Quiver Quantitative

Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - QTWO

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors" for further information.

Privacy and Information Safeguard Laws

In the ordinary course of our business, we and our customers using our solutions access, process and transmit certain types of data, which subjects us and our customers to a variety of privacy and information security laws and regulations in the United States and internationally, including, for example, GLBA, CCPA, CPRA and GDPR, and other federal, state and international data privacy, security, and protection laws designed to regulate the use of consumer information and mitigate identity theft. We are also subject to an expanding number of comprehensive state privacy laws and related regulations, as well as state data breach notification and information safeguard requirements.

These laws impose obligations with respect to the collection, processing, storage, disposal, use and disclosure of personal information, and require financial services providers to maintain administrative, technical and physical safeguards and related policies regarding information privacy and security. In addition, under certain of these laws, we are required to provide notices to consumers describing our information sharing practices, provide advance notice of certain policy changes, and, in some cases and subject to applicable exemptions, offer consumers rights regarding the use and disclosure of their personal information. Certain laws may require us to notify affected clients, regulators, law enforcement, authorities, consumer reporting agencies or other third parties in the event of a data security or privacy breach involving personal information.

To address these requirements, we maintain confidentiality and information security standards and procedures applicable to our business operations and to our third-party vendors and service providers. Privacy and information security laws and regulations continue to evolve and may be subject to differing interpretations, requiring ongoing monitoring and modifications to our compliance program, which may result in increased operational complexity and compliance costs.

Available Information

Our website address is https://q2.com. Our Annual Report on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K and amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934 are available through the investor relations page of our Internet website free of charge as soon as reasonably practicable after we electronically file such material with, or furnish it to the SEC. Our website and the information contained therein or connected thereto are not intended to be incorporated into this Annual Report on Form 10-K. In addition, the SEC maintains an Internet site (http://www.sec.gov) that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC.

Table of Contents

Item 1A. Risk Factors.

Our business, prospects, financial condition, operating results and the trading price of our common stock could be materially adversely affected by a variety of risks and uncertainties, including those described below, as well as other risks not currently known to us or that are currently considered immaterial. In assessing these risks, you should also refer to the other information contained in this Annual Report on Form 10-K, including our consolidated financial statements and related notes. Our principal risks include risks associated with:

•security and privacy threats and breaches involving our solutions;

•the current economic environment and challenges in the financial services industry, including impacts on our customers' decisions to purchase our products and services and the related demand for our solutions relative to our expectations, including economic impacts resulting from changes to U.S. trade policy, tariff and import/export regulations;

•focusing on the financial services industry, and particular customer segments therein, and any geographies where we have general customer concentration and the potential for any economic downturn or consolidation in such industry, segments or geographies to adversely affect our business;

•the integration of our solutions with and reliance by our solutions on third-party systems or services;

•defects or errors in our solutions, including failures associated with transaction processing or interest, principal or balance calculations;

•the recently completed migration of the computing, storage and processing of our digital banking platform solutions from our third-party data centers to third-party public cloud service providers;

•defects, failures or interruptions in third-party services or solutions, including third-party public cloud service providers;

•our ability to plan for and manage our growth and scale with our new and existing customers effectively;

•the length, cost and unpredictability of our sales cycle;

•the development of our solutions and changes to the market for our solutions compared to our expectations;

•our ability to attract new customers and expand and renew existing customer relationships;

•managing challenges and costs associated with the implementation of a higher volume of or more complex configurations of our solutions;

•customer acceptance of and satisfaction with our existing and new solutions;

•the strength of our brand and reputation;

•intense competition in the markets we serve and challenges we face as we enter new markets or new areas of existing markets;

•customer training and customer support;

•development of our AI strategies and solutions, changes to the market for our solutions and regulatory specifications and functionality required by our customers and relevant governmental authorities;

•evolving technological requirements, enhancements and additions to our solution offerings, including AI;

•our sales and marketing capabilities, including partner relationships;

•our dependency on our management team and other key employees and the increased costs associated with recruiting and retaining talent;

•our international operations;

•mergers, acquisitions, divestitures or strategic investments;

•our revenue recognition method and the relative impacts of changes in subscription rates;

Table of Contents

•quarterly fluctuations in our operating results relative to our expectations and guidance and the reliability and accuracy of our forecasts and the market data we use;

•our history of net operating losses and potential limitations on our ability to utilize our net operating loss carryforwards;

•our profit margins and the unpredictability of End-User adoption and usage, and customer implementation and support requirements;

•changes in financial accounting standards or practices;

•our ability to maintain proper and effective internal controls and produce accurate and timely financial statements;

•regulations applicable to us, our customers and our solutions, including evolving regulation of AI, machine learning and the receipt, collection, storage, processing and transfer of data, and the impacts of any violation of these regulations;

•global data privacy and security regulations;

•increased regulatory scrutiny and evolving requirements for money movement services and the resulting potential higher costs, increased complexity and limitations on offerings;

•litigation or threats of litigation;

•our ability to protect our intellectual property;

•the use of "open-source" software in our solutions;

•environmental, social and governance, or ESG, disclosures and evolving ESG disclosure requirements;

•the expenses and administrative burdens as a public company;

•the dilutive effects of future sales or anticipation of future sales, of our common stock and the resulting impact on the price of our common stock;

•unfavorable or misleading research by industry analysts;

•our stock price volatility and historical policy of no dividends;

•anti-takeover provisions in our charter documents and Delaware law;

•our convertible debt obligations and related capped call transactions and the related accounting treatment and our ability to secure sufficient additional financing when desired or needed on favorable terms; and

•our ability to obtain additional financing and potential dilution to our stockholders resulting from raising capital or using equity for acquisitions.

Table of Contents

Risks Related to our Operations, Industry and the Markets We Serve

Our business faces significant risks from diverse and increasingly frequent security threats. If our security measures or the security measures of our customers or third-party providers on whom we rely are compromised, unauthorized access to our systems or customer data is otherwise obtained or financial transaction fraud involving our solutions goes undetected, our systems and solutions may not be secure or may be perceived as not being secure or adequate, and customers may curtail or cease their use of our solutions, our reputation may be harmed, and we or our customers may incur significant liabilities, litigation, regulatory enforcement, fines or other consequences.

We maintain various types of confidential information, including our own information and that of our customers and their End Users. For example, certain elements of our solutions process and store personally identifiable information, or PII, such as banking and personal information of our customers and their End Users, and we also regularly have access to PII during various stages of the implementation process or during the course of providing customer support. Furthermore, as we develop additional functionality, we may gain greater access to PII. However, we are vulnerable to attack and cannot entirely eliminate the risk of improper or unauthorized access to our solutions or information technology systems or disclosure of confidential information or other security and privacy events that impact the integrity, availability or privacy of confidential information, including PII, or our systems, solutions and operations, or the related costs we may incur to mitigate the consequences from such events. In addition, because we increasingly leverage third-party providers, including cloud, software and other critical technology vendors to develop and deliver our solutions to our customers and their End Users, we rely heavily on the data security technology practices and policies adopted by these third-party providers, and we may not be able to identify vulnerabilities in such third-party practices and policies. A vulnerability in a third-party provider's software or systems, a failure of our third-party providers' safeguards, policies, procedures or overall business operations or a breach of a third-party provider's software or systems could result in financial loss and the compromise of the confidentiality, integrity or availability of our systems or the data housed in our solutions.

Our security measures and the security measures of our customers or third-party providers on whom we rely may not be sufficient to prevent our solutions or systems from being compromised as a result of third-party action, the error or intentional misconduct of employees, customers or their End Users, malfeasance or stolen or fraudulently obtained login credentials. Our business and operations, as well as those of our customers and third-party providers, are continuously exposed to a broad range of internal and external threats such as cyber-attacks, ransomware attacks, account take-over attacks, hijacking, organized cybercrime, financial transaction fraud, fraudulent representations, malicious code (such as viruses and worms), supply chain attacks, phishing, employee errors or omissions, employee theft or misuse, denial-of-service attacks and other malicious Internet-based activity. These internal and external threats continue to increase and evolve and financial services providers, their End Users, and technology providers are often targets of such threats or attacks. In addition to traditional computer "hackers," sophisticated criminal networks as well as nation-state and nation-state supported actors now engage in attacks, including advanced persistent threat intrusions.

Table of Contents

In addition, third parties may attempt to fraudulently induce our employees or the employees of our customers or third-party providers into disclosing sensitive information such as usernames, passwords or other information to gain access to our confidential or proprietary information or the data of our customers and their End Users. We continue to make investments in insider threat programs, but we may be unable to anticipate or prevent techniques used to obtain unauthorized access or sabotage systems because they change frequently and generally are not detected until after an incident has occurred. In addition, there may be a heightened risk of state-sponsored cyberattacks or cyber fraud during periods of geopolitical uncertainty, as cybercriminals attempt to profit from the disruption, given increased online banking, e-commerce and other online activity. Additionally, there is an increased risk that we may experience cybersecurity-related events, such as phishing attacks, and other security challenges as a result of some of our employees and employees of our service providers working remotely from non-corporate managed networks. Increased risks associated with cyberattacks, data and privacy breaches and breaches of security measures within our solutions, systems and infrastructure or the products, systems and infrastructure of our customers or third parties upon which we rely and the resultant costs and liabilities may cause failure or inability to meet our customers' expectations with respect to security and confidentiality and could harm our business, and seriously damage our reputation and affect our ability to retain customers and attract new business. Our systems and operations are also subject to inherent internal threats from employees or contractors such as unauthorized information access or disclosure and asset misappropriation, including as a result of inadequate access management. While we endeavor to counter these threats through processes designed to identify and monitor potentially risky behaviors, including data loss prevention and access rights management protocols, no risk mitigation strategy can entirely eliminate the risks posed by internal threats.

Although we monitor our solutions and information technology systems to detect and block threats, as cyber threats have evolved and continue to evolve, vulnerabilities in the supplier ecosystem, our solutions and information technology systems have been and may in the future be exploited. We continue to expend additional resources to modify or enhance our layers of defense to remediate such vulnerabilities and adjust lifecycle management. System enhancements and updates create risks associated with implementing new systems and integrating them with existing ones, including risks associated with the effectiveness of our, our customers' and our third-party providers' software development lifecycles. Due to the complexity and interconnectedness of our systems and solutions, the process of enhancing our layers of defense, including addressing hardware-based vulnerabilities, can itself create a risk of systems disruptions and security issues. Our and our customers' and third-party providers' ability and willingness to deliver patches and updates to mitigate vulnerabilities in a timely manner can introduce additional risks, particularly when a vulnerability is being actively exploited by threat actors. Customer utilization of older versions of our solutions can increase the risk and complexity of security vulnerabilities and the resources and time required to address them.

Federal, state and other regulations may require us to notify customers and their End Users of data security incidents involving certain types of personal data. Any security and privacy compromise in our industry, whether actual or perceived, could erode customer confidence in the effectiveness of our security measures, negatively impact our ability to attract new customers, cause existing customers to elect not to renew their subscriptions or subject us to third-party lawsuits, regulatory investigations or fines or other action or liability, which could materially and adversely affect our business and operating results.

In addition, some of our customers contractually require notification of any data security and privacy compromise and include representations and warranties that our solutions comply with certain regulations related to data security and privacy. Although our customer agreements typically include limitations on our potential liability, there can be no assurance that such limitations of liability would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing general liability insurance coverage and coverage for errors or omissions will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more claims, or that our insurers will not deny or attempt to deny coverage as to any future claim. The successful assertion of one or more claims against us, the inadequacy of or denial of coverage under our insurance policies, litigation to pursue claims under our policies or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, financial condition and results of operations.

Table of Contents

Unfavorable conditions or uncertainty in the financial services industry, geopolitical landscape or the global economy could limit our ability to grow our business and negatively affect our operating results.

While we do not have significant operations in directly affected areas, we are unable to predict the impact of geopolitical factors on the global economy or on our financial condition or results of operations. The revenue growth and potential profitability of our business depend on demand for enterprise SaaS solutions and services generally and for financial services solutions in particular. Changes in interest rates may impact account holder demand for loans and the creditworthiness of existing borrowers, resulting in operational challenges for financial institutions, including higher credit losses and difficulty in assessing risk in their existing loan portfolios and in making new lending decisions. Uncertain economic and geopolitical conditions may also disrupt supply chains, including third parties with which we have entered into relationships and upon which we depend in order to grow our business, such as technology vendors and third-party public cloud service providers, which could lead to payment delays and failures to settle financial transactions. The duration and severity of these unfavorable or uncertain conditions and their long-term effects on us and our customers remain uncertain and difficult to predict, and we may be unable to continue to grow or to grow at a similar rate in the event of future and sustained economic slowdowns.

In addition, the imposition by the U.S. of additional tariffs on a broad range of imports from multiple countries, and the potential for further expansion of such tariffs, including retaliatory tariffs being imposed by foreign countries, has introduced uncertainty into the global trade environment. Although our operations do not involve the direct purchase of significant volumes of goods or raw materials from outside the U.S., and we do not manufacture or inventory physical products, these trade measures may indirectly affect our business. For example, continued or escalating tariffs may contribute to inflationary pressures or impact the cost structures of our third-party service providers, cloud infrastructure partners, or customers, which could affect demand for our solutions and services or increase our cost of service delivery over time. To date, these developments have not had a material impact on our operations or financial performance. However, we continue to monitor the evolving trade landscape, including any additional tariffs or retaliatory measures that may arise, given the potential for broader macroeconomic implications and downstream effects on the financial services industry.

We derive substantially all of our revenues from customers in the financial services industry, and in particular RCFIs, and any economic downturn or consolidation in the financial services industry, or unfavorable economic conditions affecting regions in which a significant portion of our customers are concentrated or segments of potential customers on which we focus, could harm our business.

Downturns in the financial services industry and unfavorable economic conditions affecting the regions in which our customers or prospective customers are concentrated or particular segments of customers or prospective customers on which we focus, including the Alt-FI and FinTech sectors, have and may continue to cause our customers or prospective customers to delay or reduce their spending on solutions such as ours or seek to terminate or renegotiate their contracts with us, including in either case as a result of insolvency or bankruptcy. A significant portion of our revenues is derived from financial institutions, and in particular RCFIs, and we have been and may continue to be impacted by challenges in the economic environment and financial services industry. Some financial institutions have in the past experienced significant pressure due to economic uncertainty, liquidity concerns and increased regulatory scrutiny. The actions taken by such institutions to address potential liquidity concerns have resulted in certain institutions incurring substantial costs that have negatively impacted, and may continue to negatively impact, their profitability and could lead to further market instability or bank failures. Additionally, regulatory changes aimed at stabilizing the financial system

Table of Contents

could impose new burdens, further straining the profitability of these institutions and potentially leading to a contraction in economic activities. Additionally, banking regulators, as well as increasingly cautious investors, have increased scrutiny of commercial real estate lending. This heightened attention may compel financial institutions with substantial commercial real estate loan portfolios to adopt more stringent underwriting standards, enhance internal controls, bolster risk management policies, conduct more rigorous portfolio stress testing, and maintain higher reserve levels. While the U.S. government has taken measures to strengthen public confidence in the banking system and protect depositors, such steps may be insufficient to resolve the volatility in the financial markets and reduce the risk of additional bank failures. It is possible these conditions may persist, deteriorate or reoccur, and longer term, failures and consolidations are likely to continue, and there are very few new financial institutions being created. Further, if our customers merge with or are acquired by other entities that have in-house developed solutions or that are not our customers or use fewer of our solutions, our customers may discontinue, reduce or change the terms of their use of our solutions. Any of these developments could have an adverse effect on our business, results of operations and financial condition.

If we are unable to effectively integrate our solutions with other systems or services used by our customers and prospective customers, including if we are forced to discontinue integration due to security or quality concerns with a third-party system or service, or if there are performance issues with such third-party systems or services, our solutions will not operate effectively, our operations will be adversely affected and our reputation may be harmed.

The functionality of our solutions depends on our ability to integrate with other third-party systems and services used by our customers, including core processing software and, in the case of our Helix solutions, banking services. Certain providers of these third-party systems or services also offer solutions that are competitive with our solutions and may have an advantage over us with customers using their software by having better ability to integrate with their software and by being able to bundle their competitive products with other applications used by our customers and prospective customers at favorable pricing. We do not have formal arrangements with many of these third-party providers regarding our access to their APIs to enable these customer integrations. We also resell numerous third-party services and market integrations to many third-party services, including services and integrations offered through our Q2 Innovation Studio solution.

Our business and reputation may be harmed if any such third-party provider:

•changes the features or functionality of, or fails to make updates to its services, applications and platforms in a manner adverse to us;

•discontinues or limits our solutions' access to its systems or services;

•suffers a security incident or other incident, including one that requires us to discontinue integration with its systems, or services or results in a compromise of our systems or services;

•experiences staffing shortages or other operational challenges, including as a result of challenging economic conditions, which interferes with their ability to implement or adequately support an integration with our solutions;

•ceases to operate;

•terminates or does not allow us to renew or replace our existing contractual relationships on the same or better terms;

•modifies its terms of service or other policies, including fees charged to, or other restrictions on, us or our customers; or

•establishes more favorable relationships with one or more of our competitors or acquires one or more of our competitors and offers competing services.

Table of Contents

Such events or circumstances could delay, limit or prevent us from integrating our solutions with these third-party systems or services, which could impair the functionality of our solutions, prohibit the use of our solutions or limit our ability to sell our solutions to customers, each of which could harm our business. If we are unable to integrate with such third-party systems or services because of changes to or restricted access to the systems or services by such third parties during the terms of existing agreements with customers using such third-party systems or services, we may not be able to meet our contractual obligations to customers, which may result in disputes with customers and harm to our business. In addition, if any such third-party providers experience an outage, our solutions integrated with such systems or services may not function properly or at all, and our customers may be dissatisfied with our solutions. If the systems or services of such third-party providers have performance or other problems, such issues may reflect poorly on us and the adoption and renewal of our solutions and our business may be harmed. Although we or our customers may be able to switch to alternative technologies if a provider's systems or services were unreliable or if a provider was to limit customer access and utilization of its data or the provider's functionality, our business could nevertheless be harmed due to the risk that our customers could reduce their use of our solutions.

Our solutions are inherently complex and from time-to-time have had and may in the future contain defects or errors, particularly when first introduced or as new functionality is released. The volume and dollar amount of payment transactions and interest, principal or balance amounts that we, our customers and our third-party partners process and calculate is significant and continues to grow. Certain of our solutions also calculate dollar amounts, including interest, principal, remaining balance and payment amounts on loans, and in certain circumstances our solutions serve as the system of record on which our customers rely to instruct and inform End Users of amounts they must pay and their associated remaining balances. Additionally, certain of these solutions are designed to be configurable by our customers and their ability to perform as intended can be affected by the manner in which our customers use or configure the solution. From time-to-time we discover, and may in the future discover, defects or errors in our solutions or the solutions of our third-party partners, as well as unanticipated processing errors resulting from customer use or behavior. In addition, due to changes in regulatory requirements relating to our customers or to technology providers to financial services providers like us, we may discover deficiencies in our or our third-party partners' software processes related to those requirements. Material performance problems or defects in our solutions might arise in the future.

Such errors, defects, other performance problems, or disruptions in service to provide bug fixes or upgrades, whether in connection with day-to-day operations or otherwise, can be costly and complicated for us to remedy, cause damage to our customers' businesses and to their End Users and harm our reputation. Additionally, certain of our solutions are hosted by our customers or third-party resellers, resulting in our inability to directly access and monitor the data being processed by and our customers' use of such solutions. When any such solutions being hosted by our customers or third-party resellers encounter errors, defects or other performance problems, it can be difficult and costly to assess the issues properly and apply fixes, including because we must rely on the assistance and records of our customers or third-party resellers, as applicable. If the continuity of operations, integrity of processing, or ability to detect or prevent fraudulent payments were compromised in connection with payments transactions, we could suffer financial as well as reputational loss. In addition, if we have any such errors, defects or other performance problems, our customers could seek to terminate their agreements, elect not to renew their subscriptions, delay or withhold payment or make claims against us. Such errors, defects or other problems could also result in reduced sales or a loss of, or delay in, the market acceptance of our solutions.

Moreover, software development is time-consuming, expensive, complex and requires regular maintenance. Unforeseen difficulties can arise. If we do not complete our periodic maintenance according to schedule or if customers are otherwise dissatisfied with the frequency or duration of our maintenance services, customers could elect not to renew, or delay or withhold payment to us or cause us to issue credits, make refunds or pay penalties. Because our solutions are often customized and deployed on a customer-by-customer basis, rather than through a multi-tenant SaaS method of distribution, applying bug fixes, upgrades or other maintenance services may require updating each instance of our solutions, including a variety of different versions of our solutions. This could be time consuming and cause us to incur significant expense and may require the involvement of our customers, which potentially increases the technical delivery risk. We might also encounter technical obstacles, and it is possible that we discover problems that prevent our solutions from operating properly. As a result of the complexity of our solutions and the complex needs of our customers, our customers depend on our technical resources to develop reliable and secure solutions and to resolve any technical issues relating to our solutions. Our ability to deliver our

Table of Contents

solutions is dependent on our software development lifecycle management processes, including with respect to our change management processes, which impact our ability to effectively develop our solutions and to identify, track, test, manage and implement changes to our solutions. As a result, our solutions require an ongoing commitment of significant resources to maintain and enhance them and to develop new solutions in order to keep pace with continuing changes in information technology, emerging cybersecurity risks and threats, evolving industry and regulatory standards and changing preferences of our customers. If our solutions do not function reliably or fail to achieve customer expectations in terms of performance, customers could seek to cancel their agreements with us and assert liability claims against us, which could damage our reputation, impair our ability to attract or maintain customers, harm our results of operations or have an adverse impact on our financial performance.

We rely on hardware and services that we purchase or lease and software, including open-source software, that we develop or license from, or that is hosted by third parties, to offer our solutions. In addition, we obtain licenses from third parties to use intellectual property associated with the development of our solutions. These licenses might not continue to be available to us on acceptable terms, or at all. These third-party providers may in the future choose not to continue to support certain of the hardware, software or services we license. We also may in the future choose to discontinue the use of the hardware, services or software we acquire or license from such third-party providers, which may require that we pay termination fees or recognize related accounting charges or impairments. The loss of the right or ability to use all or a significant portion of our third-party hardware, services or software required for the development, maintenance and delivery of our solutions could result in delays in the provision of our solutions until we develop or identify, obtain and integrate equivalent technology, which could harm our business.

Any errors or defects in the hardware, services or software we use could result in errors, interruptions or a failure of our solutions. Although we believe that there are alternatives, any significant interruption in the availability of all or a significant portion of such hardware, services or software could have an adverse impact on our business unless and until we can replace the functionality provided by these products at a similar cost. Furthermore, such hardware, services and software may not be available on commercially reasonable terms, or at all. The loss of the right to use all or a significant portion of such hardware, services or software could limit access to our solutions. Additionally, we rely upon third parties' abilities to enhance their current products, develop new products on a timely and cost-effective basis and respond to emerging industry standards and other technological changes. We may be unable to influence changes to such third-party technologies, which may prevent us from rapidly responding to evolving customer requirements. We also may be unable to replace the functionality provided by the third-party software currently offered in conjunction with our solutions in the event that such software becomes obsolete or incompatible with future versions of our solutions or is otherwise not adequately maintained or updated.

We have migrated the computing, storage and processing of our digital banking platform solutions from our third-party data centers to third-party public cloud service providers and any challenges or difficulties with such migration could adversely affect our and our customers' business.

We have migrated the hosting of the computing, storage and processing of our digital banking platform solutions from our third-party data centers to third-party public cloud service providers. In certain cases, operating our solutions with third-party public cloud service providers requires changes to our solutions to allow for optimal operation of the solution when hosted by the third-party public cloud service provider, and such changes can vary significantly from customer to customer depending upon the particular design and combination of services they use and offer, including integrations to third-party services over which we have little or no control. The migration required planned downtime to transfer our customers' environments to the public cloud, and while we planned this migration extensively and conducted this migration carefully and methodically, we or our customers could experience unforeseen subsequent challenges or difficulties including outages, service delays, defects or errors from the migration or changes to our solutions that we implemented to enable it. Additionally, such migration may not achieve the anticipated cost savings or technical advantages.

Our ability to operate effectively depends, in part, on the availability, security, and resilience of these third-party platforms and the providers' continued compliance with applicable contractual, legal, and regulatory requirements. Disruptions, outages, cyber incidents, data loss, or other security events affecting our third-party public cloud service providers could impair our ability to access critical systems or data, interrupt customer services, or result in the unauthorized access to or disclosure of sensitive information. In addition, changes in a provider's business, financial condition, service offerings, or contractual terms, or a decision by a provider to limit or discontinue services, could require us to incur additional costs or transition to alternative solutions, which may be time-consuming and complex. Additionally, heightened supervisory expectations or new regulatory requirements may require us to enhance governance, monitoring, contractual protections, or contingency planning related to these arrangements, which could increase costs or limit flexibility in how we use such services.

Table of Contents

We depend on third-party public cloud service providers and third-party Internet service providers, and any disruption in the operation of these services or access to the Internet have in the past and could in the future adversely affect our business.

We operate our digital banking platform on third-party public cloud infrastructure, with Amazon Web Services, or AWS, and Microsoft Azure serving as our primary cloud providers. Our digital lending and relationship pricing solutions, along with select digital banking platform components, are hosted natively in third-party public cloud environments. We have completed the migration of our digital banking platform, including the core computing, storage and processing capabilities, from privately operated data centers to public cloud infrastructure. Our reliance on these providers and their systems is significant. These problems may be caused by a variety of factors, including infrastructure changes, hardware failures, human or software errors, viruses, security attacks, fraud, operational disruption, spikes in customer usage and denial of service issues. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. They also could be subject to break-ins, computer viruses, sabotage, intentional acts of vandalism and other misconduct.

We also depend on third-party Internet service providers and continuous and uninterrupted access to the Internet through third-party bandwidth providers to operate our business. If we lose the services of one or more of our Internet service or bandwidth providers for any reason or if their services are disrupted, for example due to viruses or denial of service or other attacks on their systems, or due to human error, intentional bad acts, power loss, hardware failures, telecommunications failures, fires, wars, terrorist attacks, floods, earthquakes, hurricanes, tornadoes, pandemics or similar catastrophic events, we could experience disruption in our ability to offer our solutions and adverse perception of our solutions' reliability, or we could be required to retain the services of replacement providers, which could increase our operating costs and harm our business and reputation. Prolonged interruption in the availability, or reduction in the speed or other functionality, and frequent or persistent interruptions in our solutions could cause customers to believe that our solutions are unreliable, leading them to switch to our competitors or to avoid our solutions, which could also harm our business and reputation.

A disruption at a key vendor, such as a third-party public cloud service provider, third-party Internet service provider, software update distributor or cybersecurity firm, could impair our systems or our clients' ability to access our platforms. Because certain cloud and hosting services are provided by a limited number of large providers, an extended or widespread outage at a major provider could have a disproportionate impact on our operations, even if the outage is not specific to our systems. In such circumstances, our ability to implement timely workarounds or migrate affected workloads may be constrained, which could increase the duration or severity of operational disruption. Major global outages caused by faulty updates from a cybersecurity vendor have historically resulted in widespread service interruptions across multiple industries. A similar event affecting our vendors could cause outages in client-facing applications, transaction processing delays or data access issues, which could damage client confidence, lead to contractual penalties, and adversely affect our financial performance.

If we fail to manage our growth effectively or experience an unexpected decline in our growth rate, we may be unable to execute our business strategy, maintain high levels of service and customer satisfaction or adequately address competitive challenges, and our financial performance and operating results may be adversely affected.

We intend to further expand our overall business, customer base, and number of employees. The growth in our business, our management of a growing international workforce and customer base and the stress of such growth on our internal controls and systems generally requires substantial management effort, infrastructure and operational capabilities. To support our growth, we must continue to improve our management's resources and operational and financial controls and systems, and these improvements may increase our expenses more than anticipated and result in a more complex business, and our failure to timely and

Table of Contents

effectively implement these improvements could have an adverse effect on our operations and financial results. In addition, selling our solutions to larger customers and the increased breadth of our solution offerings and the types of customers we serve may result in greater uncertainty and variability in our business and sales results. We also will have to anticipate the necessary expansion of our relationship management, implementation, customer service and other personnel to support our growth and maintain high levels of customer service and satisfaction, particularly as we sell to larger customers that have heightened levels of complexity in their hardware, software and network infrastructure needs and as we sell a broader range of solutions to a broader and larger set of customers. Our success will depend on our ability to plan for and manage this growth effectively and to address challenges to our growth model resulting from rapid changes in economic conditions. If we fail to anticipate and manage our growth or are unable to provide high levels of system performance and customer service, our reputation, as well as our business, results of operations and financial condition, could be harmed.

Our sales cycle can be unpredictable, time-consuming and costly, which could harm our business and operating results.

Our sales process involves educating prospective customers and existing customers about the use, technical capabilities, implementation timelines and benefits of our solutions and services. Prospective customers, especially larger financial services providers, often undertake a prolonged evaluation process, which typically involves not only our solutions, but also those of our competitors and lasts from six to nine months or longer. We may spend substantial time, effort and money on our sales and marketing efforts without any assurance that our efforts will produce any sales. It is also difficult to predict the level and timing of sales opportunities that come from our partners and resellers.

Events affecting our customers' businesses have and may continue to occur during the sales cycle that could impact the size or timing of a purchase, contributing to more unpredictability in our business and operating results. Such events have and may continue to cause our customers or partners to delay, reduce, or even cancel planned digital financial services spending and impact our business and operations. If customers or partners significantly reduce their spending with us or significantly delay or fail to make payments to us, our business, results of operations, and financial condition would be materially adversely affected, and as a result of our sales cycle, subscription model and our revenue recognition policies, the effects of such reductions or delays on our results of operations may not be fully reflected for some time.

If the market for our solutions develops more slowly than we expect or changes in a way that we fail to anticipate, our sales would suffer and our operating results would be harmed.

The market for financial services has been dramatically changing, and we do not know whether financial institutions and other financial services providers will adopt or continue to adopt our existing and new solutions or whether the market will change in ways that we do not anticipate. Many potential customers believe switching providers involves too many potential disadvantages such as disruption of business operations, loss of accustomed functionality, and increased costs (including conversion and transition costs). Furthermore, some financial institutions may be reluctant or unwilling to use a cloud-based solution over concerns such as the security of their data and reliability of the delivery model. These concerns or other considerations may cause financial institutions to choose not to adopt cloud-based solutions such as ours or to adopt alternative solutions, either of which could harm our operating results. We attempt to overcome these concerns through value enhancing strategies such as a flexible integration process, continued investment in the enhanced functionality and features of our solutions, and investing in new innovative solutions.

Our future success also depends on our ability to sell new solutions and enhanced solutions to our current and new customers. If the market for our solutions does not continue to evolve in the manner in which we believe it will or if our newer solutions are not adopted by our current and prospective customers, our future business prospects may be negatively impacted. In addition, promoting and selling new and enhanced solutions may require increasingly costly sales and marketing efforts, and if customers choose not to adopt these solutions, our business could suffer.

Table of Contents

If we are unable to attract new customers, continue to broaden our existing customers' use of our solutions or renew existing relationships with customers or partners, our business, financial condition and results of operations could be materially and adversely affected.

To increase our revenues, we will need to continue to attract new customers and encourage current customers to expand the utilization of our solutions or agree to price increases associated with existing solutions. In addition, for us to maintain or improve our results of operations, it is important that our customers renew their subscriptions with us on similar or more favorable terms to us when their existing subscription term expires.

We have and may continue to face unexpected implementation challenges related to the complexity of our customers' implementation and integration requirements, particularly implementations for larger customers with more complex requirements in their hardware, software and network infrastructure needs. Our implementation expenses increase when customers have unexpected data, hardware or software technology challenges, or complex or unanticipated business or regulatory requirements. In addition, our customers in some cases may require complex acceptance testing related to the implementation of our solutions. Implementations often involve integration with or conversion of customers off of systems and services of third parties over which we do not have control. We may also experience implementation inefficiencies, delays, or increased costs associated with the introduction or expansion of new delivery tools, automation, or AI-assisted capabilities, including risks related to adoption, performance, training, change management, or integration with existing processes.

Implementation delays may require us to delay revenue recognition under the related customer agreement longer than expected. Further, because we do not fully control our customers’ implementation schedules, if our customers do not allocate the internal resources necessary to meet implementation timelines or if there are unanticipated implementation delays or difficulties, our revenue recognition may be delayed.

Our business could be adversely affected if our customers are not satisfied with our solutions, particularly as we introduce new products and solutions, or our systems, infrastructure and resources fail to meet their needs.

Our business depends on our ability to satisfy our customers and meet their business needs. Our customers use a variety of network infrastructure, hardware and software, which typically increases in complexity the larger the customer is, and our solutions must support the specific configuration of our customers' existing systems, including in many cases the solutions of third-party providers. If our solutions do not currently support a customer's required data format or appropriately integrate with a customer's applications and infrastructure, then we must configure our solutions to do so, which could negatively affect the performance of our systems and increase our expenses and the time it takes to implement our solutions. Any failure of or delays in our systems or resources could cause service interruptions or impaired system performance. Some of our customer agreements require us to issue credits for downtime in excess of certain thresholds, and in some instances give our customers the ability to terminate the agreements in the event of significant amounts of downtime, or if we experience other defects with our solutions. If sustained or repeated, these performance issues could reduce the attractiveness of our solutions to new and existing customers, cause us to lose customers, and lower renewal rates for existing customers, each of which could adversely affect our revenue and reputation.

Table of Contents

If the use of our solutions increases, or if our customers demand more advanced features from our solutions, we will need to devote additional resources to improving our solutions, and we also may need to expand our technical infrastructure and related resources at a more rapid pace than we have in the past. It takes a significant amount of time to plan, develop and test changes to our solutions and related infrastructure and resources, and we may not be able to accurately forecast demand or predict the results we will realize from such improvements. There are inherent risks associated with changing, upgrading, improving and expanding our technical infrastructure and related resources. Any failure of our solutions to operate effectively with future infrastructure and technologies could reduce the demand for our solutions, resulting in customer dissatisfaction and harm to our business. Also, any expansion of our infrastructure and related resources would likely require that we appropriately scale our internal business systems and services organization, including implementation and customer support services, to serve our growing customer base. If we are unable to respond to these changes or fully and effectively implement them in a cost-effective and timely manner, our service may become ineffective, we may lose customers, and our operating results may be negatively impacted.

Growth of our business depends on a strong brand and any failure to maintain, protect and enhance our brand could hurt our ability to retain or expand our base of customers.

We believe that a strong brand is necessary to continue to attract and retain customers. We need to maintain, protect and enhance our brand in order to expand our customer base. This depends largely on the effectiveness of our marketing efforts, our ability to provide reliable solutions that continue to meet the needs of our customers at competitive prices, our ability to maintain our customers’ trust, our ability to implement and support our solutions, our ability to continue to develop new functionality and use cases, and our ability to successfully differentiate our solutions and their capabilities from competitive products and services, which we may not be able to do effectively. While we may choose to engage in a broader marketing campaign to further promote our brand, this effort may not be successful or cost effective. Our brand promotion activities may not generate customer awareness or yield increased revenues, and even if they do, any increased revenues may not offset the expenses we incur in building our brand. If we are unable to maintain or enhance customer awareness in a cost-effective manner, our brand and our business, financial condition and results of operations could be materially and adversely affected.

Our corporate reputation is susceptible to damage by actions or statements made by adversaries in legal proceedings, current or former employees or customers, competitors and vendors, partners, as well as members of the investment community and the media. There is a risk that negative information about our company, even if based on false rumor or misunderstanding, could adversely affect our business. In particular, damage to our reputation could be difficult and time-consuming to repair, could make potential or existing customers reluctant to select us for new engagements, resulting in a loss of business, and could adversely affect our employee recruitment and retention efforts. Damage to our reputation could also reduce the value and effectiveness of our brand name and could reduce investor confidence in us and materially and adversely affect our business, financial condition and results of operations.

The markets in which we participate are competitive, and pricing pressure, new technologies or other competitive dynamics could adversely affect our business and operating results.

We currently compete with providers of technology and services in the financial services industry, including point system vendors, core processing vendors and systems internally developed by financial services providers. With respect to our digital banking platform, we have several point solution competitors, including Candescent, Alkami Technology, CSI, Backbase and Lumin Digital in the online, consumer and SMB banking space and Finastra and Bottomline Technologies in the commercial banking space. With respect to our Helix solution, we primarily compete with Galileo Financial Technologies, Marqeta and Green Dot in the BaaS and embedded finance markets, and we compete with Finxact, a Fiserv company, Nymbus, Mambu and Thought Machine Group in the cloud-core markets. Some of our competitors have significantly more financial, technical, marketing and other resources than we have, may devote greater resources to the promotion, sale and support of their systems than we can, have more extensive customer bases and broader customer relationships than we have and have longer operating histories and greater name recognition than we have. In addition, some of our competitors expend more funds on research and development, which may allow them to introduce new and improved technologies and services more frequently than us.

Table of Contents

We also may face competition from new companies entering our markets, which may include large established businesses that decide to develop, market or resell competitive solutions, acquire one of our competitors or form a strategic alliance with one of our competitors. In addition, new companies entering our markets may choose to offer competitive solutions at little or no additional cost to the customer by bundling them with their existing applications, including adjacent financial services technologies and core processing software. New entrants to the markets we serve might also include financial services providers developing financial services solutions and other technologies, including solutions built using competing BaaS solutions or open API platforms. Competition from these new entrants may make our business more difficult and adversely affect our results.

If we are unable to compete in this environment, sales and renewals of our solutions could decline and adversely affect our business, operating results and financial condition. With the introduction of new technologies and potential new entrants into the markets for our solutions, competition could intensify in the future, which could harm our ability to increase sales and achieve profitability. Our industry has also experienced recent consolidations which we believe may continue. Any further consolidation our industry experiences could lead to increased competition and result in pricing pressure or loss of market share, either of which could have a material adverse effect on our business, limit our growth prospects or reduce our revenues.

We do not have any control over the availability or performance of salesforce.com's Force.com with another platform, which could be difficult and costly.

Our Symphonix lending platform runs on salesforce.com's Force.com platform, and we do not have any control over the Force.com platform or the prices salesforce. Salesforce.com may discontinue or modify Force. If salesforce. Additionally, we may not be able to honor commitments we have made to our customers and we may be subject to breach of contract or other claims from our customers.

In addition, we do not control the performance of Force.com. If Force. If salesforce.com has performance or other problems with its Force.com platform or its operations generally, they will reflect poorly on us and the adoption and renewal of certain of our Symphonix lending platform and our business may be harmed.

If we fail to provide effective customer training on our solutions and high-quality customer support, our business and reputation would suffer.

Effective customer training on our solutions and high-quality, ongoing customer support are important to the successful marketing and sale of our solutions, for the renewal of existing customer agreements and for the remediation of any defects or issues with our solutions or the manner in which they are being used. Providing this training and support requires that our customer training and support personnel have Q2 solutions and financial services knowledge and expertise, which can make it difficult for us to hire qualified personnel and scale our training and support operations. The demand on our customer support organization has and will continue to increase as we expand our business, offer new and more complex solutions and pursue new and larger customers, and such increased support could require us to devote significant development services and support personnel, which could strain our team and infrastructure and reduce our profit margins. From time to time, customer support cases can include product issues or defects which involve inconvenience or financial harm for our customers or End Users. If we do not help our customers quickly resolve any post-implementation product or support issues and provide effective ongoing customer support, our customers or End Users may incur further inconvenience or may not be able to remediate or limit resulting financial harm, and our ability to sell additional solutions to existing and future customers could suffer and our reputation could be harmed.

Consequences related to our development and use of AI may result in reputational harm or liability.

AI algorithms and training methodologies may create accuracy issues, unintended biases and other unexpected outcomes. Ineffective or inadequate AI development or deployment practices by us or others could result in incidents that impair the accuracy and acceptance of AI-based solutions or cause harm to individuals or customers, creating perceived or actual technical, legal, compliance, privacy, security and ethical risks, which could subject us to competitive harm, regulatory action, legal liability and

Table of Contents

brand or reputational harm. These incidents could include explainability risk whereby our potential inability to interpret, articulate or justify the decision-making processes of AI models, compounded by challenges in achieving replicability of outcomes due to the adaptive nature of AI learning, where identical inputs may not always yield repeatable or consistent outputs, and may lead to concerns about trust, regulatory compliance and accountability. Further, incorporating AI into our solutions may increase our risk of litigation and risk of non-compliance, as AI is an emerging technology for which the legal and regulatory landscape is not fully developed.

While we aim to use AI ethically and attempt to identify and mitigate ethical or legal issues presented by its use, we may be unsuccessful in identifying or resolving issues before they arise. Additionally, we may experience challenges related to implementing and maintaining AI tools, such as developing and maintaining appropriate datasets for such support and internal controls related to their use as well as active management of infrastructure and related costs as AI capabilities increase in the industry. Use of AI for business operations also involves the risk of infringing third-party intellectual property rights. Further, dependence on AI may introduce additional operational vulnerabilities by impacting our relationships with customers, partners and suppliers, by producing inaccurate outcomes based on flaws in the underlying data or other unintended results. Our competitors or other third-parties may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively.

Additionally, AI model health presents a growing risk to our business and operations. As we develop, test, deploy and operate AI models that are integrated with or support our products and services, these models must remain compliant with evolving regulatory and model risk management requirements and fit for purpose over time. Gaps in security, evaluation rigor, repeatability, or traceability could produce biased or inaccurate outputs, trigger regulatory scrutiny, harm customers or erode trust. Weak governance, documentation or monitoring could further limit our ability to explain model behavior, demonstrate compliance or respond effectively to incidents, which could adversely affect our financial condition and reputation.

The markets for our solutions are characterized by rapid technological advancements, changes in customer requirements and technologies, frequent new product introductions and enhancements and changing regulatory requirements. The life cycles of our solutions are difficult to estimate. Rapid technological changes and the introduction of new products and enhancements by new or existing competitors or large financial services providers could undermine our current market position. Other means of digital financial services solutions may be developed or adopted in the future, and our solutions may not be compatible with these new technologies. In addition, the technological needs of, and services provided by, customers may change if they or their competitors offer new services to End Users. Maintaining adequate research and development resources to meet the demands of the markets we serve is essential. The process of developing new technologies and solutions is complex and expensive. The introduction of new solutions by our competitors, the market acceptance of competitive solutions based on new or alternative technologies or the emergence of new technologies or solutions in the broader financial services industry could render our solutions obsolete or less effective.

Additionally, AI, including generative AI and autonomous decisioning technologies, is evolving rapidly and may significantly alter how financial technology products and services are developed, distributed and consumed. AI-enabled offerings may reduce demand for our products and services, compress pricing, weaken customer relationships or shift value creation away from regulated financial institutions toward technology providers.

The success of any enhanced or new solution depends on several factors, including timely completion, adequate testing and market release and acceptance of the solution. Any new solutions that we develop or acquire may not be introduced in a timely or cost-effective manner, may contain defects or may not achieve the broad market acceptance necessary to generate significant revenues. If we are unable to anticipate customer requirements or work with our customers successfully on implementing new solutions or features in a timely manner or enhance our existing solutions to meet our customers' requirements, our business and operating results may be adversely affected.

Table of Contents

If we fail to effectively maintain or expand our sales and marketing capabilities and teams, as necessary, including through partner relationships, we may not be able to increase our customer base and achieve broader market acceptance of our solutions.

Increasing our customer base and achieving broader market acceptance of our solutions will depend on our ability to maintain and potentially expand our sales and marketing organizations and their abilities to obtain new customers and sell additional solutions and services to new and existing customers. We believe there is significant competition for direct sales professionals with the skills and knowledge that we require, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future. Our ability to achieve significant future revenue growth may depend on our success in recruiting, training and retaining a sufficient number of direct sales professionals, as well as our ability to deploy our existing sales and marketing resources efficiently. New hires may require significant training and time before they become fully productive and may not become as productive as quickly as we anticipate. As a result, the cost of hiring and carrying new representatives cannot be offset by the bookings and revenues they produce for a significant period of time. Our growth prospects will be harmed if our efforts to expand, train and retain our direct sales team do not generate a corresponding increase in revenues. Additionally, if we fail to sufficiently invest in our marketing programs or they are unsuccessful in creating market awareness of our company and solutions, our business may be harmed and our sales opportunities limited.

In addition to our direct sales team, we also extend our sales distribution through formal and informal relationships with referral partners and resellers. While we are not substantially dependent upon referrals and sales from any partner, our ability to grow revenue in the future may depend upon continued referrals from our partners and growth of the network of our referral partners. These partners are under no contractual obligation to continue to refer business to us, nor do these partners have exclusive relationships with us and may choose to instead refer potential customers to our competitors. We cannot be certain that these partners will prioritize or provide adequate resources for promoting our solutions or that we will be successful in maintaining, expanding or developing our relationships with referral partners. Our competitors may be effective in providing incentives to third parties, including our partners, to favor their solutions or prevent or reduce subscriptions to our solutions either by disrupting our relationships with existing customers or limiting our ability to win new customers. Establishing and retaining qualified partners and training them with respect to our solutions requires significant time and resources. If we are unable to devote sufficient time and resources to establish and train these partners or if we are unable to maintain successful relationships with them, we may lose sales opportunities and our revenues could suffer.

We rely on our management team and other key employees to grow our business, and the loss of one or more key employees or an inability to hire, integrate, train and retain qualified personnel could harm our business.

Our success and future growth depend upon the continued services of our management team, in particular our Chief Executive Officer, and other key employees, including in the areas of research and development, marketing, sales, services and general and administrative functions. From time to time, there may be changes in our management team resulting from the hiring or departure of executives, which could disrupt our business. We also are dependent on the continued service of our existing development professionals because of the complexity of our solutions, including complexity arising as a result of the regulatory requirements that are applicable to our customers and the pace of technology changes impacting our customers and their End Users. We may generally terminate any employee's employment at any time, with or without cause, subject to local laws in particular non-U.S. jurisdictions, and any employee may resign at any time, with or without cause; however, our employment agreements with our named executive officers provide for the payment of severance under certain circumstances. We also have entered into employment agreements with our other executive officers which provide for the payment of severance under similar circumstances as in our named executive officers' employment agreements. The loss of one or more of our key employees could harm our business.

If we fail to attract, hire and integrate qualified new employees, motivate and retain existing personnel, or maintain a highly skilled and diverse global workforce, our business and future growth prospects could be harmed. In particular, we compete with many other companies for executive officers, software developers with high levels of experience in designing, developing and managing software, as well as skilled sales and operations professionals and knowledgeable customer support professionals, and we may not be successful in attracting the professionals we need. We have from time-to-time experienced, and we may experience in the future, difficulty in hiring and retaining highly skilled employees with appropriate qualifications. Qualified individuals are usually in high demand, and we may incur incremental costs to attract and retain them. We have hired and continue to hire personnel in countries where technical knowledge and other expertise are offered at lower costs than in the U.S., which increases the efficiency of our global workforce structure and reduces our personnel related expenditures. Nonetheless, as globalization continues, competition for employees in these countries has increased, which may impact our ability to retain these employees and increase our compensation-related expenses. We may be unable to scale our infrastructure effectively or as quickly as our competitors in these markets, and our revenue may not increase sufficiently to offset these expected increases in costs, causing our results to suffer.

Table of Contents

Because our long-term success depends in part on our ability to operate our business internationally, our business is susceptible to risks associated with international operations.

We have international operations in India, Australia, Canada, the United Kingdom and Mexico. In recent years, we have expanded our international operations in order to maintain an appropriate cost structure, access a broader talent pool and meet our customers' needs, which has included opening offices in new jurisdictions. The international expansion of our operations requires significant management attention and financial resources and involves significant administrative and compliance costs. Our limited experience in operating our business in certain regions outside the U.S. increases the risk that our expansion efforts into those regions may not be successful. In particular, our business model may not be successful in particular countries or regions outside the U.S. for reasons that we currently are unable to anticipate. In addition, conducting international operations subjects us to risks that we have not generally faced in the U.S. These include, but are not limited to:

•fluctuations in currency exchange rates;

•the complexity of, or changes in, foreign regulatory requirements;

•difficulties in managing the staffing of international operations, including compliance with local labor and employment laws and regulations;

•complexities implementing and enforcing cross-border information technology and security controls;

•potentially adverse tax consequences, including the complexities of foreign value added tax systems, overlapping tax regimes, restrictions on the repatriation of earnings and changes in tax rates;

•the cost and complexity of bringing our solutions into compliance with foreign regulatory requirements, and risks of our solutions not being compliant;

•dependence on resellers and distributors to increase customer acquisition or drive localization efforts;

•the burdens of complying with a wide variety of foreign laws and different legal standards, certain of which may be significantly more burdensome than those in place in the U.S.;

•increased financial accounting and reporting burdens and complexities;

•longer payment cycles and difficulties in collecting accounts receivable;

•longer sales cycles;

•political, social and economic instability abroad;

•terrorist attacks and security concerns in general;

•failure to recruit, onboard, build and retain a talented and engaged global workforce;

•integrating personnel with diverse business backgrounds and organizational cultures;

•challenges in obtaining visas and other restrictions on international travel;

•difficulties entering new non-U.S. markets due to, among other things, consumer acceptance and business knowledge of these new markets;

•constraints of remote working by employees;

•reduced or varied protection for intellectual property rights in some countries; and

•the risk of U.S. regulation of foreign operations.

The occurrence of any one of these risks could negatively affect our international business and, consequently, our operating results. We cannot be certain that the investment and additional resources required to establish, acquire or integrate operations in other countries will produce desired levels of revenue or profitability. If we are unable to effectively manage our expansion into additional geographic markets, our financial condition and results of operations could be harmed.

Table of Contents

In particular, we operate some of our research and development activities internationally and outsource a portion of the coding and testing of our products and product enhancements to contract development vendors. We believe that performing research and development in our international facilities and supplementing these activities with our contract development vendors enhances the efficiency and cost-effectiveness of our product development. If we experience problems with our workforce or facilities internationally, we may not be able to develop new products or enhance existing products in an alternate manner that may be equally or less efficient and cost-effective. In addition, if information technology and security controls we have implemented to address risks posed by research and development activities outside of the U.S. are breached or are otherwise ineffective, our intellectual property or technical infrastructure could be compromised or stolen and we could be subjected to cyberattacks or intrusions.

We also may enter into relationships with other businesses to expand our solutions, which could involve preferred or exclusive licenses and additional channels of distribution. Negotiating any acquisition, investment or alliance, or any divestiture opportunity, can be time-consuming, difficult and expensive, and our ability to close these transactions may be subject to approvals that are beyond our control. We may not be able to find and identify desirable additional acquisition targets, we may incorrectly estimate the value of an acquisition target, and we may not be successful in entering into an agreement with any particular target or identified purchaser for divestiture opportunities. Consequently, these transactions, even if undertaken and announced, may not close.

We may not achieve the anticipated benefits from our past acquisitions or any additional businesses we acquire due to a number of factors, including:

•our inability to integrate, manage or benefit from acquired operations, technologies or services;

•our inability to successfully sell and maintain the solutions of the acquired business;

•unanticipated costs or liabilities associated with the acquisition, including the assumption of liabilities or commitments of the acquired business that were not disclosed to us or that exceeded our estimates;

•difficulty integrating the technology, accounting systems, operations and personnel of the acquired business;

•difficulties and additional expenses associated with supporting and modernizing legacy solutions, security architecture and hosting infrastructure of the acquired business;

•uncertainty of entry into markets in which we have limited or no prior experience or in which competitors have stronger market positions;

•difficulty converting the customers of the acquired business to our solutions and contract terms, including disparities in the revenues, licensing, support or professional services model of the acquired company;

•diversion of management's attention to other business concerns;

•adverse effects to our existing business relationships with business partners and customers as a result of the acquisition or divestiture;

•use of resources that are needed in other parts of our business;

•the use of a substantial portion of our cash that we may need to operate our business and which may limit our operational flexibility and ability to pursue additional strategic transactions;

•the issuance of additional equity securities that would dilute the ownership interests of our stockholders;

•incurrence of debt on terms unfavorable to us or that we are unable to repay;

•incurrence of large charges or substantial liabilities;

•our inability to apply and maintain internal standards, controls, procedures and policies with respect to the acquired businesses;

Table of Contents

•difficulties retaining key employees of the acquired company or integrating diverse software codes or business culture; and

•becoming subject to adverse tax consequences, substantial depreciation or deferred compensation charges.

In addition, a significant portion of the purchase price of companies we acquire may be allocated to acquired goodwill and other intangible assets, which must be assessed for impairment at least annually. In the future, if our acquisitions do not yield expected returns, we may be required to take charges to our operating results based on this impairment assessment process, which could adversely affect our results of operations.

Financial and Accounting-Related Risks

Because we recognize revenues from a significant portion of our solutions over the terms of our customer agreements, the impact of changes in the subscriptions for such solutions will not be immediately reflected in our operating results, and rapid growth in our customer base may adversely affect our operating results in the short term since we expense a substantial portion of implementation costs as incurred.

We generally recognize revenues monthly over the terms of our customer agreements. The initial term of our digital banking platform agreements averages over five years, although it varies by customer. As a result, the substantial majority of the revenues we report in each quarter are related to agreements entered into during previous quarters. Consequently, a change in the level of new customer agreements or implementations in any quarter may have a small impact on our revenues in that quarter but will primarily affect our revenues in future quarters. Accordingly, the effect of significant downturns in sales and market acceptance of our solutions, or changes in our rate of renewals may not be fully reflected in our results of operations until future periods. Our subscription model and the proportion of our subscription revenues to our total revenues also make it difficult for us to rapidly increase our revenues through additional sales in any period.

Additionally, we recognize our expenses over varying periods based on the nature of the expense. In particular, we recognize a substantial portion of implementation expenses as incurred even though we recognize the revenues over extended periods. As a result, we may report poor operating results in periods in which we are incurring higher implementation expenses related to revenues that we will recognize in future periods, including implementations for larger customers that have heightened levels of complexity in their hardware, software and network infrastructure needs. Alternatively, we may report better operating results in periods due to lower implementation expenses, but such lower expenses may be indicative of slower revenue growth in future periods. As a result, our expenses may fluctuate as a percentage of revenues and changes in our business generally may not be immediately reflected in our results of operations.

We may experience quarterly fluctuations in our operating results or key operating measures due to a number of factors, which makes our future results difficult to predict and could cause our operating results or key operating measures to fall below expectations or our guidance.

Our quarterly operating results and key operating measures have fluctuated in the past and are expected to fluctuate in the future due to a variety of factors, many of which are outside of our control. As a result, comparing our operating results or key operating measures on a period-to-period basis may not be meaningful. Our past results may not be indicative of our future performance. In addition to the other risks described in this report, factors that may affect our quarterly operating results or key operating measures include the following:

•the addition or loss of customers, including through acquisitions, consolidations or failures;

•the timing of large subscriptions and customer terminations, renewals or failures to renew;

•the amount of use of our solutions in a period and the amount of any associated transactional revenues and expenses;

•the amount and timing of professional service engagements and associated revenues and expenses;

•budgeting cycles of our customers and changes in spending on solutions by our current or prospective customers;

•seasonal variations in sales of our solutions, which may be lower in the first half of the calendar year;

•changes in the competitive dynamics of our industry, including consolidation among competitors, changes to pricing or the introduction of new products and services that limit demand for our solutions or cause customers to delay purchasing decisions;

•the amount and timing of cash collections from our customers;

Table of Contents

•long or delayed implementation times for new customers, including larger customers with more complex requirements, or other changes in the levels of customer support we provide;

•the timing and predictability of sales of our solutions and the impact that the timing of bookings may have on our revenue and financial performance in a period;

•the timing of customer payments and payment defaults by customers, including any buyouts by customers of the remaining term of their contracts with us in a lump sum payment that we would have otherwise recognized over the term of those contracts, and any costs associated with impairments of related contract assets;

•changes in actual customer usage or projected customer usage of our solutions;

•the amount and timing of our operating costs and capital expenditures;

•changes in tax rules or the impact of new accounting pronouncements;

•general economic conditions or conditions in the financial services industry that may adversely affect our customers' ability or willingness to purchase solutions, delay a prospective customer's purchasing decision, reduce our revenues from customers or affect renewal rates;

•natural disasters or public health emergencies and their effect on the operations of us, our customers, our third-party providers and on the overall economy;

•impairment charges related to long-lived assets;

•unexpected expenses such as those related to non-recurring corporate transactions, litigation or other disputes, or changes in claim trends on our workers' compensation, unemployment, disability and medical benefit plans may negatively impact our operating costs;

•the timing of stock awards to employees and related adverse financial statement impact of having to expense those stock awards over their vesting schedules; and

•the amount and timing of costs associated with recruiting, hiring, training and integrating new employees, many of whom we hire in advance of anticipated needs.

Any one of the factors above, or the cumulative effect of some or all of the factors referred to above, may result in significant fluctuations in our quarterly and annual results of operations. This variability and unpredictability could result in our failure to meet our internal operating plan. Additionally, the price of our common stock might be based on expectations of investors or securities analysts of future performance that are inconsistent with our actual growth opportunities or that we might fail to meet and, if our revenues or operating results fall below expectations, the price of our common stock could decline substantially.

Table of Contents

We have a history of losses and may incur additional losses in the future.

We have incurred losses from operations in many periods since our inception in 2005. We incurred net losses of $38.5 million and $65.4 million for the years ended December 31, 2024 and 2023, respectively, and net income of $52.0 million for the year ended December 31, 2025. As of December 31, 2025, we had an accumulated deficit of $612.2 million. As we seek to continue to grow our business, including through acquisitions, we expect to incur additional sales, marketing, implementation and other related expenses, including amortization of acquired intangibles. We also expect to continue to make other investments to develop and expand our solutions and our business, including continuing to increase our marketing, services and sales operations and continuing our significant investment in research and development and our technical infrastructure, while also managing our business in response to continued challenging economic conditions, challenges in the financial services industry and any resulting economic slowdown. Our efforts to grow our business may be more costly than we expect, and we may not be able to increase our revenues enough to offset our higher operating expenses, thus making it challenging to maintain profitability. While our revenues have grown in recent periods, such growth may not be sustainable, and our revenues could decline or grow more slowly than we expect. We also may incur additional losses in the future for a number of reasons, including due to litigation and other unforeseen reasons and the risks described in this report.

As the markets for our existing solutions develop and evolve, we may be unable to attract new customers at the same price or based on the same pricing model as we have used historically. Additionally, as a result of the operational and economic challenges being faced by our customers, we could be forced to modify contractual or payment terms with our customers. Moreover, large or influential financial services providers may demand more favorable pricing or other contract terms, including termination rights. As a result, in the future we may not be able to maintain historical contract terms such as pricing and duration and instead may be required to reduce our prices or accept other unfavorable contract terms, each of which could adversely affect our revenues, gross margin, profitability, financial position and cash flow.

Our customers have no obligation to renew their subscriptions for our solutions after the expiration of the initial subscription term, and if our customers renew at all, then our customers may renew for fewer solutions or on different pricing terms. Our renewal rates may decline or fluctuate as a result of a number of factors, including our customers' satisfaction with our pricing or our solutions or their ability to continue their operations and spending levels. Additionally, certain agreements may include termination rights allowing customers to terminate their customer agreements in the event of, among other things, defects with our solutions, changes in our solution, breach by us of our obligations, requirements from regulatory authorities or a change in control of our company. If our customers terminate or do not renew their subscriptions for our solutions on similar pricing terms, our revenues may decline and our business could suffer. As we create new solutions or enhance our existing solutions to support new technologies and devices, our pricing of these solutions and related services may be unattractive to customers or fail to cover our costs.

Shifts over time in the number of End Users of our solutions, their use of our solutions and our customers' implementation and customer support needs could negatively affect our profit margins.

Our profit margins can vary depending on numerous factors, including the scope and complexity of our implementation efforts, the number of End Users on our solutions, the frequency and volume of their use of our solutions and the level of customer support services required by our customers. For example, our services offerings typically have a much higher cost of revenues compared to subscription fees for the use of our solutions, so any increase in sales of services as a proportion of our subscriptions would have an adverse effect on our overall gross margin and operating results. If we are unable to increase the number of End Users and the number of transactions they perform on our solutions, the number of End Users on our solutions or the number of transactions they perform decreases, customers fail to achieve their anticipated End User growth, the types of customers that purchase our solutions changes, or the mix of solutions purchased by our customers changes, our profit margins could decrease and our operating results could be adversely affected.

Table of Contents

The market data and forward-looking trends included in this report and other filings may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, we cannot give assurance that our business will grow at similar rates, or at all.

If the forecasts of market size, growth or anticipated spending prove to be inaccurate, our business and growth prospects could be adversely affected. Even if the forecasted size or growth proves accurate, our business may not grow at a similar rate, or at all. Our future growth is subject to many factors, including our ability to successfully execute on our business strategy, which itself is subject to many risks and uncertainties. Data and forecasts we use reflect information as of their respective publication dates and the opinions expressed in such reports are subject to change.

As of December 31, 2025, we had approximately $458.8 million of U.S. federal net operating loss carryforwards. Utilization of these net operating loss carryforwards depends on many factors, including our future income, which cannot be assured. Section 382 of the Internal Revenue Code, as amended, generally imposes an annual limitation on the amount of net operating loss carryforwards that may be used to offset taxable income when a corporation has undergone an ownership change. An ownership change is generally defined as a greater than 50% change in equity ownership by value over a 3-year period. Future ownership changes or future regulatory changes could further limit our ability to utilize our net operating loss carryforwards. To the extent we are not able to offset our future income against our net operating loss carryforwards, this would adversely affect our operating results and cash flows to the extent we are able to sustain our profitability.

Our business may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, local or other authorities to collect additional or past taxes could adversely harm our business.

We file sales and other tax returns within the U.S. and foreign jurisdictions as required by law and certain customer contracts for a portion of the solutions that we provide. Our tax liabilities with respect to sales and other taxes in various jurisdictions were approximately $1.0 million as of December 31, 2025. From time to time, we face sales and other tax audits, and we will likely continue to do so in the future. Our liability for these taxes could exceed our estimates as tax authorities could assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to such authorities.

We do not collect sales or other similar taxes in certain states and other jurisdictions, and some jurisdictions do not apply sales or similar taxes to certain solutions. State, local and foreign taxing jurisdictions have differing rules and regulations governing sales and other taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our solutions in various jurisdictions is unclear. We review these rules and regulations periodically, and when we believe we are subject to sales and other taxes in a particular jurisdiction, we may voluntarily engage tax authorities to determine how to comply with their rules and regulations. A successful assertion by one or more jurisdictions, including those for which we have not accrued tax liability, requiring us to collect sales or other taxes with respect to sales of our solutions or customer support could result in substantial tax liabilities for past transactions, including interest and penalties, discourage customers from purchasing our solutions or otherwise harm our business and operating results.

Changes in financial accounting standards or practices may cause adverse, unexpected financial reporting fluctuations and affect our reported results of operations.

Financial accounting standards may change or their interpretation may change. Changes to existing rules or the re-examining of current practices may adversely affect our reported financial results or the way we conduct our business.

Table of Contents

We may not be able to secure sufficient additional financing on favorable terms, or at all, to meet our future capital needs.

We also may decide to engage in equity or debt financings or enter into credit facilities for other reasons. We may not be able to secure additional debt or equity financing in a timely manner, on favorable terms, or at all. Any debt financing we obtain in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and pursue business opportunities, including potential acquisitions.

Legal and Regulatory Risks

Our customers are highly regulated and subject to a number of challenges and risks. Our failure to comply with laws and regulations applicable to us as a technology provider to financial services providers and to enable our customers to comply with the laws and regulations applicable to them could adversely affect our business and results of operations, increase costs and impose constraints on the way we conduct our business.

Our customers and prospective customers are highly regulated and may be required to comply with stringent regulations in connection with subscribing to, implementing and using our solutions. As a provider of technology to financial institutions, we are examined on a periodic basis by various regulatory agencies and required to review our third-party suppliers and partners. If deficiencies are identified, customers may choose to terminate or reduce their relationships with us. In particular, as a result of obligations under our customer agreements, we are required to comply with certain provisions of the Gramm-Leach-Bliley Act related to the privacy of consumer information and may be subject to other privacy and data security laws because of the solutions we provide. In addition, numerous regulations have been proposed and are still being written to implement the Dodd-Frank Act, including requirements for enhanced due diligence of the internal systems and processes of companies like ours by their financial institution customers. In 2024, the CFPB issued a rule pursuant to Section 1033 of the Dodd-Frank Act that would require banks and other financial institutions to share certain customer account data securely with consumers and authorized third parties upon consumer request. In general, larger financial institutions are subject to more stringent regulations and as a result, as we sell our solutions to larger financial institutions, we will become obligated to meet more stringent regulatory standards, including more in-depth due diligence. Certain of our solutions are designed to be highly configurable by our customers and their ability to perform as intended can be affected by the manner in which our customers use or configure the solutions. To the extent we do not adequately train our customers to properly use such highly configurable solutions and advise them of the associated risks, or to the extent our customers do not follow our training, our customers may use them incorrectly or in a manner that violates the law or causes harm to our customers or their End Users. Regulatory scrutiny of BaaS solutions has recently increased and may require us to devote significant resources to enhancing relevant policies, procedures and operations related to our Helix solutions, and the failure to satisfy such increased scrutiny may cause regulators to take action against us. Furthermore, regulatory scrutiny of BaaS solutions extends directly to middleware providers, which, in certain circumstances, may result in our customers bearing accountability for our compliance and risk management, including with respect to penalties, fines, and other measures that bank regulatory agencies take in the event of non-compliant activity or risks that are not well controlled. Additionally, regulatory agencies have expressed increased interest in the use of automated and data-driven tools in financial services. Changes in supervisory expectations or enforcement approaches related to such tools could require additional compliance investments or operational adjustments and may adversely affect our business. In July 2025, the GENIUS Act, which established a framework for regulating stablecoins, was signed into law and may impact our prospects' and customers' operations. Financial services providers and their solutions are subject to extensive and complex regulations and oversight by federal, state and other regulatory authorities. New regulations or changes to existing regulations may create uncertainty or additional cost for financial services providers as they adjust their operations and compliance efforts.

Table of Contents

As FinTechs and financial institutions face increased regulatory scrutiny, their scrutiny of our services will likely increase and our inability to satisfactorily respond to partner demands could result in those partners moving to different solutions. If we have to make changes to our internal processes and solutions as a result of these regulatory changes, we could be required to invest substantial time and funds and divert time and resources from other corporate purposes to remedy any identified deficiency.

This evolving, complex and often unpredictable regulatory environment could result in our failure to provide regulatory-compliant solutions, which could result in customers' not purchasing our solutions or terminating their agreements with us or the imposition of fines or other liabilities for which we may be responsible. Any failure of our solutions to withstand regulatory scrutiny could reflect badly on our relationship with our regulators and on our overall reputation. In addition, federal, state or foreign agencies may attempt to further regulate our activities in the future. For example, Congress could enact legislation to regulate providers of electronic commerce services as consumer financial services providers or under another regulatory framework. If enacted or deemed applicable to us, such laws, rules or regulations could be imposed on our activities or our business thereby rendering our business or operations more costly, burdensome, less efficient or impossible, any of which could have a material adverse effect on our business, financial condition and operating results.

Increased focus on money movement activities may subject us to additional operational, compliance and reputational risks.

We provide a range of money movement services, including electronic payments, funds transfers and other transaction processing activities, that are subject to extensive and evolving regulatory, supervisory and operational requirements. Regulatory authorities and industry participants have placed increased emphasis on the safety, integrity and oversight of money movement activities, including with respect to fraud prevention, transaction monitoring, consumer protection, operational resilience and third-party dependencies.

Heightened supervisory expectations or enforcement activity in this area may result in additional examinations, information requests or changes in applicable rules, guidance or industry standards. Compliance with evolving requirements may require enhancements to systems, controls, staffing or processes, increase operational complexity or costs, or limit the products or services we are able to offer. Any of the foregoing could adversely affect our business, financial condition or results of operations.

Table of Contents

We are subject to various global data privacy and security regulations, which could result in additional costs and liabilities to us.

Our business is subject to a wide variety of local, state, national and international laws, directives and regulations that apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal data. These data protection and privacy-related laws and regulations continue to evolve and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions and increased costs of compliance. Data privacy, information security, and data protection are significant issues in the U.S. and globally. The regulatory framework governing the collection, processing, storage, use and sharing of certain information, particularly financial and other PII, is rapidly evolving and is likely to continue to be subject to uncertainty and varying interpretations. The occurrence of unanticipated events and development of evolving technologies often rapidly drives the adoption of legislation or regulation affecting the use, collection or other processing of data and the way we conduct our business. In the U.S., these include rules and regulations promulgated under the authority of the Federal Trade Commission, and state breach notification laws. Additionally, a breach of our systems could trigger an SEC-mandated cybersecurity disclosure that requires us to disclose material cybersecurity incidents. Such a disclosure could harm our reputation and business. Other states and countries have enacted different requirements for protecting personal information collected and maintained electronically. We expect that there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection and information security in the U.S., the European Union and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards will have on our business or the businesses of our customers, including, but not limited to, the European Union's GDPR, which came into force in May 2018, the European Union's Digital Operational Resilience Act, or DORA, which was formally adopted November 2022 and the California Consumer Privacy Act, which came into force in January 2020, each of which creates a range of new compliance obligations, which could require us to change our business practices, and significantly increases financial penalties for noncompliance.

Additionally, the Dodd-Frank Act granted the CFPB authority to promulgate rules and interpret certain federal consumer financial protection laws, some of which apply to the solutions we offer. While the CFPB has not disclosed the substance or timing of the anticipated interim final rule, these developments introduce uncertainty regarding the scope, timing, and implementation of the Section 1033 requirements and could affect financial institutions and service providers subject to the rule.

In response to this evolving regulatory landscape, we continuously monitor developments in data privacy, cybersecurity, and information security laws, regulations, and supervisory guidance and seek to integrate applicable changes and emerging standards into the design, development, and ongoing enhancement of our solutions. However, the pace and complexity of regulatory change may require ongoing product modifications and operational adjustments, and we may not be able to anticipate or address all regulatory expectations in a timely or cost-effective manner.

Failure to comply with applicable privacy, data protection or information security laws and requirements, whether due to our own controls, third-party service providers or evolving regulatory expectations, could result in enforcement actions against us, including fines, penalties, remediation obligations, reduced demand for our solutions, imprisonment of company officials and public censure, claims for damages by customers, End Users and other affected individuals, damage to our reputation and loss of goodwill (both in relation to existing customers and End Users and prospective customers and End Users), any of which could materially adversely affect our business, results of operations and financial condition. Compliance with breach notifications and remediation obligations alone could result in substantial costs. In addition, we could suffer adverse publicity and loss of customer confidence were it known that we did not take adequate measures to assure the confidentiality of the personally identifiable information that our customers had given to us. This could result in a loss of customers and revenue that could jeopardize our success. Moreover, even where we believe we are in compliance, we may nevertheless be subject to claims, investigations or enforcement actions due to evolving legal standards, regulatory interpretations or allegations of inadequate safeguards. We may not be successful in avoiding potential liability or disruption of business resulting from the failure to comply with these laws and, even if we comply with laws, may be subject to liability because of a security incident. If we were required to pay any significant amount of money in satisfaction of claims under these laws, or any similar laws enacted by other jurisdictions, or if we were forced to cease our business operations for any length of time because of our inability to comply fully with any of these laws, our business, operating results and financial condition could be adversely affected. Further, complying with the applicable notice requirements in the event of a security and privacy breach could result in significant costs.

Table of Contents

Additionally, our ability to achieve business efficiencies and economies of scale depends in part on offering generally uniform solutions and processes across jurisdictions. However, increasingly fragmented and jurisdiction specific privacy, cybersecurity and data localization requirements impose additional operational complexity, increase costs and heighten the risk of non-compliance.

Our failure to comply with laws and regulations related to the Internet or changes in the Internet infrastructure itself could adversely affect our business and results of operations, increase costs and impose constraints on the way we conduct our business.

The future success of our business depends upon the continued use of the Internet as a primary medium for commerce, including through mobile usage. We and our customers are subject to laws and regulations applicable to doing business over the Internet. Federal, state, or foreign government bodies or agencies have in the past adopted, and may in the future adopt, laws or regulations affecting the use of the Internet as a commercial medium. It is often not clear how existing laws governing issues such as property ownership, sales and other taxes apply to the Internet, as these laws have in some cases failed to keep pace with technological change. Laws governing the Internet could also impact our business or the business of our customers, and changes in these laws or regulations could require us to modify our software in order to comply with these changes. Additionally, if governmental agencies or private organizations began to impose taxes, fees or other charges for accessing the Internet or commerce conducted via Internet, characterize the types and quality of services and products, or restrict the exchange of information over the Internet, we may experience reduced growth of our business, a general decline in the use of the Internet by financial services providers, or their End Users, or diminished viability of our solutions and our customers' ability to use our solutions could be significantly restricted. Changing laws and regulations, industry standards and industry self-regulation regarding the collection, use and disclosure of certain data may have similar effects on our and our customers' businesses. Any such constraint on the growth in Internet usage could decrease its acceptance as a medium of communication and commerce or result in increased adoption of new modes of communication and commerce that may not be supported by our solutions. In addition, the use of the Internet as a business tool could be adversely affected due to delays in the development or adoption of new standards and protocols to handle increased demands of Internet activity, security, reliability, cost, ease of use, accessibility and quality of service. The performance of the Internet and its acceptance as a business tool have been adversely affected by a variety of evolving data security threats and the Internet has experienced a variety of outages and other delays as a result of damage to portions of its infrastructure. If the use of the Internet is adversely affected by these issues, demand for our offerings and related services could suffer.

Legislation relating to consumer privacy may affect our ability to collect data that we use in providing our customers End-User information, which, among other things, could negatively affect our ability to satisfy our customers' needs.

We collect and store personal and identifying information regarding our customers' End Users to enable certain functionality of our solutions and provide our customers with data about their End Users. The enactment of new or amended legislation or industry regulations pertaining to consumer or private sector privacy issues, AI or machine learning could have a material adverse impact on our receipt, collection, storage, processing and transferring of such information. Legislation or industry regulations regarding consumer or private sector privacy issues could place restrictions upon the collection, sharing and use of information that is currently legally available, which could materially increase our cost of collecting some data. These types of legislation or industry regulations could also prohibit us from collecting or disseminating certain types of data, which could adversely affect our ability to meet our customers' requirements and our profitability and cash flow targets. These legislative measures impose strict requirements on reporting time frames for providing notice, as well as the contents of such notices. The costs of compliance combined with the inability to determine whether a data breach has occurred within the time frame provided by, and other burdens imposed by, such laws and regulations may lead to significant fines, penalties or liabilities for any noncompliance with such privacy laws. Even the perception of privacy concerns, whether or not valid, may inhibit market adoption of our solutions.

If the collecting, storing and processing of personal information were to be curtailed, our solutions would be less effective, which may reduce demand for our solutions and adversely affect our business.

Table of Contents

Any use of our solutions by our customers in violation of regulatory requirements could damage our reputation and subject us to additional liability.

If our customers or their End Users use our solutions in violation of regulatory requirements and applicable laws, we could suffer damage to our reputation and could become subject to claims. We rely on contractual obligations made to us by our customers that their use and their End Users' use of our solutions will comply with applicable laws. However, we do not audit our customers or their End Users to confirm compliance. We may become subject to or involved with claims for violations by our customers or their End Users of applicable laws in connection with their use of our solutions. Even if claims asserted against us do not result in liability, we may incur costs in investigating and defending against such claims. If we are found liable in connection with our customers' or their End Users' activities, we could incur liabilities and be required to redesign our solutions or otherwise expend resources to remedy any damages caused by such actions and to avoid future liability.

Any future litigation against us could be costly and time-consuming to defend.

We may become subject, from time to time, to legal proceedings and claims that arise in the ordinary course of business such as claims brought by our customers in connection with commercial or intellectual property disputes, employment claims made by our current or former employees, whistleblower claims or commercial or intellectual property claims by our suppliers or service providers. Litigation might result in substantial costs and may divert management's attention and resources, which might seriously harm our business, our overall financial condition and our operating results. Insurance may not cover such claims, provide sufficient payments to cover all the costs to resolve one or more such claims or continue to be available on terms acceptable to us.

Our industry is characterized by the existence of a large number of patents, copyrights, trademarks, trade secrets and other intellectual property and proprietary rights as well as a high number of allegations and disputes related to these rights. Our competitors and the competitors of our customers, as well as a number of other entities and individuals (both operating and non-operating), own or claim to own intellectual property relating to our industry. As a result, we periodically are subject to allegations and involved in disputes, either directly or on behalf of our customers, that our solutions and the underlying technology infringe the patent and other intellectual property rights of third parties. The defense against these allegations and disputes and, if unsuccessful, their resolution could result in our having to pay damages and negatively impact our ability to continue to sell and provide all or a portion of our solutions or certain third-party solutions, any of which could materially harm our reputation, business results and financial condition. Insurance may not cover such claims, provide sufficient payments to cover all the costs to resolve one or more such claims or continue to be available on terms acceptable to us. Successful outcomes in these disputes depend upon our ability to demonstrate that our solutions do not infringe upon the intellectual property rights of others. We have a very limited patent portfolio, which will likely prevent us from deterring patent infringement claims, and our competitors and others may now and in the future have significantly larger or more relevant patent portfolios than we have.

Our customer agreements typically require us to indemnify our customers in connection with claims alleging our solutions or the underlying technologies infringe the patent or other intellectual property rights of third parties. Our customers regularly receive allegations from third parties or are involved in these disputes with third parties, and we may be required to indemnify them in connection with these matters. We have in the past been involved in these types of disputes, and given the high level of this activity in our industry, we expect these types of disputes to continue to arise in the future. If we are unsuccessful in defending claims for which we are required to provide indemnity, our business and operating results could be adversely affected. Any significant disputes among us and our customers as to the applicability of our indemnity obligations could negatively impact our reputation and customer relations, affect our ability to sell our solutions and harm our operating results. Further, there can be no assurances that any provisions in our contracts that purport to limit our liability would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim.

In certain instances, we license technologies from third parties for use directly or indirectly in our solutions or for resale with our solutions. Our contracts with these third parties may include provisions that require the third party to indemnify us in the event of any claim or dispute that the third party's technologies infringe upon the patent or other intellectual property rights of others.

Table of Contents

The risk of patent litigation exists with operating entities but also has been amplified by the increase in the number of non-practicing patent asserting entities, or "patent trolls." Any claims or litigation, whether by operating entities or "patent trolls," could cause us to incur significant expenses and, if successfully asserted against us or our customers whom we indemnify, could require that we pay substantial damages or ongoing royalty payments, prevent us from offering our solutions or require that we comply with other unfavorable terms. Even if the claims do not result in litigation or are resolved in our favor, these claims and the time and resources necessary to resolve them, could divert the resources of our management and harm our business and operating results.

If we are unable to protect our intellectual property, our business could be adversely affected.

Our success depends upon our ability to protect our intellectual property, which may require us to incur significant costs. We have developed much of our intellectual property internally, and we rely on a combination of confidentiality obligations in contracts, patents, copyrights, trademarks, service marks, trade secret laws and other contractual restrictions to establish and protect our intellectual property and other proprietary rights. In particular, we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have business relationships in which they will have access to our confidential information. We also rely upon licenses to intellectual property from third parties. No assurance can be given that these agreements or other steps we take to protect our intellectual property or the third-party intellectual property used in our solutions will be effective in controlling access to and distribution of our solutions and our confidential and proprietary information. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized uses of our intellectual property.

Third parties also may independently develop technologies that are substantially equivalent to our solutions. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our solutions may be unenforceable under the laws of certain jurisdictions.

Our employees may use certain technological tools and infrastructure that allow us to enhance productivity, such as AI-enhanced chat bot functionality, which can generate code or other content. If we cannot develop or maintain effective policies and controls around the use of AI, or if resulting code or content inadvertently contains malicious or vulnerable data or code, open-source code, infringes upon third-party intellectual property rights or is encumbered by third-party rights, our business and reputation could be harmed.

In some cases, litigation may be necessary to enforce our intellectual property rights or to protect our trade secrets. Litigation could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights and exposing us to significant damages or injunctions. Our inability to protect our intellectual property against unauthorized copying or use, as well as any costly litigation or diversion of our management's attention and resources, could delay sales or the implementation of our solutions, impair the functionality of our solutions, delay introductions of new solutions, result in our substituting less-advanced or more-costly technologies into our solutions or harm our reputation.

As of December 31, 2025, we had seven patent applications pending and 17 patents issued in the U.S. and other countries. We do not know whether our pending patent applications will result in the issuance of patents or whether the examination process will require us to narrow the scope of our claims. To the extent that our pending patent applications or any portion of such applications proceed to issuance as a patent, any such future patent may be opposed, contested, circumvented, designed around by a third party or found to be invalid or unenforceable. In addition, our existing and any future issued patents may be opposed, contested, circumvented, designed around by a third party or found to be invalid or unenforceable. The process of seeking patent protection can be lengthy and expensive. We rely on a combination of patent, copyright, trade secret, trademark and other intellectual property laws to protect our intellectual property, and much of our technology is not covered by any patent or patent application.

Table of Contents

We use "open-source" software in our solutions, which may restrict how we use or distribute our solutions, require that we release the source code of certain software subject to open-source licenses or subject us to litigation or other actions that could adversely affect our business.

We currently, and may in the future, use in our solutions software that is licensed under "open-source," "free" or other similar licenses where the licensed software is made available to the general public on an "as-is" basis under the terms of a specific non-negotiable license. Some open-source software licenses require that software subject to the license be made available to the public and that any modifications or derivative works based on the open-source code be licensed in source code form under the same open-source licenses. Although we monitor our use of open-source software, there can be no assurance that all open-source software is reviewed prior to use in our solutions, that our programmers have not incorporated open-source software into our solutions, or that they will not do so in the future. In addition, some of our products may incorporate third-party software under commercial licenses. We cannot be certain whether such third-party software incorporates open-source software without our knowledge. In the past, companies that incorporate open-source software into their products have faced claims alleging noncompliance with open-source license terms or infringement or misappropriation of proprietary software. Therefore, we could be subject to suits by parties claiming noncompliance with open-source licensing terms or infringement or misappropriation of proprietary software. Because few courts have interpreted open-source licenses, the manner in which these licenses may be interpreted and enforced is subject to some uncertainty. There is a risk that open-source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to market or provide our solutions. As a result of using open-source software subject to such licenses, we could be required to release our proprietary source code, pay damages, re-engineer our products, limit or discontinue sales or take other remedial action, any of which could adversely affect our business.

Our business activities related to ESG matters may involve certain risks and considerations.

We strive to conduct our business in a responsible and sustainable manner, considering ESG factors in our decision-making processes. We are committed to sustainable business practices and strive for positive impacts in not just environmental matters, but also social and governance practices. We disclose our goals, accomplishments, and targets related to these matters on our website and through various public communications. While we are dedicated to these objectives, they are aspirational in nature and not guarantees of future performance or results. In addition, as anti-ESG sentiment has gained momentum in the U.S. in recent years, we may also face scrutiny, reputational risk, lawsuits, market access restrictions or governmental enforcement actions or penalties as a result of our ESG programs and commitments.

Our commitment to ESG objectives exposes us to various risks, many of which are beyond our control. Achieving our ESG goals depends on factors such as market conditions, resource availability, evolving regulations, supplier capabilities, stakeholder expectations, and our ability to attract and retain diverse talent. Regulatory requirements are continuously changing and compliance may require significant resources, potentially leading to revisions in our ESG goals and disclosures.

Additionally, ESG reporting standards are still evolving, which may result in inconsistent or non-comparable data over time or across industry peers. We may also rely on third-party data for ESG metrics, and inaccuracies could harm our reputation and financial performance. Failure or perceived failure to meet, track, or report ESG objectives could negatively impact our brand, investor confidence, employee retention, business relationships, and may increase regulatory scrutiny, compliance costs, and litigation risk.

Risks Related to Ownership of Our Common Stock

We incur significant expenses and administrative burdens as a public company, which could have a material adverse effect on our operations and financial results.

Compliance with rules and regulations applicable to public companies may increase our costs, make some activities more time-consuming, and divert management's attention from operational and other business matters to devote substantial time to these public company requirements.

Table of Contents

Ensuring that we have adequate internal financial and accounting controls and procedures in place so that we can produce accurate financial statements on a timely basis is a costly and time-consuming effort that needs to be re-evaluated frequently. Our internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and preparation of financial statements in accordance with U.S. generally accepted accounting principles, or GAAP. While we have documented and assessed our internal controls, we continue to evaluate opportunities to further strengthen the effectiveness and efficiency of our internal controls and procedures for compliance with Section 404 of the Sarbanes-Oxley Act, which requires annual management assessment and annual independent registered public accounting firm attestation reports of the effectiveness of our internal control over financial reporting. If we make additional acquisitions, we will need to similarly assess and ensure the adequacy of the internal financial and accounting controls and procedures of such acquisitions. If we fail to maintain proper and effective internal controls, including with respect to acquired businesses, our ability to produce accurate and timely financial statements could be impaired, which could harm our operating results, harm our ability to operate our business and reduce the trading price of our common stock.

In addition, changing laws, regulations and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs and making some activities more time consuming. These laws, regulations and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This situation could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We may be required to invest additional resources to comply with evolving laws, regulations and standards. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to their application and practice, regulatory authorities may initiate investigations, inquiries, administrative proceedings or legal proceedings against us and our business may be adversely affected.

If securities or industry analysts publish unfavorable or misleading research about our business, or cease coverage of our company, our stock price and trading volume could decline.

The trading market for our common stock is influenced in part by the research and reports that securities or industry analysts publish about us or our business. If one or more of the securities or industry analysts who covers us downgrades our stock or publishes unfavorable or misleading research about our business, our stock price would likely decline. If one or more of these analysts ceases coverage of our company or fails to publish reports on us regularly, we could lose visibility in the market for our stock, and demand for our stock could decrease, which could cause our stock price or trading volume to decline.

Our stock price has been and may continue to be highly volatile.

The trading price of our common stock has been and may continue to be highly volatile and could be subject to wide fluctuations in response to various factors, including the risk factors described in this report, and other factors beyond our control. Additional factors affecting the trading price of our common stock include, among others:

•variations in our operating results or the operating results of similar companies;

•announcements of technological innovations, new solutions or enhancements or strategic partnerships or agreements by us or by our competitors;

•changes in the estimates of our operating results, our financial guidance or changes in recommendations by any of the securities analysts that follow our common stock;

•the gain or loss of customers, particularly our larger customers;

•the utilization of our share repurchase program;

•adoption or modification of regulations, policies, procedures or programs applicable to our business and our customers' business;

•uncertainties in the financial services industries;

•public disclosures or marketing and advertising initiatives by us or our competitors;

Table of Contents

•concerns related to actual or perceived security breaches, outages or other defects related to our solutions;

•threatened or actual litigation;

•changes in our senior management or key personnel; and

•the occurrence of any adverse events or circumstances described in these risk factors.

In addition, the stock market in general and the market for technology companies in particular have experienced extreme price and volume fluctuations that have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry factors may harm the market price of our common stock regardless of our actual operating performance. Each of these factors, among others, could adversely affect an investment in our common stock. Some companies that have had volatile market prices for their securities have had securities class action lawsuits filed against them. If a suit were filed against us, regardless of its merits or outcome, it could result in substantial costs and divert management's attention.

We currently do not intend to pay dividends on our common stock, and, consequently, the only opportunity to achieve a return on investment is if the price of our common stock appreciates.

We have never declared nor paid cash dividends on our capital stock. We currently do not plan to declare dividends on shares of our common stock in the foreseeable future. Any payment of future dividends will be at the discretion of our board of directors and will depend on our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors may deem relevant. Consequently, the only opportunity to achieve a return on investment in our company will be if the market price of our common stock appreciates and shares are sold at a profit. There is no guarantee that the price of our common stock that will prevail in the market will ever exceed the price that is paid for our common stock.

Anti-takeover provisions in our charter documents and Delaware law could discourage, delay or prevent a change in control of our company and may affect the trading price of our common stock.

We are a Delaware corporation and the anti-takeover provisions of the Delaware General Corporation Law, which apply to us, may discourage, delay or prevent a change in control by prohibiting us from engaging in a business combination with an interested stockholder for a period of three years after the stockholder becomes an interested stockholder, even if a change in control would be beneficial to our existing stockholders. In addition, our amended and restated certificate of incorporation and amended and restated bylaws may discourage, delay or prevent a change in our management or control over us that stockholders may consider favorable. Our certificate of incorporation and bylaws:

•authorize the issuance of "blank check" preferred stock that could be issued by our board of directors to help defend against a takeover attempt;

•require that directors only be removed from office for cause and only upon a supermajority stockholder vote;

•provide that vacancies on the board of directors, including newly created directorships, may be filled only by a majority vote of directors then in office rather than by stockholders;

•prevent stockholders from calling special meetings;

•include advance notice procedures for stockholders to nominate candidates for election as directors or bring matters before an annual meeting of stockholders;

•prohibit stockholder action by written consent, requiring all actions to be taken at a meeting of the stockholders; and

•provide that certain litigation against us can only be brought in Delaware.

Table of Contents

We may not be able to obtain capital when desired on favorable terms, if at all, and we may not be able to obtain capital or complete acquisitions through the use of equity or without dilution to our stockholders.

If we raise additional funds through the issuance of equity or convertible debt securities, the percentage ownership of our stockholders could be significantly diluted, and newly issued securities may have rights, preferences or privileges senior to those of existing stockholders. If we accumulate additional funds through debt financing, a substantial portion of our operating cash flow may be dedicated to the payment of principal and interest on such indebtedness, thus limiting funds available for our business activities. If adequate funds are not available or are not available on acceptable terms, when we desire them, our ability to fund our operations, take advantage of unanticipated opportunities, develop or enhance our products and services, or otherwise respond to competitive pressures would be significantly limited. Any of these factors could harm our results of operations and negatively impact the trading price of our common stock.

Risks Related to Our Debt

We incurred indebtedness by issuing our 2026 Notes in 2019, we may borrow under our Revolving Credit Agreement and our debt repayment obligations may adversely affect our financial condition and cash flows from operations in the future.

We may not have enough available cash on hand or be able to obtain financing at the time we are required to make the repurchases of the convertible notes surrendered therefor, or at the time the convertible notes are being converted, to settle such repurchase or conversion. Our failure to repurchase the convertible notes at a time when the repurchase is required by the indenture, or to pay any cash payable on future conversions of the convertible notes as required by the indenture, would constitute a default under such indenture. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the notes or make cash payments upon conversions thereof. Any such acceleration could result in our bankruptcy, in which the holders of our convertible notes would have a claim to our assets that is senior to the claims of our equity holders.

Table of Contents

We entered into a five-year secured revolving credit agreement with Wells Fargo Bank, National Association, Wells Fargo Securities, LLC and Texas Capital Bank on July 29, 2024, the Revolving Credit Agreement, which provides for a $125.0 million revolving line of credit, none of which was drawn as of December 31, 2025. The Revolving Credit Agreement contains customary representations, warranties, affirmative and negative covenants, including covenants which restrict our ability, or any of our subsidiaries to, among other things, create liens, incur additional indebtedness and engage in certain other transactions, in each case subject to certain exclusions. In addition, the Revolving Credit Agreement contains certain financial covenants which become effective in the event our liquidity (as defined in the Revolving Credit Agreement) falls below specified levels. The Revolving Credit Agreement contains customary events of default relating to, among other things, payment defaults, breach of covenants, cross-default acceleration to material indebtedness, bankruptcy-related defaults, judgment defaults, and the occurrence of certain change of control events. Borrowings under the Revolving Credit Agreement are secured by our assets and those of Q2 Software, Inc., our wholly owned subsidiary, which has guaranteed all obligations under the Revolving Credit Agreement.

Our indebtedness could have important consequences because it may impair our ability to obtain additional financing in the future for working capital, capital expenditures, repurchases of our common stock under our Repurchase Program, acquisitions and general corporate or other purposes, or otherwise constrain the operation of our business. Our ability to meet our debt obligations will depend on our future performance, which will be affected by financial, business, economic, regulatory and other factors, many of which are not under our control. If we fail to comply with any covenants contained in the agreements governing any of the debt or fail to make a payment on our debt when due, we could be in default on such debt. If we are at any time unable to pay our indebtedness when due, we may be required to renegotiate the terms of the indebtedness, seek to refinance all or a portion of the indebtedness or obtain additional financing. There can be no assurance that, in the future, we will be able to successfully renegotiate such terms, that any such refinancing would be possible or that any additional financing could be obtained on terms that are favorable or acceptable to us.

Conversion of the convertible notes could dilute the ownership interest of our existing stockholders or may otherwise depress the price of our common stock.

The conversion of some or all of our convertible notes could dilute the ownership interests of existing stockholders. Any sales in the public market of our common stock issuable upon such conversion of our convertible notes could adversely affect prevailing market prices of our common stock. In addition, the existence of the convertible notes may encourage short selling by market participants because the conversion of the notes could be used to satisfy short positions, or anticipated conversion of the convertible notes into shares of our common stock could depress the price of our common stock.

The Capped Calls cover, subject to customary adjustments, the number of shares of our common stock initially underlying the 2026 Notes. In connection with establishing their initial hedges of the Capped Calls, the counterparties or their respective affiliates purchased shares of our common stock or entered into various derivative transactions with respect to our common stock concurrently with or shortly after the pricing of the 2026 Notes. This activity could also cause or avoid an increase or a decrease in the market price of our common stock.

Table of Contents

We are subject to counterparty risk with respect to the Capped Calls, and they may not operate as planned.

Our exposure to the credit risk of these counterparties will not be secured by any collateral. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at that time under our transactions with that option counterparty. Our exposure will depend on many factors, but, generally, the increase in our exposure will be correlated with increases in the market price or the volatility of our common stock. In addition, upon a default by an option counterparty, we may suffer more dilution than we currently anticipate with respect to our common stock underlying the convertible notes. We can provide no assurances as to the financial stability or viability of any option counterparty.

For example, the terms of each may be subject to adjustment, modification or, in some cases, renegotiation if certain corporate events or other transactions occur.

A takeover of us may trigger the requirement that we repurchase our convertible notes, and/or increase the conversion rate, which could make it more costly for a potential acquirer to engage in such takeover. Such additional costs may have the effect of delaying or preventing a takeover of us that would otherwise be beneficial to investors in our common stock.

If we elect to or would be required to settle a portion or all of our conversion obligation in cash, it could adversely affect our liquidity, either of which may negatively impact the trading price of our common stock.

Item 1B. Unresolved Staff Comments.

Not applicable.

Table of Contents

Item 1C. Cybersecurity

As a provider of SaaS solutions and an extensive user of a variety of technology services, we are subject to numerous risks from cybersecurity threats that have and could adversely affect us; however, to date none have materially affected us or our business strategy, results of operation or financial condition. Cybersecurity threats are ever-present and continuously evolving and we have and will continue to expend considerable resources to deliver solutions that are designed to comply with the stringent security and technical regulations and practices applicable to financial institutions and financial services providers and to safeguard our solutions and information systems against cybersecurity threats. For more information regarding the risks we face from cybersecurity threats, please see "Item 1A. Risk Factors." We have implemented a risk-based approach to identify and assess the cybersecurity threats that have and could affect our business and information systems, and this approach is incorporated into our overall enterprise risk management program. Our enterprise risk management program includes a formal, enterprise-wide inventory, categorization and assessment of risks, including risks associated with cybersecurity threats, overseen by the Risk and Compliance Committee, or RACC, of our Board of Directors. This program is managed by our Chief Risk Officer, or CRO, appointed by the RACC, and an Enterprise Risk Oversight Committee consisting of a cross-functional representation of senior leaders including our Chief Information Security Officer, or CISO. Our CRO has over ten years of senior risk management experience at large technology organizations, following a 20-year career in the U.S. Army. Our enterprise risk management team works in partnership with our security, information technology, compliance, internal audit, and third-party risk management functions, which collectively rely on a variety of internal resources and processes, as well as third-party consultants, auditors and applications, to identify, assess and manage cybersecurity risks, including cybersecurity threats related to third-party providers on which we rely. Our enterprise risk management function also extensively consults with senior management across our organization in identifying, assessing and managing risks.

Our information security program is managed by a CISO, whose team is responsible for leading our enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. Our CISO has more than 20 years of experience directing disparate teams across application and product security, cyber defense, risk management, information governance, information technology compliance, information technology training and sales. Our CISO is appointed by the RACC, which also oversees the implementation, monitoring and testing of our information security program. Our CISO and CRO provide periodic reports to the RACC, at least quarterly. These reports include updates on the Company's cybersecurity risks and threats, the status of projects to strengthen our information security posture, assessments of the information security program, and the emerging threat landscape. Our CISO and CRO also regularly meet separately with the chair of the RACC to provide similar updates. Our information security program includes incident response procedures designed to facilitate escalation of actual or potential cybersecurity incidents initially to members of our security team, and as appropriate to senior management and the RACC, to allow proper consideration, mitigation and remediation of, as well as evaluation of potential disclosure obligations with respect to, actual or potential cybersecurity incidents. Our information security program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management and the RACC. We also actively engage with key vendors, industry participants and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security program.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
EPRT	2 hours ago
APH	2 hours ago
VKTX	2 hours ago
RCL	2 hours ago
AUR	2 hours ago
QTWO	2 hours ago
AMCX	2 hours ago
FR	2 hours ago
GLIBA	2 hours ago
ALB	2 hours ago
RNR	2 hours ago
WPC	2 hours ago
R	3 hours ago
CFLT	3 hours ago
HUBS	3 hours ago
WHR	3 hours ago
AR	3 hours ago
EGP	3 hours ago
AM	3 hours ago
MGM	3 hours ago
RFAI	3 hours ago
EQIX	3 hours ago
RBLX	3 hours ago
CRBG	3 hours ago
TFIN	3 hours ago
STAG	3 hours ago
SITM	3 hours ago
DVA	3 hours ago
JNJ	3 hours ago
KMPR	3 hours ago
TMUS	3 hours ago
NBIX	3 hours ago
HXL	4 hours ago
NVR	4 hours ago
TXT	5 hours ago
BWA	6 hours ago
BKH	6 hours ago
ACBM	6 hours ago
SYK	7 hours ago
BMY	8 hours ago
MA	8 hours ago
HLT	9 hours ago
RPRX	10 hours ago
NNN	11 hours ago
NVCT	11 hours ago
AVTR	12 hours ago
LEU	12 hours ago
FNMA	12 hours ago
U	12 hours ago
SHOP	12 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - QTWO

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - QTWO

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing