Does Carvel require franchisees to use specific vendors for security services?
Carvel Franchise · 2025 FDD
Answer from 2025 FDD Document
We require that you use vendors (and may require you to use one or more Approved Suppliers that we designate) to provide security services that are consistent with the Privacy Requirements.
We currently require you to use a managed firewall, conduct a quarterly network scan, maintain anti-virus/anti-malware software, and use managed Wi-Fi, but we may modify from time to time the specific security measures that you must maintain.
We require that you submit annually proof of your PCI-DSS compliance status, and we may require you to provide evidence of compliance with applicable Privacy Requirements upon our request.
We may require you to use vendors or Approved Suppliers to conduct periodic security audits to ensure that personal data is adequately protected.
We may require you to provide, or make available, to us copies of any audits, scanning results, or related documentation relating to such compliance or audits.
We may charge a reasonable fee for us to review your systems and verify your compliance with these requirements, which will not exceed 110% of our or our affiliates' actual costs and expenses related to such services.
Source: Item 23 — Receipts (FDD pages 100–353)
What This Means (2025 FDD)
According to Carvel's 2025 Franchise Disclosure Document, Carvel requires franchisees to use specific vendors for security services. Carvel may require franchisees to use one or more Approved Suppliers that Carvel designates to provide security services that are consistent with the Privacy Requirements.
Currently, Carvel requires franchisees to use a managed firewall, conduct a quarterly network scan, maintain anti-virus/anti-malware software, and use managed Wi-Fi. Carvel may modify from time to time the specific security measures that franchisees must maintain. Franchisees must submit proof of their PCI-DSS compliance status annually, and Carvel may require franchisees to provide evidence of compliance with applicable Privacy Requirements upon Carvel's request.
Carvel may require franchisees to use vendors or Approved Suppliers to conduct periodic security audits to ensure that personal data is adequately protected. Carvel may also require franchisees to provide, or make available, copies of any audits, scanning results, or related documentation relating to such compliance or audits. Carvel may charge a reasonable fee for reviewing franchisees' systems and verifying compliance with these requirements, which will not exceed 110% of Carvel's or its affiliates' actual costs and expenses related to such services.