Carta Security Procedures

We undergo regular examinations by our independent auditor, who produces a Service Organization Control (SOC) report annually to evaluate our internal systems and processes.

Account security

You control your own password and authentication for your account on Carta. As part of your company or portfolio, you can invite any number of other users to view your information along with a detailed set of permissions. You do not need to share your password to share your cap table – simply invite others with limited access rights that you can revoke at any time.

Carta passwords must be sufficiently complex. We use realistic password strength estimation to validate the complexity of user passwords. Passwords must be:

  • Sufficiently long, around 9 characters or more
  • Sufficiently complex, which may include upper case, lower case, numbers, and symbols
  • Free of common passwords
  • Free of common dictionary words or common phrases
  • Free of common patterns, such as 123456

You may also opt to secure your account via two-factor authentication, using your phone as an authentication device. To learn more, click here.

The company administrator can require company viewers, editors and legal administrators to enable two-factor authentication. Go to Settings > General tab.

All account activity is logged into a distinct and separate logging platform.


Browser security

Carta honors the "do not track" preference setting of certain browsers. Users that opt into "do not track" will be exempted from analytics tracking that Carta may perform.


Operational security

Carta is an SEC-registered transfer agent, which entails rigorous privacy and security measures. Our filing can be found here. We are subject to rules and regulations that are enforced by the SEC and monitored by our independent auditor.

We maintain a business continuity plan as part of our SOC 1 Type 2 report.

All Carta employees pass a rigorous background check as a condition of employment.

All Carta staff accounts are protected by two-factor authentication, and Carta staff cannot disable it. All staff computers have full disk encryption enabled. All staff email accounts are protected with two-factor authentication.

We use Box to send files securely back and forth with customers during the onboarding process. This also provides internal tracking and permissions for which agent has access to your files during the onboarding process.

Carta is compliant with the ESIGN Act for digital signatures.


Technical and data security

Carta maintains bank-level digital security: 256-bit SSL encryption (with an A+ rating via Qualys SSL Labs). This includes OCSP stapling and HTTP Strict Transport Security (HSTS).

We utilize Amazon Web Services (AWS) to host our servers and data. AWS has a suite of compliance certificates for their data centers, including full SSAE 16 (SOC 1, SOC 2, and SOC 3) compliance. Our server instances are hosted in a virtual private cloud, using only data centers located in the United States. Only select Carta engineers have access to our production environment. All direct access to our production systems is protected by public key encryption and two-factor authentication.

Our files, including those that you upload, are hosted on the AWS storage service. Files are encrypted with AES-256 and backed up to multiple locations in the United States. We protect access to download these private files through cryptographic signatures, and links are time-limited for extra protection. Private keys are rotated at least annually, and access to private keys is restricted to a subset of Carta engineers.
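The signed, time-limited download links described above, as an added example (not Carta's code): each link carries a key id, an expiry and an HMAC-SHA256 over the path and expiry, so an altered path or extended deadline fails verification, an expired link is refused, and links signed under a retired key still verify after rotation. The key ids, the query parameter names and the signing keys are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing keys, indexed by key id so that links issued under an
# older key still verify after rotation (the page says keys rotate at least annually).
SIGNING_KEYS = {
    "k-old": secrets.token_bytes(32),  # retired key, kept for verification only
    "k-new": secrets.token_bytes(32),  # current key, used to sign new links
}
CURRENT_KEY_ID = "k-new"


def _mac(key_id: str, path: str, expires: int) -> str:
    # The MAC covers key id, object path and expiry, so changing any of them
    # (for example extending the deadline) invalidates the signature.
    msg = f"{key_id}\n{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEYS[key_id], msg, hashlib.sha256).hexdigest()


def sign_download_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return a link to `path` that stops verifying `ttl_seconds` after `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"kid": CURRENT_KEY_ID, "exp": expires,
                       "sig": _mac(CURRENT_KEY_ID, path, expires)})
    return f"{path}?{query}"


def verify_download_url(url: str, now: Optional[int] = None) -> bool:
    """True only for an unmodified, unexpired link signed by a known key."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        key_id, expires, sig = params["kid"][0], int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return False
    if key_id not in SIGNING_KEYS or now >= expires:
        return False
    # Constant-time comparison so the MAC cannot be probed byte by byte via timing.
    return hmac.compare_digest(_mac(key_id, parts.path, expires), sig)
```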

All databases are stored on encrypted-at-rest file systems using AES-256 encryption, with private keys that are rotated at least annually. All database queries and traffic are routed only through SSL-secured connections.

All technical and software changes go through a rigorous peer-review process and a full suite of technical acceptance tests.

The Carta website is only served over SSL to keep website traffic secure, and insecure protocols like SSL 2 and SSL 3 are not enabled.

Attempts to log in with incorrect usernames or passwords are rate-limited to greatly reduce the opportunity to brute-force break into a User Account.

Carta utilizes CloudFlare to protect against denial of service and other common attack vectors.

More sensitive data fields, such as tax IDs (employer ID numbers, Social Security numbers), are further encrypted using AES-256 with a separate private key.

All passwords are hashed using PBKDF2 (Password-Based Key Derivation Function 2), with unique per-user salts and a work factor of at least 15,000 iterations.
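Password hashing with the parameters stated above, as an added example (not Carta's code): a fresh random salt per user, PBKDF2 at 15,000 iterations, a self-describing stored record, constant-time verification, and a check that flags records made under an older, weaker work factor. The record format and the choice of SHA-256 as the PBKDF2 hash are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Parameters from the page: unique per-user salt, at least 15,000 iterations.
# The record layout "algorithm$iterations$salt$digest" is an assumption.
ITERATIONS = 15_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str) -> str:
    """Return a self-describing record: pbkdf2_<hash>$iterations$salt$digest."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh salt for every user
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, ITERATIONS)
    return "$".join([
        f"pbkdf2_{HASH_NAME}",
        str(ITERATIONS),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest using the salt and iteration count stored in the record."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        hash_name = algorithm.removeprefix("pbkdf2_")
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed record: never treat as a match
    actual = hashlib.pbkdf2_hmac(hash_name, password.encode(), salt, rounds)
    # Constant-time comparison so mismatches do not leak timing information.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was produced with fewer iterations than current policy."""
    try:
        return int(record.split("$")[1]) < ITERATIONS
    except (IndexError, ValueError):
        return True
```

Calling needs_rehash after a successful login lets a deployment raise the work factor over time without forcing password resets.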

Our database is backed up regularly to multiple areas only located within the United States (Virginia, Oregon).

All changes to any customer data are automatically logged in a separate audit database. This includes every action and click on the Carta platform. This allows us to identify what data changed, on which date, by whom, and from where.


Banking and money movement

Carta utilizes two money movement providers: Stripe, for credit card transactions, and Silicon Valley Bank for cash movement in the United States via ACH.

For credit card transactions, Stripe holds the actual credit card information; Carta does not have access to credit card numbers. You can read a broader piece on Stripe's security and PCI compliance in their security overview.

For cash and wire transactions, we use Silicon Valley Bank, with industry-standard end-to-end encryption between Carta and SVB. Account information, such as account numbers, is stored with a separate encryption key (again, AES-256). Cash movement does involve some delays as part of our process to ensure the funds are fully cleared. Failed transactions, such as non-sufficient funds or stop payments, are raised internally through our transaction auditing platform for personal follow-up by Carta account managers.

Carta uses industry-standard micro-deposits to verify accounts. Micro-deposits are two small deposits under $1.00 to an account, whose amounts the account holder must then confirm.


Third party validation

We utilize HackerOne, a security vulnerability testing and disclosure platform. We invite top security researchers ("white hats") to explore the Carta platform in a sandbox environment to discover vulnerabilities in a responsible manner. Many other top companies use this network effectively: Square, Dropbox, Cloudflare, and more.


Background

Carta employs engineers who have worked in other security- and availability-critical domains, including national defense research, public high-volume brokerages, and healthcare technology.


Carta Software updates

Carta is rapidly improving on all aspects of our software. We currently release software updates four times per week, Monday through Thursday evenings, around 8 p.m. US/Pacific time. Some of these iterative updates may include a few brief moments where our service is unavailable.

All software changes are, at a minimum, reviewed by another software engineer and product manager. All changes are also reviewed by a senior member of the engineering team and product team prior to release.

All software changes go through a rich set of automated tests covering critical parts of the application, including visual tests to ensure that any visual changes are as expected.


Support options

Carta strives to be as accessible as possible regarding customer support. 

Customer support is available via email (support@carta.com) and via phone or live chat between 7:30 am and 6 pm Pacific time.


Responsible disclosure

If you believe you have discovered a vulnerability within Carta, or are a security researcher interested in this space, please contact us at security@carta.com. Please include as many details as possible, including steps to reproduce or a proof of concept. We are always interested in adding talented researchers to our HackerOne disclosure program.