What is a Carvel franchisee's immediate obligation if they suspect a security breach?
Carvel Franchise · 2025 FDD
Answer from 2025 FDD Document
twork scan, maintain anti-virus/anti-malware software, and use managed Wi-Fi, but we may modify from time to time the specific security measures that you must maintain. We require that you submit annually proof of your PCI-DSS compliance status, and we may require you to provide evidence of compliance with applicable Privacy Requirements upon our request. We may require you to use vendors or Approved Suppliers to conduct periodic security audits to ensure that personal data is adequately protected. We may require you to provide, or make available, to us copies of any audits, scanning results, or related documentation relating to such compliance or audits. We may charge a reasonable fee for us to review your systems and verify your compliance with these requirements, which will not exceed 110% of our or our affiliates' actual costs and expenses related to such services. If you suspect or know of a security breach, you must immediately give us notice of such security breach and promptly identify and remediate the source of any compromise or security breach at your expense. You assume all responsibility for providing all notices of breach or compromise and all duties to monitor credit histories and transactions concerning customers of the Franchised Business.
- 12.3 Data Breach Notification. If you learn of an incident that may be a "breach of the security of the system" under Cal. Civ. Code § 1798.82 or any other data breach notification Law, you must immediately notify us of the facts that are known about the incident (a "Data Breach").
Source: Item 23 — Receipts (FDD pages 100–353)
What This Means (2025 FDD)
According to Carvel's 2025 Franchise Disclosure Document, if a franchisee suspects or knows of a security breach, they must immediately notify Carvel of the breach. Additionally, the franchisee must promptly identify and remediate the source of any compromise or security breach at their own expense.
Carvel also requires franchisees to comply with all data breach notification laws and standards. If a franchisee learns of an incident that may be a "breach of the security of the system" under Cal. Civ. Code § 1798.82 or any other data breach notification Law, they must immediately notify Carvel of the facts that are known about the incident, defined as a "Data Breach".
While the franchisee is responsible for complying with all data breach notification Laws and standards applicable to their organization, Carvel expects franchisees to coordinate with them regarding such incidents where notification to individuals is required before individuals are notified. This coordination ensures that Carvel is aware of and prepared to address issues that may affect the entire Carvel system and can support the franchisee where possible. In the event of an actual or suspected Data Breach, the franchisee grants Carvel and its designees the right to conduct an investigation of the incident and to install necessary hardware, software, or code on the franchisee's computer system to facilitate the investigation and remediate the incident. The franchisee is responsible for any costs or financial losses incurred as a result of an actual or suspected Data Breach.