In the event of a data breach, what rights does Carvel have to investigate and remediate the incident?
Carvel Franchise · 2025 FDD
Answer from 2025 FDD Document
e all responsibility for providing all notices of breach or compromise and all duties to monitor credit histories and transactions concerning customers of the Franchised Business.
- 12.3 Data Breach Notification. If you learn of an incident that may be a "breach of the security of the system" under Cal. Civ. Code § 1798.82 or any other data breach notification Law, you must immediately notify us of the facts that are known about the incident (a "Data Breach"). Although you are responsible for complying with all data breach notification Laws and standards applicable to your organization, we expect that you will coordinate with us regarding such incidents where notification to individuals is required before individuals are notified so that we can be aware of and be prepared to address issues that may affect the System and be in a position to support you where possible. In the event of an actual or suspected Data Breach, you grant us and our designees and agents the right, exercisable in our sole and absolute discretion, to conduct an investigation of the incident and to install, run, and maintain any hardware, software, or code on your Computer System or in your computer network necessary or advisable to facilitate the investigation and to contain and remediate the incident, and you agree to cooperate with us and to provide us with any access and information we may reasonably request for those purposes. Nothing in the preceding sentence shall relieve you of your obligation to comply with applicable laws, regulations, rules, standards or any equivalent thereof concerning an actual or suspected Data Breach. You are responsible for any costs or financial losses you incur or remedial actions that you must take as a result of an actual or suspected Data Breach.
12.4 Failure to Comply with Laws or Standards.
- A. Suspension of Operations. If: (i) any Approved Product you produce or sell evidences dilution or adulteration from the Standards; (ii) any Approved Product you produce or sell is contaminated or is otherwise in violation of applicable Law; (iii) you fail to maintain the Franchised Business in compliance with applicable Law; or (iv) your Franchised Business or Approved Products pose a threat to the health or safety of the public, you must immediately suspend operations, search out and destroy any adulterated, diluted, or contaminated Approved Products, eliminate their source, and remedy all unsanitary, unsafe, or otherwise hazardous conditions present. You may not resume operation of the Franchised Business until our laboratory analysis of your Approved Products or inspection of your Franchised Business, as applicable, demonstrates compliance with all applicable Laws and Standards. You must promptly implement any remedial measures we require to cure the default.
Source: Item 23 — Receipts (FDD pages 100–353)
What This Means (2025 FDD)
According to Carvel's 2025 Franchise Disclosure Document, in the event of an actual or suspected data breach, Carvel and its designees and agents have the right to investigate the incident. This right is exercisable at Carvel's sole and absolute discretion. Carvel can install, run, and maintain any hardware, software, or code on the franchisee's computer system or network that is necessary to facilitate the investigation and to contain and remediate the incident.
As a Carvel franchisee, you must cooperate with Carvel and provide them with any access and information they reasonably request for the investigation. However, this does not relieve you of your obligation to comply with applicable data breach laws and regulations. You, as the franchisee, are responsible for any costs or financial losses you incur or remedial actions you must take as a result of a data breach.
Furthermore, if a Carvel franchisee learns of an incident that may be a data breach under California law or any other data breach notification law, they must immediately notify Carvel of the facts known about the incident. While the franchisee is responsible for complying with all data breach notification laws, Carvel expects coordination regarding such incidents, especially where notification to individuals is required, so that Carvel can be aware and prepared to address issues that may affect the entire Carvel system and support the franchisee where possible.
Carvel also requires franchisees to use vendors for security services that are consistent with privacy requirements, potentially including approved suppliers designated by Carvel. Currently, franchisees are required to use a managed firewall, conduct quarterly network scans, maintain anti-virus/anti-malware software, and use managed Wi-Fi. Carvel may modify these specific security measures from time to time. Franchisees must submit annual proof of PCI-DSS compliance and may be required to provide evidence of compliance with applicable Privacy Requirements upon Carvel's request. Carvel may also require periodic security audits conducted by vendors or approved suppliers and access to audit results. Carvel may charge a reasonable fee, not exceeding 110% of their actual costs, to review systems and verify compliance.