Customer FAQs

General Contractual Framework and Data Model

1) Which types of contracts does Carrot enter into with customers?

Carrot enters into a framework service agreement with customers.  This is sometimes referred to as a “Master Services Agreement (MSA).” This agreement governs the relationship between Carrot (as the vendor) and the employer (as the customer) with respect to the provision of services.

We may also, depending on the countries involved, enter into a Data Processing Agreement (DPA) that governs the processing of personal information by a data processor (Carrot) on behalf of a data controller (the customer) and addresses, as needed, requirements related to international data transfers.

Please note that Carrot’s direct relationship with individual employees is governed by a separate set of agreements (reference FAQ 5).

2) What data does Carrot collect from customers?

“Customer Data” is data that Carrot collects from customers in the form of an “Employee Eligibility File (EE File).” The EE File is limited to the following data elements:

  • Eligible employee first name, last name, and work email address
  • Unique employee identification number
  • Eligibility start date
  • Date of birth
  • Sex
  • Zip code (US members only)

3) How does Carrot use data it collects from customers?

Carrot uses Customer Data to provide and improve services. This may involve, among other activities outlined in the MSA:

  • Confirming that individual employees are eligible for the Service
  • Performing contractual obligations (e.g., sending launch and communications emails where agreed)

4) Does Carrot share data with its customers?

Yes, but only to a limited extent, as set forth in the MSA.

Specifically, Carrot provides:

  • “Utilization Reports” that show how a customer's employees are utilizing the Carrot benefit (e.g., response times, engagement times, employee feedback). This data is aggregated and de-identified.
  • “Reimbursement Reports” to assist customers with certain obligations (e.g., tax and payroll). By necessity, this includes certain identifiable data elements.

5) Which terms govern Carrot's relationship with individual employees?

We contract separately (via our Terms of Service and Privacy Notice) with a customer’s employees who sign up for Carrot (i.e., “Members”).  This means that we have a separate set of responsibilities to Members (e.g., around ownership and use of data) that we are unable to override in our contracts with customers.

Key Regulatory Considerations

6) Is Carrot considered a “Service Provider” under the California Privacy Rights Act (CPRA)?

Yes, but only if the customer is considered a “Business” as defined by the CPRA.

The MSA includes language that defines Carrot’s obligations as a Service Provider.

7) To what extent does the General Data Protection Regulation (GDPR) apply to Carrot?

Carrot is not directly subject to the GDPR because: (1) Carrot is not "established" in the European Union (as that term is broadly defined under the GDPR) and (2) Carrot does not "target" individuals in the EU (per guidance issued by the European Data Protection Board).

Carrot will only be subject to the GDPR to the extent that it processes personal data about residents of the European Economic Area (EEA) on behalf of a customer that is directly subject to the GDPR.  

For practical purposes, this means that the GDPR applies when Carrot processes EE Files that contain data about EEA employees, and it does so on behalf of and under the instructions of a customer (i.e., the data controller).

8) What are Carrot's obligations under the GDPR?

As noted above, Carrot will only be subject to the GDPR to the extent that it processes EE Files (reference FAQ 2) that contain data about EEA employees, and it does so on behalf of and under the instructions of a customer (i.e., the data controller).

In this case, since the customer/controller will transfer/export this personal data to the United States, Carrot and the Customer will enter into European Union Standard Contractual Clauses ("SCCs") (Module 2) to comply with the GDPR's international data transfer requirements.

9) How does FISA 702 impact Carrot?

The main "targets" of FISA Sec. 702 are companies that have access to information that could be used in a FISA investigation. It is possible that Carrot could fall within the broad scope of 702, but even if that is the case, companies like Carrot are not the "traditional targets" of a FISA warrant and, per our "Warrant Canary" page, we have never received one.

10) Does Carrot process Protected Health Information (PHI)?

Only a very small subset of the data Carrot collects constitutes PHI under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In its simplest formulation, PHI is (1) information related to an identified individual's health (i.e., “IIHI”) that is (2) held or transmitted by a Covered Entity or its Business Associate.

While Carrot is not a Covered Entity, it does set up an infertility HRA through which reimbursements of “infertility expenses” or “fertility expenses tied to medical necessity” are processed. This infertility HRA, which is established by Carrot, is a Covered Entity, and Carrot acts as its Business Associate.  For its part, the customer acts as the Plan Sponsor but is not a Covered Entity.

Accordingly, certain information related to administering and processing claims relating to “infertility expenses” or “fertility expenses tied to medical necessity” is the only subset of data Carrot processes that is considered PHI.

11) What does the Business Associate Agreement (BAA) cover?

The BAA only applies with respect to the infertility HRA. While other information that Carrot handles is very sensitive, it is not HIPAA-protected PHI, because it was not received from a Covered Entity (e.g., it might have been received from Members themselves, or it might relate to a fertility or gestational carrier journey, neither of which is handled in a manner that would qualify as a “Covered Entity” under HIPAA).
