the platform for other customers. In addition, techniques used to sabotage or to obtain unauthorized access to data change frequently. As a result, we may be unable to anticipate these techniques or implement adequate measures to prevent an intrusion into our networks directly, or into our platform through the third-party applications or POS and management systems with which our platform integrates. Our exposure to security breaches may be heightened because our platform is accessible through hundreds of our customers’ white label domains and mobile applications. Our storage and use of our customers’ data concerning their restaurants and consumers is essential to their use of our platform, which stores, transmits and processes our customers’ proprietary information and information relating to them and consumers. If a security breach were to occur, as a result of third-party action, employee error, malfeasance, or otherwise, and the confidentiality, integrity or availability of our customers’ data was disrupted, we could incur significant liability to our customers and their consumers, and our platform may be perceived as less desirable, which could negatively affect our business and damage our reputation. In addition, any loss of customer or individual consumer data could create significant monetary damages for us that may harm our ability to operate the business. A security vulnerability in our platform or point of sale integration software could compromise our customers’ in-store networks, which could expose customer or consumer information beyond what we collect through our platform. As a multitenant SaaS provider, despite our logical separation of data between customers, we may face an increased risk of accidentally commingling data between customers due to employee error, a software bug, or otherwise, which may result in unauthorized disclosure of data between customers. We have in the past, and may in the future, be subject to distributed denial of service, or DDoS, attacks, a technique used by hackers to take an internet service offline by overloading its servers. A DDoS attack could delay or interrupt service to our customers and their consumers and may deter consumers from ordering or engaging with our customers’ restaurants. Our platform and third-party applications may also be subject to DDoS attacks in the future and we cannot guarantee that applicable recovery systems, security protocols, network protection mechanisms and other procedures are or will be adequate to prevent network and service interruption, system failure, or data loss. In addition, computer malware, viruses, hacking, credential stuffing, social engineering, phishing, physical theft, and other attacks by third parties are prevalent in our industry. While we have not experienced any material attack on our systems to date, we have in the past, and may in the future, experience such attacks and, as a result of our increased visibility, we believe that we are increasingly a target for such breaches and attacks. Moreover, our platform and third-party applications, services, or POS and management systems integrated with our platform could be breached if vulnerabilities in our platform or third-party applications or POS and management systems are exploited by unauthorized third parties or due to employee error, malfeasance, or otherwise. Further, third parties may attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords, or other information or otherwise compromise the security of our internal networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data. Because techniques used to obtain unauthorized access change frequently and the size and severity of DDoS attacks and security breaches are increasing, we may be unable to implement adequate preventative measures or stop DDoS attacks or security breaches while they are occurring. In addition to our own platform and applications, some of the third parties we work with may receive information provided by us, by our customers, or by our customers’ consumers through web or mobile applications integrated with our platform. If these third parties fail to adhere to adequate data security practices, or in the event of a breach of their networks, our own and our customers’ data may be improperly accessed, used, or disclosed. Any actual or perceived DDoS attack or security breach of our platform, systems, and networks could damage our reputation and brand, expose us to a risk of litigation and possible liability and require us to expend significant capital and other resources to respond to and alleviate problems caused by the DDoS attack or security breach. Our ability to retain adequate cyber-crime and liability insurance may be reduced. Some jurisdictions have enacted laws requiring companies to notify individuals of data security breaches involving certain types of personal data and our agreements with certain customers and partners require us to notify them in the event of a security incident. Such mandatory disclosures are costly, could lead to negative publicity, and may cause our customers to lose confidence in the effectiveness of our data security measures. Moreover, if a high-profile security breach occurs with respect to another SaaS provider or one of the service providers we partner with, customers may lose trust in the security of the SaaS business model generally, which could adversely impact our ability to retain revenue from existing customers or attract new ones. Any of these events could harm our reputation or subject us to significant liability, and materially and adversely affect our business and financial results. If our software contains serious errors or defects, we may lose revenue and market acceptance and may incur costs to defend or settle claims with our customers. Software or APIs such as ours may contain errors, defects, security vulnerabilities, or software bugs that are difficult to detect or correct, particularly when first introduced or when new versions or enhancements are released. Despite internal 56
Q3 2021 10Q Page 61 Page 63