On Friday we had an internal policy violation that affected three companies. I’ve been in touch with the founders and I’m appalled we made that mistake; it should never have happened. It is unacceptable. We dealt with the violation on Saturday morning and are continuing the investigation to make sure it never happens again.
Let me share our framework on data privacy and access controls to hopefully address concerns from this weekend. For a deeper dive, I will group data privacy into four buckets, each with different rules, and cover each one separately.
1. Public Disclosures: We can only publish aggregate and anonymous data. So we can say things like there are 34K startups on Carta, or the average Series A startup has 25 employees, etc… However, we cannot say Acme Startup has 41 shareholders or the PPS is $13.24. You will see this type of aggregate anonymous information frequently in our data reports.
2. Internal Systems Disclosures: We can use cap table data for onboarding and internal systems development. So for example, we can load cap table data into dashboards for audit, we can write health checks to make sure cap table reports are correct, we can run machine learning algorithms to predict when you need a 409A, etc… We can use cap table data to help us improve the software or customer experience. This also includes things like when support teams access cap tables (through an approval and audit system) or when a customer needs help correcting or updating their cap table. All human access to cap tables is tracked and audited.
3. Sales & Marketing: Lastly, we can market to our customers and users. For example, we can offer new products to help companies with employee compensation, taxes, and expense reporting. Occasionally we have offered products directly to employee shareholders. For example, in the past we have offered stock-based loan products to employees of certain companies, where employees can access loans to exercise their stock. But when we offer these products to employees we only do it in collaboration with the company. The company has to approve the program for their employees before we can offer it.
4. CartaX: CartaX is a separate product that operates as an opt-in marketplace where investors are invited to enter bids and asks on different companies. At any given time we have about one hundred companies that are in the marketplace. Where CartaX and the cap table business converge is if we match a trade in the marketplace, we go to the company and ask if they will allow it. If the company allows it, we use their cap table to execute the trade. If the company doesn’t allow it, we stop the trade. We do not and will never trade without company consent.
In the case of Linear and two other companies, we had an internal breach of protocol and we contacted someone directly on the cap table. That never should have happened and is absolutely a breach of our privacy protocols. And we have addressed it over the weekend.
The second mistake might be whether we are too close to the cap table business to be helping on liquidity. We started CartaX five years ago to help founders and companies with liquidity and it has mostly been a net positive for founders, employees, and shareholders. But even if we do everything perfectly and make zero mistakes, perhaps just the appearance of being in the liquidity business makes us seem compromised. Everything we do must be grounded in trust and if being in the liquidity business compromises that trust, perhaps we need to reevaluate that offering.
I will think about this and come back with more thoughts in the coming months. If you have a perspective on whether Carta should be helping companies with liquidity, please reach out to me. I’d love to hear it.
I’m sorry for scaring everybody about this. After ten years of managing cap tables across 40,000 startups, I promise we aren’t compromising anyone’s data. We won’t be here if you don’t trust us. Trust, transparency, and integrity are our most important currency. If you would like to chat with me more one-on-one, please email me at firstname.lastname@example.org and we can set up a Zoom.