Viant Technology (DSP) Risk Factors

In 2011, we acquired Myspace LLC, which owns Myspace.com. We have faced and may continue to face claims, investigations, or lawsuits or incur liability as a result of content published or made available on Myspace.com, including claims for defamation, intellectual property rights, including copyright infringement, rights of publicity and privacy, illegal content, misinformation, content regulation and personal injury torts. The laws relating to the liability of providers of online products or services for activities of the people who use them remain somewhat unsettled, both within the United States and internationally. This risk is enhanced in certain jurisdictions outside the United States where our protection from liability for third-party actions may be unclear or where we may be less protected under local laws than we are in the United States. For example, in April 2019, the European Union ("EU") passed a directive expanding online platform liability for copyright infringement and regulating certain uses of news content online, which member states had to implement by June 2021. In addition, there have been various Congressional efforts, executive actions, and civil litigation efforts to restrict the scope of the protections available to online platforms under Section 230 of the Communications Decency Act, and our current protections from liability for third-party content in the United States could decrease or change, or if courts begin to interpret this law more narrowly than they have historically done. We could incur significant costs investigating and defending claims related to content published or made available on Myspace.com and, if we are found liable, could face significant damages. In late 2011, shortly after we acquired Myspace LLC, the Federal Trade Commission ("FTC") initiated an investigation of the entity relating to certain of its historical privacy practices in place between 2008 and 2010. In connection with its 2012 settlement, Myspace LLC agreed to a consent order barring it from misrepresenting the extent to which it protects the privacy of users' personal information or the extent to which it belongs to or complies with any privacy, security or other compliance program. The order also mandates Myspace LLC establish a comprehensive privacy program designed to protect consumers' information, and to obtain biennial assessments of its privacy program by independent, third-party auditors for 20 years. The order terminates in August 2032. If Myspace LLC fails to comply with the mandates of the consent order, or if Myspace LLC is found to be in violation of the consent order or other requirements, we may be subject to regulatory or governmental investigations or lawsuits, which may result in significant monetary fines, judgments, or other penalties, and we may also be required to make additional changes to our business practices. Myspace.com has been and may in the future be subject to cybersecurity incidents or data breaches. In 2016, we discovered a third-party cyber-attack in which Myspace.com usernames, passwords and email addresses were stolen from the old Myspace.com platform prior to June 11, 2013. While we took steps to remediate the attack, any failure to prevent or mitigate security breaches and improper access to or disclosure of the data on Myspace.com could result in litigation, indemnity obligations, regulatory enforcement actions, investigations, fines, penalties, mitigation and remediation costs, disputes, reputational harm, diversion of management's attention, and other liabilities and damage to our business. Myspace.com may also face operational or performance issues. For example, as a result of a server migration project in 2019, older photo, video or audio files of some users were lost. Myspace.com has in the past been, and may in the future be, the subject of unfavorable publicity regarding, for example, its privacy practices, site quality and site operational matters. Myspace.com may also face negative publicity relating to content or information that is published or made available on the platform, including defamation, dissemination of misinformation or news hoaxes, discrimination, violations of intellectual property rights, violations of rights of publicity and privacy, hate speech or other types of content. Any such negative publicity could damage our reputation and the reputation of our primary business, which could adversely affect our business and financial results.

We intend to operate such that Viant Technology LLC does not become a publicly traded partnership taxable as a corporation for U.S. federal income tax purposes. A "publicly traded partnership" is an entity that otherwise would be treated as a partnership for U.S. federal income tax purposes, the interests of which are traded on an established securities market or readily tradable on a secondary market or the substantial equivalent thereof. Under certain circumstances, exchanges of Viant Technology LLC units pursuant to the Viant Technology LLC Operating Agreement or other transfers of Viant Technology LLC units could cause Viant Technology LLC to be treated like a publicly traded partnership. From time to time the U.S. Congress has considered legislation to change the tax treatment of partnerships and there can be no assurance that any such legislation will not be enacted or if enacted will not be adverse to us. If Viant Technology LLC were to become a publicly traded partnership taxable as a corporation for U.S. federal income tax purposes, significant tax inefficiencies might result for us and Viant Technology LLC, including as a result of our inability to file a consolidated U.S. federal income tax return with Viant Technology LLC. In addition, we may not be able to realize tax benefits covered under the Tax Receivable Agreement and would not be able to recover any payments previously made by it under the Tax Receivable Agreement, even if the corresponding tax benefits (including any claimed increase in the tax basis of Viant Technology LLC's assets) were subsequently determined to have been unavailable.

We collect, receive, store, use, transmit, disclose, or otherwise process (collectively, "Process") personal information and other sensitive data such as confidential business data, trade secrets, and intellectual property, from and about consumers, our customers, employees, service providers, and other third parties. We also depend on a number of third-party vendors in relation to the operation of our business, some of which Process data on our behalf. Our and our third-party vendors handling of this data is subject to a wide variety of federal, state, local, and foreign laws regulations, guidance, industry standards, external and internal privacy and security policies, certifications, documents, contracts, and other obligations that govern the Processing of personal information by us and on our behalf. U.S. federal, state, and local governments, and foreign governments have adopted or proposed numerous laws relating to the Processing of personal information relating to individuals and households, including contact information and pseudonymous data, many with a particular focus on marketing and advertising uses of such personal information. The legal landscape for data privacy issues worldwide is complex, continually evolving and often conflicting, and is likely to remain uncertain for the foreseeable future. As a result, our practices may not comply with such laws, regulations or obligations. Any failure or perceived failure to comply with applicable laws or regulations regarding privacy, data protection and cybersecurity could adversely affect our business, brand or reputation and may result in claims, actions, investigations or proceedings against us by regulators or individuals and require us to change our practices, all of which may result in significant costs. In the United States, an ever-increasing number of state laws and regulations apply to the Processing of personal information. In recent years, U.S. federal and state legislatures, along with regulatory authorities, have increased their focus on the collection and use of personal information, including relating to "interest-based," "cross-context behavioral," or "targeted" advertising. As an example, the State Privacy Laws require covered businesses to, among other things, provide disclosures to consumers and grant consumers a right to opt-out of use and disclosure of their personal information for purposes of showing targeted advertisements and "sales" of personal information, a concept that is broadly defined as the disclosure of personal information to a third party for monetary or other valuable consideration. Certain of the State Privacy Laws also require or will require companies to respond to user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanisms, that communicate or signal the consumer's choice to opt-out of the sale or sharing of their personal information, or the use of their personal information for targeted advertising. Laws additionally require covered businesses to take extra precautions for data deemed "sensitive" and offer consumers rights to access, delete, and correct their information. These laws are generally enforced by each state's attorney general with potentially steep penalties for violations. Lawmakers and regulators are also focused on data Processing by companies that do not have direct relationships with the consumers whose personal data they process. Several states, including California and Texas, have recently enacted or updated laws restricting the activities of data brokers. In late 2023, California passed the Delete Act, dramatically increasing obligations and potential penalties relative to the state's preexisting data broker statute. Beyond additional transparency requirements, beginning in August 2026, companies registered as data brokers in California must honor universal deletion requests consumers make of all data brokers via a deletion mechanism the state will create. Beginning in 2028, data brokers must undergo audits verifying their compliance with the Delete Act. These obligations may reduce the data available to Viant, require us to develop complex and expensive compliance tools and procedures, and may result in reductions in revenue. Lawmakers, regulators, and advocates also continue to focus on activities involving the use of certain types of personal data perceived as especially sensitive, such as children's data and health data, which will impact the advertising industry. This includes the Children's Online Privacy Protection Act of 1998 ("COPPA"), which restricts the collection and use of data about users of child-directed websites. The Federal Trade Commission actively enforces COPPA and may in the future update and expand certain parts of the law. Additionally, several State Privacy Laws have increased the age at which a consumer can be shown targeted ads (without opt-in consent) from 13 to 16 or 18 years of age. Related to consumer health information, MHMD introduced a host of new requirements covering a very broadly defined notion of consumer health data, including obligations on disclosures of such data that will impact the advertising industry. MHMD is subject to a private right of action, and plaintiffs' attorneys could explore claims testing the bounds of the law's text. These developments and other comprehensive data privacy and security laws that have been proposed at the federal, state, and local levels in recent years could lead to a varied and increasingly complex regulatory landscape, further complicating our compliance efforts and those of our data suppliers and customers. Additionally, plaintiffs have sought to apply federal wiretap and similar laws, such as the Federal Wiretap Act and Video Privacy Protection Act, and similar U.S. state laws, such as California's Invasion of Privacy Act, to certain advertising and online tracking practices. Such laws include private causes of action, and could be costly to settle or litigate, regardless of the merit of the claim, and may result in significant monetary liability. In order to comply with the varying state data breach reporting laws, we must maintain adequate security measures, which require significant investments in resources and ongoing attention. Outside the United States, certain laws, regulations, and industry standards may apply to our or our suppliers' or customers' data privacy and security practices. The European Union's General Data Protection Regulation 2016/679 ("EU GDPR") and the UK counterpart regulation ("UK GDPR") (collectively the "GDPR") imposes strict requirements applicable to certain Processing of European personal information, respectively, in the European Economic Area ("EEA") and the United Kingdom ("UK"). The applicability analysis under the GDPR is complex, but if we were deemed to operate our business in a manner subject to GDPR, the GDPR provides for significant penalties for noncompliance of up to the greater of €20 million under the EU GDPR / 17.5 million pounds sterling under the UK GDPR, or, in each case, 4% of an enterprise's global turnover (or revenue) for the preceding fiscal year. Companies that violate the GDPR may face prohibitions on data processing and other corrective action, such as class action brought by classes of data subjects or by consumer protection organizations authorized at law to represent their interests. Additionally, Member States may assess other penalties for noncompliance on companies subject to GDPR. Several European legislative proposals could significantly affect our business. For example, the ePrivacy Regulation, which would repeal the ePrivacy Directive, could impose new obligations or limitations in areas affecting our business, notably with respect to the use of cookies. We may have to change our business practices to comply with such obligations. These changes to the regulatory landscape, coupled with EU and UK regulators' increasing focus on compliance with requirements related to the online behavioral advertising ecosystem could, limit the ability to obtain data through integrations with data suppliers, divert the attention of our technology personnel, adversely affect our margins, subject us to liabilities, and may require us to make significant operational changes. Furthermore, we may be unable to transfer personal data from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border transfers of personal information. In particular, the EEA and UK have significantly restricted the transfer of personal data to countries outside of the EEA. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although the European Commission adopted the EU-US Data Privacy Framework and the United Kingdom adopted the UK Extension to permit transfers from the EEA and United Kingdom to the United States and there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, these mechanisms are subject to ongoing legal challenges. If there is no lawful manner for us to transfer personal data from the EEA, the UK or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we may face increased exposure to regulatory actions, substantial fines, and injunctions against Processing or transferring personal information from Europe or elsewhere. For example, some European regulators have ordered certain companies to suspend or permanently cease transfers of personal data out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. The inability to import personal information to the United States could significantly and negatively impact our business operations, including by limiting our ability to collaborate with parties that are subject to European and other data privacy and security laws, limiting our ability to obtain inventory or data from suppliers operating in Europe, or requiring us to increase our personal information processing capabilities and infrastructure in Europe and/or elsewhere at significant expense. Additionally, our employees and personnel use, and increasingly rely on, generative AI and automated decision-making technologies to perform their work, and such usage may be subject to various laws and other obligations, including those related to privacy, and governments have passed and are likely to pass additional laws regulating generative AI. For example, the California Privacy Protection Agency is contemplating regulatory requirements relating to automated decision-making technologies. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and consumer lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. Further, privacy advocates and industry groups have proposed, and may propose in the future, industry standards with which we are legally or contractually bound to comply. Moreover, we may make statements about our data Processing practices in light of these standards. For example, best practices and self-regulatory standards, such as those promulgated by the Network Advertising Initiative ("NAI"), the Digital Advertising Alliance ("DAA"), and their international counterparts, apply to many players in the advertising technology ecosystem. Some of these self-regulatory bodies can discipline members, which could result in fines, penalties, and/or public censure. Additionally, some of these self-regulatory bodies might refer violations of their requirements to the Federal Trade Commission or other regulatory bodies. See "-Our business or ability to operate our platform could be impacted by changes in technology initiated by technology companies, end users, or government regulation. Such developments, including the restriction of "third-party cookies," could cause instability in the advertising technology industry." Similarly, there has been increasing global scrutiny over online political advertising, and online political advertising laws are rapidly evolving. For example, publishers of online content have imposed varying prohibitions and restrictions on the types and breadth of political advertising allowed on their platforms. The lack of uniformity and increasing requirements for transparency and disclosure could adversely impact the demand for political advertising services and increase our operating and compliance costs. Because the interpretation and application of privacy and data protection laws, regulations, standards and other privacy obligations are uncertain and quickly changing, it is possible that these obligations may be interpreted and applied in manners that are, or are asserted to be, inconsistent with our practices. Preparing for and complying with these obligations requires significant resources. Further, adaptation of the digital advertising marketplace requires increasingly significant collaboration between participants in the market, such as publishers and marketers. Failure of the industry to adapt to changes in data privacy and security obligations and user response to such changes could negatively impact inventory, data, and demand. We cannot control or predict the pace or effectiveness of such adaptation, and we cannot predict the impact such changes may have on our business. In addition, it may be necessary for us to fundamentally change our business activities, information technologies, systems, and practices, and to those of any third parties that Process personal information on our behalf. We may at times fail or be perceived to have failed to comply with all applicable data privacy and security obligations, despite our efforts to comply. Moreover, despite our efforts, our customers, personnel or third parties upon whom we rely may fail to comply with such obligations, which could negatively impact our business operations and compliance posture. For example, any failure by a third-party processor to comply with applicable law, regulations, or contractual obligations could result in adverse effects, including inability to operate our business and proceedings against us by governmental entities or others. Any inability, or perceived inability, to address or comply with applicable data privacy or security obligations could result in significant consequences, including, but not limited to, government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-related claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans on Processing personal information; and orders to destroy or not use personal information. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to loss of customers, additional costs and liabilities, damage our reputation, reduction in sales and demand for our platform, and harm our business. We have in the past been, and may in the future be, subject to enforcement actions, investigations, litigation, or other inquiries regarding our data privacy and security practices. For example, the FTC investigated our wholly owned subsidiary, Myspace LLC, and filed a complaint shortly after we acquired them in late 2011. See "-We face liabilities arising out of our ownership and operation of Myspace.com." Plaintiffs have also become increasingly more active in bringing privacy-related claims against companies, including class action claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis; if viable, these claims carry the potential for monumental statutory damages, depending on the volume of data and the number of violations.

Our industry is subject to rapid and frequent changes in technology, evolving customer needs and the frequent introduction by our competitors of new and enhanced offerings. We must regularly make investment decisions regarding offerings and technology to maintain the technological competitiveness of our products and services and meet customer demand and evolving industry standards. The complexity and uncertainty regarding the development of new technologies and the extent and timing of market acceptance of innovative products and services create difficulties in maintaining this competitiveness. The success of any enhancement or new solution depends on many factors, including timely completion, adequate quality testing, appropriate introduction and market acceptance. Without the timely introduction of new products, services and enhancements, including those leveraging AI and machine learning, our offerings could become technologically or commercially obsolete over time, in which case our revenue and operating results would suffer. In addition, such new products, services or enhancements may create new, or exacerbate existing, technological, security, legal and other challenges, could cause unintended consequences and may not perform as intended. If new or existing competitors replicate our offerings or have more attractive offerings, we may lose customers or customers may decrease their use of our platform. New customer demands, superior competitive offerings or new industry standards could require us to make unanticipated and costly changes to our platform or business model. In addition, as we develop and introduce new products and services, including those incorporating or utilizing AI and machine learning and new processing of information, they may raise new, or heighten existing, technological, security, legal and other risks and challenges, that may cause unintended consequences and may not function properly or may be misused by our clients. If we fail to enhance our current products and services or fail to develop new products to adapt to our rapidly changing industry and applicable laws, regulations and other legal obligations, or to evolving customer needs, demand for our platform could decrease and our business, operating results and financial condition may be adversely affected.

Our success depends, in part, on our ability to protect proprietary methods and technologies that we develop or otherwise acquire, so that we can prevent others from using our inventions and proprietary information. If we fail to protect our intellectual property rights adequately, our competitors might gain access to our technology and our business might be adversely affected. We rely upon a combination of patent, trademark, copyright and trade secret laws, as well as third-party confidentiality and non-disclosure agreements, to establish and protect our proprietary rights. Establishing trade secret, copyright, trademark, domain name, and patent protection can be difficult and expensive, the laws, procedures and restrictions may provide only limited protection, and protection may not be available for some of our technology, in particular technology that uses open source software. It may be possible for unauthorized third parties to copy or reverse engineer aspects of our technology or otherwise obtain and use information that we regard as proprietary, or to develop technologies similar or superior to our technology or design around our proprietary rights, despite the steps we have taken to protect our proprietary rights. Our contracts with our employees and contractors that relate to intellectual property issues generally restrict the use of our confidential information solely in connection with our services. However, the theft or misuse of our proprietary information could occur by employees or contractors who have access to our technology. While we have issued patents and patent applications pending, we may be unable to obtain patent protection for the technology covered in our patent applications or such patent protection may not be obtained quickly enough to meet our business needs. Furthermore, the patent prosecution process is expensive, time-consuming, and complex, and we may not be able to prepare, file, prosecute, maintain, and enforce all necessary or desirable patent applications at a reasonable cost or in a timely manner. The scope of patent protection also can be reinterpreted after issuance and issued patents may be invalidated. Even if our patent applications do issue as patents, they may not issue in a form that is sufficiently broad to protect our technology, prevent competitors or other third parties from competing with us or otherwise provide us with any competitive advantage. Policing unauthorized use of our technology is difficult. In addition, the laws of some foreign countries may not be as protective of intellectual property rights as those of the United States, and mechanisms for enforcement of our proprietary rights in such countries may be inadequate. If we are unable to protect our proprietary rights (including in particular, the proprietary aspects of our platform) we may find ourselves at a competitive disadvantage to others who have not incurred the same level of expense, time and effort to create and protect their intellectual property.

We rely on computer systems, hardware, software, technology infrastructure and online sites and networks for both internal and external operations (collectively, "IT Systems"). We own and manage some of these IT Systems but also rely on third parties for various IT Systems, products and services. In addition, our business requires the processing of proprietary, confidential, and sensitive data, including personal information, intellectual property and trade secrets (collectively, "Confidential Data"). Like all companies, our IT Systems and Confidential Data are targets for cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities by third parties that threaten the confidentiality, integrity, and availability of our IT Systems and Confidential Data. We and the third parties upon which we rely face a variety of evolving threats, which could cause security breaches that lead to operational disruption and/or compromises to our IT Systems and Confidential Data. In recent years, the frequency, severity and sophistication of cyber-attacks and other intentional misconduct has significantly increased, and these threats are becoming increasingly difficult to detect. These threats come from a variety of sources, including traditional computer hackers, nation states, threat actors, and personnel (such as through theft or misuse). We and the third parties upon which we rely are subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake given the increased usage of AI, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks (such as credential stuffing), personnel misconduct or error, malfeasance by insiders, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other IT Systems, adware, telecommunications failures, earthquakes, fires, floods, and other similar threats. Threat actors, nation-states, and nation-state-supported actors now engage, and are expected to continue to engage, in cyber-attacks, including for geopolitical reasons and in connection with military conflicts and operations, as well as for financial gain. During times of war and other major conflicts, we and the third parties upon which we rely may be vulnerable to heightened risk of these attacks, including cyber-attacks that could materially disrupt our systems and operations, supply chain, and ability to conduct our business. Ransomware attacks are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversion of funds. Extortion payments may alleviate some of the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Further, we rely upon third-party service providers and technologies to operate critical business systems to process Confidential Data, including, without limitation, third-party providers of cloud-based infrastructure such as Google Cloud Platform and Amazon Web Services, employee email, and other functions. We may share or receive Confidential Data with or from third parties. Our ability to monitor these third parties' security practices is limited, and these parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. Similarly, supply-chain attacks have increased in frequency and severity, and third parties and infrastructure in our supply chain or our third-party partners' supply chains may become compromised or contain exploitable defects or bugs that could result in a breach of or disruption to our IT Systems (including our products/services) or the third-party information technology systems that support us and our services. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. Remote work has become more common and has increased risks to our information technology systems and data, as more of our employees utilize network connections, computers and devices outside our premises or network, including working at home, while in transit and in public locations. Any of the previously identified or similar threats, whether actual or perceived, could cause a security breach or other interruption, resulting in the unauthorized, unlawful, or accidental acquisition, modification, misuse, destruction, disclosure of, encryption of, or loss of Confidential Data. Cyberattacks are expected to accelerate on a global basis in frequency and magnitude as threat actors are becoming increasingly sophisticated in using techniques and tools-including AI-that circumvent security controls, evade detection, and remove forensic evidence. As a result, we may be unable to prevent, detect, investigate, remediate, or recover from future attacks or incidents, or to avoid a material adverse impact to our IT Systems, Confidential Information, or business. There can also be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with or effective in protecting our IT Systems and Confidential Information. Although we have taken measures to protect our systems from such threats, these measures may not be effective, and we and certain of our third-party providers regularly experience cyberattacks and other incidents, and we expect such incidents to continue in varying degrees. For example, in 2016, we discovered a breach of information from our Myspace databases resulting in the unauthorized access and offer for sale of approximately 360 million Myspace user account email addresses, usernames, and hashed passwords. See "-We face liabilities arising out of our ownership and operation of Myspace.com." We take steps to detect and remediate vulnerabilities, but we may not be able to detect and remediate all vulnerabilities because the threats and techniques used to exploit the vulnerability change frequently and are often sophisticated in nature. Therefore, such vulnerabilities could be exploited but may not be detected until after a security incident has occurred. These vulnerabilities pose material risks to our business. Further, we may experience delays in developing and deploying remedial measures designed to address any such identified vulnerabilities. We may incur significant costs in protecting against such cyberattacks and security breaches, and any cyber-related disruption or security breach of our or third parties' IT Systems or Confidential Data could result in adverse consequences, including but not limited to litigation (such as class actions), indemnity obligations, enforcement actions, investigations, fines, penalties, mitigation and remediation costs, disputes, reputational harm, diversion of management's attention, operational disruptions, decreased revenue, and reduced demand for our platform. Further, applicable data privacy and security obligations may require us to notify relevant stakeholders of security incidents. Such disclosures are costly, and the disclosures or the failure to comply with such requirements could lead to adverse consequences. Moreover, our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts will be enforceable or are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. Additionally, our insurance coverage may not be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position. Additionally, confidential or proprietary information of the Company or our customers could be leaked, disclosed, or revealed as a result of or in connection with our employee's, personnel's, or vendor's use of generative AI technologies. Further, certain data privacy and security obligations may require us to implement and maintain a certain level of security. For example, the Federal Trade Commission expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Failure to maintain this level of security could result in government investigations or enforcement actions, litigation, reputational harm, and other material adverse consequences. Finally, as we accept debit and credit cards for payment, we are subject to the Payment Card Industry Data Security Standard ("PCI-DSS"), issued by the Payment Card Industry Security Standards Council. PCI-DSS contains compliance guidelines with regard to our security surrounding the physical and electronic storage, processing and transmission of cardholder data. If we or our service providers are unable to comply with the security standards established by banks and the payment card industry, we may be subject to fines, restrictions and expulsion from card acceptance programs, which could materially and adversely affect our business.

The use of APIs by our customers and suppliers has significantly increased in recent years. Our APIs allow customers and suppliers to build their own media buying and data management interface by using our APIs to develop custom integration of their business with our platform. The increased use of APIs increases security and operational risks to our systems, including the risk for cyber-attacks (including denial-of-service attacks), malicious internet-based activity online and offline fraud and other similar activities threaten the confidentiality, integrity and availability of our platform (for more information on risks related to cyber incidents, see "-A significant breach of our IT Systems or disclosure of our Confidential Data, or of the security of our or our customers', suppliers', or other third parties' systems upon which we rely could be detrimental to our business, reputation and results of operations"). Furthermore, while APIs allow customers and suppliers greater ease and power in accessing our platform, they also increase the risk of overusing our systems, potentially causing outages. We have experienced system slowdowns due to customer or supplier overuse of our systems through our APIs. While we have taken measures intended to decrease risks relating to security, performance and outages associated with the use of APIs, such measures may not be successful. Our failure to prevent outages or security breaches resulting from API use could result in government enforcement actions against us, claims for damages by consumers and other affected individuals, costs associated with investigation, notification, mitigation and remediation, damage to our reputation and loss of goodwill, any of which could have a material adverse impact on our business, operating results and financial condition.

A significant amount of our revenue comes from advertising agencies. Many of these agencies are owned by advertising agency holding companies, where decision-making is generally highly decentralized such that purchasing decisions are made, and relationships with marketers are located, at the agency, local branch or division level. Due to the highly decentralized operations and decision-making at the agencies owned by each of these advertising agency holding companies, we consider the individual agencies rather than the holding company to be our customers. Often, we enter into separate contracts and billing relationships with the individual agencies and account for them as separate customers. However, some holding companies for these agencies may choose to exert control over the individual agencies in the future. If so, any loss of relationships with such holding companies and, consequently, of their agencies, local branches or divisions, as customers could significantly harm our business, operating results and financial condition. We do not have exclusive relationships with advertising agencies, and we depend on agencies to work with us as they embark on advertising campaigns for their clients. The loss of such agencies could significantly harm our business, operating results and financial condition. If we fail to maintain satisfactory relationships with an advertising agency or an advertising agency otherwise chooses not to do business with us, we risk losing business from the marketers represented by that agency. Marketers may change advertising agencies. If a marketer switches from an agency that utilizes our platform to one that does not, we could lose revenue from that marketer. In addition, some advertising agencies have strong relationships with competing DSPs or other platforms and may direct their marketers to such other platforms. We are primarily focused on the U.S. market, while competing DSPs may be focused on international markets. Advertising agencies who seek both domestic and international services, or otherwise limit the number or types of DSPs used, may choose to consolidate with competing DSPs. If a significant number of marketers and their agencies begin to utilize competing platforms for the administration of their advertising campaigns, our business, financial condition and results of operations could be adversely affected.

Our sales cycle, from initial contact to contract execution and implementation, can take significant time. As part of our sales cycle, we may incur significant expenses before we generate any revenue from a prospective customer. The substantial time and money spent on our sales efforts may not generate significant revenue. If conditions in the marketplace, generally or with a specific prospective customer, change negatively, it is possible that we will be unable to recover any of these expenses. Our sales efforts involve educating our customers about the use, technical capabilities and benefits of our platform. Many of our prospective customers undertake a lengthy evaluation process that involves assessing our platform against the offerings of our competitors. As a result, it is difficult to predict when or if we will obtain new customers and begin generating revenue from these new customers. Even if our sales efforts result in obtaining a new customer, the customer controls when and to what extent it uses our platform and therefore the amount of revenue we generate, and it may not sufficiently justify the expenses incurred to acquire the customer and the related training support. As a result, we may not be able to add customers, or generate revenue, as quickly as we may expect, which could harm our growth prospects.

We are a founder-led business, and our future success depends on the continuing efforts of our executive officers and other key employees, including Tim Vanderhook, our chief executive officer, and Chris Vanderhook, our chief operating officer. We rely on the leadership, knowledge and experience that our executive officers provide. They foster our corporate culture, which has been instrumental to our ability to attract and retain new talent. We also rely on employees in our engineering, technical, product development, support and sales teams to attract and retain key customers. The market for talent in our key areas of operations, including California, is intensely competitive, which could increase our costs to attract and retain talented employees. As a result, we may incur significant costs to attract and retain employees, including significant expenditures related to salaries and benefits and compensation expenses related to equity awards, and we may lose new employees to our competitors or other companies before we realize the benefit of our investment in recruiting and training them. We have at times experienced employee turnover. Because of the complexity of our platform, new employees often require significant training and, in many cases, take significant time before they achieve full productivity. Our account managers, for instance, need to be trained quickly on the features of our platform since failure to offer high-quality support may adversely affect our relationships with our customers. Employee turnover, including changes in our management team, could disrupt our business. None of our founders or other key employees has an employment agreement for a specific term, and any of our employees may terminate his or her employment with us at any time. The loss of one or more of our executive officers, especially Tim Vanderhook and Chris Vanderhook, or our inability to attract and retain highly skilled employees could have an adverse effect on our business, operating results and financial condition.

We currently serve our platform functions from third-party data center hosting facilities operated by Google Cloud Platform and Amazon Web Services, and we primarily use shared servers in such facilities. We are dependent on these third parties to provide continuous power, cooling, humidity control, internet connectivity and physical and technological security for our servers, and our operations depend, in part, on their ability to protect these facilities against any damage or interruption from natural disasters, such as earthquakes, wildfires, extreme temperatures, drought, flooding, storms, power or telecommunication failures, criminal acts and similar events. In the event that any of our third-party facilities arrangements is terminated, or if there is a lapse of service or damage to a facility, we could experience interruptions in our platform as well as delays and additional expenses in arranging new facilities and services. Any damage to, or failure of, the systems of our third-party providers could result in interruptions to our platform. Despite precautions taken at our data centers, the occurrence of spikes in usage volume, a natural disaster, such as earthquakes, wildfires, extreme temperatures, drought, flooding, storms, an act of terrorism, vandalism or sabotage, a decision to close a facility without adequate notice, or other unanticipated problems at a facility could result in lengthy interruptions in the availability of our platform. Climate change may increase the frequency and/or intensity of certain of these events and/or of efforts to reduce the impact of such events. For example, in certain areas, there has been an increase in power shutoffs associated with wildfire prevention. Climate change may also result in chronic meteorological changes, including changes to precipitation and temperature patterns, which may likewise disrupt our or our suppliers' operations, require us to incur additional operating or capital expenditures, or otherwise adversely impact our business, financial condition, or results of operations. Even with current and planned disaster recovery arrangements, our business could be harmed. Also, in the event of damage or interruption, our insurance policies may not adequately compensate us for any losses that we may incur. These factors in turn could further reduce our revenue, subject us to liability and cause us to issue credits or cause customers to stop using our platform, any of which could materially and adversely affect our business. We incur significant costs with our third-party data hosting services. If the costs for such services increase due to vendor consolidation, regulation, contract renegotiation, or otherwise, we may not be able to increase the fees for our products and services to cover the changes. As a result, our operating results may be significantly worse than forecasted.