Security & Data Handling
ScopeCone Roadmaps is built with security and privacy as foundational principles. This page explains our data handling practices, security measures, and compliance information.
Data Flow Overview
ScopeCone Roadmaps operates with a minimal data footprint. Here's how data flows between systems:
Azure DevOps
Your roadmap data, work items, and project information remain in your Azure DevOps instance. ScopeCone Roadmaps reads and writes data through Azure DevOps APIs.
ScopeCone Extension
The extension runs in your browser and communicates with Azure DevOps APIs and our licensing service.
Supabase Licensing API
Our Supabase-backed service stores only licensing metadata: organization ID, contact email, and trial/license status.
Important: Your roadmap data, work items, and project information never leave Azure DevOps. Only minimal licensing metadata is stored in our service.
Stored Data & Retention
ScopeCone Roadmaps stores minimal data in our Supabase licensing service:
| Data Attribute | Purpose | Retention |
|---|---|---|
| azure_org_id | Unique identifier for license management | Until license expires + 90 days |
| contact_email | License communication and support | Until license expires + 90 days |
| trial_started_at | Trial period tracking | Until license expires + 90 days |
| trial_expires_at | Trial expiration date | Until license expires + 90 days |
| license_status | Current license state (trial/active/expired) | Until license expires + 90 days |
| license_audits | Telemetry and abuse detection logs | 90 days |
Retention Policy: Expired trial metadata and audit logs are automatically deleted after 90 days. Active license data is retained until the license expires, then deleted after a 90-day grace period.
GDPR Compliance
ScopeCone Roadmaps is designed with GDPR principles in mind. We practice data minimization, secure storage, and provide clear data subject rights.
Data Minimization
We only collect and store the minimum data necessary for license management:
- Azure DevOps organization ID (for license activation)
- Contact email (for license communication)
- Trial and license status metadata
We do not collect or store roadmap data, work items, project information, or any other content from your Azure DevOps instance.
Encryption & Storage
All data stored in our Supabase service is encrypted at rest (Supabase default). Data is stored in EU/US regions based on Supabase's infrastructure. All API communications use TLS/HTTPS.
Retention Windows
We automatically delete expired data according to our retention policy:
- Expired trial metadata: Deleted after 90 days
- Audit logs: Deleted after 90 days
- Active license data: Retained until license expires, then deleted after 90-day grace period
Data Subject Rights
You have the right to:
- Access: Request a copy of all data we store about your organization
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Portability: Request your data in a machine-readable format
To exercise these rights, contact us at privacy@scopecone.io. We will respond within 30 days.
Data Subject Access Requests (DSAR)
To request access to, correction of, or deletion of your data, send an email to privacy@scopecone.io with your Azure DevOps organization URL and the nature of your request. We'll verify your identity and process your request within 30 days.
Security & Privacy Incidents
If you discover a security vulnerability or have concerns about data privacy, please contact us immediately:
Security Incidents
For security vulnerabilities or suspected breaches, contact:
Privacy Incidents
For privacy concerns, data deletion requests, or DSARs, contact:
Response SLA: We aim to acknowledge security and privacy incidents within 24 hours and provide a resolution timeline within 3 business days.
Legal & Compliance
For complete legal information, please review our privacy policy and terms of service: