Procore Technologies (PCOR) Risk Factors

In the ordinary course of business, we collect, receive, store, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, "process") proprietary, confidential, and sensitive information and data, including personal data, intellectual property, trade secrets, and sensitive third-party and customer data (collectively, "sensitive information"). For example, our customers store sensitive information on our platform, such as building plans and other information related to government works or projects for regulated industries, such as banks and healthcare facilities. Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, internal and external privacy and security policies, contracts (including with our customers and other third parties), and other obligations that govern the processing of certain sensitive information by us and on our behalf. In the U.S., federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, in the past few years, numerous U.S. states, including California, have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal information. As applicable, such rights may include the right to access, correct, or delete certain personal information, and to opt out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. These state laws also allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA") applies to personal information of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights. The CCPA provides for administrative fines of up to $7,500 per violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Additionally, several states and localities have enacted measures related to the use of AI and machine learning in products and services. Moreover, under various privacy laws and other obligations, we may be required to obtain certain consents to process personal data. Our data processing practices are subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation and mass arbitration demands. Additional data privacy and security laws have also been proposed at the federal, state, and local levels in recent years, which could further complicate compliance efforts. As we expand globally, our obligations related to data protection may increase. Outside the U.S., an increasing number of laws, regulations, and industry standards apply to data privacy and security. For example, the European Union's ("EU") General Data Protection Regulation (the "EU's GDPR") and the United Kingdom's ("U.K.") General Data Protection Regulation (the "U.K.'s GDPR") impose strict requirements for processing personal data. Under the EU's GDPR, government regulators may impose temporary or definitive bans on data processing, as well as fines of up to 20 million euros or 4% of annual global revenue, whichever is greater, for certain violations. Similarly, under the U.K.'s GDPR, government regulators may impose fines of up to 17.5 million pounds sterling or 4% of annual global turnover, whichever is greater, for certain violations. The application of the EU's GDPR alongside the U.K.'s GDPR exposes us to two parallel regimes, each of which potentially authorizes similar fines and other potentially divergent enforcement actions for certain violations. The relationship between the U.K. and the EU in relation to certain aspects of data protection law remains in flux. This may require investing in additional resources and more technology. In addition, individuals and consumer protection agencies (which are authorized by law to represent individuals' interests) may initiate litigation related to the processing of individuals' personal data. There are also stringent local data protection requirements in Germany and cloud-server initiatives in France which may impact our operations in these countries. In Europe, regulators have reached political agreement on the text of the Artificial Intelligence Act, which, when adopted and in force, will have a direct effect across all EU jurisdictions and could impose onerous obligations related to the use of AI-related systems. The act may also influence the approach taken to AI in other jurisdictions, including the U.S. and the U.K. We may have to change our business practices to comply with such obligations. Furthermore, as our business continues to expand and evolve, the EU's GDPR, the U.K.'s GDPR, and similar data protection regulations may apply additional obligations on us to further secure personal data, provide further rights to data subjects, and require additional reporting to regulators. In Canada, the Personal Information Protection and Electronic Documents Act and various related provincial laws, as well as Canada's Anti-Spam Legislation, applies to our operations, as does Australia's Privacy Act 1988. We also have operations in Singapore and the UAE, which means that we may be subject to Singapore's Personal Data Protection Act and the UAE's Federal Data Protection Law No. 45 of 2021, respectively. In addition, Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) (Law No. 13,709/2018) (the "LGPD") may apply to our operations. The LGPD broadly regulates processing personal data of individuals in Brazil and imposes compliance obligations and penalties comparable to those of the EU's GDPR. Additionally, India's new privacy legislation, the Digital Personal Data Protection Act, may also apply to our operations. Further, in certain limited applications or situations, we use generative AI in our products and services. In addition, our employees and personnel use generative AI technologies to perform their work. Several jurisdictions around the globe, including Europe and certain U.S. states, have proposed, enacted, or are considering laws governing AI, including the EU's AI Act, and we expect other jurisdictions will adopt similar laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal data) and regulate automated decision-making, which may be incompatible with our use of AI and may make it harder for us to conduct our business using AI, lead to regulatory fines or penalties, require us to change our business practices, retrain our AI, or prevent our use of AI. For example, the Federal Trade Commission has required other companies to turn over or disgorge valuable insights or trainings generated through the use of AI where they allege the company has violated privacy and consumer protection laws. Our use of this technology could also result in additional compliance costs, regulatory investigations and actions, and consumer lawsuits. In the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the U.S. or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area ("EEA") and the U.K. have significantly restricted the transfer of personal data to the U.S. and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and the U.K. to the U.S. in compliance with law, such as the EEA and U.K.'s standard contractual clauses, the U.K.'s International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework (which allows for transfers of personal data to relevant U.S.-based organizations that participate in and self-certify compliance with the framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the U.S. If there is no lawful manner for us to transfer personal data from the EEA, the U.K., or other jurisdictions to the U.S., or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors, and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and the U.K. to other jurisdictions, particularly to the U.S., are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the cross-border data transfer limitations of the EU's GDPR. For example, in May 2023, the Irish Data Protection Commission determined that a major social media company's use of standard contractual clauses to transfer personal data from Europe to the U.S. was insufficient and levied a 1.2 billion euro fine against the company and prohibited it from transferring personal data to the U.S. We are bound by contractual obligations and laws related to data privacy and security, and our efforts to comply with such obligations and laws may not be successful. For example, certain privacy laws, such as the EU's GDPR, the U.K.'s GDPR, and the CCPA, require our customers to impose specific contractual restrictions on their service providers. We also publish privacy policies, marketing materials, and other statements, such as compliance with certain certifications, standards, or self-regulatory principles, regarding data privacy and security. If any of these policies, materials, or statements are found by our customers or regulators to be overly broad, deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. In addition, privacy advocates and industry groups have proposed, and may further propose, standards with which we are legally or contractually bound to comply. For example, we are subject to the Payment Card Industry Data Security Standard (the "PCI DSS"). The PCI DSS requires companies to adopt certain measures to ensure the security of cardholder information, including using and maintaining firewalls, adopting proper password protections for certain devices and software, and restricting data access. Noncompliance with the PCI DSS can result in penalties ranging from $5,000 to $100,000 per month by credit card companies, litigation, damage to our reputation, and loss of revenue. We also rely on vendors to process payment card data who may also be subject to the PCI DSS, and our business may be negatively impacted if our vendors are fined or suffer other consequences as a result of noncompliance with the PCI DSS. Our obligations related to data privacy and security are quickly changing in an increasingly stringent fashion, creating some uncertainty as to the effect of future legal frameworks. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires significant resources and may necessitate changes to our information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. In addition, these obligations may require us to change our business practices. Although we endeavor to comply with all applicable data privacy and security obligations, we may at times fail, or be perceived to have failed, to do so. Moreover, despite our efforts, our personnel or third parties upon which we rely, such as vendors or developers, may fail to comply with such obligations, which could negatively impact our business operations and compliance posture. For example, any failure by a third-party processor to comply with applicable law, regulations, or contractual obligations could result in adverse consequences for us,including our inability to, or interruption in our ability to, operate our business and proceedings against us by governmental entities or others. If we or the third parties on which we rely fail, or are perceived to have failed, to address or comply with data privacy and security obligations, we could face significant consequences, including, but not limited to, government enforcement actions (e.g., investigations, audits, inspections, fines, and penalties), litigation (including class-related claims), additional reporting requirements and oversight, restrictions or bans on processing personal data, orders to destroy or not use personal data, the imprisonment of company officials, the inability to operate in certain jurisdictions, limited ability to develop or commercialize our products and services, loss of revenue or profits, loss of customers or sales (including a decline in customer subscription renewals), interruptions or stoppages in or modifications to our operations, negative publicity (including public statements against us by consumer advocacy groups or others), and reputational harm, any of which could materially adversely affect our business, financial condition, results of operations, and prospects.

UPL generally refers to a person or entity that is not licensed to practice law but that gives legal advice or advertises its services as the practice of law. As a result of our acquisition of Levelset in November 2021, certain lien rights management services that we now offer involve activities that could represent an alternative to traditional legal services and, as a result, may potentially subject us to UPL allegations. Our lien rights management business model includes the provision of document-processing services in connection with the filing of mechanic's liens. In the past, various aspects of Levelset's lien rights management offering have been subject to claims of UPL. We currently face, and may in the future, continue to face, similar claims, actions, or proceedings. The laws and regulations that define UPL, and the governing bodies that enforce UPL rules, differ among the various jurisdictions in which we operate, and the scope of these laws and regulations is often vague, broad, and evolving. As a result, the application and interpretation of these laws and regulations can be uncertain and conflicting. For example, regulation of legal document processing, a component of our lien rights management offering, varies among the jurisdictions in which we conduct business. Compliance with these disparate laws and regulations may require us to structure our business and services differently in certain jurisdictions, which could lead to operating inefficiencies. Maintaining compliance with UPL rules across various jurisdictions may cause us to incur significant expenses and may require that we dedicate significant management time to dealing with UPL issues, which could divert management's attention from other matters. As we continue to support our lien rights management offering or expand into new jurisdictions, we may face increased scrutiny and risk of additional UPL claims, actions, or proceedings. Any failure or perceived failure by us to comply with applicable UPL laws and regulations may subject us to regulatory inquiries, actions, lawsuits, or proceedings. Levelset has incurred in the past, and we expect to incur in the future, costs associated with responding to, defending, resolving, and settling UPL claims, actions, and proceedings. We can give no assurance that we will prevail in any such matters on commercially reasonable terms or at all. Responding to, defending, and settling regulatory inquiries, action, lawsuits, and proceedings may be time-consuming and divert management and financial resources or have other adverse effects on our business. A negative outcome in any of these proceedings may result in claims, actions, changes to or discontinuance of some of our services, potential liabilities, and additional costs that could materially adversely affect our business, financial condition, results of operations, and prospects.

Our products, services, and platform are subject to various restrictions under U.S. export control and sanctions laws and regulations, including the U.S. Department of Commerce's Export Administration Regulations, and various economic and trade sanctions regulations administered by the U.S. Department of the Treasury's Office of Foreign Assets Control. The U.S. export control laws and U.S. economic sanctions laws include restrictions or prohibitions on the sale or supply of certain products and services to embargoed or sanctioned countries, governments, persons, and entities, identified by the U.S., and also require authorization for the export of certain encryption items. Furthermore, U.S. export control laws and economic sanctions prohibit the shipment of certain cloud-based solutions to countries, governments, and persons targeted by U.S. sanctions. In addition, various countries regulate the import of certain encryption technology, including through import permitting and licensing requirements, and have enacted or could enact laws that could limit our ability to make available or implement our platform in those countries. While we have implemented certain procedures to facilitate compliance with applicable laws and regulations in connection with the collection of this information, we cannot assure you that these procedures have been effective or that we, or third parties, many of whom we do not control, have complied with all laws or regulations in this regard. Failure by our customers, employees, representatives, contractors, partners, agents, intermediaries, or other third parties to comply with applicable laws and regulations in the collection of this information also could have negative consequences to us, including reputational harm, government investigations, and penalties. Although we take precautions to prevent our information collection practices from being in violation of such laws, our information collection practices may have been in the past, and could in the future be, in violation of such laws. If we or our employees, representatives, contractors, partners, agents, intermediaries, or other third parties fail to comply with these laws and regulations, we could be subject to civil or criminal penalties, including the possible loss of export privileges and fines and penalties. We may also be adversely affected through other penalties, reputational harm, loss of access to certain countries, or otherwise. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. While we are working to implement additional controls designed to prevent similar activity from occurring in the future, these controls may not be fully effective. Changes in our platform, or changes in sanctions and import and export laws, may delay the introduction and sale of subscriptions to access our products or services internationally, prevent our customers with international operations from using our platform, or in some cases, prevent the access or use of our platform to and from certain countries, governments, persons, or entities altogether. Further, any change in export or import regulations, economic sanctions, or related laws, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons, or technologies targeted by such regulations could result in decreased use of our platform or in our decreased ability to export or sell subscriptions to use our platform to existing or prospective customers with international operations. Any decreased use of our platform or limitation on our ability to export or sell subscriptions to use our platform could materially adversely affect our business, financial condition, results of operations, and prospects. We are also subject to the U.S. Foreign Corrupt Practices Act of 1977 (the "FCPA"), the U.K. Bribery Act 2010 (the "Bribery Act"), and other anti-corruption, sanctions, anti-bribery, anti-money laundering, and similar laws in the U.S. and other countries in which we conduct activities. Anti-corruption and anti- bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees, agents, intermediaries, and other third parties from promising, authorizing, making, or offering improper payments or other benefits to government officials and others in the private sector. In the future, we may leverage third parties, including intermediaries, agents, and partners, to conduct our business in the U.S. and abroad and to sell subscriptions. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities, and we may be held liable for the corrupt or other illegal activities of these third-party partners and intermediaries, our employees, representatives, contractors, partners, agents, intermediaries, and other third parties, even if we do not explicitly authorize such activities. While we have policies and procedures to facilitate compliance with the FCPA, the Bribery Act, and other anti-corruption, sanctions, anti-bribery, anti-money laundering, and similar laws, we cannot assure you that they will be effective, or that all of our employees, representatives, contractors, partners, agents, intermediaries, or other third parties have taken, or will not take actions, in violation of our policies and procedures and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase. Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage, and other consequences. Any investigations, actions, or sanctions could materially adversely affect our business, financial condition, results of operations, and prospects.

We are expanding our international operations and personnel to support our business internationally. We generally conduct our international operations through wholly-owned subsidiaries and are or may be required to report our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. Our intercompany relationships are subject to complex transfer pricing regulations administered by tax authorities in various jurisdictions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of such jurisdictions, including the U.S., to our international business activities, changes in tax rates, new or revised tax laws, or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions, which are generally required to be computed on an arm's-length basis pursuant to intercompany arrangements, or may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations. We are subject to federal, state, and local income, sales, and other taxes in the U.S. and income, withholding, transaction, and other taxes in numerous foreign jurisdictions. Evaluating our tax positions and our worldwide provision for taxes is complicated and requires the exercise of significant judgment. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could differ materially from our historical tax provisions and accruals, which could have an adverse effect on our results of operations or cash flows in the period or periods for which a determination is made.