Datadog (DDOG) Risk Factors

We may sell to U.S. federal, state, and local, as well as foreign, governmental agency customers, as well as to customers in highly regulated industries such as financial services, telecommunications and healthcare. Sales to such entities are subject to a number of challenges and risks. Selling to such entities can be highly competitive, expensive, and time-consuming, often requiring significant upfront time and expense without any assurance that these efforts will generate a sale. Government contracting requirements may change which may restrict our ability to sell into the government sector until we are able to comply with the revised contracting requirements. Government demand and payment for our products are affected by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our products. Further, governmental and highly regulated entities may demand contract terms that differ from our standard arrangements and are less favorable than terms agreed with private sector customers. Such entities may have statutory, contractual, or other legal rights to terminate contracts with us or our partners for convenience or for other reasons. Any such termination may adversely affect our ability to contract with other government customers as well as our reputation, business, financial condition and results of operations.

We are subject to the U.S. Foreign Corrupt Practices Act, or FCPA, U.S. domestic bribery laws, the UK Bribery Act, and other anti-corruption and anti-money laundering laws in the countries in which we conduct activities. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly to generally prohibit companies, their employees and their third-party intermediaries from authorizing, offering, or providing, directly or indirectly, improper payments or benefits to recipients in the public or private sector. As we increase our international sales and business and sales to the public sector, we may engage with business partners and third-party intermediaries to market our products and to obtain necessary permits, licenses, and other regulatory approvals. In addition, we or our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities. We can be held liable for the corrupt or other illegal activities of these third-party intermediaries, our employees, representatives, contractors, partners and agents, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with such laws, we cannot assure you that all of our employees and agents will not take actions in violation of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase. Detecting, investigating, and resolving actual or alleged violations of anti-corruption laws can require a significant diversion of time, resources, and attention from senior management. In addition, noncompliance with anti-corruption, anti-bribery, or anti-money laundering laws could subject us to whistleblower complaints, investigations, sanctions, settlements, prosecution, enforcement actions, fines, damages, other civil or criminal penalties or injunctions, suspension or debarment from contracting with certain persons, reputational harm, adverse media coverage, and other collateral consequences. If any subpoenas or investigations are launched, or governmental or other sanctions are imposed, or if we do not prevail in any possible civil or criminal proceeding, our business, financial condition and results of operations could be harmed. In addition, responding to any action will likely result in a materially significant diversion of management's attention and resources and significant defense costs and other professional fees.

We have legal, contractual and other applicable obligations regarding the protection and appropriate use of personal information, confidential information, and other proprietary information that we, our third-party service providers or other partners process. We are subject to a variety of federal, state, local and foreign laws, directives, regulations, and industry standards, relating to the collection, use, retention, security, disclosure, transfer and other processing of personal information. The regulatory framework for and users' expectations around privacy and security issues worldwide is rapidly evolving and as a result, implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future resulting in possible significant operational costs for compliance and risk to our business. In addition, new technologies we use in our products or in our business, like AI and machine learning, may also subject us to new or enhanced governmental or regulatory scrutiny, litigation, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results. Internationally, nearly every jurisdiction in which we operate has established its own data security and privacy legal framework with which we, our third-party service providers, or our customers must comply. For example, the European Union's General Data Protection Regulation, or EU GDPR, contains numerous requirements and changes from previously existing law, including more robust obligations on data processors and heavier documentation requirements for data protection compliance programs by companies and data protection authorities. Under the EU GDPR, companies may face temporary or definitive bans on data processing and other corrective actions, significant monetary fines, and private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. In addition, Europe and other jurisdictions have enacted data localization laws and cross-border personal data transfer laws. For example, the European Economic Area (EEA) and the United Kingdom have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it generally believes are inadequate. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and United Kingdom to the United States in compliance with law, such as the EEA standard contractual clauses, the United Kingdom's International Data Transfer Agreement/Addendum, and the EU-U.S. Data Privacy Framework and the United Kingdom extension thereto (which allows for transfers for relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. Additionally, other countries outside of Europe have enacted or are considering enacting similar cross-border data transfer restrictions and laws requiring local data residency, and strict limitations to the processing of personal information, which could increase the cost and complexity of delivering our services and operating our business. For example, Brazil enacted the General Data Protection Law, New Zealand enacted the New Zealand Privacy Act, China enacted its Personal Information Protection Law, and Canada introduced the Digital Charter Implementation Act. If we are unable to implement a valid compliance mechanism for cross-border personal information transfers, we may face increased exposure to regulatory actions, substantial fines and injunctions against processing or transferring personal information from Europe or elsewhere. Inability to import personal information from other jurisdictions to the United States may significantly and negatively impact our business operations, including by lowering sales on our platform due to the difficulty of establishing a lawful mechanism for personal information transfers out of Europe or other jurisdictions, or requiring us to increase our data processing capabilities in Europe or elsewhere at significant expense. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. Additionally, European legislative proposals and present laws and regulations apply to cookies and similar tracking technologies, electronic communications, and marketing. In the EU and the United Kingdom, regulators are increasingly focusing on compliance with requirements related to the online behavioral advertising ecosystem and requirements around consent. It is anticipated that the ePrivacy Regulation will replace the current national laws that implement the ePrivacy Directive that governs electronic communications. Outside of Europe, other laws and regulations, including legislative proposals, individual behavior and industry practices are increasingly resistant to the use of personal information to deliver targeted advertising, making certain online advertising activities more difficult and subject to additional scrutiny. For example, the California Consumer Privacy Act, or CCPA, grants California residents the right to opt-out of a company's sharing of personal information for cross-context behavioral advertising purposes. Other comprehensive U.S. state privacy laws extend similar rights to residents. As a result of these developments, we may be required to change the way we market our products, which would impair our ability to reach new or existing customers. Complying with these and other applicable laws may cause us to incur substantial operational costs or require us to change our business practices. Despite our efforts to bring practices into compliance with all applicable laws, we may not be successful in our efforts to achieve compliance either due to internal or external factors such as resource allocation limitations or a lack of vendor cooperation. Non-compliance could result in proceedings against us by governmental entities, customers, data subjects or others. We may also experience difficulty retaining or obtaining new European or multi-national customers due to the legal requirements, compliance cost, potential risk exposure, and uncertainty for these entities, and we may experience significantly increased liability with respect to these customers pursuant to the terms set forth in our engagements with them. While we utilize a data center in the EEA to maintain certain customer data (which may include personal information) originating from the EEA, we may find it necessary to establish additional systems and processes to maintain such data in the EEA, which may involve substantial expense and distraction from other aspects of our business. Domestic laws in this area are also complex and developing rapidly, and we are, or may become, subject to numerous U.S. data privacy and security laws. In the United States, laws governing data privacy and security include those promulgated under the authority of the Federal Trade Commission Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the CCPA, HIPAA, and numerous other state and federal laws relating to privacy and data security. Many state legislatures have adopted legislation that regulates how businesses operate online, including measures relating to privacy, data security and data breaches. Laws in all 50 states require businesses to provide notice to customers whose personal information has been disclosed as a result of a data breach. The laws are not consistent, and compliance in the event of a widespread data breach is costly. States are also constantly amending existing laws, requiring attention to frequently changing legal requirements. The CCPA, which became effective on January 1, 2020, gives California residents (including consumers, employees, job applicants and business representatives) expanded rights to access and delete their personal information, opt out of the sale of personal information, and receive detailed information about how their personal information is used. The CCPA provides a private right of action and statutory damages for data breaches and may increase our compliance costs and potential liability with respect to other personal information we collect about California residents. In addition, the amendments to the CCPA made by the California Privacy Rights Act, or the CPRA, went into effect on January 1, 2023. The CPRA amends the CCPA to give California residents the ability to limit the use of their sensitive information, provide additional penalties for CPRA violations concerning California residents under the age of 16, and establish a new California Privacy Protection Agency to implement and enforce the law. These changes to the CCPA could impact our business activities depending on how they are interpreted. These laws exemplify the vulnerability of our business to the evolving regulatory environment related to the protection of personal information. Other states have enacted or proposed comprehensive privacy laws as well. For example, privacy laws in Colorado, Connecticut, Utah and Virginia have recently gone into effect and similar laws in other states, such as Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas have been enacted and are expected to go into effect over the next several years. Because the interpretation and application of many privacy and data protection laws and regulations, along with contractually imposed industry standards are uncertain, it is possible that they may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our products and platform capabilities. If so, in addition to the possibility of fines, lawsuits, mass arbitration demands, regulatory investigations and imprisonment of company officials, other claims and penalties, significant costs for remediation and damage to our reputation, we could be required to fundamentally change our business activities and practices or modify our products and platform capabilities, any of which could have an adverse effect on our business. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any inability to adequately address privacy and security concerns, even if unfounded, or comply with applicable privacy and data security laws, regulations, or contractual obligations, could result in additional cost and liability to us, damage our reputation, inhibit sales, and adversely affect our business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and contractual obligations that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our products. Privacy and data security concerns, whether valid or not valid, may inhibit market adoption of our products, particularly in certain industries and foreign countries. If we are not able to adjust to these changing laws, regulations, and contractual obligations, our business may be harmed. We publicly post our policies and other documentation regarding our practices concerning the collection, processing, use, transfer, and disclosure of data. Although we endeavor to comply with our published policies and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our policies and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Any failure by us, our third-party service providers or other parties with whom we do business to comply with our policies or other documentation could result in proceedings against us by governmental entities, private parties or others. We are or may also be subject to the terms of our external and internal privacy and security policies, codes, representations, certifications, industry standards, publications and frameworks and contractual obligations to third parties related to privacy, information security, including contractual obligations to indemnify and hold harmless third parties from the costs or consequences of non-compliance with data protection laws or other obligations.

As of December 31, 2023, we had NOL carryforwards for federal and state income tax purposes of approximately $148.9 million and $206.4 million, respectively, which may be available to offset taxable income in the future, and which expire in 2026 for state purposes if not utilized. Unused U.S. federal NOLs for taxable years beginning before January 1, 2018, may be carried forward to offset future taxable income, if any, until such unused NOLs expire. Under current law, U.S. federal NOLs incurred in taxable years after December 31, 2017, can be carried forward indefinitely, but the deductibility of such U.S. federal NOLs is limited to 80% of taxable income. It is uncertain if and to what extent various states will conform to federal tax laws. A lack of future taxable income would adversely affect our ability to utilize portions of these NOLs before they expire. In general, under Section 382 of the Internal Revenue Code of 1986, as amended, or the Code, a corporation that undergoes an "ownership change" (as defined under Section 382 of the Code and applicable Treasury Regulations) is subject to limitations on its ability to utilize its pre-change NOLs to offset post-change taxable income. We may experience a future ownership change under Section 382 of the Code that could affect our ability to utilize the NOLs to offset our income. Furthermore, our ability to utilize NOLs of companies that we have acquired or may acquire in the future may be subject to limitations. There is also a risk that due to regulatory changes, such as suspensions on the use of NOLs or other unforeseen reasons, our existing NOLs could expire or otherwise be unavailable to reduce future income tax liabilities, including for state tax purposes. For these reasons, we may not be able to utilize a material portion of the NOLs reflected on our balance sheets, even if we attain profitability, which could potentially result in increased future tax liability to us and could adversely affect our operating results and financial condition.

An increasing number of states have considered or adopted laws that attempt to impose tax collection obligations on out-of-state companies. Additionally, the Supreme Court of the United States ruled in South Dakota v. Wayfair, Inc. et al, or Wayfair, that online sellers can be required to collect sales and use tax despite not having a physical presence in the buyer's state. In response to Wayfair, or otherwise, states or local governments may adopt, or begin to enforce, laws requiring us to calculate, collect, and remit taxes on sales in their jurisdictions. A successful assertion by one or more states requiring us to collect taxes where we presently do not do so, or to collect more taxes in a jurisdiction in which we currently do collect some taxes, could result in substantial tax liabilities, including taxes on past sales, as well as penalties and interest. The imposition by state governments or local governments of sales tax collection obligations on out-of-state sellers could also create additional administrative burdens for us, put us at a competitive disadvantage if they do not impose similar obligations on our competitors, and decrease our future sales, which could have a material adverse effect on our business and results of operations.

Our ability to attract new users and customers and increase revenue from existing customers depends in large part on our ability to enhance and improve our existing products, increase adoption and usage of our products, and introduce new products and capabilities. The market in which we compete is relatively new and subject to rapid technological change, evolving industry standards, and changing regulations, as well as changing customer needs, requirements and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis. For example, some of our products use artificial intelligence, or AI, and machine learning, and we are making investments in expanding our artificial intelligence capabilities, which will require significant investment in infrastructure and personnel. However, AI technologies are complex and rapidly evolving in a changing competitive market and market acceptance of AI technologies remains uncertain, see "Industry and Competitive Risks-We use artificial intelligence in our products and services which may result in operational challenges, legal liability, reputational harm, competitive risks and regulatory concerns that could adversely affect our business and results of operations." below. If we were unable to enhance our products and platform capabilities to keep pace with rapid technological and regulatory change, or if new technologies emerge that are able to deliver competitive products at lower prices, more efficiently, more conveniently, or more securely than our products, our business, financial condition and results of operations could be adversely affected. The success of our platform depends, in part, on its ability to be deployed in a self-service installation process. We currently offer more than 700 out-of-the-box integrations to assist customers in deploying Datadog, and we need to continuously modify and enhance our products to adapt to changes and innovation in existing and new technologies to maintain and grow our integrations. We expect that the number of integrations we will need to support will continue to expand as developers adopt new software platforms, and we will have to develop new versions of our products to work with those new platforms. This development effort may require significant engineering, sales and marketing resources, all of which would adversely affect our business. Any failure of our products to operate effectively with future infrastructure platforms and technologies could reduce the demand for our products. If we are unable to respond to these changes in a cost-effective manner, our products may become less marketable and less competitive or obsolete, and our business, financial condition and results of operations could be adversely affected.

Our success depends to a significant degree on our ability to obtain, maintain, protect and enforce our intellectual property rights, including our proprietary technology, know-how and our brand. We rely on a combination of trademarks, trade secrets, patents, copyrights, contractual restrictions, and other intellectual property laws and confidentiality procedures to establish and protect our proprietary rights. However, the steps we take to obtain, maintain, protect and enforce our intellectual property rights may be inadequate. We will not be able to protect our intellectual property rights if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property rights. If we fail to protect our intellectual property rights adequately, our competitors may gain access to our proprietary technology and develop and commercialize substantially identical products, services or technologies, our business, financial condition, results of operations or prospects may be harmed. In addition, defending our intellectual property rights might entail significant expense. Any patents, trademarks, or other intellectual property rights that we have or may obtain may be challenged or circumvented by others or invalidated or held unenforceable through administrative processes, including re-examination, inter partes review, interference and derivation proceedings and equivalent proceedings in foreign jurisdictions (e.g., opposition proceedings) or litigation. Despite our pending patent applications, there can be no assurance that our patent applications will result in issued patents. Even if we continue to seek patent protection in the future, we may be unable to obtain or maintain patent protection for our technology. In addition, any patents issued from pending or future patent applications or licensed to us in the future may not provide us with competitive advantages, or may be successfully challenged by third parties. There may be issued patents of which we are not aware, held by third parties that, if found to be valid and enforceable, could be alleged to be infringed by our current or future technologies or products. There also may be pending patent applications of which we are not aware that may result in issued patents, which could be alleged to be infringed by our current or future technologies or products. Furthermore, legal standards relating to the validity, enforceability, and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our products and platform capabilities and use information that we regard as proprietary to create products that compete with ours. Patent, trademark, copyright, and trade secret protections may not be available to us in every country in which our products are available. For example, as we have expanded internationally, we have been unable to register and obtain the exclusive right to use the Datadog trademark in certain jurisdictions, including certain European countries outside of the EU, and as we continue to expand, we may face similar issues in other jurisdictions. The value of our intellectual property could diminish if others assert rights in or ownership of our trademarks and other intellectual property rights, or trademarks that are similar to our trademarks. We may be unable to successfully resolve these types of conflicts to our satisfaction. In some cases, litigation or other actions may be necessary to protect or enforce our trademarks and other intellectual property rights. Furthermore, third parties may assert intellectual property claims against us, and we may be subject to liability, required to enter into costly license agreements, or required to rebrand our products and/or prevented from selling some of our products if third parties successfully claim that we infringe, misappropriate or otherwise violate their trademarks or other intellectual property rights. In addition, the laws of some foreign countries may not be as protective of intellectual property rights as those in the United States, and mechanisms for enforcement of intellectual property rights may be inadequate. As we expand our international activities, our exposure to unauthorized copying and use of our products and platform capabilities and proprietary information will likely increase. Moreover, policing unauthorized use of our technologies, trade secrets, and intellectual property may be difficult, expensive, and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon, misappropriating or otherwise violating our intellectual property rights. We enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with other third parties, including suppliers and other partners. However, we cannot guarantee that we have entered into such agreements with each party that has or may have had access to our proprietary information, know-how and trade secrets. Moreover, no assurance can be given that these agreements will be effective in controlling access to, distribution, use, misuse, misappropriation, reverse engineering or disclosure of our proprietary information, know-how and trade secrets. Further, these agreements may not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our products and platform capabilities. These agreements may be breached, and we may not have adequate remedies for any such breach. In order to protect our intellectual property rights, we may be required to spend significant resources to monitor and protect our intellectual property rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Litigation brought to protect and enforce our intellectual property rights could be costly, time-consuming, and distracting to management, and could result in the impairment or loss of portions of our intellectual property. Further, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims, and countersuits attacking the validity and enforceability of our intellectual property rights, and if such defenses, counterclaims or countersuits are successful, we could lose valuable intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management's attention and resources, could delay further sales or the implementation of our products and platform capabilities, impair the functionality of our products and platform capabilities, delay introductions of new solutions, result in our substituting inferior or more costly technologies into our products, or injure our reputation.

We use open source software in our products and we expect to continue to incorporate open source software in our services in the future. Few of the licenses applicable to open source software have been interpreted by courts, and there is a risk that these licenses could be construed in a manner that could impose unanticipated conditions or restrictions on our ability to commercialize our products. Moreover, we cannot ensure that we have not incorporated additional open source software in our software in a manner that is inconsistent with the terms of the applicable license or our current policies and procedures. If we fail to comply with these licenses, we may be subject to certain requirements, including requirements that we offer our solutions that incorporate the open source software for no cost, that we make available source code for modifications or derivative works we create based upon, incorporating or using the open source software and that we license such modifications or derivative works under the terms of applicable open source licenses. If an author or other third party that distributes such open source software were to allege that we had not complied with the conditions of one or more of these licenses, we could be required to incur significant legal expenses defending against such allegations and could be subject to significant damages, enjoined from the sale of our products that contained the open source software and required to comply with onerous conditions or restrictions on these products, which could disrupt the distribution and sale of these products. From time to time, there have been claims challenging the ownership rights in open source software against companies that incorporate it into their products and the licensors of such open source software provide no warranties or indemnities with respect to such claims. As a result, we and our customers could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our business, financial condition and results of operations, or require us to devote additional research and development resources to change our products. In addition, although we employ open source software license screening measures, if we were to combine our proprietary software products with open source software in a certain manner we could, under certain open source licenses, be required to release the source code of our proprietary software products. Some open source projects have known vulnerabilities and architectural instabilities and are provided on an "as-is" basis which, if not properly addressed, could negatively affect the performance of our product. If we inappropriately use or incorporate open source software subject to certain types of open source licenses that challenge the proprietary nature of our products, we may be required to re-engineer such products, discontinue the sale of such products or take other remedial actions.

We have a field sales team that targets enterprise customers. Sales to large customers involve risks that may not be present or that are present to a lesser extent with sales to smaller entities, such as longer sales cycles, more complex customer requirements, substantial upfront sales costs, and less predictability in completing some of our sales. For example, enterprise customers may require considerable time to evaluate and test our solutions and those of our competitors prior to making a purchase decision and placing an order. A number of factors influence the length and variability of our sales cycle, including the need to educate potential customers about the uses and benefits of our solutions, the discretionary nature of purchasing and budget cycles, and the competitive nature of evaluation and purchasing approval processes. As a result, the length of our sales cycle, from identification of the opportunity to deal closure, may vary significantly from customer to customer, with sales to large enterprises typically taking longer to complete. Moreover, large enterprise customers often begin to deploy our products on a limited basis, but nevertheless demand configuration, integration services and pricing negotiations, which increase our upfront investment in the sales effort with no guarantee that these customers will deploy our products widely enough across their organization to justify our substantial upfront investment.

To encourage awareness, usage, familiarity and adoption of our platform and products, we offer free trials and a free tier of our platform. These strategies may not be successful in leading customers to purchase our products, as users of our free tier may not lead to them or others within their organization purchasing and deploying our platform. To the extent that users do not become, or we are unable to successfully attract paying customers, we will not realize the intended benefits of these marketing strategies and our ability to grow our revenue will be adversely affected.

Our customers rely on our customer support personnel to resolve issues and realize the full benefits that our platform provides. High-quality support is also important for the renewal and expansion of our subscriptions with existing customers. The importance of our support function will increase as we expand our business and pursue new customers. If we do not help our customers quickly resolve issues and provide effective ongoing support, our ability to maintain and expand our subscriptions to existing and new customers could suffer, and our reputation with existing or potential customers could suffer.