Cloudflare Inc.: 10-K Risk Factor Changes

We have incurred net losses in all periods since we began operations and we may not achieve or maintain profitability in the future. We experienced net losses of $183.9 million, $193.4 million, and $260.3 million for the years ended December 31, 2023, 2022, and 2021, respectively, and as of December 31, 2023, we had an accumulated deficit of $1,023.8 million. Because the markets for our products are rapidly evolving, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase over the next several years as we continue to hire additional personnel, expand our operations and infrastructure both domestically and internationally, and continue to develop our products. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.

We have incurred net losses in all periods since we began operations and we may not achieve or maintain profitability in the future. We experienced net losses of $193.4 million, $260.3 million, and $119.4 million for the years ended December 31, 2022, 2021, and 2020, respectively, and as of December 31, 2022, we had an accumulated deficit of $839.9 million. Because the markets for our products are rapidly evolving, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase over the next several years as we continue to hire additional personnel, expand our operations and infrastructure both domestically and internationally, and continue to develop our products. In addition to the expected costs to grow our business, we also are incurring significant additional legal, accounting, and other expenses as a public company, as described in greater detail in the risk factors below. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.

In August 2021, we issued $1,293.8 million in aggregate principal amount of the 2026 Notes. As of December 31, 2023, the remaining aggregate principal amount was $1,293.8 million of the 2026 Notes. Our ability to make scheduled payments of the principal of, or to refinance our indebtedness, including the 2026 Notes, depends on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt, or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Our ability to refinance any future indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, any of our future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt. In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could: •make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry, and competitive conditions and adverse changes in government regulation; •limit our flexibility in planning for, or reacting to, changes in our business and our industry; •place us at a disadvantage compared to our competitors who have less debt; •limit our ability to borrow additional amounts to fund acquisitions, for working capital, and for other general corporate purposes; and •make an acquisition of our company less attractive or more difficult. Any of these factors could harm our business, results of operations, and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.

In May 2020, we issued $575.0 million in aggregate principal amount of the 2025 Notes and in August 2021, we issued $1,293.8 million in aggregate principal amount of the 2026 Notes. Our ability to make scheduled payments of the principal of, to pay interest on or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt, or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Our ability to refinance any future indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, any of our future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt. In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could: •make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry, and competitive conditions and adverse changes in government regulation; •limit our flexibility in planning for, or reacting to, changes in our business and our industry; •place us at a disadvantage compared to our competitors who have less debt; •limit our ability to borrow additional amounts to fund acquisitions, for working capital, and for other general corporate purposes; and •make an acquisition of our company less attractive or more difficult. Any of these factors could harm our business, results of operations, and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase. 63 63 63 Table of contents Table of contents

We believe our offering of an integrated global network that includes facilities in China is important to our existing and potential future customers. Our ability to continue to offer an integrated network presence that includes China currently is dependent on our commercial relationship with JD Cloud. Regulation of Internet infrastructure and traffic by the Chinese government creates challenges to the peering of Chinese and non-Chinese networks. We have a strategic agreement with JD Cloud to provide solutions that accommodate the requirements imposed by Chinese regulations through JD Cloud's development and operation of facilities in China that are included as part of our network. Our original agreement with JD Cloud was announced in 2020 and was set to expire in April 2023. A new agreement, extending the relationship, was executed in April 2023 and is set to expire in March 2026. The new agreement contains economic terms that are less favorable to us than the terms of the original agreement. Consistent with the original agreement, our new agreement with JD Cloud is subject to earlier termination by either party under certain circumstances such as the other party’s material breach and can be terminated by JD Cloud 56 56 56 Table of contents Table of contents under certain circumstances if necessary Chinese governmental approvals are revoked or become limited or impaired or if public law or regulatory action by the Chinese or U.S. government expressly prohibits or materially restricts the collaboration contemplated by the agreement. The risk of such an early termination event may have increased during the current environment of economic trade negotiations and tensions between the Chinese and U.S. governments. Our customers that use our network presence in China through our JD Cloud commercial relationship are subject to Chinese laws and regulations of Internet infrastructure, traffic, and content. Under our agreement with JD Cloud, in some circumstances, these customers’ use of our Chinese network presence can be terminated if they violate these laws and regulations. The removal of our customers from our Chinese network presence could result in these customers deciding to terminate their overall relationship with us. In addition, any adverse publicity associated with the removal of some or all of our customers from our Chinese network presence as a result of the application of Chinese laws and regulations could cause us to experience adverse reputational and business consequences. If our commercial relationship with JD Cloud is terminated, identifying an alternative solution in China could be difficult, time-consuming, and expensive. Even if an alternative solution is identified, we cannot be certain that the economic terms or performance of any such alternative arrangement will be comparable to our existing relationship with JD Cloud, which could materially negatively impact our financial results and customer satisfaction with such alternative arrangement. A lack of network presence in China would represent a significant loss of utility to many of our customers and could materially harm our business, financial condition, or results of operations.

We believe our offering of an integrated global network that includes facilities in China is important to our existing and potential future customers. Our ability to continue to offer an integrated network presence that includes China currently is dependent on our commercial relationship with JD Cloud. Regulation of Internet infrastructure and traffic by the Chinese government creates challenges to the peering of Chinese and non-Chinese networks. We have a strategic agreement with JD Cloud to provide solutions that accommodate the requirements imposed by Chinese regulations through JD Cloud's development and operation of facilities in China that are included as part of our network. Our agreement with JD Cloud was announced in 2020 and the term of the agreement expires on April 1, 2023. We are in the process of negotiating a new or extended agreement with JD Cloud but there can be no assurance that we will be able to extend our agreement with JD Cloud in the future. In addition, even if we are successful in extending the agreement, we currently believe the terms likely will be less favorable to us than the existing terms of the agreement. Our agreement with JD Cloud is subject to earlier termination by either party under certain circumstances such as the other party’s material breach. In addition, this agreement can be terminated by JD Cloud under certain circumstances if necessary Chinese governmental approvals are revoked or become limited or impaired or if public law or regulatory action by the Chinese or U.S. government expressly prohibits or materially restricts the collaboration contemplated by the agreement. The risk of such an early termination event may have increased during the current environment of economic trade negotiations and tensions between the Chinese and U.S. governments. Our customers that use our network presence in China through our JD Cloud commercial relationship are subject to Chinese laws and regulations of Internet infrastructure, traffic, and content. Under our agreement with JD Cloud, in some circumstances, these customers’ use of our Chinese network presence can be terminated if they violate these laws and regulations. The removal of our customers from our Chinese network presence could result in these customers deciding to terminate their overall relationship with us. In addition, any adverse publicity associated with the removal of some or all of our customers from our Chinese network presence as a result of the application of Chinese laws and regulations could cause us to experience adverse reputational and business consequences. If our commercial relationship with JD Cloud is terminated, identifying an alternative solution in China could be difficult, time-consuming, and expensive. Even if an alternative solution is identified, we cannot be certain that the economic terms or performance of any such alternative arrangement will be comparable to our existing relationship with JD Cloud, which could materially negatively impact our financial results and customer satisfaction with such alternative arrangement. A lack of network presence in China would represent a significant loss of utility to many of our customers and could materially harm our business, financial condition, or results of operations.

We operate in a number of tax jurisdictions globally, including in the United States at the federal, state, and local levels, and in many other countries, and plan to continue to expand the scale of our operations in the future. As a result, we are subject to income tax in the United States and a number of other jurisdictions. In the ordinary course of our global business, we are also subject to various jurisdictional rules regarding the timing and allocation of revenue and expenses, resulting in intercompany transactions and calculations where the ultimate tax determination is uncertain. To the extent taxing authorities may disagree with our positions, it could result in additional taxes, interest, and penalties. Significant judgment is required in determining our worldwide provision for income taxes. Our effective income tax rate may be impacted by changes in the mix of earnings in countries with differing statutory tax rates, changes in non-deductible expenses, changes in excess tax benefits from stock-based compensation, changes in the valuation of deferred tax assets and liabilities and our ability to utilize them, the applicability of withholding taxes, and the effects from acquisitions. Changes in accounting principles, changes in global tax laws, regulations or rates, or changes in taxing jurisdictions’ administrative interpretations, decisions, policies, and positions could also impact our provision for income taxes. For example, the United States enacted the Inflation Reduction Act in August 2022, which, among other provisions, implements a 15% corporate alternative minimum tax on adjusted financial statement income, effective in taxable years beginning after December 31, 2022, and a 1% excise tax on share repurchases, effective for repurchases made after December 31, 2022, which could include transactions with respect to capped call transactions such as those we entered into in 2020 and 2021. Additionally, the Organization for Economic Cooperation and Development (OECD) published model rules within the OECD/G20 Inclusive Framework on Base Erosion and Profit Shifting (the Inclusive Framework) to address the challenges arising from the digitalization of the global economy. The Inclusive Framework includes provisions related to the taxation of the digital economy and the establishment of a 15% global minimum tax under Pillar Two. While several countries have adopted, or intend to adopt, parts of the Inclusive Framework, some other countries are considering similar changes to their existing tax laws. Any of the foregoing changes could have an adverse impact on our results of operations, cash flows, and financial condition. From time to time, we may be subject to income tax audits. While we believe our tax estimates are reasonable and that we have complied with all applicable tax laws, there can be no assurance that a governing tax authority will not have a different interpretation of the law and assess us with additional taxes, including with respect to intercompany transfer pricing. We cannot ensure that the final determination of tax audits or tax disputes will not be different from 52 52 52 Table of contents Table of contents what is reflected in our historical income tax provisions and accruals and that the outcomes from these continuous examinations will not have an adverse effect on our results of operations.

We operate in a number of tax jurisdictions globally, including in the United States at the federal, state, and local levels, and in many other countries, and plan to continue to expand the scale of our operations in the future. As a result, we are subject to income tax in the United States and a number of other jurisdictions. Our domestic and international income tax liabilities are subject to various jurisdictional rules regarding the timing and allocation of revenue and expenses. Significant judgment is required in determining our worldwide provision for income taxes. In the ordinary course of our global business, there are many intercompany transactions and calculations where the ultimate tax determination is uncertain. Our effective income tax rate may be impacted by changes in the mix of earnings in countries with differing statutory tax rates, changes in non-deductible expenses, changes in excess tax benefits from stock-based compensation, changes in the valuation of deferred tax assets and liabilities and our ability to utilize them, the applicability of withholding taxes, and effects from acquisitions. Our tax provision for income taxes could also be impacted by changes in accounting principles, changes in U.S. federal, state, or international tax laws, regulations or rates, or changes in taxing jurisdictions’ administrative interpretations, decisions, policies, and positions. For example, the United States enacted the Inflation Reduction Act in August 2022, which, among other provisions, implements a 15% corporate alternative minimum tax on adjusted financial statement income, effective in taxable years beginning after December 31, 2022, and a 1% excise tax on share repurchases, effective for repurchases made after December 31, 2022, which could include transactions with respect to our capped calls. Additionally, the Organization for Economic Cooperation and Development has published proposals related to a number of issues, including a long-term, multilateral proposal on the taxation of the digital economy, and a global minimum tax. A number of other jurisdictions are also considering enacting, or have enacted, similar digital tax regimes aimed at capturing tax revenue on digital services more immediately. Any of the foregoing changes could have an adverse impact on our results of operations, cash flows, and financial condition. From time to time, we may be subject to income tax audits. While we believe our tax estimates are reasonable and that we have complied with all applicable tax laws, there can be no assurance that a governing tax authority will not have a different interpretation of the law and assess us with additional taxes, including with respect to intercompany transfer pricing. We cannot ensure that the final determination of tax audits or tax disputes will not be different from what is reflected in our historical income tax provisions and accruals and that the outcomes from these continuous examinations will not have an adverse effect on our results of operations.

We receive, store, use, and otherwise process personal information and other information relating to individuals. There are numerous federal, state, local, and international laws and regulations regarding privacy, data protection, information security, and the storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other content, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions, or conflict with other rules. Not only is the number of data protection laws rising 49 49 49 Table of contents Table of contents globally and within the United States, but existing laws and regulations are evolving. Together, this legislative framework may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. For example, the EU’s General Data Protection Regulation (GDPR) imposes stringent data protection requirements and provides for penalties for noncompliance of up to the greater of €20 million or four percent of worldwide annual revenues. In addition, the GDPR and the data protection laws of a number of other jurisdictions such as Japan, China, and South Korea, prohibit cross-border data transfers unless certain contractual and other conditions are met. This requires us to incur substantial costs and engage in additional contract negotiations with some of our customers and vendors to ensure the conditions established by these data protection regulations are met. Some countries are also considering or have enacted legislation and/or certification schemes requiring local storage and processing of data, or other sovereignty-oriented requirements, that could increase the cost and complexity of delivering our services. For example, the European Union Agency for Cybersecurity’s draft version of the European Cybersecurity Certification Scheme for Cloud Services would require EU data sovereignty for companies seeking to obtain the highest certification level. In addition, the interpretation of existing privacy, data protection, and information security laws and regulations by governmental entities and the courts may change significantly over time in a manner that can have a significantly adverse impact on both our business and our customers’ businesses. For example, in July 2020, the Court of Justice of the European Union (CJEU) in the "Schrems II" case invalidated the U.S.-EU Privacy Shield that was widely used by us and other companies to allow for the lawful transfer of personal data of European Economic Area (EEA) residents to the United States for processing under the GDPR and placed additional requirements on the use of the EU Standard Contractual Clauses (EU SCCs) as a mechanism for transferring EEA personal data to the United States. We incurred substantial costs and needed to engage in additional contract negotiations with some of our customers and vendors in connection with updated EU SCCs and the United Kingdom addendum to the EU SCCs or other appropriate contractual provisions that we sought to put in place with our customers and vendors. In July 2023, the European Commission adopted an adequacy decision for the new EU-U.S. Data Privacy Framework, which is designed to address the concerns raised in the Schrems II case. However, the European Commission’s adequacy decision regarding this framework will be subject to future reviews and may be subject to suspension, amendment, repeal, or limitations to its scope by the European Commission. While this new framework may serve as a means for cloud service providers like our company to freely transfer EU personal data to the United States, many aspects of this new framework remain uncertain. It has already been subject to legal challenge, and some customers and vendors are unwilling to rely on the new framework due to this uncertainty. In addition, in January 2023, the European Data Protection Board issued its 2022 Coordinated Enforcement Action on the use of cloud-based services by the public sector, in which it expressed concerns that EU public sector entities may not be able to use U.S.-based cloud service providers consistently with GDPR due to their concerns about the ability of U.S. government agencies to access EU personal data. Whether as a result of this or otherwise, we may continue to see more findings from privacy regulators around the world against cloud service providers relating to cross-border personal data transfers, and may find it necessary or appropriate to modify our policies and practices to address any such findings or other legislative developments relating to cross-border personal data transfers. Implementing any new guidance from applicable regulatory authorities and otherwise responding to or addressing developments relating to cross-border personal data transfers may result in substantial costs, require changes to our policies and business practices, require us to engage in additional contractual negotiations, limit our ability to provide certain products in certain jurisdictions, limit our ability to provide certain products to certain customers, or materially adversely affect our business and operating results. Meanwhile, the United Kingdom's data protection legislation is substantially consistent with the GDPR, and the UK has adopted an extension to the EU-U.S. Data Privacy Framework, but it remains to be seen how data transfers to and from the United Kingdom will be regulated and enforced in the longer term. To the extent future United Kingdom data protection requirements diverge significantly from the GDPR, they may result in substantial costs, require changes to our business practices, limit our ability to provide certain products in certain jurisdictions, limit our ability to provide certain products to certain customers, or materially adversely affect our business and operating results. We also expect that there will continue to be new, and amendments to existing, laws, regulations, and industry standards concerning privacy, data protection, and information security proposed and enacted in the United States and various individual U.S. states. In the United States, various federal laws and regulations already apply to the 50 50 50 Table of contents Table of contents collection, processing, disclosure and security of certain types of data, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996, and the Gramm-Leach-Bliley Act. In addition, there are also a number of recently enacted or proposed U.S. federal and state privacy and data protection bills in Congress and state legislatures across the country. We are also subject to the terms of our privacy policies and contractual obligations to third parties related to privacy, data protection, and information security. We strive to comply with applicable laws, regulations, policies, and other legal obligations relating to privacy, data protection, and information security to the extent possible. However, the regulatory framework for privacy and data protection worldwide is evolving rapidly, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. As data protection compliance complexity grows, we may be required to incur substantial costs to adapt our policies and business practices as well as engage in additional contractual negotiations. Any failure or perceived failure by us to comply with our privacy policies, our privacy-related obligations to customers or other third parties, applicable laws or regulations, or any of our other legal obligations relating to privacy, data protection, or information security may result in governmental investigations or enforcement actions, litigation, claims, or public statements against us by consumer advocacy groups or others and could result in significant liability or cause our customers to lose trust in us, which could cause them to cease or reduce use of our products and otherwise have an adverse effect on our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the adoption and use of, and reduce the overall demand for, our products. Additionally, if third parties we work with, such as sub-processors, vendors, or developers, violate applicable laws or regulations, contractual obligations, or our policies—or if it is perceived that such violations have occurred—such actual or perceived violations may also have an adverse effect on our business. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, disclosure, or other processing of users’ content, or regarding the manner in which the express or implied consent of users for the collection, use, retention, disclosure, or other processing of such content is obtained, could increase our costs and require us to modify our network, products, and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and process customer data or develop new products and features.

We receive, store, use, and otherwise process personal information and other information relating to individuals. There are numerous federal, state, local, and international laws and regulations regarding privacy, data protection, information security, and the storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other content, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions, or conflict with other rules. These laws and regulations are evolving and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. For example, the EU’s General Data Protection Regulation (the GDPR) imposes stringent data protection requirements and provides for penalties for noncompliance of up to the greater of €20 million or four percent of worldwide annual revenues. The number of data protection laws globally is rising as well as more countries have in place or are exploring new or updated comprehensive data protection regimes. Some countries are also considering or have enacted legislation requiring local storage and processing of data that could increase the cost and complexity of delivering our services. For example, China, Korea, and Japan maintain comprehensive privacy and data protection regimes that, among other matters, regulate cross-border data transfers. In addition, the interpretation of existing privacy, data protection, and information security laws and regulations by governmental entities and the courts may change significantly over time in a manner that can have a significantly adverse impact on both our business and our customers’ businesses. For example, in July 2020, the Court of Justice of the European Union (CJEU) in the "Schrems II" case invalidated the U.S.-EU Privacy Shield that was widely used under the GDPR to allow for the lawful transfer of personal data of European Economic Area (EEA) residents to the United States for processing and placed additional requirements on the use of the EU Standard Contractual Clauses (EU SCCs) as a mechanism for transferring EEA personal data to the United States. In order to comply with the applicable deadlines to have 48 48 48 Table of contents Table of contents updated EU SCCs, and the United Kingdom addendum to the EU SCCs or other appropriate contractual provisions, in place with our customers and vendors, we may incur substantial costs or need to engage in additional contract negotiations. The CJEU decision created regulatory uncertainty that has been compounded by varying interpretations of the decision by independent data protection regulators throughout Europe, including in the EEA and Switzerland. For example, in December 2022, the Portuguese data protection authority, Comissão Nacional de Protecção de Dados (CNPD), issued a decision fining the Portuguese National Statistics Institute, I.P. (INE) €4.3 million for violations of the GDPR, finding in part that INE’s implementation of Cloudflare’s services was in violation of the GDPR. Other EU data protection authorities have also issued decisions directing EU private- and public-sector entities to stop using specific U.S. cloud service providers where they found that use of those providers resulted in the transfer of EEA personal data to the United States in a manner that did not meet the standard set in the Schrems II case. Recently, the European Data Protection Board (EDPB) issued its 2022 Coordinated Enforcement Action on the use of cloud-based services by the public sector in which they expressed concerns that EU public sector entities may not be able to use U.S.-based cloud service providers consistently with GDPR due to their concerns about the ability of U.S. government agencies to access EU personal data stored in Europe pursuant to the U.S. CLOUD Act. In December 2022, the European Commission issued a positive draft adequacy decision paving the way for a new EU-U.S. Privacy Framework potentially to take effect in 2023, that is designed to address the concerns raised in the Schrems II case. While this new framework, if and when implemented, may serve as a means for cloud service providers to address concerns raised in the Schrems II case, many aspects of this new framework and steps necessary for its implementation remain uncertain, and it is unclear we will find it appropriate for our use or seek to use it. It also may be subject to legal challenge. We may continue to see more findings from privacy regulators against cloud service providers relating to cross-border personal data transfers, and may find it necessary or appropriate to modify our policies and practices to address any such findings or other legislative developments relating to cross-border personal data transfers. Implementing any new guidance from applicable regulatory authorities and otherwise responding to or addressing developments relating to cross-border personal data transfers may result in substantial costs, require changes to our policies and business practices, require us to engage in additional contractual negotiations, limit our ability to provide certain products in certain jurisdictions, limit our ability to provide certain products to certain customers, or materially adversely affect our business and operating results. Meanwhile, although the United Kingdom has enacted legislation that is substantially consistent with the GDPR and the European Commission formally adopted an adequacy decision under GDPR to provide for the free flow of personal data between the EU and the United Kingdom, it remains to be seen how data transfers to and from the United Kingdom will be regulated and enforced in the longer term. To the extent future United Kingdom data protection requirements diverge significantly from the GDPR, they may result in substantial costs, require changes to our business practices, limit our ability to provide certain products in certain jurisdictions, limit our ability to provide certain products to certain customers, or materially adversely affect our business and operating results. We also expect that there will continue to be new laws, regulations, and industry standards concerning privacy, data protection, and information security proposed and enacted in the United States and various individual U.S. states. In the United States, various federal laws and regulations already apply to the collection, processing, disclosure and security of certain types of data, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996, and the Gramm-Leach-Bliley Act. In addition, there are also a number of recently enacted or proposed U.S. federal and state privacy and data protection bills in Congress and state legislatures across the country. For example, the California Consumer Privacy Act (as amended effective January 1, 2023) requires covered companies to provide new disclosures to California consumers, to afford such consumers new abilities to access and delete their personal information, and to opt-out of certain sales of personal information. A Virginia privacy law also went into effect January 1, 2023, and privacy laws in Colorado, Connecticut, and Utah will go into effect in 2023. Moreover, numerous other U.S. states in which we operate and the U.S. federal government are also considering privacy legislation. We are also subject to the terms of our privacy policies and contractual obligations to third parties related to privacy, data protection, and information security. We strive to comply with applicable laws, regulations, policies, and other legal obligations relating to privacy, data protection, and information security to the extent possible. However, the regulatory framework for privacy and data protection worldwide is evolving rapidly, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. 49 49 49 Table of contents Table of contents Any failure or perceived failure by us to comply with our privacy policies, our privacy-related obligations to customers or other third parties, applicable laws or regulations, or any of our other legal obligations relating to privacy, data protection, or information security may result in governmental investigations or enforcement actions, litigation, claims, or public statements against us by consumer advocacy groups or others and could result in significant liability or cause our customers to lose trust in us, which could cause them to cease or reduce use of our products and otherwise have an adverse effect on our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the adoption and use of, and reduce the overall demand for, our products. Additionally, if third parties we work with, such as sub-processors, vendors, or developers, violate applicable laws or regulations, contractual obligations, or our policies—or if it is perceived that such violations have occurred—such actual or perceived violations may also have an adverse effect on our business. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, disclosure, or other processing of users’ content, or regarding the manner in which the express or implied consent of users for the collection, use, retention, disclosure, or other processing of such content is obtained, could increase our costs and require us to modify our network, products, and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and process customer data or develop new products and features.

We generate revenue primarily from subscriptions to our products. We offer subscription plans that provide varying degrees of functionality, and also offer separate subscriptions to various add-on products and network functionality. We have limited experience with respect to determining the optimal prices and pricing models for some of our newer subscription plans and products, as well as our bundled sales of products and solutions and our recently-introduced 30 30 30 Table of contents Table of contents professional services to assist some of our large customers in their migration from existing vendors and otherwise with the configuration and use of our products. As the markets for our products mature, as we enter into newer product markets for our business, as we shift the way in which we sell our products and solutions, or as new competitors introduce new products or services that compete with ours, we may be unable to attract new customers or retain existing customers at the same price or based on the same pricing model as we have used historically. Moreover, our increasing focus on larger customers may lead to greater price concessions in the future or have a more significant impact period to period on our revenue and results of operations. As a result, in the future we may be required to reduce our prices, which could adversely affect our revenue, gross margin, profitability, financial condition, and cash flow. We also have limited experience in determining which products and functionality to offer as part of our subscription plans, which to offer as add-on products, and which related products to sell in bundles. Our limited experience in determining the optimal manner in which to bundle and price our various products and functionalities could reduce our ability to capture the value delivered by our offerings, which could adversely impact our business, results of operations, and financial condition.

We generate revenue primarily from subscriptions to our network and products. We offer subscription plans that provide varying degrees of functionality, and also offer separate subscriptions to various add-on products and network functionality. We have limited experience with respect to determining the optimal prices and pricing models for our subscription plans and products, particularly with respect to our newer products and solutions. As the markets for our products mature, as we enter into newer product markets for our business, or as new competitors introduce new products or services that compete with ours, we may be unable to attract new customers or retain existing customers at the same price or based on the same pricing model as we have used historically. Moreover, our increasing focus on larger customers may lead to greater price concessions in the future or have a more significant impact period to period on our revenue and results of operations. As a result, in the future we may be required to reduce our prices, which could adversely affect our revenue, gross margin, profitability, financial condition, and cash flow. We also have limited experience in determining which products and functionality to offer as part of our subscription plans and which to offer as add-on products. Our limited experience in determining the optimal manner in which to bundle our various products and functionalities could reduce our ability to capture the value delivered by our offerings, which could adversely impact our business, results of operations, and financial condition.

Any interruption or delay in our customers’ or partners’ access to our network and products will negatively impact our customers. Our customers depend on the continuous availability of our network for the delivery and use of our products, and our products are designed to operate without interruption, including up to 100% uptime guarantee for our Business and Enterprise plans. If all or a portion of our network were to fail, our customers and partners could lose access to their internal network and/or the Internet as a whole until such disruption is resolved or they deploy disaster recovery options that allow them to bypass our network. The adverse effects of any network interruptions 40 40 40 Table of contents Table of contents on our reputation and financial condition may be heightened due to the nature of our business and our customers’ expectation of continuous and uninterrupted Internet access and low tolerance for interruptions of any duration. In addition, because some of our customers’ most critical applications are protected by our products and network and these customers may not be using other providers for similar services, the adverse effect of network disruptions to these customers could be particularly severe. The impact of an interruption in access to our network and products could also impact the ability to run our own business because we use a number of our products in the operation of our business. While we do not consider them to have been material, we have experienced a limited number of network outages over the past five years, and we may in the future experience network disruptions and other performance problems, in each case due to a variety of factors. The following factors, many of which are beyond our control, can affect the delivery, performance, and availability of our network and products: •the development, maintenance, and functioning of the infrastructure of the Internet as a whole; •the performance and availability of third-party telecommunications services with the necessary speed, data capacity, and security for providing reliable Internet access and services; •decisions by the owners and operators of the co-location and ISP-partner facilities where our network infrastructure is deployed or by global telecommunications service provider partners who provide us with network bandwidth to terminate our contracts, discontinue services to us, shut down operations or facilities, increase prices, change service levels, limit bandwidth, declare bankruptcy, breach their contracts with us, or prioritize the traffic of other parties; •the occurrence of earthquakes, floods, weather events, fires, power loss, system failures, physical or electronic break-ins, acts of war or terrorism (including the ongoing conflicts between Hamas and Israel and between Russia and Ukraine or potential consequence of geopolitical tensions in other areas of the world), human error or interference (including by disgruntled employees, former employees, or contractors), and other catastrophic events; •cyber attacks targeted at us, facilities where our network infrastructure is located, our global telecommunications service provider partners, or the infrastructure of the Internet; •errors, defects, or performance problems in the deployment, maintenance, and expansion of our network and products, including the software we use to operate our network and products and provide our related products to our customers; •our customers’ or partners’ improper deployment or configuration of our customers' access to our network and products; •the maintenance of the APIs in our systems that our partners use to interact with us; •the failure of our redundancy systems, in the event of a service disruption at one of the facilities hosting our network infrastructure, to redistribute load to other components of our network; and •the failure of our disaster recovery and business continuity arrangements. The occurrence of any of these factors, or our inability to efficiently and cost-effectively fix such errors or other problems that may be identified, could damage our reputation, negatively impact our relationship with our customers, or otherwise materially harm our business, results of operations, and financial condition.

Any interruption or delay in our customers’ or channel partners’ access to our network and products will negatively impact our customers. Our customers depend on the continuous availability of our network for the delivery and use of our products, and our products are designed to operate without interruption, including up to 100% uptime guarantee for our Business and Enterprise plans. If all or a portion of our network were to fail, our customers and partners could lose access to their internal network and/or the Internet as a whole until such disruption is resolved or they deploy disaster recovery options that allow them to bypass our network. The adverse effects of any network interruptions on our reputation and financial condition may be heightened due to the nature of our business and our customers’ expectation of continuous and uninterrupted Internet access and low tolerance for interruptions of any 39 39 39 Table of contents Table of contents duration. In addition, because some of our customers’ most critical applications are protected by our products and network and these customers may not be using other providers for similar services, the adverse effect of network disruptions to these customers could be particularly severe. The impact of an interruption in access to our network and products could also impact the ability to run our own business because we use a number of our products in the operation of our business. While we do not consider them to have been material, we have experienced, and may in the future experience, network disruptions and other performance problems due to a variety of factors. For example, in July 2019, we deployed an update to our web application firewall and certain aspects of the related software code resulted in excessive consumption of computing resources across our network, resulting in an outage on our network. In April 2020, our core co-location facility in the U.S. Pacific Northwest experienced an outage of approximately 4-1/2 hours as a result of an error that occurred during planned maintenance activities at that facility and, during the outage, our customers lost access to certain features included in our products. In addition, in July 2020, a configuration error in our backbone network caused increased latency and slowness for customers using our products in certain areas lasting approximately 30 minutes, and in June 2022, we suffered an outage of approximately 1-1/2 hours that affected traffic in 19 of our co-location facilities as a result of an internal change to the network configuration in those locations. The following factors, many of which are beyond our control, can affect the delivery, performance, and availability of our network and products: •the development, maintenance, and functioning of the infrastructure of the Internet as a whole; •the performance and availability of third-party telecommunications services with the necessary speed, data capacity, and security for providing reliable Internet access and services; •decisions by the owners and operators of the co-location and ISP-partner facilities where our network infrastructure is deployed or by global telecommunications service provider partners who provide us with network bandwidth to terminate our contracts, discontinue services to us, shut down operations or facilities, increase prices, change service levels, limit bandwidth, declare bankruptcy, breach their contracts with us, or prioritize the traffic of other parties; •the occurrence of earthquakes, floods, fires, power loss, system failures, physical or electronic break-ins, acts of war or terrorism (including the ongoing conflict between Russia and Ukraine or potential consequence of geopolitical tensions in other areas of the world), human error or interference (including by disgruntled employees, former employees, or contractors), and other catastrophic events; •cyber attacks targeted at us, facilities where our network infrastructure is located, our global telecommunications service provider partners, or the infrastructure of the Internet; •errors, defects, or performance problems in the software we use to operate our network and products and provide our related products to our customers; •our customers’ or channel partners’ improper deployment or configuration of our customers' access to our network and products; •the maintenance of the APIs in our systems that our partners use to interact with us; •the failure of our redundancy systems, in the event of a service disruption at one of the facilities hosting our network infrastructure, to redistribute load to other components of our network; and •the failure of our disaster recovery and business continuity arrangements. The occurrence of any of these factors, or our inability to efficiently and cost-effectively fix such errors or other problems that may be identified, could damage our reputation, negatively impact our relationship with our customers, or otherwise materially harm our business, results of operations, and financial condition.

The markets for our network and products are intensely competitive and characterized by rapid changes in technology, customer requirements, industry standards, and frequent introductions of new, and improvements of, existing products. Our broad portfolio of products exposes us to competition from a large number of competitors in a number of different markets, including companies and their product and services offerings in, among others, virtual private networks, internal and external firewalls, web security (including web application firewalls and content filtering), distributed denial-of-service (DDoS) prevention, intrusion detection and prevention, application delivery controls, content delivery networks, domain name systems, email security vendors, advanced threat prevention, and wide area network (WAN) technology. Our competitors provide both on-premises, appliance-based solutions, and cloud-based services that have functionality similar to our network and products. We expect competition to increase as other established and emerging companies and start-ups enter the markets for products and solutions for security, performance, and reliability, in particular with respect to cloud-based solutions, as customer requirements evolve and as new products, services, and technologies are introduced. If we are unable to anticipate or effectively react to these competitive challenges, our competitive position could weaken, and we could experience a decline in revenue or our growth rate that could materially and adversely affect our business and results of operations. Our potential competitors include large companies with substantial infrastructure, such as global telecommunications services provider partners and public cloud providers. These companies could choose to enter the markets for products and solutions for security, performance, and reliability, including by acquiring existing companies, developing their own internal solutions, or establishing cooperative relationships with businesses that may allow them to offer more comprehensive solutions or to offer solutions for lower prices or to adapt more quickly than us to new technologies and customer needs. As our business continues to grow and we increase our market share for various products and services, these larger companies may increase their focus on us as a competitor and the actions they undertake to compete with our business and products. Additionally, if an increasing portion of web content is housed on another company’s network or portions of the Internet are otherwise privatized, it could reduce the demand for our products and increase competitive pressure on us. These competitive pressures in our markets or our failure to compete effectively may result in price reductions, fewer subscriptions, reduced revenue and gross margin, increased net losses, and loss of market share. Our current competitors include a number of different types of companies, including: •on-premises network hardware vendors; •point solution vendors, which provide cloud-based products and services to address a single use case or challenge, in various categories including cloud security vendors, content delivery network (CDN) vendors, domain name system (DNS) services vendors, email security vendors, and cloud SD-WAN vendors; and •traditional public cloud vendors. Many of our existing and potential competitors have or could have substantial competitive advantages including, among others: 25 25 25 Table of contents Table of contents •greater name recognition; •longer operating histories; •larger customer bases; •larger sales and marketing budgets and capital resources; •broader distribution and established relationships with channel partners and customers; •greater customer support resources; •greater resources to make acquisitions and enter into strategic partnerships; •lower labor and research and development costs; •more mature products and services developed for large customers; •larger and more mature intellectual property rights portfolios; •control of significant technologies, standards, or networks, including operating systems, with which our products must interoperate; •higher or more difficult to obtain security certifications than we possess; and •substantially greater financial, technical, and other resources. In addition, some of our larger competitors have substantially broader and more diverse product and services offerings, which may allow them to leverage existing commercial relationships, incorporate functionality into existing products, sell products and services with which we compete at zero or negative margins, offer fee waivers and reductions or other economic and non-economic concessions, bundle products and solutions, maintain closed technology platforms, or render our products unable to interoperate with such platforms. If they were to engage in predatory competitive practices, it could harm our existing product offerings or prevent us from creating viable products in other segments of the markets in which we participate. If our competitors are able to exploit their advantages or are able to persuade our customers or potential customers that their products are superior to ours, we may not be able to compete effectively and our business, financial condition, and results of operations may be materially affected.

The markets for our network and products are intensely competitive and characterized by rapid changes in technology, customer requirements, industry standards, and frequent introductions of new, and improvements of, existing products. Our broad portfolio of products exposes us to competition from a large number of competitors in a number of different markets, including companies and their product and services offerings in, among others, virtual private networks, internal and external firewalls, web security (including web application firewalls and content filtering), distributed denial of service prevention, intrusion detection and prevention, application delivery controls, content delivery networks, domain name systems, email security vendors, advanced threat prevention, and wide area network (WAN) technology. Our competitors provide both on-premises, appliance-based solutions, and cloud-based services that have functionality similar to our network and products. We expect competition to increase as other established and emerging companies and start-ups enter the markets for products and solutions for security, performance, and reliability, in particular with respect to cloud-based solutions, as customer requirements evolve and as new products, services, and technologies are introduced. If we are unable to anticipate or effectively react to these competitive challenges, our competitive position could weaken, and we could experience a decline in revenue or our growth rate that could materially and adversely affect our business and results of operations. Our potential competitors include large companies with substantial infrastructure, such as global telecommunications services provider partners and public cloud providers. These companies could choose to enter the markets for products and solutions for security, performance, and reliability, including by acquiring existing 24 24 24 Table of contents Table of contents companies, developing their own internal solutions, or establishing cooperative relationships with businesses that may allow them to offer more comprehensive solutions or to offer solutions for lower prices or to adapt more quickly than us to new technologies and customer needs. As our business continues to grow and we increase our market share for various products and services, these larger companies may increase their focus on us as a competitor and the actions they undertake to compete with our business and products. Additionally, if an increasing portion of web content is housed on another company’s network or portions of the Internet are otherwise privatized, it could reduce the demand for our products and increase competitive pressure on us. These competitive pressures in our markets or our failure to compete effectively may result in price reductions, fewer subscriptions, reduced revenue and gross margin, increased net losses, and loss of market share. Our current competitors include a number of different types of companies, including: •on-premises network hardware vendors (such as Cisco Systems Inc., F5 Networks, Inc., Check Point Software Technologies Ltd., FireEye, Inc., Imperva, Inc., Palo Alto Networks, Inc., Fortinet, Inc., Juniper Networks, Inc., Riverbed Technology, Inc., and Broadcom Inc.); •point solution vendors, which provide cloud-based products and services to address a single use case or challenge, in various categories including cloud security vendors (such as Zscaler, Inc., Cisco Systems Inc. through Umbrella, and Menlo Security, Inc.), content delivery network (CDN) vendors (such as Akamai Technologies, Inc., Fastly, Inc., and Edgio, Inc.), domain name system (DNS) services vendors (such as Oracle Corporation through DYN and Neustar Security Services), email security vendors (such as Mimecast Limited and Proofpoint, Inc.), and cloud SD-WAN vendors; and •traditional public cloud vendors (such as Amazon.com, Inc. through Amazon Web Services, Alphabet Inc. through Google Cloud Platform, Microsoft Corporation through Azure, and Alibaba Group Holding Limited through Alibaba Cloud). Many of our existing and potential competitors have or could have substantial competitive advantages including, among others: •greater name recognition; •longer operating histories; •larger customer bases; •larger sales and marketing budgets and capital resources; •broader distribution and established relationships with channel partners and customers; •greater customer support resources; •greater resources to make acquisitions and enter into strategic partnerships; •lower labor and research and development costs; •more mature products and services developed for large customers; •larger and more mature intellectual property rights portfolios; •control of significant technologies, standards, or networks, including operating systems, with which our products must interoperate; •higher or more difficult to obtain security certifications than we possess; and •substantially greater financial, technical, and other resources. In particular, some of our larger competitors have substantially broader and more diverse product and services offerings, which may allow them to leverage existing commercial relationships, incorporate functionality into existing products, sell products and services with which we compete at zero or negative margins, offer fee waivers and reductions or other economic and non-economic concessions, bundle products and solutions, maintain closed technology platforms, or render our products unable to interoperate with such platforms. If they were to engage in predatory practices, it could harm our existing product offerings or prevent us from creating viable products in other segments of the markets in which we participate. If our competitors are able to exploit their advantages or are able to persuade our customers or potential customers that their products are superior to ours, we may not be able to compete effectively and our business, financial condition, and results of operations may be materially affected. 25 25 25 Table of contents Table of contents

Under the 1940 Act, a company generally will be deemed to be an “investment company” if (1) it is, or holds itself out as being, engaged primarily, or proposes to engage primarily, in the business of investing, reinvesting or trading in securities or (2) it engages, or proposes to engage, in the business of investing, reinvesting, owning, holding or trading in securities and it owns or proposes to acquire investment securities having a value exceeding 40% of the value of its total assets (exclusive of U.S. government securities and cash items) on an unconsolidated basis. We do not believe that we are an “investment company” under the 1940 Act. We have historically qualified for an exemption from registration under the 1940 Act for “research and development companies” as defined in Rule 3a-8 promulgated under the 1940 Act. To provide clarity on our investment company status in the longer term, we applied for and, in April 2023, received an order from the SEC stating that we are primarily engaged in a business other than that of investing, reinvesting, owning, holding or trading in securities, and therefore not an investment company, subject to compliance with certain conditions. Notwithstanding the exemptive order, we believe that we have never been an investment company because, among other reasons, we are primarily engaged in the business of a global cloud services provider. We intend to operate our business as described in the exemptive order; however, it is possible that our business will change in the future. If the SEC were to find that the circumstances that gave rise to the issuance of the exemptive order no longer exist, the SEC may revoke the exemptive order. If the exemptive order were revoked or we are unable otherwise to rely on the exemptive order or another applicable exemption, we may be required to institute burdensome requirements to comply with the 1940 Act, which may restrict our activities in a way that could adversely affect our business, results of operations, and financial condition.

Under the 1940 Act, a company generally will be deemed to be an “investment company” if (1) it is, or holds itself out as being, engaged primarily, or proposes to engage primarily, in the business of investing, reinvesting or trading in securities or (2) it engages, or proposes to engage, in the business of investing, reinvesting, owning, holding or trading in securities and it owns or proposes to acquire investment securities having a value exceeding 40% of the value of its total assets (exclusive of U.S. government securities and cash items) on an unconsolidated basis. We do not believe that we are an “investment company” under the 1940 Act. We have historically qualified for an exemption from registration under the 1940 Act for “research and development companies” as defined in Rule 3a-8 promulgated under the 1940 Act. We intend to conduct our operations so that we will not be deemed an investment company. However, if we were to be deemed an investment company or no longer qualified for the “research and development companies” exemption, we may need to alter certain of our investments and such new investments may result in lower returns that could have a material adverse effect on our business, financial condition and results of operations.

If the conditional conversion feature of the 2026 Notes is triggered, holders of the 2026 Notes are entitled to convert their 2026 Notes at any time during specified periods at their option. If one or more holders elect to convert their 2026 Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our Class A common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. In addition, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the 2026 Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital.

If the conditional conversion feature of either series of Notes is triggered, holders of the applicable series are entitled to convert their Notes at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our Class A common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. During the fourth quarter of 2021, the 2025 Notes were convertible at the option of the holder, and we received conversion requests from the holders of approximately $16.6 million in aggregate principal amount of the 2025 Notes, which we satisfied during the first quarter of 2022 through a combination of cash and shares of our Class A common stock. In addition, even if holders do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital.

The Hamas-Israel and Russia-Ukraine conflicts, or other areas of geopolitical tension around the world, or any worsening or expansion of those conflicts or geopolitical tensions, and any related challenging macroeconomic 20 20 20 Table of contents Table of contents conditions globally, could decrease the spending of our existing and potential new customers, adversely affect demand for our products, cause one or more of our customers, vendors, and partners to file for bankruptcy protection or go out of business, cause one or more of our customers to fail to renew, terminate, or seek to renegotiate their contracts with us, affect the ability of our sales team to travel to potential customers, impact expected spending from existing and potential new customers, and negatively impact collections of accounts receivable, all of which could adversely affect our business, results of operations, and financial condition. Any of the negative impacts of the Hamas-Israel and Russia-Ukraine conflicts, other areas of geopolitical tension around the world, or any worsening of those conflicts or geopolitical tensions, and any related challenging macroeconomic conditions, may have a material adverse effect on our business and operations, results of operations, financial condition, and cash flows. Any of these negative impacts, alone or in combination with others, also could exacerbate many of the other risk factors discussed in this Part I, Item 1A “Risk Factors” of this Annual Report on Form 10-K, including volatility in the trading prices of our Class A common stock. The full extent to which these factors will negatively affect our business and operations, results of operations, financial condition, and cash flows will depend on future developments that are highly uncertain and cannot be predicted, including the scope, severity, and duration of the Hamas-Israel and Russia-Ukraine conflicts, other areas of geopolitical tension around the world, and any economic downturns and the actions taken by governmental authorities and other third parties in response.

The Russia-Ukraine conflict, or other areas of geopolitical tension around the world, or any worsening of that conflict or geopolitical tensions, and the related challenging macroeconomic conditions globally, could decrease the spending of our existing and potential new customers, adversely affect demand for our products, cause one or more of our customers, vendors, and partners to file for bankruptcy protection or go out of business, cause one or more of our customers to fail to renew, terminate, or seek to renegotiate their contracts with us, affect the ability of our sales team to travel to potential customers, impact expected spending from existing and potential new customers, and negatively impact collections of accounts receivable, all of which could adversely affect our business, results of operations, and financial condition. Further, the sales cycle for new customers of our technology and services could lengthen in the future as a result of the pandemic, geopolitical tensions, and related challenging macroeconomic conditions, resulting in a potentially longer delay between increasing operating expenses and the generation of corresponding revenue, if any. For example, during the first half of 2022, potentially as a result of these various macroeconomic impacts on our customers, we experienced a lengthening of the sales cycle for our large customers, a slowdown in our pipeline of potential new customers, and a lengthening of the timing of payment from some of our customers. During the third and fourth quarters of 2022, our sales cycle continued to lengthen. We may also experience increases in new and existing customers requesting concessions in terms of payment amounts and/or timing and earlier or additional termination rights in the future as the challenging macroeconomic conditions continue or worsen. Any of the negative impacts of the Russia-Ukraine conflict, other areas of geopolitical tension around the world, or any worsening of that conflict or geopolitical tensions, and the related challenging macroeconomic conditions, including, among others, those described above, alone or in combination with others, may have a material adverse effect on our business and operations, results of operations, financial condition, and cash flows. Any of these negative impacts, alone or in combination with others, also could exacerbate many of the other risk factors discussed in this Part I, Item 1A “Risk Factors” of this Annual Report on Form 10-K, including volatility in the trading prices of our Class A common stock. The full extent to which these factors will negatively affect our business and operations, results of operations, financial condition, and cash flows will depend on future developments that are highly uncertain and cannot be predicted, including the scope, severity, and duration of the Russia-Ukraine conflict, other areas of geopolitical tension around the world, and any economic downturns and the actions taken by governmental authorities and other third parties in response.

Our operations and financial performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on products and solutions for network security, performance, and reliability. Our business depends on the overall demand for these products and on the economic health and general willingness of our current and prospective customers to purchase our products. The United States, Europe, and the United Kingdom have recently experienced historically high levels of inflation. Although inflation levels have begun to decrease in the United States, the United Kingdom, and Eurozone, the U.S. Federal Reserve, the European Central Bank, and the Bank of England have raised, and may continue to raise or maintain, high interest rates and may implement fiscal policy interventions. Even if these interventions lower inflation, they may also reduce economic growth rates, create a recession, and result in other similar or unexpected effects. For example, the decrease in values of government-issued securities resulting from higher interest rates may have played a significant role in the failures of Silicon Valley Bank and Signature Bank during the first quarter of 2023, the circumstances resulting in the UBS takeover of Credit Suisse during the second quarter of 2023, and generalized uncertainty confronting a number of other financial institutions. Downturns in economic conditions — including inflation, rising interest rates, reductions in business confidence and activity, the curtailment of government or corporate spending, volatile financial markets, the actual or perceived failure or financial difficulties of additional financial institutions, ongoing supply chain disruptions, and reduced demand for products and services across a variety of industries — have in the past and may in the future affect our business and our current and prospective customers and their industries adversely. For example, during an economic downturn, our current and prospective customers may suffer from reduced operating budgets. Some of our paying customers may view a subscription to our products as a discretionary purchase and may reduce their discretionary spending on our products or reduce or cut their budget to otherwise expand their subscriptions to our products. Moreover, our competitors may respond to market conditions by lowering prices and attempting to lure away our customers. Further, the sales cycle for new customers of our technology and services could lengthen in the future as a result of challenging macroeconomic conditions, resulting in a potentially longer delay between increasing operating expenses and the generation of corresponding revenue, if any. For example, potentially as a result of these various macroeconomic impacts on our customers, since the first half of 2022, we periodically have experienced lengthening of the average sales cycles for certain types of customers and sales, slowdowns in our pipeline of potential new customers and in the rate of converting sales pipeline opportunities into new sales, increases in average days sales outstanding, higher levels of churn in our paying customer base (which is when any of our paying customers cease to be a paying customer for any reason, including any pay-as-you-go customer converting to a free subscription plan), and lengthening of the timing of payment from some of our customers, all of which may have contributed to a slowdown in our revenue growth over that period (including with respect to new customers). We may also experience increases in new and existing customers requesting concessions in terms of payment amounts and/or timing and earlier or additional termination rights in the future as the challenging macroeconomic conditions continue or worsen. We continue to monitor economic conditions to assess possible implications to our business and to take appropriate actions in an effort to mitigate the adverse consequences of uncertainty or negative trends. However, there can be no assurances that initiatives we undertake will be sufficient or successful. If there is an economic downturn that affects our current and prospective customers, or if we are unable to address and mitigate the risks associated with any of the foregoing, our business, results of operations and financial condition could be adversely affected.

Our operations and financial performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on products and solutions for network security, performance, and reliability. Our business depends on the overall demand for these products and on the economic health and general willingness of our current and prospective customers to purchase our products. The United States, Europe, and the United Kingdom have recently experienced historically high levels of inflation. According to the U.S. Department of Labor, the annual inflation rate for the United States was approximately 6.5% as of December 2022. During the same period, the annual inflation rate in the Eurozone was approximately 9% and in the United Kingdom was over 10%. In response to high levels of inflation and recession fears, the U.S. Federal Reserve, the European Central Bank, and the Bank of England have raised, and may continue to raise, interest rates and implement fiscal policy interventions. Even if these interventions lower inflation, they may also reduce economic growth rates, create a recession, and other similar effects. A further downturn in economic conditions, including inflation, rising interest rates, a reduction in business confidence and activity, the curtailment of government or corporate spending, volatile financial markets, ongoing supply chain disruptions, reduced demand for products and services across a variety of industries, and the impacts of the Russia-Ukraine conflict, other areas of geopolitical tension around the world, or any worsening of that conflict or escalating geopolitical tensions, and other geopolitical developments and uncertainty have in the past and may in the future affect our business and our 19 19 19 Table of contents Table of contents current and prospective customers and their industries adversely. For example, during an economic downturn, our customers may suffer from reduced operating budgets. Some of our paying customers may view a subscription to our products as a discretionary purchase and may reduce their discretionary spending on our products. Moreover, our competitors may respond to market conditions by lowering prices and attempting to lure away our customers. Weak economic conditions, including a reduction in spending on products and solutions for security, performance, and reliability, could reduce sales, lengthen sales cycles, increase churn, and lower demand for our products, any of which could adversely affect our business, results of operations, and financial condition. We continue to monitor the ongoing economic and geopolitical conditions to assess possible implications to our business and to take appropriate actions in an effort to mitigate the adverse consequences of uncertainty or negative trends. However, there can be no assurances that initiatives we undertake will be sufficient or successful. If there is an economic downturn or adverse geopolitical developments that affect our current and prospective customers, or if we are unable to address and mitigate the risks associated with any of the foregoing, our business, results of operations and financial condition could be adversely affected.

Holders of the 2026 Notes have the right to require us to repurchase their 2026 Notes upon the occurrence of a fundamental change (which is defined in the 2026 Indenture) at a repurchase price equal to 100% of the principal amount of such 2026 Notes to be repurchased, plus accrued and unpaid interest, if any, to, but excluding, the fundamental change repurchase date for such series of 2026 Notes. In addition, upon conversion of the 2026 Notes, unless we elect to deliver solely shares of our Class A common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the 2026 Notes being converted. However, we may not have enough available cash or be able to obtain financing at the time we are required to make repurchases of the 2026 Notes surrendered or 2026 Notes being converted. In addition, our ability to repurchase the 2026 Notes or to pay cash upon conversions of the 2026 Notes may be limited by law, by regulatory authority or by agreements governing our future indebtedness. Our failure to repurchase the 2026 Notes at a time when the repurchase is required by the 2026 Indenture or to pay any cash payable on future conversions of the 2026 Notes as required by the 2026 Indenture would constitute a default. A default under the 2026 Indenture or the occurrence of a fundamental change under the 2026 Notes could also lead to a default under agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the 2026 Notes or make cash payments upon conversions thereof in accordance with 65 65 65 Table of contents Table of contents the terms of the 2026 Indenture. Any failure by us to repay the indebtedness and repurchase the 2026 Notes or make cash payments upon conversions thereof, in each case, when required to do so pursuant to the terms of the 2026 Indenture could harm our business, results of operations, and financial condition.

Holders of the Notes have the right to require us to repurchase their Notes of the applicable series upon the occurrence of a fundamental change (which is defined in the applicable Indenture) at a repurchase price equal to 100% of the principal amount of such Notes to be repurchased, plus accrued and unpaid interest, if any, to, but excluding, the fundamental change repurchase date for such series of Notes. In addition, upon conversion of the Notes, unless we elect to deliver solely shares of our Class A common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the Notes being converted. However, we may not have enough available cash or be able to obtain financing at the time we are required to make repurchases of Notes surrendered therefore or Notes being converted. In addition, our ability to repurchase the Notes or to pay cash upon conversions of the Notes may be limited by law, by regulatory authority or by agreements governing our future indebtedness. Our failure to repurchase the Notes of a series at a time when the repurchase is required by the applicable Indenture or to pay any cash payable on future conversions of the Notes of such series as required by such Indenture would constitute a default under such Indenture. A default under either Indenture or the occurrence of a fundamental change under either series of Notes could also lead to a default under agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Notes or make cash payments upon conversions thereof in accordance with the terms of the applicable Indenture. Any failure by us to repay the indebtedness and repurchase the Notes or make cash payments upon conversions thereof, in each case, when required to do so pursuant to the terms of the applicable Indenture could harm our business, results of operations, and financial condition.