Baijiayun Group (RTC) Risk Factors

The regulatory environment with respect to the industries in which we or our customers operate in China has been changing rapidly for the past several years and therefore is subject to substantial uncertainties, which may negatively impact our business. For example, the PRC private education industry, especially the after-school tutoring sector, has experienced intense scrutiny and has been subject to significant regulatory changes. In particular, the Opinions on Further Reducing Students' Homework Burden and After-School Tutoring Burden in Compulsory Education jointly promulgated by the General Office of State Council and the General Office of Central Committee of the Communist Party of China on July 24, 2021, sets out a series of operating requirements on after-school tutoring institutions, including, among other things, online academic after-school tutoring institutions that have filed with the local education administration authorities will be subject to review and re-approval procedures by competent government authorities, and any failure to obtain such approval will result in the cancellation of the previous filing and internet content provider license (the "ICP License"). Revenues generated from the education sector in general represented a significant portion of our total revenues in the past. The regulatory scrutiny on the PRC private education industry could materially and adversely affect our business, results of operations and financial condition. Since our customers operate in a broad range of industries, including private education industry, we are closely monitoring the evolving regulatory environment. However, our business, financial condition, results of operations and prospect may be materially and adversely affected due to restrictions on the private education and other industries. We also cannot assure that there will not be any new rules or regulations in China on business regarding the private education or other industry sectors that our customers currently operate in, or such new rules and regulations will not subject our business operations to further adjustments and in the event of such changes, our business operations may be adversely impacted.

Under PRC tax laws and regulations, some of our PRC subsidiaries currently benefit from a number of preferential tax treatments. For example, the modified EIT Law and its implementation rules generally impose a uniform income tax rate of 25% on all enterprises, but grant preferential treatment to "high and new technology enterprises strongly supported by the state" (the "HNTEs"), to enjoy a reduced enterprise tax rate of 15%. Beijing Baishilian Technology Co., Ltd., Baijiayunwang Technology Co., Ltd., Beijing Deran Technology Co., Ltd., Nanjing Baijia Cloud Technology Co., Wuhan Baijia Cloud Technology Co., Ltd. ("Wuhan BaiJiaYun"), Beijing Hydrogen, and Wuhan Qiyun Shilian Technology Co., Ltd. are qualified as HNTEs. We disposed of 100% equity interest of Wuhan BaiJiaYun in September 2022, and subsequently acquired 100% equity interest of Wuhan BaiJiaYun (currently known as Wuhan Xinwanlian Technology Co., Ltd.) in July 2023. Continued qualification as a HNTE is subject to a three-year review by the relevant government authorities in China, and in practice certain local tax authorities also require annual evaluation of the qualification. In addition to the foregoing tax benefit, some of our PRC subsidiaries obtained the certificate of Qualified Software Enterprise and some of our products have obtained software product registration certificates, based on which the relevant PRC subsidiaries enjoy certain preferential enterprise income tax and value-added tax benefits, according to relevant rules including the Notice on Value-added Tax Policies for Software Products issued by the Ministry of Finance (the "MOF") and the SAT on October 13, 2011, the Notice on Enterprise Income Tax Policies for Further Encouraging the Development of Software and Integrated Circuit Industries issued by the MOF and the SAT on April 20, 2012, the Notice on Increasing the Proportion of Weighted Pre-tax Deduction for R&D Expenses issued by the MOF, the SAT and the Ministry of Science and Technology on September 20, 2018, and the Announcement on Enterprise Income Tax Policies for Promoting the High-Quality Development of Integrated Circuit and Software Industries issued by the MOF, the SAT, the National Development and Reform Commission (the "NDRC") and the MIIT on December 11, 2020. In the event the preferential tax treatment for our PRC subsidiaries are discontinued or are not verified by the local tax authorities, and the affected entity fails to obtain preferential tax treatments, we will become subject to the standard tax rates and policies, including the PRC enterprise income tax rate of 25%. We cannot assure you that the tax authorities will not, in the future, discontinue our preferential tax treatment, potentially with retroactive effect.

We and our customers that use our products may be subject to privacy, cybersecurity and data protection- related laws and regulations that impose obligations in connection with the collection, processing and use of personal data, financial data, health or other similar data and general cybersecurity. The PRC government and governments in other countries have adopted or proposed limitations on, or requirements regarding, the collection, distribution, use, security and storage of information, including personally identifiable information of individuals. In the PRC, the PRC Cybersecurity Law and relevant regulations require network operators, which may include us, to ensure the security and stability of the services provided via network and to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations. In recent years, the PRC government has increasingly tightened the regulation of data privacy and data protection. The laws, regulations and governmental policies in the PRC for the data privacy and data protection are constantly evolving. For example, in June 2017, the PRC Cybersecurity Law promulgated by the Standing Committee of the National People's Congress (the "SCNPC"), took effect. The PRC Cybersecurity Law requires network operators to perform certain functions related to cybersecurity protection. In addition, the PRC Cybersecurity Law provides that the critical information infrastructure operators generally shall, during their operations in the PRC, store the personal information and important data collected and produced within the territory of PRC, and shall conduct security assessment for cross-border data transfer. See "Item 4. Information on the Company - Government Regulations - Regulation on Information Security and Censorship." On August 20, 2021, the SCPNC adopted the Personal Information Protection Law (the "PIPL"), which became effective on November 1, 2021. The PIPL stipulates that personal information processors who provide significant internet platform services, have a large user base and/or operate complex types of businesses are subject to certain obligations, such as establishing an internal personal information protection system in compliance with relevant laws, rules and regulations; and releasing social responsibility reports on personal information protection on a regular basis. See "Item 4. Information on the Company - Government Regulations -Regulation on Privacy Protection" Existing PRC laws and regulations do not provide clear parameters as to what constitutes "large user base" and/or "complex types of businesses." Nevertheless, it is widely accepted in practice that at least one million users is required in order to reach the "large user base" threshold, and "complex types of businesses" usually refers to a business model under which a company either operates as an integrated online platform, for example, a social media or e-commerce platform, or operates with diversified business lines or product catalogues. We believe that we are not a personal information processor who has a large user base and/or operate complex types of businesses. However, since there has been no official interpretation or explanation as to the definition of same, it remains uncertain whether we would be deemed as a personal information processor who has a large user base and/or operate complex types of businesses by the PRC regulatory authorities, thus requiring us to perform the obligations stipulated under the PIPL. On July 7, 2022, the Security Assessment Measures for Outbound Data Transfer was released by the CAC, which became effective on September 1, 2022, stipulates that before cross-border data transfer under certain circumstances, data processors shall make self-assessment of the risks, and shall apply for security assessment. These laws and regulations require, among others, that the personal information and important data generated and collected during the operations in the PRC should be stored within the PRC unless, prior to the intended data transfer, certain specified criteria have been satisfied, such as a completed official security assessment carried out by the PRC government authorities. As a personal information processor defined under the PIPL, while we do not believe current business involves any transmission, use and exchange of information that comes under the definition of "cross-border transfer of personal information and important data" under the PRC Cybersecurity Law, we cannot assure you that the PRC regulatory authorities will not take a view contrary to our view, thus requiring us to comply with the data localization, security assessment and other requirements under these laws and regulations. As our business continues to grow, there may arise circumstances where we engage in such cross-border transfer of personal data and/or important data, including in order to satisfy the legal and regulatory requirements, in which case we may need to comply with the foregoing requirements as well as any other limitations under PRC laws then applicable. Complying with these laws and requirements could cause us to incur substantial expenses or require us to alter or change our practices in ways that could harm our business. Additionally, to the extent we are found to be not in compliance with these laws and requirements, we may be subject to fines, regulatory orders to suspend our operations or other regulatory and disciplinary sanctions, which could materially and adversely affect our business, financial condition and results of operations. On December 28, 2021, the CAC, together with 12 other government authorities, jointly issued the Review Measures, which became effective on February 15, 2022. Pursuant to the Review Measures, "critical information infrastructure operators" who procure internet products and services that affect or may affect national security and any "network platform operators" carrying out data processing activities that affect or may affect national security shall be subject to cybersecurity review requirements. See "Item 4. Information on the Company - Government Regulations - Regulation on Information Security and Censorship." On September 24, 2024, the State Council promulgated the Network Data Security Management Regulation, which will come into effect on January 1, 2025. According to the Network Data Security Management Regulation, the national data security coordination mechanism coordinates relevant departments to formulate important data catalogues and strengthen the protection of important data; all regions and departments shall, in accordance with the data classification and classification protection system, determine the specific catalogue of important data in their own regions, departments and related industries and fields, and focus on the protection of network data included in the catalogue. Where network data processors carry out network data processing activities that affect or may affect national security, they shall go through a national security review in accordance with relevant PRC regulations. See "Item 4. Information on the Company - Government Regulations - Regulation on Information Security and Censorship." It remains uncertain what kind of data constitutes "Important Data." Also, there is no further explanation or interpretation as to how to determine what constitutes "affecting national security." Therefore, it is uncertain whether we would be deemed as a "Important Data Processors" and need to fulfill the obligations that the Important Data Processor should perform, whether we would be deemed as a "critical information infrastructure operator" or a "network platform operator" or a "data processors" holding one million users' personal information, or whether our business will be deemed to affect or may affect national security under PRC laws, thus requiring us to go through a national security review or cybersecurity review process. We currently do not have over one million users' personal information and do not anticipate that we will be collecting over one million users' personal information in the foreseeable future. As of the date of this annual report, we have not been informed by any PRC government authorities that we will be deemed as an Important Data Processor or a critical information infrastructure operator. It also remains uncertain whether future regulatory changes would impose additional restrictions on companies like us. We cannot predict the impact of the Review Measures and the Network Data Security Management Regulations, if any, at this stage. We will closely monitor and assess any development in the rulemaking process. If the Review Measures and the Network Data Security Management Regulations mandate clearance of a cybersecurity review and other specific actions to be completed by China-based companies listed on a foreign stock exchange like us, we face uncertainties as to whether such clearance can be timely obtained, or at all. As of the date of this annual report, we have not been involved in any formal investigations on cybersecurity review made by the CAC. If we are not able to comply with the cybersecurity and data privacy requirements in a timely manner, or at all, we may be subject to government enforcement actions and investigations, fines, penalties, suspension of our non-compliant operations, or removal of our applications from the relevant application stores, among other sanctions, which could materially and adversely affect our business and results of operations. In November 2021, one of our applications, "Cloud Classroom," was tested and determined to be in violation of the relevant regulations relating to the collection of personal information by National App Technology Testing Platform, which is an official platform under the MIIT. Upon receipt of the notice, we immediately conducted thorough reviews on relevant systems and made rectifications. In February 2022, such application was listed on a notice of criticism circulated by the MIIT, which determined that we violated relevant regulations in using users' personal information and mandatorily, frequently and excessively requesting for permissions of users' personal information. We reviewed our application system immediately and carried out rectification measures. The rectified application was recognized and approved by the MIIT in March 2022. Pursuant to the PIPL, where personal information is handled in violation of this law or personal information is handled without fulfilling personal information protection duties in accordance with the provisions, the departments fulfilling personal information protection duties and responsibilities are to order correction, confiscate unlawful income, and order the provisional suspension or termination of service provision of the application programs unlawfully handling personal information. The above-mentioned matters have neither caused the cessation of any of our applications nor adversely affected our business and results of operations. Further, in many cases we rely on the data processing, privacy, data protection and cybersecurity practices of our suppliers and contractors, including with regard to maintaining the confidentiality, security and integrity of data. If we fail to manage our suppliers or contractors or their relevant practices, or if our suppliers or contractors fail to meet any requirements with regard to data processing, privacy, data protection or cybersecurity required by applicable legal or contractual obligations that we face (including any applicable requirements of our clients), we may be liable in certain cases. We may face difficulties in binding our suppliers and contractors to these agreements and otherwise managing their relevant practices, which may subject us to claims, proceedings and liabilities. Any failure or perceived failure by us, our products or our platform to comply with new or existing cybersecurity or data protection laws, regulations, policies, industry standards or legal obligations in the PRC, any failure to bind our suppliers and contractors to appropriate agreements or to manage their practices or any systems failure or security incident that results in the unauthorized access to, or acquisition, release or transfer of, personally identifiable information or other data relating to customers or individuals may result in governmental investigations, inquiries, enforcement actions and prosecutions, private claims and litigation, fines and penalties, adverse publicity or potential loss of business.

To meet our customers' rapidly evolving demands, we invest substantial resources in research and development to incorporate additional functionalities, improve our technology capabilities and expand the use cases that our platform empowers. For the 2022, 2023 and 2024 fiscal years, the research and development expenses were US$13.0 million, US$6.4 million and US$8.8 million, respectively. If we are unable to develop products internally due to inadequate research and development resources, we may not be able to address our customers' needs in a timely manner, or at all. In addition, if we seek to enhance our research and development capabilities or the breadth of our products through acquisitions, such acquisitions could be expensive and we may not successfully integrate acquired technologies or businesses into our existing business. When we develop or acquire new or enhanced products, we typically incur expenses and expend resources upfront to develop, market, promote and sell the new offerings. Therefore, new or enhanced products we develop, acquire or introduce need to achieve high market acceptance to justify the upfront investment. Our new products or enhancements and changes to our existing products could fail to attain sufficient market acceptance for many reasons, including: - failure to accurately predict and meet market demand by launching products or functionalities desired by customers;- defects, errors, or failures in our products and solutions;- negative publicity about our platform's performance or effectiveness;- developments in the legal or regulatory landscape that could adversely affect our platform, such as increased legal or regulatory scrutiny;- emergence of competitors whose products and technologies achieve earlier or wider market acceptance than us;- delays in releasing enhancements to our platform to the market, or failure to achieve adequate market acceptance for our platform and our enhancements; and - introduction or anticipated introduction of competing products by our competitors. It is important that we maintain and increase the acceptance of our platform among the developers that work for our customers. We rely on developers to choose our platform over other options they may have, and to continue to use and promote our platform as they move between companies. These developers often make design decisions and influence the product and vendor processes within our customers. If we fail to gain or maintain their acceptance of our platform, our business, results of operations and financial condition would be harmed.

We believe that litigation and negative publicity surrounding companies with operations in China that are listed in the United States have negatively impacted stock prices for such companies. Certain politicians in the United States have publicly warned investors to shun China-based companies listed in the United States. The SEC and the PCAOB also issued a joint statement on April 21, 2020, reiterating the disclosure, financial reporting and other risks involved in the investments in companies that are based in emerging markets as well as the limited remedies available to investors who might take legal action against such companies. Furthermore, various equity-based research organizations have published reports on China-based companies after examining, among other things, their corporate governance practices, related party transactions, sales practices and financial statements that have led to special investigations and listing suspensions on U.S. national exchanges. Some China-based companies listed in the United States are also subject to allegations centered around financial and accounting irregularities, lack of effective internal controls over financial accounting, and fraud, and are in the process of internal and external investigations into the allegations, shareholder lawsuits and SEC enforcement actions. Any similar scrutiny of us, regardless of its lack of merit, could cause the market price of the Class A ordinary shares to fall, divert management resources and energy, and cause us to incur expenses in defending ourselves against rumors.

Our operations are dependent in part upon transmission bandwidth provided by third-party network or cloud providers and leasing co-location facilities for our servers and equipment. There can be no assurance that we are adequately prepared for unexpected increases in bandwidth demands by our customers. In the first quarter of 2020, we experienced a spike in usage as a result of demand for online real-time engagement spurred by the COVID-19 pandemic. Although we were able to scale our network infrastructure in response, the general increase in demand for bandwidth and servers increased prices which in turn adversely impacted our gross margin. Failure to contain the further spread, or any resurgence, of the COVID-19 pandemic may affect our ability to cost-effectively maintain and expand our network infrastructure, which could severely disrupt our business and operations and adversely affect our results of operations and financial condition. The bandwidth we have contracted to purchase may become unavailable for a variety of reasons, including service outages, payment disputes, suspension or termination of the network providers' business, natural disasters, pandemics, networks imposing traffic limits, or governments adopting regulations that impact network operations. We may also be unable to move quickly enough to augment capacity to reflect growing traffic or security demands. Failure to put in place the capacity we require could result in a reduction in, or disruption of, services to our customers, or require us to issue credits and ultimately a loss of those customers. Such a failure could result in our inability to acquire new customers demanding capacity not available on our platform. If we are unable to provide sufficient bandwidth, we may also become contractually obligated to provide affected customers with service credits under service level commitments in our customer agreements.

Our future performance depends on the continued services and contributions of our senior management to execute on our business plan, develop our products and platform, deliver our products to customers, attract and retain customers and identify and pursue business opportunities. The loss of services of senior management could significantly delay or prevent the achievement of our development and strategic objectives. In particular, to a considerable degree, we depend on the vision, skills, experience and effort of our chairman of the board and chief executive officer, Mr. Yi Ma and our chief financial officer, Ms. Fangfei Liu. The replacement of any of our senior management personnel would likely involve significant time and costs, and such loss could significantly delay or prevent the achievement of our business objectives. The loss of the services of any of our senior management for any reason could adversely affect our business, results of operations and financial condition.

Recently there have been heightened tensions in international relations, particularly between the United States and China, but also as a result of the war in Ukraine and sanctions on Russia. These tensions have affected both diplomatic and economic ties among countries. Heightened tensions could reduce levels of trade, investments, technological exchanges, and other economic activities between the major economies. The existing tensions and any further deterioration in the relationship between the United States and China may have a negative impact on the general, economic, political, and social conditions in both countries and, given our reliance on the Chinese market, adversely impact our business, financial condition, and results of operations.

A significant natural disaster, such as an earthquake, fire, flood or pandemic, occurring at our headquarters, at one of our other facilities or where a business partner is located could adversely affect our business, results of operations and financial condition. Further, if a natural disaster or man-made problem were to affect our service providers, this could adversely affect the ability of our customers to use our products and platform. In addition, natural disasters and acts of terrorism could cause disruptions in our or our customers' businesses, national economies or the world economy as a whole. We also rely on our network and third-party infrastructure and enterprise applications and internal technology systems for our engineering, sales and marketing, and operating activities. Although we maintain incident management and disaster response plans, in the event of a major disruption caused by a natural disaster or man-made problem, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our development activities, lengthy interruptions in service, breaches of data security and loss of critical data, any of which could adversely affect our business, results of operations and financial condition. In addition, computer malware, viruses and computer hacking, fraudulent use attempts and phishing attacks have become more prevalent in our industry, have occurred on our platform and have impacted some of our services providers in the past and may occur on our platform in the future. Any failure to maintain performance, reliability, security, integrity and availability of our products and technical infrastructure, including third-party infrastructure and services upon which we rely, may give rise to litigation, consumer protection actions, or harm to our reputation, and as a result, may hinder our ability to retain existing customers and attract new customers.