---
ticker: DOCU
company: DOCU
filing_type: 10-K
year_current: 2025
year_prior: 2024
risks_added: 0
risks_removed: 4
risks_modified: 11
risks_unchanged: 43
source: SEC EDGAR
url: https://riskdiff.com/docu/2025-vs-2024/
markdown_url: https://riskdiff.com/docu/2025-vs-2024/index.md
generated: 2026-05-10
---

# DOCU: 10-K Risk Factor Changes 2025 vs 2024

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-05-10  
> All data extracted directly from official filings. No hallucinated content.

> **[AI-Generated Summary]** The paragraph below was produced by a language
> model and may contain errors. All other content on this page is deterministically
> extracted from the original SEC filing.

> DocuSign removed four growth and profitability-related risks from its 2025 filing, reflecting confidence in achieving sustainable profitability and managing debt obligations. The company maintained 43 unchanged risks while substantively modifying 11 others, with notable revisions to scaling efficiency and cybersecurity disclosures that suggest evolving operational and security challenges. No new risk factors were introduced, indicating the company's primary strategic shift was to streamline its risk narrative by eliminating forward-looking growth uncertainties.

---

## Summary

| Status | Count |
|--------|-------|
| New risks added | 0 |
| Risks removed | 4 |
| Risks modified | 11 |
| Unchanged | 43 |

---

## No Match in Current: Our prior rapid growth may not be indicative of our future growth.

*This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.*

Our revenue grew from $2.5 billion in the fiscal year ended January 31, 2023 to $2.8 billion in the fiscal year ended January 31, 2024. We expect that, in the future, as our revenue increases, our revenue growth rate could decline as the scale of our business increases. While we experienced an increase in paying customers and revenue in the past, in part due to macro-economic conditions, including the pandemic, there is no assurance that we will experience a continued increase in paying customers or that new or existing customers will utilize our products at similar levels as businesses continue to return to more normalized, hybrid or in-person work environments. Additionally, future revenue growth rates may fail to meet the expectations of investors or securities analysts, particularly if measured against periods of accelerated revenue growth such as those experienced during the earlier phases of the COVID-19 pandemic and the resulting increased adoption of remote work and reduced seasonality experienced during such periods. 
We believe that future growth of our revenue depends on a number of factors, including our ability to:

- price our products and solutions effectively so that we are able to attract and retain customers;
- attract new customers, increase our existing customers' use of our products and solutions and provide our customers with excellent customer support;
- expand our product offerings for our customers, including our ability to successfully implement such product offerings and ensure successful adoption of new or enhanced product offerings by our customers;
- effectively implement our sales strategies, including the expansion of self-serve capabilities;
- continue to introduce our products and solutions to new markets outside of the U.S.;
- mitigate and effectively manage the increased pace of the digital transformation of business and the costs of monitoring and complying with evolving governmental mandates;
- hire, retain, train, and integrate our employee base including our sales force, customer success, research and development teams and key employees;
- successfully identify and develop, acquire or invest in businesses, products or technologies that we believe could complement or expand our products and solutions; and
- increase global awareness of our brand.

We may not successfully accomplish any of these objectives. We expect to continue to expend substantial financial and other resources on:

- product development and innovation;
- sales, including our omni channel: direct, self-serve and partners;
- marketing to expand brand awareness both in the U.S. and internationally;
- our technology infrastructure, including information technology systems, systems architecture, management tools, scalability, availability, performance and security, as well as disaster recovery measures;
- acquisitions or strategic investments;
- international expansion; and
- general administration, including legal and accounting expenses.

In addition to growth in revenue, we have also experienced significant growth in the number of our customers and users, the number and complexity of the transactions we handle, and the amount of data that our infrastructure supports. Our growth has placed and may continue to place significant demands on our management and our operational and financial resources. Finally, our business is becoming more complex as we increase our product offerings, expand internationally and acquire complementary companies, products and technologies. In connection with this increased complexity, we are working to improve our operational, financial and management controls as well as our reporting systems and procedures, including streamlining or automating manual processes, all of which requires capital expenditures and management attention. Failure to effectively manage our growth and operations could have an adverse effect on our business, operating results and financial condition.

---

## No Match in Current: We have historically experienced operating losses and may not achieve or sustain profitability in the future.

*This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.*

We began operations in 2003 and, until recently, we have historically experienced net losses. We generated net income of $74.0 million in the year ended January 31, 2024 and a net loss of $97.5 million and $70.0 million in the years ended January 31, 2023 and 2022, respectively. As of January 31, 2024, we had an accumulated deficit of $1.7 billion. We will need to continue to generate and sustain increased revenue levels in future periods to become or remain profitable and, even in periods in which we generate net income, we may not be able to maintain or increase our level of profitability. We intend to continue to incur significant expenses to support growth, further develop and enhance our products and solutions, expand our infrastructure and technology, incentivize and enable our sales organization and marketing activities, and grow our international operations and customer base. Our efforts to grow our business may be costlier than we expect, and we may not be able to increase our revenue enough to offset our increased operating expenses. We may incur significant losses in the future for a number of reasons, including the other risks described in this "Risk Factors" section, and unforeseen expenses, difficulties, complications and delays and other unknown events. If we are unable to achieve or sustain profitability in the future, the value of our business and common stock may significantly decrease.

---

## No Match in Current: We have in the past incurred substantial indebtedness and may in the future incur substantial indebtedness that may decrease our business flexibility, access to capital and/or increase our borrowing costs, which may adversely affect our operations and financial results.

*This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.*

As of January 31, 2024, we had available borrowing capacity of $500.0 million under our credit facility. If we decide to borrow a portion or the full amount under our credit facility, such indebtedness may:

- limit our ability to borrow additional funds for working capital, capital expenditures, acquisitions or other general business purposes;
- limit our ability to use our cash flow or obtain additional financing for future working capital, capital expenditures, acquisitions or other general business purposes;
- require us to use a substantial portion of our cash flow from operations to make debt service payments;
- limit our flexibility to plan for, or react to, changes in our business and industry;
- place us at a competitive disadvantage compared to our less leveraged competitors; and
- increase our vulnerability to the impact of adverse economic and industry conditions, including inflation and volatile interest rates, and actual or perceived instability in the global banking sector.

---

## No Match in Current: If securities or industry analysts do not publish research or publish unfavorable or inaccurate research about our business, our stock price and trading volume could decline.

*This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.*

The trading market for our common stock depends, in part, on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If the number of analysts that cover us declines or if analysts do not publish research or reports about our business, delay publishing reports about our business or publish negative reports about our business, regardless of accuracy, our stock price and trading volume could decline. Regardless of accuracy, unfavorable interpretations of our financial information and other public disclosures could have a negative impact on our stock price. If our financial performance fails to meet analyst estimates or one or more of the analysts who cover us downgrade our common stock or change their opinion of our common stock, our stock price would likely decline.

---

## Modified: We may not be able to scale our business quickly enough to meet the growing needs of our customers and if we are not able to grow efficiently, our operating results could be harmed.

**Key changes:**

- Removed sentence: "For example, in fiscal 2023, we launched a new enterprise resource planning ("ERP") system, which is designed to accurately maintain our financial records, enhance the flow of financial information, improve data management, and provide timely information to our management team."
- Removed sentence: "ERP system implementations are complex projects that require significant investment of capital and human resources, the reengineering of many business processes and the attention of many employees who would otherwise be focused on other aspects of our business."
- Removed sentence: "Our failure to improve our systems and processes or their failure to operate in the intended manner, could harm our business, financial condition, and operating results."
- Removed sentence: "Additionally, if the ERP system does not operate as intended, the effectiveness of our internal control over financial reporting could be adversely affected."

**Prior (2024):**

As use of our products and solutions grows and as customers use them for more types of transactions, we will need to devote additional resources to improving our application architecture, integrating with third-party systems and maintaining or scaling our technology infrastructure and performance. In addition, we will need to appropriately scale our internal business systems and our services organization, including customer support and professional services, to serve our growing customer base. Any failure of or delay in these efforts could cause impaired system performance and reduced customer satisfaction. These issues make our products and solutions less attractive to customers, resulting in decreased sales to new customers, lower renewal rates by existing customers, or the issuance of service credits or refunds, which could hurt our revenue growth and our reputation. Even if we are able to upgrade our systems and expand our staff, any such expansion will be expensive and complex, requiring management time and attention. We could also face inefficiencies or operational failures as a result of our efforts to scale our infrastructure. Moreover, there are inherent risks associated with upgrading, improving and expanding our systems infrastructure. We cannot be sure that the expansion and improvements to our systems infrastructure will be effectively implemented on a timely basis, if at all. These efforts may be costly and could adversely affect our financial results. For example, in fiscal 2023, we launched a new enterprise resource planning ("ERP") system, which is designed to accurately maintain our financial records, enhance the flow of financial information, improve data management, and provide timely information to our management team. 
ERP system implementations are complex projects that require significant investment of capital and human resources, the reengineering of many business processes and the attention of many employees who would otherwise be focused on other aspects of our business. Our failure to improve our systems and processes or their failure to operate in the intended manner, could harm our business, financial condition, and operating results. Additionally, if the ERP system does not operate as intended, the effectiveness of our internal control over financial reporting could be adversely affected. Additionally, from time to time, we realign our resources and talent to implement stage-appropriate business strategies, which could include furloughs, layoffs and reductions in force. For more information on reductions in force, see the risk factor above "We rely on the performance of highly skilled personnel, including our management and other key employees, and failing to attract, integrate, or retain such employees could harm our business." If there are unforeseen expenses associated with such realignments in our business strategies, and we incur unanticipated charges or liabilities, then we may not be able to effectively realize the expected cost savings or other benefits of such actions. Failure to manage any growth or any scaling back of our operations could have an adverse effect on our business, operating results, and financial condition.

**Current (2025):**

As use of our products and solutions grows and as customers use them for more types of transactions, we will need to devote additional resources to improving our application architecture, integrating with third-party systems and maintaining or scaling our technology infrastructure and performance. In addition, we will need to appropriately scale our internal business systems and our services organization, including customer support and professional services, to serve our growing customer base. Any failure of or delay in these efforts could cause impaired system performance and reduced customer satisfaction. These issues make our products and solutions less attractive to customers, resulting in decreased sales to new customers, lower renewal rates by existing customers, or the issuance of service credits or refunds, which could hurt our revenue growth and our reputation. Even if we are able to upgrade our systems and expand our staff, any such expansion will be expensive and complex, requiring management time and attention. We could also face inefficiencies or operational failures as a result of our efforts to scale our infrastructure. Moreover, there are inherent risks associated with upgrading, improving and expanding our systems infrastructure. We cannot be sure that the expansion and improvements to our systems infrastructure will be effectively implemented on a timely basis, if at all. These efforts may be costly and could adversely affect our financial results. Additionally, from time to time, we realign our resources and talent to implement stage-appropriate business strategies, which could include furloughs, layoffs and reductions in force. For more information on reductions in force, see the risk factor above "We rely on the performance of highly skilled personnel, including our management and other key employees, and failing to attract, integrate, or retain such employees could harm our business." 
If there are unforeseen expenses associated with such realignments in our business strategies, and we incur unanticipated charges or liabilities, then we may not be able to effectively realize the expected cost savings or other benefits of such actions. Failure to manage any growth or any scaling back of our operations could have an adverse effect on our business, operating results, and financial condition.

---

## Modified: Our systems and security measures have been, and may in the future be, compromised or subject to data breaches, cyberattacks, or other malicious activity, and third parties have attempted and may continue to attempt to exploit our platform or brand to defraud others, which could result in customers reducing or stopping their use of our products, our reputation being harmed, and significant liabilities and adverse effects on our operating results and financial condition.

**Key changes:**

- Reworded sentence: "Our operations involve the storage and transmission of customer data, personal data and other sensitive or confidential information, and our corporate environment contains important company data and/or business records, employee data and data from partner, vendor or other relationships, as well as a wide variety of our own internal company, partner and employee information."
- Reworded sentence: "We also rely on third-party and public-cloud infrastructure, and we depend in part on third-party security measures on such infrastructure to protect against unauthorized access, cyberattacks and the mishandling of customer data."
- Reworded sentence: "While we have security measures in place designed to protect our production and development environments and other systems, maintain the integrity of customer, company, partner and employee information, and prevent data loss, misappropriation and other security breaches and incidents, we are a frequent target of cyberattacks and have faced security incidents in the past that did not have a material impact on our operations."
- Reworded sentence: "Like other organizations providing valuable technology and services, we are subject to increasing cyberattacks from malicious third parties using widely varying and frequently changing tactics, including phishing and fraud campaigns targeting our personnel via email, text, instant messaging and voice calls."
- Reworded sentence: "In addition, we face increased risk in our ability to maintain the performance, reliability, security and availability of our products and technical infrastructure to the satisfaction of our customers."

**Prior (2024):**

Our operations involve the storage and transmission of customer data, personal data and other sensitive information, and our corporate environment contains important company data and/or business records, employee data and data from partner, vendor or other relationships, as well as a wide variety of our own internal company, partner and employee information. Our employees, service providers and third parties often work on a remote or hybrid arrangement basis, which may involve relying on less secure systems and may increase the risk of cybersecurity related incidents. We cannot guarantee these private work environments and electronic connections to our work environment have the same robust security measures as those deployed in our physical offices. We also rely on third-party and public-cloud infrastructure, and we depend in part on third-party security measures to protect against unauthorized access, cyberattacks and the mishandling of customer data. Our ability to monitor our third-party service providers' data security is limited and any breach of our providers' security measures may result in unauthorized access to, or misuse, loss or destruction of, our and our customers' data. While we have security measures in place designed to protect our production and development environment and other systems, maintain the integrity of customer, company, partner and employee information, and prevent data loss, misappropriation and other security breaches and incidents, we have faced security incidents in the past that did not have a material impact on our operations. In these cases, upon detection, we took prompt action to prevent any additional unauthorized access, put further security controls in place and worked with law enforcement agencies. These efforts may not completely eliminate potential risks from such incidents. Furthermore, there can be no assurance that there will be no impact to our operations from these or similar incidents in the future. 
Despite our prevention and response efforts, any security incident or breach, even if immaterial and properly addressed, could result in negative publicity, loss of customers, damage to our reputation and could impair our sales and harm our business. Like other organizations providing valuable technology and services, we are subject to increasing cyberattacks from malicious third parties using a wide variety of tactics. The frequency and sophistication of such threats continues to increase and often becomes further heightened in connection with geopolitical tensions. In addition, we face increased risk to maintain the performance, reliability, security and availability of our products and technical infrastructure to the satisfaction of our customers. Advances in technology and the increasing sophistication of attackers have led to more frequent and effective cyberattacks, including advanced persistent threats by state-sponsored actors, cyberattacks relying on complex social engineering or "phishing" tactics, ransomware attacks and other methods including credential stuffing and account takeover attacks, denial or degradation of service attacks, malicious code (e.g., viruses and worms), and many other techniques that may lead to the loss, theft or misuse of personal, corporate or financial information, fraudulent payments and identity theft. If bad actors gain improper access to our systems or databases or those of our partners, service providers, and other third parties who have access to our data, they may be able to steal, publish, delete, copy, unlawfully or fraudulently use or modify data, including personal information and/or blackmail us to pay a ransom. 
If our security measures, or the security measures of our partners, service providers, or customers, are compromised, our reputation could be damaged, our ability to attract and retain customers could be adversely affected, we could be subject to negative publicity, increased costs to remedy any problems and otherwise respond to any incident, monetary and other losses for us or our customers, identity theft for our customers, the inability to expand our business, additional scrutiny, restrictions, fines or penalties from regulatory or governmental authorities, loss of customers and customer confidence in our services, ongoing regulatory oversight, assessments and audits, exposure to civil litigation, and/or a breach of our contracts with third parties, all of which could expose us to significant liability and harm our business, financial condition, and operating results. Despite significant efforts to identify vulnerabilities and create security barriers to such threats, it is virtually impossible for us, our service providers, our partners and our customers to entirely mitigate these risks. Further, we could be forced to expend significant financial and operational resources in response to a security breach, including repairing system damage, increasing security protection costs, investigating and remediating any information security vulnerabilities, complying with data breach notification obligations and applicable laws, and defending against and resolving legal and regulatory claims, all of which could divert resources and the attention of our management and key personnel away from our business operations and materially and adversely affect our business, financial condition, and operating results. 
In July 2023, the Securities and Exchange Commission (the "SEC") also adopted a new cybersecurity rule (effective in December 2023) requiring companies subject to SEC reporting requirements to formally report material cyber security incidents, where failure to report may result in the SEC imposing injunctions, fines and other penalties. Additionally, there can be no assurance that any limitations of liability provisions in our contracts would be enforceable or adequate in the event of a security breach or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing general liability insurance coverage, our cybersecurity coverage, and coverage for errors or omissions will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims, or that insurers will not deny coverage as to any future claim. Security breaches may result in increased costs for such insurance as well. One or more large, successful claims against us in excess of our available insurance coverage, or changes in our insurance policies, including premium increases or large deductible or coinsurance requirements, could have an adverse effect on our business, operating results and financial condition.

**Current (2025):**

Our operations involve the storage and transmission of customer data, personal data and other sensitive or confidential information, and our corporate environment contains important company data and/or business records, employee data and data from partner, vendor or other relationships, as well as a wide variety of our own internal company, partner and employee information. Our employees, service providers and third parties providing services to us often work on a remote or hybrid arrangement basis, which may involve relying on less secure systems and may increase the risk of cybersecurity related incidents. We cannot guarantee these private work environments and electronic connections to our work environment have the same robust security measures as those deployed in our physical offices. We also rely on third-party and public-cloud infrastructure, and we depend in part on third-party security measures on such infrastructure to protect against unauthorized access, cyberattacks and the mishandling of customer data. Our ability to monitor our third-party service providers' data security is limited and any breach of our providers' security measures may result in unauthorized access to, or misuse, loss or destruction of, our and our customers' data. While we have security measures in place designed to protect our production and development environments and other systems, maintain the integrity of customer, company, partner and employee information, and prevent data loss, misappropriation and other security breaches and incidents, we are a frequent target of cyberattacks and have faced security incidents in the past that did not have a material impact on our operations. In these cases, upon detection, we took prompt action to prevent any additional unauthorized access, put further security controls in place and worked with law enforcement agencies, when appropriate. 
While we have taken and will continue to take steps to address cyberattacks and security incidents, these efforts may not always be entirely successful, and there can be no assurance that there will be no impact to our operations from these or similar incidents in the future. Despite our prevention and response efforts, any security incident or breach, even if immaterial and properly addressed, could result in negative publicity, loss of customers, damage to our reputation and could impair our sales and harm our business. Like other organizations providing valuable technology and services, we are subject to increasing cyberattacks from malicious third parties using widely varying and frequently changing tactics, including phishing and fraud campaigns targeting our personnel via email, text, instant messaging and voice calls. The frequency and sophistication of such threats continues to increase and often becomes further heightened in connection with geopolitical tensions. In addition, we face increased risk in our ability to maintain the performance, reliability, security and availability of our products and technical infrastructure to the satisfaction of our customers. Advances in technology and the increasing sophistication of attackers have led to more frequent and effective cyberattacks, including advanced persistent threats by state-sponsored actors, cyberattacks relying on complex social engineering or "phishing" tactics, ransomware attacks and other methods including credential stuffing and account takeover attacks, denial or degradation of service attacks, malicious code (e.g., viruses and worms), and many other techniques that may lead to the loss, theft or misuse of personal, corporate or financial information, fraudulent payments and identity theft. 
Bad actors, nation-states, and nation-state-supported actors now engage, and are expected to continue to engage, in cyberattacks, including for geopolitical reasons and in connection with global or regional conflicts and operations. During major global or regional conflicts, we and our partners, service providers, or customers may be vulnerable to heightened risk of such cyberattacks. If bad actors gain improper access to our systems or databases or those of our partners, service providers, and other third parties who have access to our data, they may be able to steal, publish, delete, copy, unlawfully or fraudulently use or modify data, including personal information and/or blackmail us to pay a ransom. Additionally, "bad actors" have misused our platform and/or our brand name to attempt to deceive or defraud others, and may continue to do so. If our efforts to prevent these activities, or limit their impact, are unsuccessful, our reputation and brand could be harmed, we could lose customers, and our business and financial condition could be adversely affected. If our security measures, or the security measures of our partners, service providers, or customers, are compromised, our reputation could be damaged, our ability to attract and retain customers could be adversely affected, we could be subject to negative publicity, increased costs to remedy any problems and otherwise respond to any incident, monetary and other losses for us or our customers, identity theft for our customers, the inability to expand our business, additional scrutiny, restrictions, fines or penalties from regulatory or governmental authorities, loss of customers and customer confidence in our services, ongoing regulatory oversight, assessments and audits, exposure to civil litigation, and/or a breach of our contracts with third parties, all of which could expose us to significant liability and harm our business, financial condition, and operating results. 
Despite significant efforts to identify vulnerabilities and create security barriers to such threats, it is virtually impossible for us, our service providers, our partners and our customers to entirely mitigate these risks. Further, we could be forced to expend significant financial and operational resources in response to a cyberattack or security incident or breach, including repairing system damage, increasing security protection costs, investigating and remediating any information security vulnerabilities, complying with data breach notification obligations and applicable laws, and defending against and resolving legal and regulatory claims, all of which could divert resources and the attention of our management and key personnel away from our business operations and materially and adversely affect our business, financial condition, and operating results. Additionally, there can be no assurance that any limitations of liability provisions in our contracts would be enforceable or adequate in the event of a security breach or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing general liability insurance coverage, cybersecurity coverage, and coverage for errors or omissions will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims, or that insurers will not deny coverage as to any future claim. Cyberattacks or security incidents may result in increased costs for such insurance as well. One or more large, successful claims against us in excess of our available insurance coverage, or changes in our insurance policies, including premium increases or large deductible or coinsurance requirements, could have an adverse effect on our business, operating results and financial condition.

---

## Modified: Our sales to government entities and highly regulated organizations are subject to a number of challenges and risks.

**Key changes:**

- Reworded sentence: "Selling to such entities can be highly competitive, expensive and time-consuming, often requiring significant upfront time and expense to meet unique compliance requirements, some of which may be statutory or regulatory without any assurance that these efforts will generate a sale."
- Reworded sentence: "For example, recently proposed executive orders in the U.S."

**Prior (2024):**

We sell to U.S. federal, state and local, as well as foreign, government agencies and public sector customers, as well as to customers in highly regulated industries such as financial services, pharmaceuticals, insurance, healthcare and life sciences. Sales to such entities are subject to a number of challenges and risks, including those related to our status as a service provider to U.S. state and federal governmental agencies. Selling to such entities can be highly competitive, expensive and time-consuming, often requiring significant upfront time and expense to meet unique compliance requirements, some of which may be statutory or regulatory, without any assurance that these efforts will generate a sale. These longer sale cycles make the timing of future revenue from these entities difficult to predict. Further, government compliance requirements may change, restricting our ability to sell into the government sector until we have met those revised requirements. Failure to meet government contract compliance obligations can create the risk of statutory penalties as well as standard breach of contract risk. Government demand and payment for our offerings are affected by public sector budgetary cycles and funding authorizations, and funding reductions or delays, including as a result of macro-economic factors, including inflation, volatile interest rates, a potential U.S. government shutdown, actual or perceived instability in the global banking sector, regional or global conflicts and public health crises, may adversely affect public sector demand for our products and solutions. In addition, both government agencies and entities in highly regulated industries may demand shorter subscription periods or other contract terms that differ from our standard arrangements, including terms that can lead those customers to obtain broader rights in our offerings than would be standard. 
Such agencies and entities may have statutory, contractual or other legal rights to terminate contracts with us or our partners due to a default or for other reasons, and any such termination may adversely affect our business, operating results and financial condition.

**Current (2025):**

We sell to U.S. federal, state and local, as well as foreign, government agencies and public sector customers, as well as to customers in highly regulated industries such as financial services, pharmaceuticals, insurance, healthcare and life sciences. Sales to such entities are subject to a number of challenges and risks, including those related to our status as a service provider to U.S. state and federal governmental agencies. Selling to such entities can be highly competitive, expensive and time-consuming, often requiring significant upfront time and expense to meet unique compliance requirements, some of which may be statutory or regulatory without any assurance that these efforts will generate a sale. These longer sale cycles make the timing of future revenue from these entities difficult to predict. Further, government compliance requirements may change, restricting our ability to sell into the government sector until we have met those revised requirements. For example, recently proposed executive orders in the U.S. may impose new limits or restrictions on federal contractors, and noncompliance with such limits or restrictions could impact our business with government entities. Failure to meet government contract compliance obligations can also create the risk of statutory penalties as well as standard breach of contract risk. Government demand and payment for our offerings are affected by public sector budgetary cycles and funding authorizations, and funding reductions or delays, including as a result of macro-economic factors, including inflation, changes in interest rates, government shutdowns or reductions in the government workforce, geopolitical conflicts and public health crises, may adversely affect public sector demand for our products and solutions. 
We sell to public sector customers primarily through third-party resellers and distributors, who contract directly with government customers and are subject to complex laws, regulations and contractual requirements applicable to government contractors. If our third-party resellers and distributors fail to comply with these obligations, are suspended, debarred or otherwise lose the ability to sell to public sector customers, our public sector sales and growth prospects could suffer and our operating results could be adversely affected. In addition, both government agencies and entities in highly regulated industries may demand shorter subscription periods or other contract terms that differ from our standard arrangements, including terms that can lead those customers to obtain broader rights in our offerings than would be standard. Such agencies and entities may have statutory, contractual or other legal rights to terminate contracts with us or our partners due to a default or for other reasons, and any such termination may adversely affect our business, operating results and financial condition.

---

## Modified: We depend on co-located data centers and third-party cloud providers, as well as our own technical operations infrastructure, to provide our products and solutions to our customers in a timely manner. Interruptions or delays in performance of our products and solutions could result in customer dissatisfaction, damage to our reputation, loss of customers, limited growth and reduction in revenue.

**Prior (2024):**

We currently serve our customers from third-party data center hosting facilities and cloud service providers. Our customers need to be able to access our products at any time, without interruption or degradation of performance. In some cases, third-party cloud providers run their own platforms that we access, and we are, therefore, vulnerable to their service interruptions. As a result, we depend, in part, on our providers' ability to protect our service supply chain against damage or interruption, including from natural disasters, regional or global conflicts, power or telecommunications failures, criminal acts and similar events. In the event that our data center and service arrangements are terminated, or if there are any lapses of service or damage to a data center, we could experience lengthy interruptions in our service as well as delays and additional expenses in arranging new facilities and services. Even with current and planned disaster recovery arrangements, our disaster recovery planning may not account for all eventualities and our business could be harmed. In addition to third-party data centers and cloud service providers, we also rely on our own technical operations infrastructure to support and serve our increasing customer base. We must maintain sufficient excess capacity in our operations infrastructure to ensure that our products and solutions are accessible within an acceptable load time. Design and mechanical errors, spikes in usage volume and failure to follow system protocols and procedures could cause our systems to fail, resulting in interruptions in our products and solutions. 
Any interruptions or delays in our service, whether or not caused by our products, whether as a result of third-party error, our own error, natural disasters and the effects of climate change, operational disruptions related to labor shortages, public health crises, or security breaches, whether accidental or willful, could harm our relationships with customers and cause our revenue to decrease and/or our expenses to increase. Also, in the event of damage or interruption, our insurance policies may not adequately compensate us for any losses that we may incur. These factors in turn could further reduce our revenue, subject us to liability and cause us to issue credits or cause customers to fail to renew their subscriptions, any of which could adversely affect our business.

**Current (2025):**

We currently serve our customers from third-party data center hosting facilities and cloud service providers. Our customers need to be able to access our products at any time, without interruption or degradation of performance. In some cases, third-party cloud providers run their own platforms that we access, and we are, therefore, vulnerable to their service interruptions. As a result, we depend, in part, on our providers' ability to protect our service supply chain against damage or interruption, including from natural disasters, regional or global conflicts, power or telecommunications failures, criminal acts and similar events. In the event that our data center and service arrangements are terminated, or if there are any lapses of service or damage to a data center, we could experience lengthy interruptions in our service as well as delays and additional expenses in arranging new facilities and services. Even with current and planned disaster recovery arrangements, our disaster recovery planning may not account for all eventualities and our business could be harmed. In addition to third-party data centers and cloud service providers, we also rely on our own technical operations infrastructure to support and serve our increasing customer base. We must maintain sufficient excess capacity in our operations infrastructure to ensure that our products and solutions are accessible within an acceptable load time. Design and mechanical errors, spikes in usage volume and failure to follow system protocols and procedures could cause our systems to fail, resulting in interruptions in our products and solutions. 
Any interruptions or delays in our service, whether or not caused by our products, whether as a result of third-party error, our own error, natural disasters and the effects of climate change, operational disruptions related to labor shortages, public health crises, or security breaches, whether accidental or willful, could harm our relationships with customers and cause our revenue to decrease and/or our expenses to increase. Also, in the event of damage or interruption, our insurance policies may not adequately compensate us for any losses that we may incur. These factors in turn could further reduce our revenue, subject us to liability and cause us to issue credits or cause customers to fail to renew their subscriptions, any of which could adversely affect our business.

---

## Modified: If our IAM platform, products and solutions do not evolve to meet the needs of our customers or fail to achieve sufficient market acceptance, our financial results and competitive position will suffer.

**Key changes:**

- Reworded sentence: "For example, in April 2024, we launched our new IAM platform."

**Prior (2024):**

We spend substantial amounts of time and money to research, develop and enhance our existing products, add new offerings, incorporate additional functionality, and solve new use cases to meet our customers' rapidly evolving demands. Maintaining adequate research and development resources, such as the appropriate personnel and development technology, to meet the demands of our customers and potential customers is essential to our business. If we are unable to develop products and solutions internally due to a lack of research and development resources, we may be forced to rely on acquisitions to expand into certain markets or technologies, which can be costly. When we develop or acquire new or enhanced products and solutions, we typically incur expenses and expend resources upfront to develop, market, promote and sell them. As a result, when we introduce new or enhanced products and solutions, they must achieve high levels of market acceptance to justify the amount of our investment in developing or acquiring them and bringing them to market. New products, solutions or enhancements to our existing products and solutions could also fail to attain sufficient market acceptance for many reasons, including:

- failure to predict market demand for particular features or functions, or to timely meet demand;
- defects, errors or failures in our products and solutions;
- negative publicity about their performance or effectiveness;
- changes in applicable legal or regulatory requirements, or increased legal or regulatory scrutiny, adversely affecting our products and solutions;
- delays in releasing our products and solutions to the market;
- negative customer perception of our sales-directed strategies, including the pricing of new products or enhancements; and
- introduction or anticipated introduction of competing products by our competitors.

For example, we have made, and intend to continue making, significant investments in developing products that incorporate AI, and while we believe that such new products will drive future growth of our business, the development of such new features involves significant risks and costs, and there is no guarantee that any such offerings will ultimately be successful. If the release of these or other new and enhanced products, solutions or functionalities do not meet customer needs or if our customers do not accept them, our business, operating results and financial condition would be harmed. The adverse effect on our financial results may be particularly acute because of the significant research, development, marketing, sales and other expenses we will have incurred.

**Current (2025):**

We spend substantial amounts of time and money to research, develop and enhance our existing products, add new offerings, incorporate additional functionality, and solve new use cases to meet our customers' rapidly evolving demands. Maintaining adequate research and development resources, such as the appropriate personnel and development technology, to meet the demands of our customers and potential customers is essential to our business. If we are unable to develop products and solutions internally due to a lack of research and development resources, we may be forced to rely on acquisitions to expand into certain markets or technologies, which can be costly. When we develop or acquire new or enhanced products and solutions, we typically incur expenses and expend resources upfront to develop, market, promote and sell them. For example, in April 2024, we launched our new IAM platform. When we introduce new or enhanced products and solutions, they must achieve high levels of market acceptance to justify the amount of our investment in developing or acquiring them and bringing them to market. 
Our platform, products, solutions or enhancements to our existing products and solutions could also fail to attain sufficient market acceptance for many reasons, including:

- failure to predict market demand for particular features or functions, or to timely meet demand;
- defects, errors or failures in our platform, products and solutions;
- negative publicity about their performance or effectiveness;
- changes in applicable legal or regulatory requirements, or increased legal or regulatory scrutiny, adversely affecting our products and solutions;
- delays in releasing our products and solutions to the market;
- negative customer perception of our IAM platform or new products and solutions;
- inability to effectively execute our go-to-market and sales-directed strategies for our IAM platform, including the implementation of additional pricing models for products or enhancements; and
- introduction or anticipated introduction of competing products by our competitors.

For example, we have made, and intend to continue making, significant investments in our platform and developing products that incorporate AI, and while we believe that these investments will drive future growth of our business, the development of such new features involves significant risks and costs, and there is no guarantee that any such offerings will ultimately be successful. If the release of these or other new and enhanced products, solutions or functionalities as part of our platform do not meet customer needs or if our customers do not accept them, our business, operating results and financial condition would be harmed. The adverse effect on our financial results may be particularly acute because of the significant research, development, marketing, sales and other expenses we will have incurred.

---

## Modified: Complying with laws and regulations related to privacy and data protection could result in additional costs and liabilities to us or inhibit sales of our software.

**Key changes:**

- Reworded sentence: "A wide variety of state, national, and international laws, regulations, and industry standards apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal data and other information, the scope of which are consistently changing, subject to differing interpretations, and may be inconsistent across countries or conflict with other rules."
- Reworded sentence: "A breach of the GDPR, or other such data protection regulations, could result in regulatory investigations, reputational damage, fines and sanctions, orders to cease or change our processing of our data, enforcement notices, or assessment notices (for a compulsory audit)."
- Reworded sentence: "Additionally, the GDPR imposes strict rules on the transfer of personal data out of the EU or the UK to any country whose laws have not been deemed by regulators in the EU or UK to ensure an "adequate" level of data protection safeguards (such as the U.S.)."
- Removed sentence: "On June 4, 2021, the European Commission finalized new versions of the Standard Contractual Clauses, with the Implementing Decision now in effect."
- Removed sentence: "The UK Information Commissioner's Office of the Data Protection Authority published the UK version of the Standard Contractual Clauses, and by March 2024, we will be required to use and honor these clauses for transfers of UK residents' personal data to a foreign country that does not have adequate data protection."

**Prior (2024):**

Internationally, many countries have established their own data privacy and security legal framework with which we, our customers and partners may need to comply. For example, in Europe, the General Data Protection Regulation (the "GDPR") has been enacted as national legislation for respective member states and contains robust obligations on data controllers and processors and fulsome documentation requirements for data protection compliance programs by companies. As a result of our presence in Europe and the United Kingdom ("UK") and our products and services being offered in the EU and the UK, we are subject to the GDPR, UK GDPR, the UK Data Protection Act 2018, and other similar regional European data protection regulations, all of which impose stringent data protection and cybersecurity requirements, and could increase the risk of non-compliance and the costs of providing our services in a compliant manner. We are also certified as a Privacy Rights Processor under the Asia-Pacific Economic Cooperation. A breach of the GDPR, UK GDPR or other such data protection regulations, could result in regulatory investigations, reputational damage, fines and sanctions, orders to cease or change our processing of our data, enforcement notices, or assessment notices (for a compulsory audit). Such penalties, which may include fines up to the greater of €20 million (£17.5 million) or 4% of global turnover, are in addition to any civil litigation claims by customers and data subjects. We may also face civil claims including representative actions and other class action-type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm. 
Additionally, both the GDPR and UK GDPR impose strict rules on the transfer of personal data out of the EU and the UK to a "third country," or a country whose laws do not ensure an adequate level of data protection safeguards (such as the U.S.). These obligations may evolve, be interpreted or applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other requirements or our practices. For example, in June 2023, the European Commission adopted an adequacy decision ("UK Adequacy Decision") which facilitates personal data sharing from the European Economic Area ("EEA") to the UK without the need for additional data protection safeguards. The UK Adequacy Decision includes a "sunset clause", rendering the decision valid for four years, after which it will be reviewed by the European Commission and renewed only if the European Commission considers that the UK continues to ensure an adequate level of data protection. The European Commission also stated that it would intervene at any point within the four years if the UK deviates from the level of protection presently in place. If this adequacy decision is reversed by the European Commission, it would require that companies implement protection measures such as the approved Standard Contractual Clauses for data transfers between the EU and the UK. Legal developments in Europe continue to evolve, creating complexity and uncertainty regarding transfers of personal data from the EU and the UK to the U.S. On June 4, 2021, the European Commission finalized new versions of the Standard Contractual Clauses, with the Implementing Decision now in effect. The UK Information Commissioner's Office of the Data Protection Authority published the UK version of the Standard Contractual Clauses, and by March 2024, we will be required to use and honor these clauses for transfers of UK residents' personal data to a foreign country that does not have adequate data protection. 
On July 10, 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (a new cooperative effort between U.S. and European officials to overcome the security issues raised by the EU-U.S. Privacy Shield regarding personal transfers from the EU to the U.S.). In October 2023, the UK ICO adopted the UK-U.S. data bridge to allow self-certifying companies to effect personal data transfers from the UK to the U.S. without additional safeguards. This new Data Privacy Framework could be subject to legal challenge in front of the Court of Justice of the European Union, which had previously invalidated the Privacy Shield. We currently utilize respective Binding Corporate Rules and Standard Contractual Clauses as the approved data transfer mechanisms by the EU Commission for corresponding applicable data transfer activity. While we do not anticipate any immediate changes in our current operations, we will continue to monitor these legal developments.

**Current (2025):**

A wide variety of state, national, and international laws, regulations, and industry standards apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal data and other information, the scope of which are consistently changing, subject to differing interpretations, and may be inconsistent across countries or conflict with other rules. Data protection and privacy-related laws and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices, systems, and compliance procedures in a manner adverse to our business. For more information on these laws and their impact on our business, see the risk factor "We are subject to laws and regulations affecting our business, including those related to e-signature, marketing, advertising, privacy, data protection and information security. Our actual or perceived failure to comply with laws or regulations could harm our business." Internationally, virtually every jurisdiction in which we operate has established its own data privacy and security legal framework with which we, our customers and partners may need to comply. For example, in Europe, the General Data Protection Regulation (the "EU GDPR") contains robust obligations on data controllers and processors and fulsome documentation requirements for data protection compliance programs by companies. 
As a result of our presence in Europe and the United Kingdom ("UK") and our products and services being offered in the EU and the UK, we are subject to the EU GDPR and other similar regional European data privacy and protection regulations (collectively the "GDPR"), all of which impose stringent data protection and cybersecurity requirements, and could increase the risk of non-compliance and the costs of providing our services in a compliant manner. We are also certified as a Privacy Rights Processor under the Asia-Pacific Economic Cooperation. A breach of the GDPR, or other such data protection regulations, could result in regulatory investigations, reputational damage, fines and sanctions, orders to cease or change our processing of our data, enforcement notices, or assessment notices (for a compulsory audit). Such penalties, which under GDPR may include fines up to the greater of €20 million (£17.5 million) or 4% of global turnover, are in addition to any civil litigation claims by customers and data subjects. We may also face civil claims including representative actions and other class action-type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm. Additionally, the GDPR imposes strict rules on the transfer of personal data out of the EU or the UK to any country whose laws have not been deemed by regulators in the EU or UK to ensure an "adequate" level of data protection safeguards (such as the U.S.). These obligations may evolve, be interpreted or applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other requirements or our practices. 
For example, in June 2023, the European Commission adopted an adequacy decision ("UK Adequacy Decision") which facilitates personal data sharing from the European Economic Area ("EEA") to the UK without the need for additional data protection safeguards. The UK Adequacy Decision includes a "sunset clause", rendering the decision valid for four years, after which it will be reviewed by the European Commission and renewed only if the European Commission considers that the UK continues to ensure an adequate level of data protection. The European Commission also stated that it would intervene at any point within the four years if the UK deviates from the level of protection presently in place. If this adequacy decision is reversed by the European Commission, it would require that companies implement protection measures such as the approved Standard Contractual Clauses for data transfers between the EU and the UK. Legal developments in Europe continue to evolve, creating complexity and uncertainty regarding transfers of personal data from the EU and the UK to the U.S. We currently utilize respective Binding Corporate Rules and Standard Contractual Clauses as the approved data transfer mechanisms by the EU Commission for corresponding applicable data transfer activity. While we do not anticipate any immediate changes in our current operations, we will continue to monitor these legal developments.

---

## Modified: We may need to reduce or change our pricing model to remain competitive.

**Key changes:**

- Reworded sentence: "Different pricing structures apply to our Docusign product offerings."

**Prior (2024):**

Different pricing structures apply to our DocuSign product offerings. For DocuSign eSignature, we price our subscriptions based on the functionality required by our customers and the quantity of Envelopes provisioned. We expect that we may need to change our pricing or pricing structures from time to time, including in connection with the launch of new or enhanced offerings for automating the agreement process or in response to competitive pressures. As new or existing competitors introduce new competitive products or reduce their prices, we may be unable to attract new customers or retain existing customers based on our historical pricing. As we expand internationally, we must also determine the appropriate price to enable us to compete effectively in non-U.S. markets. Moreover, mid- to large-size enterprises may demand substantial price discounts as part of the negotiation of sales contracts. As a result, we may be required or choose to reduce our prices or otherwise change our pricing model, which could adversely affect our business, operating results and financial condition.

**Current (2025):**

Different pricing structures apply to our Docusign product offerings. For eSignature, we price our subscriptions based on the functionality required by our customers and the quantity of Envelopes required by our customers. We expect that we may need to change our pricing or pricing structures from time to time, including in connection with the launch of our IAM platform and new or enhanced offerings or in response to competitive pressures. For example, in the second quarter of fiscal 2025, we began to offer our IAM platform on a user-based subscription with transaction-based add-ons. The rollout of our IAM platform and additional pricing model began gradually, starting in the second quarter of fiscal 2025. Additionally, as new or existing competitors introduce new competitive products or reduce their prices, we may be unable to attract new customers or retain existing customers based on our historical pricing. As we expand internationally, we must also determine the appropriate price to enable us to compete effectively in non-U.S. markets. Moreover, mid- to large-size enterprises may demand substantial price discounts as part of the negotiation of sales contracts. As a result, we may be required or choose to reduce our prices or otherwise change our pricing model, which could adversely affect our business, operating results and financial condition.

---

## Modified: Risks Related to our Common Stock

**Key changes:**

- Removed sentence: "•Securities analysts publishing unfavorable or inaccurate research about us, or not publishing research."

**Prior (2024):**

- Any volatility in the market price of our common stock.
- Securities analysts publishing unfavorable or inaccurate research about us, or not publishing research.

**Current (2025):**

- Any volatility in the market price of our common stock.

---

## Modified: We rely on the performance of highly skilled personnel, including our management and other key employees, and failing to attract, integrate, or retain such employees could harm our business.

**Key changes:**

- Reworded sentence: "For example, in August 2024, Steve Shute, our President, Worldwide Field Operations, departed the Company and Paula Hansen was appointed as our President, Chief Revenue Officer."
- Removed sentence: "For example, in September 2022, in response to changing economic conditions and in an effort to reduce our operational costs and improve our organizational efficiency, we authorized a restructuring plan, which included a restructuring and reduction of the current workforce by approximately 9%."
- Removed sentence: "The execution of this restructuring plan was substantially completed at the end of fiscal 2023."
- Removed sentence: "Additionally, in February 2023, in an effort to support our growth, scale and profitability objectives, we authorized an additional restructuring plan, which included a restructuring and reduction of the current workforce by approximately 10%."
- Removed sentence: "The execution of this restructuring plan was substantially completed at the end of the second quarter of fiscal 2024."

**Prior (2024):**

Our success and future growth depend upon the continued services of highly skilled personnel, including our management team and other key employees. Changes in our management team resulting from the hiring or departure of executives and key employees from time to time could disrupt our business. In the last 12 months, there have been significant changes to our senior leadership team. For example, in June 2023, Cynthia Gaylor, our Chief Financial Officer, resigned from the Company and Blake Grayson was appointed as our new Chief Financial Officer, and in January 2024, Inhi Cho Suh, our President, Product and Engineering, departed the Company. These changes and any future significant leadership changes or senior management transitions involve inherent risk. In addition, executive leadership transition periods can be disruptive and may result in a loss of personnel with deep institutional or technical knowledge, or result in changes to business strategy or objectives, and may negatively impact our operations and relationships with employees and customers due to increased or unanticipated expenses, operational inefficiencies, uncertainty regarding changes in strategy, decreased employee morale and productivity, and increased turnover. Our future success, and our ability to achieve our operational and business objectives, depends in large part on the successful recruitment, integration and continued service of senior management and other key personnel. In particular, we are highly dependent on the services of our senior management team, many of whom are essential to the development of our technology, platform, future vision, and strategic direction. Our senior management and key employees are employed on an at-will basis, meaning that we may terminate their employment at any time, with or without cause, and they may resign at any time, with or without cause. 
If we lose one or more of our senior management or other key employees and are unable to find adequate replacements, or if we fail to attract, integrate, retain and motivate members of our senior management team and key employees or otherwise fail to retain a significant portion of our workforce, our business could be harmed. For example, in September 2022, in response to changing economic conditions and in an effort to reduce our operational costs and improve our organizational efficiency, we authorized a restructuring plan, which included a restructuring and reduction of the current workforce by approximately 9%. The execution of this restructuring plan was substantially completed at the end of fiscal 2023. Additionally, in February 2023, in an effort to support our growth, scale and profitability objectives, we authorized an additional restructuring plan, which included a restructuring and reduction of the current workforce by approximately 10%. The execution of this restructuring plan was substantially completed at the end of the second quarter of fiscal 2024. Further, in February 2024, in an effort to strengthen and support our financial and operational efficiency while continuing to invest in product and related initiatives, we authorized an additional restructuring plan, which included a restructuring and reduction of the current workforce by approximately 6%. We expect this restructuring plan to be completed during the first and second quarters of fiscal 2025. These restructuring plans could negatively impact our ability to attract, integrate, retain and motivate key employees. We also are dependent on the continued service of our existing software engineers because of the complexity of our products and solutions. In particular, we compete with many other companies for software developers with high levels of experience and skilled sales and operations professionals in a tight U.S. labor market. 
We also require skilled product development, marketing, sales, finance and operations professionals, and we may not be successful in attracting and retaining the professionals we need, particularly in our principal U.S. locations in the San Francisco Bay Area and Seattle. Additionally, while we currently employ a hybrid model where employees have the flexibility to work from home, changes to our workplace arrangements could impact our ability to maintain our corporate culture or productivity, increase attrition or limit our ability to attract employees if individuals prefer to work full time at home or in the office. Competition for employees in our industry (and especially in our principal U.S. locations) is intense, and many of the companies we compete with for experienced personnel have greater resources than we do. To remain competitive, we may experience increased compensation-related expenses.

**Current (2025):**

Our success and future growth depend upon the continued services of highly skilled personnel, including our management team and other key employees. Changes in our management team resulting from the hiring or departure of executives and key employees from time to time could disrupt our business. In the last 12 months, there have been significant changes to our senior leadership team. For example, in August 2024, Steve Shute, our President, Worldwide Field Operations, departed the Company and Paula Hansen was appointed as our President, Chief Revenue Officer. These changes and any future significant leadership changes or senior management transitions involve inherent risk. In addition, executive leadership transition periods can be disruptive and may result in a loss of personnel with deep institutional or technical knowledge, or result in changes to business strategy or objectives, and may negatively impact our operations and relationships with employees and customers due to increased or unanticipated expenses, operational inefficiencies, uncertainty regarding changes in strategy, decreased employee morale and productivity, and increased turnover. Our future success, and our ability to achieve our operational and business objectives, depends in large part on the successful recruitment, integration and continued service of senior management and other key personnel. In particular, we are highly dependent on the services of our senior management team, many of whom are essential to the development of our technology, platform, future vision, and strategic direction. Our senior management and key employees are employed on an at-will basis, meaning that we may terminate their employment at any time, with or without cause, and they may resign at any time, with or without cause. 
If we lose one or more of our senior management or other key employees and are unable to find adequate replacements, or if we fail to attract, integrate, retain and motivate members of our senior management team and key employees or otherwise fail to retain a significant portion of our workforce, our business could be harmed. We also are dependent on the continued service of our existing software engineers because of the complexity of our products and solutions. In particular, we compete with many other companies for software developers with high levels of experience and skilled sales and operations professionals in a tight U.S. labor market. We also require skilled product development, marketing, sales, finance and operations professionals, and we may not be successful in attracting and retaining the professionals we need, particularly in our principal U.S. locations in the San Francisco Bay Area and Seattle. Additionally, while we currently employ a hybrid model where most employees have the flexibility to work from home, changes to our workplace arrangements could impact our ability to maintain our corporate culture or productivity, increase attrition or limit our ability to attract employees if individuals prefer to work full time at home or in the office. Competition for employees in our industry (and especially with expertise in AI technology and at our principal U.S. locations) is intense, and many of the companies we compete with for experienced personnel have greater resources than we do. To remain competitive, we may experience increased compensation-related expenses.

---

## Modified: Business and Industry Risks

**Key changes:**

- Reworded sentence: "•Any decrease in adoption or sales of our eSignature product, without corresponding increases in our other solutions in our IAM platform."
- Added sentence: "•Our IAM platform failing to achieve market acceptance or to meet our customers' evolving needs."
- Reworded sentence: "•Our systems and security measures being compromised or subject to data breaches, cyberattacks, or other malicious activity, and any harm to our business or reputation caused by malicious actors attempting to exploit our technology, platform or brand to defraud others."
- Reworded sentence: "•An over-estimation of our market opportunity."

**Prior (2024):**

- Any decrease in adoption of our eSignature product, without a corresponding increase in our other products.
- Any inability to attract new customers and retain and expand sales to existing customers.
- Our inability to compete in an evolving and highly competitive market.
- Our systems and security measures being compromised or subject to data breaches, cyberattacks, or other malicious activity.
- Any real or perceived improper use of, disclosure of, or access to sensitive customer data.
- Our products and solutions not evolving to meet the needs of our customers or failing to achieve market acceptance.
- Any inability to manage our growth effectively.
- An over-estimation of the size of our total addressable market.
- Any interruption or delay in performance from our technical operations infrastructure, co-located data centers and third-party cloud providers.
- Any loss of highly skilled personnel, including our management team or other key employees, or inability to attract, integrate, and retain such employees necessary to support our business.
- Our inability to maintain successful relationships with our strategic partners or to establish and maintain relationships with partners that provide complementary technology.
- Any inability to effectively develop and expand our marketing and sales capabilities.

**Current (2025):**

- Any decrease in adoption or sales of our eSignature product, without corresponding increases in our other solutions in our IAM platform.
- Any inability to attract new customers and retain and expand sales to existing customers.
- Our IAM platform failing to achieve market acceptance or to meet our customers' evolving needs.
- Our inability to compete in an evolving and highly competitive market.
- Our systems and security measures being compromised or subject to data breaches, cyberattacks, or other malicious activity, and any harm to our business or reputation caused by malicious actors attempting to exploit our technology, platform or brand to defraud others.
- Any real or perceived improper use of, disclosure of, or access to sensitive customer data.
- An over-estimation of our market opportunity.
- Any interruption or delay in performance from our technical infrastructure, including third-party cloud providers.
- The implementation of AI in our business, and the legal, regulatory, reputational and business risks relating to its use.
- Any loss of highly skilled personnel, including our management team or other key employees, or inability to attract, integrate, and retain such employees necessary to support our business.
- Our inability to maintain successful relationships with our strategic partners or to establish and maintain relationships with partners that provide complementary technology.
- Any inability to effectively develop and expand our marketing and sales capabilities.

---

## Modified: If we have overestimated our market opportunity, our future growth rate may be limited.

**Key changes:**

- Reworded sentence: "We have estimated our market size and opportunity based on internally generated data and assumptions, as well as data published by third parties, which we have not independently verified."
- Reworded sentence: "Even if our market size estimates are correct, we may not continue to grow our share of the market and our business could be harmed."

**Prior (2024):**

We have estimated the size of our total addressable market based on internally generated data and assumptions, as well as data published by third parties, which we have not independently verified. While we believe our market size estimates are reasonable, such information is inherently imprecise and subject to a high degree of uncertainty. If our third-party or internally generated data prove to be inaccurate or we make errors in our assumptions based on that data, our actual market may be more limited than our estimates. In addition, these inaccuracies or errors may cause us to misallocate capital and other critical business resources, which could harm our business. Even if our total addressable market meets our size estimates and experiences growth, we may not continue to grow our share of the market.

**Current (2025):**

We have estimated our market size and opportunity based on internally generated data and assumptions, as well as data published by third parties, which we have not independently verified. While we believe our market size estimates are reasonable, such information is inherently imprecise and subject to a high degree of uncertainty. If our third-party or internally generated data prove to be inaccurate or we make errors in our assumptions based on that data, our actual market may be more limited than our estimates. In addition, these inaccuracies or errors may cause us to misallocate capital and other critical business resources, which could harm our business. Even if our market size estimates are correct, we may not continue to grow our share of the market and our business could be harmed.

---

*Data sourced from SEC EDGAR. Last updated 2026-05-10.*