Toast Inc (TOST) Risk Factors

A majority of our customers are SMBs and we expect they will continue to comprise a large portion of our customer base for the foreseeable future. We define SMBs in the context of our customer base as customers that have between one and ten restaurant locations. Selling to and retaining SMBs can be more difficult than retaining enterprise customers, as SMBs often have higher rates of business failure and more limited resources, may have decisions related to the choice of payment processor dictated by their affiliated parent entity and are more readily able to change their payment processors than larger organizations. SMBs are also typically more susceptible to the adverse effects of economic fluctuations, including those caused by fluctuating inflation levels and interest rates. Adverse changes in the economic environment or business failures of our SMB customers may have a greater impact on us than on our competitors who do not focus on SMBs to the extent that we do.

We believe that maintaining and enhancing our brand identity and reputation is critical to our relationships with, and ability to attract, new customers, partners and employees. Accordingly, we have invested, and expect to continue to invest, increasing amounts of money in and greater resources to branding and other marketing initiatives, which may not be successful or cost effective. If we do not successfully maintain and enhance our brand and reputation in a cost-effective manner, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands or reputations, and we could lose customers or partners, all of which would harm our business, financial condition, and results of operations. In addition, any negative publicity about our company or our management, including about the quality, pricing and fee arrangement, stability, and reliability of our platform or services, changes to our products and services, our privacy and security practices, litigation, regulatory enforcement, and other actions involving us, as well as the perception of us and our products by our customers and their guests, even if inaccurate, could cause a loss of confidence in us and adversely affect our brand.

We, our customers, our partners, and other third parties, including third-party vendors, cloud service providers, and payment processors that we use, obtain and process large amounts of sensitive and personal information, including information related to our customers, their guests, and their transactions. We face risks, including to our reputation as a trusted brand, in the handling and protection of this information, and these risks will increase as our business continues to expand to include new products and technologies. Our operations involve the storage, transmission, and processing of our customers' proprietary information and sensitive and personal information of our customers and their guests and employees, including contact information and payment information, purchase histories, lending information, and payroll information. Cyber incidents have been increasing in sophistication and frequency and can include third parties gaining access to employee or guest information using stolen or inferred credentials, computer malware, viruses, spamming, phishing attacks, ransomware, card skimming code, and other deliberate attacks and attempts to gain unauthorized access. In addition, these incidents can originate on our vendors' websites or systems, which can then be leveraged to access our website or systems, further preventing our ability to successfully identify and mitigate the attack. As a result, unauthorized access to, security breaches of, or denial-of-service attacks against our platform (or any platform of our third-party vendors) could result in the loss of service, unauthorized access to or use of, and/or loss of, such data, as well as loss of intellectual property, guest information, employee data, trade secrets, or other confidential or proprietary information. We have administrative, technical, and physical security measures in place and proactively employ multiple security measures at different layers of our systems to defend against intrusion and attack and to protect our information; however, we have experienced security incidents in the past, and we may face additional security incidents in the future. Because the techniques used to obtain unauthorized access to or to sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures that will be sufficient to counter all current and emerging technology threats. In addition, any security breaches that occur may remain undetected for extended periods of time. While we also have and will continue to make significant efforts to address any IT security issues with respect to acquisitions we make, we may still inherit such risks when we integrate these companies. We also have policies and procedures in place to contractually require third parties to which we transfer data to implement and maintain appropriate security measures. Sensitive and personal information is processed and stored by our customers, software and financial institution partners and third-party service providers to whom we outsource certain functions. Threats to third-party systems can originate from human error, fraud, or malice on the part of employees or third parties, or simply from accidental technological failure, and/or computer viruses and other malware that can be distributed and infiltrate systems of third parties on whom we rely. While we select third parties to which we transfer data carefully, we do not control their actions, and these third parties may experience security breaches that result in unauthorized access of data and information stored with them despite these contractual requirements and the security measures these third parties employ. If any security breach involving our systems or the systems of third parties that store or process our data or significant denial-of-service attacks or other cyber attack occurs or is believed to have occurred, our reputation and brand could be damaged, we could be required to expend significant capital and other resources to alleviate problems caused by such actual or perceived breaches or attacks and remediate our systems. In addition, we could be exposed to a risk of loss, litigation, or regulatory action and possible liability, some or all of which may not be covered by insurance, and our ability to operate our business may be impaired. Unauthorized parties have in the past gained access, and may in the future gain access, to systems or facilities used in our business through various means, including gaining unauthorized access into our systems or facilities or those of customers and their guests, attempting to fraudulently induce our employees, customers, their guests, or others into disclosing usernames, passwords, payment card information, or other sensitive or personal information, which may in turn be used to access our IT systems or fraudulently transfer funds to bad actors. If new or existing customers believe that our platform does not provide adequate security for the storage of personal or sensitive information or its transmission over the Internet, they may not adopt our platform or may choose not to renew their subscriptions to our platform, which could harm our business. Additionally, actual, potential, or anticipated attacks may cause us to incur increasing costs, including costs to deploy additional personnel and protection technologies, train employees, and engage third-party experts and consultants. Our errors and omissions insurance policies covering certain security and privacy damages and claim expenses may not be sufficient to compensate for all potential liability. Although we maintain cyber liability insurance, we cannot be certain that our coverage will be adequate for liabilities actually incurred or that insurance will continue to be available to us on economically reasonable terms, or at all. Further, because data security is a critical competitive factor in our industry, we may make statements in our privacy statements and notices and in our marketing materials describing the security of our platform, including descriptions of certain security measures we employ or security features embedded within our products. Should any of these statements be untrue, become untrue, or be perceived to be untrue, even if through circumstances beyond our reasonable control, we may face claims, including claims of unfair or deceptive trade practices, brought by the U.S. Federal Trade Commission, state, local, or foreign regulators (e.g., a European Union-based data protection agency), or private litigants.

From time to time, we are or may become involved in claims, lawsuits (whether class actions or individual lawsuits), arbitration proceedings, government investigations, and other legal or regulatory proceedings involving commercial, corporate and securities matters; privacy, marketing and communications practices; labor and employment matters; alleged infringement of third-party patents and other intellectual property rights; and other matters. The results of any such claims, lawsuits, arbitration proceedings, government investigations, or other legal or regulatory proceedings cannot be predicted with any degree of certainty. Any claims against us, whether meritorious or not, could be time-consuming, result in costly litigation, require significant management attention, and divert significant resources. Determining reserves for our pending litigation is a complex and fact-intensive process that requires significant subjective judgment and speculation. It is possible that a resolution of one or more such proceedings could result in substantial damages, settlement costs, fines, and penalties. These proceedings could also result in harm to our reputation and brand, sanctions, consent decrees, injunctions, or other orders requiring a change in our business practices. Any of these consequences could adversely affect our business, financial condition, and results of operations. Further, under certain circumstances, we have contractual and other legal obligations to indemnify and to incur legal expenses on behalf of our business, customers, and commercial partners and current and former directors and officers. In addition, certain litigation or the resolution of certain litigation may affect the availability or cost of some of our insurance coverage, which could adversely impact our results of operations and cash flows, expose us to increased risks that would be uninsured, and adversely impact our ability to attract directors and officers. Notwithstanding the terms of our agreements with our customers, it is possible that one or more of our customers could breach their obligations, which in the aggregate, could adversely affect our business, financial condition, or results of operations. For example, if a customer defaults on its obligations under a customer agreement or terminates a customer agreement prior to the contractual termination date, we may be required to assert a claim to acquire the amount in full due under the customer agreement, which we may choose not to pursue. However, if we choose to pursue any such claim, we may incur substantial costs to resolve claims or enter into litigation or arbitration, and even if we were to prevail in the event of claims, litigation or arbitration, such claims, litigation, or arbitration could be costly and time-consuming and divert the attention of our management and other employees from our business operations. We also include arbitration and class action waiver provisions in our terms of service with the customers that utilize our platform and certain agreements with our employees. These provisions are intended to streamline the litigation process for all parties involved, as they can in some cases be faster and less costly than litigating disputes in state or federal court. However, arbitration can nevertheless be costly and burdensome, and the use of arbitration and class action waiver provisions subjects us to certain risks to our reputation and brand, as these provisions have been the subject of increasing public scrutiny. In order to minimize these risks to our reputation and brand, we may limit our use of arbitration and class action waiver provisions, or we may be required to do so in any particular legal or regulatory proceeding, either of which could cause an increase in our litigation costs and exposure. Additionally, we permit certain customers and other users of our platform to opt out of such provisions, which could cause an increase in our litigation costs and exposure. Further, with the potential for conflicting rules regarding the scope and enforceability of arbitration and class action waivers on a state-by-state basis, as well as between state and federal law, there is a risk that some or all of our arbitration and class action waiver provisions could be subject to challenge or may need to be revised to exempt certain categories of protection. If these provisions were found to be unenforceable, in whole or in part, or specific claims are required to be exempted, we could experience an increase in our costs to litigate disputes and in the time involved in resolving such disputes, and we could face increased exposure to potentially costly lawsuits, each of which could adversely affect our business, financial condition, and results of operations.

We are subject to taxation in the United States and certain other jurisdictions in which we operate. Changes in applicable tax laws or regulations may be proposed or enacted that could materially and adversely affect our effective tax rate, tax payments, results of operations, financial condition and cash flows. Changes to tax laws (which changes may have retroactive application) could adversely affect us or holders of our Class A common stock. Prospective investors should consult their tax advisors regarding the potential consequences of changes in tax law on our business and on the ownership and disposition of our Class A common stock. Our future tax rates could be influenced by modifications in accounting standards or alterations in tax laws at the federal, state, or international levels, as well as new tax rulings. The U.S. Department of Treasury can issue regulations and provide interpretive guidance, which could affect our compliance with the law and potentially impact our operational results when issued. Numerous countries are actively considering or implementing changes to their tax legislation following the Organization for Economic Development's adoption of model rules for 15% global minimum tax (often referred to as Pillar 2). Such changes might elevate our tax responsibilities in the countries where we conduct business or necessitate adjustments in our operational strategies. Evolving global tax regulations affecting multinational corporations could significantly influence our operations, lead to an increase in our global effective tax rate and adversely impact our financial performance. Under state tax law, we may be deemed responsible for collecting and remitting sales taxes directly to certain states. State tax authorities may raise questions about, or challenge or disagree with, our calculation, reporting, or collection of taxes and may require us to collect taxes or to remit additional taxes and interest and could impose associated penalties and fees. Moreover, an increasing number of states have considered or adopted laws or administrative practices that attempt to impose obligations for online marketplaces, payment service providers, and other intermediaries. These obligations may require us to collect and remit taxes on the merchant customers behalf and take on additional reporting and record-keeping obligations. Any failure by us to prepare for and to comply with these and similar reporting and record-keeping obligations could result in substantial monetary penalties and other sanctions, adversely impact our ability to do business in certain jurisdictions, and harm our business.

As we seek to build a trusted and secure platform for and to expand our network of customers and facilitate their transactions and interactions with their guests, we will increasingly be subject to laws and regulations relating to the collection, use, retention, privacy, security, and transfer of information, including the personal information of their employees and guests. Domestically, this includes federal as well as state-specific legislation, including but not limited to the CCPA. Additionally, a number of U.S. state-specific privacy laws have recently become effective or will become effective in 2024. As we expand internationally, international privacy laws pertaining to the processing and security of personal information become more relevant to our business, including but not limited to the GDPR, the United Kingdom GDPR and local privacy legislation, as well as Canadian privacy legislation, including Canada's Personal Information Protection and Electronic Documents Act and local provincial legislation. As with the other laws and regulations noted above, these laws and regulations may change or be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible they will be interpreted and applied in ways that will materially and adversely affect our business. As noted above, many states in which we operate have laws that protect the privacy and security of sensitive and personal information. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than federal or other state laws, and such laws may differ from each other, which may complicate compliance efforts. For example, California enacted the CCPA, which initially went into effect in January 2020, with important amendments that went into effect in January 2023. The CCPA, as amended, requires companies covered by the legislation to provide disclosures to California consumers and afford such consumers rights with respect to their personal information, including the right to request deletion of their personal information, the right to receive the personal information on record for them, the right to know what categories of personal information generally are maintained about them, as well as the right to opt-out of certain sales of personal information and sharing personal information for certain advertising purposes. The CCPA also granted a new state agency, the California Privacy Protection Agency, powers to adopt and enforce regulations interpreting the CCPA, and the agency is continuing to adopt new rules that may require us to evolve and adapt our compliance strategies. The effects of the CCPA are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and/or litigation. In addition, the CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation. Certain other states, such as Virginia, Colorado, Connecticut, and Utah, have passed and implemented consumer privacy laws that impose similar privacy obligations as the CCPA. Additional states have passed consumer privacy laws that will come into force over the next few years. We anticipate that more states may enact legislation similar to the CCPA and the forthcoming state privacy laws, which provide consumers with new privacy rights and increase the privacy and security obligations of entities handling certain personal information of such consumers. Moreover, states may pass consumer privacy laws that deviate from or exceed the requirements of the existing laws, or that regulate specific business practices. For example, Washington state's My Health My Data Act will come into effect in 2024 and will require regulated businesses to apply specific protections for consumer health data, which is defined broadly to include certain data categories that are not directly related to health, such as location information. These state privacy developments have prompted a number of proposals for new federal and state-level privacy legislation and regulation. Such proposed legislation and regulation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies, and the availability of previously useful data, and could result in increased compliance costs and/or changes in business practices and policies. The regulatory framework governing the collection, processing, storage, use, and sharing of certain information, particularly financial and other personal information, is rapidly evolving and is likely to continue to be subject to uncertainty and varying interpretations. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our services and platform capabilities. Any failure or perceived failure by us, or any third parties with which we do business, to comply with our posted privacy statements or notices, changing consumer expectations, evolving laws, rules and regulations, industry standards, or contractual obligations to which we or such third parties are or may become subject, may result in actions or other claims against us by governmental entities or private actors, the expenditure of substantial costs, time, and other resources or the incurrence of significant fines, penalties, or other liabilities. In addition, any such action, particularly to the extent we were found to have engaged in violations or otherwise liable for damages, would damage our reputation and adversely affect our business, financial condition, and results of operations. We cannot yet fully determine the impact these or future laws, rules, regulations, and industry standards may have on our business or operations. Any such laws, rules, regulations, and industry standards may be inconsistent among different jurisdictions, subject to differing interpretations or may conflict with our current or future practices. Additionally, our partners and our customers and their guests may be subject to differing privacy laws, rules, and legislation, which may mean that our partners or customers require us to be bound by varying contractual requirements applicable to certain other jurisdictions. If our customers fail to comply with such privacy laws, rules, or legislation, we could be exposed to liability and our business, financial condition, results of operations, and brand could be adversely affected. Adherence to contractual requirements imposed by our partners or customers may impact our collection, use, processing, storage, sharing, and disclosure of various types of information including financial information and other personal information, and may mean we become bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules, and regulations evolve. Complying with these requirements and changing our policies and practices may be onerous and costly, and we may not be able to respond quickly or effectively to regulatory, legislative, and other developments. These changes may in turn impair our ability to offer our existing or planned features, products, and services, and/or increase our cost of doing business. As we expand our partnerships and our customer base, these requirements may vary from customer to customer, and from guest to guest, further increasing the cost of compliance and doing business. We publicly post documentation regarding our practices concerning the collection, processing, use, and disclosure of information. Although we endeavor to comply with our published statements, notices, and documentation, we may at times fail to do so or be alleged to have failed to do so. Any failure or perceived failure by us to comply with our privacy statements, notices, or any applicable privacy, security, or data protection, information security, or consumer-protection related laws, regulations, orders, or industry standards could expose us to costly litigation, significant awards, fines or judgments, civil and/or criminal penalties, or negative publicity, and could materially and adversely affect our business, financial condition, and results of operations. The publication of our privacy statements, notices, and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices, which could, individually or in the aggregate, materially and adversely affect our business, financial condition, and results of operations. We have incurred, and may continue to incur, significant expenses to comply with evolving mandatory privacy and security standards and protocols imposed by law, regulation, industry standards, shifting customer and guest expectations, or contractual obligations, both in the U.S. and internationally. We post on our website our privacy statement and practices concerning the collection, use, and disclosure of information. In particular, with laws and regulations such as the CCPA and similar laws in the United States imposing new and relatively burdensome obligations, and with substantial uncertainty over the interpretation and application of these and other laws and regulations, we may face challenges in addressing their requirements and making necessary changes to our policies and practices and may incur significant costs and expenses in an effort to do so. This also applies in the context of international privacy legislation such as the GDPR, UK GDPR and applicable Canadian privacy legislation. Any failure, real or perceived, by us to comply with our posted privacy statements or notices, changing customer and guest expectations, or with any evolving regulatory requirements, interpretations, or orders, other local, state, federal, or international privacy, data protection, information security, or consumer protection-related laws and regulations, industry standards, or contractual obligations could cause our customers to reduce their use of our products and services, disrupt our supply chain or third-party vendor or developer partnerships, and materially and adversely affect our business.

We procure third-party insurance policies to cover various operations-related risks including employment practices liability, workers' compensation, business interruptions, cybersecurity and data breaches, crime, directors' and officers' liability, and general business liabilities, but our insurance may not cover 100% of the costs and losses from all events. For certain types of operations-related risks or future risks related to our new and evolving services, we may not be able to, or may choose not to, acquire insurance. In addition, we may not obtain enough insurance to adequately mitigate such operations-related risks or risks related to our new and evolving services, and we may have to pay high premiums, self-insured retentions, or deductibles for the coverage we do obtain. Additionally, if any of our insurance providers becomes insolvent, it would be unable to pay any operations-related claims that we make. Further, some of our agreements with customers may require that we procure certain types of insurance, and if we are unable to obtain and maintain such insurance, we would be in violation of the terms of these customer agreements. We are responsible for certain retentions and deductibles that vary by policy, and we may suffer losses that exceed our insurance coverage by a material amount. If the amount of one or more operations-related claims were to exceed our applicable aggregate coverage limits, we would bear the excess, in addition to amounts already incurred in connection with deductibles, or self-insured retentions. Insurance providers have raised premiums and deductibles for many businesses and may do so in the future. As a result, our insurance and claims expenses could increase, or we may decide to raise our deductibles or self-insured retentions when our policies are renewed or replaced. Our business, financial condition, and results of operations could be adversely affected if the cost per claim, premiums, or the number of claims significantly exceeds our historical experience and coverage limits; we experience a claim in excess of our coverage limits; our insurance providers fail to pay on our insurance claims; we experience a claim for which coverage is not provided; or the number of claims under our deductibles or self-insured retentions differs from historical averages.

Our operating results may vary based on the impact of global events and macroeconomic conditions, such as inflation and its potential impact on consumer spending, rising interest rates, global supply chain issues, and pandemics. For example, the COVID-19 pandemic impacted our business and operations in a variety of ways, including supply chain challenges, disruptions in our sales and marketing efforts, restrictions in our ability to conduct research and development and other business activities, uncertainty in restaurant technology spending, and fluctuation on the payment volume processed through our platform. Furthermore, our revenue growth and potential profitability depend on demand for business management software and platforms serving the restaurant industry. Historically, during economic downturns, there have been reductions in spending on IT as well as pressure for extended billing terms and other financial concessions. The adverse impact of economic downturns may be particularly acute among SMBs, which comprise the majority of our customer base. If economic conditions deteriorate, our current and prospective customers may elect to decrease their IT budgets, which would limit our ability to grow our business and adversely affect our operating results. A deterioration in general economic conditions (including distress in financial markets, rising inflation and interest rates, and turmoil in specific economies around the world) may adversely affect our financial performance by causing a reduction in locations through restaurant closures or a reduction in gross payment volume. A reduction in the amount of consumer spending or credit card transactions could result in a decrease of our revenue and profits. Adverse economic factors may accelerate the timing, or increase the impact of, risks to our financial performance. These factors could include: - restrictions on credit lines to consumers or limitations on the issuance of new credit cards;- uncertainty and volatility in the performance of our customers' businesses, particularly SMBs;- customers or consumers decreasing spending for value-added services we market and sell;- declining economies and the pace of economic recovery which can change consumer spending behaviors;- low levels of consumer and business confidence typically associated with inflationary or recessionary environments;- high unemployment levels, which may result in decreased spending by consumers;- budgetary concerns in the United States and other countries around the world, which could impact consumer confidence and spending; and - government actions, including the effect of laws and regulations and any related government stimulus.

Although we currently do not derive significant revenue from customers located outside the United States, the long-term potential of our business will depend in part on our ability to expand our business into international markets. We have recently made an initial investment to establish our international presence and plan to continue such efforts, which has and may continue to be accomplished in part through acquisitions of companies located outside of the United States. However, we have limited experience with international customers and in selling our platform internationally. Accordingly, we cannot be certain that our business model will be successful, or that our platform will achieve commercial acceptance, outside the United States. Conducting international operations subjects us to risks that we have not generally faced in the United States, including but not limited to: - managing geographically separate organizations, systems, and facilities;- challenges caused by language, cultural, and ethical differences;- difficulties in staffing and managing foreign operations, including employment laws and regulations;- presence of more established competitors and/or local competitors favored by local business practices;- compliance challenges related to the complexity of multiple, conflicting, and changing governmental laws and regulations, including data privacy, employment, tax, anti-money laundering, and anti-bribery laws and regulations and sanction regimes, including but not limited to, additional exposure to GDPR, rules and programs administered by the Treasury Department's Office of Foreign Assets Control, or OFAC, domestic and international anti-corruption laws, such as the U.S. Foreign Corrupt Practices Act, or FCPA, and the U.K. Bribery Act, as well as other similar anti-bribery and anti-kickback laws and regulations;- different pricing environments, sales cycles, and collections issues;- financial and other impacts to our business resulting from fluctuations in currency exchange rates and unit economics across multiple jurisdictions, including the possibility of use of hedging arrangements to reduce potential foreign currency exchange exposure;- increased financial accounting and other reporting burdens and complexities, including rapidly changing requirements with respect to corporate sustainability reporting;- enforcing intellectual property rights outside of the United States;- difficulty entering new non-U.S. markets due to, among other things, difficulties in achieving consumer acceptance of our platform in new markets and more limited business knowledge of these markets; and - general economic and political conditions. Expanding our business internationally requires significant additional investment in our platform, operations, infrastructure, compliance efforts, and sales and marketing organization, and any such investments may not be successful or generate an adequate return on our investment.