XML 39 R25.htm IDEA: XBRL DOCUMENT v3.25.2
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Aug. 01, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

We are committed to securing and strengthening our information systems against cybersecurity threats and protecting the privacy and security of our customer, employee, and company data. However, as outlined in “Item 1A. Risk Factors — Risks Related to IT Systems, Cybersecurity and Data Privacy” of this Annual Report on Form 10-K, we are acutely aware that cybersecurity threats are a persistent concern in today’s digital world. Despite our investments in securing our information systems, we understand that cybersecurity incidents can still occur, potentially causing material harm to our brand, business, operations, and financial condition. In light of this, we have developed a cybersecurity risk management program to identify, assess, monitor and manage cybersecurity risk.

Our Board of Directors oversees cybersecurity risk as part of its risk management function and has delegated oversight of cybersecurity risk to the Audit Committee. The Audit Committee oversees management’s implementation of our cybersecurity risk management program, including reviewing risk assessments from management and outside consultants regarding our information systems and procedures and overseeing our cybersecurity risk management processes.

The Audit Committee receives quarterly reports from management on our cybersecurity risks and is updated on any cybersecurity incidents as necessary. The Audit Committee reports on cybersecurity matters to the full Board on a regular basis. Additionally, the full Board regularly receives presentations from management and third-parties on cybersecurity topics as part of the Board's ongoing education on issues that affect public companies.

As a critical component of our cybersecurity risk management program, we have strategically integrated cybersecurity risk management into our broader enterprise risk management function to cultivate a company-wide culture of cybersecurity risk management. Our program has been designed and evaluated based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). We use the NIST CSF as a guide to identify, assess, and manage cybersecurity risks relevant to our business. Additionally, given that we accept credit cards as a form of payment, we consider the requirements of the Payment Card Industry Data Security Standards (PCI DSS) as part of our cybersecurity risk management program.

We place a high priority on cybersecurity within our organization. This includes regular cybersecurity training for employees, focusing on relevant risks to their job duties (e.g., social engineering, ransomware, denial of service, and other risks). As part of our cybersecurity risk management program, we conduct internal tests to identify potential vulnerabilities. Additionally, we organize annual tabletop exercises led by third-party consultants to enhance our readiness for different scenarios, assess our core information systems and cybersecurity practices, improve decision-making and prioritization, and promote monitoring and reporting across business functions.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

We place a high priority on cybersecurity within our organization. This includes regular cybersecurity training for employees, focusing on relevant risks to their job duties (e.g., social engineering, ransomware, denial of service, and other risks). As part of our cybersecurity risk management program, we conduct internal tests to identify potential vulnerabilities. Additionally, we organize annual tabletop exercises led by third-party consultants to enhance our readiness for different scenarios, assess our core information systems and cybersecurity practices, improve decision-making and prioritization, and promote monitoring and reporting across business functions.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Our Board of Directors oversees cybersecurity risk as part of its risk management function and has delegated oversight of cybersecurity risk to the Audit Committee. The Audit Committee oversees management’s implementation of our cybersecurity risk management program, including reviewing risk assessments from management and outside consultants regarding our information systems and procedures and overseeing our cybersecurity risk management processes.

The Audit Committee receives quarterly reports from management on our cybersecurity risks and is updated on any cybersecurity incidents as necessary. The Audit Committee reports on cybersecurity matters to the full Board on a regular basis. Additionally, the full Board regularly receives presentations from management and third-parties on cybersecurity topics as part of the Board's ongoing education on issues that affect public companies.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit Committee receives quarterly reports from management on our cybersecurity risks and is updated on any cybersecurity incidents as necessary. The Audit Committee reports on cybersecurity matters to the full Board on a regular basis. Additionally, the full Board regularly receives presentations from management and third-parties on cybersecurity topics as part of the Board's ongoing education on issues that affect public companies.
Cybersecurity Risk Role of Management [Text Block]

Our Chief Information Officer (“CIO”) is directly responsible for the implementation of our cybersecurity risk management program, and our Senior Director of Information Security reports directly to the CIO. Our CIO is additionally primarily responsible for our overall information security, strategy, policy, security engineering, architecture, operations and cybersecurity threat detection and the management of cybersecurity risk. Our CIO has over 30 years of experience in the fields of finance, technology and cybersecurity, including relevant prior senior leadership positions held with Marriott International, where he served as Global Chief Information Officer. The CIO meets with our Chief Executive Officer (“CEO”) on a weekly basis and regularly reports to our senior management, as well as directly to our Board of Directors and the Audit Committee, regarding our cybersecurity risk and risk management.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Information Officer (“CIO”)
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CIO is additionally primarily responsible for our overall information security, strategy, policy, security engineering, architecture, operations and cybersecurity threat detection and the management of cybersecurity risk. Our CIO has over 30 years of experience in the fields of finance, technology and cybersecurity, including relevant prior senior leadership positions held with Marriott International, where he served as Global Chief Information Officer. The CIO meets with our Chief Executive Officer (“CEO”) on a weekly basis and regularly reports to our senior management, as well as directly to our Board of Directors and the Audit Committee, regarding our cybersecurity risk and risk management.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

We continuously monitor cybersecurity risks and adjust our cybersecurity risk management program and practices as needed. As part of our program, we occasionally identify risks or threats to our systems, including ransomware and attempts to obtain team member credentials through both phishing attacks or social engineering. While these risks and threats require active and ongoing efforts to mitigate, we have not identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our operations, business strategy, or financial condition.

Our Chief Information Officer (“CIO”) is directly responsible for the implementation of our cybersecurity risk management program, and our Senior Director of Information Security reports directly to the CIO. Our CIO is additionally primarily responsible for our overall information security, strategy, policy, security engineering, architecture, operations and cybersecurity threat detection and the management of cybersecurity risk. Our CIO has over 30 years of experience in the fields of finance, technology and cybersecurity, including relevant prior senior leadership positions held with Marriott International, where he served as Global Chief Information Officer. The CIO meets with our Chief Executive Officer (“CEO”) on a weekly basis and regularly reports to our senior management, as well as directly to our Board of Directors and the Audit Committee, regarding our cybersecurity risk and risk management.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true