Veritone (VERI) Risk Factors

In order for us to grow our business and achieve profitability, we must expand our revenue base by expanding our customer base and increasing our business with existing customers. We may not be able to succeed with respect to these efforts. Many factors may adversely affect our ability to grow the business for our aiWARE platform, including but not limited to: - Failure to add market-specific applications to our aiWARE platform with sufficient levels of capability to provide compelling benefits to users in our target vertical markets;- Failure to add AI models with sufficient levels of capability or trainability into our platform, difficulties integrating AI models, loss of access to, or increases in the cost of, AI models;- Inability to expand the number of AI models in different classes that can operate in a network-isolated manner, which would limit the capabilities of aiWARE available in our FedRAMP environment or under private cloud, on-premises and hybrid deployment models;- Difficulties in adding technical capabilities to our platform and ensuring future compatibility of additional third party providers;- Failure to articulate the perceived benefits of our solution, or to generate broad customer acceptance of or interest in our solutions;- Introduction of competitive offerings by larger, better financed and more well-known companies;- Introduction of new products or technologies that have performance and/or cost advantages over our aiWARE platform;- Inability to integrate our platform with products of other companies to pursue particular vertical markets, or the failure of such relationships to achieve their anticipated benefits;- Long and complex sales cycles, particularly for customers in the Government & Regulated Industries markets; and - Challenges in operating our platform on secure government cloud platforms and complying with government security requirements. If we fail to develop a successful business for our aiWARE platform, our business, results of operations and financial condition will suffer.

Our success depends, in part, on our ability to protect our brand and the proprietary methods and technologies that we develop under patent and other intellectual property laws of the United States and foreign jurisdictions so that we can prevent others from using our inventions and proprietary information. As of March 25, 2024, in the United States, we have 33 issued patents, which expire between 2029 and 2042, and have 14 patent applications pending for examination. As of such date, we also had 20 issued patents and 5 patent applications pending for examination in foreign jurisdictions (including international PCT applications), all of which are based on counterpart U.S. patent applications pursued by us. We may not be issued any additional patents and any patents that have been issued or that may be issued in the future may not provide significant protection for our intellectual property. In addition, we have registered, or have applied for registration of, numerous trademarks, including Veritone and aiWARE, in the United States and in several foreign jurisdictions. If we fail to protect our intellectual property rights adequately, our competitors might gain access to our technology and our business, results of operations and financial condition may be adversely affected. The particular forms of intellectual property protection that we seek, or our business decisions about when to file patent applications and trademark applications, may not be adequate to protect our business. We could be required to spend significant resources to monitor and protect our intellectual property rights. Litigation may be necessary in the future to enforce our intellectual property rights, determine the validity and scope of our proprietary rights or those of others, or defend against claims of infringement or invalidity. Such litigation could be costly, time-consuming and distracting to management, result in a diversion of significant resources, lead to the narrowing or invalidation of portions of our intellectual property and have an adverse effect on our business, results of operations and financial condition. We also rely, in part, on confidentiality agreements with our business partners, employees, consultants, advisors, customers and others in our efforts to protect our proprietary technology, processes and methods. These agreements may not effectively prevent disclosure of our confidential information, and it may be possible for unauthorized parties to copy our software or other proprietary technology or information, or to develop similar software independently without our having an adequate remedy for unauthorized use or disclosure of our confidential information. In addition, others may independently discover our trade secrets and proprietary information, and in these cases, we would not be able to assert any trade secret rights against those parties. Costly and time-consuming litigation could be necessary to enforce and determine the scope of our proprietary rights, and the failure to obtain or maintain trade secret protection could adversely affect our competitive business position. In addition, the laws of some countries do not protect intellectual property and other proprietary rights to the same extent as the laws of the United States. To the extent we expand our international activities, our exposure to unauthorized copying, transfer and use of our proprietary technology or information may increase. Our means of protecting our intellectual property and proprietary rights may not be adequate or our competitors could independently develop similar technology. If we fail to meaningfully protect our intellectual property and proprietary rights, our business, results of operations and financial condition could be adversely affected.

Our business success depends in part on the ability of customers to access our Software Products & Services and Managed Services at any time and within an acceptable amount of time. We have experienced, and may in the future experience, disruptions, outages and other performance problems due to a variety of factors, including infrastructure changes, introductions of new applications and functionality, software errors and defects, capacity constraints due to an increasing number of users accessing our platform or initiating large volumes of processing simultaneously, or security related incidents. In addition, we rely on third parties, including AWS and Azure, to operate critical business systems and process sensitive information in a variety of contexts, including for hosting, storage and other critical services, required to operate our Software Products & Services and Managed Services. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. As such, we are vulnerable to service interruptions, delays and outages experienced or caused by these third parties, and we may experience adverse consequences in the event these third-party service providers experience a security incident or other service interruption, delay or outage. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. Because we also incorporate diverse software and hosted services from many third-party vendors, we may encounter difficulties and delays in integrating and synthesizing these applications and programs, which may cause downtimes or other performance problems. It may become increasingly difficult to maintain and improve the performance of our platform, especially during peak usage times and as our platform becomes more complex or usage increases. Additionally, our reliance on third parties could introduce new cybersecurity risks and vulnerabilities, including supply-chain attacks. Such supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties' infrastructure in our supply chain or our third-party partners' supply chains have not been compromised. Certain of our customer contracts include service level obligations, including system uptime commitments and/or required response times in the case of technical issues. If our Software Products & Services and Managed Services are unavailable or if our users are unable to access them within a reasonable amount of time or at all, we may be in breach of our contractual obligations, we may be required to issue credits or refunds to customers, and/or our customers may be entitled to terminate their contracts with us. AWS and Azure provide us with hosting, computing and storage services pursuant to agreements that may be canceled under certain circumstances. If any of our agreements with AWS or Azure is terminated, we could experience interruptions on our platform and in our ability to make our platform available to customers, as well as delays and additional expenses in arranging alternative cloud infrastructure services. Any of the above circumstances or events may harm our reputation, cause customers to stop using our platform, impair our ability to increase revenue from existing customers, impair our ability to grow our customer base, subject us to financial penalties and liabilities under our service level agreements and otherwise harm our business, results of operations and financial condition.

Our ten largest customers by revenue accounted for approximately 39% and 55% of our net revenues in fiscal years 2023 and 2022, respectively. One customer accounted for approximately 12% of net revenues in fiscal year 2023 and 25% in 2022. Ten customers accounted for approximately 44% of our total Software Products & Services revenues in 2023, with one customer accounting for approximately 22% of our total Software Products & Services revenues. Ten customers accounted for approximately 50% of our total Managed Services revenues in 2023, with one customer accounting for approximately 12% of our total Managed Services revenues. If any of our key customers, particularly our key advertising customers which have the ability to terminate our agreements on short notice, decides to terminate or not to renew its contract with us, renews on less favorable terms, or suffers downturns in its business leading to a reduction in its marketing spending, and we are not able to gain additional customers or increase our revenue from other customers to offset the reduction of revenues, our business, results of operations and financial condition would be harmed.

The media placement industry is highly competitive, and certain advertising customers periodically put their advertising and marketing business up for competitive review. Customers also review the cost and benefit of servicing all or a portion of their advertising and marketing needs in-house. We have won and lost accounts in the past as a result of these reviews. Because our advertising contracts generally can be canceled by our customers upon 30 to 90 days' prior written notice, clients can easily change media providers on short notice without any penalty. In addition, from time to time, customers cancel media campaigns for their internal business reasons. If we are not able to retain key customers, or if any of our key customers significantly reduce their advertising spend, our revenue may be adversely affected, which could have a material and adverse effect on our business, results of operations and financial position.

Our ability to acquire new advertising customers and to retain existing customers may, in some cases, be limited by customers' perceptions of, or policies concerning, conflicts of interest arising from other customer relationships. If we are unable to manage these customer relationships and avoid potential conflicts of interest, our business, results of operations and financial position may be adversely affected. Our ability to acquire new advertising customers and to retain existing customers is dependent in large part upon our ability to attract and retain our key personnel in that business, who are an important aspect of our competitiveness. If we are unable to attract and retain key personnel, our ability to provide our services in the manner customers have come to expect may be adversely affected, which could harm our reputation and result in a loss of customers, which could have a material adverse effect on our business, results of operations and financial position.

In the ordinary course of business, we process sensitive information. Our customers also utilize our Software Products & Services and Managed Services to process data, which may contain personal data that is subject to data protection and privacy laws in various jurisdictions. Our data processing activities subject us to numerous data privacy and security obligations. Federal, state, local and foreign government bodies and agencies have adopted, or may in the future adopt, laws, regulations and guidance regarding the processing of personal data. These include, but are not limited to, the GDPR, the CCPA (as amended by the California Privacy Rights Act (the "CPRA") and other data protection and privacy laws, regulations and guidance adopted in other jurisdictions, including other states within the United States. In addition to government laws, regulations and guidance, privacy advocates and industry groups may propose various self-regulatory standards that may legally or contractually apply to our business. We may also be subject to other data protection and privacy obligations, such as external and internal privacy and security policies, other public representations and contractual requirements. The regulatory framework relating to privacy and data protection issues worldwide is evolving rapidly and is likely to remain uncertain for the foreseeable future. Consumers' data privacy expectations are also quickly changing, becoming increasingly stringent, and creating uncertainty. Because the interpretation and application of many privacy and data protection obligations are uncertain, it is possible that these obligations may be interpreted and applied in a manner inconsistent with our existing privacy and data management practices. Preparing for and complying with these obligations requires us to devote significant resources, which may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. In addition, these obligations may require us to change our business model. Our business model materially depends on our ability to process personal data, including sensitive and highly regulated types of data such as biometric information, so we are particularly exposed to the risks associated with the rapidly changing legal landscape. For example, we may be at heightened risk of regulatory scrutiny, and any changes in the regulatory framework could require us to fundamentally change our business model. As we expand into new jurisdictions or markets, we will be required to understand and comply with various new requirements applicable in those jurisdictions or markets. For example, we have entered into agreements and are actively pursuing opportunities to provide our Software Products & Services and Managed Services to customers in Europe, which involve processing of personal data. Europe and other jurisdictions have enacted or proposed laws with stringent obligations and significant penalties. For example, the EU GDPR imposes financial penalties for non-compliance, which can be up to four percent of global revenue or 20 million Euros, whichever is greater. In particular, in the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws limiting the transfer of personal data to other countries or, in some cases, requiring data to be localized. In particular, the European Economic Area (EEA) and the UK have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws they generally believe are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, these mechanisms are subject to potential legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA and the UK or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Furthermore, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers of personal data out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). In the past few years, numerous U.S. states-including California, Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the CCPA applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. We are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, certain privacy laws, such as the GDPR and the CCPA, require our customers to impose specific contractual restrictions on their service providers. Additionally, some of our customer contracts require us to host personal data locally. We also publish privacy policies, marketing materials and other statements, such as compliance with certain certifications or self-regulatory principles, regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences. To the extent applicable to our business or the businesses of our customers, these obligations could have negative effects on our business, including by increasing our costs and operating expenses, and delaying or impeding our deployment of new core functionality and products. Compliance with these obligations requires significant management time and attention, and actual or perceived failure to comply could result in government enforcement actions (e.g., investigations, inspections, etc.), negative publicity, litigation (including class action claims) and mass arbitration demands, subject us to contractual liability, fines or penalties, additional reporting requirements and/or oversight or result in demands that we modify or cease existing business practices (including bans on processing personal data or orders to destroy personal data). In addition, the costs of compliance with, and other burdens imposed by, such laws, regulations and industry standards may adversely affect our customers' ability or desire to collect, use, process and store personal information using our software solutions, which could reduce overall demand for them. Even the perception of privacy and data security concerns, whether or not valid, may inhibit market acceptance of our software solutions in certain markets. Furthermore, privacy and data security concerns may cause our customers' customers, vendors, employees and other industry participants to resist providing the personal information necessary to allow our customers to use our products and services effectively. Additionally, plaintiffs have become increasingly more active in bringing privacy-related claims, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these outcomes could adversely affect our business and operating results. Additionally, under various privacy laws and other obligations, we may be required to obtain certain consents to process personal data. For example, some of our data processing practices may be challenged under wiretapping laws, if we obtain consumer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. These practices may be subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation and mass arbitration demands. Our employees and personnel use generative AI technologies to perform their work, and the disclosure and use of personal data in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. Finally, governments and regulators in certain jurisdictions, including Europe, are increasingly seeking to regulate the use, transfer and other processing of non-personal data, an area which has typically been the subject of very limited or no specific regulation. This means that, if and to the extent such regulations are relevant to our operations or those of our customers, certain of the risks and considerations outlined herein may apply equally to our processing of both personal and non-personal data. For example, we may become subject to certain parts of the European Union's Data Act, which imposes certain data and cloud service interoperability and switching obligations to enable users to switch between service providers without undue delay or cost, as well as certain requirements concerning cross-border international transfers of, and governmental access to, non-personal data outside the EEA. Depending on how these laws are interpreted, we may have to adapt our business practices, contractual arrangements and products to comply with such obligations.