|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity risk management is a significant part of our overall risk management process. Our cybersecurity risk management program is informed by security frameworks and standards, such as PCI DSS, ISO 27001, and CIS Controls. We have designed and implemented various information security processes that are intended to protect the confidentiality, integrity, security, and availability of our critical systems and information and provide a cross-functional framework for identifying, preventing, and mitigating cybersecurity threats and incidents, including threats and incidents associated with the use of applications developed and services provided by third-party service providers.
Our cybersecurity risk management program includes:
•an internal security team, led by our Chief Information Security Officer, or CISO, which is responsible for, among other matters, monitoring our platform through penetration testing and vulnerability scanning, managing our cybersecurity risk assessment processes, and implementing our security controls;
•an annual risk assessment performed by our internal security team designed to identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
•a cybersecurity incident response plan, or IRP, that establishes an organizational framework and guidelines to assist us in identifying, responding to, and recovering from cybersecurity incidents;
•the use of external service providers, where appropriate, to assess, test, or otherwise assist with other services, such as performing third-party penetration testing, assisting with incident response, and facilitating adversary simulations;
•annual cybersecurity awareness training for our employees and additional training for engineers, technical team members, members of the cybersecurity incident response team, or CSIRT, and our Board of Directors;
•a third-party risk management process for service providers and vendors, which includes review by the internal security team at onboarding and, for certain significant vendors, an annual security review; and
•an insurance policy to help mitigate, in certain circumstances, potential liabilities resulting from cybersecurity incidents and other cyber issues.
To date, risks from cybersecurity threats have not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents. For more information about cybersecurity-related risks, please refer to the section entitled “Risk Factors” in this Annual Report on Form 10-K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity risk management program is informed by security frameworks and standards, such as PCI DSS, ISO 27001, and CIS Controls. We have designed and implemented various information security processes that are intended to protect the confidentiality, integrity, security, and availability of our critical systems and information and provide a cross-functional framework for identifying, preventing, and mitigating cybersecurity threats and incidents, including threats and incidents associated with the use of applications developed and services provided by third-party service providers.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors exercises oversight over our risk management process directly, as well as through its various standing committees that address risks inherent in their respective areas of oversight. In particular, our Board of Directors delegates cybersecurity risk management oversight to the audit committee of the Board of Directors. The audit committee oversees our cybersecurity processes and policies on risk identification, management, and assessment. The audit committee also reviews the adequacy and effectiveness of such policies, as well as the steps taken by management to mitigate or otherwise control these cybersecurity exposures and to identify future risks. The audit committee receives periodic reports from our CISO and Chief Legal Officer, or CLO, on material cybersecurity risks, developments in cybersecurity, key cybersecurity initiatives, ongoing priorities and work of the governance, risk, and compliance committee, or the GRC Committee, updated risk assessments of our cybersecurity program, and mitigation strategies.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In particular, our Board of Directors delegates cybersecurity risk management oversight to the audit committee of the Board of Directors. The audit committee oversees our cybersecurity processes and policies on risk identification, management, and assessment. The audit committee also reviews the adequacy and effectiveness of such policies, as well as the steps taken by management to mitigate or otherwise control these cybersecurity exposures and to identify future risks. The audit committee receives periodic reports from our CISO and Chief Legal Officer, or CLO, on material cybersecurity risks, developments in cybersecurity, key cybersecurity initiatives, ongoing priorities and work of the governance, risk, and compliance committee, or the GRC Committee, updated risk assessments of our cybersecurity program, and mitigation strategies.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Olo’s IRP is also designed to escalate certain cybersecurity incidents to members of management, depending on the circumstances. Our internal security team, among others, works with our CSIRT to help assess, mitigate, and remediate cybersecurity incidents of which they are notified. Our CLO, as the CSIRT leader, directs and coordinates CSIRT’s activities, in consultation with the CISO and other members of management. In addition, the IRP includes processes for reporting to the audit committee and our Board of Directors certain cybersecurity incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk management processes are implemented, assessed, and managed by certain members of Olo management, including our CISO and CLO. Our CISO has 25 years of experience in information technology and risk management at various companies, such as Yum Brands, Inc. and Domino’s Pizza, Inc. He is also an ISC2 Certified Information Systems Security Professional. Our CLO has 16 years of experience and received a cybersecurity oversight certification from the National Cybersecurity Center. Both act as chairs of our GRC Committee. The GRC Committee provides direction, oversight, and management of our cybersecurity and privacy programs with a focus on business objectives, the protection of customer and employee data, safeguarding our systems, and complying with applicable laws, regulations, and contractual obligations. Cross-functional leaders within Olo, including members from our information technology, data science, finance, legal, and people & culture teams, are part of the committee. Our GRC Committee meets periodically to align cybersecurity and privacy strategy with business needs and risk appetite, monitor the execution of key cybersecurity initiatives, and serve as an escalation point for any related issues.
Olo’s IRP is also designed to escalate certain cybersecurity incidents to members of management, depending on the circumstances. Our internal security team, among others, works with our CSIRT to help assess, mitigate, and remediate cybersecurity incidents of which they are notified. Our CLO, as the CSIRT leader, directs and coordinates CSIRT’s activities, in consultation with the CISO and other members of management. In addition, the IRP includes processes for reporting to the audit committee and our Board of Directors certain cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity risk management processes are implemented, assessed, and managed by certain members of Olo management, including our CISO and CLO.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has 25 years of experience in information technology and risk management at various companies, such as Yum Brands, Inc. and Domino’s Pizza, Inc. He is also an ISC2 Certified Information Systems Security Professional. Our CLO has 16 years of experience and received a cybersecurity oversight certification from the National Cybersecurity Center.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our internal security team, among others, works with our CSIRT to help assess, mitigate, and remediate cybersecurity incidents of which they are notified. Our CLO, as the CSIRT leader, directs and coordinates CSIRT’s activities, in consultation with the CISO and other members of management. In addition, the IRP includes processes for reporting to the audit committee and our Board of Directors certain cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true