Asana (ASAN) Risk Analysis

There is considerable patent and other intellectual property development activity in our industry. Our competitors, as well as a number of other entities, including non-practicing entities and individuals, may own or claim to own intellectual property relating to our industry. As we face increasing competition and our public profile increases, the possibility of intellectual property rights claims against us may also increase. From time to time, our competitors or other third parties have claimed, and may in the future claim, that we are infringing upon, misappropriating, or violating their intellectual property rights, even if we are unaware of the intellectual property rights that such parties may claim cover our platform or some or all of the other technologies we use in our business. The costs of supporting such litigation, regardless of merit, are considerable, and such litigation may divert management and key personnel's attention and resources, which might seriously harm our business, results of operations, and financial condition. We may be required to settle such litigation on terms that are unfavorable to us. For example, a settlement may require us to obtain a license to continue practices found to be in violation of a third party's rights, which may not be available on reasonable terms and may significantly increase our operating expenses. A license to continue such practices may not be available to us at all. As a result, we may also be required to develop alternative non-infringing technology or practices or discontinue the practices. The development of alternative non-infringing technology or practices would require significant effort and expense. Similarly, if any litigation to which we may be a party fails to settle and we go to trial, we may be subject to an unfavorable judgment which may not be reversible upon appeal. For example, the terms of a judgment may require us to cease some or all of our operations or require the payment of substantial amounts to the other party. Any of these events would cause our business and results of operations to be materially and adversely affected as a result. We are also frequently required to indemnify our reseller partners and customers in the event of any third-party infringement claims against our customers and third parties who offer our platform, and such indemnification obligations may be excluded from contractual limitation of liability provisions that limit our exposure. These claims may require us to initiate or defend protracted and costly litigation on behalf of our customers and reseller partners, regardless of the merits of these claims. If any of these claims succeed, we may be forced to pay damages on behalf of our customers and reseller partners, may be required to modify our allegedly infringing platform to make it non-infringing, or may be required to obtain licenses for the products used. If we cannot obtain all necessary licenses on commercially reasonable terms, our customers may be forced to stop using our platform, and our reseller partners may be forced to stop selling our platform.

Our platform integrates generative AI and machine learning technology into certain features that we offer to our customers. The rapid evolution of AI and machine learning technologies require dedicated resources to develop, test, and maintain our product offerings and to help responsibly integrate such technologies into certain features to minimize unintended or harmful impacts to our customers. Uncertainty around new and emerging AI and machine learning technologies may require additional investment in the development of proprietary datasets, machine learning models, and systems to test for accuracy, bias, and other variables, which are often complex, may be costly,and could impact our profit margin as we expand the use of AI and machine learning technologies in our products. There are significant risks involved in developing, maintaining, and deploying these technologies internally and/or to customers and there can be no assurance that such technologies will enhance our products or benefit our customers or business. Our ability to continue to develop or use such technologies may be dependent on our access to technology offered by vendors and specific third-party software and infrastructure providers, such as processing hardware or third-party AI models, and we cannot control the quality, availability, or cost of such vendor offerings or third-party software and infrastructure offerings. We face competition from other companies in our industry who use similar machine learning technologies. Failure to offer or deploy new AI or machine learning technologies as quickly or effectively as our competitors could adversely affect our business. In addition, market acceptance and consumer perceptions of AI and machine learning technologies are currently fast-evolving and therefore remain uncertain. For example, AI technologies, including generative AI, may create content or information that appears correct but is factually inaccurate or flawed. The use of AI technologies also presents emerging ethical and social issues. If we enable or offer solutions that draw scrutiny or controversy due to their perceived or actual negative impact on our customers, we may experience brand or reputational harm, competitive disadvantages, consumer complaints, legal liability, and other adverse consequences, any of which could materially adversely affect our business, results of operations, and financial condition.

We receive, process, store, and use business and personal information belonging to individuals who interact with Asana, including our users and prospective, current, and former customers. There are numerous federal, state, local, and foreign laws and regulations regarding privacy, data protection, security and the storing, sharing, use, processing, disclosure, and protection of business and personal information. These laws continue to evolve in scope and are subject to differing interpretations, and may contain inconsistencies or pose conflicts with other legal requirements. Preparing for and attempting to comply with these laws and other obligations requires significant resources and, potentially, changes to our technologies, systems, and practices and those of any third parties that process personal information on our behalf. We seek to comply with applicable laws, regulations, policies, legal obligations, contracts, and industry standards and have developed privacy notices and policies, data processing addenda, and internal privacy procedures to reflect such compliance. However, it is possible that these obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. Failure or perceived failure by us to comply with our privacy notices and policies, privacy-related obligations to users, customers, or other third parties, or our privacy-related legal obligations, or any data compromise that results in the accidental or unauthorized release, misuse, or transfer of business or personal information or other user or customer data, may result in domestic or foreign governmental enforcement actions, investigations, penalties, audits, inspections, fines, injunctions, litigation, or public statements against us by our users, customers, consumers, regulators, consumer advocacy groups, or others, which would have an adverse effect on our reputation and business. We could also incur significant costs investigating and defending such claims and, if we are found liable, significant damages. Foreign privacy, data protection, and security laws have become more stringent in recent years, are undergoing a period of rapid change, and may increase the costs and complexity of offering our products and services in new and existing geographies. For example, the European Union's General Data Protection Regulation 2019/679 ("the EU GDPR"), the EU GDPR as it forms part of United Kingdom ("UK") law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), Australia's Privacy Act, and Canada's Personal Information Protection and Electronic Documents Act, impose strict requirements for processing personal information. European privacy, data protection, and security laws, including the EU GDPR and UK GDPR impose significant and complex burdens on processing personal information, provide for robust regulatory enforcement, and contemplate significant penalties for noncompliance. Non-compliance with the EU GDPR and UK GDPR can trigger fines of up to the greater of €20 million (£17.5 million for the UK GDPR) or 4% of our global revenues, restrictions or prohibitions on data processing, and exposure to private right of action and enforcement mechanisms including extensive audit and inspection rights, or private litigation related to processing of personal information brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. Globally, certain jurisdictions have enacted data residency or data localization laws and have imposed requirements for cross-border transfers of personal information. For example, the cross-border transfer landscape in Europe is currently unstable and other countries outside of Europe have enacted or are considering enacting cross-border data transfer restrictions and laws requiring data residency or other restrictions around the location of the storage and processing of data, which could increase the cost and complexity of doing business. The EU GDPR generally restricts the transfer of personal information to countries outside of the EEA, such as the United States, which are not considered by the European Commission to provide an adequate level of privacy, data protection, and security. In addition, Swiss and UK law contain similar data transfer restrictions as the EU GDPR. Although there are currently valid mechanisms available to transfer data from the EEA and the UK to the United States in compliance with law, such as the EEA standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges and there remains some uncertainty regarding the future of these cross-border data transfers. If we cannot implement a valid compliance mechanism for cross-border personal information transfers, we may face increased exposure to regulatory actions, substantial fines, and injunctions against processing or transferring personal information from the EEA, UK, or elsewhere. Inability to import personal information to the United States may significantly and negatively impact our business operations, including limiting our ability to collaborate with service providers, contractors, and other companies subject to European and other privacy, data protection, and security laws; or requiring us to increase our data processing capabilities in Europe or elsewhere at significant expense. Furthermore, rules regarding the use of online cookies and similar online trackers in the European Union are becoming more stringent in terms of the advance consent companies must obtain from data subjects before such trackers can be placed on browsers. Other regions of the world have likewise adopted privacy regulations that may result in increased restrictions on cookie collection and use, and fines for noncompliance. These developments may impact our analytics and advertising activities and our ability to analyze how users interact with our services. In addition to the European Union, a growing number of other global jurisdictions, such as Brazil, Japan, India and Canada, are considering or have passed legislation implementing privacy, data protection, and security requirements or requiring local storage and processing of data or similar requirements that could increase the cost and complexity of delivering our platform, particularly as we expand our operations internationally. Some of these laws, such as the General Data Protection Law in Brazil, or the Act on the Protection of Personal Information in Japan, impose similar obligations as those under the EU GDPR. Domestic privacy, data protection, security, and consumer protection legislation is also becoming increasingly common in the United States. In the past few years, numerous U.S. states-including California, Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal information such as the right to access, correct, or delete certain personal information, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal information, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CPRA") (collectively, "CCPA") requires companies that process information of consumers, business representatives, and employees who are California residents to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain individual privacy rights. The CCPA provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Similar laws are being considered in other states and at the federal and local levels, and we expect more states to pass similar laws in the future. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging, and increase legal risk and compliance costs for us and the third parties upon whom we rely. Furthermore, the Federal Trade Commission and many state attorneys general continue to enforce federal and state consumer protection laws against companies and individuals for online data collection, use, dissemination, and security and privacy practices that appear to be unfair or deceptive. We also publish privacy policies, marketing materials, and other statements, such as compliance with certain certifications or self-regulatory principles, regarding privacy, data protection, and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may become subject to investigation, enforcement actions by regulators, or other adverse consequences. There are a number of legislative proposals in the United States, at both the federal and state level, and in the European Union and more globally, that could impose new obligations in areas such as e-commerce and other related legislation or liability for copyright infringement by third parties. We cannot yet determine the impact that future laws, regulations, and standards may have on our business. In addition to privacy, data protection, and security laws, we are or may become contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. We are also bound by other contractual obligations related to privacy, data protection, and security, and our efforts to comply with such obligations may not be successful. We use artificial intelligence, including generative artificial intelligence, in our products and services. The development and use of artificial intelligence present various privacy, data protection, and security risks that may impact our business. Artificial intelligence technology is subject to existing privacy, data protection, and security laws, and may be subject to additional new laws and regulations. For example, several countries, states and localities have proposed or enacted measures related to the use of artificial intelligence technologies in products and services, including the EU's AI Act. The effects of these regulations are difficult to predict and we expect other jurisdictions to adopt similar laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal information) and regulate automated decision making, which may be incompatible with our use of artificial intelligence. These obligations may make it harder for us to conduct our business using artificial intelligence, lead to regulatory fines or penalties, require us to change our business practices, retrain our artificial intelligence, or prevent or limit our use of artificial intelligence. For example, the FTC has required other companies to turn over (or disgorge) valuable insights or trainings generated through the use of artificial intelligence where they allege the company has violated privacy and/or consumer protection laws. If we cannot use artificial intelligence or that use is restricted, our business may be less efficient, or we may be at a competitive disadvantage.

Income, sales, use, value added, or other tax laws, statutes, rules, regulations, or ordinances could be enacted or amended at any time (possibly with retroactive effect), and could be applied solely or disproportionately to products and services provided over the internet. These enactments or amendments could reduce our sales activity due to the inherent cost increase the taxes would represent and ultimately harm our results of operations and cash flows. The application of U.S. federal, state, local, and international tax laws to services provided electronically is unclear and continuously evolving. Existing tax laws, statutes, rules, regulations, or ordinances could be interpreted or applied adversely to us, possibly with retroactive effect, which could require us or our customers to pay additional tax amounts, as well as require us or our customers to pay fines or penalties, as well as interest for past amounts. If we are unsuccessful in collecting such taxes due from our customers, we would be held liable for such costs, thereby adversely affecting our results of operations and harming our business. We may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. Although we have only been required to pay income and value-added taxes in certain foreign jurisdictions to date, the amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws, or revised interpretations of existing tax laws and precedents, which could harm our liquidity and results of operations. In addition, the authorities in these jurisdictions could review our tax filings and impose additional tax, interest, and penalties, and the authorities could claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries, any of which would harm us and our results of operations.

While we have designed our platform to be easy to adopt and use, once individuals, teams, and organizations begin using Asana, they rely on our support services to resolve any related issues. High-quality user and customer education and customer experience have been key to the adoption of our platform and for the conversion of individuals, teams, and organizations on our free and trial versions into paying customers. The importance of high-quality customer experience will increase as we expand our business and pursue new customers. For instance, if we do not help organizations on our platform quickly resolve issues and provide effective ongoing user experience at the individual, team, and organizational levels, our ability to convert organizations on our free and trial versions into paying customers will suffer, and our reputation with existing or potential customers will be harmed. Further, our sales are highly dependent on our business reputation and on positive recommendations from existing individuals, teams, and organizations on our platform. Any failure to maintain high-quality customer experience, or a market perception that we do not maintain high-quality customer experience, could harm our reputation, our ability to sell our platform to existing and prospective customers, and our business, results of operations, and financial condition. In addition, as we continue to grow our operations and reach a larger and increasingly global customer and user base, we need to be able to provide efficient customer support that meets the needs of organizations on our platform globally at scale. The number of organizations on our platform has grown significantly, which puts additional pressure on our support organization. We will need to hire additional support personnel to provide efficient product support globally at scale, and if we are unable to provide such support, our business, results of operations, and financial condition would be harmed.

Our success depends largely upon the continued services and performance of our senior management and other key personnel. From time to time, there may be changes in our senior management team resulting from the hiring or departure of executives and key employees, which could disrupt our business. Our senior management and key employees are employed on an at-will basis. We currently do not have "key person" insurance on any of our employees. The loss of key personnel, including our co-founder, President, Chief Executive Officer, and Chair, Dustin Moskovitz, and other key members of management, as well as our product development, engineering, sales, and marketing personnel, would disrupt our operations and have an adverse effect on our ability to grow our business. Changes in our senior management team may also cause disruptions in, and harm to, our business, results of operations, and financial condition.