Atlassian (TEAM) Risk Factors

We currently offer and sell both Data Center and Cloud offerings of certain of our products. For these products, our Cloud offering enables quicker setup and subscription pricing, while our Data Center offering permits more customization, a term license fee structure, and complete application control. Although a substantial majority of our revenue was historically generated from customers using our Server and Data Center products, over time our customers have moved and we expect them to continue to move to our Cloud offerings, resulting in our Cloud offerings becoming more central to our distribution model. As a part of this transition, we ceased sales of new perpetual licenses for our Server products in February 2021 and, subject to limited exceptions, ended maintenance and support for Server products in February 2024. We may be subject to additional competitive and pricing pressures for our Cloud offerings compared to our Data Center offerings, which could harm our business. Further, revenues from our Cloud offerings are typically lower in the initial year compared to our Data Center offerings, which may impact our near-term revenue growth rates and margins, and we incur higher or additional costs to supply our Cloud offerings, such as fees associated with hosting our Cloud infrastructure. We have and expect to continue to see increased expenses and lower margins due such hosting costs increasing in this transition. Additionally, we offered discounts to certain of our enterprise-level Server customers to incentivize migration to our Cloud offerings, which impacted our near-term revenue growth. Our revenue growth rates and profitability may also be negatively impacted by Server customers that did not transition to our Cloud or Data Center offerings or Data Center customers that do not migrate to our Cloud offerings in the future. If our Cloud offerings do not develop as quickly as we expect, if we are unable to continue to scale our systems to meet the requirements of successful, large Cloud offerings, or if we lose customers currently using our Data Center products due to our increased focus on our Cloud offerings or our inability to successfully migrate them to our Cloud products, our business could be harmed. We are directing a significant portion of our financial and operating resources to implement robust Cloud offerings for our products and to migrate our existing customers to our Cloud offerings, but even if we continue to make these investments, we may be unsuccessful in growing or implementing our Cloud offering that competes successfully against our current and future competitors and our business, results of operations, and financial condition could be harmed.

There is considerable patent and other intellectual property development activity in our industry. Our future success depends in part on not infringing upon or misappropriating the intellectual property rights of others. We have received, and may receive in the future, communications and lawsuits from third parties, including practicing entities and non-practicing entities, claiming that we are infringing upon or misappropriating their intellectual property rights, and we may be found to be infringing upon or misappropriating such rights. We may be unaware of the intellectual property rights of others that may cover some or all of our technology, or technology that we obtain from third parties. Furthermore, the intellectual property ownership and license rights, including copyright, surrounding AI technologies has not been fully addressed by courts or national or local laws or regulations, and the use or adoption of third-party AI technologies into our products and services may result in exposure to claims of copyright infringement or other intellectual property misappropriation. Any claims or litigation could cause us to incur significant expenses and, if successfully asserted against us, could require that we pay substantial damages or ongoing royalty or license payments, prevent us from offering our products or using certain technologies, require us to implement expensive workarounds, refund fees to customers or require that we comply with other unfavorable terms. In the case of infringement or misappropriation caused by technology that we obtain from third parties, any indemnification or other contractual protections we obtain from such third parties, if any, may be insufficient to cover the liabilities we incur as a result of such infringement or misappropriation. We may also be obligated to indemnify our customers or business partners in connection with any such claims or litigation and to obtain licenses, modify our products or refund fees, which could further exhaust our resources. Even if we were to prevail in the event of claims or litigation against us, any claim or litigation regarding our intellectual property could be costly and time-consuming and divert the attention of our management and other employees from our business operations and disrupt our business.

We rely heavily on our network infrastructure and information technology systems for our business operations, and our continued growth depends in part on the ability of our existing and potential customers to access our solutions at any time and within an acceptable amount of time. In addition, we rely almost exclusively on our websites for the downloading of, and payment for, all our products. We have experienced, and may in the future experience, disruptions, data loss and corruption, outages and other performance problems with our infrastructure and websites due to a variety of factors, including infrastructure changes, introductions of new functionality, human or software errors, capacity constraints, denial of service attacks, or other security-related incidents. In some instances, we have not been able to, and in the future may not be able to, identify the cause or causes of these performance problems within an acceptable period of time. It may become increasingly difficult to maintain and improve our performance, especially during peak usage times and as our products and websites become more complex and our user traffic increases. If our products and websites are unavailable, if our users are unable to access our products within a reasonable amount of time, or at all, or if our information technology systems for our business operations experience disruptions, delays or deficiencies, our business could be harmed. Moreover, we provide service level commitments under certain of our paid customer cloud contracts, pursuant to which we guarantee specified minimum availability. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service, or face contract termination with refunds of prepaid amounts related to unused subscriptions, which could harm our business, results of operations, and financial condition. From time to time, we have granted, and in the future will continue to grant, credits to paid customers pursuant to, and sometimes in addition to, the terms of these agreements. For example, in April 2022, a subset of our customers experienced a full outage across their Atlassian Cloud products due to a faulty script used during a maintenance procedure. While we restored access for these customers with minimal to no data loss, these affected customers experienced disruptions in using our Cloud products during the outage. We incurred certain costs associated with offering service level credits and other concessions to these customers, although the overall impact did not have a material impact on our results of operations or financial condition. However, other future events like this may materially and adversely impact our results of operations or financial condition. Further, disruptions, data loss and corruption, outages and other performance problems in our cloud infrastructure may cause customers to delay or halt their transition to our Cloud offerings, to the detriment of our increased focus on our Cloud offerings, which could harm our business, results of operations and financial condition. Additionally, we depend on services from various third parties, including Amazon Web Services, to maintain our infrastructure and distribute our products via the internet. Any disruptions in these services, including as a result of actions outside of our control, would significantly impact the continued performance of our products. In the future, these services may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of these services could result in decreased functionality of our products until equivalent technology is either developed by us or, if available from another provider, is identified, obtained and integrated into our infrastructure. To the extent that we do not effectively address capacity constraints, upgrade our systems as needed, and continually develop our technology and network architecture to accommodate actual and anticipated changes in technology, our business, results of operations and financial condition could be harmed.

Our marketing model has relied on the strength of our products and organic user demand, driven by word-of-mouth marketing and viral expansion within organizations. We offer free trials, limited free versions and affordable starter licenses for certain products in order to promote additional usage, brand and product awareness, and adoption. If we are not able to organically attract customers, our revenue may grow more slowly than expected, or decline. In addition, high levels of customer satisfaction and market adoption are central to our marketing model. Any decrease in our customers' satisfaction with our products, including as a result of our own actions or actions outside of our control, could harm word-of-mouth referrals and our brand. If our customer base does not continue to grow with our marketing model, we may be required to incur significantly higher marketing and sales expenses in order to acquire new subscribers, which could harm our business and results of operations. In addition, our strategy of offering free trials, limited free versions or affordable starter licenses for certain products could be ineffective. Users may not perceive value in the additional benefits and services we offer beyond our free trials or limited free versions and, historically, a majority of users never convert to a paid version of our products from these free trials or limited free versions or upgrade beyond the starter license. Our marketing strategy also depends in part on persuading users who use free trials, limited free versions or starter licenses of our products to convince others within their organization to purchase and deploy our products. To the extent that these users do not become, or lead others to become, customers, we will not realize the intended benefits of this marketing strategy, and our ability to grow our business could be harmed.

Under Sections 3(a)(1)(A) and (C) of the Investment Company Act of 1940, as amended (the "Investment Company Act"), a company generally will be deemed to be an "investment company" for purposes of the Investment Company Act if (i) it is, or holds itself out as being, engaged primarily, or proposes to engage primarily, in the business of investing, reinvesting, or trading in securities or (ii) it engages, or proposes to engage, in the business of investing, reinvesting, owning, holding, or trading in securities and it owns or proposes to acquire investment securities having a value exceeding 40% of the value of its total assets (exclusive of U.S. government securities and cash items) on an unconsolidated basis. We do not believe that we are an "investment company," as such term is defined in either of these sections of the Investment Company Act. We currently conduct, and intend to continue to conduct, our operations so that neither we, nor any of our subsidiaries, is required to register as an "investment company" under the Investment Company Act. If we were obligated to register as an "investment company," we would have to comply with a variety of substantive requirements under the Investment Company Act that impose, among other things, limitations on capital structure, restrictions on specified investments, prohibitions on transactions with affiliates, and compliance with reporting, record keeping, voting, proxy disclosure and other rules and regulations that would increase our operating and compliance costs, could make it impractical for us to continue our business as contemplated, and could harm our results of operations.

We are subject to income taxes as well as non-income-based taxes in the U.S., Australia and various other jurisdictions. Significant judgment is often required in the determination of our worldwide provision for income taxes. Our effective tax rate could be impacted by changes in our earnings and losses in countries with differing statutory tax rates, changes in transfer pricing, changes in operations, changes in nondeductible expenses, changes in excess tax benefits of stock-based compensation expense, changes in the valuation of deferred tax assets and liabilities and our ability to utilize them, the applicability of withholding taxes, effects from acquisitions, and changes in accounting principles and tax laws. Any changes or uncertainty in taxing jurisdictions' administrative interpretations, decisions, policies and positions could also materially impact our income tax liabilities. Our intercompany relationships are subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. The relevant revenue and taxing authorities may disagree with positions we have taken generally, or our determinations as to the value of assets sold or acquired, or income and expenses attributable to specific jurisdictions. For example, during fiscal year 2024, we entered into a unilateral advanced pricing arrangement with the Australian Tax Office in relation to our transfer pricing arrangements between Australia and the U.S. for the tax years ended June 30, 2019 to June 30, 2025 that resulted in us making a tax payment of $117.4 million. We will continue to pursue advanced pricing arrangements in Australia and other jurisdictions to proactively manage and mitigate the risk of transfer pricing disputes with tax authorities. In addition, in the ordinary course of our business we are subject to tax audits from various taxing authorities. Although we believe our tax positions are appropriate, the final determination of any future tax audits could be materially different from our income tax provisions, accruals and reserves. If such a disagreement were to occur, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, a higher effective tax rate, reduced cash flows and lower overall profitability of our operations. Tax laws in the U.S. and in foreign jurisdictions are subject to change. For example, the Tax Cuts and Jobs Act ("TCJA"), signed into law in 2017, enacted significant tax law changes which impacted our tax obligations and effective tax rate beginning in our fiscal year 2023. The TCJA eliminates the option to deduct research and development expenditures, instead requiring taxpayers to capitalize and amortize such expenditures over five or fifteen years beginning in fiscal year 2023. Although Congress is considering legislation that would defer or eliminate the capitalization and amortization requirement, there is no assurance as to whether the provision will be repealed or otherwise modified or whether any change would apply retroactively or prospectively. The Inflation Reduction Act ("IRA"), signed into law in 2022, includes various corporate tax provisions including a new alternative corporate minimum tax on applicable corporations. The IRA tax provisions may become applicable to us in future years, which could result in additional taxes, a higher effective tax rate, reduced cash flows and lower overall profitability of our operations. Certain government agencies in jurisdictions where we do business have had an extended focus on issues related to the taxation of multinational companies. In addition, the Organization for Economic Cooperation and Development (the "OECD") has introduced various guidelines changing the way tax is assessed, collected and governed. Of note are the efforts around base erosion and profit shifting which seek to establish certain international standards for taxing the worldwide income of multinational companies. These measures have been endorsed by the leaders of the world's 20 largest economies. In March 2018, the EC proposed a series of measures aimed at ensuring a fair and efficient taxation of digital businesses operating within the EU. As collaborative efforts by the OECD and EC continue, some countries have unilaterally moved to introduce their own digital service tax or equalization levy to capture tax revenue on digital services more immediately. Notably France, Italy, Austria, Spain, the UK and Turkey have enacted this tax, generally 2% on specific in-scope sales above a revenue threshold. The EU and the UK have established a mandate that focuses on the transparency of cross-border arrangements concerning at least one EU member state through mandatory disclosure and exchange of cross-border arrangements rules. The mandate is further extended to include certain domestic arrangements in Poland. These regulations (known as MDR in the UK and Poland and DAC 6 in the other EU countries) require taxpayers to disclose certain transactions to the tax authorities resulting in an additional layer of compliance and require careful consideration of the tax benefits obtained when entering into transactions that need to be disclosed. The OECD introduced significant changes to the international tax law framework through the Pillar Two guidelines. The framework outlines a coordinated set of rules to prevent multinational enterprises from shifting profits to low-tax jurisdictions by implementing a 15% global minimum tax. Many countries in which we operate, including the member states of the EU, have enacted Pillar Two. Pillar Two rules will apply to us beginning in this fiscal year 2025. The potential effects of Pillar Two may vary depending on the specific provisions and rules implemented by each country that adopts Pillar Two and may include tax rate changes, higher effective tax rates, potential tax disputes and adverse impacts to our cash flows, tax liabilities, results of operations and financial position Global tax developments applicable to multinational companies may continue to result in new tax regimes or changes to existing tax laws, regulations and taxation officer interpretations. If the U.S. or foreign taxing authorities change tax laws, our overall taxes could increase, lead to a higher effective tax rate, harm our cash flows, results of operations and financial position.

Regulation related to the provision of services over the internet is evolving, as federal, state and foreign governments continue to adopt new, or modify existing, laws and regulations addressing data privacy, cybersecurity, data protection, data sovereignty and the collection, processing, storage, hosting, transfer and use of data, generally. In the United States, the Federal Trade Commission and state regulators enforce a variety of data privacy issues, such as promises made in privacy policies or failures to appropriately protect information about individuals, as unfair or deceptive acts or practices in or affecting commerce in violation of the Federal Trade Commission Act or similar state laws. In addition, new U.S. state data privacy laws, such as the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CPRA"), and laws that have recently passed and/or gone into effect in many other states similarly impose new obligations on us and many of our customers, potentially as both businesses and service providers. These laws continue to evolve, and as various states introduce similar proposals, we and our customers could be exposed to additional regulatory burdens. In the European Economic Area ("EEA") and the UK, data privacy laws and regulations, such as the European Union General Data Protection Regulation ("EU GDPR") and United Kingdom General Data Protection Regulation and Data Protection Act 2018 (collectively, the "UK GDPR," and, together with the EU GDPR, the "GDPR"), impose comprehensive obligations directly on Atlassian as both a data controller and a data processor, as well as on many of our customers, in relation to our collection, processing, sharing, disclosure and other use of personal data. We are also subject to evolving privacy laws on cookies, tracking technologies and e-marketing. For example, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 establishes certain requirements for commercial email messages and specifies penalties for the transmission of commercial email messages that are intended to deceive the recipient as to source or content. In addition, certain states and foreign jurisdictions, such as Australia, Canada and the European Union ("EU"), have enacted laws that regulate sending email, and some of these laws are more restrictive than U.S. laws. In the EU and UK, informed consent is required for the placement of certain cookies or similar tracking technologies on an individual's device and for direct electronic marketing. Consent is tightly defined and includes a prohibition on pre-checked consents and a requirement to obtain separate consents for each type of cookie or similar technology. Recent European court and regulator decisions are driving increased attention to cookies and similar tracking technologies. In addition, various safe harbors have historically been provided to those who hosted content provided by others, such as safe harbors from monetary damages for copyright infringement arising from copyrighted content provided by customers and others, and for defamation and other torts arising from information provided by customers and others. There is an increasing demand for repealing or limiting these safe harbors by either judicial decision or legislation. Loss of these safe harbors may require altering or limiting some of our services or may require additional contractual terms to avoid liabilities for our customers' misconduct. We monitor the regulatory, judicial and legislative environment and have invested in addressing these developments, and these new laws may require us to make additional changes to our practices and services to enable us or our customers to meet the new legal requirements, and may also increase our potential liability exposure through new or higher potential penalties for noncompliance, including as a result of penalties, fines and lawsuits related to data breaches. For instance, the Digital Services Act ("DSA") in the EU came into force on November 16, 2022 and the majority of its substantive provisions took effect in February 2024. The DSA imposes new obligations around illegal services or content on our platform, traceability of business users, and enhanced transparency measures, and failure to comply can result in fines of up to 6% of total annual worldwide turnover. Record-breaking enforcement actions globally have shown that regulators wield their right to impose substantial fines for violations of privacy regulations, and these enforcement actions could result in guidance from regulators that would require changes to our current compliance strategy. Furthermore, privacy laws and regulations are subject to differing interpretations and may be inconsistent among jurisdictions. These and other requirements are causing increased scrutiny among customers, particularly in the public sector and highly regulated industries, and may be perceived differently from customer to customer. These developments could reduce demand for our services, require us to take on more onerous obligations in our contracts, restrict our ability to store, transfer and process data, require us to fundamentally change our business activities and practices or modify our products, or, in some cases, impact our ability or our customers' ability to offer our services in certain locations, to deploy our solutions, to reach current and prospective customers, or to derive insights from customer data globally. For example, in July 2020, the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. Privacy Shield Framework, one of the mechanisms that allowed companies, including Atlassian, to transfer personal data from the European Economic Area ("EEA") to the United States. Even though the CJEU decision upheld the Standard Contractual Clauses as an adequate transfer mechanism, the decision created uncertainty around the validity of all EU-to-U.S. data transfers. While the EU and U.S. governments have recently adopted the EU-U.S. Data Privacy Framework to foster EU-to-U.S. data transfers and address the concerns raised in the aforementioned CJEU decision, it is uncertain whether this framework will eventually be overturned in court like the previous two EU-U.S. bilateral cross-border transfer frameworks. Certain countries outside of the EEA have also passed or are considering passing laws requiring varying degrees of local data residency. By way of further example, statutory damages available through a private right of action for certain data breaches under the CPRA and potentially other U.S. states' laws, may increase our and our customers' potential liability and the demands our customers place on us. As another example, jurisdictions are considering legal frameworks on AI, which is a trend that may increase now that the first such framework has entered into force in the EU. The costs of compliance with, and other burdens imposed by, privacy laws, regulations and standards may limit the use and adoption of our services, reduce overall demand for our services, make it more difficult to meet expectations from our commitments to customers and our customers' users, lead to significant fines, penalties or liabilities for noncompliance, impact our reputation, or slow the pace at which we close sales transactions, in particular where customers request specific warranties and unlimited indemnity for noncompliance with privacy laws, any of which could harm our business. We have adopted and continue to adopt data residency in certain territories. These services may enhance our ability to attract and retain customers operating in the relevant jurisdictions, but may also increase the cost and complexity of supporting those customers, the scope of our residency offering may not align with customer needs, and our customers may request similar offerings in other territories. In addition to government activity, privacy advocates and other industry groups have established or may establish new self-regulatory standards that may place additional burdens on our ability to provide our services globally. Our customers expect us to meet voluntary certification and other standards established by third parties. If we are unable to maintain these certifications or meet these standards, it could adversely affect our ability to provide our solutions to certain customers and could harm our business. In addition, we have seen a trend toward the private enforcement of data protection obligations, including through private actions for alleged noncompliance, which could harm our business and negatively impact our reputation. In addition, a shift in consumers' data privacy expectations or other social, economic or political developments could impact the regulatory enforcement of privacy regulations, which could require our cooperation and increase the cost of compliance with the imposed regulations. Further, any failure or perceived failure by us to comply with our posted privacy policies, our privacy-related obligations to users or other third parties, or any other legal obligations or regulatory requirements relating to privacy, data protection or information security may result in governmental investigations or enforcement actions, litigation, claims or public statements against us by consumer advocacy groups or others and could result in significant liability, cause our users to lose trust in us, and otherwise materially and adversely affect our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations and policies that are applicable to the businesses of our users may limit the adoption and use of, and reduce the overall demand for, our platform. Additionally, if third parties we work with violate applicable laws, regulations or agreements, such violations may put our users' data at risk, could result in governmental investigations or enforcement actions, fines, litigation, claims, or public statements against us by consumer advocacy groups or others and could result in significant liability, cause our users to lose trust in us and otherwise materially and adversely affect our reputation and business. Further, public scrutiny of, or complaints about, technology companies or their data handling or data protection practices, even if unrelated to our business, industry or operations, may lead to increased scrutiny of technology companies, including us, and may cause government agencies to enact additional regulatory requirements, or to modify their enforcement or investigation activities, which may increase our costs and risks. Our business also increasingly relies on AI to improve our services and tailor our interactions with our customers. However, in recent years use of these methods has come under increased regulatory scrutiny. New laws, guidance and/or decisions in this area may limit our ability to use our AI models, or require us to make changes to our operations that may decrease our operational efficiency, result in an increase to operating costs and/or hinder our ability to improve our services. For example, there are specific rules on the use of automated decision making under the GDPR that require the existence of automated decision making to be disclosed to the data subject with a meaningful explanation of the logic used in such decision making in certain circumstances, and safeguards must be implemented to safeguard individual rights, including the right to obtain human intervention and to contest any decision. Finally, the uncertain and shifting regulatory environment and trust climate may raise concerns regarding data privacy and cybersecurity, which may cause our customers or our customers' users to resist providing the data necessary to allow our customers to use our services effectively. In addition, new products we develop or acquire may expose us to liability or regulatory risk. Even the perception that the privacy and security of personal information are not satisfactorily protected or do not meet regulatory requirements could inhibit sales of our products or services and could limit adoption of our cloud offerings.

Natural disasters, pandemics other public health emergencies, geopolitical conflicts, social or political unrest, or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could harm our business. We have a large employee presence and operations in Australia and the San Francisco Bay Area of California. Australia has experienced significant wildfires and flooding that have impacted our employees. The west coast of the United States contains active earthquake zones and is often at risk from wildfires. In the event of a major earthquake, hurricane, typhoon or catastrophic event such as fire, power loss, telecommunications failure, cyber-attack, war or terrorist attack in any of the regions or localities in which we operate, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our application development, lengthy interruptions in our product availability, breaches of data security and loss of critical data, all of which could harm our business, results of operations and financial condition. Additionally, we rely on our network and suppliers of third-party infrastructure and applications, internal technology systems, and our websites for our development, marketing, internal controls, operational support, hosted services and sales activities. If these systems were to fail or be negatively impacted as a result of a malfunction, natural disaster, disease or pandemic, or catastrophic event, our ability to conduct normal business operations and deliver products to our customers could be impaired. As we grow our business, the need for business continuity planning and disaster recovery plans will grow in significance. If we are unable to develop adequate plans to ensure that our business functions continue to operate during and after a disaster, disease or pandemic, or catastrophic event, or if we are unable to successfully execute on those plans, our business and reputation could be harmed.

While we primarily sell our products in U.S. dollars, we incur expenses in currencies other than the U.S. dollar, which exposes us to foreign currency exchange rate fluctuations. A large percentage of our expenses are denominated in the Australian dollar and the Indian rupee, and fluctuations in these currencies could have a material negative impact on our results of operations. Moreover, our subsidiaries, other than our U.S. subsidiaries, maintain net assets that are denominated in currencies other than the U.S. dollar. In addition, we transact in non-U.S. dollar currencies for our products, and, accordingly, changes in the value of non-U.S. dollar currencies relative to the U.S. dollar could affect our revenue and results of operations due to transactional and translational remeasurements that are reflected in our results of operations. We have a foreign exchange hedging program to hedge a portion of certain exposures to fluctuations in non-U.S. dollar currency exchange rates. We use derivative instruments, such as foreign currency forward contracts, to hedge the exposures. The use of such hedging instruments may not fully offset the adverse financial effects of unfavorable movements in foreign currency exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments or if we are unable to forecast hedged exposures accurately.