Terms of Data Processing




September 21, 2020

Company name


Carrot Fertility, Inc. ("Carrot")

Brief description of transfer (Please indicate the scale and regularity of transfers in this regard)


Customer will transfer limited employee eligibility information of European-based employees to Carrot

Data privacy role in regard to the data processing for us (e.g. data processor)


Carrot acts as Data Processor

Current legal mechanism for the international transfer (e.g. Standard Contractual Clauses, Article 49 General Data Protection Regulation)




Standard Contractual Clauses


Describe the nature, scope and context of the data processing


Carrot processes the Customer employee eligibility file for the purpose of identifying the Customer employees who are eligible to access services through Carrot.

Purposes of the data processing


Identifying Customer employees who are eligible to access services through Carrot.


Providing location-specific services to employees based on the country where they are located

Functional/technical description of the data processing


Employee eligibility files are temporarily downloaded to an authorized individual’s MDM-enforced company-issued laptop (encrypted, timed lockout, remote wipeable) to be uploaded to the Carrot application, and deleted from the device immediately after.

Categories of personal data being processed


Contact information (e.g., first name, last name, work email address), country of residence, and start date. 

Number of datasets that are being processed

1, with periodic updates

The recipients of the personal data 

Company entities


Carrot Fertility Inc.



Files.com, Azure, Google Drive, Zendesk

Assets on which the personal data sits (e.g. hardware, software, networks, people, paper or paper transmission channels)


Personal data is stored in Files.com, Azure, Google Drive, and Zendesk. 


Factors relevant to the assessment 


Applicable regulatory regime

U.S. Law

Safeguard offered by local data privacy laws


None (regarding non-U.S. persons)

Risks posed by laws authorizing authorities to access or conduct surveillance on personal data for security or other reasons (including laws applicable to company’s cloud service or other communication providers)

Foreign Intelligence Surveillance Act, Sec. 702 

Risk of surveillance mainly on U.S. soil.

Executive Order 12333 & Presidential Policy Directive 28 

Risk of surveillance mainly during transit to/through the U.S.

[Applicable Law 3] (please indicate if other applicable laws pose any similar risks, e.g. applicable sector-specific laws)

Carrot is not aware of any further laws applicable in this respect. 

Access to judicial process to protect data subject rights


None (regarding non-U.S. persons); merely generalized judicial review of FISA surveillance decisions by the FISC

Role of regulators and supervisory authorities in protecting data


None (regarding non-U.S. persons)

Ability of individuals to raise complaints, appeal and enforce decisions


None (regarding non-U.S. persons)




Factors relevant to the assessment 


Note: Please indicate if you are under a legal obligation not to answer one of the following questions. 

Please indicate whether you qualify as an electronic communication service provider within the meaning of 50 USC § 1881(b)(4) (i.e. as a telecommunications carrier, provider of electronic communication service, provider of a remote computing service, any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored or an officer, employee, or agent of any such entity)

There is a risk, even though not probable, that Carrot may qualify as an Electronic Communication Service Provider within the meaning of 50 USC § 1881(b)(4) due to the services it currently provides to its end customers or may provide in the future, in particular the function for getting in touch with fertility experts and the provision of the desktop and mobile app.

Please indicate whether you have been subject to additional government requests for customer data.



Please indicate whether you cooperate in any respect with US authorities conducting surveillance of communications under EO 12333, whether this is mandatory or voluntary.

No, this has never been requested.

Please indicate whether you periodically issue transparency reports including information on data access requests in regard to the U.S.




Please indicate whether you have implemented any safeguards to mitigate the risk associated with the data transfer (e.g. encryption). 


If applicable, describe these measures as precisely as possible.

Technical Measures: 


In transit

All connections to the Carrot application are secured with SSL/TLS. This is enforced using HSTS. The signature algorithm of Carrot's backend TLS certificate is SHA-256 with RSA Encryption.


At rest

Carrot leverages an encrypted SQL Server DB in Azure with all sensitive information leveraging column-level encryption following RFC 2898.


The entire database is encrypted in Azure leveraging Azure's Transparent Data Encryption Strategy (https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption). This is AES-256 encryption.


For sensitive information at the column level, Carrot additionally uses a PBKDF2 strategy to encrypt within the application before writing to the DB (https://en.wikipedia.org/wiki/PBKDF2).


Access and access controls must abide by the principles of Deny by Default, Need-To-Know, Least Privilege, and Unique User Identification. Access is revoked upon termination or change of job responsibilities.


Organizational Measures:


Amendment of the SCC in the Terms of Data Processing in accordance with the latest guidance provided by the European Data Protection Board and the German Supervisory Authority for the Land Baden-Württemberg.

