Amplitude (AMPL) Risk Factors

We collect and maintain information in digital form that is necessary to conduct our business, and we are increasingly dependent on information technology systems and infrastructure to operate our business. In the ordinary course of our business, we collect, store and transmit large amounts of confidential information, including intellectual property, proprietary business information, and personal information (collectively, "Confidential Information") of customers and our employees and contractors. Our platform also stores, transmits, and processes our customers' proprietary data, including personal or identifying information of their customers or employees. Unauthorized disclosure of, access to, or security breaches of our platform or our information technology systems could result in the loss of Confidential Information, loss of business, severe reputational damage adversely affecting customer or investor confidence, damage to our brand, diversion of management's attention, regulatory investigations, and orders, litigation, indemnity obligations, damages for contract breach, penalties for violation of applicable laws or regulations, significant costs for remediation that may include liability for stolen assets or information and repair of system damage that may have been caused, incentives offered to customers or other business partners in an effort to maintain business relationships after a breach, and other liabilities. We have incurred, and expect to continue to incur, significant expenses to prevent security breaches, including deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants. Even though we do not control the security measures of third parties who may have access to our Confidential Information or our platform, we may be responsible for any breach of such measures or suffer reputational harm even where we do not have recourse to the third party that caused the breach. In addition, any failure by our vendors to comply with applicable law or regulations could result in proceedings against us by governmental entities or others. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with, or effective in protecting our systems and information and despite the implementation of security measures, our information technology systems, as well as those of third parties with which we have relationships, are not fully secure from, and may be vulnerable to, cyberattacks, denial and degradation-of-service attacks, ransomware attacks, business email compromises, computer malware, malicious code, viruses, and social engineering (including phishing) which are prevalent in our industry and our customers' industries. In addition, we as well as those third parties with which we have relationships, may experience attacks, unavailable systems, unauthorized access to systems or data, or disclosure due to natural disasters, terrorism, war, telecommunication and electrical failures, hacking, employee theft or misuse, human error, fraud, denial and degradation-of-service attacks, sophisticated nation-state and nation-state-supported actors, and advanced persistent threat intrusions. Electronic security attacks designed to gain access to personal, sensitive, or confidential data are increasing in number, constantly evolving, and such attacks continue to grow in sophistication. The techniques used to sabotage, or to obtain unauthorized access to, our platform, information technology systems, networks, or physical facilities in which Confidential Information is stored or through which Confidential Information is transmitted change frequently, and we may be unable to implement adequate preventative measures or stop security breaches while they are occurring. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. As a result of our continued hybrid work environment, we may also face increased cybersecurity risks due to our reliance on internet technology and the number of our and our service providers' employees who are, and may continue, working remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities. We have previously been, and may in the future become, the target of cyberattacks by third parties seeking unauthorized access to our Confidential Information or to disrupt our operations or ability to provide our services. We and certain of our vendors are from time to time subject to cyberattacks and security incidents. While we do not believe that we have experienced any significant system failure, accident, or security breach to date, if such an event were to occur and cause interruptions in our operations, it could result in a material disruption of our business operations, whether due to a loss, corruption, or unauthorized disclosure of our Confidential Information or other similar disruptions. Such an event could also expose us to risks,including an inability to provide our services and fulfill contractual demands, and could cause management distraction and the obligation to devote significant financial and other resources to mitigate such problems, which would increase our future information security costs, including through organizational changes, deploying additional personnel, reinforcing administrative, physical, and technical safeguards, further training of employees, changing third-party vendor control practices, and engaging third-party subject matter experts and consultants and reduce the demand for our technology and services. Because data security is a critical competitive factor in our industry, we make numerous statements in our customer contracts, privacy policies, terms of service, and marketing materials providing assurances about the security of our platform, including detailed descriptions of security measures we employ. Should any of these statements be untrue or become untrue, even in circumstances beyond our reasonable control, we may face claims of misrepresentation or deceptiveness by the U.S. Federal Trade Commission (the "FTC"), state, federal, and foreign regulators, and private litigants. Further, we have contractual and legal obligations to notify relevant stakeholders of security breaches. Most jurisdictions have enacted laws requiring companies to notify individuals, regulatory authorities, and others of security incidents or data breaches involving certain types of data. For example, we are subject to an increasing number of reporting obligations in respect of material cybersecurity incidents. These reporting requirements have been proposed or implemented by a number of regulators in different jurisdictions, may vary in their scope and application, and could contain conflicting requirements. Certain of these rules and regulations may require us to report a cybersecurity incident before we have been able to fully assess its impact or remediate the underlying issue. Efforts to comply with such reporting requirements could divert management's attention from our incident response and could potentially reveal system vulnerabilities to threat actors. Failure to timely report incidents under these rules could also result in monetary fines, sanctions, or subject us to other forms of liability. In addition, our agreements with certain customers may require us to notify them in the event of a security incident or data breach. Such mandatory disclosures are costly, could lead to negative publicity, may cause our customers to lose confidence in the effectiveness of our security measures, and require us to expend significant capital and other resources to respond to, or alleviate problems caused by, the actual or perceived security incident or data breach and otherwise comply with the multitude of foreign, federal, state, and local laws and regulations relating to the unauthorized access to, or use or disclosure of, personal information. Additionally, as a result of a breach or other security incident, we could be subject to demands, claims, and litigation by private parties and investigations, related actions, and penalties by regulatory authorities. Further, if we fail to detect or remediate a security breach in a timely manner, or a breach otherwise affects a large amount of Confidential Information, or if we suffer a cyberattack that impacts our ability to operate our platform, we may suffer damage to our reputation and our brand, and our business, financial condition, and results of operations may be materially adversely affected. Further, although we maintain insurance coverage, our insurance coverage may not be adequate for data security breaches, indemnification obligations, or other liabilities. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to any future claim. Our risks are likely to increase as we continue to expand our platform, grow our customer base, and process, store, and transmit increasingly large amounts of Confidential Information.

We are subject to numerous federal, state, local, and foreign privacy and data protection laws, regulations, policies, and contractual obligations that apply to the collection, transmission, storage, processing, sharing, disclosure, security, and use of personal information or personal data which, among other things, impose certain requirements relating to the privacy and security of personal information and other data. Laws and regulations governing privacy and data protection, the use of the internet as a commercial medium, the use of data in AI and ML, and data sovereignty requirements are rapidly evolving, extensive, complex, and include inconsistencies and uncertainties and may conflict with other rules or our practices. Further, new laws, rules, and regulations could be enacted with which we are not familiar or with which our current practices do not comply. We may incur significant expenses to comply with the laws, regulations, and other obligations that apply to us. For example, the GDPR went into effect in May 2018 and imposes stringent data protection requirements for processing the personal data of individuals within the EEA or in the context of our activities within the EEA, including certain disclosure requirements, limitations on retention of personal data, mandatory data breach notification requirements, and additional obligations. Non-compliance with the GDPR can trigger fines of up to the greater of €20 million or 4% of our global annual turnover. Among other requirements, the GDPR regulates transfers of personal data subject to the GDPR to third countries that have not been found to provide adequate protection to such personal data, including the United States, and the efficacy and longevity of current transfer mechanisms between the EEA and the United States remains uncertain. Case law from the Court of Justice of the European Union ("CJEU") states that reliance on the standard contractual clauses-a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism-alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. The European Commission adopted its Adequacy Decision in relation to the new E.U.-U.S. Data Privacy Framework ("DPF") on July 10, 2023, rendering the DPF effective as a GDPR transfer mechanism to U.S. entities self-certified under the DPF. We expect the regulatory guidance and enforcement landscape to continue to develop, in relation to transfers to the United States and elsewhere. As a result, we may have to make certain operational changes and we will have to implement revised standard contractual clauses and other relevant documentation for existing data transfers within required time frames. Since the beginning of 2021, companies have also had to comply with both the GDPR and the UK GDPR, which, together with the amended UK Data Protection Act 2018, retains the GDPR in U.K. national law. The UK GDPR mirrors the fines under the GDPR, imposing fines up to the greater of €20 million (£17.5 million) or 4% of a non-compliant undertaking's annual global revenue for the preceding financial year. On October 12, 2023, the UK Extension to the DPF came into effect (as approved by the U.K. Government), as a data transfer mechanism from the United Kingdom to U.S. entities self-certified under the DPF. As we continue to expand into other foreign countries and jurisdictions, we may be subject to additional laws and regulations that may affect how we conduct business. In addition to the European Union and United Kingdom, a growing number of other global jurisdictions are considering, or have passed, legislation implementing data protection requirements or requiring local storage and processing of data or similar requirements that could increase the cost and complexity of delivering our platform, particularly as we expand our operations internationally. Some of these laws, such as the General Data Protection Law in Brazil, or the Act on the Protection of Personal Information in Japan, impose similar obligations as those under the GDPR. Others, such as those in Russia, India, and China, could potentially impose more stringent obligations, including data localization requirements. If we are unable to develop and offer features that meet legal requirements or help our customers meet their obligations under the laws or regulations relating to privacy, data protection, or information security, or if we violate or are perceived to violate any laws, regulations, or other obligations relating to privacy, data protection, or information security, we may experience reduced demand for our Digital Analytics Platform, harm to our reputation, and could become subject to investigations, claims, and other remedies, which would expose us to significant fines, penalties, and other damages, all of which would harm our business. Further, given the breadth and depth of changes in global data protection obligations, compliance has caused us to expend significant resources, and such expenditures are likely to continue into the future as we continue our compliance efforts and respond to new interpretations and enforcement actions. The data protection landscape is also rapidly growing and evolving in the United States. As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the "CCPA"), requires covered businesses that process the personal information of California residents to, among other things: (i) provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information, (ii) receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information, and (iii) enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. Additional compliance investment and potential business process changes may be required. Similar laws have been passed in other states and are continuing to be proposed at the state and federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws may have potentially conflicting requirements that would make compliance challenging. Furthermore, the FTC and many state Attorneys General continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination, and security practices that appear to be unfair or deceptive. For example, according to the FTC, failing to take appropriate steps to keep consumers' personal information secure can constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Additionally, federal and state consumer protection laws are increasingly being applied by FTC and states' attorneys general to regulate the collection, use, storage, and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content. There are also a number of legislative proposals in the United States, at both the federal and state level, and in the European Union and elsewhere, that could impose new obligations in areas such as e-commerce and other related legislation or liability for copyright infringement by third parties. We cannot yet determine the impact that these future laws, regulations, and standards may have on our business. Although we work to comply with applicable laws, regulations, and standards, our contractual obligations, and other legal obligations, these requirements are evolving and may be modified, interpreted, and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another or other legal obligations with which we must comply. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in additional costs and liability to us and damage to our reputation, and could adversely affect our business and results of operations. In addition, if our practices are not consistent, or viewed as not consistent, with legal and regulatory requirements, including changes in laws, regulations, and standards or new interpretations or applications of existing laws, regulations, and standards, we may also become subject to audits, inquiries, whistleblower complaints, adverse media coverage, investigations, or criminal or civil sanctions, all of which may harm our business, financial condition, and results of operations.

The market for applications that look to address digital analytics is fragmented, rapidly evolving, and highly competitive, with relatively low barriers to entry. As this market continues to mature and new technologies and competitors enter the market, we expect competition to intensify. We face competition from: - large companies that have greater name recognition, much longer operating histories, more established customers and commercial partners, and significantly greater resources than we do, such as larger sales forces and marketing budgets, broader distribution networks and global presence, and more mature intellectual property portfolios;- in-house software systems;- large integrated systems vendors;- smaller companies offering alternative SaaS applications; and - new or emerging entrants seeking to develop competing technologies. Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, or customer requirements. With the introduction of new technologies, the evolution of our Digital Analytics Platform, and new market entrants, we expect competition to intensify in the future. Pricing pressures and increased competition generally could result in reduced sales, reduced margins, financial losses, or the failure of our Digital Analytics Platform to achieve or maintain more widespread market acceptance, any of which could harm our business. Our competitors vary in size and in the breadth and scope of the products and services they offer. Further, other established SaaS providers not currently focused on digital analytics may expand their services to compete with us. Many of our current and potential competitors have established marketing relationships, access to larger customer bases, pre-existing customer relationships, and major distribution agreements with consultants, system integrators, and resellers. Certain of our competitors have partnered with, or have acquired, and may in the future partner with or acquire, other competitors to offer services, leveraging their collective competitive positions, which makes, or would make, it more difficult to compete with them. For all of these reasons, we may not be able to compete successfully against our current and future competitors, which would harm our business. For more information about the competitive landscape in which we operate, see "Part I, Item 1. Business-Competition" in our 2023 Form 10-K.

We believe that maintaining and enhancing our reputation as a differentiated and category-defining company in digital analytics is critical to our relationships with our existing customers and to our ability to attract new customers. The successful promotion of our brand attributes will depend on a number of factors, including our marketing efforts, our ability to ensure that our platform remains reliable and secure, our ability to continue to develop high-quality software, and our ability to successfully differentiate our Digital Analytics Platform from competitive products and services. In addition, independent industry analysts often provide reviews of our Digital Analytics Platform, as well as products and services offered by our competitors, and the market perception of our Digital Analytics Platform may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors' products and services, our brand may be adversely affected. It may also be difficult to maintain and enhance our brand in connection with sales through channel or strategic partners. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets, and as more sales are generated through our channel partners. To the extent that these activities yield increased revenue, this revenue may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand, our business may not grow, we may have reduced pricing power relative to competitors, and we could lose customers or fail to attract potential customers, all of which would materially adversely affect our business, financial condition, and results of operations.

For the year ended December 31, 2023 and the nine months ended September 30, 2024 and 2023, 39%, 40% and 39% of our revenue was generated outside the United States, respectively. A component of our growth strategy involves the further expansion of our operations and customer base internationally, which will require significant dedication of management attention and financial resources. We are continuing to adapt to and develop strategies to address international markets, but there is no guarantee that such efforts will have the desired effect. Our sales organization outside the United States is substantially smaller than our sales organization in the United States, and, to date, only a very small portion of our sales has been driven by resellers or other channel partners. To the extent we are unable to effectively engage with non-U.S. customers due to our limited sales force capacity and limited channel partners, we may be unable to effectively grow in international markets. Our current and future international business and operations involve a variety of risks, including: - slower than anticipated public cloud adoption by international businesses;- changes, which may be unexpected, in a specific country's or region's political, economic, or legal and regulatory environment, including Brexit, armed conflicts, pandemics, terrorist activities, tariffs, trade wars, or long-term environmental risks;- the need to adapt and localize our Digital Analytics Platform for specific countries;- longer payment cycles and greater difficulty enforcing contracts, collecting accounts receivable, or satisfying revenue recognition criteria, especially in emerging markets;- new, evolving, and more stringent regulations relating to privacy and data security and the unauthorized use of, or access to, commercial and personal information, particularly in Europe;- differing and potentially more onerous labor regulations, especially in Europe, where labor laws are generally more advantageous to employees as compared to the United States, including deemed hourly wage and overtime regulations in these locations;- challenges inherent in efficiently managing, and the increased costs associated with, an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, benefits, and compliance programs that are specific to each jurisdiction;- difficulties in managing a business in new markets with diverse cultures, languages, customs, legal systems, alternative dispute systems, and regulatory systems;- increased travel, real estate, infrastructure, and legal compliance costs associated with international operations;- currency exchange rate fluctuations and the resulting effect on our revenue and expenses, and the cost and risk of entering into hedging transactions if we choose to do so in the future;- limitations on our ability to reinvest earnings from operations in one country to fund the capital needs of our operations in other countries;- laws and business practices favoring local competitors or general market preferences for local vendors;- limited or insufficient intellectual property protection or difficulties obtaining, maintaining, protecting, or enforcing our intellectual property rights, including our trademarks and patents;- global political, social or macroeconomic events, including the war in Ukraine, the conflict in the Middle East, and potential public health epidemics or pandemics, that could decrease economic activity in certain markets, decrease use of our products and services, or decrease our ability to import, export, or sell our products and services to existing or new customers in international markets;- exposure to liabilities under export control, economic and trade sanctions, anti-corruption, and anti-money laundering laws, including the Export Administration Regulations, regulations administered by the Office of Foreign Assets Control, the U.S. Foreign Corrupt Practices Act ("FCPA"), U.S. bribery laws, the UK Bribery Act, and similar laws and regulations in other jurisdictions;- increased financial accounting and reporting burdens and complexities;- requirements or preferences for domestic products;- differing technical standards, existing or future regulatory and certification requirements, and required features and functionality;- burdens of complying with laws and regulations related to privacy and data security, including the E.U. General Data Protection Regulation ("GDPR") and similar laws and regulations in other jurisdictions; and - burdens of complying with laws and regulations related to taxation, and regulations, adverse tax burdens, and foreign exchange controls that could make it difficult to repatriate earnings and cash. If we invest substantial time and resources to further expand our international operations and are unable to do so successfully and in a timely manner, our business, financial condition, and results of operations could be materially adversely affected.

We conduct transactions, particularly intercompany transactions, in currencies other than the U.S. dollar. While we have primarily transacted with customers and vendors in U.S. dollars, we have transacted in foreign currencies for subscriptions to our Digital Analytics Platform, and we expect to significantly expand the number of transactions with customers for our Digital Analytics Platform that are denominated in foreign currencies. A portion of our operating expenses are incurred outside the United States, denominated in foreign currencies, and subject to fluctuations due to changes in foreign currency exchange rates, particularly changes in the Euro, British Pound, Canadian Dollar, Singapore Dollar, Australian Dollar, and Japanese Yen. In addition, our international subsidiaries maintain net assets denominated in currencies other than the functional operating currencies of these entities. Accordingly, changes in the value of foreign currencies relative to the U.S. dollar can affect our results of operations due to transactional and translational remeasurements. As a result of these foreign currency exchange rate fluctuations, it could be more difficult to detect underlying trends in our business and results of operations. To the extent that fluctuations in currency exchange rates cause our results of operations to differ from our expectations or the expectations of our investors, the trading price of our Class A common stock could be adversely affected. We do not currently maintain a program to hedge transactional exposures in foreign currencies. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of these hedging instruments may not offset any, or more than a portion of, the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place, and may introduce additional risks if they are not structured effectively. In addition, our international subsidiaries maintain net assets denominated in currencies other than the functional operating currencies of these entities. Accordingly, changes in the value of foreign currencies relative to the U.S. dollar can affect our revenue and results of operations due to transactional and translational remeasurements. As a result of these foreign currency exchange rate fluctuations, it could be more difficult to detect underlying trends in our business and results of operations. To the extent that fluctuations in currency exchange rates cause our results of operations to differ from our expectations or the expectations of our investors, the trading price of our Class A common stock could be adversely affected.

We have experienced net losses in each period since inception. We generated net losses of $90.4 million for the fiscal year ended December 31, 2023 and $61.7 million and $71.8 million for the nine months ended September 30, 2024 and 2023, respectively. As of September 30, 2024, we had an accumulated deficit of $425.3 million. We expect our costs and expenses to increase in future periods. In particular, we intend to continue to invest significant resources in: - the development of our Digital Analytics Platform, including investments in our research and development team, the development or acquisition of new products, features, and functionality, and improvements to the scalability, availability, and security of our platform;- our technology infrastructure, including expansion of our activities in third-party data centers that we may lease, enhancements to our network operations and infrastructure, and hiring of additional employees;- sales and marketing;- additional international expansion, in an effort to increase our customer base and sales; and - general administration, including legal, accounting, and other expenses. In addition, part of our business strategy is to focus on our long-term growth. As a result, our profitability may be lower in the near term than it would be if our strategy was to maximize short-term profitability. Significant expenditures on sales and marketing efforts, expanding our platform, products, features, and functionality, and expanding our research and development, each of which we intend to continue to invest in, may not ultimately grow our business or result in long-term profitability. If we are ultimately unable to achieve profitability at the level anticipated by industry or financial analysts and our stockholders, the trading price of our Class A common stock may decline. Our efforts to grow our business may be costlier than we expect, or our revenue growth rate may be slower than we expect, and we may not be able to increase our revenue enough to offset the increase in operating expenses resulting from these investments. If we are unable to continue to grow our revenue, the value of our business and Class A common stock may significantly decrease.