Why Carta backs up its GitHub code base on Rewind

We recently sat down with Uttej Badwane, Senior Security Engineer at Carta, a FinTech specializing in managing private equity for startups. From idea to IPO, Carta supports innovators at every stage and in every role. Today, over 30,000 companies (including Rewind) rely on Carta to fundraise, issue equity, and stay compliant.

Carta’s IT environment comprises an extensive set of infrastructure and SaaS products. It relies on Terraform (an infrastructure-as-code tool) for its infrastructure and on GitHub for its product code. Uttej’s responsibilities span “all things cloud,” specifically ensuring that the data and code bases running on GitHub and AWS are secure, accessible, and comprehensively backed up.

Uttej and his team take a proactive approach to data and code security and integrity. He explains: “Let’s say someone is making changes to the codebase in GitHub; that will need approval on the pull request and will need to pass certain branch protection checks. Updates won’t automatically be merged with the main branch or enter our live production environment until we’re comfortable that there are no issues.”

Backup – to build or to buy?

When backing up GitHub, Uttej had two options, also known as the build vs. buy debate: assign internal resources to develop and maintain a bespoke backup solution or deploy a tool from a third party. Uttej says, “In making this decision, you need to consider how you want to assign your internal resources. How much maintenance do you really want your developers to do? With the DIY backup model, you’re diverting valuable time and resources away from higher-priority work.”

After doing some research online for GitHub backup solutions (including several open-source options), he discovered that Rewind is recommended on the GitHub Marketplace itself and took a closer look.

“I thought to myself, ‘This is going to save us money. I’m really excited,’” he adds.

“Rewind is simple to use, and we can download entire repositories really fast and easily.”

Uttej Badwane
Senior Security Engineer, Carta

A backup plan for rainy days

Expanding on Carta’s rationale for selecting Rewind, Uttej says that it wasn’t just the risk of data loss or corruption that kept his team up at night. Having a single point of potential failure meant that business continuity was also at stake.

“I think about disaster recovery as avoiding a scenario where you have a single point of failure. If you’re using GitHub and your codebase resides exclusively in GitHub, you’re completely reliant on GitHub. Unfortunately, sometimes platforms do go down. We knew that if something happened to github.com, we could access a separate copy of our codebase and continue being productive until the outage was resolved. Rewind doesn’t just give us a full backup of the codebase with just a few clicks; it also gives us a business continuity plan in the event of the worst-case scenario.”

Compliant and audit-ready

Rewind also ensures that Carta abides by all compliance requirements. “As a FinTech, we’re committed to abiding by financial regulations and data privacy standards like SOC 2, which governs how companies manage sensitive customer data.”

Rewind also makes it quick and easy for Carta to demonstrate to auditors that all their repositories are backed up and that retrieving them would be swift and straightforward in case of an outage, failure, or cyber event.

The need for speed

Uttej explains that investing in Rewind aligns with his view that simply having a disaster recovery plan isn’t good enough. “The value of a disaster recovery plan should be measured by how quickly it allows you to retrieve your data and get back to business. Does it take minutes? Or does it take days or even weeks?”

Richer data sets

He adds that Rewind also ensures a more comprehensive restoration than they would get if they simply relied on a clone: “Some companies just create a clone of their code and save it on their on-premises infrastructure. The drawback of that approach is that you can’t recover all your metadata – all you can retrieve is your codebase.”