Unity Software (U) Risk Analysis

Our offerings, and particularly our Grow Solutions, rely on our ability to process sensitive, proprietary, confidential, and regulated information, including personal information, that belongs to us or that we, or the third parties with whom we work, handle on behalf of others such as our customers. These activities are regulated by an increasing number of various federal, state, local, and foreign privacy and data security laws and regulations. These have become increasingly stringent and continue to evolve, requiring significant resources for compliance. Any actual or perceived non-compliance could result in litigation, regulatory proceedings, fines and civil or criminal penalties, obligations to cease offerings or to substantially modify our Grow Solutions in ways that make them less effective in certain jurisdictions, negative publicity, and reduced overall demand for our platform or reduced returns on our Grow Solutions. As we embark on a comprehensive rebuild of our machine learning stack and data infrastructure, we may encounter challenges in complying with data privacy and similar laws aimed at regulating technology. Most jurisdictions in which we or our customers operate have adopted privacy and data security laws. For example, European privacy and data security laws, including the European Union's General Data Protection Regulation ("EU GDPR"), the European Union's Digital Services Act, the United Kingdom's GDPR ("UK GDPR") and others, impose significant and complex burdens on processing personal information and provide for robust regulatory enforcement and significant penalties for noncompliance. Regulators, courts, and platforms have increasingly interpreted the GDPR and other privacy and data security laws as requiring affirmative opt-in consent to use cookies and similar technologies for personalization, advertising, and analytics. Existing and proposed regulations could also impose onerous obligations related to AI, the use of cookies and other online tracking technologies on which our offerings rely, and online direct marketing. Any of these could increase our exposure to litigation or regulatory enforcement actions, increase our compliance costs, and adversely affect our business. In addition, certain jurisdictions may enact or have already enacted data localization cross-border data transfer laws. For example, the cross-border data transfer landscape in Europe remains unstable despite an agreement between the U.S. and Europe, and other countries outside of Europe have enacted or are considering enacting cross border data transfer restrictions and laws requiring data residency. The EU GDPR, UK GDPR, and other European privacy and data security laws generally prohibit the transfer of personal information to countries outside the European Economic Area ("EEA"), such as the U.S., that are not considered by some authorities as generally providing an adequate level of data protection. The various mechanisms that may be used for compliance with these data localization and other requirements are subject to legal challenges, and the future of cross-border data transfers remains uncertain in light of the evolving regulatory landscape, which could increase the cost and complexity of doing business. If we cannot maintain a valid mechanism for cross-border personal information transfers, we may face increased exposure to regulatory actions, litigation, penalties, data processing restrictions or bans, and reduced demand for our services. Loss of our ability to import personal information from Europe and elsewhere may also require us to increase our data processing capabilities outside the U.S. at significant expense. Similarly, China's Personal Information Protection Law and Data Security Law, Canada's Personal Information Protection and Electronic Documents Act, related provincial laws, and Canada's Anti-Spam Legislation, Israel's Privacy Protection Law 5741-1981, and new and emerging privacy and data security regimes in other jurisdictions in which we operate, such as China, Canada and Israel, broadly regulate processing of personal information and impose comprehensive compliance obligations and penalties. In the U.S., federal, state, and local governments have enacted numerous privacy and data security laws, including data breach notification laws, personal information privacy laws, health information privacy laws, and consumer protection laws. For example, the Telephone Consumer Protection Act ("TCPA") imposes various consumer consent requirements and other restrictions on certain telemarketing activity and other communications with consumers by phone, fax or text message. TCPA violations can result in significant financial penalties, including penalties or criminal fines imposed by the Federal Communications Commission or fines of up to $1,500 per violation imposed through private litigation or by state authorities. Some states have enacted laws similar to the TCPA, with similar potential exposure. In addition, the California Consumer Privacy Act ("CCPA"), which applies to personal information of consumers, business representatives, employees, and other individuals with whom we interact, imposes a number of obligations on covered businesses, including requirements to respond to requests from California residents related to their personal information. The CCPA contains significant potential penalties for noncompliance. Additionally, the California Privacy Rights Act expanded the CCPA's requirements, including by adding new rights and establishing a new regulatory agency to implement and enforce the law. Other states are considering or have also enacted privacy and data security laws, which increase compliance costs and resources. Our actual or perceived noncompliance with these and other emerging state laws could harm our business. We also use AI, including generative AI, and ML technologies in our products and services. The development and use of AI/ML present various privacy and data security risks that may impact our business. AI/ML are subject to privacy and data security laws, as well as increasing regulation and scrutiny. Several jurisdictions worldwide, including Europe and certain U.S. states, have proposed or enacted laws governing AI/ML. For example, the European Union is deliberating over legislation that would impose obligations on various actors in the AI value chain, and we expect other jurisdictions will adopt similar laws. Additionally, certain privacy and data security laws extend rights to consumers and regulate automated decision making in ways that may be incompatible with our use of AI/ML. These obligations may make it harder for us to conduct our business using AI/ML, lead to litigation or regulatory fines or penalties, require us to change our business practices, retrain our AI/ML, delete our models, or prevent or limit our use of AI/ML. For example, the FTC has required other companies to delete algorithms and models derived from or trained on allegedly unlawfully collected data, where it has alleged the company has violated privacy or consumer protection laws. If we cannot use AI/ML or that use is restricted, our business may be less efficient, and we may be at a competitive disadvantage. In addition, some of our solutions employ technology to help creators build augmented and virtual reality applications, and their use to recognize and collect information about individuals could be perceived as subject to the emerging regulations relating to biometric privacy laws. Actual or perceived noncompliance may expose us to litigation and regulatory risks. There are emerging cases applying existing privacy and data security laws in the U.S., such as the federal and state wiretapping laws, in novel and potentially impactful ways that may affect our ability to offer certain solutions. The outcome of these cases could cause us to make changes to our solutions to avoid costly litigation, government enforcement actions, damages, and penalties under these laws, which could adversely affect our business, results of operations, and our financial condition. Another area of increasing focus by regulators is children's privacy. Enforcement of longstanding privacy laws, such as the Children's Online Privacy Protection Act ("COPPA"), has increased and may continue under the new generation of privacy and data security laws and regulations, such as the GDPR, CCPA, the UK's Information Commissioner's Office Age-Appropriate Design Code ("Children's Code"), and the California Age-Appropriate Design Code Act ("Design Code"), and similar laws enacted by other U.S. states. European regulators are expected to introduce guidance for age appropriate design across all countries implementing the GDPR as well. We have previously been subject to claims related to the privacy of minors predicated on COPPA and other privacy and data security laws, and we may in the future face claims under COPPA, the GDPR, the Children's Code, the CCPA, the Design Code, or other laws relating to children's privacy and data security. In addition to increasing government regulation, we have obligations relating to privacy and data security under our published policies and documentation, contracts and applicable industry standards. For example, we are subject to the Payment Card Industry Data Security Standard ("PCI DSS"), which requires companies to adopt certain measures to ensure the security of cardholder information, including using and maintaining firewalls, adopting proper password protections for certain devices and software, and restricting data access. Noncompliance with PCI-DSS can result in penalties ranging from $5,000 to $100,000 per month by credit card companies, litigation, damage to our reputation, and revenue losses. Our business is materially reliant on revenue from behavioral, interest-based, or tailored advertising (collectively, "targeted advertising"), but delivering targeted advertisements is becoming increasingly difficult due to changes to our ability to gather information about user behavior through third party platforms, new laws and regulations, and consumer resistance. Major technology platforms on which we rely to gather information about consumers have adopted or proposed measures to provide consumers with additional control over the collection, use, and sharing of their personal data for targeted advertising purposes. For example, Apple allows users to easily opt-out of activity tracking across devices, which has impacted and may continue to impact our business. Similarly, Google announced similar plans to adopt additional privacy controls on its Android devices to allow users to limit sharing of their data with third parties and reduce cross-device tracking for advertising purposes. Additionally, Google has announced that it intends to phase out third-party cookies in its Chrome browser, which could make it more difficult for us to target advertisements. Other browsers, such as Firefox and Safari, have already adopted similar measures. In addition, legislative proposals and present laws and regulations regulate the use of cookies and other tracking technologies, electronic communications, and marketing. For example, in the EEA and the U.K., regulators are increasingly focusing on compliance with requirements related to the targeted advertising ecosystem. European regulators have issued significant fines in certain circumstances where the regulators alleged that appropriate consent was not obtained in connection with targeted advertising activities. It is anticipated that the ePrivacy Regulation and national implementing laws will replace the current national laws implementing the ePrivacy Directive, which may require us to make significant operational changes. In the U.S., state privacy laws, including the CCPA, grant residents the right to opt-out of most forms of targeted advertising (or to opt-in, in the case of residents under age 16). Some of the laws also require covered businesses to honor certain user-enabled browser signals, such as the Global Privacy Control. Partially as a result of these developments, individuals are becoming increasingly resistant to the collection, use, and sharing of personal data to deliver targeted advertising. Individuals are now more aware of options related to consent, "do not track" mechanisms (such as browser signals from the Global Privacy Control), and "ad-blocking" software to prevent the collection of their personal information for targeted advertising purposes. As a result, we have been and may be required to change the way we market our offerings, and any of these developments or changes could materially impair our ability to reach new or existing customers or otherwise negatively affect our operations. Although we endeavor to comply with these obligations, we may have actually or allegedly failed to do so or have otherwise processed data improperly. The requirements imposed by rapidly changing privacy and data security laws, platform providers, and application stores require us to dedicate significant resources to compliance, and could also limit our ability to operate, harm our reputation, reduce demand for our solutions, and subject us to regulatory enforcement action, private litigation, and other liability. Such occurrences could adversely affect our business, financial condition, and results of operations.

We collect sales, value added or similar indirect taxes in a number of jurisdictions. An increasing number of states have considered or adopted laws that attempt to impose sales tax collection obligations on out-of-state companies. Similarly, many foreign jurisdictions have considered or adopted laws that impose taxes on companies despite not having a physical presence in the foreign jurisdiction, including digital service taxes. A successful assertion by one or more states, or foreign jurisdictions, requiring us to collect taxes where we presently do not do so, or to collect more taxes in a jurisdiction in which we currently do collect some taxes, could result in substantial tax liabilities, including taxes on past sales, as well as penalties and interest. This could also create additional administrative burdens for us, put us at a competitive disadvantage if they do not impose similar obligations on our competitors, and decrease our future sales, which could harm our business and results of operations.

Our platform can be complex to use, and our ability to expand the appeal of our platform depends in part on ensuring that it can be used by a variety of creators. While certain features of our solutions are designed to address the needs of professional developers, we believe that our ability to expand adoption of our platform will depend in part on our ability to address the needs of creators with varied needs and levels of expertise, including artists, animators and sound technicians, as well as new categories of creators and end users in industries beyond gaming such as architects, civil and mechanical engineers, and designers. Accordingly, it will be important to our future success that we continue to increase the accessibility of our platform and if we are not able to, our ability to increase adoption of our platform will suffer. In order to get full use of our platform, users generally need training. We provide a variety of training resources to our customers, and we believe we will need to continue to maintain and enhance the breadth and effectiveness of our training resources as the scope and complexity of our platform increase. If we do not provide effective training resources for our customers on how to efficiently and effectively use our platform, our ability to grow our business will suffer, and our business and results of operations may be adversely affected. Additionally, when we announce or release new versions of our platform or advancements in our technology, such as Unity 6, we could fail to sufficiently explain or train our customers on how to use such new versions or advancements or we may announce or release such versions prematurely. These failures may lead to our customers being confused about use of our offerings or expected technology releases, and our ability to grow our business, results of operations, brand and reputation may be adversely affected. For example, such failures have in the past led to customers expressing frustration with our platform on social media and other internet sites.

Our success depends to a significant degree on our ability to obtain, maintain, protect and enforce our intellectual property rights, including our proprietary technology, know-how and our brand. The steps we take to obtain, maintain, protect and enforce our intellectual property rights may be inadequate. We will not be able to protect our intellectual property rights if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property rights. If we fail to protect our intellectual property rights adequately, or fail to continuously innovate and advance our technology, our competitors could gain access to our proprietary technology and develop and commercialize substantially identical products, services or technologies. In addition, defending our intellectual property rights might entail significant expense. Any patents, trademarks or other intellectual property rights that we have or may obtain may be challenged or circumvented by others or invalidated or held unenforceable through administrative processes. In addition, we cannot assure you that our patent applications will result in issued patents, and we may be unable to obtain or maintain patent protection for our technology. In addition, any patents issued from pending or future patent applications or licensed to us in the future may not provide us with competitive advantages, or may be successfully challenged by third parties. Furthermore, legal standards relating to the validity, enforceability and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our solutions and use information that we regard as proprietary to create products that compete with ours. Patent, trademark, copyright and trade secret protection may not be available to us in every country in which our solutions are available. The value of our intellectual property could diminish if others assert rights in or ownership of our trademarks and other intellectual property rights, or trademarks that are similar to our trademarks. We may be unable to successfully resolve these types of conflicts to our satisfaction. In some cases, litigation or other actions may be necessary to protect or enforce our trademarks and other intellectual property rights. Furthermore, third parties may assert intellectual property claims against us, and we may be subject to liability, required to enter into costly license agreements, required to rebrand our solutions or prevented from selling some of our solutions if third parties successfully oppose or challenge our trademarks or successfully claim that we infringe, misappropriate or otherwise violate their trademarks or other intellectual property rights. In addition, the laws of some foreign countries may not be as protective of intellectual property rights as those in the U.S., and mechanisms for enforcement of intellectual property rights may be inadequate. As we expand our global activities, our exposure to unauthorized copying and use of our platform and proprietary information will likely increase. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property may be difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the U.S. and where mechanisms for enforcement of intellectual property rights may be weak. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon, misappropriating or otherwise violating our intellectual property rights. We enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with other third parties, including suppliers and other partners. However, we cannot guarantee that we have entered into such agreements with each party that has or may have had access to our proprietary information, know-how and trade secrets or that has or may have developed intellectual property in connection with their engagement with us. Moreover, we cannot assure you that these agreements will be effective in controlling access to, distribution, use, misuse, misappropriation, reverse engineering or disclosure of our proprietary information, know-how and trade secrets. Further, these agreements may not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our platform. These agreements may be breached, and we may not have adequate remedies for any such breach. In order to protect our intellectual property rights, we may be required to spend significant resources to monitor and protect our intellectual property rights. For example, we have commenced in the past and may in the future commence litigation proceedings to enforce our intellectual property rights, such as rights under our software licenses, and to protect our trade secrets. Litigation brought to protect and enforce our intellectual property rights could be costly, time-consuming and distracting to management, and could result in the impairment or loss of portions of our intellectual property. Further, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights, and if such defenses, counterclaims or countersuits are successful, we could lose valuable intellectual property rights. Our inability to enforce our unique licensing structure, including financial eligibility tiers, and our inability to protect our proprietary technology against unauthorized copying or use, including circumvention of licensing or usage restrictions as well as any costly litigation or diversion of our management's attention and resources, could delay further sales or the implementation of our solutions,impair the functionality of our platform, delay introductions of new solutions, result in our substituting inferior or more costly technologies into our offerings, or injure our reputation. We license and make available software to customers. Although those customers are restricted in the manner in which they can use and share our software, we cannot assure you that unauthorized use or copying of our software will not occur. We rely on periodic significant updates to our software to encourage our customers to access our software through us on a paying or, for qualified users, non-paying, basis. However, we cannot assure you that this strategy will be effective in ensuring that users are not circumventing licensing or usage restrictions or otherwise misusing or accessing our software on an unauthorized basis.

We and our customers are subject to the standard policies and terms of service of the operating system platforms on which we create, run and monetize applications and content, as well as policies and terms of service of the various application stores, such as the Apple App Store or Google Play Store, which make applications and content available to end users. Each of these operating system platforms and stores has broad discretion to change and interpret its terms of service and policies. Each may also change its fee structure, add fees associated with access to and use of its platform, alter how customers are able to advertise or monetize on their platform, change how the personal or other user information is made available to application developers on their platform, limit the use of personal information for advertising purposes or restrict how end users can share information on their platform or across other platforms. In particular, operating system platform providers or application stores such as Apple or Google have in the past and may in the future change their technical requirements or policies in a manner that adversely impacts the way in which we or our customers offer solutions or collect, use, and share data from end-user devices. Restrictions on our ability to collect and use data as desired could negatively impact our Create Solutions and Grow Solutions as well as our resource planning and feature development planning for our software. For example, Google is continuing to develop their implementation of Android Privacy Sandbox, a set of technologies that will, when their use is mandated, alter the manner in which advertising is performed on Android devices, and which may impact our business. The long-term impact of these and other future privacy, platform, and regulatory changes could increase application store fees to our customers, or have other impacts which could harm our business. If we or our customers violate or are accused of violating these terms of service or policies, an operating system platform provider or application store could limit or discontinue our or our customers' access to its platform or store. They could also limit or discontinue our access to its platform or store if it establishes more favorable relationships with one or more of our competitors or it determines that it is in their business interests to do so. Any limitation on or discontinuation of our or our customers' access to any third-party platform or application store could adversely affect our business, financial condition, or results of operations.

Certain of our Create and Grow Solutions customers are entitled to service-level agreements commitments. If we are unable to meet the stated service-level commitments, including failure to meet the uptime and response time requirements under our customer agreements, we could face terminations. Any service-level failures could also damage our reputation, which could also adversely affect our business, financial condition and results of operations.

Because many of the operations of Grow Solutions are conducted in Israel, many of our employees, are located in Israel. Political unrest, militarization, or continued war in Israel or the surrounding region has not materially impacted our operations as a whole, but has impacted our employee productivity in Israel, and may further adversely affect our business. As a result of the evolving geopolitical situation, several hundred thousand Israeli military reservists were drafted into immediate military service. While most reservists were released from active service, if a substantial number of our employees, or employees of our service providers in Israel are conscripted into military service on a prolonged basis, our operations and result of operations, particularly of our Grow Solutions, may be harmed. In the event that our facilities in Israel or facilities of providers of critical services to our operations in Israel are damaged, our ability to deliver or provide solutions and services in a timely manner to meet our contractual obligations with customers, partners and vendors and otherwise meet users' expectations, and our ability to develop our solutions in order to be competitive, could be adversely affected. In addition, we may incur significant costs in order to resume operations and we may be unable to develop or implement adequate plans to ensure continuity of business functions. Our commercial insurance may not cover losses that may occur as a result of events associated with war and terrorism. The Israeli government currently covers the reinstatement value of direct damages that are caused by terrorist attacks or acts of war, but we cannot assure you that such government coverage will be maintained or that it will sufficiently cover our potential damages. Any losses or damages incurred by us could harm our business. In addition, some countries may impose restrictions on doing business with Israel or companies with operations in Israel. There have also been calls to boycott Israeli goods and services. Such efforts may impact the operations of Grow Solutions and harm our business. The intensity and duration of the war in the region are difficult to predict, as are its impacts on our business and operations that are conducted in Israel.

We currently serve our users from co-located data centers in the U.S. We also use various third-party cloud hosting providers such as Google Cloud, AWS, Azure, and Tencent to provide cloud infrastructure for our platform. Our Create Solutions and Grow Solutions rely on the operations of this infrastructure. Customers need to be able to access our platform at any time, without interruption or degradation of performance, and we provide some customers with service-level commitments with respect to uptime. In addition, our Grow Solutions and enterprise game server hosting depend on the ability of these data centers and cloud infrastructure to allow for our customers' configuration, architecture, features and interconnection specifications and to secure the information stored in these data centers. Any limitation on the capacity of our data centers or cloud infrastructure could impede our ability to onboard new customers or expand the usage of our existing customers, host our solutions or serve our customers, which could adversely affect our business, financial condition and results of operations. In addition, any incident affecting our data centers or cloud infrastructure that may be caused by cyber-attacks, natural disasters, fire, flood, severe storm, earthquake, power loss, outbreaks of contagious diseases, telecommunications failures, terrorist or other attacks and other similar events beyond our control could negatively affect the cloud-based portion of our platform. A prolonged service disruption affecting our data centers or cloud-based services for any of the foregoing reasons would negatively impact our ability to serve our customers and could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers or otherwise harm our business. We may also incur significant costs for using alternative providers or taking other actions in preparation for, or in response to, events that damage the third-party hosting services we use. In the event that our service agreements relating to our data centers or cloud infrastructure are terminated, or there is a lapse of service, elimination of services or features that we utilize, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform, loss of revenue from revenue-share and consumption-based solutions, as well as significant delays and additional expense in arranging or creating new facilities and services or re-architecting our platform for deployment on a different data center provider or cloud infrastructure service provider, which could adversely affect our business, financial condition and results of operations.