The ESOP grant letter given to any employee needs to be signed by someone authorised by the company. This is usually one of the directors on the board, designated by the ESOP committee or the board of directors, as the case may be, based on the ESOP scheme document. Note that this person could be an employee (HR head, CFO, founder, etc.) or a non-employee (a board member, an external ESOP consultant, etc.).
There are four levels of admin roles supported by the product:
1) ESOP Admin - has full access to the ESOP module; can manage employee records, draft grant letters, manage employee exits, etc.
2) ESOP Signatory - can approve the grants given to an employee and signs the grant letter digitally.
3) Captable Admin - has full access to the Captable module; can manage shareholder records, manage round information, allot shares, convert securities, etc.
4) Captable View - has view-only access to the Captable data.
Note that a single person can have more than one role assigned at the same time. Also note that shareholders can, by default, see their own shareholding. Similarly, employees can, by default, see their own ESOP grants when they log in.
An employee can only accept a grant letter once it has been created by the ESOP Admin. After that, the employee can only see their own grants, the vesting table and the value of their ESOPs, and access the grant letter, the ESOP scheme document, etc., and nothing else.
Two-factor authentication is much more secure than the usual email/password mechanism of authentication. We will soon introduce a feature that sends an OTP to your mobile and email ID as this second authentication factor, making the application more secure.
First of all, authentication is handled entirely by AWS Cognito; no user ID or password is saved in our own database. Secondly, the database (MongoDB Atlas) provides encryption for data at rest by default. Thirdly, the entire app uses HTTPS and SSL for secure communication between browser and server, ensuring that data in transit can't be read by an eavesdropper even on unsecured networks (e.g. public Wi-Fi hotspots). Fourthly, there is a provision for adding custom AWS KMS keys (just for your company) so that your data is encrypted using your own KMS keys. You can use this feature to ensure that no one (not even us) can decrypt your data if you choose to revoke your keys, which you can do at any time.
We keep improving the product on a daily basis and are already working to a roadmap. If you need any features or have any ideas, please feel free to reach out to us at firstname.lastname@example.org