Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - SAIL

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

ITEM 1A. RISK FACTORS

The nature of the business activities conducted by the Company subjects it to certain hazards and risks. A description of some of the material risk factors that make an investment in the Company speculative or risky is set forth below. Such description reflects the Company's beliefs and opinions as to factors that could materially harm the Company's business, financial condition, or results of operations and impair the Company's ability to implement business plans. References to past events are provided by way of example only and are not intended to be a complete listing or a representation as to whether or not such factors have occurred in the past or their likelihood of occurring in the future. In addition, other risks are described in Part I, Item 1. “Business—Competition,” Part II, Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations.—Liquidity and Capital Resources” and Part II, Item 7A. “Quantitative and Qualitative Disclosures About Market Risk.” These risks and those described below are not the only risks facing the Company. The Company’s business could also be affected by additional risks and uncertainties not currently known to the Company or that it currently deems to be immaterial.

Risks Related to Our Business and Industry

We have experienced rapid growth in recent periods, and our recent growth rates may not be indicative of our future growth.

Our revenue grew from $699.6 million to $1.1 billion from the fiscal year ended January 31, 2024 to the fiscal year ended January 31, 2026. Our revenue growth may not continue at a level

Table of Contents

consistent with historical performance. We believe our revenue growth depends on a number of factors, including, but not limited to:

•our ability to attract new customers and retain and increase sales to existing customers;

•our ability to, and the ability of our channel partners to, successfully deploy and implement our solutions, increase our existing customers’ use of our solutions, and provide our customers with excellent customer support;

•our ability to hire and retain substantial numbers of marketing, research and development, and general and administrative personnel and expand our global operations;

•our ability to develop our existing solutions and introduce new solutions; and

•our ability to increase the number of our partners.

It is important to our continued growth that our customers renew their arrangements when existing contract terms expire. For Identity Security Cloud, our SaaS-based cloud solution, and IdentityIQ, our customer-hosted solution, our customers typically enter into three-year contracts with annual billing upfront. Our customer retention and expansion are difficult to accurately predict and may decline or fluctuate as a result of a number of factors.

Additionally, if the incidence of cyber attacks were to decline, or enterprises or governments perceive that the general level of cyber attacks has declined, our ability to attract new customers could be adversely affected. We may face additional difficulties in attracting organizations that use legacy products to purchase our solutions if they believe that these legacy products are more cost-effective or provide a level of security that is sufficient to meet their needs. Furthermore, the use of our solutions to manage identities and access is relatively new, and if we are unable to convince organizations of the benefits of our solutions, then we may be unable to acquire new customers or keep existing customers.

If the market for identity security solutions does not grow, our ability to grow our business and our results of operations may be adversely affected.

Table of Contents

We believe our future success will depend in large part on the growth, if any, in the market for identity security solutions. The market for identity security solutions, including our platform and identity security solutions, is rapidly evolving. Rapid advancement in AI technologies and capabilities further add to this state of evolution. As such, it is difficult to predict this market’s potential growth, if any, customer adoption and retention rates, customer demand for identity security platforms, or the success of competitive products. The markets for some of our solutions are new, unproven, and evolving, and our future success depends on growth and expansion of these markets. If our platform and identity security solutions do not achieve widespread adoption or there is a reduction in demand for our platform and identity security solutions due to a lack of customer acceptance, technological challenges, competing products or solutions, privacy concerns, decreases in corporate spending, weakening economic conditions or otherwise, it could result in early terminations, reduced customer retention rates, or decreased revenue, any of which would adversely affect our business, financial condition, and results of operations.

We derive a significant portion of our revenue from sales influenced by, or made through, our channel partner network and expect these sales to continue to grow for the foreseeable future. Our channel partners provide implementation and other services to our customers in exchange for fees paid by those customers. We may not achieve anticipated revenue growth from our channel partners if we are unable to retain our existing channel partners and expand their sales or add additional motivated channel partners.

Our quarterly revenue and operating results tend to fluctuate from period-to-period, and we believe that our quarterly results may vary significantly in the future. Consequently, you should not rely on the results of any one quarter as an indication of future performance. Period-to-period comparisons of our revenue and operating results may not be meaningful and, as a result, may not fully reflect the underlying performance of our business.

Our quarterly operating results may fluctuate as a result of a variety of factors, including, but not limited to, those listed below, many of which are outside of our control:

•the mix of revenue and associated costs attributable to subscription and professional services, which may impact our gross margins and operating income;

•the mix of revenue attributable to larger transactions as opposed to smaller transactions and the associated volatility and timing of our transactions;

•the mix of SaaS subscriptions compared to term subscriptions, which affects how we recognize revenue and may result in a decrease in gross margins as well as impact the results of our operations;

Table of Contents

•the loss or deterioration of our channel partner and other relationships influencing our sales execution;

•the growth in the market for our solutions;

•our ability to attract new customers and retain and increase sales to existing customers;

•changes in customers’ budgets and in the timing of their purchasing decisions, including seasonal buying patterns for IT spending;

•the timing and success of new product introductions by our competitors and by us;

•changes in our pricing policies or those of our competitors;

•significant security breaches of, technical difficulties with, or interruptions to the delivery and use of our platform;

•changes in the legislative or regulatory environment;

•foreign exchange gains and losses related to expenses and sales (including operating metrics such as ARR) denominated in currencies other than the U.S. dollar or the functional currencies of our subsidiaries;

•increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;

•costs related to the acquisition of businesses, talent, technologies, or intellectual property, including potentially significant amortization costs and possible write-downs;

•our ability to control costs, including our operating expenses;

•the collectability of receivables from customers and channel partners, which may be hindered or delayed if these customers or channel partners experience financial distress;

•economic conditions specifically affecting industries in which our customers participate;

•natural disasters or other catastrophic events; and

•litigation-related costs, settlements, or adverse litigation judgments.

We and our channel partners are often required to spend significant time and resources to better educate and familiarize potential customers with the value proposition of our platform and solutions. Customers often view the purchase of our solutions as a strategic decision and significant investment and, as a result, frequently require considerable time to evaluate, test, and qualify our platform and solutions prior to purchasing our solutions. During the sales cycle, we expend significant time and money on sales and marketing and contract negotiation activities, which ultimately may not result in a sale. Additional factors that may influence the length and variability of our sales cycle include:

•the discretionary nature of purchasing and budget cycles and decisions;

•lengthy purchasing approval processes;

•the evaluation of competing products during the purchasing process;

•time, complexity, and expense involved in replacing existing solutions;

•announcements or planned introductions of new products, features, or functionality by our competitors or of new solutions or modules by us;

Table of Contents

•the practice of large enterprises often driving their purchasing cycles based on internal factors rather than marketing cycles; and

•evolving functionality demands.

In recent years, we have transitioned our business to a subscription model.

We recognize most of our revenue ratably over the terms of our agreements with customers. As a result, a portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. This decline, however, will negatively affect our revenue in future periods.

We expect to continue to invest in research and development, sales and marketing, general and administrative functions, and other areas to grow our business. We are likely to recognize the costs associated with these investments earlier than some of the anticipated benefits, and the return on these investments may develop more slowly, or may be lower, than we expect, which could adversely affect our operating results.

We expect our revenue mix and certain business factors to impact the amount of revenue recognized period to period, which could make period-to-period revenue comparisons not meaningful and difficult to predict.

Our subscription revenue includes revenue from sales of SaaS subscriptions, which is recognized ratably over the contract period, and revenue from sales of term subscriptions, a majority of which is recognized upfront when we transfer control of the license to the customer. Due to the proportion of our contracts trending from term subscriptions and maintenance to SaaS subscriptions, our revenue may fluctuate and period-to-period revenue comparisons may not be meaningful, and our past results may not be indicative of future performance. We cannot be certain how long these factors may persist. These factors make it challenging to forecast our revenue as the mix of solutions and services, as well as the size of contracts, are difficult to predict.

The market for identity security solutions is intensely competitive and is characterized by constant change and innovation. For example, our competitors include large public companies, such as IBM, Microsoft, and Oracle that offer identity solutions within their product portfolios, and identity centric solution providers, including Palo Alto Networks (CyberArk), Okta, and One Identity.

Potential customers may also prefer to purchase, or incrementally add solutions, from their existing suppliers rather than a new or additional supplier regardless of product performance or features.

Table of Contents

In addition, merger and acquisition transactions in the technology industry continue to occur, particularly transactions involving cloud-based technologies. Accordingly, there is a greater likelihood that we will compete with other large technology companies in the future. Some of our competitors have made acquisitions or entered into strategic relationships to offer a more comprehensive product than they individually had offered. Companies and alliances resulting from these possible consolidations and partnerships may create more compelling product offerings and be able to offer more attractive pricing, making it more difficult for us to compete effectively. In addition, continued industry consolidation may adversely impact customers’ perceptions of the viability of small and medium-sized technology companies and consequently their willingness to purchase from those companies.

New start-up companies that innovate and competitors that are making significant investments in research and development may invent similar or superior products and technologies that compete with our solutions, including technologies that heavily utilize AI and agentic AI, and our business could be materially and adversely affected if such technologies or products are widely adopted. Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering by our competitors, or continuing market consolidation. The development process for competitive offerings that leverage AI and agentic AI technologies in particular may be more condensed than ours, accelerating the time that it takes for such offerings to become available in the market to compete with existing offerings. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue, and gross margins, increased net losses, and loss of market share. Any failure to meet and address these factors would adversely affect our business, financial condition, and operating results.

We increased the number of our employees from 2,379 at January 31, 2024 to 3,229 at January 31, 2026 and the number of countries in which we have employees from 22 at January 31, 2024 to 24 at January 31, 2026. We have also experienced growth in the number of our customers from over 2,760 at January 31, 2024 to approximately 3,235 at January 31, 2026. We expect this growth to continue and for our operations to become increasingly complex. To effectively manage this growth, we have made, and plan to continue to make, substantial investments to improve our operational, financial, and management controls, as well as our reporting systems and procedures. Our success will depend in part on our ability to manage this complexity effectively without undermining our corporate culture, which we believe has been central to our success. If we are unable to manage this complexity, our business, operations, operating results, and financial condition may suffer.

We also will need to effectively manage our direct and indirect sales processes as the number and type of our sales personnel and partner network continues to grow and become more complex and as we continue to expand into new geographies and vertical markets. This complexity is further driven by the various ways in which we sell our solutions, including on a per identity and per module basis through SaaS and other subscription offerings. If we do not effectively manage the increasing complexity of our business and operations, the quality of our solutions and customer service could suffer, and we may not be able to adequately address competitive challenges. These factors could impair our ability, and our channel partners’ ability, to attract new customers, retain existing customers, expand our customers’ use of existing solutions and adoption of more of our products, and continue to provide high levels of customer service, all of which would adversely affect our reputation, overall business, operations, operating results, and financial condition.

Seasonality may cause fluctuations in our sales, results of operations, and remaining performance obligations.

Historically, we have experienced seasonality in remaining performance obligations (“RPO”) and customer sales, as we typically sell a higher percentage of our solutions to new customers and renewal subscriptions with existing customers in the fourth quarter of our fiscal year. We believe that this results from the procurement, budgeting, and deployment cycles of many of our customers, particularly our enterprise customers. We expect that this seasonality will continue to affect our sales, RPO, and results of operations in the future and might become more pronounced as we continue to target larger enterprise customers.

Table of Contents

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), and the rules and regulations of the applicable listing standards of the Nasdaq Global Select Market (“Nasdaq"). The requirements of these rules and regulations have increased our legal, accounting, and financial compliance costs, could make some activities more difficult, time-consuming, and costly, and could place significant strain on our personnel, systems, and resources. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended, and anticipate that we will continue to expend, significant resources, including accounting- and technology-related costs and significant management oversight.

Our internal resources and personnel may in the future be insufficient to avoid accounting errors, and there can be no assurance that we will not have material weaknesses in the future. Any failure to implement and maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we will eventually be required to include in our periodic reports that will be filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on Nasdaq.

Any failure to maintain effective disclosure controls and internal control over financial reporting could have an adverse effect on our business and operating results and could cause a decline in the price of our common stock.

We believe that maintaining and enhancing our reputation as a leader and innovator in the market for identity security solutions is critical to our relationship with our existing customers and our ability to attract new customers. As our platform, product portfolio, and target markets continue to expand, we may face increased challenges in maintaining clear, consistent, and effective messaging regarding our value proposition, differentiation, and brand positioning. Our brand promotion activities may not be successful or yield increased revenue. Changes in digital marketing ecosystems, search engine algorithms, social media platforms, and AI-driven discovery tools or answer engines may also reduce the visibility, reach, or effectiveness of our content and brand messaging, which could adversely affect our ability to generate awareness, demand, and customer trust.

In addition, independent industry analysts often provide reports on our solutions, as well as those of our competitors, and perception of our solutions in the marketplace may be significantly influenced by these reports. Our reputation may also be harmed by negative publicity, unfavorable social media commentary, misinformation, or other third-party statements, whether or not accurate, which can spread rapidly and be difficult to counteract. Additionally, the performance of our channel partners may affect our brand and reputation if customers do not have a positive experience with our solutions as implemented by our channel partners or with the implementation generally. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new geographies and vertical markets, and as more sales are generated through our channel partners. To the extent that these activities yield increased revenue, this revenue may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand and reputation, our business and operating results may be adversely affected.

Sales to enterprise customers involve risks that may not be present or that are present to a lesser extent with respect to sales to smaller organizations.

We target our sales to enterprise customers and large organizations, which involves risks that may not be present or that are present to a lesser extent with sales to smaller customers, including the commercial customer segment. These risks include longer sales cycles and negotiations, more complex customer requirements (including audit and other requirements driven by such customers’ regulatory and industry contexts), substantial upfront sales costs, and less predictability in

Table of Contents

completing some of our sales. For example, enterprise customers may require considerable time to evaluate and test our platform and solutions and those of our competitors prior to making a purchase decision and placing an order or may need specialized security features to meet regulatory requirements. A number of factors influence the length and variability of our sales cycle, including the need to educate potential customers about the uses and benefits of our platform and solutions, the discretionary nature of purchasing and budget cycles, the macroeconomic uncertainty and challenges and resulting increased technology spending scrutiny, and the competitive nature of evaluation and purchasing approval processes. Customers may engage in extensive evaluation, testing, and quality assurance work before making a purchase commitment, which increases our upfront investment in sales, marketing, and deployment efforts, with no guarantee that these customers will make a purchase or increase the scope of their subscriptions. In certain circumstances, an enterprise customer’s decision to use our platform and solutions may be an organization-wide decision, and therefore, these types of sales require us to provide greater levels of education regarding the use and benefits of our platform and solutions. As a result, the length of our sales cycle, from identification of the opportunity to deal closure, has varied, and may continue to vary, significantly from customer to customer, with sales to large enterprises and organizations typically taking longer to complete. Moreover, large enterprise customers often begin to deploy our platform and solutions on a limited basis but nevertheless demand configuration, integration services, and pricing negotiations, which increase our upfront investment in the sales effort with no guarantee that these customers will deploy our identity security solutions widely enough across their organization to justify our substantial upfront investment.

Given these factors, it is difficult to predict whether and when a sale will be completed and when revenue from a sale will be recognized due to the variety of ways in which customers may purchase our platform and solutions. This may result in lower than expected revenue in any given period, which would have an adverse effect on our business, financial condition, and results of operations.

At January 31, 2026, we had customers in over 65 countries and employees in 24 countries, and we intend to continue expanding our international sales and marketing operations.

These risks include:

•encountering existing and new competitors with stronger brand recognition in the new markets;

•challenges developing, marketing, selling, and implementing our platform and solutions caused by language, cultural, and ethical differences, and the competitive environment;

•heightened risks of unethical, unfair, or corrupt business practices, actual or claimed, in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;

•global and domestic political instability, economic sanctions, terrorist activities, or international conflicts, including the conflicts in the Middle East (e.g., in Iran, Israel, and the surrounding areas) and between Russia and Ukraine, for example, which have in the past and may in the future impact the operations of our business or the businesses of our customers;

•currency fluctuations;

•the risks of currency hedging activities to limit the impact of exchange rate fluctuations, should we engage in such activities in the future;

•difficulties in managing systems integrators and technology providers;

•laws imposing heightened restrictions on data usage and increased penalties for failure to comply with applicable laws, particularly in the EU;

Table of Contents

•risks associated with trade restrictions and foreign import requirements, including the importation, certification, and localization of our solutions required in foreign countries, as well as changes in trade, tariffs, restrictions, or requirements;

•potentially different pricing environments, longer sales cycles, and longer accounts receivable payment cycles and collections issues;

•management communication and integration problems resulting from cultural differences and geographic dispersion;

•increased turnover of international personnel as compared to our domestic operations;

•potentially adverse tax consequences, including multiple and possibly overlapping tax structures, the complexities of foreign value added tax systems, restrictions on the repatriation of earnings, and changes in tax rates;

•greater difficulty in enforcing contracts, accounts receivable collection, and longer collection periods;

•the uncertainty and limitation of protection for intellectual property rights in some countries;

•increased financial accounting and reporting burdens and complexities; and

•lack of familiarity with local laws, customs, and practices, and laws and business practices favoring local competitors or commercial parties.

Additionally, operating in international markets requires significant management attention and financial resources. We cannot be certain that the investment and additional resources required to operate in other countries will produce desired levels of revenue or net income.

Unfavorable conditions in our industry or the global economy, including those caused by the ongoing conflicts around the world, or reductions in technology spending, could limit our ability to grow our business and negatively affect our results of operations.

Global business activities face widespread macroeconomic uncertainties, and our results of operations may vary based on the impact of changes in our industry or the global economy on us or our customers and potential customers. Negative conditions in the general economy in the United States, Europe, or Asia and in the global economy, including conditions resulting from changes in gross domestic product growth, financial and credit market fluctuations, inflation and efforts to control further inflation, rising interest rates, bank failures, international trade relations, political turmoil (such as the conflicts in the Middle East (e.g., in Iran, Israel, and the surrounding areas) and between Russia and Ukraine, for example), potential U.S. federal government shutdowns, natural catastrophes, warfare, and terrorist attacks could cause a decrease in business investments by existing or potential customers, including spending on technology, and negatively affect the growth of our business. As an example, in the United States, capital markets have experienced and continue to experience volatility and disruption. Furthermore, inflation rates in the United States have recently increased to levels not seen in decades.

Such economic volatility could adversely affect our business, financial condition, results of operations, and cash flows, and future market disruptions could negatively impact us. In particular, we have in the past experienced longer sales cycles and related negotiations for prospective customers and existing customer expansions, reduced contract sizes, or generally increased scrutiny on technology spending and budgets from existing and potential customers, due in part to the effects of macroeconomic uncertainty. These customer dynamics may again occur in the future, and to the extent there is a sustained general economic downturn, a recession, or another situation where technology budgets grow at a slower rate or contract, these customer dynamics may be exacerbated.

Table of Contents

We have employees and contractors in locations throughout the Middle East, Europe, and Asia, including in Israel. If the global effect of the ongoing conflict in Israel and the surrounding area or the ongoing conflict between Russia and Ukraine escalates or expands, our ability to conduct business in these regions could be adversely impacted, potentially resulting in delays to product development, sales and marketing, and other key business functions. Additionally, as a result of geopolitical conflicts, including in Russia and Iran, we may face a heightened risk of state-sponsored cyber attacks in the near term. Our competitors, many of whom are larger and have greater financial resources than we do, may respond to challenging market conditions by lowering prices in an attempt to attract our customers, which may require us to respond in kind and may negatively impact our existing customer relationships and new customer acquisition strategy. In addition, the increased pace of consolidation in certain industries may result in reduced overall spending on our identity security solutions. We cannot predict the timing, strength, or duration of any economic slowdown, instability, or recovery, generally or within any particular industry.

Any failure to offer high-quality customer support may adversely affect our relationships with our customers and our financial results.

In deploying and using our platform and solutions, our customers typically require the assistance of our support teams to resolve complex technical and operational issues. We may be unable to modify the nature, scope, and delivery of our customer support to compete with changes in product support services provided by our competitors. Increased customer demand for support, without corresponding revenue, could increase costs and adversely affect our operating results. We may also be unable to respond quickly enough to accommodate short-term increases in customer demand for support. Our sales are highly dependent on our reputation and on positive recommendations from our existing customers. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality product support, could adversely affect our reputation and our ability to sell our solutions to existing and new customers.

In addition, if the quality of our professional services does not meet contractual requirements, we may be required to re-perform the services at our expense or refund amounts paid for the services.

We derived approximately 12% to 13% of our revenue from sales of our solutions to federal, state, local, and foreign governments and public universities in each of the last three fiscal years, and we believe that the success and growth of our business will continue to depend in part on our successful procurement of government and other public sector contracts. Factors that could impede our ability to maintain or increase the amount of revenue derived from the public sector include:

•changes in fiscal or contracting policies;

•decreases in available government funding;

•changes in government programs or applicable requirements;

•the adoption of new laws or regulations or changes to existing laws or regulations; and

•potential delays or changes in the government appropriations or other funding authorization processes.

Table of Contents

The occurrence of any of the foregoing could cause governments, governmental agencies, and others in the public sector to delay or refrain from purchasing our solutions or otherwise have an adverse effect on our business, operating results, and financial condition.

Additionally, the sale of our solutions to the public sector is tied to budget cycles, and there are government requirements and authorizations that we may be required to meet. Further, we may be subject to audits and investigations relating to the contracts we enter into with the public sector, and violations could result in penalties and sanctions, including contract termination, refunding or forfeiting payments, fines and suspension, or debarment from future public sector business. Selling to these entities can be highly competitive, expensive, and time consuming, often requiring significant upfront time and expense. Public sector entities often require contract terms that differ from our standard arrangements and impose additional compliance requirements, require increased attention to pricing practices, or are otherwise time consuming and expensive to satisfy. For example, some of our government entity customers contract with us on the basis of our authorization under FedRAMP, which has in the past and may in the future require us to undertake additional actions and expense to ensure compliance. Public sector entities may also have statutory, contractual, or other legal rights to terminate contracts with our partners for convenience, for lack of funding, or due to a default, and any such termination may adversely impact our future results of operations. If we represent that we meet certain standards, authorizations (such as FedRAMP), or requirements and do not meet them, or if such authorizations are suspended or revoked, we could be subject to increased liability from our customers, investigation by regulators, or termination rights. Even if we do meet them, the additional costs associated with providing our service to public sector entities could harm our margins. Moreover, changes in underlying regulatory requirements could be an impediment to our ability to efficiently provide our service to public sector customers and to grow or maintain our customer base. Any of these risks related to contracting with public sector entities could adversely impact our future sales and results of operations or make them more difficult to predict.

If we raise additional equity financing, our security holders may experience significant dilution of their ownership interests. If we engage in debt financing, we may be required to accept terms that restrict our ability to incur additional indebtedness, force us to maintain specified liquidity or other ratios, or restrict our ability to pay dividends or make acquisitions. If we need additional capital and cannot raise it on acceptable terms, or at all, we may not be able to, among other things:

•develop and enhance our solutions;

•continue to expand our product development, sales, and marketing organizations;

•hire, train, and retain employees;

•respond to competitive pressures or unanticipated working capital requirements; or

•pursue acquisition opportunities.

We may be unable to integrate acquired businesses and technologies successfully or achieve the expected benefits of such acquisitions, and acquisitions, particularly of development stage companies, may adversely affect our operating results and liquidity as well as our ability to meet expectations.

As a function of the industry in which we operate, we may acquire development stage companies that are not yet profitable, and that require continued investment, which could adversely affect our results of operations and liquidity as well as our ability to meet expectations, particularly if they were formulated prior to such acquisitions. Development stage companies generally involve a higher degree of risk and have not been proven, require additional capital to develop, and typically do not generate enough revenue to offset increased expenses associated therewith.

Table of Contents

The identification of suitable acquisition or investment candidates can be difficult, time-consuming, and costly, and we may not be able to successfully complete identified acquisitions or investments. The risks we face in connection with acquisitions and/or investments include:

•an acquisition may negatively affect our operating results because it may require us to incur charges or assume substantial debt or other liabilities, may cause adverse tax consequences or unfavorable accounting treatment, may expose us to claims and disputes by stockholders and third parties, including intellectual property claims and disputes, or may not generate sufficient financial return to offset additional costs and expenses related to the acquisition;

•we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel, or operations of any company that we acquire;

•an acquisition or investment may disrupt our ongoing business, divert resources, increase our expenses, and distract our management;

•an acquisition may result in a delay or reduction of customer purchases for both us and the company acquired due to customer uncertainty about continuity and effectiveness of service from either company;

•we may encounter difficulties in, or may be unable to, successfully sell any acquired products or effectively integrate them into or with our existing solutions;

•our use of cash to pay for acquisitions or investments would limit other potential uses for our cash;

•if we incur debt to fund any acquisitions or investments, such debt may subject us to material restrictions on our ability to conduct our business; and

•if we issue a significant amount of equity securities in connection with future acquisitions, existing stockholders may be diluted and earnings per share may decrease.

The occurrence of any of these risks could adversely affect our business, operating results, and financial condition.

The preparation of financial statements in conformity with U.S. generally accepted accounting principles (“GAAP") requires management to make estimates and assumptions that affect the amounts reported in our consolidated financial statements and accompanying notes.” The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities, and equity and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to the fair value allocation of multiple performance obligations in revenue recognition, the expected period of benefit of contract acquisition costs, the assumptions underlying the fair value used for equity-based compensation expense for awards prior to our IPO, and estimated useful lives and impairment of intangible assets and goodwill arising from business combinations and the assumptions underlying the fair value used for the redemption value of the redeemable convertible units issued prior to our IPO. Our operating results may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations of securities analysts and investors, resulting in a decline in the trading price of our common stock.

Further, such changes could potentially affect our reporting of transactions completed before such changes are effective.

A change in these principles or interpretations

Table of Contents

could have a significant effect on our reported financial results and could affect the reporting of transactions completed before the announcement of a change. Adoption of such new standards and any difficulties in implementation of changes in accounting principles, including the ability to modify our accounting systems, could cause us to fail to meet our financial reporting obligations, which could result in regulatory discipline and harm investors’ confidence in us.

We track certain business and operational metrics, which are subject to inherent challenges in measurement, and real or perceived inaccuracies in such metrics may harm our reputation and materially adversely affect our stock price, business, results of operations, and financial condition.

We track certain business and operational metrics, including metrics such as ARR, SaaS ARR, and dollar-based net retention rate, which may differ from estimates or similar metrics published by third parties due to differences in sources, methodologies, or the assumptions on which we rely. Our internal systems and tools are subject to a number of limitations, and our methodologies for tracking these metrics may change over time, which could result in unexpected changes to our metrics, including the metrics we publicly disclose. If the internal systems and tools we use to track these metrics undercount or overcount performance or contain algorithmic or other technical errors, the data we report may not be accurate.

If our solutions fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and operating results could be materially and adversely affected.

Examples of industry standards and government regulations include the Federal Information Security Management Act (FISMA) and associated National Institute for Standards and Testing ("NIST") Network Security Standards; the Sarbanes-Oxley Act; the Payment Card Industry Data Security Standard (PCI-DSS); Title 21 of the U.S. Code of Federal Regulations, which governs food and drug industries; the North American Electric Reliability Corporation Critical Infrastructure Protection Plan (NERC-CIP); the GDPR; the German Federal Financial Supervisory Authority (BaFin) Minimum Requirements for Risk Management; and the Monetary Authority of Singapore’s Technology Risk Management Notices. These industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses. In addition, governments may also adopt new laws or regulations, or make changes to existing laws or regulations, that could affect whether our customers believe our solution assists them in maintaining compliance with such laws or regulations. In addition, if government regulations and industry standards related to IT security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their businesses, and our customers may be less willing to purchase our solutions. In either case, our sales and financial results would suffer.

Our success has depended, and continues to depend, on the efforts and talents of our senior management team and key employees, including our Chief Executive Officer, leadership team, engineers, product managers, sales and marketing personnel, and professional services personnel.

The majority of our employees, including all of our officers and key employees, are employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of one or more members of our senior management team, particularly if closely grouped, could adversely affect our ability to execute our business plan and thus, our business, operating results, and prospects.

We may need to invest significant amounts of cash and equity to attract and retain new employees, and we may never realize returns on these investments.

Table of Contents

We believe that our corporate culture has been and will continue to be a key contributor to our success. The size of our workforce has grown significantly in recent years, and we expect headcount growth to continue for the foreseeable future. If we are not able to maintain our corporate culture as we grow, we may be unable to continue to foster the innovation, integrity, and collaboration we believe we need to support our growth, which could adversely affect our business.

Our platform and solutions are billed in multiple currencies, and therefore, a portion of our revenue (and, consequently, ARR) is subject to foreign currency risk. A strengthening of the U.S. dollar could increase the real cost of our platform and solutions to our customers outside of the United States, which could also adversely affect our results of operations. In addition, an increasing portion of our operating expenses are incurred outside the United States. These operating expenses are denominated in foreign currencies and are subject to fluctuations due to changes in foreign currency exchange rates. While we do not currently hedge against the risks associated with currency fluctuations, if our foreign currency risk increases in the future and we are not able to successfully hedge against the risks associated with currency fluctuations, our results of operations would be adversely affected.

Our business could be disrupted by catastrophic events.

Occurrence of any catastrophic event, including earthquake, fire, flood, tsunami, or other weather event, power loss, telecommunications failure, software or commodity appliance malfunction, cyber attack, war, military action, terrorist attack, explosion, or pandemic could impact our business. Our insurance coverage may not compensate us for losses that may occur in the event of a significant natural disaster.

Risks Related to Our Technology and Our Intellectual Property Rights

Our introduction and use of AI, and the integration of AI with our solutions, may not be successful and may present business, compliance, and reputational challenges, which could lead to operational or reputational damage, competitive harm, legal and regulatory risk, and additional costs, any of which could adversely affect our business, financial condition, and results of operations.

We have incorporated, and expect to continue to incorporate, AI in our solutions, and this incorporation of AI in our business and operations may become more significant over time. The use of generative AI, a relatively new and emerging technology in the early stages of commercial use, exposes us to additional risks, such as potential damage to our reputation, competitive position, and business, legal and regulatory risks, and additional costs. For example, generative AI has been known to produce false or “hallucinatory” inferences or output, and certain generative AI uses ML and predictive analytics, which can create inaccurate, incomplete, or misleading content, unintended biases, and other discriminatory or unexpected results, errors, or inadequacies, any of which may not be easily detectable by us or any of our related service providers. Accordingly, while AI systems may help provide more tailored or personalized user experiences, if the content, analyses, or recommendations that AI systems assist in producing in our solutions are, or are perceived to be, deficient, inaccurate, biased, unethical, or otherwise flawed, our reputation, competitive position, and business may be materially and adversely affected. In addition, new laws and regulations, or the interpretation of existing laws and regulations, in any of the jurisdictions we operate in may affect the use of our AI systems and our use of third-party AI tools and solutions and may expose us to government enforcement or civil suits.

As the legal and regulatory framework encompassing AI matures, it may result in increases in our operational and development expenses that impact our ability to earn revenue from or utilize any AI systems. Any of the foregoing and any similar issues, whether actual or perceived, could negatively impact our users’ experience and diminish the perceived quality and value of our offerings. This in turn could damage our brand, reputation, competitive position, and business. Additionally, if any of our employees, contractors, consultants, vendors, or service providers use any third-party AI-powered tools or solutions in connection with our business or the services they provide to us, it may lead to the inadvertent disclosure or incorporation of our confidential information into publicly available training sets, which may impact our ability to realize the benefit of, or adequately maintain, protect, and enforce our intellectual property or confidential information, harming our competitive position and business. Our ability to mitigate risks associated with disclosure of our confidential information, including in

Table of Contents

connection with AI systems, will depend on our implementation, maintenance, monitoring, and enforcement of appropriate technical and administrative safeguards, policies, and procedures governing the use of AI in our business.

Additionally, any output created by us using AI tools may not be subject to copyright protection, which may adversely affect our intellectual property rights in, or ability to commercialize or use, any such content. In the United States, a number of civil lawsuits have been initiated related to the foregoing and other concerns, any one of which may, among other things, require us to limit the ways in which our AI systems are trained and may affect our ability to develop our AI-powered solutions. For example, the output produced by AI tools may include information subject to certain privacy or right of publicity laws or constitute an unauthorized derivative work of the copyrighted material used in training the underlying AI model, any of which could also create a risk of liability for us, or adversely affect our business or operations. AI-related lawsuits to date have generally focused on AI service providers, which may increase our risks of liability. In addition, the use of AI has resulted in, and may in the future result in, cybersecurity breaches, incidents, or disruptions that implicate the personal information of clients of AI systems. To the extent that we do not have sufficient rights to use the data or other material or content used in or produced by the AI tools used in our business, or if we experience cybersecurity incidents in connection with our use of AI, it could adversely affect our reputation and expose us to legal liability or regulatory risk, including with respect to third-party intellectual property, privacy, data protection and cybersecurity, publicity, contractual, or other rights. Further, our competitors or other third parties may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively.

As the utilization of AI becomes more prevalent, we anticipate that it will continue to present new or unanticipated ethical, reputational, technical, operational, legal, competitive, and regulatory issues, among others. We expect that our incorporation of AI in our business will require additional resources, including the incurrence of additional costs, to develop and maintain our solutions and features to minimize potentially harmful or unintended consequences, to comply with applicable and emerging laws and regulations, to maintain or extend our competitive position and to address any ethical, reputational, technical, operational, legal, competitive, or regulatory issues which may arise as a result of any of the foregoing. As a result, the challenges presented with our use of AI could adversely affect our business, financial condition, and results of operations.

Our ability to introduce new identity security solutions and features is dependent on adequate research and development resources and our ability to successfully complete acquisitions.

To remain competitive, we must continue to offer new data security solutions and enhancements to our platform and existing solutions. This is particularly true as we further expand and diversify our capabilities. Maintaining adequate research and development resources, such as the appropriate personnel and development technology, to meet the demands of the market is essential. If we elect not to or are unable to develop solutions internally due to certain constraints, such as high employee turnover, lack of management ability, or a lack of other research and development resources, we may choose to expand into a certain market or strategy via an acquisition for which we could potentially pay too much or fail to successfully integrate into our operations. For additional information about the risks we face in connection with acquisitions, see “—Risks Related to Our Business and Industry— We may be unable to integrate acquired businesses and technologies successfully or achieve the expected benefits of such acquisitions, and acquisitions, particularly of development stage companies, may adversely affect our operating results and liquidity as well as our ability to meet expectations.” Further, many of our competitors expend a considerably greater amount of funds on their respective research and development programs, and those that do not may be acquired by larger companies that would allocate greater resources to our competitors’ research and development programs. Moreover, there is no assurance that our research and development or acquisition efforts will successfully anticipate market needs and result in significant new marketable solutions or enhancements to our solutions, design improvements, cost savings, revenues, or other expected benefits. If we are unable to generate an adequate return on such investments, we may not be able to compete effectively, and our business and results of operations may be adversely affected.

Cyber attacks or other cybersecurity breaches, incidents, or disruptions with respect to our networks, systems, or applications, including unauthorized access to, or disclosure or other processing of, our proprietary, confidential, or sensitive information, including personal information, could disrupt our operations, compromise sensitive information related to our business or personal information processed by us or on our behalf, and expose us to liability, which could

Table of Contents

harm our reputation and adversely affect our business, financial condition, and results of operations, and as we grow, we may become a more attractive target for cyber attacks.

Our solutions analyze and otherwise process proprietary and confidential information, including personal information. Increasingly, companies in our industry are subject to a wide variety of attacks on their networks and systems. As a well-known provider of identity security solutions, we pose an attractive target for such attacks, and as our footprint grows larger, we may become an even more attractive target for cyber attacks. We have previously experienced, and may in the future experience, various attempts to access or disrupt our networks, systems, and applications. We face threats from a variety of sources, including sophisticated nation-state and nation-state supported actors, cyber criminals, terrorists, and politically motivated groups or individuals that pose risks to our internal networks, our platform, our third-party service providers, and our customers’ systems and the proprietary, confidential, or sensitive information, including personal information processed by us or on our behalf. We may face a heightened risk of state-sponsored cyber attacks in the near term as a result of geopolitical conflicts, including in Russia and Iran.

The nature of the attacks perpetrated against us may include theft of sensitive information, exploitation of our solutions as part of a supply chain attack against our customers, manipulation of data, ransomware, or others. In the case of ransomware, extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. We do expend and may be required to expend significantly more capital and financial resources in the future to protect against any such threats or to alleviate problems caused by breaches in security.

Moreover, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be increasingly difficult to integrate companies into our IT environment and security program successfully, or at all.

Despite significant efforts to create security barriers to safeguard against such threats, it is impossible for us to entirely mitigate these risks. In addition, techniques used to sabotage or obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently, generally are not recognized until launched against a target, and may be difficult to discover for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. For example, threat actors may leverage emerging AI technologies to develop new hacking tools and attack vectors, exploit vulnerabilities, obscure their activities, and increase the difficulty of threat attribution and remediation.

If an actual or perceived breach of our or our third-party service providers’ security occurs, whether as result of third-party action, employee error, malfeasance, or otherwise, the market perception of the effectiveness of our security measures could be harmed, our brand and reputation could be impacted, we could lose potential sales and existing customers, our ability to operate our business could be impaired, we could be subject to litigation, government enforcement actions, additional reporting requirements, and restrictions on data processing, and we may incur significant liabilities. Some of our contracts may not contain limitations of liability, and even where they do, there can be no assurance that any such limitations of liability are sufficient to protect us from liabilities, damages, or claims related to any such breaches. Additionally, while our insurance policies include liability coverage for certain breaches, subject to retention amounts that could be substantial, we cannot be sure that our insurance coverage will be sufficient to protect us from liabilities, damages, or claims related to any such breaches, that such coverage will continue to be available on commercially reasonable terms or at all or that such coverage will pay future claims. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or larger deductibles, could adversely affect our

Table of Contents

business, financial condition, and results of operations. Further, our solutions may be perceived as less desirable, which could negatively affect our business and damage our reputation. Our ability to retain existing customers, expand solutions, and use case penetration with existing customers and acquire new customers is dependent upon our reputation as a trusted intelligent security provider. The importance of our reputation in retaining existing business and acquiring new business is heightened by our focus on enterprise customers. In addition, we have a number of customers that operate in highly-regulated industries where our customers’ data is particularly sensitive, such as financial services and healthcare. A network or security breach could damage our relationships with customers, result in the loss of customers across one or more use case or solution, and make it more challenging to acquire new customers, and such damage would likely be heightened in the event a network or security breach occurred in the highly-regulated industries we serve.

As a result, security incidents impacting our platform or the systems of our third-party service providers could result in a risk of loss or unauthorized access to or disclosure of the information we process on behalf of our customers. This, in turn, could require notification under applicable data privacy regulations and could lead to litigation, governmental audits and investigations, and possible liability, damage our relationships with our existing customers, trigger indemnification and other contractual obligations, cause us to incur investigation, mitigation, and remediation expenses, and have a negative impact on our ability to attract and retain new customers. Furthermore, any such incident, including a breach of our customers’ systems, could compromise our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our or our customers’ networks, and the information stored on our or our customers’ systems could be accessed or disclosed without authorization, altered, lost, or stolen, which could subject us to liability and cause us financial harm. An actual or perceived breach of our networks, our customers’ networks, those of our third-party service providers or other networks secured by our solutions, whether or not due to a vulnerability in our platform, may also undermine confidence in our platform or our industry and result in expenditure of significant resources in efforts to analyze, correct, eliminate, or work around errors or defects, delayed or lost revenue, delay in the development or release of new solutions, an increase in collection cycles for accounts receivable, damage to our brand and reputation, negative publicity, loss of channel partners, customers and sales, increased costs to remedy any problem, increased insurance expense, and costly litigation.

In addition, if a high-profile security incident occurs with respect to another identity security solution provider, our customers and potential customers may lose trust in the value of the identity security solution business model generally, including the security of our solutions, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business.

Interruptions, outages, or other disruptions affecting the delivery of our SaaS solution, or any of the third-party cloud-based systems that we use in our operations, may adversely affect our business, operating results, and financial condition.

Our continued growth depends in part on the ability of our existing customers and new customers to consistently access our platform and solutions at any time and within an acceptable amount of time. We have experienced, and may in the future experience, service disruptions, outages, and other performance problems both in the delivery of our SaaS solution and in third-party SaaS solutions we use due to a variety of factors, including infrastructure changes, malicious actors, human or software errors, or capacity constraints. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time.

We host our SaaS solution primarily using AWS data centers. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake, or other natural disasters, cyber attacks, terrorist, or other attacks, military

Table of Contents

actions, public health issues, or other similar events beyond our control have in the past, and could in the future, negatively affect our SaaS platform. For example, in October 2025, we experienced limited disruptions to our SaaS platform due to a widespread AWS outage. More recently, we experienced a limited disruption affecting our services hosted in the United Arab Emirates due to the conflict in the Middle East. Neither situation has had a significant impact on our business. In addition, AWS may terminate our agreement for cause by providing 30 days’ prior written notice.

We rely on third-party software to provide many essential financial and operational services to support our business. Some of these vendors are less established and have shorter operating histories than traditional software vendors. Moreover, many of these vendors, including Salesforce, NetSuite, Workday, and ServiceNow, provide their services to us via a cloud-based model instead of software that is installed on our premises. As a result, we depend upon these vendors to provide us with services that are always available and are free of errors or defects that could cause disruptions in our business processes. Interruptions, outages, or other disruptions affecting SaaS solutions that we rely on can significantly impact our business, operating results, and financial condition. Such disruptions could cause operational delays, inefficiencies, and customer dissatisfaction, which could result in increased customer churn, revenue loss, and increased mitigation costs and potential penalties for not meeting service-level agreements. Frequent or significant disruptions could damage our reputation, making it harder to attract and retain customers. Additionally, service disruptions can result in non-compliance with regulatory requirements, which could lead to legal penalties and increased scrutiny.

The market in which we compete is relatively new and subject to rapid technological change (including increasingly rapid advancement in AI technologies and capabilities), evolving industry standards, and changing regulations, as well as changing customer needs, requirements, and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis. In addition, as our customers’ technologies and business plans grow more complex, we expect them to face new and increasing challenges. Our customers require that our solution effectively identifies and responds to these challenges without disrupting the performance of our customers’ IT systems.

Our enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:

•delays in releasing platform or solutions enhancements or new solutions;

•inability to interoperate effectively with existing or newly introduced technologies, systems, or applications of our existing and prospective customers;

•defects, errors, or failures in our platform or solutions;

•negative publicity about the performance or effectiveness of our platform or solutions;

•introduction or anticipated introduction of competing products by our competitors;

•installation, configuration, or usage errors by our customers or partners; and

Table of Contents

•changing of regulatory requirements related to security.

If new technologies emerge that are able to deliver competitive products and services at lower prices, more efficiently, more conveniently, or more securely, such technologies could adversely impact our ability to compete effectively.

Real or perceived errors, failures, or disruptions in our platform and solutions could adversely affect our customers’ satisfaction with our solutions and/or our industry reputation and business could be harmed.

Our platform and solutions are often used in connection with large-scale computing environments with different operating systems, system management software, equipment, and networking configurations, which may cause errors or failures of products, or other aspects of the computing environment into which our solutions are deployed. If our platform and solutions are not implemented or used correctly or as intended, inadequate performance and disruption of service may result. In addition, deployment of our platform and solutions into complicated, large-scale computing environments may expose errors, failures, or vulnerabilities in our solutions. Any such errors, failures, or vulnerabilities may not be found until after they are deployed to our customers. Some of our software and features are powered by ML and AI, which depend on datasets and algorithms that could be flawed, including through inaccurate, insufficient, outdated, or biased data. From time to time, we have experienced errors, failures, and bugs in our platform that have resulted in customer downtime, and we cannot assure you that we will be able to mitigate future errors, failures, vulnerabilities, or bugs in a quick or cost-effective manner.

We have also been the target of distributed denial of service attacks and other cybersecurity attacks that attempt to disrupt our services. If our or our third-party service providers’ products, solutions, or corporate security are compromised, our website, professional services, customer support, or SaaS solution is unavailable, or there are flaws in our ML and AI processes, our business could be negatively affected. Furthermore, our solutions may not help detect situations in which a valid user identity has been compromised, for example as part of a highly sophisticated cyber attack of the type described below. Highly publicized cybersecurity events have heightened consumer, legislative, and regulatory awareness of these kinds of cybersecurity risks, while further emboldening individuals or groups to target IT systems more aggressively, highlighting the vulnerability of IT supply chains.

However, if we are unable to attract and retain personnel with the necessary cybersecurity expertise, or fail to implement sufficient safeguarding measures, we may not be able to prevent, detect, and mitigate potentially disruptive events which could occur in the future. In some instances, we may not be able to identify the cause or causes of these events within an acceptable period of time. Even with these investments, we may not be able to stop a complex and sophisticated cyber attack. Such attacks can be particularly difficult to prevent or fully mitigate when they occur in the supply chain. If we are or become a target of such an attack, we may not be able to prevent, detect, and mitigate such an attack, which could cause disruptions in service or other performance problems, hurt our reputation and our ability to attract new customers and retain existing customers, and damage our customers’ businesses.

Furthermore, defects, errors, vulnerabilities, or failures in our platform or solutions may require us to implement design changes or software updates. Any defects, vulnerabilities, or errors in our platform or solutions, or the perception of such defects, vulnerabilities, or errors, could result in:

Table of Contents

(i) expenditure of significant financial and product development resources in efforts to analyze, correct, eliminate, or work around errors or defects; (ii) loss of existing or potential customers or channel partners; (iii) delayed or lost revenue; (iv) delay or failure to attain market acceptance; (v) delay in the development or release of new solutions; (vi) negative publicity, which will harm our reputation; (vii) an increase in collection cycles for accounts receivable or the expense and risk of litigation; and (viii) harm to our operating results.

Any insurance coverage we may have may not adequately cover all claims asserted against us or may cover only a portion of such claims. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation and the diverting of management’s time and other resources.

We may not be successful in adapting our platform or solutions to operate effectively with these applications or data.

Incorrect or improper implementation or use of our platform and solutions could result in customer dissatisfaction and harm our business, financial condition, and results of operations.

Implementations of our platform and solutions may be technically complicated, and it may not be easy to maximize the value of our platform and solutions without proper implementation, training, and support. Some of our customers have experienced difficulties implementing our platform and solutions in the past and may experience implementation difficulties in the future. If we or our customers are unable to implement our platform and solutions successfully, customer perceptions of our platform and solutions may be impaired, our reputation and brand may suffer, or customers may choose not to renew their subscriptions or purchase additional identity security solutions from us.

Any failure by customers to appropriately implement our platform and solutions or any failure of our platform and solutions to effectively integrate and operate within our customers’ data management infrastructure could result in customer dissatisfaction, impact the perceived reliability of our platform and solutions, result in negative press coverage, negatively affect our reputation, and harm our business, financial condition, and results of operations.

We use third-party licensed software, third-party licensed services, and cloud services subscriptions in or with our solutions, and the inability to maintain these licenses and subscriptions or issues with the software we license or services we leverage could result in increased costs or reduced service levels, which would adversely affect our business.

This exposes us to risks over which we may have little or no control. For example, the third-party software we currently license may not always be available (including as a result of periodic government restrictions on use and licensing), or available on commercially reasonable terms, and we may not have access to alternative third-party software in the event of any issues with such software. We also cannot be certain that activities such as intellectual property protection, maintenance, prosecution, and enforcement by our licensors have been or will be conducted consistent with our best interests or in compliance with applicable laws and regulations or will result in valid and enforceable intellectual property rights. It is possible that our licensors’ infringement proceedings or defense activities may be

Table of Contents

less vigorous than had we conducted them ourselves or may not be conducted in accordance with our best interests. Furthermore, we cannot be certain that our licensors are not infringing, misappropriating, or otherwise violating the intellectual property rights of third parties or that our licensors have sufficient rights to the licensed intellectual property in all jurisdictions in which we may offer our solutions.

If we fail to obtain, maintain, protect, defend, or adequately enforce our intellectual property or proprietary rights, our competitive position could be impaired, and we may lose valuable assets, generate reduced revenue, and incur costly litigation to protect our rights.

We regard the protection of our copyrights, proprietary software, trademarks, domain names, trade secrets, and other intellectual property rights as critical to our success. We rely and expect to continue to rely on a combination of copyright, trademark, patent, trade secret, and unfair competition laws, as well as confidentiality procedures and agreements, protective covenant agreements, and other contractual protections with our employees, independent contractors, advisers, channel partners, resellers, and customers to protect our trade secrets, proprietary information, and intellectual property rights.

We strive to protect our intellectual property rights by relying on foreign, federal, state, and common law rights, as well as certain contractual restrictions. However, the steps we take to protect our intellectual property and proprietary rights, including physical, operational, and managerial protections of our confidential information, contractual obligations of confidentiality, assignment agreements with our employees and contractors, license agreements, the prosecution, defense, enforcement, protection, and maintenance of registrations and applications for registration of intellectual property rights, and the defense and enforcement of common law rights require significant resources and may be inadequate. Effective trade secret, copyright, trademark, patent, and domain name protection is expensive to develop and maintain, both in terms of initial and ongoing registration requirements and expenses and the costs of defending and enforcing our rights. Given the costs and expenses of obtaining, maintaining, protecting, exploiting, defending, and enforcing our intellectual property rights, we may choose not to obtain, maintain, protect, exploit, defend, or enforce certain intellectual property rights that later turn out to be important. We cannot guarantee that our efforts to obtain, maintain, protect, exploit, defend, or enforce our intellectual property rights are adequate or that we have secured, or will be able to secure, appropriate permissions or protections for all of the intellectual property rights we use or rely on.

Our registered or unregistered trademarks, trade names, or other intellectual property rights may be challenged, infringed, diluted, circumvented, misappropriated, or otherwise violated or declared invalid or unenforceable or determined to be infringing on or dilutive of other marks. Our domain names and social media handles may also be misappropriated or otherwise misused. Further, at times, competitors may adopt trade names, trademarks, domain names, or social media handles similar to ours, thereby impeding our ability to build, maintain, or extend brand identity and possibly leading to market confusion or brand dilution. Furthermore, even if we are able to obtain intellectual property rights, any challenge to our intellectual property rights could result in them being narrowed in scope or declared invalid or unenforceable. Litigation may become necessary to enforce our intellectual property rights, protect our trade secrets, or determine the validity and scope of proprietary rights claimed by others. We may be unable to prevent the misappropriation or disclosure of our proprietary information or deter independent development of similar technologies by others, which may diminish the value of our brand and other intangible assets and allow competitors to more effectively mimic our solutions.

While it is our policy to require our employees, contractors, and other parties with whom we conduct business who may be involved in the conception or development of intellectual property for us to execute agreements assigning such intellectual property to us, we may be unsuccessful in executing such an agreement with each party who, in fact, conceives or develops intellectual property that we regard as our own. Additionally, any such assignment of intellectual property rights may not be self-executing or the assignment agreements may be breached, and we may be forced to bring claims against third parties, or defend claims that they may bring against us, to determine the ownership of what we regard as our intellectual property. Further, although it is our policy to enter into confidentiality agreements with employees and third parties to protect our trade secrets and other proprietary rights, we cannot guarantee that we have entered into such agreements with each party that has or may have had access to our trade secrets, confidential information, software, or other proprietary technology and, even if entered into, these agreements may otherwise fail to effectively prevent disclosure of our proprietary or confidential rights, information, or technologies, may be limited as to their term, or may not provide an adequate remedy in the event of

Table of Contents

unauthorized disclosure, misappropriation, use, or other violation of our trade secrets, confidential information, and other proprietary rights or technologies.

We pursue the registration or protection of our domain names and trademarks in the United States and in certain jurisdictions abroad. However, the laws of some foreign countries do not protect our intellectual property to the same extent as the laws of the United States, and effective intellectual property protection and enforcement mechanisms may not be available in those jurisdictions, which could make it difficult for us to stop the infringement, misappropriation, dilution, or other violation of our intellectual property or marketing of competing products or solutions in violation of our intellectual property rights generally.

We may be subject to intellectual property rights claims by third parties, including contractual counterparties, which may be costly to defend, result in damage to our reputation, and could require us to pay significant damages, limit our ability to use certain technologies, and adversely affect our business, financial condition, and results of operations.

We have in the past and may in the future be subject to notices or claims that we have infringed, misappropriated, or misused the intellectual property of our competitors or other third parties, including third parties that may have significantly larger and more mature patent holdings than we do or are patent holding companies whose sole business is to assert such claims. To the extent we increase our visibility in the market, we face a higher risk of being the subject of intellectual property claims. Additionally, despite our efforts to ensure that our employees, contractors, consultants, vendors, and service providers do not use the intellectual property and other proprietary information or know-how of third parties in their work for us, intellectual property, including copyrighted materials, trade secrets, software code, or other proprietary information, we have been and could in the future be subject to claims that we, our employees, or our contractors, consultants, vendors, and service providers have inadvertently or otherwise used or disclosed intellectual property, copyrighted materials, trade secrets, or other proprietary information of our competitors, former employers, or other parties. Litigation may be necessary to defend against these claims. If we fail in defending against such claims, a court could order us to pay substantial damages and prohibit us from using technologies or features that are essential to our solutions, if such technologies or features are found to incorporate or be derived from the trade secrets or other proprietary information of these parties. In addition, we may lose valuable intellectual property rights or personnel. A loss of key personnel or their work product could hamper or prevent our ability to develop, market, and support potential solutions or enhancements, which could severely harm our business. Even if we are successful in defending against these claims, such litigation could result in substantial costs and be a distraction to management.

See “—Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement, misappropriation, or violation as well as other losses.”

Any intellectual property, indemnification, or wrongful use or disclosure claims, with or without merit, could be time-consuming and expensive, could require litigation, and could divert our management’s attention and other resources. These claims could also subject us to significant liability for damages, potentially including treble damages if we are found to have willfully infringed patents or copyrights. These claims could also result in our having to stop using technology found to be in violation of a third party’s rights. We might be required to seek a license for the intellectual property, which may not be available on reasonable terms or at all. Even if a license is available, we could be required to pay significant royalties, which would increase our operating expenses. As a result, we may be required to develop alternative non-infringing technology, which could require significant effort and expense. If we cannot license or develop technology for any aspect of our business that may ultimately be determined to infringe on or misappropriate the intellectual property rights of another party, we could be forced to limit or stop sales of licenses to our platform and solutions and may be unable to compete effectively. We could also lose valuable intellectual property rights or key personnel as a result of a wrongful disclosure dispute. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property pursuant to our agreements with our channel partners or customers. Any of these results would adversely affect our business, operating results, and financial condition.

Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement, misappropriation, or violation as well as other losses.

Table of Contents

Our agreements with customers and certain partners include indemnification provisions under which we agree to defend and indemnify such customer or partner for losses suffered or incurred as a result of third-party claims for intellectual property infringement or misappropriation of our solutions. The intellectual property infringement indemnity to such customers or partners is an uncapped liability for which we would be responsible, and intellectual property indemnity provisions survive termination or expiration of the applicable agreement.

From time to time, customers also require us to indemnify them for a third-party claim for a violation of law arising from our breach of obligations under the applicable agreement. The existence of such a dispute may have adverse effects on our customer relationship and reputation, and even if we contractually limit our liability with respect to such obligations, we may still incur substantial liability related to them. Any assertions by a third party, whether or not successful, with respect to any of these indemnification obligations could subject us to costly and time-consuming litigation, expensive remediation and licenses, divert management attention and financial resources, harm our relationship with that customer and other current and prospective customers, reduce demand for our platform and solutions, and harm our brand, business, operating results, and financial condition. Any dispute with a customer with respect to such obligations could have adverse effects on our relationship with that customer and other existing customers and new customers and adversely affect our business and operating results.

From time to time, we contribute software source code to open source projects under open source licenses or release internal software projects under open source software licenses and anticipate doing so in the future. Open source software is generally freely accessible, usable, and modifiable. However, certain open source licenses may, in certain circumstances, require us to offer our solutions that incorporate the open source software for no cost, make available source code for modifications or derivative works we create based upon the open source software, incorporate or use the open source software, and/or license such modifications or derivative works under the terms of the particular open source license or otherwise unfavorable terms. The terms of certain open source licenses to which we are subject have not been interpreted by U.S. or foreign courts, and there is a risk that open source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to monetize our solutions. While we try to insulate our proprietary code from the effects of such open source license provisions, we cannot guarantee that we will be successful, that all open source software is reviewed prior to use in our solutions, that our developers have not incorporated open source software into our solutions in potentially disruptive ways, or that they will not do so in the future. Additionally, we may from time to time face claims from third parties claiming ownership of, or demanding release of, the open source software or derivative works that we developed using such software, which could include our proprietary source code, or otherwise seeking to enforce the terms of the applicable open source software license. This re-engineering process could require significant additional research and development resources, and we may not be able to complete it successfully. We could also be subject to suits by parties claiming ownership of what we believe to be open source software. In addition to risks related to license requirements, use of certain open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of software and, thus, may contain security vulnerabilities or broken code. Moreover, some open source projects have known security and other vulnerabilities and architectural instabilities, or are otherwise subject to security attacks due to their wide availability, and are provided on an “as-is” basis. There is typically no support available for open source software, and we cannot ensure that the authors of such open source software will implement or push updates to address security risks or will not abandon further development and maintenance. Further, our use of any AI tools that use, incorporate, or output any open source software may heighten the foregoing risks. Any of these risks could be difficult to eliminate or manage, and if not addressed, could have a negative effect on our business, operating results, and financial condition.

Risks Related to Indebtedness

We may incur significant indebtedness, which could reduce our strategic flexibility and liquidity and may have other adverse effects on our results of operations.

We are currently party to a credit agreement (the “2025 Credit Agreement”) that provides for a five-year $250.0 million senior secured revolving credit facility, including a letter of credit sub-facility up to $10.0 million (the “2025 Revolving Credit Facility”). While we have no outstanding borrowings or letters of credit under the 2025 Credit Agreement or 2025

Table of Contents

Revolving Credit Facility, we have historically relied on the availability of debt financing and we may incur significant indebtedness in the future under the Revolving Credit Facility or otherwise. We may also consider investments in joint ventures or acquisitions, which may increase our indebtedness. Our ability to meet our future debt service obligations, if any, will depend on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control, including the factors described in this “Risk Factors” section. Prevailing economic conditions and global credit markets could adversely impact our ability to do so on terms acceptable to us, or at all. The amount and terms of any future indebtedness could also make us more vulnerable to economic downturns, less able to withstand competitive pressures, and less flexible in responding to changing business and economic conditions as well as require us to allocate more of our cash flow from operations to the payment of outstanding indebtedness, rather than research and development or business growth.

The terms, conditions, and restrictions contained in the 2025 Credit Agreement could expose us to risks that could adversely affect our liquidity and financial condition or otherwise adversely affect our operating results.

The 2025 Credit Agreement contains, and any future debt agreements may contain, various covenants that, among other things, limit our and certain of our subsidiaries’ abilities to:

•incur additional indebtedness or guarantee indebtedness of others;

•create additional liens on our assets;

•merge, consolidate, or dissolve;

•make loans or investments, including acquisitions;

•sell assets;

•engage in sale and leaseback transactions;

•pay dividends and make other distributions on our capital stock, and redeem and repurchase our capital stock; or

•enter into transactions with affiliates.

The 2025 Credit Agreement also contains, and any future debt agreements may also contain, numerous affirmative covenants, including financial covenants. Our failure to comply with these covenants could result in an event of default, which, if not cured or waived, could result in the acceleration of our then outstanding debt.

Interest rate fluctuations may have a material adverse effect on our business, results of operations, financial condition, and cash flows.

Indebtedness under the 2025 Revolving Credit Facility, if any, bears interest at variable rates, and we may incur additional variable interest rate indebtedness in the future. This exposes us to interest rate risk, and any interest rate swaps we enter into in order to reduce interest rate volatility may not fully mitigate our interest rate risk. If interest rates were to increase, our debt service obligations on the variable rate indebtedness would increase even if the amount borrowed remained the same, and our net income and cash flows, including cash available for servicing our indebtedness, would correspondingly decrease.

Risks Related to Laws and Regulations

We will face risks associated with the growth of our business with certain heavily regulated industry verticals.

We market and sell our platform and solutions to customers in heavily regulated industry verticals, including the banking, healthcare, and financial services industries. As a result, we face additional regulatory scrutiny, risks, and burdens from the governmental entities and agencies that regulate those industries. Entering new heavily regulated verticals and expanding in those verticals in which we are already operating will continue to require significant resources to address potential regulatory scrutiny, risks, and burdens, and there is no guarantee that such efforts will be successful or beneficial to us. If we are unable to successfully penetrate these verticals, maintain our market share in such verticals in which we already operate or cost-effectively comply with governmental and regulatory requirements applicable to our activities with customers in such verticals, our business, financial condition, and results of operations may be harmed.

Table of Contents

Any actual or perceived failure by us to comply with our privacy policy or legal or regulatory requirements, rules, industry standards, contractual requirements, and other obligations relating to privacy, data protection, and cybersecurity, in one or multiple jurisdictions could result in proceedings, actions, or penalties against us.

Our solutions analyze and otherwise process customer information, including personal information and other information supplied by our customers. Our standard customer agreement prohibits customers from sending to or storing sensitive customer data in our solutions, whether proprietary data, confidential data, sensitive personal data, or otherwise. However, we may enter into agreements with customers with unique terms that allow for certain sensitive customer data to be sent to and stored in our solutions. Further, our customers’ use of data concerning, among others, their employees, contractors, customers, and/or partners is essential to their use of our platform and solutions, and our solutions are not architected in a manner that prevents our customers from submitting or storing sensitive customer data.

A wide variety of domestic and foreign laws, rules and regulations, and contractual requirements apply to the use and processing of proprietary, confidential, and sensitive information, including personal information. These laws, rules, regulations, industry standards, contractual requirements, and other obligations are constantly evolving, and we will continue to become subject to new proposed laws, rules, regulations, industry standards, contractual requirements, and other obligations in the United States, Europe, and other jurisdictions.

For example, in the United States, there are numerous federal, state, and local privacy, data protection, and cybersecurity laws, rules, and regulations governing the use and processing of personal data. At the federal level, we are subject to, among other laws, rules, and regulations, the rules and regulations promulgated under the authority of the Federal Trade Commission, which has the authority to regulate and enforce against unfair or deceptive acts or practices in or affecting commerce, including acts and practices with respect to privacy, data protection, and cybersecurity. Moreover, Congress has considered, and continues to consider, proposals for comprehensive national data privacy and cybersecurity legislation. As another example, at the state level, we are subject to laws, rules, and regulations, such as the California Consumer Privacy Act (as amended by the California Privacy Rights Act (collectively, “CCPA”)), which, amongst other things, requires businesses to provide specific disclosures in privacy notices, implement new operational practices, honor requests from California residents to exercise certain privacy rights (such as the right to access and request deletion of their personal information and to opt out of certain sharing and sales of personal information) and provides for civil penalties of up to $7,998 per violation, as well as a private right of action for certain data breaches that may increase the likelihood of and risks associated with data breach litigation. Many other states have also enacted, or are in the process of enacting, comprehensive privacy, data protection, and cybersecurity laws, rules, and regulations many of which share similarities with the CCPA, creating a patchwork of overlapping but different state laws. In addition, all 50 states have laws that require the provision of notification for security breaches of personal information to affected individuals, state officers, or others. Possible consequences for non-compliance with these various state laws include enforcement actions in response to rules and regulations promulgated under the authority of federal agencies, state attorneys general, and legislatures and consumer protection agencies.

Outside of the United States, an increasing number of laws, rules, regulations, and industry standards apply to privacy, data protection, and cybersecurity. For example, we are subject to the GDPR in the EU, and in the UK, we are subject to the UK’s Data Protection Act 2018 as supplemented by the GDPR as implemented into UK law (collectively, “UK GDPR”), both of which impose similar, stringent data protection requirements. The GDPR and UK GDPR are wide-ranging in scope and impose numerous additional requirements on companies that process personal data, including imposing special requirements in respect of the processing of personal data, requiring that consent of individuals to whom the personal data relates is obtained in certain circumstances, requiring additional disclosures to individuals regarding data processing activities, requiring that safeguards are implemented to protect the security and confidentiality of personal data, creating mandatory data breach notification requirements in certain circumstances, and requiring that certain measures (including contractual requirements) are put in place when engaging third-party processors. The GDPR and UK GDPR also provide individuals with various rights in respect of their personal data, including rights of access, erasure, portability, rectification, restriction, and objection. Failure to comply with the GDPR and the UK GDPR can result in significant fines and other liability, including fines of up to EUR 20 million (or GBP 17.5 million under the UK GDPR) or four percent of global revenue, whichever is greater. European data protection authorities have shown a willingness to impose significant fines and issue orders preventing the processing of personal data on non-compliant businesses and have imposed several fines for GDPR violations for hundreds of millions of Euros, and even one fine totaling 1.2 billion Euros. Europe's overlapping and yet divergent data protection regimes create increased compliance challenges, costs, and risks for affected businesses. Legal developments in the European Economic Area (“EEA”) and the UK, including rulings from the Court of Justice of the European Union (“CJEU”), have also created

Table of Contents

complexity and uncertainty regarding processing and transfers of personal data from the EEA and the UK to the United States and other so-called third countries outside the EEA and the UK that have not been determined by the relevant data protection authorities to provide an adequate level of protection for privacy rights. Case law from the CJEU indicates that reliance on the standard contractual clauses—a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism—alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. In July 2023, the European Commission adopted an adequacy decision in relation to the EU-U.S. Data Privacy Framework (“DPF”) rendering the DPF effective as a GDPR transfer mechanism for personal data transferred from the EEA to the United States by U.S. entities self-certified under the DPF. In October 2023, the UK Extension to the DPF came into effect, as approved by the UK government, as a data transfer mechanism from the UK to U.S. entities self-certified under the DPF. While we have taken steps to mitigate the impact on us, such as implementing the European Commission’s standard contractual clauses, the efficacy and longevity of these mechanisms remains uncertain. Other jurisdictions outside the EU and the UK are similarly introducing or enhancing privacy, data protection, and cybersecurity laws, rules, and regulations, which increase our compliance costs and the risks associated with noncompliance. We cannot fully determine the impact these or future laws, rules, and regulations may have on our business or operations. These laws, rules, and regulations are often inconsistent from one jurisdiction to another, subject to differing interpretations, and may be interpreted to conflict with our practices. Failure to comply with such requirements could result in fines, sanctions, or other penalties, which could materially affect our reputation, business, financial condition, and results of operations.

See Part I, Item 1, “Business—Government Regulations” for more information. Our failure to comply with contractual obligations or applicable laws and regulations, or to protect any personal or other customer data, could result in enforcement actions against us, including regulatory fines or other civil or criminal liability, as well as claims for damages, contractual or otherwise, by customers and other affected individuals, damage to our reputation, and loss of goodwill (both in relation to existing customers and prospective customers), any of which could adversely affect our business, operating results, financial performance, and prospects.

In addition, we are subject to certain contractual obligations and have made privacy commitments, including in privacy policies and customer data processing agreements, regarding our use and processing of personal data. Additionally, a failure or perceived failure to comply with privacy commitments could lead to regulator or civil claims if our commitments are found to be deceptive or otherwise misrepresentative of our actual policies and practices.

Any failure or perceived failure by us or any third parties with which we do business to comply with laws, rules, regulations, industry standards, contractual requirements, or other actual or asserted obligations to which we or such third parties are or may become subject may result in significant liability, adverse publicity, inability to process data, and investigations, proceedings, and other legal actions against us by governmental entities and private claims, demands, and litigation. Any such action or other matter could be expensive to defend, may require the expenditure of substantial legal and other costs and substantial time and resources, may result in fines, penalties, or other liabilities, and likely would damage our reputation and adversely affect our business, financial condition, and results of operations. We have in the past and may in the future be party to privacy-related actions and disputes. In many jurisdictions, enforcement actions and consequences for non-compliance with privacy, data protection, and cybersecurity laws, rules, regulations, industry standards, contractual requirements, or other obligations are rising. Data subjects may also have a private right of action, as well as consumer associations, to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of applicable privacy, data protection, and cybersecurity laws, rules, and regulations. In addition, privacy advocates and industry groups have regularly proposed, and may propose in the future, self-regulatory standards that may legally or contractually apply to us or be alleged to apply to us. If we fail or are alleged to fail to follow these standards, even if no personal information is compromised, we may incur significant fines or experience a significant increase in costs and face regulatory investigations and other proceedings or private claims, demands, and litigation. In addition, future laws, regulations, standards, and other obligations, and changes in the interpretation of existing laws, regulations, standards, and other obligations, could impair our customers’ ability to collect, use, or disclose data relating to individuals, which could decrease demand for our platform and solutions, increase our costs, and impair our ability to maintain and grow

Table of Contents

our customer base and increase our revenue. This includes evolutions in definitions of what constitutes “Personal Information” and “Personal Data” subject to privacy laws, especially relating to classification of intellectual property addresses, machine or device identification numbers, location data and other information. Changes in the law may limit or inhibit our ability to offer certain solutions or features, limit the growth of features and/or development of new solutions, including that supported by AI or ML, or limit our ability to operate or expand our business and develop technology alliance relationships that may involve the sharing of data.

Privacy concerns, whether or not valid, may inhibit market adoption of our solutions.

Regulatory and legislative developments related to the use of AI could adversely affect our use of such technologies in our solutions and business.

We use AI throughout our business. As the regulatory framework for AI and automated decision making evolves, our business, financial condition, and results of operations may be adversely affected. The regulatory framework for AI and similar technologies and automated decision making is changing rapidly. It is possible that new laws and regulations will be adopted in the United States and in non-U.S. jurisdictions or that existing laws and regulations may be interpreted in ways that would affect the operation of our solutions and the way in which we use AI and similar technologies. We may not be able to adequately anticipate or respond to these evolving laws and regulations, and we may need to expend additional resources to adjust our offerings in certain jurisdictions if applicable legal frameworks are inconsistent across jurisdictions. In addition, because these technologies are themselves highly complex and rapidly developing, it is not possible to predict all of the legal or regulatory risks that may arise relating to our use of such technologies.

For example, in August 2024, the EU Artificial Intelligence Act (the “AI Act”), which establishes broad obligations for the development and use of AI-based technologies in the EU based on their potential risks and level of impact, came into force. This framework categorizes AI systems, based on the risks associated with such AI systems’ intended purposes, as creating unacceptable or high risks, with all other AI systems being considered low risk. Furthermore, the AI Act includes requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security, accuracy, general purpose AI, and foundation models, and provides for fines of up to the greater of €35 million or 7% of worldwide annual turnover for violations. There is a risk that our current or future AI-powered solutions may obligate us to comply with the applicable requirements of the AI Act, which may impose additional costs on us, increase our risk of liability, or adversely affect our business. For example, the AI Act prohibits certain uses of AI systems and places numerous obligations on providers and deployers of permitted AI systems, with heightened requirements based on AI systems that are considered high risk. This regulatory framework is expected to have a material impact on the way AI is regulated in the EU and beyond, and, together with developing regulatory guidance and judicial decisions in this area, may affect our use of AI and our ability to provide and to improve our solutions, require additional compliance measures and changes to our operations and processes, result in increased compliance costs and potential increases in civil claims against us, and could adversely affect our business, financial condition, and results of operations.

Table of Contents

We are subject to the Foreign Corrupt Practices Act (the “FCPA”), the U.K. Bribery Act, and other anti-corruption, anti-bribery, and anti-money laundering laws in various jurisdictions both domestic and abroad. The FCPA prohibits any U.S. individual or business from paying, offering, authorizing payment, or offering anything of value, directly or indirectly, to any foreign official, political party, or candidate for the purpose of influencing any act or decision of the foreign entity in order to assist the individual or business in obtaining or retaining business. The U.K. Bribery Act is similar but even broader in scope in that it prohibits bribery of private (non-government) persons as well. The FCPA also obligates companies whose securities are listed in the United States to comply with certain accounting provisions requiring the company to maintain books and records that accurately and fairly reflect all transactions of the corporation, including international subsidiaries, and to devise and maintain an adequate system of internal accounting controls for international operations. Our sales model presents some risk under these laws. We leverage third parties, including channel partners, to sell our solutions and conduct our business abroad. We and our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies, state-owned or affiliated entities, and non-governmental commercial entities and may be held liable for the corrupt or other illegal activities of these third-party intermediaries, our employees, representatives, contractors, channel partners, and agents, even if we do not explicitly authorize such activities. Noncompliance with these laws could subject us to investigations, sanctions, settlements, prosecution, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, adverse media coverage, and other consequences.

Our business activities are subject to various restrictions under U.S. export controls and trade and economic sanctions laws, including the U.S. Commerce Department’s Export Administration Regulations and economic and trade sanctions regulations maintained by the U.S. Treasury Department’s Office of Foreign Assets Control. The U.S. export control laws and U.S. economic sanctions laws include prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries, governments, persons, and entities and also require authorization for the export of encryption items. If the applicable U.S. or Israeli requirements regarding export of encryption technology were to change or if we change the encryption means in our solutions, we may need to satisfy additional requirements in the United States or Israel. There can be no assurance that we will be able to satisfy any additional requirements under these circumstances in either the United States or Israel.

If we fail to comply with these laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and monetary penalties. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. Although we take precautions to prevent transactions with U.S. sanction targets, we could inadvertently provide our solutions to persons prohibited by U.S. sanctions. This could result in negative consequences to us, including government investigations, penalties, and harm to our reputation.

The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws, or revised interpretations of existing tax laws and precedents. In addition, the authorities in these jurisdictions could challenge our methodologies for valuing developed technology or intercompany arrangements, including our transfer pricing. The relevant taxing authorities may determine that the manner in which we operate our business does not achieve the intended tax consequences. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest, and penalties. Such authorities could claim that various withholding requirements apply to us or our subsidiaries

Table of Contents

or assert that benefits of tax treaties are not available to us or our subsidiaries. Any increase in the amount of taxes we pay or that are imposed on us could increase our worldwide effective tax rate and adversely affect our business and operating results.

Our U.S. federal and state net operating loss (“NOLs”) carryforwards and certain other tax credits may be subject to limitations under Section 382 and Section 383 of the Internal Revenue Code of 1986, as amended (the “Code”), respectively, and similar provisions of state law. Under those sections of the Code, a corporation that undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in its equity ownership over a three-year period, is subject to limitations on its ability to utilize its pre-change NOLs and other pre-change tax attributes, such as research tax credits, to offset future taxable income or taxes. Our existing NOLs may be subject to limitations arising from previous ownership changes, and if we undergo an ownership change, our ability to utilize NOLs and other tax attributes could be further limited by Sections 382 and 383 of the Code. In addition, future changes in our stock ownership, many of which are outside of our control, could result in an ownership change under Sections 382 and 383 of the Code. “Ownership changes” that have occurred in the past or that may occur in the future could result in the imposition of an annual limit on the amount of pre-ownership change NOLs and other tax attributes we can use to reduce taxable income, potentially increasing and accelerating our liability for income taxes, and also potentially causing those tax attributes to expire unused.

The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their respective implementing regulations (collectively referred to as “HIPAA”), imposes specified requirements relating to the privacy, security, and transmission of individually identifiable health information, including “protected health information” (“PHI”) under HIPAA. HIPAA requires, among other things, that “covered entities” and their business associates maintain reasonable and appropriate administrative, physical, and technical safeguards to protect PHI. Additionally, business associates are required to assist covered entities with various requirements under HIPAA, including reporting certain breaches, security incidents, or other unauthorized uses or disclosures of PHI to individuals, the Department of Health and Human Services Office for Civil Rights, and the media, depending on the extent of the disclosure.

HITECH also gave state attorneys general authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorneys’ fees and costs associated with pursuing federal civil actions. Furthermore, the HIPAA-covered entities and service providers to which we provide solutions require us to enter into HIPAA-compliant business associate agreements with them. These agreements impose stringent data security obligations on us.

In addition, many state laws govern the privacy and security of health information in certain circumstances, including having passed privacy legislation to cover consumer health data and sensitive data. These laws may differ from other state privacy requirements, including in the way such laws are interpreted and enforced by state regulatory authorities, and may be more stringent than HIPAA. Under these state laws, states may impose fines or penalties for violations and, depending on the state, may allow a private right of action for individuals who believe their information has been inappropriately used or disclosed, including from a security incident or breach. Additionally, many state attorneys general and the Federal Trade Commission have interpreted existing consumer protection laws to impose standards on the privacy, security, use, transfer, disclosure, disposal, and other treatment of an individual’s information, including health information.

Increased and complex scrutiny of environmental, social, governance, and sustainability (“ESG”) matters may require us to incur additional costs or otherwise adversely impact our business.

Table of Contents

Increased attention to climate change, diversity, equity, and inclusion, and other ESG issues, may result in increased costs (including but not limited to increased costs related to compliance, stakeholder engagement, and contracting), impact our reputation or otherwise affect our business performance. In addition, organizations that provide information to investors on corporate governance and related matters have developed ratings processes for evaluating companies on ESG matters. Such ratings are used by some investors to inform their investment or voting decisions and also by some customers and prospective customers to inform their purchasing decisions. Unfavorable ESG ratings could lead to negative investor sentiment toward us and/or our industry, which could have a negative impact on our access to and costs of capital, and could also cause customers and prospective customers to not purchase our solutions. To the extent ESG matters negatively impact our reputation, we may also not be able to compete as effectively to recruit or retain employees. We may take certain actions, including the establishment of ESG-related goals, to improve our ESG profile and/or respond to stakeholder demands, and such actions may be costly or be subject to numerous conditions that are outside our control, and we cannot guarantee that such actions will have the desired effect.

Moreover, while we may have and may continue to create and publish voluntary disclosures regarding ESG matters from time to time, many of the statements in those voluntary disclosures are based on hypothetical expectations and assumptions that may or may not be representative of current or actual risks or events or forecasts of expected risks or events, including the costs associated therewith. Such expectations and assumptions are necessarily uncertain and may be prone to error or subject to misinterpretation given the long timelines involved and the lack of an established single approach to identifying, measuring, and reporting on many ESG matters. Such disclosures may also be at least partially reliant on third-party information that we have not independently verified or cannot be independently verified. In addition, we expect there will likely be increasing levels of regulation, disclosure-related and otherwise, with respect to ESG matters, and increased regulation will likely lead to increased compliance costs as well as scrutiny that could heighten all of the risks identified in this risk factor. Such ESG matters may also impact our customers, which may adversely impact our business, financial condition, or results of operations.

Risks Related to Ownership of Our Common Stock

The trading price of our common stock could be volatile, which could cause the value of your investment to decline.

Our initial public offering (our "IPO") occurred in February 2025. Therefore, there has only been a public market for our common stock for a short period of time. Technology stocks have historically experienced high levels of volatility. The trading price of our common stock may fluctuate substantially in response to numerous factors, many of which are beyond our control. These fluctuations could cause you to lose all or part of your investment in our common stock. Factors that could cause fluctuations in the trading price of our common stock include the following:

•announcements of new solutions, products, or technologies, commercial relationships, acquisitions, or other events by us, our competitors, or other technology industry companies, including potential technology industry disruption as a result of AI and agentic AI advancements;

•changes in how customers perceive the benefits of our solutions;

•shifts in the mix of revenue attributable to SaaS subscriptions from quarter to quarter;

•departures of key personnel;

•price and fluctuations in the overall stock market from time to time;

•fluctuations in the trading volume of our shares or the size of our public float;

•sales of large blocks of our common stock;

•actual or anticipated changes or fluctuations in our operating results;

•whether our operating results meet the expectations of securities analysts or investors;

Table of Contents

•changes in actual or future expectations of investors or securities analysts;

•litigation involving us, our industry, or both;

•regulatory developments in the United States, foreign countries, or both;

•general economic conditions and trends;

•major catastrophic events in our domestic and foreign markets; and

•“flash crashes,” “freeze flashes,” or other glitches that disrupt trading on the securities exchange on which we are listed.

In addition, if the market for technology stocks or the stock market in general experiences a loss of investor confidence, the trading price of our common stock could decline, including for reasons unrelated to our business, operating results, or financial condition. The trading price of our common stock might also decline in reaction to events that affect other companies in our industry even if these events do not directly affect us. In the past, following periods of volatility in the trading price of a company’s securities, securities class action litigation has often been brought against that company. If our stock price is volatile, we may become the target of securities litigation. Securities litigation could result in substantial costs and divert our management’s attention and resources from our business. This could have an adverse effect on our business, operating results, and financial condition.

If securities analysts or industry analysts were to downgrade our stock, publish negative research or reports, or fail to publish reports about our business, our competitive position could suffer and our stock price and trading volume could decline.

The trading market for our common stock, to some extent, depends on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If one or more of the analysts who cover us should downgrade our stock or publish negative research or reports, cease coverage of our company, or fail to regularly publish reports about our business, our competitive position could suffer and our stock price and trading volume could decline.

Our issuance of additional capital stock in connection with financings, acquisitions, investments, our stock incentive plans, or otherwise will dilute all other stockholders.

We may issue additional capital stock in the future that will result in dilution to all other stockholders. We may also raise capital through equity financings in the future. As part of our business strategy, we may acquire or make investments in complementary companies, products, or technologies and issue equity securities to pay for any such acquisition or investment. Any such issuances of additional capital stock may cause stockholders to experience significant dilution of their ownership interests and the per share value of our common stock to decline.

We do not intend to pay dividends on our common stock and, consequently, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.

We have never declared or paid any dividends on our common stock. We intend to retain any earnings to finance the operation and expansion of our business, and we do not anticipate paying any cash dividends in the foreseeable future. As a result, you may only receive a return on your investment in our common stock if the market price of our common stock increases.

Provisions of our corporate governance documents could make an acquisition of us more difficult and may prevent attempts by our stockholders to replace or remove our current management, even if beneficial to our stockholders.

Our certificate of incorporation and bylaws and the Delaware General Corporation Law (the “DGCL”) contain provisions that could make it more difficult for a third party to acquire us, even if doing so might be beneficial to our stockholders. Among other things:

Table of Contents

•these provisions allow us to authorize the issuance of undesignated preferred stock, the terms of which may be established and the shares of which may be issued without stockholder approval, and which may include supermajority voting, special approval, dividend, or other rights or preferences superior to the rights of stockholders;

•these provisions provide for a classified board of directors with staggered three-year terms;

•these provisions provide that, at any time when Thoma Bravo controls, in the aggregate, less than 40% in voting power of our stock entitled to vote generally in the election of directors, directors may only be removed for cause and only by the affirmative vote of holders of at least 66 2/3% in voting power of all the then-outstanding shares of our stock entitled to vote thereon, voting together as a single class;

•these provisions prohibit stockholder action by written consent from and after the date on which Thoma Bravo controls, in the aggregate, less than 35% in voting power of our stock entitled to vote generally in the election of directors;

•these provisions provide that for as long as Thoma Bravo controls, in the aggregate, at least 50% in voting power of our stock entitled to vote generally in the election of directors, any amendment, alteration, or repeal of our bylaws by our stockholders will require the affirmative vote of a majority in voting power of the outstanding shares of our capital stock and at any time when Thoma Bravo controls, in the aggregate, less than 50% in voting power of all outstanding shares of our stock entitled to vote generally in the election of directors, any amendment, alteration, or repeal of our bylaws by our stockholders will require the affirmative vote of the holders of at least 66 2/3% in voting power of all the then-outstanding shares of our stock entitled to vote thereon, voting together as a single class; and

•these provisions establish advance notice requirements for nominations for elections to our Board or for proposing matters that can be acted upon by stockholders at stockholder meetings; provided, however, at any time when Thoma Bravo controls, in the aggregate, at least 10% in voting power of our stock entitled to vote generally in the election of directors, such advance notice procedure will not apply to Thoma Bravo.

We have opted out of Section 203 of the DGCL, which generally prohibits a Delaware corporation from engaging in any of a broad range of business combinations with any interested stockholder for a period of three years following the date on which the stockholder became an interested stockholder. However, our certificate of incorporation contains a provision that provides us with protections similar to Section 203 and prevents us from engaging in a business combination with a person (excluding Thoma Bravo and any of their direct or indirect transferees and any group as to which such persons are a party) who acquires at least 15% of our common stock for a period of three years from the date such person acquired such common stock, unless board or stockholder approval is obtained prior to the acquisition. These provisions could discourage, delay, or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for you and other stockholders to elect directors of your choosing and cause us to take other corporate actions you desire, including actions that you may deem advantageous, or negatively affect the trading price of our common stock. In addition, because our Board is responsible for appointing the members of our management team, these provisions could in turn affect any attempt by our stockholders to replace current members of our management team.

These and other provisions in our certificate of incorporation, bylaws, and Delaware law could make it more difficult for stockholders or potential acquirers to obtain control of our Board or initiate actions that are opposed by our then-current Board, including actions to delay or impede a merger, tender offer, or proxy contest involving our company. The existence of these provisions could negatively affect the price of our common stock and limit opportunities for you to realize value in a corporate transaction.

Thoma Bravo controls us, and its interests may conflict with ours or yours in the future.

As of January 31, 2026, investment entities affiliated with Thoma Bravo UGP, LLC (together with its affiliated entities, "Thoma Bravo") control approximately 85% of the voting power of our outstanding common stock, which means that, based on its percentage voting power, Thoma Bravo controls the vote of all matters submitted to a vote of our stockholders. This control enables Thoma Bravo to control the election of the members of the Board and all other corporate decisions. Even when Thoma Bravo ceases to control a majority of the total voting power, for so long as Thoma Bravo continues to own a significant percentage of our common stock, Thoma Bravo will still be able to significantly influence the composition of our Board and the approval of actions requiring stockholder approval. Accordingly, for such period of time, Thoma Bravo will have significant influence with respect to our management, business plans, and policies, including the appointment and removal of our officers, decisions on whether to raise future capital, and amending our charter and bylaws, which govern the rights attached to our common stock. In particular, for so long as Thoma Bravo continues to own a significant percentage of our

Table of Contents

common stock, Thoma Bravo will be able to cause or prevent a change of control of us or a change in the composition of our Board and could preclude any unsolicited acquisition of us. The concentration of ownership could deprive you of an opportunity to receive a premium for your shares of common stock as part of a sale of us and ultimately might affect the market price of our common stock.

In addition, we have entered into a director designation agreement (the “Director Designation Agreement”) with Thoma Bravo that provides it the right to designate: (i) all of the nominees for election to our Board for so long as Thoma Bravo beneficially owns 40% or more of the total number of shares of our common stock beneficially owned by Thoma Bravo upon completion of the IPO, as adjusted for any reorganization, recapitalization, stock dividend, stock split, reverse stock split, or similar changes in our capitalization (such number of shares as may be adjusted, the “Original Amount"); (ii) a number of nominees for election to our Board (rounded up to the nearest whole number) equal to 40% of the total directors for so long as Thoma Bravo beneficially owns at least 30% and less than 40% of the Original Amount; (iii) a number of nominees for election to our Board (rounded up to the nearest whole number) equal to 30% of the total directors for so long as Thoma Bravo beneficially owns at least 20% and less than 30% of the Original Amount; (iv) a number of nominees for election to our Board (rounded up to the nearest whole number) equal to 20% of the total directors for so long as Thoma Bravo beneficially owns at least 10% and less than 20% of the Original Amount; and (v) one nominee for election to our Board for so long as Thoma Bravo beneficially owns at least 5% of the Original Amount. The Director Designation Agreement also provides that Thoma Bravo may assign such right to an affiliate. The Director Designation Agreement prohibits us from increasing or decreasing the size of our Board without the prior written consent of Thoma Bravo. See Part III, Item 13, “Certain Relationships and Related Party Transactions, and Director Independence—Related Party Transactions—Director Designation Agreement” for more details with respect to the Director Designation Agreement.

Thoma Bravo and its affiliates engage in a broad spectrum of activities, including investments in our industry generally. In the ordinary course of their business activities, Thoma Bravo and its affiliates may engage in activities where their interests conflict with our interests or those of our other stockholders, such as investing in or advising businesses that directly or indirectly compete with certain portions of our business or are suppliers or customers of ours. Our certificate of incorporation provides that none of Thoma Bravo, any of its affiliates, or any director who is not employed by us (including any non-employee director who serves as one of our officers in both his or her director and officer capacities) or its affiliates will have any duty to refrain from engaging, directly or indirectly, in the same business activities or similar business activities or lines of business in which we operate. Thoma Bravo also may pursue acquisition opportunities that may be complementary to our business, and, as a result, those acquisition opportunities may not be available to us. In addition, Thoma Bravo may have an interest in pursuing acquisitions, divestitures, and other transactions that, in their judgment, could enhance their investment, even though such transactions might involve risks to you or may not prove beneficial.

We may issue preferred stock whose terms could adversely affect the voting power or value of our common stock.

Our charter authorizes us to issue, without the approval of our stockholders, one or more classes or series of preferred stock having such designations, preferences, limitations, and relative rights, including preferences over our common stock respecting dividends and distributions, as our Board may determine. The terms of one or more classes or series of preferred stock could adversely impact the voting power or value of our common stock. For example, we might grant holders of preferred stock the right to elect some number of our directors in all events or on the happening of specified events or the right to veto specified transactions. Similarly, the repurchase or redemption rights or liquidation preferences we might assign to holders of preferred stock could affect the residual value of our common stock.

Our charter designates the Court of Chancery of the State of Delaware as the sole and exclusive forum for certain types of actions and proceedings that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, employees, or agents.

Pursuant to our certificate of incorporation, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware will be the sole and exclusive forum for any claims in state court for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers, other employees, or stockholders to us or our stockholders, (iii) any action asserting a claim against us arising pursuant to any provision of the DGCL, our certificate of incorporation, or our bylaws, or (iv) any other action asserting a claim against us that is governed by the internal affairs doctrine; provided that for the avoidance of doubt, the forum selection provision that identifies the Court of Chancery of the State of Delaware as the exclusive forum for certain litigation, including any “derivative action,” will not apply to suits to enforce a duty or liability created by the Securities Act of 1933, as amended (the “Securities Act”) Securities Act, the Exchange Act, or any other claim for which the federal courts have exclusive jurisdiction. Our certificate of incorporation will also provide that, unless we consent in writing to the selection of an alternative forum, the federal district courts of the United States shall be the exclusive forum for the resolution of any complaint asserting a cause of action arising under the Securities Act. Our certificate of incorporation further provides that any person or entity

Table of Contents

purchasing or otherwise acquiring or holding any interest in shares of our capital stock is deemed to have notice of and consented to the provisions of our certificate of incorporation described above. The forum selection provisions in our certificate of incorporation may have the effect of discouraging lawsuits against us or our directors and officers and may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us. If the enforceability of our forum selection provisions were to be challenged, we may incur additional costs associated with resolving such challenge. While we currently have no basis to expect any such challenge would be successful, if a court were to find our forum selection provisions to be inapplicable or unenforceable with respect to one or more of these specified types of actions or proceedings, we may incur additional costs associated with having to litigate in other jurisdictions, which could have an adverse effect on our business, financial condition, results of operations, cash flows, and prospects and result in a diversion of the time and resources of our employees, management, and Board.

We are a controlled company within the meaning of the rules of Nasdaq and, as a result, qualify for and are relying on exemptions from certain corporate governance requirements.

Thoma Bravo beneficially owns, on a combined basis, a majority of the combined voting power of all classes of our outstanding voting stock. As a result, we are a controlled company within the meaning of the rules of Nasdaq. Under Nasdaq rules, a company of which more than 50% of the voting power is held by another person or group of persons acting together is a controlled company and may elect not to comply with certain Nasdaq corporate governance requirements, including the requirements that:

•a majority of the board of directors consist of independent directors as defined under the rules of Nasdaq;

•the nominating and governance committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities; and

•the compensation committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities.

These requirements will not apply to us as long as we remain a controlled company. We currently utilize some or all of these exemptions. Accordingly, our stockholders may not have the same protections afforded to stockholders of companies that are subject to all of the corporate governance requirements of Nasdaq.

Item 1B. Unresolved Staff Comments.

None.

Cybersecurity.

Cybersecurity Risk Management and Strategy

We view managing cybersecurity risk as imperative to protecting the confidentiality, integrity, availability, and resiliency of the information and systems we use to achieve our strategic business goals and satisfy our customers and partners. To that end, we have developed a formal cybersecurity risk management program that is integrated into our broader enterprise risk processes in an effort to protect our applications, networks, and systems from risks from cybersecurity threats. We use elements of the NIST Cybersecurity Framework and other recognized industry standards to inform and guide the design of this program, though we do not purport to meet any particular technical standards, specifications, or requirements of NIST.

We engage with multiple teams across the business, including IT, Product, Engineering, DevOps, Legal, Human Resources, Compliance, and Sales, in an effort to address all aspects and phases of the cybersecurity risk lifecycle, including identification, assessment, treatment, monitoring, and reporting. We also engage with external independent partners on a regular basis to assess the maturity of our cybersecurity risk management program and to recommend improvements thereto, including with respect to third-party risk. We also conduct annual audits and control testing to evaluate the efficiency of our controls across the organization.

Key features of our cybersecurity risk management program include:

•A dedicated team of risk analysts who manage the program and associated activities, such as risk assessments, risk lifecycle management, control assessments, and risk reporting.

Table of Contents

•Risk assessments that are conducted by the risk team on a regular basis, which sometimes include emerging topics addressed through targeted risk assessments.

•Security incident response policies and procedures to investigate and respond to security incidents, including procedures to assess the threat of relevant vulnerabilities or security incidents, and to establish remediation and mitigation actions for events.

•Security awareness training campaigns assigned to our users at least twice a year covering a multitude of security and privacy topics.

•Management of third-party risk, including conducting cybersecurity assessments of vendors before onboarding them, followed by ongoing monitoring for compliance with standards.

We have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We nevertheless face ongoing risks from cybersecurity threats that, if realized, could affect us, including our operations, business strategy, results of operations, or financial condition. See Part I, Item 1A, “Risk Factors” in this Annual Report for additional information regarding potential cybersecurity risks, particularly the risk factor titled “Cyber attacks or other cybersecurity breaches, incidents, or disruptions with respect to our networks, systems, or applications, including unauthorized access to, or disclosure or other processing of, our proprietary, confidential, or sensitive information, including personal information, could disrupt our operations, compromise sensitive information related to our business or personal information processed by us or on our behalf, and expose us to liability, which could harm our reputation and adversely affect our business, financial condition, and results of operations, and as we grow, we may become a more attractive target for cyber attacks.”

Cybersecurity Governance

Our Board oversees our risk management efforts and has created a dedicated cybersecurity committee to specifically oversee our cybersecurity risk policies, plans, and programs. The cybersecurity committee typically meets at least quarterly and at each regular meeting, management, including our Chief Information Security Officer (CISO), provides an update to the committee regarding our cybersecurity risk management program, including with respect to plan design, recent cybersecurity incidents (if any), and general cybersecurity developments.

Our management team, including our CISO, is responsible for assessing and managing our risks from cybersecurity threats under the cybersecurity committee’s oversight. Our current CISO has 20 years of cybersecurity experience in both the public and private sectors. His senior public sector roles include Senior Policy Advisor and the Director of Stakeholder Engagement in the Office of the National Cyber Director, Chief of Cyber Threat Analysis at the Cybersecurity and Infrastructure Security Agency (CISA), CISO of the Pandemic Response Accountability Committee, and Deputy CISO of the Pension Benefit Guaranty Corporation.

Our CISO leads an internal cybersecurity team comprised of individuals with varying experience and skillsets. This team covers a variety of cybersecurity-related functions, including security operations, strategy and governance risk and compliance, program management, security architecture and engineering, vulnerability management, and product security. We also have a dedicated security operations center that is responsible for detection and monitoring of cybersecurity incidents. Our CISO takes steps to stay informed about and monitor the identification, prevention, detection, protection, mitigation, and remediation of key cybersecurity risks and incidents through various means. In the case of a security event, the security incident response plan is activated to respond to the security event. We also assess and manage our cyber risks through our internal Information Security and Privacy Governance Committee, which is composed of a cross-organizational leadership team and was formed to oversee the management, operation, and overall effectiveness of the information security management system.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
SFDL	33 minutes ago
OVTZ	an hour ago
UNB	an hour ago
LFAC	an hour ago
SWDR	2 hours ago
SLBK	2 hours ago
FSEA	5 hours ago
VSCO	6 hours ago
MIST	6 hours ago
DG	7 hours ago
AEVA	16 hours ago
OZ	17 hours ago
PELI	18 hours ago
YSS	19 hours ago
FLY	20 hours ago
ODYS	20 hours ago
SBXD	20 hours ago
STRW	20 hours ago
ASST	20 hours ago
SPIR	20 hours ago
ELDN	20 hours ago
COLA	20 hours ago
BKKT	20 hours ago
AWX	21 hours ago
NBY	21 hours ago
NLST	21 hours ago
COEP	21 hours ago
MSAI	21 hours ago
LUNR	21 hours ago
RCAT	21 hours ago
BFRG	21 hours ago
HRGN	21 hours ago
ECOR	21 hours ago
ZNOG	21 hours ago
WWR	21 hours ago
FIVE	21 hours ago
SAIL	21 hours ago
RLMD	21 hours ago
ALMS	21 hours ago
TPTA	21 hours ago
KOYN	21 hours ago
MOV	1 day, 3 hours ago
EQPT	1 day, 4 hours ago
PLBC	1 day, 5 hours ago
MREO	1 day, 5 hours ago
TSHA	1 day, 5 hours ago
SIG	1 day, 5 hours ago
MLCI	1 day, 6 hours ago
GRTX	1 day, 6 hours ago
ACRV	1 day, 6 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - SAIL

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - SAIL

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing