{
  "domain": "aisecurity.llc",
  "company_name": "aisecurity.llc",
  "slug": "aisecurity-llc-public-sample",
  "published_at": "2026-05-20",
  "headline": {
    "label": "advanced",
    "total_score": 91,
    "summary": "The public trust surface is now comprehensive. Legal, AI-governance, security, SDLC, and contract surfaces are all discoverable, linked, and specifically documented. The remaining gap is a formal third-party security certification or attestation."
  },
  "scores": {
    "public_surface": 95,
    "ai_language": 93,
    "legal_clarity": 91,
    "security_trust": 87,
    "consistency": 89,
    "remediation_opportunity": 82
  },
  "maturity": [
    {
      "dimension_key": "public_surface",
      "label": "Advanced public trust surface",
      "public_description": "Trust center, legal hub, AI governance hub, security practices, secure SDLC, contracts, methodology, and research surfaces are all publicly discoverable with direct links."
    },
    {
      "dimension_key": "ai_language",
      "label": "Specific and bounded AI language",
      "public_description": "AI claims are tied to responsible AI principles, a customer data and model training policy, an AI usage policy, and explicit human-review and output-caveat language. Generic AI safety claims are avoided."
    },
    {
      "dimension_key": "legal_clarity",
      "label": "Enterprise-reviewable legal posture",
      "public_description": "Privacy, terms, acceptable use, cookie policy, subprocessors, data processing addendum, AI usage policy, and vulnerability disclosure are all individually documented and linked from the legal hub."
    },
    {
      "dimension_key": "security_trust",
      "label": "Honest security disclosure",
      "public_description": "A dedicated security practices page covers encryption, access control, monitoring, and incident response. A secure SDLC page covers threat modeling, CI/CD controls, and AI-specific checks. Certification aspirations are separated from certifications held."
    },
    {
      "dimension_key": "consistency",
      "label": "Consistent claim and caveat framing",
      "public_description": "Research, services, labs, legal, AI governance, and trust center pages use compatible evidence framing and caveats. Claim-readiness labels are applied consistently."
    },
    {
      "dimension_key": "remediation_opportunity",
      "label": "Clear next improvement path",
      "public_description": "The public surface makes the next trust improvement obvious: a formal third-party attestation or security whitepaper would close the main remaining gap between disclosed controls and independently verified ones."
    }
  ],
  "observed_artifacts": [
    {
      "type": "trust_center",
      "present": true,
      "url": "/trust-center"
    },
    {
      "type": "legal_hub",
      "present": true,
      "url": "/legal"
    },
    {
      "type": "ai_governance_hub",
      "present": true,
      "url": "/ai-governance"
    },
    {
      "type": "privacy_policy",
      "present": true,
      "url": "/legal/privacy"
    },
    {
      "type": "terms_of_service",
      "present": true,
      "url": "/legal/terms"
    },
    {
      "type": "ai_usage_policy",
      "present": true,
      "url": "/legal/ai-usage-policy"
    },
    {
      "type": "acceptable_use_policy",
      "present": true,
      "url": "/legal/acceptable-use"
    },
    {
      "type": "cookie_policy",
      "present": true,
      "url": "/legal/cookie-policy"
    },
    {
      "type": "subprocessors_list",
      "present": true,
      "url": "/legal/subprocessors"
    },
    {
      "type": "data_processing_addendum",
      "present": true,
      "url": "/legal/data-processing-addendum"
    },
    {
      "type": "vulnerability_disclosure",
      "present": true,
      "url": "/legal/vulnerability-disclosure"
    },
    {
      "type": "responsible_ai_principles",
      "present": true,
      "url": "/ai-governance/responsible-ai"
    },
    {
      "type": "customer_data_training_policy",
      "present": true,
      "url": "/ai-governance/customer-data-and-model-training"
    },
    {
      "type": "security_practices_page",
      "present": true,
      "url": "/trust-center/security"
    },
    {
      "type": "secure_sdlc_page",
      "present": true,
      "url": "/trust-center/secure-sdlc"
    },
    {
      "type": "contract_templates",
      "present": true,
      "url": "/trust-center/contracts"
    },
    {
      "type": "methodology",
      "present": true,
      "url": "/methodology"
    },
    {
      "type": "public_report",
      "present": true,
      "url": "/report"
    },
    {
      "type": "security_contact",
      "present": true,
      "url": "mailto:security@aisecurity.llc"
    },
    {
      "type": "dedicated_security_whitepaper",
      "present": false
    },
    {
      "type": "third_party_security_certification",
      "present": false
    }
  ],
  "public_findings": [
    {
      "title": "Full legal suite is enterprise-reviewable",
      "severity": "info",
      "category": "legal_clarity",
      "summary": "Privacy, terms, acceptable use, cookie policy, subprocessors, DPA, AI usage policy, and vulnerability disclosure are all separately documented with dedicated routes under a legal hub.",
      "public_tip": "Keep each document directly linkable from the trust center and contract hub. Enterprise buyers often paste URLs into procurement systems rather than reading inline."
    },
    {
      "title": "AI governance documentation is specific and bounded",
      "severity": "info",
      "category": "ai_language",
      "summary": "Responsible AI principles, a customer data and model training policy, and an AI usage policy are all individually documented. The customer data policy explicitly states that customer data does not train AI models.",
      "public_tip": "The model-training opt-out language is a high-value signal for enterprise buyers. Surface it on the trust center hero and in the DPA."
    },
    {
      "title": "Security practices page is honest about certification scope",
      "severity": "info",
      "category": "security_trust",
      "summary": "The security page covers encryption, access control, MFA, dependency scanning, incident response, and vendor risk. It distinguishes between certifications held and certifications aspired to.",
      "public_tip": "The honest framing on certifications is appropriate — do not overclaim. Consider adding a target date or roadmap note for formal attestation."
    },
    {
      "title": "No third-party security certification observed",
      "severity": "low",
      "category": "security_trust",
      "summary": "Controls are disclosed and appear appropriate for the platform's scope, but no SOC 2, ISO 27001, or equivalent third-party attestation is publicly referenced.",
      "public_tip": "A scoped SOC 2 Type I or equivalent readiness assessment would close the gap between disclosed controls and independently verified ones. Surface the roadmap publicly if a timeline exists."
    },
    {
      "title": "Vulnerability disclosure program is present and in-scope",
      "severity": "info",
      "category": "security_trust",
      "summary": "A dedicated vulnerability disclosure page covers in-scope systems, the reporting address (security@aisecurity.llc), response process, and researcher protections.",
      "public_tip": "Verify that the security contact address is deliverable and monitored, and that response-time expectations are stated so researchers know what to expect."
    },
    {
      "title": "Claim-readiness labeling is systematic",
      "severity": "info",
      "category": "consistency",
      "summary": "Public outputs use consistent claim-readiness labels (public-ready, public with caveat, internal only, do not claim). The methodology and trust center both explain the labeling system.",
      "public_tip": "Apply the same label system to scanner outputs and any product marketing copy so buyers see a coherent evidence story from discovery through procurement."
    }
  ],
  "improvement_guidance": [
    {
      "title": "Pursue a scoped third-party security attestation",
      "public_tip": "A SOC 2 Type I or equivalent readiness assessment would provide independently verified evidence for the controls already disclosed on the security practices and SDLC pages. Even a scoped readiness letter closes the gap between self-disclosed controls and independently verified ones."
      "recommended_artifacts": [
        "soc2-readiness-scope.md",
        "control-evidence-pack.md",
        "certification-roadmap-note.md"
      ],
      "best_practice_refs": [
        {
          "key": "soc2-type1",
          "label": "SOC 2 Type I attestation"
        },
        {
          "key": "iso-27001",
          "label": "ISO/IEC 27001 management system"
        },
        {
          "key": "nist-csf",
          "label": "NIST CSF Identify/Protect functions"
        }
      ]
    },
    {
      "title": "Publish a security overview or whitepaper",
      "public_tip": "A single security overview document that cross-references the security practices page, SDLC controls, DPA, subprocessors, and vulnerability disclosure into a buyer-digestible summary would reduce enterprise review friction significantly.",
      "recommended_artifacts": [
        "security-overview.pdf",
        "trust-artifact-index.md",
        "buyer-security-faq.md"
      ],
      "best_practice_refs": [
        {
          "key": "nist-ai-rmf-govern",
          "label": "NIST AI RMF Govern function"
        },
        {
          "key": "iso-42001-evidence",
          "label": "ISO/IEC 42001 management system evidence"
        },
        {
          "key": "claim-readiness",
          "label": "Claim-readiness review"
        }
      ]
    },
    {
      "title": "Add subprocessor change notification mechanism",
      "public_tip": "The subprocessors page lists current processors clearly. Adding a public changelog or notification mechanism (email or RSS) for subprocessor additions would satisfy enterprise DPA requirements and reduce procurement friction.",
      "recommended_artifacts": [
        "subprocessor-change-log.md",
        "dpa-notification-clause.md"
      ],
      "best_practice_refs": [
        {
          "key": "gdpr-art28",
          "label": "GDPR Art. 28 processor obligations"
        },
        {
          "key": "ccpa-service-provider",
          "label": "CCPA service provider requirements"
        }
      ]
    }
  ],
  "methodology": {
    "engine_version": "trust-scanner-web-shell-v0",
    "rules_version": "atg-public-rules-v0.2",
    "crawl_snapshot_date": "2026-05-20",
    "page_count": 28,
    "disclaimer": "Based on public website signals and observed artifacts, not proof of any organization's internal security maturity."
  }
}
