Upland Software (UPLD) Risk Analysis

The overall market for software is rapidly evolving and subject to changing technology, shifting customer needs, and frequent introductions of new applications, including without limitation AI in its multiple forms. Our ability to attract new customers and increase revenue from existing customers will depend, in large part, on our ability to develop or acquire new applications and enhance and improve existing applications. To achieve market acceptance for our applications, we must effectively anticipate and offer applications that meet changing customer demands in a timely manner. Customers may require features and capabilities not offered by our current applications. We may experience difficulties that could delay or prevent our development, acquisition, or implementation of new applications and enhancements. If we are unable to successfully develop or acquire new software capabilities and functionality, enhance our existing applications to anticipate and meet customer preferences, sell our applications into new markets, or adapt to changing industry standards in software, our revenue and results of operations would be adversely affected.

Our applications involve the storage and transmission of our customers' proprietary and confidential information, including personal or identifying information regarding their employees and customers and are subject to attempted cyberattacks. Any security breaches, unauthorized access, unauthorized usage, virus, or similar breach or disruption could result in loss of confidential information, damage to our reputation, early termination of our contracts, litigation, regulatory investigations, indemnity obligations, or other liabilities. If our security measures or those of our third-party software providers and data centers are breached as a result of third-party action, employee error, malfeasance or otherwise, resulting in unauthorized access to customer data, our reputation will be damaged, our business may suffer, and we could incur significant liability. Unauthorized parties may attempt to misappropriate or compromise our confidential information or that of third parties, create system disruptions, product or service vulnerabilities or cause shutdowns. These perpetrators of cyberattacks also may be able to develop and deploy viruses, worms, malware and other malicious software programs that directly or indirectly attack our products, services or infrastructure (including our third party cloud service providers). Because the techniques used to obtain unauthorized access or sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. Any or all of these issues could negatively affect our ability to attract new customers, cause existing customers to elect not to renew or upgrade their subscriptions, result in reputational damage, or subject us to third-party lawsuits, regulatory fines, or other action or liability, which could adversely affect our operating results. In addition, to the extent we are diverting our resources to address and mitigate these vulnerabilities, it may hinder our ability to deliver and support our solutions and customers in a timely manner. Despite our efforts to build secure services, we can make no assurance that we will be able to detect, prevent, timely and adequately address, or mitigate the negative effects of cyberattacks or other security breaches.

We are subject to governmental export and import controls that could impair our ability to compete in international markets due to licensing requirements and subject us to liability if we are not in compliance with applicable laws. Our applications are subject to export control and import laws and regulations, including the U.S. Export Administration Regulations, U.S. Customs regulations, and various economic and trade sanctions regulations administered by the U.S. Treasury Department's Office of Foreign Assets Controls. Exports of our applications must be made in compliance with these laws and regulations. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil or criminal penalties, including: the possible loss of export or import privileges; fines, which may be imposed on us and responsible employees or managers; and, in extreme cases, the incarceration of responsible employees or managers. Obtaining the necessary authorizations, including any required license, for a particular sale may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. In addition, changes in our applications or changes in applicable export or import regulations may create delays in the introduction and sale of our applications in international markets, prevent our customers with international operations from deploying our applications, or, in some cases, prevent the export or import of our applications to certain countries, governments, or persons altogether. Any change in export or import regulations, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could also result in decreased use of our applications, or in our decreased ability to export or sell our applications to existing or potential customers with international operations. Any decreased use of our applications or limitation on our ability to export or sell our applications would likely adversely affect our business. Furthermore, we incorporate encryption technology into certain of our applications. Various countries regulate the import of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our applications or could limit our customers' ability to implement our applications in those countries. Encrypted applications and the underlying technology may also be subject to export control restrictions. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export approval for our applications, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable regulatory requirements regarding the export of our applications, including with respect to new releases of our applications, may create delays in the introduction of our applications in international markets, prevent our customers with international operations from deploying our applications throughout their globally-distributed systems or, in some cases, prevent the export of our applications to some countries altogether. Moreover, U.S. export control laws and economic sanctions programs prohibit the shipment of certain products and services to countries, governments, and persons that are subject to U.S. economic embargoes and trade sanctions. Even though we take precautions to prevent our applications from being shipped or provided to U.S. sanctions targets, our applications and services could be shipped to those targets or provided by third parties despite such precautions. Any such shipment could have negative consequences, including government investigations, penalties and reputational harm.

The regulatory framework for privacy and data security matters around the world is rapidly evolving and is likely to remain volatile for the foreseeable future. We are subject to privacy and data security obligations in the United States, United Kingdom, European Union and other foreign jurisdictions relating to the collection, use, sharing, retention, security, transfer and other handling of personal data about individuals, including our users and employees around the world. Data protection, consumer protection and privacy laws may differ, conflict and be interpreted and applied inconsistently, from country to country. In many cases, these laws apply not only to user data, employee data and third-party transactions, but also to transfers of personal data between or among ourselves, our subsidiaries, and other parties with which we have commercial relations, in addition to methods of communication and consent for such communication. These laws continue to develop in the U.S. and around the globe, including through regulatory and legislative action and judicial decisions, in ways we cannot predict and that may harm our business. For example, a new Quebec data protection law took effect in September 2023, and updates to Canadian federal privacy legislation are pending. India passed the Digital Personal Data Protection Act in 2023. In addition, the United States, through the Federal Communications Commission, recently implemented new lead generation "robot-text" and "robo-calls" regulations under the Telephone Consumer Protection Act (TCPA). As the particulars of these regulations are unknown at this time, these new consumer protection regulations could impact our organization's corporate go-to-market sales initiatives, as well as certain feature sets in our current product stack. Any failure to comply with applicable laws, regulations or contractual obligations may harm our business, results of operations and financial condition. If we are subject to an investigation or litigation or suffer a breach of security of personal data, we may incur costs or be subject to forfeitures and penalties that could reduce our profitability. In addition, compliance with these laws may restrict our ability to provide services to our customers that they may find to be valuable. For example, the General Data Protection Regulation ("GDPR") became effective in May 2018. The GDPR, which applies to personal data collected in the context of all of our activities conducted from an establishment in the European Union, related to products and services offered to individuals in the European Union or related to the monitoring of individuals' behavior in Europe, imposes a range of significant compliance obligations regarding the handling of personal data. Actions required to comply with these obligations depend in part on how particular and strict regulators interpret and apply them. If we fail to comply with the GDPR, or if regulators assert we have failed to comply with the GDPR, we may be subject to, for example, regulatory enforcement actions, that can result in monetary penalties of up to 4% of our annual worldwide revenue or EUR 20 million (whichever is higher), private lawsuits, class actions, regulatory orders to stop processing and delete data, and reputational damage. In June 2021, the European Commission published new versions of the Standard Contractual Clauses, which are used as a legal cross-border mechanism allowing companies to transfer/allow access to personal data outside the European Economic Area. Use of the previous versions of the Standard Contractual Clauses is no longer allowed and all contracts that include the earlier versions should have been amended to replace them with the new versions by December 27, 2022. Also in June 2021, the European Data Protection Board finalized its recommendations regarding supplemental transfer measures to protect personal data during cross-border transfers. We must incur costs and expenses to comply with the new requirements, which may impact the cross-border transfer of personal data throughout our organization and to/from third parties. Further, states continue to adopt new laws or amending existing laws related to data privacy, requiring attention to frequently changing regulatory requirements. For example, the California Consumer Privacy Act of 2018 ("CCPA") require businesses to provide specific disclosures in their privacy notices and honor residents' privacy rights. The CCPA provides for civil penalties of up to $7,500 per violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Although the CCPA does not apply to certain data that we process in the context of clinical trials, efforts to comply with the CCPA may increase our annual compliance costs and subject us to potential liability with respect to other personal information we may maintain about California residents. In addition, the California Privacy Rights Act of 2020 ("CPRA"), which came into effect on January 1, 2023, expanded the CCPA's requirements, extending it to cover personal information of business representatives and employees and the CPRA established a new regulatory agency to implement and enforce the law. Other states, such as Virginia, Nevada, Connecticut, Utah, Texas and Colorado, have also passed comprehensive privacy laws, and similar laws are being considered in several other states, as well as at the federal and local levels, which impose similar obligations to those in the CCPA. These laws may increase our potential liability related to our data processing activities, complicate our compliance efforts, and increase both legal risk and compliance costs for us and the third parties upon whom we rely. Compliance with the GDPR, the new state laws, and other current and future applicable U.S. and international privacy, data protection, cybersecurity, artificial intelligence and other data-related laws can be costly and time-consuming. Complying with these varying requirements could cause us to incur substantial costs and/or require us to change our business practices in a manner adverse to our business. Violations of applicable data and privacy-related laws can result in significant penalties that could adversely affect our business, financial condition, reputation, and results of our operations. Furthermore, conflicting requirements across applicable privacy and data security laws would complicate our compliance efforts and increase both legal risk and compliance costs for us and the third parties upon whom we rely. Australia recently amended its Privacy Act, increasing the maximum penalties available for serious or repeated data breaches from AUS 2.2 million to the greater of: (i) AUS 50 million; (ii) three times the value of any benefit obtained through misuse of the information; or (iii) 30% of a company's adjusted turnover in the relevant period. In addition to the influx of privacy and data protection law, AI has become a topic of discussion across the United States and globe. In the United States, states have either passed laws or have utilized existing laws to implement policies and rules governing the use of AI as it relates to the personal data of individuals and decision making. For example, the California Privacy Protection Agency, has proposed regulations governing automated decision-making technologies pursuant to the authority granted under the CCPA. At the federal level, the United States government has affirmed its ability to regulate AI through, but not limited to, existing laws such as the Federal Trade Commission Act, the federal rule making process through various federal agencies, and Presidential Executive Orders. In addition, the United States Congress is actively and continuously introducing laws governing AI and data protection with the expectation that such laws will be passed in 2025 to regulate AI systems while providing protection for individuals within the United States. Globally, countries have been proactive in implementing laws and regulations concerning AI. For example, the EU AI Act was passed by the European Union entered into force on August 1, 2024, which provides for a compliance centered around a risk-based approach taking into account the implementation and use of the AI system. Other countries, such as Canada, Australia, the United Kingdom, have either proposed laws or provided guidance under existing law governing the use of AI. Compliance with the ever-changing AI landscape could result in substantial costs or require changes in business practices, with violations resulting in significant penalties. We also may be bound by additional, more stringent contractual obligations relating to our collection, use and disclosure of personal data or may find it necessary or desirable to join industry or other self-regulatory bodies or other privacy or security related organizations that require compliance with their rules pertaining to privacy and data protection. We post on our websites our privacy notices and practices concerning the collection, use, sharing, disclosure, deletion and retention of our user data. Any failure, or perceived failure, by us to comply with our posted privacy notices or with any regulatory requirements or orders or other federal, state or international privacy -related laws and regulations, including the GDPR, CCPA and CPRA, could result in proceedings or actions against us by governmental entities or others (e.g., class action plaintiffs), subject us to significant penalties and negative publicity, require us to change our business practices, increase our costs and adversely affect our business. We may also experience security breaches and likely will in the future, which themselves may result in a violation of these laws and give rise to regulatory enforcement and/or private litigation.

As our operations have expanded, we have established and currently maintain offices in the United States, Australia, Canada, France, Germany, India, Ireland, Israel, Malaysia, Netherlands, Romania and the United Kingdom. For the year ended December 31, 2024, we generated approximately 29% of our total revenue from customers outside of the United States. As a result, we are subject to a number of risks, including: - inflation and actions taken by central banks to counter inflation;- foreign currency fluctuations and controls;- international and regional economic, political and labor conditions, including any instability or security concerns abroad, such as uncertainty caused by economic sanctions, trade disputes, armed conflicts and wars, including the Russia-Ukraine and Israeli-Hamas wars;- changes to tax laws (including U.S. taxes on foreign subsidiaries);- increased financial accounting and reporting burdens and complexities;- changes in, or impositions of, legislative or regulatory requirements;- changes in laws governing the free flow of data across international borders;- failure of laws to protect our intellectual property rights adequately;- inadequate local infrastructure and difficulties in managing and staffing international operations;- delays resulting from difficulty in obtaining export licenses for certain technology, tariffs, quotas and other trade barriers;- the imposition of governmental economic sanctions on countries in which we do business or where we plan to expand our business;- costs and delays associated with developing products in multiple languages;- operating in locations with a higher incidence of corruption and fraudulent business practices; and - other factors beyond our control, such as terrorism, war, natural disasters, climate change and pandemics and resulting restrictions on business activity, which may vary significantly by region. Some of our third-party business partners have international operations and are also subject to these risks, and our business may be harmed if such partners are unable to appropriately manage these risks. If sales to any of our customers outside of the Americas are reduced, delayed or canceled because of any of the above factors, our revenue may decline. We have limited experience in operating in certain foreign jurisdictions and expect to continue to expand our relationship with international customers. Managing a global organization is difficult, time-consuming and expensive. Because of our limited experiences with international operations, any international efforts that we may undertake may not be successful in creating demand for our applications outside of the U.S. or in effectively selling subscriptions to our cloud offerings in all of the international markets that we enter.

We face risks related to an epidemic, pandemic or contagious disease which has impacted, and in the future could impact, the markets in which we operate and could have a material adverse effect on our business, results of operations and financial condition. The impact of an epidemic, pandemic or other health crisis and measures to prevent the spread of such an event could materially and adversely affect our business in a number of ways. For example, existing and potential customers may choose to reduce or delay technology spending in response, or attempt to renegotiate contracts and obtain concessions, which could materially and negatively impact our operating results, financial condition and prospects.

Our customers are generally invoiced in the currency of the country in which they are located. In addition, we incur a portion of our operating expenses in foreign currencies, including Australian dollars, British pounds, Canadian dollars, Indian Rupees, Euros and Israeli New Shekels, and in the future, as we expand into other foreign countries, we expect to incur operating expenses in other foreign currencies. As a result, we are exposed to foreign exchange rate fluctuations as the financial results of our international operations and our revenue and operating results could be adversely affected. We have not previously engaged in foreign currency hedging. If we decide to hedge our foreign currency exchange rate exposure, we may not be able to hedge effectively due to lack of experience, unreasonable costs, or illiquid markets.

The overall market for software is rapidly evolving and subject to changing technology, shifting customer needs and frequent introductions of new applications. The intensity and nature of our competition varies significantly across our family of software applications. Many of our competitors and potential competitors are larger and have greater brand name recognition,longer operating histories, larger marketing budgets, and significantly greater resources than we do. Some of our smaller competitors may offer applications on a stand-alone basis at a lower price than our price due to lower overhead or other factors, while some of our larger competitors may offer applications at a lower price in an attempt to cross-sell additional products in the future or retain a customer using a different application. We believe there are a limited number of direct competitors that provide a comprehensive software offering. However, we face competition both from point solution providers, including legacy on-premise enterprise systems, and other cloud-based work management software vendors that may address one or more of the functional elements of our applications, but are not designed to address a broad range of software needs. In addition, we face competition from manual processes and traditional tools, such as paper-based techniques, spreadsheets, and email. If our competitors' products, service, or technologies become more accepted than our software applications, if they are successful in bringing their products or services to market earlier than ours, or if their products or services are more technologically capable than ours, our revenues could be adversely affected.

Our success depends, in part, upon the continued service of our key executive officers, as well as other key personnel. The employment agreements with our executive officers and other key personnel do not require them to continue to work for us for any specified period; therefore, they may terminate employment with us at any time with no advance notice. The replacement of our senior management team or other key personnel likely would involve significant time and costs, and the loss of these employees may significantly delay or prevent the achievement of our business objectives. We face intense competition for qualified individuals from numerous technology and software companies. If we fail to attract and retain suitably qualified individuals, including software engineers and sales personnel, our ability to implement our business plan and develop and maintain our applications could be adversely affected. As a result, our ability to compete would decrease, our operating results would suffer, and our revenue would decrease.