// Trust & Security Report

    eShares, Inc. DBA Carta, Inc. logo

    eShares, Inc. DBA Carta, Inc.

    Equity management and private capital operations platform (cap tables, fund administration, valuations, legal)

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance: SOC 2 Type II | Featured Documents: 2025 SOC 2 Type 2 Report for Carta Platform | Bridge Letter for Carta's 2025 SOC 2 Reports

    Verify on trust.carta.com
    SOC 1 Type II
    HELD

    Compliance: SOC 1 Type II | Featured Documents: 2025 SOC 1 Type 2 Report for Fund Administration, 2025 SOC 1 Type 2 Report for Cap Table, 2025 SOC 1 Type 2 Report for Money Movement, 2025 SOC 1 Type 2 Report for Fund Services, 2025 SOC 1 Type 2 Report for Financial Reporting

    Verify on trust.carta.com
    ISO 27001:2022
    HELD

    Compliance: ISO 27001:2022 | Featured Documents: Carta ISO 27001 Certificate 2025-2028, Carta ISO 27001 - SOA v1.0 - March 2025, Avantia (now Carta Law) ISO 27001 Certification, Accelex (now LPPA) ISO 27001 Certification

    Verify on trust.carta.com
    GDPR
    HELD

    Compliance ISO 27001:2022 SOC 2 Type II SOC 1 Type II SIG GDPR CCPA

    Verify on trust.carta.com
    CCPA
    HELD

    Compliance ISO 27001:2022 SOC 2 Type II SOC 1 Type II SIG GDPR CCPA

    Verify on trust.carta.com
    SIG (Standardized Information Gathering)
    HELD

    Compliance: SIG | Featured Documents: Carta SIG Core 2026

    Verify on trust.carta.com
    > Show 8 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance found on trust center or public pages. Carta is a financial equity management platform; HIPAA does not apply to its core services.

    source: trust.carta.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on Carta trust center or public pages.

    source: trust.carta.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on Carta trust center or public pages.

    source: trust.carta.com
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on Carta trust center or public pages.

    source: trust.carta.com
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on Carta trust center or public pages.

    source: trust.carta.com
    ISO 27701
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on Carta trust center or public pages.

    source: trust.carta.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on Carta trust center or public pages.

    source: trust.carta.com
    ISO/IEC 42001 (AI Management Systems)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on Carta trust center or public pages.

    source: trust.carta.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primarily AWS-hosted in the United States. Transatlantic transfers of EU/UK/Switzerland data are covered by Standard Contractual Clauses and the EU-US Data Privacy Framework. No dedicated EU data residency option publicly confirmed.

    Carta explicitly states: 'Carta does not train internal or third-party generative AI models on customer data.' Anonymized and aggregated data may be used for product analytics and research but never in a way that identifies individual users. An 'Use of AI at CARTA' policy document is listed in the trust center. Vendor agreements also prohibit third-party AI providers from using Carta customer data to train public models.

    // Security controls

    Encryption in transit

    TLS 1.2+

    carta.com

    Encryption at rest

    AES-256

    carta.com

    Penetration testing

    Annual third-party penetration testing; 2025 Pen Test Executive Report available in trust center

    trust.carta.com

    Vulnerability disclosure

    Has a bug bounty or vulnerability disclosure program

    trust.carta.com

    Mobile device management

    Has a formal mobile device management (MDM) program

    trust.carta.com

    Disaster recovery

    Has a disaster recovery plan; data backed up daily; highly available and redundant AWS architecture

    trust.carta.com

    Identity and access management

    Uses a centralized IAM solution (SSO) to manage employee access; principle of least privilege applied to systems storing customer data

    trust.carta.com

    Subprocessors

    Subprocessors list available in trust center

    trust.carta.com

    Cyber insurance

    Has cyber insurance

    trust.carta.com

    Audit logging

    Every internal action and click on the Carta platform is logged

    support.carta.com

    Third-party audits

    One or more annual third-party audits covering SOC 1, SOC 2, and ISO 27001

    trust.carta.com

    Data deletion

    Deletes customer data on request

    trust.carta.com

    // Products & data scope

    Carta Equity SuiteCap table management, equity administration

    data: Cap table ownership records, equity grants, employee compensation data, investor PII, 409A valuations

    SOC 2 Type II (2025 SOC 2 Type 2 Report for Carta Platform) and SOC 1 Type II (Cap Table, Financial Reporting) coverage confirmed. Handles highly sensitive financial and equity ownership data.

    Carta Fund ERPFund administration, portfolio analytics, valuations, KYC/AML

    data: Fund financial data, LP investor information, portfolio company data, fund tax records

    SOC 1 Type II reports cover Fund Administration, Money Movement, Fund Services, and Financial Reporting. SOC 2 Type 2 also covers Loan Ops (formerly Sirvatus) and CRM (formerly ListAlpha).

    Carta Law (formerly Avantia Law)AI-native legal services for private capital

    data: Legal documents, transactional data, privileged client communications

    Has its own separate ISO 27001 certification (Avantia now Carta Law) and SOC 2 Type 2 report (2025 SOC 2 Type 2 - Avantia Law). Buyers should confirm combined vs. standalone coverage with Carta.

    Capdesk (now Carta, European markets)Cap table management for European companies

    data: European company equity data, EU employee and investor PII

    Has its own SOC 2 Type 2 report (2025 SOC 2 Type 2 Report for Capdesk) and ISO 27001 certification. Dedicated GDPR compliance coverage. EU customers should reference Capdesk-specific certifications.

    // What to watch

    • Multi-entity certification scope: Carta Law (formerly Avantia) and Capdesk hold separate ISO 27001 and SOC 2 certifications distinct from the main Carta Platform. Buyers should confirm which entity and report covers their specific subscription.
    • Trust center documents (full SOC 1, SOC 2, ISO 27001 reports) are NDA-gated and require approval via the Conveyor portal. Only the compliance listing and document titles are publicly visible.
    • ISO 27001 certificate 2025-2028 reflects the ISO 27001:2022 standard; a prior 2013-based certificate was in place from August 2023 and has now been superseded.
    • AI features are expanding rapidly across Fund Admin and Carta Law. The 'Use of AI at CARTA' document in the trust center should be reviewed for current scope; AI policy may evolve as product AI capabilities grow.
    • No evidence of HIPAA, PCI DSS, FedRAMP, ISO 27017/27018/27701, CSA STAR, or ISO/IEC 42001 certifications. HIPAA and FedRAMP are not applicable to core equity and fund admin use cases.
    • Data residency: Carta primarily hosts on AWS in the US. EU/UK customers relying on data sovereignty requirements should confirm Capdesk-based EU infrastructure via trust center or sales.

    // At a glance

    Pricing model

    Subscription-based, tiered by company stage and product suite (Equity Suite, Fund ERP, Carta Law priced separately). Free Launch tier for early-stage startups.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on eShares, Inc. DBA Carta, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.carta.com

    > Browse all vendor trust reports