Customer FAQs

General Contractual Framework and Data Model

1) Which types of contracts does Carrot enter into with customers?

Carrot enters into a framework service agreement with customers. This is sometimes referred to as a “Master Services Agreement (MSA).” This agreement governs the relationship between Carrot (as the vendor) and the employer (as the customer) with respect to the provision of services.

We may also, depending on the countries involved, enter into a Data Processing Agreement (DPA) that governs the processing of personal information by a data processor (Carrot) on behalf of a data controller (the customer) and addresses, as needed, requirements related to international data transfers.

Please note that Carrot’s direct relationship with individual employees is governed by a separate set of agreements (reference FAQ 5).

2) What data does Carrot collect from customers?

“Customer Data” is data that Carrot collects from customers in the form of an “Employee Eligibility File (EE File).” The EE File is limited to the following data elements:

  • Eligible employee first name, last name, and work email address
  • Unique employee identification number
  • Eligibility start date
  • Date of birth
  • Sex
  • Zip code (US members only)

3) How does Carrot use data it collects from customers?

Carrot uses Customer Data to provide and improve services. This may involve, among other activities outlined in the MSA:

  • Confirming that individual employees are eligible for the Service
  • Performing contractual obligations (e.g., sending launch and communications emails where agreed)

4) Does Carrot share data with its customers?

Yes, but only to a limited extent, as set forth in the MSA.

Specifically, Carrot provides:

  • “Utilization Reports” that show how a customer's employees are utilizing the Carrot benefit (e.g., response times, engagement times, employee feedback). This data is aggregated and de-identified.
  • “Reimbursement Reports” to assist customers with certain obligations (e.g., tax and payroll). By necessity, this includes certain identifiable data elements.

5) Which terms govern Carrot's relationship with individual employees?

We contract separately (via our Terms of Service and Privacy Notice) with a customer’s employees who sign up for Carrot (i.e., “Members”). This means that we have a separate set of responsibilities to Members (e.g., around ownership and use of data) that we are unable to override in our contracts with customers.

Key Regulatory Considerations

6) Is Carrot considered a “Service Provider” under the California Privacy Rights Act (CPRA)?

Yes, but only if the customer is considered a “Business” as defined by the CPRA.

The MSA includes language that defines Carrot’s obligations as a Service Provider.

7) How does FISA 702 impact Carrot?

The main "targets" of FISA Sec. 702 are companies that have access to information that could be used in a FISA investigation. It is possible that Carrot could fall within the broad scope of 702, but even if that is the case, companies like Carrot are not the "traditional targets" of a FISA warrant and, per our "Warrant Canary" page, we have never received one.

8) Does Carrot process Protected Health Information (PHI)?

Only a very small subset of the data Carrot collects constitutes PHI under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In its simplest formulation, PHI is (1) information related to an identified individual's health (i.e., “IIHI”) that is (2) held or transmitted by a Covered Entity or its Business Associate.

While Carrot is not a Covered Entity, it does set up an infertility HRA through which reimbursements of “infertility expenses” or “fertility expenses tied to medical necessity” are processed. This infertility HRA, which is established by Carrot, is a Covered Entity, and Carrot acts as its Business Associate. For its part, the customer acts as the Plan Sponsor but is not a Covered Entity.

Accordingly, certain information related to administering and processing claims relating to “infertility expenses” or “fertility expenses tied to medical necessity” is the only subset of the data Carrot processes that is considered PHI.

9) What does the Business Associate Agreement (BAA) cover?

The BAA applies only with respect to the infertility HRA. While other information that Carrot handles is very sensitive, it is not HIPAA-protected PHI, because it was not received from a Covered Entity (e.g., it might have been received from Members themselves, or it might relate to a fertility or gestational carrier journey, neither of which is handled in a manner that would qualify as a “Covered Entity” under HIPAA).