Olo (OLO) Risk Factors

Our success depends, in part, on our ability to protect our brand and the proprietary methods and technologies that we develop under the intellectual property laws of the United States and, potentially in the future, foreign jurisdictions so that we can prevent others from using our inventions and proprietary information. Although we own 14 registered trademarks in the United States, as of December 31, 2023, we hold no issued patents and therefore would not be entitled to exert patents to exclude or prevent our competitors from using our proprietary technology, methods, and processes to the extent independently developed by our competitors. We rely primarily on trade secret laws and confidentiality agreements with our business partners, employees, consultants, advisors, customers, and other current or prospective partners in our efforts to protect our proprietary technology, confidential information, processes, methods, and intellectual property. These confidentiality agreements may not effectively prevent disclosure of our confidential information or the unauthorized use of our technology, and it may be possible for unauthorized parties to copy our software or other proprietary technology or information, or to develop similar software independently without our having an adequate remedy for unauthorized use or disclosure of our confidential information. In addition, others may independently discover our trade secrets and proprietary information, and in these cases, we would not be able to assert any trade secret rights against those parties. Costly and time-consuming litigation could be necessary to enforce and determine the scope of our proprietary rights, and failure to obtain or maintain trade secret protection could adversely affect our competitive business position. In addition, the laws of some countries do not protect intellectual property and other proprietary rights to the same extent as the laws of the United States. To the extent we expand our international activities, our exposure to unauthorized copying, transfer, and use of our proprietary technology or information may increase. We cannot be certain that our means of protecting our intellectual property and proprietary rights will be adequate or that our competitors will not independently develop similar technology. If we fail to meaningfully protect our intellectual property and proprietary rights, our business, results of operations, and financial condition could be adversely affected.

We operate in the on-demand digital commerce industry, which is prone to cyber-attacks. Cyber incidents have been increasing in sophistication and frequency. We and our third party vendors are at constant risk of cyber-attacks or cyber intrusions via third parties gaining access to employee or customer data using stolen or inferred credentials, computer malware, viruses, worms, break-ins, spamming, phishing attacks, hacking, ransomware, denial-of-service attacks, card skimming code, and other deliberate attacks and attempts to gain unauthorized access (including from both internal and external sources). Because the techniques used by computer programmers who have in the past and may in the future attempt to penetrate and sabotage our network security or our website change frequently and may not be recognized until launched against a target, we may be unable to anticipate these techniques. Our Board of Directors reviews cybersecurity risks brought to its attention by members of senior management who report up to our Board of Directors. We have an established in-house security team, which is responsible for reviewing and overseeing our cybersecurity program and bringing any cybersecurity risks to the attention of our Board of Directors and the audit committee at regular meetings of the audit committee. Failure to prevent or mitigate security breaches and improper access to or disclosure of our data, our customers' data, or their guests' data, whether for our systems or the systems of vendors, could result in its loss or misuse or unauthorized disclosure of confidential information, interruptions, delays or outages of our products, negative publicity, cause our customers and partners to cease doing business with us, lead to exposure to risk of loss or possible liability due to lawsuits, enforcement actions investigations, regulatory penalties and sanctions, and could harm our business and reputation. The security measures we have integrated into our systems and processes, which are designed to prevent or minimize security breaches, have in the past and may in the future not always function as expected or be sufficient to protect our internal networks and platform against attacks. Further, our platform also integrates with third-party applications and POS and management systems over which we exercise no control. Such applications and systems are also susceptible to security breaches, which could directly or indirectly result in a breach of our platform. For example, the failure of a customer's third-party front-end provider to adequately protect their systems could result in an attack that we are unable to prevent from the back-end; such an attack could result in a service outage for all our customers, and may require us to take the affected customer offline to restore service to the platform and mitigate the breach. Our exposure to security breaches may be heightened because our platform is accessible through hundreds of our customers' white label domains and mobile applications. Our storage and use of our customers' data concerning their restaurants and guests is essential to their use of our platform, which stores, transmits, and processes our customers' proprietary information and information relating to them and guests. If a material security breach were to occur, as a result of third-party action, employee error, malfeasance, or otherwise, and the confidentiality, integrity, or availability of our customers' data was disrupted, we could incur significant liability to those customers and their guests. Additionally, because of a security breach our platform could be perceived as less desirable, which could negatively affect our business. In addition, any loss of customer or individual guest data could create significant monetary damages for us that may harm our ability to operate the business. A security vulnerability in our platform or other integrated software could compromise our customers' in-store networks, which could expose customer or guest information beyond what we collect through our platform. As a multi-tenant SaaS provider, despite our logical separation of data between customers, we may also face an increased risk of accidentally commingling data between customers due to employee error, a software bug, or otherwise, which may result in unauthorized disclosure of data between customers. We have in the past and could in the future be subject to distributed denial of service, or DDoS, attacks, a technique used by hackers to take an internet service offline by overloading its servers. A DDoS attack could delay or interrupt service to our customers and their guests and prevent guests from ordering from or otherwise engaging with our customers' restaurants. We cannot guarantee that applicable recovery systems, security protocols, network protection mechanisms, and other DDoS-prevention techniques are or will be adequate to prevent network and service interruption, system failure, or data loss. In addition, computer malware, viruses, hacking, credential stuffing, social engineering, phishing, physical theft, and other attacks by third parties are prevalent in our industry. We have in the past and could in the future experience such attacks and, as a result of our increased visibility, we believe that we are increasingly a target for such breaches and attacks. In addition to our own platform and applications, some of the third parties with which we work may receive information from us, our customers, or customers' guests through web or mobile applications integrated with their platforms. If these third parties fail to adhere to adequate data security practices, or in the event of a breach of their networks, our own and our customers' data may be improperly accessed, used, or disclosed. Any actual or perceived DDoS attack or security breach of our platform, systems, and networks, or of our integrated partners, could damage our reputation and brand, expose us to a risk of litigation and possible liability, and require us to expend significant capital and other resources to respond to and alleviate problems caused by the DDoS attack or security breach. Our ability to retain adequate cyber-crime and liability insurance may be reduced. Some jurisdictions have enacted laws requiring companies to notify individuals of data security breaches involving certain types of personal data and our agreements with certain customers and partners require us to notify them in the event of a security incident. In addition, Form 8-K was modified to require the disclosure of any material cybersecurity incident. Such mandatory disclosures are costly, could lead to negative publicity, and may cause our customers to lose confidence in the effectiveness of our data security measures. Moreover, if a high-profile security breach occurs with respect to another SaaS provider or one of the service providers with which we partner, customers may lose trust in the security of the SaaS business model generally, which could adversely impact our ability to retain revenue from existing customers or attract new ones. Any of these events could harm our reputation or subject us to significant liability, and materially and adversely affect our business and financial results. Although we maintain cyber liability insurance, we cannot be certain that its coverage will be adequate for liabilities actually incurred or that insurance will continue to be available to us on acceptable terms, or at all.

We rely on open source software in our proprietary platforms, and we expect to continue to rely on open source software in our platform in the future. The terms of certain open source licenses to which we are subject have not been interpreted by U.S. or foreign courts, and there is a risk that these licenses could be construed in a manner that could impose unanticipated conditions or restrictions on our ability to commercialize our platforms. Certain open source projects that we use include other open source software, and there is a risk that this software may be subject to licensing terms inconsistent with the licensing terms of the project, resulting in uncertainties as to the governing terms for the open source software. Moreover, we cannot ensure that we have incorporated and are currently relying on open source software in our platform in a manner that is consistent with the terms of the applicable license or our current policies and procedures. Although we employ open source software license screening measures, if we were to combine our proprietary software platform with open source software in a certain manner, we could, under certain open source licenses, be required to release the source code of our proprietary platform, which could allow our customers and competitors to freely use such software solutions, without compensation to us. Additionally, we may from time to time face claims from third parties claiming ownership of, or demanding release of, the open source software or derivative works that we developed using such software, which could include our proprietary source code, or otherwise seeking to enforce the terms of the applicable open source license. These claims could result in litigation and we could be required to incur significant legal expenses defending against such allegations and could be subject to significant damages, required to comply with onerous conditions or restrictions, required to make our proprietary source code for our platform and any modifications and derivative works developed using such open source software generally available at no cost, purchase a costly license, or cease offering the implicated services unless and until we can re-engineer them to avoid use of the open source software in dispute, which could disrupt the business dependent on the affected platforms. This re-engineering process could require significant additional research and development resources, and we may not be able to complete it successfully. In addition to risks related to license requirements, use of certain open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of software. From time to time, there have been claims challenging the ownership rights in open source software against companies that incorporate it into their products, and the licensors of such open source software provide no warranties or indemnities with respect to such claims. As a result, we and our customers could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Additionally, some open source projects have known vulnerabilities and architectural instabilities and are provided on an "as-is" basis, which if not properly addressed, could negatively affect the performance of our platform. Any of these risks could be difficult to eliminate or manage and, if not addressed, could have a negative effect on our business, results of operations, and financial condition.

For the year ended December 31, 2023, our ten largest restaurant customers generated an aggregate of approximately 12% of our revenue. Although these customers enter into contracts with us, our largest customers have in the past, and may in the future, reduce or terminate their usage of our platform, reduce the number of locations using our platform, or decide not to renew their agreements with us. Our customers have in the past, and may in the future, choose to develop their own solutions that do not utilize any or all of our modules. They also may demand price reductions as their usage of our modules increases, due to competitive pressures, changes in economic conditions or otherwise, which could have an adverse impact on our gross margin. If we are unable to increase the revenue that we derive from these customers, then our business, results of operations, and financial condition may be adversely affected. We have lost in the past, and we may lose in the future, one or more of our largest restaurant customers. While no such losses have been material to date, in the event that any of our largest restaurant customers do not continue to use our platform, use fewer of our modules, use our modules in a more limited capacity, or not at all, reduce the number of locations using our platform, or if the volume of transactions processed on our platform declines, our business, results of operations, and financial condition could be adversely affected.

We have historically incurred significant costs and experienced long sales cycles when selling to customers. In the restaurant market segment, the decision to adopt our modules may require the approval of multiple technical and business decision makers, including security, compliance, operations, finance and treasury, marketing, and IT. In addition, before committing to deploy our modules at scale, restaurant customers often require extensive education about our modules and significant support time with our employees or pilot programs, engage in protracted pricing negotiations, and seek to secure development resources. Additionally, sales cycles for restaurant customers in general, and larger restaurants in particular, are inherently complex and unpredictable. These complex and resource intensive sales efforts could place additional strain on our development and engineering resources. Our standard contracts state that we will be the exclusive provider of digital ordering services to the restaurant brand, and the restaurant brand must use best efforts to ensure their operators also use Olo exclusively. However, not all of our contracts that we enter into with restaurant brands provide that we will be the exclusive provider of digital ordering services, as we have in the past and may in the future agree to waive exclusivity for various reasons. We strive for exclusivity across all locations, but because operators are not required to use Olo, we have in the past had and may in the future have some locations of a restaurant brand choose not to use our platform. Further, even after our restaurant brands contract to use our platform, individual locations or any future new locations may require extensive integration or deployment resources from us before they become active locations, which have at times extended to multiple quarterly periods following the execution of an agreement with us. Because we generally only generate transaction revenue after our platform is deployed, if we are unable to deploy our platform with our customers in a timely manner, our results of operations and financial condition may be harmed. For example, our sales cycle extended in 2022 and 2023 to be longer than we had experienced historically, and may continue to be extended, due to our restaurant customers' budgetary constraints and shifting priorities in response to labor and staffing challenges at both the operator and brand level. If we are unsuccessful in closing sales after expending significant funds and management resources, or we experience delays in the deployment of our platform to customers or incur greater than anticipated costs, our business, financial condition, and results of operations have in the past and may in the future be adversely affected.

There has been an increased focus from regulators and stakeholders on environmental, social, and governance, or ESG, matters, including greenhouse gas emissions and climate-related risks; diversity, equity, and inclusion; responsible sourcing and supply chain; human rights and social responsibility; and corporate governance and oversight. Given our commitment to ESG, we actively manage these issues and have established and publicly announced certain goals, commitments, and targets which we may refine or even expand further in the future. These goals, commitments, and targets reflect our current plans and aspirations and are not guarantees that we will be able to achieve them. Evolving stakeholder expectations and our efforts and ability to manage these issues, provide updates on them, and accomplish our goals, commitments, and targets present numerous operational, regulatory, reputational, financial, legal, and other risks, any of which may be outside of our control or could have a material adverse impact on our business, including on our reputation and stock price. Further, there is uncertainty around the accounting standards and climate-related disclosures associated with emerging laws and reporting requirements and the related costs to comply with the emerging regulations. Our failure or perceived failure to achieve our ESG goals, maintain ESG practices or comply with emerging ESG regulations that meet evolving regulatory or stakeholder expectations could harm our reputation, adversely impact our ability to attract and retain customers and talent, and expose us to increased scrutiny from the investment community and enforcement authorities. Our reputation also may be harmed by the perceptions that our stakeholders have about our action or inaction on ESG-related issues. Damage to our reputation and loss of brand equity may reduce demand for our products and services and thus have an adverse effect on our future financial results, as well as require additional resources to rebuild our reputation and could also reduce our stock price.

As of December 31, 2023, we had approximately $287.3 million of federal net operating losses, or NOLs. Approximately $20.7 million of the federal NOLs will expire at various dates beginning in 2032 through 2037 if not utilized, while the remaining amount will have an indefinite life. As of December 31, 2023, we had approximately $211.4 million of state NOLs. Of the state NOLs, some may follow the Tax Cut and Jobs Act and are indefinite-lived and most are definite-lived with various expiration dates beginning in 2025 through 2040. In addition, our federal research and development tax credits were approximately $1.5 million as of December 31, 2023. The federal research credits will begin to expire in 2036. Under current law, federal NOLs generated in taxable years ending after December 31, 2017, may be carried forward indefinitely, but the deductibility of such federal NOLs may be limited to 80% of our taxable income annually for tax years beginning after December 31, 2020. NOLs generated prior to December 31, 2017, however, have a 20-year carryforward period, but are not subject to the 80% limitation. In general, under Section 382 of the Internal Revenue Code of 1986, as amended, or the Code, a corporation that undergoes an "ownership change," as defined under Section 382 of the Code and applicable Treasury Regulations, is subject to limitations on its ability to utilize its pre-change NOLs to offset taxable income. This limitation would generally apply in the event of a cumulative change in ownership of our company of more than 50% within a three-year period. We have experienced ownership changes under Section 382 of the Code in the past, including in connection with our initial public offering, or IPO, or may experience changes in the future, in each case that could affect our ability to utilize our NOLs to offset our taxable income. Furthermore, our ability to utilize NOLs of companies that we have acquired or may acquire in the future may be subject to similar limitations. There is also a risk that due to regulatory changes, such as suspensions on the use of NOLs by federal or state taxing authorities or other unforeseen reasons, our existing NOLs could expire or otherwise be unavailable to reduce future income tax liabilities. For these reasons, we may not be able to utilize a material portion of the NOLs reflected on our balance sheet, even if we attain profitability, which could potentially result in increased future tax liability to us and could adversely affect our operating results and financial condition.

Our future performance depends on the continued services and contributions of our senior management, including our Founder and Chief Executive Officer, Noah H. Glass, and other key employees to execute on our business plan, keep our platform stable and secure, and identify and pursue new opportunities and platform innovations. The failure to properly manage succession plans or the loss of services of senior management or other key employees could significantly delay or prevent the achievement of our strategic objectives. From time to time, there may be changes in our senior management team resulting from the hiring or departure of executives, which could disrupt our business. We do not maintain key person life insurance policies on any of our employees with the exception of Noah H. Glass, our Founder and Chief Executive Officer. The loss of the services of one or more of our senior management or other key employees for any reason could adversely affect our business, financial condition, and operating results, and require significant amounts of time, training, and resources to find suitable replacements and integrate them within our business, and could affect our corporate culture. We engage the services of third parties who provide us with certain consulting services to support our business. Any failure to identify and/or retain such third parties could adversely affect our business, operating results, and financial condition and could require significant amounts of time and resources to find suitable replacements.

We rely on software licensed from, and services rendered by, third parties in order to provide our modules and run our business. Third-party software and services may not continue to be available on commercially reasonable terms, or at all. Any loss of the right to use, or any failures of, third-party software or services could result in delays in our ability to provide our modules or run our business until equivalent software or services are developed by us or, if available, identified, obtained, and integrated, which could be costly and time-consuming and may not result in an equivalent module, any of which could cause an adverse effect on our business and results of operations. Further, customers could assert claims against us in connection with such service disruption or cease conducting business with us altogether. Even if not successful, a claim brought against us by any of our customers would likely be time-consuming and costly to defend and could seriously damage our reputation and brand, making it harder for us to sell our modules.

Our financial success is dependent, in part, on the ability of our restaurant customers to increase digital ordering and maintain profitability. These customers have in the past and may in the future experience increased operating costs, including as a result of changes to food, labor, rent, energy, occupancy, insurance, and supply costs, and they may be unable to recover these costs through increased menu prices, and as a result, may cease operations. Additionally, if our restaurant customers raise prices in light of these factors, order volume may decline, which could harm our revenue and results of operations. For example, some of our restaurant customers raised prices in 2023 and we observed a decline in order volume following such price increases. Various factors beyond our control, including government regulations relating to independent contractor classifications, price controls on food delivery logistics platforms, labor shortages, supply constraints, inflation, and minimum wage increases, may also affect the total cost of digital food orders to guests. The overall cost environment for food commodities can also be volatile due to domestic and worldwide agricultural supply and demand and other macroeconomic factors that are outside of our control. If our current or future customers and partners are unable to maintain or increase digital orders or maintain profitability, our business, financial condition, and results of operations could be harmed.