ZoomInfo Technologies (ZI) Risk Analysis

Our platform depends on the ability of our users to access the internet and our platform could be blocked or restricted in some countries for various reasons. Further, it is possible that governments of one or more foreign countries may seek to limit access to or certain features of our platform in their countries, or impose other restrictions that may affect the availability of our platform, or certain features of our platform, in their countries for an extended period of time or indefinitely. In addition, governments in certain countries may seek to restrict or prohibit access to our platform if they consider us to be in violation of their laws (including privacy laws) and may require us to disclose or provide access to information in our possession. If we fail to anticipate developments in the law or fail for any reason to comply with relevant law, our platform could be further blocked or restricted and we could be exposed to significant liability that could harm our business. In the event that access to our platform is restricted, in whole or in part, in one or more countries or our competitors are able to successfully penetrate geographic markets that we cannot access, our ability to add new customers or renew or grow the subscriptions of existing customers may be adversely affected, we may not be able to maintain or grow our revenue as anticipated and our business, results of operations, and financial condition could be adversely affected. New laws and regulations in the area of AI may also impact our business. For example, the European Union's Artificial Intelligence Act ("AI Act"), which achieved a consensus between the European Parliament and Council on December 9, 2023, introduces a regulatory landscape that businesses will need to navigate with caution. The AI Act's stringent measures against certain AI applications may impact businesses in our sector. Such measures include prohibitions on AI technologies that utilize sensitive personal attributes for biometric categorization, restrictions on indiscriminate collection of facial images for recognition databases, and limitations on emotion recognition systems that could be employed in consumer analysis or employee monitoring. Businesses must also be aware of the comprehensive transparency requirements mandated for general-purpose AI systems. This entails maintaining detailed technical documentation and ensuring compliance with EU copyright laws, with even more rigorous standards for high-impact general AI models. These models require exhaustive evaluations, risk assessments related to systemic impacts, adversarial testing, and reporting on aspects like energy efficiency, indicating a significant compliance burden for businesses. The scale of penalties for non-compliance range up to €35 million or 7% of global turnover, underscoring the importance of adherence to the new regulations where applicable. The AI Act demands a proactive approach to regulatory compliance, risk management, and an investment in infrastructure to align with the EU's vision of a safe and ethical AI environment.

There is considerable patent and other intellectual property development activity in our market, and litigation, based on allegations of infringement or other violations of intellectual property, is frequent in software and internet-based industries. We may receive communications from third parties, including practicing entities and non-practicing entities, claiming that we have infringed their intellectual property rights. In addition, we may be sued by third parties for breach of contract, defamation, negligence, unfair competition, data breaches, privacy compliance, or copyright or trademark infringement or claims based on other theories. We could also be subject to claims that the collection or provision of certain information, including personal information by us or by third-parties with whom we interact breached laws or regulations relating to privacy or data protection. As a result of claims against us regarding suspected infringement, our technologies may be subject to injunction, we may be required to pay damages, or we may have to seek a license to continue certain practices (which may not be available on reasonable terms, if at all), all of which may significantly increase our operating expenses or may require us to restrict our business activities and limit our ability to deliver our products and services and/or certain features, integrations, and capabilities of our platform. As a result, we may also be required to develop alternative non-infringing technology, which could require significant effort and expense and/or cause us to alter our products or services, which could negatively affect our business. In addition, many of our subscription agreements require us to indemnify our customers for third-party intellectual property infringement claims, so any alleged infringement by us resulting in claims against such customers would increase our liability. Our exposure to risks associated with various claims may be greater if we acquire other companies or technologies. For example, we may have a lower level of visibility into the development process with respect to intellectual property or the care taken to safeguard against infringement risks with respect to the acquired company or technology. In addition, third parties may make claims after we have acquired a company or technology that had not been asserted prior to our acquisition. In the ordinary course of business, we may be involved in and subject to litigation for a variety of claims or disputes and receive regulatory inquiries. These claims, lawsuits, and proceedings could include labor and employment, wage and hour, commercial, data protection and privacy, intellectual property, antitrust, alleged securities law violations or other investor claims, and other matters. The number and significance of these potential claims and disputes may increase as our business expands. Any claim against us, regardless of its merit, could be costly, divert management's attention and operational resources, and harm our reputation. In addition, we have entered into indemnification agreements with each of our directors and officers, pursuant to which we have agreed to indemnify our directors and officers to the fullest extent permitted by Delaware law. As a result, any claims for indemnification by our directors and officers may reduce our available funds to satisfy successful third-party claims against us and may reduce the amount of money available to us. As litigation is inherently unpredictable, we cannot assure you that any potential claims or disputes will not have a material adverse effect on our business, results of operations, and financial condition. Any claims or litigation, even if fully indemnified or insured, could make it more difficult to compete effectively or to obtain adequate insurance in the future. In addition, we may be required to spend significant resources to monitor and protect our contractual, property, and other rights, including collection of payments and fees. Litigation has been and may be necessary in the future to enforce such rights. Such litigation could be costly, time consuming, and distracting to management and could result in the impairment or loss of our rights. Furthermore, our efforts to enforce our rights may be met with defenses, counterclaims, and countersuits attacking the validity and enforceability of such rights. Our inability to protect our rights, as well as any costly litigation or diversion of our management's attention and resources, could have an adverse effect on our business, results of operations, and financial condition or injure our reputation.

The business contact information and other data we collect and process are an integral part of our products and services. Regulators around the world have adopted or proposed requirements regarding the collection, use, transfer, security, storage, destruction, and other processing of personal data. Our products and services rely heavily on the collection and use of information to provide effective insights to our customers and users. In recent years, there has been an increase in attention to and regulation of data protection and data privacy across the globe, including the enactment of the GDPR, the United Kingdom's transposition of GDPR into its domestic laws following Brexit in January 2021, India's Digital Personal Data Protection Act passed in August 2023, the California Consumer Privacy Act as amended by the California Privacy Rights Act, and similar comprehensive privacy laws adopted in eighteen other states, including Colorado, Connecticut, Virginia, and Utah. Meanwhile, around the world there are ongoing discussions about how best to revise and modernize existing laws in jurisdictions such as Canada and Australia. Laws such as these give rise to an increasingly complex set of compliance obligations on us, as well as on many of our customers. These laws are not always uniform in the way they define and treat certain data types, including business-to-business data, biometric data or so called "sensitive" data, and we must often update our consumer notices and adapt our compliance programs to account for the differences between applicable laws. These laws can impose restrictions on our ability to gather personal data and provide such personal data to our customers, provide individuals with additional rights around their personal data, and place downstream obligations on our customers relating to their use of the information we provide. Domestically, as members of the Republican Party now control both the White House and Congress, the national landscape has shifted. It is unclear if members of Congress will have enough votes to pass a Federal privacy law and while AI remains top of discussion in Congress, members of the Republican Party have indicated a pivot from comprehensive regulations in favor of less restrictions. Additionally, at Federal agencies including the FTC, it is unclear what the current Administration's enforcement priorities will be and how the push to move away from additional regulations will be reflected at each relevant agency. This likely means states will continue to pursue both AI and privacy legislation. Nineteen states now have comprehensive privacy laws, and recently, dozens of additional states have pending legislation for both AI and privacy. These complex laws may be implemented, interpreted, or enforced in a non-uniform or inconsistent way across jurisdictions and we may not be aware of every development that impacts our business. These laws may also require us to make additional changes to our services in order for us or our customers to comply with such legal requirements. It may also increase our potential liability as a result of higher potential penalties for noncompliance. These and other legal requirements could reduce our ability to gather personal data used in our products and services. They could reduce demand for our services, require us to take on more onerous obligations in our contracts, require us to add new provisions in our customer contracts related to the processing of personal information, and restrict our ability to store, transfer and process personal data. In some cases, it may impact our ability or our customers' ability to offer our services in certain locations, to deploy our solutions, to reach current and prospective customers, or to derive insights from data globally. One area of particular risk remains data transfers between the United States and the European Union. On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US DPF, 18 months after its predecessor, the EU-US Privacy Shield, was invalidated. While this does, for the time, assert that entities operating in the United States who have certified to the DPF ensure an adequate level of protection for transferring personal data from the European Union to the United States, future challenges seem imminent. The privacy advocacy organization NOYB, which previously challenged and facilitated the demise of both the Safe Harbor (Schrems I) and Privacy Shield (Schrems II) has already criticized the DPF for not doing enough to provide non-US citizens with reasonable privacy protections afforded to US citizens. The NOYB has more recently called the validity of the DPF into question in light of changes the White House is making to the members of the U.S. Privacy and Civil Liberties Oversight Board, which is tasked with overseeing U.S. surveillance practices and addressing complaints from EU citizens under the DPF. ZoomInfo is certified under the DPF, but still utilizes Standard Contractual Clauses as its cross-border transfer mechanism due to the uncertain future of the DPF. In the event any court blocks personal data transfers to or from a particular jurisdiction on the basis that certain or all such transfer mechanisms are not legally adequate, this could give rise to operational interruption in the performance of services for customers and internal processing of employee information, greater costs to implement alternative data transfer mechanisms that are still permitted, regulatory liabilities, or reputational harm. The cost of complying with existing or new data privacy or data protection laws and regulations may limit our ability to gather the personal data needed to provide our products and services. It could negatively impact the use or adoption of our products and services or products and services similar to ours, reduce overall demand for our products and services, or products and services similar to ours, make it more difficult for us or competitive solutions to meet expectations from or commitments to customers and users, lead to significant fines, penalties, or liabilities for noncompliance, impact our reputation, or slow the pace at which we close sales transactions, any of which could harm our business. Furthermore, the uncertain and shifting regulatory environment and trust climate may cause concerns regarding data privacy and may cause our vendors, customers, users, or our customers' customers to decline to provide the data necessary to allow us to offer our services to our customers and users effectively, or could prompt individuals to opt out of our collection of their personal data. Even the perception that the privacy of personal data is not satisfactorily protected or does not meet regulatory requirements could discourage prospective customers from subscribing to our products or services or discourage current customers from renewing their subscriptions. In addition, the regulatory landscape is particularly complex and rapidly evolving with respect to AI technologies. New regulations specifically targeting AI development, deployment, and data usage are being proposed and implemented across various jurisdictions. These regulations may impose additional obligations related to algorithmic transparency, bias testing, and specific data protection measures for AI systems. Our AI-driven products and services may be subject to increased scrutiny under these new frameworks. Compliance with any of the foregoing laws and regulations can be costly and can delay or impede the development of new products or services. We may incur substantial fines if we violate any laws or regulations relating to the collection or use of personal data. Our actual or alleged failure to comply with applicable privacy or data protection laws, regulations, and policies, or to protect personal data, could result in enforcement actions and significant penalties against us, which could result in negative publicity or costs, subject us to claims or other remedies, and have a material adverse effect on our business, financial condition, and results of operations.

Our success is dependent, in part, upon our ability to protect and enforce our intellectual property rights, including in our proprietary information and technology. No assurance can be given that our confidentiality, non-disclosure, or invention assignment agreements with employees, consultants, or other parties will not be breached and will otherwise be effective in controlling access to and distribution of our platform, or certain aspects of our platform, and proprietary information. Further, these agreements may not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our platform. Additionally, certain unauthorized use of our intellectual property may go undetected, or we may face legal or practical barriers to enforcing our legal rights even where unauthorized use is detected. Current laws may not provide for adequate protection of our platform or data. In addition, legal standards relating to the validity, enforceability, and scope of protection of proprietary rights in internet-related businesses are uncertain and evolving, and changes in these standards may adversely impact the viability or value of our proprietary rights. Some license provisions protecting against unauthorized use, copying, transfer, and disclosure of our platform, or certain aspects of our platform may be unenforceable under the laws of certain jurisdictions. Further, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States, and mechanisms for enforcement of intellectual property rights in some foreign countries may be inadequate. To the extent we expand our international activities, our exposure to unauthorized copying and use of our data or certain aspects of our platform, or our data may increase. Further, competitors, foreign governments, foreign government-backed actors, criminals, or other third parties may gain unauthorized access to our proprietary information and technology. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our technology and intellectual property. To monitor and protect our intellectual property rights, we may be required to spend significant resources, and we may or may not be able to detect infringement by our customers or third parties. Litigation has been and may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation could be costly, time consuming, and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims, and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management's attention and resources, could delay further sales or the implementation of our platform, impair the functionality of our platform, delay introductions of new features, integrations, and capabilities, result in our substituting inferior or more costly technologies into our platform, or injure our reputation. In addition, we may be required to license additional technology from third parties to develop and market new features, integrations, and capabilities, which may not be available on commercially reasonable terms, or at all, and our inability to license this technology could harm our ability to compete.

Threats to network and data security are constantly evolving and becoming increasingly diverse and sophisticated and have increased in scope and frequency. Our products and services, as well as our servers and computer systems and those of third parties that we rely on in our operations could be vulnerable to cybersecurity risks and threats or other events that could disrupt our IT systems and/or subject us to liability such as manmade or natural disasters (including those as a result of climate change) or software vulnerabilities. In addition, many of our employees work remotely, which increases our cyber security risk, creates data accessibility concerns, and makes us more susceptible to security breaches or business disruptions. We have in the past been the target of attempts, and experienced incidents of attempts, to identify and exploit system vulnerabilities and/or penetrate or bypass our security measures in order to gain unauthorized access to our systems, including to use our platform and data for purposes other than its intended purpose or to create products that compete with our platform. We employ multiple methods at different layers of our systems designed to defend against intrusion and attack, to protect our systems and to resolve and mitigate the impact of any incidents. Despite our efforts to keep our systems secure and to remedy identified vulnerabilities, future attacks could be successful and could result in substantial liability or business risk. We expect that third parties will continue to attempt to gain unauthorized access to our systems or facilities through various means, including hacking into our systems or facilities, or those of our customers or vendors, or attempting to fraudulently induce our employees, customers, vendors or other users of our systems into disclosing sensitive information, which may in turn be used to access our IT systems. Our cybersecurity programs and efforts to protect our systems and data, and to prevent, detect and respond to data security incidents, may not prevent these threats or provide adequate security. We may experience breaches of our security measures due to human error, malfeasance, system errors or vulnerabilities, or other irregularities including attempts by former, current or future employees to misuse their authorized access and/or gain unauthorized access to our systems. Such events could result in the release to the public of confidential information about our operations and financial condition and performance. Actual or perceived breaches of our security could subject us to regulatory investigations and orders, litigation, indemnity obligations, damages, penalties, fines and other costs in connection with actual and alleged contractual breaches, violations of applicable laws and regulations and other liabilities. Moreover, a security compromise or ransomware event could require us to devote significant management resources to address the problems created by the issue and to expend significant additional resources to upgrade further the security measures we employ to guard personal and confidential information against cyber-attacks and other attempts to access or otherwise compromise such information and could result in a disruption of our operations, particularly our digital operations. Any such incident could also materially damage our reputation and harm our business, results of operations and financial condition. We maintain errors, omissions, and cyber liability insurance policies covering certain security and privacy damages. However, we cannot be certain that our coverage will be adequate for liabilities actually incurred or that insurance will continue to be available to us on economically reasonable terms, or at all. Further, we may be subject to additional liability risks associated with data security breaches or other incidents by virtue of the private right of action granted to individuals under certain data privacy laws for actions arising from certain data security incidents.

We have historically derived substantially all of our revenue from subscription services and expect to continue to generate revenue from the sale of subscriptions to our platform and data. As a result, the continued use of telephones and email as a primary means of B2B sales, marketing, and recruiting, and the continued use of internet cloud-based platforms to access telephone, email, and related information for such purposes, is critical to our future growth and success. If the sales and marketing information market fails to grow, or grows more slowly than we currently anticipate, or if there is a decrease in the use of telephones and email as primary means of B2B communication, demand for our platform and data would be negatively affected. Changes in user preferences for sales, marketing, and recruiting platforms may have a disproportionately greater impact on us than if we offered disparate products and services. Demand for sales, marketing, and recruiting platforms in general, and our platform and data in particular, is affected by a number of factors, many of which are beyond our control. Some of these potential factors include: - awareness and acceptance of the sales, marketing, and recruiting platform categories generally, and the growth, contraction and evolution of the categories;- availability of products and services that compete with ours;- brand recognition;- pricing;- ease of adoption and use;- performance, features, and user experience, and the development and acceptance of new features, integrations, and capabilities;- customer support;- accessibility across several devices, operating system, and applications;- integration with CRM and other related technologies; and - the potential for the development of new systems and protocols for B2B communication. The market is subject to rapidly changing user demand and preference trends. If we fail to successfully predict and address these changes and trends, meet user demands or achieve more widespread market acceptance of our platform and data, our business, results of operations, and financial condition could be harmed.

Our success depends in part on our ability to expand our sales and operations outside of the United States. Any new markets or countries into which we attempt to sell subscriptions to our platform may not be as receptive to our products and services as we anticipate. We may also experience challenges expanding and operating internationally. A significant increase in international customers or an expansion of our operations into other countries, either directly or through third parties, could create additional risks and challenges, including: - a need to localize our products and services, including translation into foreign languages and associated expenses;- competition from local incumbents that better understand the local market, customs, and culture may market and operate more effectively, and may enjoy greater local affinity or awareness;- a need to comply with foreign regulatory frameworks or business practices (including with respect to data privacy and security), which among other things may favor local competitors;- evolving domestic and international tax environments;- foreign currency fluctuations and controls, which may make our products and services more expensive for international customers and could add volatility to our operating results;- vetting and monitoring internal or external sales or customer experience resources in new and evolving markets to confirm they maintain standards consistent with our brand and reputation;- different pricing environments;- different or lesser protection of our intellectual property;- potential or actual violations of domestic and international anti-corruption laws, export controls, anti-bribery laws, and sanctions regulations, which likelihood may increase with an increase of sales and operations in foreign jurisdictions;- changes in diplomatic and trade relationships, including the imposition of new trade restrictions, trade protection measures, including tariffs and retaliatory tariffs, as well as any direct and indirect economic effects on the domestic and international markets, import or export requirements, trade embargoes, and other trade barriers; and - other factors beyond our control, such as terrorism, war, natural disasters, climate change and pandemics, could result in restrictions on business activity, or materially affect our targeted return to operations timeline after one of these declared incidents, which may vary significantly by region. Any of these factors could negatively impact our business and results of operations.

Our success depends largely upon the continued services of our executive officers and other key employees, including newly hired personnel. We rely on our leadership team in the areas of research and development, operations, security, analytics, marketing, sales, customer experience, and general and administrative functions and on individual contributors in our research and development and operations. From time to time, there have been, and may continue to be, changes in our executive management team resulting from the hiring or departure of executives, which could disrupt our business. The loss of one or more of our executive officers or key employees could harm our business. Changes in our executive management team, or failure or delay in integrating new members of the executive management team and other key employees into our business, may also cause disruptions in, and harm to, our business. The Company continues to be led by our CEO and co-founder, Henry Schuck, who plays an important role in driving the Company's culture, determining the strategy, and executing against that strategy across the Company. If Mr. Schuck's services became unavailable to the Company for any reason, it may be difficult or impossible for the Company to find an adequate replacement, which could cause us to be less successful in maintaining our culture and developing and effectively executing on our company strategies. In addition, to execute our growth plan, we must attract and retain highly qualified personnel. Competition for highly skilled personnel in our industry can be intense. Competitors for technical and sales talent increasingly seek to hire our employees, and the availability of flexible, hybrid, or work-from-home arrangements has both intensified and expanded competition. Our increased emphasis on in-office work and associated hiring plans may reduce the talent pools from which we recruit and can increase the difficulty of hiring the highest quality personnel in efficient timeframes. Also, as we continue to grow, we face challenges of integrating, developing, training, and motivating our employee base, and maintaining our company culture around the world. If we fail to hire and retain highly skilled employees or fail to manage organizational change in a manner that preserves our efficacy and the key aspects of our corporate culture, the quality of our products and services may suffer, which could negatively affect our brand and reputation and harm our ability to attract users, employees, and organizations.