CS Disco (LAW) Risk Analysis

In the ordinary course of business, we and the third parties with whom we work, collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit and share (collectively, process) potentially highly sensitive and confidential electronic documentation for use by our law firm and non-law firm customers in various legal matters, including litigation and governmental investigations and, as a result, we and the third parties with whom we work face a variety of evolving threats. Due to the nature of our services, and the legal and regulatory context in which our services are utilized by customers, our ability to protect the confidentiality, availability and integrity of our customers' information is critical to our ability to attract and retain customers, generate revenue and the overall success of our business, and our failure or perceived failure to maintain adequate protections could materially affect our business. Our information technology systems and those of third parties with whom we work are potentially vulnerable to breakdown or other damage or interruption from service interruptions, system malfunction, natural disasters, terrorism, war and telecommunication, electrical failures and security incidents. Cyberattacks and other malicious internet-based activity continue to increase and are increasingly difficult to detect, respond to and mitigate. Other evolving threats to our information systems and data include, but are not limited to, social engineering attacks (including through phishing attacks), malicious code (such as viruses and worms), malware, denial-of-service attacks (such as credential stuffing), credential harvesting, personnel misconduct or error, and supply-chain attacks. In addition to traditional computer "hackers," threat actors, internal personnel, sophisticated nation-state and nation-state supported actors and organized criminals now engage in attacks. We have and may in the future experience a security incident or significant vulnerability, including without limitation, those resulting from acts, errors or omissions of our personnel (including those caused by our, or our vendors', employees or contractors), including inadvertent storage or disclosure of personal information, our confidential information, or our customers' confidential information, or coding errors, defects and bugs, or accidentally providing a customer with access to or copies of another customer's confidential information. Ransomware and cyber extortion attacks, including those perpetrated by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and can lead to significant interruptions in our operations, loss of data and income, leaks and public disclosures of sensitive information, extortion of our customers, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. It may be difficult and/or costly to detect, investigate, mitigate, contain, and remediate a security incident. Our efforts to do so may not be successful. Actions taken by us or the third parties with whom we work to detect, investigate, mitigate, contain, and remediate a security incident could result in outages, data losses, and disruptions of our business. Threat actors may also gain access to other networks and systems after a compromise of our networks and systems. Additionally, our employees are routinely working remotely, which may pose additional data security risks to our information technology systems and data, as more of our employees utilize network connections, computers, and devices outside our premises or network, including working at home, while in transit and in public locations. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. Any of these threats and issues may lead to a security incident and significant adverse consequences, including compromise of our system infrastructure or the loss, destruction, alteration, denial of access to, disclosure or dissemination of, or damage or unauthorized access to, our information technology systems, data (including trade secrets or other confidential information, intellectual property, proprietary business information and personal information) or data that is processed or maintained on our behalf, or other assets. We rely on third-party service providers and technologies to operate critical business systems to process personal information, confidential information, customer information, intellectual property and other sensitive information in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. We work with third-parties to provide other products, services, parts, or otherwise to operate our business. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. If the third-parties with whom we work experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties' infrastructure in our supply chain or our third-party partners' supply chains have not been compromised. While we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We may expend significant resources or modify our business activities to try to protect against security incidents. Additionally, certain data privacy and security obligations may require us to implement and maintain specific security measures to protect our information technology systems and sensitive data. We take steps designed to detect, mitigate and remediate security vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties upon which we rely). We may not, however, detect and remediate them all on a timely basis. Further, we may experience delays in developing and deploying remedial measures designed to address any such identified vulnerabilities, bugs, errors and vulnerabilities. Even if we have issued or otherwise made patches or information for vulnerabilities available in our software applications, products or services, our customers may be unwilling or unable to deploy such patches and use such information effectively and in a timely manner. Vulnerabilities could be exploited and result in a security incident. These vulnerabilities, bugs, errors or defects alone, or a combination of them, could pose material risks to our business. Further, the cost to respond to a security breach and/or to mitigate any security vulnerabilities that may be identified could be significant, our efforts to address these issues may not be successful, and these issues could result in interruptions, delays, cessation of service, negative publicity, loss of customer trust, diminished use of our product offerings as well as other harms to our business and our competitive position. These adverse consequences could force us to spend money, divert management's time and attention, increase our costs of doing business, or adversely affect our reputation. If we, or the third parties with whom we work, experience a security incident or are perceived to have experienced a security incident, we may experience adverse consequences, which could include: government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; breach of our customer contracts, restrictions on processing information (including personal information); litigation (including class action claims); indemnification obligations; negative publicity; reputational harm; loss of customers; monetary fund diversions; diversion of management attention; restrict our ability to engage with new customers; interruptions in or the cessation of our operations (including availability of data); financial loss; competitive disadvantage; and other similar harms. Security incidents and attendant consequences may prevent or cause customers to stop using our services, deter new customers from using our services, and negatively impact our ability to grow and operate our business. We could be required to fundamentally change our business activities and practices or modify our product offerings and/or platform capabilities, which could have an adverse effect on our business. Additionally, there can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages and in some cases our customer agreements do not limit our remediation costs or liability with respect to data breaches. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive data about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position. Additionally, sensitive data of the Company or our customers could be leaked, disclosed, or revealed as a result of or in connection with our employees', personnel's, or vendors' use of generative AI technologies. Any sensitive information (including confidential, competitive, proprietary, or personal information) that we input into a third party generative AI/ML platform could be leaked or disclosed to others, including if sensitive information is used to train the third parties' AI/ML model. Additionally, where an AI/ML model ingests personal information and makes connections using such data, those technologies may reveal other personal or sensitive information generated by the model. Moreover, AI/ML models may create flawed, incomplete, or inaccurate outputs, some of which may appear correct. This may happen if the inputs that the model relied on were inaccurate, incomplete or flawed (including if a bad actor "poisons" the AI/ML with bad inputs or logic), or if the logic of the AI/ML is flawed (a so-called "hallucination"). We may use AI/ML outputs to make certain decisions. Due to these potential inaccuracies or flaws, the model could be biased and could lead us to make decisions that could bias certain individuals (or classes of individuals), and adversely impact their rights, employment, and ability to obtain certain pricing, products, services, or benefits. Notifications and follow-up actions related to a security incident could impact our reputation, result in a loss of customers and prospects, and cause us to incur significant costs, including legal expenses and remediation costs. We may have contractual and legal obligations under applicable data privacy and security laws to notify relevant stakeholders of security breaches, or we may voluntarily choose to notify relevant stakeholders including affected individuals, customers, regulators, and investors, of security incidents, or to take other actions, such as providing credit monitoring and identify theft protection services. Such disclosures and related actions can be costly, and the disclosure or the failure to comply with such applicable requirements could lead to adverse consequences including negative publicity, which may cause our customers or prospective customers to lose confidence in the effectiveness of our security measures and require us to expend significant capital and other resources to respond to and/or alleviate problems caused by the actual or perceived security breach.

We are, and may become, subject to legal proceedings and claims that arise in the ordinary course of business, such as claims brought by our customers in connection with commercial disputes or employment claims made by our current or former employees. We also are, and may become, subject to securities litigation. For example, in September 2023 and November 2023, purported stockholder class action lawsuits were filed against us and certain of our current and former officers alleging violation of the federal securities laws for allegedly making materially false or misleading statements. While the class action lawsuit filed in November 2023 was dismissed in January 2024, the September 2023 matter is still pending, and we may be the target of additional litigation of this type in the future. Currently ongoing or future litigation might result in substantial costs and may divert management's attention and resources, which might seriously harm our business, financial condition and results of operations. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims and might not continue to be available on terms acceptable to us. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, potentially harming our business, financial position and results of operations.

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal information, client information, and other sensitive information, including proprietary and confidential business information, trade secrets, intellectual property, and sensitive third-party data. As a result, we are, or may become, subject to numerous federal, state, local and foreign laws and regulations, guidance, industry standards and other obligations regarding privacy, data protection, information security and processing and protection of personal information and other content, the scope of which is changing, subject to differing interpretations and may be inconsistent among countries, or conflict with other rules. We are also subject to the terms of our privacy policies and obligations to third parties (including contractual) related to privacy, data protection and information security. We strive to comply with applicable laws, regulations, policies and other legal obligations relating to privacy, data protection and information security. However, the regulatory framework for privacy and data protection worldwide is unclear and evolving, and is likely to remain uncertain, for the foreseeable future. We expect that there will continue to be new laws, regulations and industry standards concerning privacy, data protection and information security proposed and enacted in various jurisdictions. There is a risk that the requirements of these laws and regulations, or of contractual or other obligations relating to data privacy or information security, will be interpreted or applied in a manner that is, or is alleged to be, inconsistent with our management and processing practices, our policies or procedures or the features of our product offerings. We may face challenges in addressing these requirements and making necessary changes to our policies and practices and may incur significant costs and expenses in an effort to do so. Outside the United States, an increasing number of laws, regulations, and industry standards apply to privacy, data protection and information security and impose strict requirements for processing personal information, including the European Union's General Data Protection Regulation, or EU GDPR and the United Kingdom's version of the GDPR or UK GDPR. The EU GDPR and UK GDPR are wide-ranging in scope and impose numerous requirements, including requiring that consent of individuals to whom the personal information relates is obtained in certain circumstances, requiring additional disclosures to individuals regarding data processing activities, requiring that appropriate safeguards are implemented to protect the security and confidentiality of personal information, creating mandatory data breach notification requirements in certain circumstances and requiring that certain measures (including contractual requirements) are put in place when engaging third-party data processors. The EU GDPR, permits data protection authorities to impose large penalties for violations of the regulation, including potential fines of up to €20 million, 17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal information brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. The EU GDPR also provides individuals with various rights in respect of their personal information, including rights of access, erasure, portability, rectification, restriction and objection and confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities (including group actions), seek judicial remedies and obtain compensation for damages resulting from violations of the EU GDPR. The EU GDPR requirements may apply not only to third-party transactions, but also to transfers of information between us and our subsidiaries, including employee information. Furthermore, several jurisdictions have enacted measures related to the use of artificial intelligence and machine learning in products and services. For example, the EU Artificial Intelligence Act (EUAIA) imposes onerous obligations related to the use of AI related systems. Other similar laws may be passed in other jurisdictions and may require us to change our business practices, or else be subject to regulatory action and/or fines. Moreover, in the ordinary course of business, we may transfer personal information from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted data laws requiring data to be localized or limiting the transfer of personal information to other countries. For example, absent appropriate safeguards, the EU GDPR generally restricts the transfer of personal information to countries outside the EEA absent certain safeguards. Laws in Switzerland and the UK similarly restrict personal information transfers outside of those jurisdictions to countries such as the United States of America that do not provide an adequate level of protection for personal information. Although there are currently various mechanisms that may be used to transfer personal information from the EEA and UK to the United States in compliance with law, such as the EEA standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal information to the United States. If there is no lawful manner for us to transfer personal information from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal information necessary to operate our business. Some European regulators have prevented companies from transferring personal information out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. Regulators in the United States are also increasingly scrutinizing certain personal information transfers and may impose data localization requirements, for example, the Biden Administration's executive order Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. In the United States, federal, state, and local governments have enacted numerous privacy, data protection and information security laws, including data breach notification laws, personal information privacy laws, and consumer protection laws. For example, California enacted the California Consumer Privacy Act of 2018, or CCPA, which imposes obligations on businesses to which it applies. The CCPA gives California residents rights to access and require deletion of their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations (up to $7,500 per intentional violation), as well as a private right of action for data breaches that may increase data breach litigation. At least eighteen other states have also passed comprehensive privacy laws some of which go into effect in 2024 and the coming years. If we become subject to these or other new state or federal data privacy laws, we may have to comply with additional obligations which may increase legal risk and compliance costs for us and third parties with whom we work. We are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, certain privacy, data protection and information security laws, such as the GDPR and the CCPA, require our customers to impose specific contractual restrictions on their service providers. We publish privacy policies, marketing materials and other statements, such as compliance with certain certifications or self-regulatory principles, regarding data privacy and security. Although we endeavor to comply with our published information security and privacy policies, certifications and documentation, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving compliance if our employees or vendors do not comply with our published policies, certifications, and documentation. Any failure or perceived failure by us to comply with our policies, certifications and documentation, our data privacy- or information security-related obligations to customers or other third parties or any of our other legal obligations relating to data privacy or information security may result in significant consequences. These consequences may include, but are not limited to, governmental investigations or enforcement actions (e.g., investigations, fines, penalties, audits, inspections), litigation, claims or public statements against us by consumer advocacy groups or others, which could result in significant liability or cause our customers to lose trust in us, additional reporting requirements and/or oversight, bans on processing personal information, or orders to destroy or not use personal information, any of which could have an adverse effect on our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, documentation, certifications, regulations and policies that are applicable to the businesses of our customers may limit the adoption and use of, and reduce the overall demand for, our product offerings. Additionally, if third parties with whom we work, such as vendors or developers, violate applicable data privacy or security laws or regulations, certifications, documentation or our policies, such violations may also put our customers' content at risk and could in turn have an adverse effect on our business. Our employees and personnel use generative artificial intelligence (AI) technologies to perform their work, and the disclosure and use of personal information in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. We use AI and machine learning (ML), to assist us in making certain decisions, which is regulated by certain privacy laws. Due to inaccuracies or flaws in the inputs, outputs, or logic of the AI/ML, the model could be biased and could lead us to make decisions that could bias certain individuals (or classes of individuals), and adversely impact their rights, employment, and ability to obtain certain pricing, products, services, or benefits. We use AI, including generative AI, and ML technologies in our products and services (collectively, AI/ML technologies). The development and use of AI/ML present various privacy and security risks that may impact our business. AI/ML are subject to privacy, data protection and information security laws, as well as increasing regulation and scrutiny. Several jurisdictions around the globe, including Europe and certain U.S. states, have proposed, enacted, or are considering laws governing the development and use of AI/ML, such as the EU's AI Act. We expect other jurisdictions will adopt similar laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal information) and regulate automated decision making, which may be incompatible with our use of AI/ML. These obligations may make it harder for us to conduct our business using AI/ML, lead to regulatory fines or penalties, require us to change our business practices, retrain our AI/ML, or prevent or limit our use of AI/ML. For example, the FTC has required other companies to turn over (or disgorge) valuable insights or trainings generated through the use of AI/ML where they allege the company has violated privacy and consumer protection laws. If we cannot use AI/ML or that use is restricted, our business may be less efficient, or we may be at a competitive disadvantage. Any significant change to applicable laws, regulations or industry practices regarding the collection, use, retention, security or disclosure of our customers' data, or regarding the manner in which the express or implied consent of customers for the collection, use, retention or disclosure of such content is obtained, could increase our costs and require us to modify our product offerings, possibly in a material manner, which we may be unable to complete and may limit our ability to store and process customer data or develop new applications and features. Preparing for and complying with these obligations requires us to devote significant resources and may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal information on our behalf. Our business is reliant on revenue from behavioral, interest-based, or tailored advertising (collectively, "targeted advertising"), but delivering targeted advertisements is becoming increasingly difficult due to changes to our ability to gather information about user behavior through third party platforms, new laws and regulations, and consumer resistance. Major technology platforms on which we rely to gather information about consumers have adopted or proposed measures to provide consumers with additional control over the collection, use, and sharing of their personal information for targeted advertising purposes. For example, in 2021, Apple began allowing users to more easily opt-out of activity tracking across devices. In February 2022, Google announced similar plans to adopt additional privacy controls on its Android devices to allow users to limit sharing of their data with third parties and reduce cross-device tracking for advertising purposes. Additionally, Google has announced that it intends to phase out third-party cookies in its Chrome browser, which could make it more difficult for us to target advertisements. Other browsers, such as Firefox and Safari, have already adopted similar measures. In addition, legislative proposals and present laws and regulations regulate the use of cookies and other tracking technologies, electronic communications, and marketing. For example, in the EEA and the UK, regulators are increasingly focusing on compliance with requirements related to the targeted advertising ecosystem. European regulators have issued significant fines in certain circumstances where the regulators alleged that appropriate consent was not obtained in connection with targeted advertising activities. It is anticipated that the ePrivacy Regulation and national implementing laws will replace the current national laws implementing the ePrivacy Directive, which may require us to make significant operational changes. In the United States, the CCPA, for example, grants California residents the right to opt-out of a company's sharing of personal information for targeted advertising purposes as well as a company's disclosure of personal information in exchange for money or other valuable consideration, and requires covered businesses to honor user-enabled browser opt-out signals from the Global Privacy Control. Partially as a result of these developments, individuals are becoming increasingly resistant to the collection, use, and sharing of personal information to deliver targeted advertising. Individuals are now more aware of options related to consent, "do not track" mechanisms (such as browser opt-out signals from the Global Privacy Control), and "ad-blocking" software to prevent the collection of their personal information for targeted advertising purposes. As a result, we may be required to change the way we market our products, and any of these developments or changes could materially impair our ability to reach new or existing customers or otherwise negatively affect our operations.

The market for technology solutions for law firms, private enterprises and government and other organizations is highly fragmented, competitive and constantly evolving. With the introduction of new technologies and market entrants, we expect that the competitive environment in which we compete will remain intense going forward. Almost all potential customers have existing solutions for ediscovery and legal document review in place, which typically consists of a mix of cloud-based solutions, on-premise point solutions and human professional service providers to deliver these solutions. Our competitors include (i) legal services providers, including large dedicated legal services providers such as Consilio LLC, Epiq Systems, Inc. and KLDiscovery Inc., the legal services divisions of large professional firms such as Deloitte & Touche LLP, Ernst and Young LLP, KPMG LLP and PricewaterhouseCoopers LLP, as well as a large number of smaller regional and local services companies and certain law firms providing in-house ediscovery and document review solutions; (ii) legacy on-premise software providers, such as Nuix Limited, Open Text Corporation and Relativity ODA LLC, or Relativity, RELX PLC and Thomson Reuters Corporation; and (iii) cloud software providers, such as Everlaw, Inc., Relativity through its RelativityOne offering, and Reveal Data Corporation (recently acquired Logik Systems, Inc. - d.b.a. Logikcull). In addition, we expect to expand our product offerings to address additional areas of the legal function and we likely face further competition from existing companies in such areas. Some of our competitors have made or may make acquisitions or be acquired by private equity sponsors, enterprises or special purpose acquisition companies or may enter into commercial relationships or other strategic relationships that may provide more comprehensive offerings than they individually had offered. Such acquisitions or relationships may help competitors achieve greater economies of scale than us. In addition, new entrants not currently considered to be competitors may enter the market through acquisitions, partnerships or strategic relationships. We compete on the basis of a number of factors, including: - our product offerings' functionality, scalability, performance, ease of use, reliability, security, availability and cost-effectiveness relative to that of our competitors' products and services;- our ability to utilize new and proprietary technologies to offer services and features previously not available in the marketplace;- our ability to identify new markets, applications and technologies;- our ability to attract and retain customers;- our brand, reputation and trustworthiness;- perceptions about the security, privacy and availability of our product offerings relative to competitive products and services;- the quality of our customer support;- our ability to recruit software developers and sales and marketing personnel; and - our ability to protect our intellectual property. Our competitors vary in size and in the breadth and scope of the products and services offered. Many of our competitors and potential competitors have greater name recognition, greater market penetration, longer operating histories, more established customer relationships and installed customer bases and substantially greater financial, human, technical and other resources than we do and may be able to offer competing solutions to potential customers on more favorable terms than us. While some of our competitors provide a platform with applications to support one or more use cases, many others provide point solutions that address a single use case. Other potential competitors not currently offering competitive applications may expand their product offerings to compete with our product offerings. Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards and customer requirements. An existing competitor or new entrant could introduce new technology that reduces demand for our product offerings. In addition to application and technology competition, we face pricing competition. Some of our competitors offer their applications or services at a lower price, which has resulted in pricing pressures. Some of our larger competitors have the operating flexibility to bundle competing applications and services with other offerings, including offering them at a lower price or for no additional cost to customers as part of a larger sale of other products. For all of these reasons, we may not be able to compete successfully and competition could result in the failure of our product offerings to achieve or maintain market acceptance, any of which could harm our business.

We believe that maintaining and enhancing our brand is important to continued market acceptance of our existing and future product offerings, attracting new customers and retaining existing customers. We also believe that the importance of brand recognition will increase as competition in our market increases. Successfully maintaining and enhancing our brand will depend largely on the effectiveness of our marketing efforts and strategies, our ability to provide reliable product offerings that continue to meet the needs of our customers at competitive prices, our ability to maintain our customers' trust, our ability to continue to develop new functionality for our product offerings and our ability to successfully differentiate our product offerings from competitive products and services. Additionally, our brand and reputation may be affected if customers do not have a positive experience with our law firm and other legal services provider partners' services. Our brand promotion activities may not generate customer awareness or yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incurred in building our brand. If we fail to successfully promote and maintain our brand, our business may be harmed. Furthermore, any negative publicity relating to our employees, customers or others associated with these parties may also tarnish our own reputation and may reduce the value of our brand. For example, we have experienced negative publicity following the departure of our former Chief Executive Officer, which negative publicity may affect perception of our brand. Damage to our brand and reputation may result in reduced demand for our product offerings and increased risk of losing market share to our competitors. Any efforts to restore the value of our brand and rebuild our reputation may be costly and may not be successful.

Our results of operations may vary based on the impact of changes in the global economy on us, our industry or our customers and potential customers. Negative conditions in the general economy both in the United States and abroad, including conditions resulting from a global or domestic recession or the fear thereof, inflation, fluctuations in interest rates, changes in gross domestic product growth, financial and credit market fluctuations, political turmoil, natural catastrophes, lower corporate earnings, reduction in business confidence and activity, warfare and terrorist attacks on the United States, Europe, the Asia-Pacific region, or elsewhere, could cause a decrease in business investments, including spending on information technology, which would harm our business. This risk is presently heightened by the uncertain economic impact of ongoing inflation, fluctuations in interest rates and other macroeconomic pressures in the U.S. and the global economy, as well as the impact of Russia-Ukraine and Israel-Hamas wars and the related political and economic response. To the extent that our product offerings are perceived by customers and potential customers as too costly, or difficult to deploy or migrate to, our revenue may be disproportionately affected by delays or reductions in general information technology spending. Moreover, corporate entities may elect to reduce legal spending, both internally and through outside counsel, or be less willing to try alternatives to the traditional legal function. Also, our competitors, many of which are larger and have greater financial resources than we do, may respond to market conditions by lowering prices and attempting to lure away our customers. The increased pace of consolidation in certain industries, in part due to opportunistic acquisitions in a depressed valuation environment, may also result in reduced overall spending on information technology and legal services. We cannot predict the timing, strength or duration of any economic slowdown, instability or recovery, generally or within any particular industry.

A component of our growth strategy involves the further expansion of our operations and customer base internationally. For the three and nine months ended September 30, 2024, the percentage of revenue generated from customers outside the United States was less than 10% of our total revenue. We are continuing to adapt to and develop strategies to address international markets but there is no guarantee that such efforts will have the desired effect. In connection with such expansion, we may face difficulties, including costs associated with expansion, varying seasonality patterns, potential adverse movement of currency exchange rates, longer payment cycle difficulties in collecting accounts receivable in some countries, increased management, travel, infrastructure and legal compliance costs associated with having operations and developing our business in multiple jurisdictions, different technical standards, existing or future regulatory and certification requirements and required features and functionality, political and economic conditions and uncertainty in each country or region in which we operate and general economic and political conditions and uncertainty around the world, tariffs and trade barriers, a variety of regulatory or contractual limitations on our ability to operate, adverse tax events, reduced protection of intellectual property rights in some countries and a geographically and culturally diverse workforce and customer base. In addition, our product offerings have been developed with a focus on the practice of law in the United States and the rules and regulations applicable domestically in the United States and we may be required to expend substantial time and resources to update our product offerings or develop new applications to address alternative systems of legal resolution in other jurisdictions. Furthermore, in certain jurisdictions in which we seek to enter, the rules and regulations governing the practice of law and e-discovery may impose additional obligations or restrictions on our operations. Failure to overcome any of these difficulties could harm our business. Our limited experience in operating our business internationally increases the risk that any potential future expansion efforts that we may undertake will not be successful. If we invest substantial time and resources to further expand our international operations and are unable to do so successfully and in a timely manner, our business may be harmed.

Our sales contracts are primarily denominated in U.S. dollars and therefore substantially all of our revenue is not subject to foreign currency risk. However, a strengthening of the U.S. dollar could increase the real cost of our product offerings to our customers outside of the United States, which could adversely affect our operating results. In addition, an increasing portion of our operating expenses are incurred and an increasing portion of our assets are held outside the United States. These operating expenses and assets are denominated in foreign currencies and are subject to fluctuations due to changes in foreign currency exchange rates. While we do not currently engage in hedging efforts, if we do not successfully hedge against the risks associated with currency fluctuations as our international operations and customer base grow, our business may be harmed.