Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Jan. 31, 2026
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We rely on technology, including the internet and mobile services, to conduct much of our business activity and allow our clients to conduct financial transactions on our platform. As a result, our systems and operations as well as those of the third parties on which we rely to conduct certain key functions are vulnerable to cybersecurity incidents. We have developed and implemented a cybersecurity risk management program that has been integrated into our broader enterprise risk management framework. Our program is designed to protect our core platform, client assets, and sensitive data through a "Defense in Depth" architecture.
Continuous Security Operations
To identify and mitigate emerging threats, we employ a multi-layered testing strategy:
Detection. We utilize a Security Information and Event Management (SIEM) solution for 24/7 infrastructure monitoring and detection.
Assessment. We perform vulnerability scans, third-party penetration testing, and maintain a managed, third-party-hosted bug bounty program to encourage and compensate third-party security researchers.
Resilience. We maintain Business Continuity and Disaster Recovery (BCP and DR) plans that utilize geographic redundancy. Our resilience strategy includes annual tabletop exercises to verify our recovery protocols and communication chains.
We also engage the assistance of third-party consultants to increase protection of our information, IT systems, and network to help secure long-term value for our stakeholders.
Services provided by third-party consultants include, but are not limited to, regular assessments of our cybersecurity program, including cyber maturity assessments and penetration tests, and participating in incident response processes.
Incident Management and Materiality Process
We maintain a formal Engineering Incident Management Policy to govern the detection, escalation, and remediation of operational and security events. We maintain 24/7 on-call rotations with defined service level agreements (SLAs) for executive escalation to the VP of Engineering and Chief Technology Officer for critical issues. Upon escalation of a significant incident, we initiate a cross-functional assessment process involving Engineering leadership, Legal, and Compliance. This team evaluates the incident’s materiality by considering quantitative factors (e.g., remediation costs and lost revenue) and qualitative factors (e.g., reputational harm, impact on client relationships, and regulatory implications). This process is designed to ensure that if an incident is deemed material, a determination is reached without unreasonable delay to facilitate timely disclosure. Following high-priority incidents, we conduct formal post-mortems to drive continuous improvement.
Standards and Certifications
Our security posture is informed by the following international standards:
ISO 27001:2022 - We maintain an Information Security Management System (ISMS) that was ISO/IEC 27001:2022 certified in the fiscal year ended January 31, 2026.
PCI DSS v4.0.1 - As part of our commitment to the security of the debit card functionality associated with the Cash Account service, we successfully completed our annual assessment under PCI DSS v4.0.1 in the fiscal year ended January 31, 2026.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We rely on technology, including the internet and mobile services, to conduct much of our business activity and allow our clients to conduct financial transactions on our platform. As a result, our systems and operations as well as those of the third parties on which we rely to conduct certain key functions are vulnerable to cybersecurity incidents. We have developed and implemented a cybersecurity risk management program that has been integrated into our broader enterprise risk management framework. Our program is designed to protect our core platform, client assets, and sensitive data through a "Defense in Depth" architecture.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Audit Committee of the Board of Directors oversees our cybersecurity risk exposure. This committee receives quarterly briefings from our Head of Security regarding:
The status of our ISO 27001 and PCI DSS compliance postures.
Results of annual BCP/DR tabletop exercises and the performance of our vulnerability management programs.
Summaries of significant incidents and subsequent remediation efforts.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee of the Board of Directors oversees our cybersecurity risk exposure.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] This committee receives quarterly briefings from our Head of Security regarding:
The status of our ISO 27001 and PCI DSS compliance postures.
Results of annual BCP/DR tabletop exercises and the performance of our vulnerability management programs.
Summaries of significant incidents and subsequent remediation efforts.
Cybersecurity Risk Role of Management [Text Block]
We rely on technology, including the internet and mobile services, to conduct much of our business activity and allow our clients to conduct financial transactions on our platform. As a result, our systems and operations as well as those of the third parties on which we rely to conduct certain key functions are vulnerable to cybersecurity incidents. We have developed and implemented a cybersecurity risk management program that has been integrated into our broader enterprise risk management framework. Our program is designed to protect our core platform, client assets, and sensitive data through a "Defense in Depth" architecture.
Continuous Security Operations
To identify and mitigate emerging threats, we employ a multi-layered testing strategy:
Detection. We utilize a Security Information and Event Management (SIEM) solution for 24/7 infrastructure monitoring and detection.
Assessment. We perform vulnerability scans, third-party penetration testing, and maintain a managed, third-party-hosted bug bounty program to encourage and compensate third-party security researchers.
Resilience. We maintain Business Continuity and Disaster Recovery (BCP and DR) plans that utilize geographic redundancy. Our resilience strategy includes annual tabletop exercises to verify our recovery protocols and communication chains.
We also engage the assistance of third-party consultants to increase protection of our information, IT systems, and network to help secure long-term value for our stakeholders.
Services provided by third-party consultants include, but are not limited to, regular assessments of our cybersecurity program, including cyber maturity assessments and penetration tests, and participating in incident response processes.
Incident Management and Materiality Process
We maintain a formal Engineering Incident Management Policy to govern the detection, escalation, and remediation of operational and security events. We maintain 24/7 on-call rotations with defined service level agreements (SLAs) for executive escalation to the VP of Engineering and Chief Technology Officer for critical issues. Upon escalation of a significant incident, we initiate a cross-functional assessment process involving Engineering leadership, Legal, and Compliance. This team evaluates the incident’s materiality by considering quantitative factors (e.g., remediation costs and lost revenue) and qualitative factors (e.g., reputational harm, impact on client relationships, and regulatory implications). This process is designed to ensure that if an incident is deemed material, a determination is reached without unreasonable delay to facilitate timely disclosure. Following high-priority incidents, we conduct formal post-mortems to drive continuous improvement.
Standards and Certifications
Our security posture is informed by the following international standards:
ISO 27001:2022 - We maintain an Information Security Management System (ISMS) that was ISO/IEC 27001:2022 certified in the fiscal year ended January 31, 2026.
PCI DSS v4.0.1 - As part of our commitment to the security of the debit card functionality associated with the Cash Account service, we successfully completed our annual assessment under PCI DSS v4.0.1 in the fiscal year ended January 31, 2026.
Board of Directors Oversight
The Audit Committee of the Board of Directors oversees our cybersecurity risk exposure. This committee receives quarterly briefings from our Head of Security regarding:
The status of our ISO 27001 and PCI DSS compliance postures.
Results of annual BCP/DR tabletop exercises and the performance of our vulnerability management programs.
Summaries of significant incidents and subsequent remediation efforts.
Management’s Role in Assessing and Managing Material Risks
Our cybersecurity strategy is executed by our Head of Security, who has over 15 years of experience in information security, and over 10 years of experience in the financial technology sector. The Head of Security oversees the administration of our Incident Management and BCP/DR policies, ensuring that security is integrated into the software development lifecycle.
Third-Party Risk: We maintain a Third-Party Risk Management Policy and conduct security reviews of vendors, including for potential fourth-party risks, prior to and during their contracts. We require all third-party service providers with access to sensitive information to implement and maintain cybersecurity practices consistent with applicable legal and industry standards. Any identified risks, including potential fourth-party risks, are highlighted to internal business owners to help make informed risk-based decisions. We also require critical service providers to provide evidence of independent security audits (such as SOC 2 or ISO 27001).
Cybersecurity Risk
While to date no risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, financial condition, or results of operations, our systems and those of our clients and third-party service providers have been and might in the future be vulnerable to cybersecurity threats. For more information about risks related to cybersecurity threats that have materially affected or are reasonably likely to materially affect our business, financial condition, and results of operations, see “Risk Factors–Risks Related to Cybersecurity and Data Privacy” in this Form 10-K.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Our cybersecurity strategy is executed by our Head of Security, who has over 15 years of experience in information security, and over 10 years of experience in the financial technology sector. The Head of Security oversees the administration of our Incident Management and BCP/DR policies, ensuring that security is integrated into the software development lifecycle.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] has over 15 years of experience in information security, and over 10 years of experience in the financial technology sector.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Our cybersecurity strategy is executed by our Head of Security, who has over 15 years of experience in information security, and over 10 years of experience in the financial technology sector. The Head of Security oversees the administration of our Incident Management and BCP/DR policies, ensuring that security is integrated into the software development lifecycle.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true