Carta Security Procedures
3rd party audits of Carta security
We undergo regular examinations by our independent auditor.
The auditor produces Service Organization Control (SOC) reports annually to evaluate our internal systems and processes for the following products:
- SOC 1 Type 2 for the cap table-related products
- SOC 2 Type 2 for all of Carta’s platform (planned delivery by the end of 2019)
- SOC 1 Type 2 for custody/safekeeping and ASC 820 products (planned delivery by the end of 2019)
- SOC 1 Type 2 for fund administration product (planned delivery by the end of 2019)
- SOC 1 Type 2 for public markets products (planned delivery by the end of 2019)
Carta also maintains an ISO 27001 certification; details can be provided upon request.
You control your own password and authentication for your account on Carta. As part of your company or portfolio, you can invite any number of other users to view your information along with a detailed set of permissions. You do not need to share your password to share your cap table – simply invite others with limited access rights that you can revoke at any time.
Carta passwords must be sufficiently complex. We use a realistic password strength estimator to validate the complexity of user passwords. Passwords must:
- Be sufficiently long (9 characters or more)
- Be sufficiently complex, which may include upper case, lower case, numbers, and symbols
- Not be a common password
- Not contain common dictionary words or common phrases
- Not contain common patterns, such as 123456
You may also opt to secure your account via two-factor authentication, using your phone as an authentication device.
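An added illustration of the policy above (example code written for this page, not Carta's own validator): a Python checker that applies the length, complexity, common-password, dictionary-word and pattern rules. The three-character-class threshold and the short denylists are assumptions, since the page states neither; a production check would use full lists.

```python
import re

MIN_LENGTH = 9          # "9 characters or more", as stated on the page
MIN_CLASSES = 3         # assumption: the page does not give a class count

# Constructed, deliberately tiny stand-ins for the real denylists.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "iloveyou", "welcome1"}
COMMON_WORDS = ("password", "welcome", "dragon", "monkey", "sunshine")

# Common patterns: keyboard/number sequences and three-or-more repeats (aaa, 111).
SEQUENCE_PATTERN = re.compile(
    r"(?:0123|1234|2345|3456|4567|5678|6789|abcd|bcde|cdef|qwer|asdf)", re.I)
REPEAT_PATTERN = re.compile(r"(.)\1{2,}")


def _character_classes(pw):
    """Count how many of lower / upper / digit / symbol appear in pw."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(not c.isalnum() for c in pw)
    return classes


def check_password(pw):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a common password")
    for word in COMMON_WORDS:           # embedded dictionary words
        if word in lowered:
            problems.append(f"contains the common word '{word}'")
            break
    if SEQUENCE_PATTERN.search(pw) or REPEAT_PATTERN.search(pw):
        problems.append("contains a common pattern (sequence or repeated characters)")
    return problems
```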
The company administrator can require company viewers, editors, and legal administrators to enable two-factor authentication. Go to Settings > General tab to do so.
All account activity is logged to a separate, dedicated logging platform.
Carta honors the "do not track" preference setting of certain browsers. Users that opt into "do not track" will be exempted from analytics tracking that Carta may perform.
Carta is an SEC-registered transfer agent, which entails rigorous privacy and security requirements. Our filing can be found here. We are subject to rules and regulations that are enforced by the SEC and monitored by our independent auditor.
Business continuity plan
We maintain a business continuity plan as part of our SOC 1 Type 2, SOC 2 Type 2, and ISO 27001 reports.
All Carta employees pass a rigorous background check as a condition of employment.
All Carta staff accounts are protected by two-factor authentication, and Carta staff cannot disable it. All staff computers have full disk encryption enabled. All staff email accounts are protected with two-factor authentication.
File sharing with customers
We use Box to send files securely back and forth with customers during the onboarding process. This also gives us internal tracking of, and permission controls over, which agent has access to your files during onboarding.
Carta is compliant with the ESIGN Act for digital signatures.
Technical and data security
Carta maintains bank-level digital security: 256-bit SSL encryption (with an A+ rating from Qualys SSL Labs). This includes OCSP stapling and HTTP Strict Transport Security (HSTS).
We utilize Amazon Web Services (AWS) to host our servers and data. AWS has a suite of compliance certificates for their data centers, including full SSAE 16 (SOC 1, SOC 2, and SOC 3) compliance. Our server instances are hosted in a virtual private cloud, using only data centers located in the United States. Only select Carta engineers have access to our production environment. All direct access to our production systems is protected by public key encryption and two-factor authentication.
Encryption at rest
Our files, including those that you upload, are hosted on the AWS storage service. Files are encrypted with AES-256 and backed up to multiple locations in the United States. We restrict access to download these private files through cryptographic signatures, and links are time-limited for extra protection. Private keys are rotated at least annually, and access to private keys is restricted to a subset of Carta engineers.
All databases are stored on encrypted-at-rest file systems using AES-256, with private keys that are rotated at least annually. All database queries and traffic are routed only over SSL-secured connections.
Encryption in transit
The Carta website is only served over SSL to keep website traffic secure, and insecure protocols like SSL 2 and SSL 3 are not enabled.
All technical and software changes go through a rigorous peer-review process and a full suite of technical acceptance tests.
Brute force login protection
Attempts to log in with incorrect usernames or passwords are rate-limited to greatly reduce the opportunity for brute-force attacks against a user account.
Carta utilizes CloudFlare to protect against denial of service (DoS) and other common attack vectors.
Further encryption of highly confidential information
More sensitive data fields, such as tax IDs (employer ID numbers, Social Security numbers), are further encrypted using AES-256 with a separate private key.
All passwords are hashed using PBKDF2 (Password-Based Key Derivation Function 2) with unique per-user salts and a work factor of at least 15,000 iterations.
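As an added worked example of the hashing scheme just described (written for this page; not Carta's implementation), the Python below derives a PBKDF2 hash with a fresh per-user salt and the 15,000-iteration minimum, verifies a candidate password in constant time, and flags records that fall below the current work factor so they can be re-hashed on next login. The SHA-256 PRF, 16-byte salt and record format are assumptions; the page specifies only PBKDF2, per-user salts and the iteration count.

```python
import base64
import hashlib
import hmac
import os

HASH_NAME = "sha256"   # assumption: the page does not name the PRF
ITERATIONS = 15_000    # minimum work factor stated on the page
SALT_BYTES = 16        # assumption
KEY_BYTES = 32         # assumption


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_<prf>$<iters>$<salt>$<key>."""
    salt = os.urandom(SALT_BYTES)  # unique per-user salt, never reused
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                              salt, iterations, dklen=KEY_BYTES)
    return "$".join([
        "pbkdf2_" + HASH_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the key from the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_b64, key_b64 = record.split("$")
        prf = algo.removeprefix("pbkdf2_")
        if prf == algo:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        candidate = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"),
                                        salt, int(iters), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest avoids leaking the mismatch position via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, minimum_iterations=ITERATIONS):
    """True when a stored record predates the current work-factor policy."""
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < minimum_iterations
```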
Data and system backups
Our database is backed up regularly to multiple regions located only within the United States (Virginia, Oregon).
All changes to any customer data are automatically logged in a separate audit database. This includes every action and click on the Carta platform. This allows us to identify what data changed, on which date, by whom, and from where.
Banking and money movement
Carta utilizes two money-movement providers: Stripe, for credit card transactions, and Silicon Valley Bank for cash movement in the United States via ACH.
For credit card transactions, Stripe holds the actual credit card information; Carta does not have access to credit card numbers. You can read a broader piece on Stripe's security and PCI compliance in their security overview.
For cash and wire transactions, we use Silicon Valley Bank with industry-standard end-to-end encryption. Account information, such as account numbers, is stored with a separate encryption key (again, AES-256). Cash movement does involve some delays as part of our process to ensure the funds are fully cleared. Failed transactions, such as non-sufficient funds or stop payments, are raised internally through our transaction auditing platform for personal follow-up by Carta account managers.
Carta uses industry-standard micro-deposits to verify accounts. Micro-deposits are two small deposits under $1.00 to an account that the account holder must verify.
Third party validation
We utilize HackerOne, a security vulnerability testing and disclosure platform. We invite top security researchers ("white hats") to explore the Carta platform in a sandbox environment to discover vulnerabilities in a responsible manner. Many other top companies use this network effectively: Square, Dropbox, Cloudflare, and more.
Carta employs engineers who have worked in other security- and availability-critical domains, including national defense research, public high-volume brokerages, and healthcare technology.
Carta software updates
Carta is rapidly improving on all aspects of our software. We currently release software updates four times per week, Monday through Thursday evenings, around 8 p.m. US/Pacific time. Some of these iterative updates may include a few brief moments where our service is unavailable.
All software changes are, at a minimum, reviewed by another software engineer and product manager. All changes are also reviewed by a senior member of the engineering team and product team prior to release.
All software changes go through a rich set of automated tests covering critical parts of the application, including visual tests to ensure any visual changes are as expected.
Carta strives to be as accessible as possible regarding customer support.
Customer support is available via email (email@example.com) and via phone or live chat between 7:30 am and 6 pm Pacific time.
If you believe you have discovered a vulnerability within Carta, or are a security researcher interested in this space, please contact us at firstname.lastname@example.org. Please include as many details as possible, including steps to reproduce or a proof of concept. We are always interested in adding talented researchers to our HackerOne disclosure program.