PagerDuty (PD) Risk Analysis

We rely upon our marketing strategy of offering a 14-day free trial and "freemium" plan, a free version of PagerDuty and an open source version of Rundeck Automation as well as other inbound, lead-generation strategies to generate new sales opportunities. Most of our customers start with the free version of our products. These strategies may not be successful in continuing to generate sufficient sales opportunities necessary to increase our revenue. A subset of users never converts from the trial or free version of a product to a paid version of such product. Further, we often depend on individuals within an organization who initiate the trial or free versions of our products being able to convince decision makers within their organization to convert to a paid version. To the extent that these users do not become, or are unable to convince others to become, paying customers, we will not realize the intended benefits of this marketing strategy, and our ability to grow our revenue will be adversely affected.

Our success is dependent, in part, upon protecting our proprietary technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws, and contractual provisions in an effort to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. While we have been issued patents in the United States and have additional patent applications pending, we may be unable to obtain patent protection for the technology covered in our pending patent applications. In addition, any patents that are issued may not provide us with competitive advantages or may be successfully challenged by third parties. Any of our patents, trademarks, or other intellectual property rights may be challenged or circumvented by others or invalidated through administrative process or litigation. There can be no assurance that others will not independently develop similar products, duplicate any of our products, design around our patents, or use or even register our trademarks in various jurisdictions. Furthermore, legal standards relating to the validity, enforceability, and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products and services that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer, and disclosure of our products may be unenforceable under the laws of jurisdictions outside the United States. In addition, certain countries into which we might expand our business might require us, as examples, to do business through an entity that is partially owned by a local investor, to make available our technologies to state regulators, or to grant license rights to local partners in a manner not required by the jurisdictions in which we currently operate. As we expand our international activities, our exposure to reverse engineering of our technologies and unauthorized copying and use of our products and proprietary information, as well as unauthorized use of our trademarks, may increase. We enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances. No assurance can be given that these agreements will be effective in controlling access to and distribution of our products and proprietary information or in avoiding misuse of proprietary information or intellectual property. Further, these agreements do not prevent our competitors or partners from independently developing technologies that are substantially equivalent or superior to our platform. In order to protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Litigation brought to protect and enforce our intellectual property rights could be costly, time consuming, and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims, and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management's attention and resources, could impair or delay additional sales, renewals or customer adoption of our platform, impair the functionality of our platform, delay introductions of new products, result in our substituting inferior or more costly technologies into our platform, or injure our reputation. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Moreover, policing unauthorized use of our technologies, trade secrets, and intellectual property may be difficult, expensive, and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. If we fail to meaningfully protect our intellectual property and proprietary rights, our business, operating results, and financial condition could be adversely affected.

Our platform and related products,, including AIOps and Automation, are designed to provide quick, reliable alerts, to communicate information frequently during critical business events, such as information relevant to mitigating the damaging effects of system problems, and to automatically remediate systems problems. Due to the nature of such products, we are potentially exposed to greater risks of liability for solution or system failures than may be inherent in other businesses. Although substantially all of our subscription agreements contain provisions limiting our liability to our customers, we cannot assure you that these limitations will be enforced nor that the costs of any litigation related to actual or alleged omissions or failures would not have a material adverse effect on us even if we prevail. Further, certain of our insurance policies and the laws of some states may limit or prohibit insurance coverage for punitive or certain other types of damages or liability arising from gross negligence, and we cannot assure you that we are adequately insured against the risks that we face.

We use open-source software in our products. From time to time, there have been claims challenging the ownership of open-source software against companies that incorporate it into their products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open-source software. Litigation could be costly for us to defend, have a negative effect on our operating results and financial condition, require us to devote additional research and development resources to change our products, result in customer legal allegations for impacts on their businesses, rejection or skepticism of our products, affect our reputation and brand, and negatively affect our financial results. In addition, although we employ open-source software license screening measures, if we were to combine our proprietary software products with open source software in a certain manner we could, under certain open-source licenses, be required to release the source code of our proprietary software products. If we inappropriately use or incorporate open-source software subject to certain types of open-source licenses that challenge the proprietary nature of our products, we may be required to re-engineer such products, discontinue the sale of such products, or take other remedial actions, each of which could reduce the value of our platform and technologies and materially and adversely affect our ability to sustain and grow our business.

In the ordinary course of business, we process sensitive data (as defined above). Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, numerous U.S. states have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018 ("CCPA") applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for administrative fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. These developments may further complicate compliance efforts, and increase legal risk and compliance costs for us, the third parties with whom we work, and our customers. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. Outside the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, the European Union's General Data Protection Regulation ("EU GDPR"), the United Kingdom's GDPR ("UK GDPR"), and Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and Canada's Anti-Spam Legislation ("CASL"), impose strict requirements for processing personal data. For example, under the EU and UK GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR, £17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. Legislative proposals and present laws and regulations regulate the use of cookies and other tracking technologies, electronic communications, and marketing. For example, in the European Economic Area ("EEA") and the UK, regulators are increasingly focusing on compliance with requirements related to the targeted advertising ecosystem. It is anticipated that the ePrivacy Regulation and national implementing laws will replace the current national laws that implement the ePrivacy Directive that governs electronic communications. In the United States, the CCPA, for example, grants California residents the right to opt-out of a company's sharing of personal data for advertising purposes in exchange for money or other valuable consideration and requires covered businesses to honor user-enabled browser signals from the Global Privacy Control. Partially as a result of these developments, individuals are becoming increasingly resistant to the collection, use, and sharing of personal data to deliver targeted advertising. Individuals are now more aware of options related to consent, "do not track" mechanisms (such as browser signals from the Global Privacy Control), and "ad-blocking" software to prevent the collection of their personal data for targeted advertising purposes. As a result, we may be required to change the way we market our products, face increased challenges to our ability to reach new or existing customers, and compliance with these laws may require us to make significant operational changes or otherwise negatively affect our business. Our employees and personnel use Emerging AI Technologies to perform their work, and the disclosure and use of personal data in Emerging AI Technologies may be subject to various data privacy and security laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating AI, including Emerging AI Technologies. Our use of Emerging AI Technologies could result in additional compliance costs, regulatory investigations and actions, and consumer lawsuits. If we are unable to use Emerging AI Technologies, it could make our business less efficient and result in competitive disadvantages. We use AI, including Emerging AI Technologies in our products and services (collectively, "AI" technologies). The development and use of AI present various data privacy and security risks that may impact our business. Use of AI is subject to data privacy and security laws, as well as increasing regulation and scrutiny. Several jurisdictions around the globe, including Europe and certain U.S. states, have proposed or enacted laws governing AI. For example, the European Union's Artificial Intelligence Act ("EU AI Act") imposes strict requirements for the use of AI, and we expect other jurisdictions will adopt similar laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal data) and regulate automated decision making, which may be incompatible with our use of AI. These obligations may make it harder for us to conduct our business using AI, lead to regulatory fines or penalties, require us to change our business practices, retrain our AI, or prevent or limit our use of AI. For example, the FTC has required other companies to turn over (or disgorge) valuable insights or trainings generated through the use of AI where they allege the company has violated privacy and consumer protection laws. If we cannot use AI or that use is restricted, our business may be less efficient, or we may be at a competitive disadvantage. Additionally, under various privacy laws and other obligations, we may be required to obtain certain consents to process personal data. For example, some of our data processing practices may be challenged under wiretapping laws, if we obtain consumer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. These practices may be subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation and mass arbitration demands. In addition, we may be unable to transfer personal data from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the EEA and the UK have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt or have already adopted similarly stringent data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers of personal data out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. In addition to data privacy and security laws, we are contractually subject to industry standards adopted by industry groups, we are, or and may become subject to such obligations in the future. We are also bound by contractual obligations related to data privacy and security, which have become increasingly stringent and complex due to changes in data privacy and security laws and regulations, and our efforts to comply with such obligations may not be successful. For example, certain privacy laws, such as the GDPR and the CCPA, require our customers to impose specific contractual restrictions on their service providers. We publish privacy policies, marketing materials, and other statements, such as statements related to compliance with certain certifications or self-regulatory principles, concerning data privacy and security. Regulators in the United States are increasingly scrutinizing these statements, and if these policies, materials, or statements are found to be deficient, lacking in transparency, deceptive, unfair, misleading, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Obligations related to data privacy and security (and consumers' data privacy expectations) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources, which may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. In addition, these obligations may require us to change our business model. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties with whom we work, may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans or restrictions on processing personal data; and orders to destroy or not use personal data. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers, inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products and services; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.

We are continuing to expand our international operations to better support our growth into international markets. Our corporate structure and associated transfer pricing policies contemplate future growth in international markets, and consider the functions, risks, and assets of the various entities involved in intercompany transactions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to our intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency.

The first fiscal quarter of each year is usually our lowest billings and bookings quarter. Billings and bookings during our first fiscal quarter are typically lower than the prior fiscal fourth quarter. We believe that this results from the procurement, budgeting, and deployment cycles of many of our customers, particularly our enterprise customers. We expect that this seasonality will continue to affect our billings, bookings, and other operating results in the future as we continue to target larger enterprise customers.

To increase our revenue, we must continue to attract new customers, convert free customers to paying customers and increase sales to existing customers. Our ability to sell subscriptions for our products has in the past been and could in the future be impaired due to competitors introducing lower cost or differentiated products or services that are perceived to compete with our platform, and could also be impaired by market segment maturation and evolution of product and service offerings. Similarly, our subscription sales have in the past been and may in the future be adversely affected by customers or users within these organizations perceiving our products as having premium features that are not essential to their businesses, determining that features incorporated into competitive products reduce the need for our products or preferring to purchase competing products that are bundled with solutions offered by other companies, including our partners, that operate in adjacent market segments. Further, the current macroeconomic environment has made it more difficult to attract new customers and expand with existing customers, as we have seen customers display a higher level of scrutiny with their enterprise software spending and require additional sales support. As a result of these and other factors, we may be unable to attract new customers, which could have an adverse effect on our business, revenue, gross margins, and other operating results, and accordingly, on the trading price of our common stock.

Our success and future growth depend upon the continued services of our management team and other key employees. From time to time, there may be changes in our management team resulting from the hiring or departure of executives and key employees, which could disrupt our business. Our senior management and key employees are employed on an at-will basis. We currently do not have "key person" insurance on any of our employees. Certain of our key employees have been with us for a long period of time and have fully vested stock options or other long-term equity incentives that may become valuable and may be sold in the public markets, generating significant proceeds, which may reduce their motivation to continue to work for us. The loss of one or more of our senior management, particularly Jennifer Tejada, our Chief Executive Officer, or other key employees could harm our business, and we may not be able to find adequate replacements. We cannot ensure that we will be able to retain the services of any members of our senior management or other key employees, and we cannot ensure that we would be able to timely replace members of our senior management or other key employees should any of them depart.