Salesforce (CRM) Risk Analysis

If we fail to protect our intellectual property rights adequately, our competitors may gain access to our technology, affecting our brand, causing us to incur significant expenses and harming our business. Any of our patents, trademarks or other intellectual property rights may be challenged by others or invalidated through administrative process or litigation. While we have many U.S. patents and pending U.S. and international patent applications, we may be unable to obtain patent protection for the technology covered in our patent applications or the patent protection may not be obtained quickly enough to meet our business needs. In addition, our existing patents and any patents issued in the future may not provide us with competitive advantages, or may be successfully challenged by third parties. Similar uncertainty applies to our U.S. and international trademark registrations and applications. Furthermore, legal standards relating to the validity, enforceability and scope of protection of intellectual property rights are uncertain, and we also may face proposals to change the scope of protection for some intellectual property rights in the U.S. and elsewhere. Additionally, the intellectual property ownership and license rights, including copyright, surrounding AI technologies, which we are increasingly building into our product offerings, has not been fully addressed by U.S. courts or other federal or state laws or regulations, and some U.S. governmental entities and courts have expressed the view that U.S. copyright and patent protection should be limited to protecting inventions and works of authorship created by humans. If this position becomes widely accepted, intellectual property ownership and license rights, including copyright, may be limited, or not available at all, for inventions or works developed in part or wholly by AI technologies. Furthermore, the use or adoption of AI technologies in our products and services may expose us to copyright infringement or other intellectual property misappropriation claims related to AI training or output. Effective patent, trademark, copyright and trade secret protection may not be available to us in every country in which our services are available and legal changes and uncertainty in various countries' intellectual property regimes may result in making conduct that we believe is lawful to be deemed violative of others' rights. The laws of some foreign countries may not be as protective of intellectual property rights as those in the U.S., and mechanisms for enforcement of intellectual property rights may be inadequate. Also, our involvement in standard-setting activity, our contribution to open source projects, various competition law regimes or the need to obtain licenses from others may require us to license our intellectual property in certain circumstances. Accordingly, despite our efforts, we may be unable to prevent third parties from using our intellectual property. We may be required to spend significant resources and expense to monitor and protect our intellectual property rights. We may initiate claims or litigation against third parties for infringement of our proprietary rights or to establish the validity of our proprietary rights. If we fail to protect our intellectual property rights, it could impact our ability to protect our technology and brand. Furthermore, any litigation, whether or not it is resolved in our favor, could result in significant expense to us, cause us to divert time and resources from our core business, and harm our business.

Policies we adopt or choose not to adopt, on social and ethical issues, particularly regarding the development, deployment or use of our products, may be viewed as controversial by employees, customers, potential customers, or regulators who have varied, evolving and oftentimes conflicting expectations. These perceptions have in the past, and may in the future, impact our ability to attract or retain employees and customers and may result in negative publicity or reputational harm. Our decisions about whether to conduct business with potential customers, or whether to continue or expand relationships with existing customers, may also impact our stakeholder relationships and reputation. Actions taken by our customers or employees, including through the use or misuse of our products or technologies for unlawful activities, improper information sharing or other harmful purposes, may result in reputational harm, regulatory scrutiny or legal liability. Regulatory frameworks such as the EU Digital Services Act ("DSA"), the EU AI Act and other rapidly evolving and sometimes conflicting global laws and regulations related to AI, privacy and consumer protection could increase compliance costs, restrict features or data flows, delay launches and expose us to penalties or litigation. We are increasingly building AI into many of our offerings, including generative and agentic AI. As with many technical innovations, AI offerings, such as Agentforce, and our Agentforce 360 Platform present additional risks and challenges that could affect customer adoption and therefore our business. For example, the development and deployment of AI offerings, including those involving information regarding our customers' customers, raise emerging ethical, legal and operational considerations. If we enable or offer solutions that draw controversy due to their perceived or actual impact on human rights, privacy, employment or other social concerns, we may experience new or heightened governmental or regulatory scrutiny, investigations, enforcement actions, fines or penalties and reputational or competitive harm. As we develop and deploy AI applications in our products and services, including in customer-facing contexts, the speed, scale and complexity of related data processing may increase. AI applications may be targeted or misused, or may perform in ways that are inaccurate, biased, unreliable or otherwise harmful, or that implicate personal or proprietary data in ways that may be difficult to anticipate, detect or control. Such issues could result in regulatory scrutiny, litigation, contractual disputes, loss of customer trust or reputational harm. Inadequate or ineffective AI development, testing, deployment, content labeling, governance, monitoring or oversight, whether by us or others, could result in our AI applications not operating as intended or with reduced functionality, reduced acceptance of our products and services or diminished confidence in the decisions, predictions, analysis or other content that our AI applications produce. Such risks may be heightened as AI applications are integrated into a broader range of our products and services. This could subject us to regulatory scrutiny, competitive harm, legal liability and reputational damage. We may rely in part on third-party models, datasets, cloud infrastructure or other technologies in developing or offering certain AI applications. Our reliance on such third parties exposes us to risks relating to performance, availability, security vulnerabilities, intellectual property claims, licensing restrictions, cost increases or changes in terms of service. If a third-party provider modifies, suspends or terminates access to its models, data or infrastructure, or if such technologies fail to perform as expected, our ability to offer, scale or support certain AI applications may be adversely affected, and we may incur additional costs to mitigate such impacts. The rapid evolution of AI technologies and related regulatory requirements will require the allocation of significant resources to develop, test, monitor and maintain our products and services in order to comply with applicable laws and regulations and to address concerns relating to accuracy, bias, transparency, explainability, security and data provenance. Uncertainty surrounding new and emerging AI applications, including generative AI content creation and AI agents, may require additional investment in compliance programs, governance frameworks, licensing arrangements, documentation, auditing and risk mitigation processes, which may be complex, costly and could impact our profit margins. Moreover,expansion of our AI capabilities to content generation, including through Agentforce and other generative AI offerings, introduces additional risks and responsibilities. AI technologies may produce content that is inaccurate, misleading, biased, offensive or unsafe, and may implicate privacy, security or intellectual property rights, including through the generation of copyrighted or other protected material. If our customers or others rely on such content to their detriment, or if regulators or rights holders assert claims relating to AI-generated content, we may be exposed to litigation, regulatory investigations, enforcement actions, indemnification obligations, monetary penalties or other liabilities, or reputational harm. Developing, testing and deploying AI technologies may also increase the cost profile of our offerings due to the computing costs required. If we are unable to effectively mitigate these risks, or if our mitigation efforts result in excessive costs, our reputation, business, operating results and financial condition may be adversely affected.

Our customers and potential customers conduct business in a variety of industries, including financial services, the public sector, healthcare and telecommunications. Regulators in certain industries have adopted and may in the future adopt regulations or interpretive positions regarding the use of cloud computing, AI services and other outsourced services. The costs of compliance with, and other burdens imposed by, industry-specific laws, regulations and interpretive positions may limit our customers' use and adoption of our services and reduce overall demand for our services. Compliance with these regulations may also require us to devote greater resources to support certain customers, which may increase costs and lengthen sales cycles. For example, some financial services regulators have imposed guidelines for use of cloud computing services that mandate specific controls or require financial services enterprises to obtain regulatory approval prior to outsourcing certain functions. If we are unable to comply with these guidelines or controls, or if our customers are unable to obtain regulatory approval to use our services where required, our business may be harmed. In addition, an inability to satisfy the standards of certain voluntary third-party certification bodies that our customers may expect may have an adverse impact on our business and results. Any inability in the future to achieve or maintain industry-specific certifications or other requirements or standards relevant to our customers may harm our business and adversely affect our results. Further, in some cases, industry-specific, regionally-specific or product-specific laws, regulations or interpretive positions may impact our ability, as well as the ability of our customers, partners and data providers, to collect, augment, analyze, use, transfer and share personal and other information that is integral to certain services we provide. The interpretation of many of these statutes, regulations and rulings is evolving in the courts and administrative agencies and an inability to comply may have an adverse impact on our business and results. This impact may be particularly acute in countries that have passed or are considering passing legislation that requires data to remain localized "in country," as this may impose financial costs on companies required to store data in jurisdictions not of their choosing and to use nonstandard operational processes that add complexity and are difficult and costly to integrate with global processes. This is also true with respect to the global proliferation of laws regulating the financial services industry, including its use of cloud services. In Europe, the Digital Operational Resilience Act ("DORA") aims to ensure the resilience of the EU financial sectors, including through mandatory risk management, incident reporting, resilience testing and third-party outsourcing restrictions. The UK has implemented similar legislation and other countries may follow. Further, jurisdictions are increasingly applying existing data privacy, consumer protection and other laws to AI, including emerging AI technologies such as generative AI, and are also enacting, or considering enacting, AI-specific legal frameworks, such as the EU AI Act, and the Utah Artificial Intelligence Policy Act, the Colorado Artificial Intelligence Act and the draft CCPA regulations on automated decision-making technology. As these laws and regulations are implemented, interpreted and enforced, they may impose additional compliance obligations or restrictions on our products, services or business practices. Any failure, or perceived failure, by us to comply with applicable AI-related legal requirements could have an adverse impact on our business. There are also various statutes, regulations and regulatory rulings governing direct email marketing and text messaging, including the Telephone Consumer Protection Act ("TCPA") and related Federal Communication Commission orders, which impose significant restrictions on the use of telephone calls and text messages to mobile telephone numbers without prior consent. We have been, and may in the future be, subject to class action and individual lawsuits alleging that one of our businesses or customers violated the TCPA or similar communications-based laws. A determination that we or our customers failed to comply with such requirements could expose us to significant statutory damages or other liabilities that could, individually or in the aggregate, materially harm our business. In addition, many jurisdictions across the world are considering, or have begun implementing, changes to antitrust and competition laws, regulations or interpretative positions intended to enhance competition in digital markets or address practices perceived to be anticompetitive. These developments may result in new or expanded legal or regulatory obligations that require changes to our business practices, increased compliance costs, or other measures that could adversely affect our business and operating results.

Regulation related to the provision of services over the Internet continues to evolve, as federal, state and foreign governments adopt new, or modify existing, laws and regulations addressing data privacy, cybersecurity, data protection, data sovereignty and the collection, storage, hosting, transfer, use and other processing of data. The volume, complexity and scope of these regulatory requirements may continue to increase, including in response to heightened geopolitical tensions. In some cases, data privacy laws and regulations, such as the EU's General Data Protection Regulation ("GDPR"), impose obligations directly on us as both a data controller and a data processor, as well as on many of our customers. In addition, domestic data privacy laws, such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), and similar laws that have passed, gone into effect or are being considered in numerous other U.S. states, impose obligations on us and many of our customers, potentially as both a covered business and service provider. These laws continue to evolve and expand, including through the adoption of new comprehensive data protection regimes such as India's Digital Personal Data Protection Act 2023, and through the introduction of additional implementing rules and regulations in various jurisdictions. As a result, we and our customers may become subject to additional regulatory burdens. New EU laws, including the DSA, the Data Act and the AI Act, have also been adopted and, depending on how they are implemented, interpreted and enforced, may impose additional rules, restrictions or compliance requirements on the development, deployment or use of our products and services, including AI-enabled features. Historically, certain legal frameworks have provided safe harbors to companies that host or transmit content provided by others, including limitations on liability for monetary damages arising from copyright infringement or defamation based on customer-provided content. There is increasing legislative, regulatory and judicial scrutiny of these safe harbors, and ongoing legal efforts to repeal, narrow or limit these protections that were previously available to us. The loss or further erosion of these protections may require us to alter, limit or discontinue certain of our services, or may impose additional contractual terms on customers to mitigate potential liability for customer misconduct. Compliance with these laws and regulations may require us to make changes to our practices, products or services to enable us or our customers to meet applicable legal requirements, and may increase our potential liability exposure through new or higher potential penalties, fines, investigations or litigation, including in connection with data breaches. Privacy and data protection laws and regulations are also subject to differing interpretations and may be inconsistent or conflicting across jurisdictions. These factors have increased scrutiny from customers, particularly those in the public sector and highly regulated industries and may be perceived differently from customer to customer. In addition, we may be subject to increased liability exposure or regulatory scrutiny related to the use of certain technologies associated with the collection, management or processing of data, including the use of cookies and similar technologies. These developments could reduce demand for our services, require us to take on more onerous contractual obligations, restrict our ability to store, transfer and otherwise process data or, in some cases, limit our or our customers' ability to offer our services in certain locations, deploy our solutions, reach current or prospective customers, or derive insights from customer data on a global basis. For example, statutory damages available through a private right of action for certain data breaches under the CCPA may increase our and our customers' potential liability exposure and the demands customers place on us. In July 2020, the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. Privacy Shield Framework, one of the mechanisms that previously permitted transfers of personal data from the European Economic Area ("EEA") to the United States. Even though the CJEU decision upheld the use of Standard Contractual Clauses ("SCCs") as a lawful transfer mechanism, the decision created ongoing uncertainty regarding EU-to-U.S. data transfers. While the EU and U.S. governments have since adopted the EU-U.S. Data Privacy Framework to facilitate such transfers and address the concerns raised by the CJEU, it remains uncertain whether this framework will withstand future legal challenges. As a result, regulators may continue to interpret the CJEU's decision and the reasoning underlying it as significantly restricting certain cross-border data transfers increasing the cost and complexity of providing our services in certain markets. Certain countries outside of the EEA have enacted or are considering enacting laws that require varying degrees of local data residency or localization. Additionally, recent governmental actions and geopolitical developments have increased the perceived risk that our services, particularly in the EU, could be disrupted, suspended or terminated. The costs of compliance with, and other burdens imposed by, privacy laws, regulations and standards may limit the use and adoption of our services, reduce overall demand for our services, make it more difficult to meet expectations from our commitments to customers and our customers' customers, lead to significant fines, penalties or liabilities for noncompliance, impact our reputation or slow the pace at which we close sales transactions particularly where customers request specific warranties or broad indemnities for noncompliance with privacy laws, any of which could harm our business. In addition to government activity, privacy advocates and industry groups have established or may establish new self-regulatory standards or voluntary certification requirements that customers may expect us to meet. If we are unable to maintain required certifications or comply with such standards, our ability to provide our services to certain customers could be adversely affected. We have also observed increased private enforcement of data protection obligations, including through private actions for alleged noncompliance, which could result in litigation, harm to our business, reputational harm or liability. For example, in 2020 we were named as a defendant in a legal proceeding brought by a Dutch privacy advocacy group (the Privacy Collective) on behalf of certain Dutch citizens alleging violations of the GDPR and Dutch Telecommunications Act. Although the claims were initially dismissed, that decision was later reversed on appeal, and that matter remains pending before the Dutch Supreme Court. Although we believe we have strong defenses in these or similar matters, current or future claims of this nature could cause reputational harm or liability. In addition, a shift in consumers' data privacy expectations or other social, economic or political developments could impact regulatory enforcement priorities, require our cooperation with regulators and increase the cost of compliance with applicable privacy regulations. Furthermore, the uncertain and evolving regulatory environment and broader trust climate may heighten concerns regarding data privacy, cybersecurity, and artificial intelligence, particularly where advanced analytics or automated functionality is involved, which could cause our customers or their end users to limit the data they provide or their use of our products and services. Even the perception that personal data is not adequately protected or that our products or services do not comply with applicable regulatory requirements could inhibit sales, reduce adoption of our offerings or otherwise adversely affect our business.

We may face greater costs, longer sales cycles, greater competition and less predictability in completing some of our sales to large enterprise customers, including governmental entities and customers in regulated industries. In these market segments, the customer's decision to use our services is often an enterprise-wide decision and may require us to provide greater levels of education regarding the use and benefits of our services, as well as address other concerns, such as heightened privacy and data protection requirements. In addition, larger enterprise customers and governmental entities often demand more configuration, integration services and features. These sales opportunities often require us to devote greater sales support and professional services resources to individual customers, driving up costs and time required to complete sales and diverting our own sales and professional services resources to a smaller number of larger transactions, while potentially requiring us to delay revenue recognition on some of these transactions until the technical or implementation requirements have been met. Pricing and packaging strategies for enterprise and other customers for our existing and future service offerings, including for our AI offerings such as Agentforce, may not be widely accepted by new or existing customers. Our adoption of or failure to adopt, as well as the manner and time of, changes to our pricing and packaging models and strategies may harm our business.

While we seek to mitigate our business risks associated with climate change by establishing appropriate environmental programs and partnering with organizations who are focused on mitigating their own climate-related risks, there are inherent climate-related risks where our business is conducted. In particular, increased energy consumption, including as a result of AI-related growth, climate-related events, energy market volatility, and power grid disruptions, may increase the operational costs related to inputs across our value chain, including for data centers. Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our offices globally are projected to continue to experience climate-related events at increased frequency, including drought, water scarcity, heat waves, cold waves, flooding, wildfires and resultant air quality impacts and power shutoffs. These events in turn have impacts on inflation risks, the cost and availability of insurance, food security, water security (including for water availability for data center cooling), energy security and on our employees' health, productivity and well-being. Changing market dynamics, global policy developments and the increasing frequency and impact of extreme weather events on critical infrastructure in the United States and elsewhere have the potential to disrupt our business, as well as the business of the companies we invest in, third-party providers or suppliers that we rely on, and our customers, and may cause us to experience higher attrition, losses and additional costs to maintain or resume operations.