JFrog (FROG) Risk Analysis

We make a limited-functionality version of JFrog Artifactory that only supports Java-based packages, and also lacks other features required for organization-wide adoption by DevOps teams, available under an open source license, the Affero General Public License version 3.0 ("AGPL"). The AGPL grants licensees broad freedom to view, use, copy, modify, and redistribute the source code of this limited version of JFrog Artifactory. Anyone can download a free copy of this limited version of JFrog Artifactory from the Internet, and we neither know who all of our AGPL licensees are, nor have visibility into how JFrog Artifactory is being used by licensees, so our ability to detect violations of the open source license is extremely limited. The AGPL has a "copyleft" requirement that further distribution of AGPL-licensed software and modifications or adaptations to that software be made available pursuant to the AGPL as well. This leads some commercial enterprises to consider AGPL-licensed software to be unsuitable for commercial use. However, the AGPL would not prevent a commercial licensee from taking this open source version of JFrog Artifactory under AGPL and using it for internal purposes for free. AGPL also would not prevent a commercial licensee from taking this open source version of JFrog Artifactory under AGPL and using it to compete in our markets by providing it for free. This competition can develop without the degree of overhead and lead time required by traditional proprietary software companies, due to the permissions allowed under AGPL. It is also possible for competitors to develop their own software based on our open source version of JFrog Artifactory. Although this software would also need to be made available for free under the AGPL, it could reduce the demand for our products and put pricing pressure on our subscriptions. We cannot guarantee that we will be able to compete successfully against current and future competitors, some of which may have greater resources than we have, or that competitive pressure or the availability of new open source software will not result in price reductions, reduced operating margins, and loss of market share, any one of which could harm our business, financial condition, results of operations, and cash flows.

Although our products do not involve the processing of large amounts of personal data or personal information, our platform and products support customers' software, which may involve the processing of large amounts of personal data, personal information, and information that is confidential or otherwise sensitive or proprietary. Data security incidents affecting widely trusted data security architecture (such as historical incidents affecting SolarWinds Orion, the incident involving Accellion FTA, the incident affecting Microsoft Exchange, the incident affecting Kaseya VSA, the incident involving Log4j, and the software update incident involving CrowdStrike – none of which have directly affected us) may increase customer expectations regarding the security, testing, and compliance documentation of our platform and products for secure software development operations, management, automation, and releases. In addition, these or other incidents may trigger new laws and regulations that increase our compliance burdens, add reporting obligations, or otherwise increase costs for oversight and monitoring of our platform, products, and supply chain. We do collect and store certain sensitive and proprietary information, and to a lesser degree, personal data and personal information, in the operation of our business. This information includes trade secrets, intellectual property, employee data, and other confidential data. We have taken measures to protect our own sensitive and proprietary information, personal data, and personal information, as well as such information that we otherwise obtain, including from our customers. We also engage vendors and service providers to store and otherwise process some of our and our customers' data, including sensitive and proprietary information, personal data, and personal information. Our vendors and service providers have been and, in the future may be, the targets of cyberattacks, malicious software, supply chain attacks, phishing schemes, fraud, and other risks to the confidentiality, security, and integrity of their systems and the data they process for us. Our ability to monitor our vendors and service providers' data security is limited, and, in any event, third parties may be able to circumvent those security measures, resulting in the unauthorized or unlawful access to, misuse, disclosure, loss, acquisition, corruption, unavailability, alteration, modification, or destruction of our and our customers' data, including sensitive and proprietary information, personal data, and personal information. Security breaches and other security incidents that affect us may result from employee or contractor error or negligence or those of vendors, service providers, and strategic partners on which we rely. These attacks may come from individual hackers, criminal groups, and state-sponsored organizations. There have been and may continue to be significant supply chain attacks, and we cannot guarantee that our or our vendors or service providers' systems and networks have not been breached or that they do not contain exploitable vulnerabilities, defects, or bugs that could result in a breach of or disruption to our systems and networks or the systems and networks of third parties that support us and our services. In addition, our customers and users may also disclose or leak their passwords, API keys, or secrets that could lead to unauthorized access to their accounts and data, including information about their software, source code, and security environment, stored within our products. As we continue to expand the products that we can offer our customers, including through the acquisition of complementary businesses, such as our acquisition of Vdoo in 2021 and our acquisition of Qwak in July 2024, and through internal development, such as developing new security services, our products will likely have access to more sensitive and personal information of our customers, which could result in greater adverse effects from security breaches and other security incidents. Also, our expansion into new services and products could subject us to additional regulations. In addition, we are subject to other laws and regulations that obligate us to employ reasonable security measures. From time to time, we do identify product vulnerabilities, including through our bug bounty program. Certain vulnerabilities under certain circumstances could be exploited if our customers do not patch vulnerable versions of the product. In the future, we also may experience security breaches, including breaches resulting from a cybersecurity attack, phishing attack, or other means, including unauthorized access, unauthorized usage, malware, or similar breaches or disruptions. We incur significant costs in an effort to detect and prevent security breaches and other security-related incidents, including those to secure our product development, test, evaluation, and deployment activities, and we expect our costs will increase as we make improvements to our systems and processes to prevent future breaches and incidents. Despite our efforts, our systems and those of our vendors, service providers, and strategic partners also are potentially vulnerable to computer malware, malicious access or delivery of ransomware or other malicious software to our customers, AI risks, viruses, computer hacking, fraudulent use, social engineering attacks, phishing attacks, ransomware attacks, credential stuffing attacks, denial-of-service attacks, unauthorized access, exploitation of bugs, defects, and vulnerabilities, breakdowns, damage, interruptions, system malfunctions, power outages, terrorism, acts of vandalism, failures, security breaches and incidents, inadvertent or intentional actions by our employees, contractors, consultants, partners, and/or other third parties, and other real or perceived cyberattacks. Our risks of cyberattacks and other sources of security breaches and incidents, and those faced by our vendors, service providers, and strategic partners, may be heightened in connection with the war between Israel, Hamas and Hezbollah, the war between Israel and Iran, the regional conflict in the Middle East, the war between Russia and Ukraine, and other associated geopolitical tensions and regional instability. Any of these incidents or any compromise of our security or any unauthorized access to or breaches of the security of our or our service providers' systems or data processing tools or processes, or of our platform and product offerings, as a result of third-party action, employee error, vulnerabilities, defects or bugs, malfeasance, or otherwise, could result in unauthorized or unlawful access to, misuse, disclosure, loss, acquisition, corruption, unavailability, alteration, modification, or destruction of our and our customers' data, including sensitive and proprietary information, personal data and personal information, or a risk to the security of our or our customers' systems. We, our vendors, service providers, and strategic partners may be unable to anticipate these techniques and vulnerabilities, react, remediate, or otherwise address any security breach or other security incident in a timely manner, or implement adequate preventative measures. We may be more susceptible to security breaches and other security incidents in view of many of our employees and employees of our service providers working remotely, because we and our service providers have less capability to implement, monitor, and enforce our information security and data protection policies for those employees. Based on the examples set in other recent incidents, the more widespread our platform and products become, the more they may be viewed by malicious cyber threat actors as an attractive target for such an attack. We and our service providers may be unable to anticipate these techniques, react, remediate, or otherwise address any security breach or other security incident in a timely manner, or implement adequate preventative measures. In the past, we have experienced vulnerabilities, none of which led to account takeover and all such known vulnerabilities have been remedied. A security breach or other incident could result in reputational damage, litigation, regulatory investigations and orders, loss of business, indemnity obligations, damages for contract breach, penalties for violation of applicable laws, regulations, or contractual obligations, and significant costs, fees, and other monetary payments for remediation, including in connection with forensic examinations and costly and burdensome breach notification requirements. Any belief by customers or others that a security breach or other incident has affected us or any of our vendors or service providers, even if a security breach or other incident has not affected us or any of our vendors or service providers or has not actually occurred, could have any or all of the foregoing impacts on us, including damage to our reputation. Even the perception of inadequate security may damage our reputation and negatively impact our ability to gain new customers and retain existing customers. In the event of any such breach or incident, we could be required to expend significant capital and other resources to address our or our vendor or service provider's incident. Considering the SolarWinds Orion incident and the Kaseya VSA incident, if our products were compromised in a way that offered a means of malicious access or delivery of ransomware or other malicious software to our customers, the impact of such an incident would likely be significant. Techniques used to sabotage or obtain unauthorized access to systems or networks are constantly evolving and, in some instances, are not identified until launched against a target. For example, AI technologies may be used in connection with certain cybersecurity attacks, resulting in heightened risks of security breaches and incidents. We and our vendors and service providers may be unable to anticipate these techniques, react, remediate, or otherwise address any security breach or other security incident in a timely manner, or implement adequate preventative measures. In addition, laws, regulations, government guidance, and industry standards and practices in the U.S. and elsewhere are rapidly evolving to combat these threats. We may face increased compliance burdens regarding such requirements with regulators and customers regarding our products and services and also incur additional costs for oversight and monitoring of our own supply chain. Further, any provisions in our customer and user agreements, contracts with our vendors and service providers, or other contracts relating to limitations of liability, may not be enforceable or adequate or otherwise protect us from any liabilities or damages with respect to any particular claim relating to a security breach or other security-related matter. While our insurance policies include liability coverage for certain of these matters, subject to applicable deductibles, if we experienced a widespread security breach or other incident that impacted a significant number of our customers, we could be subject to indemnity claims or other damages that exceed our insurance coverage. If such a breach or incident occurred, our insurance coverage might not be adequate for data handling or data security liabilities actually incurred, such insurance may not continue to be available to us in the future on economically reasonable terms, or at all, and insurers may deny us coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.

We outsource substantially all of the infrastructure relating to our cloud products to public cloud providers chosen by our customers. Customers of our SaaS offerings need to be able to access our platform at any time, without interruption or degradation of performance, and we provide them with service-level commitments with respect to uptime. Public cloud providers maintain control over their platforms that we access and on which we build our product offerings. Therefore, we are vulnerable to their service interruptions and any changes in their product offerings. Any limitation on the capacity of our public cloud providers could impede our ability to onboard new customers or expand the usage of our existing customers, which could adversely affect our business, financial condition, and results of operations. In addition, any incident affecting our public cloud providers' infrastructure that may be caused by their operational failures, or by cyber-attacks, natural disasters, fire, flood, severe storm, earthquake, power loss, telecommunications failures, terrorist or other attacks, protests or riots, and other similar events beyond our control could negatively affect our SaaS platform and hybrid products. It is also possible that our customers and regulators could seek to hold us accountable for any breach of security affecting a public cloud provider's infrastructure and we may incur significant liability in investigating such an incident and responding to any claims, investigations, or proceedings made or initiated by those customers, regulators, and other third parties. We may not be able to recover a material portion of such liabilities from any of our public cloud providers. Moreover, our insurance may not be adequate to cover such liability and may be subject to exclusions. Any of the above circumstances or events may harm our business, results of operations, and financial condition. In addition, our website and internal technology infrastructure may experience performance issues due to a variety of factors, including infrastructure changes, human or software errors, website or third-party hosting disruptions, capacity constraints, technical failures, natural disasters, or fraud or security attacks. If our website is unavailable, our business could be harmed. We expect to continue to make significant investments to maintain and improve website performance and to enable rapid releases of new features and applications for our products. To the extent that we do not effectively upgrade our systems as needed and continually develop our technology to accommodate actual and anticipated changes in technology, our business and results of operations may be harmed. In the event that our agreements with our public cloud providers are terminated, or there is a lapse of service, elimination of services or features that we utilize, interruption of internet service provider connectivity, or damage to such facilities, we could experience interruptions in access to our platform as well as significant delays and additional expense in arranging or creating new facilities and services and/or re-architecting our cloud solution for deployment on a different cloud infrastructure service provider, which could adversely affect our business, financial condition, and results of operations. We also rely on cloud services from public cloud providers in order to operate critical functions of our business, including financial management services, relationship management services, and lead generation management services. If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted, our processes for managing sales of our products and supporting our customers could be impaired, and our ability to generate and manage sales leads could be weakened until equivalent services, if available, are identified, obtained, and implemented, any of which could harm our business and results of operations.

We expect to derive a significant portion of our revenue from renewals of existing subscriptions. Our customers have no contractual obligation to renew their subscriptions after the completion of their subscription term. Our self-managed subscriptions are offered on an annual and multi-year basis, while our SaaS subscriptions are offered on a monthly, annual, and multi-year basis and can consist of fixed and usage-based fees. Our customers' renewals may decline or fluctuate as a result of a number of factors, including their satisfaction with our products and our customer support, the frequency and severity of product outages, our product uptime or latency, the pricing of our, or competing, products, additional new features and capabilities that we offer,new integrations, and updates to our products as a result of updates by technology partners. If our customers renew their subscriptions, they may renew for shorter subscription terms or on other terms that are less economically beneficial to us. We may not accurately predict future renewal trends. If our customers do not renew their subscriptions, or renew on less favorable terms, our revenue may grow more slowly than expected or decline.

Our customers depend on our customer support services to resolve issues and realize the full benefits relating to our products. If we do not succeed in helping our customers quickly resolve post-deployment issues or provide effective ongoing support and education on our products, our ability to sell additional subscriptions to, or renew subscriptions with, existing customers or expand the value of existing customers' subscriptions would be adversely affected and our reputation with potential customers could be damaged. Many larger enterprise customers have more complex IT environments and require higher levels of support than smaller customers. If we fail to meet the requirements of these enterprise customers, it may be more difficult to grow sales with them. Additionally, it can take several months to recruit, hire, and train qualified engineering-level customer support employees. We may not be able to hire such resources fast enough to keep up with demand, particularly if the sales of our products exceed our internal forecasts. To the extent that we are unsuccessful in hiring, training, and retaining adequate support resources, our ability to provide adequate and timely support to our customers, and our customers' satisfaction with our products, will be adversely affected. Our failure to provide and maintain high-quality support services would have an adverse effect on our business, reputation, and results of operations.

We receive, collect, store, process, transfer, retain, use, and otherwise process personal information and other data relating to users of our products, our employees and contractors, and other persons. We have legal and contractual obligations regarding the protection of confidentiality and appropriate use of certain data, including personal data and personal information. We are subject to numerous federal, state, local, and international laws, directives, and regulations regarding privacy, data protection, e-marketing, cybersecurity, AI, and data security and the collection, storing, sharing, use, processing, transfer, retention, security, disclosure, and protection of personal information and other data, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions or conflict with other legal and regulatory requirements. We are also subject to certain contractual obligations to third parties related to privacy, data protection, cybersecurity, AI, and data security. We strive to comply with our applicable policies and applicable laws, regulations, contractual obligations, and other legal obligations relating to privacy, data protection, cybersecurity, and data security to the extent possible. However, the regulatory framework for privacy, data protection, cybersecurity, e-marketing, AI, and data security worldwide is, and is likely to remain for the foreseeable future, uncertain and complex, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that we do not anticipate or that is inconsistent from one jurisdiction to another and may conflict with other legal obligations or our practices. Any perception of privacy, data security, cybersecurity, or data protection concerns or an inability to comply with applicable laws, regulations, policies, industry standards, contractual obligations, or other legal obligations, even if unfounded, may result in additional cost and liability to us, harm our reputation and inhibit adoption of our products by current and future customers, and adversely affect our business, financial condition, and results of operations. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, storing, sharing, use, retention, security, protection, disclosure, other processing of data, or their interpretation, or any changes regarding the manner in which the consent of users or other data subjects for the collection, use, retention, disclosure, or other processing of such data must be obtained, could increase our costs and require us to modify our services and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and process user data or develop new services and features. If we were found in violation of any applicable laws or regulations relating to privacy, data protection, cybersecurity, AI, or data security, in addition to any regulatory fines, penalties, contract breach, costs for remediation, or litigation costs, our business may be materially and adversely affected and we would likely have to change our business practices and potentially the services and features available through our platform. In addition, these laws and regulations could constrain our ability to use and process data in manners that may be commercially desirable. In addition, if a breach of data security were to occur or to be alleged to have occurred, if any violation of laws and regulations relating to privacy, data protection, or data security were to be alleged, or if we had any actual or alleged defect in our safeguards or practices relating to privacy, data protection, or data security, our solutions may be perceived as less desirable and our business, prospects, financial condition, and results of operations could be materially and adversely affected. Our insurance covering certain security and privacy damages and claim expenses may not be sufficient to compensate for all liabilities we may incur. The regulatory environment applicable to the handling of EEA residents' personal data, and our actions taken in response, may cause us to assume additional liabilities or incur additional costs and could result in our business, operating results, and financial condition being harmed. We and our customers may face a risk of enforcement actions by data protection authorities in the EEA relating to personal data transfers to us and by us from the EEA. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel, and negatively affect our business, operating results and financial condition. While the EU and U.S. governments have adopted the EU-U.S. Data Privacy Framework ("DPF") to foster EU-U.S. data transfers, the CJEU upheld the Standard Contractual Clauses ("SCCs"), and addressed the concerns of the CJEU's "Schrems II" decision, it is uncertain whether the DPF and the SCCs will eventually be overturned or invalidated, as the predecessors to the DPF were. Additionally, certain countries have considered passing laws requiring varying degrees of local data residency. Any actual or perceived failure to comply with these laws could result in a costly investigation or litigation resulting in potentially significant liability, loss of trust by our users, and a material and adverse impact on our reputation and business. The Israeli Privacy Protection Law, 1981 (PPL), and its regulations, including but not limited to the Israeli Privacy Protection Regulations (Data Security) 2017 (Security Regulations) impose obligations regarding processing, transferring and securing of personal data. In addition, in 2023, the Privacy Protection Regulations (Provisions Regarding Information Transferred to Israel from the European Economic Area), 2023 (EU Regulations) were enacted and consequently provide, in certain cases, additional rights to data subjects from the EEA and Israel. Therefore, significant changes to the PPL and its regulations may necessitate adjustments to our data protection and security practices. Lack of compliance with the PPL and its regulations could result in enforcement actions, litigation (including class actions), fines and penalties. A material amendment to the PPL was approved by the Israeli Parliament in August 2024 and will take effect on August 14, 2025 (Amendment 13). Among other things, Amendment 13 expands the Privacy Protection Authority's investigative authority and the monetary sanctions that can be imposed for breach of the PPL and its regulations, to substantial amounts that, in certain cases, may reach millions of NIS. There are increasing restrictions in the United States on certain personal sensitive data transfers involving foreign countries. Executive Order 14117, effective April 8, 2025, prohibits data transfer of personal identifiers, precise geolocation data, biometric identifiers, health data, and financial data over a certain bulk threshold to identified countries of concern (i.e., China, Hong Kong, Macau, Cuba, Iran, North Korea, Russia, and Venezuela). The regulations also restrict data brokerage agreements, investment agreements, employment agreements, and vendor agreements involving such data and countries of concern. Violations of these regulations may be punishable by criminal and/or civil sanctions, and may result in exclusion from participation in federal and state programs. These data transfer restrictions may create operational challenges and legal risks for our business, particularly with regard to China, where we continue to have limited operations. We also expect that there will continue to be changes in interpretations of existing laws and regulations, or new proposed laws and regulations concerning privacy, data security, cybersecurity, data sovereignty, e-marketing, AI, and data protection. We cannot yet determine the impact these laws and regulations or changed interpretations may have on our business, but we anticipate that they could impair our or our customers' ability to collect, use, or disclose information relating to individuals, which could decrease demand for our platform, increase our costs, and impair our ability to maintain and grow our customer base and increase our revenue. Moreover, because the interpretation and application of many laws and regulations relating to privacy, security, cybersecurity, e-marketing, AI, and data protection, along with mandatory industry standards, are uncertain, it is possible that these laws, regulations and standards, or contractual obligations to which we are or may become subject, may be interpreted and applied in a manner that is inconsistent with our existing or future data management practices or features of our platform and products. Any failure or perceived failure by us to comply with our posted privacy notices, our privacy-related obligations to users or other third parties, or any other actual or asserted legal obligations or regulatory requirements relating to privacy, data protection, cybersecurity, e-marketing, AI, or data security, may result in governmental investigations or enforcement actions, litigation, claims, or public statements against us by privacy advocacy groups or others and could result in significant liability, cause our customers to lose trust in us, and otherwise materially and adversely affect our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, other obligations, and policies that are applicable to the businesses of our users may limit the adoption and use of, and reduce the overall demand for, our platform. Additionally, if third parties we work with violate applicable laws, regulations, or contractual obligations, such violations may put our users' data at risk, could result in governmental investigations or enforcement actions, fines, litigation, claims, or public statements against us by privacy advocacy groups or others, and could result in significant liability, cause our customers to lose trust in us, and otherwise materially and adversely affect our reputation and business. Further, public scrutiny of, or complaints about, technology companies or their data handling or data protection practices, even if unrelated to our business, industry, or operations, may lead to increased scrutiny of technology companies, including us, and may cause government agencies to enact additional regulatory requirements, or to modify their enforcement or investigation activities, which may increase our costs and risks.

Our research and development efforts were financed, in part, through grants from the IIA. From our inception through 2015, we conducted projects with the IIA's support and received grants totaling $1.2 million from the IIA and repaid to the IIA $1.3 million (the entire amount of the grants and accrued interest). The Innovation Law requires, inter alia, that the products developed as part of the programs under which the grants were given be manufactured in Israel and restricts the ability to transfer know-how funded by IIA outside of Israel. Transfer of IIA-funded know-how outside of Israel requires prior approval and is subject to payment of a redemption fee to the IIA calculated according to a formula provided under the Innovation Law. A transfer for the purpose of the Innovation Law is generally interpreted very broadly and includes, inter alia, any actual sale of the IIA-funded know-how, any license to develop the IIA-funded know-how or the products resulting from such IIA-funded know-how, or any other transaction, which, in essence, constitutes a transfer of IIA-funded know-how. We cannot be certain that any approval of the IIA will be obtained on terms that are acceptable to us, or at all. We may not receive the required approvals should we wish to transfer IIA-funded know-how and/or development outside of Israel in the future. Transfer of IIA know-how created, in whole or in part, in connection with an IIA-funded project, to a third party outside Israel requires prior approval and is subject to payment to the IIA of a redemption fee calculated according to a formula provided under the Innovation Law. Subject to prior approval of the IIA, we may transfer the IIA-funded know-how to another Israeli company. If the IIA-funded know-how is transferred to another Israeli entity, the transfer would still require IIA approval but will not be subject to the payment of the redemption fee. In such case, the acquiring company would have to assume all of the applicable restrictions and obligations towards the IIA (including the restrictions on the transfer of know-how and manufacturing capacity, to the extent applicable, outside of Israel) as a condition to IIA approval. General Risk Factors

The war between Israel, Hamas and Hezbollah, the war between Israel and Iran, and regional conflict in the Middle East, the war between Russia and Ukraine, and other areas of geopolitical tension around the world continue to impact worldwide economic activity and financial markets. As a result, we could experience disruptions in our business or the business of our partners, customers, or the economy as a whole, any of which could adversely affect and could materially adversely impact our business, results of operations, and overall financial condition in future periods. The extent and continued impact of the war between Israel, Hamas and Hezbollah, the war between Israel and Iran, the regional conflict in the Middle East, the Russia-Ukraine war, and related global economic disruptions on our operational and financial condition will depend on certain developments, including: government responses to the wars; the impact of the wars on our customers and our sales cycles; their impacts on customer, industry, or technology-based community events; and their effect on our partners, some of which are uncertain, difficult to predict, and not within our control. General economic conditions and disruptions in global markets due to the war between Israel, Hamas and Hezbollah, the war between Israel and Iran, the regional conflict in the Middle East, the Russia-Ukraine war, and other areas of geopolitical tension around the world, and any actions taken by governmental authorities and other third parties in response may also affect our future performance. As of the date of this Quarterly Report on Form 10-Q, the full impact of the war between Israel, Hamas and Hezbollah, the war between Israel and Iran, the regional conflict in the Middle East, the war between Russia and Ukraine, and related global economic disruptions on our financial condition and results of operations remains uncertain. Furthermore, because of our subscription-based business model, the impact of these factors may not be fully reflected in our results of operations and overall financial condition until future periods, if at all.

Our future results depend, in part, on our ability to sustain and expand our penetration of the international markets in which we currently operate and to expand into additional international markets. Our ability to expand internationally will depend upon our ability to deliver functionality and foreign language translations that reflect the needs of the international clients that we target. Our ability to expand internationally involves various risks, including the need to invest significant resources in such expansion, and the possibility that returns on such investments will not be achieved in the near future or at all in these less familiar competitive environments. We may also choose to conduct our international business through strategic partnerships or other collaboration arrangements. If we are unable to identify partners or negotiate favorable terms, our international growth may be limited. In addition, we have incurred and may continue to incur significant expenses in advance of generating material revenue as we attempt to establish our presence in certain international markets.

Given the global nature of our business, we have diversified U.S. and non-U.S. investments. Credit ratings and pricing of our investments can be negatively affected by liquidity, credit deterioration, financial results, economic risk, political risk, sovereign risk, or other factors. As a result, the value and liquidity of our investments may fluctuate substantially. Therefore, although we have not realized any significant losses on our investments, future fluctuations in their value could result in a significant realized loss.