Dropbox (DBX) Risk Factors

The content collaboration market is characterized by rapid technological change and frequent new product and service introductions. Our ability to grow our user base and increase revenue from existing users will depend heavily on our ability to enhance and improve our platform, introduce new features and products, increase our strategic partnerships with third parties, and interoperate across an increasing range of devices, operating systems, and third-party applications. Users may require features and capabilities that our current platform does not have. The need to respond to technological changes may require investments in our business that could impact short-term growth or profitability. We have made, and intend to continue making,significant investments in developing products that will incorporate AI, and while we are optimistic that such new products have the potential to drive future growth of our business, the development of such new features will incur significant costs and there is no guarantee that such new product offerings will ultimately be successful. Additionally, use of newly-developed AI technology could result in reputational harm, operational risks, or legal liability. Moreover, uncertainty in the regulatory landscape relating to AI along with new or enhanced governmental or regulatory scrutiny could negatively impact our business in the U.S. or in other jurisdictions where we operate. For example, the European Union enacted the Artificial Intelligence Act in March 2024 that prohibits certain AI applications and systems and imposes additional requirements on the use of certain applications or systems. In addition, while we believe trends towards remote or distributed work will prove to be significant and long lasting, and that these trends will open up increased market opportunities for us, such as our work on new AI-driven products, such trends or opportunities may not materialize or, if they do, we may not be able to develop new features or products, or enhance our existing offerings, sufficiently to take advantage of them. We invest significantly in research and development, and our goal is to focus our spending on measures that improve quality and ease of adoption and create organic user demand for our platform. There is no assurance that our enhancements to our platform or our new product experiences, partnerships, features, or capabilities will be compelling to our users or gain market acceptance. If our research and development investments do not accurately anticipate user demand, we are unsuccessful in establishing or maintaining our strategic partnerships, or if we fail to develop our platform in a manner that satisfies user preferences in a timely and cost-effective manner, we may fail to retain our existing users or increase demand for our platform. The introduction of new products and services by competitors or the development of entirely new technologies to replace existing offerings could make our platform obsolete or adversely affect our business, results of operations, and financial condition. We may experience difficulties with software development, design, or marketing that could delay or prevent our development, introduction, or implementation of new product experiences, features, or capabilities. We also may experience broad-based business or economic disruptions that could adversely affect the productivity of our employees and result in delays in the development or implementation process. For example, in response to the COVID-19 pandemic, we transitioned to a Virtual First work model, which may lead to disruptions and decreased productivity that could result in delays in our product development process. The risk of such disruptions and decreased productivity may persist as our workforce operates under a Virtual First model. We have in the past experienced delays in our internally planned release dates of new features and capabilities, and there can be no assurance that new product experiences, features, or capabilities will be released according to schedule. Any delays could result in adverse publicity, loss of revenue or market acceptance, or claims by users brought against us, all of which could have a material and adverse effect on our reputation, business, results of operations, and financial condition. Moreover, new features may require substantial investment, and we have no assurance that such investments will be successful. If users do not widely adopt our new product experiences, features, and capabilities, we may not be able to realize a return on our investment. If we are unable to develop, license, or acquire new features and capabilities to our platform on a timely and cost-effective basis, or if such enhancements do not achieve market acceptance, our business, results of operations, and financial condition could be adversely affected.

Unauthorized parties have in the past gained access, and may in the future gain access, to systems, networks, or facilities used in our business through various means, including gaining unauthorized access to our systems, networks, or facilities, attempting to fraudulently induce our employees, users, or others into disclosing user names, passwords, or other sensitive information. For example, as previously disclosed in our Form 8-K filed with the Securities and Exchange Commission on May 1, 2024, on April 24, 2024, we became aware of unauthorized access to the Dropbox Sign production environment. We continue to face risks relating to this incident, including harm to our reputation and customer relationships, and ongoing litigation, in the form of a consolidated class action lawsuit that has been filed in federal court in the Northern District of California, and regulatory scrutiny related to this incident, and we may discover other impacts or new related events may occur that could affect our business operations, financial condition or results of operations. Any unauthorized or inadvertent access to, or an actual or perceived security breach of or incident impacting, our systems, or networks, or facilities, or those of third parties on which we rely, or those of any businesses or technologies we have acquired, could result in an actual or perceived loss of, or unauthorized access to or disclosure, modification, misuse, loss, corruption, unavailability, or destruction of, our data or our users' content, regulatory investigations, proceedings, and orders, claims, demands, and litigation, indemnity obligations, damages, penalties, fines, and other costs in connection with actual and alleged contractual breaches, violations of applicable laws and regulations or other actual or asserted obligations, and other liabilities. Any such incident could also materially damage our reputation and market position and harm our business, results of operations, and financial condition, including reducing our revenue, causing us to issue credits to users, negatively impacting our ability to accept and process user payment information, eroding our users' trust in our services and payment solutions, subjecting us to costly user notification or remediation, harming our ability to retain users, harming our brand, or increasing our cost of acquiring new users. We maintain errors, omissions, and cyber liability insurance policies covering certain security and privacy damages. However, we cannot be certain that our coverage will be adequate for liabilities actually incurred or that insurance will continue to be available to us on economically reasonable terms, or at all. Further, if a high-profile security breach or incident occurs with respect to another content collaboration solutions provider, our users and potential users could lose trust in the security of content collaboration solutions providers generally, which could adversely impact our ability to retain users or attract new ones. We have also incorporated AI technologies into certain products and expect to continue to incorporate additional AI technologies into our products and otherwise into our business and operations in the future. The use of AI technologies and the accelerated product development lifecycle for AI products may create additional or increase existing cybersecurity risks and may result in security or privacy incidents. Further, cybersecurity attacks may use AI technologies and increase the risk of security incidents. The use of our platform involves the transmission, storage, and processing of user content, some of which may be considered personal, confidential, or sensitive information of users or their organizations. We also process, store and transmit our own data as part of our business and operations. This data may include personal, confidential, or sensitive information. We have previously faced and will continue to face security threats from malicious third parties that could obtain unauthorized access to our systems, infrastructure, and networks. We anticipate that these threats will continue to grow in scope and complexity over time. Although we have taken corrective actions in response to past incidents, and have developed systems and processes that are designed to protect the personal data of users and their organizations, protect our systems, prevent data loss, and prevent other security breaches and security incidents, these security measures have not fully protected our systems in the past and cannot guarantee security in the future. Emerging and evolving cybersecurity threats pose unique challenges and involve sophisticated threat actors. Computer malware, ransomware, viruses, social engineering (phishing attacks), denial of service or other attacks, employee theft or misuse and increasingly sophisticated network attacks have become more prevalent, particularly against cloud services. In this fast-changing threat environment, we are continuously assessing our security posture, including through the use of penetration testing and red team exercises, to identify gaps, threats, and vulnerabilities and, where we believe appropriate, we actively take additional and ongoing steps that are intended to strengthen our cybersecurity capabilities and mitigate the risk of a breach or incident. If we fail to respond appropriately to any identified gaps, threats or vulnerabilities, including by providing adequate funding and prioritizing strategic initiatives, or if we fail to adequately identify the gaps, threats or vulnerabilities, we face greater risk that an unauthorized party will obtain access to, or disrupt, our systems or networks or obtain access to data or content that we or third parties on which we rely store or otherwise process. Notwithstanding our efforts, we may fail to detect the existence of security breaches or incidents, including breaches or compromises of user content, and may be unable to prevent unauthorized access to user content. Malicious third parties might use techniques that we are unable to defend against to compromise and infiltrate our systems, infrastructure, and networks. The techniques used to obtain unauthorized access to, and to disable or degrade service, or sabotage systems change frequently and are often not recognized until launched against a target. They may originate from less regulated or remote areas around the world, or from state-sponsored actors, and the risks could also be elevated in connection with wars or other armed conflicts. If our security measures are breached or compromised or we, our systems, facilities or networks, or those of third parties on which we rely otherwise are subject to a security breach or incident, or our users' content or other data is otherwise accessed, misused, modified, rendered unavailable, destroyed, or otherwise processed through unauthorized means, or if any such actions are believed to occur, our platform may be perceived as insecure, and we may lose existing users or fail to attract and retain new users. Moreover, public announcements concerning any cybersecurity-related incidents and steps we may take to respond to or remediate any such incidents could be perceived by securities analysts or investors to be negative, and such perception could, among other things, have an adverse effect on the price of our Class A common stock. We may rely on third parties when deploying our infrastructure, and in doing so, expose it to security risks outside of our direct control. We rely on outside vendors and contractors to perform services necessary for the operation of the business, and they may fail to adequately secure our user and company content data. This risk may increase when vendors and contractors work remotely, including as part of our Virtual First model. Additionally, unapproved internal AI product usage or human error in the product development process each have the potential to result in disclosure of user or company content data. In addition, certain developers or other partners who create applications that integrate with our platform, may receive or store information provided by us or by our users through these applications. If these third parties or developers fail to adopt or adhere to adequate data security practices or the Dropbox Developer Terms and Conditions, or in the event of a breach or other compromise of their networks or systems, our data or our users' data may be improperly accessed, used, or disclosed. Third parties may attempt to compromise our employees and their privileged access into internal systems to gain access to accounts, our information, our networks, or our systems or those of third parties on which we rely. Employee error, malfeasance, errors in our systems and processes, or other errors in the storage, use, transmission, or other processing of personal information has in the past and could in the future result in an actual or perceived breach of user privacy or inadvertent disclosure of information, and such errors could adversely affect our business, brand, and reputation. For example, in the past an error in our use of a trusted third party to provide anti-malware and phishing services resulted in URLs embedded within content shared on Dropbox or uploaded to DocSend being made available to other paid subscribers and partners of that third party. However, only the URLs were sent - neither the document itself, nor any information within it, was shared. To address this, we asked the service provider to delete the affected URLs from its databases, and they have done so. While we are not aware of any URLs that were exploited by malicious actors, we cannot rule this out. As a standard practice, we complied with our notification obligations to applicable regulatory authorities. While we believe we have adequate systems in place to detect and prevent integration of software and services that may compromise personal information, we can provide no assurances those systems will be effective in every case.

The market for content collaboration platforms is competitive and rapidly changing. Certain features of our platform compete in the cloud storage market with products offered by Microsoft, Amazon, Apple, Google, and Adobe and in the content collaboration market with products offered by Microsoft, Atlassian, Slack, and Google. On a more limited basis, we compete with Box in the cloud storage market for deployments by large enterprises, as well as in the e-signature market along with Adobe and DocuSign. We have also made and will continue to make significant investments in developing products in the highly-competitive marketplace for AI technology and, in light of the rapid development and significant competitive pressures, we may not be able to compete effectively or realize a return on our investments. We also compete with smaller private companies that offer point solutions in the cloud storage market or the content collaboration market. We believe the principal competitive factors in our markets include the following: - user-centric design;- ease of adoption and use;- scale of user network;- features and platform experience;- performance;- brand;- security and privacy;- accessibility across several devices, operating systems, and applications;- third-party integration;- customer support;- continued innovation;- pricing;- investments in AI; and - macroeconomic trends. With the introduction of new technologies and market entrants, we expect competition to intensify. Many of our actual and potential competitors have competitive advantages over us, such as greater name recognition, longer operating histories, more varied products and services, larger marketing budgets, more established marketing relationships, access to larger user bases, major distribution agreements with hardware manufacturers and resellers, and greater financial, technical, and other resources. Some of our competitors may make acquisitions or enter into strategic relationships or alliances to offer a broader range of products and services than we do. These combinations make it increasingly difficult for us to compete effectively. We expect these trends to continue as competitors strengthen or maintain their market positions. Demand for our platform is sensitive to price, and our pricing and packaging has in the past and could in the future negatively impact our top of funnel and conversion rates. Many factors, including our marketing, user acquisition and technology costs, and our current and future competitors' pricing and marketing strategies, can significantly affect our pricing strategies. Certain of our competitors offer, or may in the future offer, lower-priced or free products or services that compete with our platform or may bundle and offer a broader range of products and services. Similarly, certain competitors may use marketing strategies that enable them to acquire users at a lower cost than us. There can be no assurance that we will not be forced to engage in price-cutting initiatives or to increase our marketing and other expenses to attract and retain users in response to competitive pressures, either of which could materially and adversely affect our business, results of operations, and financial condition.

We generate, and expect to continue to generate, revenue from the sale of subscriptions to our platform. As a result, widespread acceptance and use of content collaboration solutions in general, and our platform in particular, is critical to our future growth and success. If the content collaboration market fails to grow or grows more slowly than we currently anticipate, or if there are changes in trends with regard to remote or distributed work, demand for our platform could be negatively affected. Changes in user preferences for content collaboration may have a disproportionately greater impact on us than if we offered multiple platforms or disparate products. Demand for content collaboration solutions in general, and our platform in particular, is affected by a number of factors, many of which are beyond our control. Some of these potential factors include: - awareness of the content collaboration category generally;- availability of products and services that compete with ours;- the impact, scale, and duration, of trends towards or away from remote or distributed work;- ease of adoption and use;- features and platform experience;- performance;- brand;- security and privacy;- customer support;- pricing;- investments in AI; and - macroeconomic trends. The content collaboration market is subject to rapidly changing user demand and trends in preferences. If we fail to successfully predict and address these changes and trends, meet user demands, or achieve more widespread market acceptance of our platform, our business, results of operations, and financial condition could be harmed.

We believe that our brand identity and awareness have contributed to our success and have helped fuel our efficient go-to-market strategy. We also believe that maintaining and enhancing the Dropbox brand is critical to expanding our base of users. We anticipate that, as our market becomes increasingly competitive, maintaining and enhancing our brand may become increasingly difficult and expensive. Any unfavorable publicity or consumer perception of our platform or the providers of content collaboration solutions generally could adversely affect our reputation and our ability to attract and retain users. Additionally, if we fail to promote and maintain the Dropbox brand, our business, results of operations, and financial condition will be materially and adversely affected.

We receive, store, process, and use personal information and other user content. Numerous federal, state, local, and international laws and regulations address privacy, data protection, information security, and the storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other content, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions, or conflict with other rules. We also post privacy policies and are subject to contractual obligations to third parties related to privacy, data protection, and information security. We strive to comply with applicable laws, regulations, policies, and other legal obligations relating to privacy, data protection, and information security to the extent possible. However, the regulatory framework for privacy and data protection worldwide is, and is likely to remain, uncertain for the foreseeable future, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. We also expect that there will continue to be new laws, regulations, and industry standards concerning privacy, data protection, AI, and information security proposed and enacted in various jurisdictions. On July 10, 2023, the European Commission adopted an adequacy decision relating to the transfer of personal data from the European Economic Area ("EEA") to the U.S. that takes place under the EU-U.S. Data Privacy Framework ("DPF"). The DPF is the successor to the EU-U.S. Privacy Shield ("Privacy Shield") and allows participating entities to transfer personal data to the U.S. As we continued to participate in Privacy Shield, we transitioned automatically to the DPF. The DPF also applies to transfers from the UK and Switzerland to the U.S. Switzerland must also adopt its own adequacy decision, which is expected to happen shortly. While we rely on legal mechanisms to transfer data from the EEA, the United Kingdom, and Switzerland to the United States, there is some regulatory uncertainty surrounding the future of data transfers from these locations to the United States, and we are closely monitoring regulatory developments in this area. On July 16, 2020, the Court of Justice of the European Union ("CJEU") imposed additional obligations on companies relying on standard contractual clauses approved by the European Commission ("SCCs") to transfer personal data. A recent decision by the Irish Data Protection Commission ("IDPC") found the additional measures employed by Meta Platforms, Inc. ("Meta") in response to the CJEU decision to be inadequate, resulting in an order for Meta to suspend transfers of EU data to the US. This decision was limited to Meta, but similar decisions against other providers are possible. The CJEU and IDPC decisions may result in data protection regulators applying differing standards for, and requiring additional measures in connection with, transfers of personal data from the EEA and Switzerland to the United States. The European Commission issued revised SCCs in June 2021 that are required to be implemented. The revised SCCs and other developments relating to cross-border data transfer may require us to implement additional contractual and technical safeguards for any personal data transferred out of the EEA and Switzerland, which may increase our costs, lead to increased regulatory scrutiny or liability, necessitate additional contractual negotiations, and adversely impact our business, results of operations, and financial results. Additionally, several states in the U.S. have enacted new data privacy laws. For example, the California Consumer Privacy Act of 2018 ("CCPA"), which affords consumers expanded privacy protections, went into effect on January 1, 2020. The California Privacy Rights Act ("CPRA"), effective as of January 1, 2023, significantly modified the CCPA, resulting in uncertainty and requiring us to incur additional costs and expenses. The enactment of the CCPA has prompted similar legislative developments in other states. For example, Virginia, Colorado, Utah, and Connecticut have each passed laws similar to the CCPA and CPRA that took effect in 2023; Florida, Montana, Oregon, and Texas have enacted similar laws that have taken effect in 2024; Tennessee, Delaware, New Jersey, Nebraska, Iowa, Maryland, Minnesota, and New Hampshire have enacted similar laws that go into effect in 2025, and Indiana, Kentucky, and Rhode Island have enacted similar laws that will go into effect in 2026. Other laws relating to privacy and cybersecurity, many of which are similar to the CCPA and CPRA, are being considered by other state legislatures, and the U.S. federal government is contemplating federal privacy legislation. These developments create the potential for a patchwork of overlapping but different laws throughout the U.S. relating to privacy and cybersecurity. The effects of the CCPA and these other laws remain far-reaching and, depending on final regulatory guidance and other related developments, may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply. Similarly, a number of legislative initiatives in the EEA and the United States, at both the federal and state level, as well as other jurisdictions have been proposed or enacted, and could impose new obligations in areas affecting our business. For example, on November 17, 2022, the Digital Services Act ("DSA") entered into force in the EU and includes new obligations to limit the spread of illegal content and illegal products online, increase the protection of minors, and provide users with more choice and transparency and allows for fines of up to 6% of annual turnover. The impacts of the DSA on the overall industry, business models and our operations are uncertain, and these regulations could result in changes to our subscriptions or introduce new operational requirements and administrative costs, each of which could have an adverse effect on our business, results of operations, and financial condition. Further, the EU revised its Cybersecurity Directive ("NIS2"), with EU member states obligated to transpose it into national law by October 17, 2024. NIS2, among other things, obligates companies to adopt or update policies and procedures on issues such as incident handling and supply chain security, implementing certain administrative measures, and requires top management's involvement in cybersecurity risk-management measures, with top management potentially held liable for non-compliance. More generally, NIS2 provides for significant penalties for noncompliance, requiring EU member states to provide for a maximum fine level of at least €10,000,000 or 2% of annual turnover, whichever is greater. In addition, some countries are considering or have passed legislation implementing data protection requirements or requiring local storage and processing of data, or similar requirements, that could increase the cost and complexity of delivering our services. With laws and regulations such as the GDPR in the EU and the CCPA in the U.S. imposing new and relatively burdensome obligations, and with substantial uncertainty over the interpretation and application of these and other laws and regulations, we may face challenges in addressing their requirements and making necessary changes to our policies and practices, and may incur significant costs and expenses in an effort to do so. Any failure or perceived failure by us to comply with our privacy policies, our privacy-related obligations to users or other third parties, or any of our other legal obligations relating to privacy, data protection, or information security may result in governmental investigations, enforcement actions or other proceedings, litigation, claims, or public statements against us by consumer advocacy groups or others, and could result in significant liability or cause our users to lose trust in us, which could have an adverse effect on our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our users may limit the adoption and use of, and reduce the overall demand for, our services. In addition to government regulation, self-regulatory standards and industry-specific regulations, other industry standards or requirements may legally or contractually apply to us or be argued to apply to us, or we may elect to comply with, or to facilitate our customers' compliance with, such regulations, standards, requirements, or other actual or asserted obligations. If we are unable or are perceived to be unable to comply with any of these regulations, standards, requirements, or other actual or asserted obligations, if we are unable to maintain certifications or standards relevant to our customers, or if our customers are unable to obtain regulatory approval to use our services where required, our business may be harmed. In addition, an inability to satisfy the standards of certain government agencies that our customers may expect may have an adverse impact on our business and results. Additionally, if third parties we work with, such as vendors or developers, violate applicable laws or regulations or our policies, such violations may also put our users' content at risk and could in turn have an adverse effect on our business. Any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, or disclosure of our users' content, or regarding the manner in which the express or implied consent of users for the collection, use, retention, or disclosure of such content is obtained, could increase our costs and require us to modify our services and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and process user data or develop new services and features.

Our business may be affected by general economic, political, and market conditions, including any resulting negative impact on spending by our business and consumer users. Some of our users may view a paid subscription to our platform as a discretionary purchase, and our paying users have in the past and may in the future reduce their spending on our platform during an economic downturn, especially in the event of a prolonged recessionary period. Concerns about inflation, interest rates, unemployment trends, geopolitical issues, including wars and other armed conflicts, global health epidemics and other highly communicable diseases, bank insolvencies and related uncertainty and volatility in the financial services industry, or a widespread economic slowdown or recession (in the United States or internationally) have led to, and could continue to lead to, increased market volatility and economic uncertainty, which could cause current and prospective paying users to delay, decrease, or cancel purchases of our products and services, or delay or default on their payment obligations. In response to economic uncertainty, we have been more disciplined in our hiring and operating expenses, either of which could negatively impact our ability to grow and invest in our business. As a result, our business, results of operations, and financial condition may be significantly affected by changes in the economy generally.

We have paying users across approximately 180 countries and approximately half of our revenue in the year ended December 31, 2023 was generated from paying users outside the United States. We expect to continue to expand our international operations, which may include employees working in new jurisdictions and providing our products in additional languages. Any new markets or countries into which we attempt to sell subscriptions to our platform may not be receptive. For example, we may not be able to expand further in some markets if we are unable to satisfy certain government- and industry-specific requirements. In addition, our ability to manage our business and conduct our operations internationally requires considerable management attention and resources and is subject to the particular challenges of supporting a rapidly growing business in an environment of multiple languages, cultures, customs, legal and regulatory systems, alternative dispute systems, and commercial markets. International expansion has required, and will continue to require, investment of significant funds and other resources. Expanding and operating internationally subjects us to regulatory, economic, geographic, social, and political risks and may increase risks that we currently face, including risks associated with: - compliance with applicable international laws, regulations, and standards including laws and regulations with respect to labor and employment, privacy, data protection, cybersecurity, AI, consumer protection, tax, export control and sanctions, and unsolicited email, and the risk of penalties to our users and individual members of management or employees if our practices are deemed to be out of compliance;- recruiting and retaining talented and capable employees in locations outside the United States, and maintaining our company culture across all of our locations, including in light of our Virtual First work model and an increasingly distributed workforce;- providing our platform and operating our business across a significant distance, in different languages and among different cultures, including the potential need to modify our platform and features to ensure that they are culturally appropriate and relevant in different countries;- management of an employee base in jurisdictions that may not give us the same employment and retention flexibility as the United States;- operating in jurisdictions that do not protect intellectual property rights in the same manner or to the same extent as the United States;- compliance by us and our business partners with anti-corruption laws, import and export control laws, tariffs, trade barriers, economic sanctions, and other regulatory limitations on our ability to provide our platform in certain international markets;- foreign exchange controls that might require significant lead time in setting up operations in certain geographic territories and might prevent us from repatriating cash earned outside the United States;- political, social, and economic instability, conflicts, and wars, and their regional and global ramifications;- changes in diplomatic and trade relationships, including the imposition of new trade restrictions, trade protection measures, import or export requirements, trade embargoes and other trade barriers;- double taxation of our international earnings and potentially adverse tax consequences due to changes in the income and other tax laws of the United States or the international jurisdictions in which we operate;- higher costs of doing business internationally, including increased accounting, travel, infrastructure, and legal compliance costs; and - the impact of natural disasters and public health epidemics on employees, travel and the global economy. If we continue to invest substantial time and resources to expand our operations internationally and are unable to manage these risks effectively, our business, financial condition, and results of operations could be adversely affected. In addition, continued international expansion may subject our business to broader economic, political, and other international risks, including economic volatility, security risks, and geopolitical conflicts. Further, compliance with laws, regulations, and standards applicable to our global operations substantially increases our cost of doing business in international jurisdictions. We may be unable to keep current with changes in laws, regulations, or standards as they change. Although we have implemented policies and procedures designed to support compliance with these laws, regulations, and standards there can be no assurance that we will always maintain compliance or that all of our employees, contractors, partners, and agents will comply with the varying and sometimes conflicting laws, regulations and standards in all jurisdictions. Any violations could result in regulatory investigations and enforcement actions, fines, civil and criminal penalties, damages, injunctions, restrictions on our ability to conduct business, or reputational harm. If we are unable to comply with these laws and regulations or manage the complexity of our global operations successfully, our business, results of operations, and financial condition could be adversely affected.

Occurrence of any catastrophic event, including earthquake, fire, flood, tsunami, or other weather event, power loss, telecommunications failure, software or hardware malfunctions, cyber-attack, war, or terrorist attack, could result in lengthy interruptions in our service or result in unexpected increases in our costs. Further, outbreaks of pandemic diseases, or the fear of such events, have resulted in responses, including government-imposed travel restrictions, grounding of flights, and shutdown of workplaces. As a result, we have in the past conducted business with substantial modifications, including modifications to employee travel and employee work locations. Any such modifications we make in the future may disrupt important business operations, such as our product development and sales and marketing activities, and the productivity of our employees. Additionally, our U.S. headquarters is located in the San Francisco Bay Area, a region known for seismic activity, and our insurance coverage may not compensate us for losses that may occur in the event of an earthquake or other significant natural disaster. In addition, acts of terrorism could cause disruptions to the internet or the economy as a whole. Even with our disaster recovery arrangements, our service could be interrupted. If our systems were to fail or be negatively impacted as a result of a natural disaster or other event, our ability to deliver products to our users would be impaired, we could lose critical data and we may be subject to increased costs. If we are unable to develop adequate plans to mitigate the impact of a disaster or to ensure that our business functions continue to operate during and after a disaster, and successfully execute on those plans in the event of a disaster or emergency, our business, results of operations, financial condition, and reputation would be harmed.

We conduct our business across approximately 180 countries around the world. As we continue to expand our international operations, we will become more exposed to the effects of fluctuations in currency exchange rates. This exposure is the result of selling in multiple currencies and operating in foreign countries where the functional currency is the local currency. In 2023, 27% of our sales were denominated in currencies other than U.S. dollars. Our expenses, by contrast, are primarily denominated in U.S. dollars. As a result, any increase in the value of the U.S. dollar against these foreign currencies has in the past and could in the future cause our revenue to decline relative to our costs, thereby decreasing our margins. Our results of operations are primarily subject to fluctuations in the Euro and British pound sterling. Because we conduct business in currencies other than U.S. dollars, but report our results of operations in U.S. dollars, we also face translation exposure to fluctuations in currency exchange rates, which could hinder our ability to predict our future results and earnings and could materially impact our results of operations. We do not currently maintain a program to hedge exposures to non-U.S. dollar currencies.

We use software and services licensed and procured from third parties to develop and offer our platform. We may need to obtain additional licenses and services from third parties to use intellectual property and technology associated with the development of our platform, which might not be available to us on acceptable terms, or at all. Any loss of the right to use any software or services required for the development and maintenance of our platform could result in delays in the provision of our platform until equivalent technology is either developed by us, or, if available from others, is identified, obtained, and integrated, which could harm our platform and business. Any errors or defects in third-party software or services could result in errors or a failure of our platform, which could harm our business, results of operations, and financial condition. We also depend on our ecosystem of developers to create applications that will integrate with our platform. As of December 31, 2023, Dropbox was receiving over 75 billion API calls per month, and just under 1,000,000 developers had registered and built applications on our platform. Our reliance on this ecosystem of developers creates certain business risks relating to the quality of the applications built using our APIs, service interruptions of our platform from these applications, lack of service support for these applications, and possession of intellectual property rights associated with these applications. We may not have the ability to control or prevent these risks. As a result, issues relating to these applications could adversely affect our business, brand, and reputation.