JFrog (FROG) Risk Analysis

We make a limited-functionality version of JFrog Artifactory that only supports Java-based packages, and also lacks other features required for organization-wide adoption by DevOps teams, available under an open source license, the Affero General Public License version 3.0 ("AGPL"). The AGPL grants licensees broad freedom to view, use, copy, modify, and redistribute the source code of this limited version of JFrog Artifactory. Anyone can download a free copy of this limited version of JFrog Artifactory from the Internet, and we neither know who all of our AGPL licensees are, nor have visibility into how JFrog Artifactory is being used by licensees, so our ability to detect violations of the open source license is extremely limited. The AGPL has a "copyleft" requirement that further distribution of AGPL-licensed software and modifications or adaptations to that software be made available pursuant to the AGPL as well. This leads some commercial enterprises to consider AGPL-licensed software to be unsuitable for commercial use. However, the AGPL would not prevent a commercial licensee from taking this open source version of JFrog Artifactory under AGPL and using it for internal purposes for free. AGPL also would not prevent a commercial licensee from taking this open source version of JFrog Artifactory under AGPL and using it to compete in our markets by providing it for free. This competition can develop without the degree of overhead and lead time required by traditional proprietary software companies, due to the permissions allowed under AGPL. It is also possible for competitors to develop their own software based on our open source version of JFrog Artifactory. Although this software would also need to be made available for free under the AGPL, it could reduce the demand for our products and put pricing pressure on our subscriptions. We cannot guarantee that we will be able to compete successfully against current and future competitors, some of which may have greater resources than we have, or that competitive pressure or the availability of new open source software will not result in price reductions, reduced operating margins, and loss of market share, any one of which could harm our business, financial condition, results of operations, and cash flows.

Although our products do not involve the processing of large amounts of personal data or personal information, our platform and products support customers' software, which may involve the processing of large amounts of personal data, personal information, and information that is confidential or otherwise sensitive or proprietary. Data security incidents affecting widely trusted data security architecture (such as historical incidents affecting SolarWinds Orion, the incident involving Accellion FTA, the incident affecting Microsoft Exchange, the incident affecting Kaseya VSA, the incident involving Log4j, the software update incident involving CrowdStrike – none of which have directly affected us) may increase customer expectations regarding the security, testing, and compliance documentation of our platform and products for secure software development operations, management, automation, and releases. In addition, these or other incidents may trigger new laws and regulations that increase our compliance burdens, add reporting obligations, or otherwise increase costs for oversight and monitoring of our platform, products, and supply chain. We do collect and store certain sensitive and proprietary information, and to a lesser degree, personal data and personal information, in the operation of our business. This information includes trade secrets, intellectual property, employee data, and other confidential data. We have taken measures to protect our own sensitive and proprietary information, personal data, and personal information, as well as such information that we otherwise obtain, including from our customers. We also engage vendors and service providers to store and otherwise process some of our and our customers' data, including sensitive and proprietary information, personal data, and personal information. Our vendors and service providers have been and, in the future may be, the targets of cyberattacks, malicious software, supply chain attacks, phishing schemes, fraud, and other risks to the confidentiality, security, and integrity of their systems and the data they process for us. Our ability to monitor our vendors and service providers' data security is limited, and, in any event, third parties may be able to circumvent those security measures, resulting in the unauthorized or unlawful access to, misuse, disclosure, loss, acquisition, corruption, unavailability, alteration, modification, or destruction of our and our customers' data, including sensitive and proprietary information, personal data, and personal information. Security breaches and other security incidents that affect us may result from employee or contractor error or negligence or those of vendors, service providers, and strategic partners on which we rely. These attacks may come from individual hackers, criminal groups, and state-sponsored organizations. There have been and may continue to be significant supply chain attacks, and we cannot guarantee that our or our vendors or service providers' systems and networks have not been breached or that they do not contain exploitable vulnerabilities, defects, or bugs that could result in a breach of or disruption to our systems and networks or the systems and networks of third parties that support us and our services. In addition, our customers and users may also disclose or leak their passwords, API keys, or secrets that could lead to unauthorized access to their accounts and data, including information about their software, source code, and security environment, stored within our products. As we continue to expand the products that we can offer our customers, including through the acquisition of complementary businesses, such as our acquisition of Vdoo in 2021 and our acquisition of Qwak in July 2024, and through internal development, such as developing new security services, our products will likely have access to more sensitive and personal information of our customers, which could result in greater adverse effects from security breaches and other security incidents. Also, our expansion into new services and products could subject us to additional regulations. In addition, we are subject to other laws and regulations that obligate us to employ reasonable security measures. From time to time, we do identify product vulnerabilities, including through our bug bounty program. Certain vulnerabilities under certain circumstances could be exploited if our customers do not patch vulnerable versions of the product. In the future, we also may experience security breaches, including breaches resulting from a cybersecurity attack, phishing attack, or other means, including unauthorized access, unauthorized usage, malware, or similar breaches or disruptions. We incur significant costs in an effort to detect and prevent security breaches and other security-related incidents, including those to secure our product development, test, evaluation, and deployment activities, and we expect our costs will increase as we make improvements to our systems and processes to prevent future breaches and incidents. Despite our efforts, our systems and those of our vendors, service providers, and strategic partners also are potentially vulnerable to computer malware, malicious access or delivery of ransomware or other malicious software to our customers, AI risks, viruses, computer hacking, fraudulent use, social engineering attacks, phishing attacks, ransomware attacks, credential stuffing attacks, denial-of-service attacks, unauthorized access, exploitation of bugs, defects, and vulnerabilities, breakdowns, damage, interruptions, system malfunctions, power outages, terrorism, acts of vandalism, failures, security breaches and incidents, inadvertent or intentional actions by our employees, contractors, consultants, partners, and/or other third parties, and other real or perceived cyberattacks. Our risks of cyberattacks and other sources of security breaches and incidents, and those faced by our vendors, service providers, and strategic partners, may be heightened in connection with the war between Israel, Hamas and Hezbollah, the regional conflict in the Middle East, the war between Russia and Ukraine, and other associated geopolitical tensions and regional instability. Any of these incidents or any compromise of our security or any unauthorized access to or breaches of the security of our or our service providers' systems or data processing tools or processes, or of our platform and product offerings, as a result of third-party action, employee error, vulnerabilities, defects or bugs, malfeasance, or otherwise, could result in unauthorized or unlawful access to, misuse, disclosure, loss, acquisition, corruption, unavailability, alteration, modification, or destruction of our and our customers' data, including sensitive and proprietary information, personal data and personal information, or a risk to the security of our or our customers' systems. We, our vendors, service providers, and strategic partners may be unable to anticipate these techniques and vulnerabilities, react, remediate, or otherwise address any security breach or other security incident in a timely manner, or implement adequate preventative measures. We may be more susceptible to security breaches and other security incidents in view of many of our employees and employees of our service providers working remotely, because we and our service providers have less capability to implement, monitor, and enforce our information security and data protection policies for those employees. Based on the examples set in other recent incidents, the more widespread our platform and products become, the more they may be viewed by malicious cyber threat actors as an attractive target for such an attack. We and our service providers may be unable to anticipate these techniques, react, remediate, or otherwise address any security breach or other security incident in a timely manner, or implement adequate preventative measures. In the past, we have experienced vulnerabilities, none of which led to account takeover and all such known vulnerabilities have been remedied. A security breach or other incident could result in reputational damage, litigation, regulatory investigations and orders, loss of business, indemnity obligations, damages for contract breach, penalties for violation of applicable laws, regulations, or contractual obligations, and significant costs, fees, and other monetary payments for remediation, including in connection with forensic examinations and costly and burdensome breach notification requirements. Any belief by customers or others that a security breach or other incident has affected us or any of our vendors or service providers, even if a security breach or other incident has not affected us or any of our vendors or service providers or has not actually occurred, could have any or all of the foregoing impacts on us, including damage to our reputation. Even the perception of inadequate security may damage our reputation and negatively impact our ability to gain new customers and retain existing customers. In the event of any such breach or incident, we could be required to expend significant capital and other resources to address our or our vendor or service provider's incident. Considering the SolarWinds Orion incident and the Kaseya VSA incident, if our products were compromised in a way that offered a means of malicious access or delivery of ransomware or other malicious software to our customers, the impact of such an incident would likely be significant. Techniques used to sabotage or obtain unauthorized access to systems or networks are constantly evolving and, in some instances, are not identified until launched against a target. For example, AI technologies may be used in connection with certain cybersecurity attacks, resulting in heightened risks of security breaches and incidents. We and our vendors and service providers may be unable to anticipate these techniques, react, remediate, or otherwise address any security breach or other security incident in a timely manner, or implement adequate preventative measures. In addition, laws, regulations, government guidance, and industry standards and practices in the U.S. and elsewhere are rapidly evolving to combat these threats. We may face increased compliance burdens regarding such requirements with regulators and customers regarding our products and services and also incur additional costs for oversight and monitoring of our own supply chain. Further, any provisions in our customer and user agreements, contracts with our vendors and service providers, or other contracts relating to limitations of liability, may not be enforceable or adequate or otherwise protect us from any liabilities or damages with respect to any particular claim relating to a security breach or other security-related matter. While our insurance policies include liability coverage for certain of these matters, subject to applicable deductibles, if we experienced a widespread security breach or other incident that impacted a significant number of our customers, we could be subject to indemnity claims or other damages that exceed our insurance coverage. If such a breach or incident occurred, our insurance coverage might not be adequate for data handling or data security liabilities actually incurred, such insurance may not continue to be available to us in the future on economically reasonable terms, or at all, and insurers may deny us coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.

Our products are often operated in large scale, complex IT environments. Our customers and some partners require training and experience in the proper use of and the benefits that can be derived from our products to maximize their potential. If users of our products do not implement, use, or update our products correctly or as intended, then inadequate performance and/or security vulnerabilities may result. Because our customers rely on our products to manage a wide range of operations, the incorrect implementation, use of, or our customers' failure to update, our products or our failure to train customers on how to use our products productively has in the past and may in the future result in customer dissatisfaction and negative publicity and may adversely affect our reputation and brand. Our failure to effectively provide training and implementation services to our customers could result in lost opportunities for follow-on sales to these customers and decrease subscriptions by new customers, which would adversely affect our business and growth prospects.

We expect to derive a significant portion of our revenue from renewals of existing subscriptions. Our customers have no contractual obligation to renew their subscriptions after the completion of their subscription term. Our self-managed subscriptions are offered on an annual and multi-year basis, while our SaaS subscriptions are offered on a monthly, annual, and multi-year basis and can consist of fixed and usage-based fees. Our customers' renewals may decline or fluctuate as a result of a number of factors, including their satisfaction with our products and our customer support, the frequency and severity of product outages, our product uptime or latency, the pricing of our, or competing, products, additional new features and capabilities that we offer, new integrations, and updates to our products as a result of updates by technology partners. If our customers renew their subscriptions, they may renew for shorter subscription terms or on other terms that are less economically beneficial to us. We may not accurately predict future renewal trends. If our customers do not renew their subscriptions, or renew on less favorable terms, our revenue may grow more slowly than expected or decline.

Our subscription agreements typically contain service-level commitments. If we are unable to meet the stated service-level commitments, including failure to meet the uptime and response time requirements under our customer subscription agreements, we may be contractually obligated to provide these customers with certain credits which could significantly affect our revenue in the periods in which the failure occurs and the credits are applied. We could also face subscription terminations and a reduction in renewals, which would significantly affect our future revenue. We offer multiple tiers of subscriptions to our products and as such our service-level commitments will increase if more customers choose subscriptions of JFrog Pro X, JFrog Enterprise X, and JFrog Enterprise Plus. Any service-level failures could also damage our reputation, which could also adversely affect our business, financial condition, and results of operations.

In some cases, our software is subject to export control laws and regulations, including the Export Administration Regulations administered by the U.S. Department of Commerce, and our activities may be subject to trade and economic sanctions, including those administered by the United States Department of the Treasury's Office of Foreign Assets Control ("OFAC") (collectively, "Trade Controls"). As such, a license may be required to export or re-export our products, or provide related services, to certain countries and end-users, and for certain end-uses. Further, our products incorporating encryption functionality may be subject to special controls applying to encryption items and/or certain reporting requirements. While we take precautions and maintain procedures to prevent our products and solutions from being exported in violation of these laws, we cannot guarantee that the precautions we take will prevent violations of export control and sanctions laws. We are currently working to enhance these procedures, with which failure to comply could subject us to both civil and criminal penalties, including substantial fines, possible incarceration of responsible individuals for willful violations, possible loss of our export or import privileges, and reputational harm. Further, the process for obtaining necessary licenses may be time-consuming or unsuccessful, potentially causing delays in sales or losses of sales opportunities. Trade Controls are complex and dynamic regimes, and monitoring and ensuring compliance can be challenging, particularly given that our products are widely distributed throughout the world and are available for download without registration. Although we have no knowledge that our activities have resulted in violations of Trade Controls, any failure by us or our partners to comply with applicable laws and regulations would have negative consequences for us, including reputational harm, government investigations, and penalties. In addition, various countries regulate the import of certain encryption technology, including through import permit and license requirements, and have enacted laws that could limit our ability to distribute our products or could limit our end-customers' ability to implement our products in those countries. Changes in our products or changes in export and import regulations in such countries may create delays in the introduction of our products into international markets, prevent our end-customers with international operations from deploying our products globally or, in some cases, prevent or delay the export or import of our products to certain countries, governments, or persons altogether. Any change in export or import laws or regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing export, import or sanctions laws or regulations, or change in the countries, governments, persons, or technologies targeted by such export, import, or sanctions laws or regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential end-customers with international operations. Any decreased use of our products or limitation on our ability to export to or sell our products in international markets could adversely affect our business, financial condition, and results of operations.

The tax laws applicable to our business, including the laws of Israel, the U.S., and other jurisdictions, are subject to interpretation and certain jurisdictions may aggressively interpret their laws in an effort to raise additional tax revenue. The tax authorities of the jurisdictions in which we operate may challenge our methodologies for valuing developed technology or intercompany arrangements or our revenue recognition policies, which could increase our worldwide effective tax rate and harm our financial position and results of operations. It is possible that tax authorities may disagree with certain positions we have taken and any adverse outcome of such a review or audit could have a negative effect on our financial position and results of operations. Further, the determination of our worldwide provision for income taxes and other tax liabilities requires significant judgment by management, and there are transactions where the ultimate tax determination is uncertain. Although we believe that our estimates are reasonable, the ultimate tax outcome may differ from the amounts recorded in our consolidated financial statements and may materially affect our financial results in the period or periods for which such determination is made. In addition, we typically invoice customers for the full contract amount at the time of entering into a contract, but recognize revenue over the term of the subscription period. Applicable tax authorities may challenge our tax reporting position and may accelerate our tax obligation based on cash received, which may materially affect our financial results.

The war between Israel, Hamas and Hezbollah, and regional conflict in the Middle East, the war between Russia and Ukraine, and other areas of geopolitical tension around the world continue to impact worldwide economic activity and financial markets. As a result, we could experience disruptions in our business or the business of our partners, customers, or the economy as a whole, any of which could adversely affect and could materially adversely impact our business, results of operations, and overall financial condition in future periods. The extent and continued impact of the war between Israel, Hamas and Hezbollah, the regional conflict in the Middle East, the Russia-Ukraine war, and related global economic disruptions on our operational and financial condition will depend on certain developments, including: government responses to the wars; the impact of the wars on our customers and our sales cycles; their impacts on customer, industry, or technology-based community events; and their effect on our partners, some of which are uncertain, difficult to predict, and not within our control. General economic conditions and disruptions in global markets due to the war between Israel, Hamas and Hezbollah, the regional conflict in the Middle East, the Russia-Ukraine war, and other areas of geopolitical tension around the world, and any actions taken by governmental authorities and other third parties in response may also affect our future performance. As of the date of this Annual Report on Form 10-K, the full impact of the war between Israel, Hamas and Hezbollah, the regional conflict in the Middle East, the war between Russia and Ukraine, and related global economic disruptions on our financial condition and results of operations remains uncertain. Furthermore, because of our subscription-based business model, the impact of these factors may not be fully reflected in our results of operations and overall financial condition until future periods, if at all.

Our primary research and development operations are located in Israel. As of December 31, 2024, we had customers located in over 90 countries, and our strategy is to continue to expand internationally. In addition, as a result of our strategy of leveraging a distributed workforce. As of December 31, 2024, we had employees located primarily in ten countries. Our current international operations involve, and we expect future initiatives will involve, a variety of risks, including: - challenges inherent to efficiently managing an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, benefits, and compliance programs;- different labor regulations, especially in Israel, the EU and India, where labor laws are generally more advantageous to employees as compared to the U.S., including differing hourly wages and overtime regulations in these locations;- exposure to many stringent and potentially inconsistent worldwide and industry-specific laws and regulations applicable to JFrog, directly or through customer contractual obligations relating to privacy, data protection, cybersecurity, AI, and data security;- unexpected changes in practices, tariffs, export quotas, custom duties, trade disputes, tax laws and treaties, particularly due to economic tensions and trade negotiations or other trade restrictions;- changes in a specific country's or region's political or economic conditions, such as the war between Israel, Hamas and Hezbollah, the regional conflict in the Middle East, the war between Russia and Ukraine and associated geopolitical tensions, as well as economic sanctions the U.S., the EU, and other countries have imposed on Russia and certain of its allies and the impact of the foregoing on the global economy;- risks resulting from changes in currency exchange rates, in particular, fluctuations in the value of the NIS compared to the U.S. dollar;- risks relating to the implementation of exchange controls, including restrictions promulgated by the OFAC, and other similar trade protection regulations and measures in the U.S., the EU, or in other jurisdictions;- reduced ability to timely collect amounts owed to us by our customers in countries where our recourse may be more limited;- slower than anticipated availability and adoption of cloud and hybrid infrastructures by international businesses;- limitations on our ability to reinvest earnings from operations derived from one country to fund the capital needs of our operations in other countries;- limited or unfavorable intellectual property protection; and - exposure to liabilities under anti-corruption and anti-money laundering laws, including the U.S. Foreign Corrupt Practices Act of 1977, as amended, and similar applicable laws and regulations in other jurisdictions. If we are unable to address these difficulties and challenges or other problems encountered in connection with our international operations and expansion, we may incur unanticipated liabilities or otherwise suffer harm to our business generally.

Given the global nature of our business, we have diversified U.S. and non-U.S. investments. Credit ratings and pricing of our investments can be negatively affected by liquidity, credit deterioration, financial results, economic risk, political risk, sovereign risk, or other factors. As a result, the value and liquidity of our investments may fluctuate substantially. Therefore, although we have not realized any significant losses on our investments, future fluctuations in their value could result in a significant realized loss.