107 comments

[ 3.4 ms ] story [ 156 ms ] thread
Here is the HN discussion on original accusations: https://news.ycombinator.com/item?id=38886915

Carta CEO's first response saying it was a one time employee mistake that happened on Friday: https://x.com/henrysward/status/1743713154721554849?s=20

Evidence by Karri that it happened well before Friday, and happened to multiple other companies too, questioning if it was indeed a one time incident: https://x.com/karrisaarinen/status/1743741496921383250?s=20

The linked tweet is Carta's CEO Henry Ward's comment ranting about how Karri should have reached out to them instead of publicly questioning the company, accusing him of using this incident to increase his twitter/linkedin exposure.

Here is a detailed response from Karri about the call details: https://twitter.com/karrisaarinen/status/1743824345334714587

This particular detail stands out as to how the solicitation actually happened: "He (Carta's CEO) explains commonly Carta Marketplace looks for sellers and buyers in their platform who have opted in to it. But in this case the employee in question, again not employed by Carta but a separate business, Carta Marketplace, was able to access our cap table data by their “break the glass” system which requires approval to see customer data. He didn’t know how it was done, he offered that potentially the employee self approved the request. The employee in question was put on administrative leave."

Lol, the employee (of technically a different business entity?) might have accessed the info through self approved request, but Carta's CEO is sure that this only happened this Friday to one company and is a one time incident. Yeah, I don't believe it.

> “break the glass” system

That begs the question, when is that system supposed to be used? In what sorts of situations would it be beneficial to Carta'a clients for another company (Carta Marketplace) to access their confidential information?

My guess is that it’s a customer support system that has a mode where non-support agents like account managers can in emergencies access a companies carta account. Imagine a scenario where a founder is freaking out because it seems like the cap table in carta doesn’t match the spreadsheet they’ve been working on, and they’re in the middle of negotiating a funding. They might call their account manager in a panic asking for their help, and the AM might want to see their account setup so that they can more effectively communicate with support.

Perfectly justified reason, and a reasonable feature. But I would bet that essentially everyone at “both” cartas who interact with founders or investors have access, and while theoretically every break glass is logged with a justification, and those justifications are audited, every single one says “helping company (company being accessed)”. That’s assuming anyone even looks at the audit trail (Narrator: they do not).

(comment deleted)
Having a “break glass” button is common for production access during an outage - the idea being that you should never touch prod manually (instead using code reviewed changes via normal deployment), except during incident response, where you can hit the button that lets you do so anyways.
I've built a break glass system.

The trick is you need to actually audit the use. We reviewed every access, audited as part of our soc 2 commitments, at a +2 reporting level the next business day.

> After the call I’ve learned Henry has been trying to explain this as “isolated incident” over tier 1 VC email group and saying the only way this to happen is if the company has opted in to CartaX.

How does Karri know this? Did someone in the email group tell him? Why would a VC leak information damaging to the company?

And if this is true, isn't this an implication that Henry is lying to investors about the problem? Karri has already proven he hasn't opted in to CartaX.

[flagged]
It is his own unhinged response that is far more threatening to his employees. And what exactly is his argument ?

That we should ignore behaviour at Enron, Theranos, FTX etc because people may lose their job.

Well that's because those companies didn't apologize with enough :folded-hands-emoji:
Unfortunately I feel like this style of thinking is all too common. When company leadership ^w^w job creators do something bad to the employees, the needs of the business are the shield for their accountability. When they use the company to do something bad to an outside party, suddenly the needs of those employees are the shield.
I loved the response. This is a founder to founder public response! Not a customer support deal, but a personal one… I’d appreciate more people talked their hearts out like this, openly.
It would seem like Ward is no stranger to this sort of public candidness. But it doesn't particularly seem like the sort of transparency that actually puts users, or employees, at ease.
This is a pathetic twitter slap fight between two dorks. It's so incredibly transparent that I honestly struggle to believe anyone could consider this a genuine exchange with a common goal of resolution. It's public shit slinging dressed up as humble, sincere tweets. It's plain embarrassing.
(comment deleted)
Unfortunately his heart is in the wrong place.
I think you're confused. This relationship is between customer and vendor.

And as a customer, I expect my vendor not to take my data and use it against me.

And then when I simply ask for clarification why this is happening not be gaslighted and made to feel a victim.

They sell comp data from all their customers, and most of their customers probably aren’t aware of it?
Eh, all feelings no facts.

Sorry but I just don't buy it. When you communicate this way it becomes apparent that the truth isn't on your side, or if it is then it's not what is most important to you.

Stick to the facts guys. Either information was used inappropriately or not, it was either systemic (i.e happening all the time) or occured because of a lapse of controls or specific employee trying to get around said controls (in which case you should probably fire them). Identify and disclose which it is along with what you are doing to fix it.

There is no need to muddy the conversation with the why/ethics/whatever of getting called out.

The accusation was clear, as should have been the response.

My comment from Karri's initial LinkedIn post:

At minimum, this is confidential information. At worst, they may be leveraging privileged information that only they and your Board have.

Either way, it's ugly. Even with a good explanation and tight controls in place, it needs to be opt in for shareholders.

Slightly worse situation here than in your linked example, from what I can see.

paulg is talking about Carta apparently used to email investors to advertise the existence of their new CartaX (Liquidity) platform. I don't know the contents of these emails, but I assume it was something like, "if you ever want to sell, ask your founder to opt-in to CartaX." I don't agree with this practice, and Henry apparently also said "sending marketing emails to investors is at best poor taste if not just wrong"[1].

In my opinion this case is a bit different, because not only are they apparently advertising Liquidity to investors, but Karri is saying they are trying to broker deals and close sales through back channels without the founders knowing or opting in to Liquidity.

Either way, in my opinion this history adds a bit of evidence to support this is a wider problem in how Carta employees treat data privacy.

1: https://nitter.net/MarwanRefaat/status/1357820073918910464#m

It’s funny how in a lot of these corporate missteps it’s the response which tells you more about the culture than the original incident. This is more likely to turn me off using them than the original incident.

Apologising and saying you will put processes into place to prevent it happening again is corporate comms and emotional 101, and it would have blown over in a week.

(comment deleted)
Karri Saarinen tweeted this today (Jan 6) at 8:36am https://twitter.com/karrisaarinen/status/1743672776643535015 he provides a helpful perspective on why Carta might be tempted to leverage customer information to facilitate transactions.

   This buy order was for $2.5M, they take 2% transaction fee 
   from the buyer and seller. 

   We pay them about $10k a year for the cap table management 
   but this transaction alone would net them $100k. 
   So I can see the temptation.
Is this CEO 13 years old? What a terrible response
(comment deleted)
These people are all so insufferable (praying hands emoji).
I don't get it. Does he think he's so clever with the passive-aggressiveness? Who does he think he's fooling?
I think the first paragraph was enough. There wasn't a need to publicly bash your customer.
The tone throughout that tweet sounds ill-chosen to me.
I agree. I'm not that familiar with this situation but seeing a CEO use swear words (idk what's the adult way to say this, I'm used to saying "bad words" to my kids) strikes me as incredibly unprofessional when it's in public, written communication. If the intent is genuine apology, that language does not make it more genuine. If, on the other hand, there's some element of sarcasm in it, then I'd question the need for such a statement in public in the first place.
I think it also comes across as aggressive and snotty.

Who is ever going to want to talk with that CEO, if he posts a Tweet like this as a followup? Or do business with him at all?

If you're a prospective customer or partner, and this is what you've seen, are you going to bother researching, to find out whether this was a fluke or typical behavior?

So, if it was a fluke, I'd think the best move is to make the very next messaging be an all-out effort to un-fudge it all up.

We all have bad moments, and I'd like to think there's an imminent un-fudging.

What are the main competitors or alternatives?
Contracts on paper
That’s like saying the competitor to cars is walking
Heh iPhone 14 Pro Max, latest OS and mobile Firefox; in landscape their Pulley/Carta side by side shows Carta has a 30 day onboarding period. In portrait it says 90 day.
You're right...the mobile view changes the text
They use Webflow which requires you manually apply copy changes at each breakpoint. Looks like they forgot one of them.
Likely a bug from them updating the text at one point from 90 days to 30 days. But Ooph at such a mistake made. We’ve all been there so cut some slack.
Perhaps people using landscape mode have a quicker grasp of things.
This twitter/x? site mostly doesn't work for me, all I see is a log in screen? but some research suggest its a product for like minded extremist to angrily signal at one another?
This has to be one of the most harebrained tweets from a CEO I have ever seen. This is a great example of exactly how not to handle credible allegations. Gaslighting the original complainant and suggesting he's posting for LinkedIn cred....unreal
Can anybody explain the fundamental issue with the original reach out from the Carta employee?

Barring something within the shareholder agreement (between the startup employee and the startup) that bars the employee from selling those shares on Carta's platform, what's the issue?

I think it messes up the valuation depending on the price the shares were sold at.
They are hooking up potential buyers with private pricing info to help the buyer get a good deal, which makes the sale more likely and helps ensure Carta gets to take a nice cut.
And it opens the door to unhappy wondering about just who within Carta has this info, and who outside Carta are they sharing it with.
I think a rough analogy would be:

You’re a startup who keeps a payroll spreadsheet in Google Sheets and the Google recruiting team accesses that data to recruit your employees and decide how much to offer them.

There’s nothing wrong with Google trying to hire your employees, but it’s wrong for them to use your confidential data from another business unit to do so.

I must be still confused. The startup employee knows what their strike price was and here Carta was offering to hook them up with a buyer for those shares at price $X (which I presume is/was different than the strike price of the employee).

Maybe I'm misunderstanding? But that doesn't seem like they're sharing cap table data with anyone. They've found a buyer for the employee's shares at some price. Is it implied that they shared the cap table info with that buyer (i.e. the third party investor)?

The information that person X owns Y shares is private cap table info. Carta breached that privacy by using it for lead generation
I think "privacy" here is the wrong word. Carta owes some obligations to companies that sign up or their services (though they are vague and ambiguous).

But I hope people wake up to what they are agreeing to when they sign up as a user for Carta. Carta makes you agree that they owe you NO duty of confidentiality with respect to any information you submit into the service.

Why is this guy broadcasting a message for a specific person to the whole world? I wouldn't want to do business with someone like that. Also, he seems to be trying call the other person out on some kind of contradiction - again publicly - while also appologising?
This CEO lives in a different reality. It’s bizarre to see their logic and what matters to them.
If you work at a company that grants and manages options through Carta, is there a way as an employee to opt out and manage options some other way? Is there any way to go back to paper stock certificates and options exercise agreements?

I'm utterly ignorant about this, I think every tech company I've worked at that offered options has used it, and I've often wondered how things worked before it existed.

I hope you do have paper/PDF stock certificates. Carta is just a tool to display your vesting progress. It holds no weight in court.
What a petty response.

I was expecting more of a statement: Carta does not spam or solicit our customers’ investors. In this case, there was a salesperson who broke our rules, and they have been terminated. We apologize for the mistake. Please contact your account rep if you have any concerns.

That was a good example of how one should NOT openly respond in public and air dirty laundry.

Should have left to “it has come to my attention that X has happened. It was a one time incident and we did Y to rectify it. I am sorry this happened and we are doing Z so it doesn’t happen again. We deeply value our customers privacy and trust. Our mission is X and I will ensure we will do right by our customers.

- Yours truly, CEO “

Hacker News doesn't like corp speak...but sometimes corp speak is infinitely better than the alternative.
(comment deleted)
Addressing what happened directly and providing the concrete steps taken towards rectification is not corp speak.

Deflecting and talking about values and abstract things to avoid directly addressing the issue is however and is what should be condemned on HN.

Your point still stands though as the emotional petulant rant in this case was even worse than a spineless corp speak response.

Oh and now that you have found a couple more instances, those were also ones that I was aware of but there definitely were not any others.