SentinelOne (S) Risk Factors

Companies are subject to an increasing number and wide variety of attacks on their networks on an ongoing basis. Traditional computer "hackers," malicious code (such as viruses and worms), phishing attempts, ransomware, account takeover, business email compromise, employee fraud, theft or misuse, denial of service attacks, and sophisticated nation-state and nation-state supported actors engage in intrusions and attacks that create risks for our internal networks and cloud deployed products and the information they store and process. Cybersecurity companies face particularly intense attack efforts, and we have faced, and will continue to face, cyber threats and attacks from a variety of sources. The research that we conduct and report may make us, or our customers, a further target for attacks of all kinds. State-supported and geopolitical-related cyberattacks may rise in connection with regional geopolitical conflicts such as the conflicts in the Middle East, Ukraine and tensions between China and Taiwan. In addition, our cybersecurity product is likely considered a valuable target for lateral attacks because of its highly privileged access. Moreover, the ongoing war in Ukraine and associated activities in Ukraine and Russia have increased the risk of cyberattacks on various types of infrastructure and operations, and the U.S. government has warned companies to be prepared for a significant increase in Russian cyberattacks in response to the sanctions on Russia. There may also be increased risks of cybersecurity attacks as a result of the unfolding events in the Middle East. Additionally, bad actors are beginning to utilize AI-based tools to execute attacks, creating unprecedented cybersecurity challenges. Although we have implemented security measures to prevent such attacks, our networks and systems may be breached due to the actions of outside parties or human error, insufficient cybersecurity controls, malfeasance, a combination of these, or otherwise, and as a result, an unauthorized party may obtain access to our and/or our customers' systems, networks, or data. We may face difficulties or delays in identifying or otherwise responding to any attacks or actual or potential security breaches or threats. These risks are exacerbated by developments in generative AI. A breach in our data security or an attack against our platform could impact our networks or the networks and data of our customers that are secured by our platform, creating system disruptions or slowdowns and providing access to malicious parties to information stored on our networks or the networks of our customers, resulting in data being publicly disclosed, misused, altered, lost, or stolen, which could subject us to liability and adversely affect our financial condition. If compromised, our own systems could be used to facilitate or magnify an attack. Further, the increase in remote work by companies and individuals in recent years has generally increased the attack surface available to bad actors for exploitation, and as such, the risk of a cybersecurity incident potentially occurring has increased. We have accordingly increased our investments in protective measures and risk mitigation strategies, but we cannot guarantee that our efforts, or the efforts of those upon whom we rely and partner with, will be successful in preventing any such information security incidents. Protecting our own assets has become more expensive from a dollar investment and time perspective and these costs may increase as the threat landscape increases, including as a result of use by bad actors of AI. Any actual, alleged, or perceived security breach in our systems or networks, or any other actual, alleged or perceived data security incident we suffer, could result in damage to our reputation, negative publicity, loss of customers and sales, loss of competitive advantages over our competitors, increased costs to remedy any problems and otherwise respond to any incident, regulatory investigations and enforcement actions, fines and penalties, costly litigation, and other liability. We would also be exposed to a risk of loss or litigation and potential liability under laws, regulations, and contracts that protect the privacy and security of personal information. For example, the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA), imposes a private right of action for security breaches that could lead to some form of remedy including regulatory scrutiny, fines, private right of action settlements, and other consequences. Where a security incident involves a breach of security leading to the accidental or unlawful destruction, loss, alternation, unauthorized disclosure of, or access to, personal data from the European Economic Area (EEA) or the United Kingdom (U.K.) in respect of which we are a controller or processor under the General Data Protection Regulation (GDPR), and the U.K. General Data Protection Regulation and U.K. Data Protection Act 2018 (U.K. GDPR), this could result in fines of up to €20 million or 4% of annual global turnover, whichever is greater, under the GDPR or up to £17.5 million or 4% of annual global turnover, whichever is greater, in the case of the U.K. GDPR. We may also be required to provide notice of such breaches to regulators and/or individuals which may result in us incurring additional costs, penalties, fines or litigation. Further, on July 26, 2023, the SEC adopted cybersecurity disclosure rules for public companies that require disclosure regarding cybersecurity risk management (including the board's role in overseeing cybersecurity risks, management's role and expertise in assessing and managing cybersecurity risks and processes for assessing, identifying and managing cybersecurity risks) in annual reports on Form 10-K. These cybersecurity disclosure rules also require the disclosure of material cybersecurity incidents by Form 8-K, within four business days of determining an incident is material. Any public disclosure relating to a material cybersecurity incident, whether as a result of the new SEC rules or otherwise, could harm our reputation, result in litigation and adversely impact our business, operating results, and financial condition. In addition, certain of our customer agreements may require us to promptly report security breaches involving their data on our systems or those of subcontractors processing such data on our behalf. This mandatory disclosure could be costly, result in litigation, harm our reputation, erode customer trust, and require significant resources to mitigate issues stemming from actual or perceived security breaches. In addition, we may incur significant financial and operational costs to investigate, remediate, eliminate and put in place additional tools and devices designed to prevent actual or perceived security breaches and other security incidents, as well as costs to comply with any notification obligations resulting from any security incidents. Any of these negative outcomes could adversely affect the market perception of our platform and customer and investor confidence in our company, and would adversely affect our business, operating results, and financial condition.

The market for cybersecurity products and services is intensely competitive, fragmented and is rapidly evolving, characterized by changes in technology, customer requirements, industry standards, increasingly sophisticated attackers, and frequent introductions of new or improved products and services. We expect to continue to face intense competition from current competitors, as well as from new entrants into the market, as our competitors complete strategic acquisitions or form cooperative relationships and/or customer requirements evolve. If we are unable to anticipate or react to these challenges, our competitive position could weaken, and we would experience a decline in revenue or reduced revenue growth, and loss of market share that would adversely affect our business, operating results, and financial condition. Our ability to compete effectively depends upon numerous factors, many of which are beyond our control, including, but not limited to: - our ability to attract and retain new customers, expand our platform or sell additional products and services to our existing customers;- our ability to attract, train, retain, and motivate talented employees;- our ability to successfully incorporate new technologies into our platform, including AI;- the budgeting cycles, seasonal buying patterns, and purchasing practices of our customers, including any slowdown in technology spending due to U.S. and general global macroeconomic conditions;- general global macroeconomic and political conditions, both domestically and in our foreign markets that could impact some or all regions where we operate, including the change in the U.S. presidential administration, global economic slowdowns, actual or perceived global banking and finance related issues, increased risk of inflation, interest rate volatility, supply chain disruptions, labor shortages, and potential global recession;- the impact of natural or man-made global events on our business, including wars and other armed conflict, such as the conflicts in the Middle East, Ukraine and the tensions between China and Taiwan;- changes in customer, distributor or reseller requirements or market needs;- price competition;- the timing and success of new product and service introductions by us or our competitors or any other change in the competitive landscape of our industry, including consolidation among our competitors or customers and strategic partnerships entered into by and between our competitors;- changes in our mix of products, subscriptions and services sold, including changes in the average contract length for subscriptions and support;- our ability to successfully and continuously expand our business domestically and internationally;- changes in the growth rate of endpoint security, cloud security, and overall cybersecurity product platform and services sectors;- deferral of orders from customers in anticipation of new or enhanced products and services announced by us or our competitors;- significant security breaches of, technical difficulties with, or interruptions to the use of our platform;- the timing and costs related to the development or acquisition of technologies, businesses, or strategic partnerships;- our ability to execute, complete, or efficiently integrate any acquisitions that we may undertake;- increased expenses, unforeseen liabilities, or write-downs and any impact on our operating results from any acquisitions we consummate;- our ability to increase the size and productivity of our distribution channels;- decisions by potential customers to purchase security solutions from larger, more established security vendors or from their primary network equipment vendors;- timing of revenue recognition and revenue deferrals;- insolvency or credit difficulties confronting our customers, which could increase due to U.S. and global macroeconomic issues, including actual or perceived global banking and finance related issues, inflation, interest rate volatility, and market downturns, which would adversely affect their ability to purchase or pay for our platform, products, and services in a timely manner or at all;- the cost and potential outcomes of litigation or other proceedings, which could have a material adverse effect on our business;- future accounting pronouncements or changes in our accounting policies; and - increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates. Many of our competitors have greater financial, technical, marketing, sales, and other resources, greater name recognition, longer operating histories, and a larger base of customers than we do. Our competitors may be able to devote greater resources to the development, promotion and sale of their products and services than we can, and they may offer lower pricing than we do or bundle certain competing products and services at lower prices. Our competitors may also have greater resources for research and development of new technologies, customer support and to pursue acquisitions, or they may have other financial, technical, or other resource advantages. Our larger competitors have substantially broader and more diverse product and service offerings and more mature distribution and go-to-market strategies, which allows them to leverage their existing customer and distributor relationships to gain business in a manner that discourages potential customers from purchasing our platform. Conditions in our market could change rapidly and significantly as a result of technological advancements, including but not limited to increased advancements and proliferation in the use of open artificial intelligence applications, partnering or acquisitions by our competitors or continuing market consolidation. Some of our competitors have recently made or could make acquisitions of businesses or have established cooperative relationships that may allow them to offer more directly competitive and comprehensive products and services than were previously offered and adapt more quickly to new technologies and customer needs. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margin, increased net losses, and loss of market share. Even if there is significant demand for endpoint and cloud security solutions like ours, if our competitors include functionality that is, or is perceived to be, equivalent to or better than ours in legacy products that are already generally accepted as necessary components of an organization's IT security architecture, we will have difficulty increasing the market penetration of our platform. Furthermore, even if the functionality offered by other cybersecurity providers is different and more limited than the functionality of our platform, organizations may elect to accept such limited functionality in lieu of purchasing products and services from additional vendors like us. If we are unable to compete successfully, or if competing successfully requires us to take aggressive action with respect to pricing or other actions, our business, financial condition, and operating results would be adversely affected.

We believe that maintaining and enhancing our brand and our reputation as a leading provider of endpoint and platform security solutions is critical to our relationship with our existing customers, channel partners, and alliance partners and our ability to attract new customers and partners. The successful promotion of our brand will depend on a number of factors, including our ability to continue to develop additional features for our platform, our ability to successfully differentiate our platform from competitive cloud-based or legacy security solutions, our marketing efforts, and, ultimately, our ability to detect and stop breaches. Although we believe it is important for our growth, our brand promotion activities may not be successful or yield increased revenue. Under certain circumstances, our employees may have access to our customers' platforms. An employee may take advantage of such access to conduct malicious activities. Any such misuse of our platform could result in negative press coverage and negatively affect our reputation, which could result in harm to our business, reputation, and operating results. In addition, independent industry and research firms often evaluate our solutions and provide reviews of our platform, as well as the products of our competitors, and perception of our platform in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors' products, our brand may be adversely affected. Our solutions may fail to detect or prevent threats in any particular test for a number of reasons that may or may not be related to the efficacy of our solutions in real world environments. To the extent potential customers, industry analysts or research firms believe that the occurrence of a failure to detect or prevent any particular threat is a flaw or indicates that our solutions or services do not provide significant value, we may lose customers, and our reputation, financial condition and business would be harmed. Moreover, the performance of our channel partners and alliance partners may affect our brand and reputation if customers do not have a positive experience with these partners. In addition, we have in the past worked, and continue to work, with high profile customers as well as assist in analyzing and remediating high profile cyberattacks. Our work with such customers has exposed us to publicity and media coverage. Negative publicity about us, including about our management, the efficacy and reliability of our platform, our products offerings, our professional services, and the customers we work with, even if inaccurate, could adversely affect our reputation and brand.

We are subject to laws and regulations, including governmental export and import controls, that could subject us to liability or impair our ability to compete in our markets. Our platform and related technology are subject to U.S. export controls, including the U.S. Department of Commerce's Export Administration Regulations (also known as "EAR"), and we and our employees, representatives, contractors, agents, intermediaries, and other third parties are also subject to various economic and trade sanctions regulations administered by OFAC and other U.S. government agencies. We incorporate standard encryption algorithms into our platform, which, along with the underlying technology, may be exported outside of the U.S. only with the required export authorizations, including by license,license exception or other appropriate government authorizations, which may require the filing of an encryption registration and classification request. We also offer certain customers a ransomware warranty in addition to their subscriptions, providing coverage in the form of a limited monetary payment if they are affected by a ransomware attack (as specified in our ransomware warranty agreement), and though the terms of the warranty do not allow those customers to use warranty claim payments to fund payments to persons on OFAC's list of Specially Designated Nationals and Blocked Persons or who are otherwise prohibited to receive such payments under U.S. sanctions, we cannot assure you that all of our customers will comply with our warranty terms or refrain from taking actions in violation of our warranty and applicable law. Furthermore, U.S. export control laws and economic sanctions prohibit the export and re-export of certain hardware and software and the provision of certain cloud-based solutions to certain countries, governments and persons targeted by U.S. sanctions and for certain end-uses. As an example, following Russia's invasion of Ukraine, the U.S. and other countries imposed economic sanctions and severe export control restrictions against Russia and Belarus. The U.S. and its allies could expand and strengthen these sanctions and export restrictions and take other actions should the conflict further escalate. These restrictions would further impact our ability to do business in certain parts of the world and to do business with certain persons and entities, including selling our services and using local developers. Further, regulators in the U.S. and elsewhere have signaled an increased emphasis on sanctions and export control enforcement, including several recent high-profile enforcement actions and increased pressure for companies to self-disclose potential violations. While we have implemented certain procedures to facilitate compliance with applicable laws and regulations in connection with the collection and distribution of this information, we cannot assure you that these procedures have been effective or that we, or third parties who we do not control, have complied with all laws or regulations in this regard. Failure by our employees, representatives, contractors, channel partners, agents, intermediaries, or other third parties to comply with applicable laws and regulations in the collection and distribution of this information also could have negative consequences to us, including reputational harm, government investigations, and penalties. We also collect information about cyber threats from open sources, intermediaries and third parties that we make available to our customers in our threat industry publication. Although we take precautions to prevent our information collection practices and services from being provided in violation of such laws, our information collection practices and services may have been in the past, and could in the future be, provided in violation of such laws. If we or our employees, representatives, contractors, channel partners, agents, intermediaries, or other third parties fail to comply with these laws and regulations, we could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may also be adversely affected through reputational harm, loss of access to certain markets or otherwise. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Various countries regulate the import of certain encryption technology, including through import permit and license requirements, and have enacted laws that could limit our ability to distribute our platform or could limit our customers' ability to implement our platform in those countries. Additionally, export restrictions imposed on Russia and Belarus specifically limit the export of encryption hardware, software and related source code and technology to these locations which could limit our ability to provide our software and services to these countries. Changes in our platform, and changes in or promulgation of new export and import regulations may create delays in the introduction of our platform into international markets, prevent our customers with international operations from deploying our platform globally or, in some cases, prevent the export or import of our platform to certain countries, governments or persons altogether. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our platform by, or in our decreased ability to export or sell our platform to, existing or potential customers with international operations. Any decreased use of our platform or limitation on our ability to export or sell our platform would adversely affect our business, operating results, and financial condition. We are also subject to the United States Foreign Corrupt Practices Act of 1977 (FCPA), as amended, the United Kingdom Bribery Act 2010 (the Bribery Act), and other anti-corruption, sanctions, anti-bribery, anti-money laundering and similar laws in the U.S. and other countries in which we conduct activities. Anti-corruption and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees, agents, intermediaries and other third parties from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the public, and in certain cases, private sector. We leverage third parties, including intermediaries, agents and channel partners, to conduct our business in the U.S. and abroad, to sell subscriptions to our platform and to collect information about cyber threats. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our employees, representatives, contractors, channel partners, agents, intermediaries and other third parties, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with FCPA, Bribery Act and other anti-corruption, sanctions, anti-bribery, anti-money laundering and similar laws, we cannot assure you that they will be effective, or that all of our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties have not taken, or will not take actions, in violation of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, including our business with government organizations, our risks under these laws may increase. Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage and other consequences. Any investigations, actions or sanctions could harm our reputation, business, operating results, and financial condition. Moreover, the rapid evolution of AI, including potential government regulation of AI, may require significant additional resources to develop, test, and maintain our platform. Our AI-related initiatives may result in new or enhanced governmental or regulatory scrutiny, including regarding the use of AI in our products and the marketing of products using AI, litigation, customer reporting or documentation requirements, ethical or social concerns, or other complications and may also introduce risks related to accuracy, bias, toxicity, privacy, and security and data provenance. For example, in Europe, the E.U. AI Act entered into effect on August 1, 2024 and will become fully applicable on August 2, 2026, with some provisions becoming applicable starting February 2025. The E.U. AI Act aims to introduce a common and regulatory framework for AI through regulating AI providers and entities making use of AI tools in a professional capacity. Further, the E.U. AI Act may require the implementation of additional quality assurance controls and measures to be reviewed and approved by regulatory submissions of our offerings.

We receive, store, and process some personal information from our employees, customers, the employees of our customers, and our end users. This personal information is hosted by our third-party service providers. A wide variety of state, national, and international laws, as well as regulations and industry standards apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal information and other information, the scope of which are changing, subject to differing interpretations, and may be inconsistent across countries or conflict with other rules. Data protection and privacy-related laws and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. Failure to comply with laws, regulations and industry standards regarding personal information or other information could adversely affect our business, operating results, and financial condition. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices, systems, and compliance procedures in a manner adverse to our business. In the U.S., there are numerous federal and state consumer, privacy, and data security laws and regulations governing the collection, use, disclosure, and protection of personal information, including security breach notification laws and consumer protection laws. Each of these laws is subject to varying interpretations and constantly evolving. Notably, but not necessarily limited to, we may be subject to: - Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM Act) and similar state consumer protection laws regarding the use of telephones and text messaging for marketing purposes. - Section 5(a) of the Federal Trade Commission (FTC) Act for violating consumers' privacy rights or failing to take appropriate steps to keep consumers' personal information secure, resulting in a finding of an unfair act or practice. - The CCPA, effective since January 1, 2020, which created new data privacy obligations for covered businesses and provided new privacy rights to California residents, including the right to opt out of certain disclosures of their information and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. A ballot initiative called the California Privacy Rights Act (CPRA) went into force July 1, 2023, and significantly modifies the CCPA, including by expanding consumers' rights with respect to certain sensitive personal data. The CPRA also creates a new state agency, known as the California Privacy Protection Agency, which is vested with the authority to implement and enforce the CCPA and the CPRA. Potential uncertainty surrounding the CCPA and CPRA may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business. - Following California's lead, other states have enacted privacy laws in recent years. In addition, a comprehensive federal privacy bill, which includes a private right of action for violations, has been proposed in Congress. In certain circumstances, we may also be subject to the GDPR (established in 2018 and implemented by countries in the EEA) and the U.K. GDPR, which respectively govern the collection, use, disclosure, transfer or other processing of personal data of natural persons, and it applies extra-territorially and imposes onerous requirements on controllers and processors of personal data, including, for example: (i) accountability and transparency requirements, and enhanced requirements for obtaining valid consent; (ii) obligations to consider data protection as any new products or services are developed and to limit the amount of personal data processed; (iii) obligations to comply with data protection rights of data subjects; and (iv) reporting of personal data breaches to the supervisory authority without undue delay (and no later than 72 hours). Companies that must comply with the GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements and potential fines for noncompliance of up to €20 million or 4 percent of the annual global revenues of the noncompliant company, whichever is greater. Additionally, following the withdrawal by the U.K. from the E.U. and the EEA, companies must comply with both the GDPR and the U.K. GDPR as incorporated into U.K. national law, the latter regime having the ability to separately fine up to the greater of £17.5 million or 4 percent of global turnover. In addition to the foregoing, a breach of the GDPR or U.K. GDPR could result in regulatory investigations, reputational damage, orders to cease or change our processing of our data, enforcement notices, and/or assessment notices (for a compulsory audit). We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm. The GDPR and U.K. GDPR requires, among other things, that personal information only be transferred outside of the EEA, or the U.K., respectively to jurisdictions that have been deemed adequate (also known as "Third Countries,") by the European Commission or by the U.K. data protection regulator, respectively. Accordingly, personal information may not be transferred to those jurisdictions that have not been deemed adequate, unless steps are taken to legitimize those data transfers. Switzerland follows similar legal practices. We rely on the use of Standard Contractual Clauses (SCCs), a standard form of contract approved by the European Commission, as an adequate personal data transfer mechanism for the transfer of data to Third Countries; however, the SCCs may not be alone sufficient to protect data transferred to the U.S. or other Third Countries under certain circumstances without making a case-by-case basis assessment of the legal regime applicable in the destination country according to the CJEU. On June 28, 2021, the European Commission issued an adequacy decision for personal information transfers from the EEA to the U.K., with a sunset clause of four years, meaning that the European Commission will review and renew only if the European Commission considers that the U.K. continues to ensure an adequate level of data protection. Notably, the European Commission reserved a right to intervene at any time during the four-year adequacy period if the U.K. deviates from the level of protection then in place. If this adequacy decision is reversed by the European Commission, we would have to implement protection measures such as the SCCs for data transfers between the E.U. and the U.K. or find alternative solutions for the compliant transfer of personal data from the E.U. into the U.K. In March 2022, the UK Information Commissioner's Office adopted an International Data Transfer Agreement (IDTA) for transfers of personal data out of the UK to so-called third countries, as well as an international data transfer addendum (UK SCC Addendum) that can be used with the SCCs for the same purpose. To add to this complexity, effective on July 10, 2023, the European Commission adopted the new E.U.-U.S. Data Privacy Framework (DPF) which allows for transfers of personal data from the E.U. to certified companies in the U.S. without the need for additional privacy safeguards as an alternative to the SCCs. In October 2023, a U.K. extension to the DPF was adopted enabling the transfer of personal data between the U.K. and U.S. entities without the need for an IDTA or U.K. SCC Addendum. Similarly, the Swiss-U.S. DPF allows transfers of personal data from Switzerland to certified companies in the U.S. without the need for additional privacy safeguards as an alternative to the SCCs. We have self-certified to the E.U.-U.S. DPF, the U.K. extension to the E.U.-U.S. DFP, and the Swiss-U.S. DPF and now rely on these mechanisms instead of the SCCs for certain transfers from those respective countries to the U.S. however these transfer mechanisms could be subject to further legal challenge which could cause the legal requirements for personal data transfers from these countries to the U.S. to become uncertain once again. Some countries (including some outside the EEA) also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of delivering our products and services if we were to operate in those countries. If we are required to implement additional measures to transfer data from the EEA, this could increase our compliance costs, and could adversely affect our business, financial condition and results of operations. The myriad of international and U.S. privacy and data breach laws are not consistent, and compliance in the event of a widespread data breach is difficult and may be costly. In many jurisdictions, enforcement actions and consequences for noncompliance are also rising. In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us. As supervisory authorities continue to issue further guidance on personal information transfers, we could suffer additional costs, complaints, or regulatory investigations or fines. If we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, adversely affecting our financial results, and possibly making it necessary to establish systems in the EEA, Switzerland, the U.K. and other jurisdiction to maintain personal data originating from those jurisdictions that adds expenses and may create distractions from our other business pursuits. Loss, retention or misuse of certain information and alleged violations of laws and regulations relating to privacy and data security, and any relevant claims, may expose us to potential liability and may require us to expend significant resources on data security and in responding to and defending such allegations and claims. We are also subject to evolving E.U. and U.K. privacy laws on cookies and electronic marketing. In the E.U. and the U.K., informed opt-in consent is required for the placement of a cookie or similar technologies on a user's device and for direct electronic marketing. The GDPR also imposes conditions on obtaining valid consent, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. While we anticipate the development of the ePrivacy Regulation to govern cookies and e-marketing, recent European court decisions and regulators' guidance are driving increased attention to cookies and tracking technologies. If regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, require significant systems changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, increase costs and subject us to additional liabilities. Regulation of cookies and similar technologies, and any decline of cookies or similar online tracking technologies as a means to identify and potentially target users, may lead to broader restrictions and impairments on our marketing and personalization activities and may negatively impact our efforts to understand users. Similar concerns may happen under the new CPRA regime in California and other current and soon-to-be enacted U.S. state privacy laws. Additionally, by expanding into the E.U. and U.K., we may also trigger Article 3(2) of the GDPR/U.K. GDPR directly as we may be considered to be monitoring data subjects. To the extent we process personal data on behalf of our customers for the provision of services, we have, and may in the future, also be required to enter into data processing agreements which comply with Article 28 of the GDPR/U.K. GDPR. We depend on a number of third parties in relation to the operation of our business, a number of which process personal data on our behalf or as our sub-processor. To the extent required by applicable law, we attempt to mitigate the associated risks of using third parties by performing security assessments and detailed due diligence, entering into contractual arrangements to ensure that providers only process personal data according to our instructions or comparable instructions to the instructions of our customer (as applicable), and that they have sufficient technical and organizational security measures in place. There is no assurance that these contractual measures and our own privacy and security-related safeguards will protect us from the risks associated with the third-party processing, storage and transmission of such information. Any violation of privacy, data protection, data or cybersecurity laws by our third-party processors could have a material adverse effect on our business and result in the fines and penalties under the GDPR and the U.K. GDPR outlined above. In recent years, some regulators have proposed or introduced cybersecurity licensing requirements or certification regimes for specific sectors, such as critical infrastructure. These may impose new requirements on us or our current or prospective customer including, but not limited to, data processing locations, breach notification, and security standards. Such requirements may cause us to incur significant organizational costs and increase barriers of entry into new markets. New worldwide data protection laws, including in the U.S. and European jurisdictions described above, may lead to changing definitions of personal information and other sensitive information which may also limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing of data. Notably some foreign jurisdictions require that certain types of data be retained on servers within these respective jurisdictions. Our failure to comply with applicable laws, directives, and regulations may result in enforcement action against us, including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results. Any failure or perceived failure by us, even if unfounded, to comply with applicable privacy and data security laws and regulations, our privacy policies, or our privacy-related obligations to customers, users or other third parties, or any compromise of security that results in the unauthorized release or transfer of personal information or other customer data, may result in governmental enforcement actions, fines, penalties, litigation, or public statements against us by consumer advocacy groups or others and could cause our users to lose trust in us, which would have an adverse effect on our reputation and business. For example, in 2017, we reached a consent agreement with the FTC, to resolve an investigation relating to certain disclosures in our privacy policy. The consent agreement requires us, among other things, to provide information to the FTC about our compliance with the FTC order and about representations made in our marketing materials. We may be subject to future investigations and legal proceedings by the FTC or other regulators. As such, it is possible that a regulatory inquiry might result in changes to our policies or business practices. Violation of existing or future regulatory orders or consent decrees could subject us to substantial monetary fines and other penalties that could negatively affect our operating results and financial condition. In addition, it is possible that future orders issued by, or enforcement actions initiated by, regulatory authorities could cause us to incur substantial costs or require us to change our business practices in a manner materially adverse to our business. Any significant change to applicable laws, regulations or industry practices regarding the use or disclosure of our customers' data, or regarding the manner in which the express or implied consent of customers for the use and disclosure of such data is obtained – or in how these applicable laws, regulations or industry practices are interpreted and enforced by state, federal and international privacy regulators – could require us to modify our services and features, possibly in a material manner, may subject us to regulatory enforcement actions and fines, and may limit our ability to develop new products, services and features that make use of the data that our customers voluntarily share with us. Any security breach or incident, including those resulting from a cybersecurity attack, phishing attack, unauthorized access, unauthorized usage, virus, malware, ransomware, denial of service, credential stuffing attack, supply chain attack, hacking or similar breach involving our networks and systems, or those of third parties upon which we rely, could result in the loss of customer data, including personal information, disruption to our operations, significant remediation costs, lost revenue, increased insurance premiums, damage to our reputation, litigation,regulatory investigations, or other liabilities. These attacks may come from individual hackers, criminal groups, and state-sponsored organizations, and security breaches and incidents may arise from other sources, such as employee or contractor error or malfeasance. Cyber threats are evolving and becoming increasingly sophisticated and complex, increasing the difficulty of detecting and successfully defending against them. As a cybersecurity company, we have been and may continue to be specifically targeted by malicious actors for attacks intended to circumvent our security capabilities as an entry point into customers' endpoints, networks, or systems. Our industry is experiencing an increase in phishing attacks and unauthorized scans of systems searching for vulnerabilities or misconfigurations to exploit. If our security measures are breached or otherwise compromised as a result of third-party action, employee or contractor error, defect, vulnerability or bug in our products or products of third parties upon which we rely, malfeasance or otherwise, including any such breach or compromise resulting in someone obtaining unauthorized access to our confidential information, including personal information or the personal information of our customers or others, or if any of these are perceived or reported to occur, we may suffer the loss, compromise, corruption, unavailability, or destruction of our or others' confidential information and personal information, we may face a loss in intellectual property protection, our reputation may be damaged, our business may suffer and we could be subject to claims, demands, regulatory investigations and other proceedings, indemnity obligations, and otherwise incur significant liability. Even the perception of inadequate security may damage our reputation and negatively impact our ability to win new customers and retain existing customers. Further, we could be required to expend significant capital and other resources to address any security incident or breach, and we may face difficulties or delays in identifying and responding to any security breach or incident. Techniques used to sabotage or obtain unauthorized access to systems or networks are constantly evolving and, in some instances, are not identified until launched against a target. We and our third-party vendors and service providers may be unable to anticipate these techniques, react in a timely manner, or implement adequate preventative measures. Due to political uncertainty and military actions associated with the conflicts in Ukraine, the Middle East and tensions between China and Taiwan, we and our third-party vendors and service providers are vulnerable to a heightened risk of cybersecurity attacks, phishing attacks, viruses, malware, ransomware, hacking or similar breaches from nation-state and affiliated actors, including attacks that could materially disrupt our and our third-party vendors' and service providers' systems and operations, supply chain, and ability to produce, sell and distribute our products and services as well as retaliatory cybersecurity attacks from Russian and Russian-affiliated actors against companies with a U.S. presence. In addition, laws, regulations, government guidance, and industry standards and practices in the U.S. and elsewhere are rapidly evolving to combat these threats. We may face increased compliance burdens regarding such requirements with regulators and customers regarding our products and services and also incur additional costs for oversight and monitoring of our own supply chain. We and our customers may also experience increased costs associated with security measures and increased risk of suffering cyberattacks, including ransomware attacks. Should we or the third-party vendors and service providers upon which we rely experience such attacks, including from ransomware or other security breaches or incidents, our operations may also be hindered or interrupted due to system disruptions or otherwise, with foreseeable secondary contractual, regulatory, financial and reputational harms that may arise from such an incident. Further, we cannot assure that any limitations of liability provisions in our customer agreements, contracts with third-party vendors and service providers or other contracts would be enforceable or adequate or would otherwise protect us from any liabilities or damages with respect to any particular claim relating to a security breach or other security incident. We also cannot be sure that our existing insurance coverage will continue to be available on acceptable terms or will be available in sufficient amounts to cover claims related to a security incident or breach, or that the insurer will not deny coverage as to any future claim. The successful assertion of claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or coinsurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation. Moreover, while we strive to publish and prominently display privacy policies that are accurate, comprehensive, and compliant with applicable laws, rules regulations and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security. If our public statements about our use, collection, disclosure and other processing of personal information, whether made through our privacy policies, information provided on our website, press statements or otherwise, are alleged to be deceptive, unfair or misrepresentative of our actual practices, we may be subject to potential government or legal investigation or action, including by the FTC or applicable state attorneys general. Our compliance efforts are further complicated by the fact that data privacy and security laws, rules, regulations and standards around the world are rapidly evolving, may be subject to uncertain or inconsistent interpretations and enforcement, and may conflict among various jurisdictions. Any failure or perceived failure by us to comply with our privacy policies, or applicable data privacy and security laws, rules, regulations, standards, certifications or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, operating results, and financial condition.

Our business depends on the overall demand for information technology and on the economic health of our current and prospective customers. In addition, the purchase of our platform is often discretionary and may involve a significant commitment of capital and other resources. Weak global and regional economic conditions, including the change in the U.S. presidential administration, U.S. and global macroeconomic issues, actual or perceived global banking and finance related issues, labor shortages, supply chain disruptions, fluctuating interest rates and inflation, spending environments, geopolitical instability, warfare and uncertainty, weak economic conditions in certain regions or a reduction in information technology spending regardless of macroeconomic conditions, including the effects of the conflicts in the Middle East, Ukraine, and tensions between China and Taiwan, could adversely affect our business, operating results, and financial condition, including resulting in longer sales cycles, a negative impact on our ability to attract and retain new customers or expand our platform or sell additional products and services to our existing customers, lower prices for our platform, higher default rates among our channel partners, reduced sales to new or existing customers and slower or declining growth. For example, as a result of current uncertainty in macroeconomic conditions and related higher cost consciousness around IT budgets, we have recently experienced certain impacts on our business, including a decline in usage and consumption patterns from certain customers, especially larger enterprise customers, longer sales cycles, and deal downsizing by new customers and of renewals by existing customers, especially larger enterprises. We expect the global macroeconomic conditions impacting demand to persist in the near term. Deterioration in economic conditions in any of the countries in which we do business could also cause slower or impaired collections on accounts receivable, which may adversely impact our liquidity and financial condition. Moreover, the U.S. capital markets specifically have experienced and continue to experience extreme volatility and disruption. Inflation rates in the U.S. significantly increased in 2022 and 2023, resulting in federal action to increase interest rates, adversely affecting capital markets activity. Further deterioration of the global macroeconomic environment and regulatory action may adversely affect our business, operating results, and financial condition.

We are generating a growing portion of our revenue outside of the U.S., and conduct our business activities in various foreign countries, including some emerging markets where we have limited experience, where the challenges of conducting our business can be significantly different from those we have faced in more developed markets and where business practices may create internal control risks including: - fluctuations in foreign currency exchange rates, which could add volatility to our operating results;- new, or changes in, regulatory requirements;- tariffs, export and import restrictions, restrictions on foreign investments, sanctions, and other trade barriers or protection measures;- exposure to numerous, increasing, stringent (particularly in the European Union (E.U.)), and potentially inconsistent laws and regulations relating to privacy, data protection, and information security;- costs of localizing products and services (including, but not limited to data localization requirements);- lack of acceptance of localized products and services;- the need to make significant investments in people, solutions and infrastructure, typically well in advance of revenue generation;- challenges inherent in efficiently managing an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, benefits, and compliance programs;- difficulties in maintaining our corporate culture with a dispersed and distant workforce;- treatment of revenue from international sources, evolving domestic and international tax environments, and other potential tax issues, including with respect to our corporate operating structure and intercompany arrangements;- different or weaker protection of our intellectual property, including increased risk of theft of our proprietary technology and other intellectual property;- economic weakness or currency-related crises;- compliance with multiple, conflicting, ambiguous or evolving governmental laws and regulations, including employment, tax, data privacy, anti-corruption, import/export, antitrust, data transfer, storage and protection, and industry-specific laws and regulations, including rules related to compliance by our third-party resellers and our ability to identify and respond timely to compliance issues when they occur and regulations applicable to us and our third party data providers from whom we purchase and resell syndicated data;- vetting and monitoring our third-party channel partners in new and evolving markets to confirm they maintain standards consistent with our brand and reputation;- generally longer payment cycles and greater difficulty in collecting accounts receivable;- our ability to adapt to sales practices and customer requirements in different cultures;- the lack of reference customers and other marketing assets in regional markets that are new or developing for us, as well as other adaptations in our market generation efforts that we may be slow to identify and implement;- dependence on certain third parties, including channel partners with whom we do not have extensive experience;- natural disasters, acts of war, terrorism, or pandemics, including the armed conflicts in the Middle East, Ukraine and tensions between China and Taiwan;- actual or perceived instability in the global banking system;- cybersecurity incidents;- corporate espionage; and - political instability and security risks in the countries where we are doing business and changes in the public perception of governments in the countries where we operate or plan to operate. We have undertaken, and will continue to undertake, additional corporate operating restructurings from time to time that involve our group of foreign country subsidiaries through which we do business abroad. We consider various factors in evaluating these restructurings, including the alignment of our corporate legal entity structure with our organizational structure and its objectives, the operational and tax efficiency of our group structure, and the long-term cash flows and cash needs of our business. Such restructurings increase our operating costs, and if ineffectual, could increase our income tax liabilities and our global effective tax rate.

Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce, and the global economy, and thus could have an adverse effect on us. Our business operations are also subject to interruption by fire, power shortages, flooding, and other events beyond our control. In addition, our global operations expose us to risks associated with public health crises, such as pandemics and epidemics, which could harm our business and cause our operating results to suffer. Further, acts of war, armed conflict, terrorism and other geopolitical unrest, such as the conflicts in the Middle East and Ukraine and tensions between China and Taiwan, could cause disruptions in our business or the businesses of our partners or the economy as a whole. We maintain an office in Tel-Aviv, Israel and had approximately 11% of our personnel in Israel as of October 31, 2024. We are closely monitoring the unfolding events of the armed conflict in Israel. While this conflict is still evolving, to date, the conflict has not had an adverse impact on our business results of operations and we have implemented continuity measures to address the safety of our employees and continue our operations in the event of reduced employee availability in the conflict region. However, if our continuity measures fail or the conflict continues to worsen or intensify, any business interruptions or spillover effects could adversely affect our business and operations. In the event of a natural disaster, including a major earthquake, blizzard, or hurricane, or a catastrophic event such as a fire, power loss, cyberattack, or telecommunications failure, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in development of our platform, lengthy interruptions in service, breaches of data security, and loss of critical data, all of which could have an adverse effect on our future operating results. Climate change could result in an increase in the frequency or severity of such natural disasters. Moreover, any of our office locations may be vulnerable to the adverse effects of climate change. For example, our corporate offices are located in California, a state that frequently experiences earthquakes, wildfires and resultant air quality impacts and power shutoffs associated with wildfire prevention, heatwaves, and droughts. These events can, in turn, have impacts on inflation risk, food security, water security and on our employees' health and well-being. Additionally, all the aforementioned risks will be further increased if we do not implement an effective disaster recovery plan or our partners' disaster recovery plans prove to be inadequate.

Our sales contracts are denominated in U.S. dollars, and therefore our revenue is not subject to foreign currency risk. However, strengthening of the U.S. dollar increases the real cost of our platform to our customers outside of the U.S., which could lead to delays in the purchase of our platform and the lengthening of our sales cycle. If the U.S. dollar continues to strengthen, this could adversely affect our operating results and financial condition. In addition, increased international sales in the future, including through continued international expansion, our channel partners and other partnerships, could result in foreign currency denominated sales, which would increase our foreign currency risk. Our operating expenses incurred outside the U.S. and denominated in foreign currencies are increasing and are subject to fluctuations due to changes in foreign currency exchange rates. These expenses are denominated in foreign currencies and are subject to fluctuations due to changes in foreign currency exchange rates. We do not currently hedge against the risks associated with currency fluctuations but may do so, or use other derivative instruments, in the future.