EngageSmart (ESMT) Risk Analysis

It is difficult to predict customer adoption rates and demand for our products, the entry of competitive products or the future growth rate and size of the cloud-based software and SaaS business software markets. The expansion of these markets depends on a number of factors, including: the cost, performance, and perceived value associated with cloud-based and SaaS business software as an alternative to legacy systems, as well as the ability of cloud-based software and SaaS providers to address heightened data security and privacy concerns. If we have a security incident or other cloud-based software and SaaS providers experience security incidents, loss of customer data, disruptions in delivery or other similar problems, which is an increasing focus of the public and investors in recent years, the market for these applications as a whole, including our solutions, may be negatively affected. If cloud-based and SaaS business software does not continue to achieve market acceptance, or there is a reduction in demand caused by a lack of customer acceptance, technological challenges, weakening economic conditions, data security or privacy concerns, governmental regulation, competing technologies and products, or decreases in information technology spending or otherwise, the market for our solutions might not continue to develop or might develop more slowly than we expect, which would adversely affect our business, financial condition, and results of operations.

Our success is dependent, in part, upon protecting our intellectual property and proprietary technology. We rely on a combination of patent, copyright, trademark and trade secret laws, as well as contractual provisions with our employees, independent contractors, consultants and third parties with whom we have relationships to establish and protect our intellectual property and proprietary rights. However, the steps we take to protect our intellectual property may be inadequate, may not afford complete protection and may not adequately permit us to gain or keep any competitive advantage. Further, despite our efforts to obtain and maintain intellectual property rights, we cannot guarantee that we will be able to prevent unauthorized use or disclosure of our confidential information, intellectual property or technology, and we may not have adequate remedies in the event of unauthorized use or disclosure of our confidential information, intellectual property or technology. Various factors outside our control pose a threat to our intellectual property rights, as well as to our products, services and technologies. Although we have been issued patents in the United States and have additional patent applications pending, we may be unable to obtain patent protection for the technology covered in our patent applications or obtain the coverage originally sought. In addition, our existing patents, as well as the patents we obtain in the future may not provide us with competitive advantages or may be successfully challenged by third parties, which could result in them being narrowed in scope or declared invalid or unenforceable. For example, it is possible that third parties, including our competitors, may obtain patents relating to technologies that overlap or compete with our technology. If third parties obtain patent protection with respect to such technologies, they may assert that our technology infringes their patents and seek to charge us a licensing fee or otherwise preclude the use of our technology or file suit against us. We also may allow certain of our registered intellectual property rights, or our pending applications for intellectual property rights, to lapse or to become abandoned if we determine that obtaining or maintaining the applicable registered intellectual property rights is not worthwhile. Despite our efforts to protect our intellectual property and proprietary rights, there can be no guarantee that such rights will be sufficient to protect against others offering products or services that are substantially similar to ours, to prevent them from independently developing similar products, designing around our patents, adopting trade names or domain names similar to ours, or attempting to copy aspects of our technology and using information that we consider proprietary to compete with us, thereby impeding our ability to promote our solutions and possibly leading to customer or client confusion. Despite our efforts to protect our proprietary rights, unauthorized parties may attempt to copy, reverse engineer or otherwise obtain and use our technology, systems, methods, processes, intellectual property and other information that we regard as proprietary to create solutions that compete with ours. Policing unauthorized use of intellectual property and technology can be expensive and time consuming, and regardless of what measures we take, we cannot guarantee that we will be able to detect unauthorized uses. Even if we detect unauthorized uses, we cannot be certain that we will be able to successfully enforce our intellectual property, particularly in foreign countries where the laws may not protect our proprietary rights as comprehensively as in the United States. Litigation may be necessary to enforce our intellectual property rights, to protect our trade secrets or to determine the validity and scope of the proprietary rights of others, which could result in substantial costs and diversion of our resources. Further, our enforcement efforts may be met with defenses and counterclaims challenging the validity and enforceability of our intellectual property rights and may result in a court determining that our intellectual property is invalid or unenforceable. Any changes in, or unexpected interpretations of, intellectual property laws may also compromise our ability to enforce our intellectual property rights. Failure to obtain or maintain protection of our trade secrets or other proprietary information could harm our competitive position and materially and adversely affect our business, operating results and financial condition. In addition, while we rely in part on confidentiality and intellectual property assignment agreements with our employees and contractors involved in the development of material intellectual property for us, which place restrictions on the employees' and contractors' use and disclosure of this intellectual property, these assignments in these agreements may not be self-executing, and the confidentiality provisions may not be sufficient in scope, may be unenforceable, or may otherwise not provide meaningful protection for our trade secrets or other proprietary information in the event of unauthorized use or disclosure or other breaches of the agreements. We cannot guarantee that we have entered into such agreements with each person or entity that may have or have had access to our trade secrets or proprietary information or otherwise developed intellectual property or technology for us. Individuals who were involved in the development of intellectual property for us or who had access to our intellectual property but who are not subject to these agreements may make adverse ownership claims to our current and future intellectual property. Further, these agreements may be breached, and as a result, our trade secrets and other proprietary information may be disclosed or become known to our competitors, which could cause us to lose any competitive advantage, and we may not have adequate remedies for such breaches. Additionally, to the extent that our employees, independent contractors or other third parties with whom we do business use intellectual property owned by others in their work for us, disputes may arise as to the rights in related or resulting works of authorship, know-how and inventions. The loss of trade secret protection could make it easier for third parties to compete with our solutions by copying their functionality. Obtaining and maintaining effective patent, copyright, trademark, service mark, trade secret and domain name protection is time-consuming and expensive. Accordingly, we do not and may not own registered trademarks for all trademarks and logos used in our business in all of the jurisdictions in which we operate or may operate in the future. We may also choose not to seek patent protection for all patentable inventions, and we have chosen not to seek the registration of copyrights in our software solutions. Further, we have and may in the future employ individuals who previously were employed by our competitors, and, as a result, those competitors may bring claims against such individuals or us alleging their intellectual property rights have been infringed, misappropriated or otherwise violated.

The rapid growth we have experienced in our business places significant demands on our operational infrastructure. The scalability and flexibility of our solutions depend on the functionality of our technology and network infrastructure and its ability to handle increased traffic and demand for bandwidth. The growth in the number of customers and their clients using our solutions has increased the amount of data that we process. Any problems with the transmission of increased data could result in harm to our brand or reputation. Moreover, as our business grows, we will need to devote additional resources to improving our operational infrastructure and continuing to enhance its scalability in order to maintain the performance of our solutions, including customer support, risk and compliance operations, and other SaaS solutions services. Any failure of or delay in these efforts could result in service interruptions, impaired system performance, and reduced customer and client satisfaction. If sustained or repeated, these performance issues could reduce the attractiveness of our solutions to our customers and could result in lost customer opportunities and higher attrition rates, any of which could hurt our revenue growth, customer loyalty and our reputation. Even if our efforts to scale our business are successful, they will be expensive and complex, and require the dedication of significant management time and attention. We could also face inefficiencies or service disruptions as a result of our efforts to scale our internal infrastructure. We cannot be sure that the expansion and improvements to our internal infrastructure will be effectively implemented on a timely basis, if at all, and such failures could adversely affect our business, operating results, and financial condition. Moreover, our rapid growth has placed, and will likely continue to place, a significant strain on our managerial, administrative, operational, financial, and other resources. We grew from 592 employees as of December 31, 2020 to 971 employees as of December 31, 2022, substantially all of which were employed on a full-time basis. We intend to further expand our overall business, including headcount, with no assurance that our revenue will continue to grow or grow sufficiently to offset the costs associated with increased headcount. As we grow, we will be required to continue to improve our operational and financial controls and reporting procedures, and we may not be able to do so effectively. Furthermore, some members of our management do not have significant experience managing a large public company, so our management may not be able to manage such growth effectively. In managing our growing operations, we are also subject to the risks of over-hiring, over-compensating our employees, and over-expanding our operating infrastructure. As a result, we may be unable to manage our expenses effectively in the future, which may negatively impact our gross profit or operating income. In addition, we believe that an important contributor to our success has been our corporate culture, which we believe fosters innovation and is rooted in a philosophy of aligning our success with that of our customers. As a result of our rapid growth, a significant portion of our employees have been with us for fewer than three years. As we continue to grow and develop the infrastructure of a public company, we must effectively integrate, develop and motivate a growing number of new employees, who are dispersed geographically, primarily in the U.S. Our geographically dispersed workforce may make it more difficult for our management to manage our growth effectively and preserve our corporate culture. In addition, we must preserve our ability to execute quickly in further developing our solutions and implementing new features and tools. As a result, we may find it difficult to maintain our corporate culture, which could limit our ability to innovate and operate effectively. Any failure to preserve our culture could also negatively affect our ability to recruit and retain personnel, to continue to perform at current levels, or to execute our business strategy effectively and efficiently.

Our solutions enable our customers and partners to communicate directly with their clients, including via email, text messages and telephone calls. Our solutions also enable recording and monitoring of calls between our customers and partners and their clients for training and quality assurance purposes. On occasion, we also send communications directly to clients. These activities are subject to a variety of U.S. state and federal laws, rules, and regulations, such as the TCPA, the CAN-SPAM Act of 2003 (the "CAN-SPAM Act"), and others related to telemarketing, recording, and monitoring of communications. The TCPA prohibits companies from making telemarketing calls to numbers listed in the Federal Do-Not-Call Registry and imposes other obligations and limitations on making phone calls and sending text messages to consumers. The CAN-SPAM Act regulates commercial email messages and specifies penalties for the transmission of commercial email messages that do not comply with certain requirements, such as providing an opt-out mechanism for stopping future emails from senders. The TCPA, the CAN-SPAM Act and other communications laws, rules, and regulations are subject to varying interpretations by courts and governmental authorities and often require subjective interpretation, making it difficult to predict their application and therefore making compliance efforts more challenging. We and our customers and partners may be required to comply with these and similar laws, rules, and regulations. To comply with these laws, rules, and regulations, in some cases we rely on our customers and partners to obtain legally required consents from their consumers to receive communications sent using our solutions. We cannot, however, be certain that our or their efforts to comply will always be successful. Our business could be adversely affected by changes to the application or interpretation of existing laws, rules and regulations governing our solution's communication capabilities, or the enactment of new laws, rules and regulations, and by our and our customers' and partners' failure to comply with such laws, rules and regulations in using our solutions. If any of these laws, rules or regulations were to significantly restrict our or our customers' or partners' ability to use our solutions to communicate with existing and potential clients, we may not be able to develop adequate alternative communication modules for our solutions. Further, our or our customers' or partners' non-compliance with these laws, rules, and regulations could result in significant financial penalties, litigation, including class action litigation, consent decrees and injunctions, adverse publicity, and other negative consequences, any of which could adversely affect our business, operating results, and financial condition and significantly harm our reputation.

We have in the past and/or may in the future become subject to legal proceedings, claims, investigations, regulatory proceedings, or similar matters or actions that arise in the ordinary course of business, such as claims brought by our customers or their clients in connection with commercial disputes, employment claims made by our current or former employees, or claims regarding misappropriation of client data. In addition, the payment networks could impose fines on us or our third-party payment processor(s). Further, state or federal regulators could make inquiries and/or conduct investigations with respect to one or more of our solutions. Even if such claims do not have merit, litigation, investigations, regulatory proceedings, or similar matters might result in substantial costs and may divert management's attention and resources, which might seriously harm our business, operating results and financial condition. Insurance might not cover such matters, might not provide sufficient payments to cover all the costs to resolve one or more such matters and might not continue to be available on terms acceptable to us. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, thereby reducing our operating results and leading analysts or potential investors to reduce their expectations of our performance, which could reduce the market price of our common stock.

We are subject to income taxes in the United States. Our effective tax rate could be adversely affected due to several factors, including: - changes in the relative amounts of income before taxes in the various jurisdictions in which we operate that have differing statutory tax rates;- changes in the United States tax laws and regulations or the interpretation of them, including the Tax Act, as modified by the CARES Act;- changes to our assessment about our ability to realize our deferred tax assets that are based on estimates of our future results, the prudence and feasibility of possible tax planning strategies, and the economic and political environments in which we do business;- the outcome of current and future tax audits, examinations, or administrative appeals; and - limitations or adverse findings regarding our ability to do business in some jurisdictions. New income or other tax laws or regulations could be enacted at any time, which could adversely affect our business operations and financial performance. Further, existing tax laws and regulations could be interpreted, modified, or applied adversely to us. For example, the Tax Act enacted many significant changes to the U.S. tax laws. Future guidance from the IRS and other tax authorities with respect to the Tax Act may affect us, and certain aspects of the Tax Act could be repealed or modified in future legislation. For example, the CARES Act modified certain provisions of the Tax Act. Changes in corporate tax rates, the realization of net operating losses, and other deferred tax assets relating to our operations, the taxation of foreign earnings, and the deductibility of expenses under the Tax Act or future reform legislation could have a material impact on the value of our deferred tax assets and could increase our future U.S. tax expense.

We receive, store and process personal information and other sensitive or confidential customer data. In addition, we receive, store, handle, transmit, use and otherwise process personal and business information and other data from and about actual and prospective customers, as well as our employees and service providers. A wide variety of state, national, and international laws and regulations apply to our collection, use, retention, protection, disclosure, transfer, and other processing of personal information, with oversight by governmental authorities, including the U.S. Federal Trade Commission ("FTC") and various state local and foreign agencies Our data processing activities are also subject to contractual obligations and industry standard requirements. The legislative and regulatory landscapes for privacy, data protection and information security continue to evolve in jurisdictions worldwide which could affect our business. Failure to comply with any of these laws or regulations could result in litigation, enforcement actions, damages, fines, penalties or adverse publicity and reputational damage, any of which could have a material adverse effect on our business, operating results and financial condition. In the United States, various laws and regulations apply to the security, collection, processing, storage, use, disclosure and other processing of certain types of data, including, among others, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, HIPAA, and state laws relating to privacy and data security. Additionally, the FTC and many state attorneys general have interpreted and are continuing to interpret federal and state consumer protection laws to impose standards for the online collection, use, dissemination, processing and security of data. All states in which we operate have laws that protect the privacy and security of sensitive and personal data. Certain U.S. state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than international, federal, or other state laws, and such laws may differ from each other, which may complicate compliance efforts. For example, the CCPA, which came into force in 2020, gives California consumers expanded privacy rights and protections, including the right to access and delete certain personal information, opt-out of certain sales of personal information and receive detailed information about how their personal information is collected, used and shared. The CCPA provides for civil penalties for violations and a private right of action for data breaches. This private right of action has increased the likelihood of, and risks associated with, data breach litigation. While certain information that we maintain in our role as a "business associate" under HIPAA may be exempt from the CCPA, other personal information that we process outside of our role as a HIPAA business associate for or about California consumers may be subject to the CCPA. The expiration of the moratorium on January 1, 2023 on certain of the CCPA's requirements as applied to personal information of a business's employees and related individuals may increase our compliance costs and our exposure to public and regulatory scrutiny, costly litigation, fines and penalties. Additionally, the California Privacy Rights Act (the "CPRA") came into force on January 1, 2023 and imposes additional obligations on companies covered by the legislation and significantly modifies the CCPA, including by expanding California residents' rights with respect to certain sensitive personal information. The CPRA also creates a new state agency that will be vested with authority to implement and enforce the CCPA and the CPRA. The interpretation and enforcement of the CCPA and many aspects of the CPRA remain unclear, and the effects of the CCPA and the CPRA are potentially significant. Provisions of the CCPA and CPRA may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and sanctions and litigation. Certain other state laws impose similar privacy obligations, and all 50 states have laws including obligations to provide notification to affected individuals, state officers, and others in the event of security breaches involving unauthorized access to personal information. Further, the CCPA has prompted the enactment of several new state laws or amendments of existing state laws, which could mark the beginning of a trend toward more stringent privacy legislation in other U.S. states and which have prompted a number of proposals for new federal and state-level privacy legislation. This legislation, if passed, may add additional complexity, require additional investment of resources in compliance programs, adversely impact our business strategies and increase our potential liability. To the extent multiple state-level laws are introduced with inconsistent or conflicting standards and there is no federal law to preempt such laws, compliance with such laws could be difficult and costly to achieve and we could be subject to fines and penalties in the event of non-compliance. We are also subject to certain obligations under HIPAA, as well as certain state laws and related contractual obligations concerning the privacy and security of medical or health-related information. Among other provisions, HIPAA imposes obligations on certain healthcare providers, health plans and healthcare clearing houses ("covered entities") relating to the privacy and security of PHI. Under HIPAA, before disclosing PHI to a service provider for a business purpose, the covered entity must enter into a written agreement with the service provider ("business associate") relating to HIPAA privacy and security requirements. In addition to our obligations under these agreements with our covered entity customers, we may also be directly liable for compliance with certain HIPAA provisions. Among other things, HIPAA requires business associates to: (1) maintain physical and technical and administrative safeguards to prevent PHI from misuse, (2) report security incidents and other inappropriate uses or disclosures of the information to the covered entity and (3) assist covered entities with certain of their duties under HIPAA, including responding to an individual's request to access, correct, restrict, or provide accounting of disclosures related to PHI that a covered entity, and an associated business associate, maintains about that individual. We have policies and safeguards in place intended to protect health information as required by HIPAA and have processes in place to assist us in complying with applicable laws and regulations regarding the protection of this data and responding to any security incidents. Ongoing implementation and oversight of these measures involves significant time, effort and expense and we may have to dedicate additional time and resources to ensure compliance with HIPAA requirements. In addition, HIPAA requirements, and enforcement priorities, are subject to change, which may expose us to additional regulatory scrutiny and increase our costs for compliance. For example, on December 10, 2020, the Office of Civil Rights ("OCR") within the Department of Health and Human Services ("HHS"), issued a Notice of Proposed Rulemaking ("NPRM"), which would, among other things, reduce the length of time for a covered entity to respond to an individual's right of access request. For covered entities (i.e., certain of our customers), HIPAA mandates individual notification in instances of breaches of PHI and specifies that such notifications must be made "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach," though many state breach notification laws require notifications to be provided sooner. If a breach affects 500 patients or more, it must be reported to HHS, without unreasonable delay, and HHS will post the name of the breaching entity on its public website. Breaches affecting 500 individuals or more in the same state or jurisdiction must also be reported to the local media. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually. In our role as a business associate, although HIPAA mandates only that the business associate provide notice of the breach of PHI to the covered entity, some of our customer agreements may require that we provide notifications to the affected individuals and regulators on the covered entity's behalf. Any notifications, including notifications to the public, could harm our business, financial condition, results of operations, and prospects. Penalties for failure to comply with a requirement of HIPAA vary significantly depending on the failure and could include requiring corrective actions, resolution agreements, and/or imposing civil monetary or criminal penalties. HIPAA also authorizes state attorneys general to file suit under HIPAA on behalf of state residents. Courts can award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for HIPAA violations, its standards have been used as the basis for a duty of care claim in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. In addition, many states in which we operate and in which our customers are located also have laws that protect the privacy and security of health information, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts. Where state laws are more protective, we have to comply with the stricter provisions. In addition to imposing fines and penalties upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused, such as the CCPA. Internationally, virtually every jurisdiction in which we operate has established its own data security, privacy and data protection legal frameworks with which our clients and partners must comply. For our clients and partners to comply with these various laws, rules, and regulations, our clients and partners may require us to enter into data processing agreements that may require us to implement certain privacy and data protection obligations. Failure to comply with and implement these contractual data protection obligations could result in breach of contract claims. In particular, the EU General Data Protection Regulation and UK General Data Protection Regulation and UK Data Protection Act 2018 (together, the "GDPR") regulates transfers of personal data subject to the GDPR to third countries that have not been found to provide adequate protection for such personal data, including the United States. Under the GDPR, a data exporter must implement appropriate safeguards such as the Standard Contractual Clauses ("SCCs") approved by the European Commission (in the case of transfers from the European Economic Area ("EEA")) or by the Information Commissioner's Office (in the case of transfers from the UK) unless a specific derogation applies. Our clients or partners subject to the GDPR will need to comply with these requirements and may require us to enter into SCCs which require us to implement certain privacy obligations. Failure to implement these contractual obligations could result in breach of contract claims, expose us to third party beneficiary claims from data subjects, and to regulatory action by European data protection authorities. In July 2020 the European Court of Justice invalidated the EU-US Privacy Shield framework (an adequacy decision approved by the European Commission for transfers to the United States), which provided a mechanism for the transfer of data from European Union member states to the United States, on the grounds that the EU-US Privacy Shield failed to offer adequate protections to EU personal information transferred to the United States. The European Court also advised that SCCs were not alone sufficient to protect personal data transferred to the third countries such as the United States. Use of the data transfer mechanisms such as SCCs must now be assessed on a case-by-case basis by data exporters, with the assistance of data importers where required, taking into account the legal regime applicable in the destination country, in particular applicable surveillance laws and rights of individuals. Further, on June 4, 2021 the European Commission finalized new versions of the SCCs, which came into effect under the Implementing Decision on June 27, 2021 (the "New SCCs"). Under the Implementing Decision, organizations that rely on SCCs to transfer data had until December 27, 2022 to update any existing agreements, and must incorporate the New SCCs into new agreements. As a result of this continued legislative activity and to comply with the Implementing Decision and the new Standard Contractual Clauses, our clients and partners may require us to enter into the New SCCs which will require us to implement additional safeguards to further enhance the security of data transferred out of the EEA/UK, which could increase our compliance costs, expose us to further liability for any breach of contract claims and therefore adversely affect our business. We may also experience hesitancy, reluctance, or refusal by European or multi-national customers to continue to use our products due to the potential risk exposure to such customers as a result of shifting business sentiment in the EEA regarding international data transfers and the data protection obligations imposed on them. We may find it necessary to establish systems to maintain personal data originating from the EEA in the EEA, which may involve substantial expense and may cause us to need to divert resources from other aspects of our business, all of which may adversely affect our business. We and our customers may face a risk of enforcement actions taken by European data protection authorities until the time, if any, that personal data transfers to us and by us from the EEA are legitimized under European law. Changing definitions of personal information and information may also limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing of data. Also, some jurisdictions require that certain types of data be retained on servers within these jurisdictions. Our failure to comply with applicable laws, directives, and regulations may result in enforcement action against us, including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results. The scope and interpretation of the laws and regulations relating to privacy, data protection and information security that are or may be applicable to us are often uncertain and may be conflicting, as a result of the rapidly evolving regulatory framework for privacy issues worldwide. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing data management practices, solutions or capabilities. As a result of the laws that are or may be applicable to us, and due to the sensitive nature of the information we collect, we have implemented policies and procedures to preserve and protect our data and our platform users' data against loss, misuse, corruption, misappropriation caused by systems failures or unauthorized access. If our policies, procedures or measures relating to privacy, data protection, information security or the processing of data for marketing purposes or consumer communications fail to comply with laws, regulations, policies, legal obligations or industry standards, we may be subject to governmental enforcement actions, litigation, regulatory investigations, fines, penalties and negative publicity, and could cause our application providers, clients and partners to lose trust in us, and have an adverse effect on our business, operating results and financial condition. In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that may apply to us. One example of such a self-regulatory standard is the PCI-DSS, which relates to the processing of payment card information. In the event we are required to comply with the PCI-DSS but fail to do so, fines and other penalties could result, and we may suffer reputational harm and damage to our business. Further, our customers may expect us to comply with more stringent privacy and data security requirements than those imposed by laws, regulations or self-regulatory requirements, and we may be obligated contractually to comply with additional or different standards relating to our handling or protection of data on or by our offerings. Because the interpretation and application of privacy, data protection and information security laws, regulations, rules and other standards are still uncertain, it is possible that these laws, rules, regulations and other actual or alleged legal obligations, such as contractual or self-regulatory obligations, may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the functionality of our platform. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which could have an adverse effect on our business. Further, any failure or perceived failure by us, or any third parties with which we do business, to comply with laws, regulations, policies (including our publicly posted privacy policies), procedures, measures, legal or contractual obligations, industry standards or regulatory guidance relating to privacy, data protection or information security may result in governmental investigations and enforcement actions, litigation, fines and penalties, or adverse publicity, and could cause our clients and partners to lose trust in us, which could have an adverse effect on our reputation, business, operating results and financial condition. We expect that there will continue to be new proposed laws, regulations and industry standards relating to privacy, data protection, information security, marketing and consumer communications, and we cannot predict the impact such future laws, regulations and standards may have on our business. Future laws, regulations, standards and other obligations or any changed interpretation of existing laws or regulations may be inconsistent among jurisdictions and may conflict with our current or future practices, which could impair our ability to develop and market new functionality and maintain and grow our client base and increase revenue. Future restrictions on the collection, use, processing, storage, sharing or disclosure of various types of data, including financial information and other personal data, or additional requirements for express or implied consent of our clients, partners or consumers for the collection, use, processing, storage, sharing and disclosure of such information could require us to incur additional costs or modify our platform, possibly in a material manner, and could limit our ability to develop new functionality. Complying with these requirements and changing our policies and practices may be onerous and costly, and we may not be able to respond quickly or effectively to regulatory, legislative and other developments. If we are not able to comply with these laws or regulations, or if we become liable under these laws or regulations, we could be directly harmed, including through fines and litigation, and we may be forced to implement new measures to reduce our exposure to this liability. This may require us to expend substantial resources or to discontinue certain products, which would negatively affect our business, operating results and financial condition. In addition, the increased attention focused upon liability issues as a result of lawsuits and legislative proposals could harm our reputation or otherwise adversely affect the growth of our business. Furthermore, any costs incurred as a result of this potential liability could harm our operating results.

A majority of our revenue is derived from transaction and usage-based fees from our Enterprise and SMB Solutions segments, which are either absorbed by customers or paid by their clients, and the majority of bills paid through our solutions are paid via credit or debit cards. In general, we receive more revenue for card-based payments than for electronic check and ACH payments. Accordingly, if more clients start paying their bills through our solutions by electronic check, ACH or other payment methods with lower transaction fees, it could materially impact our operating results.

We depend on third-party payment processors to process bill payments made through our solutions, including payments made by or though credit and debit cards, ACH transfers, eChecks and PayPal. The per-transaction settlement fees we pay under our agreements are significant. Rapid industry consolidation and reduced competition among payment processors could lead to higher settlement fees that we are not able to pass along to our customers. We also rely on payment processors to collect and store payment card information and provide certain fraud detection services. Our multi-year agreements with payment processors contain industry-standard terms and conditions, including technical requirements for the facilitation of payments and the settlement of transactions and chargebacks. These agreements also obligate us to comply with payment networks' security standards and guidelines, and to reimburse the payment processors for any fines they are assessed by payment networks as a result of any violations by us of the operating rules, procedures, and standards established by payment networks, such as Visa, Mastercard American Express, NACHA and INTERAC (the "Payment Network Rules"). If any of our third-party payment processors were to terminate their relationship with us or cease providing us or our customers with payment processing services, whether as a result of a failure by us to meet our contractual obligations or for other reasons, or if any of them were to refuse to renew its agreement with us on commercially reasonable terms, we would need to engage one or more alternate payment processors. In that case, we could experience service interruptions and incur significant expenses in transitioning to or arranging for replacement payment processing services. Such interruptions could also negatively impact our reputation and our relationships with existing or potential customers and partners, as well as, under certain contracts with our customers, cause us to become obligated to provide service credits or refunds under our service level commitments. Likewise, our third-party payment processors have in the past and may in the future experience outages that have and may cause the temporary loss of the ability to process transactions through our solutions. If any of our third-party payment processors fails to meet our standards and expectations, becomes compromised or suffers errors, outages or vulnerabilities, the ability to process transactions through our solutions may be interrupted or suspended until such issues have been remedied or we have engaged one or more alternate payment processors.

Many of the federal healthcare reform initiatives of the last decade have impacted us and our healthcare practitioner customers and continue to evolve. The American Reinvestment & Recovery Act ("ARRA"), passed in 2009, included the Health Information Technology for Economic and Clinical Health ("HITECH Act"). The HITECH Act introduced an incentive program linked to the "meaningful use" of EHR technology, an effort led by the CMS and the Office of the National Coordinator for Health IT ("ONC"). The ACA, passed in 2010, extended these incentive payments. Currently, our SimplePractice solution includes an electronic medical records service that is not certified as EHR technology and we do not have a current intention to cause the certification of such solution. If we decide in the future to certify our EHR technology, we will need to comply with various standards and specifications that will be subject to change and to interpretation by the entities designated to certify our electronic healthcare technology. Additionally, if our services are not compliant with these evolving regulatory requirements, our market position and sales could be impaired, and we may have to invest significantly in changes to our solutions. Further, we could bear financial risk if we are alleged to have not appropriately complied with these regulations, even if the allegations are untrue. The MACRA, enacted on April 16, 2015, established a new payment framework, called the Quality Payment Program, which modifies certain Medicare payments under the Medicare Physician Fee Schedule to "eligible clinicians," including physicians and other practitioners. Under MACRA, eligible clinicians must participate in either the Merit-Based Incentive Payment System ("MIPS") or Advanced Alternative Payment Model ("Advanced APM"). MIPS generally consolidates three programs: the Physician Quality Reporting System, the Value-based Payment Modifier program, and the Medicare EHR incentive program. Under this consolidated system, eligible clinicians report on metrics related to quality, clinical practice improvement activities and the use of certified EHR technology. Eligible clinicians may receive a positive or negative payment adjustment based on their reported metrics as compared to their peers. Eligible clinicians are not required to participate in MIPS if they are part of an Advanced APM, which can include certain accountable care organizations and other new payment models. CMS has structured these programs to incentivize clinicians to join Advanced APMs instead of participating in MIPS, though its results to date have been mixed. As such, the implications of MACRA and MIPS are uncertain and will depend on future regulatory activity and healthcare provider activity in the marketplace. If in the future we decide to position our solutions for MACRA and MIPS, compliance with applicable standards will need to be continuously monitored, and there can be no assurances that we will be able to maintain such standards and compliance. Any failure to successfully adapt our solutions either to MACRA and MIPS, or to the shift towards Advanced APMs and other value-based payment models, could have a material effect on our business, results of operations and financial condition. Government programs, such as MIPS, have been implemented to accelerate the adoption and utilization of EHRs. Changes to government incentive programs related to EHRs could materially impact healthcare providers' decisions to implement EHR systems or have other impacts that would be unfavorable to our business. There have been and continue to be a number of legislative initiatives to contain healthcare costs. By way of example, the ACA made a number of substantial changes in the way healthcare is financed by both governmental and private insurers. Since its enactment, there have been judicial, executive and Congressional challenges to certain aspects of the ACA, and on June 17, 2021, the U.S. Supreme Court dismissed the most recent judicial challenge to the ACA brought by several states without specifically ruling on the constitutionality of the ACA. Prior to the Supreme Court's decision, President Biden had issued an executive order relating to the ACA, including an instruction to certain governmental agencies to review and reconsider their existing policies and rules that limit access to healthcare. It remains unclear how healthcare reform measures enacted by Congress or implemented by the Biden administration or other challenges to the ACA, if any, will impact the ACA. Additional state and federal healthcare policies and reform measures adopted in the future could have a material adverse impact on our customers and, as a result, our operational results or the manner in which we operate our business.