Legal, Regulatory, Compliance, and Reputational Risks Security breaches, denial of service attacks, or other hacking and phishing attacks on our systems or the systems with which our platform integrates could harm our reputation or subject us to significant liability, and adversely affect our business and financial results. We operate in the on-demand digital commerce industry, which is prone to cyber-attacks. Cyber incidents have been increasing in sophistication and frequency and can include third parties gaining access to employee or customer data using stolen or inferred credentials, computer malware, viruses, spamming, phishing attacks, ransomware, card skimming code, and other deliberate attacks and attempts to gain unauthorized access. Because the techniques used by computer programmers who may attempt to penetrate and sabotage our network security or our website change frequently and may not be recognized until launched against a target, we may be unable to anticipate these techniques. Our Board of Directors reviews cybersecurity risks brought to its attention by members of senior management who report up to our Board of Directors. We have an established in house security team which is responsible for reviewing and overseeing our cybersecurity program and bringing any cybersecurity risks to the attention of our Board of Directors and the audit committee at regular meetings of the audit committee. Failure to prevent or mitigate security breaches and improper access to or disclosure of our data, our customers’ data, or their consumers’ data, could result in the loss or misuse of such data, which could harm our business and reputation. The security measures we have integrated into our systems and processes, which are designed to prevent or minimize security breaches, may not function as expected or may not be sufficient to protect our internal networks and platform against attacks. Further, our platform also integrates with third-party applications and POS and management systems over which we exercise no control. Such third-party applications and POS and management systems are also susceptible to security breaches, which could directly or indirectly result in a breach of our platform. The failure of a customer’s third-party front-end provider to adequately protect their systems could result in an attack that we are unable to prevent from the back-end, which could result in a service outage for all customers, and may require us to take the affected customer offline to restore service to the platform for other customers. In addition, techniques used to sabotage or to obtain unauthorized access to data change frequently. As a result, we may be unable to anticipate these techniques or implement adequate measures to prevent an intrusion into our networks directly, or into our platform through the third-party applications or POS and management systems with which our platform integrates. Our exposure to security breaches may be heightened because our platform is accessible through hundreds of our customers’ white label domains and mobile applications. Our storage and use of our customers’ data concerning their restaurants and consumers is essential to their use of our platform, which stores, transmits and processes our customers’ proprietary information and information relating to them and consumers. If a security breach were to occur, as a result of third-party action, employee error, malfeasance, or otherwise, and the confidentiality, integrity, or availability of our customers’ data was disrupted, we could incur significant liability to our customers and their consumers, and our platform may be perceived as less desirable, which could negatively affect our business and damage our reputation. In addition, any loss of customer or individual consumer data could create significant monetary damages for us that may harm our ability to operate the business. A security vulnerability in our platform or point of sale integration software could compromise our customers’ in-store networks, which could expose customer or consumer information beyond what we collect through our platform. As a multitenant SaaS provider, despite our logical separation of data between customers, we may face an increased risk of accidentally commingling data between customers due to employee error, a software bug, or otherwise, which may result in unauthorized disclosure of data between customers. We have in the past, and may in the future, be subject to distributed denial of service, or DDoS, attacks, a technique used by hackers to take an internet service offline by overloading its servers. A DDoS attack could delay or interrupt service to our customers and their consumers and may deter consumers from ordering or engaging with our customers’ restaurants. Our platform and third-party applications may also be subject to DDoS attacks in the future and we cannot guarantee that applicable recovery systems, security protocols, network protection mechanisms and other procedures are or will be adequate to prevent network and service interruption, system failure, or data loss. In addition, computer malware, viruses, hacking, credential stuffing, social engineering, phishing, physical theft, and other attacks by third parties are prevalent in our industry. While we have not experienced any material attack on our systems to date, we have in the past, and may in the future, experience such attacks and, as a result of our increased visibility, we believe that we are increasingly a target for such breaches and attacks. Moreover, our platform and third-party applications, services, or POS and management systems integrated with our platform could be breached if vulnerabilities in our platform or third-party applications or POS and management systems are exploited by unauthorized third parties or due to employee error, malfeasance, or otherwise. Further, third parties may attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords, or other 30
2022 10K Page 36 Page 38