TWLO: 10-K Risk Factor Changes

As of December 31, 2025, we had U.S. federal, state and foreign net operating loss carryforwards (“NOLs”), of $2.9 billion, $2.4 billion and $1.0 billion, respectively. Utilization of these NOLs depends on our future taxable income, and there is risk that a portion of our existing NOLs could expire unused and the use of our unexpired NOLs could be subject to limitations, which could materially and adversely affect our operating results. Under current law, our U.S. federal NOLs can generally be carried forward indefinitely, but the deductibility of such NOLs is generally limited to 80% of taxable income. Our state NOLs may also be subject to limitations, including periods during which the use of state NOLs is suspended or otherwise limited, which could accelerate or permanently increase state taxes owed. For example, California legislation limits the use of state NOLs for taxable years beginning on or after January 1, 2024 and before January 1, 2027. Under Sections 382 and 383 of the Internal Revenue Code of 1986, as amended (the “Code”), and corresponding provisions of state law, a corporation that undergoes an “ownership change” (generally defined as a greater than 50-percentage-point cumulative change (by value) in the equity ownership of certain stockholders over a rolling three-year period) is subject to limitations on its ability to utilize its pre-change NOLs and other pre-change tax attributes to offset post-change taxable income and taxes. Our existing NOLs and other tax attributes may be subject to limitations arising from previous ownership changes, and if we undergo an ownership change in the future (which may be outside of our control), our ability to utilize NOLs and other tax attributes could be further limited.

As of December 31, 2024, we had U.S. federal, state and foreign net operating loss carryforwards (“NOLs”), of $2.8 billion, $2.4 billion and $0.8 billion, respectively. Utilization of these NOL carryforwards depends on our future taxable income, and there is risk that a portion of our existing NOLs could expire unused, and that even if we achieve profitability, the use of our unexpired NOLs would be subject to limitations, which could materially and adversely affect our operating results. U.S. federal NOLs generated in taxable years beginning before January 1, 2018, may be carried forward only 20 years to offset future taxable income, if any. Under current law, U.S. federal NOLs generated in taxable years beginning after December 31, 2017 can be carried forward indefinitely, but the deductibility of such U.S. federal NOLs is generally limited to 80% of taxable income. Our state NOLs may also be subject to limitations, including periods during which the use of state NOL carryforwards is suspended or otherwise limited, which could accelerate or permanently increase state taxes owed. For example, California recently enacted legislation that limits the use of state NOLs for taxable years beginning on or after January 1, 2024 and before January 1, 2027. Under Sections 382 and 383 of the Internal Revenue Code of 1986, as amended (the “Code”), and corresponding provisions of state law, a corporation that undergoes an “ownership change” (generally defined as a greater than 50-percentage-point cumulative change (by value) in the equity ownership of certain stockholders over a rolling three-year period) is subject to limitations on its ability to utilize its pre-change NOLs and other pre-change tax attributes to offset post-change taxable income and taxes. Our existing NOLs and other tax attributes may be subject to limitations arising from previous ownership changes, 38 38 38 Table of Contents Table of Contents and if we undergo an ownership change in the future, our ability to utilize NOLs could be further limited by Section 382 of the Code. Future changes in our stock ownership, some of which may be outside of our control, could result in an ownership change under Section 382 of the Code.

Our future success depends in part on our ability to obtain allocations of geographical, mobile, regional, local and toll-free direct inward dialing numbers or phone numbers as well as short codes and alphanumeric sender IDs (collectively, “Numbering Resources”) in the United States and foreign countries at a reasonable cost and without overly burdensome restrictions. Our ability to obtain allocations of, assign and retain Numbering Resources depends on factors outside of our control, such as applicable regulations, the practices of authorities that administer national numbering plans and the requirements of network service providers from whom we can provision Numbering Resources, such as conditional minimum volume call level requirements, as well as related costs and competitive demand. In addition, in order to obtain allocations of, assign and retain Numbering Resources in many international jurisdictions, we are often required to be licensed by local telecommunications regulatory authorities. We have obtained licenses and are in the process of obtaining licenses in various countries in which we do business, but in some countries, the regulatory regime around provisioning of Numbering Resources is unclear, subject to change over time, and sometimes may conflict from jurisdiction to jurisdiction. These regulations and governments’ approach to their enforcement, as well as our products and services, are evolving and we may be unable to maintain compliance with applicable regulations, or enforce compliance by our customers, on a timely basis or without significant cost or changes in products or business practices that result in reduced revenue. In some countries where our or our customers’ assignment and/or use of Numbering Resources in certain ways may violate applicable rules and regulations, we have been subjected to government inquiries and audits, and may in the future be subject to significant penalties or further governmental action, and in extreme cases, may be precluded from doing business in that particular country. We have also been required to reclaim Numbering Resources from our customers as a result of certain events of non-compliance. These reclamations result in loss of customers, loss of revenue, reputational harm, erosion of customer trust, and may also result in breach of contract claims, all of which could have an adverse effect on our business, results of operations and financial condition. If we are unable to acquire or retain Numbering Resources, our voice and messaging products may be less attractive to potential customers. Certain popular area code prefixes have limited availability, and restrictive rules generally prevent us from obtaining or assigning certain number types. In addition, future growth in our customer base and those of other CPaaS providers may make it increasingly difficult to source larger quantities of Numbering Resources, and Numbering Resources may become more expensive or subject to more stringent regulation or conditions of usage. Additionally, in some geographies, we support number portability, which allows our customers to transfer their existing phone numbers to us and thereby retain their existing phone numbers when subscribing to our voice and messaging products. Transferring existing numbers is a manual process that can take up to 15 business days or longer to complete. Any delay that we experience in transferring these numbers typically results from our dependency on network service providers to transfer these numbers, and these network service providers may refuse or substantially delay the transfer of these numbers to us. Number portability is an important feature to many potential customers, and failure to reduce delays may result in adverse regulatory enforcement, increased difficulty in acquiring new customers, or costs to compensate customers for certain failures in the porting process.

Our future success depends in part on our ability to obtain allocations of geographical, mobile, regional, local and toll-free direct inward dialing numbers or phone numbers as well as short codes and alphanumeric sender IDs (collectively, “Numbering Resources”) in the United States and foreign countries at a reasonable cost and without overly burdensome restrictions. Our ability to obtain allocations of, assign and retain Numbering Resources depends on factors outside of our control, such as applicable regulations, the practices of authorities that administer national numbering plans or of network service providers from whom we can provision Numbering Resources, such as offering these Numbering Resources with conditional minimum volume call level requirements, the cost of these Numbering Resources and the level of overall competitive demand for new Numbering Resources. In addition, in order to obtain allocations of, assign and retain Numbering Resources in the EU or certain other regions, we are often required to be licensed by local telecommunications regulatory authorities, some of which have been increasingly monitoring and regulating the categories of Numbering Resources that are eligible for provisioning to us or our customers, including restricting the use of types of numbers for particular use cases. For example, France has prohibited the use of mobile numbers for certain use cases, and Spain is considering similar rules. We have obtained licenses and are in the process of obtaining licenses in various countries in which we do business, but in some countries, the regulatory regime around provisioning of Numbering Resources is unclear, subject to change over time, and sometimes may conflict from jurisdiction to jurisdiction. Furthermore, these regulations and governments’ approach to their enforcement, as well as our products and services, are still evolving and we may be unable to maintain compliance with applicable regulations, or enforce compliance by our customers, on a timely basis or without significant cost. Also, compliance with these types of regulation may require changes in products or business practices that result in reduced revenue. Due to our or our customers’ assignment and/or use of Numbering Resources in certain countries in a manner that may violate applicable rules and regulations, we have been subjected to government inquiries and audits, and may in the future be subject to significant penalties or further governmental action, and in extreme cases, may be precluded from doing business in that particular country. We have also been forced to reclaim Numbering Resources from our customers as a result of certain events of non-compliance. These reclamations result in loss of customers, loss of revenue, reputational harm, erosion of customer trust, and may also result in breach of contract claims, all of which could have an adverse effect on our business, results of operations and financial condition. Due to their limited availability, there are certain popular area code prefixes that we generally cannot obtain. Our inability to acquire or retain Numbering Resources for our operations may make our voice and messaging products less attractive to potential customers in the affected local geographic areas. In addition, future growth in our customer base, together with growth in the customer bases of other providers of cloud communications, has increased, which increases our dependence on needing sufficiently large quantities of Numbering Resources. It may become increasingly difficult to source larger quantities of Numbering Resources as we scale and we may need to pay higher costs for Numbering Resources, and Numbering Resources may become subject to more stringent regulation or conditions of usage such as the registration and ongoing compliance requirements discussed above. 31 31 31 Table of Contents Table of Contents Additionally, in some geographies, we support number portability, which allows our customers to transfer their existing phone numbers to us and thereby retain their existing phone numbers when subscribing to our voice and messaging products. Transferring existing numbers is a manual process that can take up to 15 business days or longer to complete. Any delay that we experience in transferring these numbers typically results from the fact that we depend on network service providers to transfer these numbers, a process that we do not control, and these network service providers may refuse or substantially delay the transfer of these numbers to us. Number portability is considered an important feature by many potential customers, and if we fail to reduce any related delays, then we may experience increased difficulty in acquiring new customers. We may also be required to compensate customers for certain failures in the porting process.

The actual or perceived improper sending of text messages, voice calls, or e-mail may subject us to potential risks, including liabilities or claims relating to consumer protection laws and regulatory enforcement, including fines. For example, the TCPA restricts telemarketing and the use of text messages without prior express consent. TCPA violations can result in significant financial penalties, as businesses can incur civil or criminal penalties imposed by the FCC, FTC, state attorneys general or other state actors or through private litigation. Regulatory enforcement is often public, which would result in reputational harm. Class action suits are the most common method for private enforcement. This has resulted in civil claims against our company and requests for information through third-party subpoenas. The scope and interpretation of the laws that are or may be applicable to the delivery of text messages, voice calls, or e-mail are continuously evolving and developing. If we do not comply with these laws or regulations or if we become liable under these laws or regulations due to the failure of our customers to comply with these laws, we could face direct liability. Moreover, certain customers and others have in the past, and despite our prevention efforts, may in the future, use our platform to transmit unwanted, offensive or illegal communications, spam, social engineering scams, and website links to harmful applications, reproduce and distribute copyrighted material or the trademarks of others without permission, and report inaccurate or fraudulent data or information. These actions violate our policies. Our efforts to defeat spamming attacks, illegal robocalls and other fraudulent activity will not prevent all such activity, particularly as it is facilitated or enhanced by evolving technologies, including AI. Such activity could damage our reputation and the effectiveness of our platform, and we could face claims for damages, regulatory enforcement, copyright or trademark infringement, defamation, negligence, or fraud. Furthermore, enacting more stringent controls on use of our platform to combat such activity could increase friction for our legitimate customers and decrease their use of our platform. Similarly, our products may be subject to fraudulent usage, including but not limited to revenue share fraud, domestic traffic pumping, subscription fraud, premium text message scams and other fraudulent schemes, such as phishing. Although our customers are required to set passwords or personal identification numbers to protect their accounts, third parties have in the past been, and may in the future be, able to access customers’ accounts through fraudulent means and use the accounts for fraudulent activity. Furthermore, spammers attempt to use our products to send targeted and untargeted spam communications. We cannot be certain that our efforts to defeat spamming attacks will be successful in eliminating all spam communications from being sent using our platform. In addition, a security breach of, or security incident impacting, our customers’ systems could result in exposure of their authentication credentials, unauthorized access to their accounts or fraudulent calls on their accounts, any of which could adversely affect our business, results of operations and financial condition. Our customers’ and other users’ promotion of their products and services through our platform might not comply with federal, state, and foreign laws or of contractual requirements imposed by carriers, such as the CTIA Shortcode Agreement, The Campaign Registry, carrier codes of conduct and similar policies. We rely on contractual representations made to us by our customers that their use of our platform will comply with our policies and applicable law, including, without limitation, our 29 29 29 Table of Contents Table of Contents email and messaging policies. Although we retain the right to verify that customers and other users are abiding by certain contractual terms, our Acceptable Use Policy and our email and messaging policies and, in certain circumstances, to review their email, messages and distribution lists, our customers and other users are ultimately responsible for compliance with our policies, and we do not systematically audit our customers or other users to confirm compliance with our policies. We cannot predict whether our role in facilitating our customers’ or other users’ activities will result in violations of carrier policies which could result in fines, administrative delays, or service interruptions. We also cannot predict whether our role in facilitating our customers’ or other users’ activities would expose us to liability under applicable state or federal law, or whether that possibility could become more likely if changes to current laws regulating content moderation, such as Section 230 of the Communications Decency Act, are enacted. If we are found liable for our customers’ or other users’ activities, we could be required to pay fines or penalties, redesign business methods or otherwise expend resources to remedy any damages caused by such actions and to avoid future liability.

The actual or perceived improper sending of text messages or voice calls may subject us to potential risks, including liabilities or claims relating to consumer protection laws and regulatory enforcement, including fines. For example, the TCPA restricts telemarketing and the use of automatic SMS text messages without prior express consent. TCPA violations can result in significant financial penalties, as businesses can incur penalties or criminal fines imposed by the FCC or be fined up to $1,500 per violation through private litigation or state attorneys general or other state actor enforcement. Class action suits are the most common method for private enforcement. This has resulted in civil claims against our company and requests for information through third-party subpoenas. The scope and interpretation of the laws that are or may be applicable to the delivery of text messages or voice calls are continuously evolving and developing. If we do not comply with these laws or regulations or if we become liable under these laws or regulations due to the failure of our customers to comply with these laws, we could face direct liability. Moreover, certain customers may use our platform to transmit unwanted, offensive or illegal messages, calls, spam, phishing scams, and website links to harmful applications, reproduce and distribute copyrighted material or the trademarks of others without permission, and report inaccurate or fraudulent data or information. These issues also arise with respect to a portion of those users who use our platform on a free trial basis or upon initial use. These actions are in violation of our policies and in particular, our Acceptable Use Policy. For example, in 2023, we received a cease-and-desist letter from the FCC alleging that we were transmitting illegal robocall traffic that originated from an independent software vendor customer and their end user customer. In response, we suspended the customers’ accounts and sent the FCC a follow-up letter detailing our fraud mitigation practices and various planned improvements to reduce future risks. However, our efforts to defeat spamming attacks, illegal robocalls and other fraudulent activity will not prevent all such attacks and activity. Such use of our platform could damage our reputation and we could face claims for damages, regulatory enforcement, copyright or trademark infringement, defamation, negligence, or fraud. Furthermore, enacting more stringent controls on our customers’ use of our platform to 32 32 32 Table of Contents Table of Contents combat such violations of our Acceptable Use Policy could increase friction for our legitimate customers and decrease their use of our platform. Our customers’ and other users’ promotion of their products and services through our platform might not comply with federal, state, and foreign laws or of contractual requirements imposed by carriers, such as the CTIA Shortcode Agreement, The Campaign Registry, and similar policies. We rely on contractual representations made to us by our customers that their use of our platform will comply with our policies and applicable law, including, without limitation, our email and messaging policies. Although we retain the right to verify that customers and other users are abiding by certain contractual terms, our Acceptable Use Policy and our email and messaging policies and, in certain circumstances, to review their email, messages and distribution lists, our customers and other users are ultimately responsible for compliance with our policies, and we do not systematically audit our customers or other users to confirm compliance with our policies. We cannot predict whether our role in facilitating our customers’ or other users’ activities will result in violations of carrier policies which could result in fines, administrative delays, or service interruptions. We also cannot predict whether our role in facilitating our customers’ or other users’ activities would expose us to liability under applicable state or federal law, or whether that possibility could become more likely if changes to current laws regulating content moderation, such as Section 230 of the Communications Decency Act, are enacted. If we are found liable for our customers’ or other users’ activities, we could be required to pay fines or penalties, redesign business methods or otherwise expend resources to remedy any damages caused by such actions and to avoid future liability. Additionally, our products may be subject to fraudulent usage, including but not limited to revenue share fraud, domestic traffic pumping, subscription fraud, premium text message scams and other fraudulent schemes, such as phishing. Although our customers are required to set passwords or personal identification numbers to protect their accounts, third parties have in the past been, and may in the future be, able to access and use their accounts through fraudulent means. Furthermore, spammers attempt to use our products to send targeted and untargeted spam messages. We cannot be certain that our efforts to defeat spamming attacks will be successful in eliminating all spam messages from being sent using our platform. In addition, a security breach of, or security incident impacting, our customers’ systems could result in exposure of their authentication credentials, unauthorized access to their accounts or fraudulent calls on their accounts, any of which could adversely affect our business, results of operations and financial condition.

We have experienced substantial growth in our business and operations, which has placed, and may continue to place, significant demands on our management, operational and financial resources and systems, especially as we continue to focus on improving our operating efficiency. Although we have conducted workforce reductions in the past, we may experience employee growth in the future. We have also experienced significant growth in the number of customers, usage and amount of data that our platform and associated infrastructure support. To manage our current and anticipated future growth effectively, we must continue to improve our operational, financial and management controls as well as our reporting systems and procedures, which has required, and will continue to require, us to commit substantial financial, operational, and technical resources. We continue to scale the capacity of, and enhance the capability and reliability of, our technical infrastructure to support increased activity on our platform. Any failure to maintain performance, reliability, security, integrity and availability of our products and infrastructure to the satisfaction of our customers may harm our reputation and our ability to retain existing customers or attract new customers. If we fail to efficiently scale and manage our infrastructure, or if our customers experience service disruptions or outages, our business, financial condition and operating results may be adversely impacted. 16 16 16 Table of Contents Table of Contents

We have experienced substantial growth in our business and operations, which has placed, and may continue to place, significant demands on our management, operational and financial resources and systems, especially as we continue to focus on improving our operating efficiency. Although we have conducted workforce reductions in the past, we may experience employee growth in the future. We have also experienced significant growth in the number of customers, usage and amount of data that our platform and associated infrastructure support. To manage our current and anticipated future growth effectively, we must continue to improve our operational, financial and management controls as well as our reporting systems and procedures, which has required, and will continue to require, us to commit substantial financial, operational, and technical resources. As part of our growth strategy, we have in the past reorganized, and may in the future reorganize, our business or change our reporting structure, which requires significant expenditures, allocation of valuable management resources and significant demands on our operational and financial infrastructure. Any anticipated benefits from any restructuring initiatives we may take may be realized later than expected or not at all, and the ongoing costs of implementing these measures may be greater than anticipated. Additionally, if we are unable to maintain reliable service levels for our customers or if the level of efficiency in our organization suffers as we grow and transform our business and operating model, then our business, results of operations and financial condition could also be adversely affected. We continue to scale the capacity of, and enhance the capability and reliability of, our technical infrastructure to support increased activity on our platform. Any failure to maintain performance, reliability, security, integrity and availability of our products and infrastructure to the satisfaction of our customers may harm our reputation and our ability to retain existing customers or attract new customers. If we fail to efficiently scale and manage our infrastructure, or if our customers experience service disruptions or outages, our business, financial condition and operating results may be adversely impacted.

The current and prospective markets for our products are rapidly evolving, significantly fragmented and highly competitive, in some cases with relatively low barriers to entry, and may fail to grow as expected or decline over time. The principal competitive factors of these markets include completeness of offering, credibility with customers, ability to differentiate our products against competing offerings, global reach, ease of integration and programmability, product features, platform scalability, reliability, deliverability, security and performance, brand awareness and reputation, the strength of sales and marketing efforts, customer support, and the cost of deploying and using products, as well as our customers’ perception of the value and necessity of our products and platform. Our competitors are primarily (i) CPaaS companies that offer communications products and applications, (ii) regional network service providers that offer limited developer functionality on top of their own physical infrastructure, (iii) customer relationship management and customer experience vendors, (iv) standalone customer data platform vendors and (v) other software companies that compete with portions of our product line. Some of our competitors and potential competitors are larger and have greater name recognition, longer operating histories, more established customer relationships, larger budgets, lower operating costs, and significantly greater resources than we do. As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, customer requirements or changing economic conditions. Our competitors may also offer products or services that address one or a limited number of functions at lower prices, with greater depth than our products or in different geographies. Our current and potential competitors have in the past and may in the future develop and market products and services with comparable functionality to our products, and this could lead us to decrease prices in order to remain competitive. In addition, customers may reduce or delay spending on our products or substitute alternative solutions in response to pricing pressures, budget constraints or changing business priorities. With the introduction of new products and services and new market entrants, we expect competition to intensify in the future. Industry developments and evolving technology, such as AI, may also impact our competitive landscape and the factors required to compete effectively in current or prospective markets. Our ability to grow will depend in part on our success in expanding the scope of our products and entering new markets, and there can be no assurance that the markets will grow or that our products will achieve meaningful adoption within them. As we expand the scope of our products, we may face additional competition and, in some cases, may find our products in competition with those of our customers, which could cause them to replace our products with competitive offerings. If one or more of our competitors were to merge or partner with another of our competitors or our suppliers, the change in the competitive landscape could also adversely affect our ability to compete effectively. For example, certain of our competitors have engaged in acquisition activity, and we expect that our competitors will continue to evaluate the acquisition of companies and technologies that could increase competition with our products in the future. In addition, some of our competitors have lower list prices than us, which may be attractive to certain customers even if those products have different or lesser functionality. Pricing pressures and increased competition generally could result in reduced revenue, reduced margins, increased losses or the failure of our products to achieve or maintain widespread market acceptance, any of which could harm our business, results of operations and financial condition. Our business, results of operations and financial condition also depends, in part, on our ability to establish, maintain and expand relationships through resellers, distributors, and strategic partners, including ISVs, technology partners and systems integrators. A portion of our revenue is derived from sales made by these partners and any one of them may later decide to sell their own products or those of third parties that may be competitive with our products. A loss or reduction in sales of our products through these third parties could adversely affect our revenue and other results of operations. 17 17 17 Table of Contents Table of Contents

The current and prospective markets for our products are rapidly evolving, significantly fragmented and highly competitive, with relatively low barriers to entry in some segments. The principal competitive factors these markets include completeness of offering, credibility with customers, ability to differentiate our products against competing offerings, global reach, ease of integration and programmability, product features, platform scalability, reliability, deliverability, security and performance, brand awareness and reputation, the strength of sales and marketing efforts, customer support, and the cost of deploying and using products. Our competitors are primarily (i) CPaaS companies that offer communications products and applications, (ii) other software companies that compete with portions of our communications product line, (iii) regional network service providers that offer limited developer functionality on top of their own physical infrastructure, (iv) customer relationship management and customer experience vendors and (v) standalone customer data platform vendors. Some of our competitors and potential competitors are larger and have greater name recognition, longer operating histories, more established customer relationships, larger budgets, lower operating costs, and significantly greater resources than we do. As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, customer requirements or changing economic conditions. Our competitors may also offer products or services that address one or a limited number of functions at lower prices, with greater depth than our products or in different geographies. Our current and potential competitors have in the past and may in the future develop and market products and services with comparable functionality to our products, and this could lead us to decrease prices in order to remain competitive. With the introduction of new products and services and new market entrants, we expect competition to intensify in the future. As we expand the scope of our products, we may face additional competition and, in some cases, may find our products in competition with those of our customers, which could cause them to replace our products with competitive offerings. If one or more of our competitors were to merge or partner with another of our competitors or our suppliers, the change in the competitive landscape could also adversely affect our ability to compete effectively. For example, certain of our competitors have engaged in acquisition activity and we expect that our competitors will continue to evaluate the acquisition of companies and technologies that could increase competition with our products in the future. In addition, some of our competitors have lower list prices than us, which may be attractive to certain customers even if those products have different or lesser functionality. Pricing pressures and increased competition generally could result in reduced revenue, reduced margins, increased losses or the failure of our products to achieve or maintain widespread market acceptance, any of which could harm our business, results of operations and financial condition. 18 18 18 Table of Contents Table of Contents Our business, results of operations and financial condition also depends, in part, on our ability to establish, maintain and expand relationships through resellers, distributors, and strategic partners, including independent software vendors, technology partners and systems integrators. A portion of our revenue is derived from sales made by these partners and any one of them may later decide to sell their own products or those of third parties that may be competitive with our products. A loss or reduction in sales of our products through these third parties could adversely affect our revenue and other results of operations.

To grow our business, we must continue to attract new customers, increase usage of our existing products and new product adoption by existing customers, and successfully market new products, including products with higher gross margins, and do so in a cost-effective manner. Our sales and marketing teams work closely together to drive awareness and adoption of our platform. We leverage our brand, marketing programs and conferences, such as SIGNAL, to expand our go-to-market 14 14 14 Table of Contents Table of Contents motions. Our go-to-market model has three motions: our self-service platform, primarily aimed at developers and other technical customers; our direct sales motion, primarily aimed at enterprises and other organizations with complex, high-scale business needs; and our partner-led motion, including resellers, distributors, and strategic partners, such as ISVs, technology partners and systems integrators, which is primarily aimed at customers who do not have the available developer resources or expertise to build our products into their own applications. Our sales and marketing strategies, and their effectiveness, are influenced by numerous factors. We have made, and may in the future make, changes to the organization of our sales force and sales motions in response to changes in company strategy, new market opportunities, new products or features, sales performance or effectiveness, changes in sales headcount, changes to the compensation structure of our sales organization, or other factors. Such changes may not lead to wider adoption of our products or to the cost-effective acquisition of additional customers or increased revenue from existing customers as quickly or to the extent we expect, or at all, and have resulted, and may in the future result, in a reduction of productivity, which could negatively impact our growth rate and results of operations. For example, in recent years, we have reduced the size of our sales force to drive further efficiencies in our sales operations and are continuing to improve and rely more heavily on our use of self-service capabilities to drive sales of our products to customers that do not require direct account coverage. We are also introducing AI and automation in our self-service platform aimed at improving sales and customer support. These efforts may not continue to be as effective as we anticipate in driving adoption or increased usage of our products, or may take longer than we expect to drive growth or increase efficiency. In addition, if the costs of the marketing channels we use increase, then we may choose to use alternative or less expensive channels, which may not be as effective as the channels we currently use. New products that we develop or markets that we pursue may require increasingly sophisticated and more costly sales efforts and result in longer sales cycles. For example, we are focusing increasingly on sales to enterprises, such as through our Segment product, which is primarily aimed at complex customer data platform implementations at larger companies, and additional product innovations combining our communications products with contextual data and AI. As we seek to increase the adoption of our products by enterprises, we expect to encounter higher costs and more complex sales efforts for these customers. For enterprises, the decision to adopt our products may require the approval of multiple technical and business decision makers, and enterprise customers may require extensive education about our products and significant customer support before they will commit to deploying our products at scale, which may place additional strain on our product and engineering resources. Enterprises may also engage in protracted pricing and contract negotiations, leading to higher costs and longer sales cycles. Enterprise customers may not use our products enough for us to generate revenue that justifies our cost to obtain such customers, or may choose to develop their own solutions that do not include our products. They may also demand reductions in pricing as their usage of our products increases, notwithstanding increased costs incurred by us to provide such products, which could have an adverse impact on our gross margin. If our efforts to increase the adoption and usage of our products or sell additional products to existing customers are more expensive or time-consuming than we expect or are otherwise ineffective, then our business, results of operations and financial condition would be adversely affected.

To grow our business, we must continue to attract new customers, increase usage of our existing products and new product adoption by existing customers, and successfully market new products, including products with higher gross margins, in a cost-effective manner. Our sales and marketing teams work closely together to drive awareness and adoption of our platform. We leverage our brand, marketing programs, developer network and conferences, such as SIGNAL, to expand our go- 13 13 13 Table of Contents Table of Contents to-market motions. Our go-to-market model has three motions: our self-service platform, primarily aimed at developers, marketers, and other technical users; our direct sales motion, primarily aimed at enterprise and commercial customers; and our partner-led motion, including resellers, distributors, and strategic partners, such as independent software vendors, technology partners and systems integrators, which is primarily aimed at customers who do not have the available developer resources to build their own applications. If the costs of the marketing channels we use increase, then we may choose to use alternative or less expensive channels, which may not be as effective as the channels we currently use. We have made in the past, and may make in the future, significant expenditures and investments of time and resources in new marketing campaigns and sales motions, and changes to the organization of our sales force, and we cannot guarantee that any such investments or changes will lead to wider adoption of our products or to the cost-effective acquisition of additional customers or increased revenue from existing customers as quickly or to the extent that we expect, or at all. In addition, new products that we develop or markets that we pursue may require increasingly sophisticated and more costly sales efforts and result in a longer sales cycle. If we are unable to maintain effective sales and marketing programs, our ability to efficiently attract new customers and increase revenue from existing customers could be adversely affected. In addition, in recent years, we have reduced the size of our sales force to drive further efficiencies in our sales operations. With a more streamlined workforce, we are continuing to improve and rely more heavily on our use of self-service capabilities to drive sales of our products to customers that do not require direct account coverage. Additionally, we are introducing AI and automation in our self-service platform aimed at improving sales and customer support. Our self-service capabilities may not be as effective as we anticipate in driving adoption or increased usage of our products, or may take longer than we expect to drive growth. If our efforts to increase the adoption and usage of our products or sell additional products to existing customers are more expensive or time-consuming than we expect or otherwise ineffective, then our business, results of operations and financial condition would be adversely affected.

Our ability to attract new customers and increase revenue from existing customers depends in large part on our ability to enhance and improve our existing products and to introduce compelling new products and enhancements that reflect the changing nature of our markets, technology, industry standards, and customer needs and preferences. Anticipating these factors requires that we allocate significant resources without any guarantee that our investments of these resources will result in increased adoption of our products by current and prospective customers. For example, we have committed, and expect to continue to commit, significant resources towards developing new products and enhancements by combining our communications products with contextual data and AI. The success of any enhancements or new products depends on several factors, including timely completion, adequate quality testing, actual performance quality, market-accepted pricing levels, customer value and the ability to provide rapid time-to-value for our customers, and the emergence of competing products and services that may be delivered at lower prices, more efficiently, conveniently or securely, or render our products obsolete. For example, if user authentication practices evolve to reduce or eliminate the use of one-time passwords, our revenue could be adversely affected. Enhancements and new products that we develop may not be introduced in a timely or cost-effective manner, may contain errors or defects, may require reworking features and capabilities, may have interoperability difficulties with our platform or other products or may not achieve the broad market acceptance necessary to generate significant revenue or increase our gross profits. Furthermore, our ability to increase the usage of our products depends, in part, on the development of new use cases for our products, which is at times driven by our developer community and may be outside of our control. 15 15 15 Table of Contents Table of Contents If we are unable to successfully and cost-effectively develop and drive adoption of new products, anticipate and keep pace with changes in technology, customers’ needs and expectations, and industry standards, or provide rapid time-to-value to our current and prospective customers, our business, results of operations and financial condition would be adversely affected.

Our ability to attract new customers and increase revenue from existing customers depends in large part on our ability to enhance and improve our existing products and to introduce compelling new products and enhancements that reflect the changing nature of our markets, technology, industry standards, and customer needs and preferences. For example, we are focused on continued product innovations to combine our communications products with contextual data and AI in order to address evolving customer needs and expectations. The success of any enhancements or new products we introduce depends on several factors, including timely completion, adequate quality testing, actual performance quality, market-accepted pricing levels, the ability to provide rapid time-to-value for our customers, and overall market acceptance. Enhancements and new products that we develop may not be introduced in a timely or cost-effective manner, may contain errors or defects, may require reworking features and capabilities, may have interoperability difficulties with our platform or other products or may not achieve the broad market acceptance necessary to generate significant revenue or increase our gross profits. Furthermore, our ability to increase the usage of our products depends, in part, on the development of new use cases for our products, which is at times driven by our developer community and may be outside of our control. The current and prospective markets for our products are subject to rapid technological change, evolving industry standards, and changing regulations, as well as changing customer needs, requirements and preferences. These are all uncertain and we cannot predict the consequences, effects, or introduction of new, disruptive, emerging technologies or the manner and pace at which our markets develop over time, and our ability to compete in these markets depends on predicting and adapting to these changing circumstances to meet current and prospective customer needs. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis, and anticipating these factors requires that we allocate significant resources without any guarantee that any such investments and efforts will result in increased adoption of our products in the marketplace. For example, with the development of next-generation solutions that utilize new and advanced features, including AI and ML, we have committed, and expect to continue to commit, significant resources to developing new products and enhancements and there is no guarantee that our investments and efforts will result in wider adoption of our products in the marketplace. If new technologies emerge that are able to deliver competitive products and services at lower prices, or more efficiently, quickly, conveniently or securely, or if new products are introduced into the market that could render our existing products obsolete, such technologies and products could adversely impact our ability to compete effectively and may lead to customers reducing or terminating their usage of our products. For example, if user authentication practices evolve to reduce or eliminate the use of one-time passwords, our revenue could be adversely affected. If we are unable to successfully and cost-effectively increase adoption and usage of our existing products, develop and drive adoption of new products, anticipate and keep pace with changes in technology, customers’ needs and expectations, and industry standards, or provide rapid time-to-value to our current and prospective customers, our business, results of operations and financial condition would be adversely affected.

We interconnect with fixed and mobile network service providers around the world to deliver our products. Although we have, or are in the process of acquiring, authorization to provide voice and messaging services and for direct access to phone numbers in many countries, we expect to continue to rely to some extent on network service providers for these services. Reliance on network service providers subjects us to regulatory, competitive and other industry related changes over which we have little or no control. In addition, our reliance on network service providers subjects us to fees, penalties, administrative and technical requirements, each of which are subject to change. Similarly, in some cases, we utilize intermediaries for direct access to networks. Although we have, or are in the process of securing, direct connections with network service providers in many countries, we expect to continue to rely on intermediaries for these services to some extent. These intermediaries also charge us changing fees and at times have offerings that compete directly with our products. We also interconnect with internet service providers around the world to deliver our email products, and expect to continue to rely on such providers. Reliance on these providers poses risks to the quality of our services, primarily by limiting our control, operating flexibility, and ability to timely identify and respond to necessary service changes, and by subjecting us to service interruptions or outages. Reliance on such providers in the past has caused, and may in the future cause, errors, service outages, security incidents, or poor-quality communications on our products, and we could encounter difficulty identifying the source of the problem. This has in the past, and may in the future, cause harm to our brand, result in lost revenue, and cause us to lose existing and prospective customers. The fees we pay to these providers also subject us to risks. We are exposed to significant fluctuations in applicable fees paid to network service providers, intermediaries, and internet service providers. These fees are outside of our control and we are not able to predict the magnitude or timing of changes to such fees. Additional or increased fees charged by such providers have resulted, and could in the future result, in increases to our costs and other impacts on our financial results. For example, recent increases to A2P messaging fees charged by major U.S. mobile carriers are expected to create a modest headwind on our margins going forward, and such fees may increase further over time. In some markets, fees charged by our network service providers change daily or weekly. We may not be able to change our customer pricing as rapidly, and absorbing these costs could adversely affect our business and results of operations. Further, even when we do pass fee increases through to customers, it typically increases revenue and cost of revenue such that while gross profit dollars are not impacted, it has a negative impact on gross margins. While historically we have responded to many fee increases through negotiating efforts, absorbing increased costs or passing fees through to customers, we may be unable to respond in these ways in the future without a material negative impact to our business. Our ability to respond to fee increases may also be constrained by equivalent increases by other providers in a particular market, fees that are disproportionately large compared to underlying prices paid by our customers, or market or other conditions limiting our ability to increase the prices we charge for our products. We also face risks related to losing access to these services. Many of these providers do not have long-term committed contracts with us and may interrupt services or terminate their agreements with us without notice. We may not be able to replace these services on a cost-effective basis, or at all, and even if we can, replacing providers may be time-consuming, costly and result in delays. 19 19 19 Table of Contents Table of Contents Any of the foregoing consequences of our reliance on network service providers, intermediaries and internet service providers to deliver our products could adversely impact our business, results of operations and financial condition.

We currently interconnect with fixed and mobile network service providers around the world to enable our customers to use our products over their networks. Although we are in the process of acquiring authorization in many countries for direct access to phone numbers and for the provision of voice and messaging services on the networks of fixed and mobile network service providers, we expect that we will continue to rely on network service providers for these services. Where we do not have direct access to phone numbers, our reliance on network service providers has reduced our operating flexibility, ability to make timely service changes and control quality of service. In addition, the fees that we are charged by network service providers may change daily or weekly and we can be subject to the imposition of additional fees, penalties, or other administrative or technical requirements, and even service interruption, due to regulatory, competitive, or other industry related changes over which we have little to no control. For example, in recent years, multiple major U.S. mobile carriers have introduced A2P SMS service offerings that added a new fee for A2P SMS messages delivered to their respective subscribers, and, from time to time, other U.S. mobile carriers have added similar fees. While we have historically responded to these types of fee increases through a combination of further negotiating efforts with our network service providers, absorbing the increased costs or passing the fees through to customers, there is no guarantee that we will continue to be able to respond in these ways in the future without a material negative impact to our business. We typically do not change our customers’ pricing as rapidly and, as a result, such fee increases could adversely affect our business and results of operations. In addition, passing these fees through to our customers typically has the 20 20 20 Table of Contents Table of Contents effect of increasing our revenue and cost of revenue, but typically does not impact the gross profit dollars received for sending these messages and, as a result, has a negative impact on our gross margins. Additionally, our ability to respond to any new fees may be constrained if all network service providers in a particular market impose equivalent fee structures, if the magnitude of the fees is disproportionately large when compared to the underlying prices paid by our customers, or if the market conditions limit our ability to increase the prices we charge our customers. Furthermore, many of these network service providers do not have long-term committed contracts with us and may interrupt services or terminate their agreements with us without notice. If a significant portion of our network service providers stop providing us with access to their infrastructure, fail to provide these services to us on a cost-effective basis, cease operations, or otherwise terminate these services, the delay caused by qualifying and switching to other network service providers could be time consuming and costly and could adversely affect our business, results of operations and financial condition. Further, if problems occur with our network service providers, such problems have in the past caused, and may in the future cause, errors, service outages, security incidents, or poor-quality communications on our products, and we could encounter difficulty identifying the source of the problem. The occurrence of errors, service outages, security incidents, or poor-quality communications on our products, whether caused by our platform or a network service provider, may result in the loss of our existing customers or the delay of adoption of our products by potential customers and may adversely affect our business, results of operations and financial condition. Further, we sometimes access network services through intermediaries who have direct access to network service providers. Although we are in the process of securing direct connections with network service providers in many countries, we expect that we will continue to rely on intermediaries for these services for some period of time. These intermediaries sometimes have offerings that directly compete with our products and may stop providing services to us on a cost-effective basis. If a significant portion of these intermediaries stop providing services or stop providing services on a cost-effective basis, our business could be adversely affected. We also interconnect with internet service providers around the world to enable the use of our email products by our customers, and we expect to continue to rely on internet service providers for network connectivity going forward. Our reliance on internet service providers reduces our control over quality of service and exposes us to potential service outages and rate fluctuations. The occurrence of poor-quality of service or service outages on our products may result in the loss of our existing customers or the delay of adoption of our products by potential customers and may adversely affect our business, results of operations and financial condition. Similarly, if a significant portion of our internet service providers stop providing us with access to their network infrastructure, fail to provide access on a cost-effective basis, cease operations, or otherwise terminate access, the delay caused by qualifying and switching to other internet service providers could be time consuming and costly and could adversely affect our business, results of operations, and financial condition.

We are subject to increasing legal, regulatory, and contractual obligations relating to privacy, data protection and cybersecurity that affect how we process personal data in the jurisdictions where we and our customers operate. Our obligations change frequently due to new or modified laws and regulations, as well as court rulings interpreting or invalidating them. These evolving obligations involve significant compliance costs and operational challenges, and increasingly expose us to enforcement actions and other proceedings or actions, sanctions, and litigation, as well as regulatory and public scrutiny of our practices relating to personal information. We expect the increasing breadth and depth, and changing nature of, these obligations to continue to require significant resources, including to review our technology, systems and processes against changing requirements. They may also limit our ability to use personal data for new products, including those relying on AI-related technologies. In the United States, for example, the California Consumer Privacy Act (as amended by the California Privacy Rights Act of 2020, the “CCPA”) provides our customers, employees, and other individuals certain rights related to their personal information. The federal government has also proposed, and numerous other states are considering or have proposed and/or enacted, laws and regulations addressing privacy and cybersecurity. Internationally, the regulatory landscape is increasingly complex and fragmented and compliance increasingly financially burdensome. For example, in the European Union (“EU”), the General Data Protection Regulation (“GDPR”) imposes significant requirements regarding the processing of personal information, including related to transparency, individuals’ privacy rights, compliance contracting, data minimization, data breach notification, data retention, security, and international data transfers. Other international privacy and data protection laws also impose strict requirements, such as related to marketing communications and deployment of cookies. Together, this patchwork of global requirements presents significant compliance challenges, and subjects us to possible fines, sanctions, litigation, and other adverse consequences. For example, under the GDPR, regulators may impose temporary or definitive bans on data transfers or other processing, require deletion, and impose significant fines, potentially ranging up to 4% of our worldwide revenue. We must also comply with increasing laws and regulations relating to data residency, data localization, and the transfer of data across territorial boundaries, arising from the fact that our primary data processing facilities are in the United States. For 23 23 23 Table of Contents Table of Contents example, the GDPR restricts the transfer of personal data from the EU to the United States and other countries that are not deemed to have implemented adequate data protection measures, and other jurisdictions have proposed and enacted laws relating to cross-border data transfer or requiring personal information to be stored in the jurisdiction of origin. We use a variety of legal transfer mechanisms to transfer personal data across borders, including standard contractual clauses and the E.U.-U.S. Data Privacy Framework, whose use is subject to ongoing review and litigation, and we may not be able to continue to rely on these or other transfer mechanisms. As a result of this uncertainty, we have encountered hesitancy, reluctance or refusal by European and multinational customers to use our services. If we are unable to maintain valid mechanisms for cross-border data transfer, we and our customers may face increased exposure to regulatory actions, significant fines, or injunctions against processing or transferring personal information from Europe or elsewhere. Any inability to transfer personal information to the United States or other jurisdictions, or costly restrictions on such transfer, may also limit our ability to collaborate with partners and customers, require us to increase our data processing capabilities in Europe and/or other jurisdictions at significant expense, and/or otherwise negatively impact our business. Additionally, as a provider of interconnected VoIP service, we must also comply with certain U.S. federal privacy laws and regulations, including Section 222 of the Communications Act of 1934, as amended, and the FCC’s customer proprietary network information rules. We are also subject to state rules and obligations that have been proposed or adopted, or may be in the future. We are also subject to other rapidly changing technology- and industry-specific laws, regulations and obligations. For example, we expect increased global regulation in the use of AI and ML such as the recent AI Act in Europe, which imposes onerous obligations related to the development, placement on the market and use of AI systems. Various countries and a growing number of U.S. states are also enacting legislation regulating aspects of AI or AI generally. We may need to change our business practices to comply with obligations under these or other new and evolving regimes, and face significant compliance challenges, liability, or other risks. We also have contractual obligations relating to privacy, data protection and cybersecurity that are increasingly stringent due to related legal and regulatory changes and the expansion of our offerings. For example, certain laws and regulations, such as the GDPR and CCPA, require our customers to impose contractual restrictions on their service providers. In addition, we support customer workloads involving the processing of protected health information and are required to sign business associate agreements with customers that subject us to certain requirements under federal and state laws governing health information, such as the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009. Taken together, evolving legal, regulatory and contractual obligations pertaining to privacy, data protection, cybersecurity and AI may require us to expend resources to modify our practices and products, reduce demand for our platform, increase our costs, restrict our ability to store and process data, inhibit product functionality or the development of new products and features, or impact our ability to operate in certain locations, any of which could impair growth or otherwise harm our business. Further, any actual or perceived non-compliance with these laws, regulations, contractual commitments, or other actual or asserted obligations, including industry standards, pertaining to privacy, data protection , cybersecurity or AI could subject us to regulatory audits or inquiries, civil and criminal penalties, or significant fines, or lead to costly legal action, breach of contract claims, adverse publicity, significant liability, inability to process data, and decreased demand for our services, any of which could adversely affect our business, results of operations, and financial condition.

We and our customers are subject to numerous domestic (for example, the California Consumer Privacy Act (“CCPA”)) and foreign (for example, the General Data Protection Regulation (“GDPR”) in the European Union (“EU”)) privacy, data protection and cybersecurity laws and regulations that restrict the collection, use, disclosure and processing of personal information, including financial and health data. These laws and regulations are expanding globally, evolving, and being tested in courts, may result in increasing regulatory and public scrutiny of our practices relating to personal information and may increase our exposure to regulatory enforcement action, sanctions and litigation. The breadth and depth of changes in data protection obligations has required significant time and resources, including a review of our technology and systems against the requirements of the GDPR. The CCPA (as amended by the California Privacy Rights Act of 2020) imposes obligations on businesses to which it applies. These obligations include, but are not limited to, providing specific disclosures in privacy notices and affording California residents (both consumers and employees) certain rights related to their personal information. The CCPA allows for statutory fines for noncompliance. Similar laws have been enacted in 18 other states with 13 laws currently in effect and the remainder becoming effective later in 2025 and 2026. Numerous other states, and the U.S. federal government, also have proposed general privacy legislation recently. Additionally, other states have proposed, and in certain cases enacted, other laws and regulations addressing privacy and cybersecurity, such as Washington’s My Health, My Data Act, which includes a private right of action. If we become subject to new privacy, data protection or cybersecurity laws, the risk of enforcement action against us could increase because we may become subject to additional obligations, and the number of individuals or entities that can initiate actions against us may increase, including individuals, via a private right of action, and state actors. Outside the United States, an increasing number of laws, regulations, and industry standards apply to privacy, data protection and cybersecurity. For example, the GDPR, the United Kingdom’s General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”) and the Swiss Federal Act on Data Protection, impose strict requirements for processing the personal information of individuals protected by the legislation, whether their data is processed within or outside the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland, respectively (such jurisdictions, collectively, “Europe”). For example, the GDPR imposes significant requirements regarding the processing of individuals’ personal information, including in relation to transparency, lawfulness of processing, individuals’ privacy rights, compliant contracting, data minimization, data breach notification, data re-usage, data retention, security of processing and international data transfers. Under the GDPR and UK GDPR, government regulators may impose temporary or definitive bans on data processing or data transfers, require a company to delete data, as well as impose significant fines, potentially ranging up to 20 million Euros under the GDPR, 17.5 million GBP under the UK GDPR, or 4% of a company’s worldwide revenue, whichever is higher. Further, individuals may initiate compensation claims or litigation related to our processing of their personal information. Other privacy and data protection laws in Europe impose strict requirements around marketing communications and the deployment of cookies on users’ devices. As another example, Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”) (Law No. 13,709/2018) may apply to our operations. The LGPD broadly regulates processing of personal information of individuals in Brazil and imposes compliance obligations and penalties comparable to those of the GDPR. Additionally, we expect an increase in the regulation of the use of AI and ML in products and services. For example, in Europe, the Artificial Intelligence Act (“AI Act”), once effective, will impose onerous obligations related to the development, placing on the market and use of AI-related systems. In the United States, numerous states have established study commissions that could lead to regulation of AI, and certain states have enacted legislation regulating aspects of AI. Other countries also are contemplating laws regulating AI and ML. We may have to change our business practices to comply with obligations under these or other new and evolving regimes. Further, the interpretation and application of new domestic and foreign laws and regulations in many cases is uncertain, and our legal and regulatory obligations in such jurisdictions are subject to frequent and unexpected changes, including the potential for various regulatory or other governmental bodies to enact new or additional laws or regulations, to issue rulings that invalidate prior laws or regulations, or to increase penalties significantly. For example, the EU’s Digital Services Act, Digital Markets Act and Data Act entered into force in 2024, and the EU’s Network and Information Security Directive II, adopted in 2023, provides for EU member states to have issued implementing legislation by October 2024. Additionally, the EU’s Digital Operational Resiliency Act entered into force on January 17, 2025. 25 25 25 Table of Contents Table of Contents Similarly, with our registration as an interconnected VoIP provider for certain products with the Federal Communications Commission (“FCC”), we also must comply with privacy laws associated with customer proprietary network information rules in the United States. In addition, states such as California have increasingly adopted or proposed, or may propose, regulations that may classify our services in such a manner as to subject us to additional privacy-related compliance obligations under state law. If we fail or are perceived to have failed to maintain compliance with these requirements, we could be subject to regulatory audits or inquiries, civil and criminal penalties, fines and breach of contract claims, as well as reputational damage, which could impact the willingness of customers to do business with us. In addition to our legal obligations, our contractual obligations relating to privacy, data protection and cybersecurity have become increasingly stringent due to changes in laws and regulations and the expansion of our offerings. Certain privacy, data protection and cybersecurity laws, such as the GDPR and the CCPA, require our customers to impose specific contractual restrictions on their service providers. In addition, we support customer workloads that involve the processing of protected health information and are required to sign business associate agreements with customers that subject us to requirements under the federal Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, as well as state laws that govern health information. Our actual or perceived failure to comply with laws, regulations, contractual commitments, or other actual or asserted obligations, including certain industry standards, regarding privacy, data protection and cybersecurity could lead to costly legal action, adverse publicity, significant liability, inability to process data, and decreased demand for our services, which could adversely affect our business, results of operations and financial condition. As a cumulative example of these risks, because our primary data processing facilities are in the United States, we have experienced hesitancy, reluctance, or refusal by European or multinational customers to continue to use our services due to potential risks arising from the Court of Justice’s July 2020 ruling in the “Schrems II” case, as well as related guidance from regulators and enforcement action against Meta by the Irish Data Protection Commission. For example, absent appropriate safeguards or other circumstances, the GDPR and laws in Switzerland and the UK generally restrict the transfer of personal information to many countries outside of such jurisdictions, such as the United States. On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. Based on this decision, personal information can flow from the EU to U.S. companies participating in the EU-U.S. Data Privacy Framework without having to put in place additional data protection safeguards. We are certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. If we cannot maintain a valid mechanism for cross-border data transfers, we and our customers may face increased exposure to regulatory actions, substantial fines, and injunctions against processing or transferring personal information from Europe or elsewhere. The inability to transfer personal information to the United States could significantly and negatively impact our business operations; limit our ability to collaborate with parties that are subject to data privacy and security laws; or require us to increase our personal information processing capabilities in Europe and/or elsewhere at significant expense. In addition, outside of Europe, other jurisdictions have proposed and enacted laws relating to cross-border data transfer or requiring personal information, or certain subcategories of personal information, to be stored in the jurisdiction of origin. If we are unable to increase our data processing capabilities and storage in Europe and other countries to limit or eliminate the need for data transfers out of Europe and other applicable countries quickly enough, and valid solutions for personal information transfers to the United States or other countries are not available or are difficult to implement in the interim, we will likely face continuing reluctance from European and multinational customers to use our services and increased exposure to regulatory actions, substantial fines and injunctions against processing or transferring personal information across borders. Evolving laws, regulations, and other actual and asserted obligations relating to privacy, data protection, and cybersecurity, as well as any new or evolving obligations relating to the use of AI and ML technologies, could reduce demand for our platform, increase our costs, impair our ability to grow our business, or restrict our ability to store and process data or, in some cases, impact our ability to offer our service in some locations and may subject us to liability. Further, in view of new or modified federal, state or foreign laws and regulations, industry standards, contractual obligations and other actual and asserted obligations, or any changes in their interpretation, we may find it necessary or desirable to fundamentally change our business activities and practices or to expend significant resources to modify our practices and platform and otherwise adapt to these changes. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new products and features could be limited.

Global economic and business activities continue to face widespread macroeconomic uncertainties, including market volatility, changes in international economic and trade relations, supply chain disruptions, changes in the labor market, elevated interest rates and potential increases in inflation, foreign currency exchange rate fluctuations and recession risks, which may continue for an extended period. Additionally, the instability in the political environment in many parts of the world, including in the United States, and changes and uncertainty with respect to trade policies, actual or threatened tariffs, treaties, government regulations, executive orders, directives and enforcement priorities, as well as any ongoing or potential U.S. federal government shutdown, may adversely affect the global economy and/or our business. Given that a majority of our revenue is usage-based and therefore impacted by general consumer sentiment and activity, our business may be more immediately and severely impacted by adverse macroeconomic conditions than those that rely primarily on subscription revenue. Additionally, increased prices resulting from the effects of tariffs and inflation could increase our operating expenses. Adverse macroeconomic conditions have in the past resulted in, and may in the future result in, decreased or delayed business spending by our current and prospective customers and business partners, reduced demand for or usage of our products, lower renewal rates by our customers, longer or delayed sales cycles, including current and prospective customers delaying contract signing or contract renewals, reduced budgets or minimum commitments related to the products that we offer, or delays in customer payments or our ability to collect accounts receivable, all of which could negatively affect revenue and revenue growth. Additionally, our customers may be affected by changes and uncertainty in the global political environment with respect to trade and other policies. For example, uncertainty regarding the impact of tariffs on certain countries by the U.S. administration, as well as potential or actual retaliatory measures taken by trade partners, have adversely affected trade relations, put increased pressure on supply chains, and led to increased market volatility, and such effects may continue. Any resulting harm to our customers’ businesses could depress their usage levels and/or purchasing power and lead them to reduce their spending with us. Macroeconomic and political conditions and uncertainties have in the past adversely affected, and may in the future adversely affect, our business, results of operations and financial condition, and could exacerbate many of the other risks described in this “Risk Factors” section.

Global economic and business activities continue to face widespread macroeconomic uncertainties, including changes in the labor market and supply chain disruptions, inflation and monetary supply shifts, volatility in the banking and financial services sectors, and recession risks, which may continue for an extended period. Additionally, the instability in the geopolitical environment in many parts of the world, changes in public policy, international trade relations, actual or potential tariffs, and other disruptions to global and regional economies and markets may continue to cause or exacerbate uncertain economic conditions. Given that a majority of our revenue is usage-based and impacted by general consumer sentiment and activity, our business may be more immediately and severely impacted by adverse macroeconomic conditions than those that rely primarily on subscription revenue. Adverse macroeconomic conditions have resulted in, and may continue to result in, decreased or delayed business spending by our current and prospective customers and business partners, reduced demand for or usage of our products, lower renewal rates by our customers, longer or delayed sales cycles, including current and prospective customers delaying contract signing or contract renewals, reduced budgets or minimum commitments related to the products that we offer, or delays in customer payments or our ability to collect accounts receivable, all of which could negatively affect revenue and revenue growth. Additionally, changes in the U.S. political environment could lead to changes in macroeconomic conditions and to the legal and regulatory environment in the United States and globally, including changes to international trade relations, economic and monetary policies or other legislation, regulations, executive orders, directives or enforcement priorities, any of which could have an adverse impact on the global economy and/or our business. If customers fail to pay us or reduce their spending with us as a result of adverse macroeconomic or geopolitical conditions or otherwise, we may be required to take steps to enforce the terms of our contracts and collect amounts due, including through litigation, which could increase our operating expenses. For example, in February 2023, one of our customers, Oi SA, a Brazilian telecom company, initiated reorganization proceedings in a Brazilian bankruptcy court as well as a secondary proceeding under Chapter 15 in the United States and exposed us to risks on collections of pre-petition receivables and ongoing revenue, as detailed in Part II, Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Factors Affecting Our Results of Operations.” If macroeconomic and geopolitical conditions and uncertainties adversely affect our business and the businesses of our current and prospective customers, our results of operations and financial condition may continue to be harmed, and many of the other risks described in this “Risk Factors” section will be exacerbated.

We are subject to taxes in both the United States and numerous international jurisdictions. Significant judgment is required in determining our worldwide provision for taxes. In the ordinary course of our business, there are many transactions and calculations where the ultimate tax determination is uncertain. Our effective tax rates may fluctuate significantly on a quarterly basis because of a variety of factors, including changes in the mix of earnings and losses in countries with differing statutory tax rates, changes in our business or structure, or the expiration of or disputes about certain tax agreements in a particular country. We are subject to audit by various tax authorities. In accordance with GAAP, we recognize income tax benefits, net of required valuation allowances and accrual for uncertain tax positions. Although we believe our tax estimates are reasonable, the final determination of tax audits and any related litigation could be materially different than that which is reflected in our historical income tax provisions and accruals. Should additional taxes be assessed as a result of an audit or litigation, an adverse effect on our results of operations, financial condition and cash flows in the period or periods for which that determination is made could result. Changes in tax laws, including recently enacted U.S. federal tax legislation commonly referred to as the One Big Beautiful Bill Act (the “OBBB Act”), or tax rulings, or changes in interpretations of existing laws, could cause us to be subject to additional taxes, which in turn could materially affect our financial position and results of operations. The OBBB Act could potentially increase our effective tax rate as we continue to expand our international operations in the coming years. Additionally, new, changed, modified, or newly interpreted or applied tax laws could increase our customers’ and our compliance, operating and other costs, as well as the costs of our products. As another example, the Organization for Economic Co-operation and Development (the “OECD”) has proposed a global minimum tax (“Pillar Two”), contemplating a minimum tax rate of 15% for large multinational companies, and various countries have proposed or enacted implementing legislation. Notwithstanding the OECD’s side-by-side elective safe harbor announced in January 2026 for U.S. parented groups, we may still face increased tax rates, compliance complexity and tax provision volatility as a result of Pillar Two.

We are subject to income taxes in both the United States and numerous international jurisdictions. Significant judgment is required in determining our worldwide provision for income taxes. In the ordinary course of our business, there are many transactions and calculations where the ultimate tax determination is uncertain. Our effective tax rates may fluctuate significantly on a quarterly basis because of a variety of factors, including changes in the mix of earnings and losses in countries with differing statutory tax rates, changes in our business or structure, changes in tax laws that could adversely impact our income or non-income taxes or the expiration of or disputes about certain tax agreements in a particular country. We are subject to audit by various tax authorities. In accordance with GAAP, we recognize income tax benefits, net of required valuation allowances and accrual for uncertain tax positions. Although we believe our tax estimates are reasonable, the final determination of tax audits and any related litigation could be materially different than that which is reflected in historical income tax provisions and accruals. Should additional taxes be assessed as a result of an audit or litigation, an adverse effect on our results of operations, financial condition and cash flows in the period or periods for which that determination is made could result. Changes in tax laws or tax rulings, or changes in interpretations of existing laws, could cause us to be subject to additional income-based taxes and non-income taxes (such as payroll, sales, use, value-added, digital tax, net worth, property, and goods and services taxes), which in turn could materially affect our financial position and results of operations. Additionally, new, changed, modified, or newly interpreted or applied tax laws could increase our customers’ and our compliance, operating and other costs, as well as the costs of our products. For example, on August 16, 2022, the Inflation Reduction Act of 2022 was signed into law, with tax provisions primarily focused on implementing a 15% minimum tax on global adjusted financial statement income of corporations with adjusted financial statement income exceeding $1.0 billion, effective for tax years beginning after December 31, 2022, and a 1% excise tax on share repurchases occurring after December 31, 2022, which resulted in an excise tax payable calculated on our 2023 and 2024 share repurchases. As another example, beginning in 2022, the Tax Cuts and Jobs Act of 2017 (the “Tax Act”) eliminates the option to deduct research and development expenditures currently and requires taxpayers to capitalize and amortize them over five or fifteen years pursuant to Section 174 of the Code, which impacts our effective tax rate and our cash tax liability in 2024. If the requirement to capitalize Section 174 expenditures is not modified by legislation, it will continue to impact our effective tax rate and our cash tax liability. On October 8, 2021, the Organization for Economic Co-operation and Development (the “OECD”) announced the OECD/G20 Inclusive Framework on Base Erosion and Profit Shifting (the “Framework”) which agreed to a two-pillar solution to address tax challenges arising from digitalization of the economy. On December 20, 2021, the OECD released Pillar Two Model Rules defining the global minimum tax rules, which contemplate a minimum tax rate of 15% for large multinational companies. On December 15, 2022, the European Union (EU) Member States formally adopted the EU’s Pillar Two Directive and various countries have enacted or are in the process of enacting legislation on these rules. These changes, when enacted by various countries in which we do business, may increase our taxes in these countries. Changes to these and other areas in relation to international tax reform, including future actions taken by foreign governments in response to the Tax Act, could increase uncertainty and may adversely affect our tax rate and cash flow in future years.

We depend upon our IT systems to conduct virtually all of our business operations, ranging from our internal operations and research and development activities to our marketing and sales efforts and communications with our customers, vendors and other business partners. Moreover, our platform stores, transmits, and otherwise processes our, our customers’ and our partners’ proprietary, confidential, and sensitive data. We also rely on various third-party service providers – including network service providers, internet service providers, telecommunications carriers, and providers of cloud infrastructure and cloud communications – for business operations, to operate our platform and to deliver our products, as well as third-party technology and intellectual property. We have been targeted by threat actors seeking unauthorized access to our systems or data, or that of our customers or third-party service providers, or to disrupt our operations or ability to provide our services. Our third-party service providers have also been targeted. Our platform and our underlying infrastructure, the information we store and process, and those of our third-party service providers, are subject to evolving threats and have in the past and may in the future be subject to breaches, compromises, disruptions, or other incidents, including as a result of the following: •fraud, social-engineering attacks (such as phishing) and other third-party attempts to induce our employees, customers or partners to disclose sensitive information to gain access to our customers’ data or systems, or our data or our systems; •efforts by hackers or sophisticated groups, such as criminal organizations, state-sponsored organizations or nation-states, to launch coordinated cyberattacks on internally built infrastructure or on third-party cloud-computing platform providers, including malicious code, ransomware, destructive malware, supply chain attacks and distributed denial-of-service attacks; •third-party attempts to abuse our marketing, advertising, messaging or products and functionalities to impersonate persons or organizations and disseminate information that is false, misleading or malicious; •attacks on, malfunctions or unavailability of, or other vulnerabilities in, the underlying networks and services that power the internet or that our products otherwise depend on, many of which are not under our control or the control of our customers or partners; •attacks facilitated or enhanced by AI, including deep fakes; and •employee fraud, misconduct or error, including resulting from efforts to bribe, extort, infiltrate or otherwise compromise our or our service providers’ workforce. Cyberattacks and other malicious activity continue to become more sophisticated, targeted and inexpensive to conduct, and to increase in frequency and magnitude. These include ransomware and cyber extortion attacks, which can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversion of funds. Extortion payments may reduce the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments, such as due to applicable laws or regulations prohibiting such payments. Geopolitical tensions and events may further heighten risks we and our service providers face from breaches and other incidents. We make, and expect to continue to make, significant investments in processes and controls designed to mitigate risks associated with breaches and other incidents, including to evaluate and respond to known and potential risks. These investments are, and could increasingly be, costly, and may not be effective or prevent a material incident. Our ability to effectively mitigate these risks may be impacted by, among other factors: •the rapidly evolving nature of techniques to breach, compromise, or disrupt IT systems and infrastructure, including increasing use of AI technologies, such that we may not be able to recognize such techniques until launched against a target, or anticipate, prevent, or timely respond to them, increasing the likelihood and magnitude of damage of a breach or other incident; 22 22 22 Table of Contents Table of Contents •the increasing complexity of our internal IT systems, including as we adopt new technologies, including AI solutions, and incorporate and secure IT environments from acquired companies; •our reliance on third-party technology and service providers; and •our limited control over customers and third-party providers (including those authorized by customers to access their data) and the processing of data by third-party providers, which may prevent us from maintaining the integrity or security of such data. In the normal course of business, we experience, and have experienced, cyberattacks and other security incidents, which have in the past and may in the future cause harm to our business. For example, in 2022, one such incident resulted in threat actors obtaining employee credentials and accessing customer data, and required us to notify affected customers and regulators and take steps to remediate the incident. While to date the security events we have experienced have not had a material financial impact, we may experience significant and material future incidents. Any security incident can result in loss, corruption, unavailability, or other unauthorized processing of confidential information or sensitive personal information. Any such event, or the perception that it has occurred, may also result in damage to our reputation, erosion of customer trust, loss of customers, litigation, regulatory investigation, fines, penalties, and other consequences and liabilities that could adversely affect our business, results of operation and financial condition. Laws and regulations require us to maintain security measures, and we may have contractual or other legal obligations to notify customers, government agencies, impacted individuals or other relevant stakeholders of security breaches or other incidents, which disclosures are costly and may cause widespread negative publicity and resulting harm, among other adverse consequences. Further, the detection, prevention, and remediation of known and potential security incidents, including determining whether an incident is notifiable or reportable, may not be straightforward and result in additional direct or indirect costs to respond or alleviate the consequences of the actual or perceived incident, such as additional infrastructure capacity spending to mitigate system degradation or reallocation of resources from development activities. We maintain errors, omissions and cyber liability insurance policies covering certain security and privacy damages, but such insurance may not be sufficient to cover the potentially significant losses resulting from a security breach or other incident, may be denied with respect to a particular claim, or may not remain available in the future on acceptable terms or at all.

We depend upon our IT systems to conduct virtually all of our business operations, ranging from our internal operations and research and development activities to our marketing and sales efforts and communications with our customers and business partners. We have in the past and will in the future be subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks (such as credential stuffing), personnel or service provider misconduct or error, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss or unavailability of data or other information technology assets, adware, telecommunications failures, earthquakes, fires, floods, natural disasters, and other similar threats. Individuals or entities have in the past attempted and will in the future attempt to penetrate the security of our platform, or of our network or systems, and to cause harm to our business operations, including by misappropriating our proprietary information or that of our customers, employees and business partners or to cause interruptions of our products and platform. In particular, cyberattacks and other malicious internet-based activity continue to increase in frequency and in magnitude generally, and cloud-based companies have been targeted in the past. In addition to threats from traditional computer hackers, malicious code, software vulnerabilities, supply chain attacks and vulnerabilities through our third-party partners, employee theft or misuse, password spraying, phishing, smishing, vishing, credential stuffing and denial-of-service attacks, we also face threats from sophisticated organized crime, nation-state, and nation-state supported actors who engage in attacks (including advanced persistent threat intrusions) that add to the risk to our systems (including those hosted on cloud services), internal networks, our customers’ systems, our service providers’ networks, and the information that they store and process. Ransomware and cyber extortion attacks, including those perpetrated by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversion of funds. Extortion payments may alleviate or reduce the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Geopolitical tensions and events may further heighten risks we and 23 23 23 Table of Contents Table of Contents our service providers face from these and other types of attacks. Because the techniques used to access, disrupt or sabotage devices, systems and networks change frequently and may not be recognized until launched against a target, we expect to be required to make further investments over time to protect data and infrastructure as cybersecurity threats develop, evolve and grow more complex over time. We may also be unable to anticipate these techniques, and we may not become aware in a timely manner of any security breach or incident, which could exacerbate any damage we experience. We depend upon our employees and contractors to appropriately handle confidential and sensitive data, including customer data, and to deploy our IT resources in a safe and secure manner that does not expose our network systems to security breaches or incidents or the loss, alteration, unavailability, or other unauthorized processing of data. We have been and expect to be subject to cybersecurity threats and incidents, including denial-of-service attacks, employee errors or individual attempts to gain unauthorized access to information systems. We also continue to incorporate AI solutions and features into our platform, which may result in security incidents or otherwise increase cybersecurity risks. Further, AI technologies may be used in connection with certain cybersecurity attacks, resulting in heightened risks of security breaches and incidents. Any security incidents, including internal malfeasance or inadvertent disclosures by our employees or a third-party’s fraudulent inducement of our employees to disclose information, unauthorized access or usage, the introduction of viruses or other malicious code or any other breach or incident or disruption of our platform, systems, or networks or those of our service providers, could result in loss, corruption, unavailability, or other unauthorized processing of confidential information, and any such event, or the perception that it has occurred, may result in damage to our reputation, erosion of customer trust, loss of customers, litigation, regulatory investigations, fines, penalties and other liabilities. For example, in June and August 2022, we became aware that threat actors had conducted sophisticated social engineering campaigns against some of our employees after having obtained employee names and mobile phone numbers from unknown sources. The attack identified in August 2022, which involved smishing text messages that purported to be from our IT department, resulted in the threat actor obtaining some of our employees’ credentials and access to certain data of approximately 209 customers out of our total customer base of approximately 270,000 at that time. We notified and worked with our affected customers. We also notified appropriate regulators and addressed their questions about the incident. We also took steps to remediate the incident, including enhancing our security training, improving our two factor authentication requirements, implementing additional layers of control within our VPN, reducing access to certain internal applications and tools, running simulated phishing attempts to increase employee security awareness, and increasing the refresh frequency for access to certain internal applications. Industry reports indicate that the threat actors also attacked other technology, telecommunication and cryptocurrency companies. We also rely on various third-party service providers to operate our platform and deliver our products, including network service providers, internet service providers, telecommunications carriers, providers of cloud infrastructure and cloud communications, and third-party technology and intellectual property. Our service providers (or their sub-service providers) have in the past experienced, and may in the future experience, security breaches and incidents, including unauthorized access or inadvertent disclosures, that have exposed and may expose or make available to threat actors our data or that of our customers. Even when our systems are not compromised, if our service providers experience breaches or incidents that impact our data or our customers’ data, then our reputation, customer trust, business, results of operations and financial condition could be adversely affected. Furthermore, we are required to comply with laws and regulations that require us to maintain security measures designed to protect personal information and we may have contractual and other legal obligations to notify customers, regulators, government agencies, impacted individuals or other relevant stakeholders of security breaches. Such disclosures are costly, and the disclosures or the failure to comply with such requirements could lead to adverse consequences. If we (or a third party upon whom we rely) experience a security incident or are perceived to have experienced a security incident, we may experience adverse consequences. Consequences associated with such security incidents may include: government enforcement actions and other actions or proceedings (for example, investigations, audits, and inspections), and related fines, penalties, required remedial actions, or other obligations and liabilities; additional reporting requirements and/or oversight; restrictions on processing or transferring data (including personal data); claims, demands, and litigation (including class claims); indemnification obligations; monetary fund diversions; interruptions in our operations (including availability of data); financial loss and other similar harms. Actual and perceived security incidents and attendant consequences could also lead to negative publicity and reputational harm, may cause our customers to lose confidence in the effectiveness of our security measures and require us to expend significant capital and other resources to respond to and/or mitigate the security incident. Accordingly, if our cybersecurity measures or those of our third-party service providers fail to protect against unauthorized access, attacks (which may include sophisticated cyberattacks), or if our employees or contractors compromise or mishandle data, then our reputation, customer trust, business, results of operations and financial condition could be adversely affected. While we maintain errors, omissions and cyber liability insurance policies covering certain security and privacy damages, we cannot be certain that our existing insurance coverage will continue to be available on acceptable terms or will be 24 24 24 Table of Contents Table of Contents available, and in sufficient amounts, to cover the potentially significant losses that may result from a security incident or breach or that the insurer will not deny coverage as to any future claim.

In many of the jurisdictions in which we operate, non-income-based taxes, such as sales tax, value-added tax, goods and services tax, and telecommunications taxes, are assessed on our operations or our sales to customers. Such tax laws and rates vary by jurisdiction. One or more states or countries may seek to impose incremental or new indirect tax collection obligations on us. Any additional fees and taxes levied on our services by any state may adversely impact our results of operations. Historically, we have not billed or collected indirect taxes in certain jurisdictions and, in accordance with GAAP, we have recorded a provision for our tax exposure in these jurisdictions when it is both probable that a liability has been incurred and the amount of the exposure can be reasonably estimated. We reserved $42.8 million on our December 31, 2025 balance sheet for these tax payments. These estimates include several key assumptions, including, but not limited to, the taxability of our products, the jurisdictions in which we believe we have nexus or a permanent establishment, and the sourcing of revenues to those jurisdictions. In the event these jurisdictions challenge our assumptions and analysis, our actual exposure could differ materially from our current estimates and reserves. If the actual payments we make to any jurisdiction exceed the accrual in our balance sheet, our results of operations would be harmed. In addition, some customers may question the incremental tax charges and seek to negotiate lower pricing from us, which could adversely affect our business, results of operations and financial condition. 35 35 35 Table of Contents Table of Contents We are in discussions with certain jurisdictions regarding potential sales and other indirect taxes for prior periods that we may owe. If any of these jurisdictions disagree with management’s assumptions and analysis, the assessment of our tax exposure could differ materially from management’s current estimates, which may increase our costs of doing business and negatively affect the prices our customers pay for our products.

Significant judgments and estimates are required in determining our provision for income taxes and other tax liabilities. Our tax expense may be impacted, for example, if tax laws change or are clarified to our detriment or if tax authorities successfully challenge the tax positions that we take, such as, for example, positions relating to the arm’s-length pricing standards for our intercompany transactions and our indirect tax positions. In determining the adequacy of our provision for income taxes, we assess the likelihood of adverse outcomes that could result if our tax positions were challenged by the Internal Revenue Service (“IRS”), and other tax authorities. Should the IRS or other tax authorities assess additional taxes as a result of examinations, we may be required to record charges to operations that could adversely affect our results of operations and financial condition. We conduct operations in many tax jurisdictions throughout the United States and internationally. In many of these jurisdictions, non-income-based taxes, such as sales, value-added tax, goods and services tax, and telecommunications taxes, are assessed on our operations or our sales to customers. We are subject to indirect taxes, and may be subject to certain other taxes, in some of these jurisdictions. We collect certain telecommunications-based taxes from our customers in certain jurisdictions, and we expect to continue expanding the number of jurisdictions in which we will collect these taxes in the future. Many states are also pursuing legislative expansion of the scope of goods and services that are subject to sales and similar taxes as well as the circumstances in which a vendor of goods and services must collect such taxes. Following the United States Supreme Court decision in South Dakota v. Wayfair, Inc., states are now free to levy taxes on sales of goods and services based on an “economic nexus,” regardless of whether the seller has a physical presence in the state. Any additional fees and taxes levied on our services by any state may adversely impact our results of operations. Historically, we have not billed or collected taxes in certain jurisdictions and, in accordance with GAAP, we have recorded a provision for our tax exposure in these jurisdictions when it is both probable that a liability has been incurred and the amount of the exposure can be reasonably estimated. We reserved $41.4 million on our December 31, 2024 balance sheet for these tax payments. These estimates include several key assumptions, including, but not limited to, the taxability of our products, the jurisdictions in which we believe we have nexus or a permanent establishment, and the sourcing of revenues to those jurisdictions. In the event these jurisdictions challenge our assumptions and analysis, our actual exposure could differ materially from our current estimates and reserves. If the actual payments we make to any jurisdiction exceed the accrual in our balance sheet, our results of operations would be harmed. In addition, some customers may question the incremental tax charges and seek to negotiate lower pricing from us, which could adversely affect our business, results of operations and financial condition. We are in discussions with certain jurisdictions regarding potential sales and other indirect taxes for prior periods that we may owe. If any of these jurisdictions disagree with management’s assumptions and analysis, the assessment of our tax exposure could differ materially from management’s current estimates. For example, in 2020, San Francisco City and County assessed us for $38.8 million in taxes, including interest and penalties, which exceeded the $11.5 million we had accrued for that assessment. We paid the full amount under protest and filed a lawsuit on May 27, 2021 contesting the assessment. We entered into a settlement agreement in November 2023 pursuant to which San Francisco paid us $18.0 million in settlement of our claims.

We face risks associated with optimally pricing our products, particularly given the dynamic nature of our usage-based pricing. The fees that we pay to network service providers can vary, in some markets daily or weekly, differ across countries, and are affected by volume and other factors that may be outside of our control and which are difficult to predict. As a result, we may incur increased costs that we may be unable or unwilling to pass through to our customers. If we do pass increased fees through to our customers, it could adversely affect customer relationships or cause customers to seek lower-cost alternatives. We periodically adjust the pricing for our products and expect to continue to. Many of our usage-based customers have contracts with negotiated pricing, and our subscription contracts also have negotiated pricing. New products or price reductions by competitors may prevent us from retaining or attracting customers based on our historical pricing, and we may otherwise be required or choose to reduce our pricing. Any such price reductions, lost customers, or other failure to optimize our pricing could adversely impact our business, results of operations and financial condition.

For certain of our products, we primarily charge our customers based on their usage of such products. One of the challenges of this usage-based pricing model is the variability of the fees that we pay to network service providers over whose networks we transmit communications. Such network fees can vary daily or weekly, differ across countries, and are affected by volume and other factors that may be outside of our control and which are difficult to predict. This can result in us incurring increased costs that we may be unable or unwilling to pass through to our customers, which could adversely impact our business, results of operations and financial condition. If we elect to pass through increased fees to our customers, it could adversely affect our relationship with our customers and our customers may look for lower cost alternatives. We adjust the pricing models for our products from time to time and expect that we will continue to do so. Many of our usage-based customers enter into contracts with negotiated pricing, and our subscription customers are also subject to negotiated pricing. As competitors introduce new products or services that compete with ours or reduce their prices, we may be unable to attract new customers or retain existing customers based on our historical pricing. If we are required or choose to reduce our prices, it could adversely affect our business, results of operations and financial condition.

As a provider of communications products and a licensed telecommunications provider, we are required to comply with many changing federal, state and international regulations, including relating to privacy, security, telecommunications, consumer protection, fraud and scam prevention, Know Your Customer and Know Your Traffic and other requirements and obligations, which often vary across the numerous jurisdictions in which we operate. Compliance with these requirements involves significant management attention and compliance costs, and can present operational challenges, onboarding delays and friction for our customers, require us to raise prices, restructure or discontinue our products, or limit our ability to expand into certain jurisdictions. If we do not comply with such requirements, we could face enforcement actions, significant fines, remedial directions to implement audits or new processes, loss of licenses, restrictions or prohibitions on our ability to operate or offer certain of our products, eroded customer trust, and damage to our brand and reputation, and other consequences. Any of the foregoing could adversely affect our business, results of operations and financial condition. In the United States, at the federal level, we and/or our customers are required to comply with laws and regulations limiting telemarketing and certain technologies that enable automatic calling and/or messaging and establishing quiet hours for solicitations, such as the Telephone Consumer Protection Act of 1991 (“TCPA”), laws requiring assistance to law enforcement in electronic surveillance, requirements to pay regulatory fees and contributions to various federally administered funds, requirements to safeguard the privacy of certain customer information, and requirements aimed at mitigating illegal robocalls and robotexts, such as the implementation of call authentication technologies, and other compliance requirements. At the state level, some states have adopted, proposed or may propose, regulations that may subject us to additional registration, reporting, resiliency and/or compliance obligations, including laws similar to the TCPA. We are also subject to varying international licensing obligations and communications regulations, including related to reporting requirements, provision of emergency services and of information to support emergency services, number portability, combatting scam and fraud, payment into universal service funds, and licensing fees, among others. As we expand into new countries, our potential regulatory and licensing obligations, and related scrutiny, increase. The international landscape continues to evolve, and in many cases involves significant uncertainties related to how the CPaaS business model fits into the communications regulatory framework. There is significant variation in requirements across international jurisdictions, including as to whether some or all of the services we offer are considered regulated telecommunications services. In addition, certain of our products may be used by customers located in countries where voice and other forms of Internet Protocol (“IP”) communications may be illegal or require special licensing or in countries on a U.S. embargo list, and users in such countries may continue to use our products in those countries notwithstanding the illegality or embargo, or a local partner that we use to 27 27 27 Table of Contents Table of Contents provide services may not comply with applicable governmental regulations, subjecting us to potential penalties or governmental actions that may be costly, harm our business and damage our brand and reputation. Both in the United States and internationally, these requirements continue to change. For example, new federal, state, or international requirements could impose more or different robocall or robotext mitigation measures, limit the customers we are able to serve, extend telecommunications regulations to our non-interconnected VoIP services or messaging products, subject us to additional registration, reporting or resiliency compliance obligations, or subject us to other fees, taxes or obligations. The changing nature of these requirements increases the associated compliance costs, operational challenges, possibility of enforcement actions and other associated risks, and new or changed requirements, or interpretations or judicial actions related to them, may also adversely affect our business, results of operations and financial condition.

As a provider of communications products, we are subject to existing or potential FCC and state regulations relating to privacy, telecommunications, consumer protection and other requirements. In addition, the extension of telecommunications regulations to our non-interconnected VoIP services could result in additional federal and state regulatory obligations and taxes. We are also in discussions with certain jurisdictions regarding potential sales and other taxes for prior periods that we may owe. In the event any of these jurisdictions disagree with management’s assumptions and analysis, the assessment of our tax exposure could differ materially from management's current estimates, which may increase our costs of doing business and negatively affect the prices our customers pay for our services. If we do not comply with FCC rules and regulations, we could be subject to FCC enforcement actions, fines, loss of licenses and possibly restrictions on our ability to operate or offer certain of our products. For example, in 2023, we received a “cease-and-desist” letter from the FCC related to reported fraudulent traffic on our messaging platform. We subsequently removed the identified traffic and sent a follow-up letter to the agency detailing our fraud mitigation practices and various planned improvements to reduce future risks. Any enforcement action by the FCC, which may be a public process, would hurt our reputation in the industry, could erode customer trust, possibly impair our ability to sell our VoIP, other telecommunications products and/or other services to customers and could adversely affect our business, results of operations and financial condition. In addition, states such as California have increasingly adopted or proposed, or may propose, regulations that may subject us to additional registration, reporting, resiliency and/or compliance obligations. If we become subject to several new and/or different interconnected and/or non-interconnected VoIP regulations at the state level, it may increase our compliance costs and the risk of enforcement action against us, which in turn could adversely affect our business, results of operations and financial condition. 29 29 29 Table of Contents Table of Contents Certain of our products are subject to a number of FCC regulations and laws that are administered by the FCC. Among others, we must comply (in whole or in part) with: •the Communications Act of 1934, as amended, which regulates communications services and the provision of such services; •the Telephone Consumer Protection Act, which limits the use of automatic dialing systems for calls and texts, artificial or prerecorded voice messages and fax machines; •the Communications Assistance for Law Enforcement Act, which requires covered entities to assist law enforcement in undertaking electronic surveillance; •the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (“TRACED”); •requirements to safeguard the privacy of certain customer information; •payment of annual FCC regulatory fees and contributions to FCC-administered funds based on our interstate and international revenues; and •rules pertaining to access to our services by people with disabilities and contributions to the Telecommunications Relay Services fund. In addition, Congress and the FCC are attempting to mitigate the prevalence of robocalls by requiring participation in a technical standard called Signature-based Handling of Asserted Information Using toKENs (“SHAKEN”) and Secure Telephone Identity Revisited (“STIR”) (together, “SHAKEN/STIR”), which allows voice carriers to authenticate caller ID, prohibiting malicious spoofing. The FCC continues to increase its focus on robocall mitigation, including by implementing orders and holding open proceedings related to robocalls and robotexts. We cannot predict whether the FCC will require more than the robocall and robotexting measures that we have started to implement. If the FCC were to implement new regulations or requirements that limited the types of customers allowed to use our platform or overly burdensome requirements for our customers, those actions could limit the customers that we are able to serve. Similarly, in May 2021, the Biden administration issued an Executive Order requiring federal agencies to implement additional information technology security measures, including, among other things, requiring agencies to adopt multifactor authentication and encryption for data at rest and in transit to the maximum extent consistent with federal records laws and other applicable laws. Due to this Executive Order, federal agencies may require us to modify our cybersecurity practices and policies, thereby increasing our compliance costs. If we are unable to meet the requirements of the Executive Order, our ability to work with the U.S. government, whether directly or indirectly, may be impaired and may result in a loss of revenue. If we do not comply with any current or future rules or regulations that apply to our business, we could be subject to substantial fines and penalties, and we may have to restructure our offerings, exit certain markets or raise the price of our products. In addition, any uncertainty regarding whether particular regulations apply to our business, and how they apply, could increase our costs or limit our ability to grow. As we continue to expand internationally, we have become subject to telecommunications laws and regulations in the foreign countries where we offer our products. Internationally, we currently offer our products in more than 180 countries and territories. Our international regulatory and business obligations, and the related challenges and resources involved, increase when we enter new countries and as our presence and market share in such countries grow. Our international operations are subject to country-specific governmental regulation and related actions that have increased and will continue to increase our compliance costs or impact our products and platform or prevent us from offering or providing our products in certain countries. Moreover, the regulation of CPaaS companies like us is continuing to evolve internationally and many existing regulations may not fully contemplate the CPaaS business model or how they fit into the communications regulatory framework. As a result, interpretation and enforcement of regulations often involve significant uncertainties. In many countries, including those in the European Union, a number of our products or services are subject to licensing and communications regulatory requirements which increases the level of scrutiny and enforcement by regulators. Future legislative, regulatory or judicial actions impacting CPaaS services could also increase the cost and complexity of compliance and expose us to liability. For example, in some countries, some or all of the services we offer are not considered regulated telecommunications services, while in other countries they are subject to telecommunications regulations, including but not limited to payment into universal service funds, licensing fees, provision of emergency services, provision of 30 30 30 Table of Contents Table of Contents information to support emergency services and number portability as well as requirements to combat scams and fraud. Failure to comply with these regulations could result in our Company being issued remedial directions to undertake independent audits and implement effective systems, processes and practices to ensure compliance, significant fines or being prohibited from providing telecommunications services in a jurisdiction. In addition, from time to time we implement Know-Your-Customer and/or Know-Your-Traffic related processes in the jurisdictions in which we operate, which may create friction for our customers, require management attention, and increase our compliance costs. Moreover, certain of our products may be used by customers located in countries where voice and other forms of Internet Protocol (“IP”) communications may be illegal or require special licensing or in countries on a U.S. embargo list. Even where our products are reportedly illegal or become illegal or where users are located in an embargoed country, users in those countries may be able to continue to use our products in those countries notwithstanding the illegality or embargo. We may be subject to penalties or governmental action if consumers continue to use our products in countries where it is illegal to do so or if we use a local partner to provide services in a country and the local partner does not comply with applicable governmental regulations. Any such penalties or governmental action may be costly and may harm our business and damage our brand and reputation. We may be required to incur additional expenses to meet applicable international regulatory requirements or be required to raise the prices of services, or restructure or discontinue those services if required by law or if we cannot or will not meet those requirements. Any of the foregoing could adversely affect our business, results of operations and financial condition.

We review our intangible assets, goodwill and equity method investment for impairment in accordance with applicable accounting requirements. As of December 31, 2025, we carried a net $5.4 billion of goodwill and intangible assets and $301.6 million related to our equity method investment. An adverse change in market conditions or significant changes in accounting conclusions, particularly if such changes have the effect of changing one of our critical assumptions or estimates, have in the past resulted, and could in the future result, in a change to the estimation of fair value resulting in an impairment charge to the underlying asset. Our results of operations may be adversely affected as a result of any such charges. For example, during the year ended December 31, 2025, we recorded an impairment of our equity method investment totaling approximately $80.6 million, as described in additional detail in Note 12 to our consolidated financial statements included elsewhere in this Annual Report on Form 10-K.

We review our intangible assets for impairment when events or changes in circumstances indicate the carrying value may not be recoverable. Goodwill is required to be tested for impairment at least annually. As of December 31, 2024, we carried a net $5.5 billion of goodwill and intangible assets. An adverse change in market conditions or significant changes in accounting conclusions, particularly if such changes have the effect of changing one of our critical assumptions or estimates, could result in a change to the estimation of fair value that could result in an impairment charge to our goodwill or intangible assets. For example, during the year ended December 31, 2023, we recorded an impairment of intangible assets related to Segment totaling approximately $285.7 million, as described in additional detail in Note 6 to our consolidated financial statements included in our Annual Report on Form 10-K filed with the SEC on February 27, 2024. Any such charges may adversely affect our results of operations.