// Trust & Security Report
eShares, Inc. DBA Carta, Inc.
Equity management and private capital operations platform (cap tables, fund administration, valuations, legal)
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.carta.com“Compliance: SOC 2 Type II | Featured Documents: 2025 SOC 2 Type 2 Report for Carta Platform | Bridge Letter for Carta's 2025 SOC 2 Reports”
Verify on trust.carta.com“Compliance: SOC 1 Type II | Featured Documents: 2025 SOC 1 Type 2 Report for Fund Administration, 2025 SOC 1 Type 2 Report for Cap Table, 2025 SOC 1 Type 2 Report for Money Movement, 2025 SOC 1 Type 2 Report for Fund Services, 2025 SOC 1 Type 2 Report for Financial Reporting”
Verify on trust.carta.com“Compliance: ISO 27001:2022 | Featured Documents: Carta ISO 27001 Certificate 2025-2028, Carta ISO 27001 - SOA v1.0 - March 2025, Avantia (now Carta Law) ISO 27001 Certification, Accelex (now LPPA) ISO 27001 Certification”
Verify on trust.carta.com“Compliance ISO 27001:2022 SOC 2 Type II SOC 1 Type II SIG GDPR CCPA”
Verify on trust.carta.com“Compliance ISO 27001:2022 SOC 2 Type II SOC 1 Type II SIG GDPR CCPA”
Verify on trust.carta.com“Compliance: SIG | Featured Documents: Carta SIG Core 2026”
> Show 8 unconfirmed / not-held certifications
source: trust.carta.comNo public evidence of HIPAA compliance found on trust center or public pages. Carta is a financial equity management platform; HIPAA does not apply to its core services.
source: trust.carta.comNo public evidence of PCI DSS certification found on Carta trust center or public pages.
source: trust.carta.comNo public evidence of FedRAMP authorization found on Carta trust center or public pages.
source: trust.carta.comNo public evidence of ISO 27017 certification found on Carta trust center or public pages.
source: trust.carta.comNo public evidence of ISO 27018 certification found on Carta trust center or public pages.
source: trust.carta.comNo public evidence of ISO 27701 certification found on Carta trust center or public pages.
source: trust.carta.comNo public evidence of CSA STAR certification found on Carta trust center or public pages.
source: trust.carta.comNo public evidence of ISO 42001 certification found on Carta trust center or public pages.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primarily AWS-hosted in the United States. Transatlantic transfers of EU/UK/Switzerland data are covered by Standard Contractual Clauses and the EU-US Data Privacy Framework. No dedicated EU data residency option publicly confirmed.
Carta explicitly states: 'Carta does not train internal or third-party generative AI models on customer data.' Anonymized and aggregated data may be used for product analytics and research but never in a way that identifies individual users. An 'Use of AI at CARTA' policy document is listed in the trust center. Vendor agreements also prohibit third-party AI providers from using Carta customer data to train public models.
// Security controls
Penetration testing
Annual third-party penetration testing; 2025 Pen Test Executive Report available in trust center
trust.carta.comDisaster recovery
Has a disaster recovery plan; data backed up daily; highly available and redundant AWS architecture
trust.carta.comIdentity and access management
Uses a centralized IAM solution (SSO) to manage employee access; principle of least privilege applied to systems storing customer data
trust.carta.comThird-party audits
One or more annual third-party audits covering SOC 1, SOC 2, and ISO 27001
trust.carta.com// Products & data scope
data: Cap table ownership records, equity grants, employee compensation data, investor PII, 409A valuations
SOC 2 Type II (2025 SOC 2 Type 2 Report for Carta Platform) and SOC 1 Type II (Cap Table, Financial Reporting) coverage confirmed. Handles highly sensitive financial and equity ownership data.
data: Fund financial data, LP investor information, portfolio company data, fund tax records
SOC 1 Type II reports cover Fund Administration, Money Movement, Fund Services, and Financial Reporting. SOC 2 Type 2 also covers Loan Ops (formerly Sirvatus) and CRM (formerly ListAlpha).
data: Legal documents, transactional data, privileged client communications
Has its own separate ISO 27001 certification (Avantia now Carta Law) and SOC 2 Type 2 report (2025 SOC 2 Type 2 - Avantia Law). Buyers should confirm combined vs. standalone coverage with Carta.
data: European company equity data, EU employee and investor PII
Has its own SOC 2 Type 2 report (2025 SOC 2 Type 2 Report for Capdesk) and ISO 27001 certification. Dedicated GDPR compliance coverage. EU customers should reference Capdesk-specific certifications.
// What to watch
- Multi-entity certification scope: Carta Law (formerly Avantia) and Capdesk hold separate ISO 27001 and SOC 2 certifications distinct from the main Carta Platform. Buyers should confirm which entity and report covers their specific subscription.
- Trust center documents (full SOC 1, SOC 2, ISO 27001 reports) are NDA-gated and require approval via the Conveyor portal. Only the compliance listing and document titles are publicly visible.
- ISO 27001 certificate 2025-2028 reflects the ISO 27001:2022 standard; a prior 2013-based certificate was in place from August 2023 and has now been superseded.
- AI features are expanding rapidly across Fund Admin and Carta Law. The 'Use of AI at CARTA' document in the trust center should be reviewed for current scope; AI policy may evolve as product AI capabilities grow.
- No evidence of HIPAA, PCI DSS, FedRAMP, ISO 27017/27018/27701, CSA STAR, or ISO/IEC 42001 certifications. HIPAA and FedRAMP are not applicable to core equity and fund admin use cases.
- Data residency: Carta primarily hosts on AWS in the US. EU/UK customers relying on data sovereignty requirements should confirm Capdesk-based EU infrastructure via trust center or sales.
// At a glance
Pricing model
Subscription-based, tiered by company stage and product suite (Equity Suite, Fund ERP, Carta Law priced separately). Free Launch tier for early-stage startups.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on eShares, Inc. DBA Carta, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.carta.com