Agora (API) Risk Factors

We and our customers that use our products may be subject to privacy, cybersecurity and data protection-related laws and regulations that impose obligations in connection with the collection, processing and use of personal data, financial data, health or other similar data and general cybersecurity. The U.S. federal and various state governments as well as the PRC government and governments in other countries have adopted or proposed limitations on, or requirements regarding, the collection, distribution, use, security and storage of information, including personally identifiable information of individuals. In the United States, the U.S. Federal Trade Commission and numerous state attorneys general are applying federal and state consumer protection laws to impose standards on the online collection, use and dissemination of data, and to the security measures applied to such data. Also, the U.S. Congress enacted the Export Controls Act of 2018, or ECA, with the principal purpose to enhance protection of U.S. technology resources by imposing greater restrictions on the transfer to non-U.S. individuals and companies, particularly through exports to China, of certain key foundational and emerging technologies and cybersecurity considered critical to U.S. national security. The ECA has broadened the scope of U.S. export controls policy to protect a wider range of national security interests, including telecommunications technology, against perceived challenges presented by the PRC. The U.S. government may require us to assist in its investigations related to U.S. national security by providing requested information. In the PRC, the PRC Cybersecurity Law and relevant regulations require network operators, which may include us, to ensure the security and stability of the services provided via network and to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations. Similarly, many other countries and governmental bodies, including the EU member states, have laws and regulations concerning the collection and use of personal data obtained from individuals located in the EU or by businesses operating within their jurisdiction, which are often more restrictive than those in the United States. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, disclosure and security of personal data that identifies or may be used to identify an individual, such as names, telephone numbers, email addresses and, in certain circumstances, IP addresses and other online identifiers. For example, the EU has adopted the General Data Protection Regulation, or the GDPR, which took full effect on May 25, 2018. The GDPR enhances data protection obligations for businesses and requires service providers (data processors) processing personal data on behalf of customers to cooperate with European data protection authorities, implement security measures and keep records of personal data processing activities. The UK has adopted legislation substantially implementing the GDPR, the UK General Data Protection Regulation and the UK Data Protection Act 2018, which we collectively refer to as the UK GDPR. Noncompliance with the GDPR can trigger fines equal to or greater of €20 million or 4% of global annual revenues, and the UK GDPR provides for fines for noncompliance of up to the greater of £17.5 million and 4% of total annual revenue. Given the breadth and depth of its obligations, working to meet the requirements of the GDPR has required significant time and resources, including a review of our technology and systems currently in use against the requirements of the GDPR, and similar expenditures of time and resources are required in the case of the UK GDPR. There are also additional EU laws and regulations (and member states implementations thereof), and laws and regulations in the UK, which govern the protection of consumers and of electronic communications. We have taken measures to address certain obligations under the GDPR and UK GDPR and to make us compliant with those regimes, but we may be required to take additional steps in order to comply with them. If our efforts to comply with GDPR, the UK GDPR, or other applicable EU or UK laws and regulations are not successful, we may be subject to penalties and fines that would adversely impact our business and operating results, and our ability to conduct business in the EU and UK could be significantly impaired. Outside of the EU, we continue to see increased regulation of privacy cybersecurity and data protection, including the adoption of more strict laws with more stringent subject matter specific state laws in the United States and with a broader scope in the PRC. For example, in 2018, California enacted the CCPA, which took effect on January 1, 2020. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. Additionally, a new privacy law, the California Privacy Rights Act, or CPRA, was approved by California voters in the November 3, 2020 election. The CPRA generally takes effect on January 1, 2023 and significantly modifies the CCPA, including by expanding consumers' rights with respect to certain personal information and creating a new state agency to oversee implementation and enforcement efforts, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply. Aspects of the CCPA, the CPRA, and their interpretation remain uncertain. The CCPA, CPRA, and similar laws may increase our compliance costs and potential liability, and we may be required to modify our practices and take additional steps in an effort to comply with them. Some observers have noted that the CCPA and CPRA could mark the beginning of a trend toward more stringent state privacy legislation in the United States, which could increase our potential liability and adversely affect our business. For example, on March 2, 2021, Virginia enacted the Virginia Consumer Data Protection Act, or CDPA, a comprehensive privacy statute that shares similarities with the CCPA, CPRA and legislation proposed in other states. The CDPA will require us to incur additional costs and expenses in an effort to comply with it before it becomes effective on January 1, 2023. Broad federal privacy legislation also has been proposed in the United States. Recent and new state and federal legislation relating to privacy may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs, could impact strategies and availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. In the PRC, PRC regulators, including the Ministry of Industry and Information Technology, or the MIIT and the Cyberspace Administration of China, have been increasingly focused on regulation in the areas of cybersecurity and data protection and governmental authorities have enacted a series of laws and regulations to enhance the protection of privacy and data, which require certain authorization or consent from users prior to collection, use or disclosure of their personal data and also protection of the security of the personal data of such users. Such regulations, including the Decision to Enhance the Protection of Network Information, require the internet service providers to expressly inform their users of the purpose, manner and scope of the internet services providers' collection and use of user personal information, publish the internet services providers' standards for their collection and use of user personal information, and collect and use user personal information only with the consent of the users and only within the scope of such consent. The MIIT issued the Order for the Protection of Telecommunication and Internet User Personal Information on July 16, 2013, further requiring internet service providers to establish and publish protocols relating to the collection or use of personal information, keep any collected information strictly confidential and take technological and other measures to maintain the security of such information. Institutions and their employees are prohibited from selling or otherwise illegally disclosing a person's personal information obtained during the course of performing duties or providing services. In July 2020, the Standing Committee of the National People's Congress of China released a draft data security law, or the Draft Data Security Law, for public comment. The Draft Data Security Law provides for data security and privacy obligations on entities and individuals carrying out data activities. The Draft Data Security Law also introduces a national security review procedure for those data activities which may affect national security and imposes export restrictions on certain data information. In October 2020, the Standing Committee of the National People's Congress of China released a draft personal information protection law, or the Draft Personal Information Protection Law, for public comment. The Draft Personal Information Protection Law provides for various requirements on personal information protection, including legal bases for data collection and processing, requirements on data localization and cross-border data transfer, requirements for consent and requirements on processing of sensitive personal information. As the Draft Data Security Law and Draft Personal Information Protection Law remain subject to change, we may be required to make further adjustments to our business practices to comply with the enacted form of the laws, which may increase our compliance cost and adversely affect our business performance. We also continue to see jurisdictions imposing data localization laws, which require personal information, or certain subcategories of personal information to be stored in the jurisdiction of origin. These regulations may inhibit our ability to expand into those markets or prohibit us from continuing to offer services in those markets without significant additional costs. The uncertainty and changes in the requirements of multiple jurisdictions may increase the cost of compliance, delay or reduce demand for our services, restrict our ability to offer services in certain locations, impact our customers' ability to deploy our solutions in certain jurisdictions, or subject us to claims and litigation from private actors and investigations, proceedings, and sanctions by data protection regulators, all of which could harm our business, financial condition and operating results. Additionally, although we endeavor to have our products and platform comply with applicable laws and regulations, these and other obligations may be modified, they may be interpreted and applied in an inconsistent manner from one jurisdiction to another, and they may conflict with one another, other regulatory requirements, contractual commitments or our practices. We also may be bound by contractual obligations relating to our collection, use and disclosure of personal, financial and other data or may find it necessary or desirable to join industry or other self-regulatory bodies or other privacy, cybersecurity or data protection-related organizations that require compliance with their rules pertaining to privacy and data protection. We expect that there will continue to be new proposed laws, rules of self-regulatory bodies, regulations and industry standards concerning privacy, data protection and information security in the United States, the PRC, the EU and other jurisdictions, and we cannot yet determine the impact such future laws, rules, regulations and standards may have on our business. Moreover, existing PRC, U.S. federal and various state and foreign privacy, cybersecurity and data protection-related laws and regulations are evolving and subject to potentially differing interpretations, and various legislative and regulatory bodies may expand current or enact new laws and regulations regarding privacy, cybersecurity and data protection-related matters. Because global laws, regulations and industry standards concerning privacy, cybersecurity and data protection have continued to develop and evolve rapidly, it is possible that we or our products or platform may not be, or may not have been, compliant with each such applicable law, regulation and industry standard and compliance with such new laws or to changes to existing laws may impact our business and practices, require us to expend significant resources to adapt to these changes, or to stop offering our products in certain countries. These developments could adversely affect our business, operating results and financial condition. Further, in many cases we rely on the data processing, privacy, data protection and cybersecurity practices of our suppliers and contractors, including with regard to maintaining the confidentiality, security and integrity of data. If we fail to manage our suppliers or contractors or their relevant practices, or if our suppliers or contractors fail to meet any requirements with regard to data processing, privacy, data protection or cybersecurity required by applicable legal or contractual obligations that we face (including any applicable requirements of our clients), we may be liable in certain cases. Legal obligations such as the GDPR, CCPA, CPRA, CDPA, the Health Insurance Portability and Accountability Act, or HIPAA, and other laws and regulations relating to privacy, cybersecurity and data protection may require us to manage our suppliers and their practices and to enter into agreements with them in certain cases. We may face difficulties in binding our suppliers and contractors to these agreements and otherwise managing their relevant practices, which may subject us to claims, proceedings, and liabilities. Any failure or perceived failure by us, our products or our platform to comply with new or existing U.S., PRC, EU, UK, or other foreign privacy, cybersecurity or data protection laws, regulations, policies, industry standards or legal obligations, any failure to bind our suppliers and contractors to appropriate agreements or to manage their practices or any systems failure or security incident that results in the unauthorized access to, or acquisition, release or transfer of, personally identifiable information or other data relating to customers or individuals may result in governmental investigations, inquiries, enforcement actions and prosecutions, private claims and litigation, fines and penalties, adverse publicity or potential loss of business.

The global market for RTE-PaaS is relatively new and rapidly evolving. Currently, our competitors mainly include: - PaaS providers in China and the United States, as well as various smaller software companies, which compete with all or portions of our platform and products;- open-source projects, such as WebRTC, which offer capabilities that compete with some of the functionalities in our SDK; and - network operators or cloud providers that offer private lines on which similar functionalities to ours can be built. In many cases, we encounter either custom software developed in-house or by consultants, or legacy solutions repurposed by in-house developers of our potential customers to meet specific use cases. As we look to sell our products to potential customers with existing internal solutions, we must convince internal stakeholders that our real-time engagement products are superior to the legacy solutions that the organization has previously adopted. If we are unable to effectively convince internal stakeholders at our prospective customers to abandon their legacy solutions, our business, results of operations and financial condition could be adversely affected. We expect competition to intensify in the future. It is possible that the large software vendors or cloud providers who currently do not have an offering in the RTE-PaaS category, some of which operate in adjacent product categories today, may in the future bring such a solution to market through product development, acquisitions or other means. In addition, several of our competitors have greater name recognition, longer operating histories, more and better-established customer relationships, larger sales forces, larger marketing and software development budgets and significantly greater resources than we do. As a result, certain of our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. In extreme cases, these large vendors may be willing to provide competing software for free as part of enterprise-wide agreements that include other products or services. These combinations may make it more difficult for us to compete effectively. We expect these trends to continue as competitors attempt to strengthen or maintain their market positions. Some competitors may offer products or services that address one or a limited number of functions at lower prices, with greater depth than our products or geographies where we do not operate or are less established. Furthermore, some of our customers may choose to use our products and our competitors' products at the same time. Pricing pressures and increased competition generally could result in reduced revenue, reduced margins, increased losses or the failure of our products to achieve or maintain widespread market acceptance, any of which could harm our business, operating results and financial condition.

A component of our growth strategy involves the further expansion of our operations and customer base worldwide. We generated a majority of our revenue from customers operating primarily in the PRC in each of the periods presented in this annual report. We currently have offices in the PRC and the United States, as well as employees located in Europe. We are continuing to adapt to and develop strategies to address international markets but there is no guarantee that such efforts will have the desired effect. We expect that our international activities will continue to grow over the foreseeable future as we continue to pursue opportunities in existing and new markets, which will require significant management attention and financial resources worldwide. In connection with such expansion, we may face difficulties including costs associated with varying seasonality patterns, potential adverse movement of currency exchange rates, longer payment cycle difficulties in collecting accounts receivable in some countries, tariffs and trade barriers, a variety of regulatory or contractual limitations on our ability to operate, adverse tax events, reduced protection of intellectual property rights in some countries, political risks and a geographically and culturally diverse workforce and customer base. Failure to overcome any of these difficulties could harm our business. In addition, we will face risks in doing business internationally that could adversely affect our business, including: - the difficulty of managing and staffing international operations and the increased operations, travel, infrastructure and legal compliance costs associated with numerous international locations;- challenges to our corporate culture resulting from a dispersed workforce;- our ability to effectively price our products in competitive international markets;- new and different sources of competition;- our ability to comply with the General Data Protection Regulation 2016/679, or GDPR;- potentially greater difficulty collecting accounts receivable and longer payment cycles;- the need to adapt and localize our products for specific countries;- the effect of differing governmental responses to the COVID-19 pandemic and the continuing impact of the pandemic on individuals, businesses and economies in various foreign jurisdictions;- the need to offer customer support in various languages;- difficulties in understanding and complying with local laws, regulations and customs in foreign jurisdictions;- difficulties with differing technical and environmental standards, privacy, cybersecurity, data protection and telecommunications regulations and certification requirements outside China and the United States, which could prevent customers from deploying our products or limit their usage;- export controls and economic sanctions administered by the Department of Commerce Bureau of Industry and Security and the Treasury Department's Office of Foreign Assets Control;- compliance with various anti-bribery and anti-corruption laws such as the Foreign Corrupt Practices Act of 1977, or FCPA, and the United Kingdom Bribery Act of 2010;- tariffs and other non-tariff trade barriers, such as quotas and local content rules;- more limited protection for intellectual property rights in some countries;- adverse tax consequences;- fluctuations in currency exchange rates, which could increase the price of our products in certain markets, increase the expenses of our international operations and expose us to foreign currency exchange rate risk or the cost and risk of hedging transaction if we choose to enter into such transactions in the future;- currency control regulations, which might restrict or prohibit our conversion of other currencies into U.S. dollars;- restrictions on the transfer of funds;- deterioration of political relations between China, the United States and other countries;- exposure to political developments in the United Kingdom, or the U.K., including the departure of the U.K. from the European Union, or the EU, which has created an uncertain political and economic environment, instability for businesses and volatility in global financial markets; and - political or social unrest or economic instability in a specific country or region in which we operate, which could have an adverse impact on our operations in that location. Our failure to manage any of these risks successfully could harm our international operations, and adversely affect our business, operating results and financial condition. In some cases, compliance with the laws and regulations of one country could violate the laws and regulations of another country. As our global operations evolves, we cannot assure you that we are able to fully comply with the legal requirements of each foreign jurisdiction and successfully adapt our business models to local market conditions. Due to the complexity involved in our international business expansion, we cannot assure you that we are or will be in compliance with all local laws.

We have operations primarily in China and the United States but sell to customers worldwide. As we continue to expand our international operations, we will become increasingly exposed to the effects of fluctuations in currency exchange rates. Although the majority of our cash generated from revenue is denominated in U.S. dollars and Renminbi, a small amount is denominated in other currencies, and our expenses are generally denominated in the currencies of the jurisdictions in which we conduct our operations. Because we conduct business in currencies other than U.S. dollars but report our operating results in U.S. dollars, we also face translation exposure to fluctuations in currency exchange rates, which could hinder our ability to predict our future results and earnings and could materially impact our operating results. We do not currently maintain a program to hedge exposures to foreign currencies. The value of the Renminbi against the U.S. dollar and other currencies has in the past fluctuated significantly, and may in the future continue to do so, affected by, among other things, changes in political and economic conditions and the foreign exchange policy adopted by the PRC government. With the development of the foreign exchange market and progress towards interest rate liberalization and Renminbi internationalization, the PRC government may in the future announce further changes to the exchange rate system, and we cannot assure you that the Renminbi will not appreciate or depreciate significantly in value against the U.S. dollar in the future. It is difficult to predict how market forces or PRC or U.S. government policy may impact the exchange rate between the Renminbi and the U.S. dollar in the future. We are a holding company and we rely on dividends paid by our subsidiaries in China for our cash needs. Any significant fluctuation of Renminbi against the U.S. dollar could adversely affect our business, operating results and financial condition, and the value of any dividends payable in U.S. dollars. If we decide to convert our Renminbi into U.S. dollars for the purpose of making payments for dividends on our ordinary shares or for other business purposes, appreciation of the U.S. dollar against the Renminbi would have a negative effect on the U.S. dollar amount.

We rely on contractual arrangements with our VIEs and their respective shareholders to operate our business in the PRC, mainly, the contractual arrangements between Dayin, Zhaoyan and its shareholders. See the section of this annual report captioned "Item 4. Information on The Company-Organizational Structure- Contractual Arrangements among Dayin, Zhaoyan and Zhaoyan's Shareholders." These contractual arrangements may not be as effective as direct ownership in providing us with control over our VIEs. If our VIEs or their respective shareholders fail to perform their respective obligations under these contractual arrangements, our recourse to the assets held by our VIEs is indirect and we may have to incur substantial costs and expend significant resources to enforce such arrangements in reliance on legal remedies under PRC law. These remedies may not always be effective, particularly in light of uncertainties in the PRC legal system. Furthermore, in connection with litigation, arbitration or other judicial or dispute resolution proceedings, assets under the name of any of record holder of equity interest in our VIEs, including such equity interest, may be put under court custody. As a consequence, we cannot be certain that the equity interest will be disposed pursuant to the contractual arrangement or ownership by the record holder of the equity interest. In addition, though we have entered into equity pledge agreements with the shareholders of our VIEs, our remedies under the equity pledge agreements are primarily intended to help us collect debts owed to us by our VIEs or their shareholders under the contractual arrangements and may not help us in acquiring the assets or equity of our VIEs. Furthermore, pursuant to PRC laws, the pledge takes effect upon the completion of registration with relevant local branch of the State Administration for Market Regulation, or SAMR. See "Item 4. Information on the Company-C. Organizational Structure-Contractual Arrangements among Dayin, Zhaoyan and Zhaoyan's Shareholders." All the agreements under our contractual arrangements are governed by PRC laws and provide for the resolution of disputes through arbitration in China. Accordingly, these contracts would be interpreted in accordance with PRC laws and any disputes would be resolved in accordance with PRC legal procedures. The legal system in the PRC is not as developed as in some other jurisdictions, such as the United States. As a result, uncertainties in the PRC legal system could limit our ability to enforce these contractual arrangements. Meanwhile, there are very few precedents and little formal guidance as to how contractual arrangements in the context of a VIE should be interpreted or enforced under PRC laws. Significant uncertainties exist regarding the ultimate outcome of such arbitration should legal action become necessary. In addition, under PRC laws, rulings by arbitrators are final and parties cannot appeal arbitration results in court unless such rulings are revoked or determined unenforceable by a competent court. If the losing parties fail to carry out the arbitration awards within a prescribed time limit, the prevailing parties may only enforce the arbitration awards in PRC courts through arbitration award recognition proceedings, which would require additional expenses and delay. In the event that we are unable to enforce these contractual arrangements, or if we suffer significant delay or other obstacles in the process of enforcing these contractual arrangements, we may not be able to exert effective control over our VIEs and relevant rights and licenses held by it which we require in order to operate our business, and our ability to conduct our business may be adversely affected. See "-Risks Related to Doing Business in China-We may be adversely affected by the complexity, uncertainties and changes in PRC laws, rules and regulations, particularly of internet businesses." The arbitration provisions under these contractual arrangements have no effect on the rights of our shareholders to pursue claims against us under U.S. federal securities laws.

We lease office spaces from third parties for our operations in the United States and China. Any limitations on the leased properties, or lessors' title to such properties, may impact our use of the offices, or in extreme cases, result in relocation, which may in turn adversely affect our business operations. For example, some of our lessors in China failed to provide us with valid property ownership certificates or authorizations from the property owners for the lessors to sublease the properties, and some of our leased properties have been mortgaged by the owners to third parties such as banks. In addition, certain lease agreements of our leased properties in China may not have been registered with the applicable PRC government authorities as required by PRC law, and although failure to do so does not in itself invalidate the leases, we may be exposed to potential fines if we fail to rectify within the prescribed time period after receiving notices from the relevant PRC government authorities. As of the date of this annual report, we are not aware of any actions or claims raised by any third parties challenging our use of these properties we currently lease, nor have we received any notices from the PRC government authorities. Despite that, if any third parties who purport to be property owners or mortgagees challenge our right to use the leased properties, it could result in a diversion of management attention and cause us to incur costs associated with defending such actions or claims.