39 comments

[ 1.9 ms ] story [ 91.5 ms ] thread
This response by the CEO of Carta is pretty appalling, as it doubles down on an existing breach of trust. The response itself may actually do more reputational damage than the original "mistake".
Don't forget how poorly he handled the harassment claims last year.

This is now a pattern.

I liked Dare Obasanjo's take on this one: https://twitter.com/Carnage4Life/status/1743579253176930641

> Every startup plays fast and lose with user privacy until they have a come to Jesus moment which marks their transition into becoming a big company.

> That Carta’s sales teams use the private data in your cap table to nag your investors to sell their shares should be that moment.

But is this really true? In my experience, it's been less of a "come to Jesus" moment and more a slow process of hiring experienced folks who understand the appropriate privacy/security posture for a growing company.

Edit: I'm yet to experience (or see) it as a public breach of trust, especially when the company already has thousands of employees.

* they’re not just using that private information to nag you. They appear to be abusing their access to confidential information to price it for the buyers too.
One of my unofficial roles as technical cofounder was to bring some ethics regarding customer data and privacy. If I could build the software in a way that (ab)using PII or otherwise private data unnecessarily was difficult, even better. Business types understand when things are too expensive to build ;)

Not saying business folks never have good ethics regarding that stuff, but I find engineers are often more opinionated about it.

(comment deleted)
There’s examples going back years to when they released the third party sales product, CartaX.

Funnily there were internsl signs that there were problems with this product before it launched:

“Andrea Walne, Carta's head of liquidity solutions, was pushed out after she raised concerns about regulatory compliance [of CartaX].” - https://www.nytimes.com/2020/08/30/business/carta-workers-in...

Are there any open-source cap table management alternatives?
Let's do it and call it Cartb
(comment deleted)
I would not trust the open source community with this private data. the potential for abuse is too distributed without practical access controls.
The software would be open source, not the data. You'd probably run it on your own server/VPS, and just give appropriate people access.
You could just use a spreadsheet. The reason I pay for cap table management software is that it’s the easiest way to get a 409(a) valuation, which is something pretty much every US startup needs annually and open source couldn’t replace.

(I looked at getting a 409(a) valuation separately and the best prices were more than cap table software that bundled one.)

It appears as if they didn’t just mishandle the data, but also used that data to help investors price their offers based on several confidential factors.
Is there anything the SEC could intervene with on that particular allegation - I mean, it's more-or-less insider trading right?
This is a massive breach of trust. We’re in the middle of a raise, we did our SAFEs with Mercury but hadn’t gotten to cap table stage yet. Guess we’ll use Pulley instead of Carta.
I went with Pulley after a Carta sales rep called me out of the blue, on a number they must have scraped (or bought from someone who scraped) from an SEC filing, ignoring the do-not-call registry.
Took a quick look on here https://carta.com/careers/

"Carta is a place where everyone can be the best version of themselves."

If this is the best version of the current CEO I can't imagine what the day to day looks like.

Why does a cap table company need 2000 employees again?
Their last raise was $500m at a $7.4B valuation.

Using a 10x rule of thumb, that implies they make $740m/year, or the vc believes they will grow into making that.

I can't understand it either.

As this drama prominently shows: Carts is tying it's darndest not to be just a "cap table company"
Hard to beat pen and paper for privacy.
I'm surprised that the cap table is considered sensitive information. In my country it's public information and all companies have the obligation to give you the full cap table on request.
Does your country have a thriving startup scene like the United States?
This is probably why your country does not have a thriving startup ecosystem. SV runs on naive young 'uns who believe the "you own 0.5% of the company" bullshit.
I’m not sure where’s the surprise, they’ve been saying this was their plan from the beginning, from their initial fundraise