Instructure Holdings (INST) Risk Analysis

Our applications, in particular a substantial portion of Canvas, use "open source" software that we, in some cases, have obtained from third parties. Open source software is generally freely accessible, usable and modifiable, and is made available to the general public on an "as-is" basis under the terms of a non-negotiable license. Use and distribution of open source software may entail greater risks than use of third-party commercial software. Open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses, like the GNU Affero General Public License, or AGPL, may require us to offer for no cost the components of our software that incorporate the open source software, to make available source code for modifications or derivative works we create based upon incorporating or using the open source software, or to license our modifications or derivative works under the terms of the particular open source license. If we are required, under the terms of an open source license, to release the source code of our proprietary software to the public, our competitors could create similar applications with lower development effort and time, which ultimately could result in a loss of sales for us. We may also face claims alleging noncompliance with open source license terms or infringement or misappropriation of proprietary software. These claims could result in litigation, require us to purchase a costly license or require us to devote additional research and development resources to change our software, any of which would have a negative effect on our business and operating results, including being enjoined from the offering of the components of our software that contained the open source software. In addition, if the license terms for open source software that we use change, and we cannot continue to use the version of such software that we had been using, we may be forced to re-engineer our applications, incur additional costs, or discontinue the sale of applications or services if re-engineering could not be accomplished on a timely basis. We could also be subject to suits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our operating results and financial condition and require us to devote additional research and development resources to change our applications. Although we monitor our use of open source software to avoid subjecting our applications to unintended conditions, few courts have interpreted open source licenses, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our applications. We cannot guarantee that we have incorporated open source software in our software in a manner that will not subject us to liability, or in a manner that is consistent with our current policies and procedures.

Amazon Web Services, or AWS, provides a distributed computing infrastructure platform for business operations, or what is commonly referred to as a cloud computing service. We have designed our software and computer systems to use data processing, storage capabilities and other services provided by AWS. Currently, our cloud service infrastructure is run on AWS. Given this, we cannot easily switch our AWS operations to another cloud provider, so any disruption of or interference with our use of AWS would impact our operations and our business would be adversely impacted. AWS provides us with computing and storage capacity pursuant to an agreement that continues until terminated by either party. AWS may terminate the agreement without cause by providing 90 days' prior written notice, and may terminate the agreement with 30 days' prior written notice for cause, including any material default or breach of the agreement by us that we do not cure within the 30-day period. The agreement requires AWS to provide us their standard computing and storage capacity and related support in exchange for timely payment by us. If any of our arrangements with AWS is terminated, we could experience interruptions in our software as well as delays and additional expenses in arranging new facilities and services. We utilize third-party data center hosting facilities operated by AWS, located in various sites within the states of Virginia, Ohio and Oregon. For international customers, we utilize third-party data center hosting facilities operated by AWS located in Dublin, Ireland, Frankfurt, Germany, Sydney, Australia, Montreal, Canada and Singapore. Our operations depend, in part, on AWS's abilities to protect these facilities against damage or interruption from natural disasters, power or telecommunications failures, criminal acts and similar events. Despite precautions taken at our data centers, the occurrence of spikes in usage volume, a natural disaster, an act of terrorism, vandalism or sabotage, a decision to close a facility without adequate notice, or other unanticipated problems at a facility could result in lengthy interruptions in the availability of our platform. Even with current and planned disaster recovery arrangements, our business could be harmed. Also, in the event of damage or interruption, our insurance policies may not adequately compensate us for any losses that we may incur. These factors in turn could further reduce our revenue, subject us to liability and cause us to issue credits or cause customers to fail to renew their subscriptions, any of which could harm our business.

To increase the number of customers and increase the market share of our platform and applications, we will need to expand our sales and marketing operations, including our domestic and international sales force. We will continue to dedicate significant resources to sales and marketing programs. The effectiveness of our inbound sales and marketing has varied over time and, together with the effectiveness of any international resellers we may engage, may vary in the future. Our business will be harmed if our efforts do not generate a correspondingly significant increase in revenue. We may not achieve anticipated revenue growth from expanding our sales force if we are unable to hire, develop and retain talented sales personnel, if our new sales personnel are unable to achieve desired productivity levels in a reasonable period of time or if our sales and marketing programs are not effective.

Personal privacy and information security are significant issues in the U.S. and the other jurisdictions where we offer our applications. The legislative and regulatory framework for privacy and security issues worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. Our handling of data is subject to a variety of laws and regulations, including laws and regulations enforced by various government agencies, such as the Federal Trade Commission, or FTC, and various state, local and foreign agencies. We collect personally identifiable information, or PII, and other data from our employees, customers and users. We use this information to provide services to our customers and users and to operate, support, expand and improve our business. We may also share customers' or users' PII with third parties as allowed by applicable law and agreements, as authorized by the customer, or as described in our privacy policies. The U.S. federal and various state and foreign governments have adopted or proposed limitations on the collection, distribution, use and storage of PII. In the U.S., the FTC and many state attorneys general are applying federal and state consumer protection laws to impose standards on the online collection, use and dissemination of data. Furthermore, many states have enacted laws that apply directly to the operators of online services that are intended for K-12 school purposes or are proposing legislation to mandate privacy and data security obligations on the collection, use, and disclosure of PII generally. For example, the recently enacted California Consumer Privacy Act, or CCPA, which is scheduled to take effect on January 1, 2020, imposes a number of privacy and security obligations on companies who process PII of California residents. These laws may impose limits on the collection, distribution, use and storage of student PII. Many foreign countries and governmental bodies, including the European Union, or EU, Canada, Australia and other jurisdictions, have laws and regulations concerning the collection and use of PII obtained from their residents or by businesses operating within their jurisdiction. These laws and regulations often are more restrictive than those in the U.S. Laws and regulations in these jurisdictions may apply broadly to the collection, use, storage, disclosure and security of data that identifies or may be used to identify or locate an individual, such as names, email addresses and, in some jurisdictions, Internet Protocol, or IP, addresses and other online identifiers. We publicly post our privacy policies and practices concerning our processing, use and disclosure of PII. Our publication of our privacy policy and other statements we publish that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive or misrepresentative of our practices. In the EU, where companies must meet specified privacy and security standards, the General Data Protection Regulation, or GDPR, became enforceable on May 25, 2018.  The GDPR introduced new and enhanced data protection requirements throughout the EU and significant penalties of up to the greater of 4% of worldwide turnover and €20 million for violations of data protection rules. We are actively working to ensure ongoing compliance with the GDPR. We may find it necessary to establish systems to maintain EU-origin data in the European Economic Area, or EEA, or to amend agreements with our customers which may involve substantial expense and distraction from other aspects of our business. In addition, data protection authorities in each member state of the EU will still have the ability to interpret certain aspects of the GDPR, which has the potential to create inconsistencies on a country-by-country basis. Ongoing implementation of the GDPR could require us to change certain business practices and result in increased costs. Further, the EU's proposed ePrivacy Regulation is currently under discussion by EU member states to complement and bring electronic communications services in line with the GDPR and force a harmonized approach across EU member states. Although it remains under debate, drafts of the proposed ePrivacy Regulation would alter rules on third-party cookies, web beacons and similar technologies, and significantly increase penalties for non-compliance. We cannot yet determine the impact such future laws, regulations, and standards may have on our business. We rely on adherence to the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks, as agreed to and set forth by the U.S. Department of Commerce, and the European Union and Switzerland, which established a means for legitimizing the transfer of PII by U.S. companies doing business in the EU from the EEA to the U.S. In light of the continued uncertainty around cross-border data transfer, we have engaged in efforts to legitimize data transfers from the EEA through means other than the Privacy Shield Frameworks, such as through the use of so-called ‘model contract clauses' developed by the European Commission. We may experience hesitancy, reluctance, or refusal by European or multi-national customers to continue to use our services due to the potential risk exposure to such customers as a result of the uncertainty around the legality of cross-border data transfer methods on which we rely. Ongoing legal challenges to the Privacy Shield Framework and ‘model contract clauses' may render either or both methods invalid or could result in further limitations on the ability to transfer data across borders. Additionally, certain countries have passed or are considering passing laws requiring local data residency. Although we are working to comply with those federal, state, and foreign laws and regulations, industry standards, contractual obligations and other legal obligations that apply to us, those laws, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another, other requirements or legal obligations, our practices or the features of our applications or platform. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulations, industry standards, contractual obligations or other legal obligations, or any actual or suspected security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of PII or other data, may result in governmental enforcement actions and prosecutions, private litigation, fines and penalties or adverse publicity and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. Any inability to adequately address privacy and security concerns, even if unfounded, or comply with applicable laws, regulations, policies, industry standards, contractual obligations, or other legal obligations could result in additional cost and liability to us, damage our reputation, inhibit sales, and materially adversely affect our business. We also expect that there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection and information security in the U.S., the EU and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. Future laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations could impair our or our customers' ability to collect, use or disclose information relating to consumers, which could decrease demand for our applications, increase our costs and impair our ability to maintain and grow our customer base and increase our revenue. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual obligations and other obligations may require us to incur additional costs and restrict our business operations. Such laws and regulations may require companies to implement or update privacy and security policies, permit users to access, correct and delete personal information stored or maintained by such companies, inform individuals of security breaches that affect their personal information, and, in some cases, obtain individuals' consent to use PII for certain purposes. In addition, a foreign government could require that any PII collected in a country not be disseminated outside of that country, and we are not currently equipped to comply with such a requirement. Other proposed legislation could, if enacted, impose additional requirements and prohibit the use of certain technologies that track individuals' activities on web pages or that record when individuals click through to an internet address contained in an email message. Such laws and regulations could require us to change features of our software or restrict our customers' ability to collect and use email addresses, page viewing data and personal information, which may reduce demand for our software. If we fail to comply with federal, state and international data privacy laws and regulations our ability to successfully operate our business and pursue our business goals could be harmed. We also may find it necessary or desirable to join industry or other self-regulatory bodies or other privacy- or data protection-related organizations that require compliance with their rules pertaining to privacy and data protection. We also may be bound by additional, more stringent contractual obligations relating to our collection, use and disclosure of personal, financial and other data.

As a provider of cloud-based software, we may be subject to potential liability for the activities of our customers or users on or in connection with the data they store on our servers. Although our customer terms of use prohibit illegal use of our services by our customers and permit us to take down content or take other appropriate actions for illegal use, customers may nonetheless engage in prohibited activities or upload or store content with us in violation of applicable law or the customer's own policies, which could subject us to liability or harm our reputation. Various U.S. federal statutes may apply to us with respect to various customer activities. The Digital Millennium Copyright Act of 1998, or DMCA, provides recourse for owners of copyrighted material who believe that their rights under U.S. copyright law have been infringed on the internet. Under the DMCA, based on our current business activity as an internet service provider that does not own or control website content posted by our customers, we generally are not liable for infringing content posted by our customers or other third parties, provided that we follow the procedures for handling copyright infringement claims set forth in the DMCA. Generally, if we receive a proper notice from, or on behalf, of a copyright owner alleging infringement of copyrighted material located on websites we host, and we fail to expeditiously remove or disable access to the allegedly infringing material or otherwise fail to meet the requirements of the safe harbor provided by the DMCA, the copyright owner may seek to impose liability on us. Technical mistakes in complying with the detailed DMCA take-down procedures, or if we fail to otherwise comply with the other requirements of the safe harbor, could subject us to liability for copyright infringement. Although statutes and case law in the United States have generally shielded us from liability for customer activities to date, court rulings in pending or future litigation may narrow the scope of protection afforded us under these laws. In addition, laws governing these activities are unsettled in many international jurisdictions, or may prove difficult or impossible for us to comply with in some international jurisdictions. Also, notwithstanding the exculpatory language of these bodies of law, we may become involved in complaints and lawsuits which, even if ultimately resolved in our favor, add cost to our doing business and may divert management's time and attention. Finally, other existing bodies of law, including the criminal laws of various states, may be deemed to apply or new statutes or regulations may be adopted in the future, any of which could expose us to further liability and increase our costs of doing business. Additionally, our customers could use our platform or applications to store or process PII, including sensitive PII, without our knowledge of such storage or processing. In the event that our systems experience a data security incident, or an individual or entity accesses information without, or in excess of, proper authorization, we could be subject to data security incident notification laws, as described elsewhere, which may require prompt remediation and notification to individuals. If we are unaware of the data and information stored on our systems, we may be unable to appropriately comply with all legal obligations, and we may be exposed to governmental enforcement or prosecution actions, private litigation, fines and penalties or adverse publicity and these incidents could cause our customers to lose trust in us, which could harm our reputation and business.

State, local and foreign jurisdictions have differing rules and regulations governing sales, use, value added and other taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of such taxes to our learning management software in various jurisdictions is unclear. Further, these jurisdictions' rules regarding tax nexus are complex and vary significantly. As a result, we could face the possibility of tax assessments and audits, and our liability for these taxes and associated penalties could exceed our original estimates. A successful assertion that we should be collecting additional sales, use, value added or other taxes in those jurisdictions where we have not historically done so and do not accrue for such taxes could result in substantial tax liabilities and related penalties for past sales, discourage customers from purchasing our application or otherwise harm our business and operating results.

Our success and future growth depend upon the continued services of our management team, including the members of the Office of the Chief Executive Officer, which is comprised of Matthew Kaminer, Jeff Weber, Marta DeBellis, Frank Maylett, Melissa Loble, Mitch Benson, and John Knotwell, and other key employees in the areas of engineering, marketing, sales, services and general and administrative functions. From time to time, there may be changes in our management team resulting from the hiring or departure of executives. We also are dependent on the continued service of our existing software engineers and information technology personnel because of the complexity of our software, technologies and infrastructure. We may terminate any employee's employment at any time, with or without cause, and any employee may resign at any time, with or without cause. We do not maintain any "key man" insurance for any employee. The loss of one or more of our key employees could harm our business.