Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

Risk Factors - HUBS


Item 1A.

Human Capital Management

Helping millions of organizations grow better requires a truly remarkable team. We take a thoughtful approach to talent attraction and retention in order to build a mission-driven culture, where people can do their best work. HubSpot is proud to have been named on notable sublists such as Forbes America’s Dream Employers, Forbes Best Company for Women, TIME America’s Best Midsize Companies, Newsweek Most Trustworthy Companies, and several Comparably Best Company lists (including Best Company for Women, Best Company for Diversity, Best Company for Leadership, Best Teams Engineering and Best Company Outlook). We view these recognitions as reflections of our employees’ experiences and indicators that our culture continues to evolve in ways that support long-term, sustainable performance.

As part of our commitment to responsible growth, we are also honored to be included on sustainability-focused lists such as TIME World's Most Sustainable Companies 2025 and Newsweek America's Greenest Companies 2026. These recognitions reinforce our focus on transparent business practices and building an enduring, environmentally responsible company.

Intentionally Distributed Workforce. As of December 31, 2025, we had 8,882 full-time employees. Of these, 5,724 were in the Americas, 2,480 were in Europe, and 678 were in the Asia Pacific region. We have been intentional in building a work model that leans into flexibility, giving our employees the opportunity to work in a way that works best for them, while enabling effective and productive work. Aligned with previous years, substantially all of our employees can elect to work primarily from their home, in one of our offices, or split their time between home and office.
Culture and Values. We obsess over our culture and craft our culture just like we craft our customer platform. Our mission is to help millions of organizations grow better and as a result, customer centricity, and putting the customer first, are fundamental in creating a company that lasts. A copy of our Culture Code can be found at: https://network.hubspot.com/slides/the-hubspot-culture-code.
Belonging. Belonging is a core pillar of our talent strategy and a key driver of performance. We believe that when people are seen, valued, and respected, individual brilliance becomes collective strength. Our belonging strategy centers on representation, diversity of thought, inclusion, and equity, reflecting our view that inclusive teams fuel stronger innovation, better performance, and a more connected employee experience.
Compensation and Benefits. We provide competitive compensation and benefits for our employees globally. Our compensation packages may include base salary, commission or semi-annual bonuses, and stock-based compensation awards. We also offer an employee stock purchase plan, as well as benefit plans, such as employee medical, dental, life and disability insurance, and retirement and pension arrangements, that vary by geography and align with market norms. We evaluate both compensation and benefit offerings on an annual basis and we make adjustments as needed.
Learning and growth. We believe in life-long learning and invest in employee development at every stage. We offer interactive, regionalized on-boarding, one-on-one mentorship, year-round manager trainings and a mini-MBA Fellows program. In addition, we offer several live, self-paced and asynchronous resources to help employees develop their skills and capabilities through our internal, online learning management system.
Employee Well-Being. We offer a mental wellness platform as a global benefit for employees and their dependents. In order to prevent and battle burnout and its root causes, we also offer a company holiday week for all employees to take time off and recharge, and programming for employees to listen, learn, and identify ways to prioritize their mental health at work.
Social Impact. Our social impact work is focused on powering digital prosperity in the communities where our employees live and work. We do this through employee volunteering and giving initiatives, as well as through our newly launched signature social impact program, We Are All Entrepreneurs. This program is designed to support early-stage entrepreneurs in learning how to better leverage technology to grow their businesses. It combines asynchronous learning, live expert-led sessions, and mentorship from HubSpot employees to help make business technology more accessible to all entrepreneurs. With an intentionally distributed workforce, we have the opportunity to drive meaningful impact across the globe. We offer accessible and flexible ways for employees to engage in causes that matter to them, including micro-volunteering, mentoring, virtual volunteering, office-based drop-in events, offsite volunteering, and matching campaigns.
Employee Engagement and Feedback. We administer an employee engagement survey to assess and understand employee engagement and the effectiveness of our organization. The survey also enables us to provide data to leaders across the organization, empowering them to identify, address, and monitor feedback at the department and team level. These insights shape both short term actions and long term people strategies, ensuring we remain responsive to employee needs and business priorities.

Competition

Our market is evolving, highly competitive and fragmented, and we expect competition to increase in the future. We believe the principal competitive factors in our market are:

vision for the market, product strategy and pace of innovation;
marketing focus and domain expertise;
integrated all-in-one customer platform;
breadth and depth of product functionality;
ease of use;
scalable, open architecture;
time to value and total cost of ownership;
integration with third-party applications and data sources;
use of CRM data to make strategic business decisions;
use of evolving AI technologies;
AI agents and automation capabilities that handle end-to-end workflows;
unified data platform with AI-powered data quality and enrichment;
AEO and AI-native marketing capabilities;
name recognition and brand reputation; and
“freemium” go-to-market motion.

We believe we compete favorably with respect to all of these factors.

We face intense competition from other companies that develop marketing, sales, customer service, operations, commerce, intelligence and content management software. Our competitors offer various point applications that provide certain functions and features that we provide, including:

cloud-based marketing automation providers;
content management systems;
email marketing software vendors;
sales automation software vendors;
CRM software vendors;
customer service platform vendors;
CPQ and billing solution providers;
commerce and payments solution providers;
data enrichment vendors;
AI agent and providers;
AI-native CRM and workflow automation startups; and
large-scale enterprise suites.

In addition, instead of using our customer platform, some prospective customers may elect to combine disparate point applications, such as content management, marketing automation, analytics, social media management, ticketing, and conversational bots.

Intellectual Property

Our ability to protect our intellectual property, including our technology, will be an important factor in the success and continued growth of our business. We protect our intellectual property through trade secrets law, copyrights, trademarks, patents, and contracts. Some of our technology relies upon third-party licensed intellectual property. We have 34 issued U.S. Patents and 35 patent applications pending. We intend to pursue and are pursuing additional patent protection to the extent we believe it would be beneficial and cost-effective.

In addition to the foregoing, we have established business procedures designed to maintain the confidentiality of our proprietary information, including the use of confidentiality agreements and assignment of inventions agreements with employees, independent contractors, consultants, and companies with which we conduct business.

Despite our efforts to protect our intellectual property, unauthorized parties may still copy or otherwise obtain and use our technology. In addition, we intend to continue to expand our international operations, and effective intellectual property, copyright, trademark and trade secret protection may not be available or may be limited in foreign countries. Any significant impairment of our intellectual property rights could harm our business or our ability to compete.

Financial Information About Segments

We operate as one operating segment. Operating segments are defined as components of an enterprise for which separate financial information is regularly evaluated by the chief operating decision maker (“CODM”), which is our chief executive officer, in deciding how to allocate resources and assess performance. The CODM evaluates our financial information and resources and assesses the performance of these resources on a consolidated basis. Since we operate in one operating segment, financial information evaluated by the CODM can be found in the consolidated financial statements. See Footnote 11 within the consolidated financial statements for information by geographic area.

Available Information

Our website is located at http://www.hubspot.com, and our investor relations website is located at https://www.hubspot.com/investor-relations. Copies of our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and amendments to these reports filed or furnished pursuant to Sections 13(a) and 15(d) of the Securities Exchange Act of 1934, as amended, are available, free of charge, on our investor relations website as soon as reasonably practicable after such reports are filed with, or furnished to, the Securities and Exchange Commission, or the SEC. The SEC also maintains a website at http://www.sec.gov that contains our SEC filings and other information regarding issuers that file electronically with the SEC.

We webcast our earnings calls and certain events we participate in or host with members of the investment community on our investor relations website. Additionally, we provide notifications of news or announcements regarding our financial performance, including SEC filings, investor events, press and earnings releases, and blogs as part of our investor relations website. We have used, and intend to continue to use, our investor relations website as a means of disclosing material non-public information and for complying with our disclosure obligations under Regulation FD. Further corporate governance information, including our certificate of incorporation, bylaws, governance guidelines, board committee charters, and code of business conduct and ethics, is also available on our investor relations website under the heading “Corporate Governance.” The contents of our websites are not intended to be incorporated by reference into this Annual Report on Form 10-K or in any other report or document we file with the SEC, and any references to our websites are intended to be inactive textual references only.

Item 1A. RISK FACTORS

An investment in our common stock involves a high degree of risk. You should carefully consider the risks described below and the other information in this Annual Report on Form 10-K and in our other public filings before making an investment decision. Our business, prospects, financial condition, or operating results could be harmed by any of these risks, as well as other risks not currently known to us or that we currently consider immaterial. If any such risks and uncertainties actually occur, our business, financial condition or operating results could differ materially from the plans, projections and other forward-looking statements included in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and elsewhere in this Annual Report on Form 10-K and in our other public filings. The trading price of our common stock could decline due to any of these risks, and, as a result, you may lose all or part of your investment.

We are dependent upon customer renewals, the addition of new customers, increased revenue from existing customers and the continued growth of the market for a customer platform.

We derive, and expect to continue to derive, a substantial portion of our revenue from the sale of subscriptions to our customer platform. The market for marketing, sales, service, operations, commerce and customer management products is still evolving, and competitive dynamics may cause pricing levels to change as the market matures and as existing and new market participants introduce new types of point applications and different approaches to enable businesses to address their respective needs. As a result, we may be forced to, or strategically choose to, reduce the prices we charge for our platform and may be unable to renew existing customer agreements or enter into new customer agreements at the same prices and upon the same terms that we have historically. In addition, our growth strategy involves a scalable pricing model (including freemium versions of our products and our recent seats-based and consumption-based pricing model changes) intended to provide opportunities to increase the value of our customer relationships over time, including as customers expand their use of our platform, or we sell to other parts of their organizations, cross-sell additional products and seats through touchless or low touch in product purchases, and upsell additional offerings and features. Our consumption-based pricing strategies are novel and evolving. Due to customer flexibility in the timing of their use of our platform, we could have less predictability from our consumption-based products than we do for our subscription-based products, and there is a risk that customers could use our consumption-based products at lower levels than we expect. If our scalable pricing and cross-selling efforts are unsuccessful or if our existing customers do not expand their use of our platform or adopt additional offerings and features, or if the anticipated benefits from scalable pricing take longer to realize or are not realized at all, our revenue and operating results may suffer.

Our subscription renewal rates may decrease, and any decrease could harm our future revenue and operating results.

Our customers have no obligation to renew their subscriptions for our platform after the expiration of their subscription periods, substantially all of which are one year or less. In addition, our customers may seek to renew for lower subscription tiers, for fewer contacts or seats, or for shorter contract lengths. Also, customers may choose not to renew their subscriptions for a variety of reasons. Our renewal rates may decline or fluctuate as a result of a number of factors, including limited customer resources, pricing changes, the prices of services offered by our competitors, adoption and utilization of our platform and add-on applications by our customers, adoption of our new products, customer satisfaction with our platform, mergers and acquisitions affecting our customer base, reductions in our customers’ spending levels or declines in customer activity as a result of economic downturns or uncertainty in financial markets. If our customers do not renew their subscriptions for our platform or decrease the amount they spend with us, our revenue will decline and our business will suffer.

In addition, a subscription model creates certain risks related to the timing of revenue recognition and potential reductions in cash flows. A portion of the subscription-based revenue we report each quarter results from the recognition of deferred revenue relating to subscription agreements entered into during previous quarters. In addition, we do not record deferred revenue beyond amounts invoiced as a liability on our consolidated balance sheets. A decline in new or renewed subscriptions in any period may not be immediately reflected in our reported financial results for that period, but may result in a decline in our revenue in future quarters. If we were to experience significant downturns in subscription sales and renewal rates, our reported financial results might not reflect such downturns until future periods.

We face significant competition from both established and new companies in the software market in which we operate, which may harm our ability to add new customers, retain existing customers and grow our business.

The software market in which we operate is evolving, highly competitive and significantly fragmented. With the introduction of new technologies and the potential entry of new competitors into the market, we expect competition to persist and intensify in the future, which could harm our ability to increase sales, maintain or increase renewals and maintain our prices.

We face intense competition from other software companies in the market we operate that provide interactive marketing services. Competition could significantly impede our ability to sell subscriptions to our customer platform on terms favorable to us. Our current and potential competitors may develop and market new technologies including as a result of new or better use of evolving AI technologies, whether through greater investments in AI development, access to higher quality training datasets, or more advanced AI models, that render our existing or future products less competitive, or obsolete. We may also face greater competition from non-specialist solutions relying on generic large language models (“LLMs”), generative AI and general-purpose agents to address a broad range of business needs. As we attempt to sell our products and solutions to new and existing customers, we must convince them that our products and solutions are superior to other solutions available to their organizations, including generic LLMs, software created using natural language prompts and generative AI (referred to as vibe coding) and other emerging technologies. In addition, if these competitors develop products with similar or superior functionality to our platform, we may need to decrease the prices or accept less favorable terms for our platform subscriptions in order to remain competitive. If we are unable to maintain our pricing due to competitive pressures, our margins will be reduced and our operating results will be negatively affected.

Our competitors include:

cloud-based marketing automation providers;
email marketing software vendors;
sales force automation and CRM software vendors;
large-scale enterprise suites;
customer service software providers; and
content management systems.

In addition, instead of using our platform, some prospective customers may elect to combine disparate point applications, such as content management, marketing automation, CRM, analytics and social media management. We expect that new competitors, such as enterprise software vendors that have traditionally focused on enterprise resource planning or other applications supporting back office functions, will develop and introduce applications serving customer-facing and other front office functions. This development could have an adverse effect on our business, operating results and financial condition. In addition, sales force automation and CRM vendors could acquire or develop applications that compete with our sales and CRM offerings. Some of these companies have acquired social media marketing and other marketing software providers to integrate with their broader offerings.

Our current and potential competitors may have significantly more financial, technical, marketing and other resources than we have, be able to devote greater resources to the development, promotion, sale and support of their products and services, may have more extensive customer bases and broader customer relationships than we have, and may have longer operating histories and greater name recognition than we have. As a result, these competitors may respond faster to new technologies and undertake more extensive marketing campaigns for their products. In a few cases, these vendors may also be able to offer a customer platform at little or no additional cost by bundling it with their existing suite of applications. To the extent any of our competitors has existing relationships with potential customers for either marketing software or other applications, those customers may be unwilling to purchase our platform because of their existing relationships with our competitor. If we are unable to compete with such companies, the demand for our customer platform could substantially decline.

In addition, if one or more of our competitors were to merge or partner with another of our competitors, our ability to compete effectively could be adversely affected. Our competitors may also establish or strengthen cooperative relationships with our current or future strategic distribution and technology partners or other parties with whom we have relationships, thereby limiting our ability to promote and implement our platform. We may not be able to compete successfully against current or future competitors, and competitive pressures may harm our business, operating results and financial condition.

We have experienced rapid growth and organizational change in recent periods and expect growth of headcount and operations over the long-term. If we fail to manage growth and organizational change effectively, we may be unable to execute our business plan, maintain high levels of service or address competitive challenges adequately.

Our headcount and operations continue to grow. For example, we had 8,882 full-time employees as of December 31, 2025 and 8,246 as of December 31, 2024. To date, we have opened several international offices. This growth has placed, and will continue to place, a significant strain on our management, administrative, operational and financial infrastructure. We expect to continue to grow headcount and operations over the long-term. We anticipate future growth will be required over the long term to address increases in our product offerings and continued expansion. Our success will depend in part upon our ability to recruit, hire, train, manage and integrate qualified managers, technical personnel and employees in specialized roles within our company, including in technology, sales and marketing. Furthermore, as many of our employees work remotely from geographic areas across jurisdictions where we have offices pursuant to our hybrid workplace model, which provides our employees with the option to be fully remote, work full-time from one of our offices, or have the flexibility to work both in the office and remotely, we may need to reallocate our investment of resources and closely monitor a variety of local regulations and requirements, including local tax laws. We may experience unpredictability in our expenses and employee work culture. If we experience any of these effects in connection with future growth, if our new employees perform poorly, or if we are unsuccessful in recruiting, hiring, training, managing and integrating new employees, or retaining our existing employees, it could materially impair our ability to attract new customers, retain existing customers and expand their use of our platform, all of which would materially and adversely affect our business, financial condition and results of operations.

Failure to effectively develop and expand our customer platform capabilities could harm our ability to increase our customer base and achieve broader market acceptance of our platform.

To increase customers and achieve broader market acceptance of our customer platform, we will need to continue to expand our customer platform capabilities, including our sales force and third-party channel partners. We will continue to dedicate significant resources to sales and marketing programs. The effectiveness of our sales and marketing and third-party channel partners has varied over time and may vary in the future and depends on our ability to maintain and improve our customer platform including with respect to AI and machine learning. All of these efforts will require us to invest significant financial and other resources. Our business will be seriously harmed if our efforts do not generate a correspondingly significant increase in revenue. We may not achieve anticipated revenue growth from expanding our sales force if we are unable to hire, develop and retain talented sales personnel, if our new sales personnel are unable to achieve desired productivity levels in a reasonable period of time or if our sales and marketing programs are not effective.

The rate of growth of our business depends on the continued participation and level of service of our Solutions Partners.

We rely on our Solutions Partners to provide certain services to our customers, as well as pursue sales of our customer platform to customers. To the extent we do not attract new Solutions Partners, or existing or new Solutions Partners do not refer a growing number of customers to us, due to changes in our Solutions Partner relationship models or otherwise, our revenue and operating results would be harmed. In addition, if our Solutions Partners do not continue to provide services to our customers, we would be required to provide such services ourselves either by expanding our internal team or engaging other third-party providers, which would increase our operating costs.

If we fail to maintain our thought leadership position, our business may suffer.

We believe that maintaining our thought leadership position in the customer platform space is an important element in attracting new customers. We devote significant resources to develop and maintain our thought leadership position, with a focus on identifying and interpreting emerging trends, shaping and guiding industry dialog and creating and sharing the best practices. Our activities related to developing and maintaining our thought leadership may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incurred in such effort. We rely upon the continued services of our management and employees with domain expertise with marketing, sales, services, operations, commerce and content management, and the loss of any key employees in this area could harm our competitive position and reputation. If we fail to successfully grow and maintain our thought leadership position, we may not attract enough new customers or retain our existing customers, and our business could suffer.

If we fail to further enhance our brand and maintain our existing strong brand awareness, our ability to expand our customer base will be impaired and our financial condition may suffer.

We believe that our development of the HubSpot brand is critical to achieving widespread awareness of our existing and future solutions, and, as a result, is important to attracting new customers and maintaining existing customers. In the past, our efforts to build our brand have involved significant expenses, and we believe that this investment has resulted in strong brand recognition in the B2B market. Successful promotion and maintenance of our brands will depend largely on the effectiveness of our marketing efforts and on our ability to provide a reliable and useful customer platform at competitive prices. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incurred in building our brand. If we fail to successfully promote and maintain our brand, our business could suffer.

If we fail to adapt and respond effectively to rapidly changing technology, evolving industry standards and changing customer needs or requirements, our customer platform may become less competitive.

Our future success depends on our ability to adapt and innovate our customer platform. To attract new customers and increase revenue from existing customers, we need to continue to enhance and improve our offerings to meet customer needs at prices that our customers are willing to pay. Such efforts will require adding new functionality and responding to technological advancements, including AI and machine learning, which will increase our research and development costs. Further, any third-party AI technologies leveraged in our products and services may not be available on commercially reasonable terms or at all and any loss of rights to use such technologies may significantly increase our expenses or otherwise disrupt or delay the provisioning of our products and services to customers. If we are unable to develop, license or acquire new applications that address our customers’ needs, or to enhance and improve our platform in a timely manner, we may not be able to maintain or increase market acceptance of our platform. Our ability to grow is also subject to the risk of future disruptive technologies. Access and use of our customer platform is provided via the cloud, which, itself, was disruptive to the previous enterprise software model. If new technologies emerge that are able to deliver marketing software and related applications at lower prices, more efficiently, more conveniently or more securely, such technologies could adversely affect our ability to compete.

If we fail to offer high-quality customer support, our business and reputation may suffer.

High-quality education, training and customer support are important for the successful marketing, sale and use of our customer platform and for the renewal of existing customers. Providing this education, training and support requires that our personnel who manage our online training resource, HubSpot Academy, or provide customer support have specific domain knowledge and expertise, making it more difficult for us to hire qualified personnel and to scale up our support operations. The importance of high-quality customer support will increase as we expand our business and pursue new customers. If we do not help our customers use multiple applications within our customer platform and provide effective ongoing support, our ability to sell additional functionality and services to, or to retain, existing customers may suffer and our reputation with existing or potential customers may be harmed.

We may not be able to scale our business quickly enough to meet our customers’ growing needs and if we are not able to grow efficiently, our operating results could be harmed.

As usage of our customer platform grows and as customers use our platform for additional applications, such as sales and services, we will need to devote additional resources to improving our application architecture, integrating with third-party systems and maintaining infrastructure performance. In addition, we will need to appropriately scale our internal business systems and our services organization, including customer support and professional services, to serve our growing customer base, particularly as our customer demographics change over time. Any failure of or delay in these efforts could cause impaired system performance and reduced customer satisfaction. These issues could reduce the attractiveness of our customer platform to customers, resulting in decreased sales to new customers, lower renewal rates by existing customers, the issuance of service credits, or requested refunds, which could impede our revenue growth and harm our reputation. Even if we are able to upgrade our systems and expand our staff, any such expansion will be expensive and complex, requiring management’s time and attention. We could also face inefficiencies or operational failures as a result of our efforts to scale our infrastructure. Moreover, there are inherent risks associated with upgrading, improving and expanding our information technology systems. We cannot be sure that the expansion and improvements to our infrastructure and systems will be fully or effectively implemented on a timely basis, if at all.

Our ability to introduce new products and features, including new products and features that utilize AI, is dependent on adequate research and development resources. If we do not adequately fund our research and development efforts, we may not be able to compete effectively and our business and operating results may be harmed.

To remain competitive, we must continue to develop new product offerings, applications, features and enhancements to our existing customer platform. Maintaining adequate research and development personnel and resources to meet the demands of the market is essential. If we are unable to develop our platform internally due to certain constraints, such as high employee turnover, lack of management ability or a lack of other research and development resources, we may miss market opportunities. Further, many of our competitors expend a considerably greater amount of funds on their research and development programs, and those that do not may be acquired by larger companies that would allocate greater resources to our competitors’ research and development programs. Our failure to maintain adequate research and development resources, including recruiting and retaining highly qualified personnel (particularly with AI and machine learning backgrounds), or to compete effectively with the research and development programs of our competitors could materially adversely affect our business.

The development of next-generation solutions that utilize new and advanced features, including AI and machine learning, such as Breeze, involves making predictions regarding the willingness of the market to adopt such technologies over legacy solutions. The Company may be required to commit significant resources to developing new products, software and services, such as Breeze, before knowing whether such investment will result in products or services that the market will accept.

The Company’s inability, for technological, legal or other reasons, some of which may be beyond the Company’s control, to enhance, develop, introduce and monetize products and services in a timely manner, or at all, in response to changing market conditions or customer requirements could have a material adverse effect on the Company’s business, results of operations and financial condition or could result in its products and services not achieving market acceptance or becoming obsolete. In addition, if the Company fails to deliver a compelling customer experience or accurately predict emerging technological trends and the changing needs of customers and end users, or if the features of its new products and services do not meet the demands of its customers or are not sufficiently differentiated from those of its competitors, the Company’s business, results of operations and financial condition could be materially harmed.

Uncertainty around new and emerging AI applications such as agentic AI technologies and generative AI content creation, including Breeze, may require additional investment in the development or acquisition of proprietary datasets, machine learning models and other AI systems to test for accuracy, bias and other variables, which are often complex. Development of new approaches and processes to provide attribution or remuneration to content creators and building and/or integrating systems that enable creatives to have greater control over the use of their work in the development of AI may be costly and could impact our profit margin if we are unable to monetize such assets. In addition, AI technologies, including agentic and generative AI tools, may create content, analyses or recommendations without human intervention that take or suggest actions based on incomplete or inaccurate data, “hallucinatory” inferences, or flawed training inputs, or contain copyrighted or other protected material, and if our customers or others use this flawed or protected content or materials to their detriment, we may be exposed to brand or reputational harm, competitive harm, and/or legal liability. Developing, testing and deploying AI systems may also increase the cost profile of our offerings due to the nature of the computing costs involved in such systems.

Changes in the sizes or types of businesses that purchase our platform or in the applications within our customer platform purchased or used by our customers could negatively affect our operating results.

Our strategy is to sell subscriptions to our customer platform to mid-sized businesses, but we have sold and will continue to sell to organizations ranging from small businesses to enterprises. Our gross margins can vary depending on numerous factors related to the implementation and use of our customer platform, including the sophistication and intensity of our customers’ use of our platform and the level of professional services and support required by a customer. Sales to enterprise customers may entail longer sales cycles and more significant selling efforts. Selling to small businesses may involve greater credit risk and uncertainty. If there are changes in the mix of businesses that purchase our platform or the mix of the product plans purchased by our customers, our gross margins could decrease and our operating results could be adversely affected.

We have in the past completed acquisitions and may continue to acquire or invest in other companies or technologies in the future, which could divert management’s attention, fail to meet our expectations, result in additional dilution to our stockholders, increase expenses, disrupt our operations or harm our operating results.

We have in the past acquired, and we may in the future acquire or invest in, businesses, products or technologies that we believe could complement or expand our platform, enhance our technical capabilities or otherwise offer growth opportunities. We may not be able to fully realize the anticipated benefits of historical or any future acquisitions. The pursuit of potential acquisitions may divert the attention of management and cause us to incur various expenses related to identifying, investigating and pursuing suitable acquisitions, whether or not they are consummated.

There are inherent risks in integrating and managing acquisitions. If we acquire additional businesses, we may not be able to assimilate or integrate the acquired personnel, operations and technologies successfully or effectively manage the combined business following the acquisition and our management may be distracted from operating our business. We also may not achieve the anticipated benefits from the acquired business due to a number of factors, including: unanticipated costs or liabilities associated with the acquisition; incurrence of acquisition-related costs, which would be recognized as a current period expense; the inability to generate sufficient revenue to offset acquisition or investment costs; the inability to maintain relationships with customers and partners of the acquired business; the difficulty of incorporating acquired technology and rights into our platform and of maintaining quality and security standards consistent with our brand; delays in customer purchases due to uncertainty related to any acquisition; the need to integrate or implement additional controls, procedures and policies; challenges caused by distance, language and cultural differences; harm to our existing business relationships with business partners and customers as a result of the acquisition; the potential loss of key employees; use of resources that are needed in other parts of our business and diversion of management and employee resources; and use of substantial portions of our available cash or the incurrence of debt to consummate the acquisition. Acquisitions also increase the risk of unforeseen legal and compliance liabilities, including for potential violations of applicable law or industry rules and regulations, arising from prior or ongoing acts or omissions by the acquired businesses which are not discovered by due diligence during the acquisition process, including data handling, cybersecurity risks and privacy violations. Generally, if an acquired business fails to meet our expectations, our operating results, business and financial condition may suffer. Acquisitions could also result in dilutive issuances of equity securities or the incurrence of debt, which could adversely affect our business, results of operations or financial condition.

In addition, a significant portion of the purchase price of companies we acquire may be allocated to goodwill and other intangible assets, which must be assessed for impairment at least annually. If our acquisitions do not ultimately yield expected returns, we may be required to make charges to our operating results based on our impairment assessment process, which could harm our results of operations.

We are subject to risks associated with our strategic investments, including partial or complete loss of invested capital. Significant changes in the fair value of this portfolio, including changes in the valuation of our investments in privately held companies, could negatively impact our financial results.

We have made, and expect in the future to make, strategic investments in privately held companies and private limited partnerships. While we invest in companies that we believe have the potential to transform their industries, improve customer experiences, help us expand our solution ecosystem or support other corporate initiatives, we may still experience unforeseen brand or reputational harm associated with our investments. We may also experience challenges from regulatory authorities in connection with our investments, including from antitrust authorities who are increasingly scrutinizing technology investments, and which may lead to unforeseen expenditures or which may block, delay or impose undesirable conditions on transactions involving our investment portfolio. Our investments range from early-stage companies to more mature companies with established revenue streams and business models. Many such companies generate net losses and the market for their products, services or technologies may be slow to develop, and, therefore, they are dependent on the availability of later rounds of financing from banks or investors on favorable terms to continue their operations. Investments in early-stage companies are inherently speculative, as these companies may not yet be revenue-generating and could still be in the process of developing their products and services at the time of our investment. The financial success of our investment in any company or partnership is typically dependent on a liquidity event, such as a public offering, acquisition or other favorable market event reflecting appreciation to the cost of our initial investment. In certain cases, our ability to sell these investments may be impacted by contractual obligations to hold the securities for a set period of time after a public offering. All of our investments are subject to a risk of partial or total loss of invested capital.

We may experience future volatility in our consolidated statements of operations due to changes in market prices, observable price changes and impairments of our strategic investments. The resulting gains or losses could be material depending on market conditions and events, particularly in periods with economic uncertainty, inflation, geopolitical conflict, volatile public equity markets or unsettled global market conditions.

Because our long-term growth strategy involves further expansion of our sales to customers outside the United States, our business will be susceptible to risks associated with international operations.

A component of our growth strategy involves the further expansion of our operations and customer base internationally. We have formed several international entities and may plan to form additional entities in the future. These international operations focus primarily on sales, professional services and support, and select international locations have development teams. Our current international operations and future initiatives will involve a variety of risks, including:

difficulties in maintaining our company culture with a dispersed and distant workforce;
more stringent regulations relating to data security and the unauthorized use of, or access to, commercial and personal data, particularly in the European Union;
unexpected changes in regulatory requirements, taxes or trade laws, including tariffs or other trade restrictions;
differing labor regulations, especially in the European Union, where labor laws are generally more advantageous to employees as compared to the United States, including deemed hourly wage and overtime regulations in these locations;
challenges inherent in efficiently managing an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, benefits and compliance programs;
difficulties in managing a business in new markets with diverse cultures, languages, customs, legal systems, alternative dispute systems and regulatory systems;
currency exchange rate fluctuations and the resulting effect on our revenue and expenses, and the cost and risk of entering into hedging transactions;
global economic uncertainty caused by global political events, including changes in trade policies, including trade wars, tariffs or other trade restrictions or the threat of such actions;
limitations on our ability to reinvest earnings from operations in one country to fund the capital needs of our operations in other countries;
limited or insufficient intellectual property protection;
perceptions of U.S.-based companies in the regions where we operate or plan to operate;
perceptions of regions or governments in the regions where we operate or plan to operate, resulting in negative publicity or reputational harm;
international disputes, wars, political instability or terrorist activities and resulting economic instability;
likelihood of potential or actual violations of domestic and international anticorruption laws, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act, or of U.S. and international export control and sanctions regulations, which likelihood may increase with an increase of sales or operations in foreign jurisdictions and operations in certain industries; and
adverse tax burdens and foreign exchange controls that could make it difficult to repatriate earnings and cash.

Our limited experience in operating our business internationally increases the risk that any potential future expansion efforts that we may undertake will not be successful. If in the future, we invest substantial time and resources to expand our international operations and are unable to do so successfully and in a timely manner, our business and operating results will suffer. We continue to implement policies and procedures to facilitate our compliance with U.S. laws and regulations applicable to or arising from our international business. Inadequacies in our past or current compliance practices may increase the risk of inadvertent violations of such laws and regulations, which could lead to financial and other penalties that could damage our reputation and impose costs on us.

Social and ethical issues relating to the use of new and evolving technologies, such as AI, in our offerings may result in reputational harm and liability.

Social and ethical issues relating to the use of new and evolving technologies, such as AI, in our offerings may result in reputational harm and liability, and may cause us to incur additional research and development costs to resolve such issues. We are increasingly building AI into many of our offerings, including early-stage agentic and generative AI features. As with many innovations, AI presents risks and challenges that could affect its adoption, and therefore our business. If we enable or offer solutions that draw controversy due to their perceived or actual impact on human rights, privacy, employment, or in other social contexts, we may experience brand or reputational harm, competitive harm or legal liability. Potential government regulation related to AI use and ethics may also increase the burden and cost of research and development in this area, and failure to properly remediate AI usage or ethics issues may cause public confidence in AI to be undermined, which could slow adoption of AI in our products and services. The rapid evolution of AI will require the application of resources to develop, test and maintain our products and services to help ensure that AI is implemented ethically in order to minimize unintended, harmful impact.

Risks Related to Employee Matters

If we cannot maintain our company culture as we experience changes in our workforce, we could lose the innovation, teamwork, passion and focus on execution that we believe contribute to our success and our business may be harmed.

We believe that a critical component to our success has been our company culture, which is based on transparency and personal autonomy. We have invested substantial time and resources in building our team within this company culture. We offer a hybrid workplace model, which means our employees have the option to be fully remote, work full-time from one of our offices, or work both in the office and remotely. Preservation of our corporate culture has been made more difficult as the majority of our workforce works from home. Any failure to preserve our culture could negatively affect our ability to retain and recruit personnel and to effectively focus on and pursue our corporate objectives. As we grow and continue to develop our company infrastructure, and experience organizational change, we may find it difficult to maintain these important aspects of our company culture and our business may be adversely impacted.

We rely on our management team and other key employees, and the loss of one or more key employees could harm our business.

Our success and future growth depend upon the continued services of our management team, including our co-founder, Dharmesh Shah, our chief executive officer, Yamini Rangan, and other key employees in the areas of research and development, marketing, sales, services, operations, and general and administrative functions. From time to time, there may be changes in our management team resulting from the hiring or departure of executives, which could disrupt our business. We also are dependent on the continued service of our existing software engineers and information technology personnel because of the complexity of our platform, technologies and infrastructure. We may terminate any employee’s employment at any time, with or without cause, and any employee may resign at any time, with or without cause. We do not have employment agreements with any of our key personnel. The loss of one or more of our key employees could harm our business.

The failure to attract and retain additional qualified personnel could prevent us from executing our business strategy.

To execute our business strategy, we must attract and retain highly qualified personnel. In particular, we compete with many other companies for software developers with high levels of experience in designing, developing and managing cloud-based software, or with AI and machine learning backgrounds, as well as for skilled information technology, marketing, sales and operations professionals, and we may not be successful in attracting and retaining the professionals we need. Also, our customer platform domain experts are very important to our success and are difficult to replace. We have from time to time in the past experienced, and we expect to continue to experience in the future, difficulty in hiring and difficulty in retaining highly skilled employees with appropriate qualifications worldwide, particularly for engineers with experience in AI. Many of the companies with which we compete for experienced personnel have greater resources than we do. Other companies that continue to offer a remote or hybrid work environment may increase the competition for such employees from employers outside of our traditional office locations. In addition, if we choose to no longer offer a remote or hybrid work environment, we may face more difficulty in retaining our workforce. Further, labor is subject to external factors that are beyond our control, including our industry’s highly competitive market for skilled workers and leaders, cost inflation, and workforce participation rates. In addition, if our reputation were to be harmed, whether as a result of media, legislative, or regulatory scrutiny or otherwise, it could make it more difficult to attract and retain personnel that are critical to the success of our business.

In addition, in making employment decisions, particularly in the software industry, job candidates often consider the value of equity incentives they are to receive in connection with their employment. If the price of our stock declines, or experiences significant volatility, our ability to attract or retain key employees will be adversely affected. If we fail to attract new personnel or fail to retain and motivate our current personnel, our growth prospects could be severely harmed.


Risks Related to Global Economic Conditions


We are exposed to fluctuations in currency exchange rates that could adversely affect our financial results.

We face exposure to movements in currency exchange rates, which may cause our revenue and operating results to differ materially from expectations. As we have expanded our international operations, our exposure to exchange rate fluctuations has increased. Fluctuations in the value of the U.S. dollar versus foreign currencies may impact our operating results when translated into U.S. dollars. Thus, our results of operations and cash flows are subject to fluctuations due to changes in foreign currency exchange rates and may be adversely affected in the future due to changes in foreign currency exchange rates. As exchange rates vary, revenue, cost of revenue, operating expenses and other operating results, when re-measured, may differ materially from expectations. In addition, our operating results are subject to fluctuation if our mix of U.S. and foreign currency denominated transactions and expenses changes in the future. In the first quarter of 2024, we implemented a hedging program intended to allow us to mitigate foreign exchange impacts, such as exposure to currency exchange rates in connection with significant transactions denominated in currencies other than the U.S. dollar, by entering into derivatives transactions such as foreign exchange forwards. We may also employ certain other strategies in the future to mitigate foreign currency risk. There can be no guarantee or assurance that such hedging program and the strategies we employ pursuant thereto will be effective to reduce or eliminate our exposure to foreign exchange rate fluctuations to the extent we anticipate, or at all. Furthermore, the hedging program and the derivatives transactions employed as part thereof involve costs and risks of their own, including ongoing management time and expertise, external costs to implement the programs and strategies, potential counterparty credit risk and liquidity risk, and potential accounting implications. Additionally, as we anticipate growing our business further outside of the United States, the effects of movements in currency exchange rates will increase as our transaction volume outside of the United States increases.

Weakened global economic conditions may harm our industry, business and results of operations.

Our overall performance depends in part on worldwide economic conditions. Global financial developments and downturns seemingly unrelated to us or the software industry may harm us. The United States and other key international economies have been affected from time to time by falling demand for a variety of goods and services, restricted credit, poor liquidity, reduced corporate profitability, volatility in credit, equity and foreign exchange markets, volatility in the banking sector, changes in the labor market, supply chain disruptions, bankruptcies, inflation and overall uncertainty with respect to the economy, including with respect to trade issues, such as trade wars, tariffs or other trade restrictions or the threat of such actions. For example, on October 1, 2025, the U.S. federal government shut down through November 12, 2025, suspending services deemed non-essential as a result of the failure by Congress to enact regular appropriations for the 2026 fiscal year. If we experience another government shutdown, it could result in increased uncertainty and volatility in the global economy and financial markets which could have an adverse effect on our business. Weak economic conditions or significant uncertainty regarding the stability of financial markets related to stock market volatility, inflation, recession, changes in tariffs or other trade restrictions, trade agreements, trade wars or governmental fiscal, monetary and tax policies, among others, could adversely impact our business, financial condition and operating results. Further, weak market conditions have, and could in the future result in, impairment of our investments and long-lived assets.

Further, the economies of countries in Europe have been experiencing weakness associated with high sovereign debt levels, weakness in the banking sector, uncertainty over the future of the Eurozone and volatility in the value of the pound sterling and the Euro and instability resulting from the ongoing conflicts between Russia and Ukraine and in Israel, Gaza, Iran, and in Venezuela. The effects of such conflicts, including any resulting sanctions, export controls or other restrictive actions that may be imposed against governmental or other entities in, for example, Russia, have in the past contributed and may in the future contribute to disruption, instability and volatility in the global markets. We have operations, as well as current and potential new customers, throughout Europe. If economic conditions in Europe and other key markets for our platform continue to remain uncertain or deteriorate further, it could adversely affect our customers’ ability or willingness to subscribe to our platform, delay prospective customers’ purchasing decisions, reduce the value or duration of their subscriptions or affect renewal rates, all of which could harm our operating results.

More recently, global inflation rates have increased to levels not seen in several decades, which may result in decreased demand for our products and services, increases in our operating costs, including our labor costs, constrained credit and liquidity, reduced government spending and volatility in financial markets. The Federal Reserve and other international government agencies have raised, and may again raise, interest rates in response to concerns over inflation risk. Increases in interest rates on credit and debt that would increase the cost of any borrowing that we may make from time to time and could impact our ability to access the capital markets. Increases in interest rates, especially if coupled with reduced government spending and volatility in financial markets, may have the effect of further increasing economic uncertainty and heightening these risks. In an inflationary environment, we may be unable to raise the sales prices of our products and services at or above the rate at which our costs increase, which could/would reduce our profit margins and have a material adverse effect on our financial results and net income. We also may experience lower than expected sales and potential adverse impacts on our competitive position if there is a decrease in consumer spending or a negative reaction to our pricing. A reduction in our revenue would be detrimental to our profitability and financial condition and could also have an adverse impact on our future growth.

There continues to be uncertainty in the changing market and economic conditions, including the possibility of additional measures that could be taken by the Federal Reserve and other domestic and international government agencies, related to concerns over inflation risk. A sharp rise in interest rates could have an adverse impact on the fair market value of certain securities in our portfolio and investments in some financial instruments could pose risks arising from market liquidity and credit concerns, which could adversely affect our financial results.

Economic uncertainty may lead to decreased demand for our products and services and otherwise harm our business and results of operations.

Our overall performance depends, in part, on worldwide economic conditions. Impacts of economic weakness include:

falling overall demand for goods and services, leading to reduced profitability;
reduced credit availability;
higher borrowing costs;
reduced liquidity;
changes in the labor market;
supply chain disruptions;
volatility in credit, equity and foreign exchange markets; and
bankruptcies.

Economic weakness could lead to inflation, higher interest rates, and uncertainty about business continuity, which may adversely affect our business and our results of operations. As our customers react to global economic conditions and the potential for a global recession, we may see them reduce spending on our products and take additional precautionary measures to limit or delay expenditures and preserve capital and liquidity. Reductions in spending on our solutions, delays in purchasing decisions, lack of renewals, inability to attract new customers, as well as pressure for extended billing terms or pricing discounts, would limit our ability to grow our business and could negatively affect our operating results and financial condition.

Risks Related to Our Technical Operations Infrastructure and Dependence on Third Parties

Interruptions or delays in service from our third-party data center providers could impair our ability to deliver our platform to our customers, resulting in customer dissatisfaction, damage to our reputation, loss of customers, limited growth and reduction in revenue.

We currently serve the majority of our platform functions from third-party data center hosting facilities operated by Amazon Web Services (“AWS”) in the United States and Europe. We also have several colocations which host certain critical services (for example, VPN access) in various locations around the world. In addition, we use Cloudflare Global CDN to optimize content delivery across our locations.

Any damage to, or failure of, the systems of our third-party providers could result in interruptions to our platform. Despite precautions taken at our data centers, the occurrence of spikes in usage volume, a natural disaster, such as earthquakes or hurricane, an act of terrorism, geopolitical conflict, vandalism or sabotage, a disruptive cyber-attack, a decision to close a facility without adequate notice, power or telecommunications failures or other unanticipated problems at a facility could result in lengthy interruptions in the availability of our on-demand software. Similarly, security vulnerabilities or data breaches with our third-party providers could impact the security and availability of our platform. In the event that any of our third-party facilities arrangements is terminated, or if there is a lapse of service or damage to a facility, we could experience interruptions in our platform as well as delays and additional expenses in arranging new facilities and services. Even with current and planned disaster recovery arrangements, our business could be harmed. Also, in the event of damage or interruption, our insurance policies may not adequately compensate us for any losses that we may incur. These factors in turn could further reduce our revenue, subject us to liability and cause us to issue credits or cause customers to fail to renew their subscriptions, any of which could materially adversely affect our business.

If our customer platform has outages or fails due to defects or similar problems, and if we fail to correct any defect or other software problems, we could lose customers, become subject to service performance or warranty claims or incur significant costs.

Our customer platform and its underlying infrastructure are inherently complex and may contain material defects or errors. We release modifications, updates, bug fixes and other changes to our software several times per day, without traditional human-performed quality control reviews for each release. We have from time to time found defects in our software and may discover additional defects in the future. We may not be able to detect and correct defects or errors before customers begin to use our platform or its applications. Consequently, we or our customers may discover defects or errors after our platform has been implemented. Defects or errors could result in product outages and could also cause inaccuracies in the data we collect and process for our customers, or even the loss, damage or inadvertent release of such confidential data. We implement bug fixes and upgrades as part of our regular system maintenance, which may lead to system downtime. Even if we are able to implement the bug fixes and upgrades in a timely manner, any history of product outages, defects or inaccuracies in the data we collect for our customers, or the loss, damage or inadvertent release of confidential data could cause our reputation to be harmed, and customers may elect not to purchase or renew their agreements with us. Furthermore, these issues could subject us to service performance credits (whether offered by us or required by contract), warranty claims or increased insurance costs. The costs associated with product outages, any material defects or errors in our platform or other performance problems may be substantial and could materially adversely affect our operating results.

In addition, third-party applications and features on our customer platform may not meet the same quality standards that we apply to our own development efforts and, to the extent they contain bugs, vulnerabilities or defects, they may create disruptions in our customers’ use of our products, lead to data loss, unauthorized access to customer data, damage our brand and reputation and affect the continued use of our products, any of which could harm our business, results of operations and financial condition.

If our information technology systems, including our customer platform, have outages or fail due to defects or similar problems, and if we fail to correct any defect or other software problems, it could disrupt our internal operations or services provided to customers, and could reduce our revenue, increase our expenses, damage our reputation and adversely affect our cash flows and stock price.

We rely on our information technology systems, including the sustained and uninterrupted performance of our customer platform, to manage numerous aspects of our business, including marketing, sales, content management, customer service and other internal operations. Our information technology systems are an essential component of our business and any disruption could significantly limit our ability to manage and operate our business efficiently.

Our customer platform and its underlying infrastructure are inherently complex and may contain material defects or errors. We release modifications, updates, bug fixes and other changes to our software several times per day, without traditional human-performed quality control reviews for each release. While we seek to implement secure development practices, we cannot eliminate the risk that our applications may have vulnerabilities. From time to time, we find defects in our software and may discover in the future additional defects, outages, delays or cessations of service, performance and quality problems or may produce errors in connection with systems integrations, migration work or other causes, which could result in business disruptions and the process of remediating them could be more expensive, time-consuming, disruptive and resource intensive than planned. Such disruptions could adversely impact our internal operations and interrupt other processes. Delayed sales, lower margins or lost customers resulting from these disruptions could reduce our revenue, increase our expenses, damage our reputation and adversely affect our cash flows and stock price.

We are dependent on the continued availability of third-party data hosting and transmission services.

A significant portion of our operating cost is from our third-party data hosting and transmission services, including AWS, which hosts the substantial majority of our products and platform. If the costs for such services increase due to vendor consolidation, regulation, contract renegotiation, or otherwise, we may not be able to increase the fees for our customer platform or services to cover the changes, which could have a negative impact on our operating results.

Additionally, our customers need to be able to access our platform at any time, without interruption or degradation of performance. AWS runs its own platform that we access, and we are, therefore, vulnerable to service interruptions at AWS. We have experienced, and expect that in the future we may experience interruptions, delays and outages in service and availability due to a variety of factors, including infrastructure changes, human or software errors, website hosting disruptions and capacity constraints. Moreover, as a result of the increasing use and deployment of AI technologies, infrastructure capacity requirements, including network capacity and, computing power and energy requirements, may increase which could lead to an increase in service interruptions we experience. In some instances, including because we do not control our service providers, we may not be able to identify the cause or causes of these problems within a period of time acceptable to our customers. Additionally, as our business continues to grow, to the extent that we do not effectively address capacity constraints, through our providers of cloud infrastructure, our results of operations may be adversely affected. In addition, any changes in service levels from our service providers may adversely affect our ability to meet our customers’ requirements, result in negative publicity which could harm our reputation and brand and may adversely affect the usage of our platform.

If we do not or cannot maintain the compatibility of our customer platform with third-party applications that our customers use in their businesses, our revenue will decline.

A significant percentage of our customers choose to integrate our platform with certain capabilities provided by third-party application providers using application programming interfaces (“APIs”) published by these providers. The functionality and popularity of our customer platform depends, in part, on our ability to integrate our platform with third-party applications and platforms, including CRM, CMS, e-commerce, call center, analytics and social media sites that our customers use and from which they obtain data. Third-party providers of applications and APIs may change the features of their applications and platforms, restrict our access to their applications and platforms, or alter the terms governing use of their applications and APIs and access to those applications and platforms in an adverse manner. Such changes could functionally limit or terminate our ability to use these third-party applications and platforms in conjunction with our platform, which could negatively impact our offerings and harm our business. If we fail to integrate our platform with new third-party applications and platforms that our customers use for marketing, sales, services, operations, commerce, or content management purposes, or fail to renew existing relationships pursuant to which we currently provide such integration, we may not be able to offer the functionality that our customers need, which would negatively impact our ability to generate new revenue or maintain existing revenue and adversely impact our business.

We rely on data provided by third parties, the loss of which could limit the functionality of our platform and disrupt our business.

Select functionality of our customer platform depends on our ability to deliver data, including search engine results and social media updates, provided by unaffiliated third parties, such as Meta, Google, LinkedIn and X. Some of this data is provided to us pursuant to third-party data sharing policies and terms of use, under data sharing agreements by third-party providers or by customer consent. In the future, any of these third parties could change its data sharing policies, including making them more restrictive, or alter its algorithms that determine the placement, display, and accessibility of search results and social media updates, any of which could result in the loss of, or significant impairment to, our ability to collect and provide useful data to our customers. These third parties could also interpret our, or our service providers’ data collection policies or practices as being inconsistent with their policies, which could result in the loss of our ability to collect this data for our customers. Any such changes could impair our ability to deliver data to our customers and could adversely impact select functionality of our platform, impairing the return on investment that our customers derive from using our solution, as well as adversely affecting our business and our ability to generate revenue.

Privacy concerns and end users’ acceptance of Internet behavior tracking may limit the applicability, use and adoption of our customer platform.

Privacy concerns may cause end users to resist providing the personal data necessary to allow our customers to use our platform effectively. We have implemented various features intended to enable our customers to better protect end user privacy, but these measures may not alleviate all potential privacy concerns and threats. Even the perception of privacy concerns, whether or not valid, may inhibit market adoption of our platform. Privacy advocacy groups and the technology and other industries are considering various new, additional or different self-regulatory standards that may place additional burdens on us. The costs of compliance with, and other burdens imposed by these groups’ policies and actions may limit the use and adoption of our customer platform and reduce overall demand for it, or lead to significant fines, penalties or liabilities for any noncompliance or loss of any such action.

If our or our customers’ security measures are compromised or unauthorized access to data of our customers or their customers is otherwise obtained, our customer platform may be perceived as not being secure, our customers may be harmed and may curtail or cease their use of our platform, our reputation may be damaged and we may incur significant liabilities.

Our operations involve the storage and transmission of data of our customers and their customers, including personal data. Our storage is typically the sole source of record for portions of our customers’ businesses and end user data, such as initial contact information and online interactions. While we have security measures in place designed to protect our production and development environments and other systems, maintain the integrity of customer, company, and employee information, and prevent data loss, misappropriation and other security incidents and breaches, there can be no assurance that such security measures will be effective, security incidents or data breaches could result in unauthorized access to, loss of or unauthorized disclosure of this information, litigation, indemnity obligations and other possible liabilities, as well as negative publicity, which could damage our reputation, impair our sales and harm our customers and our business. Cyber-attacks and other malicious Internet-based activity continue to increase generally, and cloud-based platform providers of marketing services have been targeted. If our security measures, or those of our service providers, are compromised as a result of third-party action, employee, vendor or customer error or wrongful conduct, malfeasance, stolen or fraudulently obtained log-in credentials or otherwise, our reputation could be damaged, our business may be harmed and we could incur significant liability.
Additionally, if third parties with whom we work, such as vendors or developers, violate applicable laws, our security policies or our acceptable use policy, such violations may also put our customers’ information at risk and could in turn have an adverse effect on our business. In addition, if the security measures of our customers or our service providers are compromised, even without any actual compromise of our own systems, we may face negative publicity or reputational harm if our customers or anyone else incorrectly attributes the blame for such security breaches to us or our systems. We may be unable to anticipate or prevent techniques used to obtain unauthorized access or to sabotage systems because they change frequently and generally are not detected until after an incident has occurred. As we increase our customer base and our brand becomes more widely known and recognized, we may become more of a target for third parties seeking to compromise our security systems or gain unauthorized access to our customers’ data. Additionally, we provide our employees with limited access restricted via just-in-time-access controls and least privilege access models to our databases, which store our customer data, and to our APIs to facilitate our rapid pace of product development and to support our customers. If such access, unauthorized access or our own operations, cause damage, destruction or loss (including, without limitation, because of actions by a bad actor, attempts to exfiltrate customer data which attempts we have experienced in the past and could experience in the future), our systems being compromised or unintentional or accidental disclosure, or destruction of our customers’ business data, their sales, lead generation, support and other business operations may be permanently harmed. As a result, our customers may bring claims against us for lost profits and other damages, or such concerns may cause us to further limit access by our development team. 
Additionally, in certain of our subscription agreements with our customers, we agree to indemnify these customers against claims by a third party alleging our breach of confidentiality obligations or our misuse of customer data in violation of the subscription agreement.

Cyber-attacks, denial-of-service attacks, ransomware attacks, supply chain attacks, business email compromises, computer malware, viruses, wrongful intrusions, data breaches, social engineering (including phishing), and other compromises are prevalent in our industry, the industries of certain of our service providers and our customers' industries. Like other companies in our industry, we and our third party vendors have in the past experienced threats and security incidents related to our data and systems, and we may in the future experience other threats, compromises, breaches, or incidents. Attempts to disrupt or gain unauthorized access to our and our third-party vendors’ information systems from malicious third parties or insider threats may incorporate widely varying and frequently changing tactics, which may be enhanced or facilitated by AI. Our internal computer systems and those of our current and any future strategic collaborators, vendors, and other contractors or consultants are vulnerable to damage from cyber-attacks, attacks enhanced or facilitated by AI, computer viruses, unauthorized access, natural disasters, cybersecurity threats, terrorism, geopolitical conflict, war and telecommunication and electrical failures. Accordingly, if our cybersecurity measures or those of our service providers fail to protect against unauthorized access, attacks (which may include sophisticated cyber-attacks), compromise or the mishandling of data by our employees and contractors, then our reputation, customer trust, business, results of operations and financial condition could be adversely affected. Cyber incidents have been increasing in sophistication and frequency and can include third parties gaining access to employee or customer data using stolen or inferred credentials, computer malware, viruses, spamming, phishing attacks, ransomware, vulnerabilities in first- or third-party code, card skimming code, and other deliberate attacks and attempts to gain unauthorized access. These attacks and activity are also being facilitated or enhanced by evolving technologies, including AI. This risk is increased by the difficulty of balancing rapid vulnerability patching and system availability in a large and rapidly-changing production environment. At times, we may be unable to patch all of our systems in a manner that strictly adheres to our internally prescribed timelines. The techniques used to sabotage or to obtain unauthorized access to our platform, systems, networks, or physical facilities in which data is stored or through which data is transmitted change frequently, and we may be unable to implement adequate preventative measures or stop security breaches while they are occurring. Because the techniques used by threat actors who may attempt to penetrate and sabotage our computer systems change frequently and may not be recognized until launched against a target, we may be unable to anticipate these techniques.
Additionally, with the expansion of remote work and resource access, there is an increased risk that we may experience cybersecurity-related events such as phishing attacks, exploitation of any cybersecurity flaws that may exist, an increase in the number of cybersecurity threats or attacks, and other security challenges as a result of most of our employees and our service providers continuing to work remotely from non-corporate managed networks. There is also a risk of potential increase in such attacks due to cyberwarfare in connection with the ongoing global conflicts, and this could adversely affect our and our suppliers' ability to maintain or enhance key cybersecurity and data protection measures. We believe we have previously been, and may in the future become, the target of cyber-attacks, incidents, or compromises by third parties seeking unauthorized access to our or our customers' data, systems, or infrastructure, or to disrupt our operations or ability to provide our services.

Additionally, it is also possible that unauthorized access to sensitive customer and business data may be obtained through inadequate use of security controls by our customers, suppliers or other vendors, using social engineering to cause an employee or contractor to install malware or exploiting known vulnerabilities. Like other businesses, we rely on hardware and software supplied by third-parties and, therefore, are susceptible to supply chain attacks. Such attacks are becoming increasingly common, and we may not be able to anticipate and prevent negative impacts from such an attack. If we are impacted by a supply chain attack, we could incur liability, our competitive position could be harmed and the further development and commercialization of our product and services could be hindered or delayed.

Recent cybersecurity incidents and compromises affecting large institutions, including an incident that affected us in 2024, suggest that the risk of such events is significant, even if privacy protection and security measures are implemented and enforced. A cyber-attack, incident, or compromise could result in a material disruption of our development programs and our business operations, whether due to a loss of our trade secrets or other proprietary information or other disruptions. These cyber-attacks could be carried out by threat actors of all types (including but not limited to nation states, organized crime, other criminal enterprises, individual actors, malicious insiders, and/or advanced persistent threat groups). In addition, we may experience intrusions on our physical premises by any of these threat actors. To the extent that any compromise, disruption or security breach were to result in a loss of, or damage to, our data or applications, or inappropriate disclosure of confidential or proprietary information, we could incur liability, incur significant costs associated with remediation and the implementation of additional security measures, including costs to deploy additional personnel and protection technologies, train employees, and engage third-party experts and consultants, and our competitive position could be harmed. Any breach, loss, or compromise of personal data may also subject us to civil fines and penalties, or claims for damages either under the General Data Protection Regulation (the “EU GDPR”), the EU GDPR as incorporated into United Kingdom law, and relevant member state law in the European Union, other foreign laws, and other relevant state and federal privacy laws in the United States.

Many governments have enacted laws requiring companies to notify individuals of security incidents, including unauthorized access and transfers of certain types of personal data. In addition, the data processing agreement we execute with our customers contractually requires us to notify them of any personal data breach. Under payment card network rules and our contracts with our payment processors, if there is a data breach of payment resulting in the compromise of cardholder payment information that is stored by our direct payment card processing vendors, we could be liable to the payment card issuing banks for their cost of issuing new cards and related expenses depending on the cause of such data breach. Data breaches and other data security compromises experienced by our competitors, by our customers or by us may lead to public disclosures, which may lead to widespread negative publicity. Any security compromise in our industry, whether actual or perceived, could harm our reputation, erode customer confidence in the effectiveness of our security measures, negatively impact our ability to attract new customers, cause existing customers to elect not to renew their subscriptions or subject us to third-party lawsuits, regulatory fines or other action or liability, which could materially and adversely affect our business and operating results.

There can be no assurance that any limitations of liability provisions in our contracts for a security breach would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing insurance coverage will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims, or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, financial condition and operating results.

Risks Related to Intellectual Property


Our business may suffer if it is alleged or determined that our technology infringes the intellectual property rights of others.

The software industry is characterized by the existence of a large number of patents, copyrights, trademarks, trade secrets and other intellectual and proprietary rights. Companies in the software industry are often required to defend against litigation claims based on allegations of infringement or other violations of intellectual property rights. Many of our competitors and other industry participants have been issued patents and/or have filed patent applications and may assert patent or other intellectual property rights within the industry. Moreover, in recent years, individuals and groups that are non-practicing entities, commonly referred to as “patent trolls,” have purchased patents and other intellectual property assets for the purpose of making claims of infringement in order to extract settlements. From time to time, we may receive threatening letters or notices or may be the subject of claims that our services and/or platform and underlying technology infringe or violate the intellectual property rights of others. Responding to such claims, regardless of their merit, can be time consuming, costly to defend in litigation, divert management’s attention and resources, damage our reputation and brand and cause us to incur significant expenses. Our technologies may not be able to withstand any third-party claims against their use. Claims of intellectual property infringement, even those without merit, could require us to redesign our application, delay releases, enter into costly settlement or license agreements or pay costly damage awards, or face a temporary or permanent injunction prohibiting us from marketing or selling our platform. If we cannot or do not license the infringed technology on reasonable terms or at all, or substitute similar technology from another source, our revenue and operating results could be adversely impacted. Additionally, our customers may not purchase our customer platform if they are concerned that they may infringe third-party intellectual property rights. The occurrence of any of these events may have a material adverse effect on our business.

In our subscription agreements with customers, we agree to indemnify them against claims by a third party alleging infringement of a valid patent, registered copyright or registered trademark. Customers can also assert a common law indemnity claim or that any existing limitations of liability provisions in our contracts would be enforceable or adequate, or would otherwise protect us from any such liabilities or damages with respect to any particular claim. Our customers who are accused of intellectual property infringement may in the future seek indemnification from us under common law or other legal theories. If such claims are successful, or if we are required to indemnify or defend our customers from these or other claims, these matters could be disruptive to our business and management and have a material adverse effect on our business, operating results and financial condition.

If we fail to adequately protect our proprietary rights, in the United States and abroad, our competitive position could be impaired and we may lose valuable assets, experience reduced revenue and incur costly litigation to protect our rights.

Our success is dependent, in part, upon protecting our proprietary technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual restrictions to establish and protect our proprietary rights in our products and services. However, the steps we take to protect our intellectual property may be inadequate. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Any of our trademarks or other intellectual property rights may be challenged by others or invalidated through administrative process or litigation. Furthermore, legal standards relating to the validity, enforceability and scope of protection of intellectual property rights are uncertain. Additionally, the intellectual property ownership and license rights surrounding AI technologies, which we are increasingly building into our product offerings, have not been fully addressed by U.S. courts or other federal, state or international laws or regulations, and the use or adoption of AI technologies in our products and services may expose us to claims of copyright infringement or other intellectual property infringement or misappropriation, violation of applicable laws or regulations, or breach of contractual obligations to which we are or may become subject. Despite our precautions, it may be possible for unauthorized third parties to copy our technology and use information that we regard as proprietary to create products and services that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our offerings may be unenforceable under the laws of certain jurisdictions and foreign countries.
In addition, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States. To the extent we expand our international activities, our exposure to unauthorized copying and use of our technology and proprietary information may increase.

We enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances. No assurance can be given that these agreements will be effective in controlling access to and distribution of our products and proprietary information.

Further, these agreements may not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our platform and offerings.

We may be required to spend significant resources to monitor and protect our intellectual property rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation, could delay further sales or the implementation of our platform and offerings, impair the functionality of our platform and offerings, delay introductions of new features or enhancements, result in our substituting inferior or more costly technologies into our platform and offerings, or injure our reputation.

Our use of “open source” software could negatively affect our ability to offer our platform and subject us to possible litigation.

A substantial portion of our cloud-based platform incorporates so-called “open source” software, and we may incorporate additional open source software in the future. Open source software is generally freely accessible, usable and modifiable. Certain open source licenses may, in certain circumstances, require us to offer the components of our platform that incorporate the open source software for no cost, that we make available source code for modifications or derivative works we create based upon, incorporating or using the open source software and that we license such modifications or derivative works under the terms of the particular open source license. If an author or other third party that distributes open source software we use were to allege that we had not complied with the conditions of one or more of these licenses, we could be required to incur significant legal expenses defending against such allegations and could be subject to significant damages, including being enjoined from the offering of the components of our platform that contained the open source software and being required to comply with the foregoing conditions, which could disrupt our ability to offer the affected software. We could also be subject to suits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our operating results and financial condition and require us to devote additional research and development resources to change our products.

Risks Related to Government Regulation

We are subject to governmental regulation and other legal obligations, particularly related to privacy, data protection and information security, and our actual or perceived failure to comply with such obligations could harm our business. Compliance with such laws could also impair our efforts to maintain and expand our customer base and business lines, and thereby decrease our revenue.

Our handling of data across our products and services is subject to a variety of laws and regulations, including regulation by various government agencies, including the U.S. Federal Trade Commission ("FTC"), and various state, local and foreign agencies. We collect personal data and other data from our customers, prospects, partners, third-party providers and publicly available sources. We also handle personal data about our customers’ customers. We use this information to provide services to our customers, to support, expand and improve our business. We may also share customers’ personal data with third parties as authorized by the customer or as described in our privacy policy.

The U.S. federal and various state and foreign governments have adopted or proposed limitations on the collection, processing, distribution, use, storage and safeguarding of personal data. In the U.S., the FTC and many state attorneys general are applying federal and state privacy and consumer protection laws to impose standards for the online collection, use and dissemination of personal and other data. However, these obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other requirements or our practices. Any failure or perceived failure by us to comply with privacy or data security laws, policies, legal obligations or industry standards or any security incident that results in the unauthorized, disclosure, release or transfer of personal data or other customer data may result in governmental enforcement actions, litigation, fines and penalties and/or adverse publicity, and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business.

Laws and regulations governing privacy, data protection, cybersecurity, and online safety are rapidly evolving, and changes to such laws and regulations could require us to change features of our platform or restrict our customers’ ability to collect and use email addresses, page viewing data and other personal data, which may reduce demand for our platform or inhibit our improvement and development of our platform or its features, including AI models. Our failure to comply with federal, state and foreign privacy and cybersecurity laws and regulations could harm our ability to successfully operate our business and pursue our business goals.

For example, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), among other things, requires covered companies to provide disclosures to California residents and afford such individuals the ability to opt out of the sales or sharing of their personal data. New and proposed regulations implementing the CCPA continue to evolve the standards of protection required by the CCPA. In addition to increasing our potential exposure to regulatory enforcement, the CCPA also provides for violations and a limited private right of action, which may increase our exposure to civil litigation.

Recently, plaintiffs’ attorneys have initiated a wave of demand letters, claims and class action lawsuits alleging companies’ use of online trackers, such as cookies and pixels, constitutes a violation of state wiretapping laws, primarily the California Invasion of Privacy Act (“CIPA”). Plaintiffs’ attorneys have also expanded their claims and threatened claims to other privacy-related statutes that provide for private rights of action, including statutes governing text messaging and other commercial communications. So far, most of these claims have settled outside the courthouse, though a risk of costly litigation now exists for business practices that are common. We have been subject to these actions and may become subject to additional such actions in the future.

The landscape of privacy and cybersecurity regulation in the U.S. is increasingly complex. Numerous states have passed comprehensive privacy and data security laws, which impose obligations on covered businesses similar – but not identical – to those under the CCPA, and some states have passed privacy and cybersecurity laws governing specific sectors, technologies, or categories of personal data, such as laws regulating health data, children’s data, and online chatbots. Many of those states have also passed – or proposed to pass – laws and regulations that amend the standard of protection required by such laws. A number of other states have proposed similar privacy legislation, and the U.S. Congress has considered – and may reintroduce – federal privacy and cybersecurity legislation that may or may not preempt some or all of such U.S. state privacy laws, and may provide a private right of action. Through executive and legislative action, the federal government has also taken steps to restrict data transactions involving persons affiliated with China, Russia, Venezuela, and other countries of concern. For example, the Department of Justice January 8, 2025 rule on "Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” prohibits the sharing of certain sensitive personal data categories to countries of concern. The regulations also restrict certain investment agreements, employment agreements and vendor agreements involving such data and countries of concern, absent specified cybersecurity controls. Actual or alleged violations of these regulations are punishable by criminal and/or civil sanctions. The evolving complexity of privacy and data security legislation in the U.S. may complicate our compliance efforts and further increase our risk of regulatory enforcement, penalties and litigation.

In addition, many foreign jurisdictions in which we do business, including the European Union, Japan, United Kingdom, Canada, Australia, and others have laws and regulations dealing with the collection and use of personal data obtained from their residents, which are more restrictive in certain respects than those in the U.S. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, disclosure and security of personal data that identifies or may be used to identify an individual. In relevant part, these foreign laws and regulations may affect our ability to engage in lead generation activities by imposing heightened requirements, such as affirmative opt-ins or other consent prior to sending commercial correspondence, obtaining leads or engaging in electronic tracking activities that aid our marketing and business intelligence. We may be required to modify our policies, procedures, and data processing measures in order to address requirements under these or other privacy, data protection, or cyber security regimes, and may face claims, litigation, investigations, or other proceedings regarding them and may incur related liabilities, expenses, costs, and operational losses.

In connection with the operation of some of our business lines, such as business intelligence and AI services, we collect, process and share personal data, such as business contact information or other personal data individuals make available in their professional capacity. We may be subject to additional requirements under privacy and data protection laws that could lead to additional compliance costs, regulatory scrutiny, claims, and reputational risks that may affect our business. For example, we may be required to send notifications to individuals and respond to higher volumes of data privacy requests, which may require substantial costs and expenses, or reduce the potential value of our business intelligence services. We may also receive data from third-party vendors (e.g., data brokers) in connection with such services. While we have implemented certain contractual measures with such vendors to protect our interests, we are ultimately unable to verify with complete certainty the source of such data, how it was received, and that such information was collected and is being shared with us in compliance with all applicable data privacy laws. Furthermore, the uncertain and shifting regulatory environment and trust climate may cause concerns regarding data privacy and may cause our vendors, customers, users, or our customers’ customers to decline to provide the data necessary to allow us to offer some of our services to our customers and users effectively, or could prompt individuals to opt out of our collection of their personal data.
Concern regarding our use of the personal data collected when performing our services could keep prospective customers from subscribing to our services.

Within the European Union, the EU GDPR, and in the United Kingdom, the EU GDPR as incorporated into the laws of the United Kingdom ("UK") (the “UK GDPR” together with the EU GDPR, the “GDPR”), impose heightened obligations and risk upon our business and substantially increases the penalties to which we could be subject in the event of any non-compliance. Non-compliance with the GDPR and the related national data protection laws of the European Union Member States may result in monetary penalties of up to €20 million (£17.5 million) or 4% of worldwide annual revenue, whichever is higher.

The proliferation of privacy and data protection laws has heightened risks and uncertainties concerning cross-border transfers of personal data and other data, which could impose significant compliance costs and expenses on our business, increase our potential exposure to regulatory enforcement and/or litigation, and have a negative effect on our existing business and on our ability to attract and retain new customers. To enable the transfer of personal data outside of the European Union or United Kingdom, adequate safeguards must be implemented in compliance with data protection laws. On June 4, 2021, the European Commission published new versions of its Standard Contractual Clauses (“SCCs”), which are required for all transfers of personal data from the European Union to third countries (including the U.S). The United Kingdom is not subject to the new SCCs but has its own equivalent, being the international data transfer agreement and/or UK Addendum (“IDTAs”). Our customer agreements include the updated SCCs and UK IDTAs. Under the new SCCs and IDTAs, companies are also required to assess the risk of a data transfer on a case-by-case basis by undertaking a transfer impact assessment, and may be required to adopt additional measures to accomplish transfers of personal data to the United States and other third countries. There continue to be concerns about whether the SCCs will face additional challenges.

On July 10, 2023, the European Commission approved the EU-U.S. Data Privacy Framework (“DPF”) to support transfers of personal data from the EU to companies in the U.S. Because we have maintained our certification under the previously invalidated Privacy Shield, we have now automatically become subject to the DPF and are required to maintain policies and procedures to comply with the DPF principles. We may be subject to regulatory enforcement by the FTC if we are found to be noncompliant with any of the DPF principles, and this regulatory enforcement may lead to significant civil penalties.

Until the remaining legal uncertainties regarding SCCs, DPF and other transfer mechanisms are settled, we will continue to face uncertainty as to whether our customers will be permitted to transfer personal data to the United States for processing by us as part of our platform services. Our customers may view data transfer mechanisms as being too costly, too burdensome, too legally uncertain or otherwise objectionable and therefore decide not to do business with us.

We publicly post documentation regarding our practices concerning the collection, processing, use and disclosure of data. Although we endeavor to comply with our published policies and documentation, we may at times fail to do so or be alleged to have failed to do so. Any failure or perceived failure by us to comply with our privacy policies or any applicable privacy, security or data protection, information security or consumer-protection related laws, regulations, orders or industry standards could expose us to costly litigation, significant awards, fines or judgments, civil and/or criminal penalties or negative publicity, and could materially and adversely affect our business, financial condition and results of operations. The publication of our privacy policy and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices, which could, individually or in the aggregate, materially and adversely affect our business, financial condition and results of operations.

If our privacy or data security measures fail to comply with current or future laws and regulations, we may be subject to claims, legal proceedings or other actions by individuals or governmental authorities based on privacy or data protection regulations and our commitments to customers or others, as well as negative publicity and a potential loss of business. Moreover, if future laws and regulations limit our subscribers’ ability to use and share personal data or our ability to store, process and share personal data, demand for our solutions could decrease, our costs could increase, and our business, results of operations and financial condition could be harmed.

Our use of new and evolving technologies, such as AI, may present risks and challenges that can impact our business, including by posing cybersecurity and other risks to our confidential and/or proprietary information, including personal information, and as a result we may be exposed to reputational harm and liability.

We currently use and integrate AI technologies into our business processes and services. Development, use, and deployment of these technologies could pose cybersecurity, data privacy, IT, intellectual property, regulatory, legal, operational, competitive, reputational, and other risks and challenges that could affect our business. Specifically, risks related to bias, AI hallucinations, discrimination, harmful content, misinformation, fraud, scams, targeted attacks such as model poisoning or data poisoning, surveillance, data leakage, loss of consensus reality, inequality, environmental harms, and other harms may flow from our development, use, or deployment of AI technologies. If we enable or use solutions that draw controversy due to perceived or actual negative societal impact or otherwise cause harm, we may experience brand or reputational harm, competitive harm, legal liability, and defensive costs and expenses. If we are unable to develop our platform internally due to certain constraints, such as high employee turnover, lack of management ability or a lack of other research and development resources, we may miss market opportunities.

A growing number of legislators and regulators are adopting laws and regulations addressing, and have focused enforcement efforts on the development and adoption of AI technologies and use of such technologies in compliance with ethical standards and societal expectations. Several states, including Colorado, California, and Texas passed laws that will take effect in 2026 to regulate various uses of AI, from making consequential decisions to requiring companies to disclose sources of training data for AI technologies, among other requirements. In addition, U.S. states and the federal government have a wide variety of measures to regulate various facets of AI development, deployment, and use in recent years, and it is possible that new laws and regulations will be adopted in the near future, or that existing laws and regulations may be interpreted in ways that would affect our business and the ways in which we and our customers use our AI technologies, our financial condition and our results of operations, including as a result of the cost to comply with such laws or regulations. The Trump Administration has endorsed a federal moratorium on the enforcement of certain state AI laws, including through a December 11, 2025 Executive Order on “Ensuring a National Policy Framework for Artificial Intelligence.” So far, these efforts have not been successful in curtailing state action on AI regulation, contributing to a complicated legislative patchwork, which may be litigated in state and federal courts.

Outside the U.S., lawmaking and regulation relating to AI is proceeding at a similar pace. In Europe, for example, the EU’s Artificial Intelligence Act (“AI Act”) entered into force on August 1, 2024 and, with some exceptions, and potentially evolving implementation timelines with the Digital Omnibus Regulation proposal, will begin to apply as of August 2, 2026. This legislation imposes significant obligations on providers and deployers of high-risk AI systems, and encourages providers and deployers of AI systems to account for EU ethical principles in their development and use of these systems. As we continue to develop and use AI systems, which may be governed by the AI Act or other emerging regulations, we may be required to ensure higher standards of data quality, transparency, and human oversight, as well as adhere to specific ethical, accountability, and administrative requirements, some of which may increase our costs and compliance obligations. Further, potential government regulation related to AI use and ethics may also increase the cost of research and development in this area, and failure to properly remediate AI usage or ethics issues may cause public confidence in AI to be undermined, which could slow adoption of AI in our products and services.

The rapid evolution of AI technologies and regulatory frameworks will require the application of significant resources to design, develop, test and maintain such systems to help ensure that AI is implemented in accordance with applicable law and regulation and in a socially responsible manner and to minimize any real or perceived unintended harmful impacts. The use of certain AI technologies can also give rise to intellectual property risks, including the disclosure or compromise of our confidential information or other proprietary intellectual property through the use of agentic and generative AI tools, or the ability to assert or defend ownership rights in intellectual property created with the use of agentic and generative AI tools.

Our vendors have in turn incorporated AI tools into their offerings, and the providers of these AI tools may not meet existing or rapidly evolving regulatory or industry standards, including with respect to privacy and data security. Further, bad actors around the world use increasingly sophisticated methods, including the use of AI, to engage in illegal activities involving the theft and misuse of personal information, confidential information and intellectual property. Companies in the software industry, including those in marketing software, are often required to defend against litigation claims based on allegations of infringement or other violations of intellectual property rights. Use of generative AI models in our internal or third-party systems may create new attack surfaces or methods for adversaries, which could impact us and our vendors. The integration of AI systems, by us or by our vendors, may increase cybersecurity risk. Any of these effects could damage our reputation, result in the loss of valuable property and information, cause us to breach applicable laws and regulations, and adversely impact our business. Our failure to comply with federal, state and international data privacy laws and regulations could harm our ability to successfully operate our business and pursue our business goals.

We could face liability, or our reputation might be harmed, as a result of the activities of our customers, the content of their websites or the data they store on our servers.

As a provider of a cloud-based marketing, sales and customer service software platform, we may be subject to potential liability for the activities of our customers on or in connection with the data they store on our servers. Although our customer terms of use prohibit illegal use of our services by our customers and permit us to take down websites or take other appropriate actions for illegal use, customers may nonetheless engage in prohibited activities or upload or store content with us in violation of applicable law or the customer’s own policies, which could subject us to liability or harm our reputation. Furthermore, customers may upload, store, or use content on our customer platform that may violate our policy on acceptable use which prohibits content that is threatening, abusive, harassing, deceptive, false, misleading, vulgar, obscene, or indecent. While such content may not be illegal, use of our customer platform for such content could harm our reputation resulting in a loss of business.

Several U.S. federal statutes may apply to us with respect to various customer activities:

The Digital Millennium Copyright Act of 1998 ("DMCA"), provides recourse for owners of copyrighted material who believe that their rights under U.S. copyright law have been infringed on the Internet. Under the DMCA, based on our current business activity as an Internet service provider that does not own or control website content posted by our customers, we generally are not liable for infringing content posted by our customers or other third parties, provided that we follow the procedures for handling copyright infringement claims set forth in the DMCA. Generally, if we receive a proper notice from, or on behalf, of a copyright owner alleging infringement of copyrighted material located on websites we host, and we fail to expeditiously remove or disable access to the allegedly infringing material or otherwise fail to meet the requirements of the safe harbor provided by the DMCA, the copyright owner may seek to impose liability on us. Technical mistakes in complying with the detailed DMCA take-down procedures could subject us to liability for copyright infringement.



The Communications Decency Act of 1996 ("CDA"), generally protects online service providers, such as us, from liability for certain activities of their customers, such as the posting of defamatory or obscene content, unless the online service provider is participating in the unlawful conduct. Under the CDA, we are generally not responsible for the customer-created content hosted on our servers. Consequently, we do not monitor hosted websites or prescreen the content placed by our customers on their sites. However, the CDA does not apply in foreign jurisdictions and we may nonetheless be brought into disputes between our customers and third parties which would require us to devote management time and resources to resolve such matters and any publicity from such matters could also have an adverse effect on our reputation and therefore our business.
In addition to the CDA, the Securing the Protection of our Enduring and Established Constitutional Heritage Act (the "SPEECH Act"), provides a statutory exception to the enforcement by a U.S. court of a foreign judgment for defamation under certain circumstances. Generally, the exception applies if the defamation law applied in the foreign court did not provide at least as much protection for freedom of speech and press as would be provided by the First Amendment of the U.S. Constitution or by the constitution and law of the state in which the U.S. court is located, or if no finding of defamation would be supported under the First Amendment of the U.S. Constitution or under the constitution and law of the state in which the U.S. court is located. Although the SPEECH Act may protect us from the enforcement of foreign judgments in the United States, it does not affect the enforceability of the judgment in the foreign country that issued the judgment. Given our international presence, we may therefore, nonetheless, have to defend against or comply with any foreign judgments made against us, which could take up substantial management time and resources and damage our reputation.

Although these statutes and case law in the United States have generally shielded us from liability for customer activities to date, court rulings in pending or future litigation may narrow the scope of protection afforded us under these laws. In addition, laws governing these activities are unsettled in many international jurisdictions, or may prove difficult or impossible for us to comply with in some international jurisdictions. Also, notwithstanding the exculpatory language of these bodies of law, we may become involved in complaints and lawsuits which, even if ultimately resolved in our favor, add cost to our doing business and may divert management’s time and attention. Finally, other existing bodies of law, including the criminal laws of various states, may be deemed to apply or new statutes or regulations may be adopted in the future, any of which could expose us to further liability and increase our costs of doing business.

Additionally, our end-to-end payment solution, as well as our Stripe payment processing integration (“Payments”), are both built within Commerce Hub and are susceptible to potentially illegal or improper uses, including money laundering, terrorist financing, fraudulent or illegal sales of goods or services, piracy of software, movies, music, and other copyrighted or trademarked information, bank fraud, securities fraud, pyramid or ponzi schemes, or the facilitation of other illegal or improper activity. While we engage a third party as our registered payment facilitator, the use of Payments for illegal or improper uses may subject us to claims (including claims brought by our third-party payment processor), government and regulatory requests, inquiries, or investigations that could result in liability, and harm our reputation. Moreover, certain activity that may be legal in one jurisdiction may be illegal in another jurisdiction, and a merchant may be found responsible for intentionally or inadvertently importing or exporting illegal goods, resulting in liability for us. Owners of intellectual property rights or government authorities may seek to bring legal action against providers of payments solutions, including Payments, that are peripherally involved in the sale of infringing or allegedly infringing items. Any threatened or resulting claims could result in reputational harm, and any resulting liabilities, loss of transaction volume, or increased costs could harm our business.

If Payments is used for illegal or improper uses, we may incur substantial losses as a result of claims from merchants and their buyers, including consumers. Allowances for transaction losses that we have established may be insufficient to cover incurred losses. Moreover, if measures to detect and reduce the risk of fraud are not effective and our loss rate is higher than anticipated, Payments and our business could be negatively impacted.

The standards that private entities use to regulate the use of email have in the past interfered with, and may in the future interfere with, the effectiveness of our customer platform and our ability to conduct business.

Our customers rely on email to communicate with their existing or prospective customers. Various private entities attempt to regulate the use of email for commercial solicitation. These entities often advocate standards of conduct or practice that significantly exceed current legal requirements and classify certain email solicitations that comply with current legal requirements as spam. Some of these entities maintain “blacklists” of companies and individuals, and the websites, internet service providers and internet protocol addresses associated with those entities or individuals that do not adhere to those standards of conduct or practices for commercial email solicitations that the blacklisting entity believes are appropriate. If a company’s internet protocol addresses are listed by a blacklisting entity, emails sent from those addresses may be blocked if they are sent to any internet domain or internet address that subscribes to the blacklisting entity’s service or purchases its blacklist.



From time to time, some of our internet protocol addresses may become listed with one or more blacklisting entities due to the messaging practices of our customers. There can be no guarantee that we will be able to successfully remove ourselves from those lists. Blacklisting of this type could interfere with our ability to market our customer platform and services and communicate with our customers and, because we fulfill email delivery on behalf of our customers, could undermine the effectiveness of our customers’ email marketing campaigns, all of which could have a material negative impact on our business and results of operations.

Existing federal, state and foreign laws regulate Internet tracking software, commercial emails and text messages, website owners and other activities, and could impact the use of our customer platform and potentially subject us to regulatory enforcement or private litigation.

Certain aspects of how our customers utilize our platform are subject to regulations in the United States, European Union and elsewhere. In recent years, U.S. and European lawmakers and regulators have expressed concern over the use of third-party cookies or web beacons for online behavioral advertising, and legislation adopted recently in the European Union requires informed consent for the placement of a cookie on a user’s device. Regulation of cookies and web beacons may lead to restrictions on our activities, such as efforts to understand users’ Internet usage. New and expanding “Do Not Track” regulations have recently been enacted or proposed that protect users’ right to choose whether or not to be tracked online. The entry into force of state law requirements to implement Universal Opt-Out Mechanisms (UOOMs) may require us to adapt our data collection, processing, and retention practices to ensure compliance with evolving privacy regulations. We are actively monitoring these developments and assessing the potential operational and financial impact of implementing the necessary technical and organizational measures to support UOOM functionality across our platforms.

Related regulations may restrict the use or disclosure of consumer information without sufficient consent. These regulations seek, among other things, to allow end users to have greater control over the use of private information collected online, to forbid the collection or use of online information, to demand a business to comply with their choice to opt out of such collection or use, and to place limits upon the disclosure of information to third-party websites. These policies could have a significant impact on the operation of our customer platform, impair our attractiveness to customers, and lead to claims or threatened claims, which would harm our business.

Many of our customers and potential customers in the healthcare, financial services and other industries are subject to substantial regulation regarding their collection, use and protection of data and may be the subject of further regulation in the future. Accordingly, these laws or significant new laws or regulations or changes in, or repeals of, existing laws, regulations or governmental policy may change the way these customers do business and may require us to implement additional features or offer additional contractual terms to satisfy customer and regulatory requirements, or could cause the demand for and sales of our customer platform to decrease and adversely impact our financial results.

In addition, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM Act"), establishes certain requirements for commercial email messages and specifies penalties for the transmission of commercial email messages that are intended to deceive the recipient as to source or content. The CAN-SPAM Act, among other things, obligates the sender of commercial emails to provide recipients with the ability to opt out of receiving future commercial emails from the sender. The ability of our customers’ message recipients to opt out of receiving commercial emails may minimize the effectiveness of the email components of our customer platform. In addition, certain states and foreign jurisdictions, such as Australia, Canada and the European Union, have enacted laws that regulate sending email, and some of these laws are more restrictive than U.S. laws. For example, some foreign laws prohibit sending unsolicited email unless the recipient has provided the sender advance consent to receipt of such email, or in other words has “opted-in” to receiving it. A requirement that recipients opt into, or the ability of recipients to opt out of, receiving commercial emails may minimize the effectiveness of our platform.

While these laws and regulations generally govern our customers’ use of our customer platform, we may be subject to certain laws as a data processor on behalf of, or as a business associate of, our customers. For example, laws and regulations governing the collection, use and disclosure of personal data include, in the United States, rules and regulations promulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act of 1999 and state breach notification laws, and internationally, the GDPR and other privacy and data protection laws. If we were found to be in violation of any of these laws or regulations as a result of government enforcement or private litigation, we could be subjected to civil and criminal sanctions, including both monetary fines and injunctive action that could force us to change our business practices, all of which could adversely affect our financial performance and significantly harm our reputation and our business.



We are subject to governmental export controls and economic sanctions laws that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.

Our business activities are subject to various restrictions under U.S. and other global export controls and trade and economic sanctions laws, including the U.S. Commerce Department’s Export Administration Regulations and economic and trade sanctions regulations maintained by the U.S. Treasury Department’s Office of Foreign Assets Control. If we fail to comply with these laws and regulations, we, and certain of our employees, could be subject to civil or criminal penalties and reputational harm. Obtaining the necessary authorizations, including any required license(s), for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. Furthermore, export control laws and economic sanctions laws prohibit certain transactions with embargoed or sanctioned countries, governments, persons and entities. These sanctions laws with which we must comply may also change rapidly from time to time as a result of geopolitical events, such as the imposition of sanctions on Russia as a result of the conflict between Russia and Ukraine. Although we take precautions to prevent unlawful transactions and business relationships with sanction targets, the possibility exists that we could inadvertently provide our products and services to persons or entities prohibited by U.S. and other global sanctions regimes. This could result in negative consequences to us, including government investigations, enforcement actions resulting in civil and/or criminal penalties and reputational harm.



Risks Related to Taxation

We may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales, which could harm our business.

State, local, and non-U.S. jurisdictions have differing rules and regulations governing sales, use, value added, digital service, and other taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of such taxes to our customer platform in various jurisdictions can be unclear. Further, these jurisdictions’ rules regarding tax nexus are complex and vary significantly. As a result, we could face the possibility of tax assessments and audits, and our liability for these taxes and associated penalties could exceed our original estimates. A successful assertion that we should be collecting additional sales, use, value added or other taxes in those jurisdictions where we have not historically done so and do not accrue for such taxes could result in substantial tax liabilities and related penalties for past sales, discourage customers from purchasing our application or otherwise harm our business and operating results.

Changes in tax laws or regulations that are applied adversely to us or our customers could increase the costs of our customer platform and adversely impact our business.

New income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time. For example, on July 4, 2025, tax reform legislation included in the One Big Beautiful Bill Act was enacted in the United States. Key corporate tax provisions include the restoration of 100% bonus depreciation, allowing for the immediate expensing of domestic research and experimental expenditures, changes to Section 163(j) interest limitations, updates to Global Intangible Low-Taxed Income and Foreign-Derived Intangible Income rules, amendments to energy credits, and expanded aggregation requirements for the Section 162(m) limitation on executive compensation. Any new tax laws could adversely affect our current tax position, domestic and international business operations, and our business and financial performance. Further, existing tax laws, statutes, rules, regulations or ordinances could be interpreted, changed, modified or applied adversely to us. These events could require us or our customers to pay additional tax amounts on a prospective or retroactive basis, as well as require us or our customers to pay fines and/or penalties and interest for past amounts deemed to be due. Additionally, new, changed, modified or newly interpreted or applied tax laws could increase our customers’ and our compliance, operating and other costs, as well as the costs of our platform. Any or all of these events could adversely impact our business, cash flows and financial performance. Furthermore, as our employees continue to work remotely from geographic locations across the United States and internationally, we may become subject to additional taxes and our compliance burdens with respect to the tax laws of additional jurisdictions may increase.

We are a multinational organization faced with increasingly complex tax issues in many jurisdictions, and we could be obligated to pay additional taxes in various jurisdictions.

As a multinational organization, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents, or challenges to our tax positions by tax authorities, any of which could have a material adverse effect on our liquidity, financial condition or operating results. We also may invest in companies located in jurisdictions outside the United States, and these investments may result in complex U.S. or non-U.S. tax consequences. New global tax developments may have a material impact to our business, cash flows, or financial results. Such developments, may include certain Organization for Economic Co-operation and Development's proposals including the implementation of global minimum tax under the Pillar Two model rules, and the European Commission’s and certain major jurisdictions’ heightened interest in and taxation of companies participating in the digital economy. In addition, the authorities in these jurisdictions could review our tax returns and impose additional tax, interest and penalties, and the authorities could claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries, or assert that we are subject to tax in a jurisdiction where we believe we have not established a taxable nexus, often referred to as a “permanent establishment” under international tax treaties, any of which could have a material impact on us, our financial condition or our operating results.

We may not be able to utilize a significant portion of our net operating loss carryforwards, which could adversely affect our profitability.

As of December 31, 2025, we had $1.1 billion of U.S. federal and $866.1 million of state net operating loss carryforwards. U.S. federal net operating losses generated in taxable years beginning after December 31, 2017 have an indefinite carryforward and may be used to offset up to 80% of taxable income. State net operating loss carryforwards are subject to varying carryforward periods with certain states beginning to expire as early as 2026 and others conforming to an indefinite carryforward period. A portion of our state net operating loss carryforwards could expire unused and be unavailable to offset future income tax liabilities, which could adversely affect our profitability. In addition, under Section 382 and Section 383 of the Internal Revenue Code of 1986, our ability to utilize net operating loss carryforwards or other tax attributes, such as research tax credits, in any taxable year may be further limited if we experience an “ownership change.” An ownership change generally occurs if one or more stockholders or groups of stockholders who own at least 5% of our stock increase their ownership by more than 50 percentage points over their lowest ownership percentage (by value) within a rolling three-year period. Similar rules may apply under state tax laws. We may have experienced an ownership change in the past, and future issuances of our stock or other transactions could cause an ownership change. It is possible that any such ownership change could have a material effect on the use of our net operating loss carryforwards or other tax attributes accrued prior to such ownership change, which could adversely affect our profitability.

Risks Related to Our Operating Results and Financial Condition

We have a history of losses and may not become consistently profitable or maintain or increase profitability in the future.

We generated net income of $45.9 million in 2025 and $4.6 million in 2024, and a net loss of $164.5 million in 2023. As of December 31, 2025, we had an accumulated deficit of $753.9 million. We will need to generate and sustain increased revenue levels in future periods to become consistently profitable, and, even if we do, we may not be able to maintain or increase our level of profitability. We have spent and intend to continue to expend significant funds on our marketing, sales, customer service, and general and administrative operations, the development and enhancement of our customer platform, scaling our data center infrastructure and services capabilities and expanding into new markets. Our efforts to grow our business may be more costly than we expect, and we may not be able to increase our revenue enough to offset our higher operating expenses. We may incur significant losses in the future for a number of reasons, including the other risks described in this Annual Report on Form 10-K, and unforeseen expenses, difficulties, complications and delays and other unknown events. If we are unable to achieve and sustain profitability, the market price of our common stock may decrease significantly.

From time to time, we may invest funds in social impact investment funds, and may receive no return on our investment or lose our entire investment.

From time to time, we may invest in social impact investment funds. As of December 31, 2025, we have invested $12.2 million in the National Strategic Investments Impact Fund (f/k/a the Black Economic Development Fund) and $7.5 million in support of Minority Depository Institutions to help close the racial wealth, health and opportunity gap. There is no guarantee as to the performance of this investment or any similar investments we make in the future. Depending on the performance of this investment and future investments we may make, we may not receive any return on our investment or we may lose our entire investment, which could have an adverse effect on our business.

We may experience quarterly fluctuations in our operating results due to a number of factors, which makes our future results difficult to predict and could cause our operating results to fall below expectations or our guidance.

Our quarterly operating results have fluctuated in the past and are expected to fluctuate in the future due to a variety of factors, many of which are outside of our control. As a result, our past results may not be indicative of our future performance, and comparing our operating results on a period-to-period basis may not be meaningful. In addition to the other risks described in this Annual Report on Form 10-K, factors that may affect our quarterly operating results include the following:

changes in spending on software by our current or prospective customers;
pricing our customer platform subscriptions effectively so that we are able to attract and retain customers without compromising our profitability;
attracting new customers for our customer platform, increasing our existing customers’ use of our customer platform and providing our customers with excellent customer support;
customer renewal rates and the amounts for which agreements are renewed;
global awareness of our thought leadership and brand;
changes in the competitive dynamics of our market, including consolidation among competitors or customers and the introduction of new products or product enhancements;
changes to the commission plans, quotas and other compensation-related metrics for our sales representatives;
the amount and timing of payment for operating expenses, particularly research and development, sales and marketing expenses and employee benefit expenses;
the amount and timing of costs associated with recruiting, training and integrating new employees while maintaining our company culture;
our ability to manage our existing business and future growth, including increases in the number of customers on our platform and the introduction and adoption of our customer platform in new markets outside of the United States;
unforeseen costs and expenses related to the expansion of our business, operations and infrastructure, including disruptions in our hosting network infrastructure and privacy and data security;
foreign currency exchange rate fluctuations;
rising inflation in the economies in which we operate and our ability to control costs, including operating expenses; and
general economic and political conditions in our domestic and international markets, including economic sanctions, trade policy changes and restrictions, trade wars, tariffs, or the threat posed by such actions.

We may not be able to accurately forecast the amount and mix of future subscriptions, revenue and expenses and, as a result, our operating results may fall below our estimates or the expectations of public market analysts and investors. If our revenue or operating results fall below the expectations of investors or securities analysts, or below any guidance we may provide, the price of our common stock could decline.

If we do not accurately predict subscription renewal rates or otherwise fail to forecast our revenue accurately, or if we fail to match our expenditures with corresponding revenue, our operating results could be adversely affected.

Our customers have no obligation to renew their subscriptions for our services after the expiration of their contractual subscription period and some customers have elected not to renew. In addition, our customers may renew for fewer subscriptions, renew for shorter contract lengths or switch to lower cost offerings of our services. It is difficult to predict attrition rates given our varied customer base. Our attrition rates may increase or fluctuate as a result of various factors, including customer dissatisfaction with our services, customers’ spending levels, mix of customer base, competition, pricing increases or changes in the macroeconomic environment. If customers do not renew their subscriptions, do not purchase additional features or enhanced subscriptions or if attrition rates increase our operating results in future reporting periods may be significantly below the expectations of the public market, equity research analysts or investors, which could harm the price of our common stock.

Changes in accounting standards and subjective assumptions, estimates and judgments by management related to complex accounting matters could significantly affect our financial condition and results of operations.

We apply accounting principles and related pronouncements, implementation guidelines and interpretations to a wide range of matters that are relevant to our business, are highly complex and involve subjective assumptions, estimates and judgments by our management. Changes in these rules or their interpretation, or changes in underlying assumptions, estimates or judgments by our management, could significantly change our reported or expected financial performance.

Risks Related to Indebtedness

Our credit facility provides our lenders with a first-priority lien against substantially all of our assets, and contains financial covenants and other restrictions on our actions, which could limit our operational flexibility and otherwise adversely affect our financial condition.

Our credit facility restricts our ability to, among other things:

use our accounts receivable, inventory, trademarks and most of our other assets as security in other borrowings or transactions, unless the value of the assets subject thereto does not exceed a certain threshold;
incur additional indebtedness;
incur liens upon our property;
dispose of certain assets;
declare dividends or make certain distributions; and
undergo a merger or consolidation or other transactions.

Our credit facility also requires that our Consolidated Leverage Ratio (as defined in the Revolving Credit Agreement) not exceed specified levels during periods when we do not maintain investment-grade credit ratings. Our ability to comply with these and other covenants is dependent upon several factors, some of which are beyond our control.

Our failure to comply with the covenants or payment requirements, or the occurrence of other events specified in our credit facility, could result in an event of default under the credit facility, which would give our lenders the right to terminate their commitments to provide additional loans under the credit facility and to declare all borrowings outstanding, together with accrued and unpaid interest and fees, to be immediately due and payable. In addition, we have granted our lenders first-priority liens against all of our assets as collateral. Failure to comply with the covenants or other restrictions in the credit facility could result in a default. If the debt under our credit facility was to be accelerated, we may not have sufficient cash on hand or be able to sell sufficient collateral to repay it, which would have an immediate adverse effect on our business and operating results. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive.

Risks Related to Our Common Stock

Our stock price may be volatile and you may be unable to sell your shares at or above the price you purchased them.

The trading prices of the securities of technology companies, including providers of software via the cloud-based model, have been highly volatile. Since shares of our common stock were sold in our initial public offering in October 2014 at a price of $25.00 per share, our stock price has ranged from $25.79 to $881.13 through December 31, 2025. The market price of our common stock may fluctuate significantly in response to numerous factors, many of which are beyond our control, including:

actual or anticipated fluctuations in our revenue and other operating results, including as a result of the addition or loss of any number of customers;
announcements by us or our competitors of significant technical innovations, acquisitions, strategic partnerships, joint ventures or capital commitments;
the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections;
failure of securities analysts to initiate or maintain coverage of us, changes in ratings and financial estimates and the publication of other news by any securities analysts who follow our company, or our failure to meet these estimates or the expectations of investors;
changes in operating performance and stock market valuations of cloud-based software or other technology companies, or those in our industry in particular;
price and volume fluctuations in the trading of our common stock and in the overall stock market, including as a result of trends in the economy as a whole;
sales of large blocks of our common stock or the dilutive effect of our Notes or any other equity or equity-linked financings;
new laws or regulations or new interpretations of existing laws or regulations applicable to our business or industry, including data privacy and data security;
lawsuits threatened or filed against us;
changes in key personnel; and
other events or factors, including changes in general economic, industry and market conditions and trends, international disputes, wars, and political stability.

In addition, the stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many technology companies. Stock prices of many technology companies have fluctuated in a manner unrelated or disproportionate to the operating performance of those companies.

In the past, stockholders have instituted securities class action litigation following periods of market volatility. If we were to become involved in securities litigation, it could subject us to substantial costs, divert resources and the attention of management from our business and adversely affect our business.

If we fail to maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.

As a public company we are subject to the reporting requirements of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), and the rules and regulations of the New York Stock Exchange (the “NYSE”). We expect that compliance with these rules and regulations will continue to increase our legal, accounting and financial compliance costs, make some activities more difficult, time consuming and costly, and place significant strain on our personnel, systems and resources.

The Sarbanes-Oxley Act requires, among other things, that we assess the effectiveness of our internal control over financial reporting annually and the effectiveness of our disclosure controls and procedures quarterly. In particular, Section 404 of the Sarbanes-Oxley Act (“Section 404”), requires us to perform system and process evaluation and testing of our internal control over financial reporting to allow management to report on, and our independent registered public accounting firm to attest to, the effectiveness of our internal control over financial reporting. Our compliance with applicable provisions of Section 404 requires that we incur substantial accounting expenses and expend significant management time on compliance-related issues as we implement additional corporate governance practices and comply with reporting requirements. Moreover, if we are not able to comply with the requirements of Section 404 applicable to us in a timely manner, or if we or our independent registered public accounting firm identifies deficiencies in our internal control over financial reporting that are deemed to be material weaknesses, the market price of our stock could decline and we could be subject to sanctions or investigations by the SEC or other regulatory authorities, which would require additional financial and management resources.

Furthermore, investor perceptions of our company may suffer if deficiencies are found, and this could cause a decline in the market price of our stock. Irrespective of compliance with Section 404, any failure of our internal control over financial reporting could have a material adverse effect on our stated operating results and harm our reputation. If we are unable to implement these requirements effectively or efficiently, it could harm our operations, financial reporting, or financial results and could result in an adverse opinion on our internal controls from our independent registered public accounting firm. In addition, as a result of our hybrid culture, many of our employees – including those critical to maintaining an effective system of disclosure controls and internal control over financial reporting – are working, and are expected to continue to work, in a remote environment and not in the office environment from which they have historically performed their duties. While we have experience maintaining effective control systems with our employees working in remote environments, risks that we have not contemplated may arise and result in our failure to maintain effective disclosure controls or internal control over financial reporting.

We cannot guarantee that our share repurchase program will be fully consummated or will enhance long-term stockholder value, and share repurchases could increase the volatility of the trading price of our common stock and diminish our cash reserves.

On February 7, 2026, our Board of Directors authorized a share repurchase program under which we are authorized to purchase up to $1.0 billion of our common stock from time to time (the “2026 Share Repurchase Program”). As of the date of filing of this report, a total of $1.0 billion remained available for repurchase under the share repurchase program. Repurchases under the 2026 Share Repurchase Program will be made in the open market, through privately negotiated transactions or other means, including pursuant to 10b5-1 plans, and in compliance with applicable securities laws and other requirements. The timing, manner, price, and amount of the 2026 Share Repurchase Program is subject to the discretion of our management. The 2026 Share Repurchase Program does not obligate us to acquire a specified number of shares, and may be suspended, modified, or terminated at any time, without prior notice. There can be no assurance that we will repurchase shares at favorable prices. Further, our share repurchases could affect the trading price of our common stock, increase its volatility, reduce our cash reserves, and may be suspended or terminated at any time, which may result in a lower market valuation of our common stock.

Anti-takeover provisions in our charter documents and Delaware law may delay or prevent an acquisition of our company.

Our amended and restated certificate of incorporation, amended and restated bylaws and Delaware law contain provisions that may have the effect of delaying or preventing a change in control of us or changes in our management. Our amended and restated certificate of incorporation and bylaws include provisions that:

authorize “blank check” preferred stock, which could be issued by the board of directors without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock;
specify that special meetings of our stockholders can be called only by our board of directors, the chairperson of the board of directors, the chief executive officer or the president;
prohibit stockholder action by written consent;
establish an advance notice procedure for stockholder approvals to be brought before an annual meeting of our stockholders, including proposed nominations of persons for election to our board of directors;
provide that our directors may be removed only for cause;
provide that vacancies on our board of directors may be filled only by a majority of directors then in office, even though less than a quorum;
specify that no stockholder is permitted to cumulate votes at any election of directors;
authorize our board of directors to modify, alter or repeal our amended and restated bylaws; and
require a majority vote of the holders of our outstanding common stock to amend specified provisions of our charter documents.

These provisions, alone or together, could delay or prevent hostile takeovers and changes in control or changes in our management.

In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us in certain circumstances.

Any provision of our amended and restated certificate of incorporation or amended and restated bylaws or Delaware law that has the effect of delaying or deterring a change in control could limit the opportunity for our stockholders to receive a premium for their shares of our common stock, and could also affect the price that some investors are willing to pay for our common stock.

General Risks

Failure to comply with laws and regulations could harm our business.

Our business is subject to regulation by various federal, state, local and foreign governmental agencies, including agencies responsible for monitoring and enforcing employment and labor laws, workplace safety, environmental laws, consumer protection laws, anti-bribery laws, import/export controls, federal securities laws and tax laws and regulations. In certain jurisdictions, these regulatory requirements may be more stringent than those in the United States. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, mandatory recalls, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties or injunctions.

Adverse litigation results could affect our business.

From time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. Litigation can be lengthy, expensive and disruptive to our operations, and can divert our management’s attention away from running our core business. The results of our litigation also cannot be predicted with certainty. Even a favorable judgment may be subject to appeals leading to protracted litigation, additional costs and the prospect that our desired outcome will be overturned. An adverse decision could result in monetary damages or injunctive relief that could affect our business, operating results or financial condition.

Our ability to raise capital in the future may be limited, and our failure to raise capital when needed could prevent us from growing.

Our business and operations may consume resources faster than we anticipate. In the future, we may need to raise additional funds to invest in future growth opportunities. Additional financing may not be available on favorable terms, if at all. In addition, recent volatility in capital markets and lower market prices for many securities may affect our ability to access new capital through sales of shares of our common stock or issuance of indebtedness, which may materially harm our liquidity, limit our ability to grow our business, pursue acquisitions or improve our operating infrastructure and restrict our ability to compete in our markets.

If adequate funds are not available on acceptable terms, we may be unable to invest in future growth opportunities, which could seriously harm our business and operating results. If we incur additional debt, including under the credit facility, the debt holders would have rights senior to common stockholders to make claims on our assets. Additionally, the credit facility restricts our operations, including our ability to pay dividends on our common stock. Furthermore, if we issue equity securities, stockholders will experience dilution, and the new equity securities could have rights senior to those of our common stock. The Notes are and any additional equity or equity-linked financings would be dilutive to our stockholders. Because our decision to issue securities in any future offering will depend on market conditions and other factors beyond our control, we cannot predict or estimate the amount, timing or nature of our future offerings. As a result, our stockholders bear the risk of our future securities offerings reducing the market price of our common stock and diluting their interest.

Catastrophic events could disrupt our business and adversely affect our financial condition and results of operations.

We rely on our network infrastructure and enterprise applications, internal technology systems and website for our development, marketing, operations, support, hosted services and sales activities. In addition, some of our businesses rely on third-party hosted services, and we do not control the operation of third-party data center facilities serving our customers from around the world, which increases our vulnerability. A disruption, infiltration or failure of these systems or third-party hosted services in the event of a major earthquake, fire, flood, tsunami or other weather event, power loss, telecommunications failure, software or hardware malfunctions, pandemics, cyber-attack, war, terrorist attack or other catastrophic event that we do not adequately address, could cause system interruptions, reputational harm, loss of intellectual property, delays in our product development, lengthy interruptions in our services, breaches of data security and loss of critical data. Any of these events could prevent us from fulfilling our customer demands or could negatively impact a country or region in which we sell our products, which could in turn decrease that country’s or region’s demand for our products.
A catastrophic event that results in the destruction or disruption of any of our data centers or our critical business or information technology systems could severely affect our ability to conduct normal business operations and, as a result, our future operating results could be adversely affected. The adverse effects of any such catastrophic event would be exacerbated if experienced at the same time as another unexpected and adverse event.

The occurrence of regional epidemics or a global pandemic may have an adverse effect on how we and our customers operate our businesses and our operating and financial results. Our operations may in the future be negatively affected by a range of external factors related to the pandemic that are not within our control, including the emergence and spread of more transmissible variants and the degree of transmissibility and severity thereof. The extent to which global pandemics impact our financial condition or results of operations will depend on factors, such as the duration and scope of the pandemic, as well as whether there is a material impact on the businesses or productivity of our customers, partners, employees, suppliers and other partners. To the extent that a pandemic harms our business and results of operations, many of the other risks described in this “Risk Factors” section may be heightened.

Climate-related risks, regulatory compliance and evolving stakeholder expectations may impact our business.

While we seek to partner with organizations that mitigate their business risks associated with climate change, we recognize that there are inherent risks wherever business is conducted, including risks relating to the physical impact of climate change and to transitioning to a lower carbon economy. Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our offices globally may experience climate-related events at an increasing frequency, including drought, water scarcity, heat waves, cold waves, wildfires and resultant air quality impacts and power shutoffs associated with wildfire prevention. While this danger has a low-assessed risk of disrupting normal business operations, it has the potential to disrupt employees’ abilities to commute to work or to work from home and stay connected effectively. Furthermore, it is more difficult to mitigate the impact of these events on our employees to the extent they work from home. Climate-related events, including the increasing frequency of extreme weather events and their impact on the U.S.’s, Europe’s and other major region’s critical infrastructure, have the potential to disrupt our business, our third-party suppliers and/or the business of our customers, and may cause us to experience higher attrition of our employees, losses and additional costs to maintain or resume operations.

In addition to physical and transition risks, regulatory developments, evolving market dynamics and stakeholder expectations regarding climate change may impact our business, financial condition and results of operations. We are working to align our reporting with recognized disclosure standards such as the Financial Stability Board’s Task Force on Climate-Related Financial Disclosures, the Sustainability Accounting Standards Board and the Global Reporting Initiative, and we regularly monitor and prepare for new disclosure requirements that may be applicable to us (for example, the International Financial Reporting Standards S1 and S2). We may also be subject to California’s recently enacted climate disclosure laws, which will require in-scope companies to report on greenhouse gas emissions and climate-related financial risks. The future of these California laws is uncertain given pending litigation, and the California Air Resources Board, which has been tasked with implementing the climate-disclosure laws, has not yet released implementing regulations. Collecting, measuring and reporting sustainability information and metrics to comply with applicable requirements can be resource-intensive and time-consuming, requiring new systems and processes. These efforts may also expose us to operational challenges, reputational scrutiny, and legal and other risks as expectations continue to evolve.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Cybersecurity represents an important component of our overall approach to business strategy, risk management and financial oversight. Our board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, business partners and employees, and is actively involved in oversight of our risk management program. The board of directors performs this oversight function at the full board level, as well as through its standing committees that address risks inherent in their respective areas of oversight. The audit committee is responsible for assisting the board of directors in reviewing and assessing the quality and effectiveness of our cybersecurity policies, practices and procedures protecting our information technology systems, data, products and services across all business functions, and reporting its findings to the board of directors, which has final oversight responsibility over cybersecurity-related matters.

Our cybersecurity policies, standards, processes and practices are informed by industry-recognized standards. In general, we seek to address cybersecurity risks through a cross-functional approach that is designed to preserve the confidentiality, security and availability of the information that we collect and store.

Cyber Risk Management and Strategy

Under the board of directors’ and audit committee’s oversight, we have implemented and maintain a risk management program that includes processes for the systematic identification, assessment and treatment (through mitigation, transfer, avoidance and/or acceptance) of cybersecurity risks. This risk management program addresses, but is not limited to, risks identified by internal auditors and assessors, threat intelligence providers, internal stakeholders, vulnerability management programs and security management programs. We also engage external independent assessors regularly to conduct cyber risk assessments and to report both findings and recommendations to management.

Risk assessments: Our security team, in coordination with our enterprise risk management team, conducts periodic risk assessments to identify and analyze the business and security risks, vulnerabilities, emerging technologies, laws and regulations. Our internal audit team evaluates the results of these risk assessments to determine critical areas for audit as part of our annual internal audit plan. The results of the internal audits are reported to the audit committee, and the security team manages and maintains remediation strategies for identified risks.

Vendor risk management: As part of our risk management program, our vendor risk management teams are responsible for conducting due diligence on vendors submitted for risk evaluation where medium- or high-risk data are in scope. We require assessments of these third-party vendors prior to establishing a business relationship, and monitor high-risk vendors on an ongoing basis, as part of our efforts to require these vendors to maintain their commitments related to data security, availability and confidentiality. Our security team’s assessment of vendors’ security controls and processes is calibrated to the risk level assigned to the vendor.

Incident response: We employ a formal process to identify, track, prioritize and remediate cybersecurity incidents that may impact the confidentiality, integrity and availability of data stored and processed on our information systems. This process addresses event detection, triage and classification, investigation and escalation, containment and mitigation, recovery and corrective actions. We maintain a written incident response plan that establishes roles, responsibilities and procedures to guide incident response operations.

Policies and procedures: Our security and legal teams actively participate in industry and other advisory groups and monitor regulatory requirements to keep apprised of evolving risks. Policies and procedures, including our Written Information Security Policy, are periodically updated to adapt to evolving business conditions and information technology requirements.

We, like other companies in our industry, face a number of cybersecurity risks in connection with our business. Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats and security incidents relating to our and our third-party vendors’ information systems. For more information, please see “Item 1A, Risk Factors.”

Governance Related to Cybersecurity Risks


Board oversight: Our board of directors has final oversight responsibility over cybersecurity-related matters. The full board of directors participates in interactive sessions with management, typically twice a year, dedicated to cybersecurity risks. These sessions, led by our Chief Information Security Officer (CISO), address a range of cybersecurity-related topics, such as recent developments related to the threat landscape, security controls, vulnerability assessments, third-party reviews, internal audits, technological trends and information security considerations arising with respect to our peers and third parties.

The audit committee assists the board of directors in fulfilling its oversight responsibilities with respect to the management of risks arising from cybersecurity threats, and our security team provides written reports to the audit committee for its review. The audit committee is responsible for reporting findings related to its review of these matters to the board of directors.

As appropriate, the board of directors also receives information regarding cybersecurity incidents as well as ongoing updates regarding mitigation of any such incidents until they have been resolved.

Management’s role in assessing and managing cybersecurity risk: Our risk management program for cybersecurity is led by the HubSpot Security & Privacy Committee, which we refer to as the Committee. The Committee oversees our information and technology risk management, compliance, and control functions, and serves as a forum for the discussion of issues involving information security and risk management.

The Committee’s members include senior members of management who are responsible for and collectively have experience in information security, information technology, data protection, risk management and compliance. This collaboration helps us incorporate cyber risk management across all of our significant risk management programs.

The Committee is chaired by the CISO, who works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. The CISO attends regular meetings with representatives from the legal, ERM and security teams to review newly identified cybersecurity risks and re-review previously identified risks. The Committee then determines how identified risks should be treated. The results of these risk review processes are included in periodic presentations to our executive leadership team and the audit committee.

Our CISO has over 25 years of experience working in security and infrastructure for SaaS and hosted services. She has a master's degree in cybersecurity and has maintained an active CISSP certification since 2012. Our CISO is part of our product and engineering leadership team and reports to our Senior Vice President, Engineering, who reports to our Chief Product and Technology Officer.
