Sample data: This public trust center preview is populated with illustrative sample data.

Public Trust Center

MeetMyCTO Security & Trust Snapshot

A buyer-safe posture page backed by the same evidence ledger and security command system Taj uses internally. This is how the product starts looking more like a live trust platform instead of a static questionnaire helper.

Trust readiness 78% | Internal security command

Trust posture is backed by verified technical facts, active security checks, and explicit evidence gaps rather than a static questionnaire library.

Framework Coverage

SOC 2: partially covered

Core controls are mapped, but the bridge letter and pentest summary still need refresh.

Updated June 30, 2026

ISO 27001: in progress

Policies and risk treatment are mapped; vendor and network evidence are still being tightened.

Updated June 29, 2026

GDPR: partially covered

RoPA and retention work are underway, but final owner approvals are still open.

Updated June 28, 2026

AI Governance: covered

Prompt review, model access, and answer-library controls are now tracked from one place.

Updated June 30, 2026

Available Documents

overview | public | fresh

Public trust center snapshot

Designed to replace static trust pages with evidence-backed posture updates.

Updated June 30, 2026

architecture | gated | fresh

Buyer-safe architecture packet

Sensitive topology is abstracted while still showing control ownership and network boundaries.

Updated June 29, 2026

security | internal | unknown

Pentest and attack-surface summary

Blocked on the refreshed summary letter from the latest testing cycle.

Updated: Pending refresh

privacy | public | stale

Privacy and retention summary

Needs the final 180-day support log decision.

Updated June 18, 2026

Current Security Notes

Staging admin host is reachable from the public internet

A public admin surface undercuts trust-center claims and creates unnecessary takeover exposure.

Reachable dependency flaw is present in the support reply worker

This path is reachable through the production job runtime, so patch priority is real rather than theoretical.

Verified Security Facts

Quarterly access review is incomplete for one former contractor

GitHub admin access remains active after engagement end, so the quarter cannot be marked fully complete.

The external attack-surface sweep found one public staging admin route

That finding is verified and maps to both active security work and trust-center accuracy, so it should drive immediate remediation rather than sit in a separate AppSec queue.
