ZipRecruiter (ZIP) Risk Analysis

Many of our Paid Employers pay for access to our marketplace on a per-job-per-day basis, rather than entering into new longer term paid time-based job posting plans, renewing their paid time-based job posting plans when such contract terms expire, or purchasing performance-based services from us. Employers who enter into paid plans have no obligation to renew their plans after the expiration of their contract period, which typically range from one day to 12 months. In addition, employers may renew for lower subscription amounts or for shorter contract lengths. Historically, some of our Paid Employers have elected not to renew their agreements with us and as we expand into new products and markets, we have a limited ability to reliably predict future renewal rates. Our future renewal rates for both existing and potential new products may be lower, possibly significantly lower, than historical trends. Our future success also depends in part on our ability to sell upsell services to employers who use our marketplace. If employers do not purchase upsell services from us, our revenue may decline and our operating results may be harmed. Our Paid Employer subscription renewals, performance-based services, and upsells may decline or fluctuate as a result of a number of factors, including user usage, sunsetting, changing, or removing certain products or services, user satisfaction with our services and user support, our prices, the prices of competing services, mergers and acquisitions affecting our user base, the effects of U.S. and global economic conditions, or reductions in our Paid Employers' spending levels generally.

Our ability to increase revenue and profitability depends, in part, on widespread acceptance and utilization of our marketplace by businesses of all sizes and types. Because our customers reflect a wide variety of businesses, we face a variety of challenges, including but not limited to, pricing pressure, cost variances and marketing strategies that vary based on the business type and size, varying lengths of sales cycles, and less predictability in completing some of our sales. For example, some of our larger prospective customers may need us to provide greater levels of education regarding the use and benefits of our marketplace and services, because the prospective customer's decision to use our marketplace and services may be a company-wide decision. We are in the early stages of developing the analytical tools that will allow us to determine how prospective customers can be most effectively directed within, and addressed by, our sales organizations. As a result, we may not always approach new opportunities in the most cost-effective manner or with the most appropriate resources. Developing and successfully implementing these tools will be important as we seek to efficiently capitalize on new and expanding market opportunities. In addition, because we are a relatively new company with a limited operating history when compared to some of our existing competitors, our target employers and job seekers may prefer to use offerings from more established competitors that are more tailored to their specific requirements.

Our marketplace functions on software that is highly technical and complex and may now or in the future contain undetected errors, bugs, or vulnerabilities. Some errors in our software code may be discovered only after the code has been deployed. Any errors, bugs, or vulnerabilities discovered in our code after deployment, inability to identify the cause or causes of performance problems within an acceptable period of time, or difficulty maintaining and improving the performance of our marketplace could result in damage to our reputation or brand, loss of employers and job seekers, loss of revenue, or liability for damages, any of which could adversely affect our business and results of operations. As the usage of our marketplace grows, we will need an increasing amount of technical infrastructure, including network capacity and computing power, to continue to operate our marketplace. If we cannot continue to effectively scale and grow our technical infrastructure to accommodate these increased demands, it may adversely affect our user experience. We also rely on third-party software and infrastructure, including the infrastructure of the internet, to provide our marketplace. Any failure of or disruption to this software and infrastructure, whether intentionally or unintentionally or due to our activities or those of our vendors or other third parties, could also make our marketplace unavailable to our users. If our marketplace is unavailable to our subscribers or job seekers for any period of time, our business could be adversely affected. Our marketplace technology is constantly changing with new updates, which may contain undetected errors when first introduced or released. Any errors, defects, disruptions in service, or other performance or stability problems with our marketplace, or the insufficiency of our efforts to adequately prevent or 1 "Paid Employer(s)" means any actively recruiting employer(s) (or entities acting on behalf of employers) on a paying subscription plan or performance marketing campaign for at least one day. Paid Employer(s) excludes employers from our third-party sites or other indirect channels, employers who are not actively recruiting and employers on free trials. timely remedy errors or defects, could result in negative publicity, loss of or delay in market acceptance of our marketplace, loss of competitive position, our inability to timely and accurately maintain our financial records, inaccurate or delayed invoicing of Paid Employers, delay of payment to us, claims by users for losses sustained by them, corrective action taken by gatekeepers of components integral to our marketplace, or investigation and corrective action taken by a regulatory agency. In such an event, we may be required, or may choose, for user relations or other reasons, to expend additional resources to help resolve the issue. Accordingly, any errors, defects, or disruptions in our marketplace could adversely impact our brand and reputation, revenue, and operating results. Because of the large amount of data that our Paid Employers collect and manage by means of our services, it is possible that failures or errors in our systems could result in data loss or corruption, or cause the information that we or our Paid Employers collect to be incomplete or contain inaccuracies that our Paid Employers regard as significant. Furthermore, the availability or performance of our marketplace could be adversely affected by a number of factors, including users' inability to access the internet or to send or receive email messages, the failure of our network or software systems, security breaches or variability in user traffic for our services. We may be required to issue credits or refunds for prepaid amounts related to unused services or otherwise be liable to our users for damages they may incur resulting from certain of these events. In addition to potential liability, if we experience interruptions in the availability of our marketplace, our reputation could be adversely affected and we could lose employers and job seekers. Our errors and omissions insurance may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our policy may not cover all claims made against us and defending a suit, regardless of its merit, could be costly and divert management's attention.

We have voluntarily implemented policies and procedures designed to allow us to comply with U.S. economic sanctions laws and prevent our marketplace from being used to facilitate business in countries or with persons or entities included on designated lists promulgated by the U.S. Department of the Treasury's Office of Foreign Assets Control, or OFAC, and equivalent foreign authorities. We may be subject to fines or other penalties in one or more jurisdictions levied by federal, state or local regulators, in the event that we engage in any conduct, intentionally or not, that facilitates money laundering, terrorist financing, or other illicit activity, or that violates sanctions or otherwise constitutes sanctionable activity. Regulators continue to increase their scrutiny of compliance with these obligations, which may require us to further revise or expand our compliance program, including the procedures that we use to verify the identity of our users and to monitor our marketplace for potential illegal activity. In addition, any policies and procedures that we implement to comply with OFAC regulations may not be effective, including in preventing users from using our services within the OFAC-sanctioned countries of North Korea, Syria, Cuba, Iran, Russia, and the breakaway regions of Ukraine (which currently include Crimea, Donetsk and Luhansk), or additional countries or regions that may be included from time-to-time. Given the technical limitations in developing controls to prevent, among other things, the ability of users to publish in our marketplace false or deliberately misleading information or to develop sanctions-evasion methods, it is possible that we may inadvertently and without our knowledge provide services to individuals or entities that have been designated by OFAC or are located in a country subject to an embargo by the United States that may not be in compliance with the economic sanctions regulations administered by OFAC. Consequences for failing to comply with applicable rules and regulations could include fines, criminal and civil lawsuits, forfeiture of significant assets, or other enforcement actions. We could also be required to make changes to our business practices or compliance programs as a result of regulatory scrutiny. In addition, any perceived or actual breach of compliance by us, our employers and job seekers, or payment partners with respect to applicable laws, rules, and regulations could have a significant impact on our reputation and could cause us to lose existing employers and job seekers, prevent us from obtaining new employers and job seekers, cause other payment partners to terminate or not renew their agreements with us, require us to expend significant funds to remedy problems caused by violations and to avert further violations, and expose us to legal risk and potential liability, all of which may adversely affect our business, operating results, and financial condition and may cause the price of our common stock to decline. We are also subject to the FCPA, the U.S. domestic bribery statute contained in 18 U.S.C. § 201, the U.S. Travel Act, and the UK Bribery Act 2010, and may be subject to other anti-bribery, anti-money laundering, and sanctions laws in countries in which we conduct activities or have employers and job seekers. The FCPA prohibits providing, offering, promising, or authorizing, directly or indirectly, anything of value to government officials, political parties, or political candidates for the purposes of obtaining or retaining business or securing any improper business advantage. The provisions of the Bribery Act extend beyond bribery of government officials and create offenses in relation to commercial bribery including private sector recipients. The provisions of the Bribery Act also create offenses for accepting bribes in addition to bribing another person. We face significant risks if we cannot comply with the FCPA, the Bribery Act and other applicable anti-corruption laws. We have implemented an anti-corruption compliance policy, but we cannot ensure that all of our employees, employers and job seekers, and agents, as well as those contractors to which we outsource certain of our business operations, will not take actions in violation of our policies or agreements and applicable law, for which we may be ultimately held responsible. Any violation of the FCPA, the Bribery Act, other applicable anti-corruption laws, and other laws could result in investigations and actions by federal or state attorneys general or foreign regulators, loss of export privileges, severe criminal or civil fines and penalties or other sanctions, forfeiture of significant assets, debarment from government contracts, whistleblower complaints, and adverse media coverage, which could have an adverse effect on our reputation, business, operating results, and prospects. In addition, responding to any enforcement action or internal investigation related to alleged misconduct may result in a significant diversion of management's attention and resources and significant defense costs and other professional fees.

We receive, collect, store, process, transfer, and use personal information and other user data. There are numerous federal, state, local, and international laws and regulations regarding data privacy, data protection, AI (including machine learning), information security, and the collection, storing, sharing, use, transfer, disclosure, protection, and other processing of personal information and other content, and consumer protection. The scope of these laws and regulations is changing, subject to differing interpretations, and may be inconsistent among countries or between U.S. states, or conflict with other laws and regulations. We are also subject to the terms of our privacy policies and obligations to third parties related to privacy, data protection, AI, and information security. The regulatory framework for privacy, data protection and AI worldwide is uncertain and complex, and these or other actual or alleged obligations may be interpreted and applied in ways we do not anticipate or that are inconsistent from one jurisdiction to another and may conflict with other rules or our practices. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, use, processing, retention, security, or disclosure of the data of our employers and job seekers, employees, contractors, or others, or their interpretation, or any changes regarding the manner in which the express or implied consent of employers and job seekers for the collection, use, processing, retention, or disclosure of such data must be obtained, or any limitations on how we can collect, use, process, retain or disclose such data, could increase our costs, limit our development of new services or features, or the taking of new initiatives, and/or require us to modify our services and features, which may be material, limiting or not cost-effective. We also expect that there will continue to be new laws, regulations, and industry standards concerning privacy, data protection, AI, and information security proposed and enacted in various jurisdictions. For example, in 2018, European legislators adopted the General Data Protection Regulation, or the GDPR, which imposes more stringent European Union, or EU, data protection requirements, and provides for significant penalties for noncompliance. The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR. Compliance with the GDPR has been and will continue to be a rigorous and time-intensive process that may increase our cost of doing business or require us to change our business practices, and may subject us to governmental investigations or enforcement actions, fines and penalties, claims, litigation, and reputational harm in connection with any European activities. Further, the United Kingdom, or the UK, has enacted the UK GDPR, which, together with the amended UK Data Protection Act 2018, or DPA, retains the GDPR in UK national law. Fines for certain breaches of the GDPR and the UK data protection regime are significant (e.g., fines for certain breaches of the GDPR or the UK GDPR are up to the greater of 20 million Euros (or 17.5 million GBP under the UK GDPR) or 4% of total global annual turnover), and since we are under the supervision of relevant data protection authorities in both the EU and the UK, we may be fined under both the GDPR and the UK GDPR for the same breach. Additionally, the California Consumer Privacy Act, or CCPA, which afforded new data privacy rights for consumers and new operational requirements for companies, came into force in 2020, and also provides for fines for noncompliance. The California Privacy Rights Act, or CPRA, which took effect on January 1, 2023, further expanded the CCPA with additional data privacy compliance requirements and rights for California consumers, and established a new regulatory agency dedicated to enforcing those requirements and issuing additional rulemaking, including with respect to cybersecurity audits, risk assessment, and automated decisionmaking technology. Comprehensive privacy legislation has also been enacted, and taken effect or is soon going into effect, in more than one-third of U.S. states (with several states going into effect in the near future) and each imposes similar, but not identical, compliance obligations. Similar laws have been proposed in many other states and at the federal level as well, which may impose significant obligations and restrictions. The effects of these laws are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply, and increase our potential exposure to regulatory enforcement and/or litigation. Moreover, several U.S. and European jurisdictions are looking to regulate specific uses of AI. For example, New York City currently regulates the use of automated employment decision tools by employers and employment agencies, Utah regulates disclosures for the use of generative AI, Colorado will soon regulate the use of high-risk AI (which definition includes an AI system that is a substantial factor in making a decision that has a significant effect on employment or employment opportunities), and Texas will soon prohibit specific AI use cases (including those developed or deployed with the intent of unlawfully discriminating against a protected class under federal or state law). California has also enacted several new laws in 2024 and 2025 that further regulate use of AI and machine learning technologies, or AI Technologies, and provide consumers with additional protections around companies' use of AI Technologies, such as requiring companies to disclose certain uses of generative AI and the types of data used to train such models. In the EU, the Artificial Intelligence Act, or the EU AI Act, entered into force in August 2024. The EU AI Act seeks to create a establishing a comprehensive legal framework for the regulation of AI systems across the EU. The majority of obligations under the EU AI Act expected to take effect in August 2026. Once fully applicable, the EU AI Act will have a material impact on the way AI is regulated in the EU, including, for certain types of AI systems, requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security, accuracy, general purpose AI and foundation models, and fines for breach of up to 7% of worldwide annual turnover. Failure to comply with such laws or regulations could subject us to legal or regulatory liability. Further, the cost to comply with such laws or regulations could be significant and would increase our operating expenses, which could adversely affect our business, financial condition and results of operations. The regulatory framework for AI Technologies has also already shifted significantly as the technology continues to evolve. For example, in the United States, the Trump Administration in early 2025 rescinded an executive order relating to the safe and secure development of AI Technologies that was previously implemented by the Biden Administration in 2023. The Trump Administration then issued a new executive order that, among other things, requires certain agencies to develop and submit to the president action plans to "sustain and enhance America's global AI dominance," and to specifically review and, if possible, rescind rulemaking taken pursuant to the rescinded Biden executive order. In July 2025, the Trump Administration further issued America's AI Action Plan focusing on the three pillars of innovation, infrastructure, and international diplomacy and security in AI, and seven underlying principles. The Trump administration may continue to rescind other existing federal orders and/or administrative policies relating to AI Technologies, or may implement new executive orders and/or other rule making relating to AI Technologies in the future. Any such changes at the federal level could require us to expend significant resources to modify our products, services, or operations to ensure compliance with old frameworks or meet new obligations. We are also subject to different consumer protection laws, including laws that regulate the offering of automatically renewing subscription offers. For example, the Federal Trade Commission, or FTC, previously implemented the "Click-to-Cancel" rule that would have prohibited covered businesses from, amongst other things, impeding consumers (including in business-to-business transactions) from canceling recurring subscriptions and memberships. However, on July 8, 2025, the U.S. Court of Appeals for the Eighth Circuit vacated the entirety of the "Click-to-Cancel" rule due to a finding of flaws in the FTC's rulemaking process. The rule may still be appealed by the FTC or the FTC may engage in further rulemaking processes. However, there are still other state laws around these topics that we may be required to comply with, and which compliance requirements may impact our business practices in ways that impact our revenues. The costs of compliance with, and other burdens imposed by, the GDPR, the UK GDPR, the DPA, the CCPA, consumer protection requirements and other laws and regulations may limit the use and adoption of our products and services and could have an adverse impact on our business. As a result, we may need to modify the way we treat, process, or store such information or offer our products and services. Further, in July 2023, the SEC adopted new cybersecurity disclosure rules for public companies that require disclosure regarding cybersecurity risk management in Annual Reports on Form 10-K and the disclosure of material cybersecurity incidents in Current Reports on Form 8-K within four business days of determining an incident is material. Any failure or perceived failure by us to comply with our privacy policies, our privacy-related obligations to employers and job seekers, employees, contractors, or other third parties, or any other legal obligations or regulatory requirements relating to privacy, data protection, consumer protection, AI, or information security may result in governmental and regulatory investigations or enforcement and/or assessment notices (for a compulsory audit), orders to cease or change our processing of our data, litigation, claims (including representative actions and other class action type litigation, where individuals have suffered harm), or public statements against us by consumer advocacy groups or others and could result in significant liability, cause our employers and job seekers to lose trust in us, and otherwise have an adverse effect on our reputation and business. Furthermore, the costs of compliance with such laws, regulations and policies may limit the adoption and use of, and reduce the overall demand for, our marketplace.

The employers in the United States' private sector are diverse across a number of business characteristics, including company size, geography, and industry, among other factors. Hiring activity may vary significantly among businesses with different characteristics and accordingly, any concentration we may have among businesses with certain characteristics may subject us to high volatility in our financial results. Smaller businesses, for example, typically have less persistent hiring needs and may experience greater volatility in their need for job advertisement services and preferences among providers of such services. Along with a relatively shorter sales cycle, smaller businesses may be more likely to change platforms based on short-term differences in perceived price, value, service level, or other factors. Difficulty in acquiring and/or retaining these employers may adversely affect our operating results.

We plan to expand our operations internationally in the future. Outside of the United States, we currently have operations in the United Kingdom, Israel, and Canada. There are significant costs and risks inherent in conducting business in international markets, including: - establishing and maintaining effective controls at foreign locations and the associated costs;- adapting our marketplace to non-U.S. employers' and job seekers' preferences and customs;- increased competition from local providers;- longer sales or collection cycles in some countries;- compliance with foreign laws and regulations, including data privacy frameworks like the GDPR, UK GDPR and DPA;- adapting to doing business in other languages or cultures;- compliance with local tax regimes, including potential double taxation of our international earnings, and potentially adverse tax consequences due to U.S. and foreign tax laws as they relate to our international operations;- compliance with anti-bribery laws, such as the FCPA and the Bribery Act;- currency exchange rate fluctuations and related effects on our operating results;- economic and political instability in some countries;- the uncertainty of obtaining and protecting intellectual property rights in some countries and practical difficulties of enforcing rights abroad;- potential challenges arising from strained foreign relations or geopolitical tensions, which could lead to regulatory hurdles, trade barriers, or reputational harm; and - other costs of doing business internationally. These factors and other factors could harm our international operations and, consequently, materially impact our business, operating results, and financial condition. Further, we may incur significant operating expenses as a result of our international expansion, and it may not be successful. We have limited experience with regulatory environments and market practices internationally, and we may not be able to penetrate or successfully operate in new markets. We also have more limited brand recognition in certain parts of the world, leading to delayed acceptance of our marketplace by international employers and job seekers. If we cannot continue to expand internationally and manage the complexity of our global operations successfully, our financial condition and operating results could be adversely affected.