Cybersecurity Risk Management, Strategy, and Governance
12 Months Ended
Jan. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 1C. CYBERSECURITY

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a written data security incident response policy and a security incident response plan, which were first developed in 2017 and are periodically reviewed and updated.

We have designed and assessed our program using the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to our legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management program includes:

- a written data security incident response policy and a security incident response plan that include detailed procedures for responding to cybersecurity incidents, determining severity of cybersecurity incidents and notifying appropriate internal and external parties;
- third-party and internal risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
- a security team consisting of members of our information technology department, principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- periodic tabletop exercises involving the security team, the data security incident management team, and members of management, with special sessions for the Board of Directors;
- annual audit by a Payment Card Industry (“PCI”) qualified security risk assessor to validate our PCI-Data Security Standard (“PCI-DSS”) compliance;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
- regular cybersecurity awareness training, including social engineering and phishing testing of our employees, incident response personnel, and senior management;
- deployment of external tools designed to detect and protect against spam, malware and other cybersecurity threats and train personnel; and
- third-party security event monitoring.

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be adequate, fully complied with or effective in protecting our systems and information.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors – RISKS RELATED TO INFORMATION TECHNOLOGY, CYBERSECURITY AND DATA PRIVACY.”

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of data protection and cybersecurity risks as part of the Audit Committee’s oversight of the Company’s enterprise risk management framework. The Audit Committee regularly reports to the full Board regarding its activities, including those related to cybersecurity.

The Audit Committee receives regular reports from management on our cybersecurity risks, which include updates on trends and threats, the Company’s backup and restore systems, internal and external risk assessments, results of PCI and other security audits, and planned updates and upgrades. The Audit Committee also receives regular enterprise risk management updates, which include management of cybersecurity risks.

In accordance with our data security incident response plan, management is required to promptly update and discuss with the Audit Committee any material or potentially material cybersecurity incidents and provide an update to the Board upon determination that an incident is material. Management regularly updates the Audit Committee regarding incidents with lesser impact potential.

Our management team, including our Chief Financial Officer, Chief Technology Officer and General Counsel (the cybersecurity disclosure committee), is responsible for assessing material risks from cybersecurity threats and our General Counsel oversees any required reporting obligations and notifications. Our Chief Technology Officer has primary responsibility for overseeing our security incident response plan, including identification and initial assessment of threat levels and escalations.

Critical incidents are escalated to a cross-functional data security incident management team for review, which then escalates potentially material incidents and threats to the cybersecurity disclosure committee for determinations of materiality and Audit Committee and Board communications. Our Chief Technology Officer has over 20 years of experience with cybersecurity management response, and multiple direct reports who have 10 or more years of experience leading technology infrastructure and security incident response. Our General Counsel has over eight years of experience leading our incident response management team.

Our Chief Technology Officer is the primary point of responsibility for our cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to our legal, compliance, strategic, operational, and financial risk areas.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be adequate, fully complied with or effective in protecting our systems and information.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block] Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of data protection and cybersecurity risks as part of the Audit Committee’s oversight of the Company’s enterprise risk management framework.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee regularly reports to the full Board regarding its activities, including those related to cybersecurity.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

In accordance with our data security incident response plan, management is required to promptly update and discuss with the Audit Committee any material or potentially material cybersecurity incidents and provide an update to the Board upon determination that an incident is material. Management regularly updates the Audit Committee regarding incidents with lesser impact potential.

Cybersecurity Risk Role of Management [Text Block] Our Chief Technology Officer has primary responsibility for overseeing our security incident response plan, including identification and initial assessment of threat levels and escalations.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our Chief Technology Officer has over 20 years of experience with cybersecurity management response, and multiple direct reports who have 10 or more years of experience leading technology infrastructure and security incident response. Our General Counsel has over eight years of experience leading our incident response management team.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Management regularly updates the Audit Committee regarding incidents with lesser impact potential.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true