DOCU: 10-K Risk Factor Changes

We collect, store and process personal information and other data from and about our customers, employees, partners and service providers. In addition, customers use our products and solutions to obtain and store personal information, health information (including protected health information) and personal financial information. Our handling of data is thus subject to a variety of laws and regulations around the world, including regulation by various government agencies, such as the respective data protection authorities of the United Kingdom and EU member states who enforce the General Data Protection Regulation, the U.S. Federal Trade Commission (the “FTC”), the U.S. Department of Health and Human Services Office for Civil Rights (the “OCR”), the California Privacy Protection Agency, and other various federal, state, local and foreign agencies and other authorities, such as each U.S. state’s attorney general. Our data handling also is subject to contractual obligations and industry standards. We have internal and publicly posted policies, notices, and other related documentation regarding our collection, data categorization or identification, processing, use, disclosure, deletion and security of information. Although we endeavor to comply with our policies and documentation, we may at times fail to do so or be accused of having failed to do so. Increased regulatory focus on “dark patterns,” data minimization and transparency, along with heightened scrutiny of any statements related to the use of AI, all increase the risk of allegations that our notices and related documentation may be alleged to be non-compliant, deceptive, unfair or otherwise inaccurate. The publication of our privacy notices and other related documentation that provide commitments about data privacy and security can subject us to potential claims and enforcement actions if they are found to be non-compliant, deceptive, unfair, or otherwise misrepresent our actual practices. These could materially and adversely affect our business, financial condition and results of operations, and subject us to investigations, fines or penalties from regulators or government authorities, or civil litigation. We are subject to various evolving laws and regulations governing our use of our business data. For more information on these laws and regulations, see the risk factors “We are subject to laws and regulations affecting our business, including those related to e-signature, marketing, advertising, privacy, data protection and information security. Our actual or perceived failure to comply with laws or regulations could harm our business.” and “Complying with laws and regulations related to privacy and data protection could result in additional costs and liabilities to us or inhibit sales of our software.” If we are not able to comply with these laws or regulations or if we become liable under these evolving laws or regulations, we could be directly harmed, and we may be forced to implement new measures to reduce our exposure to this liability. This may require us to expend substantial resources or to discontinue certain solutions, which would negatively affect our business, operating results and financial condition. In addition, the increased attention focused upon liability issues as a result of lawsuits and legislative proposals could harm our reputation or otherwise impact the growth of our business. Any costs incurred as a result of this potential liability could harm our business and operating results. Additionally, any failure or perceived failure by us to comply with laws, regulations, policies, legal or contractual obligations, industry standards, or regulatory guidance relating to privacy or data security, may result in governmental investigations and enforcement actions, litigation, fines and penalties or adverse publicity, and could cause our customers and partners to lose trust in us, which could have an adverse effect on our reputation and business.

We receive, store and process personal information and other data from and about our customers, employees, partners and service providers. In addition, customers use our products and solutions to obtain and store personal information, health information (including protected health information) and personal financial information. Our handling of data is thus subject to a variety of laws and regulations around the world, including regulation by various government agencies, such as the respective data protection authorities of the United Kingdom and EU member states who enforce the General Data Protection Regulation, the U.S. Federal Trade Commission (the “FTC”), the U.S. Department of Health and Human Services Office for Civil Rights (the “OCR”), the California Privacy Protection Agency, and other various federal, state, local and foreign agencies and other authorities, such as each U.S. state’s attorney general. Our data handling also is subject to contractual obligations and industry standards. We have internal and publicly posted policies, notices, and other related documentation regarding our collection, data categorization or identification, processing, use, disclosure, deletion and security of information. Although we endeavor to comply with our policies and documentation, we may at times fail to do so or be accused of having failed to do so. The publication of our privacy notices and other related documentation that provide commitments about data privacy and security can subject us to potential actions if they are found to be non-compliant, deceptive, unfair, or otherwise misrepresent our actual practices, which could materially and adversely affect our business, financial condition and results of operations, and subject us to investigations, fines or penalties from regulators or government authorities, or civil litigation. We are subject to various evolving laws and regulations governing our use of our business data. For more information on these laws and regulations, see the risk factors “We are subject to laws and regulations affecting our business, including those related to e-signature, marketing, advertising, privacy, data protection and information security. Our actual or perceived failure to comply with laws or regulations could harm our business.” and “Complying with laws and regulations, in particular those related to privacy and data protection, could also result in additional costs and liabilities to us or inhibit sales of our software.” If we are not able to comply with these laws or regulations or if we become liable under these evolving laws or regulations, we could be directly harmed, and we may be forced to implement new measures to reduce our exposure to this liability. This may require us to expend substantial resources or to discontinue certain solutions, which would negatively affect our business, operating results and financial condition. In addition, the increased attention focused upon liability issues as a result of lawsuits and legislative proposals could harm our reputation or otherwise impact the growth of our business. Any costs incurred as a result of this potential liability could harm our business and operating results. Additionally, any failure or perceived failure by us to comply with laws, regulations, policies, legal or contractual obligations, industry standards, or regulatory guidance relating to privacy or data security, may result in governmental investigations and enforcement actions, litigation, fines and penalties or adverse publicity, and could cause our customers and partners to lose trust in us, which could have an adverse effect on our reputation and business.

Our products and solutions are subject to U.S. export controls, including the Export Administration Regulations and economic sanctions administered by the Office of Foreign Assets Control, and we incorporate encryption technology into certain products and solutions. These encryption products and the underlying technology may be exported outside of the U.S. to most jurisdictions only with export authorizations, including by license, a license exception or other appropriate government authorizations. Furthermore, our activities are subject to U.S. economic sanctions laws and regulations that prohibit dealings without the required authorizations with countries, governments and parties targeted by U.S. sanctions. The U.S. government may not grant us the required authorization for a particular sale. Even if the required authorization for a particular sale is ultimately granted, it may be time-consuming and may result in the delay or loss of sales opportunities. While we take precautions to prevent business dealings in violation of these laws, including obtaining government authorizations, implementing IP address blocking and screenings against U.S. government and international lists of restricted and prohibited persons, we cannot guarantee that the precautions we take will prevent violations of export control and sanctions laws. Violations of U.S. sanctions or export control laws can result in significant fines or penalties and possible incarceration for responsible employees and managers could be imposed for criminal violations of these laws. In addition, if our strategic partners fail to adhere to U.S. sanctions and export control laws, we may also be adversely affected, through reputational harm as well as other negative consequences including government investigations and penalties. We presently incorporate export control compliance requirements into our strategic partner agreements; however, no assurance can be given that our strategic partners will comply with such requirements. Foreign governments also regulate the import and export of certain encryption and other technology, and have implemented, and may in the future implement, sanctions and export control laws that could limit our ability to distribute our products and solutions or could limit our end-customers’ ability to implement our products and solutions in those countries. Changes in our products and solutions or future changes in export and import regulations may create delays in the introduction of our products and solutions in international markets, prevent our end-customers with international operations from deploying our products and solutions globally or, in some cases, prevent the export or import of our products and solutions to certain countries, governments or parties altogether. Any decreased use of our products and solutions or limitation on our ability to export or sell our products and solutions would adversely affect our business, operating results and prospects.

Our products and solutions are subject to U.S. export controls, including the Export Administration Regulations and economic sanctions administered by the Office of Foreign Assets Control, and we incorporate encryption technology into certain products and solutions. These encryption products and the underlying technology may be exported outside of the U.S. only with export authorizations, including by license, a license exception or other appropriate government authorizations, including the filing of an encryption registration. Furthermore, our activities are subject to U.S. economic sanctions laws and regulations that prohibit the shipment or distribution of certain products and services without the required export authorizations, including to countries, governments and persons targeted by U.S. embargoes or sanctions. Obtaining the necessary export license or other authorization for a particular sale may be time-consuming and may result in the delay or loss of sales opportunities even if the export license ultimately may be granted. Additionally, sanctions regimes are rapidly changing as a result of regional or global conflicts. While we take precautions to prevent our products and solutions from being exported in violation of these laws, including obtaining export authorizations, implementing IP address blocking and screenings against U.S. government and international lists of restricted and prohibited persons, we cannot guarantee that the precautions we take will prevent violations of export control and sanctions laws. Violations of U.S. sanctions or export control laws can result in significant fines or penalties and possible incarceration for responsible employees and managers could be imposed for criminal violations of these laws. In addition, if our strategic partners fail to obtain appropriate import, export or re-export licenses or permits, we may also be adversely affected, through reputational harm as well as other negative consequences including government investigations and penalties. We presently incorporate export control compliance requirements to our strategic partner agreements; however, no assurance can be given that our strategic partners will comply with such requirements. Foreign governments also regulate the import and export of certain encryption and other technology, including import and export licensing requirements, and have enacted, and may in the future enact, sanctions and export control laws that could limit our ability to distribute our products and solutions or could limit our end-customers’ ability to implement our products and solutions in those countries. Changes in our products and solutions or future changes in export and import regulations may create delays in the introduction of our products and solutions in international markets, prevent our end-customers with international operations from deploying our products and solutions globally or, in some cases, prevent the export or import of our products and solutions to certain countries, governments or persons altogether. From time to time, various governmental agencies have proposed additional regulation of encryption technology, including the escrow and government recovery of private encryption keys. Any change in export or import regulations, economic sanctions or related legislation, increased export and import controls or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products and solutions by, or in our decreased ability to export or sell our products and solutions to, existing or potential end-customers with international operations. Any decreased use of our products and solutions or limitation on our ability to export or sell our products and solutions would adversely affect our business, operating results and prospects.

Our ability to retain and grow our customer base depends on our ability to deliver excellent service and support to our customers. Any failure to maintain high-quality customer support and meet or exceed customer expectations could adversely affect customer retention, growth, and our financial condition and results of operations. To increase our revenue, we must continue to grow our customer base. As our market matures, product and service offerings evolve, and competitors introduce lower cost and/or differentiated products or solutions that compete or are perceived to compete with our products and solutions, our ability to attract new customers could be impaired. This may be especially challenging where organizations have already invested significantly in an existing solution. If our pricing is not competitive or we cannot attract new customers and subsequently maintain and expand those customer relationships, our business and operating results may be harmed. Our ability to increase our revenue also depends on our ability to expand the sales of our products and solutions to, and renew subscriptions with, existing customers and their organizations. Our existing customers, especially our enterprise customers, must increase their use of our products and solutions by purchasing new products, additional subscriptions and our enhanced products and solutions. We may also, from time to time, invest in products and functionalities to diversify our sales and marketing strategy. If these or other efforts to attract new customers or expand sales to our existing customers are not successful, our business, operating results and financial condition may suffer. Moreover, a majority of our subscription contracts are for one year. Our customers have no obligation to renew their subscriptions and we cannot guarantee that our customers will renew their subscriptions with us for a similar or greater contract period or on the same or more favorable terms. Our renewal and expansion rates may decline or fluctuate as a result of a number of factors, including customer spending levels, customer dissatisfaction, decreases in the number of users with our customers, changes in the type and size of our customers, pricing, competitive conditions, customer attrition and general economic and global market conditions, including as a result of inflation, changes in interest rates, increased debt and equity market volatility, tariffs and changes in trade policies and practices, geopolitical conflicts or public health crises. If we are unable to improve our renewal rates, our revenue may decline and our business may suffer. Furthermore, if our customers do not renew their subscriptions for our products and solutions or if they reduce their subscription amounts at the time of renewal, our revenue will decline, and our business, operating results and financial condition will suffer.

To increase our revenue, we must continue to grow our customer base. As our market matures, product and service offerings evolve, and competitors introduce lower cost and/or differentiated products or solutions that compete or are perceived to compete with our products and solutions, our ability to attract new customers could be impaired. This may be especially challenging where organizations have already invested significantly in an existing solution. If our pricing is not competitive or we cannot attract new customers and subsequently maintain and expand those customer relationships, our business and operating results may be harmed. Our ability to increase our revenue also depends on our ability to expand the sales of our products and solutions to, and renew subscriptions with, existing customers and their organizations. Our existing customers, especially our enterprise customers, must increase their use of our products and solutions by purchasing new products, additional subscriptions and our enhanced products and solutions. We may also, from time to time, invest in products and functionalities to diversify our sales and marketing strategy. If these or other efforts to attract new customers or expand sales to our existing customers are not successful, our business, operating results and financial condition may suffer. Moreover, a majority of our subscription contracts are for one year. Our customers have no obligation to renew their subscriptions and we cannot guarantee that our customers will renew their subscriptions with us for a similar or greater contract period or on the same or more favorable terms. Our renewal and expansion rates may decline or fluctuate as a result of a number of factors, including customer spending levels, customer dissatisfaction, decreases in the number of users with our customers, changes in the type and size of our customers, pricing, competitive conditions, customer attrition and general economic and global market conditions, including as a result of inflation, changes in interest rates, increased debt and equity market volatility, tariffs and trade policy changes, geopolitical conflicts or public health crises. If our customers do not renew their subscriptions for our products and solutions or if they reduce their subscription amounts at the time of renewal, our revenue will decline, and our business will suffer.

A wide variety of state, national, and international laws, regulations, and industry standards apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal data and other information, the scope of which are consistently changing, subject to differing interpretations, and may be inconsistent across countries or conflict with other rules. Data protection and privacy-related laws and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices, systems, and compliance procedures in a manner adverse to our business. For more information on these laws and their impact on our business, see the risk factor “We are subject to laws and regulations affecting our business, including those related to e-signature, marketing, advertising, privacy, data protection and information security. Our actual or perceived failure to comply with laws or regulations could harm our business.” Internationally, virtually every jurisdiction in which we operate has established its own privacy and data security legal framework, which may include compliance requirements for us, our customers and partners. For example, in Europe, the General Data Protection Regulation (the “EU GDPR”) contains robust obligations on data controllers and processors and fulsome documentation requirements for corporate data protection compliance programs. Our obligations under the EU GDPR and other similar regional European data privacy and protection regulations (collectively the “GDPR”) include stringent data protection and cybersecurity requirements, making it more costly to provide our services in a compliant manner and increasing our risk in the event of non-compliance. We are also certified under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System and the APEC Privacy Recognition for Processors System. A breach of these or other data protection regulations could result in regulatory investigations, reputational damage, fines and sanctions, orders to cease or change our processing of data, enforcement notices, or assessment notices (for a compulsory audit). Such penalties, which under GDPR may include fines up to the greater of €20 million (£17.5 million) or 4% of global turnover, are in addition to any civil litigation claims by customers and data subjects. We may also face civil claims including representative actions and other class action-type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm. Additionally, the GDPR imposes strict rules on the transfer of personal data out of the EU or the UK to any country whose laws have not been deemed by regulators in the EU or UK to ensure an “adequate” level of data protection safeguards (such as the U.S.), and requires appropriate transfer mechanisms and, in some cases, transfer impact assessments and supplementary measures. These obligations may evolve, be interpreted or applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other requirements or our practices. Legal developments in Europe, including the EU Data Act, continue to evolve, creating complexity and uncertainty regarding transfers of personal data from the EU and the UK to the U.S. We currently utilize a combination of Binding Corporate Rules and Standard Contractual Clauses as the approved data transfer mechanisms by the EU Commission for corresponding applicable data transfer activity. While we do not anticipate any immediate changes in our current operations, we will continue to monitor these legal developments. As supervisory authorities continue to issue further guidance on the cross-border transfers of personal data, we could incur greater costs and be required to modify the manner or location in which we operate.

A wide variety of state, national, and international laws, regulations, and industry standards apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal data and other information, the scope of which are consistently changing, subject to differing interpretations, and may be inconsistent across countries or conflict with other rules. Data protection and privacy-related laws and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices, systems, and compliance procedures in a manner adverse to our business. For more information on these laws and their impact on our business, see the risk factor “We are subject to laws and regulations affecting our business, including those related to e-signature, marketing, advertising, privacy, data protection and information security. Our actual or perceived failure to comply with laws or regulations could harm our business.” Internationally, virtually every jurisdiction in which we operate has established its own data privacy and security legal framework with which we, our customers and partners may need to comply. For example, in Europe, the General Data Protection Regulation (the “EU GDPR”) contains robust obligations on data controllers and processors and fulsome documentation requirements for data protection compliance programs by companies. As a result of our presence in Europe and the United Kingdom (“UK”) and our products and services being offered in the EU and the UK, we are subject to the EU GDPR and other similar regional European data privacy and protection regulations (collectively the “GDPR”), all of which impose stringent data protection and cybersecurity requirements, and could increase the risk of non-compliance and the costs of providing our services in a compliant manner. We are also certified as a Privacy Rights Processor under the Asia-Pacific Economic Cooperation. A breach of the GDPR, or other such data protection regulations, could result in regulatory investigations, reputational damage, fines and sanctions, orders to cease or change our processing of our data, enforcement notices, or assessment notices (for a compulsory audit). Such penalties, which under GDPR may include fines up to the greater of €20 million (£17.5 million) or 4% of global turnover, are in addition to any civil litigation claims by customers and data subjects. We may also face civil claims including representative actions and other class action-type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm. Additionally, the GDPR imposes strict rules on the transfer of personal data out of the EU or the UK to any country whose laws have not been deemed by regulators in the EU or UK to ensure an “adequate” level of data protection safeguards (such as the U.S.). These obligations may evolve, be interpreted or applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other requirements or our practices. For example, in June 2023, the European Commission adopted an adequacy decision (“UK Adequacy Decision”) which facilitates personal data sharing from the European Economic Area (“EEA”) to the UK without the need for additional data protection safeguards. The UK Adequacy Decision includes a “sunset clause”, rendering the decision valid for four years, after which it will be reviewed by the European Commission and renewed only if the European Commission considers that the UK continues to ensure an adequate level of data protection. The European Commission also stated that it would intervene at any point within the four years if the UK deviates from the level of protection presently in place. If this adequacy decision is reversed by the European Commission, it would require that companies implement protection measures such as the approved Standard Contractual Clauses for data transfers between the EU and the UK. Legal developments in Europe continue to evolve, creating complexity and uncertainty regarding transfers of personal data from the EU and the UK to the U.S. We currently utilize respective Binding Corporate Rules and Standard Contractual Clauses as the approved data transfer mechanisms by the EU Commission for corresponding applicable data transfer activity. While we do not anticipate any immediate changes in our current operations, we will continue to monitor these legal developments.

We use AI-powered tools and services as part of operating our business, and we also incorporate AI features and applications into our products and solutions. We are also making further investments in expanding AI capabilities in our products and solutions. AI technologies can be complex and are rapidly evolving, and while we believe that product features powered by next generation AI technologies, such as generative AI, will help drive the future growth of our business, there is no guarantee that such new product features will ultimately be successful. Our competitors and other third parties may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively. Furthermore, we are increasingly developing and deploying agentic AI workflows and autonomous agents designed to perform tasks and make decisions with limited human intervention. These agentic systems may act in ways that are unpredictable, exceed their intended authorization, or fail to align with our corporate policies or legal obligations. Errors, “hallucinations,” or unintended actions taken by these agents—especially in customer-facing or operationally critical environments—could lead to significant financial loss, data breaches, contractual breaches, or regulatory non-compliance. Furthermore, we may face allegations of “AI washing” if our disclosures about our AI capabilities or our AI-related governance are deemed to be exaggerated or misleading, which could result in enforcement actions, litigation or reputational harm. The development and use of AI present various intellectual property, data privacy, and security risks. Significant investment in the development and maintenance of proprietary datasets and training models and the development of appropriate protections, safeguards, and policies for handling the processing of data, including transparency of customer data extraction and usage in training models may be costly and may subject us to legal liability. Additionally, the agentic AI systems described above may inadvertently access or disclose sensitive information beyond their intended scope or be subject to “prompt injection” and other cyberattacks that could cause the agents to take unauthorized or harmful actions. Any integration of third-party AI functionality with our products and solutions relies on safeguards implemented by the third-party developers of the underlying AI models, including those related to the accuracy, bias, and other variables of the data, and these safeguards may be insufficient. The continued use of AI technology to develop our products and solutions may give rise to risks related to intellectual property infringement. If the AI technology we use generates code or materials that are similar to other proprietary code or materials, or to software that is protected by patents, we could be subject to intellectual property infringement claims. We may also not be able to anticipate and detect security vulnerabilities in such AI-generated software code, including those that could be induced by a maliciously trained AI model. To the extent we use third-party AI technology to develop software code, the terms of use of these tools may reserve rights in the generated code. We could also suffer loss of confidentiality, trade secret rights or other intellectual property rights or cause harm to privacy rights of third parties because of our use of AI technology. Existing laws and regulations may be interpreted, or new laws and regulations regarding AI have been and may in the future be adopted and interpreted, in ways which could negatively affect the way we use AI in our products. For example, the EU Artificial Intelligence Act prohibits certain AI applications and systems with unacceptable risk and imposes additional requirements on the use of other high-risk or limited-risk AI applications or systems, which may require the implementation of additional quality assurance controls and measures to be reviewed and approved by regulatory submissions of our products. In the U.S., ongoing tension between the states and the federal government over how best to regulate AI may result in increased uncertainty, risk and compliance costs for our business. Intellectual property ownership issues, licensing and privacy rights surrounding AI technologies are evolving and have not been fully addressed by U.S. federal or state courts or foreign jurisdictions, which may expose us to claims of intellectual property infringement or misappropriation or privacy rights violations, or result in inquiries by government bodies or agencies. A number of jurisdictions, including many U.S. states such as California and Colorado, have proposed or enacted laws regarding automated decision‑making, algorithmic discrimination and so called “high‑risk” AI technologies (mandating, among other provisions, requirements for risk management, impact assessments, consumer notices and human oversight), which may impact our use of AI and AI-powered tools. If the content, analyses, or recommendations arising from our AI product offerings are, or are alleged to be, inaccurate, deficient, offensive, or biased, or if they have a perceived or actual negative impact on human rights, privacy rights, employment, or in other social contexts, we may experience brand and reputational harm or legal liability, and our business, financial condition, and results of operations may be adversely affected. The significant technical complexity of AI technology also requires specialized expertise and may increase compensation-related expenses. Competition for specialized personnel in the AI industry is intense, and failing to attract, integrate, or retain such expertise could adversely affect our business. Finally, the AI models we develop may not perform as expected when deployed, which could lead to financial losses or harm our competitive position. Any of the foregoing risks could adversely affect our business, financial condition, and results of operations.

We use AI-powered tools and services as part of operating our business, and also incorporate AI features and applications into our products and solutions and are making further investments in expanding AI capabilities in our products and solutions. AI technologies can be complex and are rapidly evolving, and while we believe that product features powered by next generation AI technologies, such as generative AI, will help drive the future growth of our business, there is no guarantee that such new product features will ultimately be successful. Our competitors and other third parties may incorporate AI into their products more quickly or more successfully than us, all of which could impair our ability to compete effectively and may adversely affect our results of operations. This use of AI in our products and solutions may present new and evolving challenges, including reputational harm, competitive harm, and legal liability, and adversely affect our results of operations. Additionally, AI technology may lower barriers to entry in our industry and we may be unable to effectively compete with the products or services offered by new competitors. AI-related changes to the products and services on offer may affect our customers’ expectations or requirements in ways we cannot adequately anticipate or adapt to, causing our business to lose sales, market share, or the ability to operate profitably and sustainably. The development and use of AI features and applications present various intellectual property, data privacy, security and reliability risks that may impact our business. We may choose to significantly invest in the development and maintenance of proprietary datasets and training models and the development of appropriate protections, safeguards, and policies for handling the processing of data, including transparency of customer data extraction and usage in training models, with our AI features and applications, which may be costly and subject us to legal liability. Furthermore, any integration of third-party AI models with our products and solutions relies on certain safeguards implemented by the third-party developers of the underlying AI models, including those related to the accuracy, bias, and other variables of the data, and these safeguards may be insufficient. These risks could negatively impact our business, financial condition, and results of operations. Existing laws and regulations may be interpreted, or new laws and regulations regarding AI have been and may in the future be adopted and interpreted, in ways which could negatively affect the way we use AI in our products. For example, the EU Artificial Intelligence Act prohibits certain AI applications and systems with unacceptable risk and imposes additional requirements on the use of other high-risk or limited-risk AI applications or systems, which may require the implementation of additional quality assurance controls and measures to be reviewed and approved by regulatory submissions of our products. Intellectual property ownership issues, licensing and privacy rights surrounding AI technologies are evolving and have not been fully addressed by U.S. federal or state courts or foreign jurisdictions, which may expose us to claims of intellectual property infringement or misappropriation or privacy rights violations, or result in inquiries by government bodies or agencies. For example, the U.S. Federal Trade Commission initiated multiple AI-related inquiries over the past several years and sent requests to technology companies, including Docusign, seeking additional information about their AI usage and policies. The rapid evolution of AI technologies will require significant resources in research and development in order to develop, test and maintain our platform and products to minimize any potential harmful impact on our business, financial condition, and results of operations. The continued use in our business and incorporation of AI-powered features and applications into our products and solutions may subject us to new and evolving regulatory scrutiny, litigation, social or ethical concerns, unforeseen operational failures, potential for biased or incorrect outputs, or other risks that could harm our business, reputation, brand, and our results of operations. For example, if the content, analyses, or recommendations arising from our AI product offerings are, or are alleged to be, inaccurate, deficient, offensive, or biased, or if they have a perceived or actual negative impact on human rights, privacy rights, employment, or in other social contexts, we may experience brand and reputational harm or legal liability, and our business, financial condition, and results of operations may be adversely affected. Additionally, the significant technical complexity of AI technology will require specialized expertise and may increase compensation-related expenses. Competition for specialized personnel in the AI industry is intense, and failing to attract, integrate, or retain such specialized expertise in AI could adversely affect our business and results of operations. There is also the possibility that the AI models we develop may not perform as expected when deployed, which could hinder our product offerings, impact our competitiveness in the market, or lead to financial losses.

•Any decrease in adoption or sales of our eSignature product, without corresponding adoption or sales of our other solutions in our IAM platform. •Our IAM platform failing to achieve market acceptance or to meet our customers’ evolving needs. •Disruptions to our business, strategy and demand for our solutions due to advances in, and uses of, AI and other technologies. •Any inability to deliver excellent service and support to customers, retain and expand sales to existing customers, and attract new customers. •Damage to our systems, data, reputation, brand and customer trust due to data breaches, cyberattacks, malicious activity, or failures of our (or third party cloud providers’) technical infrastructure. •Our inability to compete in an evolving and highly competitive market. •Any real or perceived improper use of, disclosure of, or access to sensitive customer data. •An over-estimation of our market opportunity. •Any loss of highly skilled personnel, including our management team or other key employees, or inability to attract, integrate and retain such employees necessary to support our business. •Our inability to maintain successful relationships with our strategic partners or to establish and maintain relationships with partners that provide complementary technology. •Any inability to effectively develop and expand our marketing and sales capabilities.

•Any decrease in adoption or sales of our eSignature product, without corresponding increases in our other solutions in our IAM platform. •Any inability to attract new customers and retain and expand sales to existing customers. •Our IAM platform failing to achieve market acceptance or to meet our customers’ evolving needs. •Our inability to compete in an evolving and highly competitive market. •Our systems and security measures being compromised or subject to data breaches, cyberattacks, or other malicious activity, and any harm to our business or reputation caused by malicious actors attempting to exploit our technology, platform or brand to defraud others. •Any real or perceived improper use of, disclosure of, or access to sensitive customer data. •An over-estimation of our market opportunity. •Any interruption or delay in performance from our technical infrastructure, including third-party cloud providers. •The implementation of AI in our business, and the legal, regulatory, reputational and business risks relating to its use. •Any loss of highly skilled personnel, including our management team or other key employees, or inability to attract, integrate, and retain such employees necessary to support our business. •Our inability to maintain successful relationships with our strategic partners or to establish and maintain relationships with partners that provide complementary technology. •Any inability to effectively develop and expand our marketing and sales capabilities.

We are a U.S.-based multinational company subject to tax in multiple U.S. and foreign tax jurisdictions. Significant judgment is required in determining our global provision for income taxes, deferred taxes and other tax liabilities and receivables, and in evaluating our tax positions and other tax attributes on a worldwide basis. We are subject to the periodic examination of our domestic and foreign tax returns by the Internal Revenue Service, state, local, and foreign tax authorities, some of whom are challenging our tax positions. We regularly assess the likelihood of adverse outcomes from these examinations in determining the adequacy of our provision for income taxes and other tax liabilities and have reserved for potential adjustments that may result from these examinations. While we believe our tax estimates are reasonable, the ultimate outcome may differ from the amounts recorded in our financial statements and could materially affect our financial results in the period or periods for which such determination is made. We consider many factors when evaluating and estimating our tax positions and tax benefits, which may require periodic adjustments and may not accurately forecast actual tax audit outcomes. If the ultimate determination of income and other tax liabilities differ from the amounts recorded or accrued, our business, financial condition or results of operations may be adversely impacted. Changes in tax laws or tax rulings, or changes in interpretations of existing laws, could materially affect our financial position, results of operations, and cash flows. Tax laws are regularly being re-examined and evaluated globally. New laws and interpretations of the law are taken into account for financial statement purposes in the quarter or year that they become applicable. Tax authorities are increasingly scrutinizing the tax positions and transfer pricing of companies and we are (and may continue to be) subject to tax audits in a number of jurisdictions. Over the last several years, the Organization for Economic Cooperation and Development (“OECD”) has been working on a Base Erosion and Profit Shifting Project that, if implemented, would change various aspects of the existing framework under which our tax obligations are determined in many of the countries in which we do business. A number of countries have enacted legislation to implement the OECD’s 15% global minimum tax regime. As additional jurisdictions enact legislation, transitional relief expires, and other provisions of the minimum tax legislation become effective, our effective tax rate and cash tax payments could increase in future years.

We operate globally and are subject to taxes in the U.S. and numerous other jurisdictions throughout the world, and the tax regimes we are subject to or operate under, including income and non-income taxes, are unsettled and may be subject to significant change. The U.S., other jurisdictions or governmental bodies, such as the European Commission of the European Union, and intergovernmental economic organizations, such as the Organization for Economic Cooperation and Development, have made or could make unprecedented assertions about how taxation is determined and, in some cases, have proposed or enacted new laws that are contrary to the way in which rules or regulations have historically been interpreted and applied. For example, in 2021, the Organization for Economic Cooperation and Development announced Pillar Two Model Rules defining the global minimum tax, which calls for the taxation of large multinational corporations at a minimum of 15%. Many non-U.S. tax jurisdictions have either recently enacted legislation to adopt certain components of the Pillar Two Model Rules beginning in 2024, including the adoption of additional components in later years, or announced their plans to enact legislation in future years. Our effective tax rate could increase in future years as a result of these changes, which could have an adverse impact on our business and operating results. Additionally, our corporate structure and associated transfer pricing policies contemplate future growth into international markets, and consider the functions, risks and assets of the various entities involved in the intercompany transactions. We may be subject to taxation in international jurisdictions with increasingly complex tax laws and precedents which could have an adverse effect on our liquidity and operating results. The amount of taxes we pay in these different jurisdictions may depend on the application of the tax laws of those jurisdictions, including the U.S., to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. Furthermore, tax authorities in the jurisdictions in which we operate may challenge our transfer pricing policies and intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency. In addition, the authorities in these jurisdictions could review our tax returns and impose additional tax, interest and penalties, and the authorities could claim that various withholding requirements apply to us or to our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries which could have a material impact on us and the results of our operations.