SEMrush Holdings (SEMR) Risk Analysis

The attractiveness of our platform depends, in part, on our ability to integrate via APIs with third-party applications that our customers desire to use with our products, such as Google, Facebook, Instagram, X, YouTube, LinkedIn, Pinterest, AIOSEO, Monday.com, Pagecloud, Renderforest, Scalenut, SurferSEO, Wix, Quickblog, Zoho and others. Third-party application providers may change the features of their applications and platforms, including their APIs, or alter the terms governing use of their applications and platforms in an adverse manner. Further, third-party application providers may refuse to partner with us, may implement an expensive fee based model for API integration, or otherwise limit or restrict our access to their applications and platforms. Such changes could functionally limit or terminate our ability to use these third-party applications with our platform, which could negatively impact our offerings and the customer experience, and ultimately harm our business. If we fail to integrate our platform with new third-party applications that our customers desire, or to adapt to the data transfer requirements of such third-party applications and platforms, we may not be able to offer the functionality that our customers expect, which would negatively impact our offerings and, as a result, harm our business. Additionally, our business could be harmed if our customers have negative experiences in using the third-party integrations that we offer.

Our online visibility management SaaS platform is designed to help our customers connect with consumers across a variety of digital channels, search engines, social networking sites, and other third-party services. These third-party services may adapt and change their strategies and policies over time. Search engines typically provide two types of search results, organic (i.e., non-paid) and purchased listings. Organic search results are determined and organized solely by automated criteria set by the search engine, and a ranking level cannot be purchased. Search engines revise their algorithms from time to time in an attempt to optimize their search result listings, and typically do not publicize the full extent of what has changed in their algorithm (although certain changes may be publicly announced). Changes to search engine algorithms may diminish the efficacy of certain of our products, tools, and add-ons, and potentially render them obsolete. For example, if a given search engine stopped using backlinks in its ranking algorithm, our customers' perception of our backlink analytics tool, which enables customers to analyze and monitor the backlink profile of their own and other websites, may be adversely impacted. Similarly, if a search engine ceases to manually penalize or take action against web pages for unnatural backlinks, then our customers may determine that auditing their backlinks is unnecessary which could cause them to devalue our backlink audit tool, which enables companies to check whether malicious websites have links to their sites, or cease using it altogether. Additionally, increased adoption of artificial intelligence for use and responses to internet search queries may result in significant changes to how search engines rank, return, and display responses. As a result of these types of changes we may be required to recalibrate our solutions, products and add-ons by reducing prices, discontinuing the affected product or tool, or otherwise develop new products or tools to meet the needs of our customers. These responses may be costly, may not be effective, and our business may suffer. Additionally, search engines, social networking sites, third-party artificial intelligence services and other third-party services typically have terms of service, guidelines, and other policies to which its users are contractually obligated to adhere. For example, Google's Gmail offering has a spam and abuse policy that prohibits sending spam, distributing viruses, or otherwise abusing the service. Our email distribution tool enables our customers to send emails to their desired recipients, such as journalists and bloggers. Our email distribution tool relies on a DMARC integration which enables our customers to send emails using our platform as if they were sending emails directly from their email provider, and our product involves emails initiated by customers over our servers. Our customers' actions using either the link building tool or email distribution tool could be flagged under Google's spam and abuse policy or in the future such actions may be prohibited by subsequent changes to Google's policies. Any change to the policies of the third-party services with which our products, tools, and add-ons integrate or interact, or with which our products are intended to be used, including any anti-spam policies, or any actions taken by these third-party service providers under their policies could adversely impact the efficacy and perceived value of our products, tools, and add-ons, and as a result, our business may be harmed.

We rely on cookies and other technologies, such as web beacons (collectively, "cookies") which are placed on internet browsers to gather data regarding the content of a user's web browsing activity. We use cookies to store users' settings between sessions and to enable visitors to our website to use certain features, such as gaining access to secure areas of the website. We also use cookies, including cookies placed by third-party services with which we integrate, to enable us to gather statistics about our visitors' use of our website and to allow our website visitors to connect our platform to their social networking sites, which enables us to advertise our products to them using retargeting methods. The availability of this data may be limited by numerous potential factors, including government legislation or regulation restricting the use of cookies for certain purposes, such as retargeting, browser limitations on the collection or use of cookies, or internet users deleting or blocking cookies on their web browsers or on our website. Our ability, like those of other technology companies, to collect, augment, analyze, use, and share information collected through the use of third-party cookies for online behavioral advertising is governed by U.S. and foreign laws and regulations which change from time to time, such as those regulating the level of consumer notice and consent required before a company can employ cookies to collect data about interactions with users online. In the United States, both state and federal legislation govern activities such as the collection and use of data, and privacy in the advertising technology industry has frequently been subject to review, and occasional enforcement, by the Federal Trade Commission (the "FTC"), U.S. Congress, and individual states. Our use of online tracking technologies are regulated by the CCPA and other state privacy laws that require companies to offer consumers the right to opt out of certain tracking activities. As our business is global, our activities are also subject to foreign legislation and regulation. In the EU, the EU Directive 2002/58/EC (as amended by Directive 2009/136/EC), commonly referred to as the e-Privacy Directive, and related implementing legislation in the EU member states, and in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003, require that accessing or storing information on an internet user's device, such as through a cookie, is allowed only if the internet user has been informed thereof, and provided prior unambiguous, specific, and informed consent for the placement of a cookie on a user's device. A new e-Privacy Regulation is currently under discussion by EU member states to replace the e-Privacy Directive. Although it remains under debate, the proposed e-Privacy Regulation would amend rules on third-party cookies and significantly increase penalties for non-compliance. We cannot yet determine the impact such future laws, regulations, and standards may have on our use of third-party cookies. Additionally, the use of third-party cookies in the digital advertising ecosystem, particularly in the context of real-time bidding advertising auctions, is subject to increased regulatory scrutiny in the EU and the UK. Several European data protection authorities (including in Belgium, Ireland, UK, Poland, Spain, Luxembourg, and the Netherlands) have launched investigations or inquiries over Google's and other AdTech companies' practices concerning the collection and sharing of consumer data through cookies, the outcome of which is still uncertain. These investigations or inquiries could result in the imposition of more stringent standards around consent to place cookies or otherwise restrict the use of third-party cookies for online behavioral advertising. We have also received inquiries from, and engaged in correspondence with, European data protection authorities regarding our practices regarding cookies used on our websites, and the outcome of these inquiries is still uncertain. Additionally, new and expanding "Do Not Track" regulations have been enacted or proposed that protect users' right to choose whether or not to be tracked online. These regulations seek, among other things, to allow end users to have greater control over the use of private information collected online, to forbid the collection or use of online information, to demand a business to comply with their choice to opt out of such collection or use, and to place limits upon the disclosure of information to third-party websites. Continued regulation of cookies, and changes in the interpretation and enforcement of existing laws, regulations, standards, and other obligations, as well as increased enforcement by industry groups or data protection authorities, could restrict our activities, such as efforts to understand users' internet usage and engage in marketing activities, or require changes to our practices. New and evolving laws and regulations, and public perception concerning data protection, privacy and cybersecurity, or changes in the interpretation or patterns of enforcement of existing laws and regulations, could impair our efforts to maintain and expand our customer base, impact the manner in which we can interact with our current and prospective customers or users, or impair the ability of our customers and users to use our platform and some or all of our products. Compliance efforts may be costly, and breaches of laws and regulations concerning data protection privacy and cybersecurity could impact our reputation, expose us to significant fines and other penalties, and impact our ability to successfully run our business. We collect and process personal data about a variety of individuals, such as our customers, users, employees, contractors, and business partners, in connection with our relationship with such individuals,including to collect and process payment from our customers, provide our products and services to our customers, communicate with and recommend products to our customers and prospective customers through our marketing and advertising efforts, comply with legal obligations, and for other internal business purposes. Such processing of personal data is increasingly subject to new and rapidly evolving legislation and regulation globally. In the United States, we are subject to rules and regulations promulgated under the authority of the Federal Trade Commission, the CCPA and similar state privacy laws, and state breach notification laws. At the federal level, failing to take appropriate steps to keep consumers' personal information secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act (the FTCA), 15 U.S.C § 45(a). The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business and the cost of available tools to improve security and reduce vulnerabilities. Through executive and legislative action, the federal government has also taken steps to restrict data transactions involving certain sensitive data categories with persons affiliated with China, Russia, and other countries of concern. In addition, certain state laws govern privacy and security of personal information. The CCPA (as amended by the California Privacy Rights Act ("CPRA")), for example, broadly defines personal information and provides an expansive meaning to activity considered to be a sale of personal information, requires covered companies to provide specific disclosures to California residents, and gives California residents expanded privacy rights and protections, including the right to opt out of the sale or sharing of personal information. The CCPA also provides for civil penalties for violations and a private right of action for certain data breaches involving personal information, which may increase our exposure to litigation. The CPRA, which went into effect January 1, 2023, imposed additional obligations on companies covered by the legislation, including by expanding consumer rights with respect to certain categories of sensitive information. Additionally, similar comprehensive privacy laws have passed in many other states. Other states have also proposed new privacy laws which, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. U.S. state privacy laws are changing rapidly and the U.S. Congress has also contemplated federal data privacy legislation to which we could become subject to, if enacted. Many foreign jurisdictions in which we do business, including the European Union ("EU"), European Economic Area ("EEA"), United Kingdom ("UK"), Canada, Australia, Japan and others have laws and regulations addressing the collection and use of personal data obtained in connection with their territories, which are more restrictive in certain respects than those in the U.S. We maintain offices in the EU (including Cyprus, the Czech Republic, Germany, the Netherlands, Poland, and Spain), and we have customers in the EEA and the UK. Accordingly, we are subject to the General Data Protection Regulation (EU) 2016/679 (the "EU GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and related or otherwise applicable data protection laws in effect in the member states of the EEA and in the UK (together, the "European Data Protection Law") in connection with the activities of our establishments in the EEA and UK, our offering of goods or services to individuals in the EEA and the UK, and the monitoring of their behavior in these regions. European Data Protection Law places a number of obligations on controllers and processors of personal data, while also establishing rights for individuals with respect to their personal data, including rights of access and deletion in certain circumstances. These obligations include the requirement to obtain consent from individuals in specific situations, provide additional disclosures to individuals regarding data processing activities, implement safeguards to protect the security and confidentiality of personal data, limit personal data retention periods, conduct mandatory data breach notifications in certain circumstances, and put in place specific measures (including contractual requirements) when engaging third-party service providers. European Data Protection Law also imposes strict rules on the transfer of personal data out of the EEA/UK to third countries deemed to lack adequate privacy protections, including the United States in certain circumstances, unless a derogation applies, or an appropriate transfer safeguard specified by the European Data Protection Law is implemented, such as the Standard Contractual Clauses ("SCCs") approved by the European Commission and the "International Data Transfer Agreement or Addendum ("IDTA") approved by the UK Information Commissioner's Office. International transfers made pursuant to the SCCs and IDTA also need to be analyzed on a case-by-case basis to ensure EEA/UK standards of data protection are met in the jurisdiction where the data importer is based. Any inability to transfer personal data from the EEA/UK to the United States in compliance with data protection laws may impede our operations. Following the UK's exit from the EU or Brexit, there will be increasing scope for divergence in application, interpretation and enforcement of the data protection laws between these territories. For example, the UK has introduced the Data Reform Bill into the UK legislative process with the intention for this bill to reform the UK's data protection regime following Brexit. If passed, the final version of the Data Reform Bill may have the effect of further altering the similarities between the UK and EEA data protection regimes and threaten the UK adequacy decision from the EU Commission allowing the free flow of personal data from the UK to the EEA, which may lead to additional compliance costs and could increase our overall risk. This lack of clarity on future UK laws and regulations and their interaction with those of the EEA could add legal risk, uncertainty, complexity, and cost to our handling of European personal data and our privacy and security compliance programs, and could require us to implement different compliance measures for the UK and EEA. Following the UK's exit from the EU, or Brexit, there will be increasing scope for divergence in application, interpretation and enforcement of the data protection laws between these territories. For example, the UK has introduced the Data (Use and Access) Bill into the UK legislative process with the intention for this bill to reform the UK's data protection regime following Brexit. If passed, the final version of the bill may have the effect of further altering the similarities between the UK and EEA data protection regimes and threaten the UK adequacy decision from the EU Commission allowing the free flow of personal data from the UK to the EEA, which may lead to additional compliance costs and could increase our overall risk. This lack of clarity on future UK laws and regulations and their interaction with those of the EEA could add legal risk, uncertainty, complexity, and cost to our handling of European personal data and our privacy and security compliance programs, and could require us to implement different compliance measures for the UK and EEA. We have implemented measures designed to comply with the requirements of applicable data protection, privacy and cybersecurity laws and regulations. In respect of these measures, we rely on positions and interpretations of the law that have yet to be fully tested before the relevant courts and regulators. If a regulator or court of competent jurisdiction determines that one or more of our compliance efforts (such as our data collection and processing consents) does not satisfy the applicable requirements of the law, or if any party brought a claim in this regard, we could be subject to governmental or regulatory investigations, enforcement actions, regulatory fines, compliance orders, litigation or public statements against us by consumer advocacy groups or others, any of which could restrict our ability to collect or otherwise process personal data, cause customers to lose trust in us, or otherwise damage our reputation and business. Likewise, a change in guidance could be costly and have an adverse effect on our business. With regards to data that we license or otherwise receive from third parties, we may not be able to verify with complete certainty the source of such data, how it was collected, and that such data was collected and is being shared with us in compliance with all applicable data protection and privacy laws. Our use of personal data obtained from third-party vendors could result in potential regulatory investigations, fines, penalties, compliance orders, liability, litigation, and remediation costs, as well as reputational harm, any of which could materially adversely affect our business and financial results. The requirements of laws and regulations (including European Data Protection Law) pertaining to the licensing of data or obtaining such data from third parties are not entirely clear in all cases. It is possible that third parties may bring claims against us, alleging non-compliance with such requirements, and seeking damages, seeking to prevent us from using certain data, or seeking to prevent us from using data in particular ways. Such claims could potentially adversely affect our ability to provide our services and the current level of functionality of our platform in such circumstances, which could adversely affect our results of operations. These new and evolving laws and regulations may, among other things, complicate our compliance efforts and impact how we collect and process personal data, conduct data protection assessments, and transfer personal data to affiliates and other third parties, which could in turn require us to make changes to our platform or products in order to comply, increase the cost of delivering our platform and products in some markets, reduce our ability to lawfully collect personal data used in our platform and products, impact how we respond to consumer rights requests, restrict our ability to reach current and prospective customers, increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance, and limit our ability to derive insights from data globally. A new Data (Use and Access) Bill (UK Bill) has now been introduced into parliament. The uncertain and shifting regulatory environment and trust climate may cause concerns regarding data privacy and may cause our vendors, customers and users to resist providing the data necessary to allow us to offer our platform and products to our customers and users effectively, or could prompt individuals to opt out of our collection of their personal data. Even the perception that the privacy of personal data is not satisfactorily protected or does not meet regulatory requirements could discourage prospective customers from subscribing to our products or discourage current customers from renewing their subscriptions. Additionally, the evolving nature and complexity of privacy and data security legislation may further increase our risk of litigation, adverse publicity and regulatory or governmental enforcement actions, including fines for non-compliance. For example, CCPA allows for fines of up to $7,500 for each violation, while European Data Protection Law imposes fines up to the greater of €20 million (£17.5 million for the UK) and 4% of worldwide gross annual revenue, also conferring a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of European Data Protection Law. Our compliance efforts could reduce demand for our platform or products and compliance itself could require us to take on more onerous obligations in our contracts which may expose us to more contractual risk, and may slow the pace at which we close sales transactions. Taken as a whole, these complexities and the evolving nature of data protection and privacy and cybersecurity laws and regulations could have a material adverse effect on our reputation, business and financial results.

We are expanding our international operations to better support our growth into international markets. We are also hiring workers in several jurisdictions outside our local offices. Our corporate structure and associated transfer pricing policies contemplate future growth in international markets, and consider the functions, risks, and assets of the various entities involved in intercompany transactions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to our intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations and we may be required to revise our intercompany agreements. Our consolidated financial statements could fail to reflect adequate reserves to cover such a contingency.

The labor costs associated with our business are subject to several external factors, including unemployment levels and the quality and the size of the labor market, prevailing wage rates, minimum wage laws, wages and other forms of remuneration and benefits offered to prospective employees by competitor employers, potential collective bargaining arrangements, health insurance costs and other insurance costs and changes in employment and labor legislation or other workplace regulation From time to time, the labor market becomes increasingly competitive. Although we have not experienced any material labor shortage to date, we have observed an overall tightening and increasingly competitive labor market and have recently experienced and expect to continue to experience some labor cost pressures. Furthermore, we have recently experienced costs and operational complexities with relocating personnel. Any of these factors or events, if not mitigated, could negatively impact us, for example by increasing our labor costs, making it more difficult to acquire and retain talent, creating customer service issues, or requiring us to increase our prices, the result of which could have an adverse effect on our business, results of operations or financial condition.