PagerDuty (PD) Risk Factors

Our ability to increase our customer base and achieve broader market acceptance of our digital operations platform will depend to a significant extent on our ability to expand our marketing and sales organizations. We plan to continue expanding our direct sales force and partners, both domestically and internationally. We also plan to dedicate significant resources to sales and marketing programs, including inbound marketing and online advertising. The effectiveness of these programs has varied over time and may vary in the future due to competition for key search terms, changes in search engine use, changes in the search algorithms used by major search engines and the European Union's General Data Protection Regulation ("EU GDPR"), the United Kingdom's GDPR ("U.K. GDPR") and other similar data privacy initiatives. All of these efforts will require us to invest significant financial and other resources. Our business and operating results will be harmed if our sales and marketing efforts do not generate significant increases in revenue. We may not achieve anticipated revenue growth from expanding our sales force if we are unable to hire, develop, integrate, and retain talented and effective sales personnel, if our new and existing sales personnel, on the whole, are unable to achieve desired productivity levels in a reasonable period of time, or if our sales and marketing programs are not effective.

The market in which we compete is relatively new and subject to rapid technological change, evolving industry standards, and changing regulations, as well as changing customer needs, requirements, and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis. In particular, advancements in technology such as artificial intelligence ("AI") and machine learning ("ML") are changing the technology landscape, and businesses that are slow to adopt these new technologies may face a competitive disadvantage. If we were unable to continue enhancing and evolving our digital operations platform or delivering new products that keep pace with rapid technological and regulatory change, or if new technologies emerge that are able to deliver competitive value at lower prices, more efficiently, more conveniently, more reliably, or more securely than our products, our business, results of operations, and financial condition would be adversely affected.

Our agreements with customers and other third parties may include indemnification provisions under which we agree to indemnify them for losses suffered or incurred as a result of claims of intellectual property infringement, inadequate data privacy and security, damages caused by us to property or persons, or other liabilities relating to or arising from our platform or other contractual obligations. Some of these agreements provide for uncapped liability and some indemnity provisions survive termination or expiration of the applicable agreement. Large indemnity payments could harm our business, results of operations, and financial condition. Although we normally contractually limit our liability with respect to such obligations, we may still incur substantial liability, and we may be required to cease use of certain functions of our platform or products as a result of any such claims. Any dispute with a customer with respect to such obligations could have adverse effects on our relationship with that customer and other existing or new customers, harming our business and results of operations. In addition, although we carry various insurance policies, our insurance may not be adequate to cover our indemnification obligations or to indemnify us for all liability that may be imposed or otherwise protect us from liabilities or damages with respect to claims alleging infringement of our intellectual property or compromises of customer data, and any such coverage may not continue to be available to us on acceptable terms or at all.

The functionality and popularity of our platform depend, in part, on our ability to integrate our platform with third-party applications, tools, and software. These third-parties may change the features of their technologies, restrict our access to their applications, tools or other software or alter the terms governing their use in a manner that is adverse to our business and our ability to market and sell our digital operations platform. Such third parties could also develop features and functionality that limit or prevent our ability to use these third-party technologies in conjunction with our platform, which would negatively affect adoption of our platform and harm our business. If we fail to integrate our platform with third-party applications, tools, or other software that our customers use, use publicly available APIs for our integrations, or expose APIs for our customers to use, we may not be able to offer the functionality that our customers require, which would negatively affect our results of operations and growth prospects. Further, we are subject to requirements imposed by mobile application stores such as those operated by Apple and Google, who may change their technical requirements or policies in a manner that adversely impacts the way in which we or our partners collect, use and share data from users. Similarly, new technical requirements and policies that our partners put in place or are subject to could impact our ability to operate as expected in certain jurisdictions. If we do not comply with these requirements, we could lose access to the application store and users, and our business would be harmed.

We currently serve our customers using third-party cloud providers, including those operated by AWS. Our customers need to be able to access our platforms at any time, without interruption or degradation of performance. In some cases, third-party cloud providers run their own platforms that we access, and we are, therefore, vulnerable to their service interruptions. We therefore depend on our third-party cloud providers' ability to protect their data centers against damage or interruption from natural disasters, power or telecommunications failures, criminal acts, and similar events. In the event that our data center arrangements are terminated, or if there are any lapses of service or damage to a data center, we could experience lengthy interruptions in our service as well as delays and additional expenses in arranging new facilities and services. Even with current and planned disaster recovery arrangements, including the existence of redundant data centers that become active during certain lapses of service or damage at a primary data center, our reputation and business could be harmed. Design and mechanical errors, spikes in usage volume, and failure to follow system protocols and procedures could cause our IT systems and infrastructure to fail, resulting in interruptions in our digital operations platform. We have from time to time in the past experienced service disruptions, and we cannot assure you that we will not experience interruptions or delays in our service in the future. Any interruptions or delays in our service or damage to our products, whether caused by modification or upgrades, third parties, terrorist attacks, state-sponsored attacks, geopolitical tensions or armed conflicts, export controls and sanctions, natural disasters, the effect of climate change (such as drought, flooding, wildfires and resultant air quality effects and related preventative power shutdowns, increased storm severity, and sea level rise), power loss, utility outages, telecommunication failures, computer viruses, supply-chain attacks, computer denial of service attacks, phishing schemes, security breaches, or other attempts to harm or access our system, could harm our relationships with customers and cause our revenue to decrease or our expenses to increase. Also, in the event of damage or interruption, our insurance policies may not adequately compensate us for any losses that we may incur. These factors in turn could further reduce our revenue, subject us to liability, and cause us to issue credits or cause customers to fail to renew their subscriptions, any of which could adversely affect our business.

We are increasingly building AI capabilities into many of our products and services. Concerns relating to the responsible use of new and evolving technologies, such as AI, in our offerings may result in reputational and/or financial harm and liability and may cause us to incur costs to resolve such issues. AI poses emerging legal, social, and ethical issues and presents risks and challenges that could affect its adoption, and therefore our business. If our offerings draw controversy due to their perceived or actual impact on society, such as AI solutions that have unintended consequences or are controversial because of their impact on human rights, privacy, employment, or other social, economic, or political issues, or if we are unable to develop effective internal policies and frameworks relating to the responsible development and use of AI models and systems, we may experience brand, reputational, and/or competitive harm, or could face legal liability. Complying with multiple regulations from different jurisdictions related to AI could increase our cost of doing business, may change the way that we operate in certain jurisdictions, or may impede our ability to offer certain products and services in certain jurisdictions if we are unable to comply with regulations. Our failure to address concerns and regulation relating to the responsible use of AI could slow adoption of AI in our products and services or cause reputational and/or financial harm.

We sell to U.S. federal, state, and local, as well as foreign, governmental agency customers, as well as to customers in highly regulated industries such as financial services, pharmaceuticals, insurance, healthcare, and life sciences. Sales to such entities are subject to a number of challenges and risks. Some such entities have industry-specific compliance requirements relating to certain security or regulatory standards, such as FedRAMP, that may be required to compete effectively. Working towards compliance with these standards can be expensive and time-consuming. If we cannot adequately comply with particular compliance requirements, our growth may be adversely impacted. Selling to such entities can also be highly competitive, expensive, and time-consuming, often requiring significant upfront time and expense without any assurance that these efforts will generate a sale. Government contracting requirements may change and in doing so restrict our ability to sell into the government sector until we have attained the revised certification. Government demand and payment for our offerings are affected by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our offerings. Further, governmental and highly regulated entities may demand contract terms that differ from our standard arrangements and may require expensive and time- consuming compliance efforts. Such entities may have statutory, contractual, or other legal rights to terminate contracts with us or our partners due to a default or for other reasons. Any such termination may adversely affect our reputation, business, results of operations, and financial condition.

The technology industry is subject to intense media, political and regulatory scrutiny, which exposes us to government investigations, legal actions, and penalties. Various regulatory agencies, including competition, consumer protection, and privacy authorities, have active proceedings and investigations concerning multiple technology companies. Although we are not currently aware of any such investigations, if investigations targeted at other companies result in determinations that practices we follow are unlawful, including practices related to use of machine- and customer-generated data or AI, we could be required to change our products and services or alter our business operations, which could harm our business. Legislators and regulators also have proposed new laws and regulations intended to restrain the activities of technology companies. If such laws or regulations are enacted, they could have impacts on us, even if they are not intended to affect our company. In addition, the introduction of new products, expansion of our activities in certain jurisdictions, or other actions that we may take may subject us to additional laws, regulations, or other government scrutiny. The increased scrutiny of certain acquisitions in the technology industry also could affect our ability to enter into strategic transactions or to acquire other businesses. Compliance with new or modified laws and regulations could increase our cost of conducting the business, limit the opportunities to increase our revenues, or prevent us from offering products or services. Further, as a result of new SEC rules and regulations, we are required to disclose additional information about the business, including human capital and diversity, and climate change and sustainability. Similar laws and regulations are enacted or proposed in California, the EU and various other jurisdictions. Compliance with any such new laws and regulations will be costly, time consuming and, as a global commercial organization, require expenditure of our limited resources to be in compliance with the various standards across the jurisdictions in which we operate. Failure to adequately meet these new and upcoming disclosure requirements may affect the manner and locations in which we choose to conduct our business and could adversely affect our profitability and returns to our investors. Any failure or perceived failure by us in this regard could have a material adverse effect on our reputation with investors, governments, customers, employees other third parties and the communities and industries in which we operate and on our business, share price, financial condition, access to capital or results of operations, including the sustainability of our business over time. We also could be harmed by government investigations, litigation, or changes in laws and regulations directed at our business partners, or suppliers in the technology industry that have the effect of limiting our ability to do business with those entities or that affect the services we can obtain from them. For example, the U.S. government recently has taken action against companies operating in China intended to limit their ability to do business in the U.S. or with U.S. companies. There can be no assurance that our business will not be materially adversely affected, individually or in the aggregate, by the outcomes of such investigations, litigation or changes to laws and regulations in the future.

Our business is subject to regulation by various federal, state, local, and foreign governments. For example, the Telephone Consumer Protection Act of 1991 restricts telemarketing and the use of automatic short message service ("SMS") text messages without proper consent. The scope and interpretation of the laws that are or may be applicable to the delivery of text messages and other communications are continuously evolving and developing. If we do not comply with these laws or regulations or if we become liable under these laws or regulations due to the failure of our customers to comply with these laws by obtaining proper consent, we could face direct liability. In certain jurisdictions, these regulatory requirements may be more stringent than those in the United States. Noncompliance with applicable regulations or requirements could also limit the features in our platform related to SMS text messaging or other communications in various jurisdictions, result in loss of customers, and subject us to customer litigation or investigations, sanctions, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties, injunctions, or other collateral consequences. If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a significant diversion of management's attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, reputation, results of operations, and financial condition.

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, "processing") personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, sensitive third-party data, business plans, transactions, and financial information (collectively, "sensitive data"). Our data processing activities subject us to numerous data privacy and security obligations, such as laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, the California Consumer Privacy Act of 2018 ("CCPA") applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests such individuals to exercise certain privacy rights, such as those noted below. The CCPA provides for administrative fines of up to $7,500 per violation and allows private litigants affected by certain data breaches to recover significant statutory damages. In addition, the California Privacy Rights Act of 2020 ("CPRA") expanded the CCPA's requirements, including by adding a new right for individuals to correct their personal data and establishing a new regulatory agency ("CPPA") to implement and enforce the law. Other states, such as Virginia and Colorado, have also passed comprehensive privacy laws, and similar laws are being considered in several other states, as well as at the federal and local levels. These state laws and the CCPA provide individuals with certain rights concerning their personal data, including the right to access, correct, or delete certain personal data, and opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. These developments may further complicate compliance efforts, and increase legal risk and compliance costs for us and the third parties upon whom we rely. Outside the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, the European Union's General Data Protection Regulation ("EU GDPR"), the United Kingdom's GDPR ("UK GDPR"), and Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and Canada's Anti-Spam Legislation ("CASL"), impose strict requirements for processing personal data. For example, under the EU and UK GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR, £17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. European legislative proposals and present laws and regulations regulate the use of cookies and other tracking technologies, electronic communications, and marketing. For example, in the European Economic Area ("EEA") and the UK, regulators are increasingly focusing on compliance with requirements related to the targeted advertising ecosystem. It is anticipated that the ePrivacy Regulation and national implementing laws will replace the current national laws that implement the ePrivacy Directive that governs electronic communications. Compliance with these laws may require us to make significant operational changes. Our employees and personnel use generative AI technologies to perform their work, and the disclosure and use of personal data in generative AI technologies is subject to various data privacy and security laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and consumer lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. We use AI, including generative AI, and ML technologies in our products and services (collectively, "AI/ML" technologies). The development and use of AI/ML present various data privacy and security risks that may impact our business. AI/ML are subject to data privacy and security laws, as well as increasing regulation and scrutiny. Several jurisdictions around the globe, including Europe and certain U.S. states, have proposed or enacted laws governing AI/ML. For example, European regulators have proposed a stringent AI regulation, and we expect other jurisdictions will adopt similar laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal data) and regulate automated decision making, which may be incompatible with our use of AI/ML. These obligations may make it harder for us to conduct our business using AI/ML, lead to regulatory fines or penalties, require us to change our business practices, retrain our AI/ML, or prevent or limit our use of AI/ML. For example, the FTC has required other companies to turn over (or disgorge) valuable insights or trainings generated through the use of AI/ML where they allege the company has violated privacy and consumer protection laws. If we cannot use AI/ML or that use is restricted, our business may be less efficient, or we may be at a competitive disadvantage. Additionally, under various privacy laws and other obligations, we may be required to obtain certain consents to process personal data. For example, some of our data processing practices may be challenged under wiretapping laws, if we obtain consumer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. These practices may be subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation and mass arbitration demands. In addition, we may be unable to transfer personal data from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area ("EEA") and the UK have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA and UK's standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers for relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers of personal data out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. In addition to data privacy and security laws, we are contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. We are also bound by other contractual obligations related to data privacy and security, which have become increasingly stringent and complex due to changes in data privacy and security laws and regulations, and our efforts to comply with such obligations may not be successful. We publish privacy policies, marketing materials and other statements, such as compliance with certain certifications or self-regulatory principles, regarding data privacy and security. If these policies, materials, or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Obligations related to data privacy and security (and consumers' expectations regarding them) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources and may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties on whom we rely, may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties on which we rely fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans on processing personal data; and orders to destroy or not use personal data. In particular, plaintiffs have become increasingly more active in bringing data privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers, inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products and services; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.

New tax laws, statutes, rules, regulations, or ordinances could be enacted at any time. Further, existing tax laws, statutes, rules, regulations, or ordinances could be interpreted differently, changed, repealed, or modified at any time. Any such enactment, interpretation, change, repeal, or modification could adversely affect us, possibly with retroactive effect. For instance, the Inflation Reduction Act, or IRA, imposes, among other rules, a 15% minimum tax on the book income of certain large corporations and a 1% excise tax on certain corporate stock repurchases. The Tax Cuts and Jobs Act of 2017, or TCJA, as amended by the Coronavirus Aid, Relief, and Economic Security Act significantly reformed the Code by lowering U.S. federal corporate income tax rates, changing the utilization of future net operating loss carryforwards, permitting for the expensing of certain capital expenditures, eliminating the option to currently deduct research and development expenditures and requiring taxpayers to capitalize and amortize U.S.-based and non-U.S.-based research and development expenditures over five and fifteen years, respectively, and putting into effect significant changes to U.S. taxation of international business activities. The IRA, TCJA, or any future tax reform legislation could have a material impact on the value of our deferred tax assets, result in significant one-time charges, and increase our future tax expenses.

Our customers rely on our customer support personnel to resolve issues and realize the full benefits that our platform provides. High-quality support is also important for the renewal and expansion of our subscriptions with existing customers. The importance of our support function will increase as we expand our business and pursue new customers. If we do not help our customers quickly resolve issues and provide effective ongoing support, our ability to maintain and expand our subscriptions to existing and new customers could suffer, and our reputation with existing or potential customers would be harmed.

All of our cloud-hosted subscription agreements contain service-level commitments. If we are unable to meet the stated service-level commitments, including our failure to meet the uptime and delivery requirements under these customer subscription agreements, we may be contractually obligated to provide these customers with service credits which could significantly affect our revenue in the periods in which the uptime or delivery failure occurs or when the credits are applied. We could also face subscription terminations, which could significantly affect both our current and future revenue. Any service-level failures could also damage our reputation, which could also adversely affect our business and results of operations.

To increase our revenue, in addition to selling to new customers, we must retain existing customers and convince them to expand their use of our platform across their organizations - in terms of increasing the number of users, subscribing for additional functionality, and broadening the user base across multiple departments and business units. Our ability to retain our customers and increase the amount of their subscriptions could be impaired for a variety of reasons, including customer reaction to changes in the pricing of our products or the other risks described herein. As a result, we may be unable to renew our subscriptions with existing customers or attract new business from existing customers, which would have an adverse effect on our business, revenue, gross margins, and other operating results, and accordingly, the trading price of our common stock. Our ability to sell additional functionality and services to our existing customers may require more sophisticated and costly sales efforts, especially as we target larger enterprises and more senior management who make these purchasing decisions. Similarly, the rate at which our customers purchase additional products and services from us depends on a number of factors, including general economic conditions and the pricing of the additional product functionality and services. If our efforts to sell additional functionality and services to our customers are not successful, our business and growth prospects would suffer. Our customers have no obligation to renew their subscriptions with us after the expiration of their subscription period. Our subscriptions with our customers are typically one year in duration but can range from monthly to multi-year. In order for us to maintain or improve our results of operations, it is important that our customers renew their subscriptions with us on the same or more favorable terms. We cannot accurately predict renewal or expansion rates given the diversity of our customer base, in terms of size, industry, and geography. Our renewal and expansion rates may decline or fluctuate as a result of a number of factors, including customer spending levels, customer dissatisfaction with our products and services, decreases in the number of users at our customers, changes in the type and size of our customers, pricing changes, competitive conditions, the acquisition of our customers by other companies, and general economic conditions. If our customers do not renew their subscriptions with us, or if they reduce their subscription amounts at the time of renewal, our revenue and other results of operations will decline and our business will suffer. If our renewal or expansion rates fall significantly below the expectations of the public market, securities analysts, or investors, the trading price of our common stock would likely decline.