Snowflake (SNOW) Risk Factors

In the ordinary course of our business, we store, transmit, generate, and process our, our customers', and our business partners' confidential and proprietary data. Such data includes sensitive data, such as personal information, protected health information, and financial data. We also use third-party service providers, sub-processors, and technology to help us deliver services to our customers and their end-users, as well as for our internal business operations. For example, our platform is built on the infrastructure of third-party public cloud providers, such as AWS, Azure, and GCP, and we use third-party technology to assist with securing our environment and providing access to our platform. Some of our customers also use third-party service providers to assist with their use of our platform or third-party technology, such as connectors, to access our platform. These third-party service providers may process, store, or transmit data of our employees, partners, customers, and customers' end-users or may otherwise be used to help operate our platform and corporate systems. We, our customers and business partners, and these third parties face a variety of evolving cybersecurity threats. Cybersecurity threats come from a variety of sources, including traditional computer "hackers," internal and external personnel (such as through theft or misuse), sophisticated nation-states, and nation-state-supported actors. Cybersecurity threat actors can use a wide variety of methods, including unauthorized intrusions, denial-of-service attacks, ransomware attacks, business email compromises, computer malware, infostealer malware, social engineering attacks (including through deep-fakes and phishing), internal and external personnel misconduct or error, supply-chain attacks, software vulnerabilities, software or hardware disruptions or failures, and attacks enhanced or facilitated by AI Technology, all of which are prevalent in our industry and our customers' and partners' industries. These methods change frequently and are becoming increasingly difficult to detect. Threat actors who successfully compromise networks or systems may use the unauthorized access as a vector to compromise other networks and systems. Threat actors' goals often include disrupting a company's operations or ability to provide services, obtaining unauthorized access to platforms, systems, networks, or physical facilities in which data is stored or processed, or through which data is transmitted, and stealing data. Ransomware attacks are becoming more frequent and severe. There can be no assurance that security measures designed to protect against security incidents will be effective, and our efforts to investigate, mitigate, contain, and remediate any security incidents that do occur may not be successful. Even though we may not control the security measures of third-party providers, we may incur liability or suffer reputational harm if such measures are breached. Actions taken by us, third-party cloud providers, or the other third parties with whom we work to detect, investigate, mitigate, contain, and remediate security incidents could result in outages, data losses, and disruptions of our business. We may be unable to detect, mitigate, or remediate vulnerabilities in our information security systems (such as our hardware and software, including that of third parties upon which we rely) on a timely basis. We may be unwilling or unable to make ransom payments due to, for example, applicable laws or regulations prohibiting such payments, the negative precedent such payments would set, or uncertainty over whether such payments would result in the threat actor deleting stolen data or otherwise delivering on their promised course of action. In general, cybersecurity incidents or security vulnerabilities could lead to significant interruptions in our operations, loss of data and income, reputational harm, diversion of funds, increased insurance costs, and other harm to our business, reputation, and competitive position. In addition, customers' use of our platform in violation of our terms of service, including by granting access to a single Snowflake account to various third-party entities, could amplify the impact of any cybersecurity or product incidents. Security incidents and their resulting consequences, including negative publicity, may also cause customers to stop using our platform, deter existing or prospective customers from using our platform, and negatively impact our ability to grow and operate our business. Our customers have experienced and may in the future experience security incidents in connection with their use of our platform that harm our customer relationships and our reputation, even when such incidents are due to vulnerabilities, policy violations, inadequate security controls, or credential exposures that we do not cause. We operate under a shared responsibility cybersecurity model where we are responsible for the security of our platform and underlying cloud infrastructure, while our customers are responsible for selecting, enabling, and configuring security controls for their individual environments in a manner that meets applicable cybersecurity standards and effectively reduces their information security risk. To assist customers in meeting their responsibilities, we offer and support a range of tools and features for access control, including multi-factor authentication (MFA), network access policies, and unified role-based access controls and policies. Customers may also use third-party external authentication tools, in which case we do not have visibility into whether adequate access controls (such as MFA or network restrictions) are being enforced. Regardless of whether customers use our authentication tools or external tools, if customers allow static access credentials, they are responsible for ensuring that the credentials remain private and are rotated on a regular basis. If our customers do not implement, or incorrectly implement, these features or otherwise fail to fulfill their responsibilities under our shared responsibility model, there is a higher risk that they will be the victim of cybersecurity incidents, which may harm our customer relationships, our reputation, and our business, which has occurred in the past and may happen again in the future. We have contractual and other legal obligations to notify customers and other parties of certain security incidents, and may choose to make such notifications even if not legally required to do so. For example, SEC rules require disclosure on Form 8-K of the nature, scope and timing of any material cybersecurity incident and the reasonably likely impact of such incident. Determining whether a cybersecurity incident is notifiable or reportable may not be straightforward, and any such mandatory disclosures are costly and could lead to negative publicity, loss of customer or partner confidence in the effectiveness of our security measures, diversion of management's attention, governmental investigations, and the expenditure of significant capital and other resources to investigate, respond to, or alleviate problems caused by the actual or perceived security breach. Any security breach of our platform, our operational systems, our software (including open-source software), our physical facilities, or the systems of our third-party service providers or sub-processors, or the perception that one has occurred, or unauthorized access to our customers' or partners' systems, data, or technology, could result in claims that we have breached customer contracts or other legal obligations, including as described below. In addition, we may be subject to, and have received in the past, requests by regulators (including members of Congress) for information about our security practices, our public statements about our security program, experiences, and issues. Alleged failures, problems, or issues related to our information security or our customers' use of our platform, including following such information requests, could result in additional investigations; actions from a variety of regulators, including state attorneys general, the Department of Justice, the Federal Trade Commission (FTC), and the SEC; litigation; indemnity obligations; fines; penalties; mitigation and remediation costs; reputational harm; diversion of management's attention; friction with customers; and other liabilities and damage to our business. Further, cybersecurity incidents may lead customers or prospective customers to attempt to negotiate contractual terms that are less favorable to us, such as broader indemnification obligations and higher limitations of liability. Our insurance coverage may not be adequate for liability arising from data security breaches involving us or our customers or other third parties, indemnification obligations, or other liabilities. The successful assertion of one or more large claims against us that exceeds our available insurance coverage or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements) could have an adverse effect on our business. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to any future claim. Risks related to our systems and security breaches are likely to increase as we continue to expand our platform and geographic footprint, grow our customer and partner base, acquire operating companies, and process, store, and transmit increasingly large amounts of data. For example, in May 2024, we became aware that a cybersecurity threat actor had accessed a number of our customers' Snowflake accounts as a result of such customers' failure to fulfill certain of their obligations under our shared responsibility cybersecurity model (e.g., implementing MFA and network access policies). Even though we did not identify any evidence suggesting this activity was caused by or otherwise related to any vulnerability or misconfiguration of our systems, or a breach of our platform's security or our environment, we have been the subject of multiple lawsuits, regulatory investigations, and lawmaker inquiries relating to these customer incidents. Since May 2024, we have been made aware of additional cyberattacks on customers' Snowflake accounts using similar methods to take advantage of customers' failures to implement MFA and network access policies. We are unable to predict the outcome or timeline of these matters or if any additional requests, inquiries, lawsuits, investigations or other government actions may arise. We have suffered and may continue to suffer negative publicity and reputational damage, including due to the misperception that our customers' incidents resulted from a vulnerability, misconfiguration or breach of our platform's security or systems and malicious activity within our environment. In addition, we may experience customer churn or face claims by customers, and it is possible that we are not able to fully recover any losses relating to these matters through any applicable insurance coverage or we may be required to seek indemnification from breached customers to mitigate our damages. These matters, together with any additional inquiries, regulatory or governmental investigations or other disputes that result from these customer security incidents, will require us to divert resources and may harm our reputation, business, financial condition and results of operations. Finally, some of our employees work remotely, including while traveling for business, which increases our cybersecurity risk, creates data accessibility concerns, and makes us more susceptible to security breaches or business disruptions. Any of the foregoing could have a material adverse effect on our business, financial condition, results of operations, or prospects.

From time to time, we may become subject to legal proceedings and claims, such as claims brought by our customers in connection with commercial disputes, employment claims, including claims related to the loss of employee equity grants upon termination, intellectual property claims, or securities class actions or other claims related to volatility in the trading price of our common stock. For example, we are named in a securities class action lawsuit in federal court alleging federal securities law violations, as well as several class action lawsuits alleging common law and statutory claims in connection with security matters. See the section titled "Legal Proceedings" for more information. Litigation could result in substantial costs and divert management's attention and resources, which might seriously harm our business, financial condition, and results of operations. Our existing insurance might not cover such claims, provide sufficient payments to cover all the costs to resolve one or more such claims, or continue to be available on terms acceptable to us (including premium increases or the imposition of large deductible or co-insurance requirements). A claim brought against us that is uninsured or underinsured could result in unanticipated costs, potentially harming our business, financial position, and results of operations.

We are subject to data privacy and protection laws, regulations, guidance, external and internal policies and other documentation, industry standards, certifications, and contractual and other obligations that apply to the collection, transmission, storage, use, and other processing of personal information. These obligations are rapidly evolving, extensive, complex, and include inconsistencies and uncertainties. Examples of recent and anticipated developments that have impacted or could impact our business include the following: - The European Union's (EU) General Data Protection Regulation (GDPR) and the United Kingdom's General Data Protection Regulation established strict requirements applicable to the handling of personal information. - India's Digital Personal Data Protection Act (DPDP Act), which was passed in August 2023, imposes strict rules regarding the collection, use, processing and storage of personal data in India. The DPDP Act will not come into effect until the Indian government provides notice of an effective date, which is expected in 2024. - The EU has proposed the Regulation on Privacy and Electronic Communications, which, if adopted, would impose new obligations on using personal information in the context of electronic communications, particularly with respect to online tracking technologies and direct marketing. - Certain other jurisdictions have enacted data localization laws and cross-border personal information transfer laws, such as Brazil and China, which could make it more difficult for us to transfer personal information across jurisdictions (such as transferring or receiving personal or other sensitive information that originates in the EU or China), or to enable our customers to transfer or replicate their data across jurisdictions using our platform. Existing mechanisms that may facilitate cross-border personal information transfers may change or be invalidated. Because our business model involves transmitting and mobilizing data across geographical areas, an inability or material limitation on our ability to transfer personal data to the United States or other countries could materially impact our business operations and revenue. - In the United States, federal, state, and local governments have enacted or proposed data privacy and security laws, including data breach notification laws, personal data privacy laws, and consumer protection laws. Additionally, in the past few years, numerous U.S. states-including California, Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. Such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making and, if exercised, may adversely impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), provides increased privacy rights and protections, including the ability of individuals to opt out of specific disclosures of their personal information, and provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Other U.S. states have adopted, or are considering adopting, similar laws. - The certifications we maintain and the standards that apply to our platform (or those we may maintain or that may apply in the future), such as the U.S. Federal Risk and Authorization Management Program (FedRAMP), U.S. Department of Defense Impact Level 4 (IL4), Payment Card Industry Data Security Standards (PCI-DSS), International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Health Information Trust Alliance Common Security Framework (HI-TRUST CSF), StateRAMP, among others, are becoming more stringent. - We may also become subject to new laws that specifically regulate non-personal data. For example, we may become subject to certain parts of the European Union's Data Act, which imposes certain data and cloud service interoperability and switching obligations to enable users to switch between cloud service providers without undue delay or cost, as well as certain requirements concerning cross-border international transfers of, and governmental access to, non-personal data outside the European Economic Area. These and other similar legal and regulatory developments could contribute to legal and economic uncertainty, increase our exposure to liability, affect how we design, market, and sell our platform, and how we operate our business, how our customers and partners process and share data, how we process and use data, and how we transfer personal data from one jurisdiction to another, any of which could increase our costs, require us to take on more onerous obligations in our contracts, impact our ability to operate in certain jurisdictions, and/or negatively impact the types of data available on or the demand for our platform. It is possible that new laws may be adopted or existing laws may be interpreted and applied in a manner that is inconsistent with our practices and our efforts to comply with the evolving data protection rules may be unsuccessful. We may incur substantial costs to comply with such laws and regulations, to meet the demands of our customers relating to their own compliance with applicable laws and regulations, and to establish and maintain internal policies, self-certifications, and third-party certifications supporting our compliance programs. Our customers may delegate certain of their GDPR compliance or other privacy law obligations to us, and we may otherwise be required to expend resources to assist our customers with such compliance obligations. Any actual or perceived non-compliance with applicable data privacy and security obligations by us or our third-party service providers and sub-processors could result in proceedings, investigations, or claims against us by regulatory authorities, customers, or others, leading to reputational harm, higher liability and indemnity obligations, significant fines, litigation costs, additional reporting requirements or oversight, bans on processing personal information, orders to destroy or not use personal information, limitations in our ability to develop or commercialize our platform, inability to process personal information or operate in certain jurisdictions, and other damages. For example, if regulators assert that we have failed to comply with the GDPR or U.K. GDPR, we may be subject to fines of up to (i) 20.0 million Euros or 17.5 million British pounds, as applicable, or (ii) 4% of our worldwide annual revenue, whichever is greater, as well as potential data processing restrictions and penalties. In addition, private plaintiffs have become increasingly active in bringing privacy- and information security-related claims against companies, including class action claims. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for significant statutory damages, depending on the volume of data and the number of violations. Even if we are not determined to have violated these laws and other obligations, investigations into these issues typically require the expenditure of significant resources and generate negative publicity. In addition, any failure by us or our third-party service providers and sub-processors to comply with applicable obligations could result in proceedings against us. Certain regulators, such as the FTC, may prohibit our use of certain personal information as a result of such proceedings. Any of these events could have a material adverse effect on our business, financial condition, and results of operations. We publish privacy policies, certifications and other documentation regarding our security program and our collection, processing, use, and disclosure of personal information or other confidential information. We or our vendors may fail to comply with these policies, certifications, or documentation, or may be perceived to have failed to do so. Claims by regulators or private parties that we have not followed our published documentation or otherwise violated individuals' privacy rights or failed to comply with data protection laws, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business.

A component of our growth strategy involves the further expansion of our operations and customer base internationally. Customer accounts outside the United States generated 24% of our revenue for each of the three and nine months ended October 31, 2024. We are continuing to adapt to and develop strategies to address international markets, but there is no guarantee that such efforts will have the desired effect. For example, we anticipate that we will need to establish relationships with new partners in order to expand into certain countries, including China, and if we fail to identify, establish, and maintain such relationships, we may be unable to execute on our expansion plans. We expect that our international activities will continue to grow for the foreseeable future as we continue to pursue opportunities in existing and new international markets, which will require significant dedication of management attention and financial resources. Our current and future international business and operations involve a variety of risks, including: - slower than anticipated public cloud adoption by international businesses;- changes in a specific country's or region's political, economic, or legal and regulatory environment, including the effects of pandemics, tariffs, trade wars, sanctions, or long-term environmental risks;- the need to adapt and localize our platform for China, Saudi Arabia, and other countries, including as a result of data sovereignty requirements, and the engineering and related costs that we may incur when making those changes;- greater difficulty collecting accounts receivable and longer payment cycles;- unexpected changes in, or the selective application of, trade relations, regulations, or laws;- new, evolving, and more stringent regulations relating to privacy and data security, data localization, and the unauthorized use of, or access to, commercial and personal information;- new, evolving, and potentially more stringent regulations relating to AI Technology;- differing and potentially more onerous labor regulations that are generally more advantageous to employees as compared to the United States, including regulations governing terminations in locations that do not permit at-will employment and deemed hourly wage and overtime regulations;- challenges inherent in efficiently managing, and the increased costs associated with, an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, benefits, and compliance programs that are specific to each jurisdiction;- difficulties in managing a business in new markets with diverse cultures, languages, customs, legal systems, alternative dispute systems, and regulatory systems;- increased travel, real estate, infrastructure, and legal compliance costs associated with international operations, including increased costs associated with changing and potentially conflicting environmental regulations and requirements;- currency exchange rate fluctuations and the resulting effect on our revenue, RPO, and expenses, and the cost and risk of utilizing mitigating derivative transactions and entering into hedging transactions to the extent we do so in the future;- limitations on, or charges or taxes associated with, our ability to reinvest earnings from operations in one country to fund the capital needs of our operations in other countries;- laws and business practices favoring local competitors or general market preferences for local vendors;- limited or insufficient intellectual property protection or difficulties obtaining, maintaining, protecting, or enforcing our intellectual property rights, including our trademarks and patents;- political instability, military conflict or war, or terrorist activities;- exposure to liabilities under anti-corruption and anti-money laundering laws, including the U.S. Foreign Corrupt Practices Act of 1977, as amended (FCPA), U.S. bribery laws, the U.K. Bribery Act, and similar laws and regulations in other jurisdictions;- burdens of complying with laws and regulations related to taxation; and - regulations, adverse tax burdens, and foreign exchange controls that could make it difficult or costly to repatriate earnings and cash. We expect to invest substantial time and resources to further expand our international operations, and, if we are unable to do so successfully and in a timely manner, our business and results of operations could suffer.

Our platform and the public cloud infrastructure on which our platform relies are vulnerable to damage or interruption from catastrophic events, such as earthquakes, floods, fires, power loss, telecommunication failures, cyber attacks, military conflict or war, terrorist attacks, criminal acts, sabotage, other intentional acts of vandalism and misconduct, geopolitical events, and epidemics, pandemics or other public health crises, such as the COVID-19 pandemic. Some of our U.S. corporate offices in which we operate and certain of the public cloud data centers on which our platform runs are located in the San Francisco Bay Area and Pacific Northwest, regions known for seismic activity. Despite any precautions we may take, the occurrence of a natural disaster or other unanticipated problems at our facilities or the facilities of our public cloud providers could result in disruptions, outages, and other performance and quality problems. Our customers are also subject to the risk of catastrophic events. If those events occur, demand for our platform may decrease. If we are unable to develop and maintain adequate plans to ensure that our business functions continue to operate during and after a catastrophic event and to execute successfully on those plans if such an event occurs, our business could be seriously harmed.

Our sales are currently denominated in U.S. dollars, Euros, British pounds, Australian dollars, Canadian dollars, and Brazilian reals, and will likely be denominated in other currencies in the future. Because we report our results of operations and revenue in U.S. dollars, we currently face exposure to foreign currency translation risk and may in the future face other foreign currency risks. If we are not able to successfully hedge against the risks associated with currency fluctuations, our results of operations could be adversely affected. For example, a strengthening of the U.S. dollar could increase the real cost of our platform to international customers, which could adversely affect our results of operations. In addition, as our international operations expand, an increasing portion of our operating expenses is incurred outside the United States. These operating expenses are denominated in foreign currencies and are subject to fluctuations due to changes in foreign currency exchange rates. Exposure to these risks and fluctuations could adversely affect our financial position, results of operations, and cash flows.

Our go-to-market strategy is focused on acquiring new customers and driving increased use of our platform by existing customers. The markets in which we operate are rapidly evolving and highly competitive, and the competition we face in such markets continues to increase with our investments in AI Technology, new workloads types, and new product capabilities, such as our increased support for open data formats that allow customers to use our platform for compute services without requiring storage (for example, Iceberg tables, which became generally available to our customers in June 2024). As these markets continue to mature and new technologies and competitors enter such markets, we expect competition to intensify. Our current competitors include: - large, well-established, public cloud providers that generally compete in all of our markets, including AWS, Azure, and GCP;- less-established public and private cloud companies with products that compete in some of our markets;- other established vendors of legacy database solutions or big data offerings; and - new or emerging entrants seeking to develop competing technologies. We compete based on various factors, including price, performance, product features, breadth of use cases, multi-cloud availability, brand recognition and reputation, customer support, and differentiated capabilities, including ease of implementation and data migration, ease of administration and use, scalability and reliability, data governance, security and compatibility with existing standards, programming languages, and third-party products. Many of our competitors have substantially greater brand recognition, customer relationships, and financial, technical, and other resources than we do, and may be able to respond more effectively than us to new or changing opportunities, technologies, standards, customer requirements, and buying practices. In addition, we may not be able to respond to market opportunities as quickly as smaller companies. Our support of open data formats may also reduce switching costs between us and our competitors. We currently only offer our platform on the public clouds provided by AWS, Azure, and GCP, which are also some of our primary competitors. Currently, a substantial majority of our business is run on the AWS public cloud. There is risk that one or more of these public cloud providers could use its respective control of its public clouds to embed innovations or privileged interoperating capabilities in competing products, bundle competing products, provide us unfavorable pricing, leverage its public cloud customer relationships to exclude us from opportunities, and treat us and our customers differently with respect to terms and conditions or regulatory requirements than it would treat its similarly situated customers. Further, they have the resources to acquire, invest in, or partner with existing and emerging providers of competing technologies and thereby accelerate adoption of those competing technologies. All of the foregoing could make it difficult or impossible for us to provide products and services that compete favorably with those of the public cloud providers. Some of our customers use drivers and/or connectors to connect our platform to third-party applications or databases. Attempts by third-party application or database providers to restrict the use of drivers and connectors may make it more difficult for customers to use our platform, which could lead to reduced sales and consumption. For all of these reasons, competition may negatively impact our ability to acquire new customers and maintain and grow use of our platform, or it may put downward pressure on our prices and gross margins, any of which could materially harm our business, reputation, results of operations, revenue retention rate, and financial condition.

Historically, we have received a higher volume of orders from new and existing customers in the fourth fiscal quarter of each year. As a result, we have historically seen higher non-GAAP free cash flow in the first and fourth fiscal quarters of each year, and our sequential growth in remaining performance obligations has historically been the highest in the fourth fiscal quarter of each year. We may not be successful in our attempt to align our cash outflows with our cash receipts, particularly since we expect this seasonality to become more pronounced as we continue to target large enterprise customers based on their procurement, budgeting, and deployment cycles. In addition, while consumption is typically lower during holidays, the magnitude of any decrease is difficult to predict and that may result in inaccurate financial guidance. For more information about non-GAAP free cash flow, including a definition of non-GAAP free cash flow and a reconciliation of free cash flow to the most directly comparable financial measure calculated in accordance with U.S. generally accepted accounting principles (GAAP), see the section titled "Management's Discussion and Analysis of Financial Condition and Results of Operations."

Sales to large customers involve risks that may not be present or that are present to a lesser extent with sales to smaller organizations, such as longer sales cycles, stronger customer leverage in negotiating pricing and other terms, more complex customer requirements, including in response to evolving industry regulations, the additional need to partner with third parties that advise such customers or help them integrate their IT solutions, substantial upfront sales costs, less predictability in completing some of our sales, and higher customer support expectations. For example, large customers may require considerable time to evaluate and test our platform or new features prior to making a purchase decision. In addition, large customers may be switching from legacy on-premises solutions when purchasing our products, and may rely on third parties with whom we do not have relationships when making purchasing decisions. Furthermore, large customers may have more extensive compliance and vendor diligence programs with respect to new products and services, which may increase both the time and resources needed to sell to them and also result in the inability to sell to them if we do not meet their compliance standards. A number of factors also influence the length and variability of our sales cycle, including the need to educate potential customers about the uses and benefits of our platform, the renegotiation of existing agreements to cover additional workloads, changing laws, the discretionary nature of purchasing and budget cycles, and the competitive nature of evaluation and purchasing approval processes. As a result, the length of our sales cycle, from identification of the opportunity to deal closure, may vary significantly from customer to customer, with sales to large enterprises typically taking longer to complete. We have also historically seen consumption growth from large enterprises take longer than when compared to smaller enterprises. Moreover, large customers often begin to deploy our products on a limited basis but nevertheless demand implementation services and negotiate pricing discounts, which increase our upfront investment in the sales effort with no guarantee that sales to these customers will justify our substantial upfront investment. If we fail to effectively manage these risks associated with sales cycles and sales to large customers, our business, financial condition, and results of operations could be affected.

Our success depends in part on the continued services of our executive officers, as well as our other key employees in the areas of research and development and sales and marketing. From time to time, there may be changes in our executive management team or other key employees resulting from the hiring or departure of these personnel. Our executive officers and other key employees are employed on an at-will basis, which means that these personnel could terminate their employment with us at any time. For example, in February 2024, Frank Slootman retired as Chief Executive Officer and Sridhar Ramaswamy was appointed to replace him. In July 2024, Grzegorz Czajkowski, our former EVP, Engineering and Support, resigned and left Snowflake to pursue another opportunity, and in September 2024, Vivek Raghunathan was appointed as SVP, Engineering and Support to replace him. The loss of additional executive officers or any significant change in executive leadership could harm morale, cause additional personnel to depart, or introduce operational delays or risks as successor executives learn our business, each of which could harm our operating results. In addition, to execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel is intense, especially for engineers experienced in designing and developing cloud-based data platform products, including products with artificial intelligence capabilities, and experienced sales, customer support, and professional services personnel. We also are dependent on the continued service of our existing software engineers because of the sophistication of our platform. In order to support our growing business, we will need to continue to hire in new locations around the world and manage return to work and remote working policies, which may add to the complexity and costs of our business operations. From time to time, we have experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. Many of the companies with which we compete for experienced personnel have greater resources than we have and can provide more competitive compensation and benefits. In addition, we require the majority of our employees to work from a physical office, while certain of our competitors allow remote work environments. In addition, prospective and existing employees often consider the value of the equity awards they receive in connection with their employment. Since the beginning of fiscal 2025, our stock price has declined significantly. If the actual or perceived value of our equity awards continues to decline or undergoes significant volatility, or if our existing employees receive significant proceeds from liquidating their previously vested equity awards, it may adversely affect our ability to recruit and retain key employees. Furthermore, current and prospective employees may believe that their equity award offers have limited upside, and our competitors may be able to offer more appealing compensation packages. In order to retain our existing employees and manage potential attrition, including as a result of any stock price decreases and market volatility that impact the actual or perceived value of our equity awards, we may issue additional equity awards or provide our employees with increased cash compensation, which could negatively impact our results of operations and be dilutive to stockholders. Finally, if we hire employees from competitors or other companies, their former employers may attempt to assert that we or these employees have breached our or their legal obligations, resulting in a diversion of our time and resources. We also believe our culture has been a key contributor to our success to date and that the critical nature of the platform that we provide promotes a sense of greater purpose and fulfillment in our employees. As our workforce becomes larger and more distributed around the world, we may not be able to maintain important aspects of our culture. Any failure to preserve our culture could negatively affect our ability to retain and recruit personnel. If we fail to attract and recruit new personnel or fail to retain and motivate our current personnel, our business and future growth prospects would be harmed.