Carrot enters into a framework service agreement with customers. This is sometimes referred to as a “Master Services Agreement (MSA).” This agreement governs the relationship between Carrot (as the vendor) and the employer (as the customer) with respect to the provision of services.
We may also, depending on the countries involved, enter into a Data Processing Agreement (DPA) that governs the processing of personal information by a data processor (Carrot) on behalf of a data controller (the customer) and addresses, as needed, requirements related to international data transfers.
Please note that Carrot’s direct relationship with individual employees is governed by a separate set of agreements (reference FAQ 5).
“Customer Data” is data that Carrot collects from customers in the form of an “Employee Eligibility File (EE File).” The EE File is limited to the following data elements:
Carrot uses Customer Data to provide and improve services. This may involve, among other activities outlined in the MSA:
Yes, but only to a limited extent, as set forth in the MSA.
Specifically, Carrot provides:
We contract separately (via our Terms of Service and Privacy Notice) with a customer’s employees who sign up for Carrot (i.e., “Members”). This means that we have a separate set of responsibilities to Members (e.g., around ownership and use of data) that we are unable to override in our contracts with customers.
Carrot is not directly subject to the GDPR because: (1) Carrot is not "established" in the European Union (as that term is broadly defined under the GDPR) and (2) Carrot does not "target" individuals in the EU (per guidance issued by the European Data Protection Board).
Carrot will only be subject to the GDPR to the extent that it processes personal data about residents of the European Economic Area (EEA) on behalf of a customer that is directly subject to the GDPR.
For practical purposes, this means that the GDPR applies when Carrot processes EE Files that contain data about EEA employees, and it does so on behalf of and under the instructions of a customer (i.e., the data controller).
As noted above, Carrot will only be subject to the GDPR to the extent that it processes EE Files (reference FAQ 2) that contain data about EEA employees, and it does so on behalf of and under the instructions of a customer (i.e., the data controller).
In this case, since the customer/controller will transfer/export this personal data to the United States, Carrot and the customer will enter into European Union Standard Contractual Clauses ("SCCs") (Module 2) to comply with the GDPR's international data transfer requirements.
The main "targets" of FISA Sec. 702 are companies that have access to information that could be used in a FISA investigation. It is possible that Carrot could fall within the broad scope of 702, but even if that is the case, companies like Carrot are not the "traditional targets" of a FISA warrant and, per our "Warrant Canary" page, we have never received one.
Only a very small subset of the data Carrot collects constitutes PHI under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In its simplest formulation, PHI is (1) information related to an identified individual's health (i.e., “IIHI”) that is (2) held or transmitted by a Covered Entity or its Business Associate.
While Carrot is not a Covered Entity, it does set up an infertility HRA through which reimbursements of “infertility expenses” or “fertility expenses tied to medical necessity” are processed. This infertility HRA, which is established by Carrot, is a Covered Entity, and Carrot acts as its Business Associate. For its part, the customer acts as the Plan Sponsor but is not a Covered Entity.
Accordingly, certain information related to administering and processing claims relating to “infertility expenses” or “fertility expenses tied to medical necessity” is the only subset of data Carrot processes that is considered PHI.
The BAA only applies with respect to the infertility HRA. While other information that Carrot handles is very sensitive, it is not HIPAA-protected PHI, because it was not received from a Covered Entity (e.g., it might have been received from Members themselves, or it might relate to a fertility or gestational carrier journey, neither of which is handled in a manner that would qualify as a “Covered Entity” under HIPAA).