DigitalOcean Holdings, Inc. 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

DigitalOcean Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:28:07 EST.

Filings

10-K filed on 2026-02-24

DigitalOcean Holdings, Inc. filed a 10-K at 2026-02-24 16:28:07 EST
Accession Number: 0001582961-26-000019


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program, which includes administrative, technical and physical safeguards designed to maintain the confidentiality, integrity and availability of company and customer information. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas, including the involvement of cross-functional teams and, depending on the nature and severity of an incident, an escalation path to notify our executive and senior management teams and our Board of Directors. We have an established process and playbook led by our chief information security officer ("CISO") governing our assessment, response and notifications internally and externally upon the occurrence of a cybersecurity incident. We undertake reassessments of the Company's risk profile periodically or as needed and may make certain adjustments to our security controls based on such assessments to further enhance our security posture.

Our cybersecurity risk management program includes:

- a risk assessment methodology designed to escalate cybersecurity risks to the appropriate channels within our organization in order to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
- a security department, including our CISO and experienced information systems security professionals and information security managers, divided into three teams: (1) security operations, which is responsible for responding to abuse on our platform, digital forensics and incident response, and threat intelligence; (2) security engineering, which is responsible for security data analysis and observability on our infrastructure and product offerings; and (3) trust and governance, which is responsible for privacy and security regulatory compliance and risk management;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents and escalating cybersecurity incidents to cross-functional teams, management and our Board of Directors;
- deployment of technical safeguards that are designed to protect our platform, customers, employees and systems from cybersecurity threats. We maintain cybersecurity insurance that provides coverage for cyber breaches, cyber-crime, and related matters;
- the imposition of contractual obligations related to cybersecurity on our third-party vendors. In addition, we assess the security profile of those vendors that store, process or have access to sensitive data through questionnaires and data flow risk assessments;
- securing data going to third-party vendors and, depending on the nature of the services provided, the sensitivity of the data at issue and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider, including through the use of monitoring tools, threat intelligence tools, and data protection tools. We actively monitor, manage and configure our systems to protect our data against any vulnerabilities we find;
- continuous monitoring of our infrastructure network for vulnerabilities and threats through our security observability platform;
- a system to proactively identify risks that may threaten customer information and utilize both internal and external resources to perform a variety of vulnerability and penetration testing on the platforms, systems and applications used to provide our products and services;
- engagement of third party experts to assist in assessing, managing and reviewing various risks from cybersecurity threats and incidents, including to perform independent audits of our data centers, to conduct adversary simulations and to perform network penetration tests periodically;
- mandatory periodic cybersecurity awareness training for all of our employees and consultants, covering key threats and measures to take to protect their own data and the data of the company in addition to role-specific training for security personnel; and
- a privacy compliance program governing personal data we collect from and how we use, share and store such data, including implementation of measures to collect personal data only to the extent necessary for legitimate business purposes.

Our cybersecurity risk management program is designed to be adaptable in order to respond to an evolving landscape of emerging threats and available technology. Our security controls and cybersecurity risk management program are evaluated through data gathering and analysis of emerging threats from internal and external incidents and technology investments.

To date, we believe that the risks from identified cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. See Part I, Item 1A. "Risk Factors" for a more comprehensive description of risks related to cybersecurity.

Cybersecurity Governance

Our Board has overall oversight responsibility for our risk management and delegated cybersecurity risk management oversight to the Audit Committee of the Board. The Audit Committee oversees management's implementation of our cybersecurity risk management program. Our CISO is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Audit Committee on a regular basis and briefing the full Board on cybersecurity risk oversight activities and preparedness efforts on an annual basis, as well as on an ad hoc basis upon request.

Our security teams have a wealth of cross-industry, government, and national defense experience. We employ qualified and certified security practitioners with specialized skill sets in security engineering, incident response, forensics, and threat management. Our CISO has more than a decade of experience leading highly technical security teams that evolve with the technology and threat landscape.

Our security and legal teams oversee our information security and privacy practices and are responsible for identifying and proactively addressing security and privacy risks on an ongoing basis, establishing processes to help ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and incident response plans and maintaining cybersecurity programs. We maintain an in depth incident response plan that includes a process for identifying, containing and removing any threats and vulnerabilities and a plan to recover and restore normal business operations following an incident. Members of the security team are always on call to be able to address any issues that arise.

In addition to our cybersecurity incident response plan and program, we maintain a cybersecurity incident disclosure framework designed to support timely disclosure of cybersecurity incidents, including those that may reasonably be expected to have a material impact on the Company, in compliance with applicable security laws. Under this framework, potential cybersecurity incidents are evaluated by our information security and legal teams, and incidents that may be material are referred to a cross-functional materiality assessment team for further evaluation. Our General Counsel reviews and confirms the determination by our materiality assessment team. If an incident is determined to be material, executive management and the Board of Directors are informed accordingly by our General Counsel, and the Company makes any required disclosures pursuant to applicable security laws.

To support our preparedness to appropriately respond to cybersecurity incidents, the respective cross-functional teams meet periodically or as needed and conduct simulations of cybersecurity incidents to test its procedures.

Our executive and senior management teams, including our chief executive officer, chief financial officer and CISO, supervise these efforts to prevent, detect, mitigate, remediate, and comply with required disclosures regarding cybersecurity risks and incidents, through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.


Company Information

Name: DigitalOcean Holdings, Inc.
CIK: 0001582961
SIC Description: Services-Computer Programming, Data Processing, Etc.
Ticker: DOCN - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: December 31