Box (BOX) Risk Factors

There is considerable patent and other intellectual property development activity in our industry. Our success depends on developing or licensing our own intellectual property and not infringing upon the valid intellectual property rights of others. Our competitors, as well as a number of other entities, including non-practicing entities, and individuals, may own or claim to own intellectual property relating to our industry. From time to time, third parties have claimed, and in the future may claim, that we are infringing upon their intellectual property rights, and we may be found to be infringing upon such rights. We may be unaware of the intellectual property rights that others may claim cover some or all of our technology or services. Additionally, the intellectual property rights surrounding AI technologies have not been fully addressed by U.S. courts or other federal or state laws or regulations, and the use or adoption of AI technologies in our products and services may expose us to copyright infringement or other intellectual property misappropriation claims. Any claims or litigation could cause us to incur significant expenses and, if successfully asserted against us, could require that we pay substantial damages or ongoing royalty payments, prevent us from offering our services, or require that we comply with other unfavorable terms. We may also be obligated to indemnify our customers or business partners or pay substantial settlement costs, including royalty payments, in connection with any such claim or litigation and to obtain licenses, modify services, or refund fees, which could be costly. Even if we were to prevail in such a dispute, any litigation regarding our intellectual property could be costly and time consuming and divert the attention of our management and key personnel from our business operations. During the course of any litigation, we may make announcements regarding the results of hearings and motions, and other interim developments. If securities analysts or investors regard these announcements as negative, the market price of our Class A common stock may decline.

We offer our services across a variety of operating systems and through the internet. We are dependent on the interoperability of our platform with third-party mobile devices, tablets, desktop and mobile operating systems, as well as web browsers that we do not control. Any changes in such systems, devices or web browsers that degrade the functionality of our services or give preferential treatment to competitive services could adversely affect usage of our services and our ability to deliver high quality services. We may not succeed in developing relationships with key participants in the mobile industry or in developing services that operate effectively with these operating systems, networks, infrastructure, devices, web browsers and standards. In the event that our users experience difficulty accessing and using our services, our user growth may be harmed, and our business and operating results could be adversely affected.

To improve our operating results, it is important that our customers renew their subscriptions with us when their existing subscription term expires. We cannot assure you that customers will renew their subscriptions upon expiration at the same or higher level of service, for the same number of seats or for the same duration of time, if at all. Our net retention rate has fluctuated from period to period and it may decrease again in the future if our customers do not renew their subscriptions with us or decrease their use of our services. Our net retention rate was approximately 102% as of October 31, 2024 and 2023. Our net retention rate may decline or fluctuate as a result of a number of factors, including our customers' satisfaction with our services, the effectiveness of our customer support services, the performance of our partners and resellers, our pricing, the prices of competing products or services, mergers and acquisitions affecting our customer base, our ability to successfully integrate new or acquired technology into our products, our ability to execute on our product roadmap, our customers' budgets and spending levels, and the effects of global economic conditions, especially if challenging macroeconomic conditions continue. If our customers do not renew their subscriptions, renew them on less favorable terms, purchase fewer seats, or fail to purchase new product offerings, our revenue may decline, and we may not realize improved operating results from our customer base. In addition, our business growth depends in part on our customers expanding their use of our services. The use of our cloud content management platform often expands within an organization as new users are added or as additional services are purchased by or for other departments within an organization. Further, as we have introduced new services throughout our operating history, our existing customers have constituted a significant portion of the users of such services, including our recent Box AI offerings. If our customers do not expand their use of our services, our operating results may be adversely affected.

We sell to government customers, which can be highly competitive, often requiring significant upfront time and expense without any assurance that these efforts will generate a sale. Government certification requirements may change, or we may lose one or more government certifications, and in doing so restrict our ability to sell into the government sector or maintain existing government customers until we attain revised certifications. Government demand and payment for our products and services are affected by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions. Moreover, an extended federal government shutdown resulting from budgetary decisions, a prolonged continuing resolution, breach of the federal debt ceiling, or potential U.S. sovereign default may limit or delay federal government spending on our solutions and adversely affect our revenue. Government entities may also have statutory, contractual or other legal rights to terminate contracts with us for convenience or due to a default, and any such termination may adversely affect our future operating results.

The future success of our business depends upon the continued use and availability of the internet as a primary medium for commerce, communication and business services. Federal, state or foreign government bodies or agencies have in the past adopted, and may in the future adopt, laws or regulations affecting the use of the internet as a commercial medium. The adoption of any laws or regulations that adversely affect the growth, popularity or use of the internet, including laws or practices limiting internet neutrality, could decrease the demand for, or the usage of, our services, increase our cost of doing business, adversely affect our operating results, and require us to modify our services in order to comply with these changes. In addition, government agencies or private organizations may begin to impose taxes, fees or other charges for accessing the internet or commerce conducted via the internet. These laws or charges could limit the growth of internet-related commerce or communications generally, or result in reductions in the demand for internet-based services such as ours. In addition, the use of the internet and, in particular, the cloud as a business tool could be adversely affected due to delays in the development or adoption of new standards and protocols to handle increased demands of internet activity, security, reliability, cost, ease of use, accessibility, and quality of service. The performance of the internet and its acceptance as a business tool have been adversely affected by "viruses," "worms," "denial of service attacks" and similar malicious activity. The internet has also experienced a variety of outages, disruptions and other delays as a result of this malicious activity targeted at critical internet infrastructure. These service disruptions could diminish the overall attractiveness to existing and potential customers of services that depend on the internet and could cause demand for our services to suffer.

The application of federal, state, local and international tax laws to services provided electronically is complex and continuously evolving. Income, sales, use, value added or other tax laws, statutes, rules, regulations or ordinances could be enacted or amended at any time, possibly with retroactive effect, and could be applied solely or disproportionately to services provided over the internet. These enactments or amendments could adversely affect our sales activity due to the inherent cost increase the taxes would represent and ultimately result in a negative impact on our operating results and cash flows. Our future effective tax rates and results from operations could be unfavorably affected by changes in the tax rates in jurisdictions where our income is earned, by changes to limitations on our utilization of net operating losses, or by changes in the tax rules and regulations in the jurisdictions in which we do business. For example, the Tax Cuts and Jobs Act of 2017 eliminated the option to deduct research and development expenditures currently and instead required taxpayers to capitalize and amortize them over five or fifteen years beginning in our fiscal year 2023. The Inflation Reduction Act of 2022 also imposed a 1% excise tax on certain repurchases of stock and a 15% alternative minimum tax on adjusted financial statement income. Further, in 2021, the Organization for Economic Cooperation and Development (OECD) introduced a framework, referred to as Pillar Two, which contemplates a global minimum effective tax rate of 15%. In December 31, 2023, Pillar Two was implemented by the Council of the European Union and its member states. Similar directives under Pillar Two are already adopted or expected to be adopted by taxing authorities in other countries where we do business, including the U.K. We have evaluated the impact of Pillar Two to our financial position and concluded it to be not material. We will continue to monitor developments to Pillar Two in countries where we do business. These enactments or amendments could adversely affect our tax rate and ultimately result in a negative impact on our operating results and cash flows. In addition, existing tax laws, statutes, rules, regulations or ordinances could be interpreted or applied adversely to us, possibly with retroactive effect, which could require us or our customers to pay additional tax amounts, as well as require us or our customers to pay fines or penalties, as well as interest for past amounts. For example, we are subject to examination regarding our interpretation of tax laws by domestic and foreign tax authorities. If the taxing authorities do not agree with our interpretations, or if we become subject to an adverse tax assessment, we may incur significant liabilities and/or be required to change our practices going forward. Further, to the extent it is determined that our customers should have paid certain taxes, and if we are unsuccessful in collecting such taxes due from our customers, we could be held liable for such costs and/or interest and penalties, thereby adversely impacting our operating results and cash flows.

Users can use our services to store identifying information or information that otherwise is considered personal information. Federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use and disclosure of personal information obtained from consumers, businesses and other individuals and entities. Data protection, privacy, consumer protection, cybersecurity and other laws and regulations, particularly in Europe, are often more restrictive than those in the United States. The costs of compliance with, and other burdens imposed by, such laws, policies and regulations that apply to our business or our customers' businesses may limit the use and adoption of our services and reduce overall demand for them. These laws and regulations, which may be enforceable by private parties and/or governmental entities, are constantly evolving and can be subject to significant change. A number of new laws coming into effect and/or proposals pending before federal, state and foreign legislative and regulatory bodies could affect our business. For example, the European Union's General Data Protection Regulation (GDPR) imposes significant obligations on companies regarding the handling of personal data and provides for penalties for noncompliance of up to the greater of 20 million Euros or four percent of a company's global revenue. Further, local data protection authorities in Europe may adopt regulations and/or guidance more stringent than the GDPR, which may impose additional compliance costs or other burdens that impact our business. Additionally, developments relating to cross-border data transfer may result in the European Commission (EC), European Data Protection Board and/or other regulators applying differing standards for, and requiring ad hoc verification of, transfers of personal data from the European Economic Area (EEA), Switzerland, or the United Kingdom (U.K.) to the U.S. For example, revised standard contractual clauses were published by regulators in EEA, Switzerland and the U.K., which we adopted in our data processing addenda. However, we cannot guarantee that the policies and related measures that we have implemented will ensure compliance due to possible fluctuations in these laws. Moreover, European governments and the U.S. government have cooperated to adopt the EU-U.S. Data Privacy Framework, U.K.-U.S. Data Bridge and Swiss-U.S. Data Privacy Framework (together, the "Data Privacy Framework") replacing the EU-U.S. Privacy Shield Framework. While the Data Privacy Framework could benefit the industry as a whole, and we presently maintain self-certification under the Data Privacy Framework, maintaining compliance with the Data Privacy Framework could result in additional costs. The EU-U.S. Data Privacy Framework also already has faced legal challenges, and more generally, the Data Privacy Framework may be subject to future reviews, and subject to suspension, amendment, repeal, or limitations. Brexit has created uncertainty around data protection issues and could lead to further legislative and regulatory changes. For example, the U.K. Data Protection Act of 2018 substantially mirrors the EU GDPR in the U.K. and was the subject of statutory amendments that further aligned it with the GDPR in 2019. In June 2021, the EC announced a decision that the U.K. is an "adequate country" to which personal data could be exported from the EEA, but this decision must be renewed and may face challenges in the future, creating uncertainty regarding transfers of personal data to the U.K. from the EEA. It remains unclear how U.K. data protection laws or regulations will develop, and how data transfers to and from the U.K. will be regulated, over time. Additional or modified guidance regarding, or changes to, U.K. cross border data transfers and/or overall U.K. data protection laws and/or guidance could occur, which may require us to change our policies, practices and engage in additional contractual negotiations. Such legislative and regulatory changes may result in increased costs of compliance and limitations on our customers and us. In 2018, the State of California enacted the California Consumer Privacy Act (CCPA), which became operative on January 1, 2020. The CCPA requires covered companies to, among other things, provide new disclosures to California consumers and afford such consumers new abilities to opt-out of certain sales of personal information. Additionally, the California Privacy Rights Act (CPRA) was approved by California voters in November 2020 and amended and expanded the CCPA. The CPRA's substantive provisions became effective on January 1, 2023, and the newly formed California Privacy Protection Agency began its rulemaking process to adopt proposed regulations, with an enforcement date of March 29, 2024. Our CPRA compliance efforts are subject to change and may result in continued uncertainty and require additional costs and expenses to ensure readiness, compliance and decrease risks. Further, other states have been considering, and in some cases enacting, laws relating to privacy and cybersecurity, many of which are comprehensive privacy statutes imposing obligations similar to the CCPA and CPRA. For example, laws enacted in Virginia, Colorado, Utah, Texas, Montana and Oregon are currently effective and laws enacted in Delaware, Tennessee, Iowa, Indiana, Maryland, Nebraska, New Hampshire, New Jersey, Kentucky, Minnesota, and Rhode Island will become effective between 2025 and 2026. Other U.S. states, including Pennsylvania, Massachusetts, and North Carolina, are anticipated to follow suit. Other states have also enacted privacy laws relating to particular subject matter, such as Washington's enactment of the My Health, My Data Act, which includes a private right of action. Efforts to comply with these laws and related fluctuations in laws relating to privacy and cybersecurity at the federal, state and local levels may impact readiness and compliance, along with the potential to incur additional costs. We cannot fully predict the impact of these laws and other proposed federal and state laws relating to privacy and cybersecurity on our business or operations, but they may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply. In addition, some countries, such as member states of the EEA are considering or have enacted legislation requiring storage localization and/or the processing of more regulated types of data in region, along with other limitations that could impact U.S. technology companies (e.g., cloud service providers) and more specifically, Box. If we are unable to develop and offer services that meet these obligations or help our customers meet their requirements under the laws, regulations, case law or guidance issued relating to privacy, data protection, or information security, we may become unable to provide services in these regions and/or be subject to significant fines and penalties, which would harm our business. We also expect laws, regulations, industry standards and other obligations worldwide relating to privacy, data protection, and cybersecurity to continue to evolve, and that there will continue to be new, modified, and re-interpreted laws, regulations, standards, and other obligations in these areas. For example, the Network and Information Security Directive II (NIS2), adopted in 2023, aims to enhance cybersecurity across critical infrastructure and essential services in the European Union. Specifically, it expands on the 2016 NIS Directive and broadens its scope to include additional sectors while enforcing stricter governance and accountability requirements. NIS2 requires all 27 EU member states to have issued implementing legislation by October 2024; however, several EU member states have not finalized their respective legislation and guidance. Additionally, the Digital Operational Resiliency Act (DORA) will become effective in January 2025, and will aim to establish a universal framework for managing and mitigating information and communication technology risk that will apply to entities in the financial sector and their third-party cloud service providers, such as Box. The specific impact and effects of new and evolving laws and regulations will continue to change over time as they are implemented. As a result, we cannot yet determine the impact such future laws, regulations and standards, or amendments to or re-interpretations of, existing laws and regulations, industry standards, or other obligations may have on us or our business. Moreover, these existing and proposed laws, regulations, standards, and other actual or asserted obligations can be difficult and costly to comply with, delay or impede the development or adoption of our products and services, reduce the overall demand for our products and services, increase our operating costs, require modifications to our policies, practices, or products or services, require significant management time and attention, and slow the pace at which we close (or prevent us from closing) sales transactions. Additionally, any actual or alleged noncompliance with these laws, regulations, standards, or other actual or asserted obligations could result in negative publicity and subject us to investigations and other proceedings by regulatory authorities, claims, demands, and litigation by private entities, or other requested remedies or demands, including demands that we modify or cease existing business practices, and expose us to significant fines, penalties and other damages and liabilities. In addition to the possibility of fines, proceedings, demands, claims, and litigation, we may find it necessary or appropriate to fundamentally change our business activities and practices, including the establishment of in-region data storage or other data processing operations, or modify or cease offering certain products or services, any of which could have an adverse effect on our business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new offerings and features could be limited. Furthermore, government agencies may seek to access sensitive information that our users upload to Box, or restrict users' access to Box. Laws and regulations relating to government access and restrictions are evolving, and compliance with such laws and regulations could limit adoption of our services by users and create burdens on our business. Moreover, regulatory investigations into, or other proceedings by regulators or private entities involving, our compliance with privacy-related laws and regulations could increase our costs and divert management attention.

We rely on third parties for certain essential financial and operational services. We receive many of these services on a subscription basis from various software-as-a-service companies that are smaller and have shorter operating histories than traditional software vendors. Moreover, these vendors provide their services to us via a cloud-based model instead of software that is installed on our premises. We depend upon these vendors to provide us with services that are always available and are free of errors or defects that could cause disruptions in our business processes, and any failure by these vendors to do so, or any disruptions in networks or the availability of the internet, would adversely affect our ability to operate and manage our operations.