Freshworks (FRSH) Risk Factors

In the ordinary course of business, we and the third parties upon which we rely collect, receive, access, store, process, generate, use, transfer, disclose, share, make accessible, protect, secure, and dispose of (collectively, Process or Processing) a large amount of information from our users, customers, and our own employees, including personal information and other sensitive and confidential information including proprietary and confidential business data, trade secrets, intellectual property, sensitive third-party data, business plans, transactions, and financial information (collectively, Sensitive Information). As a result, we and the third parties upon which we rely face a variety of evolving threats that could cause security incidents. Cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our sensitive data and information technology systems, and those of the third parties upon which we rely. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer "hackers," threat actors, "hacktivists," organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors. We and the third parties upon which we rely are susceptible to a variety of evolving threats, including, but not limited to, damage, disruptions, or shutdowns, software or hardware vulnerabilities, security incidents, server malfunctions, software bugs, ransomware attacks, social engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), supply-chain attacks, failures during the process of upgrading or replacing software, databases, or components, power outages, fires, natural disasters, hardware failures, malicious code (such as viruses, worms, spyware), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks, credential harvesting or stuffing, attacks by computer hackers, personnel misconduct or error, telecommunication failures, attacks enhanced or facilitated by AI, user errors (including non-employees who may have authorized access to our networks), user malfeasance, catastrophic events, or other similar threats. Some actors now engage and are expected to continue to engage in cyber-attacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major geopolitical conflicts, we and the third parties upon which we rely may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our services. While we have implemented security measures, technical controls, and contractual precautions designed to identify, detect, and prevent unauthorized Processing of Sensitive Information, our security measures, as well as those of our third-party service providers, could fail or may be insufficient, resulting in the unauthorized access to or the disclosure, modification, misuse, unavailability, destruction, or loss of our or our customers' data or other Sensitive Information. Ransomware attacks in particular are becoming increasingly prevalent and severe, and can lead to significant interruptions in operations, loss of Sensitive Information and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments, for example, due to applicable laws or regulations prohibiting such payments. Similarly, our reliance on third-party service providers could introduce new cybersecurity risks and vulnerabilities, including supply-chain attacks, and other threats to our business operations. We rely on third-party service providers and technologies to operate critical business systems to process sensitive data in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. We also rely on third-party service providers to provide other products, services, parts, or otherwise to operate our business. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties' infrastructure in our supply chain or our third-party partners' supply chains have not been compromised. Remote work has become more common and has increased risks to our information technology systems and data, as more of our employees utilize network connections, computers, and devices outside our premises or network, including working at home, while in transit and in public locations. Additionally, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. Despite our efforts to maintain the security, privacy, integrity, confidentiality, availability, and authenticity of our Processing, information, and IT networks and systems, we or our third-party vendors have not in the past and may not in the future be able to anticipate or implement effective preventive and remedial measures against all data security and privacy threats. No security solution, strategy, or measures can address all possible security threats or block all methods of penetrating a network or otherwise perpetrating a security incident. For example, we and our third-party providers have been in the past and may in the future be compromised by threats like those described above, and result in unauthorized, unlawful, or accidental Processing of our information, or vulnerabilities in the products or systems upon which we rely. The risk of unauthorized circumvention of our security measures or those of our third-party providers, customers, and partners has been heightened by advances in computer and software capabilities and the increasing sophistication of hackers who employ complex techniques. Because the techniques used by hackers change frequently, we may be unable to anticipate these techniques or implement adequate preventive measures to protect against them. Our applications, systems, networks, software, and physical facilities could have material vulnerabilities, be breached, or personal or confidential information could be otherwise compromised due to employee error or malfeasance, if, for example, third parties attempt to fraudulently induce our personnel or our customers to disclose information or usernames and/or passwords, or otherwise compromise the security of our networks, systems, and/or physical facilities. Third parties may also exploit vulnerabilities in, or obtain unauthorized access to, platforms, software, applications, systems, networks, Sensitive Information, and/or physical facilities utilized by our vendors. Additionally, although we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We take steps designed to detect and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties upon which we rely). We may not, however, detect and remediate all such vulnerabilities including on a timely basis. Further, we may experience delays in developing and deploying remedial measures designed to address any such identified vulnerabilities. Vulnerabilities could be exploited and result in a security incident. Following a breach of security or other incident, we cannot guarantee that recovery protocols and backup systems will be sufficient to prevent data loss or ensure that we are able to recover promptly any data rendered inaccessible. Additionally, breaches of security or other incidents can damage our reputation and brand, cause our business to suffer, and could require us to expend significant capital and other resources to alleviate problems caused by such breaches or incidents, and we could be exposed to risk of loss, litigation, or regulatory action, and other potential liability. Actual or perceived security breaches or attacks on our systems or those of our third-party service providers can cause us to incur increasing costs, including costs to deploy additional personnel and protection technologies, train employees, and engage third-party experts and consultants and may require notification under applicable data privacy regulations or contractual obligations, or for customer relations or publicity purposes, which could result in additional reputational harm, costly litigation (including class action litigation), material contract breaches, liability, settlement costs, loss of sales, regulatory scrutiny, actions or investigations, a loss of confidence in our business, systems and Processing, a diversion of management's time and attention, and significant fines, penalties, assessments, fees, and expenses. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. We continue to devote significant resources to protect against security breaches or other incidents, and we may need to devote significant resources in the future to address problems caused by breaches, including notifying affected individuals, regulators, investors, customers, or other relevant stakeholders of security incidents, and responding to any resulting litigation, which in turn, diverts resources from the growth and expansion of our business. Actual or anticipated security breaches, including a breach of the systems or networks of our third-party providers, could compromise our systems or networks, creating system outages, disruptions or slowdowns and exploiting security vulnerabilities of our networks. In addition, the information stored on our network, or the networks of our third-party providers could be accessed, publicly disclosed, altered, lost or stolen, which could subject us to liability and cause us financial harm. A breach of the security measures of one of our third-party providers could result in the destruction, modification or exfiltration of confidential corporate information or other data that may provide additional avenues of attack. Breaches or perceived breaches of our systems or networks or the systems or networks of our third-party providers, whether or not any such breach is due to a vulnerability in our platform, may also undermine confidence in us or our industry and result in damage to our reputation, negative publicity, loss of users, partners and sales, increased remediation costs, and costly litigation or regulatory fines. The costs to respond to a security breach and/or to mitigate any security vulnerabilities that may be identified could be significant, our efforts to address these problems may not be successful, and these problems could result in unexpected interruptions, delays, cessation of service, and other harm to our business and our competitive position. We could be required to fundamentally change our business activities and practices in response to a security breach or incident, or related regulatory actions or litigation, which could have an adverse effect on our business. We may not have adequate insurance coverage for security incidents or breaches, including fines, judgments, settlements, penalties, costs, attorney fees, and other impacts that arise out of incidents or breaches. If the impacts of a security incident or breach, or the successful assertion of one or more large claims against us exceeds our available insurance coverage, or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), it could have an adverse effect on our business. In addition, we cannot be sure that our existing insurance coverage, cyber coverage, and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to all or part of any future claim or loss (including, for example, as a result of the payment of ransomware) or that our insurance premiums will not increase as a result of any claims. Our risks are likely to increase as we continue to expand, grow our customer base, and Process increasingly large amounts of Sensitive Information. Additionally, policing unauthorized use of our know-how, technology and intellectual property is difficult and may not be effective. Despite our precautions, it may be possible for unauthorized third parties to copy our platform or technology and use information that we regard as proprietary to create products or services that compete with our offerings. Some of the provisions of our agreements that protect us against unauthorized use, copying, transfer and disclosure of our platform may be unenforceable under the laws of certain jurisdictions and foreign countries. Further, these agreements do not prevent our competitors from independently developing technologies that are substantially equivalent or superior to ours. We cannot guarantee that others will not independently develop technology with the same or similar functions to any proprietary technology we rely on to conduct our business and differentiate ourselves from our competitors. Unauthorized parties may also attempt to copy or obtain and use our technology to develop applications with the same functionality as our solutions. Any unauthorized disclosure or use of our trade secrets or other confidential proprietary information could make it more expensive to do business, thereby harming our operating results. In addition to experiencing a security incident, third parties may gather, collect, or infer Sensitive Information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position. Additionally, our Sensitive Information or our customers' Sensitive Information could be leaked, disclosed, or revealed as a result of or in connection with our employees', personnel's, or vendors' use of generative AI technologies. Some generative AI tools may be offered under terms that do not protect the confidentiality of the prompts or inputs that users submit to such tools, and even if the terms do include confidentiality protections, the vendors of these generative AI tools may fail to comply with their contractual obligations regarding the confidentiality or security of any data or other inputs provided to such vendor, or outputs generated by their generative AI tools. Additionally, the providers of generative AI tools could use inputs to further train the third parties' AI/ML model. Not all providers offer an option to opt-out of such usage, and, even where we do opt-out, we cannot guarantee that the opt-out will be fully effective. Additionally, where an AI/ML model ingests personal information and makes connections using such data, those technologies may reveal other personal or Sensitive Information generated by the model. We do not have formal policies and procedures in place to review and track our employees', personnel' and vendors' use of generative AI, and accordingly, these risks could be particularly difficult to eliminate or manage, and, if not addressed, could have a material adverse effect on our business, results of operations, financial condition, and future prospects. Moreover, AI/ML models may create flawed, incomplete, or inaccurate outputs, some of which may appear correct. This may happen if the inputs that the model relied on were inaccurate, incomplete or flawed (including if a bad actor "poisons" the AI/ML with bad inputs or logic), or if the logic of the AI/ML is flawed (a so-called "hallucination"). We may use AI/ML outputs to make certain decisions. Due to these potential inaccuracies or flaws, the model could be biased and could lead us to make decisions that could bias certain individuals (or classes of individuals), and adversely impact their rights, employment,and ability to obtain certain pricing, products, services, or benefits, including exposure to reputational and competitive harm, customer loss, and legal liability.

There is an increasing focus from certain investors, regulators, customers, employees, and other stakeholders concerning ESG matters. Some investors may use these non-financial performance factors to guide their investment strategies and, in some cases, may choose not to invest in us if they believe our policies and actions relating to ESG are inadequate. We may also face reputational damage in the event that we do not meet the ESG standards set by various constituencies. As ESG best practices and reporting standards continue to develop, we may incur increasing costs relating to ESG monitoring and reporting and complying with ESG initiatives. For example, proposed or adopted climate and other ESG reporting regulations from the SEC, California, and other jurisdictions may increase our compliance costs. Our disclosures on ESG matters or a failure to meet evolving stakeholder expectations for ESG practices and reporting may potentially harm our reputation and customer relationships. Due to new regulatory standards and market standards, certain new or existing customers, particularly those in the EU, may impose stricter ESG guidelines or mandates for, and may scrutinize relationships more closely with, their counterparties, including us, which may lengthen sales cycles or increase our costs. Furthermore, if our competitors' ESG performance is perceived to be better than ours, potential or current investors may elect to invest with our competitors instead. In addition, in the event that we communicate certain initiatives or goals regarding ESG matters, we could fail, or be perceived to fail, in our achievement of such initiatives or goals, or we could be criticized for the scope of such initiatives or goals. If we fail to satisfy the expectations of investors, customers, employees and other stakeholders or our initiatives are not executed as planned, our business, financial condition, results of operations, and prospects could be adversely affected.

We believe that the brand identity that we have developed has significantly contributed to the success of our business with our existing customer base. We also believe that maintaining and enhancing the "Freshworks" brand is critical to expanding our customer base and establishing and maintaining relationships with partners. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts and on our ability to ensure that our products remain high-quality, reliable, and useful at competitive prices, as well as with respect to our free trial version. Maintaining and enhancing our brand may require us to make substantial investments, and these investments may not be successful. If we fail to promote and maintain the "Freshworks" brand, or if we incur excessive expenses in this effort, our business, results of operations, and financial condition would be adversely affected. We anticipate that, as our market becomes increasingly competitive, maintaining and enhancing our brand may become more difficult and expensive.

Global economic and business activities continue to face widespread macroeconomic uncertainties, including inflation, supply chain disruptions, labor shortages, as well as recession risks, which may continue for an extended period and which have resulted and may in the future result in decreased business spending by our customers and prospective customers and business partners and third-party business partners, reduced demand for our products, lower renewal rates by our customers, longer or delayed sales cycles, including due to existing customers and prospective customers delaying contracts, entering into new subscriptions, renewing existing subscriptions, or reducing budgets related to the products that we offer, all of which could have an adverse impact on our business operations and financial condition. To the extent that macroeconomic uncertainties continue to harm our business, many of the other risks described in these risk factors may be exacerbated including but not limited to, those relating to our ability to increase sales to existing and new customers, develop and deploy new offerings and applications and maintain effective marketing and sales capabilities.

Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce, and the global economy, and thus could harm our business. Our business operations are subject to interruption by natural disasters such as earthquakes, monsoons, cyclones, floods, extreme heat, and other effects of climate change, pandemics such as COVID-19, and other catastrophic events such as fire, power loss, terrorism, political unrest, telecommunications failure, vandalism, cyberattacks, geopolitical instability, war, and other events beyond our control. The majority of our research and development activities, customer service operations, IT systems, and other critical business operations are located in India. Although we maintain disaster response plans, such events could require significant time to resume operations to deliver our services to our customers, could decrease demand for our services, could cause us to incur substantial expense and may cause reputational harm, delays in our sales efforts, delays in our products' development, breaches of data security, and loss of critical data, all of which would harm our business, results of operations, and financial condition. Acts of terrorism would also cause disruptions to the internet or the economy as a whole. In addition, the insurance we maintain would likely not be adequate to cover our losses resulting from disasters or other business interruptions. Our disaster recovery plan may not be sufficient to address all aspects or any unanticipated consequence or incident, and our insurance may not be sufficient to compensate us for the losses that could occur. In addition, the impacts of climate change on the global economy and the technology industry are rapidly evolving and unclear. While we seek to partner with organizations that mitigate their business risks associated with climate change, we recognize that there are inherent climate-related risks wherever business is conducted. Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our California headquarters has experienced, and may continue to experience, climate-related events at an increasing frequency and severity, including drought and air quality impacts and power shutoffs associated with wildfires and our India office has experienced, and may continue to experience, climate-related events, including cyclones, flooding, and heat waves. Climate-related events, including the increasing frequency of extreme weather events and their impact on the United States, India, Europe, and other major regions' critical infrastructure, have the potential to disrupt our business, our third-party suppliers and/or the business of our customers, and may cause us to experience higher attrition, losses and additional costs to maintain or resume operations. Regulatory developments, changing market dynamics and stakeholder expectations regarding climate change may impact our business, financial condition and results of operations. Furthermore, we may be subject to increased costs, regulations, reporting requirements, standards or expectations regarding the environmental impacts of our business.

While we have historically transacted in U.S. dollars with our customers and vendors, we have transacted in some foreign currencies with such parties and for our payroll in those foreign jurisdictions where we have operations, and expect to continue to transact in more foreign currencies in the future. We actively manage the exposure of our foreign currency risk pursuant to our foreign currency risk management policy, however these efforts may not be successful. Fluctuations in the value of foreign currencies relative to the U.S. dollar, have in the past and may in the future continue to adversely affect our revenue, operating expenses and results of operations due to transactional and translational remeasurement that is reflected in our earnings. Specifically, our results of operations and cash flows are subject to currency fluctuations primarily in the Indian Rupee, British Pound and Euro against the U.S. dollar. These exposures may change over time as business practices evolve, economic and political conditions change and evolving tax regulations come into effect. Also, fluctuations in the values of foreign currencies relative to the U.S. dollar could make it more difficult to detect underlying trends in our business and results of operations. Additionally, global events as well as geopolitical developments, such as the conflict between Russia and Ukraine and the evolving events in Israel and Gaza, fluctuating commodity prices, trade tariff developments and inflation have caused, and may in the future cause, global economic uncertainty and uncertainty about the interest rate environment, which could amplify the volatility of currency fluctuations. In 2023, we entered into foreign exchange forward contracts to hedge a portion of our forecasted foreign currency expenses denominated in Indian Rupee. Our hedging program is designed to reduce, but does not eliminate, the risk that our earnings and cash flows may be adversely affected by changes in exchange rates. We may enter into other hedging transactions in the future if our exposure to foreign currency becomes more significant.

Our success depends largely upon the continued services and performance of our senior management and other key personnel. From time to time, there have been and may in the future be changes in our senior management team resulting from the hiring or departure of executives and key employees, which could disrupt our business. Our senior management and key employees are employed on an at-will basis. We currently do not have "key person" insurance on any of our employees. The loss of key personnel may cause disruptions in, and harm to, our operations and have an adverse effect on our ability to grow our business and our results of operations and financial condition. In addition, to execute our business model, we must attract and retain highly qualified personnel. Competition for executive officers, software engineers and product managers (particularly with AI and machine learning backgrounds), sales personnel, and other key personnel in our industry and in the San Francisco Bay Area, where our headquarters is located, in India where our engineering, product, and inside sales resources are concentrated, and in other locations where we maintain offices, is intense. As we become a more mature company, we may find our recruiting efforts more challenging. The incentives to attract, retain, and motivate employees provided by our equity awards, or by other compensation arrangements, may not be as effective as in the past. Many of the companies with which we compete for experienced personnel have greater resources than we have. In addition, to remain competitive in India, we must maintain our reputation as a premier employer in India, including by providing competitive wages and benefits. Our recruiting efforts may also be limited by laws and regulations, such as restrictive immigration laws, and restrictions on travel or availability of visas. Furthermore, any actual or perceived decline in the value of our equity awards as a result of volatility in our stock price could harm our hiring and retention efforts. If we do not succeed in attracting highly qualified personnel or retaining or motivating existing personnel, we may be unable to support our continued growth. We believe that a critical component of our success has been our culture. We have invested substantial time and resources in building out our team with an emphasis on shared values and a commitment to diversity and inclusion. As we continue to develop the infrastructure to support our growth, we will need to maintain our culture among a larger number of employees dispersed in various geographic regions, including those who may be working remotely outside of an office environment. Any failure to preserve our culture could negatively affect our future success, including our ability to retain and recruit personnel.

We rely on third parties maintaining open digital marketplaces, including the Apple App Store and Google Play, which make our mobile applications for our Freshdesk, Freshchat, Freshcaller, Freshservice, and Freshsales, products available for download. We cannot assure you that the marketplaces through which we distribute these mobile applications will maintain their current structures or that such marketplaces will not charge us fees to list our application for download. We are also dependent on these third-party marketplaces to enable us and our users to timely update these mobile applications, and to incorporate new features, integrations, and capabilities. In addition, Apple and Google, among others, for competitive or other reasons, could stop allowing or supporting access to our mobile applications through their products, could allow access for us only at an unsustainable cost, or could make changes to the terms of access in order to make our mobile applications less desirable or harder to access. Furthermore, the promulgation of new laws or regulations in the European Union (EU) and the United Kingdom (UK), such as the EU Digital Markets Act (DMA), EU Digital Services Act (DSA), and the UK Online Safety Act (OSA) that restrict or otherwise unfavorably impact the marketplaces through which we distribute our products could require us to change certain aspects of our business and operations. In addition, our products are enabled to allow our customers to use multiple communication methods with their consumers, including email, web widget, WhatsApp, SMS, and iMessage among others. To comply with the DMA, third parties may increase the cost of or otherwise limit our ability to integrate our products with certain communication methods.

We currently accept payments using a variety of methods, including credit card and debit card, and a large number of our customers authorize us to bill their credit card accounts through our third-party payment processing partners for subscriptions to our products. We are subject to regulations and compliance requirements, such as the payment card association operating rules and certification requirements, including the Payment Card Industry Data Security Standard (PCI-DSS) and rules governing electronic funds transfers, which could change or be reinterpreted to make it difficult or impossible for us to comply. If we (or a third-party processing payment card transactions on our behalf) suffer a security breach affecting payment card information, we may have to pay significant fines, penalties, and assessments arising out of the major card brands' rules and regulations, contractual indemnifications, or liability contained in merchant agreements and similar contracts, and we may lose our ability to accept payment cards for payment for our goods and services, which could materially impact our operations and financial performance. If customers pay for their subscription plans with stolen credit cards, we could incur substantial third-party vendor costs for which we may not be reimbursed or able to recover. Further, our customers provide us with credit card billing information online, and we do not review the physical credit cards used in these transactions, which increases our risk of exposure to fraudulent activity. We also incur chargebacks from the credit card companies for claims that the customer did not authorize the credit card transaction for subscription plans, something that we have experienced in the past. If the number of claims of unauthorized credit card transactions becomes excessive, we could be assessed substantial fines for excess chargebacks, and we could lose the right to accept credit cards for payment. In addition, credit card issuers may change merchant standards, including data protection and documentation standards, required to utilize their services from time to time. Our third-party payment processing partners must also maintain compliance with current and future merchant standards to accept credit cards as payment for our paid subscription plans. Substantial losses due to fraud or our inability to accept credit card payments would cause our customer base to significantly decrease and would harm our business.