Confluent (CFLT) Risk Factors

We believe that maintaining and enhancing the Confluent brand, including among developers, is important to support the marketing and sale of our existing and future offerings to new customers and expansion of sales to existing customers. We believe that the importance of brand recognition will increase as competition in our market increases. In particular, we believe that enhancing the Confluent brand will be critical to the growth and market adoption and acceptance of Confluent Cloud due to the presence of open source alternatives, competing large public cloud providers with widespread name recognition, such as AWS, Azure, and GCP, and other data infrastructure platforms. Software developers, including those within our customers' IT departments, are often familiar with our underlying technology and value proposition. We rely on their continued adoption of our offering to evangelize on our behalf within their organizations and increase reach and mindshare within the developer community. Actions that we have taken in the past or may take in the future with respect to Apache Kafka or our community license, including the development and growth of our proprietary offering, may be perceived negatively by the developer community and harm our reputation. Successfully maintaining and enhancing our brand will depend largely on the effectiveness of our marketing efforts, our ability to provide reliable products that continue to meet the needs of our customers at competitive prices, our ability to maintain our customers' trust, our ability to continue to develop new functionality and use cases, our ability to successfully differentiate our offering and its capabilities from competitive products, including open source alternatives, and our ability to increase our reach and mindshare in the developer community. Our brand promotion activities may not generate customer awareness or yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, our business, financial condition, and results of operations may suffer.

We may become subject to legal proceedings and claims that arise in the ordinary course of business, including but not limited to, intellectual property claims, including trade secret misappropriation and breaches of confidentiality terms, alleged breaches of non-competition or non-solicitation terms, or employment claims made by our current or former employees. Litigation might result in substantial costs and may divert management's attention and resources, which might seriously harm our business, financial condition, and results of operations. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims, and might not continue to be available on terms acceptable to us. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, potentially harming our business, financial position, and results of operations.

There is an increasing focus from certain investors, customers, employees, and other stakeholders concerning environmental, social and governance matters, or ESG. Some investors may use these non-financial performance factors to guide their investment strategies and, in some cases, may choose not to invest in us if they believe our policies and actions relating to ESG are inadequate. We may face reputational damage in the event that we do not meet the ESG standards set by various constituencies. As ESG best practices and reporting standards continue to develop, we may incur increasing costs relating to ESG monitoring and reporting and complying with ESG initiatives. For example, proposed or adopted climate and other ESG reporting regulations from the SEC, California, the European Union, the United Kingdom and other jurisdictions may increase our compliance costs. We may also face greater costs to comply with new ESG standards or initiatives in the European Union. Since 2022, we have published an annual ESG Report, which describes the measurement of our greenhouse gas emissions and our efforts to achieve carbon neutrality. In addition, our ESG Report provides highlights of how we are supporting our global workforce and our governance practices. Our disclosures on these matters, or a failure to meet evolving stakeholder expectations for ESG practices and reporting, may potentially harm our reputation and customer relationships. Due to new regulatory standards and market standards, certain new or existing customers, particularly those in the European Union, may impose stricter ESG guidelines or mandates for, and may scrutinize relationships more closely with, their counterparties, including us, which may lengthen sales cycles or increase our costs. In addition, in the event that we communicate certain initiatives or goals regarding ESG matters, we could fail, or be perceived to fail, in our achievement of such initiatives or goals, or we could be criticized for the scope of such initiatives or goals. If we fail to satisfy the expectations of investors, customers, employees and other stakeholders or our initiatives are not executed as planned, our business, financial condition, results of operations, and prospects could be adversely affected.

In the ordinary course of our business, we and the third parties upon which we rely, may process sensitive data, which may include personal information and our or our customers' or other third parties' sensitive, proprietary, and confidential information. As a result, we and the third parties upon which we rely, face a variety of evolving threats, which could cause security incidents. Security incidents that compromise the confidentiality, integrity, and availability of this information could result from cyber-attacks, computer viruses (such as worms, spyware, or other malware), social engineering (including phishing), ransomware, supply chain attacks, denial of service attacks, credential harvesting or stuffing, efforts by individuals or groups of hackers and sophisticated organizations, including state-sponsored organizations, errors or malfeasance of our personnel, including personnel who have authorized access to our systems and/or information, and security vulnerabilities in the software or systems on which we rely, including third-party systems. In particular, severe ransomware attacks, including those perpetrated by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations, loss of information and income, reputational harm, and diversion of funds. We have also experienced, and may in the future experience, inadvertent disclosures of confidential information, including source code, caused by accidental actions or inactions by personnel who have authorized access to our systems and the systems of third-party repositories of such information. If our personnel access authorization policies and processes for our systems and/or information are too permissive or if we do not implement adequate safeguards or controls in our information systems environments, we may experience additional security incidents due to errors or malfeasance from our personnel, customer dissatisfaction, loss of our proprietary and confidential information, or an increased risk of third-party breaches or cyber-attacks. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Some threat actors now engage and are expected to continue to engage in cyber-attacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties upon which we rely may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our services. Additionally, certain functional areas of our workforce remain in a remote work environment and outside of our corporate network security protection boundaries, which imposes additional risks to our business, including increased risk of industrial espionage, phishing, and other cybersecurity attacks, including those that are state-sponsored or politically motivated, and unauthorized access to or dissemination of sensitive, proprietary, or confidential information. Future acquisitions could also expose us to additional cybersecurity risks and vulnerabilities from any newly acquired information technology infrastructure. In addition, our reliance on third-party service providers could introduce new cybersecurity risks and vulnerabilities, including supply-chain attacks, and other threats to our business operations. We rely on third parties to operate our critical business systems and process the sensitive, proprietary, and confidential information that we own, process, or control, including customer information and proprietary data and information, including source code. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate security measures and could experience a security incident that compromises the confidentiality, integrity, or availability of the systems they operate for us or the information they process on our behalf. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their data privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties' infrastructure in our supply chain or our third-party partners' supply chains have not been compromised. Cybercrime and hacking techniques are constantly evolving, and we or third parties who we work with may be unable to anticipate attempted security breaches, react in a timely manner, or implement adequate preventative measures, particularly given increasing use of hacking techniques designed to circumvent controls, avoid detection, and remove or obfuscate forensic artifacts. These risks are likely to increase as we continue to grow and process, control, store, and transmit increasingly large amounts of data. While we have taken steps designed to protect the confidentiality, integrity, and availability of our systems and the sensitive, proprietary, and confidential information that we own, process, or control, our security measures or those of our third-party vendors may not be able to anticipate or implement effective preventive and remedial measures against all data privacy and security threats. No security solution, strategy, or measures can address all possible security threats or block all methods of penetrating a network or otherwise perpetrating a security incident. For example, we and our third-party providers have been and may in the future be compromised by the aforementioned or similar threats, which may result in unauthorized, unlawful, or accidental processing of our information, or vulnerabilities in the products or systems upon which we rely. For example, beginning in January 2021, a malicious third party gained unauthorized access to a third-party vendor, Codecov, that provides a software code testing tool, potentially affecting more than a thousand of Codecov's customers, or Codecov Breach. In April 2021, we were notified that we had been impacted by the Codecov Breach. Through our investigations, we determined that the attackers leveraged a vulnerability in Codecov's software to gain access to credentials in our development environment, and thereby obtained unauthorized read-only access to, and copied to overseas IP addresses, the private Github repositories containing our source code and certain internal-use documents containing references to certain customers and other customer-related attributes. Upon learning of the breach, we took action to revoke Codecov's access and discontinued our use of the Codecov service, rotated all of our credentials identified as exposed by the Codecov Breach to prevent further unauthorized access, enhanced monitoring of our environment, and engaged a third-party forensics firm to assist in our investigation, response, and impact mitigation. We did not find any evidence of access to any customer data sent through or stored in our products, nor did we find any evidence that the attackers modified any of our source code or uploaded any malware or any other malicious code to our system. However, the full extent of the impact of this incident on our operations, products, or services may not be known for some time, and we cannot assure you that there will be no further impact in the future. This incident or any future incidents relating to the Codecov Breach could result in the use of exfiltrated source code to attempt to identify vulnerabilities in our offering, future ransomware or social engineering attacks, reduced market acceptance of our offering, injury to our reputation and brand, legal claims against us, and the diversion of our resources. In addition, we do not control the content that our customers transmit, process, and maintain using our offering. If our customers use our offering for the transmission or storage of personal information and our security measures are, or are believed to have been, breached, our business may suffer, and we could incur significant liability. If we, or a third party upon whom we rely, experience a security incident that results in the compromise of the confidentiality, integrity, or availability of our systems or the sensitive, proprietary, or confidential information that we own, process, or control, or the perception that one has occurred, this could result in a loss of customer confidence in the security of our platform and damage to our brand, reduce the demand for our offering, disrupt business operations, result in the exfiltration of proprietary data and information, including source code, require us to spend material resources to investigate or correct the incident and to prevent future security incidents, expose us to legal liabilities, including litigation, regulatory enforcement (including investigations, fines, penalties, audits, and inspections), additional oversight, restrictions or bans on processing personal information, indemnity obligations, claims by our customers or other relevant parties that we have failed to comply with contractual obligations to implement specified security measures, and adversely affect our business, financial condition, and results of operations. We cannot assure you that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from such liabilities or damages. Applicable data privacy and security obligations may also require us to notify relevant stakeholders of security incidents. Such notifications are costly, and the notifications or the failure to comply with such requirements could lead to material adverse impacts such as negative publicity, loss of customer confidence in our services or security measures, investigations, and private or government claims. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveal competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position. Additionally, sensitive information of Confluent or our customers could be leaked, disclosed, or revealed as a result of or in connection with our employees', personnel's, or vendors' use of GenAI technologies. Additionally, we cannot be certain that our insurance coverage will be adequate or otherwise protect us with respect to claims, expenses, fines, penalties, business loss, data loss, litigation, regulatory actions, or other impacts arising out of security incidents, particularly if we experience an event that impacts multiple customers, that such coverage will continue to be available on acceptable terms or at all, or that such coverage will pay future claims. Any of these results could adversely affect our business, financial condition, and results of operations.

Global business activities face widespread macroeconomic uncertainties, and our results of operations may vary based on the impact of changes in our industry or the global economy on us or our customers and potential customers. Negative conditions in the general economy both in the United States and abroad, including conditions resulting from changes in gross domestic product growth, financial and credit market fluctuations, inflation and efforts to control further inflation, including high interest rates, bank failures, international trade relations, political turmoil, potential U.S. federal government shutdowns, natural catastrophes, warfare, and terrorist attacks on the United States, Europe, the Asia Pacific region, including Japan, or elsewhere, could cause a decrease in business investments by existing or potential customers, including spending on information technology, and negatively affect the growth of our business. As an example, in the United States, capital markets have experienced and continue to experience volatility and disruption. Furthermore, high inflation rates in the United States have in the past, and could in the future, result in federal action to increase interest rates, affecting capital markets. In addition to the foregoing, adverse developments that affect financial institutions, transactional counterparties or other third parties, such as bank failures, or concerns or speculation about any similar events or risks, could lead to market-wide liquidity problems, which in turn may cause third parties, including customers, to become unable to meet their obligations under various types of financial arrangements as well as general disruptions or instability in the financial markets. Such economic volatility has adversely affected and may continue to adversely affect our business, financial condition, results of operations and cash flows, and future market disruptions could negatively impact us. In particular, we have experienced and expect to continue to experience longer sales cycles, reduced IT budgets, slowdowns in customer consumption expansion and growth rates, including fewer new use cases adopted by customers, lower consumption from some of our larger enterprise customers, and generally increased scrutiny on IT spending and budgets from existing and potential customers, due in part to the effects of macroeconomic uncertainty and challenges and the geopolitical situation in Ukraine and in the Middle East. We have operations and customers in Israel, and many of our customers in other regions have substantial operations and customers in Israel. We believe the uncertainty and disruption resulting from the conflict has negatively impacted certain of these customers and their consumption of our offering. Our growth, business, and results of operations could be further negatively impacted if the current armed conflict in the Middle East continues, worsens or expands to other nations or regions, including if our customers are harmed and reduce their engagement with or consumption of Confluent. Actual or potential U.S. federal government shutdowns have also resulted in uncertainty and disruption for certain of our customers, which have negatively impacted and may continue to negatively impact their consumption of our offering. These customer dynamics may persist in the future, even if macroeconomic conditions improve, and to the extent there is a sustained general economic downturn, a recession, or other period when IT budgets are growing at a slower rate or contracting growth, these customer dynamics may be exacerbated. These customer dynamics have had and may continue to have negative impacts on our revenue, business, and results of operations and have resulted and may in the future result in strategic changes in our focus on growth versus operating efficiency, margin improvements, and profitability. Competitors, many of whom are larger and have greater financial resources than we do, may respond to challenging market conditions by lowering prices in an attempt to attract our customers, which may require us to respond in kind and may negatively impact our existing customer relationships and new customer acquisition strategy. In addition, the increased pace of consolidation in certain industries may result in reduced overall spending on our offering. We cannot predict the timing, strength, or duration of any economic slowdown, instability, or recovery, generally or within any particular industry.

Substantially all of our subscriptions and services are billed in U.S. dollars, and therefore, our revenue is not subject to foreign currency risk. However, a strengthening of the U.S. dollar could increase the real cost of our offering to our customers outside of the United States, which could adversely affect our results of operations. In addition, an increasing portion of our operating expenses and balance sheet items are incurred outside the United States. These operating expenses and balance sheet items are denominated in foreign currencies and are subject to fluctuations due to changes in foreign currency exchange rates. We currently hedge a portion of operating expenses denominated in certain currencies against foreign currency exchange rate fluctuations. If we are not able to successfully hedge against the risks associated with fluctuations in these currencies or if we do not hedge a sufficient portion of such operating expenses, our financial condition and results of operations could be adversely affected.

We believe our success has depended, and continues to depend, on the efforts and talents of our senior management team, particularly Jay Kreps, our Chief Executive Officer and co-founder, as well as our other key employees in the areas of research and development and sales and marketing. From time to time, there have been and may in the future be changes in our executive management team or other key employees resulting from the hiring or departure of these personnel. Our executive officers and certain other key employees are generally employed on an at-will basis, which means that these personnel could terminate their employment with us at any time. The loss or transition of one or more of our executives, or the failure by our executive team to effectively work with our employees and lead our company, could harm our business. We also are dependent on the continued service of our existing software engineers because of the complexity of our offering. In addition, to execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel is intense, especially for engineers experienced in designing and developing cloud-based infrastructure products and for experienced sales professionals. If we are unable to attract such personnel at appropriate locations, we may need to hire in new regions, which may add to the complexity and costs of our business operations. We have experienced attrition among sales personnel, and may experience increased attrition or retention difficulties among our sales personnel as we reorient our sales motion and sales incentives in connection with our shift to a consumption-oriented sales model for Confluent Cloud. Increased attrition or retention difficulties and related challenges to ramped capacity have negatively impacted and may continue to negatively impact our growth, and may negatively impact employee morale or cause execution risks for our shift to a consumption-oriented sales model, any of which may harm our growth, business, results of operations, or financial condition. From time to time, we have experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. Many of the companies with which we compete for experienced personnel have greater resources than we have. Further, inflationary pressures, or stress over economic or geopolitical events such as those the global market is currently experiencing, may result in employee attrition. If we hire employees from competitors or other companies, their former employers may attempt to assert that these employees or we have breached certain legal obligations, resulting in a diversion of our time and resources. In addition, prospective and existing employees often consider the value of the equity awards they receive in connection with their employment. If the actual or perceived value of our equity awards declines, experiences significant volatility, or increases such that current and prospective employees believe there is limited upside to the value of our equity awards, it may adversely affect our ability to recruit and retain key employees. Additionally, in order to retain our existing employees and manage potential attrition, including as a result of stock price decreases and continued market volatility that impact the actual or perceived value of our equity awards, we have issued and may in the future issue additional equity awards, which could negatively impact our results of operations. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects would be harmed.

We outsource all of the infrastructure relating to Confluent Cloud to AWS, Azure, and GCP, as selected by our customers. Customers of our Confluent Cloud service need to be able to access our service at any time, without interruption or degradation of performance, and we provide them with service-level commitments with respect to uptime. Our Confluent Cloud service depends on the ability of the cloud infrastructure hosted by these third-party providers to allow for our customers' configuration, architecture, features, and interconnection specifications, as well as secure the information stored in these virtual data centers, which is transmitted through third-party internet service providers. Any limitation on the capacity of our third-party hosting providers, including due to technical failures, natural disasters, fraud, or security attacks, could impede our ability to onboard new customers or expand the usage of our existing customers, which could adversely affect our business, financial condition, and results of operations. In addition, our third-party cloud service providers run their own platforms that we access, and we are, therefore, vulnerable to service interruptions at these providers. Any incident affecting our providers' infrastructure, including any incident that may be caused by cyber-attacks, natural disasters, fire, flood, severe storm, earthquake, power loss, telecommunications failures, terrorist or other attacks, and other similar events beyond our control could negatively affect our Confluent Cloud service. In some instances, we may not be able to identify the cause or causes of these performance problems within a period of time acceptable to our customers. A prolonged service disruption affecting our service for any of the foregoing reasons would negatively impact our ability to serve our customers and could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers or otherwise harm our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the third-party cloud services we use. Features and functionality for Confluent Cloud may also not be available on the same basis or at all on one or more infrastructure platforms, which may hinder adoption of Confluent Cloud, reduce usage, and harm our brand, business, and results of operations. Additionally, such third-party providers either have or may develop competing products to Confluent Cloud, which may impact our ability to partner with them effectively. Any of the above circumstances or events may harm our reputation, cause customers to stop using our products, impair our ability to increase revenue from existing customers, impair our ability to grow our customer base, and otherwise harm our business, results of operations, and financial condition. In the event that our service agreements with our third-party cloud service providers are terminated or amended, or there is a lapse of service, elimination of services or features that we utilize, interruption of internet service provider connectivity or damage to such facilities, access to Confluent Cloud could be interrupted and result in significant delays and additional expense as we arrange or create new facilities and services or re-architect our Confluent Cloud service for deployment on a different cloud infrastructure service provider, which could adversely affect our business, financial condition, and results of operations. To the extent that we do not effectively anticipate capacity demands, upgrade our systems as needed, and continually develop our technology and network architecture to accommodate actual and anticipated changes in technology, our business and results of operations may be adversely affected.