What is considered a 'Data Breach' that a Carvel franchisee must report?
Carvel Franchise · 2025 FDDAnswer from 2025 FDD Document
If you learn of an incident that may be a "breach of the security of the system" under Cal. Civ. Code § 1798.82 or any other data breach notification Law, you must immediately notify us of the facts that are known about the incident (a "Data Breach").
Although you are responsible for complying with all data breach notification Laws and standards applicable to your organization, we expect that you will coordinate with us regarding such incidents where notification to individuals is required before individuals are notified so that we can be aware of and be prepared to address issues that may affect the System and be in a position to support you where possible.
In the event of an actual or suspected Data Breach, you grant us and our designees and agents the right, exercisable in our sole and absolute discretion, to conduct an investigation of the incident and to install, run, and maintain any hardware, software, or code on your Computer System or in your computer network necessary or advisable to facilitate the investigation and to contain and remediate the incident, and you agree to cooperate with us and to provide us with any access and information we may reasonably request for those purposes.
You are responsible for any costs or financial losses you incur or remedial actions that you must take as a result of an actual or suspected Data Breach.
Source: Item 23 — Receipts (FDD pages 100–353)
What This Means (2025 FDD)
According to Carvel's 2025 Franchise Disclosure Document, a 'Data Breach' is defined as an incident that may be a "breach of the security of the system" under Cal. Civ. Code § 1798.82 or any other data breach notification Law. If a Carvel franchisee learns of such an incident, they must immediately notify Carvel of the known facts.
While the franchisee is responsible for complying with all data breach notification laws and standards, Carvel expects franchisees to coordinate with them regarding incidents requiring individual notification. This coordination is necessary so that Carvel can be aware and prepared to address issues that may affect the entire Carvel system and support the franchisee where possible.
In the event of an actual or suspected Data Breach, the franchisee grants Carvel the right to conduct an investigation of the incident. Carvel can install and maintain hardware, software, or code on the franchisee's computer system to facilitate the investigation and contain and remediate the incident. The franchisee is required to cooperate with Carvel and provide any access and information reasonably requested for these purposes. The franchisee is also responsible for any costs or financial losses incurred or remedial actions that must be taken due to an actual or suspected Data Breach.