Salesforce (CRM) Risk Analysis

If we fail to protect our intellectual property rights adequately, our competitors may gain access to our technology, affecting our brand, causing us to incur significant expenses and harming our business. Any of our patents, trademarks or other intellectual property rights may be challenged by others or invalidated through administrative process or litigation. While we have many U.S. patents and pending U.S. and international patent applications, we may be unable to obtain patent protection for the technology covered in our patent applications or the patent protection may not be obtained quickly enough to meet our business needs. In addition, our existing patents and any patents issued in the future may not provide us with competitive advantages, or may be successfully challenged by third parties. Similar uncertainty applies to our U.S. and international trademark registrations and applications. Furthermore, legal standards relating to the validity, enforceability and scope of protection of intellectual property rights are uncertain, and we also may face proposals to change the scope of protection for some intellectual property rights in the U.S. and elsewhere. Additionally, the intellectual property ownership and license rights, including copyright, surrounding AI technologies, which we are increasingly building into our product offerings, has not been fully addressed by U.S. courts or other federal or state laws or regulations, and the use or adoption of AI technologies in our products and services may expose us to copyright infringement or other intellectual property misappropriation claims related to AI training or output. Effective patent, trademark, copyright and trade secret protection may not be available to us in every country in which our services are available and legal changes and uncertainty in various countries' intellectual property regimes may result in making conduct that we believe is lawful to be deemed violative of others' rights. The laws of some foreign countries may not be as protective of intellectual property rights as those in the U.S., and mechanisms for enforcement of intellectual property rights may be inadequate. Also, our involvement in standard-setting activity, our contribution to open source projects, various competition law regimes or the need to obtain licenses from others may require us to license our intellectual property in certain circumstances. Accordingly, despite our efforts, we may be unable to prevent third parties from using our intellectual property. We may be required to spend significant resources and expense to monitor and protect our intellectual property rights. We may initiate claims or litigation against third parties for infringement of our proprietary rights or to establish the validity of our proprietary rights. If we fail to protect our intellectual property rights, it could impact our ability to protect our technology and brand. Furthermore, any litigation, whether or not it is resolved in our favor, could result in significant expense to us, cause us to divert time and resources from our core business, and harm our business.

Policies we adopt or choose not to adopt on social and ethical issues, especially regarding the use of our products, may be unpopular with some of our employees or with our customers or potential customers, and have in the past impacted and may in the future impact our ability to attract or retain employees and customers. Our decisions about whether to conduct business with potential customers, or whether to continue or expand business with existing customers, may also impact our ability to attract or retain employees and customers, and could result in negative publicity or reputational harm. Further, actions taken by our customers and employees, including through the use or misuse of our products or new technologies for illegal activities or improper information sharing, may result in reputational harm or possible liability, particularly in light of regulatory requirements like the Digital Services Act ("DSA") from the EU. For example, we have been subject to allegations in legal proceedings that we should be liable for the use of certain of our products by third parties. Although we believe that we have a strong defense against these allegations, legal proceedings can be lengthy, expensive and disruptive to our operations and the outcome of any claims or litigation, regardless of the merits, is inherently uncertain. Regardless of outcome, these types of claims could cause reputational harm to our brand or result in liability. We are increasingly building AI into many of our offerings, including generative and agentic AI. As with many innovations, AI offerings, such as Agentforce, and our Salesforce Platform present additional risks and challenges that could affect their adoption and therefore our business. For example, the development of our AI offerings and the Salesforce Platform, which provides information regarding our customers' customers, present emerging ethical issues. If we enable or offer solutions that draw controversy due to their perceived or actual impact on human rights, privacy, employment, or in other social contexts, we may experience new or enhanced governmental or regulatory scrutiny, brand or reputational harm, competitive harm or legal liability, especially as geopolitical turmoil creates increasingly volatile political and market conditions. Inadequate or ineffective AI development, deployment, content labeling or governance by us or others that result in controversy could also impair the acceptance of AI solutions or result in unintended performance of the services. This in turn could undermine confidence in the decisions, predictions, analysis or other content that our AI applications produce, subjecting us to competitive harm, legal liability and brand or reputational harm. The rapid evolution of AI will require the application of resources to develop, test and maintain our products and services to help ensure that AI is implemented ethically in order to minimize unintended, harmful impact. Uncertainty around new and emerging AI applications such as generative AI content creation and AI agents will require additional investment in compliance, governance and the licensing or development of proprietary datasets, machine learning models and systems to test for accuracy, bias and other variables, which are often complex, may be costly and could impact our profit margin. Moreover, the move from AI content classification to AI content generation through our development of Agentforce and other generative AI products brings additional risks and responsibility. Known risks of generative AI currently include risks related to accuracy, bias, toxicity, privacy and security and data provenance. For example, AI technologies, including generative AI, may create content that appears correct but is factually inaccurate or flawed, or contains copyrighted or other protected material, and if our customers or others use this flawed or protected content to their detriment, or the owners of such copyrighted material seek to enforce their rights, we may be exposed to brand or reputational harm, competitive harm and/or legal liability. Developing, testing and deploying AI systems may also increase the cost profile of our offerings due to the nature of the computing costs involved in such systems. If we are unable to mitigate these risks, or if we incur excessive expenses in our efforts to do so, our reputation, business, operating results and financial condition may be harmed.

Our solutions are subject to trade control laws and regulations where we conduct our business activities, including the U.S. Commerce Department's Export Administration Regulations, U.S. customs regulations, U.S. supply chain regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department's Office of Foreign Assets Control. If we fail to comply with applicable trade control laws and regulations, we and certain of our employees could be subject to substantial civil or criminal penalties, including the possible loss of trade privileges; fines, which may be imposed on us and responsible employees or managers; and, in extreme cases, the incarceration of responsible employees or managers. Obtaining necessary authorizations, including any required licenses, may be time-consuming, requires expenditure of corporate resources, is not guaranteed, and may result in the delay or loss of sales opportunities or the ability to realize value from certain acquisitions or engagements. Acquisitions may also subject us to successor liability and other integration compliance risks. Furthermore, export control and economic sanctions laws and regulations may prohibit or limit the transfer of certain products and services to embargoed or sanctioned countries, governments and parties. We can provide no assurance that any of the precautions we take to prevent our solutions from being provisioned or provided to sanctions targets in violation of applicable regulations will be effective, and, accordingly, our solutions could be provisioned or provided to those targets, including by our resellers or other third parties, which could have negative consequences for our business, including government investigations, penalties and reputational harm. Changes in our solutions or trade control laws and regulations may create delays in the introduction, sale and deployment of our solutions in international markets or prevent the export or import of our solutions to certain countries, governments or persons altogether. Any decreased use of our solutions or limitation on our ability to export or sell our solutions may adversely affect our business, financial condition and results of operations. Sanctions and export and import control regulations in the United States and other countries are subject to change and uncertainty, including as a result of rapidly evolving technology, increased government regulation of AI and cloud service solutions, and geopolitical developments such as events affecting relations between the United States and China, multi-jurisdictional sanctions on Russia, the war in Ukraine and regional conflict in the Middle East. Regulators in the United States and elsewhere have signaled an increased emphasis on sanctions and export control enforcement, including efforts to combat diversion of services to sanctioned countries and parties, several recent high-profile enforcement actions and increased pressure for companies to self-disclose potential violations.

Regulation related to the provision of services over the Internet is evolving, as federal, state and foreign governments continue to adopt new, or modify existing, laws and regulations addressing data privacy, cybersecurity, data protection, data sovereignty and the collection, processing, storage, hosting, transfer and use of data, generally. In some cases, data privacy laws and regulations, such as the EU's General Data Protection Regulation ("GDPR"), impose obligations directly on us as both a data controller and a data processor, as well as on many of our customers. In addition, domestic data privacy laws, such as the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and laws that have recently passed and/or gone into effect in many other states similarly impose new obligations on us and many of our customers, potentially as both a covered business and service provider. These laws continue to evolve, including, for example, India's Digital Personal Data Protection Act 2023, and as various jurisdictions introduce similar proposals, which often include subsequent rules and regulation, we and our customers become subject to additional regulatory burdens. New EU laws, including the DSA, the Data Act and the AI Act, may impose additional rules and restrictions on the use of our products and services. In addition, various safe harbors have historically been provided to those who hosted content provided by others, such as safe harbors from monetary damages for copyright infringement arising from copyrighted content provided by customers and others and for defamation and other torts arising from information provided by customers and others. There is an increasing demand for repealing or limiting these safe harbors by either judicial decision or legislation, and we have active legal proceedings that have been impacted by the repeal or limiting of safe harbors that were previously available to us. Loss of these safe harbors may require altering or limiting some of our services or may require additional contractual terms to avoid liabilities for our customers' misconduct. Although we monitor the regulatory, judicial and legislative environment and have invested in addressing these developments, these laws may require us to make additional changes to our practices and services to enable us or our customers to meet the new legal requirements, and may also increase our potential liability exposure through new or higher potential penalties for noncompliance, including as a result of penalties, fines and lawsuits related to data breaches. Furthermore, privacy laws and regulations are subject to differing interpretations and may be inconsistent among jurisdictions. These and other requirements are causing increased scrutiny among customers, particularly in the public sector and highly regulated industries, and may be perceived differently from customer to customer. These developments could reduce demand for our services, require us to take on more onerous obligations in our contracts, restrict our ability to store, transfer and process data or, in some cases, impact our ability or our customers' ability to offer our services in certain locations, to deploy our solutions, to reach current and prospective customers, or to derive insights from customer data globally. For example, in July 2020, the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. Privacy Shield Framework, one of the mechanisms that allowed companies, including us, to transfer personal data from the European Economic Area ("EEA") to the United States. Even though the CJEU decision upheld the Standard Contractual Clauses ("SCCs") as an adequate transfer mechanism, the decision created uncertainty around the validity of all EU-to-U.S. data transfers. While the EU and U.S. governments have since adopted the EU-U.S. Data Privacy Framework to foster EU-to-U.S. data transfers and address the concerns raised in the aforementioned CJEU decision, it is uncertain whether this framework will be overturned in court like the previous two EU-U.S. bilateral cross-border transfer frameworks. As a result, regulators may continue to be inclined to interpret the CJEU's decision, and the logic behind it, as significantly restricting certain cross-border transfers and the cost and complexity of providing our services in certain markets may increase. Certain countries outside of the EEA have also passed or are considering passing laws requiring varying degrees of local data residency. By way of further example, statutory damages available through a private right of action for certain data breaches under the CCPA, may increase our and our customers' potential liability and the demands our customers place on us. The costs of compliance with, and other burdens imposed by, privacy laws, regulations and standards may limit the use and adoption of our services, reduce overall demand for our services, make it more difficult to meet expectations from our commitments to customers and our customers' customers, lead to significant fines, penalties or liabilities for noncompliance, impact our reputation, or slow the pace at which we close sales transactions, in particular where customers request specific warranties and unlimited indemnity for noncompliance with privacy laws, any of which could harm our business. In addition to government activity, privacy advocates and other industry groups have established or may establish new self-regulatory standards that may place additional burdens on our ability to provide our services globally. Our customers expect us to meet voluntary certification and other standards established by third parties. If we are unable to maintain these certifications or meet these standards, it could adversely affect our ability to provide our solutions to certain customers and could harm our business. In addition, we have seen a trend toward the private enforcement of data protection obligations, including through private actions for alleged noncompliance, which could harm our business and negatively impact our reputation. For example, in 2020 we were made a party to a legal proceeding brought by a Dutch privacy advocacy group (the Privacy Collective) on behalf of certain Dutch citizens that claims we violated the GDPR and Dutch Telecommunications Act through the processing and sharing of data in connection with our Audience Studio and Data Studio products. In December 2021, the Amsterdam District Court declared the Privacy Collective's claims against us inadmissible and dismissed the case, however, this ruling was appealed by the Privacy Collective. The appeal hearing took place in the Amsterdam Court of Appeal in February 2024 and the appellate court reversed the district court's judgment. We have appealed that appellate decision to the Dutch Supreme Court. We were also named as a defendant in a similar lawsuit brought in the UK, which has subsequently been dismissed. Although we believe we have a strong defense for these claims, these or similar future claims could cause reputational harm to our brand or result in liability. In addition, a shift in consumers' data privacy expectations or other social, economic or political developments could impact the regulatory enforcement of privacy regulations, which could require our cooperation and increase the cost of compliance with the imposed regulations. Furthermore, the uncertain and shifting regulatory environment and trust climate may raise concerns regarding data privacy and cybersecurity, which may cause our customers or our customers' customers to resist providing the data necessary to allow our customers to use our services effectively. In addition, new products we develop or acquire in connection with changing events may expose us to liability or regulatory risk. Even the perception that the privacy and security of personal information are not satisfactorily protected or do not meet regulatory requirements could inhibit sales of our products or services and could limit adoption of our cloud-based solutions.

We periodically change and make adjustments to our sales organization in response to market opportunities, competitive threats, management changes, product introductions or enhancements, acquisitions, sales performance, increases in sales headcount, cost levels and other internal and external considerations. Such sales organization changes have in some periods resulted in, and may in the future result in, a reduction of productivity, which could negatively impact our rate of growth in the current and future quarters and operating results, including revenue. In addition, any significant change to the way we structure our compensation of our sales organization may be disruptive and may affect our revenue growth.

Geopolitical crises, natural disasters or other catastrophic events have in the past and may in the future cause damage or disruption to our people, operations, international commerce and the global economy, and thus could have a strong negative effect on us. Our business operations, the business operations of third-party providers or suppliers that we rely on to conduct our business and the business operations of our customers are subject to interruption by geopolitical crises, natural disasters, fire, power or water shutoffs or shortages, telecommunications failures, terrorist attacks, acts of violence, political and/or civil unrest, acts of war or other military actions, actual or threatened public health emergencies and other events beyond our control. For example, the occurrence of regional conflicts, epidemics or a global pandemic have in the past and may in the future materially affect how we and our customers operate our businesses, as well as our operating results and cash flows. Although we maintain crisis management and disaster response plans, such events could make it difficult or impossible for us to deliver our services to our customers, and could decrease demand for our services. Our corporate headquarters, and a significant portion of our personnel, research and development activities and other critical business operations, are located near major seismic faults in the San Francisco Bay Area. Because we do not carry earthquake insurance for direct earthquake-related losses and significant recovery time could be required to resume operations, our financial condition and operating results could be materially and adversely affected in the event of a major earthquake or catastrophic event, and the adverse effects of any such catastrophic event would be exacerbated if experienced at the same time as another unexpected and adverse event.