Sprinklr (CXM) Risk Factors

In the ordinary course of our business, we process confidential information. Use of our Unified-CXM platform also involves processing our customers' information, including personal data regarding their customers, employees or other individuals. Cyberattacks, malicious internet-based activity online and offline, fraud, security issues and other similar activities threaten the confidentiality, integrity and availability of our confidential information, are prevalent and continue to increase in frequency, intensity and sophistication. Further, these threats are becoming increasingly difficult to detect and come from a variety of sources, including traditional computer "hackers," threat actors, "hacktivists," organized crime threat actors, personnel (such as through theft or misuse), sophisticated nation-states, and nation-state-supported actors. In addition, our Unified-CXM platform or other internal systems used for operating our business may be misconfigured or contain significant unmitigated weaknesses or vulnerabilities, resulting in a heightened exposure to internal and external threats. The processes used to implement technical and administrative controls to protect our systems and the data they contain may be ineffective in parts or entirely. Our employees, contractors, partners, vendors and customers could create situations whereby critical controls are bypassed, deactivated or otherwise reduced in effectiveness, which could lead to the inadvertent exposure of confidential information, intellectual property or other sensitive information and heighten our exposure to security threats. Moreover, we may not have access to any effective control mechanisms that could mitigate these concerns or address new or advanced concerns. Some actors now engage and are expected to continue to engage in cyber-attacks, including, without limitation, nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we, the third parties with whom we work, and our customers may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our goods and services. We and the third parties with whom we work are subject to a variety of evolving threats, including, but not limited to, social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malicious code (such as viruses, worms, backdoors and time bombs), malware (including as a result of advanced persistent threat intrusions), volumetric or application-level denial-of-service attacks, credential stuffing attacks, credential harvesting, personnel misconduct or error, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, misconfiguration, software or hardware failures, access deprovisioning failures, loss of data or other information technology assets, and attacks enhanced or facilitated by AI. In particular, ransomware attacks, including by organized criminal threat actors, nation-states, and nation-state-supported actors, are prevalent and severe and can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Adware, telecommunications failures, earthquakes, fires, floods, adverse weather events, and man-made disasters may also impact the availability of our systems and operations. Furthermore, our services are important to the internal processes of many of our customers worldwide and, as a result, if our products are compromised, a significant number or, in some instances, all of our customers and their data could be simultaneously affected, which could cause serious disruption and harm. The potential liability and associated consequences we could suffer as a result could be significant. Our remote workforce poses increased risks to our information technology systems and data, as more of our employees utilize network connections, computers, and devices outside our premises or network, including while working from home, while in transit, and in public locations. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. We may also discover security issues that were not identified during due diligence of such acquired or integrated entities, and it may be difficult to integrate other companies into our information technology environment and security program. We rely upon third parties and third-party technologies to operate critical business systems to process confidential information in a variety of contexts, including, without limitation, third-party providers of cloud-based infrastructure, encryption and authentication technology, employee email, content delivery to customers, and other functions. While we require the third parties with whom we work to process confidential information on our behalf to meet certain security requirements and give contractual commitments to us regarding their data processing activities, our ability to monitor these third parties' information security practices is limited, and despite such assurance and commitments, these third parties may not have, or may not continue to have, adequate information security measures in place. If the third parties with whom we work experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if these third parties fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages or protect our reputation, or we may be unable to recover any such awarded damages. Moreover, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties and infrastructure in our supply chain or in the third parties' with whom we work supply chains have not been compromised or that they do not contain exploitable vulnerabilities, defects or bugs that could result in a breach of or disruption to our information technology systems (including our products and services) or the third-party information technology systems that support us and our services. Additionally, the reliability and continuous availability of our platform and services is critical to our success. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware, software, and products, and those of the third parties with whom we work). However, our information systems may contain errors, defects, security vulnerabilities, or software bugs that are difficult to detect and correct, and some of these may pose a significant risk to our business and ability to provide our products and services, particularly when such vulnerabilities are first introduced or when new versions or enhancements of our platform are released. We have not always been able in the past and may be unable in the future to detect and remediate all such vulnerabilities in our information systems including on a timely basis, and sometimes customer permission to remediate certain vulnerabilities may be required, which could result in further delays in timely remediation. Despite our efforts to identify and remediate vulnerabilities and related unauthorized access in our information technology systems (including our products), our efforts may not be successful. Further, in some cases, these vulnerabilities may require immediate attention, but we may still experience delays in developing and deploying remedial measures designed to address any such vulnerabilities. Even if we have issued or otherwise made patches or information for vulnerabilities in our information systems, our customers may be unwilling or unable to deploy such patches and use such information effectively and in a timely manner. Vulnerabilities could be exploited and result in a security incident. Any of the previously identified or similar threats could cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our confidential information. A security incident or other interruption could disrupt our ability (and that of third parties with whom we work) to provide our Unified-CXM platform and our services. We may expend significant resources or modify our business activities to try to remediate and protect against security incidents. While we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We have in the past and may in the future be subject to attempted or successful cybersecurity attacks by third parties seeking unauthorized access to our or our customers' confidential information or to disrupt our ability to provide our Unified-CXM platform. Our data privacy and security obligations under certain applicable laws and our customer agreements require us to implement and maintain specific security measures, industry-standard or reasonable security measures to protect our information technology systems and confidential information. In addition, we operate our products for the benefit of our customers who have documented responsibilities to maintain certain security controls, such as provisioning and deprovisioning users, in their respective environments without oversight or control by us. Our customers may reject, weaken or incorrectly configure security controls provided by us to maintain the security of their environments, resulting in a loss of confidentiality or integrity of such customer's data or processes. Such an event also may result in a compromise to our information technology systems or a security incident, or public disclosures and negative publicity for us and such customer, which may have a negative impact on our ability to achieve our corporate goals and could adversely affect our business, reputation, results of operations and financial condition. Such an event may also result in a compromise to our information technology systems or a security incident. Applicable data privacy and security obligations, both legally and contractually, may require us to notify relevant stakeholders of security incidents. Such notifications are costly, and the notifications or the failure to comply with such requirements could lead to adverse consequences, including breach of contract or applicable legislation. If we (or a third party with whom we work) experience a security incident or are perceived to have experienced a security incident, we may experience adverse consequences. These consequences may include: government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing confidential information (including personal data); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; interruptions in our operations (including availability of data); financial loss; and other similar harms. Security incidents and attendant consequences may prevent or cause customers to stop using our Unified-CXM platform, deter new customers from using our Unified-CXM platform, and negatively impact our ability to grow and operate our business. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, share and conduct other activities with (which we collectively refer to as "process") proprietary and confidential data, including personal data, intellectual property, and trade secrets, of ours or our customers (collectively, "confidential information"). Additionally, our customers can utilize our Unified-CXM platform to process confidential information or personal data relating to their employees, customers, partners and other individuals. Our data processing activities subject us to numerous global data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contracts, and other obligations that govern the processing of confidential information by us and on our behalf. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, and consumer protection laws (such as Section 5 of the Federal Trade Commission Act), and other laws, including wiretapping laws. For example, some privacy laws and other obligations may require us or our customers to obtain consent to process personal data in certain circumstances. Some of our data processing practices may be challenged under wiretapping laws, as we obtain customer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. In addition, we must comply with the FCC's regulations that require us to protect private customer information about their use of telecommunications services, known as customer proprietary network information. Our inability or failure to adhere to applicable requirements could result in adverse consequences, including class action litigation, mass arbitration demands and statutory fines for noncompliance. In the past few years, numerous U.S. states have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making, which, even if not directly applicable to Sprinklr as a data processor, may be applicable to our customers. The exercise of these rights may impact our business and ability to provide our products and services. These state laws also allow for statutory fines for noncompliance. For example, under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA") noncompliance may carry fines of up to $7,500 per intentional violation; the CCPA also allows for a private right of action for certain data breaches. These laws, as well as other laws or regulations relating to data privacy and security, particularly any new or modified laws or regulations that require enhanced protection of certain types of data or new obligations with regard to data retention, transfer or disclosure, may result in further uncertainty with respect to data privacy and security issues, and will require us to incur additional resource, costs and expenses in an effort to comply. The enactment of various laws has prompted similar legislative developments in other states, which has created a patchwork of overlapping nuanced state laws, as certain state laws may be more stringent, broader in scope or offer greater individual rights with respect to personal data than federal, foreign or other state laws, which may complicate compliance efforts. The federal government is also still considering comprehensive privacy legislation. In addition, as we continue to expand our business activities, we are accessing additional types and greater volumes of potentially confidential or sensitive information that may subject us to additional privacy and security laws and obligations. For example, in certain limited instances, we have agreed with specific customers to permit the exchange of protected health information through certain approved platform components. Our access to protected health information for specific agreed use cases on behalf of those customers that are covered entities and therefore subject to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, "HIPAA"), may subject us to HIPAA's specific requirements relating to the privacy, security, and transmission of protected health information. To the extent that we become subject to HIPAA, our failure to comply could result in significant penalties. Additionally, to the extent that additional customers with whom we did not agree to permit the exchange of protected health information through our platforms in their capacity as covered entities nonetheless input or allow such information within the platform in violation of their contractual obligations with us, we could also be subject to additional compliance risks. Similar privacy, security, and transmission obligations may apply to us outside the United States if we process health information and other categories of sensitive or confidential information unknowingly, and our failure to comply could result in significant penalties. As another example, we process an increasing amount of credit card data through our Secure Forms module, and we have entered contractual relationships requiring us to comply with the Payment Card Industry Data Security Standard ("PCI DSS"). The PCI DSS requires companies to adopt certain measures to ensure the security of cardholder information, including using and maintaining firewalls, adopting proper password protections for certain devices and software, and restricting data access. Noncompliance with PCI-DSS can result in penalties ranging from $5,000 to $100,000 per month by credit card companies, litigation, damage to our reputation, and revenue losses. Outside of the United States, an increasing number of laws, regulations, and industry standards apply to data privacy and security. Some examples of laws that apply to our processing of personal data include the European Union's General Data Protection Regulation ("EU GDPR"), the United Kingdom's GDPR ("UK GDPR" and, together with EU GDPR, "GDPR"), Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) (Law No. 13,709/2018), China's Personal Information Protection Law, India's Digital Personal Data Protection Act, and Japan's Act on the Protection of Personal Information. These laws all impose strict requirements for processing personal data. For example, noncompliance with the EU GDPR carries fines of up to the greater of €20 million or 4% of global annual turnover (and under the UK GDPR, up to the greater of £17.5 million or 4% of global annual turnover) and can result in data processing bans, other administrative penalties and litigation brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests, together with associated damage to our reputation. Europe and other jurisdictions have enacted industry-specific laws requiring data to be localized in some limited circumstances or limiting the transfer of personal data to other countries. European and other data protection laws, including the GDPR, place some restrictions on the ability of companies to freely transfer personal data to countries deemed to be inadequate for privacy purposes, and there are fairly rigorous restrictions regarding transfers of personal data from China (although these have been softened recently). Other jurisdictions may also adopt stringent data localization and cross-border data transfer requirements and, in many circumstances, these may be requirements outside of the scope of privacy law, including industry-specific or national security requirements. Although there are currently various mechanisms that may be used to enable the transfer of personal data from the European Economic Area ("EEA") and UK to the United States in compliance with the law, such as the EU-US Data Privacy Framework and the UK extension thereto (to which we are an active participant) and the EU's standard contractual clauses, these mechanisms continue to be subject to legal challenges, and there is no continued assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States or other countries with "inadequate" data protection regimes without the potential for future challenge. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions outside of the origin territory, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the prohibition on further transfers (including remote access by employees in support teams in certain regions), the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, can be subject to increased scrutiny from regulators, individual litigants, and activist groups. We may also become directly or indirectly subject to new laws in the EEA that regulate cybersecurity and non-personal data, such as the EU Data Act, the EU Digital Operational Resilience Act (DORA) or the so-called "EU NIS2 Directive," Depending on how new laws are implemented and interpreted, we may have to adapt our business practices, contractual arrangements and products to comply with such obligations. UK and EEA data privacy regulations in relation to electronic communications also require opt-in consent to send certain unsolicited marketing emails or other electronic communications to individuals or for the use of cookies and the data obtained using cookies and similar technologies for advertising, analytics and certain other purposes – activities on which our products and marketing strategies rely. Enforcement of these requirements has increased, and a new regulation proposed in the European Union, known as the ePrivacy Regulation, makes these requirements, as well as requirements around tracking technologies, such as cookies, more stringent and increases the penalties for violating them. Such restrictions could increase our exposure to regulatory enforcement action, increase our compliance costs, and adversely affect our business. We sometimes rely on data obtained from third-party data suppliers, and the sale of data to third parties has become subject to increased regulatory scrutiny. Therefore, obtaining information from third parties carries risk to us as a data purchaser and onward provider to our customers. Regulators are increasingly scrutinizing the activities of third-party data suppliers, as well as those using the data from those third parties, and laws in the United States (including the CCPA and California Delete Act) and other jurisdictions, such as Europe (including GDPR, and the ePrivacy Directive), are likewise regulating such activity. These laws pose additional, material compliance risks to such suppliers, and these suppliers may not be able to supply us with personal data in compliance with these laws. Such laws may make it difficult for our suppliers to provide the data as the costs associated with the data materially increase. For example, some data suppliers are required to register as data brokers under California, Vermont, Texas and Oregon law and file reports with regulators, which exposes them to increased scrutiny. Additionally, the California Delete Act requires the California Privacy Protection Agency to establish by January 1, 2026 a mechanism to allow California consumers to submit a single, verifiable request to delete all of their personal data held by all registered data brokers and their service providers. Moreover, third-party data suppliers have recently been subject to increased litigation under various claims of violating certain state privacy laws. These laws and challenges may make it so difficult for our suppliers to provide data to us that the costs associated with the data materially increase or may materially decrease the availability of data that our data suppliers can provide us. In addition, we may face compliance risks and limitations on our ability to use certain data provided by our third-party suppliers if those suppliers have not complied with applicable privacy laws, for example, where necessary by providing appropriate transparency notices to data subjects, obtaining necessary consents or where the data is not lawfully made available to us. In addition, there may be restrictions in their terms of use of which we are not aware. In addition to data privacy and security laws, our contractual obligations relating to data privacy and security have become increasingly stringent due to changes in data privacy and security and the expansion of our service offerings. For example, certain data privacy and security laws, such as the GDPR and the CCPA, require us to impose specific contractual restrictions on our service providers, and our customers are requiring broader and more extensive commitments. Moreover, we are certified or assessed to be compliant with UK Cyberessentials, Spain ENS, TISAX, System and Organization Controls ("SOC") 1, SOC 2, SOC 3, ISO 27001, PCI-DSS 4.0 and HIPAA (under Statements on Standards for Attestation Engagements ("SSAE") 21 reporting) and maintain a Federal Risk and Authorizations Management Program ("FedRAMP") LI-SaaS Authority to Operate ("ATO"). If we are unable to maintain these certifications or meet these standards, it could adversely affect our ability to provide our solutions to certain customers and could harm our business. Furthermore, we make numerous statements in our privacy policies, terms of service, contracts, requests for information, in online collateral, through our certifications to certain industry standards and in our marketing materials that describe the security and privacy practices of our Unified-CXM platform, including detailed descriptions of security and privacy measures we employ. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. Our privacy policies and other statements regarding data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Should any of these statements prove to be untrue or be perceived as untrue, even though circumstances beyond our reasonable control, we may face litigation, disputes, claims, investigations, inquiries or other proceedings including, without limitation, by the U.S. Federal Trade Commission, federal, state and foreign regulators, our customers and private litigants, which could adversely affect our business, reputation, results of operations and financial condition. Business partners and other third parties with a strong influence on how consumers interact with our products, such as Apple, Google, Meta, Microsoft and Mozilla, may create new privacy controls or restrictions on their products and platforms, limiting the effectiveness of our services. With obligations relating to data privacy and security changing and imposing new and stringent obligations, and with some uncertainty over the interpretation and application of these and other obligations, we may face challenges in addressing their requirements and making necessary changes to our policies and practices and may incur significant costs and expenses in an effort to do so. Additionally, if the third parties with whom we work with, including our vendors or third-party service providers, violate applicable laws, rules or regulations or our policies, such violations also may put our or our customers' data at risk and could in turn have an adverse effect on our business. Any failure or perceived failure by us or our third-party partners to comply with our data privacy or security obligations to customers or other third parties, or any of our other legal obligations relating to data privacy or security, may result in governmental investigations or inquiries (which have occurred in the past and may occur in the future), enforcement actions, litigation and mass arbitration demands, disputes or other claims, indemnification requests, restrictions on providing our services, claims or public statements against us by privacy advocacy groups or others, adverse press and widespread negative publicity, reputational damage, significant liability or fines and the loss of the trust of our customers, any of which could have a material adverse effect on our business, results of operations and financial condition. In particular, individuals have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. The cost of compliance with, and other burdens imposed by, laws, rules, regulations and other obligations relating to data privacy and security applicable to the businesses of our customers may adversely affect our customers' ability and willingness to process personal data from their employees, customers and partners, which could limit the use, effectiveness and adoption of our Unified-CXM platform and reduce overall demand. Furthermore, the uncertain and shifting regulatory environment, as well as changes in consumer expectations concerning data privacy may cause concerns regarding data privacy and may cause our data vendors, customers or our customers' customers to resist providing the data necessary to allow our customers to use our services effectively. Even the perception of privacy concerns, whether or not valid, may inhibit market adoption, effectiveness or use of our applications.

In order for us to maintain or improve our results of operations, it is important that we maintain and expand our relationships with our customers and that our customers renew their subscriptions when the initial subscription term expires or otherwise expand their subscription program with us. Our customers are not obligated to, and may elect not to, renew their subscriptions on the same or similar terms after their existing subscriptions expire. Some of our customers have in the past elected, and may in the future elect, not to renew their agreements with us or otherwise reduce the scope of their subscriptions, and we do not have sufficient operating history with our business model and pricing strategy to accurately predict long-term customer renewal rates. In addition, the growth of our business depends in part on our customers expanding their use of our Unified-CXM platform, which can be difficult to predict. Our customer renewal rates, as well as the rate at which our customers expand their use of our Unified-CXM platform, may decline or fluctuate as a result of a number of factors, including the customers' satisfaction with our Unified-CXM platform, defects or performance issues, our customer and product support, our prices, mergers and acquisitions affecting our customer base, the effects of global economic conditions, the entrance of new or competing technologies and the pricing of such competitive offerings or reductions in the enterprises' spending levels for any reason. If our customers do not renew their subscriptions, renew on less favorable terms or reduce the scope of their subscriptions, our revenue may decline and we may not realize improved results of operations from our customer base, and, as a result, our business and financial condition could be adversely affected.

We believe that our success and growth will depend to a substantial extent on the widespread acceptance and adoption of Unified-CXM solutions in general, and of our Unified-CXM platform in particular. The market for Unified-CXM solutions is new and rapidly evolving, and if this market fails to grow or grows more slowly than we currently anticipate, demand for our Unified-CXM platform could be adversely affected. The Customer Experience Management ("CXM") market also is subject to rapidly changing user demand and trends. As a result, it is difficult to predict enterprise adoption rates and demand for our Unified-CXM platform, the future growth rate and size of our market or the impact of competitive solutions. The expansion of the CXM market depends on a number of factors, including awareness of the Unified-CXM category generally, ease of adoption and use, cost, features, performance and overall platform experience, data security and privacy, interoperability and accessibility across devices, systems and platforms and perceived value. If Unified-CXM solutions do not continue to achieve market acceptance, or if there is a reduction in demand for Unified-CXM solutions for any reason, including a lack of category or use case awareness, technological challenges, weakening economic conditions, data security or privacy concerns, competing technologies and products or decreases in information technology spending, our business, results of operations and financial condition may be adversely affected. The market for Unified-CXM solutions is also highly competitive. Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or enterprise requirements. With the introduction of new technologies, the evolution of our Unified-CXM platform and new market entrants, we expect competition to intensify in the future. Pricing pressures and increased competition generally could result in reduced sales, reduced margins, losses or the failure of our Unified-CXM platform to achieve or maintain more widespread market acceptance, any one of which could harm our business. While we do not believe that any of our competitors currently offer a full suite of Unified-CXM solutions that competes across the breadth of our Unified-CXM platform, certain features of our Unified-CXM platform compete in particular segments of the overall Unified-CXM category. Our main competitors include, among others, experience management solutions, including solution media solutions, home-grown solutions and tools, adjacent Unified-CXM solutions, such as social messaging, customer service and support solutions, traditional marketing, advertising and consulting firms and customer relationship management and enterprise resource planning solutions. Further, other established SaaS providers and other technology companies not currently focused on Unified-CXM may expand their services to compete with us. Some of our competitors may be able to offer products or functionality similar to ours at a more attractive price than we can or do, including by integrating or bundling such products with their other product offerings. Additionally, some potential customers, particularly large organizations, have elected, and may in the future elect, to develop their own internal Unified-CXM solutions. Acquisitions, partnerships and consolidation in our industry may provide our competitors even more resources or may increase the likelihood of our competitors offering bundled or integrated products that we may not be able to effectively compete against. In particular, as we rely on the availability and accuracy of various forms of customer feedback and input data, the acquisition of any such data providers or sources by our competitors could affect our ability to continue accessing such data. Furthermore, we also are subject to the risk of future disruptive technologies. If new technologies emerge that are able to collect and process experience data, or otherwise develop Unified-CXM solutions at lower prices, more efficiently, more conveniently or with functionality and features enterprises prefer to ours, such technologies could adversely impact our ability to compete. If we are not able to compete successfully against our current and future competitors, our business, results of operations and financial condition may be adversely affected.

We believe that maintaining and enhancing our reputation as a differentiated and category-defining company in Unified-CXM is critical to our relationships with our existing customers and key employees and to our ability to attract new customers and talented personnel. The successful promotion of our brand depends on a number of factors, including the effectiveness of our marketing efforts, our ability to continue to develop a high-quality platform, our ability to provide reliable services that continue to meet the needs of our customers, our ability to maintain our customers' trust and our ability to successfully differentiate our Unified-CXM platform from competitive solutions, which we may not be able to do effectively. We do not have sufficient operating history to know whether our brand promotion activities will ultimately be successful or yield increased revenue, and, if they are not successful, our business may be adversely affected. Any unfavorable publicity of our business or platform generally, for example, relating to our privacy practices, terms of service, service quality, litigation, regulatory activity, the actions of our employees, partners or customers or the actions of other companies that provide similar solutions to us, all of which can be difficult to predict, could adversely affect our reputation and brand. In addition, independent industry analysts often provide reviews of our Unified-CXM platform, as well as solutions offered by our competitors, and our brand and perception of our Unified-CXM platform in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive compared to those of our competitors' solutions, our brand and market position may be adversely affected. It also may be difficult to maintain and enhance our brand as we expand our marketing and sales efforts through channel or strategic partners. The promotion of our brand also requires us to make substantial expenditures. We anticipate that these expenditures will increase as our market becomes more competitive, as we expand into new markets and as more sales are generated through our channel partners. To the extent that these activities yield increased revenue, this revenue may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand or incur substantial expenses in unsuccessful attempts to promote and maintain our brand, our business may not grow, we may have reduced pricing power relative to competitors and we could lose customers and key employees or fail to attract potential customers or talented personnel, all of which would adversely affect our business, results of operations and financial condition.

Our business depends to a significant extent on the overall demand for enterprise cloud software products and on the economic health of our current and prospective customers. The global economy, including credit and financial markets, has experienced extreme volatility and disruptions, including severely diminished liquidity and credit availability, declines in consumer confidence, declines in economic growth, increases in unemployment rates, fluctuations in inflation and interest rates, disruptions in access to bank deposits or lending commitments due to bank failures and uncertainty about economic stability. The Russia-Ukraine war has also added to, and the Israel-Hamas war and related regional tensions may add to, the extreme volatility in the global capital markets and is expected to have further global economic consequences, including disruptions of the global supply chain and energy markets. In addition, fluctuations in inflation and other macroeconomic pressures in the U.S. and the global economy could exacerbate extreme volatility in the global capital markets and heighten unstable market conditions. Any such volatility and disruptions may have adverse consequences on us or the third parties on whom we rely. If the equity and credit markets continue to deteriorate, including as a result of bank closures, public health crises, or political unrest, war or a global or domestic recession or the fear thereof, it may make any necessary debt or equity financing more difficult to obtain in a timely manner or on favorable terms, more costly or more dilutive. Increased inflation rates can adversely affect us by increasing our costs, including labor and employee benefit costs. In addition, higher inflation also could increase our customers' operating costs, which could result in reduced marketing budgets for our customers and potentially less demand for our platform. Any significant increases in inflation and related increase in interest rates could have a material adverse effect on our business, results of operations and financial condition. To the extent that these weak economic conditions cause our existing customers or potential customers to reduce their budget for Unified-CXM solutions or to perceive spending on such systems as discretionary, demand for our Unified-CXM platform may be adversely affected. Moreover, general economic weakness may lead to longer collection cycles for payments due from our customers, an increase in customer bad debt and restructuring initiatives and associated expenses, and customers and potential customers may require financial concessions, all of which would limit our ability to grow our business and adversely affect our business, results of operations and financial condition. In the event of a catastrophic event, including a natural disaster such as an earthquake, hurricane, fire, flood, tsunami or tornado, or other catastrophic event such as power loss, market manipulation, civil unrest, supply chain disruptions, armed conflict, computer or telecommunications failure, cybersecurity issues, human error, improper operation, unauthorized entry, break-ins, sabotage, intentional acts of vandalism and similar misconduct, war, terrorist attack or incident of mass violence in any geography where our operations or data centers are located or where certain other systems and applications that we rely on are hosted, we may be unable to continue our operations and may endure significant system degradations, disruptions, destruction of critical assets, reputational harm,delays in our application development, breaches of data security and loss of critical data, all of which could have an adverse effect on our future results of operations. We also rely on our employees and key personnel to meet the demands of our customers and run our day-to-day operations. In the event of a catastrophic event, the functionality of our employees could be negatively impacted, which could have an adverse effect on our business, financial condition and results of operations. In addition, natural disasters, cybersecurity attacks, market manipulations, supply chain disruptions, acts of terrorism or other catastrophic events could cause disruptions in our or our customers' businesses, national economies or the world economy as a whole.

During the nine months ended October 31, 2024, approximately 41% of our sales were to customers outside of the Americas. As part of our growth strategy, we expect to continue to expand our international operations, which may include opening additional offices in new jurisdictions and providing our Unified-CXM platform in additional languages and on-boarding new customers outside the United States. Any new markets or countries into which we attempt to sell subscriptions to our Unified-CXM platform may not be receptive to our business development activities. We currently have sales personnel and sales and customer and product support operations in the United States and certain countries across Europe, the Asia Pacific region and the Americas. We believe that our ability to attract new customers to our Unified-CXM platform and to convince existing customers to renew or expand their use of our Unified-CXM platform is directly correlated to the level of engagement we achieve with our customers in their home countries. To the extent that we are unable to effectively engage with non-U.S. customers, we may be unable to effectively grow in international markets. Our international operations also subject us to a variety of additional risks and challenges, including: - increased management, travel, infrastructure and legal compliance costs associated with having operations and developing our business in multiple jurisdictions;- providing our Unified-CXM platform and operating our business across a significant distance, in different languages, among different cultures and time zones, including the potential need to modify our Unified-CXM platform and products to ensure that they are culturally appropriate and relevant in different countries;- compliance with non-U.S. data privacy, protection and security laws, rules and regulations, including data localization requirements, and the risks and costs of non-compliance;- longer payment cycles and difficulties enforcing agreements, collecting accounts receivable or satisfying revenue recognition criteria, especially in emerging markets;- hiring, training, motivating and retaining highly-qualified personnel, while maintaining our unique corporate culture;- increased financial accounting and reporting burdens and complexities;- longer sales cycle and more time required to educate enterprises on the benefits of our Unified-CXM platform outside of the United States;- requirements or preferences for domestic products;- limitations on our ability to sell our Unified-CXM platform and for our solution to be effective in non-U.S. markets that have different cultural norms and related business practices that de-emphasize the importance of positive customer and employee experiences;- differing technical standards, existing or future regulatory and certification requirements and required features and functionality;- political and economic conditions and uncertainty in each country or region in which we operate and general economic and political conditions and uncertainty around the world;- compliance with laws and regulations for non-U.S. operations, including anti-bribery laws, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our Unified-CXM platform and develop our business in certain non-U.S. markets, and the risks and costs of non-compliance;- heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact our financial condition and result in restatements of our consolidated financial statements;- fluctuations in currency exchange rates and related effects on our results of operations;- difficulties in repatriating or transferring funds from or converting currencies in certain countries;- communication and integration problems related to entering new markets with different languages, cultures and political systems;- new and different sources of competition;- differing labor standards, including restrictions related to, and the increased cost of, terminating employees in some countries;- the need for localized subscription agreements;- the need for localized language support and difficulties associated with delivering support, training and documentation in languages other than English;- increased reliance on channel partners;- reduced protection for intellectual property rights in certain non-U.S. countries and practical difficulties of obtaining, maintaining, protecting and enforcing such rights abroad; and - compliance with the laws of numerous foreign taxing jurisdictions, including withholding tax obligations, and overlapping of different tax regimes. Any of these risks and challenges could adversely affect our operations, reduce our revenue or increase our operating costs, each of which could adversely affect our ability to expand our business outside of the United States and thereby our business more generally, as well as our results of operations, financial condition and growth prospects. Compliance with laws and regulations applicable to our international operations substantially increases our cost of doing business. We may be unable to keep current with changes in government requirements as they change from time to time. Failure to comply with these regulations could have adverse effects on our business. In many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. or other regulations applicable to us. Although we have implemented policies and procedures designed to ensure compliance with these laws and policies, there can be no assurance that our employees, contractors, partners and agents will comply with these laws and policies. Violations of laws or our policies by our employees, contractors, partners or agents could result in delays in revenue recognition, financial reporting misstatements, enforcement actions, disgorgement of profits, fines, civil and criminal penalties, damages, injunctions, other collateral consequences and increased costs, including the costs associated with defending against such actions, or the prohibition of the importation or exportation of our Unified-CXM platform and related services, each of which could adversely affect our business, results of operations and financial condition.

We conduct our business in countries around the world and a portion of our transactions outside the United States are denominated in currencies other than the U.S. dollar. While we have primarily transacted with customers and vendors in U.S. dollars to date, from time to time we have transacted in foreign currencies for subscriptions to our Unified-CXM platform and may significantly expand the number of transactions with customers that are denominated in foreign currencies in the future. The majority of our international costs are also denominated in local currencies. In addition, our international subsidiaries maintain net assets or liabilities that are denominated in currencies other than the functional operating currencies of these entities. Accordingly, changes in the value of foreign currencies relative to the U.S. dollar can affect our revenue and results of operations due to transactional and translational remeasurements that are reflected in our results of operations. As a result of such foreign currency exchange rate fluctuations, it could be more difficult to detect underlying trends in our business and results of operations. We currently do not maintain a program to hedge transactional exposures in foreign currencies, but we may do so in the future. The future use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments. There can be no assurance that we will be successful in managing our exposure to currency exchange rate risks, which may adversely affect our business, results of operations and financial condition.

To successfully execute our business strategy, we must attract and retain highly qualified talent. There is high competition for executive officers, software engineers, product managers, account executives, sales leaders and other key talent in our industry. In particular, we compete with many other companies for engineers with high levels of experience in designing, developing and managing cloud-based software, as well as for technical sales, operations and general leadership. In addition, we believe that the success of our business and corporate culture depends on employing people with a variety of backgrounds and experiences, and the competition for such diverse talent is significant. Many of the companies with which we compete for diverse and experienced talent have greater resources than we do and can frequently offer substantially greater compensation and benefits than we can offer, including, in some cases, large equity packages and cash-based awards. In addition, prospective and existing employees often consider the value of the equity awards they receive in connection with their employment. If the perceived value of our equity awards declines, including as a result of volatility or decline in the market price of our Class A common stock or changes in the perception about our future prospects, it may adversely affect our ability to recruit and retain highly qualified talent. In order to manage attrition, including as a result of recent decreases in our stock price and market volatility, we have issued, and may continue to issue, additional equity awards and increased cash compensation to attract and retain talent, which may impact results of operations or be dilutive to stockholders. We also face significant competition in hiring and attracting qualified talent in all aspects of our business, and the opportunity to work remotely or on a hybrid basis has also increased the competition for such talent. If we fail to attract new talent or fail to retain and motivate our current talent, our ability to maintain and grow our products and support our existing customers, attract new customers, respond to competitive pressures, and execute our business plan, would be at risk.