MariaDB (MRDB) Risk Analysis

Our operations involve the collection, use, retention, processing and transfer of data, including the personal data of our customers. Consequently, we are subject to complex and evolving U.S., U.K., European, Asian and other jurisdictions' laws, rules, regulations, orders and directives (referred to as "privacy laws"), where we offer our software and services. The regulatory framework for privacy issues worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws, rules and regulations regarding the collection, use, storage and disclosure of personal information and breach notification procedures. Our customers who are located all over the world can use our software and services to collect, process and store personal information. Interpretation of these laws, rules and regulations and their application to our software and professional services in the United States and foreign jurisdictions is ongoing and cannot be fully determined at this time. Any failure, or perceived failure, by us to comply with any applicable privacy laws in one or more jurisdictions could result in proceedings or actions against us by governmental entities or others, including class action privacy litigation in certain jurisdictions, leading to significant fines, penalties, judgments and reputational damage to us, changes to our business practices and increased costs and complexity of compliance, any of which could materially and adversely affect our business, financial condition, results of operations and prospects. In the United States, these include rules and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, the Gramm Leach Bliley Act and state laws relating to privacy and data security. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply, including but not limited to the United Kingdom and the EU. The EU's data protection landscape could result in significant operational costs for internal compliance and risk to our business. The EU has adopted the General Data Protection Regulation, or GDPR, and together with national legislation, regulations and guidelines of EU member states, contains numerous requirements with increased jurisdictional reach of the European Commission, more robust obligations on data processors and additional requirements for data protection compliance programs by companies. EU member states are tasked under the GDPR to enact, and have enacted, certain legislation that adds to or further interprets the GDPR requirements and potentially extends our obligations and potential liability for failing to meet such obligations. Among other requirements, the GDPR regulates transfers of personal data subject to the GDPR to the United States as well as other third countries that have not been found to provide adequate protection to such personal data. The GDPR provides greater control for data subjects (for example, the "right to be forgotten"), increased data portability for EU consumers, data breach notification requirements and increased fines. In particular, under the GDPR, fines of up to 20 million euros or 4% of the annual global revenue of the noncompliant company, whichever is greater, could be imposed for violations of certain of the GDPR's requirements. Such penalties are in addition to any civil litigation claims by customers and data subjects. The GDPR requirements apply not only to third-party transactions, but also to transfers of information between us and our subsidiaries, including employee information. While we have taken steps to mitigate the impact on us with respect to transfers of data, the efficacy and longevity of these transfer mechanisms remains uncertain. The occurrence of unanticipated events and development of evolving technologies often rapidly drives the adoption of legislation or regulation affecting the use, collection or other processing of data and the manner in which we conduct our business. The GDPR imposes strict rules on the transfer of personal data out of the EU to a "third country," including the United States. These obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other requirements or our practices. The Court of Justice of the European Union, or CJEU, on July 16, 2020 invalidated the EU-U.S. Privacy Shield framework, which provided companies with a mechanism to comply with data protection requirements when transferring personal data from the EU to the United States, on the grounds that the Privacy Shield had failed to offer adequate protections to EU personal data transferred to the United States. In addition, the CJEU imposed additional obligations on companies when relying on standard contractual clauses approved by the European Commission (a standard form of contract used as an adequate personal data transfer mechanism, and potential alternative to the Privacy Shield), making it clear that reliance on them alone may not necessarily be sufficient in all circumstances. Use of the standard contractual clauses must now be assessed on a case-by-case basis taking into account the legal regime applicable in the destination country, in particular applicable surveillance laws and rights of individuals. The use of standard contractual clauses for the transfer of personal data specifically to the United States remains under review by a number of European data protection supervisory authorities, along with those of some other EU member states. German and Irish supervisory authorities have indicated, and enforced in recent rulings, that the standard contractual clauses alone provide inadequate protections for EU – U.S. data transfers. On August 10, 2020, the U.S. Department of Commerce and the European Commission announced new discussions to evaluate the potential for an enhanced EU – U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the CJEU. Further, on June 7, 2021, the European Commission published new versions of the standard contractual clauses, or the "SCCs," for comment. This creates an additional compliance obligation on our business, as new contracts need to incorporate the new SCCs and existing contracts using the old SCCs need to be amended to incorporate the new SCCs within the 18-month time period designated by the European Commission. As of September 27, 2021, organizations must use the new SCCs when entering into new contracts. Furthermore, organizations were required to update existing contracts by December 27, 2022, to incorporate the new SCCs and take appropriate measures to comply with any requirements arising from such new SCCs. On March 25, 2022, the European Commission and the United States announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework, which must now be transcribed into legal text that will form the basis of a draft adequacy decision to be proposed by the European Commission. The foregoing places additional onerous obligations on us, which has and will continue to result in increased costs and changes in business practices and policies to comply with these various obligations. The Swiss Federal Data Protection and Information Commissioner also has stated that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of personal data transfers from Switzerland to the United States. The United Kingdom's decision to exit from the EU created a need for the U.K. to adopt its own data privacy laws and regulations, which have sometimes led to an absence of clearly applicable U.K. law where the U.K.'s timeline for creating laws and regulations lagged behind the EU. For example, in the U.K., the Data Protection Act contains provisions, including its own derogations, for how the GDPR is applied in the U.K. We have to comply with the GDPR and also the U.K.'s Data Protection Act. We may be required to take additional steps to legitimize any personal data transfers impacted by these or other developments and be subject to increasing costs of compliance and limitations on our customers and us. More generally, we may find it necessary or desirable to modify our data handling practices, and the CJEU decision or other legal challenges relating to cross-border data transfer may serve as a basis for our personal data handling practices, or those of our customers and vendors, to be challenged and may otherwise adversely affect our business, results of operations and financial condition. On June 28, 2021, the European Commission issued the U.K. with an "adequacy decision" to facilitate the continued free flow of personal data from EU member states to the U.K. However, this adequacy decision has a limited duration of four years in case there is a future divergence between EU and U.K. data protection laws. In the event that the U.K. maintains an equivalent standard at the end of the four-year period, it is open to the European Commission to renew its finding. In the event that the adequacy decision is not renewed after this time, the adjustments required to facilitate data transfers from EU member states to the U.K. may lead to additional costs as we try to ensure compliance with new privacy legislation and will increase our overall risk exposure. We are also subject to evolving EU privacy laws on cookies and e-marketing. In the EU, regulators are increasingly focusing on compliance with requirements in the online behavioral advertising ecosystem, and an EU regulation known as ePrivacy Regulation will significantly increase fines for non-compliance once in effect. In the EU, informed consent, including a prohibition on pre-checked consents and a requirement to ensure separate consents for each cookie, is required for the placement of a cookie or similar technologies on a user's device and for direct electronic marketing. As regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, require significant system changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, negatively impact our efforts to understand customers, adversely affect our margins, increase costs, and subject us to additional liabilities. In August 2021, China passed its Personal Information Protection Law, or PIPL, which became effective in November 2021. PIPL provides a comprehensive set of rules for how business operators should collect, use, process, share and transfer personal data, and for companies that are certified as critical information infrastructure operators, require personal data to be stored on servers physically located in China. PIPL extends to data processing activities outside China if the purpose is to provide products or services to individuals located in China or to analyze or assess the behaviors of individuals located in China. PIPL includes monetary penalties for noncompliance, which include 5% of a company's previous year's revenues and the potential for a company's business license to be revoked. It is unclear how PIPL will be interpreted and applied and its impact on our operations. We may find it necessary or desirable to modify our data handling practices, create policies or procedures, enter into certain contractual agreements, adopt additional data transfer mechanisms, implement increased security measures, modify our operations, or take any other legal or business steps to comply with PIPL to the extent it is deemed to apply to any parts of our business or data processing. In addition, domestic data privacy laws at the state and local level continue to evolve and could require us to modify our data processing practices and policies and expose us to further regulatory or operational burdens. For example, the California Consumer Privacy Act ("CCPA") took effect in January 2020 and was subsequently modified by the California Privacy Rights Act ("CPRA"), which took effect in January 2023. The CCPA imposes obligations on companies that process California residents' personal information, including an obligation to provide certain new disclosures to such residents and creates new consumer rights. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation. The CPRA also created a new state agency vested with authority to implement and enforce the CCPA and the CPRA. Additionally, other states, including Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, Montana, Florida, Oregon, Texas and Virginia, have enacted privacy laws that have gone into effect or will go into effect in the coming years. While these new privacy laws may share similarities with each other, they differ in many ways and we must comply with each if our operations fall within their scopes. Similar laws have been proposed in other states and at the federal level. We expect that existing and any new legislation will continue to add additional complexity and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs or changes in business practices and policies. Complying with these laws, regulations, amendments to or re-interpretations of existing laws and regulations and contractual or other obligations relating to data privacy, security, protection, transfer, localization and information security may require us to make changes to our products and services to enable us or our customers to meet new legal requirements, incur substantial operational costs, modify our data practices and policies and restrict our business operations. In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards, and our customers may expect us to meet certain voluntary certification and other standards established by such third parties. Any actual or perceived failure by us to comply with these laws, regulations or other obligations or standards may lead to significant fines, penalties, regulatory investigations, lawsuits, significant costs for remediation, damage to our reputation or other liabilities. Additionally, because the interpretation and application of many data privacy, security and protection laws along with contractually imposed industry standards are uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our products and services. If so, in addition to the possibility of fines, lawsuits, regulatory enforcement or orders, investigations, imprisonment of company employees and public censure, other claims and penalties, significant costs for remediation and damage to our reputation, we could be required to fundamentally change our business activities and practices or modify our services and product capabilities, any of which could require significant additional expense and have an adverse effect on our business, including impacting our ability to innovate, delaying our product development roadmap and adversely affecting our relationships with customers and our ability to effectively compete. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, rules, standards, contractual obligations, policies and other obligations related to privacy, data protection and security- that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our products and services. Privacy concerns, whether valid or not valid, may inhibit market adoption of our products and services, particularly in certain industries and foreign countries.

We collect, use, store, transmit and process data as part of our business operations, including personal data for our customers in and across multiple jurisdictions. We also use third-party service providers to collect, use, store, transmit, maintain and otherwise process such information. Increasingly, a variety of cyber threats have become more prevalent in our industry and our customers' industries. With our employees and many employees of third-party service providers working remotely, we may be exposed to increased risks of security breaches or incidents. Security incidents could result in unauthorized access to, damage to, misuse of, disclosure of, modification of, destruction of or loss of our data or customer data (including personal data), software or systems, or disrupt our ability to provide our products and services. Any actual or perceived security incident could interrupt our operations, harm our reputation and brand, result in significant remediation and cybersecurity protection costs, result in lost revenue, lead to regulatory investigations and orders, litigation, disputes, indemnity obligations, damages for breach of contract, penalties for violation of applicable laws and regulations and other legal risks, increase our insurance premiums, and result in any other financial exposure. We have taken steps to protect the data on our systems and IT infrastructure, but no security measures can protect against all anticipated risks with certainty, and our security measures or those of our customers or third-party service providers could be breached as a result of third-party action, employee or user errors, technological limitations, defects or vulnerabilities in our systems or offerings or those of our third-party service providers, malfeasance, fraud, computer malware, viruses, cyber incidents, or from accidental technological failure or otherwise. We have experienced and may continue to experience security incidents and attacks of varying degrees from time to time. We may need to enhance the security of our products and services, our data, our systems and our internal IT infrastructure, which may require additional resources and substantial costs and may not be successful. We have developed systems and processes to protect the integrity, confidentiality, availability and security of our data and software, but our security measures or those of our customers or third-party service providers may not mitigate against current or future security threats and could result in unauthorized access to, damage to, disablement or encryption of, use or misuse of, disclosure of, modification of, destruction of or loss of such data and software. Through contractual provisions and third-party risk management processes, we take steps to require that our third-party providers and their subcontractors protect our data, but because we do not control our third-party service providers and our ability to monitor their data security is limited, we cannot ensure the security measures they take will be sufficient to protect our data. A vulnerability in a third-party provider's or a customer's software or systems, a failure of our customers' or third-party providers' safeguards, policies or procedures or a breach of a customer's or third-party provider's software or systems could result in the compromise of the confidentiality, integrity or availability of our systems or the data housed in our third-party solutions. Further, because there are many different security breach techniques, which can originate from a wide variety of sources, including outside groups (such as external service providers, organized crime affiliates, terrorist organizations, or hostile foreign governments or agencies), and such techniques continue to evolve, including through the use of AI to launch more automated, targeted and coordinated attacks, and may not be not detected until after an incident has occurred, we may be unable to implement adequate preventative measures, anticipate or prevent attempted security breaches or other security incidents or react in a timely manner. Even when a security breach or incident is detected, the full extent of the breach or incident may not be determined immediately. The costs to us to mitigate technological failures, bugs, viruses, computer malware and security vulnerabilities could be significant and, while we have implemented security measures to protect our systems and IT infrastructure, our efforts to address these problems may not be successful. Many governments have enacted laws requiring companies to notify individuals of data security incidents or unauthorized transfers involving certain types of personal data. Accordingly, security incidents that we, our competitors, our customers or our third-party service providers experience may lead to negative publicity and harm our reputation. Any security breach or other security incident that we or our third-party service providers experience, or the perception that one has occurred, could result in a loss of customer confidence in the security of our products and services, harm our reputation and brand, reduce the demand for our products and services, disrupt normal business operations, require us to spend material resources to investigate or correct the breach and to prevent future security breaches and incidents or expose us to legal liabilities, including claims, litigation, regulatory enforcement and orders, investigations, indemnity obligations, significant costs for remediation, any of which could adversely affect our operations. Moreover, our insurance coverage, subject to applicable deductibles, may not be adequate for liabilities incurred or cover any indemnification claims against us relating to any security incident or breach or an insurer may deny or exclude from coverage certain types of claims. In addition, our remediation efforts may not be successful. We cannot ensure that any limitation of liability provisions in our customer, partner, vendor and other contracts would be enforceable or adequate with respect to any security lapse or breach or other security incident or would otherwise protect us from any liabilities or damages with respect to any particular claim. These risks may increase as we continue to grow and evolve our offerings to collect, host, process, store and transmit increasing volumes of data. In addition, these risks may increase if the type of data that we collect, host, process, store and transmit increasingly include sensitive and regulated data, such as protected health information or credit card information.

The database software market, for both relational and non-relational database products, is highly competitive, rapidly evolving and others may offer competing database solutions or sell services in connection with existing open source databases, including ours. The principal competitive factors in our market include: mindshare with software developers and IT executives; product capabilities, including flexibility, scalability, performance, security and reliability; flexible deployment model, including in the cloud, on-premise or in a hybrid environment; ease of deployment; breadth of use cases supported; ease of integration with existing IT infrastructure; robustness of professional services and customer support; price; overall cost of use; adherence to industry standards and certifications; size of customer base and level of user adoption; strength of subscription sales and marketing efforts; and brand awareness and reputation. If we fail to compete effectively with respect to any of these competitive factors, we may fail to attract new customers or lose or fail to renew existing customers, which would cause our business operations to suffer. We primarily compete with legacy relational database software providers such as IBM, Microsoft and Oracle, as well as providers of NoSQL database solutions, such as MongoDB and Couchbase. We also compete with public cloud service providers such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Alibaba Cloud, IBM Cloud and Oracle Cloud, that offer database functionalities or managed database services based on a variety of database technologies (including open source databases such as MySQL, MariaDB, or PostgreSQL). In the future, other large software and internet companies may seek to enter our market. Additionally, potential customers may also adopt other open-source relational database offerings, such as PostgreSQL and MySQL. Some of our actual and potential competitors, in particular the legacy relational database providers, have advantages over us, such as longer operating histories, more established relationships with current or potential customers and commercial partners, significantly greater financial, technical, marketing or other resources, stronger brand recognition, larger intellectual property portfolios and broader global distribution and presence. Such competitors may make their products available at a low cost or no cost basis in order to enhance their overall relationships with current or potential customers. Our competitors may also be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, laws and regulations or customer requirements. With the introduction of new technologies and new market entrants, we expect competition to intensify in the future. In addition, some of our larger competitors have substantially broader offerings and can bundle competing products with hardware or other software offerings, including their cloud computing and customer relationship management platforms. As a result, customers may choose a bundled offering from our competitors, even if individual products have more limited functionality compared to our software. These larger competitors are also often in a better position to withstand any significant reduction in technology spending, and will therefore not be as susceptible to competition or economic downturns. In addition, some competitors may offer products or services that address one or a limited number of functions at lower prices, with greater depth than our products or in geographies where we do not operate. Furthermore, our actual and potential competitors may establish cooperative relationships among themselves or with third parties that may further enhance their resources and offerings in the markets we address. In addition, third parties with greater available resources may acquire current or potential competitors. As a result of such relationships and acquisitions, our actual or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their offerings more quickly than we do. For all these reasons, competition may negatively impact our ability to maintain and grow consumption of our products and services or may put downward pressure on our prices and gross margins, any of which could materially hurt our reputation, business, results of operations or financial condition.

Our MariaDB Enterprise Server is available by subscription only, and. many of our subscription contracts for MariaDB Enterprise Server were one year in duration in the fiscal years ended September 30, 2022 and September 30, 2023. For us to maintain or improve our results of operations, it is important that our customers renew their subscriptions with us when the existing subscription term expires, and renew on the same or more favorable terms and expand the products and services they use. Our customers have no obligation to renew their subscriptions, and we may not be able to accurately predict customer renewal rates. Historically, some of our customers have elected not to renew their subscriptions with us for a variety of reasons, including because of changes in their strategic IT priorities, budgets, costs, and, in some instances, due to competing solutions. Our revenue retention rate may also decline or fluctuate as a result of a number of other factors, including our customers' satisfaction or dissatisfaction with our software, the increase in the contract value of subscription and support contracts from new customers, the effectiveness of our customer support services, our pricing, the prices of competing products or services, mergers and acquisitions affecting our customer base, global economic conditions, and the other risk factors described herein. As a result, we cannot assure you that customers will renew subscriptions or increase their usage of our software and related services. If our customers do not renew their subscriptions or renew on less favorable terms, or if we are unable to expand our customers' use of database products and related services, our business, results of operations and financial condition may be adversely affected.

We believe that developing and maintaining widespread awareness of our brand, including with developers, is critical to achieving widespread acceptance of our products and services and attracting new customers. Our brand promotion activities may not be successful at attracting developers or customers. In addition, independent industry analysts often provide reports of our products and services, as well as the offerings of our competitors, and perception of our products and services in the marketplace may be significantly influenced by these reports. If these reports are negative, or less positive as compared to those of our competitors, our reputation and brand may be adversely affected. If we fail to successfully promote and maintain our brand, we may fail to attract or retain the developers and customers necessary to realize a sufficient return on our brand-building efforts, or to achieve the widespread brand awareness that is critical for broad adoption of our products. If we are unable to establish name recognition and differentiate our products and services, then we may not be able to compete effectively and our business may be adversely affected. The maintenance and promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, we expand into new geographies, and markets and more sales are generated through our partners. Because our technology, including the MariaDB Community Server, is available on an open source basis, other companies may promote it as part of their other commercial products and services, which may lead to market confusion and dilution of the MariaDB brand. For instance, public clouds, including AWS and Azure, offer managed database services based on the MariaDB Community Server through their platforms using the MariaDB trademark without licenses or other agreements with us beyond the open source license to the MariaDB Community Server. Additionally, we may be unable to successfully differentiate our brand from the activities of the MariaDB Foundation, which was established to steward the MariaDB Open Source Project. While we have been a long-term sponsor of the MariaDB Foundation, the foundation is a distinct entity that operates separately from us. Our brand promotion activities may not generate customer awareness or yield increased revenue. In addition, any increase in revenue from such brand promotion initiatives may not offset the increased expenses we incur. If we do not successfully maintain and enhance our reputation and brand, we may have reduced pricing power relative to our competitors, we could lose customers, and we could fail to attract new customers or expand sales to our existing customers, all of which may materially and adversely affect our business, financial condition and results of operations.

A component of our growth strategy involves the further expansion of our operations and customer base internationally. As of September 30, 2023, we have employees or utilize contractors in 28 different countries. The company's primary geographic markets are North and South America (Americas), Europe, Middle East and Africa ("EMEA") and Asia Pacific ("APAC"). We are continuing to adapt to and develop strategies to address international markets, but there is no guarantee that such efforts will have the desired effect. For example, we anticipate that we will need to broaden existing relationships or establish relationships with new partners in order to expand into certain countries, and if we fail to identify, establish and maintain such relationships, we may be unable to execute on our expansion plans. We expect that our international activities will continue to grow for the foreseeable future as we continue to pursue opportunities in existing and new international markets, which will require significant dedication of management attention and financial resources. Our current and future international business and operations involve a variety of risks, including: - the regulatory and operational challenges of efficiently managing, as well as the increased costs associated with, a dispersed workforce of employees and contractors over large geographic distances, including with recruiting and retaining talent and implementing appropriate systems, policies, benefits and compliance programs that are specific to each jurisdiction;- changes in a specific country's or region's political, economic or legal and regulatory environment, pandemics, tariffs, trade wars or long-term environmental risks;- risks associated with trade and investment restrictions and foreign legal requirements, including regarding importation, exportation, certification and localization of our products and services in foreign countries;- greater difficulty collecting accounts receivable and longer payment cycles;- costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations, including, but not limited to, laws and regulations governing our corporate governance, employees and contractors, product licenses, data privacy, data protection and data security regulations, particularly in the EU and China;- unexpected changes in trade relations, regulations or laws;- new, evolving and more stringent regulations and enforcement relating to foreign investments (such as CFIUS), privacy and data security and the unauthorized use of, or access to, commercial, technical, and personal information, particularly in connection with Europe and Asia;- differing and potentially more onerous labor regulations, especially in Europe, where labor laws are generally more advantageous to employees as compared to the United States, including deemed hourly wage, overtime and time off regulations in these locations;- difficulties in managing a business in new markets with diverse cultures, languages, customs, legal systems, alternative dispute systems and regulatory systems;- increased travel, real estate, infrastructure and legal compliance costs associated with international operations;- currency exchange rate fluctuations and the resulting effect on our revenue and expenses, and the cost and risk of entering into hedging transactions if we chose to do so in the future;- limitations on our ability to reinvest earnings from operations in one country to fund the capital needs of our operations in other countries;- laws and business practices favoring local competitors or general market preferences for local vendors;- limited or insufficient intellectual property protection or difficulties obtaining, maintaining, protecting or enforcing our intellectual property rights, including our trademarks and patents;- political instability, warfare or terrorist activities;- exposure to regional or global public health issues, pandemics or epidemics, such as the outbreak of the COVID-19 pandemic, that could result in decreased economic activity in certain markets, decreased use of our products and services, or in our decreased ability to import, export or sell our products and services to existing or new customers in international markets;- exposure to liabilities under anti-corruption and anti-money laundering laws, including the FCPA, U.S. bribery laws, the U.K. Bribery Act and similar laws and regulations in other jurisdictions;- burdens of complying with laws and regulations related to taxation; and - regulations, adverse tax burdens and foreign exchange controls that could make it difficult to repatriate earnings and cash. If we invest substantial time and resources to further expand our international operations and are unable to do so successfully and in a timely manner, our business, results of operations and financial condition will suffer.

Our corporate headquarters is located in Redwood City, California, and we have offices in a number of other locations. A significant natural disaster or man-made problem, such as an earthquake, fire, flood or an act of terrorism or war, occurring in any of these locations or where a business partner is located, could adversely affect our business, results of operations and financial condition. Further, if a natural disaster or man-made problem were to affect datacenters used by our cloud infrastructure service providers, this could adversely affect the ability of our customers to use our products. In addition, natural disasters and acts of terrorism or war could cause disruptions in our or our customers' businesses, national economies or the world economy as a whole. In the event of a major disruption caused by a natural disaster or man-made problem, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our development activities, lengthy interruptions in service, breaches of data security and loss of critical data, any of which could adversely affect our business, results of operations and financial condition. In addition, as computer malware, viruses, and computer hacking, fraudulent use attempts, phishing and other cyberattacks have become more prevalent, including attacks by state-sponsored organizations or sophisticated groups of hackers, we face increased risk from these activities to maintain the performance, reliability, security and availability of our subscription offerings and related services and technical infrastructure to the satisfaction of our customers, which may harm our reputation and our ability to retain existing customers and attract new customers.

As we continue to solidify our international operations, we become more exposed to the effects of fluctuations in currency exchange rates. Often, contracts executed by our foreign operations are denominated in the currency of that country or region and, therefore, revenue generated from international operations can be subject to foreign currency risks. A strengthening of the U.S. dollar could increase the real cost of our subscription offerings and related services to our customers outside of the United States, adversely affecting our business, results of operations and financial condition. We incur expenses for employee compensation and other operating expenses at our non-U.S. locations in the local currency. Fluctuations in the exchange rates between the U.S. dollar and other currencies could result in the dollar equivalent of such expenses being higher. This could have a negative impact on our reported results of operations. To date, we have not engaged in any hedging strategies, and any such strategies, such as forward contracts, options and foreign exchange swaps related to transaction exposures that we may implement in the future to mitigate this risk may not eliminate our exposure to foreign exchange fluctuations. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.