Legal
Security Policy
Security is the precondition for a tool that holds your team's work. This page describes how we protect your data — plainly, without security theater.
Last updated: July 1, 2026
1. Encryption
All traffic between your browser, AzureLayer, and Azure DevOps is encrypted with TLS 1.2 or higher. Data at rest — including databases and backups — is encrypted with AES-256. Encryption keys are managed in a dedicated key management service, rotated regularly, and never stored alongside the data they protect.
2. PAT token handling
Your Personal Access Token is the most sensitive thing you give us. We treat it accordingly:
- Encrypted with AES-256 immediately on receipt; plaintext tokens never touch disk;
- Never written to logs, error reports, or analytics;
- Used only for the Work Items scopes you granted — we request nothing broader;
- Revocable by you at any time from Azure DevOps, which instantly severs our access;
- Deleted within 24 hours when you disconnect or delete your account.
3. Access control
Production access is limited to a small set of named engineers, gated by single-sign-on with enforced multi-factor authentication, granted on a least-privilege basis, and logged in an immutable audit trail. Customer data is never copied to developer machines. Support staff see your data only with your explicit, time-boxed consent.
4. AI data handling
Content sent to AI features (story text, task history) is processed transiently to generate the output you requested. We do not train models on customer data, and our inference providers are contractually barred from retaining or training on it. AI-generated changes are drafts until you approve them.
5. Infrastructure & availability
AzureLayer runs on hardened cloud infrastructure with network isolation between environments, automated dependency and container scanning, and infrastructure defined as code and peer-reviewed. Backups run continuously with point-in-time recovery and are tested quarterly. Status and incidents are communicated to affected customers within 72 hours, or faster where law requires.
6. Compliance
We operate a GDPR-aligned privacy program (see our Privacy Policy), offer a Data Processing Agreement with Standard Contractual Clauses, and are progressing toward SOC 2 Type II attestation. Enterprise customers can request our security questionnaire responses and architecture overview under NDA.
7. Vulnerability disclosure
We welcome good-faith security research. If you believe you’ve found a vulnerability, email security@azurelayer.com with reproduction steps. We commit to:
- Acknowledging your report within 2 business days;
- Keeping you informed as we validate and remediate;
- Not pursuing legal action for good-faith research that respects user privacy and avoids service disruption;
- Crediting you (with your permission) once the issue is resolved.
Please do not access other users’ data, exfiltrate more than needed to demonstrate the issue, or run automated scanners against production.
Questions about this document? Contact us at legal@azurelayer.com. AzureLayer is an independent product and is not affiliated with, endorsed by, or sponsored by Microsoft Corporation. Azure and Azure DevOps are trademarks of Microsoft Corporation.