Okta Inc.: 10-K Risk Factor Changes

In connection with running our business, we receive, store, use and otherwise process personal data, including on behalf of our customers. Our customers’ storage and use of personal data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platforms. We and our customers are therefore subject to global data protection laws and regulations, as well as other privacy-related requirements. For example, data protection laws, such as those applicable in the European Union, Canada and certain of its provinces, United Kingdom, Asia and certain states in the United States, have enhanced data protection obligations for companies that handle personal data. Obligations include, for example, expanded disclosures about how personal data is to be used, individual rights in relation to personal data, limitations on retention of personal data, mandatory data breach notification requirements and strict obligations on service providers, and restrictions on online marketing and the use of cookies and tracking technologies. The costs of compliance with, and other burdens imposed by, such laws and regulations that are applicable to our business and the operations of our customers may limit the use and adoption of our service and reduce overall demand for it. These privacy and data security related laws and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. In addition, we are subject to certain contractual obligations regarding the collection, use, storage, transfer, disclosure and/or processing of personal data. Although we are working to comply with those federal, state and foreign laws and regulations, industry standards, contractual obligations and other legal obligations that apply to us, those laws, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another and may conflict with one another, other requirements or legal obligations, our practices or the features of our platforms. Additionally, while we have implemented various features intended to enable our customers to better comply with applicable privacy and security requirements in their collection and use of data within our platforms, these features have, in the past, not ensured and may, in the future, not ensure our customers’ compliance and may not be effective against all potential privacy or related regulatory concerns. We also expect that there will continue to be new proposed laws, regulations, self-regulatory and industry standards concerning privacy, data protection, digital services and information security in the United States, the European Union and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. In the United States, the Federal Trade Commission and state regulators enforce a variety of data privacy issues, such as promises made in privacy policies or failures to appropriately protect information about individuals, as unfair or deceptive acts or practices in or affecting commerce in violation of the Federal Trade Commission Act or similar state laws. Many U.S. states have also adopted new or modified privacy and security laws. These laws create a patchwork of legislation and regulation that impose heightened transparency obligations about data collection, use and sharing practices; add restrictions on the “sale” or “sharing” or transfer of personal information to third parties for purposes such as advertising or analytics; create new data privacy rights for consumers including the ability to limit the use of personal information for advertising; and carry 25 25 25 significant enforcement penalties for non-compliance, including monetary and injunctive relief. This patchwork may also give rise to conflicts or differing views of personal privacy rights. For example, certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to personal data than federal, international or other state laws, and such laws may differ from each other, all of which may complicate compliance efforts. We may expend significant resources attempting to comply with conflicting and overlapping state privacy regulations, and the cost and complexity of complying with such regulations could adversely affect our business or increase our potential liability if we fail to comply. This influx of state privacy regimes indicates a trend toward more stringent privacy legislation in the United States, including a potential federal privacy law, which could also increase our potential liability and adversely affect our business. In Europe, the General Data Protection Regulation 2016/679 (the “GDPR”) imposes a strict data protection compliance regime in relation to the collection and processing of personal data, and various European and other foreign laws also restrict the use of cookies, tracking technologies and certain marketing activities. Future laws, regulations, standards and other obligations and changes in the interpretation of existing laws, regulations, standards and other obligations could impair our or our customers’ ability to collect, use or disclose information relating to consumers, which could decrease demand for our applications, restrict our business operations, or increase our costs and impair our ability to maintain and grow our customer base and increase our revenue. Such laws and regulations may require companies to implement privacy and security policies, permit users to exercise various data rights, inform individuals of security breaches that affect their personal data and, in some cases, obtain individuals’ consent to use personal data for certain purposes. Any failure or perceived failure by us or our third-party service providers to comply with federal, state or foreign laws or regulations, industry standards, contractual obligations or other legal obligations, compliance frameworks with which we have contractually committed to comply, or any actual or suspected privacy or security incident, even if unfounded, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personal data or other data, may result in investigations and enforcement actions and prosecutions, private litigation (including class action lawsuits), fines, penalties and censure, claims for damages by customers and other affected individuals or adverse publicity and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. Additionally, plaintiffs have become increasingly active in bringing privacy-related claims against companies. Some of these claims allow for the recovery of statutory damages on a per violation basis and, if viable, carry the potential for significant statutory damages, depending on the volume of data and the number of violations. We also publicly post our privacy policies and practices concerning our processing, use and disclosure of the personal data provided to us by our website visitors and by our customers and other individuals with whom we interact. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be unfair, deceptive or misrepresentative of our practices. Moreover, if our platforms are perceived to cause, or are otherwise unfavorably associated with, violations of privacy or data security requirements, it may subject us or our customers to public criticism and potential legal liability. Existing and potential privacy laws and regulations concerning privacy and data security and increasing sensitivity of consumers to unauthorized processing of personal data may create negative public reactions to technologies, solutions and services such as ours. Public concerns regarding personal data processing, privacy and security may cause some of our customers’ end users to be less likely to visit their websites or otherwise interact with them. If enough end users choose not to visit our customers’ websites or otherwise interact with them, our customers could stop using our platforms. This, in turn, may reduce the value of our service, slow or eliminate the growth of our business or cause our business to contract. Privacy is a key issue for us and for our customers. We have attained multiple privacy certifications, such as the Data Privacy Network, Privacy Recognition for Processors and the European Union Cloud Code of Conduct, Level 2. If we fail to maintain our privacy certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed solutions, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer. 26 26 26

Our customers’ storage and use of data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platforms. We have implemented various features intended to enable our customers to better comply with applicable privacy and security requirements in their collection and use of data within our online service, but these features have, in the past, not ensured and may, in the future, not ensure our customers’ compliance and may not be effective against all potential privacy or related regulatory concerns. Many jurisdictions have enacted or are considering enacting or revising privacy and/or data security legislation, including laws and regulations applying to the collection, use, storage, transfer, disclosure and/or processing of personal data. The costs of compliance with, and other burdens imposed by, such laws and regulations that are applicable to the operations of our customers may limit the use and adoption of our service and reduce overall demand for it. These privacy and data security related laws and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. In addition, we are subject to certain contractual obligations regarding the collection, use, storage, transfer, disclosure and/or processing of personal data. Although we are working to comply with those federal, state and foreign laws and regulations, industry standards, contractual obligations and other legal obligations that apply to us, those laws, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another, other requirements or legal obligations, our practices or the features of our platforms. We also expect that there will continue to be new proposed laws, regulations, self-regulatory and industry standards concerning privacy, data protection, digital services, and information security in the United States, China, the European Union, India and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. In the United States, the Federal Trade Commission and state regulators enforce a variety of data privacy issues, such as promises made in privacy policies or failures to appropriately protect information about individuals, as unfair or deceptive acts or practices in or affecting commerce in violation of the Federal Trade Commission Act or similar state laws. On the U.S. state level, over a dozen states have adopted new or modified privacy and security laws. These laws create a patchwork of legislation and regulation that impose heightened transparency obligations about data collection, use, and sharing practices, add restrictions on the “sale” or “sharing” or transfer of personal information to third parties for purposes such as advertising or analytics, create new data privacy rights for consumers including the ability to limit the use of personal information for advertising, and carry significant enforcement penalties for non-compliance, including monetary and injunctive relief. This patchwork may also give rise to conflicts or differing views of personal privacy rights. For example, certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to personal data than federal, international or other state laws, and such laws may differ from each other, all of which may complicate compliance efforts. We may expend significant resources attempting to comply with conflicting and overlapping state privacy regulations, and the cost and complexity of complying with such regulations could adversely affect our business or increase our potential liability if we fail to comply. This influx of state privacy regimes indicates a trend toward more stringent privacy legislation in the United States, including a potential federal privacy law, which could also increase our potential liability and adversely affect our business. In Europe, the General Data Protection Regulation 2016/679 (the “GDPR”) imposes a strict data protection compliance regime in relation to the collection and processing of personal data, and various European and other foreign laws also restrict the use of cookies, tracking technologies, and certain marketing activities. Future laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations could impair our or our customers’ ability to collect, use or disclose information relating to consumers, which could decrease demand for our applications, restrict our business operations, or increase our costs and impair our ability to maintain and grow our customer base and increase our revenue. Such laws and regulations may require companies to implement privacy and security policies, permit users to exercise various data rights, inform individuals of security breaches that affect their personal data, and, in some cases, obtain individuals’ consent to use personal data for certain purposes. If we, or the third parties on which we rely, fail to comply with federal, state and international data privacy laws and regulations our ability to successfully operate our business and pursue our business goals could be harmed. Additionally, plaintiffs have become increasingly more active in bringing privacy-related claims against companies. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for significant statutory damages, depending on the volume of data and the number of violations. 27 27 27 With respect to cybersecurity in the United States, the development of rules and guidance pursuant to various executive orders may apply to us, including, for example, pursuant to Executive Order 14028 for “critical software.” While the rules and guidance coming from the Order are still being developed, we are likely to be categorized as a provider of critical software, which may increase our compliance costs and delay or prevent our ability to execute contracts with customers, including in particular with government entities. Any failure or perceived failure by us or our third-party service providers to comply with federal, state or foreign laws or regulations, industry standards, contractual obligations or other legal obligations, compliance frameworks with which Okta, Inc. has contractually committed to comply, or any actual or suspected privacy or security incident, even if unfounded, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personal data or other data, may result in investigations and enforcement actions and prosecutions, private litigation (including class action lawsuits), fines, penalties and censure, claims for damages by customers and other affected individuals, or adverse publicity and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. We publicly post our privacy policies and practices concerning our processing, use and disclosure of the personal data provided to us by our website visitors and by our customers, and other individuals with whom we interact. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be unfair, deceptive, or misrepresentative of our practices. If our platforms are perceived to cause, or are otherwise unfavorably associated with, violations of privacy or data security requirements, it may subject us or our customers to public criticism and potential legal liability. Existing and potential privacy laws and regulations concerning privacy and data security and increasing sensitivity of consumers to unauthorized processing of personal data may create negative public reactions to technologies, solutions and services such as ours. Public concerns regarding personal data processing, privacy and security may cause some of our customers’ end users to be less likely to visit their websites or otherwise interact with them. If enough end users choose not to visit our customers’ websites or otherwise interact with them, our customers could stop using our platforms. This, in turn, may reduce the value of our service, and slow or eliminate the growth of our business, or cause our business to contract. Privacy is a key issue for Okta, Inc. and for our customers. We have attained multiple privacy certifications, such as the Privacy Recognition for Processors, and the European Union Cloud Code of Conduct, Level 2. If we fail to maintain our privacy certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed solutions, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer.

The conversion of some or all of the 2026 Notes would dilute the ownership interests of existing stockholders to the extent we satisfy our conversion obligation by delivering shares of our Class A common stock upon any conversion of such notes. Our 2026 Notes may become in the future convertible at the option of their holders under certain circumstances. If holders of the 2026 Notes elect to convert their notes, we may settle our conversion obligation by delivering to them a significant number of shares of our Class A common stock, which would cause dilution to our existing stockholders. We have in the past and may in the future, engage in exchanges, repurchase or induce conversions of the 2026 Notes. Holders of the 2026 Notes that participate in any of these exchanges, repurchases or induced conversions may enter into or unwind various derivatives with respect to our Class A common stock or sell shares of our Class A common stock in the open market to hedge their exposure in connection with these transactions. These activities could decrease (or reduce the size of any increase in) the market price of our Class A common stock or the 2026 Notes, or dilute the ownership interests of our stockholders. In addition, the market price of our Class A common stock is likely to be affected by short sales of our Class A common stock or the entry into or unwind of economically equivalent derivative transactions with respect to our Class A common stock by investors that do not participate in the exchange transactions and by the hedging activity of the counterparties to our capped call transactions (“Capped Calls”) or their respective affiliates. In addition, in connection with the issuance of the 2026 Notes, we entered into Capped Calls with certain financial institutions (the “Option Counterparties”). The Capped Calls are generally expected to reduce potential dilution to our Class A common stock upon any conversion or settlement of the 2026 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2026 Notes, as the case may be, with such reduction and/or offset subject to a cap. If we unwind the Capped Calls in connection with 2026 Notes repurchases or otherwise, we would lose the anti-dilutive impact of any unwound Capped Calls. From time to time, the Option Counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivative transactions with respect to our Class A common stock and/or purchasing or selling our Class A common stock or other securities of ours in secondary market transactions prior to the maturity of the 2026 Notes. This activity could cause a decrease in the market price of our Class A common stock.

The conversion of some or all of the Notes would dilute the ownership interests of existing stockholders to the extent we satisfy our conversion obligation by delivering shares of our Class A common stock upon any conversion of such Notes. Our 2025 Notes and 2026 Notes may become in the future convertible at the option of their holders under certain circumstances. If holders of our Notes elect to convert their notes, we may settle our conversion obligation by delivering to them a significant number of shares of our Class A common stock, which would cause dilution to our existing stockholders. We have in the past, and may in the future, engage in exchanges, repurchase, or induce conversions of the Notes. Holders of the Notes that participate in any of these exchanges, repurchases, or induced conversions may enter into or unwind various derivatives with respect to our Class A common stock or sell shares of our Class A common stock in the open market to hedge their exposure in connection with these transactions. These activities could decrease (or reduce the size of any increase in) the market price of our Class A common stock or the Notes, or dilute the ownership interests of our stockholders. In addition, the market price of our Class A common stock is likely to be affected by short sales of our Class A common stock or the entry into or unwind of economically equivalent derivative transactions with respect to our Class A common stock by investors that do not participate in the exchange transactions and by the hedging activity of the counterparties to our capped call transactions ("Capped Calls") or their respective affiliates. In addition, in connection with the issuance of the 2025 Notes and 2026 Notes, we entered into Capped Calls with certain financial institutions (the “Option Counterparties”). The Capped Calls are generally expected to reduce potential dilution to our Class A common stock upon any conversion or settlement of the 2025 Notes and 2026 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2025 Notes and 2026 Notes, as the case may be, with such reduction and/or offset subject to a cap. If we unwind the Capped Calls in connection with Note repurchases or otherwise, we would lose the anti-dilutive impact of any unwound Capped Calls. From time to time, the Option Counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivative transactions with respect to our Class A common stock and/or purchasing or selling our Class A common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes. This activity could cause a decrease in the market price of our Class A common stock.

This risk factor summary contains a high-level summary of risks associated with our business. It does not contain all of the information that may be important to you, and you should read this risk factor summary together with the more detailed discussion of risks and uncertainties set forth following this summary. A summary of our risks includes, but is not limited to, the following: •Adverse general economic, market and industry conditions and reductions in workforce identity and customer identity spending have, in the past and may, in the future, reduce demand for our solutions, which could harm our revenue, results of operations and cash flows. •Our business depends on our ability to retain existing customers, and our revenues and results of operations could be adversely impacted if they do not renew their subscriptions or purchase additional licenses or subscriptions with us. •If we are unable to grow our customer base, our revenue growth and profitability could be harmed. •We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position. •We may experience quarterly fluctuations in our results of operations due to a number of factors that make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations. •Interruptions or performance problems that impact the functionality of our technology, systems or infrastructure could result in delays in the deployment of our platforms. •In the past, we have experienced cybersecurity incidents that allowed unauthorized access to our systems or data or our customers’ data, harmed our reputation, created additional liability and adversely impacted our financial results. We and our third-party service providers may experience similar incidents in the future which may also include disabling access to our service. •Any actual or perceived failure by us, our third-party service providers or our customers to comply with new or existing laws, regulations or other requirements relating to the privacy, security and processing of personal information could adversely affect our business, results of operations or financial condition. •If we are unable to ensure that our solutions integrate or interoperate with a variety of operating systems, platforms, services, software applications devices, mobile phones and other hardware form factors that are developed by others, our platforms may become less competitive and our results of operations may be harmed. •Real or perceived errors, failures, vulnerabilities or bugs in our solutions, including deployment complexity, have in the past and could, in the future, harm our business and results of operations. •Issues with our use, development, adoption, deployment and maintenance of AI and machine learning technologies, combined with an uncertain regulatory environment, may result in reputational harm, liability or other adverse consequences to our business operations. •Because we generally recognize revenue from our subscriptions and support services over the term of the relevant service period, a decrease in sales during a reporting period may not be immediately reflected in our results of operations for that period. 15 15 15 •The stock price of our Class A common stock may be volatile or may decline. •The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and their affiliates, who held in the aggregate 32% of the voting power of our capital stock as of January 31, 2026. This will limit or preclude your ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets or other major corporate transaction requiring stockholder approval. •Transactions relating to our convertible notes may affect the value of our Class A common stock. •We depend on our executive officers and other key employees, and the loss of one or more of these employees or an inability to attract and retain other highly skilled employees could harm our business.

This risk factor summary contains a high-level summary of risks associated with our business. It does not contain all of the information that may be important to you, and you should read this risk factor summary together with the more detailed discussion of risks and uncertainties set forth following this summary. A summary of our risks includes, but is not limited to, the following: •Adverse general economic, market and industry conditions and reductions in workforce identity and customer identity spending have, in the past, and may, in the future, reduce demand for our solutions, which could harm our revenue, results of operations and cash flows. •We have experienced rapid growth in prior periods, and any failure to effectively manage future growth could harm our business and future prospects. •If we fail to manage our growth effectively or fail to execute our business plan, we may not be able to maintain high levels of service and customer satisfaction or adequately address competitive challenges. •We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position. •We have a history of losses, and we may not be consistently profitable in the future. •Our business depends on our ability to retain existing customers, and our revenues and results of operations could be adversely impacted if they do not renew their subscriptions or purchase additional licenses or subscriptions with us. •If we are unable to grow our customer base, our revenue growth and profitability could be harmed. •We may experience quarterly fluctuations in our results of operations due to a number of factors that make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations. •Interruptions or performance problems that impact the functionality of our technology, systems, or infrastructure could result in delays in the deployment of our platforms. •In the past, we have experienced cybersecurity incidents that allowed unauthorized access to our systems or data or our customers’ data, harmed our reputation, created additional liability, and adversely impacted our financial results. We and our third-party service providers may experience similar incidents in the future which may also include disabling access to our service. •We and our third-party service providers have, in the past, failed or been perceived to have failed to fully comply with the privacy or security provisions of our privacy policy, our contracts and/or legal or regulatory requirements, which could result in proceedings, actions or penalties against us. We may experience similar incidents in the future. •If we are unable to ensure that our solutions integrate or interoperate with a variety of operating systems, platforms, services, software applications devices, mobile phones and other hardware form factors that are developed by others, our platforms may become less competitive and our results of operations may be harmed. 16 16 16 •Real or perceived errors, failures, vulnerabilities or bugs in our solutions, including deployment complexity, have, in the past and could, in the future, harm our business and results of operations. •Because we generally recognize revenue from our subscriptions and support services over the term of the relevant service period, a decrease in sales during a reporting period may not be immediately reflected in our results of operations for that period. •The stock price of our Class A common stock may be volatile or may decline. •The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and their affiliates, who held in the aggregate 35.3% of the voting power of our capital stock as of January 31, 2025. This will limit or preclude your ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. •Transactions relating to our convertible notes may affect the value of our Class A common stock. •We depend on our executive officers and other key employees, and the loss of one or more of these employees or an inability to attract and retain other highly skilled employees could harm our business.

Our revenue, results of operations and cash flows depend on the overall demand for our solutions. International and regional economic conditions, including instability or security concerns abroad, such as widespread downturns and recessions; geopolitical events; changes in trade policies, trade restrictions, economic sanctions or the threat of such actions; the instability of financial institutions; the availability and cost of credit; fluctuations in the inflation and interest rate environment; health epidemics; or energy costs have and could continue to lead to increased market volatility, decreased consumer confidence and diminished growth expectations in the U.S. economy and abroad, which in turn could result in reductions in spending on our platforms by our existing and prospective customers. These economic conditions can occur abruptly. Prolonged economic slowdowns may result in customers requesting us to renegotiate existing contracts on less advantageous terms to us than those currently in place or defaulting on payments due on existing contracts or not renewing at the end of the contract term. To the extent there is a sustained general economic downturn, and our platforms and services are perceived by customers or potential customers as costly, or too difficult to deploy or migrate to, our revenue may be disproportionately affected by delays or reductions in spending.

Our revenue, results of operations and cash flows depend on the overall demand for our solutions. Concerns about the inflation and interest rate environment, the instability of financial institutions, health epidemics, the systemic impact of a widespread recession (in the United States or internationally), energy costs, geopolitical issues, such as Russia’s invasion of Ukraine, or the availability and cost of credit have and could continue to lead to increased market volatility, decreased consumer confidence and diminished growth expectations in the U.S. economy and abroad, which in turn could result in reductions in spending on our platforms by our existing and prospective customers. These economic conditions can occur abruptly. Prolonged economic slowdowns may result in customers requesting us to renegotiate existing contracts on less advantageous terms to us than those currently in place or defaulting on payments due on existing contracts or not renewing at the end of the contract term. For example, rising interest rates in the United States have affected businesses across many industries, including ours, by increasing the costs of labor, employee healthcare and other components, which may further constrain our, our customers’ and prospective customers’ budgets. To the extent there is a sustained general economic downturn, and our platforms and services are perceived by customers or potential customers as costly, or too difficult to deploy or migrate to, our revenue may be disproportionately affected by delays or reductions in spending.

In the past, we have at times adjusted our prices either for individual customers in connection with long-term agreements or for a particular solution. We expect that we may need to change our pricing in future periods and potentially in response to increased costs, including as a result of the inflation and interest rate environment, geopolitical considerations, as well as changes in trade policies, trade restrictions or the threat of such actions. Further, as competitors introduce new solutions that compete with ours, or if they reduce their prices or adopt preferable pricing models for evolving technologies, such as AI agents, we may be unable to attract new customers or retain existing customers based on our historical pricing. As we further expand internationally and into additional verticals, we also must determine the appropriate price to enable us to compete effectively. In addition, if our mix of solutions sold changes, then we may need to, or choose to, revise our pricing. As a result, we may be required or choose to reduce our prices or change our pricing model, which could harm our business, results of operations and financial condition.

In the past, we have at times adjusted our prices either for individual customers in connection with long-term agreements or for a particular solution. We expect that we may need to change our pricing in future periods and potentially in response to the inflation and interest rate environment and increased costs. Further, as competitors introduce new solutions that compete with ours or reduce their prices, we may be unable to attract new customers or retain existing customers based on our historical pricing. As we expand internationally, we also must determine the appropriate price to enable us to compete effectively internationally. In addition, if our mix of solutions sold changes, then we may need to, or choose to, revise our pricing. As a result, we may be required or choose to reduce our prices or change our pricing model, which could harm our business, results of operations and financial condition.

We use internally developed and third-party developed machine learning and AI technologies (collectively, “AI Technologies”) in our offerings and business, and we are making investments in expanding our AI capabilities in our portfolio, including ongoing deployment and improvement of existing AI Technologies, as well as developing new product features using AI Technologies. We expect to rely on AI Technologies to help drive future growth and efficiency in our business. While our use of AI Technologies may become more important to our operations or to our future growth over time, we may not be able to realize the desired or anticipated benefits from AI in a timely or cost-effective manner. AI Technologies are complex and rapidly evolving, and we face significant competition from other companies as well as an evolving regulatory landscape. For example, in the European Union, the EU Artificial Intelligence Act now establishes obligations on the use of AI based on the type of AI and its potential risks to society. Additionally, in the United States, legislation related to AI Technologies has been introduced at the federal level and is advancing at the state level. It is possible that further new laws and regulations will be adopted in the United States and in other non-U.S. jurisdictions, or that existing laws and regulations, including competition and antitrust laws, may be interpreted or challenged in ways that would limit our ability to use AI Technologies for our business, or require us to change the way we use AI Technologies in a manner that negatively affects the performance of our products, services, and business. We may need to expend resources to adjust our products or services in certain jurisdictions if the laws, regulations, or decisions are not consistent across jurisdictions. Further, the introduction of AI Technologies into new or existing solutions may result in new or enhanced governmental or regulatory scrutiny, litigation, confidentiality or security risks, ethical concerns or other complications that could adversely affect our business, reputation or financial results. For example, even if permitted by our privacy policy and contractual rights, our use of data in novel AI applications may, in time, expand beyond customer expectations. The intellectual property ownership and license rights, including copyright, surrounding AI Technologies has not been fully addressed by courts or national or local laws or regulations, and the use or adoption of third-party AI Technologies into our solutions may result in exposure to claims of copyright infringement or other intellectual property misappropriation. In addition, we are working to incorporate generative AI Technologies (i.e., those that can produce and output new content, software code, data and information) into our offerings and internal business practices. Uncertainty around new and emerging AI Technologies, such as generative AI Technologies, may require additional investment in the development and maintenance of proprietary and third-party datasets and machine learning models, development of new approaches and processes to provide attribution or remuneration to creators of training data, and development of appropriate protections and safeguards for handling the use of customer data with AI Technologies, which may be costly and could impact our expenses as we continue to expand generative AI Technologies into our product offerings. If such investments do not deliver anticipated benefits or are not otherwise successful, our business and results of operations may be harmed. Furthermore, there is a risk that generative AI Technologies may create content that appears correct but is factually inaccurate or misleading, or that creates other discriminatory content or unexpected results or behaviors. Our customers or others may rely on or use this misleading content to their detriment, which may expose us to brand or reputational harm, competitive harm and/or legal liability. The use of AI Technologies presents emerging ethical and social issues, and if we enable or offer solutions that draw scrutiny or controversy due to their perceived or actual impact on customers or on society as a whole, we may experience brand or reputational harm, competitive harm and/or legal liability.

We use internally developed and third-party developed machine learning and AI technologies in our offerings and business, and we are making investments in expanding our AI capabilities in our portfolio, including ongoing deployment and improvement of existing machine learning and AI technologies, as well as developing new product features using AI technologies, including, for example, generative AI. AI technologies are complex and rapidly evolving, and we face significant competition from other companies as well as an evolving regulatory landscape. For example, in the European Union, the Artificial Intelligence Act establishes obligations on the use of AI based on the type of AI and its potential risks to society. Additionally, in the United States, federal and state legislatures and agencies are introducing legal frameworks and rules governing AI. The introduction of AI technologies into new or existing solutions may result in new or enhanced governmental or regulatory scrutiny, litigation, confidentiality or security risks, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results. For example, even if permitted by our privacy policy and contractual rights, our use of data in novel AI applications may, in time, expand beyond customer expectations. The intellectual property ownership and license rights, including copyright, surrounding AI technologies has not been fully addressed by courts or national or local laws or regulations, and the use or adoption of third-party AI technologies into our solutions may result in exposure to claims of copyright infringement or other intellectual property misappropriation. Uncertainty around new and emerging AI technologies, such as generative AI, may require additional investment in the development and maintenance of proprietary datasets and machine learning models, development of new approaches and processes to provide attribution or remuneration to creators of training data, and development of appropriate protections and safeguards for handling the use of customer data with AI technologies, which may be costly and could impact our expenses as we continue to expand generative AI into our product offerings. AI technologies, including generative AI, may create content that appears correct but is factually inaccurate or flawed. Our customers or others may rely on or use this flawed content to their detriment, which may expose us to brand or reputational harm, competitive harm, and/or legal liability. The use of AI technologies presents emerging ethical and social issues, and if we enable or offer solutions that draw scrutiny or controversy due to their perceived or actual impact on customers or on society as a whole, we may experience brand or reputational harm, competitive harm, and/or legal liability.

Investors, regulators, customers and other stakeholders, both in the United States and internationally, are increasingly attentive to, and have evolving expectations about, sustainability and social issues, initiatives and disclosures. We have undertaken certain sustainability-related initiatives, goals and commitments, which we have communicated on our website, in our SEC filings and elsewhere, and may undertake additional actions in the future. These actions, including establishing certain sustainability goals or targets to respond to stakeholder demands or requirements, may result in increased costs (including, but not limited to, increased costs related to compliance, stakeholder engagement and meeting our contractual commitments). Our ability to perform or carry out such actions may be subject to numerous conditions that are outside our control, and we cannot guarantee that any actions or 22 22 22 outcomes will have the desired effect. Our actual or perceived failure to achieve such goals or targets could negatively impact our reputation and otherwise affect our business performance.

Increased attention to environmental sustainability and social issues, as well as societal expectations regarding voluntary sustainability initiatives and disclosures, may result in increased costs (including but not limited to, increased costs related to compliance, stakeholder engagement and contracting), impact our reputation, or otherwise affect our business performance. We have undertaken certain sustainability-related initiatives, goals and commitments, which we have communicated on our website, in our SEC filings and elsewhere. We may undertake additional actions, including establishing certain sustainability goals or targets, to improve our sustainability profile and/or respond to demand from investors, regulators, customers and other stakeholders, both U.S.-based and internationally. However, such actions may be costly or subject to numerous conditions that are outside our control, and we cannot guarantee that such actions will have the desired effect. Our actual or perceived failure to achieve such goals or targets could negatively impact our reputation and impact our ability to compete as effectively to recruit or retain employees.

Holders of the 2026 Notes have the right to require us to repurchase their 2026 Notes upon the occurrence of a fundamental change (as defined in the indentures governing their respective Notes) at a repurchase price equal to 100% of the principal amount of the 2026 Notes to be repurchased, plus accrued and unpaid interest, if any. Upon conversion of the 2026 Notes, unless we elect to deliver solely shares of our Class A common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the 2026 Notes being converted. We may not have enough available cash or be able to obtain financing at the time we are required to make repurchases of 2026 Notes surrendered or those being converted. In addition, our ability to repurchase the 2026 Notes or to pay cash upon conversions of the 2026 Notes may be limited by law, by regulatory authority or by agreements governing our future indebtedness. Our failure to repurchase 2026 Notes at a time when the repurchase is required by the indenture governing such notes or to pay any cash payable on future conversions of the 2026 Notes as required by such indenture would constitute a default under such indenture. A default under the indenture governing the 2026 Notes or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the 2026 Notes or make cash payments upon conversions. In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could: •make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry and competitive conditions and adverse changes in government regulation; •limit our flexibility in planning for, or reacting to, changes in our business and our industry; •place us at a disadvantage compared to our competitors who have less debt; 38 38 38 •limit our ability to borrow additional amounts to fund acquisitions, for working capital and for other general corporate purposes; and •make an acquisition of our company less attractive or more difficult. Any of these factors could harm our business, results of operations and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.

Holders of the Notes have the right to require us to repurchase their Notes upon the occurrence of a fundamental change (as defined in the indentures governing their respective Notes) at a repurchase price equal to 100% of the principal amount of the Notes to be repurchased, plus accrued and unpaid interest, if any. Upon conversion of the Notes, unless we elect to deliver solely shares of our Class A common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the Notes being converted. We may not have enough available cash or be able to obtain financing at the time we are required to make repurchases of Notes surrendered or Notes being converted. In addition, our ability to repurchase the Notes or to pay cash upon conversions of the Notes may be limited by law, by regulatory authority or by agreements governing our future indebtedness. Our failure to repurchase Notes at a time when the repurchase is required by the indenture governing such notes or to pay any cash payable on future conversions of the Notes as required by such indenture would constitute a default under such indenture. A default under the indenture governing the Notes or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Notes or make cash payments upon conversions. In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could: •make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry and competitive conditions and adverse changes in government regulation; •limit our flexibility in planning for, or reacting to, changes in our business and our industry; •place us at a disadvantage compared to our competitors who have less debt; •limit our ability to borrow additional amounts to fund acquisitions, for working capital and for other general corporate purposes; and •make an acquisition of our company less attractive or more difficult. Any of these factors could harm our business, results of operations and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase. 40 40 40

In the event the conditional conversion features of the 2026 Notes are triggered, holders of the 2026 Notes will be entitled to convert them at any time during specified periods at their option. If one or more holders elect to convert their 2026 Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our Class A common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. From the date of issuance through January 31, 2026, the conditions allowing holders of the 2026 Notes to convert were not met. As of January 31, 2026, the 2026 Notes are classified as a current liability due to their upcoming maturity on June 15, 2026.

In the event the conditional conversion features of the 2025 Notes and the 2026 Notes are triggered, holders of the Notes will be entitled to convert the Notes, as applicable, at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our Class A common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. The conditional conversion features of the 2025 Notes were triggered as of January 31, 2021 and the 2025 Notes were convertible at the option of the holders between February 1, 2021 and April 30, 2021; however, as of January 31, 2025, the conditions allowing holders of the 2025 Notes to convert were not met. From the date of issuance through January 31, 2025, the conditions allowing holders of the 2026 Notes to convert were not met. In addition, even if holders do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital and could limit our ability to raise future capital. As of January 31, 2025, the 2025 Notes have been classified as a current liability on our balance sheet due to their upcoming maturity on September 1, 2025.

Our revenue growth depends on several factors, including pricing our platforms to attract new and retain existing customers; managing demand for our solutions; competing against larger companies and new market entrants; capitalizing on new acquisitions, technologies or growth opportunities; and other conditions described in these risk factors. If we are unable to grow our revenue, it will be difficult to maintain our profitability, or maintain or increase our cash flow on a consistent basis. We expect our operating expenses to increase in future periods as we continue to expand our business. If our revenue growth does not increase to offset these anticipated increases in our operating expenses, our business, financial position and results of operations will be harmed, and we may not be able to consistently maintain profitability.

Our prior revenue growth rates may not be indicative of our future growth or performance. We have experienced revenue growth rates of 43%, 22% and 15% during fiscal 2023, 2024 and 2025, respectively. Our revenue for any quarterly or annual period should not be relied upon as an indication of our future revenue or revenue growth for any future period, as we may not be able to sustain revenue growth consistent with recent history, or at all. Revenue growth depends on several factors, including pricing our platforms to attract new and retain existing customers; managing demand for our solutions; competing against larger companies and new market entrants; capitalizing on new acquisitions, technologies or growth opportunities; and other conditions described in these risk factors. If we are unable to grow our revenue, it will be difficult to maintain our profitability, or maintain or increase our cash flow on a consistent basis. We expect our operating expenses to increase in future periods as we continue to expand our business. If our revenue growth does not increase to offset these anticipated increases in our operating expenses, our business, financial position and results of operations will be harmed, and we may not be able to achieve or consistently maintain profitability. Additionally, the sales cycle for the evaluation and implementation of our platforms, which typically extends for multiple months for enterprise deals, may also cause us to experience a delay between increasing operating expenses and generating corresponding revenue, if any. We may not be able to prepare accurate internal financial forecasts or replace anticipated revenue that we lost as a result of such delays, and our results of operations in future reporting periods could differ materially from our 17 17 17 estimates and forecasts, or may not meet the expectations of our investors, which could cause our business to suffer and our stock price to decline.