How does Carta handle my cap table data?

How does Carta handle my cap table data?

At Carta, trust, transparency, and integrity are our most important currency. We have strict procedures, systems, and technologies to protect your cap table data. Customer data is encrypted at rest (AES256) and in transit (TLS 1.2+). Carta follows the principle of least privilege for system and data access, which means access to systems that store customer data is restricted to authorized individuals. You can read more in-depth about our compliance and security controls in our SOC 1/2 reports and related security documentation, which is available on our customer trust platform, Conveyor.

Data privacy and protection protocols


Who has access to see my cap table?
Access to systems that store customer data is restricted to authorized individuals based on their assigned role. Access outside a user’s standard job function requires documented approval from the system owner.

Do you track who’s accessed my cap table?
Yes. Every internal action and click on the Carta platform is logged.

Will any third parties have access to my data?
Yes. You can see our sub processor list and Privacy Policy for more details.

How is data recovered in case of loss?
We back up data daily and restore daily to ensure we can recover from potential disruptive events. We have implemented a highly available and redundant architecture through AWS hosted services so if one data center goes out, our services can maintain operations. In addition, we have a Business Continuity Plan that is reviewed, updated, tested and approved annually.

How is customer data protected?
Carta has a robust defense-in-depth strategy to safeguard our customers’ data. These measures include controls implemented across various domains, including:

  • Hiring and training practice
  • Physical and logical access control
  • Network and data protection
  • Application and infrastructure security
  • Threat detection and incident response
  • Vulnerability management
  • Secure code development and configuration management
  • Highly resilient architecture
  • Risk management programs to identify, document and treat risks across the organization

Multiple independent third-party auditors review our policies and controls on a periodic basis as part of our SOC1, SOC2, and ISO 27001 audits, which can be accessed here.

How is data used in Carta data reports?
We create, use, and share aggregated and anonymized data in our data reports.