Onestream, Inc. Class A (OS) Risk Analysis

We are focused on creating a modern, unified platform for the Office of the CFO in a rapidly evolving industry and market acceptance of our platform is critical to our continued success. Our platform and applications are relatively new, continue to evolve and have been developed to respond to an increasingly global and complex business environment with rigorous regulatory standards. If organizations do not increasingly allocate their budgets to solutions like ours or if we do not succeed in convincing potential customers that our platform should be an integral part of their approach to their enterprise performance management, or EPM, our sales might not grow as quickly as anticipated, or at all. Our business is substantially dependent on businesses recognizing that EPM inefficiencies are pervasive and are not effectively addressed by legacy approaches. Economic uncertainty or volatility, or future deterioration in general economic, market, political or social conditions, might also cause our customers to cut or delay their information technology or other business spending, and such cuts might disproportionately affect businesses like ours to the extent customers view our platform as too costly or as discretionary. If our revenue does not increase for any of these reasons, or any other reason, our business, operating results, financial condition and growth prospects will be materially and adversely affected.

There is considerable activity in our industry to develop proprietary technology and enforce intellectual property rights. Our success depends in part upon our not infringing upon the intellectual property rights of others. From time to time, our competitors or other third parties may own or claim to own intellectual property relating to our platform and underlying technology, and we may be unaware of the intellectual property rights that others may claim cover aspects of our platform or the underlying technology. Accordingly, third parties may claim that our platform and underlying technology are infringing, misappropriating or otherwise violating third-party intellectual property rights and such third parties may bring claims alleging such infringement, misappropriation or violation. As one example, there may be issued patents of which we are not aware, held by third parties that, if found to be valid and enforceable, could be alleged to be infringed by our current or future technologies or solutions. There also may be pending patent applications of which we are not aware that may result in issued patents, which could be alleged to be infringed by our current or future technologies or products. Because patent applications can take years to issue and are often afforded confidentiality for some period of time, there may currently be pending applications, unknown to us, that later result in issued patents that could cover our current or future technologies. Claims of infringement, misappropriation or other violations of intellectual property rights might require us to stop using technology found to violate a third party's rights, redesign our platform, which could require significant effort and expense and cause delays of releases, enter into costly settlement or license agreements, pay costly damage awards or ongoing royalties, or face a temporary or permanent injunction prohibiting us from marketing or selling our platform. With respect to claims that our technology or the conduct of our business infringe or otherwise violate intellectual property rights, or if we cannot or do not obtain licenses to such intellectual property rights on commercially reasonable terms or at all, or substitute similar non-infringing technology from another source, we could be forced to limit or stop selling our platform. In addition, we may be unable to meet our obligations to customers under our customer contracts or to compete effectively, and our revenue and operating results could be adversely impacted. We might also be obligated to indemnify our customers or other companies in connection with any such litigation and to obtain licenses, modify our platform or refund subscription fees, which could harm our financial results. In addition, we might incur substantial costs to resolve claims or litigation, whether or not successfully asserted against us, which could include payment of significant settlement, royalty or license fees, modification of our platform or refunds to customers of subscription fees. Even if we were to prevail in the event of claims or litigation against us, any claim or litigation regarding our intellectual property could be costly and time-consuming and divert the attention of our management and other employees from our business operations. Such disputes could also disrupt our sales and marketing efforts, making it more difficult to attract new customers, retain our existing customers and maintain customer satisfaction.

Our platform, including certain aspects of our AI-enabled solutions and applications, uses software governed by open source licenses. The use of open source software involves a number of risks, many of which cannot be eliminated and could negatively affect our business. For example, the terms of various open source licenses have not been interpreted by United States courts, and there is a risk that such licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to market our platform. By the terms of certain open source licenses, if we combine our proprietary software with open source software in a certain manner, we could be required to release the source code of our proprietary software and to make our proprietary software available under open source licenses. Additionally, the use and distribution of open source software may entail greater risks than the use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. From time to time, there have been claims challenging the use of open source software against companies that incorporate such software into their platforms. As a result, we could be subject to suits by parties claiming misuse of, or a right to compensation for, what we believe to be open source software. Litigation could be costly for us to defend, harm our business, operating results and financial condition or require us to devote additional research and development resources to change our platform. Although we have implemented policies to regulate the use and incorporation of open source software into our platform, we cannot be certain that we have not incorporated open source software in our platform in a manner that is inconsistent with such policies. If we inappropriately use open source software, we might be required to re-engineer our platform, discontinue the sale of our platform or take other remedial actions.

We sell our platform to U.S. federal, state, local and foreign governmental agency customers, as well as to customers in highly regulated industries such as financial services, telecommunications and healthcare. Sales to such entities are subject to a number of challenges and risks. Selling to such entities can be highly competitive, expensive and time-consuming, often requiring significant up-front time and expense without any assurance that our efforts will generate a sale. We have achieved FedRAMP High Authorization, meaning our platform has met certain government security standards and been approved for use by U.S. federal agencies. Any change in our FedRAMP certification could impede our ability to enter into contracts with government entities. If we do not successfully manage our FedRAMP certification, our sales to governments and governmental agencies could be delayed or limited, and as a result, our business, operating results and financial condition could be adversely affected. In addition, government certification requirements for products like ours may change, thereby restricting our ability to sell into the government sector until we have attained such revised certification or certifications. Government contracting requirements may also change and, in doing so, restrict our ability to sell into the government sector until we or our partners have met government-mandated requirements. If we do not achieve and maintain compliance with government requirements, it may harm our competitive position against competitors whose offerings are able to meet these requirements. There can also be no assurance that we will secure commitments or contracts with government entities even following efforts to meet government requirements, which could harm our margins, business, operating results and financial condition. Additionally, government entities and highly regulated organizations typically have longer implementation cycles, sometimes require acceptance provisions that can lead to a delay in revenue recognition, can have more complex IT and data environments and may expect greater payment flexibility from vendors. Further, governmental and highly regulated entities may demand contract terms that differ from our standard arrangements and may be less favorable than terms agreed upon with private sector customers. Such entities may have statutory, contractual or other legal rights to terminate contracts with us or our partners for convenience or for other reasons. Contracts with governmental entities may also include preferential pricing terms, including, but not limited to, "most favored customer" pricing. In the event that we are successful in being awarded a government contract, such award may be subject to appeals, disputes or litigation, including but not limited to bid protests by unsuccessful bidders. As a government contractor or subcontractor, we must comply with laws, regulations and contractual provisions relating to the formation, administration and performance of government contracts, which affect how we and our partners do business with government agencies. Governments routinely investigate and audit government contractors' administrative processes, and any unfavorable audit could result in the government refusing to renew our subscriptions, a reduction in revenue or fines or civil or criminal liability if the audit uncovers improper or illegal activities. As a result of actual or perceived noncompliance with government contracting laws, regulations or contractual provisions, we may also be subject to non-ordinary course audits and government or internal investigations which may prove costly to our business financially, divert management time or limit our ability to continue selling our platform to our government customers. These laws, regulations and contractual provisions could result in other added costs on our business, and failure to comply with these or other applicable regulations and requirements could lead to claims for damages from our partners, downward contract price adjustments or refund obligations, civil or criminal penalties, investigations, audits, termination of contracts, fines and other penalties, including, but not limited to, the federal False Claims Act. Violations of certain regulatory and contractual requirements, or failure to maintain required certifications, could also result in suspension or debarment from government contracting for a period of time with government agencies. Any such damages, penalties, disruption or limitation in our ability to do business with a government would adversely impact our business, operating results, financial condition, public perception and growth prospects. Government demand and payment for our platform is affected by public sector budgetary cycles and funding authorizations, as well as government fiscal and contracting policies, with funding reductions or delays adversely affecting public sector demand for our platform. If budget appropriations are not obtained, we may face contract terminations. In addition, the current administration has stated its intent to evaluate overall government spending, which could impact our business, operating results, financial condition and growth prospects. More generally, if expected sales to a government entity or highly regulated organization for a particular quarter are not realized in that quarter or at all, our business, operating results, financial condition and growth prospects could be adversely affected.

We are subject to the FCPA, U.S. domestic bribery laws, the UK Bribery Act and other anti-corruption and anti-bribery laws, and anti-money laundering and similar laws, in the countries in which we conduct activities. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly to generally prohibit companies, their employees, business partners, third-party intermediaries, representatives and agents from authorizing, offering, or providing, directly or indirectly, improper payments or other benefits, to government officials or others in the private sector in order to influence official action, direct business to any person, gain any improper advantage, or obtain or retain business. Anti-money laundering laws generally prohibit persons from engaging in transactions where the proceeds at issue derive from, or are intended to facilitate or conceal, illegal activity or where a party to the transaction is "willfully blind" to the illegal sources of the proceeds. As we increase our international sales and business, our risks under these laws may increase. We sometimes engage with third-parties to market our platform or conduct our business in the United States and in foreign jurisdictions. In addition, we, our employees, business partners, third-party intermediaries, representatives and agents may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities. We may be held liable for the corrupt or other illegal activities of our employees, business partners, third-party intermediaries, representatives and agents, even if we do not explicitly authorize such activities. These laws also require that we keep accurate books and records and maintain internal controls and compliance procedures designed to prevent any such actions. While we have policies and procedures to address compliance with such laws, we cannot assure you that none of our employees, business partners, third-party intermediaries, representatives and agents will take actions in violation of our policies and applicable law, for which we may be ultimately held responsible. Detecting, investigating and resolving actual or alleged violations of anti-corruption laws can require a significant diversion of time, resources and attention from senior management, as well as significant defense costs and other professional fees. In addition, any allegations of a violation of the FCPA or other applicable anti-corruption or anti-bribery laws or anti-money laundering laws could subject us to whistleblower complaints, investigations, sanctions, settlements, prosecution, enforcement actions, fines, damages, severe civil or criminal penalties or injunctions against us, our officers or our employees, disgorgement of profits, suspension or debarment from contracting with governments or other persons, reputational harm, adverse media coverage, and other collateral consequences, all of which may have an adverse effect on our reputation, business, operating results, financial condition, stock price and prospects.

We are and will be generally subject to tax laws, regulations, and policies of several taxing jurisdictions. Changes in applicable tax laws and regulations, as well as other factors, including the possibility of retroactive effect, could cause us to experience fluctuations in our tax obligations and effective tax rates and could affect our tax positions and/or our tax liabilities. For example, beginning in 2022, the Internal Revenue Code eliminated the right to deduct research and development expenditures currently and requires taxpayers to capitalize and amortize U.S. and foreign research and development expenditures over five and fifteen tax years, respectively. Additionally, recent changes to U.S. tax laws, including limitations on the ability of taxpayers to claim and use foreign tax credits, as well as changes to U.S. tax laws that might be enacted in the future, could impact the tax treatment of our foreign earnings. Due to expansion of our international business activities, any changes in the U.S. taxation of such activities might increase our worldwide effective tax rate and adversely affect our operating results and financial condition. There is also a high level of uncertainty in today's tax environment stemming from both global initiatives put forth by the Organisation for Economic Co-operation and Development, or the OECD, and unilateral measures being implemented by various countries due to a lack of consensus on these global initiatives. As an example, the OECD has announced that it has reached agreement among its member countries to implement Pillar Two rules, a global minimum tax at 15% for certain multinational enterprises. While some countries, including certain members of the EU, among other jurisdictions, have issued laws and regulations to conform to this regime that became effective as of January 1, 2024, we have determined that we are not yet subject to Pillar Two rules. We will continue to monitor legislative and regulatory developments to assess potential impacts that Pillar Two rules may have on our business, operating results and financial condition. Further, unilateral measures such as digital services tax and corresponding tariffs in response to such measures create additional uncertainty and may adversely impact our business. If these proposals or other unanticipated proposals are passed, it is likely that we will have to pay higher income taxes in countries where such rules are applicable.

Privacy, cybersecurity and data protection are significant issues in the United States, Europe and many other jurisdictions where we offer our platform. The regulatory frameworks governing the collection, storage, use and other processing of business information, particularly information that affects financial statements and personal data, are rapidly evolving, and any failure or perceived failure to comply with applicable privacy, cybersecurity or data protection laws or regulations may adversely affect our business. Further, these laws are not always interpreted uniformly and there is no guarantee that regulators or consumers will agree with our approach to compliance. Additionally, any violations of applicable laws, regulations or policies by third parties we work with, such as vendors or developers, may put our customers' content at risk and have an adverse effect on our business. Any significant change to applicable laws, regulations or industry practices regarding the collection, use, retention, security, disclosure, or other processing of our customers' content, or regarding the manner in which the express or implied consent of customers for the collection, use, retention, disclosure or other processing of such content is obtained, could increase our costs and require us to modify our platform, core solutions and applications, or modify our policies or practices, possibly in a material manner, which we may be unable to do on a commercially reasonable basis or at all and, which may limit our ability to store and process customer data or develop new applications and features. For example, in the United States, several states have enacted new data privacy laws. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, or the CCPA, among other things, requires covered companies to provide required disclosures to California consumers, and afford such consumers abilities to opt out of certain processing of personal information. Additionally, many other states have proposed or enacted data privacy laws, including, for example, Washington's My Health, My Data Act, and numerous laws similar to the CCPA. The U.S. federal government also is contemplating federal privacy legislation, reflecting a trend toward more stringent data privacy legislation. In addition, the U.S. federal government and various U.S. state and foreign governments have adopted or proposed requirements regarding obligations on companies to notify individuals of security breaches and incidents involving particular personal information, which could result from breaches and incidents experienced by us or by organizations with which we have formed or may form strategic relationships. Even though we may have certain contractual protections with such organizations, notifications or other public disclosure or dissemination of information related to any actual or perceived security breach or incident could impact our reputation, harm customer confidence, hurt our expansion into new markets or cause us to lose existing customers. Further, many foreign countries and governmental bodies, including the European Union, or the EU, where we conduct business and have offices or use vendors, have laws and regulations concerning the collection and use of personal data obtained from their residents or by businesses operating within their jurisdiction. For example, we are subject to the European General Data Protection Regulation and applicable national supplementing laws, collectively the EU GDPR. We may also be subject to the United Kingdom General Data Protection Regulations and Data Protection Act 2018, collectively the UK GDPR and together with the EU GDPR, the GDPR. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, disclosure and security of data that identifies or may be used to identify an individual and include a principle of accountability and the obligation to demonstrate compliance through policies, procedures, training and audit. The GDPR also regulates cross-border transfers of personal data out of the European Economic Area, or EEA, and the United Kingdom, or UK. With regard to data transfers of personal data from our European employees and customers to the United States, we historically relied upon EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield certifications for the transfer of personal data from the EU and Switzerland to the United States. On October 7, 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Intelligence Activities' which introduced new redress mechanisms and binding safeguards to address concerns raised by the Court of Justice of the European Union, or the CJEU, in relation to data transfers from the EEA to the United States and which formed the basis of the EU-US Data Privacy Framework, or DPF, which became effective as an EU GDPR (and subsequently leveraged for use as a UK GDPR) transfer mechanism to U.S. entities self-certified under the DPF. We currently rely on the EU Standard Contractual Clauses to transfer personal data outside of the EEA. CJEU case law states that reliance on the standard contractual clauses alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. On June 28, 2021, the EU Commission adopted an "adequacy decision," which allows for free flow of personal data between the EEA and the UK. This adequacy decision includes a "sunset clause," which limits its duration to four years. During this period, the Commission could intervene at any time if the UK deviates from the level of protection currently in place. It is uncertain how data protection laws and related regulations will develop in the UK over time, and if and when the Commission might make use of this right to intervene. The UK government has introduced legislation on multiple occasions that, if enacted, could cause UK data protection law to deviate from the EU GDPR. Any restrictions on cross-border transfers of personal data could adversely impact our customers' use of our platform and our business, operating results and financial condition. We may, in addition to other impacts, experience additional costs associated with increased compliance burdens following such decisions and otherwise in connection with regulatory developments and evolving guidance regarding cross-border data transfers, and we and our customers face the potential for regulators in the EEA, Switzerland, the UK and other regions to apply different standards to the transfer of personal data from those regions to the United States, and to block, or require ad hoc verification of measures taken with respect to, certain data flows to the United States. We also may be required to engage in new contract negotiations with third parties that aid in processing data on our behalf. Our means for transferring personal data from the EEA, Switzerland, the UK and other regions may not be adopted by all of our customers and may be subject to legal challenge by data protection authorities. We may also experience reluctance or refusal by customers in Europe or other regions to use our platform due to potential risk exposure. We and our customers face a risk of enforcement actions taken by data protection authorities in various jurisdictions regarding cross-border data transfers, including from and to the United States. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel and negatively affect our business, operating results and financial condition. We are also subject to evolving privacy laws on cookies, tracking technologies and e-marketing. Recent U.S. and European court and regulatory proceedings are driving increased attention to cookies and tracking technologies. If the trend of increasing proceedings by litigants and enforcement by regulators continues, this could lead to substantial costs, require significant system changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins and subject us to additional liabilities. Our customers also expect that we comply with certain standards that may place additional burdens on us. Our customers expect us to meet voluntary certifications or adhere to standards established by third parties, such as the SSAE 18, SOC1 and SOC2 audit processes, and may demand that they be provided with an auditor's report to verify our compliance. If we are unable to maintain these certifications or meet these standards, it could adversely affect our customers' demand for our service and could harm our business. In recent years, use of AI and automated decision-making methods have come under increased regulatory scrutiny. New laws, guidance or decisions in this area could provide a new regulatory framework that could require us to adjust and may limit our ability to use our existing AI models and make changes to our operations that may decrease our operational efficiency, resulting in an increase to operating costs and/or hindering our ability to improve our services. For example, in the United States, Colorado has enacted legislation that, when effective, will restrict the use of certain AI systems, and the California Privacy Protection Agency is in the process of finalizing regulations under the CCPA regarding the use of automated decision-making and other matters. Further, in Europe, in March 2024, the EU Parliament adopted a comprehensive, risk-based governance framework for AI in the EU market, the EU AI Act. It is intended to apply to companies that develop, use and/or provide AI in the EU and includes requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security and accuracy, and introduces significant fines for noncompliance. There are also specific obligations regarding the use of automated decision-making under the GDPR. We also expect laws, regulations, industry standards and other obligations worldwide relating to privacy, data protection and cybersecurity to continue to evolve, and that there will continue to be new, modified, and re-interpreted laws, regulations, standards, and other obligations in these areas. For example, the Network and Information Security Directive II, or NIS2, adopted in 2023, aims to enhance cybersecurity across critical infrastructure and essential services in the EU. It expands the scope of the 2016 NIS Directive to include additional sectors while enforcing stricter governance and accountability requirements. NIS2 requires all 27 EU member states to issue implementing legislation by October 2024; however, several EU member states have not finalized their respective legislation and guidance. Additionally, the Digital Operational Resiliency Act, or DORA, became effective in January 2025, and aims to establish a universal framework for managing and mitigating information and communication technology risk that will apply to entities in the financial sector and their third-party cloud service providers. We cannot yet determine the impact these laws and regulations or any future laws, regulations and standards may have on our business. Such laws, regulations and standards are often subject to differing interpretations and these or other laws or regulations relating to privacy, data protection and cybersecurity may be inconsistent among jurisdictions. These and other actual or asserted requirements could reduce demand for our service, increase our costs, impair our ability to grow our business, restrict our ability to store and process data or, in some cases, impact our ability to offer our platform, core solutions or applications in some locations and may subject us to liability. Further, in view of new or modified federal, state or foreign laws and regulations, industry standards, contractual obligations and other actual or asserted legal obligations, or any changes in their interpretation, we may find it necessary or desirable to fundamentally change our business activities and practices or to expend significant resources to modify our platform, core solutions or applications and otherwise adapt to these changes. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new core solutions and applications could be limited. The costs of compliance with and other burdens imposed by laws, regulations and standards may limit the use and adoption of our platform and reduce overall demand for it, or lead to regulatory investigations and other proceedings, private claims and litigation, and significant fines, penalties or liabilities in connection with any actual or asserted noncompliance. Privacy, cybersecurity and data protection concerns, whether valid or not valid, may inhibit market adoption of our platform, particularly in certain industries and foreign countries. Any failure or perceived failure by us to comply with our privacy policies, our obligations to customers relating to privacy, cybersecurity or data protection, any statements or commitments we make regarding privacy, data protection, cybersecurity or the processing of customer data or other data, or our other policies or obligations relating to privacy, cybersecurity or data protection, or any actual or perceived security breach or incident or other cybersecurity compromise, including any such compromise that results in the loss or unavailability of data, unauthorized access to, or use, alteration, disclosure or other processing of data, may result in governmental investigations and enforcement actions, claims, demands and litigation, negative publicity, harm to our reputation, and could cause a loss of customers and harm our ability to attract new customers, any or all of which could have an adverse effect on our business, operating results and financial condition.

In order for us to maintain or improve our business, operating results and financial condition, it is important that our customers renew their subscriptions when their contract term expires and add products, solutions and users to their subscriptions. Our initial subscription term is typically three years, but can range from less than one year up to ten years. Our customers have no obligation to renew their subscriptions after the expiration of their existing subscription period. Although our customer retention rate has been high historically, we cannot assure you that we will not experience lower customer retention rates in the future, or that we will be able to accurately predict renewal rates. Our customers may decide not to renew their subscriptions at all, or may decide not to renew with a similar contract period, at the same prices or terms, or with the same or a greater amount of products, solutions or users. Our customer retention may decline or fluctuate as a result of a number of factors, many of which are beyond our control, including our customers' satisfaction with our platform and applications, the quality of our professional services and customer support, our prices, the features and pricing of competing products, reductions in our customers' spending levels, customer adoption and expanded use of our platform, mergers and acquisitions involving our customers and uncertain or deteriorating general economic conditions. Our ability to increase the number of users may also be negatively impacted by current and future AI capabilities that may reduce or replace our customers' need for existing or future employees who are or would be potential users of our platform. If our customers do not renew their subscriptions, if they renew on less favorable terms or if they do not add more products, solutions or users, our business, operating results and financial condition will be adversely affected.

Our results of operations may fluctuate, in part, because of the complexity of customer problems that our platform and applications address, the resource-intensive nature of our sales efforts, the length and variability of our sales cycles and the difficulty in making short-term adjustments to our operating expenses. The timing of our sales is difficult to predict. The average length of our sales cycle, from initial evaluation to payment for our subscriptions and licenses, is four to eight months, but can vary substantially from customer to customer and can extend over a number of years for some customers. Our sales efforts involve educating our customers about the use, technical capabilities and benefits of our platform. Customers often undertake a prolonged evaluation process, which frequently involves not only our platform but also other companies' products. In addition, the size of potential customers may lead to longer sales cycles. For instance, we invest resources into sales to large organizations, and large organizations typically undertake a significant evaluation and negotiation process due to their leverage, size, organizational structure and approval requirements, all of which can lengthen our sales cycle. Our ability to close sales during long sales cycles has in the past been, and may in the future be, negatively impacted by events outside of our control, such as labor union strikes and volatile macroeconomic conditions. We may also face unexpected deployment challenges with large organizations or more complicated deployment of our platform and core solutions. Large organizations may demand additional features, support services and pricing concessions or require additional security management or control features. We may spend substantial time, effort and money on sales efforts to large organizations without any assurance that our efforts will produce any sales. As a result, it is difficult to predict exactly when, or even if, we will make a sale to a potential customer or if we can increase sales to our existing customers. Individual sales tend to be large as a proportion of our overall sales, which impacts our ability to plan and manage cash flows and margins. These large individual sales have, in some cases, occurred in quarters subsequent to those we anticipated, or have not occurred at all. If our sales cycle lengthens or our substantial up-front investments do not result in sufficient revenue to justify our investments, our business, operating results and financial condition could be adversely affected. In addition, within each quarter, it is difficult to project the month in which a sale will close. Therefore, it is difficult to determine whether we are achieving our quarterly expectations or will achieve annual expectations until near the end of the quarter or year, as applicable. Most of our expenses are relatively fixed or require time to adjust. Therefore, if expectations for our business are not accurate, we may not be able to adjust our cost structure on a timely basis, and our margins and cash flows may differ from expectations.

To execute our growth plan, we must attract and retain highly qualified personnel across our business, both in the United States and internationally. Competition for personnel is intense, especially for experienced sales personnel and engineers experienced in designing and developing cloud-based solutions and applications, including products with AI and machine learning capabilities. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. Many of the companies with which we compete for experienced personnel have greater resources than we have, and some of these companies may offer more attractive compensation packages. If we hire employees from competitors or other companies, their former employers might attempt to assert that we or these employees have breached their legal obligations, resulting in a diversion of our time and resources. Likewise, if competitors hire our employees, we might divert time and resources to deterring any breach by our former employees or their new employers of their legal obligations. In addition, job candidates and existing employees often consider the value of the equity awards they receive in connection with their employment. If the perceived value of our equity awards declines, it might harm our ability to recruit and retain highly-skilled employees. Further, laws and regulations, such as restrictive immigration laws or export control laws, may limit our ability to recruit internationally. We must also continue to retain and motivate existing employees through our compensation practices, company culture and career development opportunities. We may fail to identify, attract and retain talented and diverse employees who support our corporate culture that we believe fosters innovation, teamwork, diversity and inclusion, and which we believe is critical to our success. If we fail to identify, attract, develop and integrate new personnel, or fail to retain and motivate our current personnel, our growth prospects would be severely harmed. As we continue to grow and further develop our public company infrastructure, we may find it difficult to maintain our company culture. In particular, increasing our customer and user base and sales will depend, to a significant extent, on our ability to effectively expand our sales and marketing operations and activities. We are substantially dependent on our direct sales force to obtain new customers. We plan to continue to expand our direct sales force and marketing team over time, both domestically and internationally. We believe that there is significant competition for experienced sales and marketing professionals with the skills and technical knowledge that we require. Our ability to achieve significant revenue growth in the future will depend, in part, on our success in recruiting, training and retaining a sufficient number of experienced professionals. New hires require significant training and time before they achieve full productivity, particularly in new sales segments and territories. Our recent hires and planned hires might not become as productive as quickly as we expect, and we might be unable to hire or retain sufficient numbers of qualified individuals in the future in the markets where we do business. Our business will be harmed if our sales expansion efforts do not generate a significant increase in revenue.

We manage our platform and serve most of our customers using cloud-based infrastructure that is owned and operated by Microsoft. We do not control the operation of these facilities. Any changes in third-party service levels at our data centers or any disruptions or delays from errors, defects, hacking, incidents, security breaches or incidents, computer viruses or other intentional bad acts or performance problems could harm our reputation, damage our customers' businesses and harm our business, operating results and financial condition. The third-party data centers that we use are also vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, war, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. If the data centers that we use were compromised or unavailable or our customers were unable to access our platform for any reason, our business and operations would be materially harmed. Our customers have experienced disruptions and outages in accessing our platform in the past, and might in the future experience, disruptions, outages and other performance problems. Although we expend considerable effort to ensure that our platform is capable of handling existing and increased traffic levels, the ability of our cloud-based platform to effectively manage any increased capacity requirements depends on our third-party providers. Our third-party data center providers might not be able meet such performance requirements, especially to cover peak levels or spikes in traffic, and as a result, our customers might experience delays in accessing our platform or encounter slower performance in our core solutions or applications, which could significantly impair the operations of our customers. Interruptions in our services might reduce our revenue, cause us to issue credits to customers, subject us to potential liability and cause customers to terminate their subscriptions or harm our renewal rates. If we do not accurately predict our infrastructure capacity requirements, our customers could experience service shortfalls. The provisioning of additional cloud hosting capacity requires lead time. In addition, if these services and infrastructure become unavailable because they are no longer available on commercially reasonable terms, our expenses could increase. If we are unable to maintain our relationship with, or achieve required capacity under, our agreements with Microsoft, we might be required to transfer the operation of our platform to new data center facilities, and we might incur significant costs and possible service interruption in connection with doing so.