Endava (DAVA) Risk Factors

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal data and other sensitive information, including proprietary and confidential business data, trade secrets, source code, intellectual property, sensitive third-party data, and customer data (including proprietary and confidential information of our customers and our customers' customers, such as their confidential business data and intellectual property). Our data processing activities may subject us to numerous laws, rules, regulations, guidance, external and internal privacy and security policies, contractual requirements, industry standards, and other obligations related to privacy and data security, including in the United Kingdom and European Union, where we have material operations, and other jurisdictions around the world. European countries and the United Kingdom have imposed strict laws, regulations, directives and requirements for processing personal data, such as the European Union's General Data Protection Regulation, or EU GDPR, and the United Kingdom's General Data Protection Regulation, or U.K. GDPR, and the Privacy and Electronic Communications Directive 2002/58/EC, or ePrivacy Directive. For example, both the EU GDPR and/or the U.K. GDPR, together referred to as GDPR, require covered companies to offer individuals certain rights over their personal data (such as the right to be forgotten), impose additional data breach notification requirements, requires companies to appoint data protection officers in certain circumstances, and impose additional recordkeeping obligations, in addition to other requirements. Penalties under these laws (and others) can be severe. In particular, under the GDPR we may face temporary or definitive bans on data processing and other corrective actions that could materially adversely impact our operations and ability to do business; fines of up to 20 million Euros or 17.5 million pounds (under the EU GDPR and the U.K. GDPR, respectively) or 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by individual data subjects or groups of data subjects or consumer protection organizations authorized at law to represent their interests. Developments and changes in privacy and data security laws in the European Union and United Kingdom, including to the EU GDPR, U.K. GDPR, ePrivacy Directive, and EU or U.K. data breach laws, may more materially affect our operations than developments or changes to such laws in other jurisdictions because the majority of our operations (including employees) are based in the EU and U.K., we are headquartered in the United Kingdom, and we serve customers across Europe. Additionally, we may be subject to various privacy laws in the jurisdictions where we operate, including Australian privacy laws, such as the Privacy Act of 1988, as well as Canada's Personal Information Protection and Electronic Documents Act, or PIPEDA, and various related provincial laws, as well as Canada's Anti-Spam Legislation, or CASL. We also have operations in Asia, and may be subject to new and emerging data privacy regimes in the region, including Singapore's Personal Data Protection Act or Vietnam Decree No. 13/2023/ND-CP on the Protection of Personal Data. The European Union, United Kingdom and other jurisdictions have enacted laws requiring data to be localized, heavily conditioning or limiting the transfer of personal data to other countries. We may be unable to transfer personal data from Europe and other jurisdictions to different countries due to data localization laws, regulations, requirements or limitations on cross-border data flows. Although there are various mechanisms that may be used in some cases to lawfully transfer personal data from the United Kingdom, Europe and other jurisdictions to the different countries, these mechanisms are subject to legal challenges and may not be available to us. A prohibition or material limitation on our ability to transfer personal data to other countries could materially adversely impact our business operations. In particular, on July 10, 2023, the European Commission adopted an adequacy decision for the new EU-U.S. Data Privacy Framework, which facilitates international transfers of personal data between the European Union and the United States, for companies that choose to self-certify with the framework and comply with its principles. However, the EU-U.S. Data Privacy Framework is expected to be subject to legal challenges and could be withdrawn if, for example, it is deemed not to provide an adequate level of protection to EU individuals. It is unclear how data transfers to and from the United States and the European Union will be regulated in the long term, which measures must be put in place for onward transfers to and from the United States and the European Union, and whether or not the EU-U.S. Data Privacy Framework will provide a long-term solution to managing flows of personal data between the European Union and the United States. Although the United States and the United Kingdom agreed in principle to implement a similar transfer mechanism for data transfers from the United Kingdom to the United States, this mechanism may also be subject to legal challenges, and there is no assurance that we will satisfy or rely on this measure to lawfully transfer personal data to the United States. Although there are currently various mechanisms that may be used to transfer personal data from Europe to inadequate countries or to U.S.-based companies which did not self-certify to new EU-U.S. Data Privacy Framework, such as the standard contractual clauses in the European Union and the United Kingdom, these mechanisms are complex to implement effectively and subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to such countries or recipients. The European Commission adopted an adequacy decision for the new EU-U.S. Data Privacy Framework, which facilitates international transfers of personal data between the European Union and the United States, for companies that choose to self-certify with the framework and comply with its principle, but the Framework may be subject to legal challenges and certifications may be withdrawn. Although the United States and the United Kingdom agreed in principle to implement a similar transfer mechanism for data transfers from the United Kingdom to the United States, this mechanism may also be subject to legal challenges, and there is no assurance that we will satisfy or rely on this measure to lawfully transfer personal data to the U.S. Other jurisdictions may adopt similarly stringent data localization and cross-border data transfer laws, or such laws may be stringently interpreted by regulators. If there is no lawful manner for us to transfer personal data from the United Kingdom, Europe or other jurisdictions to different countries, or if the requirements for a legally-compliant transfer are too onerous, we could face materially adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Notably, some European regulators have prevented companies from transferring personal data out of Europe for allegedly violating GDPR and the EU's cross-border data transfer limitations. Additionally, some of our customer contracts may require us to host personal data locally, and this further complicates our ability to transfer and process personal data in order to provide our services, operate and earn revenue. In the United States, federal, state, and local governments have enacted numerous privacy and data security laws, including consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), data breach notification laws, and personal data privacy laws. For example, the federal Health Insurance Portability and Accountability Act of 1996, or HIPAA imposes specific requirements relating to the privacy, security, and transmission of individually identifiable health information, including on entities such as ours which are business associates under HIPAA. Various states have also implemented laws regulating the use and disclosure of individually identifiable health information. Additionally, some of our U.S. healthcare industry customers may rely on our solutions to protect information as required by HIPAA and related regulations. As another example, the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020, or CPRA, collectively, the CCPA, applies to personal information of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for administrative fines of up to $7,500 per violation and allows private litigants affected by certain data breaches to recover significant statutory damages. The CPRA expands the CCPA's requirements including by adding a new right for individuals to correct their personal information and establishing a new regulatory agency to implement and enforce the law. Other states, such as Virginia, Utah and Colorado, have also passed comprehensive privacy laws, and similar laws are being considered in several other states. These developments may further complicate compliance efforts, and may increase legal risk and compliance costs for us, the third parties upon whom we rely, and our customers. Additionally, privacy and data security laws have been proposed at the federal, state, and local levels in recent years, which could further complicate compliance efforts. Our employees and personnel may use generative AI technologies to perform their work, and the disclosure and use of personal information in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and consumer lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. Furthermore, the use of AI and machine learning, or ML, in our operations and service offerings are subject to privacy and data security laws, as well as increasing regulation and scrutiny. Several jurisdictions around the globe, including Europe and certain U.S. states, have proposed or enacted laws governing AI and ML and we expect other jurisdictions will adopt similar laws. For example, European regulators have proposed a stringent AI regulation, that, if adopted, could impose onerous obligations related to the use of AI-related systems and may require us to change our business practices to comply with such obligations. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal data) and regulate automated decision making, which may be incompatible with our use of AI and ML in our service offering. These obligations may make it harder for us to conduct our business using AI and ML, lead to regulatory fines or penalties, require us to change our business practices, retrain our AI and ML, or prevent or limit our use of AI and ML. For example, the Federal Trade Commission has required other companies to turn over (or disgorge) valuable insights or trainings generated through the use of AI and ML where they allege the company has violated privacy and consumer protection laws. If we cannot use AI and ML or that use is restricted, our business may be less efficient, or we may be at a competitive disadvantage. In addition to privacy and data security laws, we may be contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. We may also be bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, certain privacy laws, such as the GDPR and the CCPA, require our customers to impose specific contractual restrictions on their processors or service providers. We may publish privacy policies, marketing materials and other statements, such as compliance with certain certifications or self-regulatory principles, including to our customers and others regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences. Obligations related to privacy and data security are quickly changing, becoming increasingly stringent, and creating regulatory uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources. These obligations may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties on whom we rely may fail to comply with such obligations, which could negatively impact our business operations. Any failure or perceived failure by us or the third parties on which we rely to comply with applicable privacy or data security obligations could result in significant consequences, including governmental investigations and enforcement actions (e.g., fines, penalties, audits, inspections, and similar), litigation (including class-action claims) or other claims, additional reporting requirements and/or oversight, bans on processing personal data, orders to destroy or not use personal data, and fines and penalties. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business or financial condition, including but not limited to: adverse publicity, loss of trust in us by our clients and partners, reputational harm, inability to process personal data or to operate in certain jurisdictions, expenditure of time and resources to defend any claim or inquiry, and interruptions or stoppages in our business operations. Further, any failure of us to correct business processed that is departing from privacy compliant legal obligations, or any failure of us to adopt or implement business processes that are ensuring compliance with applicable privacy laws, constitute a risk that should be mitigated by adequate efforts brought synergic by various internal teams (legal, compliance, audit, business processes and training).

From time to time, we may be party to various claims and litigation proceedings, including as part of class actions. We evaluate these claims and litigation proceedings to assess the likelihood of unfavorable outcomes and to estimate, if possible, the amount of potential losses. Based on these assessments and estimates, we may establish reserves, as appropriate. These assessments and estimates are based on the information available to management at the time and involve a significant amount of management judgment. Actual outcomes or losses may differ materially from our assessments and estimates. We are not currently party to any material litigation. Even when not merited, the defense of these lawsuits may divert our management's attention, and we may incur significant expenses in defending these lawsuits. The results of litigation and other legal proceedings are inherently uncertain, and adverse judgments or settlements in some of these legal disputes may result in adverse monetary damages, penalties or injunctive relief against us, which could have a material adverse effect on our financial position, cash flows or results of operations. Any claims or litigation, even if fully indemnified or insured, could damage our reputation, make it more difficult to compete effectively or to obtain adequate insurance in the future. Furthermore, while we maintain insurance for certain potential liabilities, such insurance does not cover all types and amounts of potential liabilities and is subject to various exclusions as well as caps on amounts recoverable. Even if we believe a claim is covered by insurance, insurers may dispute our entitlement to recovery for a variety of potential reasons, which may affect the timing and, if the insurers prevail, the amount of our recovery.

We conduct business globally and file income tax returns in multiple jurisdictions. Our consolidated effective income tax rate could be materially adversely affected by several factors, including: changing tax laws (such as the Inflation Reduction Act recently enacted by the U.S. government or the increase in the headline rate of corporation tax in the United Kingdom), regulations and treaties, or the interpretation thereof; tax policy initiatives and reforms under consideration (such as those related to the Organization for Economic Co-Operation and Development's, or OECD, Base Erosion and Profit Shifting, or BEPS, Project, the European Commission's state aid investigations and other initiatives); the practices of tax authorities in jurisdictions in which we operate and jurisdictions in which our customers operate; the cancellation of or alteration to relevant tax incentive regimes; the resolution of issues arising from tax audits or examinations and any related interest or penalties. Such changes may include (but are not limited to) the taxation of operating income, investment income, dividends received or (in the specific context of withholding tax) dividends paid. In particular, there have been significant changes to the taxation systems in Central European countries and also in Argentina and the United States in recent years as the authorities have gradually replaced or introduced new legislation regulating the application of major taxes such as corporate income tax, VAT, corporate property tax, personal income taxes and payroll taxes. The post-Brexit deal that the United Kingdom agreed with the European Union did not include an exemption from withholding tax on dividends between U.K. and E.U. resident group members, and Romanian dividend withholding tax rates have recently been increased, and so profits recognized by us in Romania are now subject to an 8% withholding tax on distributions to us. The headline rate of corporation tax in the United Kingdom increased from 19% to 25% from April 2023. In addition, the OECD is working on proposals, commonly referred to as "BEPS 2.0," which, if implemented in line with current expectations, will make important changes to the international tax system, by allocating taxing rights in respect of certain profits of multinational enterprises above a fixed profit margin to the jurisdictions within which they carry on business (subject to threshold rules) and imposing a minimum effective tax rate on certain multinational enterprises. In particular, the OECD is coordinating the implementation of rules to be adopted for taxing the digital economy, specifically with respect to nexus and profit allocation (Pillar One), and for a global minimum tax (Pillar Two), the latter rules expected to be implemented in a number of jurisdictions with effect from 1 January 2024. While these and other BEPS initiatives are in the final stages of approval and/or implementation, we cannot comprehensively predict their outcome or what impact they will have on our tax obligations and operations or our financial statements, up to their final enactment in national and international legislation. In addition, recently-enacted U.K. legislation (the Retained EU Law (Revocation and Reform) Act 2023) provides for the revocation of E.U. laws and rights which, notwithstanding Brexit, currently remain effective in the United Kingdom. Certain aspects of the stamp duty and stamp duty reserve tax treatment of our ordinary shares and ADSs are based on such E.U. laws and rights. Accordingly, unless steps are taken by the U.K. Government and/or parliament to preserve the current position (for example, by passing regulations under powers conferred by the legislation), then this could, in particular, result in a charge to stamp duty reserve tax, at the rate of 1.5% of the issue price, on the issuance of ADSs after December 31, 2023, which would represent an additional cost if we seek to raise further capital in this way. We are unable to predict what tax reforms may be proposed or enacted in the future or what effect such changes would have on our business, but such changes, to the extent they are brought into tax legislation, regulations, policies or practices in jurisdictions in which we operate, could increase the estimated tax liability that we have expensed to date and paid or accrued on our balance sheets, and otherwise affect our financial position, future results of operations, cash flows in a particular period and overall or effective tax rates in the future in countries where we have operations, reduce post-tax returns to our shareholders and increase the complexity, burden and cost of tax compliance.

We are a party to a small number of agreements with clients that restrict our ability to perform similar services for such clients' competitors. We may in the future enter into agreements with clients that restrict our ability to accept assignments from, or render similar services to, those clients' customers, require us to obtain our clients' prior written consent to provide services to their customers or restrict our ability to compete with our clients, or bid for or accept any assignment for which those clients are bidding or negotiating. These restrictions may hamper our ability to compete for and provide services to other clients in a specific industry in which we have expertise and could materially adversely affect our business, financial condition and results of operations.

Concerns that offshore outsourcing has resulted in a loss of jobs and sensitive technologies and information to foreign countries have led to negative publicity concerning outsourcing in some countries. Many organizations and public figures in the United States and Europe have publicly expressed concern about a perceived association between offshore outsourcing IT service providers and the loss of jobs in their home countries. Current or prospective clients may elect to perform services that we offer themselves, or may be discouraged from transferring these services to offshore providers such as ourselves, to avoid any negative perceptions that may be associated with using an offshore provider or for data privacy and security concerns. As a result, our ability to compete effectively with competitors that operate primarily out of facilities located in these countries could be harmed. Legislation enacted in certain European jurisdictions and any future legislation in Europe or any other country in which we have clients that restricts the performance of services from an offshore location could also materially adversely affect our business, financial condition and results of operations. For example, legislation enacted in the United Kingdom, based on the 1977 EC Acquired Rights Directive, has been adopted in some form by many European Union countries, and provides that if a company outsources all or part of its business to an IT services provider or changes its current IT services provider, the affected employees of the company or of the previous IT services provider are entitled to become employees of the new IT services provider, generally on the same terms and conditions as their original employment. In addition, dismissals of employees who were employed by the company or the previous IT services provider immediately prior to that transfer are automatically considered unfair dismissals that entitle such employees to compensation. As a result, in order to avoid unfair dismissal claims, we may have to offer, and become liable for, voluntary redundancy payments to the employees of our clients who outsource business to us in the United Kingdom and other European Union countries who have adopted similar laws. This legislation could materially affect our ability to obtain new business from companies in the United Kingdom and European Union and to provide outsourced services to companies in the United Kingdom and European Union in a cost-effective manner. Compliance efforts can be expensive and burdensome, and, we could be subject to regulatory investigations and orders, significant fines and penalties, mitigation and breach notification expenses, private litigation and contractual damages, corrective action plans and related regulatory oversight and reputational harm. Governments and industry organizations may also adopt new laws, regulations or requirements, or make changes to existing laws or regulations, that could impact the demand for, or value of, our services. If we are unable to adapt the solutions we deliver to our clients to changing legal and regulatory standards or other requirements in a timely manner, or if our solutions fail to allow our clients to comply with applicable laws and regulations, our clients may lose confidence in our services and could switch to services offered by our competitors, or threaten or bring legal actions against us.

We have experienced, and may in the future experience, a long selling cycle with respect to certain projects that require significant investment of human resources and time by both our clients and us. Before committing to use our services, potential clients may require us to expend substantial time and resources educating them on the value of our services and our ability to meet their requirements. Therefore, our selling cycle is subject to many risks and delays over which we have little or no control, including our clients' decision to choose alternatives to our services (such as other technology and IT service providers or in-house resources) and the timing of our clients' budget cycles and approval processes. If our sales cycle unexpectedly lengthens for one or more projects, it would negatively affect the timing of our revenue and hinder our revenue growth. For certain clients, we may begin work and incur costs prior to executing the contract. A delay in our ability to obtain a signed agreement or other persuasive evidence of an arrangement, or to complete certain contract requirements in a particular quarter, could reduce our revenue in that quarter or render us entirely unable to collect payment for work already performed. Implementing our services also involves a significant commitment of resources over an extended period of time from both our clients and us. Our clients may experience delays in obtaining internal approvals or delays associated with technology, thereby further delaying the implementation process. Our current and future clients may not be willing or able to invest the time and resources necessary to implement our services, and we may fail to close sales with potential clients to which we have devoted significant time and resources. In addition, it is possible that our current and future clients will try to reduce their investment and dependency on human resources, and, in turn, us, by adopting AI and ML initiatives. We may therefore incur additional costs in delivering these specific AI or ML environments, specific to each client or prospective client, which may also negatively affect future revenue. Any significant failure to generate revenue or delays in recognizing revenue after incurring costs related to our sales or services process could materially adversely affect our business.

Our contracts generally require, and our clients typically expect, that we will assign to them all intellectual property rights associated with the deliverables that we create in connection with our engagements. In order to assign these rights to our clients, we must ensure that our employees and contractors validly assign to us all intellectual property rights that they have in such deliverables. Our policy is to require employees and independent contractors to sign assignment of intellectual property agreements with us upon commencement of employment or engagement, but there can be no assurance that we will be able to enforce our rights under such agreements. Given that we operate in a variety of jurisdictions with different and evolving legal regimes, particularly in Central Europe and Latin America, we face increased uncertainty regarding whether such agreements will be found to be valid and enforceable by competent courts and whether we will be able to avail ourselves of the remedies provided for by applicable law. Our success also depends in part on certain methodologies, practices, tools and technical expertise our company utilizes in designing, developing, implementing and maintaining applications and other proprietary intellectual property rights. In order to protect our intellectual property rights, we rely upon a combination of nondisclosure and other contractual arrangements as well as trade secret, copyright and trademark laws. We consider proprietary trade secrets and confidential know-how to be important to our business. However, trade secrets and confidential know-how are difficult to maintain as confidential. To protect this type of information against disclosure or appropriation by competitors, our policy is to require our employees, consultants, contractors and advisors to enter into confidentiality agreements with us. We also seek to preserve the integrity and confidentiality of our data, trade secrets and know-how by maintaining physical security of our premises and physical and electronic security of our information technology systems. Monitoring unauthorized uses and disclosures is difficult, and we do not know whether the steps we have taken to protect our proprietary technologies are or will be effective. We cannot guarantee that our trade secrets and other proprietary and confidential information will not be disclosed or that competitors will not otherwise gain access to our trade secrets. Current or former employees, consultants, contractors and advisers may unintentionally or willfully disclose our confidential information to competitors, and confidentiality agreements may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. Enforcing a claim that a third party illegally obtained and used trade secrets and/or confidential know-how is expensive, time consuming, unpredictable and may vary from jurisdiction to jurisdiction. Furthermore, if a competitor lawfully obtained or independently developed any of our trade secrets, we would have no right to prevent such competitor from using that technology or information to compete with us, which could harm our competitive position. If the steps taken to maintain our trade secrets are deemed inadequate, we may have insufficient recourse against third parties for misappropriating the trade secret. We have registered the "Endava" name and logo in the United Kingdom, the United States and certain other countries. We have pending applications for the "Endava" name and logo in other countries; however, we cannot assure you that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. Our trademarks may also be subject to misappropriation in jurisdictions in which they are not registered.

We use generative AI tools in our operations, including to generate software code that is incorporated into our client deliverables and to gain data-driven insights, build predictive models and develop intelligent systems, and expect to use generative AI tools in the future. Generative AI refers to AI technology that creates new content (such as text, audio, data, images, video, software code) or Output, by leveraging content that the technology was trained on (e.g., through machine learning) in response to prompts submitted by a user, Prompts. Generative AI provides significant opportunities for new and efficient forms of content development, across a wide range of applications. However, generative AI is relatively new and the business, legal and ethical landscape regarding its use, commercialization and regulation is unsettled and constantly evolving. Uncertainty in the legal regulatory regime relating to AI may require significant resources to modify and maintain business practices to comply with relevant U.S. and non-U.S. laws. For further information on the AI regulatory framework see also the risk factor titled "We are subject to stringent and evolving laws, regulations, rules, self-regulatory standards, policies, contractual obligations, and other obligations regarding privacy and data security matters, including in the European Union and the United Kingdom, where we have material operations. Our actual or perceived failure to comply with such obligations could expose us to regulatory investigations or actions, litigation, fines and penalties or other financial liabilities, disruption of our business operations, reputational harm, loss of revenue or profit, loss of customers or sales and/or adversely affect our ability to conduct our business." While we have implemented policies to govern the use of generative AI tools by our personnel and any other person in the performance of services for our Company, the use of generative AI in aspects of our business may present material risks and challenges that could increase as generative AI tools become more prevalent. Recent decisions of the U.S. Copyright Office suggest that we would not be able to claim copyright ownership in any Output, and the availability of such protection in other countries is unclear. In the United Kingdom, copyright law may protect works generated by a computer where there is no human creator, however to date there has been no judicial treatment of these computer-generated work considerations in the context of generative AI. Therefore, even in jurisdictions where copyright protection may be extended to AI-generated works, the ownership of any Outputs generated using generative AI tools may be subject to legal challenge. As a result, we may not be the legal owner of the Output, which in turn is likely to prevent or limit our ability and the ability of our clients to enforce our respective rights in the Output or mean that both our clients and us are unable to prevent others from copying it or reusing it, or unable to stop the provider of the generative AI tool from providing identical Outputs to third parties. The generative AI tool's terms of service may also declare that the provider of the generative AI tool owns the Outputs, or that it retains a broad right to re-use the Outputs beyond the right to use the Outputs (and the Prompts) to train the generative AI tool. In addition, we have little or no insight into the third-party content and materials used to train the generative AI tools, or the extent of the original works which remain in the Output. As a result, we and our clients may face claims from third parties alleging infringement of their intellectual property rights, or infringement of open-source licenses or other license terms. Open-source licenses have various conditions on the use of the source code, ranging from notice and attribution requirements to other more onerous provisions, such as an obligation to make any proprietary code linking to or derived from such open-source code available under the same license terms, which could have significant implications for our and our clients' proprietary code. See also the risk factor titled "We incorporate third-party open source software into our client deliverables and our failure to comply with the terms of the underlying open source software licenses could adversely impact our clients and create potential liability." We and our clients could also be subject to claims from the providers of the generative AI tools if the use of the Output or the tool is inconsistent with, or in breach of, the terms of use. Any of these claims could result in legal proceedings and liability for us or our clients, and could require us or our clients to purchase a costly license, comply with the requirements of open-source software license terms, limit or cease using the Output unless and until such Output is re-engineered to avoid infringement, or change the use of, or remove, the implicated Output. Our use of generative AI tools for software development may also present additional security risks because the generated source code may have been modelled from publicly available code, or otherwise not be subject to our internal controls. There is also a risk that "bad actors" may intend to influence training models to incorporate latent security issues, trojans, malware, or "inorganic" results in Outputs. Unlike open-source software which typically involves community oversight and review of contributions to open-source projects or other community-driven code, generative AI tools may not have the same oversight and review, increasing the risk of any widespread vulnerability or influence of algorithmic output by those with intentions that are against the interest of users or entire groups of users. In addition, AI algorithms may be flawed, and datasets may be insufficient or contain biased information, which could result in inaccurate Output, or Output that is discriminatory, unethical or biased. Any of the foregoing events could adversely impact our business and the business of our clients, and, as a result, we may suffer significant reputational harm and we may face claims from our clients, including contractual claims if the agreement prohibits the use of AI-generated content in the deliverables and indemnification claims. We also face risks in respect of any personal data or confidential or proprietary information of the Company which may be included in any Prompts. Whilst some generative AI tool operators offer an "enterprise" or "business" version with more customer-favourable confidentiality and security provisions, free-to-use generative AI tools do not typically have confidentiality or security obligations with respect to Prompts or Outputs. As a result, if our confidential information, or information of a third party to which we have an obligation to keep confidential, is included in the Prompt provided to the generative AI tool, the generative AI tool might disclose or reuse such confidential information, including re-creating the Output to others, or using the confidential information as training data for other Outputs, and we may not have the ability to prevent the generative AI tool from doing so. Additionally, there is the risk of personal data being included in a Prompt, which could result in such personal data being inappropriately transferred or processed. This could result in a breach of our obligations under applicable data protection laws, or contracts with our clients or other third parties, which could put us at risk of a fine from the relevant regulator and/or a claim for damages. For further information of data protection breaches and fines, see the risk factor titled "We are subject to stringent and evolving laws, regulations, rules, self-regulatory standards, policies, contractual obligations, and other obligations regarding privacy and data security matters, including in the European Union and the United Kingdom, where we have material operations. Our actual or perceived failure to comply with such obligations could expose us to regulatory investigations or actions, litigation, fines and penalties or other financial liabilities, disruption of our business operations, reputational harm, loss of revenue or profit, loss of customers or sales and/or adversely affect our ability to conduct our business." The risks resulting from use of generative AI tools could be difficult to eliminate or manage, and, if not addressed, could have a material adverse effect on our business, reputation, results of operations, financial condition, and future prospects.

Economies in many regions in which we operate, including the United States and Europe, have experienced over the past financial year, or are currently experiencing, rising rates of inflation. Periods of higher inflation may slow economic growth and significantly impact our results of operations. Inflation is also likely to increase some of our costs and expenses, including wages, rents, leases and employee benefit payments. To the extent inflation causes these costs to increase, such inflation may materially adversely affect our financial results and business as it may erode our profitability. We may be unable to raise our prices in line with increased inflation and fail to pass on the costs of increased inflation to our clients. As a result, this may reduce our gross margins and profitability. Inflationary pressures could also affect our ability to access financial markets and lead to counter-inflationary measures that may harm our financial condition, results of operations or materially adversely affect the market price of our securities.

Certain countries in South Asia, Central European and Latin American countries are generally considered to be emerging markets, which are subject to rapid change and greater legal, economic and political risks than more established markets. Financial problems or an increase in the perceived risks associated with investing in emerging economies could dampen foreign investment in South East Asia, Central Europe and Latin America and adversely affect the economy of the region. Political instability could result in a worsening overall economic situation, including capital flight and slowdown of investment and business activity. Current and future changes in governments of the countries in which we have or develop operations, as well as major policy shifts or lack of consensus between various branches of the government and powerful economic groups, could lead to political instability and disrupt or reverse political, economic and regulatory reforms, which could materially adversely affect our business and operations in those countries. In addition, political and economic relations between certain of the countries in which we operate are complex, and recent conflicts have arisen between certain of their governments. Political, ethnic, religious, historical and other differences have, on occasion, given rise to tensions and, in certain cases, military conflicts among Central European, Latin American or South East Asian countries which can halt normal economic activity and disrupt the economies of neighboring regions. The emergence of new or escalated tensions in South East Asia, Central European or Latin American countries could further exacerbate tensions between such countries and the United Kingdom, the United States and the European Union, which may have a negative effect on their economy, our ability to develop or maintain our operations in those countries and our ability to attract and retain employees, any of which could materially adversely affect our business and operations. In addition, banking and other financial systems in certain countries in which we have operations are less developed and regulated than in some more developed markets, and legislation relating to banks and bank accounts is subject to varying interpretations and inconsistent application. Banks in these regions often do not meet the banking standards of more developed markets, and the transparency of the banking sector lags behind international standards. Furthermore, in certain countries in which we operate, bank deposits made by corporate entities generally either are not insured or are insured only to specified limits. As a result, the banking sector remains subject to periodic instability. Another banking crisis, or the bankruptcy or insolvency of banks through which we receive or with which we hold funds may result in the loss of our deposits or adversely affect our ability to complete banking transactions in certain countries in which we have operations, which could materially adversely affect our business and financial condition.

In order to sustain our growth, we must attract and retain a large number of highly-skilled and talented IT professionals. During the fiscal year ended June 30, 2023, we increased our headcount by 210 employees, or 1.8%. Our business is people driven and, accordingly, our success depends upon our ability to attract, develop, motivate, retain and effectively utilize highly-skilled IT professionals in our delivery locations, which are principally located in European Union countries (Bulgaria, Croatia, Poland, Romania and Slovenia), Central European countries (Bosnia & Herzegovina, Moldova, North Macedonia and Serbia), Latin America (Argentina, Colombia, Mexico and Uruguay) and South East Asia (Malaysia and Vietnam). We believe that there is significant competition for attracting technology professionals in the geographic regions in which our delivery centers are located and that such competition will continue for the foreseeable future. Increased hiring by technology companies and increasing worldwide competition for skilled technology professionals has led to a shortage in the availability of suitable personnel in the locations where we operate and hire. In addition, we are in a period of economic uncertainty and capital markets disruption following the escalation of geopolitical tensions and the Russia-Ukraine conflict and related sanctions, which could conceivably expand into the surrounding region. All of these factors may negatively impact our ability to recruit, hire and train the IT professionals we require to operate our business. As remote or flexible work options become more commonplace, potential candidates may choose to move to lower cost of living areas, which could negatively impact our ability to recruit appropriately skilled personnel for onsite positions. Moreover, we have observed increased wage expectations due to inflation and adverse global economic conditions. Such wage expectations could create challenges for our recruiting efforts in light of profitability considerations and margin requirements. Our ability to properly staff projects, maintain and renew existing engagements and win new business depends, in large part, on our ability to recruit, train and retain IT professionals in the areas where our delivery centers are located. Failure to hire, train and retain IT professionals in sufficient numbers could have a material adverse effect on our business, results of operations and financial condition.

We have made and continue to make significant contractual commitments related to our leased facilities. The total lease related expense (net of any related gains and income) included in our financial statements for the 2023 fiscal year was £15.3 million, and we are contractually committed to £16.1 million in such lease expenses for the 2024 fiscal year. These expenses will have a significant impact on our fixed costs, and if we are unable to grow our business and revenue proportionately, our operating results may be negatively affected. Additionally, as we continue to move to a hybrid working model allowing for remote work, we may require less office space than we currently have under our leases. This could require us to renegotiate some of our leases to match a reduced need for office space, which may in turn lead to disputes with existing landlords. This process could be costly and time consuming, and we cannot guarantee that any new leases would be on the same or better terms as our current lease arrangements. Additionally, we plan to make significant changes to our offices to adapt them to new ways of working as we embrace a hybrid working model. This investment could be costly and time consuming as we evolve our plan to meet the requirements and opportunities this new working model presents and to increase our employees' capabilities, wellness, job satisfaction and productivity under this model. Furthermore, these investments as well as our operating costs, such as utilities, could be negatively impacted by inflation rates and global economic and geopolitical conditions.