Domo (DOMO) Risk Factors

Our success depends on our customers' willingness to adopt and use our platform, including on their smartphone or mobile device, as well as our ability to adapt and enhance our platform. To attract new customers and increase revenue from existing customers, we need to continue to enhance and improve our platform, to meet customer needs at prices that customers are willing to pay. Such efforts will require adding new features, expanding related applications and responding to technological advancements, which will increase our research and development costs. If we are unable to develop solutions that address customers' needs, or enhance and improve our platform in a timely manner, we may not be able to increase or maintain market acceptance of our platform. Further, we may make changes to our platform that customers do not find useful. We may also discontinue certain features, begin to charge for certain features that are currently free or increase fees for any features or usage of our platform. We may also face unexpected problems or challenges in connection with new applications or feature introductions. Enhancements and changes to our platform could fail to attain sufficient market acceptance for many reasons, including: - failure to predict market demand accurately in terms of platform functionality and capability or to supply features that meets this demand in a timely fashion;- inability to operate effectively with the technologies, systems or applications of existing or potential customers;- defects, errors or failures;- negative publicity about their performance or effectiveness;- delays in releasing new enhancements and additional features to our platform to the market;- the introduction or anticipated introduction of competing products;- an ineffective sales force;- poor business conditions for our end-customers, causing them to delay purchases;- challenges with customer adoption and use of our platform on mobile devices or problems encountered in developing or supporting enhancements to our mobile applications; and - the reluctance of customers to purchase subscriptions to software incorporating open source software. Because our platform is designed to operate on and with a variety of systems, we will need to continuously modify and enhance our platform to keep pace with changes in technology, and we may fail to do so. In addition, issues in the use of artificial intelligence in our platform may result in reputational harm or liability. Domo's suite of data science leverages machine learning algorithms, predictive analytics, and other artificial intelligence technologies to identify trends, anomalies and correlations, provide alerts and initiate business processes. Artificial intelligence presents risks and challenges that could affect its adoption, and therefore our business. Artificial intelligence algorithms may be flawed. Datasets may be insufficient or contain biased information. Artificial intelligence technologies that we make use of may produce or create outputs that appear correct but are factually inaccurate or otherwise flawed. Inappropriate or controversial data practices by us or others could impair the acceptance of artificial intelligence solutions. These deficiencies could undermine the decisions, predictions, or analysis artificial intelligence applications produce, subjecting us to competitive harm, legal liability, and brand or reputational harm. Additionally, artificial intelligence technologies are complex and rapidly evolving, and we face significant competition from other companies as well as evolving legal and regulatory landscapes. Laws and regulations applicable to artificial intelligence continue to develop and may be inconsistent from jurisdiction to jurisdiction. For example, the E.U. has proposed an Artificial Intelligence Act that, if finalized, would prohibit certain artificial intelligence applications and systems and impose additional requirements on the use of certain applications or systems. The use of artificial intelligence technologies in our platform may result in new or enhanced governmental or regulatory scrutiny, new or modified laws or regulations, claims, demands, and litigation, confidentiality, privacy, data protection, or security risks, ethical concerns, or other complications that could adversely affect our business, financial condition, results of operations and prospects. Uncertainty around new and emerging artificial intelligence technologies may require additional investment in the development and maintenance of proprietary datasets and machine learning models, development of new approaches and processes to provide attribution or remuneration to creators of training data, and development of appropriate protections, safeguards, and policies for handling the processing of data with artificial intelligence technologies, which may be costly and could impact our expenses. Our platform also provides real-time write-back capabilities to customer environments, including to IoT products and services. The development of the internet of things (IoT) presents security, privacy and execution risks. Many IoT devices have limited interfaces and ability to be updated or patched. IoT solutions may collect large amounts of data, and our handling of IoT data may not satisfy customers or regulatory requirements. IoT scenarios may increasingly affect personal health and safety. If IoT solutions that include our technologies do not work as intended, violate the law, or harm individuals or businesses, we may be subject to legal claims or enforcement actions. These risks, if realized, may increase our costs, damage our reputation or brand, or negatively impact our business and operating results. Moreover, many competitors expend a considerably greater amount of funds on their research and development programs, and those that do not may be acquired by larger companies that would allocate greater resources to competitors' research and development programs. If we fail to maintain adequate research and development resources or compete effectively with the research and development programs of competitors, our business could be harmed. Our ability to grow is also subject to the risk of future disruptive technologies. If new technologies emerge that are able to deliver business intelligence solutions at lower prices, more efficiently, more conveniently or more securely, such technologies could adversely affect our ability to compete.

Our success is dependent, in part, upon protecting our proprietary technology. As of January 31, 2024, we had 115 issued U.S. patents covering our technology and four patent applications pending for examination in the United States. Our issued patents, and any patents issued in the future, may not provide us with any competitive advantages or may be challenged by third parties, and our patent applications may never be granted. Additionally, the process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner. Even if issued, there can be no assurance that these patents will adequately protect our intellectual property, as the legal standards relating to the validity, enforceability and scope of protection of patent and other intellectual property rights are uncertain. Any patents that are issued may subsequently be invalidated or otherwise limited, allowing other companies to develop offerings that compete with ours, which could adversely affect our competitive business position, business prospects and financial condition. In addition, issuance of a patent does not guarantee that we have a right to practice the patented invention. Patent applications in the United States are typically not published until 18 months after filing or, in some cases, not at all, and publications of discoveries in industry-related literature lag behind actual discoveries. We cannot be certain that we were the first to use the inventions claimed in our issued patents or pending patent applications or otherwise used in our platform, that we were the first to file for protection in our patent applications, or that third parties do not have blocking patents that could be used to prevent us from marketing or practicing our patented technology. Effective patent, trademark, copyright and trade secret protection may not be available to us in every country in which our platform is available. The laws of some foreign countries may not be as protective of intellectual property rights as those in the United States (in particular, some foreign jurisdictions do not permit patent protection for software), and mechanisms for enforcement of intellectual property rights may be inadequate. Additional uncertainty may result from changes to intellectual property legislation enacted in the United States, including the America Invents Act, and other national governments and from interpretations of the intellectual property laws of the United States and other countries by applicable courts and agencies. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our intellectual property. Although we generally enter into confidentiality and invention assignment agreements with our employees and consultants that have access to material confidential information and enter into confidentiality agreements with our customers and the parties with whom we have strategic relationships and business alliances, no assurance can be given that these agreements will be effective in controlling access to and distribution of our platform and propriety information or prevent reverse engineering. Further, these agreements may not prevent competitors from independently developing technologies that are substantially equivalent or superior to our platform, and we may be unable to prevent this competition. Unauthorized use of our intellectual property may have already occurred or may occur in the future. We may be required to spend significant resources to monitor and protect our intellectual property rights. Litigation may be necessary in the future to enforce our intellectual property rights. Such litigation could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. We may not prevail in any lawsuits that we initiate. Any litigation, whether or not resolved in our favor, could subject us to substantial costs, divert resources and the attention of management and technical personnel from our business and adversely affect our business. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation, could delay further sales or the implementation of our platform, impair the functionality of our platform, delay introductions of new features or enhancements, result in our substituting inferior or more costly technologies into our platform, or injure our reputation. We may initiate claims or litigation against third parties for infringement or other violation of our proprietary rights or to establish the validity of our proprietary rights. Litigation also puts our patents at risk of being invalidated or interpreted narrowly and our patent applications at risk of not issuing. Additionally, we may provoke third parties to assert counterclaims against us. We may not prevail in any lawsuits that we initiate, and the damages or other remedies awarded, if any, may not be commercially viable. Any litigation, whether or not it is resolved in our favor, could result in significant expense to us and divert the efforts of our technical and management personnel, which may adversely affect our business, operating results, financial condition and cash flows.

We rely on data centers and other technologies and services provided by third parties in order to manage our cloud-based infrastructure and operate our business. If any of these services becomes unavailable or otherwise is unable to serve our requirements due to extended outages, interruptions, facility closure, or because it is no longer available on commercially reasonable terms, expenses could increase, our ability to manage finances could be interrupted and our operations otherwise could be disrupted or otherwise impacted until appropriate substitute services, if available, are identified, obtained, and implemented. We do not control, or in some cases have limited control over, the operation of the data center facilities we use, and they are vulnerable to damage or interruption from earthquakes, floods, fires, power loss, telecommunications failures and similar events. They may also be subject to break-ins, sabotage, intentional acts of vandalism and similar misconduct, to adverse events caused by operator error, and to interruptions, data loss or corruption, and other performance problems due to various factors, including introductions of new capabilities, technology errors, infrastructure changes, distributed denial of service attacks, or other security related incidents. For instance, in December 2017, researchers identified significant CPU architecture vulnerabilities commonly known as "Spectre" and "Meltdown" that have required software updates and patches, including for providers of public cloud services, to mitigate such vulnerabilities and such updates and patches have required servers to be offline and potentially slow their performance. We may not be able to rapidly switch to new data centers or move customers from one data center to another in the event of any adverse event. Despite precautions taken at these facilities, the occurrence of a natural disaster, an act of terrorism or other act of malfeasance, a decision to close the facilities without adequate notice or other unanticipated problems at these facilities could result in lengthy interruptions in our service and the loss or corruption of, or unauthorized access to or acquisition of, customer data. In addition, if we do not accurately predict our infrastructure capacity requirements, customers could experience service shortfalls. The provisioning of additional cloud hosting capacity and data center infrastructure requires lead time. As we continue to add data centers, restructure our data management plans, and increase capacity in existing and future data centers, we may be required to move or transfer our data and customers' data. Despite precautions taken during such processes and procedures, any unsuccessful data transfers may impair customers' use of our platform, and we may experience costs or downtime in connection with the transfer of data to other facilities, which may lead to, among other things, customer dissatisfaction and non-renewals. The owners of our data center facilities have no obligation to renew their agreements with us on commercially reasonable terms, or at all. If we are unable to renew these agreements on commercially reasonable terms, we may be required to transfer to new data center facilities, and we may incur significant costs and possible service interruption in connection with doing so. Our ability to provide services and solutions to customers also depends on our ability to communicate with customers through the public internet and electronic networks that are owned and operated by third parties. In addition, in order to provide services on-demand and promptly, our computer equipment and network servers must be functional 24 hours per day, which requires access to telecommunications facilities managed by third parties and the availability of electricity, which we do not control. A severe disruption of one or more of these networks or facilities, including as a result of utility or third-party system interruptions, could impair our ability to process information and provide services to our customers. Any unavailability of, or failure to meet our requirements by, third-party data centers or other third-party technologies or services, or any disruption of the internet or the third-party networks or facilities that we rely upon, could impede our ability to provide services to customers, harm our reputation, result in a loss of customers, cause us to issue refunds or service credits to customers, subject us to potential liabilities, result in contract terminations, and adversely affect our renewal rates. Any of these circumstances could adversely affect our business and operating results.

We rely on our reputation and recommendations from key customers in order to promote subscriptions to our platform. The loss of, or failure to renew by, any of our key customers could have a significant effect on our revenue, reputation and our ability to obtain new customers. In addition, acquisitions of our customers could lead to cancellation of such customers' contracts, thereby reducing the number of our existing and potential customers.

To increase our revenue, we must add new customers. Demand for our platform is affected by a number of factors, many of which are beyond our control, such as continued market acceptance of our platform for existing and new use cases, the timing of development and release of new applications and features, technological change, growth or contraction in our addressable market, and accessibility across mobile devices, operating systems, and applications, and macroeconomic changes, including the impact of public health epidemics or pandemics on the demand for technology solutions like ours. In addition, if competitors introduce lower cost or differentiated products or services that are perceived to compete with our features, our ability to sell our features based on factors such as pricing, technology and functionality could be impaired. As a result, we may be unable to attract new customers at rates or on terms that would be favorable or comparable to prior periods, which could negatively affect the growth of our revenue. Even if we do attract customers, the cost of new customer acquisition may prove so high as to prevent us from achieving or sustaining profitability. We recognize subscription revenue ratably over the term of the subscription period. In general, customer acquisition costs and other upfront costs associated with new customers are much higher in the first year than the aggregate revenue we recognize from those new customers in the first year. As a result, the profitability of a customer to our business in any particular period depends in part upon how long a customer has been a subscriber and the degree to which it has expanded its usage of our platform. Additionally, we intend to continue to hire additional sales personnel to grow our domestic and international operations. If our sales and marketing efforts do not result in substantial increases in revenue, our business, results of operations, and financial condition may be adversely affected.

Limited liquidity, defaults, non-performance or other adverse developments affecting financial institutions or parties with which we do business, or perceptions regarding these or similar risks, have in the past and may in the future lead to market-wide liquidity problems. Such developments, and their effects on the broader financial system, could result in a variety of material and adverse impacts on our business operations and financial conditions, including, but not limited to: - delayed access to deposits or other financial assets or the uninsured loss of deposits or other financial assets;- loss of access to revolving existing credit facilities or other working capital sources or the inability to refund, roll over or extend the maturity of, or enter into new credit facilities or other working capital resources;- potential or actual breach of obligations, including U.S. federal and state wage laws and contracts that may require us to maintain letters or credit or other credit support arrangements; and - termination of cash management arrangements or delays in accessing or actual loss of funds subject to cash management arrangements. For example, on March 10, 2023, Silicon Valley Bank (SVB) was closed and placed in receivership and subsequently, additional financial institutions have been placed into receivership. Prior to SVB's closure, we had approximately $12.4 million in deposit accounts with SVB and an additional $18.3 million subject to SVB sweep account arrangements (with amounts held in custodial accounts with third-party financial institutions). As a result of U.S. government intervention, we subsequently regained access to our accounts at SVB, and Silicon Valley Bridge Bank has assumed SVB's obligations to honor our standby letter of credit. However, there remains significant uncertainty surrounding the impact of these bank closures on the broader financial system. Moreover, there is no guarantee that the U.S. government will intervene to provide access to uninsured funds in the future in the event of the failure of other financial institutions, or that they would do so in a timely fashion. In such an event, parties with which we have commercial agreements, including customers and suppliers, may be unable to satisfy their obligations to, or enter into new commercial arrangements with us. Concerns regarding the U.S. or international financial systems could impact the availability and cost of financing, thereby making it more difficult for us to acquire financing on acceptable terms or at all. In addition, instability in the financial services industry could spur a deterioration in the macroeconomic environment and dampen demand for our products. Any of these risks could materially impact our operating results, liquidity, financial condition and prospects.

We receive, store, and otherwise process personal information and other data from and about customers and other individuals in addition to our employees and service providers. Our handling of data is subject to a variety of laws and regulations, including regulation by various government agencies, such as the U.S. Federal Trade Commission (FTC) and various state, local, and foreign agencies. Our data handling also is subject to contractual obligations and may be alleged or deemed to be subject to industry standards, including certain industry standards that we undertake to comply with. In the United States, various laws and regulations apply to the collection, disclosure, and other processing of certain types of data, including with respect to security measures used to protect such data. Additionally, the FTC and many state attorneys general are interpreting federal and state consumer protection laws as imposing standards for the collection, use, dissemination, security, and other processing of data. The laws and regulations relating to privacy and data security are evolving, can be subject to significant change, and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. For example, California in 2018 enacted the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. The CCPA requires covered companies to, among other things, provide disclosures to California consumers and afford such consumers new abilities to opt-out of certain sales of personal information. Additionally, the California Privacy Rights Act (CPRA) was approved by California voters in the November 3, 2020 election. The CPRA amends and expands the CCPA in numerous respects, including by expanding the CCPA's private right of action. The CPRA created additional obligations relating to consumer data beginning on January 1, 2022, and became effective January 1, 2023. Following enactment of the CCPA, many other states have adopted or considered privacy legislation, many of which are comprehensive laws similar to the CCPA and CPRA. For example, Virginia, Colorado, Utah, and Connecticut have adopted such legislation that became effective in 2023, Texas, Montana, Oregon, and Florida have adopted such legislation that will become effective in 2024, Delaware, Iowa and Tennessee have adopted such legislation that will become effective in 2025, and Indiana has adopted such legislation that will become effective in 2026. Broad federal privacy legislation has also been proposed. Additionally, states have adopted other laws and regulations relating to privacy and information security, such as Washington's My Health, My Data Act, which includes a private right of action. These and other new and evolving laws and regulations relating to privacy in the U.S. could increase our potential liability and adversely affect our business. Aspects of these laws and regulations and their interpretation and enforcement remain uncertain. We cannot fully predict the impact of these or other new and evolving laws and regulations relating to privacy and information security on our business or operations, but they may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply. In addition, several foreign countries and governmental bodies, including the E.U., as well as the United Kingdom, Australia, Brazil, the People's Republic of China (the PRC), India, and Japan, where we maintain offices or other operational presences, have laws and regulations dealing with the handling and processing of personal data obtained from their residents, which in certain cases are more restrictive than those in the United States. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, security, disclosure, and other processing of various types of data, including data that identifies or may be used to identify an individual. Such laws and regulations may be modified or subject to new or different interpretations, and new laws and regulations may be enacted in the future. Within the E.U., in May 2018, a far-reaching regulation governing data and privacy practices called the General Data Protection Regulation (GDPR) became effective. The GDPR includes stringent operational requirements for processors and controllers of personal data and imposes significant penalties for non-compliance of up to the greater of €20 million or 4% of global annual revenues. Complying with the GDPR, the CCPA, and other laws and regulations governing privacy, data protection, and information security may cause us to incur substantial operational costs or require us to modify our data handling practices. Actual or alleged non-compliance could result in proceedings against us by governmental entities or others (including a private right of action for affected individuals in certain instances) and substantial penalties, fines, and other liabilities, and may otherwise adversely impact our business, financial condition, and operating results. Further, the United Kingdom has enacted a Data Protection Act and a version of the GDPR referred to as the UK GDPR that, collectively, substantially implement the GDPR in the United Kingdom and provide for penalties of up to the greater of £17.5 million and 4% of total annual revenue. Uncertainty remains, however, regarding aspects of data protection in the United Kingdom in the medium to long term, and the United Kingdom is contemplating new data protection legislation. On June 28, 2021, the European Commission announced a decision of "adequacy" concluding that the United Kingdom ensures an equivalent level of data protection to the GDPR, which provides some relief regarding the legality of continued personal data flows from the European Economic Area to the United Kingdom. This adequacy determination must be renewed after four years, however, and may be modified or revoked in the interim. Further, United Kingdom data protection law imposes restrictions on personal data transfers to the U.S., similar to those imposed by the GDPR, and the United Kingdom's Information Commissioner's Office issued new standard contractual clauses, effective March 21, 2022, that are required to be implemented. We previously were certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield with respect to our transfer of certain personal data from the E.U. and Switzerland to the United States. The E.U.-U.S. Privacy Shield framework and the use of E.U. Standard Contractual Clauses (the SCCs) to protect data exports between the E.U. and the U.S. have been subject to legal challenges in the E.U, and on July 16, 2020, the Court of Justice of the European Union (the CJEU), Europe's highest court, held in the "Schrems II" case that the E.U.-U.S. Privacy Shield was invalid, and imposed additional obligations in connection with the use of the SCCs. The Swiss data protection and information commissioner concluded that the Swiss-U.S. Privacy Shield was invalid on similar grounds in September 2020. The European Commission issued new SCCs on June 4, 2021, addressing aspects of the CJEU's opinion in the Schrems II case, which were required to be implemented. The European Commission and United States agreed in principle in March 2022 to a new EU-U.S. Data Privacy Framework (DPF), which would permit transfers of personal data from the E.U. to the U.S., by participating entities. The European Commission adopted an adequacy decision with respect to the DPF in July 2023, allowing for the DPF to be implemented and available for companies to use to legitimize transfers of personal data from the E.U. to the U.S. We have self-certified to the DPF and to the Swiss-U.S. Data Privacy Framework (the Swiss DPF). Each of these frameworks may be subject to legal challenge. Additionally, the European Commission's adequacy decision regarding the DPF provides that it will be subject to future reviews and may be subject to suspension, amendment, repeal, or limitations to its scope by the European Commission. We and many other companies may need to implement different or additional measures to establish or maintain legitimate means for the transfer and receipt of personal data from the E.U., Switzerland, and the United Kingdom to the U.S., and we may, in addition to other impacts, be required to engage in additional contractual negotiations and experience additional costs associated with increased compliance burdens, and we and our customers face the potential for regulators to apply different standards to the transfer of personal data from the E.U., Switzerland and the United Kingdom to the U.S., and to block or require additional measures taken with respect to certain data flows from the E.U., Switzerland, and the United Kingdom to the U.S. We and our customers may face a risk of enforcement actions by data protection authorities in the E.U. and other jurisdictions relating to personal data transfers. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel and negatively affect our business, operating results, and financial condition. We may be at risk of experiencing reluctance or refusal of European or multi-national customers to use our solutions and being subject to regulatory action or incurring penalties. Any of these developments may have an adverse effect on our business. Other jurisdictions have adopted laws and regulations addressing privacy, data protection, and information security, many of which share similarities with the GDPR. For example, Law no. 13.709/2018 of Brazil, the Lei Geral de Proteção de Dados Pessoais (LGPD) entered into effect in 2020, authorizing a private right of action for violations. Penalties include fines of up to 2% of the organization's revenue in Brazil in the previous year or 50 million Brazilian reais. The LGPD applies to businesses (both inside and outside Brazil) that process the personal data of users who are located in Brazil. The LGPD provides users with similar rights as the GDPR regarding their data. Additionally, the Personal Information Protection Law (PIPL) of the PRC was adopted and went into effect in 2021. The PIPL shares similarities with the GDPR, including extraterritorial application, data minimization, data localization, and purpose limitation requirements, and obligations to provide certain notices and rights to PRC citizens. The PIPL allows for fines of up to 50 million renminbi or 5% of a covered company's revenue in the prior year. Additionally, we may be or become subject to data localization laws mandating that data collected in a foreign country be processed only within that country. These or other laws relating to privacy or data protection could require us to expand data storage facilities in foreign jurisdictions or to obtain new local data storage in such countries. The expenditures this would require, as well as costs of compliance generally, could harm our financial condition. The regulatory environment applicable to the collection, use, and other processing of personal data of residents of the E.U., United Kingdom, Switzerland, Brazil, the PRC, and other foreign jurisdictions, and our actions taken in response, may cause us to be required to undertake additional contractual negotiations, modify policies and procedures, and otherwise to assume additional liabilities or incur additional costs, and could result in our business, operating results, and financial condition being harmed. We enter into business associate agreements with our customers who require them in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act, and therefore we are directly subject to certain provisions of HIPAA applicable to business associates. We may collect and process protected health information as part of our designated service, which may subject us to a number of data protection, security, privacy, and other government- and industry-specific requirements. In addition, if we are unable to comply with our obligations relating to the protection and processing of protected health information, we could be found to have breached our contracts with customers with whom we have a business associate relationship. Noncompliance with laws and regulations relating to privacy and security of personal information, including HIPAA, or with contractual obligations, including under any business associate agreement, may lead to significant fines, civil and criminal penalties, and other liabilities. The U.S. Department of Health and Human Services (HHS) audits the compliance of business associates and enforces HIPAA privacy and security standards. HHS enforcement activity has increased in recent years and HHS has signaled its intent to continue this trend. In addition to HHS, state attorneys general are authorized to bring civil actions seeking either injunctions or damages to the extent violations implicate the privacy of state residents. Federal, state, and foreign laws, regulations, and other actual or asserted obligations relating to privacy, data protection, or information security may be interpreted and applied in manners that are, or are alleged to be, inconsistent with our practices. Any failure or perceived failure by us to comply with federal, state, or foreign laws, regulations, policies, legal or contractual obligations, industry standards, regulatory guidance or other actual or asserted obligations relating to privacy, data protection, information security, marketing, or consumer communications may result in governmental investigations and enforcement actions, claims, demands, and litigation by private entities, fines, penalties, and other liabilities, harm to our reputation and adverse publicity, and could cause our customers and partners to lose trust in us, which could materially affect our business, operating results, and financial condition. We expect that there will continue to be new laws, regulations, industry standards and other actual and asserted obligations relating to privacy, data protection, marketing, consumer communications, and information security proposed and enacted or otherwise implemented in the United States, the E.U., and other jurisdictions, and we cannot fully predict the impact such future laws, regulations, standards, and obligations may have on our business. Future laws, regulations, standards, and other actual or asserted obligations, or any changed interpretation of existing laws or regulations could impair our ability to develop and market new features and maintain and grow our customer base and increase revenue. Future restrictions on the collection, use, sharing, disclosure, or other processing of data could require us to incur additional costs or modify our platform, possibly in a material manner, which we may be unable to achieve in a commercially reasonable manner or at all, and which could limit our ability to develop new features. In addition to the privacy regulations described above, our business is also subject to contractual obligations to maintain compliance with leading security frameworks and standards such as AICPA's SOC 1 and SOC 2; International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standards for ISO 27001 and ISO 27018; HITRUST Alliance's HITRUST CSF; and Texas Department of Information Resources' TX-RAMP certification. Annually, we also perform an internal/self-analysis of our adherence to the requirements stated in Australian Cyber Security Center (ASCS)'s IRAP framework and UK's National Cyber Security Centre's Cyber Essentials. Any failure or perceived failure by us to comply with these contractual obligations, industry standards, regulatory guidance or other actual or asserted obligations relating to privacy, data protection and information security may result in loss of certification, governmental investigations and enforcement actions, claims, demands, and litigation by private entities, fines, penalties, and other liabilities, harm to our reputation and adverse publicity, and could cause our customers and partners to lose trust in us, which could materially affect our business, operating results, and financial condition.

As of January 31, 2024, we had net operating loss (NOL) carryforwards for federal and state income tax purposes of approximately $1,178.3 million and $1,352.8 million, respectively, which may be available to offset taxable income in the future. The federal NOLs will begin to expire in various years beginning in 2032 if not utilized. The state NOLs will expire depending on the various rules in the state jurisdictions in which we operate. A lack of future taxable income could adversely affect our ability to utilize these NOLs before they expire. In general, under Section 382 of the Internal Revenue Code of 1986, as amended (the Code), a corporation that undergoes an "ownership change" (as defined under Section 382 of the Code and applicable Treasury Regulations) is subject to limitations on its ability to utilize its pre-ownership change NOLs to offset its future taxable income. An ownership change under Section 382 of the Code could affect our ability to utilize the NOLs to offset our income. Furthermore, our ability to utilize NOLs of companies that we have acquired or may acquire in the future may be subject to limitations. We have historically contracted third parties to perform a Section 382 analysis to evaluate limitations on our NOLs due to ownership changes, with the most recent analysis being through January 31, 2023. There is also a risk that due to regulatory changes, such as suspensions on the use of NOLs or other unforeseen reasons, our existing NOLs could expire or otherwise be unavailable to reduce future income tax liabilities for federal and state tax purposes. For these reasons, we may not be able to utilize a material portion of our NOLs, even if we attain profitability, which could potentially result in increased future tax liability to us and could adversely affect our operating results and financial condition.