PowerSchool (PWSC) Risk Analysis

Our customers can use our platform to collect, use, and store certain types of personal or identifying information regarding their employees and students. Federal, state, and foreign government bodies and agencies have adopted, are considering adopting, or may adopt laws and regulations regarding the collection, use, storage, and disclosure of personal information obtained from consumers and individuals, such as compliance with the Health Insurance Portability and Accountability Act of 1996 in the U.S. and the General Data Protection Regulation ("GDPR") in the EU. The costs of compliance with, and other burdens imposed by, such laws and regulations that are applicable to the businesses of our customers may limit the use and adoption of our platform and reduce overall demand or lead to significant fines, penalties, or liabilities for any noncompliance with such privacy laws. Furthermore, privacy concerns may cause our customers' employees to resist providing the personal data necessary to allow our customers to use our platform effectively. Even the perception of privacy concerns, whether or not valid, may inhibit market adoption of our platform in certain industries. All of these domestic and international legislative and regulatory initiatives may adversely affect our customers' ability to process, handle, store, use, and transmit demographic and personal information from their employees, customers, and suppliers, which could reduce demand for our platform. The EU and many countries in Europe have stringent privacy laws and regulations, which may affect our ability to operate cost-effectively in certain European countries. In particular, the EU has adopted the GDPR, and contains numerous requirements and changes, including more robust obligations on data processors and heavier documentation requirements for data protection compliance programs by companies. Specifically, the GDPR introduced numerous privacy-related changes for companies operating in the EU, including greater control for data subjects (e.g., the "right to be forgotten"), increased data portability for EU consumers, data breach notification requirements, and increased fines. In particular, under the GDPR, fines of up to 20 million Euros or up to 4% of the annual global revenue of the noncompliant company, whichever is greater, could be imposed for violations of certain of the GDPR's requirements. Complying with the GDPR may cause us to incur substantial operational costs or require us to change our business practices. Despite our efforts to bring practices into compliance with the GDPR, we may not be successful either due to internal or external factors such as resource allocation limitations or a lack of vendor cooperation. Non-compliance could result in proceedings against us by governmental entities, customers, data subjects, or others. We may also experience difficulty retaining or obtaining new European or multi-national customers due to the compliance cost, potential risk exposure, and uncertainty for these entities, and we may experience significantly increased liability with respect to these customers pursuant to the terms set forth in our engagements with them. Legal developments in Europe have created complexity and regulatory compliance uncertainty regarding certain transfers of personal information from the EEA to the United States. For example, on July 16, 2020, the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. Privacy Shield Framework ("Privacy Shield") under which personal information could be transferred from the EU to U.S. entities who had self-certified under the Privacy Shield program. While the CJEU upheld the adequacy of EU-specified standard contractual clauses as an adequate personal information transfer mechanism, it made clear that reliance on them alone may not necessarily be sufficient in all circumstances and that their use must be assessed on a case-by-case basis taking into account the surveillance laws in and the right of individuals afforded by, the destination country. The CJEU went on to state that, if the competent supervisory authority believes that the standard contractual clauses cannot be complied with in the destination country and the required level of protection cannot be secured by other means, such supervisory authority is under an obligation to suspend or prohibit that transfer unless the data exporter has already done so itself. The U.S. and the EU in March 2022 agreed in principle on a replacement framework for the Privacy Shield, called the EU-U.S. Data Privacy Framework. In December 2022, the European Commission published a draft "adequacy" determination for this new framework. A failure to finalize implementation of the EU-U.S. Data Privacy Framework, or the framework's invalidation in EU courts, could compound that uncertainty and result in additional blockages of data transfers. We rely on a mixture of mechanisms to transfer personal data from the EU to the U.S. (including having previously relied on Privacy Shield) and are evaluating what additional mechanisms may be required to establish adequate safeguards for personal information. As supervisory authorities continue to issue further guidance on personal information export mechanisms, including circumstances where the standard contractual clauses cannot be used and/or start taking enforcement action, we could suffer additional costs, complaints, and/or regulatory investigations or fines. Moreover, if we are otherwise unable to transfer personal information between and among countries and regions in which we operate, it could affect the manner in which we provide our services, and we may find it necessary to establish systems in the EU to maintain personal data originating from the EU, which may involve substantial expense and distraction from other aspects of our business. In the meantime, there could be uncertainty as to how to comply with EU privacy law. In addition to the changing regulatory landscape in the E.U., legal developments in the United States have also created complexity and regulatory compliance uncertainty. For example, California enacted the California Consumer Privacy Act of 2018 ("CCPA"), which broadly defines personal information, gives California residents expanded privacy rights, allows consumers to opt out of certain data sharing with third parties, provides for civil penalties for violations, and includes a new cause of action for data breaches. Moreover, a new privacy law, the California Privacy Rights Act ("CPRA"), certified by the California Secretary of State to appear as a ballot initiative was passed by Californians during the November 3, 2020, election. The CPRA significantly modifies the CCPA, and imposes additional data protection obligations on companies doing business in California, potentially resulting in further complexity. The effects of this legislation are potentially far-reaching and may require us to modify our data management practices and to incur substantial expense in an effort to comply. In addition, the FERPA, generally prohibits educational institutions that receive federal funding from disclosing PII from a student's education records without the student's consent. Through our solutions, our customers and users disclose to us certain information that may originate from or comprise a student education record, as the term is defined under FERPA. As an entity that provides services to institutions, we are often subject to contractual clauses that impose restrictions derived from FERPA on our ability to collect, process, transfer, disclose, and store student data, under which we may not transfer or otherwise disclose any PII from a student record to another party other than in a manner permitted under the statute. If we violate our obligations to any of our educational institution customers relating to the privacy of student records subject to FERPA, such a violation could constitute a material breach of contract with one or more of our customers and could harm our reputation. Further, in the event that we disclose student information in a manner that results in a violation of FERPA by one of our educational customers, the U.S. Department of Education could require that customer to suspend our access to the customer's student information that is covered under FERPA for a period of at least five years. We are also subject to the Children's Online Privacy Protection Act, ("COPPA"),, which applies to operators of commercial websites and online services directed to U.S. children under the age of 13 that collect personal information from children, and to operators of general audience websites with actual knowledge that they are collecting information from U.S. children under the age of 13. Some of our solutions are directed, in part, at children under the age of 13. Through our solutions, we collect certain personal information, including names and email addresses from children. COPPA is subject to interpretation by courts and other governmental authorities, including the FTC, and the FTC is authorized to promulgate, and has promulgated, revisions to regulations implementing provisions of COPPA, and provides non-binding interpretive guidance regarding COPPA that changes periodically with little or no public notice. Although we strive to ensure that our platform and applications are compliant with applicable COPPA provisions, these provisions may be modified, interpreted, or applied in new manners that we may be unable to anticipate or prepare for appropriately, and we may incur substantial costs or expenses in attempting to modify our systems, platform, applications, or other technology to address changes in COPPA or interpretations thereof. If we fail to accurately anticipate the application, interpretation or legislative expansion of COPPA we could be subject to governmental enforcement actions, litigation, fines and penalties, or adverse publicity and we could be in breach of our customer contracts and our customers could lose trust in us, which could harm our reputation and business. In addition to government regulation, privacy advocates and industry groups may propose self-regulatory standards, such as the Student Privacy Pledge, from time to time. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards or to facilitate our customers' compliance with such standards. Following these privacy standards and adapting to future standards involves significant operational challenges. In addition, any inability or decision not to join these industry initiatives could damage our reputation, inhibit sales, slow our sales cycles, and adversely affect our business. Because the interpretation and application of many privacy and data protection laws along with contractually imposed industry standards are uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our solutions and platform capabilities. If so, in addition to the possibility of fines, lawsuits, and other claims and penalties, we could be required to fundamentally change our business activities and practices or modify our solutions and platform capabilities, which could have an adverse effect on our business. Any inability to adequately address privacy and security concerns, even if unfounded, or comply with applicable privacy and data security laws, regulations, and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales, and adversely affect our business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions. Privacy and data security concerns, whether valid or not valid, may inhibit market adoption of our solutions, particularly in certain industries and foreign countries. If we are not able to adjust to changing laws, regulations, and standards related to the Internet, our business may be harmed.

Our platform and solutions store and transmit proprietary and confidential school, student, and company information, which may include personal information of students, prospective students, faculty, and employees, that is subject to stringent legal and regulatory obligations. As a technology company, we face an increasing number of threats to our platform and computer systems, including unauthorized activity and access, system viruses, worms, malicious code, denial of service attacks, phishing attacks, and organized cyberattacks, any of which could breach our security and disrupt our platform and our school clients' offerings. Although we devote significant resources to prevent unwanted intrusions and to protect our systems and data, whether such data is housed internally or by external third parties, the techniques used by computer hackers and cyber criminals to obtain unauthorized access to data or to sabotage computer systems change frequently and generally are not detected until after an incident has occurred. Cyber threat actors are becoming more sophisticated and coordinated in their attempts to access information technology (IT) systems and data. While we have implemented certain safeguards and processes to thwart unwanted intrusions and to protect the data in our platform and computer systems, whether housed internally or externally by third parties, such safeguards and the cybersecurity measures taken by our third-party service providers may be unable to anticipate, detect, or prevent all attempts to compromise our platform and systems. We and certain of our third-party service providers have experienced and may continue to experience cyber incidents of varying degrees and type in the conduct of our business. Although such incidents did not have a material adverse effect on our operating results in 2023, there can be no assurance of a similar result in the future. If our security measures are breached or fail as a result of third-party action, user error, malfeasance or otherwise, it could result in the loss or misuse of proprietary and confidential school, student (including prospective student), employee, and company information, or harm the safety, wellbeing, or academic outcomes of students, all of which could subject us to significant liability, or interrupt our business, potentially over an extended period of time. For example, data breaches or failures could result in a student's grades being misreported on that student's transcripts, which could negatively affect students' emotional health and educational and career prospects. Any or all of these issues could harm our reputation, adversely affect our ability to attract new school clients and students, cause existing school clients to scale back their offerings or elect not to renew their agreements, cause prospective students not to enroll or existing students to not stay enrolled in our offerings, or subject us to third-party lawsuits, regulatory fines, or other action or liability. Further, any reputational damage resulting from breach of our security measures could create distrust of our company by prospective school clients or students. In addition, our insurance coverage may not be adequate to cover costs, expenses, and losses associated with such events, and in any case, such insurance may not cover all of the types of costs, expenses, and losses we could incur to respond to and remediate a security breach. As a result, we may be required to expend significant additional resources to protect against the threat of these disruptions and security breaches or to alleviate problems caused by such disruptions or breaches. Many governments have enacted laws that require companies and institutions to notify impacted individuals of data breach incidents, usually in writing. Under the terms of our contracts with our school clients, we would be responsible for the costs of investigating and disclosing data breaches to the school clients and their students. In addition to costs associated with investigating and fully disclosing a data breach, we could be subject to regulatory proceedings or private claims by affected parties, which could result in substantial monetary fines or damages, and our reputation would likely be harmed.

The market for the software we sell is highly competitive, with relatively low barriers to entry within certain areas of our product portfolio. Our competitors include well-established providers of K-12 non-instructional educational software, including Frontline Education and Instructure, that have long-standing relationships with many customers. Some customers may be hesitant to switch or to adopt our cloud-based software and prefer to maintain their existing relationships with their legacy software vendors. We may also in the future face competition from new entrants to our market, some of whom would be able to invest massive resources (e.g., Microsoft, Amazon, or Google) to develop a unified platform that competes directly with ours or to acquire one or more of our competitors to compete with us. If existing or new companies develop or market solutions similar to ours, develop an entirely new software platform for the K-12 education sector, acquire one of our existing competitors, or form a strategic alliance with one of our competitors or other industry participants, our ability to compete effectively could be significantly impacted, which would have a material adverse effect on our business, results of operations, and financial condition. Our competitors may offer software on a standalone basis at a low price or bundled as part of a larger product sale. In order to take advantage of customer demand for cloud-based software, legacy vendors are expanding their cloud-based software through acquisitions and organic development. Legacy vendors may also seek to partner with other leading cloud providers. We also face competition from custom-built software vendors and from vendors of specific applications, some of which offer cloud-based solutions. We may also face competition from a variety of vendors of cloud-based and on-premises software products that may have some of the core functionality of our solutions but that address only a portion of the capabilities and features of our platform. In addition, other companies that provide cloud-based software in different target markets may develop software or acquire companies that operate in our target markets, and some potential customers may elect to develop their own internal software. With the introduction of new technologies and market entrants, we expect this competition to intensify in the future. Furthermore, our current or potential competitors may be acquired by third parties with greater available resources and the ability to initiate or withstand substantial price competition. In addition, many of our competitors have established marketing relationships, access to larger customer bases, and major distribution agreements with consultants, system integrators, and resellers. Our competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their product offerings or resources. If our platform does not become more accepted relative to our competitors', or if our competitors are successful in bringing their products or services to market earlier than ours, or if their products or services are more technologically advanced than ours, then our revenue could be adversely affected. In addition, some of our competitors may offer their products and services at a lower price. If we are unable to achieve our target pricing levels, our operating results will be negatively affected. Pricing pressures and increased competition could result in reduced sales, reduced margins, losses, or a failure to maintain or improve our competitive market position, any of which could adversely affect our business.

We believe that maintaining, enhancing, and protecting our brand is critical to support the marketing and sale of our existing and future solutions to new customers and expand sales of our solutions to existing customers. We also believe that the importance of brand recognition will increase as competition in our market increases. Successfully maintaining, enhancing, and protecting our brand will depend largely on the effectiveness of our marketing efforts, our ability to provide reliable solutions that continue to meet the needs of our customers at competitive prices, our ability to maintain our customers' trust, our ability to continue to develop new functionality and use cases, our ability to successfully differentiate our solutions and solution capabilities from competitive products, and our ability to obtain, maintain, protect, and enforce trademark and other intellectual property protection for our brand. Our brand promotion activities may not generate customer awareness or yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote, maintain, or protect our brand, our business, financial condition, and results of operations may suffer.

Our success depends largely upon the continued services of our key executive officers. In particular, our chief executive officer, Hardeep Gulati, is critical to our vision, strategic direction, culture, and overall business success. We also rely on our leadership team in the areas of research and development, marketing, sales, services, and general and administrative functions, and on mission-critical individual contributors in research and development. From time to time, there have been and may in the future be changes in our executive management team resulting from the hiring or departure of executives, which could disrupt our business. We do not maintain key-man insurance for Mr. Gulati or any other member of our senior management team. We do not have employment agreements with our executive officers or other key personnel that require them to continue to work for us for any specified period and, therefore, they could terminate their employment with us at any time. The loss of one or more of our executive officers or key employees could have a serious adverse effect on our business. Our future success also depends upon our ability to continue to attract, train, integrate, and retain highly skilled employees, including in our sales and marketing personnel, SaaS operations personnel, professional services personnel, and software engineers. Our inability to attract and retain qualified personnel, or delays in hiring necessary personnel, may seriously harm our business, results of operations, and financial condition. If U.S. immigration policy related to skilled foreign workers were materially adjusted, such a change could hamper our efforts to hire highly skilled foreign employees, including highly specialized engineers, which would adversely impact our business. We face competition for qualified individuals from numerous software and other technology companies. Competition for these personnel is intense, especially for engineers with high levels of experience in designing and developing software for Internet-related services. We have, from time to time, experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. Many of the companies with which we compete for experienced personnel have greater resources than we have. If we hire employees from competitors or other companies, their former employers may attempt to assert that these employees or our company have breached their legal obligations, resulting in a diversion of our time and resources. In addition, job candidates and existing employees often consider the value of the stock awards they receive in connection with their employment. If the perceived value of our stock awards declines, it may adversely affect our ability to recruit and retain highly skilled employees. Further, significant amounts of time and resources are required to train technical, sales, services, and other personnel. We may incur significant costs to attract, train and retain such personnel, and we may lose new employees to our competitors or other technology companies before we realize the benefit of our investment after recruiting and training them. Also, to the extent that we hire personnel from competitors, we may be subject to allegations that such personnel have been improperly solicited or have divulged proprietary or other confidential information. In addition, we have a limited number of sales people and the loss of several sales people within a short period of time could have a negative impact on our sales efforts. We may be unable to attract and retain suitably qualified individuals who are capable of meeting our growing technical, operational, and managerial requirements, or we may be required to pay increased compensation in order to do so. Our ability to expand geographically depends, in large part, on our ability to attract, retain, and integrate managers with the appropriate skills to lead local operations and employees. Similarly, our profitability depends on our ability to effectively utilize personnel with the right mix of skills and experience to perform services for our customers, including our ability to transition employees to new assignments on a timely basis. If we are unable to effectively deploy our employees globally on a timely basis to fulfill the needs of our customers, our reputation could suffer and our ability to attract new customers may be harmed. Because of the technical nature of our solutions and the dynamic market in which we compete, any failure to attract, integrate, and retain qualified technical, sales, services, and other personnel, as well as our contract workers, could harm our ability to generate sales or successfully develop new solutions and professional services and enhancements of existing solutions.

Our revenue, results of operations, and cash flows depend on the overall demand for our solutions. Concerns about the systemic impact of the current inflationary and interest rate environments and political and economic instability (including as a result of Russian actions in Ukraine, the Israel-Hamas war, and the relationship between China and Taiwan), and actual and potential shifts in U.S. and foreign trade, economic and other policies, and trade tensions between the United States and China, as well as other global events could lead to increased market volatility, decreased consumer confidence, and diminished growth expectations in the U.S. economy and abroad, which in turn could result in reductions in IT spending by our existing and prospective customers. Prolonged economic slowdowns may result in customers delaying or canceling IT projects, choosing to focus on in-house development efforts or seeking to lower their costs by requesting us to renegotiate existing contracts on less advantageous terms, defaulting on payments due on existing contracts, or not renewing at the end of existing contract terms. As a result, broadening or protracted extension of an economic downturn could harm our business, revenue, results of operations, and cash flows.