Evolv Technologies Holdings (EVLV) Risk Factors

Our future success depends, in part, on our ability to expand the deployment of our products with existing customers by selling them additional Evolv Express systems. This may require increasingly sophisticated and costly sales efforts and may not result in additional sales. In addition, the rate at which our customers purchase additional products depends on a number of factors, including the perceived need for additional touchless security screening solutions as well as general economic conditions. If our efforts to sell additional products to our customers are not successful, our business may suffer.

Our success depends on our ability to acquire new customers in new and existing vertical markets, and in new and existing geographic markets. If we are unable to attract a sufficient number of new customers and retain our existing customers, we may be unable to generate revenue growth at desired rates. The physical security solutions market is competitive, and many of our competitors have significantly greater financial, personnel, and other resources than we do and may be able to devote greater resources to their efforts to develop solutions and attract customers. As a result, it may be difficult for us to add new customers to our customer base. Competition in the marketplace may also lead us to win fewer new customers or result in us providing discounts and other commercial incentives to win new customers or retain our existing customers. Additional factors that impact our ability to acquire new customers and retain existing customers include the perceived need for AI-based weapons detection for security solutions, the size of our prospective customers' security budgets, the availability of government funding, the utility and efficacy of our existing and new products or product enhancements, whether proven or perceived, and general economic conditions. These factors may have a meaningful negative impact on our future revenues and operating results. While our immediate focus is on the United States market, our long-term success in part depends on our ability to acquire new customers outside the United States. The United States has significantly more privately owned firearms than any other country. If customers in other countries do not perceive the threat of firearms and weapons to be significant enough to justify the purchase of our products, we will be unable to establish a meaningful business outside the United States. If we are unable to attract a sufficient number of new customers outside the United States, we may be unable to generate future revenue growth at desired rates in the long term.

Approximately 4% of our revenue was generated by sales to government entities during each of the years ended December 31, 2023 and December 31, 2022, respectively. Selling to government entities can be highly competitive, expensive, and time-consuming, and often requires significant upfront time investment and expense without any assurance of winning a sales contract. Government demand and payment for our solutions may also be impacted by changes in fiscal or contracting policies, changes in government programs or applicable requirements, the adoption of new laws or regulations or changes to existing laws or regulations, public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions. Accordingly, increasing sales of our products to government entities may be more challenging than selling to commercial organizations, especially given extensive certification, compliance, clearance, and security requirements. Government agencies may have statutory, contractual, or other legal rights to terminate contracts with us or reseller partners. Further, in the course of providing our solutions to government entities, our employees and those of our reseller partners may be exposed to sensitive government information. Any failure by us or our reseller partners to safeguard and maintain the confidentiality of such information could subject us to liability and reputational harm, which could materially and adversely affect our results of operations and financial performance. Governments routinely investigate and audit government contractors' administrative processes, and any unfavorable audit may cause the government to shift away from our solutions and may result in a reduction of revenue, fines or civil or criminal liability if the audit uncovers improper or illegal activities, which could adversely impact our results or operations.

Our business model is dependent, in part, on our ability to maintain and increase subscriptions for our proprietary products as they generate recurring revenues. Existing and future customers of our products may not purchase our subscriptions for our proprietary products at the same rate at which customers currently purchase those subscriptions. If our current and future customers purchase a lower volume of our subscriptions for our proprietary products, our recurring revenue stream relative to our total revenues would be reduced and our operating results would be adversely affected.

Third parties may in the future assert claims of infringement, misappropriation, or other violations of intellectual property rights against us. They may also assert such claims against our customers or reseller partners, whom we typically indemnify against claims that our products infringe, misappropriate, or otherwise violate the intellectual property rights of third parties. If we do infringe a third party's rights and are unable to provide a sufficient workaround, we may need to negotiate with holders of those rights to obtain a license to those rights or otherwise settle any infringement claim as a party that makes a claim of infringement against us may obtain an injunction preventing us from shipping products containing the allegedly infringing technology. As the number of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation, and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation, or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business. Future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past. An adverse outcome of a dispute may require us to: - pay substantial damages, including treble damages, if we are found to have willfully infringed a third party's patents or copyrights;- make substantial payments for legal fees, settlement payments or other costs or damages;- cease selling, making, licensing, or using products that are alleged to infringe or misappropriate the intellectual property of others;- expend additional development resources to attempt to redesign our products or otherwise develop non-infringing technology, which may not be successful;- enter into potentially unfavorable royalty or license agreements to obtain the right to use necessary technologies or intellectual property rights;- take legal action or initiate administrative proceedings to challenge the validity and scope of the third-party rights or to defend against any allegations of infringement; and - indemnify our partners and other third parties. In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Any of the foregoing events could seriously harm our business, financial condition, and results of operations. Even if the claims do not result in litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and harm our business and operating results. Moreover, there could be public announcements of the results of hearings, motions, or other interim proceedings or developments and if securities analysts or investors perceive these results to be negative, it could have a substantial adverse effect on the price of our ordinary shares. We expect that the occurrence of infringement claims is likely to grow as the market for our products and solutions grows. Accordingly, our exposure to damages resulting from infringement claims could increase and this could further exhaust our financial and management resources.

Our future success and competitive position depend in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patent, trademark, copyright, and trade secret laws and contractual protections in the United States and other jurisdictions, all of which provide only limited protection and may not now or in the future provide us with a competitive advantage. We maintain a program of identifying technology appropriate for patent protection. Our practice is to require employees and consultants to execute non-disclosure and proprietary rights agreements upon commencement of employment or consulting arrangements. These agreements acknowledge our exclusive ownership of all intellectual property developed by the individuals during their work for us and require that all proprietary information disclosed will remain confidential. Such agreements may not be enforceable in full or in part in all jurisdictions and any breach could have a negative effect on our business and our remedy for such breach may be limited. We own or co-own eight issued U.S. patents and 24 issued foreign patents and have 24 pending or allowed patent applications relating to our products. It cannot be certain that any patents will issue from any patent applications, that patents that issue from such applications will give us the protection that we seek or that any such patents will not be challenged, invalidated, or circumvented. Any patents that may issue in the future from our pending or future patent applications may not provide sufficiently broad protection and may not be enforceable in actions against alleged infringers. We have registered the Evolv Technology, Evolv Express, Evolv Insights, Evolv Cortex AI, and Evolv Edge names and logos in the United States and certain other countries. We also have registrations and/or pending applications for additional marks in the United States and other countries; however, we cannot be certain that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. We also license software from third parties for integration into our products, including open source software and other software available on commercially reasonable terms. We cannot be certain that such third parties will maintain such software or continue to make it available. If we are unable to maintain sufficient intellectual property protection for our proprietary technologies or if the scope of the intellectual property protection obtained is not sufficiently broad, our competitors and other third parties could develop and commercialize technologies similar or identical to ours, and our ability to successfully commercialize our technologies may be impaired. While we take steps to protect our intellectual property, the steps we take may be inadequate to prevent infringement, misappropriation, or other violations of our intellectual property rights. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Any of our patents or other intellectual property rights may be challenged by others or invalidated through administrative process or litigation. Furthermore, legal standards relating to the validity, enforceability, and scope of protection of intellectual property rights are uncertain. Some license provisions protecting against unauthorized use, copying, transfer, and disclosure of our offerings may be unenforceable under the laws of certain jurisdictions and foreign countries. In addition, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States, and mechanisms for enforcement of intellectual property rights in some foreign countries may be inadequate. Changes in the law or adverse court rulings may also negatively affect our ability to prevent others from using our technology. To the extent we expand our international activities, our exposure to unauthorized copying and use of our technology and proprietary information may increase. We may be required to spend significant resources to monitor and protect our intellectual property rights. From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could negatively affect our business, operating results, and financial condition. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims, and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation, could delay further sales or the implementation of our products and offerings, impair the functionality of our products and offerings, delay introductions of new features or enhancements, result in our substituting inferior or more costly technologies into our products and offerings, or injure our reputation.

We use machine learning, artificial intelligence, and automated decision making technologies, including propriety artificial intelligence and machine learning algorithms, in the development and operation of our AI-based weapons detection products for security screening. There are significant risks involved in developing, maintaining, and deploying machine learning and artificial intelligence technologies and there can be no assurance that the usage of such technologies will always enhance our products or services or be beneficial to our business, including our efficiency or profitability. In particular, if these artificial intelligence or machine learning models are incorrectly designed or implemented; trained or reliant on incomplete, inadequate, inaccurate, biased or otherwise poor quality data or on data to which we do have sufficient rights; and/or are adversely impacted by unforeseen defects, technical challenges, cyber security threats or material performance issues, the performance of our products, services, and business, as well as our reputation and the reputations of our customers, could suffer or we could incur liability through the violation of laws or contracts to which we are a party or civil claims. Further, our ability to continue to develop or use such technologies may be dependent on access to specific third-party software and infrastructure, such as processing hardware or third-party artificial intelligence models, and we cannot control the availability or pricing of such third party software and infrastructure, especially in a highly competitive environment. In addition, market acceptance and consumer perceptions of artificial intelligence and machine learning technologies are uncertain. A number of aspects of intellectual property protection in the field of artificial intelligence and machine learning are currently under development, and there is uncertainty and ongoing litigation in different jurisdictions as to the degree and extent of protection warranted for artificial intelligence and machine learning systems and relevant system input and outputs. If we fail to obtain protection for the intellectual property rights concerning our artificial intelligence and machine learning technologies, or later have our intellectual property rights invalidated or otherwise diminished, our competitors may be able to take advantage of our research and development efforts to develop competing products.

We, our reseller partners, and our customers are subject to a number of domestic and international laws and regulations that apply to cloud services and the internet generally. These laws, rules, and regulations address a range of issues including data privacy and cyber security, breach notification and restrictions or technological requirements regarding the collection, use, storage, protection, disclosure, retention, transfer, or other processing of data. The regulatory framework for online services, data privacy and cyber security issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many federal, state, local, and foreign government bodies and agencies have adopted or are considering adopting laws, rules and regulations regarding the collection, use, storage, disclosure and other processing of information, web browsing and geolocation data collection, data analytics, facial recognition, cyber security, and breach response and notification procedures. Furthermore, new laws and regulations that apply to our business are being introduced at every level of government in the United States, as well as internationally. As we seek to expand our business, we are, and may increasingly become subject to various laws, regulations, and standards, and may be subject to contractual obligations relating to data privacy and security in the jurisdictions in which we operate. For example, in the United States, there are numerous federal and state data privacy and security laws, rules, and regulations governing the collection, use, disclosure, retention, security, transfer, storage, and other processing of personal information, including federal and state data privacy laws, data breach notification laws, and consumer protection laws. The FTC and many state attorneys general are interpreting federal and state consumer protection laws to impose standards for the online collection, use, dissemination, and security of data. Such standards require us to publish statements that describe how we handle personal data and choices individuals may have about the way we handle their personal data. If such information that we publish is considered untrue or inaccurate, we may be subject to government claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences. Moreover, according to the FTC, violating consumers' privacy rights or failing to take appropriate steps to keep consumers' personal data secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. State consumer protection laws provide similar causes of action for unfair or deceptive practices. There are also laws and regulations governing the collection and use of biometric information, such as fingerprints and face prints. For example, the Illinois' Biometric Information Privacy Act ("BIPA") applies to the collection and use of "biometric identifiers" and "biometric information" which include finger and face prints. Several class action lawsuits have been brought under BIPA, as the statute is broad and still being interpreted by the courts. In addition, the California Consumer Privacy Act, or the CCPA, as amended by the California Privacy Rights Act, and the data protection and security laws of other states impose requirements with respect to disclosure and deletion of personal information of their residents, imposing penalties for violations and, in some cases, private right of action for data breaches. These laws, and similar legislation in other states that are developing or have been recently enacted, impose transparency and other obligations with respect to personal data of their respective residents and provide residents with similar rights for certain types of data breaches. This legislation may add additional complexity, variation in requirements, restrictions, and potential legal risk, require additional investment in resources to compliance programs, could impact strategies and availability of previously useful data, and could result in increased compliance costs and/or changes in business practices and policies. Further, some laws may require us to notify governmental authorities and/or affected individuals of data breaches involving certain personal information or other unauthorized or inadvertent access to or disclosure of such information. We may need to notify governmental authorities and affected individuals with respect to such incidents. For example, laws in all 50 U.S. states may require businesses to provide notice to consumers whose personal information has been disclosed as a result of a data breach. These laws are not consistent, and compliance in the event of a widespread data breach may be difficult and costly. We also may be contractually required to notify consumers or other counterparties of a security breach. Regardless of our contractual protections, any actual or perceived security breach or breach of our contractual obligations could harm our reputation and brand, expose us to potential liability or require us to expend significant resources on data security and in responding to any such actual or perceived breach. Internationally, virtually every jurisdiction in which we operate has customers and/or have prospective customers to which we market has established its own data security and privacy legal frameworks with which we, our reseller partners or our customers must comply. For example, in the European Union, the General Data Protection Regulation 2016/679 ("GDPR") imposes requirements on controllers and processors of personal data, including, for example, higher standards for obtaining consent from individuals to process their personal data, more robust disclosures to individuals, a strong individual rights regime, shortened timelines for data breach notifications and restrictions on the transfer of personal data outside of the European Economic Area. Following its departure from the European Union, the United Kingdom has adopted a separate regime based on the GDPR ("UK GDPR") that imposes similarly onerous requirements. Companies that violate the EU or UK regime can face regulatory investigations, private litigation, prohibitions on data processing, and fines of up to the greater of 4% of their worldwide annual revenue or 20 million Euros (for the EU) or £17.5 million (for the U.K.). Other EU and UK data protection laws and evolving regulatory guidance restrict the ability of companies to market electronically, including through the use of cookies and similar technologies, and companies are increasingly subject to strict enforcement action including fines for noncompliance. Certain data privacy legislation restricts the cross-border transfer of personal data and some countries introduced data localization into their laws. Specifically, the GDPR, the UK GDPR and other European and UK data protection laws generally prohibit the transfer of personal data from Europe, including the European Economic Area, United Kingdom and Switzerland, to third countries, unless the transfer is to a country deemed to provide adequate protection or the parties to the transfer have implemented specific safeguards to protect the transferred personal data. European case law and guidance have imposed additional onerous requirements in relation to data transfers, and we expect the existing legal complexity and uncertainty regarding international personal data transfers to continue in Europe and globally. If we do not implement the relevant transfer mechanism to transfer personal data, we may violate or infringe data privacy legislation requirements, and we may be exposed to regulatory proceedings or litigation and increased exposure to fines, penalties, or commercial liabilities, as well as reputational damages. Further, many federal, state, and foreign government bodies and agencies have introduced, and are currently considering, additional laws and regulations, including related to the development and integration of artificial intelligence ("AI"), machine learning, and additional emerging data technologies while mitigating or controlling for bias and discrimination in the context of AI and machine learning. For example, in the United States, an executive order was issued in October 2023 on the Safe, Secure and Trustworthy Development and Use of AI, emphasizing the need for transparency, accountability and fairness in the development and use of AI. The order seeks to balance innovation with addressing risks associated with AI by providing eight guiding principles and priorities, such as ensuring that consumers are protected from fraud, discrimination and privacy risks related to AI. Legislation has also been promulgated on the state level. For example, the California Privacy Protection Agency is currently in the process of finalizing regulations under the CCPA regarding the use of automated decision making. In addition, in Europe the European Commission proposed a regulation seeking to establish a comprehensive, risk-based governance framework for AI in the EU market, the EU AI Act, which was politically agreed to in December 2023. It is intended to apply to companies that develop, use and/or provide AI in the EU and includes requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security and accuracy and introduces significant fines for noncompliance. There are also specific rules on the use of automated decision making under the GDPR that provide the data subject the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Additionally, the existence of automated decision making must be disclosed to the data subject with a meaningful explanation of the logic used in such decision making in certain circumstances and safeguards must be implemented to safeguard individual rights, including the right to obtain human intervention and to contest any decision. If passed, we will likely incur additional expenses and costs associated with complying with such laws, as well as face heightened potential liability if we are unable to comply with these laws. While we minimize any physical bias in our product's identification of threats because the product's AI does not process or analyze an individual's physical characteristics, we may not be able to identify such issues in advance, or if identified, we may not be able to identify mechanisms for effectively mitigating such issues. We strive to comply with all applicable laws, policies, legal obligations, and industry codes of conduct relating to privacy and data protection to the extent possible. Because the interpretation and application of privacy and data protection laws are still uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another or with our existing practices or the features of our products and may conflict with other rules or regulations, making enforcement, and thus compliance requirements, ambiguous, uncertain, and potentially inconsistent. Any significant change to applicable laws, regulations or industry practices, or how each is interpreted, regarding the use or disclosure of personal information, or regarding the manner in which the express or implied consent of customers for the use and disclosure of personal information is obtained, could require us to modify our products and features, possibly in a material manner and subject to increased compliance costs, which may limit our ability to develop new products and features that make use of the personal information that our customers voluntarily share. Any failure or perceived failure by us to comply with our privacy policies, privacy-related obligations to customers or other third parties, or our privacy-related legal obligations, or any compromise of security that results in the unauthorized access to or unintended release of personally identifiable information or other customer data, may result in governmental enforcement actions, litigation, or public statements against us by consumer advocacy groups or others. Any of these events could cause us to incur significant costs in investigating and defending such claims and, if found liable, pay significant damages. Further, these proceedings and any subsequent adverse outcomes may cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. We may also be subject to claims of liability or responsibility for the actions of third parties with whom we interact or upon whom it relies in relation to various products, including but not limited to vendors and business partners. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our products, which could have an adverse effect on our business. Any inability to adequately address privacy and/or data concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations, and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business. The costs of compliance with, and other burdens imposed by, the laws, rules, regulations, and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our software. Even the perception of privacy or discrimination concerns, whether or not valid, may harm our reputation, inhibit adoption of our products by current and future customers, or adversely impact our ability to attract and retain workforce talent. Our failure to comply with applicable laws and regulations, or to protect such data, could result in enforcement action against us, including fines, imprisonment of company officials and public censure, claims for damages by customers and other affected individuals, damage to our reputation and loss of goodwill (both in relation to existing customers and prospective customers), any of which could have a material adverse effect on our operations, financial performance and business. We may also have costs associated with engaging with stakeholders, including investors, insurance providers, and other capital providers, on such issues. The marketing and sale of our products are also subject to extensive regulation by various federal agencies, including the FTC, as well as various other federal, state, provincial, local, and international regulatory authorities in the countries in which our products are distributed or sold and industry codes of conduct. From time to time, we receive government regulatory inquiries and requests for information and our approach is to be cooperative and educate them about our company and products. For example, the FTC has requested information about certain aspects of our marketing practices. We are complying with the FTC's requests and have been cooperating with them to answer their questions and educate them about our mission. In February 2024, we received a subpoena from the SEC, Division of Enforcement, requesting that we produce certain documents and information. The Company is cooperating with the FTC and SEC with respect to the investigations. We can offer no assurances as to the outcome of these investigations or their potential effect, if any, on us or our results of operations. Any inability to adequately address the FTC's or SEC's concerns or comply with applicable laws, regulations, and policies, could result in litigation, enforcement actions or significant penalties or claims, which could, in turn, divert financial and management resources, damage our reputation, inhibit sales, and otherwise adversely affect our business. Any resolution or litigation with the FTC, SEC or other parties could ultimately result in monetary and/or injunctive relief that may impose costs on us and/or require us to make changes to our business practices and marketing activities and could adversely impact our customer relationships. In addition to the possibility of fines, injunctive relief, lawsuits and other claims, as a result of any pending or any future regulatory enforcement proceedings or inquiries we could be required to fundamentally change our business practices. Responding to these or other investigations alone can be costly and time-consuming. Any of these events could materially adversely affect our operating results and financial condition. See also Note 14 (Commitments and Contingencies) to our condensed consolidated financial statements for the six months ended June 30, 2024 for additional information.