|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to our employees, customers or third-party vendors and service providers and violation of data privacy or security laws.
Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through our cybersecurity risk management program, which includes third-party assessments, internal IT audits conducted by our Audit Committee and IT security, governance, risk and compliance reviews.
We have implemented a multi-layered cybersecurity approach which includes physical, technical and administrative measures to protect our systems against cybersecurity incidents. All data transfers over the Internet are encrypted using the Transport Layer Security (TLS) protocol. Our measures for assessing, identifying and managing material risks from cybersecurity threats and security incidents include:
•Our information is encrypted and securely stored in the cloud following best practices such as OWASP Top 10 and the Amazon’s Well Architected framework, and adhering to internationally recognized security and privacy standards such as ISO 27001.
•We employ advanced tools and services for data protection, including WAF, TDR, ZT, and MDM, among others.
•We conduct periodic internal and external assessments, such as penetration testing and vulnerability scans.
•We implement system safeguards, including email filtering and access control.
•We ensure continuous threat surveillance and have incident response plans in place for prompt identification, reporting, and resolution.
•We provide cybersecurity and privacy training to our employees.
•We monitor our compliance with data protection regulations.
•We maintain policies for handling third-party data.
•We regularly update and review our internal cybersecurity policies.
We have also implemented incident response and breach management policies and procedures. Such incident response processes are overseen by leaders from our Information Security, People Operations, Compliance and Legal teams regarding matters of cybersecurity. As part of these processes, we engage external consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards.
Our risk management program also assesses third-party cybersecurity risks and threats. We perform third-party risk assessments to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Such cybersecurity risks are evaluated when selecting and overseeing applicable third-party service providers and potential fourth-party risks that may handle and/or process our employee, business or customer data. Our evaluations include security questionnaires and legal review and oversight of contracts, including, but not limited to, contractual clauses related to cybersecurity and data privacy. In addition to new vendor onboarding, we have procedures in place to perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents. Although we have continued to invest in our due diligence, onboarding, and monitoring capabilities over critical third parties with whom we do business, including our third-party vendors and service providers, our control over the security posture of, and ability to monitor the cybersecurity practices of, such third parties remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the cybersecurity infrastructure owned or controlled by such third parties. When we do become aware that a third-party vendor or service provider has experienced such compromise or failure, we attempt to mitigate our risk, including by terminating such third party’s connection to our information systems and networks where appropriate.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through our cybersecurity risk management program, which includes third-party assessments, internal IT audits conducted by our Audit Committee and IT security, governance, risk and compliance reviews.
We have implemented a multi-layered cybersecurity approach which includes physical, technical and administrative measures to protect our systems against cybersecurity incidents. All data transfers over the Internet are encrypted using the Transport Layer Security (TLS) protocol. Our measures for assessing, identifying and managing material risks from cybersecurity threats and security incidents include:
•Our information is encrypted and securely stored in the cloud following best practices such as OWASP Top 10 and the Amazon’s Well Architected framework, and adhering to internationally recognized security and privacy standards such as ISO 27001.
•We employ advanced tools and services for data protection, including WAF, TDR, ZT, and MDM, among others.
•We conduct periodic internal and external assessments, such as penetration testing and vulnerability scans.
•We implement system safeguards, including email filtering and access control.
•We ensure continuous threat surveillance and have incident response plans in place for prompt identification, reporting, and resolution.
•We provide cybersecurity and privacy training to our employees.
•We monitor our compliance with data protection regulations.
•We maintain policies for handling third-party data.
•We regularly update and review our internal cybersecurity policies.
We have also implemented incident response and breach management policies and procedures. Such incident response processes are overseen by leaders from our Information Security, People Operations, Compliance and Legal teams regarding matters of cybersecurity. As part of these processes, we engage external consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats and responses to incidents, should they arise. Members of the Audit Committee receive updates as necessary on a quarterly basis regarding matters of cybersecurity or when there is cybersecurity incident. The internal auditor communicates this information to the Audit Committee. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.
Our cybersecurity risk management and strategy processes are overseen by leaders from our Technology, People Operations, and Legal teams. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report either directly, or via our internal auditor, to the Audit Committee on any appropriate items.
Our Chief Technology Officer (“CTO”) and Head of Technology Operations, who report to our CEO, are primarily responsible for the assessment and management of our material risks from cybersecurity threats. Our CTO and Head of Technology Operations oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Our IT and engineering team, which reports to the CTO and Head of Technology Operations, maintains our security incident response plan and manages day-to-day incident identification, assessment and management, leads our overall cybersecurity risk management program, including ongoing assessments of system vulnerabilities and mitigation efforts, and continuously updates our CTO and Head of Technology Operations on such matters. Our IT and engineering team includes members that have been involved in cybersecurity for approximately 10 years, with project experience relating to SOC-2, ISO 27001, GDPR, Business Continuity Planning, Disaster Recovery Planning, Incident Response Planning. Our CTO and Head of Technology Operations escalate cybersecurity incidents to other members of the Company’s leadership, as appropriate, including our CFO, CEO and internal auditor. The IT and engineering team provides regular briefings to the CTO and Head of Technology Operations regarding the Company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our cybersecurity risk management and strategy processes are overseen by leaders from our Technology, People Operations, and Legal teams. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report either directly, or via our internal auditor, to the Audit Committee on any appropriate items.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Members of the Audit Committee receive updates as necessary on a quarterly basis regarding matters of cybersecurity or when there is cybersecurity incident. The internal auditor communicates this information to the Audit Committee. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk management and strategy processes are overseen by leaders from our Technology, People Operations, and Legal teams. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report either directly, or via our internal auditor, to the Audit Committee on any appropriate items.
Our Chief Technology Officer (“CTO”) and Head of Technology Operations, who report to our CEO, are primarily responsible for the assessment and management of our material risks from cybersecurity threats. Our CTO and Head of Technology Operations oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Our IT and engineering team, which reports to the CTO and Head of Technology Operations, maintains our security incident response plan and manages day-to-day incident identification, assessment and management, leads our overall cybersecurity risk management program, including ongoing assessments of system vulnerabilities and mitigation efforts, and continuously updates our CTO and Head of Technology Operations on such matters. Our IT and engineering team includes members that have been involved in cybersecurity for approximately 10 years, with project experience relating to SOC-2, ISO 27001, GDPR, Business Continuity Planning, Disaster Recovery Planning, Incident Response Planning. Our CTO and Head of Technology Operations escalate cybersecurity incidents to other members of the Company’s leadership, as appropriate, including our CFO, CEO and internal auditor. The IT and engineering team provides regular briefings to the CTO and Head of Technology Operations regarding the Company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity risk management and strategy processes are overseen by leaders from our Technology, People Operations, and Legal teams. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report either directly, or via our internal auditor, to the Audit Committee on any appropriate items.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our IT and engineering team includes members that have been involved in cybersecurity for approximately 10 years, with project experience relating to SOC-2, ISO 27001, GDPR, Business Continuity Planning, Disaster Recovery Planning, Incident Response Planning.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our IT and engineering team, which reports to the CTO and Head of Technology Operations, maintains our security incident response plan and manages day-to-day incident identification, assessment and management, leads our overall cybersecurity risk management program, including ongoing assessments of system vulnerabilities and mitigation efforts, and continuously updates our CTO and Head of Technology Operations on such matters. Our IT and engineering team includes members that have been involved in cybersecurity for approximately 10 years, with project experience relating to SOC-2, ISO 27001, GDPR, Business Continuity Planning, Disaster Recovery Planning, Incident Response Planning. Our CTO and Head of Technology Operations escalate cybersecurity incidents to other members of the Company’s leadership, as appropriate, including our CFO, CEO and internal auditor. The IT and engineering team provides regular briefings to the CTO and Head of Technology Operations regarding the Company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef