Klaviyo, Inc. Class A (KVYO) Risk Analysis

For the years ended December 31, 2024, 2023, and 2022, our research and development expenses were 25.4%, 37.6%, and 22.0% of our revenue, respectively. Research and development projects can be technically challenging and expensive, particularly as we work to expand both the channels through which we offer our products and the use cases for our products beyond marketing. In addition, our products have varying associated communication sending costs, and our research and development team may not be able to mitigate the impact of growth in any of those higher-cost channels, such as SMS, by maintaining efficiency. The nature of research and development cycles may cause us to experience delays between the time we incur expenses associated with research and development and the time we are able to offer compelling products and generate revenue, if any, from this investment. Additionally, anticipated customer demand for a product we are developing could decrease after the development cycle has commenced, and we would nonetheless be unable to avoid substantial costs associated with the development of any such product. If we expend a significant amount of resources on research and development and our efforts do not lead to the successful introduction or improvement of products that are competitive in our current or future markets or if we do not spend our research and development budget efficiently or effectively on compelling innovation and technologies, our competitive advantage may be adversely affected, which could materially adversely affect our business, financial condition, and results of operations.

We compete in markets where there are a large number of patents, copyrights, trademarks, trade secrets, and other intellectual property and proprietary rights, as well as disputes regarding infringement of these rights. Many of the holders of patents, copyrights, trademarks, trade secrets, and other intellectual property and proprietary rights have extensive intellectual property portfolios and greater resources than we do to enforce their rights. As compared to our larger competitors, our patent portfolio is relatively undeveloped and may not provide a material deterrent to such assertions or provide us with a strong basis to counterclaim or negotiate settlements. Further, to the extent assertions are made against us by entities that hold patents but are not operating companies, our patent portfolio may not provide deterrence because such entities are not concerned with counterclaims. Any intellectual property claims, with or without merit, that we may become involved with may require us to do one or more of the following: - cease selling, licensing, or using products or features that incorporate the intellectual property rights that we allegedly infringe upon, misappropriate, or violate;- make substantial payments for legal fees, settlement payments, subscription fee refunds, or other costs or damages, including indemnification of third parties;- obtain a license or enter into a royalty agreement, either of which may not be available on reasonable terms or at all, in order to obtain the right to sell, offer to sell, import, make or use the relevant intellectual property; or - redesign certain portions of the allegedly infringing products to avoid infringement, misappropriation, or violation, which could be costly, time-consuming, or impossible. Intellectual property infringement claims, with or without merit, are typically complex, time consuming, and expensive to resolve and would divert the time and attention of our management and technical personnel. These claims could also subject us to significant liability for damages, including treble damages if we are found to have willfully infringed third-party patents. It may enjoin us from continuing to use certain features or portions of allegedly infringing products or even the allegedly infringing products themselves. It may also result in adverse publicity, which could harm our reputation and ability to attract or retain customers or otherwise prevent us from competing effectively in the market. As we grow, we may experience a heightened risk of allegations of intellectual property infringement. An adverse result in any litigation claims against us could have a material adverse effect on our business, financial condition, and results of operations.

Use of our platform involves the storage, transmission, and processing of our customers' proprietary data, including personal or identifying information of their customers or employees. Unauthorized disclosure of or access to or cybersecurity incidents, data breaches or other compromises of our platform could result in the loss of data, loss of business, severe reputational damage adversely affecting customer or investor confidence, damage to our brand, diversion of management's attention, regulatory investigations and orders, litigation, indemnity obligations, damages for contract breach, penalties for violation of applicable laws or regulations, including regulatory fines, and significant costs for remediation that may include liability for stolen assets or information and repair of system damage that may have been caused, incentives offered to customers or other business partners in an effort to maintain business relationships after a breach, and other liabilities. We have incurred and expect to continue to incur significant expenses to prevent cybersecurity incidents, data breaches and other compromises, including deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants. Even though we do not control the security measures of third parties who may have access to our customer data, our data, or our platform, we may be responsible for any cybersecurity incident or data breach impacting such measures or suffer reputational harm even where we do not have recourse to the third-party that caused the breach. In addition, any failure by our vendors to comply with applicable law or regulations could result in proceedings against us by governmental entities or others. Cyberattacks, denial-of-service attacks, ransomware attacks, business email compromises, account compromises, computer malware, viruses, and social engineering (including phishing attacks) are prevalent in our industry and our customers' industries. In addition, we may experience cyberattacks, unavailable systems, unauthorized access to systems or data or disclosure due to wrongful conduct by insider employees or vendors, denial-of-service attacks, attacks from sophisticated nation-state and nation-state supported actors, and advanced persistent threat intrusions. Electronic security attacks designed to gain access to personal, sensitive, or confidential data are constantly evolving, and such attacks continue to grow in sophistication. While we believe we have taken reasonable steps to protect our data, the techniques used to sabotage or to obtain unauthorized access to our platform, systems, networks, or physical facilities in which data is stored or through which data is transmitted change frequently, and we may be unable to implement adequate preventative measures or stop cybersecurity incidents, data breaches or other compromises while they are occurring. Like many other companies in our industry, we and our third-party vendors have previously been, and may in the future become, the target and victim of cyberattacks by third parties seeking unauthorized access to our or our customers' data or accounts or to disrupt our operations or ability to sell our products. Specifically, in July 2022, we were the victim of an attack whereby an unauthorized third-party compromised an employee's credentials and gained access to our internal systems, including email as well as some of our internal support tools, and, as a result, accessed certain information, including name, email address, and phone number, for a subset of our customers. Additionally, in October 2024, an unauthorized third-party gained access to company source code, as well as other system and application credentials. We rely on third-party service providers and technologies to operate critical business systems to process confidential and personal information in a variety of contexts, including, without limitation, encryption and authentication technology, employee email, content delivery to customers, back-office support, and other functions. Our ability to monitor these third parties' cybersecurity practices is limited. These third-party providers and technologies may not have adequate measures in place, and could experience or cause a cybersecurity incident or data breach that compromises the confidentiality, integrity or availability of the systems or technologies they provide to us or the information they process on our behalf. While we have taken steps designed to protect the proprietary, regulated, sensitive, confidential, and personal information in our control, our cybersecurity measures or those of the third parties on which we rely may not be effective against current or future security risks and threats. Cybercrime and hacking techniques are constantly evolving and a challenge of the modern global economy, and we or our third-party service providers may be unable to anticipate threats, detect or react in a timely manner, or implement adequate preventative measures, particularly given increasing use of hacking techniques designed to circumvent controls, avoid detection, and remove or obfuscate forensic artifacts. Moreover, we or our third-party service providers may be more vulnerable to such attacks in remote work environments. We have contractual and legal obligations to notify relevant stakeholders of security breaches. Most jurisdictions have enacted laws requiring companies to notify individuals, regulatory authorities, and others of security incidents or data breaches involving certain types of data. In addition, our agreements with certain customers may require us to notify them in the event of a cybersecurity incident or compromise or data breach. Such mandatory disclosures are costly, could lead to negative publicity, may cause our customers to lose confidence in the effectiveness of our security measures, and require us to expend significant capital and other resources to respond to or alleviate problems caused by the actual or perceived security incident or data breach and otherwise comply with the multitude of foreign, federal, state, and local laws and regulations relating to the unauthorized access to, or use or disclosure of, personal information. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our privacy and data security obligations. If we or our third-party service providers suffer, or are perceived to have suffered, a data breach or other cybersecurity incident, we may experience a loss of customer confidence in the security of our platform and damage to our brand, reduced demand for our products and disruption of normal business operations. Such a circumstance may also require us to spend material resources to investigate, remediate or correct the issue and prevent recurrence, notify regulators, and affected stakeholders, expose us to legal liabilities, including litigation, regulatory enforcement, indemnity obligations, fines, and penalties, and adversely affect our business, financial condition, and results of operations. These risks are likely to increase as we continue to grow and process, store, and transmit increasingly large amounts of data. Additionally, as a result of a data breach, compromise or other cybersecurity incident, we could be subject to demands, claims, and litigation by private parties and investigations, related actions, and penalties by regulatory authorities. We cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, will cover any indemnification claims against us relating to any incident or will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could adversely affect our reputation, business, financial condition, and results of operations.

We have incorporated, and may continue to incorporate, artificial intelligence technology ("AI Technology") into our products and services, including our email, SMS, and reviews offerings, and this incorporation of AI Technology in our business and operations may become more significant over time. The use of generative AI, a newer and emerging technology in the early stages of commercial use, may expose us to additional risk, such as damage to our reputation, competitive position, additional costs, and other business, legal and regulatory risks. For example, generative AI has been known to produce false or "hallucinatory" inferences or output, and certain generative AI technology use machine learning and other predictive analysis techniques, which can produce inaccurate, incomplete, or misleading content, unintended biases, and other discriminatory or unexpected results, errors or inadequacies, any of which may not be easily detectable by us or any of our related service providers. Accordingly, while AI-powered applications may help provide more tailored or personalized user experiences, if the content, analyses, or recommendations produced by AI-powered applications are, or are perceived to be, deficient, inaccurate, biased, unethical or otherwise flawed, our reputation, competitive position, and business may be materially and adversely affected. In addition, new laws and regulations, or the interpretation of existing laws and regulations, in any of the jurisdictions in which we operate may affect our use of AI Technology and expose us to government enforcement or civil lawsuits. For example, states such as California, Colorado, and Utah, have recently passed laws regulating the use of AI Technology, which impose additional operational burdens and may require us to modify our products and services that utilize AI Technology in order to comply with these laws. Federal regulators have also issued guidance affecting the use of AI Technology in regulated sectors. In addition, the EU's Artificial Intelligence Act ("AI Act"), the world's first comprehensive artificial intelligence law, entered into force on August 1, 2024 and most provisions of the legislation will become effective on August 2, 2026. This legislation imposes significant obligations on providers and deployers of high risk artificial intelligence systems, and encourages providers and deployers of artificial intelligence systems to account for EU ethical principles in their development and use of these systems. We expect these legislative trends will continue and we may be required to devote significant attention and resources to address the frequently changing regulatory requirements, including by ensuring higher standards of data quality, transparency, and human oversight, as well as adhering to specific and potentially burdensome and costly ethical, accountability, and administrative requirements. As the legal and regulatory framework relating to use of AI Technology continues to change, there may be an increase in our operational and development expenses that impact our ability to earn revenue from or utilize certain AI Technology. Furthermore, the use of AI Technology has resulted in, and may result in, an increase in our risk with respect to intellectual property rights, privacy rights, publicity rights and cybersecurity incidents, including as it relates to personal data that we have in our possession or process on behalf of our customers. Certain output produced by us using AI Technology may not be subject to patent or copyright protection, which may adversely affect our intellectual property rights in, or ability to commercialize or use, any such output. In addition, output produced by AI Technology may include information subject to certain privacy or rights of publicity laws or constitute an unauthorized derivative work of copyrighted material used in training the underlying AI Technology, any of which could create a risk of liability for us, or adversely affect our business or operations. To the extent that we do not have sufficient rights to use the data or other material or content used in or produced by the AI Technology used in our business, or if we experience cybersecurity incidents in connection with our use of AI Technology, it could adversely affect our reputation and expose us to legal liability or regulatory risk, including with respect to third-party intellectual property rights, privacy, publicity, contractual or other rights. As the use of AI Technology becomes more prevalent, we anticipate that it will continue to present new or unanticipated legal, reputational, technical, operational, ethical, competitive, and regulatory issues. We expect that our incorporation of AI Technology in our business will require additional resources, including the incurrence of additional costs, to develop and maintain our products, services, and features to minimize potentially harmful, unintended or other adverse consequences, to comply with existing and new laws and regulations, to maintain or extend our competitive position, and to address any legal, reputational, technical, operational, ethical, competitive, and regulatory issues that may arise as a result of any of the foregoing. Our vendors may also incorporate AI Technology tools into their offerings, and the providers of these AI Technology tools may not meet existing or rapidly evolving regulatory or industry standards, including with respect to privacy and data security. Bad actors around the world are also using increasingly sophisticated methods, including the use of AI Technology, to engage in illegal activities involving the theft and misuse of personal information, confidential information and intellectual property. Finally, our competitors or other third parties may incorporate AI Technology into their products more quickly or more successfully than us, which could impair our ability to compete effectively. As a result, the challenges presented with our use of AI Technology may result in the loss of valuable property and information, cause us to breach applicable laws and regulations, and adversely affect our business, financial condition, and results of operations.

Our business offerings rely heavily on a variety of direct marketing techniques, including email marketing and marketing conducted via SMS. These activities are regulated by legislation such as CAN-SPAM and the TCPA as well as state laws regulating marketing via telecommunication services. The CAN-SPAM Act, among other things, obligates the sender of commercial emails to provide recipients with the ability to opt out of receiving future commercial emails from the sender. The ability of our customers' message recipients to opt out of receiving commercial emails may minimize the effectiveness of the email components of our platform. In addition, certain states, and foreign jurisdictions, such as Australia, Canada, the United Kingdom, and the European Union, have enacted laws that regulate sending email, and some of these laws are more restrictive than U.S. laws. For example, some foreign laws prohibit sending unsolicited email unless the recipient has provided the sender advance consent to receipt of such email, or in other words has "opted-in" to receiving it. A requirement that recipients opt into, or the ability of recipients to opt out of, receiving commercial emails may minimize the effectiveness of our platform. Any failure by us or our customers to comply fully with the CAN-SPAM Act may leave us subject to substantial fines and penalties. Foreign privacy laws also regulate our and our customers' ability to send commercial messages via email. For example, Canada's Anti-Spam Legislation ("CASL") prohibits email marketing without the recipient's consent, with limited exceptions. Failure to comply with CASL could result in significant fines and penalties or possible damage awards. We also face stringent regulation in connection with our use of telecommunication services for the transmission of marketing messages. The TCPA is a federal statute that protects consumers from unwanted telephone calls, faxes, and text messages. TCPA violations can result in significant financial penalties as a business can incur civil forfeiture penalties or criminal fines imposed by the Federal Communications Commission (the "FCC") or be fined for each violation through private litigation or state attorneys general or other state actor enforcement. Class action suits are the most common method for private enforcement. Our SMS texting product is a potential source of risk for class-action lawsuits and liability for our company. Numerous class-action suits under federal and state laws have been filed in recent years against companies who conduct call and SMS texting programs, with many resulting in multi-million-dollar settlements to the plaintiffs. While we strive to adhere to strict policies and procedures, the FCC, as the agency that implements and enforces the TCPA, may determine that our efforts to address the TCPA are insufficient and may subject us to penalties and other consequences for noncompliance. Determination by a court or regulatory agency that our platform or our products violate the TCPA could subject us to civil penalties, could invalidate all or portions of some of our client contracts, could require us to change or terminate some portions of our business, could require us to refund portions of our service fees, and could have an adverse effect on our business. Further, we could be subject to class action lawsuits for any claimed TCPA violations. Even an unsuccessful challenge by consumers or regulatory authorities of our activities could result in adverse publicity and could require a costly response from us. Additionally, the scope of the TCPA is frequently under review and future regulations interpreting the TCPA may impose new limitations on our or our customers' ability to send commercial messages via telephone calls, faxes, and text messages. Further, some states have enacted laws similar to, or broader than, the TCPA, which may be an additional source of potential claims or liability. In particular, Florida, Washington, and Oklahoma have enacted statutes that impose broader obligations than the TCPA upon companies that rely upon telephone calls or text messages for commercial communications. More U.S. states may pass similar laws in the future, and our ability to conduct our services via telephone or text message may be further limited or expose us to currently unforeseen liability. In addition, any future restrictions in laws such as CAN-SPAM, the TCPA, and various United States state laws, or new federal laws regarding marketing and solicitation or international data protection laws that govern these activities could adversely affect the continuing effectiveness of our marketing efforts and could force changes in our marketing strategies. If this occurs, we may not be able to develop adequate alternative marketing strategies, which could impact the amount and timing of our revenues.

We may be subject to potential liability for the activities of our customers on, or in connection with the content or data they store on or send through, our platform. Although our customer terms of use and our acceptable use policy ("AUP") prohibit, among other things, (1) illegal use of our platform and our products by our customers, (2) the use of our products for certain activities that do not comply with industry standards and guidelines outlined in our AUP, and (3) the use of our products in any manner that would infringe, misappropriate or otherwise violate the intellectual property rights of third parties, customers may nonetheless engage in prohibited activities or upload or store content with us in violation of our terms of use, our AUP, applicable law or the customer's own policies, which could subject us to liability and/or harm our reputation. We do not have a process in place to systematically and comprehensively monitor the content, activities, or messages of our customers in connection with their use of our services, so inappropriate content may be sent to third parties, which could subject us to legal liability. Even if we comply with legal obligations to remove or disable certain content, our customers may continue to send messages through our platform that third parties may find hostile, offensive, or inappropriate. The activities of our customers or the content of our customers' messages may lead us to experience adverse political, business, and reputational consequences, especially if such use is high profile. Conversely, actions we take in response to the activities of our customers or users, up to and including suspending their use of our platform or products, may harm our brand and reputation. There are certain statutory and common law frameworks and doctrines that offer defenses against liability for customer activities, including the Digital Millennium Copyright Act, the Communications Decency Act, the fair use doctrine in the United States and the Electronic Commerce Directive in the EU. Although these and other statutes and case law in the United States offer certain defenses against liability from customer activities under U.S. copyright law or regarding secondary liability from the TCPA or CAN-SPAM, they are subject to uncertain or evolving judicial interpretation and regulatory and legislative amendments, and in any event we cannot assure you that we will be successful in asserting them. In addition, pending or recently adopted legislation in the EU may impose additional obligations or liability on us associated with content uploaded by users to our platform. Laws governing these activities are unsettled in many international jurisdictions, or may prove difficult or impossible for us to comply with in some international jurisdictions. Even if ultimately resolved in our favor, we may become involved in related complaints, lawsuits or investigations which add cost to our doing business and may divert management's time and attention or otherwise harm our reputation.

We currently conduct our operations in the United Kingdom, Australia, and Ireland through subsidiaries. Our intercompany arrangements with those subsidiaries are subject to complex transfer pricing regulations administered by taxing authorities in those jurisdictions, and these taxing authorities may challenge our methodologies for our determinations as to the value of assets sold or acquired or income and expenses attributable to specific jurisdictions. In addition, our tax expense could be affected depending on the applicability of withholding and other taxes (including withholding and indirect taxes on software licenses and related intercompany transactions) under applicable laws. The relevant revenue and taxing authorities may also disagree with positions we have taken generally. If any such disagreements were to occur (whether with the taxing authorities in jurisdictions where we currently do business or in those of jurisdictions where we may in the future operate) and our position were not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations.

Our business and platform involves the collection, use, processing, storage, transfer, and sharing of personal information, including such information that we handle on behalf of our customers, as well as confidential information and other sensitive data. Our data processing activities are regulated by a variety of laws, regulations, and industry standards, which have become increasingly stringent in recent years, are rapidly evolving, and are likely to remain uncertain for the foreseeable future. Increasingly, laws that regulate data processing activities are extra-territorial in their scope of application. The global nature of our customer base renders us particularly exposed to being subject to a wide range of such laws and the varying, potentially conflicting compliance obligations they impose on our business. State legislatures also have been adopting new privacy laws or amending existing laws with increasing frequency, requiring attention to frequently changing regulatory requirements, and we expect that this trend will continue. For example, the California Consumer Privacy Act (the "CCPA") imposed a number of requirements on covered businesses and gave California residents certain rights related to their personal information, including the right to access and delete their personal information, to receive detailed information about how their personal information is used and shared, and to opt out of certain sharing of their personal information. The CCPA provides for civil penalties for violations of up to $7,500 for each intentional violation and created a private right of action for certain data breaches that is expected to increase data breach litigation. In addition, the California Privacy Rights Act (the "CPRA"), which has been in effect since January 1, 2023, imposed additional obligations on companies covered by the CCPA. The CPRA significantly modified the CCPA, including by expanding consumers' rights with respect to certain sensitive personal information. Similar comprehensive privacy laws have been proposed and passed in numerous other states. These comprehensive privacy laws have entered into force in many states, and several more will be entering into force in the coming years. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions, and potential legal risk,require additional investment of resources in compliance programs, impact strategies, and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country makes our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance. In addition, other states have proposed and/or passed legislation that regulates the privacy and/or security of certain specific types of information. These various privacy and security laws may impact our business activities, including our relationships with business partners and ultimately the marketing and distribution of our products. State laws are changing rapidly and there is discussion in the U.S. Congress of a new comprehensive federal data privacy law to which we may likely become subject, if enacted. Other federal laws impose general, broad requirements designed to protect the privacy and security of personally identifiable information. For example, according to the FTC, failing to take appropriate steps to keep consumers' personal information secure constitutes unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a). In recent years, the FTC has paid increased attention to privacy and data security matters, and we expect them to continue to do so in the future. Further, through executive and legislative action, the federal government has also taken steps to restrict data transactions involving certain sensitive data categories, with persons affiliated with China, Russia, and other countries of concern. Foreign privacy laws have become more stringent in recent years and may increase the costs and complexity of offering our platform and products in new and existing geographies. Outside of the United States, we are also subject to stringent privacy and data protection laws in many jurisdictions. For example, we are subject to the EU GDPR and the UK General Data Protection Regulation (the "UK GDPR," and collectively, the "GDPR"). The GDPR applies where we are collecting or otherwise processing personal data in connection with (a) the activities of a business establishment within the United Kingdom/European Economic Area; or (b) offering goods or services to or monitoring the behavior of individuals within the United Kingdom/European Economic Area, and imposes strict obligations regarding personal data processing activities. The GDPR also imposes restrictions in relation to the international transfer of personal data. For example, in order to transfer data outside of the European Economic Area or the United Kingdom to a non-adequate country, including the United States in certain circumstances, the GDPR requires us to enter into an appropriate transfer mechanism and may require us to take additional steps to ensure an essentially equivalent level of data protection, including carrying out a transfer impact assessment to assess whether the recipient is subject to local laws which allow a public authority access to personal data and assisting controllers with such assessments if we act as processors of personal data. These transfer mechanisms are subject to change, and implementing new or revised transfer mechanisms or ensuring an essentially equivalent protection may involve additional expense and potentially increased compliance risk. Such restrictions may increase our obligations in relation to carrying out international transfers of personal data and cause us to incur additional expense and increased regulatory liabilities. Any inability to transfer personal data from Europe to the United States in compliance with data protection laws may impede our operations and may adversely affect our business and financial position. Despite Brexit, the UK GDPR remains largely aligned with EU GDPR. Currently, the most impactful point of divergence between the EU GDPR and the UK GDPR relates to these transfer mechanisms as explained above. There may be further divergence in the future, including with regard to application, interpretation, enforcement and administrative burdens. For example, the United Kingdom introduced the Data Reform Bill into the United Kingdom legislative process, which failed. A new Data Use and Access Bill (the "UK Bill") has been introduced into parliament. If passed, the final version of the UK Bill may have the effect of further altering the similarities between the United Kingdom and European Economic Area data protection regimes and threaten the United Kingdom's adequacy decision from the European Commission. This may lead to additional compliance costs and could increase our overall risk exposure. This lack of clarity on future United Kingdom laws and regulations and their interaction with those of the European Economic Area could add legal risk, uncertainty, complexity, and cost to our handling of European personal data and our privacy and security compliance programs. We may no longer be able to take a unified approach across the European Union and the United Kingdom, and we will need to amend our processes and procedures to align with the new framework. In addition, European Economic Area Member States have adopted national laws to implement the EU GDPR that may partially deviate from the EU GDPR and competent authorities in the Member States may interpret the EU GDPR obligations slightly differently from country to country. Therefore, we do not expect to operate in a uniform legal landscape in the European Economic Area. Companies that violate the GDPR can face robust regulatory enforcement and greater penalties for noncompliance, including fines of up to €20 million (or £17.5 million under the UK GDPR) or 4% of their worldwide annual turnover, whichever is greater. A wide variety of other potential enforcement powers are available to competent supervisory authorities in respect of potential and suspected violations of the GDPR, including audit and inspection rights, and powers to order temporary or permanent bans on all or some processing activities. The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR. In addition to the GDPR, other European data protection laws require that affirmative opt-in consent is procured to the placement of cookies and similar tracking technologies on users' devices (other than those that are "strictly necessary" to provide services requested by the user). These requirements may increase our exposure to regulatory enforcement actions, increase our compliance costs and reduce demand for our platform. A new regulation proposed in the EU, which would apply across the European Economic Area, known as the ePrivacy Regulation, may further restrict the use of cookies and other online tracking technologies on which our platform relies, as well as increase restrictions on the types of direct marketing campaigns that our platform enables. It is unclear whether and/or when the draft ePrivacy Regulation will enter into force. In Canada, our collection, use, disclosure, and management of personal information must comply with both federal and provincial privacy laws, which impose separate requirements, but may overlap in some instances. The federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and various provincial laws impose strict requirements on companies that handle personal information. Notably, Québec's Act respecting the protection of personal information in the private sector (the "Private Sector Act") was recently amended by Bill 64, which introduced major amendments to the Private Sector Act, notably, to impose significant and stringent new obligations on Québec businesses while increasing the powers of Québec's supervisory authority. We may incur additional costs and expenses related to compliance with these laws and may incur significant liability if we are not able to comply with existing and emerging legal requirements in Canada. Apart from the requirements of privacy and data security laws, we have obligations relating to privacy and data security under our published policies and documentation and certain of our contracts. Although we endeavor to comply with these obligations, we may have failed to do so in the past and may be subject to allegations that we have failed to do so or have otherwise processed data improperly. Such failures or alleged failures could result in proceedings against us by governmental entities, private parties or others as well as negative publicity and reputational damage. Compliance with applicable privacy, data security or data protection requirements, many of which vary across jurisdictions, is a rigorous and time-intensive process, and we may be required to implement costly mechanisms to ensure compliance. The proliferation of privacy, data security, and data protection laws, regulations, policies, and standards increases the likelihood of differences in approaches across jurisdictions. These differences make it difficult to maintain a standardized global privacy program. Creating jurisdiction-specific approaches requires significant time and resources and the associated complexity increases the risk of potential non-compliance. In addition, such requirements may require us to modify our data processing practices and policies, utilize management's time and/or divert resources from other initiatives and projects. Our customers may implement compliance measures that do not align with our platform and products, which could limit the scope and type of platform and products we are able to provide. Our customers may also require us to comply with additional privacy and security obligations, causing us to incur potential disruption and expense related to our business processes. We may also be exposed to certain compliance and/or reputational risks if our customers do not comply with applicable privacy or data protection laws and/or their own privacy notices and terms of use in particular in connection with their processing of personal data, their sharing of personal data with us, the legal bases on which they rely (where applicable) under applicable privacy and data protection legislation for the processing we carry out on their behalf and/or their management of data subject requests which pertain to the processing we carry out on their behalf. In addition, we may decide not to enter into new geographic markets where we determine that compliance with such laws, regulations, policies, and standards would be prohibitively costly or difficult. Geographic markets in which we currently operate could require us to process or store regulated information within such markets only, and establishing hosting facilities in such markets could be disruptive to our business and costly. If our policies and practices, or those of our customers, service providers, contractors and/or partners, are, or are perceived to be non-compliant, we could face (1) litigation, investigations, audits, inspections, and proceedings brought by governmental entities, customers, individuals or others, (2) additional reporting requirements and/or oversight, temporary or permanent bans on all or some processing of personal data, orders to destroy or not use personal data and imprisonment of company officials, (3) fines and civil or criminal penalties for us or company officials, obligations to cease offering or to substantially modify our solutions in ways that make them less effective in certain jurisdictions, and (4) negative publicity, harm to our brand and reputation and reduced overall demand for our platform. These occurrences could adversely affect our business, financial condition, and results of operations. All of these evolving compliance and operational requirements impose significant costs, such as costs related to organizational changes, implementing additional protection technologies, training employees and engaging consultants and legal advisors, which are likely to increase over time. In addition, such requirements may require us to modify our data processing practices and policies, utilize management's time and/or divert resources from other initiatives and projects. Because the interpretation and application of privacy and data protection laws, regulations, rules, and other standards are still uncertain and likely to remain uncertain for the foreseeable future, it is possible that these laws, rules, regulations, and other obligations, such as contractual or self-regulatory obligations, may be interpreted and applied in a manner that is inconsistent with our data management practices or the features of our software. If so, in addition to the possibility of fines, lawsuits, and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which we may be unable to do in a commercially reasonable manner or at all, and which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, rules, regulations, and other obligations, could result in additional cost and liability to us, damage our reputation, inhibit sales, and adversely affect our business, financial condition, results of operations and prospects.

We rely on third-party relationships, such as marketing agency and technology partners, to attract customers and enhance the utility of our platform. If any of the third parties on which we rely fails to perform as expected, breaches or terminates their agreement with us, or becomes engaged in a dispute with us, our reputation could be adversely affected and our business could be harmed. For example, we rely on third-party agency partners and other marketing partners to help us acquire and retain customers. If these partners fail to promote our platform or refer new customers to us, fail to support our existing customers, begin promoting competing brands in addition to or instead of ours, are forced to change their marketing practices in response to new or existing regulations or cease to be viewed as credible sources of information by our potential customers, we may face decreased demand for our solutions, higher than expected customer acquisition costs and loss of revenue. We also collaborate with third-party technology partners, including systems integrators and third-party developers, to enhance the utility of our platform. For example, these partners build integrations that extend our platform's core product functionality or bring additional data into our platform. These technology partners may fail to maintain, support, or improve their integrations, which could reduce the utility of our platform and in turn could decrease demand for our platform and products, harm our reputation and brand, and have a negative effect on our business, financial condition, and operating results. In order to grow our business, we anticipate that we will continue to depend on relationships with third parties. Identifying, negotiating, and documenting relationships with partners requires significant time and resources. Our competitors may be more effective in providing incentives to third parties to favor their products or services or to prevent or reduce use of our services. In addition, acquisitions of our partners by our competitors could result in a decrease in the number of our current and potential customers, as our partners may no longer facilitate the adoption of our service by potential customers. If we are unsuccessful in establishing or maintaining our relationships with third parties, our ability to compete in the marketplace or grow our revenues could be impaired and our business, financial condition, and operating results may suffer.

We recognize that there are inherent climate-related risks wherever business is conducted. Any of our primary office locations may be vulnerable to the adverse effects of climate change. For example, our offices globally may experience climate-related events at an increasing frequency, including drought, water scarcity, heat waves, cold waves, wildfires, and resultant air quality impacts and power shutoffs associated with wildfire prevention. While this danger currently has a low-assessed risk of disrupting our normal business operations, it has the potential to disrupt employees' abilities to commute to work or to work from home and stay connected effectively. Furthermore, it is more difficult to mitigate the impact of these events on our employees to the extent they work from home. Climate-related events, including the increasing frequency of extreme weather events and their impact on the critical infrastructure of the United States, Europe, and other major regions, have the potential to disrupt our business, our third-party suppliers and/or the business of our customers, and may cause us to experience higher attrition, losses, and additional costs to maintain or resume operations. Regulatory developments, changing market dynamics and stakeholder expectations regarding climate change may impact our business, financial condition, and results of operations.