|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Company employs systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use.
Information Security Policy and Requirements
The Company’s Information Security Policy (“Policy”) is based upon the International Organization for Standardization (“ISO”) 27001, HITRUST Common Security Framework (“CSF”), System and Organization Controls 2 Type 2
(“SOC 2 Type 2”), FedRAMP, and Payment Card Industry Data Security Standard (“PCI DSS”) frameworks and standards and provides specific and detailed direction and support for appropriately maintaining the overall security, confidentiality, integrity, and availability of information within the Company. The Policy covers all processes, equipment, hardware, and software owned or under the control of the Company as well as networks operated by third parties containing Company information or processes. It addresses the Company’s procedures and controls for, including but not limited to, asset and data management, user access and authentication, personnel education/trainings, change management, risk management, system configurations, security monitoring and reporting, vulnerability management, and business continuity and disaster recovery. The Policy applies to all employees, consultants, contractors, and other such persons (“Personnel”) with access to the aforementioned processes, equipment, hardware, and software. The Policy requires that Personnel agree to and are trained annually on all components of the Policy as a condition of employment, partnership, or temporary affiliation with the Company.
Employee Trainings
All Company employees are required to complete trainings at least annually on various security threats and best practices including, but not limited to, trainings on the following topics: the Company’s Information Security Policy; Information Security Incident Response Plan; HIPAA, PCI Compliance; General Data Protection Regulation (“GDPR”) and CCPA; Security Awareness and Incident Response Training covering Social Engineering Phishing (identification and common red flags), Social Media safety best practices, Internet Security best practices, and Incident response training for end-users; and Phishing. In addition, our developers must complete Secure Code / Secure Application Development Training based on Open Web Application Security Project top 10 standards.
Incident Response
Our Company has adopted an Information Security Incident Response Plan that applies in the event of a cybersecurity threat or incident (the “IRP”) to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process follows the National Institute of Standards and Technology (“NIST”) framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation.
The IRP requires an Information Security Incident Response Team (“IRT”) which includes, at a minimum, the following representatives: CTO, CISO, CLO, Data Protection Officer, and department heads of Network Operations, Engineering, and Information Security to oversee all details of the incident response. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services that require access to secure Company information, and to all devices and network services that are owned or managed by the Company.
Third-Party Certifications and AuditsIn addition to our internal cybersecurity capabilities, we regularly engage with consultants, and other third parties to assist with assessing, identifying, and managing cybersecurity risks. Specifically, the Company is engaged with third-party auditors for HITRUST, PCI, ISO 27001, FedRamp (High Impact), and SOC 2 Type 2 for annual certification. We are also engaged with a third-party Data Protection Officer to oversee compliance with the GDPR.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of DirectorsOur Board of Directors, in coordination with the Audit Committee of the Board of Directors (the “Audit Committee”), oversees the Company’s enterprise risk management process, including the management of risks arising from cybersecurity threats. Our Board of Directors has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Audit Committee regularly reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Audit Committee receives presentations at least quarterly from members of our team responsible for overseeing the Company’s cybersecurity risk management, including the Chief Information Security Officer (“CISO”), Chief Technology Officer (“CTO”), Chief Legal Officer (“CLO”), and Head of Internal Audit, which address topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. Then, the Audit Committee and such members of our management team report to the Board of Directors on a quarterly basis, with an in-depth review at least annually, on data protection and cybersecurity matters. Additionally, the Company has protocols for cybersecurity incidents that meet established reporting thresholds for escalation within the Company including, where appropriate, reporting to the Board of Directors and Audit Committee, with required updates for ongoing matters until any such incident has been addressed and resolved.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|At the management level, our Cybersecurity and Governance Council, composed of the CISO, CTO, CLO, Chief Revenue Officer and Executive Vice President of Operations, and Head of Internal Audit has broad oversight of the Company’s risk management processes. The Cybersecurity and Governance Council meets regularly to discuss the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO invites team members from the product and technology groups to attend each Cybersecurity and Governance Council meeting to report on ongoing or relevant cybersecurity and compliance matters. The Cybersecurity and Governance Council reports any material developments to the Audit Committee on a quarterly basis.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Cybersecurity and Governance Council meets regularly to discuss the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO invites team members from the product and technology groups to attend each Cybersecurity and Governance Council meeting to report on ongoing or relevant cybersecurity and compliance matters. The Cybersecurity and Governance Council reports any material developments to the Audit Committee on a quarterly basis.
|Cybersecurity Risk Role of Management [Text Block]
|
Management
The Company has implemented a cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. At the management level, our Cybersecurity and Governance Council, composed of the CISO, CTO, CLO, Chief Revenue Officer and Executive Vice President of Operations, and Head of Internal Audit has broad oversight of the Company’s risk management processes. The Cybersecurity and Governance Council meets regularly to discuss the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO invites team members from the product and technology groups to attend each Cybersecurity and Governance Council meeting to report on ongoing or relevant cybersecurity and compliance matters. The Cybersecurity and Governance Council reports any material developments to the Audit Committee on a quarterly basis.Our CISO, who has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at the Company and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business. The CISO receives reports on cybersecurity threats from industry threat reports, and the team members in Information Security who are responsible for various parts of the business on an ongoing basis and in conjunction with management regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO and the team work closely with Legal and Internal Audit to oversee compliance with legal, regulatory, and contractual security requirements.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|At the management level, our Cybersecurity and Governance Council, composed of the CISO, CTO, CLO, Chief Revenue Officer and Executive Vice President of Operations, and Head of Internal Audit has broad oversight of the Company’s risk management processes. The Cybersecurity and Governance Council meets regularly to discuss the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO invites team members from the product and technology groups to attend each Cybersecurity and Governance Council meeting to report on ongoing or relevant cybersecurity and compliance matters. The Cybersecurity and Governance Council reports any material developments to the Audit Committee on a quarterly basis.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO, who has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at the Company and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Company has implemented a cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. At the management level, our Cybersecurity and Governance Council, composed of the CISO, CTO, CLO, Chief Revenue Officer and Executive Vice President of Operations, and Head of Internal Audit has broad oversight of the Company’s risk management processes. The Cybersecurity and Governance Council meets regularly to discuss the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO invites team members from the product and technology groups to attend each Cybersecurity and Governance Council meeting to report on ongoing or relevant cybersecurity and compliance matters. The Cybersecurity and Governance Council reports any material developments to the Audit Committee on a quarterly basis.Our CISO, who has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at the Company and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business. The CISO receives reports on cybersecurity threats from industry threat reports, and the team members in Information Security who are responsible for various parts of the business on an ongoing basis and in conjunction with management regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO and the team work closely with Legal and Internal Audit to oversee compliance with legal, regulatory, and contractual security requirements.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef