business and results of operations. For example, our payment processing code may contain a software bug or other misconfiguration, resulting in failure to collect payment for orders that are otherwise fulfilled, which could result in significant refunds owed to our customers. A software or API bug could also result in a customer receiving an item other than what they ordered or an ingredient to which they are allergic, causing reputational harm to us. In addition, our tax calculation code may also contain errors or defects, which may result in differences payable by us or fines owed by us, or our fraud detection software could identify false positives in the system, and in turn could reduce transactional revenue. Furthermore, our platform allows us to deploy new versions and enhancements to all of our customers simultaneously. To the extent we deploy new versions or enhancements that contain errors, defects, security vulnerabilities, or software bugs to all of our customers simultaneously, the consequences would be more severe than if such versions or enhancements were only deployed to a smaller number of our customers. Because our customers use our platform for processes that are critical to their businesses, errors, defects, security vulnerabilities, service interruptions, or software bugs in our platform and APIs could result in losses to our customers. Although we endeavor to limit our liability in customer agreements, our customers may be entitled to significant compensation from us in the form of service level credits or to pursue litigation against us for any losses they suffer or cease conducting business with us altogether. Further, a customer could share information about bad experiences on social media, at industry conferences, or with peer companies, which could result in damage to our reputation and loss of future sales. 
There can be no assurance that provisions typically included in our agreements with our customers that attempt to limit our exposure to claims against us would be enforceable or adequate or would otherwise protect us from liabilities or damages with respect to any particular claim. Even if not successful, a claim brought against us by any of our customers would likely be time-consuming and distracting to our management team and costly to defend, and such a claim could seriously damage our reputation and brand, making it harder for us to sell our modules.

We and certain of our third-party partners, service providers, and subprocessors transmit and store personal information of our customers and consumers. If the security of this information is compromised or is otherwise accessed without authorization, our reputation may be harmed and we may be exposed to liability and loss of business.

We transmit and store personal information and other confidential information of our partners, our customers, and consumers. Third-party applications integrated with our platform may also handle or store personal information, credit card information, including cardholder data and sensitive authentication data, or other confidential information. We do not proactively monitor the content that our customers upload and store, or the information provided to us through the applications integrated with our platform, and, therefore, we do not control the substance of the content on our servers, which may include personal information. Additionally, we use dozens of third-party service providers and subprocessors to help us deliver services to customers and consumers. These service providers and subprocessors may handle or store personal information, credit card information, or other confidential information. There may in the future be successful attempts by third parties to obtain unauthorized access to the personal information of our partners, our customers, and consumers.
This information could also be otherwise exposed through human error, malfeasance, or otherwise. The unauthorized release, unauthorized access, or compromise of this information could have an adverse effect on our business, financial condition, and results of operations. Even if such a data breach did not arise out of our actions or inactions, or if it were to affect one or more of our competitors or our customers’ competitors, the resulting consumer concern could negatively affect our customers and our business. We integrate with a number of third-party service providers in order to meet our customers’ needs, and although we contractually require our customers to ensure the security of such service providers, a security breach of one of these providers could become negatively associated with our brand, or our assistance in responding to such a breach could tie up our internal resources. By the nature of the integrations, we could also get directly drawn into any resulting lawsuits. We are also subject to federal, state, and provincial laws regarding cybersecurity and the protection of data. Some jurisdictions have enacted laws requiring companies to notify individuals of security breaches involving certain types of personal information and our agreements with customers and partners require us to notify them in the event of certain security incidents. Additionally, some jurisdictions, as well as our contracts with certain customers, require us to use industry-standard or reasonable measures to safeguard personal information or confidential information. As cardholder data and sensitive authentication data is transmitted through our platform, we may be required by card networks and our contracts with payment processors to adhere to the Payment Card Industry Data Security Standards, or PCI-DSS. 
Our failure to comply with legal, regulatory or contractual requirements, and the rules of payment card networks and self-regulatory organizations, including PCI-DSS, around the security of personal information, cardholder data, or sensitive authentication data, could lead to significant fines and penalties imposed by regulators and card networks, as well as claims by our customers, consumers, or other relevant stakeholders. These proceedings or violations could force us to spend money in defense or settlement of these proceedings, result in the imposition of monetary liability or injunctive relief, divert management’s time and attention, increase our costs of doing business, and materially adversely affect our reputation and the
