Does 7 Brew require franchisees to validate compliance with data security standards and laws periodically?
7 Brew Franchise · 2025 FDD
Answer from 2025 FDD Document
You must comply with our reasonable instructions regarding the organizational, physical, administrative, and technical measures and security procedures to safeguard the confidentiality and security of the names, addresses, telephone numbers, e-mail addresses, dates of birth, demographic or related information, buying habits, preferences, credit-card information, and other personally-identifiable information of customers ("Consumer Data") and, in any event, employ reasonable means to safeguard the confidentiality and security of Consumer Data. You must comply with all Laws governing the use, protection, and disclosure of Consumer Data.
If there is a Data Security Incident at the Store, you must notify us immediately after becoming aware of the actual or suspected occurrence, specify the extent to which Consumer Data was compromised or disclosed, and comply and cooperate with our instructions for addressing the Data Security Incident in order to protect Consumer Data and the 7 BREW Store brand (including giving us or our designee access to your Computer System, whether remotely or at the Store). We (and our designated affiliates) have the right, but no obligation, to take any action or pursue any proceeding or litigation with respect to the Data Security Incident, control the direction and handling of such action, proceeding, or litigation, and control any remediation efforts.
"Data Security Incident" means any act that initiates either internally or from outside the Store's computers, point-of-sale terminals, and other technology or networked environment and violates the Law or explicit or implied security policies, including attempts (either failed or successful) to gain unauthorized access (or to exceed authorized access) to the Franchise System, 7 BREW Stores, or their Data or to view, copy, or use Consumer Data or Confidential Information without authorization or in excess of authorization; unwanted disruption or denial or service; unauthorized use of a system for processing or storage of Data; and changes to system hardware, firmware, or software characteristics without our knowledge, instruction, or consent.
Source: Item 22 — CONTRACTS (FDD pages 82–83)
What This Means (2025 FDD)
According to 7 Brew's 2025 Franchise Disclosure Document, franchisees must adhere to laws governing consumer data use, protection, and disclosure. Franchisees must also follow 7 Brew's instructions to protect consumer data, employing reasonable means to safeguard its confidentiality and security. Consumer data includes names, addresses, phone numbers, email addresses, dates of birth, buying habits, preferences, and credit card information.
If a data security incident occurs at the store, the franchisee must immediately notify 7 Brew, specifying the extent of compromised or disclosed consumer data. The franchisee is obligated to cooperate with 7 Brew's instructions for addressing the incident to protect consumer data and the 7 Brew brand. This includes providing access to the computer system, whether remotely or at the store.
7 Brew retains the right, but not the obligation, to take action or pursue legal proceedings regarding a data security incident, and to control the handling of those proceedings and any remediation efforts. A data security incident includes attempts, whether failed or successful, to gain unauthorized access to the franchise system, 7 Brew stores, or their data; unwanted disruption or denial of service; unauthorized use of a system to process or store data; and changes to system hardware, firmware, or software made without 7 Brew's knowledge, instruction, or consent.
While the FDD mandates immediate notification and cooperation in the event of a data breach, it does not explicitly state a requirement for periodic validation of data security compliance. However, franchisees are expected to maintain continuous compliance with data protection laws and brand standards, suggesting an ongoing responsibility for data security.