Sprout Social (SPT) Risk Analysis

The market for our social media management platform is fragmented, rapidly evolving, and competitive. In addition to competing with comprehensive social media management platforms with diverse capabilities, we compete with point solutions for influencer marketing, social listening, content management and distribution, employee advocacy, relationship management and social commerce, among others, as well as native use of individual social media networks. To remain competitive, we must deliver features and functionality that enhance the utility of our platform to our new and prospective customers, without the presence of software defects, adapt to changing functionality and APIs of the social media networks and other third party platforms, maintain and develop integrations with third parties that provide value to our customers, ensure our platform and products are easy to use and deliver value to our customers, provide a superior customer success and support experience and demonstrate value to our current and prospective customers across multiple functions within their organizations. We may not be successful in delivering on some or all of the foregoing or doing so while maintaining competitive pricing of our platform and products, which could result in customer dissatisfaction and adversely affect our business. Some of our current and future competitors may benefit from competitive advantages over us, such as greater name recognition, longer operating histories, more varied products and services, larger sales and marketing or research and development budgets, more established relationships with social media networks and different or a greater number of third-party integrations. In addition, some of our competitors may make acquisitions or enter into strategic relationships to offer a broader range of products and services than we do. These combinations may make it more difficult for us to compete effectively. We expect this to continue as competitors attempt to strengthen or maintain their market positions. Many factors, including our marketing, customer acquisition and technology costs, and the pricing and marketing strategies of our competitors, can significantly affect our pricing strategies. Certain competitors offer, or may in the future offer, lower-priced products or services that compete with our platform or may bundle and offer a broader range of products and services. Similarly, certain competitors may use marketing strategies that enable them to acquire customers at a lower cost than we can. Even if such products do not include all the features and functionality that our platform provides, we could face pricing pressure to the extent that users find such alternative products to be sufficient to meet their needs. There can be no assurance that we will not be forced to engage in price-cutting initiatives or other discounts or to increase our sales and marketing and other expenses to attract and retain customers in response to competitive pressures, either of which would harm our business and operating results.

We believe that maintaining, developing, and enhancing our brand is critical to achieving widespread acceptance of our platform and products, attracting new customers, retaining existing customers, persuading existing customers to adopt additional products and use-cases, and hiring and retaining our employees. We believe that the importance of our brand will increase as our awareness and business continue to expand. Successful promotion of our brand will depend on a number of factors, including the effectiveness of our marketing efforts, our thought leadership, our ability to provide a high-quality, reliable and cost-effective platform, the actions of our employees, executives, and board members, the perceived value of our platform and products, and our ability to provide quality customer success and support experience. The promotion of our brand, however, may not directly generate customer awareness or increase revenue, and any increase in revenue may not offset the expenses we incur in building and maintaining our brand. We operate in a public-facing industry in which every aspect of our business is impacted by social media. Negative publicity, whether or not justified, can spread rapidly through social media. To the extent that we are unable to respond timely and appropriately to negative publicity, our reputation and brand could be harmed. Moreover, even if we are able to respond in a timely and appropriate manner, we cannot predict how negative publicity may affect our reputation and business. We and our employees also use social media to communicate externally. There is risk that the use of social media by us, our employees, executives, or board members to communicate about our business or other matters may give rise to liability, damage our brand, or result in public exposure of personal data of our employees or customers, each of which could affect our revenue, business, results of operations and financial condition.

We are subject to U.S. economic sanctions and export control laws and regulations that prohibit the provision of certain products and services to certain countries, governments, and persons targeted by U.S. sanctions. We have taken precautions to prevent our services from being exported in violation of U.S. export control and U.S. sanctions laws and regulations. However, we cannot be certain that the precautions we take will prevent violations of these laws. Currently, we do not allow users with IP addresses associated with countries that are the target of comprehensive U.S. economic sanctions to access our platform on a subscription or free trial basis. In the past, parties who self-identified as being in a country that is the target of comprehensive U.S. sanctions signed up for our free trial offering. However, we believe the free-trial features of our offering are consistent with the general licenses issued by the U.S. Department of the Treasury's Office of Foreign Assets Control, authorizing access to personal communication tools by parties in countries subject to comprehensive sanctions. If in the future we are found to be in violation of U.S. sanctions or export control laws, we may be fined or other penalties could be imposed. Finally, changes in export control or economic sanctions laws and enforcement could also result in increased compliance requirements and related costs, which could materially adversely affect our business, results of operations, financial condition and/or cash flows. We are also subject to various U.S. and international anti-corruption laws, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act, as well as other similar anti-bribery and anti-kickback laws and regulations. These laws and regulations generally prohibit companies and their employees and intermediaries from authorizing, offering or providing improper payments or benefits to officials and other recipients for improper purposes. Our exposure for violating these laws may increase as we continue to expand our international presence, and any failure to comply with such laws could harm our business.

Securities-related class action lawsuits and/or derivative lawsuits have often been brought against companies that experience volatility in the market price of their securities. We are currently, and may become in the future, subject to securities class actions, derivative suits or other securities-related legal actions. For example, as described further in Note 11 of the Notes to the Financial Statements (Part I, Item 8 of this Annual Report), beginning in May 2024, securities class action litigation and related stockholder derivative lawsuits (the "Securities Actions") were filed against us and certain of our executives alleging violations of the federal securities laws for allegedly making false and misleading statements and omissions of fact. It is possible that additional lawsuits will be filed, or allegations received from stockholders, with respect to these same or other matters and also naming us and/or our officers and directors as defendants. The outcomes of the Securities Actions and any other related lawsuits are subject to inherent uncertainties, and the actual defense and disposition costs will depend upon many unknown factors. We could be forced to expend significant resources in the defense of the Securities Actions and any additional lawsuits, and we may not prevail. In addition, we may incur substantial legal fees and costs in connection with such lawsuits. We currently are not able to estimate the possible cost to us from these matters, as the Securities Actions are currently at an early stage, and we cannot be certain how long it may take to resolve the Securities Actions or the possible amount of any damages that we may be required to pay. Monitoring, initiating and defending against legal actions is time-consuming for our management, is likely to be expensive and may detract from our ability to fully focus our internal resources on our business activities. We could be forced to expend significant resources in the settlement or defense of the Securities Actions and any potential future lawsuits, and we may not prevail in such lawsuits. Additionally, we may not be successful in having any such lawsuits dismissed or settled within the limits of our insurance coverage. We have not established any reserve for any potential liability relating to the Securities Actions or any potential future lawsuits. It is possible that we could, in the future, incur judgments or enter into settlements of claims for monetary damages. A decision adverse to our interests in the Securities Actions, or in similar or related litigation, could result in the payment of substantial damages, or possibly fines, and could have a material adverse effect on our business, our stock price, cash flow, results of operations and financial condition. From time to time, we may also be involved in other types of litigation, disputes or regulatory inquiries that arise in the ordinary course of business. These may include claims, lawsuits and proceedings involving labor and employment, wage and hour, and commercial. We generally expect that the number, type and significance of claims, lawsuits, disputes and/or regulatory inquiries involving the Company may increase as our business expands and our company grows larger. While our agreements with customers generally limit our liability for damages arising from our platform, we cannot assure you that these contractual provisions will protect us from liability for damages in the event we are sued. Additionally, although we carry general liability insurance and director and officer liability insurance, these policies may not apply to cover all claims to which we are (or could be) exposed and/or may be inadequate to fully cover damages and/or liabilities resulting from such claims. Any claims against us, whether meritorious or not, could result in costly litigation, require significant amounts of management and employee time, adversely affect our reputation and/or result in the diversion of significant operational resources. Because litigation is inherently unpredictable, we cannot assure you that the results of any of these actions will not have a material adverse effect on our revenue, business, brand, results of operations and financial condition.

The application of indirect taxes, such as sales and use, value-added, goods and services, business, gross receipts taxes, and employment taxes to businesses like ours is a complex and evolving issue. Many of the fundamental statutes and regulations that impose these taxes were established before the adoption and growth of the internet or remote work. In many cases, the ultimate tax determination is uncertain because it is not clear how new and existing statutes might apply to our business. Significant judgment is required on an ongoing basis to evaluate applicable tax obligations and, as a result, amounts recorded are estimates and are subject to adjustments. Additionally, we often rely on third-party technology and consulting firms for tax advice and compliance tools, both of which could fail to work as intended. Our business is, or may be, subject to such indirect taxes in the United States and various foreign jurisdictions, and we may face indirect tax audits in various U.S. and foreign jurisdictions. In certain jurisdictions, we collect and remit indirect taxes. However, taxing authorities may raise questions about or challenge or disagree with our calculation, reporting or collection of such taxes and may require us to collect and remit such taxes in jurisdictions in which we do not currently do so, and could impose associated interest, penalties and fees. For example, after the U.S. Supreme Court decision in South Dakota v. Wayfair Inc., certain states have adopted, or started to enforce, laws that may require us to calculate, collect and remit taxes on sales in their jurisdictions, even if we do not have a physical presence in such jurisdictions. A successful assertion by one or more tax authorities requiring us to collect indirect taxes in jurisdictions in which we do not currently do so, to collect additional indirect taxes in a jurisdiction in which we currently collect such taxes, or to withhold additional employment taxes, could, among other things, result in substantial tax liabilities (including taxes on past sales, as well as penalties and interest), create significant administrative burdens for us, discourage users from utilizing our products or otherwise harm our business, financial condition and results of operations.

In the ordinary course of business, we collect and process personal data and other sensitive data, including proprietary and confidential business data, intellectual property, and other third-party data. For example, we process personal data about our customers' consumers, content creators, and other social media users that interact with our customers' social media pages. Our data collection and processing activities subject us to certain data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contracts, and other obligations that govern the processing of personal data by us and on our behalf. While we contractually prohibit our customers from using our platform to process, store, or collect sensitive information (such as personal health information or credit card information), our customers may breach these use prohibitions and cause us to inadvertently violate laws, rules, or regulations regarding the use and protection of personal data, which in turn may adversely impact our business. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, and consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). Numerous U.S. states have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018 ("CCPA") applies to personal data of consumers, business representatives, and employees who are California residents and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for statutory fines for intentional violations and allows private litigants affected by certain data breaches to recover significant statutory damages. Similar laws have passed and are being considered in several other states, as well as at the federal and local levels. Additionally, under various privacy laws and other obligations, we may be required to obtain certain consents to process personal data. For example, some of our data processing practices may be challenged under wiretapping laws, if we obtain consumer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. These practices may be subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation and mass arbitration demands. Outside the United States, an increasing number of laws, regulations, and industry standards apply to data privacy and security. For example, the EU GDPR and the equivalent law in the UK GDPR impose strict requirements for processing the personal data of individuals. Under the EU GDPR, government regulators may impose temporary or definitive bans on data processing, as well as fines of up to 20 million euros or 4% of annual global revenue, whichever is greater. Similar processing penalties and fines exist under the UK GDPR, and the variations in the application of GDPR in the UK following Brexit has increased the complexity of our compliance efforts. Further, individuals may initiate litigation related to our processing of their personal data. As another example, Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or "LGPD") (Law No. 13,709/2018) applies to our operations. The LGPD broadly regulates processing of personal data of individuals in Brazil and imposes compliance obligations and penalties comparable to those of the EU GDPR. In Canada, the Personal Information Protection and Electronic Documents Act ("PIPEDA") applies to our operations. We also process personal data about our customers' consumers in Asia and therefore, may become subject to new and emerging data privacy regimes in Asia, including China's Personal Information Protection Law, Japan's Act on the Protection of Personal Information, and Singapore's Personal Data Protection Act. Additionally, we are subject to the EU's Digital Services Act, or DSA, which imposes additional legal requirements on certain types of digital service providers, including online marketplaces. The DSA aims to prevent illegal and harmful activities online and combat the spread of disinformation and sets out a framework of layered responsibilities targeted at different types of services and imposes certain additional obligations on intermediary services, including a requirement to inform consumers of any illegal products or services being offered through the relevant digital platform. Depending on how the DSA and any similar laws are implemented and interpreted, we may have to adapt our business practices, contractual arrangements, and services to comply with such obligations. In addition, some of our customers may be subject to the EU's Digital Operational Resilience Act (DORA) and similar UK regulatory requirements on operational resilience, which aim to protect against severe disruptions caused by cyberattacks and ICT issues. These laws may obligate our customers to impose contractual provisions on us, including certain mandatory third-party risk management provisions. If we fail to materially comply with these contractual requirements, we may be subject to investigations, audits or other adverse consequences. Furthermore, in Europe, the Network and Information Security Directive ("NIS2") regulates resilience and incident response capabilities of entities operating in a number of sectors, including the health sector. Non-compliance with NIS2 may lead up to administrative fines of a maximum of 10 million Euros or up to 2% of the total worldwide revenue of the preceding fiscal year. Certain jurisdictions have enacted data localization laws and cross-border personal data transfer laws. For example, absent appropriate safeguards or other circumstances, the EU GDPR, UK GDPR, and laws in Switzerland generally restrict the transfer of personal data to countries that these jurisdictions consider to not provide an adequate level of personal data protection. Although there are currently various mechanisms that can be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA's standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. In addition to European restrictions on cross-border transfers of personal data, other jurisdictions, such as China's Personal Information Protection Law and Brazil's LGPD, have enacted or are considering similar cross-border personal data transfer laws and local personal data residency laws, any of which could increase the cost and complexity of doing business in foreign jurisdictions. If we cannot implement valid compliance mechanisms for cross-border personal data transfers, we may face increased exposure to regulatory actions, substantial fines, and injunctions against processing or transferring personal data from Europe or elsewhere. The inability to import personal data to the United States could significantly and negatively impact our business operations; limit our ability to collaborate with parties that are subject to European and other data privacy and security laws; or require us to increase our personal data processing capabilities and infrastructure in Europe and/or elsewhere at significant expense. In addition to data privacy and security laws, we are contractually subject to industry standards adopted by industry groups, and we are, or may become in the future, subject to such obligations. For example, we may be subject to compliance with the Payment Card Industry Data Security Standard ("PCI DSS"). The PCI DSS requires companies to adopt certain measures to ensure the security of cardholder information, including using and maintaining firewalls, adopting proper password protections for certain devices and software, and restricting data access. We are also bound by other contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We publish privacy policies, marketing materials, and other statements, related to compliance with certain certifications or self-regulatory principles, regarding artificial intelligence, data privacy and security. Regulators in the United States are increasingly scrutinizing these statements, and if these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, misleading, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Our obligations related to data privacy and security are quickly changing in an increasingly stringent fashion, creating some uncertainty as to the effective future legal framework. These obligations may be subject to differing applications and interpretations, which may be inconsistent or in conflict among jurisdictions. As our platform and products evolve and the ways we use personal data change to meet the complex needs of our customer base, we continue to become subject to additional privacy and security obligations. Even if we believe we have satisfied compliance requirements in our activities, regulators may disagree with our compliance posture and issue high penalties and fines for noncompliance. Additionally, our sales cycles may increase due to increasingly rigorous privacy and security assessments that must be completed prior to purchasing our platform and products as a result of increased regulation. Preparation for and compliance with these obligations require us to devote significant resources (including, without limitation, financial and time-related resources). For example, the increased consumer control over the sharing of their personal data afforded by the CCPA may affect our customers' ability to share such personal data with us or may require us to delete or remove consumer information from our records or data sets, which may result in considerable costs for our organization. Further, these obligations may necessitate changes to our information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. In addition, these obligations may require us to change our business model or our products. For example, social media networks (which are integral third-party services to our platform) are under heightened scrutiny from international regulators as well as individuals seeking to bring claims for alleged non-compliance. If the interpretation or application of data privacy or security laws or regulations adversely impact social media networks, this may change the APIs and data made available to us from the social media networks. Although we endeavor to comply with all applicable data privacy and security obligations, we may at times fail (or be perceived to have failed) to do so. Despite our efforts, our personnel or third parties with whom we work may fail to comply with such obligations, which could negatively impact our business operations and compliance posture. For example, any failure by a third-party that processes personal data on our behalf to comply with applicable law, regulations, or contractual obligations could result in adverse effects, including inability to operate our business and proceedings against us by governmental entities or others. If we fail, or are perceived to have failed, to address or comply with data privacy and security obligations, we could face significant consequences. These consequences may include, but are not limited to, government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-related claims); additional reporting requirements and/or oversight; bans on collecting or processing personal data; and orders to destroy or not use personal data. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to, loss of customers; interruptions or stoppages in our business operations; inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our platform and services; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or revision or restructuring of our operations. The public's increasing concerns about data privacy and the use of social media may negatively affect the use or popularity of social media networks, and, in turn, adversely affect our business. For example, negative publicity surrounding particular forums of social media may have an adverse effect on our customers' and prospective customers' perceived value of our solution and willingness to purchase subscriptions or expand such subscriptions to more users or additional departments across their organizations. Similarly, enhanced scrutiny may lead to an increase in regulation of social media, which in turn could change the data or the manner in which data is shared by social media networks to social media management providers and other developers. Any change to the data we receive from social media networks or other third parties may negatively affect the functionality of our platform and products.

The global economy, including credit and financial markets, has experienced extreme volatility and disruptions, including severely diminished liquidity and credit availability, declines in consumer confidence, declines in economic growth, increases in unemployment rates, fluctuations in inflation, interest rates and uncertainty about economic stability. For example, ongoing overseas conflict has created volatility in the global capital markets, including disruptions of the global supply chain and energy markets. In addition, fluctuations in inflation and other macroeconomic pressures in the United States and the global economy could exacerbate extreme volatility in the global capital markets and heighten unstable market conditions. Any such volatility and disruptions may have adverse consequences on us, our customers, partners or other third parties on whom we rely. If the equity and credit markets continue to deteriorate, including as a result of global geopolitical tension or a global or domestic recession or the fear thereof, it may make any necessary debt or equity financing more difficult to obtain in a timely manner or on favorable terms, more costly or more dilutive. High levels of inflation can adversely affect us by increasing our costs, including labor and employee benefit costs. In addition, high inflation also could increase our customers' operating costs, which could result in reduced social media budgets for our customers and potentially less demand for our platform and products. Any significant increases in inflation and related increases in interest rates could have a material adverse effect on our business, results of operations and financial condition.

For each of the years ended December 31, 2024, 2023 and 2022, we derived 27%, 28% and 28%, respectively, of our revenue from customers located outside of the United States. There are a variety of risks and costs associated with our international sales and operations, which include making investments prior to the proven adoption of our products, the cost of conducting our business internationally and hiring and training international employees and the costs associated with complying with local law. Furthermore, we cannot predict the rate at which our platform and products will be accepted in international markets by potential customers. We believe our ability to attract new customers to subscribe to our platform or to attract existing customers to renew or expand their use of our platform is directly correlated to the level of engagement we obtain with the customer. To the extent we are unable to effectively engage with non-U.S. customers due to our limited international sales force capacity, we may be unable to grow in international markets effectively. Due to our international presence, we have some exposure to the effects of fluctuations in currency exchange rates. While we have primarily transacted with customers and vendors in U.S. dollars historically, we expect to conduct some transactions with our customers that are denominated in foreign currencies in the future. Fluctuations in the value of the U.S. dollar and foreign currencies may make our subscriptions more expensive for international customers, which could harm our business. Additionally,we incur expenses for employee compensation and other operating expenses at our non-U.S. locations in the local currency for such locations. Fluctuations in the exchange rates between the U.S. dollar and other currencies could result in an increase to the U.S. dollar equivalent of such expenses. These fluctuations could cause our results of operations to differ from our expectations or the expectations of our investors. Additionally, such foreign currency exchange rate fluctuations could make it more difficult to detect underlying trends in our business and results of operations. We do not currently maintain a program to hedge transactional exposures in foreign currencies. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.