Ooma (OOMA) Risk Factors

The Company, its directors, and certain officers were named as defendants in a consolidated securities class action in connection with its initial public offering, and in October 2019, the Court dismissed the lawsuit with prejudice. In addition, in February 2021 the Company and Ooma Canada Inc. were named as defendants in a class action complaint in the Federal Court of Canada, alleging violations of Canada's Trademarks Act and Competition Act. In the future, especially following periods of volatility in the market price of our shares, additional purported class action or derivative complaints may be filed against us. The outcome of any pending and potential future litigation is difficult to predict and quantify and the defense of such claims or actions can be costly. In addition to diverting financial and management resources and general business disruption, we may suffer from adverse publicity that could harm our brand or reputation, regardless of whether the allegations are valid or whether we are ultimately held liable. A judgment or settlement that is not covered by or is significantly in excess of our insurance coverage for any claims, or our obligations to indemnify the underwriters and the individual defendants, could materially and adversely affect our financial condition, results of operations and cash flows.

There are numerous U.S. federal, state and local, and foreign laws and regulations, as well as contractual obligations and industry standards, that provide for certain obligations and restrictions with respect to data privacy and security, and the collection, storage, retention, protection, use, processing, transmission, sharing, disclosure, and protection ("Processing") of personal information and other customer data. The scope of these obligations and restrictions is changing, subject to differing interpretations, and may be inconsistent among jurisdictions or conflict with other rules, and their status remains uncertain. In the United States and in other jurisdictions, a variety of regulations are currently being proposed that would increase restrictions on online service providers in the field of data privacy and security, and we believe that the adoption of such increasingly restrictive regulation is likely. For example, the California Consumer Privacy Act (the "CCPA") regulates the processing of personal data, which could result in civil penalties for violations. In addition, the California Privacy Rights Act ("CPRA") took effect on January 1, 2023 and an increasing number of states are adopting similar privacy laws. We will continue to monitor developments related to new privacy laws like the CPRA which will require us to incur additional costs and expenses in an effort to monitor and comply with such laws. In Canada, penalties for non-compliance with certain Canadian anti-spam legislation are considerable, including administrative monetary penalties of up to $10 million and a private right of action. The EU has implemented strict laws that apply in connection with the Processing of personal information, and other customer data. Data protection regulators within the EU and other jurisdictions have the power to fine non-compliant organizations significant amounts and seek injunctive relief, including the cessation of certain data processing activities. For example, the EU's General Data Protection Regulation, or GDPR, provides for significant penalties for violations, including fines of up to 4% of the violating company's worldwide revenue. While the United Kingdom's Data Protection Act substantially implements the GDPR, the United Kingdom's exit from the European Union has created regulatory uncertainty, including the cross-border transfer of data. Such uncertainty may adversely impact the operations of our U.K. subsidiary by adding operational complexities and expenses. In addition, there is uncertainty about data transfer to the United States. For example, although the new U.S. Data Privacy Framework was formally approved by the European Commission in July 2023, the framework may still be invalidated by the Court of Justice of the European Union, which invalidated the framework's predecessor, the Privacy Shield Program, in 2020. We have taken administrative, contractual and other measures designed to achieve compliance with applicable privacy laws and standards, but we cannot guarantee these measures are sufficient. Obligations and restrictions imposed by current and future applicable laws, regulations, contracts and industry standards, in particular as we continue to expand our international operations, may increase the cost of our operations, affect our ability to provide all the current features of our business, residential and mobile products and services and our customers' ability to use our products and services, and could require us to modify the features and functionality of our products and services. Such obligations and restrictions may limit our ability to Process data, and to allow our customers to Process data with others through our products and services. Failure to comply with such obligations could subject us to lawsuits, fines, criminal penalties, statutory damages, consent decrees, injunctions, adverse publicity and other losses that could harm our business. Our customers may use our services to transmit and store protected health information, or PHI, that is protected under HIPAA. Noncompliance with laws and regulations relating to privacy such as HIPAA may lead to significant fines, penalties or liabilities. Our actual compliance, our customers' perception of our compliance, costs of compliance with such regulations and customer concerns regarding their own compliance obligations (whether factual or in error) may limit the use and adoption of our service and reduce overall demand. Furthermore, privacy concerns, including the inability or impracticality of providing advance notice to customers of privacy issues related to the use of our services, may cause our customers' customers to resist providing the personal data necessary to allow our customers to use our services effectively. Even the perception of privacy concerns, whether or not valid, may inhibit market adoption of our service in certain industries. In addition to government activity, privacy advocacy groups and industry groups have adopted and are considering the adoption of various self-regulatory standards and codes of conduct that may place additional burdens on us and our customers, which may further reduce demand for our services and harm our business. Our employees and personnel may also use generative AI technologies to perform their work, and the disclosure and use of personal information in such technologies is subject to various data privacy and security laws and obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs and regulatory investigations and actions. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. Any failure by us to protect our users' privacy and data, including as a result of our systems being compromised by hacking or other malicious activity, could result in a loss of user confidence in our services and ultimately in a loss of users, which could materially and adversely affect our business. Our customers may also accidentally disclose their passwords, store them on a mobile device that is lost or stolen, or otherwise fall prey to attacks outside our system, creating the perception that our systems are not secure against third-party access. If our third-party contractors or vendors violate applicable laws or our policies, such violations may also put our customers' information at risk and could in turn have a material and adverse effect on our business.

The cloud-based communications and connected services industries are characterized by rapid changes in customer requirements, frequent introductions of new and enhanced services, and continuing and rapid technological advancement. To compete successfully in these emerging markets, we must anticipate and adapt to unpredictable technological changes and evolving industry standards and continue to design, develop, manufacture and sell new and enhanced services and products that provide increasingly higher levels of performance and reliability at lower cost. For fiscal 2024, we derived approximately 58% of our revenue from Ooma Business and approximately 40% from Ooma Residential and expect they will continue to account for most of our revenue for the foreseeable future. However, our future success will also depend on our ability to introduce and sell new services, such as our fiscal 2023 launch of Ooma Office Pro Plus or our newly-acquired 2600Hz solutions, as well as products, features and functionality that enhance or are beyond the voice, fax, text and connected services we currently offer, as well as to improve usability and support and increase customer satisfaction. The success of new product introductions, such as our fiscal 2023 launch of AirDial, depends on a number of factors including, but not limited to: pricing, market and customer acceptance, the ability to successfully identify and anticipate product trends, effective forecasting and management of product demand, purchase commitments and inventory levels, availability of products in appropriate quantities to meet anticipated demand, ability to obtain timely and adequate delivery of components for our new products from third-party suppliers, management of manufacturing and supply costs, management of risks and delays associated with product design and production ramp-up, delays in customer readiness for AirDial installations, the quality of AirDial installations performed by third-parties, ability to maintain the levels of service uptime and performance required by our customers, and the risk that new products or enhanced versions of existing products, may have quality issues or other defects or bugs in the early stages of introduction including testing of new components and features. Moreover, the market for plain old telephone service ("POTS") line replacement is relatively new and characterized by long sales cycles, and Ooma AirDial may not result in long-term success or significant revenue for us. Our failure to develop solutions that satisfy customer preferences in a timely and cost-effective manner may harm our ability to renew our subscriptions with existing customers and to create or increase demand for our services and products and may materially and adversely impact our results of operations. The introduction or announcement of new services and technologies by our competitors, including artificial intelligence ("AI") tools, could make our existing solutions obsolete, cause customers to defer purchases of our products and services, or otherwise adversely affect our business and results of operations. Further, we may experience higher product returns from retailers or reseller partners and may face challenges managing the inventory of new or existing products, which could lead to excess inventory charges and/or discounting of such products. In addition, new products may have varying selling prices and higher costs or different kinds of costs compared to legacy products, which could negatively impact our gross margins and operating results. For example, as and to the extent sales of AirDial increase, we expect to incur higher levels of support costs. We may experience difficulties with software development, operations, design or marketing that could delay or prevent the introduction or implementation of new or enhanced products, services and applications. We have in the past experienced and may in the future experience delays in the planned release dates of new features and upgrades and have discovered defects in new services and applications after their introduction. New products, or new features or upgrades to existing products and services, may not be released according to schedule, or, when released, they may contain defects. Either of these situations could result in adverse publicity, loss of revenue, higher than expected costs, delay in market acceptance or claims by customers against us, all of which could harm our reputation, business, results of operations and financial condition. Moreover, the development of new or enhanced products, services or applications may require substantial investment, and we must continue to invest a significant amount of resources in our research and development efforts to remain competitive. We do not know whether these investments will be successful. If we are unable to develop, license or acquire new or enhanced products, services and applications on a timely and cost-effective basis, or if such new or enhanced products, services and applications do not achieve adequate market acceptance, we may not be able to realize a return on our investments and our business, financial condition and results of operations may be materially and adversely affected.

Our operations depend on our ability to protect our network from interruption or damage resulting from unauthorized access or entry, computer viruses or malware or other events beyond our control, and our ability to detect any such events. In the past, we have been subject to distributed denial-of-service ("DDOS cyberattacks"), and have been subject to other forms of attacks by hackers intent on bringing down our services or accessing confidential information. Although these attempts were not successful in penetrating our network, we may be subject to other DDOS and other forms of attacks in the future, undetected or otherwise. Recent developments in the threat landscape include use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks, with higher financial ransom demand amounts and increasing sophistication and variety of ransomware techniques and methodology. For example, the industry has experienced an increase in cyber-attack activity has been observed in connection with Russia's invasion of Ukraine. We cannot assure you that our backup systems, regular data backups, physical, technological and organizational security protocols and measures and other procedures that are currently in place, or that may be in place in the future, will be adequate to detect or prevent unauthorized access to our systems, significant damage, system interruption, degradation or failure, or data loss or to respond to a cyberattack once launched. Additionally, hackers may attempt to directly gain access to a customer's on-premise appliance, or their mobile phone, which may delay or interrupt services, or may subject our customers to further security risks, including in relation to any connected household devices a customer might have now or in the future, such as our connected smart security sensors and our partner's connected devices or to our network more generally. Also, our services are web-based, and the amount of data we store for our users on our servers has been increasing as our business has grown. Despite our ongoing efforts to enhance security measures, our infrastructure and those of third parties we rely upon may be vulnerable to hackers, phishing, computer viruses, worms, ransomware other malicious software programs or similarly disruptive problems caused by our customers, employees, consultants or other internet users who attempt to invade public and private data networks. In some cases, we do not have in place disaster recovery facilities for certain ancillary services, such as email delivery of messages. Currently, a majority of our customers authorize us to bill their credit or debit card accounts directly for all transaction fees that we charge. We rely on encryption and authentication technology to ensure secure transmission of confidential information, including customer credit and debit card numbers. Despite our efforts to encrypt and secure transmission of confidential customer information, hackers with sufficiently sophisticated technology or methods may still be able to infiltrate our systems to gain unauthorized access to payment card information. Further, advances in computer capabilities, new discoveries in the field of cryptography or other developments may result in a compromise or breach of the technology we use to protect transaction data. In addition, because the techniques used to obtain unauthorized access to the information systems change frequently, and may not be recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. Third parties may attempt to fraudulently induce employees, consultants or customers into disclosing sensitive information, such as user names, passwords, customer proprietary network information ("CPNI"), intellectual property or other information in order to gain access to our customers' data or to our data. CPNI includes information such as the phone numbers called by a customer, the frequency, duration, and timing of such calls, and any services purchased by the customer, such as call waiting, call forwarding and caller ID, in addition to other information that may appear on a customer's bill. In addition, because the techniques used to obtain unauthorized access, or to sabotage systems, change frequently and generally are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. In addition, as noted above, due to political uncertainty and military actions associated with Russia's invasion of Ukraine, we and our vendors, business partners, and contractors may also be vulnerable to heightened risks of cyber-attacks, including from or affiliated with nation-state actors, which could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our services and products. Any compromise or perceived compromise of our security could damage our reputation, and could subject us to significant liability, as well as regulatory action, including financial penalties, which would materially adversely affect our brand, results of operations, financial condition, business and prospects. See "Risks Related to Security, IT Systems and Intellectual Property" for further risks related to security breaches.

The cloud-based communications and connected services industries are highly competitive and we expect that competition will continue to be intense in the future. Increased competition may result in pricing pressures, reduced profit margins and may impede our ability to continue to increase the sales of our services and products or cause us to lose market share, any of which could substantially harm our business and results of operations. We face continued competition from established communications providers, such as Comcast Corporation, Verizon Communications Inc. and Rogers Communications Inc.; as well as from traditional on-premise, hardware business communications providers, mobile communications app companies providing "over-the-top" solutions, large internet companies that offer services with features that compete with some of what we offer, and certain other communications companies. These companies currently or may in the future host their solutions through the cloud. Some of our competitors have been acquired, and may in the future consolidate with or be acquired by, other companies and competitors. Some of our competitors may enter into new alliances with each other or may establish or strengthen cooperative relationships with systems integrators, third-party consulting firms or other parties. Any such consolidation, acquisition, alliance or cooperative relationship could adversely affect our ability to compete effectively and lead to downward pricing pressure and our loss of market share, and could result in a competitor with greater financial, technical, marketing, service and other resources, all of which could harm our business, results of operations and financial condition. Furthermore, increased competition may result in aggressive business and pricing tactics by our competitors, including: offering products similar to our platforms and solutions on a bundled basis at no charge; announcing competing products combined with extensive marketing efforts; providing financial incentives to consumers; and asserting intellectual property rights irrespective of the validity of the claims. In addition, our retail partners may offer the products and services of competing companies, which would adversely affect our business. Competition from other companies may also adversely affect our negotiations with service providers and suppliers, including, in some cases, requiring us to lower our prices. We may not be able to compete successfully with the offerings and sales tactics of other companies, which could result in the loss of customers and, as a result, our revenue and profitability could be adversely affected. The market for our newly-acquired CPaaS and CCaaS 2600Hz solutions is rapidly evolving, significantly fragmented and highly competitive, with relatively low barriers to entry in some segments. Our competitors in this segment of the market are primarily (i) CPaaS companies that offer communications products and applications, and (ii) other software companies that compete with portions of these and CCaaS solutions. Some of our competitors and potential competitors in this segment are larger and have greater name recognition, longer operating histories, more established customer relationships, larger budgets, lower operating costs, and significantly greater resources than we do. As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, customer requirements or changing economic conditions. Our competitors may also offer products or services that address one or a limited number of functions at lower prices, with greater depth than our products or in different geographies. Our current and potential competitors may develop and market new products and services with comparable functionality to our products, and this could lead to us having to decrease prices in order to remain competitive. Additionally, in connection with our AirDial product offering, we face competition in the POTS replacement market from a range of other companies, such as Verizon Communications Inc., Granite Telecommunications LLC, MetTel Inc., and Napco Securities Technologies, Inc., as well as other service providers that bundle their offerings with POTS-related products from POTS replacement equipment manufacturers, such as DataRemote Inc. Our business, operating results and financial condition also depend, in part, on our ability to establish and maintain relationships through resellers, distributors, and strategic partners. A portion of our revenue is derived from sales made by these partners and any one of them may later decide to sell their own products or those of third parties that may be competitive with our products. A loss or reduction in sales of our products through these third-party intermediaries could adversely affect our revenue and other results of operations.

We believe that continuing to strengthen our current brand will be critical to achieving widespread acceptance of our services and will require continued focus on active marketing efforts. The demand for and cost of online and traditional advertising have been increasing and may continue to increase. Accordingly, we may need to increase our investment in, and devote greater resources to, advertising, marketing, and other efforts to create and maintain brand loyalty among users. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses incurred in building our brands. If we fail to promote and maintain our brand, or if we incur substantial expense in an unsuccessful attempt to promote and maintain our brands, our business could be materially and adversely affected. Our services, as well as those of our competitors, are regularly reviewed and commented upon by online and social media sources, as well as computer and other business publications. Negative reviews, or reviews in which our competitors' products and services are rated more highly than our solutions, could negatively affect our brand and reputation. From time to time, our customers have expressed dissatisfaction with our services, including dissatisfaction with our customer support, our billing policies and the way our services operate. If we do not handle customer complaints effectively, our brand and reputation may suffer, we may lose our customers' confidence, and they may choose to terminate, reduce or not to renew their subscriptions. In addition, many of our customers participate in social media and online blogs about internet-based services, including our services, and our success depends in part on our ability to minimize negative and generate positive customer feedback through such online channels where existing and potential customers seek and share information. If actions we take or changes we make to our services do not receive a favorable reception from these customers, their blogging could negatively affect our brand and reputation. Complaints or negative publicity about our services or customer service could materially and adversely impact our ability to attract and retain customers and our business, financial condition and results of operations.

To date, we have not generated significant revenue from outside of the United States and Canada, but we have continued to expand operations outside North America as we ramp up to provide services in certain countries internationally. The future success of our business will depend, in part, on our ability to expand our operations and customer base worldwide. Operating in international markets requires significant resources and management attention and will subject us to regulatory, economic and political risks different from those in the United States. Because of our limited experience with international operations and developing and managing sales and distribution channels in international markets, our expansion efforts may not succeed. We face risks in doing business internationally that could materially and adversely affect our business, including: - our ability to comply with differing and evolving technical and environmental standards, telecommunications regulations, and certification requirements outside the United States;- our ability to comply with different and evolving laws, rules, regulations and standards relating to data privacy, data protection, data localization and data security enacted in countries in which we operate or do business;- potential contractual and other liability to our business partners if we fail to meet their aggressive expansion schedules in new locations;- difficulties and costs associated with staffing and managing foreign operations;- potentially greater difficulty collecting accounts receivable and longer payment cycles;- the need to adapt and localize our services for specific countries;- the need to offer customer care in various languages;- reliance on third parties over which we have limited control for marketing and reselling our services;- availability of reliable broadband connectivity and wide area networks in targeted areas for expansion;- lower levels of adoption of credit or debit card usage for internet related purchases by foreign customers and compliance with various foreign regulations related to credit or debit card processing and data privacy;- difficulties in understanding and complying with local laws, regulations, and customs in foreign jurisdictions;- export controls and trade and economic sanctions administered by the Department of Commerce Bureau of Industry and Security and the Treasury Department's Office of Foreign Assets Control;- tariffs and other non-tariff barriers, such as quotas and local content rules;- tariffs imposed by the United States on goods from other countries and tariffs imposed by other countries on U.S. goods, including the tariffs implemented and additional tariffs that have been proposed by the U.S. government on various imports from China, Canada, Mexico and the EU, and by the governments of these jurisdictions on certain U.S. goods, and any other possible tariffs that may be imposed on services such as ours, the scope and duration of which, if implemented, remain uncertain;- compliance with various anti-bribery and anti-corruption laws such as the U.S. Foreign Corrupt Practices Act of 1977, as amended, or the FCPA;- more limited protection for intellectual property rights in some countries;- adverse tax consequences;- fluctuations in currency exchange rates, economic stability, and inflationary conditions which could increase the price of our services outside of the United States, increase the expenses of our international operations, including expenses related to foreign contractors, and expose us to foreign currency exchange rate risk;- exchange control regulations, which might restrict or prohibit our conversion of other currencies into U.S. Dollars;- restrictions on the transfer of funds;- international conflict and sanctions, such as those resulting from Russia's ongoing invasion of Ukraine;- deterioration of political relations between the United States and other countries; and - political or social unrest or economic instability in a specific country or region, which could have an adverse impact on our third-party software development and quality assurance operations there. Failure to manage any of these risks could harm our future international operations and our overall business.