You should not have to trust us blindly.
Targe is built so serious teams can reduce how much trust they place in the hosted service. Use scoped keys for cloud scans, or run a private deployment when credentials cannot leave your environment.
Start with a scoped keyPublic trust material
- Public security model for credential handling, report access, and private deployment.
- Public privacy and data page explaining what Targe stores and which vendors are used.
- Public pricing page explaining the free launch period and paid SaaS model.
- Public security.txt vulnerability disclosure file at /.well-known/security.txt.
- Signed report hashes so generated PDFs can be tied back to the scan record.
- A no-SOC2-claim policy until an external audit is actually complete.
See also privacy and data handling, pricing, and security.txt.
How credentials are handled
- Use scoped or temporary endpoint credentials. Targe does not need your primary provider key.
- Endpoint auth values are AES-256-GCM encrypted before storage and decrypted only by the worker at probe time.
- Secrets are never returned to the browser, printed in reports, or intentionally written to audit events.
- Report PDFs live in private storage and are downloaded through short-lived signed URLs after an ownership check.
- The worker revalidates target URLs before connecting and rejects private, loopback, link-local, reserved, and cloud metadata addresses.
- For teams that cannot send credentials to Targe Cloud, run a private deployment in your own cloud account.
Run it in your own VPC
The current safe model is a private deployment: the app, database, storage, Redis, and worker run under the customer account. The worker is a Dockerized poll loop, so it fits normal container platforms. Private deployments are onboarding-assisted today.
- Deploy the web app, Supabase project, storage bucket, Redis, and worker inside the customer environment.
- Run the Targe worker image we provide as a long-lived job in ECS, EKS, GKE, AKS, Fly, Railway, Render, or Kubernetes.
- Give the worker SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY, ENCRYPTION_KEY, and optional judge provider keys from the customer secrets manager.
- Keep the service-role key out of Vercel, browsers, logs, and client-side environments.
- Allow egress only to Supabase, the judge provider if used, and the LLM endpoints the customer owns.
docker pull YOUR_TARGE_WORKER_IMAGE docker run --rm \ -e SUPABASE_URL=https://YOUR-PROJECT.supabase.co \ -e SUPABASE_SERVICE_ROLE_KEY=... \ -e ENCRYPTION_KEY=... \ -e ALLOW_LOCAL_TARGETS=false \ YOUR_TARGE_WORKER_IMAGE
Why not just give customers the cloud worker key?
The worker uses a service-role key because it writes scan state, findings, audit rows, and private report PDFs. That key must never be shared with customers. A shared-cloud customer runner needs scoped runner tokens before it is safe.
Compliance status
Targe has security controls that support customer review, but it is not SOC 2 certified yet. We will only claim SOC 2 after an external audit is complete.