Salesforce Inc.: 10-K Risk Factor Changes

Whether we continue to pay cash dividends, as well as the rate at which we pay cash dividends, in the future is subject to continued capital availability, general economic and market conditions, applicable laws and agreements and our Board continuing to determine that the declaration of dividends is in the best interests of the Company and its stockholders. The declaration and payment of any dividend may be discontinued at any time and dividend amounts may be reduced at any time. A discontinuation of or reduction in our dividend payments could have a negative effect on our stock price. 29 29 29 29 29 29 Table of Contents Table of Contents Table of Contents

Whether we continue to pay cash dividends, as well as the rate at which we pay cash dividends, in the future is subject to continued capital availability, general economic and market conditions, applicable laws and agreements and our Board continuing to determine that the declaration of dividends is in the best interests of the Company and its stockholders. The declaration and payment of any dividend may be discontinued at any time and dividend amounts may be reduced at any time. A discontinuation of or reduction in our dividend payments could have a negative effect on our stock price.

We continue to experience significant growth in our customer base, including through acquisitions, which has placed a strain on our management, administrative, operational and financial infrastructure. We anticipate that significant additional investments, including in human capital software, agentic AI and other technologies, will be required to scale our operations and increase productivity, address the needs of our customers, develop and enhance our services, expand into new geographic areas and support continued growth. These investments will increase our cost base, making it more difficult to offset any future revenue shortfalls by reducing expenses in the short term. We may not be able to make these investments as quickly or effectively as necessary to successfully scale our operations. We regularly upgrade or replace our software systems and processes. If the implementations of these new applications are delayed, or if we encounter problems with our new systems and processes or in migrating away from our existing systems and processes, our operations could be negatively impacted. For example, in the second quarter of fiscal 2026, we implemented a new enterprise resource planning system (“ERP”). Among other things, our ERP is essential to our financial planning, reporting, and compliance programs, and any unforeseen problems with our new ERP or in migrating away from previous systems and processes could harm our ability to manage our business. Our success will depend in part upon the ability of our senior management to plan and manage our projected growth effectively. We must continue to increase the productivity of our existing employees and to hire, train and manage employees as needed. Additionally, changes in our work environment and workforce may not meet the needs and expectations of our workforce or may create operational and workplace culture challenges, which could negatively impact our ability to increase employee productivity or attract and retain our employees and could adversely affect our operations. Furthermore, new AI offerings and technologies, which are integrated into our operations, may disrupt workforce needs and could adversely affect our operations if not managed properly. To manage the expected growth of our operations and personnel, we will need to continue to improve our operational, financial and management controls, our reporting systems and procedures and our utilization of real estate. If we fail to successfully scale our operations and increase productivity, we may be unable to execute our business plan and the value of our common stock could decline.

We continue to experience significant growth in our customer base, including through acquisitions, which has placed a strain on and in the future may strain our management, administrative, operational and financial infrastructure. We anticipate that significant additional investments, including in human capital software, as well as leveraging agentic AI and other technologies, will be required to scale our operations and increase productivity, to address the needs of our customers, to further develop and enhance our services, to expand into new geographic areas and to scale with our overall growth. These investments will increase our cost base, making it more difficult for us to offset any future revenue shortfalls by reducing expenses in the 15 15 15 15 15 15 Table of Contents Table of Contents Table of Contents short term. We may not be able to make these investments as quickly or effectively as necessary to successfully scale our operations. We regularly upgrade or replace our various software systems and processes. If the implementations of these new applications are delayed, or if we encounter unforeseen problems with our new systems and processes or in migrating away from our existing systems and processes, our operations and our ability to manage our business could be negatively impacted. Our success will depend in part upon the ability of our senior management to plan and manage our projected growth effectively. To do so, we must continue to increase the productivity of our existing employees and to hire, train and manage new employees as needed. Additionally, changes in our work environment and workforce may not meet the needs and expectations of our workforce or may create operational and workplace culture challenges, which could negatively impact our ability to increase employee productivity or attract and retain our employees and could adversely affect our operations. To manage the expected domestic and international growth of our operations and personnel, we will need to continue to improve our operational, financial and management controls, our reporting systems and procedures and our utilization of real estate. If we fail to successfully scale our operations and increase productivity, we may be unable to execute our business plan and the value of our common stock could decline.

Our success depends on the willingness of a growing community of third-party developers and vendors to build applications and provide integrations, data and content that are complementary to our services. Without the continued development of these applications and provision of such integrations, data and content, both current and potential customers may not find our services sufficiently attractive, which could impact future sales. In addition, for those customers who authorize a third-party technology partner to access their data, we do not provide any warranty related to the functionality, security or integrity of the data access, transmission or processing. Despite contract provisions to protect us, customers may look to us to support and provide warranties for the third-party applications, integrations, data and content, even though not developed or sold by us, which may expose us to potential claims, liabilities and obligations, all of which could harm our reputation and our business.

Our success depends on the willingness of a growing community of third-party developers and technology providers to build applications and provide integrations, data and content that are complementary to our services. Without the continued development of these applications and provision of such integrations, data and content, both current and potential customers may not find our services sufficiently attractive, which could impact future sales. In addition, for those customers who authorize a third-party technology partner to access their data, we do not provide any warranty related to the functionality, security or integrity of the data access, transmission or processing. Despite contract provisions to protect us, customers may look to us to 20 20 20 20 20 20 Table of Contents Table of Contents Table of Contents support and provide warranties for the third-party applications, integrations, data and content, even though not developed or sold by us, which may expose us to potential claims, liabilities and obligations, all of which could harm our reputation and our business.

We sell our services throughout the world and are subject to risks and challenges associated with international business. The risks and challenges associated with sales to customers outside the United States or those that can affect international operations generally, include: •regional economic and political conditions, natural disasters, acts of war, terrorism and actual or threatened public health emergencies, or other geopolitical events, including the evolving relations between the United States and China, the United States and Russia, and ongoing conflicts, such as the war in Ukraine and the regional conflict in the Middle East; •localization of our services, including translation into foreign languages and associated expenses; •regulatory frameworks or business practices favoring local competitors; •pressure on the creditworthiness of sovereign nations, where we have customers and a balance of our cash, cash equivalents and marketable securities; •foreign currency fluctuations and controls, which may make our services more expensive for international customers and could add volatility to or negatively impact our operating results; •compliance with complex and evolving governmental laws and regulations, such as those governing AI; •liquidity issues or political actions by sovereign nations, including nations with a controlled currency environment, could result in decreased values of these balances or potential difficulties protecting our foreign assets or satisfying local obligations; •vetting and monitoring our third-party resellers in new and evolving markets to confirm they maintain standards consistent with our brand and reputation; •treatment of revenue from international sources, evolving domestic and international tax environments and changes to tax codes, including being subject to and paying withholding taxes under foreign tax laws; •uncertainty regarding changes in trade policies, including trade wars, the threat or imposition of tariffs or other trade restrictions, as well as any retaliatory actions; •perceptions of U.S.-based companies in the regions where we operate or plan to operate; •perceptions of regions or governments in the regions where we operate or plan to operate, resulting in negative publicity or reputational harm; •different pricing environments; •difficulties in staffing and managing foreign operations; •different or lesser protection of our intellectual property, including increased risk of theft of our proprietary technology and other intellectual property, and more prevalent cybersecurity risks, particularly in jurisdictions in which we have historically chosen not to operate; and •longer accounts receivable payment cycles and other collection difficulties. Any of these factors could negatively impact our business and results of operations. The above factors may also negatively impact our ability to successfully expand into emerging market countries, where we have little or no operating experience, where it can be costly and challenging to establish and maintain operations, including hiring and managing required personnel, and difficult to promote our brand, and where we may not benefit from any first-to-market advantage or otherwise succeed.

We sell our services throughout the world and are subject to risks and challenges associated with international business. We intend to seek to continue to expand our international sales efforts. The risks and challenges associated with sales to customers outside the United States or those that can affect international operations generally, include: •regional economic and political conditions, natural disasters, acts of war, terrorism and actual or threatened public health emergencies; •localization of our services, including translation into foreign languages and associated expenses; •regulatory frameworks or business practices favoring local competitors; 16 16 16 16 16 16 Table of Contents Table of Contents Table of Contents •pressure on the creditworthiness of sovereign nations, where we have customers and a balance of our cash, cash equivalents and marketable securities; •foreign currency fluctuations and controls, which may make our services more expensive for international customers and could add volatility to or negatively impact our operating results; •compliance with complex and evolving governmental laws and regulations, including employment, tax, anti-corruption, import/export, customs, anti-boycott, sanctions and embargoes, antitrust, cybersecurity, sustainability and industry-specific laws and regulations, including rules related to compliance by our third-party resellers; •liquidity issues or political actions by sovereign nations, including nations with a controlled currency environment, could result in decreased values of these balances or potential difficulties protecting our foreign assets or satisfying local obligations; •vetting and monitoring our third-party resellers in new and evolving markets to confirm they maintain standards consistent with our brand and reputation; •treatment of revenue from international sources, evolving domestic and international tax environments and changes to tax codes, including being subject to and paying withholding taxes under foreign tax laws; •uncertainty regarding the imposition of and changes in trade policies, including trade wars, tariffs or other trade restrictions or the threat of such actions, or other geopolitical events, including the evolving relations between the United States and China, the United States and Russia, and ongoing conflicts, such as the war in Ukraine and the regional conflict in the Middle East; •perceptions of regions or governments in the regions where we operate or plan to operate, resulting in negative publicity or reputational harm; •regional data privacy laws and other regulatory requirements that apply to outsourced service providers and to the transmission of our customers’ data across international borders; •different pricing environments; •difficulties in staffing and managing foreign operations; •different or lesser protection of our intellectual property, including increased risk of theft of our proprietary technology and other intellectual property, and more prevalent cybersecurity risks, particularly in jurisdictions in which we have historically chosen not to operate; and •longer accounts receivable payment cycles and other collection difficulties. Any of these factors could negatively impact our business and results of operations. The above factors may also negatively impact our ability to successfully expand into emerging market countries, where we have little or no operating experience, where it can be costly and challenging to establish and maintain operations, including hiring and managing required personnel, and difficult to promote our brand, and where we may not benefit from any first-to-market advantage or otherwise succeed.

Our customers have no obligation to renew their subscriptions after the expiration of their contractual subscription period, which is typically 12 to 36 months, and in the normal course of business, some customers have elected not to renew. Our customers may renew for fewer subscriptions, renew for shorter contract lengths or switch to lower cost offerings of our services. It is difficult to predict attrition rates given our varied customer base and the number of multi-year subscription contracts. Our attrition rates may increase or fluctuate as a result of various factors, including customer dissatisfaction, customers’ spending levels, mix of customer base, decreases in the number of users at our customers, competition, pricing increases or changes, such as the increased prevalence of consumption-based pricing models and economic downturns. Our future success depends in part on our ability to sell additional features and services, more subscriptions or enhanced editions of our services to our current customers. This may also require increasingly sophisticated and costly sales efforts that are targeted at senior management. Similarly, the rate at which our customers purchase new or enhanced services depends on a 16 16 16 16 16 16 Table of Contents Table of Contents Table of Contents number of factors, including general economic conditions and customer receptiveness to price changes related to these additional features and services. In addition, the markets and monetization strategies for certain offerings, including Agentforce and Data 360, remain relatively new and uncertain and may present additional risks and challenges.

Our customers have no obligation to renew their subscriptions for our services after the expiration of their contractual subscription period, which is typically 12 to 36 months, and in the normal course of business, some customers have elected not to renew. In addition, our customers may renew for fewer subscriptions, renew for shorter contract lengths or switch to lower cost offerings of our services, particularly in times of general economic uncertainty. It is difficult to predict attrition rates given our varied customer base and the number of multi-year subscription contracts. Our attrition rates may increase or fluctuate as a result of various factors, including customer dissatisfaction with our services, customers’ spending levels, mix of customer base, decreases in the number of users at our customers, competition, pricing increases or changes, such as the increased prevalence of consumption-based pricing models and economic downturns. Our future success also depends in part on our ability to sell additional features and services, more subscriptions or enhanced editions of our services to our current customers. This may also require increasingly sophisticated and costly sales efforts that are targeted at senior management. Similarly, the rate at which our customers purchase new or enhanced services depends on a number of factors, including general economic conditions and customer receptiveness to any price changes related to these additional features and services. In addition, the markets and monetization strategies for certain offerings, including Agentforce and Data Cloud, remain relatively new and uncertain and as a result our expansion into such offerings, and related investments, may present additional risks and challenges. For example, we offer certain products, including Agentforce and Data Cloud, through a consumption-based business model and may increase the number of products through which we do so. We have limited experience with determining optimal pricing for our consumption-based contracts. Additionally, due to customer flexibility in the timing of their consumption, we could have lower levels of customer consumption of our products than we expect which may result in suboptimal pricing for consumption-based contracts.

We are subject to income taxes in the United States and various other jurisdictions. Significant judgment is often required in the determination of our worldwide provision for income taxes. Our effective tax rate could be impacted by changes in our earnings and losses in countries with differing statutory tax rates, changes in operations, changes in non-deductible expenses, changes in the tax effects of stock-based compensation expense, changes in the valuation of deferred tax assets and liabilities and our ability to utilize them, the applicability of withholding taxes, effects from acquisitions and changes in accounting principles and tax laws. Any changes, ambiguity or uncertainty in taxing jurisdictions’ administrative interpretations, decisions, policies and positions could also materially impact our income tax liabilities. For example, as a result of the One Big Beautiful Bill Act (“OBBBA”), we could be subject to Corporate Alternative Minimum Tax (“CAMT”). While certain changes brought forth by the OBBBA, notably, the immediate deduction of domestic research and development expenditures favorably impact our cash flows from operating activities, our tax provision may be adversely impacted to the extent additional clarification or interpretive guidance related to the OBBBA is released, or if there are changes to our valuation allowance assessment related to CAMT. We may also be subject to additional tax liabilities and penalties due to changes in non-income based taxes resulting from changes in federal, state, local or international tax laws, changes in taxing jurisdictions’ administrative interpretations, decisions, policies and positions, results of tax examinations, settlements or judicial decisions, changes in accounting principles, or changes to our business operations, including as a result of acquisitions. Any resulting increase in our tax obligation or cash taxes paid could adversely affect our cash flows and financial results. We are also subject to tax examinations or engaged in alternative resolutions in multiple jurisdictions. While we regularly evaluate new information that may change our judgment resulting in recognition, derecognition or changes in measurement of a tax position taken, there can be no assurance that the final determination of any examinations will not have an adverse effect on our operating results or financial position. As our business continues to grow, increasing our brand recognition and profitability, we may be subject to increased scrutiny and corresponding tax disputes, which may impact our cash flows and financial results. Furthermore, our growing prominence may bring public attention to our tax profile, and if perceived negatively, may cause brand or reputational harm. Global tax developments may have a material impact to our business, cash flows, or financial results. For example, heightened interest in multinationals participating in the digital economy led many countries to adopt Pillar Two, a 15% corporate minimum tax proposed by the Organization for Economic Cooperation and Development (“OECD”). In January 2026, the OECD introduced new guidance including a "side-by-side safe harbor" which, if elected, exempts U.S. parented groups from certain provisions of Pillar Two. However, the election does not relieve foreign subsidiaries from certain jurisdiction specific minimum taxes. The guidance will need to be incorporated into local tax legislation to be effective.

We are subject to income taxes in the United States and various other jurisdictions. Significant judgment is often required in the determination of our worldwide provision for income taxes. Our effective tax rate could be impacted by changes in our earnings and losses in countries with differing statutory tax rates, changes in operations, changes in non-deductible expenses, changes in the tax effects of stock-based compensation expense, changes in the valuation of deferred tax assets and liabilities and our ability to utilize them, the applicability of withholding taxes, effects from acquisitions and changes in accounting principles and tax laws. Any changes, ambiguity or uncertainty in taxing jurisdictions’ administrative interpretations, decisions, policies and positions could also materially impact our income tax liabilities. We may also be subject to additional tax liabilities and penalties due to changes in non-income based taxes resulting from changes in federal, state, local or international tax laws, changes in taxing jurisdictions’ administrative interpretations, decisions, policies and positions, results of tax examinations, settlements or judicial decisions, changes in accounting principles, or changes to our business operations, including as a result of acquisitions. Any resulting increase in our tax obligation or cash taxes paid could adversely affect our cash flows and financial results. We are also subject to tax examinations or engaged in alternative resolutions in multiple jurisdictions. While we regularly evaluate new information that may change our judgment resulting in recognition, derecognition or changes in measurement of a tax position taken, there can be no assurance that the final determination of any examinations will not have an adverse effect on our operating results or financial position. As our business continues to grow, increasing our brand recognition and profitability, we may be subject to increased scrutiny and corresponding tax disputes, which may impact our cash flows and financial results. Furthermore, our growing prominence may bring public attention to our tax profile, and if perceived negatively, may cause brand or reputational harm. Global tax developments applicable to multinational businesses may have a material impact to our business, cash flows, or financial results. Such developments, for example, may include certain provisions introduced by certain Organization for Economic Co-operation and Development’s proposals including the implementation of the global minimum tax under the Pillar Two model rules, and the European Commission’s and certain major jurisdictions’ heightened interest in and taxation of 26 26 26 26 26 26 Table of Contents Table of Contents Table of Contents companies participating in the digital economy. Furthermore, governments’ responses to macroeconomic factors and tax revenue needs may lead to tax rule changes that could materially and adversely affect our cash flows and financial results.

We rely on third-party data center hosting facilities and cloud computing platform providers located in the United States and other countries, as well as the many different underlying networks and services that power the Internet, to deliver our products and services and operate critical business systems. We also rely on hardware purchased or leased from, software licensed from, and cloud computing platforms provided by third parties in order to offer our products and services, including database software, hardware and data from multiple vendors. Any disruption, degradation or failure of our systems, or those of the third parties on which we rely, could result in service interruptions and harm our business. We have experienced service interruptions and interruptions may occur in the future. As our reliance on these third-party systems increases, and particularly on third-party cloud computing platforms, our exposure to service interruptions and performance or quality issues may also increase. Service interruptions or other performance or quality issues may cause us to issue credits or pay penalties, cause customers to assert warranty or other claims or terminate their subscriptions, and adversely affect attrition rates and our ability to attract new customers, which could reduce revenue. Our business and reputation would also be harmed if our customers and potential customers perceive our services as unreliable. For many of our offerings, our production environment and customer data are replicated at geographically separate facilities. Certain offerings, including those added through acquisitions, may be delivered through alternate facilities or arrangements. We do not control the operation of any of these facilities, and they may be vulnerable to damage or interruption from events outside of our control, such as natural disasters or supply chain disruptions. Despite precautions taken at these facilities, such as disaster recovery and business continuity arrangements, unanticipated events, problems, operational failures 14 14 14 14 14 14 Table of Contents Table of Contents Table of Contents or other disruptions could result in prolonged service interruptions, and there can be no assurance that such interruptions would be remediated without significant cost, in a timely manner or at all. The hardware, software, data and cloud computing platforms that we rely on, including, for example, the large language models leveraged in our AI offerings, may not continue to be available at reasonable prices, on commercially reasonable terms or at all. Any loss of the right to use such hardware, software, data or cloud computing platforms could significantly increase our expenses and disrupt or delay the provision of our services until equivalent technology is either developed internally or obtained from third parties and integrated into our systems. There can be no assurance that such replacement technology would be available or implemented in a timely manner or at all. As we scale our operations, the volume and nature of data processed by our offerings continue to evolve, including as a result of the deployment of AI technologies, and our infrastructure capacity requirements, including network capacity, computing power and energy requirements, may increase as a result. Additionally, increased energy consumption, including as a result of AI adoption, climate-related events, energy market volatility, and power grid disruptions may increase the operational costs related to inputs across our value chain, including for data centers. If we experience significant strains on our data center capacity, whether due to insufficient infrastructure capacity or for other reasons outside of our control, our customers could experience performance degradation or service outages that may subject us to financial liabilities, result in customer losses, subject us to litigation and harm our reputation and business. As we add data centers and capacity and continue to move to cloud computing platform providers, we move or transfer our data and our customers’ data from time to time. Despite precautions taken during this process, any unsuccessful data transfers may impair the delivery of our services, which may damage our business.

We currently rely on third-party data center hosting facilities and cloud computing platform providers located in the United States and other countries, as well as the many different underlying networks and services that power the Internet, to deliver our products, services and business operations and to operate critical business systems. We also rely on computer hardware purchased or leased from, software licensed from, and cloud computing platforms provided by, third parties in order to offer our services, including database software, hardware and data from a variety of vendors. Any disruption or damage to, or failure of our systems generally, including the systems of third-party providers we rely on, could result in service interruptions and harm our business. We have from time to time experienced service interruptions and such interruptions may occur in the future. As we increase our reliance on these third-party systems, particularly with respect to third-party cloud computing platforms, our exposure to damage from service interruptions or other performance or quality issues may increase. Service interruptions or other performance or quality issues may cause us to issue credits or pay penalties, cause customers to make warranty or other claims against us or to terminate their subscriptions, and adversely affect our attrition rates and our ability to attract new customers, all of which would reduce our revenue. Our business and reputation would also be harmed if our customers and potential customers believe our services are unreliable. For many of our offerings, our production environment and customers’ data are replicated in a separate facility located elsewhere. Certain offerings, including some offerings of companies added through acquisitions, may be served through alternate facilities or arrangements. We do not control the operation of any of these facilities, and they may be vulnerable to damage or interruption from earthquakes, floods, fires, power loss, telecommunications failures and similar events. They may also be subject to break-ins, sabotage, intentional acts of destruction or vandalism or similar misconduct, as well as local administrative actions, changes to legal or permitting requirements and litigation to stop, limit or delay operation. In addition, supply chain disruptions due to geopolitical developments in Europe may lead to power disruptions in regions where our facilities are located. Despite precautions taken at these facilities, such as disaster recovery and business continuity arrangements, the occurrence of any of the foregoing events or risks, or a natural disaster or public health emergency, an act of terrorism, a decision to close the facilities without adequate notice or other unanticipated problems or operational failures at these facilities could result in lengthy service interruptions, and no assurance can be provided that any such interruptions would be remediated without significant cost or in a timely manner or at all. The hardware, software, data and cloud computing platforms that we rely on, including, for example, the large language models leveraged in our AI offerings, may not continue to be available at reasonable prices, on commercially reasonable terms or at all. Any loss of the right to use any of these hardware, software, data or cloud computing platforms could significantly increase our expenses and disrupt or otherwise result in delays in the provisioning of our services until equivalent technology is either developed by us, or, if available, is identified, obtained through purchase or license and integrated into our services, and no assurance can be provided that such equivalent technology would be developed or obtained in a timely manner or at all. As we scale our operations, the amount and type of information transferred on our offerings continues to evolve, including as a result of the deployment of AI technologies, and our infrastructure capacity requirements, including network capacity and computing power, may increase as a result. If we do not accurately plan for our infrastructure capacity requirements and we experience significant strains on our data center capacity, our customers could experience performance degradation or service outages that may subject us to financial liabilities, result in customer losses and harm our reputation and business. As we add data centers and capacity and continue to move to cloud computing platform providers, we move or transfer our data and our customers’ data from time to time. Despite precautions taken during this process, any unsuccessful data transfers may impair the delivery of our services, which may damage our business.

As part of our business strategy, we periodically acquire complementary businesses, joint ventures, services and technologies and intellectual property rights. We continue to evaluate such opportunities and expect to make such acquisitions and other transactions and arrangements in the future, which may involve numerous risks and could create unforeseen operating difficulties and expenditures, including: •potential failure to achieve the expected benefits on a timely basis or at all; •potential identified or unknown security vulnerabilities in acquired products or technologies that expose us to additional cybersecurity risks, delay integration into our service offerings, or create challenges in increasing or maintaining the security standards of the acquired technologies; •difficulty of transitioning the acquired technology onto our existing platforms; •brand or reputational harm associated with our acquired companies; •challenges converting the acquired company’s revenue recognition policies and forecasting the related revenues, including both consumption- and subscription-based revenues and term software license revenue; •in the case of foreign acquisitions, challenges with integrating operations across different cultures and languages and addressing the particular economic, currency, political, cybersecurity, regulatory and market risks associated with certain countries; •operational and financial difficulties and strains on resources in integrating acquired operations, technologies, services, platforms and personnel (including cultural integration and retention of employees); •regulatory challenges from antitrust or other regulatory authorities that may block, delay or impose conditions on the completion of transactions or the integration of acquired operations; •challenges with maintaining the acquired company’s customers, partners and third-party service providers; •known and potential unknown liabilities associated with the acquired businesses, including due to litigation; •difficulties in managing, or potential write-offs of, acquired assets, and potential financial and credit risks associated with acquired customers; •negative impact to our results of operations because of the depreciation and amortization of acquired intangible assets, fixed assets and operating lease right-of-use assets; •additional stock-based compensation issued or assumed in connection with the acquisition, including the impact on stockholder dilution and our results of operations; •ineffective or inadequate controls, procedures and policies at the acquired company; and •the tax effects related to integration and business operation changes, realizability of our deferred tax assets, and uncertain tax liabilities. 15 15 15 15 15 15 Table of Contents Table of Contents Table of Contents Any of these risks could harm our business or negatively impact our results of operations. In addition, to facilitate acquisitions, we may seek additional equity or debt financing, which may not be available on terms favorable to us or at all, which may affect our ability to complete subsequent acquisitions, and which may affect the risks of owning our common stock. If we finance acquisitions by issuing equity or convertible or other debt securities or taking out loans, our existing stockholders may be diluted, or we could face constraints related to the terms of, and repayment obligation related to, the incurrence of indebtedness that could affect our stock price. For example, in connection with our acquisition of Informatica, we entered into the Informatica Credit Agreements on an unsecured basis. In November 2025, the Company borrowed the full $6.0 billion available under the Informatica Credit Agreements to finance a portion of the cash consideration for the acquisition, repay existing indebtedness of Informatica and its subsidiaries, and pay related fees, costs, and expenses. For more information, see Note 9 “Debt” to the consolidated financial statements in Item 8 of Part 2. Our ability to acquire other businesses or technologies, or integrate acquired businesses effectively, may be impaired by trade tensions and increased global scrutiny of foreign investments and acquisitions in the technology sector. Governments may continue to adopt or tighten restrictions of this nature, some of which may apply to acquisitions or integrations of businesses by us, and such restrictions or government actions could negatively impact our business and financial results.

As part of our business strategy, we periodically acquire complementary businesses, joint ventures, services and technologies and intellectual property rights. We continue to evaluate such opportunities and expect to make such acquisitions in the future. Acquisitions and other transactions and arrangements involve numerous risks and could create unforeseen operating difficulties and expenditures, including: •potential failure to achieve the expected benefits on a timely basis or at all; •potential identified or unknown security vulnerabilities in acquired products that expose us to additional security risks or delay our ability to integrate the product into our service offerings, as well as difficulties in increasing or maintaining the security standards for acquired technology; 14 14 14 14 14 14 Table of Contents Table of Contents Table of Contents •difficulty of transitioning the acquired technology onto our existing platforms and customer acceptance of multiple platforms on a temporary or permanent basis; •brand or reputational harm associated with our acquired companies; •challenges converting the acquired company’s revenue recognition policies and forecasting the related revenues, including both consumption- and subscription-based revenues and term software license revenue, as well as appropriate allocation of the customer consideration to the individual deliverables; •challenges entering into new markets in which we have little or no experience or where competitors may have stronger market positions; •currency and regulatory risks associated with foreign countries and potential additional cybersecurity and compliance risks resulting from entry into new markets; •operational and financial difficulties and strains on resources in integrating acquired operations, technologies, services, platforms and personnel; •regulatory challenges from antitrust or other regulatory authorities that may block, delay or impose conditions (such as divestitures, ownership or operational restrictions or other structural or behavioral remedies) on the completion of transactions or the integration of acquired operations; •failure to fully assimilate, integrate or retrain acquired employees, which may lead to retention risk with respect to both key acquired employees and our existing key employees or disruption to existing teams or our workplace culture; •challenges with maintaining the acquired company’s customers, partners and third-party service providers; •known and potential unknown liabilities associated with the acquired businesses, including due to litigation; •difficulties in managing, or potential write-offs of, acquired assets, and potential financial and credit risks associated with acquired customers; •negative impact to our results of operations because of the depreciation and amortization of acquired intangible assets, fixed assets and operating lease right-of-use assets; •difficulties in and financial costs of addressing acquired compensation structures inconsistent with our compensation structure; •additional stock-based compensation issued or assumed in connection with the acquisition, including the impact on stockholder dilution and our results of operations; •ineffective or inadequate controls, procedures and policies at the acquired company; and •the tax effects related to integration and business operation changes, realizability of our deferred tax assets, and uncertain tax liabilities. Any of these risks could harm our business or negatively impact our results of operations. In addition, to facilitate acquisitions, we may seek additional equity or debt financing, which may not be available on terms favorable to us or at all, which may affect our ability to complete subsequent acquisitions, and which may affect the risks of owning our common stock. For example, if we finance acquisitions by issuing equity or convertible or other debt securities or loans, our existing stockholders may be diluted, or we could face constraints related to the terms of, and repayment obligation related to, the incurrence of indebtedness that could affect the market price of our common stock. Our ability to acquire other businesses or technologies, or integrate acquired businesses effectively, may be impaired by trade tensions and increased global scrutiny of foreign investments and acquisitions in the technology sector. For example, several countries, including the United States and countries in Europe and the Asia-Pacific region, are considering or have adopted restrictions of varying kinds on transactions involving foreign investments and acquisitions. Antitrust authorities in a number of countries have also reviewed acquisitions in the technology industry with increased scrutiny. Governments may continue to adopt or tighten restrictions of this nature, some of which may apply to acquisitions or integrations of businesses by us, and such restrictions or government actions could negatively impact our business and financial results.

•Any breaches in our security measures or those of our third-party data center providers, cloud computing platform providers, customers, partners, or other third-party vendors, or the underlying Internet infrastructure that cause unauthorized access to, disclosure, alteration, corruption, destruction or loss of customer data, our data or our IT systems, or disruption of authorized access thereto. •Any defects or disruptions in our services that diminish demand for our services. 11 11 11 11 11 11 Table of Contents Table of Contents Table of Contents •Any interruptions or delays in services from third parties, including data center hosting facilities, cloud computing platform providers and other hardware and software vendors, as well as Internet infrastructure, or from our inability to adequately plan for and manage service interruptions or infrastructure capacity requirements. •An inability to realize the expected business or financial benefits of company and technology acquisitions. •Strain on our personnel resources and infrastructure from supporting our existing and growing customer base or an inability to scale our operations and increase productivity. •Customer attrition, or our inability to accurately predict subscription renewals and upgrade rates. •Disruptions caused by periodic changes to our sales organization. •Exposure to risks inherent in international operations from sales to customers outside the United States. •A more time-consuming and expensive sales cycle, pricing pressure and implementation and configuration challenges for sales efforts to larger enterprise customers. •Any loss of key members of our management team or development and operations personnel, or inability to attract and retain employees necessary to support our operations and growth. •Any failure in the delivery of high-quality professional and technical support services related to our online applications.

•Any breaches in our security measures or those of our third-party data center hosting facilities, cloud computing platform providers or third-party service partners, or the underlying infrastructure of the Internet that cause unauthorized access to a customer’s data, our data or our IT systems, or the blockage or disablement of authorized access to our services. •Any defects or disruptions in our services that diminish demand for our services. •Any interruptions or delays in services from third parties, including data center hosting facilities, cloud computing platform providers and other hardware and software vendors, as well as internet availability, or from our inability to adequately plan for and manage service interruptions or infrastructure capacity requirements. •An inability to realize the expected business or financial benefits of company and technology acquisitions. •Strain on our personnel resources and infrastructure from supporting our existing and growing customer base or an inability to scale our operations and increase productivity. •Customer attrition, or our inability to accurately predict subscription renewals and upgrade rates. •Disruptions caused by periodic changes to our sales organization. •Exposure to risks inherent in international operations from sales to customers outside the United States. •A more time-consuming and expensive sales cycle, pricing pressure and implementation and configuration challenges as we target more of our sales efforts at larger enterprise customers. •Any loss of key members of our management team or development and operations personnel, or inability to attract and retain employees necessary to support our operations and growth. •Any failure in the delivery of high-quality professional and technical support services related to our online applications.

Due to the unpredictability of future general economic and financial market conditions, we may not be able to realize our projected revenue growth plans. We plan our expense and investment levels based on estimates of future revenue and future anticipated rate of growth. We may not be able to adjust our spending appropriately if the addition of new subscriptions or the renewals of existing subscriptions fall short of our expectations, and unanticipated events may cause us to incur expenses beyond what we anticipated. A portion of our expenses may also be fixed in nature for some minimum amount of time, such as with costs capitalized to obtain revenue contracts, data center and infrastructure service contracts or office leases, so it may not be possible to reduce costs in a timely manner, or at all, without the payment of fees to exit certain obligations early. Additionally, if sales through indirect channels or for consumption-based product offerings increase, this may lead to greater difficulty in forecasting revenue and anticipated rate of growth. As a result, our revenues, operating results and cash flows may 26 26 26 26 26 26 Table of Contents Table of Contents Table of Contents fluctuate significantly on a quarterly basis and revenue growth rates may not be sustainable and may decline in the future. If we are not able to provide continued operating margin expansion, our business could be harmed and our stock price could decline.

Due to the unpredictability of future general economic and financial market conditions, including from the global economic impact of ongoing conflicts, such as the war in Ukraine and the regional conflict in the Middle East; the pace of change and innovation in enterprise cloud computing services; the impact of foreign currency exchange rate fluctuations; uncertainty regarding changes in trade policy; changing interest rates and inflation; the growing complexity of our business, including the use of multiple pricing and packaging models and the increasing amount of revenue from term software license sales; and our increasing focus on enterprise cloud computing services, we may not be able to realize our projected revenue growth plans. We plan our expense and investment levels based on estimates of future revenue and future anticipated rate of growth. We may not be able to adjust our spending appropriately if the addition of new subscriptions or the renewals of existing subscriptions fall short of our expectations, and unanticipated events may cause us to incur expenses beyond what we anticipated. A portion of our expenses may also be fixed in nature for some minimum amount of time, such as with costs capitalized to obtain revenue contracts, data center and infrastructure service contracts or office leases, so it may not be possible to reduce costs in a timely manner, or at all, without the payment of fees to exit certain obligations early. Additionally, if sales through indirect channels or for consumption-based product offerings increase, this may lead to greater difficulty in forecasting revenue and anticipated rate of growth. As a result, our revenues, operating results and cash flows may fluctuate significantly on a quarterly basis and revenue growth rates may not be sustainable and may decline in the future. If we are not able to provide continued operating margin expansion, our business could be harmed and the market price of our common stock could decline.

Regulation related to the provision of services over the Internet continues to evolve, as federal, state and foreign governments adopt new, or modify existing, laws and regulations addressing data privacy, cybersecurity, data protection, data sovereignty and the collection, storage, hosting, transfer, use and other processing of data. The volume, complexity and scope of these regulatory requirements may continue to increase, including in response to heightened geopolitical tensions. In some cases, data privacy laws and regulations, such as the EU’s General Data Protection Regulation (“GDPR”), impose obligations directly on us as both a data controller and a data processor, as well as on many of our customers. In addition, domestic data privacy laws, such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), and similar laws that have passed, gone into effect or are being considered in numerous other U.S. states, impose obligations on us and many of our customers, potentially as both a covered business and service provider. These laws continue to evolve and expand, including through the adoption of new comprehensive data protection regimes such as India’s Digital Personal Data Protection Act 2023, and through the introduction of additional implementing rules and regulations in various jurisdictions. As a result, we and our customers may become subject to additional regulatory burdens. New EU laws, including the DSA, the Data Act and the AI Act, have also been adopted and, depending on how they are implemented, interpreted and enforced, may impose additional rules, restrictions or compliance requirements on the development, deployment or use of our products and services, including AI-enabled features. Historically, certain legal frameworks have provided safe harbors to companies that host or transmit content provided by others, including limitations on liability for monetary damages arising from copyright infringement or defamation based on customer-provided content. There is increasing legislative, regulatory and judicial scrutiny of these safe harbors, and ongoing legal efforts to repeal, narrow or limit these protections that were previously available to us. The loss or further erosion of these protections may require us to alter, limit or discontinue certain of our services, or may impose additional contractual terms on customers to mitigate potential liability for customer misconduct. 22 22 22 22 22 22 Table of Contents Table of Contents Table of Contents Compliance with these laws and regulations may require us to make changes to our practices, products or services to enable us or our customers to meet applicable legal requirements, and may increase our potential liability exposure through new or higher potential penalties, fines, investigations or litigation, including in connection with data breaches. Privacy and data protection laws and regulations are also subject to differing interpretations and may be inconsistent or conflicting across jurisdictions. These factors have increased scrutiny from customers, particularly those in the public sector and highly regulated industries and may be perceived differently from customer to customer. In addition, we may be subject to increased liability exposure or regulatory scrutiny related to the use of certain technologies associated with the collection, management or processing of data, including the use of cookies and similar technologies. These developments could reduce demand for our services, require us to take on more onerous contractual obligations, restrict our ability to store, transfer and otherwise process data or, in some cases, limit our or our customers’ ability to offer our services in certain locations, deploy our solutions, reach current or prospective customers, or derive insights from customer data on a global basis. For example, statutory damages available through a private right of action for certain data breaches under the CCPA may increase our and our customers’ potential liability exposure and the demands customers place on us. In July 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield Framework, one of the mechanisms that previously permitted transfers of personal data from the European Economic Area (“EEA”) to the United States. Even though the CJEU decision upheld the use of Standard Contractual Clauses (“SCCs”) as a lawful transfer mechanism, the decision created ongoing uncertainty regarding EU-to-U.S. data transfers. While the EU and U.S. governments have since adopted the EU-U.S. Data Privacy Framework to facilitate such transfers and address the concerns raised by the CJEU, it remains uncertain whether this framework will withstand future legal challenges. As a result, regulators may continue to interpret the CJEU’s decision and the reasoning underlying it as significantly restricting certain cross-border data transfers increasing the cost and complexity of providing our services in certain markets. Certain countries outside of the EEA have enacted or are considering enacting laws that require varying degrees of local data residency or localization. Additionally, recent governmental actions and geopolitical developments have increased the perceived risk that our services, particularly in the EU, could be disrupted, suspended or terminated. The costs of compliance with, and other burdens imposed by, privacy laws, regulations and standards may limit the use and adoption of our services, reduce overall demand for our services, make it more difficult to meet expectations from our commitments to customers and our customers’ customers, lead to significant fines, penalties or liabilities for noncompliance, impact our reputation or slow the pace at which we close sales transactions particularly where customers request specific warranties or broad indemnities for noncompliance with privacy laws, any of which could harm our business. In addition to government activity, privacy advocates and industry groups have established or may establish new self-regulatory standards or voluntary certification requirements that customers may expect us to meet. If we are unable to maintain required certifications or comply with such standards, our ability to provide our services to certain customers could be adversely affected. We have also observed increased private enforcement of data protection obligations, including through private actions for alleged noncompliance, which could result in litigation, harm to our business, reputational harm or liability. For example, in 2020 we were named as a defendant in a legal proceeding brought by a Dutch privacy advocacy group (the Privacy Collective) on behalf of certain Dutch citizens alleging violations of the GDPR and Dutch Telecommunications Act. Although the claims were initially dismissed, that decision was later reversed on appeal, and that matter remains pending before the Dutch Supreme Court. Although we believe we have strong defenses in these or similar matters, current or future claims of this nature could cause reputational harm or liability. In addition, a shift in consumers’ data privacy expectations or other social, economic or political developments could impact regulatory enforcement priorities, require our cooperation with regulators and increase the cost of compliance with applicable privacy regulations. Furthermore, the uncertain and evolving regulatory environment and broader trust climate may heighten concerns regarding data privacy, cybersecurity, and artificial intelligence, particularly where advanced analytics or automated functionality is involved, which could cause our customers or their end users to limit the data they provide or their use of our products and services. Even the perception that personal data is not adequately protected or that our products or services do not comply with applicable regulatory requirements could inhibit sales, reduce adoption of our offerings or otherwise adversely affect our business.

Regulation related to the provision of services over the Internet is evolving, as federal, state and foreign governments continue to adopt new, or modify existing, laws and regulations addressing data privacy, cybersecurity, data protection, data sovereignty and the collection, processing, storage, hosting, transfer and use of data, generally. In some cases, data privacy laws and regulations, such as the EU’s General Data Protection Regulation (“GDPR”), impose obligations directly on us as both a data controller and a data processor, as well as on many of our customers. In addition, domestic data privacy laws, such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), and laws that have recently passed and/or gone into effect in many other states similarly impose new obligations on us and many of our customers, potentially as both a covered business and service provider. These laws continue to evolve, including, for example, India’s Digital Personal Data Protection Act 2023, and as various jurisdictions introduce similar proposals, which often include subsequent rules and regulation, we and our customers become subject to additional regulatory burdens. New EU laws, including the DSA, the Data Act and the AI Act, may impose additional rules and restrictions on the use of our products and services. In addition, various safe harbors have historically been provided to those who hosted content provided by others, such as safe harbors from monetary damages for copyright infringement arising from copyrighted content provided by customers and others and for defamation and other torts arising from information provided by customers and others. There is an increasing demand for repealing or limiting these safe harbors by either judicial decision or legislation, and we have active legal proceedings that have been impacted by the repeal or limiting of safe harbors that were previously available to us. Loss of these safe harbors may require altering or limiting some of our services or may require additional contractual terms to avoid liabilities for our customers’ misconduct. Although we monitor the regulatory, judicial and legislative environment and have invested in addressing these developments, these laws may require us to make additional changes to our practices and services to enable us or our customers to meet the new legal requirements, and may also increase our potential liability exposure through new or higher potential penalties for noncompliance, including as a result of penalties, fines and lawsuits related to data breaches. Furthermore, privacy laws and regulations are subject to differing interpretations and may be inconsistent among jurisdictions. These and other requirements are causing increased scrutiny among customers, particularly in the public sector and highly regulated industries, and may be perceived differently from customer to customer. These developments could reduce demand for our services, require us to take on more onerous obligations in our contracts, restrict our ability to store, transfer and process data or, in some cases, impact our ability or our customers’ ability to offer our services in certain locations, to deploy our solutions, to reach current and prospective customers, or to derive insights from customer data globally. For example, in July 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield Framework, one of the mechanisms that allowed companies, including us, to transfer personal data from the European Economic Area (“EEA”) to the United States. Even though the CJEU decision upheld the Standard Contractual Clauses (“SCCs”) as an adequate transfer mechanism, the decision created uncertainty around the validity of all EU-to-U.S. data transfers. While the EU and U.S. governments have since adopted the EU-U.S. Data Privacy Framework to foster EU-to-U.S. data transfers and address the concerns raised in the aforementioned CJEU decision, it is uncertain whether this framework will be overturned in court like the previous two EU-U.S. bilateral cross-border transfer frameworks. As a result, regulators may continue to be inclined to interpret the CJEU’s decision, and the logic behind it, as significantly restricting certain cross-border transfers and the cost and complexity of providing our services in certain markets may increase. Certain countries outside of the EEA have also passed or are considering passing laws requiring varying degrees of local data residency. By way of further example, statutory damages available through a private right of action for certain data breaches under the CCPA, may increase our and our customers’ potential liability and the demands our customers place on us. The costs of compliance with, and other burdens imposed by, privacy laws, regulations and standards may limit the use and adoption of our services, reduce overall demand for our services, make it more difficult to meet expectations from our commitments to customers and our customers’ customers, lead to significant fines, penalties or liabilities for noncompliance, impact our reputation, or slow the pace at which we close sales transactions, in particular where customers request specific warranties and unlimited indemnity for noncompliance with privacy laws, any of which could harm our business. 22 22 22 22 22 22 Table of Contents Table of Contents Table of Contents In addition to government activity, privacy advocates and other industry groups have established or may establish new self-regulatory standards that may place additional burdens on our ability to provide our services globally. Our customers expect us to meet voluntary certification and other standards established by third parties. If we are unable to maintain these certifications or meet these standards, it could adversely affect our ability to provide our solutions to certain customers and could harm our business. In addition, we have seen a trend toward the private enforcement of data protection obligations, including through private actions for alleged noncompliance, which could harm our business and negatively impact our reputation. For example, in 2020 we were made a party to a legal proceeding brought by a Dutch privacy advocacy group (the Privacy Collective) on behalf of certain Dutch citizens that claims we violated the GDPR and Dutch Telecommunications Act through the processing and sharing of data in connection with our Audience Studio and Data Studio products. In December 2021, the Amsterdam District Court declared the Privacy Collective’s claims against us inadmissible and dismissed the case, however, this ruling was appealed by the Privacy Collective. The appeal hearing took place in the Amsterdam Court of Appeal in February 2024 and the appellate court reversed the district court’s judgment. We have appealed that appellate decision to the Dutch Supreme Court. We were also named as a defendant in a similar lawsuit brought in the UK, which has subsequently been dismissed. Although we believe we have a strong defense for these claims, these or similar future claims could cause reputational harm to our brand or result in liability. In addition, a shift in consumers’ data privacy expectations or other social, economic or political developments could impact the regulatory enforcement of privacy regulations, which could require our cooperation and increase the cost of compliance with the imposed regulations. Furthermore, the uncertain and shifting regulatory environment and trust climate may raise concerns regarding data privacy and cybersecurity, which may cause our customers or our customers’ customers to resist providing the data necessary to allow our customers to use our services effectively. In addition, new products we develop or acquire in connection with changing events may expose us to liability or regulatory risk. Even the perception that the privacy and security of personal information are not satisfactorily protected or do not meet regulatory requirements could inhibit sales of our products or services and could limit adoption of our cloud-based solutions.

Geopolitical crises, natural disasters or other catastrophic events have in the past and may in the future cause damage or disruption to our people, operations, international commerce and the global economy, and thus could have a strong negative effect on us. Our business operations, as well as the business operations of our customers and third-party providers or suppliers that we rely on, are subject to interruption by geopolitical crises, natural disasters, fire, power or water shutoffs or shortages, telecommunications failures, terrorist attacks, acts of violence, political and/or civil unrest, acts of war or other military actions, actual or threatened public health emergencies and other events beyond our control. For example, the occurrence of regional conflicts, epidemics or a global pandemic have in the past and may in the future materially affect how we and our customers operate our businesses, as well as our operating results and cash flows. Although we maintain crisis management and disaster response plans, if such catastrophic events occur it could make it difficult or impossible for us to deliver our services to our customers or negatively impact demand for our services, which could materially and adversely affect our financial condition and operating results.

Geopolitical crises, natural disasters or other catastrophic events have in the past and may in the future cause damage or disruption to our people, operations, international commerce and the global economy, and thus could have a strong negative effect on us. Our business operations, the business operations of third-party providers or suppliers that we rely on to conduct our business and the business operations of our customers are subject to interruption by geopolitical crises, natural disasters, fire, power or water shutoffs or shortages, telecommunications failures, terrorist attacks, acts of violence, political and/or civil unrest, acts of war or other military actions, actual or threatened public health emergencies and other events beyond our control. 30 30 30 30 30 30 Table of Contents Table of Contents Table of Contents For example, the occurrence of regional conflicts, epidemics or a global pandemic have in the past and may in the future materially affect how we and our customers operate our businesses, as well as our operating results and cash flows. Although we maintain crisis management and disaster response plans, such events could make it difficult or impossible for us to deliver our services to our customers, and could decrease demand for our services. Our corporate headquarters, and a significant portion of our personnel, research and development activities and other critical business operations, are located near major seismic faults in the San Francisco Bay Area. Because we do not carry earthquake insurance for direct earthquake-related losses and significant recovery time could be required to resume operations, our financial condition and operating results could be materially and adversely affected in the event of a major earthquake or catastrophic event, and the adverse effects of any such catastrophic event would be exacerbated if experienced at the same time as another unexpected and adverse event.

Our business depends, in part, on sales to government organizations, and significant changes in the contracting or fiscal policies of such government organizations could adversely affect our business and operating results. Contracting with federal, state, local and foreign governments or state-owned entities subjects us to various procurement regulations and other requirements relating to these contracts’ formation, administration and performance, and how we engage with government officials. Government contracts may also at times be modified or terminated for convenience. We are from time to time subject to audits, inquiries and investigations relating to our government contracts, which may result in adverse perceptions of our business, reductions in utilization of our services or termination of our contracts without cause and at any time. Additionally, any violations could result in various civil and criminal penalties and administrative sanctions, including termination of 25 25 25 25 25 25 Table of Contents Table of Contents Table of Contents contracts, refunding or suspending of payments, forfeiture of profits, payment of fines and suspension or debarment from future government business, as well as reputational harm. Additionally, our relationships with certain government entities may result in negative publicity or reputational harm. Furthermore, pressures on and uncertainty regarding the U.S. federal government’s budget and potential changes in budgetary priorities could adversely affect the funding for and purchases of our services by government organizations. The occurrence of any of the foregoing could adversely impact our future sales, costs of doing business and operating results.

Contracting with federal, state, local and foreign governments or state-owned entities subjects us to various procurement regulations and other requirements relating to these contracts’ formation, administration and performance, and how we engage with government officials. We are from time to time subject to audits, inquiries and investigations relating to our government contracts, which may result in adverse perceptions of our business, reductions in utilization of our services or termination of our contracts without cause and at any time. Additionally, any violations could result in various civil and criminal penalties and administrative sanctions, including termination of contracts, refunding or suspending of payments, forfeiture of profits, payment of fines and suspension or debarment from future government business, as well as reputational harm. Additionally, our contracting with certain government entities may result in negative publicity or reputational harm. Any of these risks related to contracting with governmental entities could adversely impact our future sales, costs of doing business and operating results.

We have in the past and may in the future identify defects in or experience disruptions to our services. Such issues may arise in a variety of circumstances, including from customers using our services in unanticipated ways that disrupt access for other customers; from employee, contractor or other third-party action or inaction; or from the complexity of our services, which incorporate a variety of hardware, proprietary software and third-party and open-source software. Across the industry, cloud services frequently contain undetected errors when first introduced or when new versions or enhancements are released. We have experienced and may in the future experience defects in our, our customers’, or third-party vendors’ products and components, which may create vulnerabilities that inadvertently permit unauthorized access to protected customer data. We can provide no assurance that such defects or vulnerabilities will not occur in the future, have a material adverse effect on our business or subject us to substantial liability. Vulnerabilities in open-source, proprietary or third-party products and components can persist even after security patches have been issued if updates are not timely implemented or if threat actors exploit vulnerabilities before remediation is complete. In some cases, vulnerabilities may not be immediately detected, which may make it difficult to recover critical services and lead to damaged assets. Since our customers rely on our products and services for important aspects of their operations, errors, defects, service disruptions or other performance issues have in the past adversely impacted our customers and could do so in the future. As a result, customers could elect to not renew their services, delay or withhold payment or make warranty or other claims against us. Such outcomes could reduce future sales, increase in our allowance for doubtful accounts, increase collection cycles and expose us to litigation and related expenses.

We have in the past and may in the future find defects in or experience disruptions to our services. Such issues may arise in a variety of circumstances, including due to our customers using our services in unanticipated ways that may cause a disruption in services for other customers attempting to access their data; as a result of employee, contractor or other third-party action or inaction; or due to the complexity of our services, which incorporate a variety of hardware, proprietary software and third-party and open-source software. Across the industry, cloud services frequently contain undetected errors when first introduced or when new versions or enhancements are released. We may also encounter difficulties integrating acquired or licensed technologies into our services and in augmenting the technologies we use to meet quality standards that are consistent with our brand and reputation, which may result in our services containing errors or defects. We have experienced and may in the future experience defects in our products that create vulnerabilities that inadvertently permit access to protected customer data. We can provide no assurance that such product defects or other vulnerabilities will not occur in the future, have a material adverse effect on our business or subject us to substantial liability. Vulnerabilities in open source or any proprietary or third-party product can persist even after security patches have been issued if customers have not installed the most recent updates, or if the attackers exploited the vulnerabilities before patching was complete. In some cases, vulnerabilities may not be immediately detected, which may make it difficult to recover critical services and lead to damaged assets. Since our customers use our services for important aspects of their business, errors, defects, disruptions in service or other performance problems have in the past adversely impacted our customers’ businesses and could do so in the future. As a result, customers could elect to not renew our services or delay or withhold payment to us. We could also lose future sales or customers may make warranty or other claims against us, which could result in an increase in our allowance for doubtful accounts, an increase in collection cycles for accounts receivable or the expense and risk of litigation. 13 13 13 13 13 13 Table of Contents Table of Contents Table of Contents

Our certificate of incorporation and bylaws contain provisions that could depress our stock price by acting to discourage, delay or prevent a change in control of the Company or changes in our management that our stockholders may deem advantageous. These provisions among other things: •permit the Board to establish the number of directors; •authorize the issuance of “blank check” preferred stock that our board could use to implement a stockholder rights plan (also known as a “poison pill”); •prohibit stockholder action by written consent, requiring all stockholder actions to be taken at a stockholder meeting; •permit the Board to make, alter or repeal our bylaws; and •establish advance notice requirements for nominations for election to our board or for proposing matters that can be acted upon by stockholders at annual stockholder meetings. In addition, Section 203 of the Delaware General Corporation Law may discourage, delay or prevent a change in control of our company. Section 203 imposes certain restrictions on merger, business combinations and other transactions between us and holders of 15 percent or more of our common stock.

Our amended and restated certificate of incorporation and bylaws contain provisions that could depress the market price of our common stock by acting to discourage, delay or prevent a change in control of the Company or changes in our management that the stockholders of the Company may deem advantageous. These provisions among other things: •permit the Board to establish the number of directors; •authorize the issuance of “blank check” preferred stock that our board could use to implement a stockholder rights plan (also known as a “poison pill”); •prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders; •provide that the Board is expressly authorized to make, alter or repeal our bylaws; and •establish advance notice requirements for nominations for election to our board or for proposing matters that can be acted upon by stockholders at annual stockholder meetings. In addition, Section 203 of the Delaware General Corporation Law may discourage, delay or prevent a change in control of our company. Section 203 imposes certain restrictions on merger, business combinations and other transactions between us and holders of 15 percent or more of our common stock.

Equality and sustainability are core values of the Company. In furtherance of these values, we have in the past and may in the future establish and disclose quantitative and qualitative statements related to equality and sustainability matters, which are subject to numerous risks and dependencies. The proliferation of regulations and guidance addressing climate, human capital and other topics at the regional, state and national levels has required and may continue to require significant effort and resources, and our practices, processes and controls may not ensure compliance with evolving standards. Further, various regulations or guidance may conflict with each other, making universal compliance challenging as a multinational company, and our status as a government contractor in various jurisdictions, including but not limited to the U.S. where we are headquartered, may also result in greater exposure or differentiated obligations or requirements with which we would seek to comply. The standards and frameworks for tracking and reporting on these matters continue to evolve, and our use, interpretation or application of such frameworks and standards may change from time to time or differ from those of other companies, which may result in a lack of consistent or meaningful comparative data from period to period or between Salesforce and other companies. In addition, our practices and disclosures may not satisfy, appropriately respond to the concerns of or be supported by all investors, customers, partners, regulators, enforcement authorities or other stakeholders, whose expectations and requirements are evolving, varied, and oftentimes conflicting. Any violation of, non-compliance with or failure to meet such expectations or requirements, or negative publicity related to our practices or disclosures, could result in harm to our reputation, our ability to attract or retain employees, and our attractiveness as an investment, business partner, acquiror or service provider, could expose us to increased scrutiny or to regulatory or enforcement actions or litigation, and could cause us to incur increased costs to address or defend against such actions.

Equality and sustainability are core values of the Company. In furtherance of these values, we have in the past and may in the future establish and disclose quantitative and qualitative statements related to ESG matters, which are aspirational and subject to numerous risks and dependencies. The proliferation of regulations addressing climate, human capital and other ESG topics at the regional, state, national and international levels has required and may continue to require significant effort and resources, and our practices, processes and controls may not ensure compliance with evolving standards. Further, various regulations may conflict with each other, making universal compliance challenging as a multinational company, and our status as a government contractor in various jurisdictions, including but not limited to the U.S. where we are headquartered, may also result in greater exposure or differentiated obligations or requirements with which we would seek to comply. The standards and frameworks for tracking and reporting on ESG matters continue to evolve, and our use, interpretation or application of such frameworks and standards may change from time to time or differ from those of other companies, which may result in a lack of consistent or meaningful comparative data from period to period or between Salesforce and other companies. In addition, our ESG practices and disclosures may not satisfy, appropriately respond to the concerns of or be supported by all investors, customers, partners, regulators, enforcement authorities or other stakeholders (including those in support of and those in 21 21 21 21 21 21 Table of Contents Table of Contents Table of Contents opposition to various ESG practices), whose expectations and requirements are evolving and varied. Any violation of, non-compliance with or failure to meet such expectations or requirements, or negative publicity related to our ESG practices or disclosures, could result in harm to our reputation, our ability to attract or retain employees, and our attractiveness as an investment, business partner, acquiror or service provider, could expose us to increased scrutiny or criticism or to regulatory or enforcement actions or litigation, and could cause us to incur increased costs to address or defend against such actions.

While we seek to mitigate our business risks associated with climate change by establishing appropriate environmental programs and partnering with organizations who are focused on mitigating their own climate-related risks, there are inherent climate-related risks where our business is conducted. In particular, increased energy consumption, including as a result of AI-related growth, climate-related events, energy market volatility, and power grid disruptions, may increase the operational costs related to inputs across our value chain, including for data centers. Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our offices globally are projected to continue to experience climate-related events at increased frequency, including drought, water scarcity, heat waves, cold waves, flooding, wildfires and resultant air quality impacts and power shutoffs. These events in turn have impacts on inflation risks, the cost and availability of insurance, food security, water security (including for water availability for data center cooling), energy security and on our employees’ health, productivity and well-being. Changing market dynamics, global policy developments and the increasing frequency and impact of extreme weather events on critical infrastructure in the United States and elsewhere have the potential to disrupt our business, as well as the business of the companies we invest in, third-party providers or suppliers that we rely on, and our customers, and may cause us to experience higher attrition, losses and additional costs to maintain or resume operations. 30 30 30 30 30 30 Table of Contents Table of Contents Table of Contents

While we seek to mitigate our business risks associated with climate change by establishing appropriate environmental programs and partnering with organizations who are also focused on mitigating their own climate-related risks, there are inherent climate-related risks where our business is conducted. Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our offices globally have historically experienced, and are projected to continue to experience, climate-related events at an increasing frequency, including drought, water scarcity, heat waves, cold waves, flooding, wildfires and resultant air quality impacts and power shutoffs associated with climate-related events. These events in turn have impacts on inflation risks, the cost and availability of insurance, food security, water security (including for water availability for data center cooling), energy security and on our employees’ health, productivity and well-being. Furthermore, it is more difficult to mitigate the impact of these events on our employees working remotely or at client sites. Changing market dynamics, global policy developments and the increasing frequency and impact of extreme weather events on critical infrastructure in the United States and elsewhere have the potential to disrupt our business, the business of companies we invest in, the business of third-party providers or suppliers that we rely on to conduct our business and the business of our customers, and may cause us to experience higher attrition, losses and additional costs to maintain or resume operations. In particular, climate-related events, energy market volatility, and power grid disruptions may increase the operational costs related to inputs across our value chain, including for data centers. Perceived associations with data centers’ growing energy demand or data center/AI-related changes to existing environmental pledges in certain jurisdictions may also result in increased targeting of our sites and operations by activists. Additionally, failure to uphold, meet or make timely forward progress against our public commitments and goals related to climate action could adversely impact the resilience of our business to the impacts of climate-related events. 31 31 31 31 31 31 Table of Contents Table of Contents Table of Contents

•An inability to compete effectively in the intensely competitive markets in which we participate. •Any failure to expand our services and to develop and integrate our existing services in order to keep pace with technological developments. •An inability to maintain and enhance our brands. •Partial or complete loss of invested capital, or significant changes in the fair value, of our strategic investment portfolio. •Any discontinuance by third-party developers and vendors in embracing our technology delivery model and enterprise cloud computing services, or customers asking us for warranties for third-party applications, integrations, data and content. •Social, ethical, and regulatory issues, including the development, deployment, use or capabilities of AI in our offerings. •The evolving landscape related to environmental, social and governance matters.

•An inability to compete effectively in the intensely competitive markets in which we participate. •Any failure to expand our services and to develop and integrate our existing services in order to keep pace with technological developments. •An inability to maintain and enhance our brands. •Partial or complete loss of invested capital, or significant changes in the fair value, of our strategic investment portfolio. •Any discontinuance by third-party developers and providers in embracing our technology delivery model and enterprise cloud computing services, or customers asking us for warranties for third-party applications, integrations, data and content. •Social and ethical issues, including the use or capabilities of AI in our offerings. 11 11 11 11 11 11 Table of Contents Table of Contents Table of Contents •The evolving landscape related to ESG matters.

Our quarterly results have fluctuated, and are likely to fluctuate in the future, as a result of a number of known and unknown factors, including: the factors described in this Item 1, Part 1A of this Annual Report; the cyclical nature and seasonality of our sales cycle and our customers’ businesses, especially our Commerce service offering customers; the global economic impact of geopolitical events, including ongoing conflicts and uncertainty about the interest rate environment; the timing of contract execution and term software license sales; the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business; the timing of commission, bonus and other compensation payments to 28 28 28 28 28 28 Table of Contents Table of Contents Table of Contents employees; expenses related to our real estate or changes in the nature or extent of our use of existing real estate, including our office leases and data centers; expenses related to significant, unusual or discrete events, which are recorded in the period in which the events occur, including litigation or other dispute-related settlement payments; and equity or debt issuances, including as consideration in or in conjunction with acquisitions. In addition, our fiscal fourth quarter has historically been our strongest quarter for new business and renewals, and the year-over-year compounding effect of this seasonality in billing patterns and overall new business and renewal activity causes the value of invoices that we generate in the fourth quarter to continually increase in proportion to our billings in the other three quarters of our fiscal year. As a result, our fiscal first quarter has typically been our largest collections and operating cash flow quarter. Many of these factors are outside of our control, and the occurrence of one or more of them might negatively and materially impact our operating results.

Our quarterly results are likely to fluctuate. Fluctuations have occurred due to known and unknown risks, such as the global economic impact of ongoing conflicts, including the war in Ukraine and the regional conflict in the Middle East, and uncertainty about the interest rate environment. In addition, our fiscal fourth quarter has historically been our strongest quarter for new business and renewals, and the year-over-year compounding effect of this seasonality in billing patterns and overall new business and renewal activity causes the value of invoices that we generate in the fourth quarter to continually increase in proportion to our billings in the other three quarters of our fiscal year. As a result, our fiscal first quarter has typically in the past been our largest collections and operating cash flow quarter. Additionally, some of the important factors that may cause our revenues, operating results and cash flows to fluctuate from quarter to quarter include: •general economic or geopolitical conditions, including the impacts of the war in Ukraine and the regional conflict in the Middle East; financial market conditions; uncertainty regarding the imposition of and changes in trade policies, including trade wars, tariffs or other trade restrictions or the threat of such actions; and increasing costs of operation; •our ability to retain and increase sales to existing customers, attract new customers and satisfy our customers’ requirements, including large enterprise customers; •the attrition rates for our services; •the size and productivity of our workforce, as well as the cost to recruit and train new employees; •the length of the sales cycle for our services; •new product and service introductions by our competitors; •changes in unearned revenue and remaining performance obligation; •our ability to realize benefits from strategic partnerships, acquisitions or investments; •our ability to execute and realize benefits from restructuring actions and other workforce reductions, or any similar actions taken in the future; •variations in the revenue mix of our services and growth rates of our subscription and support offerings; •the seasonality of our sales cycle, as well as timing of contract execution and term software license sales; •the lack of certainty regarding customer usage and associated costs for consumption-based product offerings; •changes in and expenses associated with our pricing policies and terms of contracts; •the seasonality of our customers’ businesses, especially our Commerce service offering customers; •fluctuations in foreign currency exchange rates; •the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business; •the timing of commission, bonus and other compensation payments to employees; •the cost, timing and management effort required for the introduction of new features to our services; •the costs associated with acquiring and integrating new businesses and technologies; •expenses related to our real estate or changes in the nature or extent of our use of existing real estate, including our office leases and our data center capacity and expansion; •timing of additional investments in our enterprise cloud computing application and platform services and in our consulting services; •expenses related to significant, unusual or discrete events, which are recorded in the period in which the events occur, including litigation or other dispute-related settlement payments; 28 28 28 28 28 28 Table of Contents Table of Contents Table of Contents •income tax effects resulting from, but not limited to, tax law changes, court decisions on tax matters, global tax developments applicable to multinational corporations, changes in operations or business structures and acquisition activity; •the timing of stock awards to employees and payroll and other withholding tax expenses; •technical difficulties or service interruptions; •changes in interest rates and our mix of investments, which impact the return on our investments in cash and marketable securities; •changes in the fair value of our strategic investments, including changes due to impairments, particularly in periods of significant market fluctuations; •equity or debt issuances, including as consideration in or in conjunction with acquisitions; •evolving regulations of cloud computing, AI and cross-border data transfer restrictions and similar regulations; and •regulatory compliance and acquisition costs. Many of these factors are outside of our control, and the occurrence of one or more of them might negatively and materially impact our operating results. If we fail to meet or exceed operating results expectations or if securities analysts and investors have estimates and forecasts of our future performance that are unrealistic or that we do not meet, the market price of our common stock could decline. In addition, if one or more of the securities analysts who cover us adversely change their recommendations regarding our stock, the market price of our common stock could decline.

17 17 17 17 17 17 Table of Contents Table of Contents Table of Contents We may face greater costs, longer sales cycles, greater competition and less predictability in completing some of our sales to large enterprise customers, including governmental entities and customers in regulated industries. In these market segments, the customer’s decision to use our services is often an enterprise-wide decision and may require us to provide greater levels of education regarding the use and benefits of our services, as well as address other concerns, such as heightened privacy and data protection requirements. In addition, larger enterprise customers and governmental entities often demand more configuration, integration services and features. These sales opportunities often require us to devote greater sales support and professional services resources to individual customers, driving up costs and time required to complete sales and diverting our own sales and professional services resources to a smaller number of larger transactions, while potentially requiring us to delay revenue recognition on some of these transactions until the technical or implementation requirements have been met. Pricing and packaging strategies for enterprise and other customers for our existing and future service offerings, including for our AI offerings such as Agentforce, may not be widely accepted by new or existing customers. Our adoption of or failure to adopt, as well as the manner and time of, changes to our pricing and packaging models and strategies may harm our business.

As we target more of our sales efforts at larger enterprise customers, including governmental entities, and specific industries, such as financial services and healthcare and life sciences, we may face greater costs, longer sales cycles, greater competition and less predictability in completing some of our sales. In these market segments, the customer’s decision to use our services is often an enterprise-wide decision and, if so, may require us to provide greater levels of education regarding the use and benefits of our services, as well as addressing concerns regarding privacy and data protection laws and regulations of prospective customers with international operations or whose own customers operate internationally. In addition, larger customers and governmental entities often demand more configuration, integration services and features. As a result of these factors, these sales opportunities often require us to devote greater sales support and professional services resources to individual customers, driving up costs and time required to complete sales and diverting our own sales and professional services resources to a smaller number of larger transactions, while potentially requiring us to delay revenue recognition on some of these transactions until the technical or implementation requirements have been met. Pricing and packaging strategies for enterprise and other customers for our existing and future service offerings, including for our AI offerings such as Agentforce, may not be widely accepted by new or existing customers. We offer certain products, such as Agentforce and Data Cloud, through a consumption-based pricing model, and we have limited experience with determining the optimal pricing for our consumption-based contracts. Due to customer flexibility in the timing of their consumption, we could have lower levels of customer consumption of our products than we expect may result in suboptimal 17 17 17 17 17 17 Table of Contents Table of Contents Table of Contents pricing for consumption-based contracts. Our adoption of or failure to adopt, as well as the manner and time of, changes to our pricing and packaging models and strategies may harm our business.

•Fluctuations in our quarterly results. •Volatility in our stock price and associated litigation. 12 12 12 12 12 12 Table of Contents Table of Contents Table of Contents •Provisions in our governing documents and Delaware law that might discourage, delay or prevent a change of control of the Company or changes in our management.

•Fluctuations in our quarterly results. •Volatility in the market price of our common stock and associated litigation. •Provisions in our certificate of incorporation and bylaws and Delaware law that might discourage, delay or prevent a change of control of the Company or changes in our management.

If our security measures, or those of our third-party data center providers, cloud computing platform providers, customers, partners, other third-party vendors or the underlying Internet infrastructure, are breached or otherwise compromised, resulting in the unauthorized access to, disclosure, alteration, corruption, destruction or loss of customer data, our data or our IT systems, or disruption of authorized access thereto, our services may be perceived as insecure, customers may reduce or terminate their use of our services, and we may incur significant reputational harm, legal liability, regulatory scrutiny or a negative financial impact. Our services involve the storage and transmission of our customers’ and our customers’ customers’ proprietary and other sensitive data, including financial, health and other personal information. Our services and underlying infrastructure have in the past and may in the future be breached or compromised, including, for example, as a result of the following: •attempts to fraudulently induce our employees, customers, partners, or third-party vendors to disclose sensitive information to gain unauthorized access to our or our customers’ data or IT systems; •efforts by threat actors, including criminal organizations, state-sponsored actors and nation-states, to launch coordinated cyberattacks or supply chain attacks on our infrastructure or that of our third-party vendors, including through ransomware, destructive malware, distributed denial-of-service attacks or exploitation of previously unknown “zero-day” vulnerabilities; •attempts to misuse our marketing, advertising, messaging or social products and functionalities to impersonate persons or organizations and disseminate information that is false, misleading or malicious; •vulnerabilities arising from new technologies and infrastructures, including those from acquisitions, enhancements and updates to our existing products, and the adoption and deployment of AI technologies within our products, services, internal systems, which may introduce novel security, data governance, or operational risks; •vulnerabilities in products or components within the broad ecosystem in which our services operate and upon which they depend; •attacks on, or vulnerabilities in, the underlying networks and services that power the Internet on which our products depend, most of which are not under our control or the control of our third-party vendors, partners or customers; and •employee or contractor errors, omissions or intentional acts that compromise our security systems. Although we devote significant resources to protecting our data and IT systems, we can provide no assurances that our security measures, including systems and processes designed to protect the confidentiality, integrity and availability of our customers’ and our customers’ customers’ proprietary and sensitive data, will be effective or that a material cybersecurity incident will not occur. Our ability to mitigate these risks may be impacted by the following: •evolving and increasingly sophisticated techniques used to breach or disrupt IT systems and infrastructure, including the use or exploitation of AI technologies by threat actors to accelerate, scale or personalize cyberattacks, which may increase speed and effectiveness and limit our ability to anticipate, detect or mitigate such threats; •the increasing complexity of our internal IT systems as we integrate acquired businesses and adopt new technologies and data-sharing models; and •our limited control over our customers, partners, and third-party vendors (including those authorized by customers to access their data), or over the processing of data by such third parties, which may limit our ability to maintain the integrity or security of such transmissions or processing. In the normal course of business, we and our customers are and have been the target of malicious cyberattacks and other security threats. Although to date we have not identified any security incidents involving our systems that have had a material financial impact on us, there can be no assurance that future incidents will not be material or significant. As our market presence grows, we may face increased risks of cyberattacks and other security threats. Additionally, as AI technologies, including generative and agentic AI, continue to evolve, threat actors are using and exploiting these technologies to enhance the sophistication, scale, speed and effectiveness of security threats that may be more difficult to detect and defend against. Any delay in detecting, containing, or remediating a cybersecurity incident may result in additional harm, and in certain cases the full scope and impact of any such incident may not be immediately apparent. 13 13 13 13 13 13 Table of Contents Table of Contents Table of Contents A cybersecurity incident could result in unauthorized access to, or the loss or denial of authorized access to, our IT systems or data, or those of our customers, including intellectual property and other proprietary, sensitive or confidential information. We are subject to contractual, regulatory and other legal obligations to notify relevant stakeholders of certain security incidents. For example, SEC rules require disclosure on Form 8-K of the nature, scope and timing of any material cybersecurity incident and the reasonably likely impact of such incident. Assessing whether an incident is material or reportable may require complex judgment and investigation, and disclosure of an incident may itself adversely affect our reputation, customer relationships and exposure to legal or regulatory proceedings. A security incident or related disclosure could result in loss of confidence in the security of our services, harm our reputation, negatively impact future sales, disrupt our business operations, increase insurance premiums and result in legal, regulatory and financial liability. Additionally, it may take considerable time for us to investigate and evaluate the full impact of cybersecurity attacks, particularly for sophisticated attacks, which may inhibit our ability to provide prompt, full and reliable information about the incident to our customers, regulators and the public. Further, there can be no assurance that our insurance coverage will be sufficient in type or amount to cover the losses arising from a cybersecurity incident. In addition, prevention, detection, investigation and remediation of actual or suspected vulnerabilities or incidents, including determining whether notification or disclosure is required, may not be straightforward, may result in significant direct and indirect costs, including increased infrastructure and security spending and the diversion of resources from development activities.

Our services involve the storage and transmission of our customers’ and our customers’ customers’ proprietary and other sensitive data, including financial, health and other personal information. Our services and underlying infrastructure may in the future be materially breached or compromised as a result of the following: •third-party attempts to fraudulently induce our employees, partners or customers to disclose sensitive information to gain access to our customers’ data or IT systems, or our data or our IT systems; •efforts by hackers or sophisticated groups, such as criminal organizations, state-sponsored organizations or nation-states, to launch coordinated cyberattacks on internally built infrastructure or on third-party cloud-computing platform providers, including ransomware, destructive malware and distributed denial-of-service attacks; •third-party attempts to abuse our marketing, advertising, messaging or social products and functionalities to impersonate persons or organizations and disseminate information that is false, misleading or malicious; •vulnerabilities existing within new technologies and infrastructures, including those from acquired companies, or resulting from enhancements and updates to our existing service offerings; •vulnerabilities in the products or components across the broad ecosystem that our services operate in conjunction with and are dependent on; •attacks on, or vulnerabilities in, the many different underlying networks and services that power the Internet that our products depend on, most of which are not under our control or the control of our vendors, partners or customers; and 12 12 12 12 12 12 Table of Contents Table of Contents Table of Contents •employee or contractor errors or intentional acts that compromise our security systems. These risks are mitigated, to the extent possible, by our ability to maintain and improve business and data governance policies and enhance processes and internal security controls, including our ability to escalate and respond to known and potential risks. We can provide no assurances that our security measures, including implemented systems and processes designed to protect our customers’ and our customers’ customers’ proprietary and other sensitive data, will provide absolute security or otherwise be effective or that a material breach will not occur. For example, our ability to mitigate these risks may be impacted by the following: •evolving techniques used to breach or sabotage IT systems and infrastructure, including as a result of the increased use of AI technologies by bad actors, which are generally not recognized until launched against a target, and could result in our being unable to anticipate or implement adequate measures to prevent such techniques; •the increasing complexity of our internal IT systems as we incorporate and secure IT environments from acquired companies and early adoption of new technologies and new ways of sharing data; and •our limited control over our customers or third-party technology providers (including those authorized by customers to access their data), or the processing of data by third-party technology providers, which may not allow us to maintain the integrity or security of such transmissions or processing. In the normal course of business, we are and have been the target of malicious cyberattacks and have experienced other security incidents. Although, to date, such identified security events have not had a material financial impact, there can be no assurance that future cyberattacks will not be material or significant. Additionally, as our market presence grows, we may face increased risks of cyberattacks or security threats, and as AI technologies, including generative AI models, develop rapidly, threat actors are using these technologies to create new sophisticated attack methods that are increasingly automated, targeted and coordinated and more difficult to defend against. A security breach or incident could result in unauthorized parties obtaining access to, or the denial of authorized access to, our IT systems or data, or our customers’ systems or data, including intellectual property and proprietary, sensitive or other confidential information. We have contractual and other legal obligations to notify relevant stakeholders of security breaches. For example, SEC rules require disclosure on Form 8-K of the nature, scope and timing of any material cybersecurity incident and the reasonably likely impact of any such incident. A security breach or resulting mandatory disclosure could result in a loss of confidence in the security of our services, damage our reputation, negatively impact our future sales, disrupt our business and lead to increases in insurance premiums and legal, regulatory and financial exposure and liability. Further, there can be no assurance that our insurance coverage will be sufficient to cover the financial, legal, business, or reputational losses that may result from a cybersecurity incident or breach of our IT systems. Finally, the detection, prevention and remediation of known or potential security vulnerabilities, including determining whether a cybersecurity incident is notifiable or reportable, may not be straightforward and may result in additional financial burdens due to additional direct and indirect costs to respond to or alleviate problems caused by the actual or perceived security breach, such as additional infrastructure capacity spending to mitigate any system degradation and the reallocation of resources from development activities.

Policies we adopt or choose not to adopt, on social and ethical issues, particularly regarding the development, deployment or use of our products, may be viewed as controversial by employees, customers, potential customers, or regulators who have varied, evolving and oftentimes conflicting expectations. These perceptions have in the past, and may in the future, impact our ability to attract or retain employees and customers and may result in negative publicity or reputational harm. Our decisions about whether to conduct business with potential customers, or whether to continue or expand relationships with existing customers, may also impact our stakeholder relationships and reputation. Actions taken by our customers or employees, including through the use or misuse of our products or technologies for unlawful activities, improper information sharing or other harmful purposes, may result in reputational harm, regulatory scrutiny or legal liability. Regulatory frameworks such as the EU Digital Services Act (“DSA”), the EU AI Act and other rapidly evolving and sometimes conflicting global laws and regulations related to AI, privacy and consumer protection could increase compliance costs, restrict features or data flows, delay launches and expose us to penalties or litigation. We are increasingly building AI into many of our offerings, including generative and agentic AI. As with many technical innovations, AI offerings, such as Agentforce, and our Agentforce 360 Platform present additional risks and challenges that could affect customer adoption and therefore our business. For example, the development and deployment of AI offerings, including those involving information regarding our customers’ customers, raise emerging ethical, legal and operational considerations. If we enable or offer solutions that draw controversy due to their perceived or actual impact on human rights, privacy, employment or other social concerns, we may experience new or heightened governmental or regulatory scrutiny, investigations, enforcement actions, fines or penalties and reputational or competitive harm. As we develop and deploy AI applications in our products and services, including in customer-facing contexts, the speed, scale and complexity of related data processing may increase. AI applications may be targeted or misused, or may perform in ways that are inaccurate, biased, unreliable or otherwise harmful, or that implicate personal or proprietary data in ways that may be difficult to anticipate, detect or control. Such issues could result in regulatory scrutiny, litigation, contractual disputes, loss of customer trust or reputational harm. Inadequate or ineffective AI development, testing, deployment, content labeling, governance, monitoring or oversight, whether by us or others, could result in our AI applications not operating as intended or with reduced functionality, reduced acceptance of our products and services or diminished confidence in the decisions, predictions, analysis or other content that our AI applications produce. Such risks may be heightened as AI applications are integrated into a broader range of our products and services. This could subject us to regulatory scrutiny, competitive harm, legal liability and reputational damage. We may rely in part on third-party models, datasets, cloud infrastructure or other technologies in developing or offering certain AI applications. Our reliance on such third parties exposes us to risks relating to performance, availability, security vulnerabilities, intellectual property claims, licensing restrictions, cost increases or changes in terms of service. If a third-party provider modifies, suspends or terminates access to its models, data or infrastructure, or if such technologies fail to perform as expected, our ability to offer, scale or support certain AI applications may be adversely affected, and we may incur additional costs to mitigate such impacts. The rapid evolution of AI technologies and related regulatory requirements will require the allocation of significant resources to develop, test, monitor and maintain our products and services in order to comply with applicable laws and regulations and to address concerns relating to accuracy, bias, transparency, explainability, security and data provenance. Uncertainty surrounding new and emerging AI applications, including generative AI content creation and AI agents, may require additional investment in compliance programs, governance frameworks, licensing arrangements, documentation, auditing and risk mitigation processes, which may be complex, costly and could impact our profit margins. Moreover, 21 21 21 21 21 21 Table of Contents Table of Contents Table of Contents expansion of our AI capabilities to content generation, including through Agentforce and other generative AI offerings, introduces additional risks and responsibilities. AI technologies may produce content that is inaccurate, misleading, biased, offensive or unsafe, and may implicate privacy, security or intellectual property rights, including through the generation of copyrighted or other protected material. If our customers or others rely on such content to their detriment, or if regulators or rights holders assert claims relating to AI-generated content, we may be exposed to litigation, regulatory investigations, enforcement actions, indemnification obligations, monetary penalties or other liabilities, or reputational harm. Developing, testing and deploying AI technologies may also increase the cost profile of our offerings due to the computing costs required. If we are unable to effectively mitigate these risks, or if our mitigation efforts result in excessive costs, our reputation, business, operating results and financial condition may be adversely affected.

Policies we adopt or choose not to adopt on social and ethical issues, especially regarding the use of our products, may be unpopular with some of our employees or with our customers or potential customers, and have in the past impacted and may in the future impact our ability to attract or retain employees and customers. Our decisions about whether to conduct business with potential customers, or whether to continue or expand business with existing customers, may also impact our ability to attract or retain employees and customers, and could result in negative publicity or reputational harm. Further, actions taken by our customers and employees, including through the use or misuse of our products or new technologies for illegal activities or improper information sharing, may result in reputational harm or possible liability, particularly in light of regulatory requirements like the Digital Services Act (“DSA”) from the EU. For example, we have been subject to allegations in legal proceedings that we should be liable for the use of certain of our products by third parties. Although we believe that we have a strong defense against these allegations, legal proceedings can be lengthy, expensive and disruptive to our operations and the outcome of any claims or litigation, regardless of the merits, is inherently uncertain. Regardless of outcome, these types of claims could cause reputational harm to our brand or result in liability. We are increasingly building AI into many of our offerings, including generative and agentic AI. As with many innovations, AI offerings, such as Agentforce, and our Salesforce Platform present additional risks and challenges that could affect their adoption and therefore our business. For example, the development of our AI offerings and the Salesforce Platform, which provides information regarding our customers’ customers, present emerging ethical issues. If we enable or offer solutions that draw controversy due to their perceived or actual impact on human rights, privacy, employment, or in other social contexts, we may experience new or enhanced governmental or regulatory scrutiny, brand or reputational harm, competitive harm or legal liability, especially as geopolitical turmoil creates increasingly volatile political and market conditions. Inadequate or ineffective AI development, deployment, content labeling or governance by us or others that result in controversy could also impair the acceptance of AI solutions or result in unintended performance of the services. This in turn could undermine confidence in the decisions, predictions, analysis or other content that our AI applications produce, subjecting us to competitive harm, legal liability and brand or reputational harm. The rapid evolution of AI will require the application of resources to develop, test and maintain our products and services to help ensure that AI is implemented ethically in order to minimize unintended, harmful impact. Uncertainty around new and emerging AI applications such as generative AI content creation and AI agents will require additional investment in compliance, governance and the licensing or development of proprietary datasets, machine learning models and systems to test for accuracy, bias and other variables, which are often complex, may be costly and could impact our profit margin. Moreover, the move from AI content classification to AI content generation through our development of Agentforce and other generative AI products brings additional risks and responsibility. Known risks of generative AI currently include risks related to accuracy, bias, toxicity, privacy and security and data provenance. For example, AI technologies, including generative AI, may create content that appears correct but is factually inaccurate or flawed, or contains copyrighted or other protected material, and if our customers or others use this flawed or protected content to their detriment, or the owners of such copyrighted material seek to enforce their rights, we may be exposed to brand or reputational harm, competitive harm and/or legal liability. Developing, testing and deploying AI systems may also increase the cost profile of our offerings due to the nature of the computing costs involved in such systems. If we are unable to mitigate these risks, or if we incur excessive expenses in our efforts to do so, our reputation, business, operating results and financial condition may be harmed.

The stock market in general, and the market for technology companies in particular, has historically been highly volatile. Accordingly, our stock price has been and is likely to continue to be subject to wide fluctuations. Our stock price could be affected by many factors, some of which are beyond our control, including: the factors described in this Item 1, Part 1A of this Annual Report; announcements or rumors by us or our competitors regarding technological innovations, new services or service enhancements, strategic alliances, mergers, other strategic acquisitions or significant agreements, customer additions, customer cancellations or delays in customer purchases; investor sentiment regarding AI-related business models, our competitors, and our industry in general; variations in our financial results and how those results compare to analyst expectations; changes to guidance or long-range targets, in the estimates of our operating results or in recommendations by securities analysts that follow our stock; variations in investors’ or analysts’ valuation metrics and modeling for our business; the issuance of, changes to, or our ability to meet or exceed, our forward-looking guidance and long-range targets, estimates or recommendations by analysts, or expectations of investors, analysts or others; the coverage of our business in the press, social media, and analyst community; the economy as a whole, geopolitical conditions, including global trade and health concerns, market conditions in our and our customers’ industries, and financial institution instability; trading activity by our stockholders, including institutional or activist investors; changes in the amounts and frequency of share repurchases or dividends; issuance of equity, debt or other convertible securities; changes to our credit ratings; and issues impacting our brand and reputation. Some companies that have experienced volatility in their stock price have been the subject of securities class action litigation, such as the securities litigation brought against Slack before our acquisition. Such litigation, whether against us or an acquired subsidiary, could result in substantial costs and a diversion of management’s attention and resources and any liability resulting from or the settlement of such litigation could result in material adverse impacts to our operating cash flows or results of operations for a given period.

The trading prices of the securities of technology companies have historically been highly volatile. Accordingly, the market price of our common stock has been and is likely to continue to be subject to wide fluctuations. Factors affecting the market price of our common stock include: •variations in our financial results and how those results compare to analyst expectations; •variations in, and limitations of, the various financial and other metrics and modeling used by analysts in their research and reports about our business; •forward-looking guidance to industry and financial analysts related to future operating results, the accuracy of which may be impacted by various factors, many of which are beyond our control; •our ability to meet or exceed forward-looking guidance we have given or to meet or exceed the expectations of investors, analysts or others; our ability to give forward-looking guidance consistent with past practices; •changes to previous guidance or long-range targets, in the estimates of our operating results or in recommendations by securities analysts that elect to follow our common stock; •announcements or rumors of technological innovations, new services or service enhancements, strategic alliances, mergers or other strategic acquisitions or significant agreements by us or within our industry; •announcements of customer additions and customer cancellations or delays in customer purchases; •the coverage of our common stock by the financial media; •recruitment or departure of key personnel; •disruptions in our service due to computer hardware, software, network or data center problems; •the economy as a whole, geopolitical conditions, including global trade and health concerns, market conditions in our industry and the industries of our customers, and financial institution instability; •trading activity or positions by a limited number of stockholders who together beneficially own a significant portion of our outstanding common stock, as well as other institutional or activist investors; •our ability to execute on our Share Repurchase Program as planned, including whether we meet internal or external expectations around the timing or price of share repurchases, and any changes to the program; •issuance of equity, debt or other convertible securities; •any increase to or reduction, suspension or elimination of dividend payments; •the inability to conclude that our internal controls over financial reporting are effective; •changes to our credit ratings; and •issues impacting our reputation. In addition, if the market for technology stocks or the greater securities market in general experience uneven investor confidence, the market price of our common stock has and could in the future decline for reasons unrelated to us, including as a reaction to events that affect other companies within, or outside, our industry. Some companies that have experienced volatility 29 29 29 29 29 29 Table of Contents Table of Contents Table of Contents in the trading price of their stock have been the subject of securities class action litigation, such as the securities litigation against Slack that was brought before our acquisition. Such litigation, whether against us or an acquired subsidiary, could result in substantial costs and a diversion of management’s attention and resources and any liability resulting from or the settlement of such litigation could result in material adverse impacts to our operating cash flows or results of operations for a given period.