ServiceNow Inc.: 10-K Risk Factor Changes

Natural disasters or other catastrophic events may damage or disrupt our operations, international commerce and the global economy, and thus could have a negative effect on our business. Our business operations are subject to interruption by natural disasters, flooding, fire, extreme heat, power shortages, pandemics such as COVID-19, terrorism, political unrest, telecommunications failure, vandalism, cyberattacks, geopolitical instability, war, the effects of climate change and other events beyond our control. While we maintain crisis management and disaster response plans, such planning may not account for all possible events and the occurrence of such events could make it difficult or impossible for us to deliver our services to our customers, could decrease demand for our services, and could cause us to incur substantial expense. Our insurance may not be sufficient to cover losses or additional expenses we may sustain. Although we have backup systems in place, in the event of major natural disasters or catastrophic events, customer data could be lost, and resumption of operations could require significant time. We may be subject to increased costs, regulations, reporting requirements, standards or expectations regarding climate change-driven impacts on our business. While we seek to mitigate our business risks associated with climate change by establishing robust environmental programs as part of our ESG strategy and partnering with organizations that are focused on mitigating their own climate-related risks, certain of those risks are inherent wherever business is conducted. Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our California headquarters have experienced, and may continue to experience, climate-related events at an increasing frequency and severity, including drought, water scarcity, heat waves, wildfires and air quality impacts and power shutoffs associated with wildfires. Changing market dynamics, global policy developments and increasing frequency and impact of extreme weather events on critical infrastructure in the U.S. and elsewhere have the potential to disrupt our business, the business of our customers and third-party suppliers and may cause us to experience higher attrition, losses and additional costs to maintain or resume operations.

Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could have a negative effect on us. Our business operations are subject to interruption by natural disasters, flooding, fire, extreme heat, power shortages, pandemics such as COVID-19, terrorism, political unrest, telecommunications failure, vandalism, cyberattacks, geopolitical instability, war, the effects of climate change and other events beyond our control. Although we maintain crisis management and disaster response plans, such events could make it difficult or impossible for us to deliver our services to our customers, could decrease demand for our services, and could cause us to incur substantial expense. Our insurance may not be sufficient to cover losses or additional expenses we may sustain. The majority of our research and development activities, offices, IT systems, and other critical business operations are located near major seismic faults in California and Washington. Customer data could be lost, resumption of operations could require significant time and our financial condition and operating results could be adversely affected in the event of a major natural disaster or catastrophic event. In addition, the impacts of climate change on the global economy and our industry are rapidly evolving. We may be subject to increased costs, regulations, reporting requirements, standards or expectations regarding the environmental impacts of our business. While we seek to mitigate our business risks associated with climate change by establishing robust environmental programs as part of our ESG strategy and partnering with organizations who are focused on mitigating their own climate-related risks, certain of those risks are inherent wherever business is conducted. Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our California headquarters have experienced, and may continue to experience, climate-related events at an increasing frequency and severity, including drought, water scarcity, heat waves, wildfires and air quality impacts and power shutoffs associated with wildfires. Changing market dynamics, global policy developments and increasing frequency and impact of extreme weather events on critical infrastructure in the U.S. and elsewhere have the potential to disrupt our business, the business of our customers and third-party suppliers and may cause us to experience higher attrition, losses and additional costs to maintain or resume operations. 18 18 18 Table of Contents Table of Contents

Our ability to make payments on, repay or refinance the 2030 Notes in the future will depend on our future performance which is subject to a variety of risks and uncertainties, many of which are beyond our control. If we decide to refinance the 2030 Notes, we may be required to do so on different or less favorable terms or we may be unable to refinance the 2030 Notes at all, both of which may adversely affect our financial condition. Maintenance of our indebtedness, contractual restrictions, and additional issuances of indebtedness could: •cause us to dedicate a substantial portion of our cash flows towards debt service obligations and principal repayments; •increase our vulnerability to adverse changes in general economic, industry and competitive conditions; •limit our flexibility in planning for, or reacting to, changes in our business and our industry; •impair our ability to obtain future financing for working capital, capital expenditures, acquisitions, general corporate or other purposes; and •due to limitations within the debt instruments, restrict our ability to grant liens on property, enter into certain mergers, dispose of all or substantially all of our or our subsidiaries’ assets, taken as a whole, materially change our business or incur subsidiary indebtedness, subject to customary exceptions. We are required to comply with the covenants set forth in the indentures governing the 2030 Notes. Our ability to comply with these covenants may be affected by events beyond our control. If we breach any of the covenants and do not obtain a waiver from the note holders or lenders, then, subject to applicable cure periods, any outstanding indebtedness may be declared immediately due and payable. In addition, changes by any rating agency to our credit rating may negatively impact the value and liquidity of our securities. Downgrades in our credit ratings could restrict our ability to obtain additional financing in the future and could affect the terms of any such financing. 24 24 24 Table of Contents Table of Contents

As of December 31, 2022, we have $1.5 billion aggregate principal amount of the 2030 Notes payable outstanding due on September 1, 2030, as described in Note 11 in the notes to our consolidated financial statements included elsewhere in this Annual Report on Form 10-K. Our ability to make payments on, repay or refinance the 2030 Notes in the future will depend on our future performance which is subject to a variety of risks and uncertainties, many of which are beyond our control. If we decide to refinance the 2030 Notes, we may be required to do so on different or less favorable terms or we may be unable to refinance the 2030 Notes at all, both of which may adversely affect our financial condition. Maintenance of our indebtedness, contractual restrictions, and additional issuances of indebtedness could: •cause us to dedicate a substantial portion of our cash flows from operations towards debt service obligations and principal repayments; •increase our vulnerability to adverse changes in general economic, industry and competitive conditions; 24 24 24 Table of Contents Table of Contents •limit our flexibility in planning for, or reacting to, changes in our business and our industry; •impair our ability to obtain future financing for working capital, capital expenditures, acquisitions, general corporate or other purposes; and •due to limitations within the debt instruments, restrict our ability to grant liens on property, enter into certain mergers, dispose of all or substantially all of our or our subsidiaries’ assets, taken as a whole, materially change our business or incur subsidiary indebtedness, subject to customary exceptions. We are required to comply with the covenants set forth in the indentures governing the 2030 Notes. Our ability to comply with these covenants may be affected by events beyond our control. If we breach any of the covenants and do not obtain a waiver from the note holders or lenders, then, subject to applicable cure periods, any outstanding indebtedness may be declared immediately due and payable. In addition, changes by any rating agency to our credit rating may negatively impact the value and liquidity of our securities. Downgrades in our credit ratings could restrict our ability to obtain additional financing in the future and could affect the terms of any such financing.

We generally recognize revenues from customers ratably over the terms of their subscriptions. Net new annual contract value from new subscriptions and expansion contracts entered into during a period can generally be expected to generate revenues for the duration of the subscription term. As a result, a significant portion of the revenues we report in each period are derived from the recognition of deferred revenues relating to subscriptions entered into during previous periods. Consequently, a decrease in new or renewed subscriptions, expansion contracts in any single reporting period will have a limited impact on our revenues for that period, but they will negatively affect our operating results in future periods. Our subscription model also makes it difficult for us to rapidly increase our revenues through additional sales in any period, as revenues from new customers are generally recognized over the applicable subscription term. Also, our ability to adjust our cost structure in the event of a decrease in new or renewed subscriptions may be limited.

We generally recognize revenues from customers ratably over the terms of their subscriptions. Net new annual contract value from new subscriptions and expansion contracts entered into during a period can generally be expected to generate revenues for the duration of the subscription term. As a result, a significant portion of the revenues we report in each period are 23 23 23 Table of Contents Table of Contents derived from the recognition of deferred revenues relating to subscriptions entered into during previous periods. Consequently, a decrease in new or renewed subscriptions in any single reporting period will have a limited impact on our revenues for that period. Also, our ability to adjust our cost structure in the event of a decrease in new or renewed subscriptions may be limited. A decline in new subscriptions, expansion contracts, renewals or sales and market acceptance of our services, in a given period may not be fully reflected in our operating results for that period, but they will negatively affect our operating results in future periods. Our subscription model also makes it difficult for us to rapidly increase our revenues through additional sales in any period, as revenues from new customers are generally recognized over the applicable subscription term.

Sales outside of North America represented 36% and 35% of our total revenues for the years ended December 31, 2023 and 2022, respectively. The growth of our business and future prospects depend on our ability to increase our sales outside of the U.S. as a percentage of our total revenues. Additionally, operating in international markets requires significant investment and management attention and subjects us to varying regulatory, political and economic risks. We 15 15 15 Table of Contents Table of Contents have made, and will continue to make, substantial investments in data centers, geographic-specific service delivery models, advisory councils, cloud computing infrastructure, sales, marketing, partnership arrangements, personnel and facilities in new geographic markets. When we make these investments, it is typically unclear when we will see a return on our investment, and we may significantly underestimate the level of investment and time required to be successful. Our rate of acquisition of new large enterprise customers, a factor affecting our growth, has been generally lower in territories where we are less established and where there may be heightened or evolving regulations and operational and IP risks. We have experienced, and may continue to experience, difficulties in new geographic markets, including hiring qualified sales management personnel, penetrating the target market, and managing local operations. Risks associated with making our products and services available in international markets include, for example: •compliance with multiple, conflicting and changing governmental laws and regulations; •requirements to have local partner(s), local entity ownership limitations or technology transfer or sharing requirements, or to comply with data residency and transfer laws and regulations, privacy and data protection laws and regulations, which may increase operational costs and restrictions; •the possibility that illegal or unethical activities of our local employees or business partners will be attributed to us or cause us harm; •longer and potentially more complex sales and accounts receivable payment cycles and other collection difficulties; •different pricing and distribution environments; •potential changes in international trade policies, tariffs, agreements and practices, including the adoption and expansion of formal or informal trade restrictions or regulatory frameworks that may favor local competitors; •governmental direction, business practices and/or cultural norms that may favor local competitors; •more prevalent cybersecurity and intellectual property risks; and •localization of our services, including translation into foreign languages and associated expenses. If we are unable to manage these risks, our revenue growth rate, business and operating results will be adversely affected.

Sales outside of North America represented 35% and 36% of our total revenues for the years ended December 31, 2022 and 2021, respectively. The growth of our business and future prospects depend on our ability to increase our sales outside the U.S. as a percentage of our total revenues. Additionally, operating in international markets requires significant investment and management attention and subjects us to different regulatory, political and economic risks from those in the U.S. We have made, and will continue to make, substantial investments in data centers, geographic specific service delivery models, advisory councils, cloud computing infrastructure, sales, marketing, partnership arrangements, personnel and facilities as we enter and expand in new geographic markets. When we make these investments, it is typically unclear whether, and when, sales in the new market will justify our investments. We may significantly underestimate the level of investment and time required to be successful. Our rate of acquisition of new large enterprise customers, a factor affecting our growth, has been generally lower in territories where we are less established and where there may be increased or changing regulations and operational and IP risks, as compared to our more established locations. We have experienced, and may continue to experience, difficulties in some of our investments in geographic expansion, including hiring qualified sales management personnel, penetrating the target market, and managing foreign operations in such locales. Risks inherent with making our products and services available in international markets include, for example: •compliance with multiple, conflicting and changing governmental laws and regulations, including with respect to employment, tax, competition, COVID-19 and ESG matters; •requirements to have local partner(s), local entity ownership limitations or technology transfer or sharing requirements, or to comply with data residency and transfer laws and regulations, privacy and data protection laws and regulations, which may increase operational costs and restrictions; •the risk that illegal or unethical activities of our local employees or business partners will be attributed to or result in liability to us or damage our reputation; •longer and potentially more complex sales and accounts receivable payment cycles and other collection difficulties; •different pricing and distribution environments; •potential changes in international trade policies, tariffs, agreements and practices, including the adoption and expansion of formal or informal trade restrictions or regulatory frameworks favoring local competitors; •local governmental direction, business practices and/or cultural norms that may favor local competitors; •cybersecurity and intellectual property risks that are more prevalent in jurisdictions in which we have historically chosen not to operate; and •localization of our services, including translation into foreign languages and associated expenses. If we are unable to manage these risks, if our required investments in these international markets are greater than anticipated, or if we are unsuccessful in increasing sales in emerging markets, our revenue growth rate, business and operating results will be adversely affected.

We have acquired and invested in companies and technologies as part of our business strategy and will continue to evaluate and enter into potential strategic transactions, including acquisitions of or investments in businesses, technologies, services, products and other assets, to expand or improve our service offerings and functionality, go-to-market and sales efforts, our operations or our ability to source necessary expertise and provide services in international locations. Although we conduct reasonably extensive due diligence regarding these businesses and assets, our efforts may not reveal every material issue. Strategic transactions involve numerous risks, including: •difficulties assimilating or integrating the businesses, technologies, products, personnel or operations of the acquired companies; •failing to achieve the expected benefits of the acquisition or investment; •potential loss of employees of the acquired company; •inability to maintain relationships with customers, suppliers and partners of the acquired business; •potential adverse tax consequences; •disruption to our business and diversion of management attention and other resources; •potential financial, credit or regulatory risks associated with acquired customers, suppliers and partners of the acquired business; •dependence on acquired technologies or licenses for which alternatives may not be available to us or which may involve significant cost or complexity; •in the case of foreign acquisitions, the challenges associated with integrating operations across different cultures, languages, and legal regimes and any currency and regulatory risks associated with specific countries; •introducing increased complexity and burden to maintain the technology platform; •introducing vulnerabilities or threats by integrating acquired technologies or businesses; •data security or privacy risks, compliance requirements, or integration costs from the acquired technology or company; •impairment of our investments or the possibility our investees will be unable to obtain future funding on favorable terms or at all; and •potential unknown liabilities or disputes associated with the acquired businesses. In addition, the amount or form of consideration we pay for acquisitions could adversely affect our financial condition or stock price. For example, if we finance an acquisition by issuing equity or convertible debt securities or loans, our existing shareholders may be diluted, or we could face constraints related to the terms of those securities or indebtedness. The occurrence of any of these risks could harm our business, operating results and financial condition.

We have acquired or invested in companies and technologies as part of our business strategy and will continue to evaluate and execute potential strategic transactions, including acquisitions of or investments in businesses, technologies, services, products and other assets. We have and will continue to enter into strategic transactions or relationships with other businesses to expand our service offerings, go-to-market and sales efforts, functionality or our ability to provide services in international locations. Although we conduct reasonably extensive due diligence of these businesses, our efforts may not reveal every material issue. Strategic transactions involve numerous risks, including: •difficulties assimilating or integrating the businesses, technologies, products, personnel or operations of the acquired companies; •failing to achieve the expected benefits of the acquisition or investment; •potential loss of key employees of the acquired company; •inability to maintain relationships with customers and partners of the acquired business; •potential adverse tax consequences; •disruption to our business and diversion of management attention and other resources; •potential financial and credit risks associated with acquired customers; •dependence on acquired technologies or licenses for which alternatives may not be available to us without significant cost or complexity; •in the case of foreign acquisitions, the challenges associated with integrating operations across different cultures and languages and any currency and regulatory risks associated with specific countries; •introducing increased complexity and burden to maintain the technology platform or introducing vulnerabilities or threats by integrating acquired technologies; •increased data security or privacy compliance requirements from integrating the acquired technology or company; •impairment to our investments if our investees are unable to obtain future funding on favorable terms or at all; and •potential unknown liabilities associated with the acquired businesses. In addition, we may pay cash, incur debt or issue equity or equity-linked securities to pay for acquisitions, any of which could adversely affect our financial condition or stock price. Furthermore, if we finance acquisitions by issuing equity, convertible or other debt securities or loans, our existing shareholders may be diluted, or we could face constraints related to the terms of and repayment obligation related to the incurrence of indebtedness that could affect our stock price. The occurrence of any of these risks could harm our business, operating results and financial condition.

•Because we generally recognize revenues from our subscription service over the subscription term, a decrease in new subscriptions or renewals may not be immediately reflected in our operating results. •As our business grows, we expect our revenue growth rate to decline over the long term. •Changes in our effective tax rate or disallowance of our tax positions may adversely affect our financial position and results. •Our debt service obligations may adversely affect our financial condition.

•Our operating results may vary significantly from period to period, and if we fail to meet the financial performance expectations of investors or securities analysts, the price of our common stock could decline substantially. •Because we generally recognize revenues from our subscription service over the subscription term, a decrease in new subscriptions or renewals during a reporting period may not be immediately reflected in our operating results for that period. •As our business grows, we expect our revenue growth rate to decline over the long term. •Changes in our effective tax rate or disallowance of our tax positions may adversely affect our financial position and results. •Our debt service obligations may adversely affect our financial condition and cash flows from operations.

Our stock price is likely to continue to be volatile and subject to wide fluctuations. In addition, technology companies in general have highly volatile stock prices, and the volatility in stock price and trading volume of securities is often unrelated or disproportionate to the financial performance of the companies issuing the securities. Factors affecting our stock price, some of which are beyond our control, include, among other factors: •changes in the estimates of our operating results, revenue growth, or changes in recommendations by securities analysts; •changes in the average contract term of our customer agreements, timing of renewals and renewal rates; •our ability to meet our financial guidance or financial performance expectations of the securities analysts or investors; •announcements of new products, services or technologies, new applications or enhancements to services, strategic alliances, acquisitions, or other significant events by us or by our competitors; •fluctuations in company valuations, such as high-growth or cloud companies, perceived to be comparable to us; 25 25 25 Table of Contents Table of Contents •changes to our management team; •trading activity by directors, executive officers and significant shareholders, or the market’s perception that large shareholders intend to sell their shares; •the inclusion, exclusion, or removal of our stock from any major trading indices; •the size of our market float; •the trading volume of our common stock, including sales following the exercise of outstanding options or vesting of equity awards; •changes in laws or regulations impacting the delivery of our services; •significant litigation or regulatory actions; •the amount and timing of customer payments, payment defaults, operating costs and capital expenditures •the amount and timing of equity awards and the related financial statement expenses; •the impact of new accounting pronouncements; •the inability to conclude that our internal controls over financial reporting are effective; •our ability to accurately estimate the total addressable market for our products and services; and •overall performance of the equity markets. Following periods of volatility in the market price of a company’s securities, securities class action litigation has often been brought against that company. Securities litigation could result in substantial costs and divert management’s attention and resources from our business. This could materially adversely affect our business, operating results, and financial condition.

Our stock price is likely to continue to be volatile and subject to wide fluctuations. In addition, technology companies in general have highly volatile stock prices, and the volatility in stock price and trading volume of securities is often unrelated or disproportionate to the financial performance of the companies issuing the securities. Factors affecting our stock price, some of which are beyond our control, include: •changes in the estimates of our operating results, revenue growth, or changes in recommendations by securities analysts; •announcements of new products, services or technologies, new applications or enhancements to services, strategic alliances, acquisitions, or other significant events by us or by our competitors; •fluctuations in company valuations, such as high-growth or cloud companies, perceived to be comparable to us; •changes to our management team; •trading activity by directors, executive officers and significant shareholders, or the market’s perception that large shareholders intend to sell their shares; •the inclusion, exclusion, or removal of our stock from any major trading indices; •the size of our market float; •the trading volume of our common stock, including sales following the exercise of outstanding options or vesting of equity awards; •the economy as a whole, including, among others, macroeconomic uncertainty, economic and market downturns, geopolitical destabilization, inflation, increases in interest rates and fluctuations in foreign exchange rates; •market conditions in our industry and the industries of our customers; •changes to our credit ratings; •the inability to conclude that our internal controls over financial reporting are effective; •investor, customers, and potential customers perception of our ESG program and other issues impacting our reputation; and •overall performance of the equity markets. Following periods of volatility in the market price of a company’s securities, securities class action litigation has often been brought against that company. Securities litigation could result in substantial costs and divert management’s attention and resources from our business. This could materially adversely affect our business, operating results, and financial condition.

We compete in markets that continue to evolve rapidly. The pace of innovation will continue to accelerate as customers recognize the advantages of acquiring leading digital technologies and adopting modern cloud-based infrastructure. As digital transformation accelerates across a customer’s enterprise, cutting-edge capabilities such as AI, machine learning, hyper automation, low-code/no-code application development, system observability and predictive insights become increasingly relevant to the customer’s evolving needs. Accordingly, to compete effectively, we must: •identify and innovate in the right technologies; •keep pace with rapidly changing technological developments, such as AI, which may disrupt talent needs and the enterprise software marketplace; •accurately predict our customers’ changing digital transformation needs, priorities and adoption practices, including their technology infrastructures and buying and budgetary practices; •invest in and continually optimize our own technology platform so that we continue to meet the very high-performance expectations of our customers; •successfully deliver new, scalable technologies and products to meet customer needs and priorities; •efficiently integrate with technologies within our customers’ digital environments; •expand our offerings into industries and to buyers who are not familiar with our offerings; •profitably and efficiently market and sell products in markets where our sales and marketing teams have less experience; •successfully adapt new pricing models; •effectively secure our platform, data and customers’ data; and •effectively deliver, directly or through our partner ecosystem, the digital transformation process planning, IT systems architecture planning, and product implementation services that our customers require to be successful. Further, in response to evolving customer needs, we may make significant investments in changing how we offer our products or services, such as bundling offerings or shifting to a subscription-based model for support services or how our services are delivered or priced. If customers are dissatisfied with these changes, our business could be materially adversely impacted.

We compete in markets that continue to evolve rapidly. The pace of innovation will continue to accelerate as customers increasingly evaluate their purchases based on the advantages of digital technologies and their need to shift to modern cloud-based infrastructure. As digital transformation accelerates across a customer’s enterprise, capabilities such as AI, machine learning, hyper automation, low-code/no-code application development, system observability, database scalability, consumer-grade user experiences, collaboration, Internet-connected devices, security, cryptography, internal software development operations, and application and service awareness become increasingly relevant to the customer’s evolving needs. Our customers and prospective customers are either facing competing imperatives to adopt digital technologies, or their systems are already built on fully digital, modern, dynamic IT technologies. Accordingly, to compete effectively, we must: •identify and innovate in the right emerging technologies; •keep pace with rapidly changing technological developments, such as AI, that may disrupt the enterprise software marketplace; •accurately predict our customers’ changing digital transformation needs, priorities and adoption practices, including their technology infrastructures and buying and budgetary practices; •invest in and continually optimize our own technology platform so that we continue to meet the very high-performance expectations of our customers; •successfully deliver new, scalable platform and database technologies and products to meet customer needs and priorities; •efficiently integrate with other technologies within our customers’ digital environments; •expand our offerings into industries and to buyers who are not familiar with our offerings; •profitably market and sell products to companies in markets where our sales and marketing teams have less experience; •successfully adapt new pricing models; 14 14 14 Table of Contents Table of Contents •effectively secure our platform, data and customers’ data, and •effectively deliver, directly or through our partner ecosystem, the digital transformation process planning, IT systems architecture planning, and product implementation services that our customers require to be successful. If we fail to meet any of these requirements, our competitive position, strategic relevance and business prospects may be harmed. Further, we may make significant investments in changing the way we offer our products or services, such as bundling offerings and shifting to a subscription-based model for support services, in response to evolving customer needs. Customers may be dissatisfied with the change in the manner and scope of how the services are delivered and the resulting change in the pricing model and may resist or be slow to adopt changes to our offerings, all of which may adversely impact our ability to compete.

There is increasingly intense competition for talent in the technology industry. Our success depends substantially upon the continued services of our management team, particularly our chief executive officer, chief operating officer and the other members of our executive staff. From time to time in the ordinary course of business, there have been and may continue to be changes in our management team. While we seek to manage these transitions carefully, such changes may result in a loss of institutional knowledge and negatively affect our business. In the highly competitive technology industry, we face ongoing challenges in attracting and retaining top talent across various roles, such as product development and engineering (particularly with AI and machine learning backgrounds), sales, operations and cybersecurity. These key individual contributors are critical to our success and can command very significant compensation in the market. Our ability to achieve significant revenue growth may depend on our success in recruiting, training and retaining sufficient qualified personnel to support our growth. We have faced and may continue to face difficulties attracting, hiring and retaining highly-skilled, qualified personnel and may not be able to fill positions in desired geographic areas or at all. Further, as we continue to grow and expand our workforce globally, we may face operational and workplace culture challenges that could negatively impact our ability to maintain the effectiveness of our business execution and the beneficial aspects of our corporate culture. While our work model, where a substantial portion of our employees work partially or fully remote, increased our access to talent, we may not be able to take advantage of a broader talent pool if our competitors offer the same work model or if we continue to lean heavily on our primary operating locations for talent. We are continually evaluating and, as appropriate, enhancing the attractiveness of our compensation packages. As a result, we have experienced and may continue to experience increased costs that may not be offset by either improved productivity or higher sales, potentially resulting in a reduction in our profitability. In addition, we grant equity awards to our employees and sustained declines in our stock price or lower stock price performance relative to our competitors reduces the retention value of such awards, which can impact the competitiveness of our compensation. Many of our employees, including all of our executive officers, are employed “at-will” and may terminate their employment with us at any time. If we fail to attract qualified, new personnel or fail to retain and motivate our current personnel, our business and future growth prospects could be adversely affected.

Competition for talent in the technology industry has become increasingly intense. Our success depends substantially upon the continued services of our management team, particularly of our chief executive officer, chief operating officer and the other members of our executive staff. Although, in response to this highly competitive talent environment, we made significant performance-based equity awards to our executive staff outside of our regular compensation program, we cannot guarantee those awards will be sufficient to retain all of these individuals. From time to time in the ordinary course of business, there have been and may continue to be changes in our management team. While we seek to manage these transitions carefully, such changes may result in a loss of institutional knowledge, cause disruptions to our business and negatively affect our business. The technology industry is subject to substantial and continuous competition for diverse talent in product development and engineering (particularly with AI and machine learning backgrounds), sales, operations, and cybersecurity. Many key individual contributors, particularly in research and development, engineering and sales, are critical to our success and can command very significant compensation in the market. Our ability to achieve significant revenue growth may depend on our success in recruiting, training and retaining sufficient qualified personnel to support our growth. We have faced and may continue to face difficulties attracting, hiring and retaining highly-skilled, qualified personnel and may not be able to fill positions in desired geographic areas or at all. While our hybrid work model, where some employees work remote for part of the week and some employees are fully remote, increased our access to talent, we may not be able to take advantage of a broader talent pool if our competitors offer the same work model or if we continue to lean heavily on our primary operating locations for talent. We are continually evaluating and, as appropriate, enhancing the attractiveness of our compensation packages. As a result, we have experienced and may continue to experience increased costs that may not be offset by either improved productivity or higher sales, potentially resulting in a reduction in our profitability. Many of our employees, including all of our executive officers, are employed “at-will” and may terminate their employment with us at any time. If we fail to attract qualified, new personnel or fail to retain and motivate our current personnel, our business and future growth prospects could be adversely affected. In addition, we believe our corporate culture of fostering innovation, teamwork and employee satisfaction has been a key contributor to our success to date. As we continue to grow and expand globally and navigate shifting workforce priorities, including the hybrid work model, we may find it difficult to maintain important aspects of our corporate culture, which could negatively affect our ability to retain and recruit personnel who are essential to our future success and could ultimately have a negative impact on our ability to innovate our technology and our business. Further, as of December 31, 2022, approximately 27.6% of our employees have been employed by us for a year or less. We must be able to effectively integrate, develop and motivate a large number of new employees, while maintaining the effectiveness of our business execution and the beneficial aspects of our corporate culture. Such challenges may be exacerbated by the hybrid work model. 20 20 20 Table of Contents Table of Contents

•Actual or perceived cybersecurity events experienced by us or our third-party service providers may create the perception that our platform is not secure, and we may lose customers or incur significant liabilities, which would harm our business, financial condition and operating results. •If we lose key members of our management team or qualified employees or are unable to attract and retain the employees we need, our costs may increase and our business and operating results may be adversely affected. •Delays in the release of, or actual or perceived defects in, our products may slow the adoption of our latest technologies, reduce our ability to efficiently provide services, decrease customer satisfaction, and adversely impact future product sales. •Disruptions or defects in our services could damage our customers’ businesses, subject us to substantial liability and harm our reputation and financial results. •Delays in improving our information systems and processes could interfere with our ability to support our existing and growing customer and employee base and could adversely impact our business. •Lawsuits by third parties that allege we infringe their intellectual property rights could harm our business and operating results. •Our intellectual property protections may not provide us with a competitive advantage, and defending our intellectual property may result in substantial expenses that harm our operating results. •Our use of open-source software could harm our ability to sell our products and services and subject us to possible litigation. •Various factors, including our customers’ business, integration, migration, compliance and security requirements, or errors by us, our partners, or our customers, may cause implementations of our products to be delayed, inefficient or otherwise unsuccessful. 13 13 13 Table of Contents Table of Contents •Our failure or perceived failure to achieve our ESG goals or maintain ESG practices that meet evolving stakeholder expectations could adversely affect us. •Natural disasters, including climate change, and other events beyond our control could harm our business.

•If we or our third-party service providers experience an actual or perceived cybersecurity event, our platform may be perceived as not being secure, and we may lose customers or incur significant liabilities, which would harm our business and operating results. •If we lose key members of our management team or qualified employees or are unable to attract and retain the employees we need, our costs will increase and our business and operating results will be adversely affected. •Disruptions or defects in our services could damage our customers’ businesses, subject us to substantial liability and harm our reputation and financial results. •Lawsuits against us by third parties that allege we infringe their intellectual property rights could harm our business and operating results. •Our intellectual property protections may not provide us with a competitive advantage, and defending our intellectual property may result in substantial expenses that harm our operating results. •Our use of open source software could harm our ability to sell our products and services and subject us to possible litigation. •Various factors, including our customers’ business, integration, migration, compliance and security requirements, or errors by us, our partners, or our customers, may cause implementations of our products to be delayed, inefficient or otherwise unsuccessful. •Natural disasters, including climate change, and other events beyond our control could harm our business. 12 12 12 Table of Contents Table of Contents

The markets for our enterprise cloud solutions are rapidly evolving and highly competitive, with relatively low barriers to entry. As the market for digital workflow products and offerings matures and new technologies, in-house solutions and competitors enter the market, we increasingly compete with alternative solutions and approaches to solve customer needs or experience customer reluctance or unwillingness to migrate away from their current solutions. Further, we expect additional competition as we shift our products and services to compete with providers in adjacent markets. Some of our existing competitors and potential competitors are larger and have greater name recognition, the ability to more efficiently scale their business, more established operations and customer relationships, and greater financial and technical resources than we do. Competitors, regardless of their size, may be able to respond more quickly and effectively to new or changing opportunities, technologies, standards, customer requirements and buying practices. They may introduce new technology, solve similar problems in different ways or more effectively utilize existing technology that reduces demand for our services. They may utilize acquisitions, integrations or consolidations to offer integrated or bundled products, enhanced functionality or other advantages. “Systems of record” operators may attempt to create technology solutions or other mechanisms that would prevent our systems from integrating with theirs. They may create pricing pressures by reducing the price of competing products, services or subscriptions or bundling their offerings causing our offerings to appear relatively more expensive. In addition, competition from cloud-based vendors may increase as they partner with on-premises hardware providers to deliver their cloud platform as an on-premises or data localized solution. If we are not able to compete successfully, we could experience reduced sales and margins, losses or failure of our products to achieve or maintain market acceptance, any of which could harm our business.

The markets for our enterprise cloud solutions are rapidly evolving and highly competitive, with relatively low barriers to entry. As the market for digital workflow products and offerings matures and new technologies, in-house solutions and competitors enter the market, we find ourselves increasingly competing with solutions and alternative approaches to solving customer needs or experiencing reluctance or unwillingness from customers to migrate away from their current solutions. Further, as our offerings have become more widely adopted and successful in the market, more competitors are developing competing offerings, including those competitors from adjacent segments. For example, while the Now Platform was designed to quickly integrate with and offers solutions that are complementary to the offerings of many well-established systems traditionally operating as “systems of record,” competition from those companies has been increasing. Additionally, sources of alternative solutions and approaches include those provided by: •enterprise application software vendors, such as Oracle, SAP, Salesforce and Workday; •new technology vendors and entrants; •in-house solutions of current and prospective customers; and •cloud-based vendors. Some of our existing competitors and potential competitors are larger and have greater name recognition and scale, longer operating histories, more established customer relationships, larger marketing budgets and greater financial and technical resources than we do. Competitors and new entrants may be able to respond more quickly and effectively to new or changing opportunities, technologies, standards, customer requirements and buying practices. They may introduce new technology, solve similar problems in different ways or more effectively utilize existing technology that reduces demand for our services. They may utilize acquisitions, integrations or consolidations to offer integrated or bundled products, enhanced functionality or other advantages. “Systems of record” operators may attempt to create technology solutions that would prevent our systems from integrating with theirs. Enterprise software application vendors may reduce the price of or offer free-of-charge competing products, services or subscriptions creating pricing pressures, or bundle them with their other offerings causing our offerings to appear relatively more expensive. Smaller competitors, new technology vendors and new entrants may also accelerate pricing pressures in the various markets in which we compete. Additionally, companies may expand their services to compete with our services, or we may shift our products and services to compete with current and future competitors in adjacent markets. We have expanded and expect to continue to expand the breadth of our services to include offerings in new markets and industries, the use of our platform by developers and generally in low-code/no-code capabilities. As a result, we expect increasing competition from companies focused on these other areas. Also, as customers increasingly adopt a hybrid (on-premises and off-premises) approach for their IT workloads, our cloud services may fail to address evolving customer requirements, including data localization, which could cause a decline in demand for our services and cause us to experience lower growth. Competition from cloud-based vendors may increase as they partner with on-premises hardware providers to deliver their cloud platform as an on-premises or data localized solution. If we are not able to compete successfully, we could experience reduced sales and margins, losses or failure of our products to achieve or maintain market acceptance, any of which could harm our business.

Governments have adopted, and likely will continue to adopt, laws and regulations affecting the use, storage and movement of data, including laws related to data privacy and security, the use of machine learning and artificial intelligence (“AI”), and data sovereignty or residency requirements. Changing laws, regulations and standards applying to the collection, storage, use, sharing, portability, transfer or other control or processing of data, including personal data, could affect our ability to efficiently and cost-effectively offer our services and to develop our products and services for maximum utility, as well as our customers’ ability to use data or share data. Such changes may restrict our ability to use, store or otherwise process customer data in connection with providing services and could alter or increase our compliance requirements. In some cases, this could impact our ability to offer our services in certain locations or our customers’ ability to deploy our services globally. For example, the EU Data Act is a proposed law with potential significant requirements regarding data portability, interoperability and accessibility and unclear data transfer restrictions, any of which could impact our operations. In addition, although the new Trans-Atlantic Data Privacy Framework (which replaced the prior Privacy Shield) has been approved, which could facilitate the transfer of data between the United States (“U.S.”) and European Union (“EU”), there remains a possibility that this framework could be challenged in court. As we continue to innovate and improve the offerings on our platform by leveraging machine learning and AI, our business model may be affected by global trends and laws that regulate the use of AI and machine learning. Such laws or regulations not only may cause us to modify our data handling practices, which could be costly or burdensome, it also may impact our ability to use certain data for developing our products or impede customers regulated by such laws and regulations to adopt our products. In addition, we may become subject to new or heightened legal, ethical or other challenges arising out of the perceived or actual impact of AI on human rights, intellectual property, privacy, and employment, among other issues, and we may experience brand or reputational harm, legal liability or increased costs associated with those issues. We offer region-specific services, by which customer data is hosted locally and customers may elect to receive support from locally based ServiceNow teams. Setting up and maintaining these region-specific services require significant investment, including to comply with applicable laws and regulations. Actual or perceived non-compliance with those laws and regulations could result in proceedings or investigations against us by regulatory authorities or others, lead to significant fines, damages, orders, litigation or reputational harm and may otherwise adversely impact our business, financial condition and operating results. We will also need to continually adapt to customer privacy and security requirements as they change over time. For example, as customers increasingly adopt a hybrid (on-premises and off-premises/hyperscale cloud) approach for their IT workloads, our cloud services may fail to address evolving customer requirements, including data localization. Further, due to heightened concerns relating to privacy and security regulatory matters, our customers may request certain certifications and failure to obtain, or consistently maintain, those certifications may adversely impact our reputation and business. 14 14 14 Table of Contents Table of Contents

Governments have adopted, and may likely continue to adopt, laws and regulations affecting the use, storage and movement of data, including laws related to data privacy, the use of machine learning and artificial intelligence (“AI”), and data sovereignty or residency requirements. As a cloud-based service provider, we optimize performance of our products and services by utilizing data centers located in, and support provided from, different jurisdictions. As we continue to innovate and improve the offerings on our platform, we leverage machine learning and AI to create more efficient and effective workflows for our customers. Changing laws, regulations and standards applying to the collection, storage, use, sharing, transfer or other control or processing of data, including personal data such as employee or marketing data, could affect our ability to efficiently and cost-effectively offer our services, to develop our products and services to maximize their utility, as well as our customers’ ability to use data or share data with service providers. Such changes may restrict our ability to use, store or otherwise process data of our customers in connection with providing and supporting our services. In some cases, this could impact our ability to offer our services in certain locations or our customers’ ability to deploy our services globally. Existing and upcoming laws and regulations globally, including European and state specific privacy laws in the United States (“U.S.”), global trends to regulate the use of AI and machine learning, the ruling of the European Court of Justice in Schrems v. Facebook Ireland and interpretations of that ruling by regulators and customers, recommendations issued by the European Data Protection Board, Standard Contractual Clauses issued by the European Commission, and other global privacy, data residency, sovereignty and transfer laws, regulations and standards (including self-regulatory standards) may cause us to incur substantial operational costs or require us to modify our data handling practices and/or policies, may limit the development, use and adoption of our services, and could reduce overall demand for our services. While a new Privacy Shield has been proposed to permit the transfer of data between the U.S. and the European Union, the timing and precise requirements of the Privacy Shield are uncertain, as is the possibility that any agreement would be challenged in court. Laws or regulations related to the use of AI and machine learning technology may impact our ability to use certain data for developing our products and may also become an impediment to the adoption of our products for customers regulated by such laws and regulations. In 2022, we began offering an EU-centric services delivery model, by which customers may elect to receive support from EU‑based ServiceNow teams, with an EU, cloud‑hosted digital workflow solution. This offering required a significant investment in financial and human resources, and we may see similar requests for local solutions in other territories. In addition, actual or perceived non-compliance with those laws and regulations could result in proceedings or investigations against us by regulatory authorities or others, lead to significant fines, damages, orders or reputational harm and may otherwise adversely impact our business, financial condition and operating results. Changes in our developed or acquired products and how such products utilize data could also alter or increase our compliance requirements. As a result, our innovation and business drivers in developing or acquiring new and emerging technologies and the demand for our products could be impacted. 13 13 13 Table of Contents Table of Contents

In the ordinary course of our business, we store, transmit, generate, and process our and our customers’ confidential, proprietary and sensitive data. As our business expands across the globe, the number of employees, contractors, vendors and other third parties remotely accessing our systems continues to grow. Our growing business operations increase our exposure to cyberattacks by a range of actors, who have used and will continue to use assorted tactics, techniques, and 18 18 18 Table of Contents Table of Contents procedures, including malicious code, ransomware, social engineering, business email compromises, supply chain attacks, denial of service attacks and similar internet-enabled, fraudulent activity. Further, during times of war and other major conflicts, we and our third-party providers may be vulnerable to a heightened risk of geopolitically motivated attacks, including cyberattacks, that could materially disrupt our systems and operations, supply chain and ability to provide our services. The cybersecurity threats are not limited to actors operating in the systems we control directly. Our increasing reliance on third-party providers and public cloud infrastructure introduces new cybersecurity risks to our business operations. We rely on third-party service providers and technologies to operate business systems in a variety of contexts, and supply chain attacks have increased in frequency and severity. While we have a vendor security review process, we cannot guarantee that our third-party service providers or our supply chain infrastructure have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our platform, systems and network or the systems and networks of third parties that support us and our business. Our ability to monitor the data security measures of our third-party providers is limited, and we necessarily depend in part on our providers to have in place and maintain adequate security measures to protect against unauthorized access, cyberattacks and the mishandling of data. Further, employee error or malfeasance in configuring, maintaining and using these services could impact our ability to monitor and secure them effectively. While we have identified vulnerabilities in our products and services in the past and will continue to do so in the future, we cannot be certain that we will be able to identify all vulnerabilities or address the vulnerabilities of which we become aware. Further, there have been delays and may continue to be delays in developing patches that can be effectively deployed to address vulnerabilities. Third parties have, in the past, actively searched for and exploited actual and potential vulnerabilities in our software and will do so in the future. Moreover, the incorporation of third-party or open-source software code into our or our customers’ systems increases the risk of exploitation of vulnerabilities, such as the vulnerability in the Java logging library known as “log4j” that affected our industry. We also have inherited and may in the future inherit additional security risks from acquiring or partnering with other companies. In most instances, our customers are responsible for administering access to the data held in their particular instance for their employees and service providers. While our software is delivered with certain preset configurations, we understand that our customers require flexibility to configure the Now Platform to their specific business needs. We work closely with our customers to help them evaluate their security configurations, including providing guidance to align configuration settings with their business needs. Yet, in configuring our platform, both our employees and customers have made errors in the past and may do so again in the future. We are aware that, on occasion, our customers and ServiceNow have configured certain settings on our platform, or retained preset configurations, in a manner not aligned with their preferred security levels, which can result in, and has resulted in, information being made more widely accessible than intended. Such misconfigurations can be, and have been, identified publicly, increasing the risk of data being exposed unintentionally. While we have security measures and a data governance framework in place designed to protect our and our customers’ information and prevent data loss, these measures may not be effective at preventing material breaches caused by intentional or unintentional actions or inactions by employees, contractors or third parties. Techniques used to sabotage or to obtain unauthorized access to systems are constantly evolving and may go undetected until a successful attack occurs. Moreover, we have experienced security incidents, which may reoccur in the future, that resulted in unauthorized access to, loss, or inadvertent disclosure of confidential, proprietary and sensitive information. We have observed attempts by third parties to induce or deceive our employees, contractors or users to fraudulently obtain access to our or our customers’ data or assets. Further, our employees have fallen victim to phishing attacks in the past and may again in the future. An actual or perceived security breach can have a material effect on ServiceNow’s operations, finances and reputation. The adverse consequences can include accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data; disruptions to our services; diversion of funds; litigation; indemnification and other contractual obligations; regulatory investigations; government fines and penalties; reputational damage; negative publicity; loss of sales, customers, and partners; mitigation and remediation expenses; and other material costs and liabilities. In addition, the assessment and response to security incidents, as well as implementation of appropriate safeguards to protect against future incidents, can lead to material economic and operational consequences. These consequences can result regardless of whether the incident is suffered by us, affects our third-party service providers or stems from customers action or inaction. Moreover, even if a breach is unrelated to our security programs or practices, it could still cause us reputational harm and require us to undertake significant efforts to assess and respond to the breach, including further protecting our customers from their own vulnerabilities. There can be no assurance that any limitations of liability provisions in our subscription agreements, terms of use or other agreements would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. In addition, while we maintain insurance coverage, we cannot be certain that such coverage will continue to be available on acceptable terms or 19 19 19 Table of Contents Table of Contents in sufficient amounts to cover potential losses from a security incident or that an insurer will not deny coverage as to any future claim.

Our operations involve the storage, transmission and processing of our customers’ confidential, proprietary and sensitive data, which may include personally identifiable information, protected health information, financial information and, in some cases, government information. While we have security measures and a data governance framework in place designed to protect customer information and prevent data loss, these protective mechanisms we have implemented may not be effective at preventing material breaches caused by intentional or unintentional action or inaction by employees or third parties, which may result in the unauthorized access or release of our instances and ultimately our or our customers’ data, IP and other confidential business information. Third parties have attempted to fraudulently induce employees, contractors, or users to disclose information or to gain access to our or our customers’ data, and we have been the target of increasingly sophisticated email and text message scams that attempt to acquire personal information or company assets. Further, we have experienced an increase in the number and sophistication of cyberattacks and security challenges as the growing number of employees, vendors and other third parties that remotely access our systems increase our exposure to attack. Computer malware, ransomware, viruses, hacking, phishing and denial of service attacks by third parties have become more prevalent in our industry, and similar malicious attacks have been made against our and our third-party service providers’ systems in the past and may occur again in the future. Our employees have fallen victim to phishing attacks in the past and may again in the future. The frequency and sophistication of these attacks have increased, and it appears that cyber crimes and cyber criminal networks, some of which may be state-supported, have substantial resources and may target U.S. enterprises or our customers and their use of our products. In addition, we have established extensive development and testing environments for our engineers developing new products and features. Security protocols in those environments have necessarily been less rigorous than in environments housing customer data, but a vulnerability or security defect arising out of our development and testing environment could become incorporated in code imported to our environments housing customer data. Similarly, in the unique circumstances where customer data may be utilized in developer environments for testing or learning, that data may be at greater risk. Because techniques used to sabotage, obtain unauthorized access to systems or prohibit authorized access to systems change frequently and generally may not be detected until successfully launched against a target, we have been and may continue to be unable to anticipate these techniques or to implement adequate preventative measures. This has included and may continue to include underlying infiltration of pre-existing systems, including those of our third-party service providers or customers, perpetrated by more sophisticated or state-supported attackers, including foreign cybersecurity attacks on U.S. technology companies and retaliatory cybersecurity attacks stemming from the Russian invasion of Ukraine or other geopolitical tensions. It may also include exploitation of vulnerabilities in third party or open source software code that may be incorporated into our own or our customers’ systems, such as the vulnerability in the Java logging library known as “log4j” identified in late 2021 that affected our industry. The occurrence of these and other more sophisticated or state-supported attack campaigns may increase as geopolitical tensions and intermittent warfare continue or escalate outside of the U.S. For example, due to the Russia-Ukraine conflict, rising tensions between the U.S. and North Korea and rising tensions with China, we and our customers, third-party vendors and service providers are subject to a heightened risk of cybersecurity attacks, phishing attacks, viruses, malware, ransomware, hacking or similar breaches from state-supported actors, including attacks that could materially disrupt our systems and operations, supply chain, and ability to make available or sell our products and services. We devote significant financial and personnel resources to implement and maintain security measures while meeting customer expectations as to the performance of our systems; however, as cybersecurity threats develop and grow more complex and sophisticated over time, such as in connection with geopolitical warfare, we will continue to make significant further investments to protect data and infrastructure, but a residual risk may remain despite our preventative efforts. A security breach suffered by us or our third-party service providers, an attack against our service availability or unauthorized access or loss of data could result in a disruption to our service, litigation, service level agreement claims, indemnification and other contractual obligations, regulatory investigations, government fines and penalties, reputational damage, loss of sales and customers, mitigation and remediation expenses and other significant costs and liabilities. In addition, we may incur significant economic and operational consequences in order to appropriately assess and respond to security incidents and to implement appropriate safeguards to protect against future incidents. We also cannot be certain that insurance coverage will continue to be available on acceptable terms or in sufficient amounts to cover the potentially significant losses that may result from a security incident or an insurer will not deny coverage as to any future claim. 19 19 19 Table of Contents Table of Contents Additionally, as we increase reliance on third-party and public cloud infrastructure, we depend in part on third-party security measures to protect against unauthorized access, cyberattacks and the mishandling of data. However, our ability to monitor our third-party service providers’ data security is limited. Similarly, employee error or malfeasance in configuring, maintaining, and using services offered by third-party providers may affect our ability to monitor and secure such services. Employees have made errors in this area in the past and may do so again in the future. Any breach of our providers’ security measures or misconfiguration or misuse of our software or our providers’ services may result in unauthorized access to, or the misuse, loss or destruction of, our and our customers’ data or in a violation of our terms or applicable law, which may result in reputational harm or liability. Further, in most instances, our customers administer access to the data held in their particular instance for their employees and service providers. While we offer tools and support, customers are not required to utilize them and may suffer a cybersecurity attack on their own systems, unrelated to our own, and allow a malicious actor access to the customer’s information held on our platform. Even if such a breach is unrelated to our security programs or practices, such breach could cause us reputational harm and require us to incur significant economic and operational consequences in order to adequately assess and respond to the breach, including further protecting our customers from their own vulnerabilities, and to implement appropriate safeguards to protect against future breaches. Digital supply chain attacks have increased in frequency and severity. We cannot guarantee that third parties and our supply chain infrastructure have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our platform, systems and network or the systems and networks of third parties that support us and our business. Third parties may also exploit vulnerabilities in, or obtain unauthorized access to, platforms, systems, networks, or physical facilities utilized by us or our third-party vendors or service providers. Furthermore, supply chain disruptions due to the Russian invasion of Ukraine (and resulting legal or regulatory developments) and any indirect effects may further complicate any existing supply chain constraints.

As we target more of our sales efforts at larger enterprise customers, we may face heightened costs, longer sales cycles, greater competition and less predictability in our ability to close sales. Larger enterprise customers tend to require considerable time evaluating and testing our platform prior to making a purchasing decision, require multiple levels of review and approval, and demand more configuration, integration services and features, particularly when switching from legacy on-premises solutions. As a result, these sales opportunities may require us to devote significant sales support and professional services to a smaller number of larger transactions, diverting those resources from other sales opportunities. If we fail to effectively manage these risks, our business, financial condition, and results of operations may be negatively affected.

As we target more of our sales efforts at larger enterprise customers, we may face heightened costs, longer sales cycles, greater competition and less predictability in completing some of our sales. With such customers, their decision to use our services may be an enterprise-wide decision, requiring multiple levels of sign off. Such sales require considerable time for the customer to evaluate and test our platform prior to making a purchasing decision and the customer may even rely on third parties with whom we do not have a relationship, which require us to provide greater levels of education regarding the use and benefits of our services, as well as addressing concerns regarding data security, compliance with privacy and data protection laws and regulations of prospective customers with international operations or whose own customers operate internationally. In addition, larger enterprise customers may demand more configuration, integration services and features, particularly when switching from legacy on-premises solutions. As a result of these factors, these sales opportunities may require us to devote greater sales support and professional services resources to individual customers, driving up costs and time required to complete sales and diverting our sales and professional services resources to a smaller number of larger transactions. If we fail to effectively manage these risks associated with sales cycles and sales to larger enterprise customers, our business, financial condition, and results of operations may be affected. 17 17 17 Table of Contents Table of Contents