nCino (NCNO) Risk Analysis

We envision a future where artificial intelligence and machine learning is embedded throughout nCino's platform to help our customers maximize their productivity. We have incorporated and may continue to incorporate AI/ML solutions and features into our solutions, and otherwise within our business, and these solutions and features may become more important to our operations or to our future growth over time. There can be no assurance that we will realize the desired or anticipated benefits from AI/ML, or at all, and we may fail to properly implement or market our AI/ML solutions and features. Our competitors may incorporate AI/ML into their products, offerings, and solutions more quickly or more successfully than we do, which could impair our ability to compete effectively, and adversely affect our results of operations. Additionally, our AI/ML solutions and features may expose us to additional claims, demands, and proceedings by private parties and regulatory authorities and subject us to legal liability as well as brand and reputational harm. The legal, regulatory, and policy environments around AI/ML are evolving rapidly, and we may become subject to new legal and other obligations in connection with our use of AI/ML, which could require us to make significant changes to our policies and practices, necessitating expenditure of significant time, expense, and other resources. For example, in the EU/UK, laws and regulation regarding AI are developing at a fast pace. On March 13, 2024 the EU adopted its standalone law to govern the offering and use of AI systems in the EU (the "AI Act") and the UK intends to regulate AI via a sector-specific, principle-centered approach.

Certain elements of our solutions, particularly our analytics applications, process and store personally identifiable information ("PII") such as banking and personal information of our customers' clients, and we may also have access to PII during various stages of the implementation process or during the course of providing customer support. Furthermore, as we develop or acquire additional functionality, such as nCino Mortgage, we may gain greater access to PII. We maintain policies, procedures, and technological safeguards designed to protect the confidentiality, integrity, and availability of this information and our information technology systems. However, we and our third party service providers, frequently defend against and respond to data security incidents. We cannot entirely eliminate the risk of improper or unauthorized access to or disclosure of PII or other security events that impact the integrity or availability of PII or our systems and operations, or the related costs we may incur to mitigate the consequences from such events. Further, our products are flexible and complex software solutions and there is a risk that configurations of, or defects in, our solutions or errors in implementation could create vulnerabilities to security breaches. There may be continued unlawful attempts to disrupt or gain access to our information technology systems or the PII or other data of our customers or their clients that may disrupt our or our customers' operations. In addition, because we leverage third-party providers, including cloud, software, data center, and other critical technology vendors to deliver our solutions to our customers and their clients, we rely heavily on the data security technology practices and policies adopted by these third-party providers. A vulnerability in a third-party provider's software or systems, a failure of our third-party providers' safeguards, policies or procedures, or a breach of a third-party provider's software or systems could result in the compromise of the confidentiality, integrity, or availability of our systems or the data housed in our solutions. Cyberattacks and other malicious internet-based activity, including increased threats from the use of artificial intelligence, continue to increase and evolve, and cloud-based providers of products and services have been and are expected to continue to be targeted. In addition to traditional computer "hackers," malicious code (such as viruses and worms), phishing, employee theft or misuse, and denial-of-service attacks, sophisticated criminal networks as well as nation-state and nation-state supported actors now engage in attacks, including advanced persistent threat intrusions. Current or future criminal capabilities, discovery of existing or new vulnerabilities, and attempts to exploit those vulnerabilities or other developments, may compromise or breach our systems or solutions. In the event our or our third-party providers' protection efforts are unsuccessful and our systems or solutions are compromised, we could suffer substantial harm. A security breach could result in operational disruptions, loss, compromise or corruption of customer or client data or data we rely on to provide our solutions, including our analytics initiatives and offerings that impair our ability to provide our solutions and meet our customers' requirements resulting in decreased revenues and otherwise materially negatively impacting our financial results. Also, our reputation could suffer irreparable harm, causing our current and prospective customers to decline to use our solutions in the future. Further, we could be forced to expend significant financial and operational resources in response to a security breach, including repairing system damage, increasing security protection costs by deploying additional personnel and protection technologies, and defending against and resolving legal and regulatory claims, all of which could be costly and divert resources and the attention of our management and key personnel away from our business operations. Federal and state regulations may require us or our customers to notify individuals of data security incidents involving certain types of personal data or information technology systems, and those laws and regulations continue to evolve to add more reporting requirements on faster timelines. Security compromises experienced by others in our industry, our customers, or us may lead to public disclosures and widespread negative publicity. Any security compromise in our industry, whether actual or perceived, could erode customer confidence in the effectiveness of our security measures, negatively impact our ability to attract new customers, cause existing customers to elect not to renew or expand their use of our solutions, or subject us to third-party lawsuits, regulatory fines, or other actions or liabilities, which could materially and adversely affect our business and results of operations. In addition, some of our customers contractually require notification of data security compromises and include representations and warranties in their contracts with us that our solutions comply with certain legal and technical standards related to data security and privacy and meets certain service levels. In certain of our contracts, a data security compromise or operational disruption impacting us or one of our critical vendors, or system unavailability or damage due to other circumstances, may constitute a material breach and give rise to a customer's right to terminate their contract with us. In these circumstances, it may be difficult or impossible to cure such a breach in order to prevent customers from potentially terminating their contracts with us. Furthermore, although our customer contracts typically include limitations on our potential liability, there can be no assurance that such limitations of liability would be adequate. We also cannot be sure that our existing general liability insurance coverage and coverage for errors or omissions will be available on acceptable terms or will be available in sufficient amounts to cover one or more claims, or that our insurers will not deny or attempt to deny coverage as to any future claim. The successful assertion of one or more claims against us, the inadequacy or denial of coverage under our insurance policies, litigation to pursue claims under our policies, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or coinsurance requirements, could materially and adversely affect our business and results of operations. As cyber threats have evolved and continue to evolve, vulnerabilities in our solutions and information technology systems have been and will in the future be detected, and we expect to expend additional resources to continue to modify or enhance our layers of defense to remediate such vulnerabilities. System enhancements and updates create risks associated with implementing new systems and integrating them with existing ones, including risks associated with the effectiveness of our, our customers' and our third-party providers' software development lifecycles. Due to the complexity and interconnectedness of our systems and solutions, the process of enhancing our layers of defense, including addressing hardware-based vulnerabilities, can itself create a risk of systems disruptions and security issues. Customer utilization of older versions of our solutions can increase the risk and complexity of security vulnerabilities and the resources and time required to address them.

We currently compete with providers of technology and services in the financial services industry, primarily point solution vendors that focus on building functionality that competes with specific components of our solutions. From time to time, we also compete with systems internally developed by FIs. Many of our competitors have significantly more financial, technical, marketing and other resources than we have, may devote greater resources to the development, promotion, sale and support of their systems than we can, have more extensive customer bases and broader customer relationships than we have and have longer operating histories and greater name recognition than we do. We may also face competition from new companies entering our markets, which may include large established businesses that decide to develop, market or resell cloud-based banking technology, acquire one of our competitors or form a strategic alliance with one of our competitors or with Salesforce. In addition, new companies entering our markets may choose to offer cloud-based banking applications at little or no additional cost to the customer by bundling them with their existing applications, including adjacent banking technologies. Competition from these new entrants may make attracting new customers and retaining our current customers more difficult, which may adversely affect our results of operations. If we are unable to compete in this environment, sales and renewals of the nCino Bank Operating System could decline and adversely affect our business and results of operations. With the introduction of new technologies and potential new entrants into the cloud-based banking technology market, we expect competition to intensify in the future, which could harm our ability to increase sales and achieve profitability.

Our customers and prospective customers are highly regulated and are generally required to comply with stringent regulations in connection with performing business functions that our solutions address. As a provider of technology to FIs, we have been, and expect to continue to be, examined on a periodic basis by various regulatory agencies and may be required to review certain of our suppliers and partners. In addition, while much of our operations are not directly subject to the same regulations applicable to FIs, we are generally obligated to our customers to provide software solutions and maintain internal systems and processes that comply with certain federal and state regulations applicable to them. For example, as a result of obligations under some of our customer contracts, we are required to comply with certain provisions of the Gramm-Leach-Bliley Act ("GLBA") related to the privacy of consumer information and may be subject to other privacy and data security laws because of the solutions we provide to FIs. The GLBA includes limitations on FI's disclosure of nonpublic personal information about a consumer to nonaffiliated third parties, in certain circumstances requiring FIs to limit the use and further disclosure of nonpublic personal information to nonaffiliated third parties and requiring FIs to safeguard nonpublic personal information. Banking regulations for information security and breach notification also impose obligations on us due to our relationships with customers that increase our information security obligations and customers may impose additional information security standards upon us, such as those relating to the New York Department of Financial Services Cybersecurity Regulation. Matters subject to review and examination by federal and state FI regulatory agencies and external auditors include our internal information technology controls in connection with our performance of data processing services, the agreements giving rise to those processing activities, and the design of our solutions. Any inability to satisfy these examinations and maintain compliance with applicable regulations could adversely affect our ability to conduct our business, including attracting and maintaining customers. If we have to make changes to our internal processes and solutions as result of these regulations, we could be required to invest substantial additional time and funds and divert time and resources from other corporate purposes to remedy any identified deficiency. The evolving, complex, and often unpredictable regulatory environment in which our customers operate could result in our failure to provide compliant solutions, which could result in customers not purchasing our solutions or terminating their contracts with us or the imposition of fines or other liabilities for which we may be responsible. In addition, federal, state, and/or foreign agencies may attempt to further regulate our activities in the future which could adversely affect our business and results of operations.

We are presently subject to a purported stockholder derivative lawsuit alleging violation of fiduciary duties with the series of mergers in which we became the parent of nCino OpCo and SimpleNexus. The court dismissed these claims and that decision is currently under appeal. We may, in the future, become subject, from time to time, to other legal proceedings and claims that arise in the ordinary course of business, such as claims brought by our customers in connection with commercial disputes or employment claims made by current or former employees. Legal proceedings might result in damages and harm to our operations and prospects, reputational damage, substantial costs, and may divert management's attention and resources, which might adversely impact our business, overall financial condition, and results of operations. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims, and might not continue to be available on terms acceptable to us. Moreover, any negative impact to our reputation will not be adequately covered by any insurance recovery. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, thereby reducing our results of operations and leading analysts or potential investors to reduce their expectations of our performance, which could reduce the value of our common stock.

The rules dealing with U.S. federal, state, and local income taxation are constantly under review by persons involved in the legislative process and by the Internal Revenue Service and the U.S. Treasury Department. Changes to tax laws (which changes may have retroactive application) could adversely affect us or holders of our common stock. In recent years, many such changes have been made and changes are likely to continue to occur in the future. For example, the Tax Cuts and Jobs Act was enacted in 2017 and made a number of significant changes to the current U.S. federal income tax rules, including reducing the generally applicable corporate tax rate from 35% to 21%, imposing additional limitations on the deductibility of interest, placing limits on the utilization of NOLs, and making substantial changes to the international tax rules. In addition, on March 27, 2020, the CARES Act was signed into law, which included certain changes in tax law intended to stimulate the U.S. economy in light of the COVID-19 pandemic, including temporary beneficial changes to the treatment of net operating losses, interest deductibility limitations, and payroll tax matters. Many of the provisions of the Tax Cuts and Jobs Act still require guidance through the issuance and/or finalization of regulations by the U.S. Treasury Department in order to fully assess their effects, and there may be substantial delays before such regulations are promulgated and/or finalized, increasing the uncertainty as to the ultimate effects of the Tax Cuts and Jobs Act on us and our stockholders. There also may be technical corrections legislation or other legislative changes proposed with respect to the Tax Cuts and Jobs Act, the effects of which cannot be predicted and may be adverse to us or our stockholders.

Personal privacy, information security, and data protection are significant issues in the U.S., the European Union ("EU"), the United Kingdom ("UK") and a number of other jurisdictions where we offer our solutions. The regulatory framework governing the collection, processing, storage, and use of certain information, particularly financial and other PII, is rapidly evolving. Any failure or perceived failure by us to comply with applicable privacy, security, or data protection laws, regulations, or industry standards may materially and adversely affect our business and results of operations. We expect that there will continue to be new proposed and adopted laws, regulations, and industry standards concerning privacy, data protection, and information security in the U.S., the EU, and other jurisdictions in which we operate. For instance, the California Consumer Privacy Act (the "CCPA") became effective on January 1, 2020. The CCPA gives California residents expanded rights to access and delete their personal information, receive detailed information about how their personal information is used and shared by requiring covered companies to provide new disclosures to California consumers (as that term is broadly defined), and provide such consumers rights to opt-out of certain sales of personal information. The CCPA provides for potential civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. The California Privacy Rights Act (the "CPRA"), which expands the CCPA, passed in November 2020 and went into effect on January 1, 2023, potentially requiring still to be determined additional compliance investment and potential business process changes. Among other things, the CPRA imposes additional data protection obligations on companies doing business in California, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It has also created a new California data protection agency authorized to issue substantive regulations which could result in increased privacy and information security enforcement. Additionally, other U.S. states are proposing and enacting laws and regulations that impose obligations similar to the CCPA or that otherwise involve significant obligations and restrictions. If passed, such laws will require additional resources to ensure compliance, and may have potentially conflicting requirements that would make compliance challenging. Privacy and cybersecurity laws continue to evolve to impose ever stricter standards for the collection, use, dissemination and security of personally identifiable information, including financial information. Actual, potential, or perceived violations of such laws could result in regulatory investigations, fines, orders to cease/change our use of such technologies and processing of personal data, as well as civil claims including class actions, reputational damage and ongoing compliance costs, any of which could harm our business, results of operations and financial condition. Moreover, federal, and state regulation around artificial intelligence may be expected in the near future, including developments in response to the recent Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence issued on October 30, 2023. Similarly, the European Economic Area (the "EEA") (comprised of the EU Member States and Iceland, Liechtenstein and Norway) adopted the General Data Protection Regulation (2016/679) (the "EU GDPR") in May 2018 and the UK implemented the EU GDPR by virtue of section 3 of the European Union (Withdrawal) Act 2018 which sits alongside the UK Data Protection Act 2018 (known as the "UK GDPR", and together with the "EU GDPR", the "GDPR"). The GDPR has a direct effect where an entity is established in the EEA or the UK and has extra-territorial effect where an entity established outside of the EEA or UK processes personal data in relation to the offering of goods or services to individuals in the EEA and/or the UK or the monitoring of their behavior. The GDPR imposes a number of obligations on controllers, including, among others: (i) accountability and transparency requirements which require controllers to demonstrate and record compliance with the GDPR and to provide more detailed information to data subjects regarding processing; (ii) enhanced requirements for obtaining valid consent where consent is the lawful basis for processing; (iii) obligations to consider data protection as any new products or services are developed and to limit the amount of personal data processed; (iv) obligations to comply with data protection rights of data subjects including a right of access to and rectification of personal data, a right to obtain restriction of processing or to object to processing of personal data and a right to ask for a copy of personal data to be provided to a third party in a useable format and erasing personal data in certain circumstances and the right not to be subject to solely automated decision-making; (v) obligations to implement appropriate technical and organizational security measures to safeguard personal data; and (vi) obligations to report certain personal data breaches to the relevant supervisory authority without undue delay (and no later than 72 hours where feasible) and affected individuals, where the personal data breach is likely to result in a high risk to their rights and freedoms. Processors are required to notify the controller without undue delay after becoming aware of a personal data breach. In addition, the EU GDPR prohibits the international transfer of personal data from the EEA to countries outside of the EEA unless made to a country deemed to have adequate data privacy laws by the European Commission or a data transfer mechanism in accordance with the EU GDPR has been put in place or a derogation under the EU GDPR can be relied on. In July 2020, the Court of Justice of the European Union (the "CJEU") in its Schrems II ruling invalidated the EU-U.S. Privacy Shield framework, a self-certification mechanism that facilitated the lawful transfer of personal data from the EEA to the U.S., with immediate effect. The CJEU upheld the validity of standard contractual clauses ("SCCs") as a legal mechanism to transfer personal data but companies relying on SCCs will need to carry out a transfer privacy impact assessment ("TIA") which, among other things, assesses laws governing access to personal data in the recipient country and considers whether supplementary measures that provide privacy protections additional to those provided under SCCs will need to be implemented to ensure an ‘essentially equivalent' level of data protection to that afforded in the EEA. The EU and U.S. governments have recently advanced the EU-U.S. Data Privacy Framework to foster EU-to-U.S. data transfers and address the concerns raised in the aforementioned CJEU decision, but it is uncertain whether this framework will be overturned in court like the previous two EU-U.S. bilateral cross-border transfer mechanism to replace the EU-US Privacy Shield framework. The UK GDPR imposes similar restrictions on transfers of personal data from the UK to jurisdictions that the UK does not consider adequate. The UK Government has published its own form of the EU SCCs, known as the International Data Transfer Agreement and an International Data Transfer Addendum to the new EU SCCs. The UK Information Commissioner's Office ("ICO") has also published its own version of the TIA and guidance on international transfers, although entities may choose to adopt either the EU or UK-style TIA. Further, on September 21, 2023, the UK Secretary of State for Science, Innovation and Technology established a UK-U.S. data bridge (i.e., a UK equivalent of the Adequacy Decision) and adopted UK regulations to implement the UK-U.S. data bridge ("UK Adequacy Regulations"). Personal data may now be transferred from the UK under the UK-U.S. data bridge through the UK extension to the DPF to organizations self-certified under the UK extension to DPF. This may have implications for our cross-border data flows and may result in additional compliance costs. The GDPR also introduces fines of up to €20 million (under the EU GDPR) or £17.5 million (under the UK GDPR) or up to 4% of the annual global revenue of the noncompliant company, whichever is greater, for serious violations of certain of the GDPR's requirements. The GDPR identifies a list of points to consider when determining the level of fines to impose (including the nature, gravity and duration of the infringement). Data subjects also have a right to compensation for financial or non-financial losses (e.g., distress). Complying with the GDPR may cause us to incur substantial operational and compliance costs or require us to change our business practices. Despite our efforts to bring practices into compliance with the GDPR, we may not be successful either due to internal or external factors such as resource allocation limitations or a lack of vendor cooperation. Non-compliance could result in proceedings against us by governmental entities, regulators, customers, data subjects, suppliers, vendors or other parties. Further, there is a risk that the measures will not be implemented correctly or that individuals within the business will not be fully compliant with the new procedures. If there are breaches of these measures, we could face significant administrative and monetary sanctions as well as reputational damage which may have a material adverse effect on our operations, financial condition and prospects. The E.U. has also proposed the draft ePrivacy Regulation which, once finalized and in effect, will replace both the ePrivacy Directive and all the national laws implementing this Directive. The ePrivacy Regulation, as proposed in its current form, would impose strict opt-in marketing rules, change rules about the use of cookies, web beacons, and related technologies, and significantly increase penalties for violations. It would also retain the additional consent standards as required under the EU GDPR. Such regulations may have a negative effect on businesses, including ours, that collect, process, and use personal data in the EU and UK, including online usage information for consumer acquisition and marketing and may increase the potential civil liability and cost of operating a business that collects, processes, or uses such information and undertakes online marketing. From a cybersecurity perspective, the GDPR does not provide for a specific set of cybersecurity requirements or measures to be implemented, but rather requires a controller or processor to implement appropriate cyber and data security measures in accordance with the then-current risk, the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. The GDPR however does explicitly require that controllers notify personal data breaches as described above. On January 17, 2023, the EU Network and Information Systems Security 2 Directive ("NISD2") entered into force and will take full effect following implementation into EU Member State law (i.e., by October 17, 2024). Under the NISD2, more stringent cybersecurity and incident reporting requirements are imposed on ‘essential' and ‘important' entities, which include information and communication technology ("ICT") managed service providers. NISD2 states that any maximum fine which national implementing law provides for should at least be set at €10 million or 2% of total worldwide turnover, whichever is higher, where essential entities are concerned. Other sanctions may include (i) a temporary suspension to provide services in the EU (by suspending relevant authorizations/certifications); (ii) an order to make public certain elements of the infringement and/or inform customers; and (iii) injunctions to immediately cease infringing conduct. Importantly, NISD2 also provides that senior members of staff can be held personally liable, and face administrative fines or be temporarily suspended from exercising managerial functions at the legal representative or chief executive officer level. On January 16, 2023, the EU Digital Operational Resilience Act ("DORA") entered into force and will apply from January 17, 2025. DORA imposes regulatory obligations to reinforce the digital operational resilience of entities operating in the financial services industry, and to adequately manage and remediate risks related to the engagement of ICT third-party service providers. DORA only imposes direct regulatory obligations on ICT third-party service providers that are considered ‘critical' within the meaning of DORA. Non-critical ICT third-party service providers are only indirectly impacted by DORA, by virtue of the mandatory contractual terms that DORA requires financial entities to implement with ICT third-party service providers. DORA does not provide for minimum or maximum monetary sanctions but empowers EU Member State competent authorities to enforce DORA and determine the appropriate sanction on the basis of the factors set out in DORA, including the gravity and duration of the infringement. Sanctions may be administrative or criminal in nature, and DORA also provides that individual members of the management body can be held personally liable for any non-compliance. We cannot yet fully determine the impact these or future laws, rules, and regulations may have on our business or operations. Any such laws, rules, and regulations may be inconsistent among different jurisdictions, subject to differing interpretations or may conflict with our current or future practices. Additionally, we may be bound by contractual requirements applicable to our collection, use, processing, and disclosure of various types of information including financial and PII, and may be bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules, and regulations evolve. Any failure or perceived failure by us, or any third parties with which we do business, to comply with these laws, rules, and regulations, or with other obligations to which we or such third parties are or may become subject, may result in actions or other claims against us by governmental entities or private actors, the expenditure of substantial costs, time, and other resources, or the incurrence of fines, penalties, or other liabilities. There is also a risk that we could be impacted by a cybersecurity incident that results in loss or unauthorized disclosure of personal data, potentially resulting in us facing harms similar to those described above. In addition, any such action, particularly to the extent we were found to be guilty of violations or otherwise liable for damages, would damage our reputation and adversely affect our business and results of operations.

Our overall performance depends on economic conditions, which may be challenging at various times in the future. Financial developments, monetary and other developments seemingly unrelated to us or our industry may adversely affect us. For example, the higher interest rate environment in the U.S., undertaken as a means to manage inflation, has had an impact on the real estate market in the U.S. and specifically, the demand for mortgage and mortgage-related products and services, which has had a negative impact on our nCino Mortgage business and may continue to adversely impact that business to the extent the higher interest rate environment persists. Moreover, domestic and international economies have from time-to-time been impacted by falling demand for a variety of goods and services, tariffs and other trade issues, threatened sovereign defaults and ratings downgrades, restricted credit, threats to major multinational companies, poor liquidity, reduced corporate profitability, volatility in credit, equity and foreign exchange markets, bankruptcies, and overall uncertainty, including uncertainty as a result of geopolitical events such as the conflicts in and around Ukraine, the Middle East and other parts of the world. We cannot predict the timing, strength, or duration of the current or any future potential economic slowdown in the U.S. or globally. These conditions affect the rate of technology spending generally and could adversely affect our customers' ability or willingness to purchase our solutions, delay prospective customers' purchasing decisions, reduce the value or duration of their subscriptions, or affect renewal rates, any of which could adversely affect our results of operations.

For the fiscal years ended January 31, 2022, 2023, and 2024, sales to customers outside the U.S. accounted for 15.9%, 15.1% and 18.7%, respectively, of our total revenues. Our revenues include the revenues of SimpleNexus from the date of acquisition on January 7, 2022. A key element of our growth strategy is to further expand our international operations and worldwide customer base. We have expended significant resources to build out our sales and professional services organizations outside of the U.S. and we may not realize a suitable return on this investment in the near future, if at all. We have limited operating experience in international markets, and we cannot assure you that our international expansion efforts will be successful. Our experience in the U.S. may not be relevant to our ability to expand in any international market. Operating in international markets requires significant resources and management attention and subjects us to regulatory, economic, and political risks that are different from those in the U.S. Export control regulations in the U.S. may increasingly be implicated in our operations as we expand internationally. These regulations may limit the export of our solutions and provision of our solutions outside of the U.S., or may require export authorizations, including by license, a license exception, or other appropriate government authorizations, including annual or semi-annual reporting and the filing of an encryption registration. Changes in export or import laws, or corresponding sanctions, may delay the introduction and sale of our solutions in international markets, or, in some cases, prevent the export or import of our solutions to certain countries, regions, governments, persons, or entities altogether, which could adversely affect our business, financial condition, and results of operations. We are also subject to various domestic and international anti-corruption laws, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act, as well as other similar anti-bribery and anti-kickback laws and regulations. These laws and regulations generally prohibit companies and their employees and intermediaries from authorizing, offering, or providing improper payments or benefits to officials and other recipients for improper purposes. Although we take precautions to prevent violations of these laws, our exposure for violating these laws increases as our international presence expands and as we increase sales and operations in foreign jurisdictions. In addition, we face risks in doing business internationally that could adversely affect our business, including: - unanticipated costs;- the need to localize and adapt our solutions for specific countries;- complying with varying and sometimes conflicting data privacy laws and regulations;- difficulties in staffing and managing foreign operations, including employment laws and regulations;- unstable regional, economic, or political conditions;- different pricing environments, longer sales cycles, and collections issues;- new and different sources of competition;- weaker protection for intellectual property and other legal rights than in the U.S. and practical difficulties in enforcing intellectual property and other rights outside of the U.S.;- laws and business practices favoring local competitors;- compliance challenges related to the complexity of multiple, conflicting, and changing governmental laws and regulations, including employment, tax, and anti-bribery laws and regulations;- increased financial accounting and reporting burdens and complexities;- restrictions on the transfer of funds; and - adverse tax consequences. Our international contracts often provide for payment denominated in local currencies, and the majority of our local costs are denominated in local currencies. Therefore, fluctuations in the value of the U.S. dollar and foreign currencies may impact our results of operations when translated into U.S. dollars. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations.

A significant portion of our employee base, operating facilities, and infrastructure are centralized in Wilmington, North Carolina. Any of our facilities may be harmed or rendered inoperable by natural or man-made disasters, including hurricanes, tornadoes, wildfires, floods, earthquakes, nuclear disasters, acts of terrorism or other criminal activities, infectious disease outbreaks or pandemic events, power outages, and other infrastructure failures, which may render it difficult or impossible for us to operate our business for some period of time. Our facilities would likely be costly to repair or replace, and any such efforts would likely require substantial time. Any disruptions in our operations could adversely affect our business and results of operations and harm our reputation. Moreover, although we have disaster recovery plans, they may prove inadequate. We may not carry sufficient business insurance to compensate for losses that may occur. Any such losses or damages could have a material adverse effect on our business and results of operations. In addition, the facilities of our third-party providers, including Salesforce and AWS, may be harmed or rendered inoperable by such natural or man-made disasters, which may cause disruptions, difficulties, or otherwise materially and adversely affect our business.

We must attract and retain highly qualified personnel. In particular, we are dependent upon the services of our senior leadership team, and the loss of any member of this team could adversely affect our business. Competition for executive officers, software developers, sales personnel, and other key employees in our industry is intense. In particular, we compete with many other companies for software developers with high levels of experience in designing, developing, and managing cloud-based software, as well as for skilled sales and operations professionals. Our principal operations are in Wilmington, North Carolina, where the pool of potential employees with the skills we need is more limited than it may be in larger markets, and we are sometimes required to induce prospective employees to relocate. Many of the companies with which we compete for experienced personnel have greater resources than we do. If we fail to attract new personnel or fail to retain and motivate our current personnel, our growth prospects could be severely harmed. In addition, job candidates and existing employees often consider the actual and potential value of the equity awards they receive as part of their overall compensation. Thus, if the perceived value or future value of our stock declines, our ability to attract and retain highly skilled employees may be adversely affected.

We use software and content licensed from, and services provided by, a variety of third parties in connection with the operation of our solutions. Any performance issues, errors, bugs, or defects in third-party software, content, or services could result in errors or a failure of our solutions, which could adversely affect our business and results of operations. In the future, we might need to license other software, content, or services to enhance our solutions and meet evolving customer demands and requirements. Any limitations in our ability to use third-party software, content, or services could significantly increase our expenses and otherwise result in delays, a reduction in functionality, or errors or failures of our solutions until equivalent technology or content is either developed by us or, if available, identified, obtained through purchase or license, and integrated into our solutions. In addition, third-party licenses may expose us to increased risks, including risks associated with the integration of new technology, the diversion of resources from the development of our own proprietary technology, and our inability to generate revenues from new technology sufficient to offset associated acquisition and maintenance costs, all of which may increase our expenses and materially and adversely affect our business and results of operations.