The Carrot application is hosted on Microsoft Azure, a top-tier cloud provider that undergoes extensive audits in technical and physical security.
Secure software development
Carrot adheres to a rigorous and secure Software Development Lifecycle (SDLC) to ensure only safe and stable updates are shipped to our application.
Penetration testing
Carrot undergoes annual penetration testing from a third-party auditor and continuously scans our application and system for vulnerabilities.
Encryption
All data is encrypted in transit (TLS 1.2) and at rest (AES-256).
Access controls
Carrot systems are designed to abide by the principals of Deny by Default, Least Privilege, Need-To-Know, and Unique Identification.
Single sign-on (SSO)
Employers have the option to connect their SAML identity provider (e.g., Okta, G Suite, OneLogin) for seamless and secure authentication.
Anti-money laundering program
Carrot maintains a rigorous anti-money laundering (AML) program designed to prevent our platform from being used as a vehicle for money laundering.
Privacy
Frequently asked questions
How does Carrot ensure data privacy for employees?
Carrot strictly adheres to regulatory frameworks including HIPAA, GDPR, and CCPA to ensure data privacy for our members.
What data does Carrot collect from employees?
Data collected from employees is limited to the data necessary to provide our service.
What does Carrot do with data it collects?
Carrot uses collected data to conduct necessary business and optimize the experience of our members.
Does Carrot share data with third parties?
Carrot shares data with third parties only to the extent necessary to conduct our business. Carrot does not share employee data with employers, except when limited, de-identified data must be shared to process taxes and payroll. Carrot does not sell or rent employee data to outside parties.