Security & Compliance
Captable is built with security and compliance at its core. Learn about our comprehensive approach to protecting your sensitive equity data and maintaining regulatory compliance.
Security First Approach
We understand that your cap table contains some of your company's most sensitive information. That's why we've implemented enterprise-grade security controls to protect your data.
Security First Architecture
Built with security as a core principle
End-to-End Encryption
Data encrypted in transit and at rest
Zero Trust Architecture
Continuous verification of all access
Data Protection
Encryption Standards
Data in Transit
- TLS 1.3 encryption for all connections
- Perfect Forward Secrecy (PFS)
- HSTS enforcement
- Certificate pinning
Data at Rest
- AES-256 encryption for database
- Encrypted backups and snapshots
- HSM-managed encryption keys
- Automatic key rotation
Access Controls
Authentication
- Multi-factor authentication (MFA) required
- WebAuthn/FIDO2 passkey support
- Single Sign-On (SSO) integration
- OAuth 2.0 and OpenID Connect
Authorization
- Role-based access control (RBAC)
- Principle of least privilege
- Granular permission system
- Just-in-time access provisioning
Data Residency & Privacy
Data Residency
Your data is stored in secure, enterprise-grade data centers with options for specific geographic regions.
- Primary: United States (us-east-1)
- Available: Europe (eu-west-1), Asia Pacific (ap-southeast-1)
- Cross-border data transfer protections in place
Privacy Compliance
- GDPR compliant data processing
- CCPA compliance for California residents
- Right to data portability and deletion
- Privacy-by-design architecture
Infrastructure Security
Cloud Security
- AWS infrastructure with security best practices
- VPC isolation and network segmentation
- WAF protection against common attacks
- DDoS protection and rate limiting
- Intrusion detection and prevention
- 24/7 security monitoring and alerting
Application Security
- Secure development lifecycle (SDLC)
- Static and dynamic application security testing
- Dependency vulnerability scanning
- Regular penetration testing
- Bug bounty program
- Secure coding practices and training
Compliance Standards
Security Standards & Compliance
Captable follows industry best practices and security standards, demonstrating our commitment to the security, availability, processing integrity, confidentiality, and privacy of customer data.
Trust Service Criteria
- Security: Protection against unauthorized access
- Availability: System operational availability
- Processing Integrity: Complete and accurate processing
- Confidentiality: Information designated as confidential is protected
Annual Audits
We regularly review and update our security practices to meet the highest industry standards.
Industry Standards
ISO 27001
Information security management system standard
PCI DSS
We don't process credit card data directly
HIPAA
We don't process healthcare information
Audit and Monitoring
Comprehensive Audit Logs
Every action in Captable is logged and tracked for complete auditability and compliance.
What We Log
- User authentication and authorization events
- Data access and modification activities
- Share issuances and transfers
- Document uploads and downloads
- API requests and responses
- Administrative configuration changes
Log Details
Security Monitoring
Threat Detection
- Anomalous login pattern detection
- Unusual data access monitoring
- Failed authentication tracking
- Suspicious API usage alerts
Incident Response
- 24/7 security operations center
- Automated threat response
- Incident escalation procedures
- Customer notification protocols
Business Continuity
Disaster Recovery
- Multi-region data replication
- Automated daily backups
- Point-in-time recovery capabilities
- RTO: 4 hours, RPO: 1 hour
- Regular disaster recovery testing
- Documented recovery procedures
High Availability
- Auto-scaling infrastructure
- Load balancing across regions
- Health monitoring and alerting
- Automated failover systems
User Security Best Practices
Recommendations for Users
Account Security
- Enable multi-factor authentication (MFA)
- Use strong, unique passwords
- Register passkeys for passwordless authentication
- Regularly review active sessions
- Monitor login notifications
Data Protection
- Use role-based permissions appropriately
- Regularly review team member access
- Remove access for departing employees
- Be cautious with document sharing
- Report suspicious activity immediately
Security Contact
Have security questions or need to report a vulnerability? Our security team is here to help.