Security is not a feature. It is the foundation.
Status Portal runs entirely within Microsoft’s Visual Studio Marketplace extension sandbox. We do not operate separate servers that touch your Azure DevOps data — the extension runs in the same trusted environment as ADO itself.
// DATA RESIDENCY
All incident data, status history, and configuration is stored within Microsoft Azure infrastructure in the region you select during setup. We do not replicate your data to third-party infrastructure. Status page content served to your customers is delivered via Azure CDN, which operates within Microsoft’s global network.
// AUTHENTICATION
Your team authenticates using Azure Active Directory — the same credentials they use for Azure DevOps every day. There are no additional passwords to manage, no separate identity provider, and no third-party SSO configuration. Permissions for the Status Portal hub are inherited from your ADO project access model.
// EXTENSION PERMISSIONS
| PERMISSION SCOPE | LEVEL | PURPOSE |
|---|---|---|
| vso.build_execute | Read + Execute | Trigger pipeline status updates on incident creation |
| vso.work_write | Read + Write | Create and update work items for incident tracking |
| vso.profile | Read | Identify the current user for audit logs |
| vso.project | Read | List ADO projects for component mapping |
| vso.extension_manage | Read | Manage extension settings within ADO hub |
// ENCRYPTION
All data in transit between Status Portal and end-user browsers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256, managed by Azure Storage Service Encryption. API tokens used for pipeline integration are hashed with bcrypt before storage and are never stored in plaintext. Tokens are non-retrievable after initial generation — if lost, a new token must be generated.
// COMPLIANCE
Status Portal operates as a Visual Studio Marketplace extension, which means it falls under Microsoft’s compliance umbrella for Azure DevOps — including SOC 2 Type II certification and ISO 27001 accreditation. We do not collect personal data beyond what is necessary to operate the service. No tracking pixels. No third-party analytics. No data sold to advertisers.
// RESPONSIBLE DISCLOSURE
If you discover a security vulnerability in Status Portal, please report it responsibly to hello@status.baytekdev.com with the subject line “Security Disclosure”. We commit to acknowledging your report within 48 hours and providing a resolution timeline within 7 days.