Upland Software (UPLD) Risk Factors

The overall market for software is rapidly evolving and subject to changing technology, shifting customer needs, and frequent introductions of new applications, including without limitation AI in its multiple forms. Our ability to attract new customers and increase revenue from existing customers will depend, in large part, on our ability to develop or acquire new applications and enhance and improve existing applications. To achieve market acceptance for our applications, we must effectively anticipate and offer applications that meet changing customer demands in a timely manner. Customers may require features and capabilities not offered by our current applications. We may experience difficulties that could delay or prevent our development, acquisition, or implementation of new applications and enhancements. If we are unable to successfully develop or acquire new software capabilities and functionality, enhance our existing applications to anticipate and meet customer preferences, sell our applications into new markets, or adapt to changing industry standards in software, our revenue and results of operations would be adversely affected.

Our applications involve the storage and transmission of our customers' proprietary and confidential information, including personal or identifying information regarding their employees and customers and are subject to attempted cyberattacks. Any security breaches, unauthorized access, unauthorized usage, virus, or similar breach or disruption could result in loss of confidential information, damage to our reputation, early termination of our contracts, litigation, regulatory investigations, indemnity obligations, or other liabilities. If our security measures or those of our third-party software providers and data centers are breached as a result of third-party action, employee error, malfeasance or otherwise, resulting in unauthorized access to customer data, our reputation will be damaged, our business may suffer, and we could incur significant liability. Unauthorized parties may attempt to misappropriate or compromise our confidential information or that of third parties, create system disruptions, product or service vulnerabilities or cause shutdowns. These perpetrators of cyberattacks also may be able to develop and deploy viruses, worms, malware and other malicious software programs that directly or indirectly attack our products, services or infrastructure (including our third party cloud service providers). Because the techniques used to obtain unauthorized access or sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. Any or all of these issues could negatively affect our ability to attract new customers, cause existing customers to elect not to renew or upgrade their subscriptions, result in reputational damage, or subject us to third-party lawsuits, regulatory fines, or other action or liability, which could adversely affect our operating results. In addition, to the extent we are diverting our resources to address and mitigate these vulnerabilities, it may hinder our ability to deliver and support our solutions and customers in a timely manner. Despite our efforts to build secure services, we can make no assurance that we will be able to detect, prevent, timely and adequately address, or mitigate the negative effects of cyberattacks or other security breaches.

We are subject to governmental export and import controls that could impair our ability to compete in international markets due to licensing requirements and subject us to liability if we are not in compliance with applicable laws. Our applications are subject to export control and import laws and regulations, including the U.S. Export Administration Regulations, U.S. Customs regulations, and various economic and trade sanctions regulations administered by the U.S. Treasury Department's Office of Foreign Assets Controls. Exports of our applications must be made in compliance with these laws and regulations. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil or criminal penalties, including: the possible loss of export or import privileges; fines, which may be imposed on us and responsible employees or managers; and, in extreme cases, the incarceration of responsible employees or managers. Obtaining the necessary authorizations, including any required license, for a particular sale may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. In addition, changes in our applications or changes in applicable export or import regulations may create delays in the introduction and sale of our applications in international markets, prevent our customers with international operations from deploying our applications, or, in some cases, prevent the export or import of our applications to certain countries, governments, or persons altogether. Any change in export or import regulations, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could also result in decreased use of our applications, or in our decreased ability to export or sell our applications to existing or potential customers with international operations. Any decreased use of our applications or limitation on our ability to export or sell our applications would likely adversely affect our business. Furthermore, we incorporate encryption technology into certain of our applications. Various countries regulate the import of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our applications or could limit our customers' ability to implement our applications in those countries. Encrypted applications and the underlying technology may also be subject to export control restrictions. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export approval for our applications, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable regulatory requirements regarding the export of our applications, including with respect to new releases of our applications, may create delays in the introduction of our applications in international markets, prevent our customers with international operations from deploying our applications throughout their globally-distributed systems or, in some cases, prevent the export of our applications to some countries altogether. Moreover, U.S. export control laws and economic sanctions programs prohibit the shipment of certain products and services to countries, governments, and persons that are subject to U.S. economic embargoes and trade sanctions. Even though we take precautions to prevent our applications from being shipped or provided to U.S. sanctions targets, our applications and services could be shipped to those targets or provided by third parties despite such precautions. Any such shipment could have negative consequences, including government investigations, penalties and reputational harm.

The regulatory framework for privacy and data security matters around the world is rapidly evolving and is likely to remain volatile for the foreseeable future. We are subject to privacy and data security obligations in the United States, United Kingdom, European Union and other foreign jurisdictions relating to the collection, use, sharing, retention, security, transfer and other handling of personal data about individuals, including our users and employees around the world. Data protection, consumer protection and privacy laws may differ, conflict and be interpreted and applied inconsistently, from country to country. In many cases, these laws apply not only to user data, employee data and third-party transactions, but also to transfers of personal data between or among ourselves, our subsidiaries, and other parties with which we have commercial relations, in addition to methods of communication and consent for such communication. These laws continue to develop in the U.S. and around the globe, including through regulatory and legislative action and judicial decisions, in ways we cannot predict and that may harm our business. For example, a new Quebec data protection law took effect in September 2023, and updates to Canadian federal privacy legislation are pending. India passed the Digital Personal Data Protection Act in 2023. In addition, the United States, through the Federal Communications Commission, recently implemented new lead generation "robot-text" and "robo-calls" regulations under the Telephone Consumer Protection Act (TCPA). As the particulars of these regulations are unknown at this time, these new consumer protection regulations could impact our organization's corporate go-to-market sales initiatives, as well as certain feature sets in our current product stack. Any failure to comply with applicable laws, regulations or contractual obligations may harm our business, results of operations and financial condition. If we are subject to an investigation or litigation or suffer a breach of security of personal data, we may incur costs or be subject to forfeitures and penalties that could reduce our profitability. In addition, compliance with these laws may restrict our ability to provide services to our customers that they may find to be valuable. For example, the General Data Protection Regulation ("GDPR") became effective in May 2018. The GDPR, which applies to personal data collected in the context of all of our activities conducted from an establishment in the European Union, related to products and services offered to individuals in the European Union or related to the monitoring of individuals' behavior in Europe, imposes a range of significant compliance obligations regarding the handling of personal data. Actions required to comply with these obligations depend in part on how particular and strict regulators interpret and apply them. If we fail to comply with the GDPR, or if regulators assert we have failed to comply with the GDPR, we may be subject to, for example, regulatory enforcement actions, that can result in monetary penalties of up to 4% of our annual worldwide revenue or EUR 20 million (whichever higher), private lawsuits, class actions, regulatory orders to stop processing and delete data, and reputational damage. In June 2021, the European Commission published new versions of the Standard Contractual Clauses, which are used as a legal cross-border mechanism allowing companies to transfer/allow access to personal data outside the European Economic Area. Use of the previous versions of the Standard Contractual Clauses is no longer allowed and all contracts that include the earlier versions should have been amended to replace them with the new versions by December 27, 2022. Also in June 2021, the European Data Protection Board finalized its recommendations regarding supplemental transfer measures to protect personal data during cross-border transfers. We must incur costs and expenses to comply with the new requirements, which may impact the cross-border transfer of personal data throughout our organization and to/from third parties. In the United States, at least thirteen states have adopted generally applicable and comprehensive privacy laws. These new and developing state laws provide a number of new privacy rights for residents of these states and impose corresponding obligations on organizations doing business in these states. Not only do these laws require that we make new disclosures to consumers, business contacts, employees, job applicants and others about our data collection, use and sharing practices, but they also require that we provide new rights, such as the rights to access, delete and correct personal data. While the California Consumer Privacy Act (the "CCPA") became effective in 2020, it has already been amended significantly, and compliance with the amended law, the California Privacy Protection Act (the "CPRA") was required as of January 2023. Compliance with the other states' laws will be required at different times during 2023. In addition, a number of other U.S. states are considering adopting laws and regulations imposing obligations regarding the handling of personal data. Compliance with the GDPR, the new state laws, and other current and future applicable U.S. and international privacy, data protection, cybersecurity, artificial intelligence and other data-related laws can be costly and time-consuming. Complying with these varying requirements could cause us to incur substantial costs and/or require us to change our business practices in a manner adverse to our business. Violations of data and privacy-related laws can result in significant penalties. Australia recently amended its Privacy Act, increasing the maximum penalties available for serious or repeated data breaches from AUS 2.2 million to the greater of: (i) AUS 50 million; (ii) three times the value of any benefit obtained through misuse of the information; or (iii) 30% of a company's adjusted turnover in the relevant period. We also may be bound by additional, more stringent contractual obligations relating to our collection, use and disclosure of personal data or may find it necessary or desirable to join industry or other self-regulatory bodies or other privacy or security related organizations that require compliance with their rules pertaining to privacy and data protection. We post on our websites our privacy notices and practices concerning the collection, use, sharing, disclosure, deletion and retention of our user data. Any failure, or perceived failure, by us to comply with our posted privacy notices or with any regulatory requirements or orders or other federal, state or international privacy -related laws and regulations, including the GDPR, CCPA and CPRA, could result in proceedings or actions against us by governmental entities or others (e.g., class action plaintiffs), subject us to significant penalties and negative publicity, require us to change our business practices, increase our costs and adversely affect our business. We may also experience security breaches and likely will in the future, which themselves may result in a violation of these laws and give rise to regulatory enforcement and/or private litigation.

We face risks related to an epidemic, pandemic or contagious disease which has impacted, and in the future could impact, the markets in which we operate and could have a material adverse effect on our business, results of operations and financial condition. The impact of an epidemic, pandemic or other health crisis and measures to prevent the spread of such an event could materially and adversely affect our business in a number of ways. For example, existing and potential customers may choose to reduce or delay technology spending in response, or attempt to renegotiate contracts and obtain concessions, which could materially and negatively impact our operating results, financial condition and prospects.

Our customers are generally invoiced in the currency of the country in which they are located. In addition, we incur a portion of our operating expenses in foreign currencies, including Australian dollars, British pounds, Canadian dollars, Indian Rupees, Euros and Israeli New Shekels, and in the future, as we expand into other foreign countries, we expect to incur operating expenses in other foreign currencies. As a result, we are exposed to foreign exchange rate fluctuations as the financial results of our international operations and our revenue and operating results could be adversely affected. We have not previously engaged in foreign currency hedging. If we decide to hedge our foreign currency exchange rate exposure, we may not be able to hedge effectively due to lack of experience, unreasonable costs, or illiquid markets.

The overall market for software is rapidly evolving and subject to changing technology, shifting customer needs and frequent introductions of new applications. The intensity and nature of our competition varies significantly across our family of software applications. Many of our competitors and potential competitors are larger and have greater brand name recognition, longer operating histories, larger marketing budgets, and significantly greater resources than we do. Some of our smaller competitors may offer applications on a stand-alone basis at a lower price than our price due to lower overhead or other factors, while some of our larger competitors may offer applications at a lower price in an attempt to cross-sell additional products in the future or retain a customer using a different application. We believe there are a limited number of direct competitors that provide a comprehensive software offering. However, we face competition both from point solution providers, including legacy on-premise enterprise systems, and other cloud-based work management software vendors that may address one or more of the functional elements of our applications, but are not designed to address a broad range of software needs. In addition, we face competition from manual processes and traditional tools, such as paper-based techniques, spreadsheets, and email. If our competitors' products, service, or technologies become more accepted than our software applications, if they are successful in bringing their products or services to market earlier than ours, or if their products or services are more technologically capable than ours, our revenues could be adversely affected.

Our success depends, in part, upon the continued service of our key executive officers, as well as other key personnel. The employment agreements with our executive officers and other key personnel do not require them to continue to work for us for any specified period; therefore, they may terminate employment with us at any time with no advance notice. The replacement of our senior management team or other key personnel likely would involve significant time and costs, and the loss of these employees may significantly delay or prevent the achievement of our business objectives. We face intense competition for qualified individuals from numerous technology and software companies. If we fail to attract and retain suitably qualified individuals, including software engineers and sales personnel, our ability to implement our business plan and develop and maintain our applications could be adversely affected. As a result, our ability to compete would decrease, our operating results would suffer, and our revenue would decrease.