessions through refresh tokens
  • OIDC Compliance: Fully compliant with OpenID Connect standards

Your Azure DevOps data is sensitive. I designed AgileViz from the ground up so that sensitive data never rests on our servers.

1. Core Architectural Guarantee

  • All query execution, work-item processing, and visualization happen entirely in your browser.
  • Your Azure DevOps Analytics data (e.g., work items, metrics, and reports) is never stored on our servers or any third-party server.
  • Data is sent directly from Microsoft Azure DevOps to your browser (via encrypted HTTPS). It only passes through Cloudflare as a secure proxy and is never written to disk or logged.

2. Authentication & Access Control

  • Login is performed exclusively via Microsoft Entra (OAuth 2.0 / OIDC).
  • No passwords are ever stored.
  • All administrative access to our infrastructure and third-party services is protected by hardware 2FA security keys (FIDO2/WebAuthn).

3. Data in Transit

  • All traffic is forced to TLS 1.3 with Perfect Forward Secrecy, and HSTS preloading is enabled, via Cloudflare’s global edge.
  • Cloudflare’s globally distributed edge terminates TLS as close to users as possible.

4. Infrastructure & Hosting

  • The entire backend runs on Cloudflare Workers and Cloudflare’s global edge network (serverless).
  • No servers we manage, no databases we manage, no persistent disks we manage.
  • Automatic scaling and geographic redundancy are built-in; we have no single point of failure to attack.

5. Threat Protection & Monitoring

  • Cloudflare’s managed WAF blocks OWASP Top 10, bots, and known malicious traffic automatically
  • Rate limiting and abuse protection on all endpoints (logins, contact forms, API calls)
  • Dependabot continuously scans all dependencies and auto-opens PRs for security updates
  • Zero identifiable user logs are retained

6. Payments

All billing is handled by Stripe Checkout. Card numbers and payment details never touch our systems.

7. Responsible Disclosure & Bug Bounty

We take security seriously.
If you discover a vulnerability, please email security@agileviz.com.
We respond to all legitimate reports within 24 hours and offer rewards starting at:

  • $500 for high-severity issues
  • $1,000–$5,000+ for critical issues that could lead to compromise of user data or authentication

8. Compliance & Enterprise Roadmap

  • Current: GDPR-ready, CCPA-ready, SOC 2–aligned practices
  • 2026 roadmap: Customer-hosted deployment on your AWS or Azure account inside your private VPC / VNet, SCIM provisioning, Azure AD App Gallery listing, enhanced audit logs, dedicated support, SOC 2 Type 2 report

9. Questions or Security Review?

Enterprise teams are welcome to contact us directly for questions, architecture diagrams, or a live security review call.

Contact: Use the contact form.