Targe
Trust center

You should not have to trust us blindly.

Targe is built so serious teams can reduce how much trust they place in the hosted service. Use scoped keys for cloud scans, or run a private deployment when credentials cannot leave your environment.

Start with a scoped key

Public trust material

See also privacy and data handling, pricing, and security.txt.

How credentials are handled

Run it in your own VPC

The current safe model is a private deployment: the app, database, storage, Redis, and worker run under the customer account. The worker is a Dockerized poll loop, so it fits normal container platforms. Private deployments are onboarding-assisted today.

docker pull YOUR_TARGE_WORKER_IMAGE
docker run --rm \
  -e SUPABASE_URL=https://YOUR-PROJECT.supabase.co \
  -e SUPABASE_SERVICE_ROLE_KEY=... \
  -e ENCRYPTION_KEY=... \
  -e ALLOW_LOCAL_TARGETS=false \
  YOUR_TARGE_WORKER_IMAGE

Why not just give customers the cloud worker key?

The worker uses a service-role key because it writes scan state, findings, audit rows, and private report PDFs. That key must never be shared with customers. A shared-cloud customer runner needs scoped runner tokens before it is safe.

Compliance status

Targe has security controls that support customer review, but it is not SOC 2 certified yet. We will only claim SOC 2 after an external audit is complete.

Trust Center | Targe