DoorDash, Inc. 10-K Cybersecurity GRC - 2026-02-18

Page last updated on February 18, 2026

DoorDash, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 16:10:27 EST.

Filings

10-K filed on 2026-02-18

DoorDash, Inc. filed a 10-K at 2026-02-18 16:10:27 EST
Accession Number: 0001792789-26-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Cybersecurity risk management is an important part of our enterprise risk management program, and cybersecurity and data protection are identified as key enterprise risks in our risk assessments and periodic reporting to management and our board of directors. We have an enterprise-wide cybersecurity program that is designed to identify, protect, detect, and respond to reasonably foreseeable cybersecurity risk and threats, and continuously work to enhance and improve our cybersecurity and risk management efforts. We routinely assess material risks from cybersecurity threats and maintain incident response plans designed to protect, identify, evaluate, respond to, and recover from a cybersecurity incident. The plans are designed to be flexible so that they may be adapted to an array of potential scenarios, and provide for the creation of cross-functional cybersecurity incident response teams in the event of a cybersecurity incident. We regularly conduct exercises to help ensure our overall preparedness for a cybersecurity incident. We also have invested in tools and technologies to protect our data and information technology, and we monitor our systems on an ongoing basis to identify and assess risk. In addition, we have mandatory cybersecurity training designed to educate and train employees on how to identify and report cybersecurity threats. We also provide specialized training for employees in more sensitive roles. We take measures to assess and, where warranted, update and improve our cybersecurity program, including by regularly conducting internal risk assessments, internal control validations, independent program assessments, threat assessments, penetration testing, and scanning of our systems for vulnerabilities. Our cybersecurity risk management framework is based on applicable laws and regulations, as well as industry recognized standards and practices. Key portions of our operations undergo periodic third-party assessments against recognized industry standards and practices, such as system and organization controls 2 (SOC 2 type II), the ISO 27001 framework, and the payment card industry data security standard. We also periodically engage third-party advisors to assess the effectiveness of our cybersecurity program, policies and practices, consult with external advisors regarding opportunities and enhancements to strengthen our policies and practices, and assess our cybersecurity capabilities using third-party security firms. Our internal audit team provides independent assessment of our cybersecurity program and controls. With respect to third-party service providers, our cybersecurity program includes conducting due diligence and vendor risk assessment of relevant service providers' cybersecurity programs prior to onboarding, as well as ongoing monitoring through our third-party risk management policies and programs . We also contractually require third-party service providers with access to our information technology systems, sensitive business data, or personal information to implement and maintain appropriate security controls and provide for contractual restrictions on their ability to use our data. We work with these third-party service providers to help ensure their cybersecurity protocols are appropriate to the risk presented by their access to or use of our systems and/or data, including notification and coordination concerning incidents occurring on third-party systems that may affect us. Our service providers are contractually required to notify us promptly of security incidents that may affect our systems or data, including personal information. To date, risks from cybersecurity threats, including in connection with the cybersecurity threats and incidents we have previously disclosed, have not materially affected our business or operations. Although we have invested in the protection of our data and information technology, and monitor our systems on an ongoing basis, there can be no assurance that such efforts will be successful in preventing our information technology systems from being compromised or otherwise protecting us completely from security breaches or incidents. For additional information regarding whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please see the section titled "Risk Factors," in this Annual Report on Form 10-K, including the section titled " Risk Factors - Risks Related to Our Business and Operations- We have been subject to cybersecurity incidents in the past and anticipate being the target of future attacks. Any actual or perceived cybersecurity incident or security or privacy breach, particularly those involving our key systems, data, or critical third-party providers, could interrupt our operations, subject us to claims, litigation, regulatory investigations and liability, and adversely affect our reputation, brand, business, financial condition, and results of operations ." Governance Our board of directors is responsible for overseeing risk management for the Company and administers this responsibility both directly and with assistance from its committees. Our board of directors has designated our audit committee to administer oversight of cybersecurity risk management, which is a critical component of our enterprise risk management program. As such, our audit committee receives regular updates on our cybersecurity program and is actively involved in reviewing our cybersecurity and technology risks and opportunities, risk mitigation strategies, incident and industry trends, areas of emerging risks, and other areas of importance, including with respect to cybersecurity. Security updates are also provided to the full board of directors from time to time. The Company's cybersecurity risk management is led by our Vice President and Chief Information Security Officer ("CISO") Suha Can, who reports to our General Counsel, and is responsible for assessing and managing information security and technology risks across our global operations. Our CISO has more than 20 years of experience in cybersecurity and engineering leadership roles at technology companies, and holds degrees in software engineering and business. He is supported by experienced regional and functional security leaders who are responsible for assisting him in assessing and managing information security, technology, and related risks for our global operations. Management is responsible for assessing, identifying, and managing material cybersecurity risks. Our CISO and his globally distributed teams meet regularly with each other and with members of management to review and evaluate our cybersecurity risks and risk management program. As part of its oversight of cybersecurity risks, our audit committee receives regular updates from management on the risks and status of our security program. Additionally, our cybersecurity program has in place coordinated cybersecurity incident response processes that set forth procedures for managing and responding to cybersecurity incidents across the enterprise, including the assignment of cross-functional roles and responsibilities and protocols for the escalation of significant incidents to members of management and our audit committee.

Company Information