Veeva Systems Inc.: 10-K Risk Factor Changes

In our fiscal year ended January 31, 2024, we derived approximately 52% of our subscription services revenues and approximately 50% of our total revenues from our Commercial Solutions. In our fiscal quarter ended January 31, 2024, we derived approximately 50% of our subscription services revenues and approximately 49% of our total revenues from our Commercial Solutions. A significant percentage of our Commercial Solutions subscription services revenues are derived from subscriptions for our core CRM application, and we have realized substantial sales penetration among pharmaceutical and biotechnology companies for our core Veeva CRM application. If we are not able to sell additional user subscriptions for our core CRM application, if we fail to renew existing subscriptions for our core CRM application, or if subscription levels for our core CRM application are reduced at renewal (as a result of reductions in sales representatives that use our solutions, change in demand for our solutions, or for other reasons), the growth of our Commercial Solutions revenues may be negatively impacted. For example, in recent years, certain life sciences companies have reduced the number of sales representatives they employ due to an increased preference for digitally-enabled sales channels, which negatively impacted sales of Veeva CRM and certain of our other Commercial Solutions.

In our fiscal year ended January 31, 2023, we derived approximately 55% of our subscription services revenues and approximately 52% of our total revenues from our Commercial Solutions. In our fiscal quarter ended January 31, 2023, we derived approximately 53% of our subscription services revenues and approximately 51% of our total revenues from our Commercial Solutions. A significant percentage of our Commercial Solutions subscription Veeva Systems Inc. | Form 10-K 15 Veeva Systems Inc. | Form 10-K 15 Veeva Systems Inc. | Form 10-K 15 Veeva Systems Inc. | Form 10-K 15 Table of Contents Table of Contents services revenues are derived from subscriptions for our core CRM application, and we have realized substantial sales penetration among pharmaceutical and biotechnology companies for our core Veeva CRM application. If we are not able to sell additional user subscriptions for our core CRM application, if we fail to renew existing subscriptions for our core CRM application, or if subscription levels for our core CRM application are reduced at renewal (as a result of reductions in sales representatives that use our solutions, change in demand for our solutions, or for other reasons), the growth of our Commercial Solutions revenues may be negatively impacted. In the quarter ended October 31, 2020, we disclosed that we expected life sciences companies to reduce the number of sales representatives that they employ by roughly 10%. While the majority of these reductions were completed by the end of our fiscal year ended January 31, 2023, we expect additional reductions to take place through the end of our fiscal year ending January 31, 2024. Such reductions could negatively impact sales of Veeva CRM and certain of our other Commercial Solutions, but we cannot be certain of the timing or magnitude of such reductions.

Our bylaws provide that the Court of Chancery of the State of Delaware is the exclusive forum for any derivative action or proceeding brought on our behalf, any action asserting a breach of fiduciary duty, any action asserting a Veeva Systems Inc. | Form 10-K 31 Veeva Systems Inc. | Form 10-K 31 Veeva Systems Inc. | Form 10-K 31 Veeva Systems Inc. | Form 10-K 31 Table of Contents Table of Contents claim against us arising pursuant to the Delaware General Corporation Law or any action asserting a claim against us that is governed by the internal affairs doctrine. Our bylaws also provide that, unless we consent in writing to the selection of an alternative forum, the federal district courts of the United States shall be the sole and exclusive forum for any action asserting a claim arising pursuant to the Securities Act, such a provision known as a “Federal Forum Provision.” Any person or entity purchasing or otherwise acquiring any interest in our shares of capital stock shall be deemed to have notice of and consented to these provisions. These choice of forum provisions may limit a stockholder's ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers, or other employees and may discourage these types of lawsuits. Alternatively, if a court were to find the choice of forum provision contained in our bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, operating results, and financial condition.

Our certificate of incorporation provides that the Court of Chancery of the State of Delaware is the exclusive forum for any derivative action or proceeding brought on our behalf, any action asserting a breach of fiduciary duty, any action asserting a claim against us arising pursuant to the Delaware General Corporation Law or any action asserting a claim against us that is governed by the internal affairs doctrine. Our bylaws also provide that, unless we consent in writing to the selection of an alternative forum, the federal district courts of the United States shall be the sole and exclusive forum for any action asserting a claim arising pursuant to the Securities Act, such a provision known as a “Federal Forum Provision.” Any person or entity purchasing or otherwise acquiring any interest in our shares of capital stock shall be deemed to have notice of and consented to these provisions. These choice of forum provisions may limit a stockholder's ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers, or other employees and may discourage these types of lawsuits. Alternatively, if a court were to find the choice of forum provision contained in our certificate of incorporation or bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, operating results, and financial condition.

Our corporate headquarters are located in Pleasanton, California and our primary third-party hosted computing infrastructure is located in the United States, the European Union, Japan, and South Korea. The west coast of the United States, Japan, and South Korea each contain active earthquake zones. Additionally, we rely on our network and third-party infrastructure and enterprise applications, internal technology systems, and our website, for our development, marketing, operational support, hosted services, and sales activities. In the event of a major earthquake, hurricane, or other natural disaster, or catastrophic event such as an actual or threatened public health emergency (e.g., a global pandemic), fire, extreme weather event, power loss, telecommunications failure, cyber-attack, armed conflicts (including the Russian invasion of Ukraine and the Israel-Hamas conflict), or terrorist attack, we may be unable to continue our operations at full capacity or at all and may experience system interruptions, reputational harm, delays in our solution development, lengthy interruptions in our services, breaches of data 14Veeva Systems Inc. | Form 10-K 14Veeva Systems Inc. | Form 10-K 14Veeva Systems Inc. | Form 10-K 14 Veeva Systems Inc. | Form 10-K Table of Contents Table of Contents security, loss of key employees, and loss of critical data, all of which could have an adverse effect on our future operating results.

Our corporate headquarters are located in Pleasanton, California and our primary third-party hosted computing infrastructure is located in the United States, the European Union, Japan, and South Korea. The west coast of the United States, Japan, and South Korea each contain active earthquake zones. Additionally, we rely on our network and third-party infrastructure and enterprise applications, internal technology systems, and our website, for our development, marketing, operational support, hosted services, and sales activities. In the event of a major earthquake, hurricane, or other natural disaster, or catastrophic event such as an actual or threatened public health emergency (e.g., COVID-19), fire, extreme weather event, power loss, telecommunications failure, cyber-attack, war (including the Russian invasion of Ukraine), or terrorist attack, we may be unable to continue our operations at full capacity or at all and may experience system interruptions, reputational harm, delays in our solution development, lengthy interruptions in our services, breaches of data security, loss of key employees, and loss of critical data, all of which could have an adverse effect on our future operating results.

We expect our future expenses to increase as we continue to invest in and grow our business. We expect to incur significant future expenditures related to: •developing new solutions and enhancing our existing solutions, including additional data acquisition costs associated with our Veeva Compass offering and investment in our product development teams; •improving the technology infrastructure, scalability, availability, security, and support for our solutions; •sales and marketing, including expansion of our direct sales organization and global marketing programs; •expansion of our professional services organization; •pending, threatened, or future legal proceedings, certain of which are described in Part II, Item 1. “Legal Proceedings” and note 14 of the notes to our consolidated financial statements, and which we expect to continue to result in significant expense for the foreseeable future; •international expansion; •acquisitions and investments; and •general operations, IT systems, facilities, and administration, including legal and accounting expenses. If our efforts to increase revenues and manage our expenses are not successful, or if we incur costs, damages, fines, settlements, or judgments as a result of other risks and uncertainties described in this report, we may not be able to sustain or increase our historical levels of profitability.

We expect our future expenses to increase as we continue to invest in and grow our business. We expect to incur significant future expenditures related to: •developing new solutions and enhancing our existing solutions, including additional data acquisition costs associated with our Veeva Compass offering and investment in our product development teams; •improving the technology infrastructure, scalability, availability, security, and support for our solutions; •sales and marketing, including expansion of our direct sales organization and global marketing programs; •expansion of our professional services organization; •pending, threatened, or future legal proceedings, certain of which are described in Part II, Item 3. “Legal Proceedings” and note 14 of the notes to our consolidated financial statements, and which we expect to continue to result in significant expense for the foreseeable future; 24Veeva Systems Inc. | Form 10-K 24Veeva Systems Inc. | Form 10-K 24Veeva Systems Inc. | Form 10-K 24 Veeva Systems Inc. | Form 10-K Table of Contents Table of Contents •international expansion; •acquisitions and investments; and •general operations, IT systems, facilities, and administration, including legal and accounting expenses. In light of the worldwide labor market conditions and inflationary pressure, our global compensation increases in connection with our annual compensation review process, which took place in our fiscal quarter ended April 30, 2022, were higher than previous years, which has increased our expenses. If our efforts to increase revenues and manage our expenses are not successful, or if we incur costs, damages, fines, settlements, or judgments as a result of other risks and uncertainties described in this report, we may not be able to sustain or increase our historical levels of profitability.

The below is a summary of principal risks to our business and risks associated with ownership of our stock. It is only a summary. You should read the more detailed discussion of risks set forth below and elsewhere in this report for a more complete discussion of the risks listed below and other risks. •If our security measures are breached or unauthorized access to customer data is otherwise obtained, our solutions may be perceived as not being secure, customers may reduce or stop the use of our solutions, and we may incur significant liabilities. •The markets in which we participate are highly competitive, and if we do not compete effectively, our business and operating results could be adversely affected. •If our newer solutions are not successfully adopted by new and existing customers, the growth rate of our revenues and operating results will be adversely affected. •Our revenues are relatively concentrated within a small number of key customers, and the loss of one or more of such key customers could cause our revenues to decline. •Our plans to migrate our customers to our Vault CRM applications built on our own Veeva Vault platform could cause business disruptions for customers, lead to the loss of our customers to competitors, and adversely affect our operating results. •Nearly all of our revenues are generated by sales to customers in the life sciences industry, and factors that adversely affect this industry could also adversely affect us. •Over the longer term our revenue growth rates are likely to fluctuate from year to year and may decline, and, as our costs increase, we may not be able to sustain the same level of profitability we have achieved in the past. •Unique and uncertain macroeconomic and geopolitical factors, including as a result of worldwide inflationary pressures and changes in interest rates, volatility in the financial sector, concerns about a possible domestic or global recession, currency exchange fluctuations, the Russian invasion of Ukraine, and the Israel-Hamas conflict may cause instability and volatility in the global financial markets, and disruptions within the life sciences industry that may negatively impact our business, our financial results, and our stock price. •Difficulty attracting and retaining highly skilled employees could adversely affect our business and efforts to attract and retain such employees may increase our expenses. •If the third-party providers of healthcare professional and healthcare organization data and prescription drug sales data, such as IQVIA for instance, do not allow our customers to upload and use such data in our solutions, the demand for our solutions may decrease, and our business may be negatively impacted. •We rely on third-party providers for computing infrastructure, secure network connectivity, and other technology-related services needed to deliver our cloud solutions, and any disruption in the services provided by them could adversely affect our business and subject us to liability. •Changing laws and regulations, including increasingly complex data privacy and information security regulations, in the U.S. and internationally, life sciences industry regulations, and trade policies, may impose additional costs for compliance, reduce demand for our solutions, and subject us to significant liabilities. Veeva Systems Inc. | Form 10-K 9 Veeva Systems Inc. | Form 10-K 9 Veeva Systems Inc. | Form 10-K 9 Veeva Systems Inc. | Form 10-K 9 Table of Contents Table of Contents •We are currently being sued by third parties for alleged misappropriation of trade secrets. We may suffer damages, which could be significant, or other harm from these lawsuits and we may be sued for infringement or misappropriation of third-party intellectual property in the future. •We may acquire other companies or technologies, which could divert our management’s attention, result in additional dilution to our stockholders, and otherwise disrupt our operations and adversely affect our operating results.

The below is a summary of principal risks to our business and risks associated with ownership of our stock. It is only a summary. You should read the more detailed discussion of risks set forth below and elsewhere in this report for a more complete discussion of the risks listed below and other risks. •If our security measures are breached or unauthorized access to customer data is otherwise obtained, our solutions may be perceived as not being secure, customers may reduce or stop the use of our solutions, and we may incur significant liabilities. •The markets in which we participate are highly competitive, and if we do not compete effectively, our business and operating results could be adversely affected. •If our newer solutions are not successfully adopted by new and existing customers, the growth rate of our revenues and operating results will be adversely affected. •Our revenues are relatively concentrated within a small number of key customers, and the loss of one or more of such key customers could cause our revenues to decline. •Our plans to migrate our CRM applications from the Salesforce platform to our own Veeva Vault platform could cause business disruptions for customers, lead to the loss of our customers to competitors, and adversely affect our operating results. •Nearly all of our revenues are generated by sales to customers in the life sciences industry, and factors that adversely affect this industry could also adversely affect us. •We expect our longer-term revenue growth rates to decline in future periods and, as our costs increase, we may not be able to sustain the same level of profitability we have achieved in the past. •Unique and uncertain macroeconomic and geopolitical factors, including as a result of worldwide inflationary pressures and rising interest rates, volatility in the financial sector, concerns about a possible domestic or global recession, currency exchange fluctuations and the Russian invasion of Ukraine may cause instability and volatility in the global financial markets and disruptions within the life sciences industry that may negatively impact our business, our financial results, and our stock price. •Difficulty attracting and retaining highly skilled employees could adversely affect our business and efforts to attract and retain such employees may increase our expenses. •If the third-party providers of healthcare professional and healthcare organization data and prescription drug sales data, such as IQVIA for instance, do not allow our customers to upload and use such data in our solutions, the demand for our solutions may decrease, and our business may be negatively impacted. •We rely on third-party providers for computing infrastructure, secure network connectivity, and other technology-related services needed to deliver our cloud solutions, and any disruption in the services provided by them could adversely affect our business and subject us to liability. •We are currently being sued by third parties for alleged misappropriation of trade secrets. We may suffer damages, which could be significant, or other harm from these lawsuits and we may be sued for infringement or misappropriation of third-party intellectual property in the future. •Our status as a PBC may not result in the benefits that we anticipate, requires our directors to balance the interest of stockholders with other interests, and may subject us to legal uncertainty and other risks. Veeva Systems Inc. | Form 10-K 9 Veeva Systems Inc. | Form 10-K 9 Veeva Systems Inc. | Form 10-K 9 Veeva Systems Inc. | Form 10-K 9 Table of Contents Table of Contents •Until its expiration on October 15, 2023, the dual-class structure of our common stock has the effect of concentrating voting control with certain individuals and their affiliates, which will limit or preclude the ability of our investors to influence corporate matters.

Our Veeva CRM application, and certain portions of the multichannel CRM applications that complement our Veeva CRM application, utilize the Salesforce platform of Salesforce, Inc., and we are currently dependent upon the Salesforce platform to deliver our CRM application. However, on December 1, 2022, we announced our intent to migrate our Veeva CRM customers to Vault CRM, which is built on our Veeva Vault platform, and we do not intend to renew our agreement with Salesforce, Inc. when the current term expires on September 1, 2025. Pursuant to the terms of our agreement, during the wind-down period from September 1, 2025 to September 1, 2030, we may not sell applications that utilize the Salesforce platform to new customers and our sales of applications that utilize the Salesforce platform to a customer existing at September 1, 2025 may not exceed 150% of the seats in use by each such customer as of September 1, 2025. After September 1, 2030, we will not be able to sell applications that utilize the Salesforce platform to any customers. Salesforce, Inc. also has the right to terminate the agreement early in certain circumstances, including in the event of a material breach of the agreement by us, or if Salesforce, Inc. is subjected to third-party intellectual property infringement claims based on our solutions (except to the extent based on the Salesforce platform) or our trademarks and we do not remedy such infringement in accordance with the agreement. Also, if we are acquired by specified companies, Salesforce, Inc. may terminate the agreement upon notice of not less than 12 months. On May 1, 2023, as allowed by the terms of our agreement, Salesforce Inc. terminated certain competition restrictions imposed by the agreement. Per the terms of the agreement, termination of those non-competition Veeva Systems Inc. | Form 10-K 21 Veeva Systems Inc. | Form 10-K 21 Veeva Systems Inc. | Form 10-K 21 Veeva Systems Inc. | Form 10-K 21 Table of Contents Table of Contents obligations by Salesforce, Inc. released us from our minimum order commitments in the future. Under the terms of our current agreement, Salesforce, Inc. is no longer prohibited from promoting third parties' products that are competitive to Veeva CRM, treating another third party as a "preferred" vendor of a CRM solution in the pharma and biotech market, or developing or promoting a product that competes with Veeva CRM. In addition, current or potential customers of ours may choose a competitor, such as IQVIA, that uses the Salesforce platform or build their own custom solutions on the Salesforce platform rather than buy from us. Any of these events may have a material adverse impact on our business, operating results, and financial condition. Also, in 2019, Salesforce, Inc. announced a strategic partnership with Alibaba, a Chinese company, through which Alibaba will become the exclusive provider of Salesforce in mainland China, Hong Kong, Macau, and Taiwan. The timeframe and exact parameters of changes to Salesforce, Inc. offerings in the listed regions has not been announced. Our existing agreement with Salesforce, Inc. allows us to sell our CRM solutions to drug makers in the pharmaceutical and biotechnology industries in mainland China, Hong Kong, Macau, and Taiwan, and our right to do so is not impacted by the Alibaba partnership. However, our ability to offer our CRM solutions from data centers located in the listed regions may be limited if Salesforce, Inc. does not operate data centers in the listed regions in the future and we do not contract for such data center services from Alibaba. If our inability to offer our CRM solutions from data centers located in the listed regions negatively impacts the performance of our solutions in those regions or causes legal compliance concerns, or if customers in the listed regions prefer their CRM solutions to be hosted from local data centers, our business may be negatively affected.

Our Veeva CRM application, and certain portions of the multichannel CRM applications that complement our Veeva CRM application, utilize the Salesforce platform of Salesforce, Inc., and we are currently dependent upon the Salesforce platform to deliver our CRM application. However, we recently announced our intent to migrate our applications built on the Salesforce platform to our Veeva Vault platform and we do not intend to renew our agreement with Salesforce, Inc. when the current term expires on September 1, 2025. Pursuant to the terms of our agreement, during the wind-down period from September 1, 2025 to September 1, 2030, we may not sell applications that utilize the Salesforce platform to new customers and our sales of applications that utilize the Salesforce platform to a customer existing at September 1, 2025 may not exceed 150% of the seats in use by each such customer as of September 1, 2025. After September 1, 2030, we will not be able to sell applications that utilize the Salesforce platform to any customers. Through the expiration of the wind-down period, our agreement with Salesforce, Inc. provides that we can use the Salesforce platform as combined with our proprietary Veeva CRM application to sell sales automation solutions only to drug makers in the pharmaceutical and biotechnology industries for human and animal treatments, which does not include the medical device industry or products for non-drug departments of pharmaceutical and biotechnology companies. Sales of the Salesforce platform in combination with our Veeva CRM application to additional industries would require the review and approval of Salesforce, Inc. Our inability to freely sell our Veeva CRM application using the Salesforce platform outside of drug makers in the pharmaceutical and biotechnology industries may adversely impact our growth. Salesforce, Inc. also has the right to terminate the agreement early in certain circumstances, including in the event of a material breach of the agreement by us, or if Salesforce, Inc. is subjected Veeva Systems Inc. | Form 10-K 21 Veeva Systems Inc. | Form 10-K 21 Veeva Systems Inc. | Form 10-K 21 Veeva Systems Inc. | Form 10-K 21 Table of Contents Table of Contents to third-party intellectual property infringement claims based on our solutions (except to the extent based on the Salesforce platform) or our trademarks and we do not remedy such infringement in accordance with the agreement. Also, if we are acquired by specified companies, Salesforce, Inc. may terminate the agreement upon notice of not less than 12 months. For the period through September 1, 2025, our existing agreement provides that Salesforce, Inc., subject to certain exceptions including pre-existing arrangements, will not position, develop, promote, invest in, or acquire applications directly competitive to the Veeva CRM application for sales automation that directly target drug makers in the pharmaceutical and biotechnology industry or the pharma/biotech industry. During the same period, the agreement also restricts Salesforce, Inc. from competing with us with respect to sales opportunities for sales automation solutions for the pharmaceutical and biotechnology industry unless such competition has been pre-approved by Salesforce Inc.’s senior management based on certain criteria specified in the agreement, and imposes certain limits on Salesforce, Inc. from entering into new arrangements after March 3, 2014 that are similar to ours with other parties with respect to sales automation applications for the pharmaceutical and biotechnology industry. However, the agreement does not restrict a Salesforce, Inc. customer’s ability (or the ability of Salesforce, Inc. on behalf of a specific Salesforce, Inc. customer) to customize or configure the Salesforce platform. Moreover, our remedy for a breach of these commitments by Salesforce, Inc. is limited to early termination of the agreement or continue the agreement but be released from our minimum order commitments from the date of Salesforce, Inc.’s breach forward. After September 1, 2025, Salesforce, Inc. may develop a product that competes directly or indirectly with us or enter into arrangements similar to ours with competitors. Current or potential customers of ours may choose a competitor, such as IQVIA, that uses the Salesforce platform or build their own custom solutions on the Salesforce platform rather than buy from us. Any of these events may have a material adverse impact on our business, operating results, and financial condition. Also, in 2019, Salesforce, Inc. announced a strategic partnership with Alibaba, a Chinese company, through which Alibaba will become the exclusive provider of Salesforce in mainland China, Hong Kong, Macau, and Taiwan. The timeframe and exact parameters of changes to Salesforce, Inc. offerings in the listed regions has not been announced. Our existing agreement with Salesforce, Inc. allows us to sell our CRM solutions to drug makers in the pharmaceutical and biotechnology industries in mainland China, Hong Kong, Macau, and Taiwan, and our right to do so is not impacted by the Alibaba partnership. However, our ability to offer our CRM solutions from data centers located in the listed regions may be limited if Salesforce, Inc. does not operate data centers in the listed regions in the future and we do not contract for such data center services from Alibaba. If our inability to offer our CRM solutions from data centers located in the listed regions negatively impacts the performance of our solutions in those regions or causes legal compliance concerns, or if customers in the listed regions prefer their CRM solutions to be hosted from local data centers, our business may be negatively affected.

Our success depends in a large part upon the continued service of our senior management team and other key personnel. For example, our founder and Chief Executive Officer, Peter P. Gassner, is critical to our vision, strategic direction, culture, products, and technology. Leadership transitions can be inherently difficult to manage, and an unsuccessful transition may cause disruption to our business. If our succession planning for key personnel is inadequate, the loss of one or more of our key employees could harm our business. In addition, changes in our senior management team may create uncertainty among our customers, investors, employees, or job candidates concerning Veeva’s future direction and performance. Any disruption in our operations or uncertainty around our ability to execute could have an adverse effect on our business, financial condition, or results of operations.

Our success depends in a large part upon the continued service of our senior management team or other key personnel. In particular, our founder and Chief Executive Officer, Peter P. Gassner, is critical to our vision, strategic direction, culture, products, and technology. We do not maintain key-man insurance for Mr. Gassner or any other member of our senior management team. In our fiscal year ended January 31, 2023, in response to a competitive talent environment, we made significant awards to our senior management, other than Mr. Gassner, outside of our regular compensation program, but we cannot guarantee those awards will be sufficient to retain all of these individuals. In addition, in the past several years we have experienced changes to our senior leadership team. Such leadership transitions can be inherently difficult to manage, and an unsuccessful transition may cause disruption to our business. In addition, change in the senior management team may create uncertainty among investors and employees or candidates concerning Veeva’s future direction and performance. Any disruption in our operations or uncertainty around our ability to execute could have an adverse effect on our business, financial condition, or results of operations.

While we have experienced significant revenue growth in prior periods, it is not indicative of our future revenue growth. Our total revenues and subscription services revenue growth rates have declined in the past and may decline in the future. In our fiscal years ended January 31, 2024, 2023, and 2022, our total revenues grew by 10%, 16%, and 26% respectively, as compared to total revenues from the prior fiscal years. In our fiscal years ended January 31, 2024, 2023, and 2022, our subscription services revenues grew by 10%, 17%, and 26% respectively, as compared to subscription services revenues from the prior fiscal years. In the fiscal year ended January 31, 2024, our revenue growth rate was negatively impacted by macroeconomic conditions, including lower funding levels within segments of our customer base and increased scrutiny for certain potential projects, a contracting change in the master subscription agreements that govern our multi-year orders, which affected the timing of revenue recognition for such orders, and foreign currency exchange fluctuations. While we expect our revenue growth rates to accelerate in our fiscal year ending January 31, 2025, as compared to the prior fiscal year, the year-over-year acceleration is in part due to the reduction in our revenues in the fiscal year ended January 31, 2024 from the contracting change discussed above. Over the longer term, our revenue growth rates are likely to fluctuate from year to year and may decline. If we are unable to maintain consistent revenue growth, it may adversely impact our profitability and the value of our common stock.

While we have experienced significant revenue growth in prior periods, it is not indicative of our future revenue growth. We expect our longer-term revenue growth rates will decline. In our fiscal years ended January 31, 2023, 2022, and 2021, our total revenues grew by 16%, 26%, and 33%, respectively, as compared to total revenues from the prior fiscal years. In our fiscal years ended January 31, 2023, 2022, and 2021, our subscription services revenues grew by 17%, 26%, and 32%, respectively, as compared to subscription services revenues from the prior fiscal years. In our fiscal quarter ended January 31, 2023, our total revenues grew by 16% and our subscription services revenues grew by 16% as compared to the same quarterly period in the prior fiscal year. Our year-over-year growth in the fiscal year ended January 31, 2023 was negatively impacted by foreign currency exchange fluctuations discussed in “Quantitative and Qualitative Disclosures about Market Risk---Foreign currency exchange risk” and as a result of macroeconomic factors, including lower funding levels within segments of our customer base and increased project scrutiny for certain potential projects. Moreover, a contracting change in the master subscription agreement for our multi-year orders, which became effective February 1, 2023, will affect the timing of revenue recognition for such orders. As a result, our total revenue and subscription services revenue growth rates will be negatively affected in the fiscal year ending January 31, 2024 compared to the prior fiscal year. Our total revenues and subscription services revenue growth rates have declined in the past, and we expect them to decline again in the future. If we are unable to maintain consistent revenue growth, it may adversely impact our profitability and the value of our Class A common stock.

Our customers use our solutions to collect, use, store, disclose, and otherwise process personal data regarding their employees, healthcare professionals, and patients. Patient data may include sensitive health data. In many countries, governmental bodies have adopted or may adopt laws and regulations regarding the security, collection, use, storage, disclosure, and other processing of personal data, making compliance an increasingly complex task. Under the European General Data Protection Regulation (EU GDPR) and the United Kingdom’s General Data Protection Regulation (UK GDPR), we act as a data controller for our data products and a data processor with respect to our software products. Each of the GDPR and UK GDPR impose significant data protection obligations and provide for substantial penalties and other remedies for noncompliance. We maintain active self-certifications under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. We also rely on the EU Standard Contractual Clauses and UK Standard Contractual Clauses, as well as our technical, contractual, and security measures, to help ensure that our European customers have the appropriate legal mechanisms in place for their personal data to be accessed from within the United States. We are required to take steps to legitimize any personal data transfers impacted by these developments, and to engage in contract negotiations with third parties that aid in processing personal data on our behalf. We may be subject to increased costs of compliance and limitations on our service providers and us. In addition, these laws are complex, with the application and interpretation of them, at times, unclear and inconsistent, and may impose significant penalties for non-compliance. For example, in May 2023, the Irish Data Protection Commission imposed a significant fine on a large internet technology corporation for its failure to sufficiently address risks to EU data subjects when transferring data to the U.S. Other countries have imposed or may in the future impose data localization obligations, cross-border data transfer restrictions, and other country specific privacy and security requirements which could be problematic to cloud software providers. For example, in 2021, China adopted the Personal Information Protection Law, which, together with the Cybersecurity Law and the Data Security Law, require companies that process personal data of China residents above certain thresholds to seek approval from the Cyberspace Administration of China (CAC) to transfer such data outside of China. Certain of our Veeva CRM customers in China were required to request such approval from the CAC and had their requests denied. As a result, we expect that over the next twelve months, such customers may be required to implement a CRM solution that does not require data to be transferred outside of China. While we offer a CRM solution, called China SFA, that does not require data to be transferred outside of China, certain of our Veeva CRM customers in China may choose to implement a competitor’s CRM solution and our CRM business in China may be negatively impacted. Currently, approximately 3% of our total revenue is attributable to China. In the United States, the U.S. Department of Health and Human Services promulgated privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that cover protected health information (PHI) by limiting use and disclosure and giving individuals the right to access, amend, and seek accounting of disclosures of their PHI. Certain of our customers may be either business associates or covered entities under HIPAA, which means we must maintain a HIPAA compliance program. There is also the potential for the U.S. federal government to pass additional data privacy laws. U.S. federal and state data privacy laws are rapidly evolving. These laws impose new and modify existing obligations on businesses that collect personal information and create new privacy rights for individuals. For example, under the California Consumer Privacy Act (CCPA), as amended, we are generally considered a “service provider” for our software solutions and a “business” for our data and analytics products. Some of these laws and regulations also target certain types of marketing and advertising based on the use of personal information. The State of Washington, for example, recently passed the My Health My Data Act, which became effective on March Veeva Systems Inc. | Form 10-K 19 Veeva Systems Inc. | Form 10-K 19 Veeva Systems Inc. | Form 10-K 19 Veeva Systems Inc. | Form 10-K 19 Table of Contents Table of Contents 21, 2024, establishing significant new restrictions on how businesses can collect, use, and disclose consumer health data. Veeva Crossix’s data platform combines large-scale data sets, inclusive of de-identified health and consumer data, to provide insights, analytics, and audience segmentation for our life sciences customers in the U.S. The law may curtail our ability to use data of Washington consumers, which may limit the accuracy of and reduce demand for our Crossix products, which, in turn, could adversely impact the business. These various laws, regulations, and legislative developments have potentially far-reaching consequences and may require us to modify our solutions and data management practices and incur substantial expense in order to comply. In addition to government regulations, privacy advocates and other key industry players have, and may continue to, establish various new standards and certifications, such as the prohibition of third-party cookies and other identifiers in certain digital environments, that may place additional burdens or resource constraints on us, limit our ability to collect, use, and otherwise process certain data, and limit our ability to generate certain analytics. Our customers may expect us to meet voluntary certifications or adhere to other standards established by third parties. Understanding and implementing industry and customer specific requirements and certifications on top of our internationally recognized security certifications could require additional investment and management attention and may subject us to significant liabilities if we are unable to comply. Moreover, the continuing evolution of these standards might cause confusion for our customers and may have an impact on the solutions we offer. If we are unable to maintain these certifications or meet these standards, it could reduce demand for our solutions and adversely affect our business and operating results. Customers expect that our solutions can be used in compliance with applicable data protection, data privacy and cybersecurity laws and regulations. Compliance with these global laws and regulations, including any new or evolving regulations relating to the use of data in AI and machine learning technologies, such as the proposed EU AI Act, has and will continue to require valuable management and employee time and resources and modification of our products or operations, and may also limit use and adoption of our products. Data protection authorities from around the world will from time to time review our products and services and their compliance with applicable laws and regulations. Any actual or perceived failure to comply with such laws and regulations or other actual or asserted obligations relating to privacy, data protection, or cybersecurity could lead to inspections, audits, regulatory investigations and other proceedings, significant fines, penalties, and other relief imposed by government agencies and regulatory bodies, and claims, demands, and litigation by our customers or third parties, which may reduce demand for our solutions and result in reputational harm, substantial damages and other liabilities.

Our customers use our solutions to collect, use, process, store, and disclose personal data regarding their employees, healthcare professionals, and patients. Patient data may include sensitive health data. In many countries, governmental bodies have adopted or may adopt laws and regulations regarding the collection, use, processing, storage, and disclosure of personal data, making compliance an increasingly complex task. Under the European General Data Protection Regulation (GDPR), we act as a data controller for our data products and a data processor with respect to our software solutions. Since the European Court of Justice invalidated the EU-U.S. Privacy Shield Framework, we now rely on the EU Standard Contractual Clauses (SCCs), as updated, as well as our technical, contractual, and security measures, to ensure that our European customers have the appropriate legal mechanisms in place for their personal data to be accessed from within the United States. We are required to take steps to legitimize any personal data transfers impacted by these developments, and to engage in contract negotiations with third parties that aid in processing personal data on our behalf. We may be subject to increased costs of compliance and limitations on our service providers and us. In the United States, the U.S. Department of Health and Human Services promulgated privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that cover protected health information (PHI) by limiting use and disclosure and giving individuals the right to access, amend, and seek accounting of their PHI. Certain of our customers may be either business associates or covered entities under HIPAA, which means we must maintain a HIPAA compliance program. There is also the potential for the U.S. federal government to pass additional data privacy laws. Several states have laws or have indicated an intention to enact laws imposing additional obligations and limitations on businesses that collect personal information and creating new privacy rights for individuals. For example, under the California Consumer Privacy Act (CCPA), as amended, we are generally considered a “service provider” for our software solutions and a “business” for our data and analytics products. Some of these laws and regulations also target certain types of marketing and advertising based on the use of personal information. Veeva Crossix, for instance, provides analytics derived from de-identified third-party health and consumer data on U.S. residents that life sciences companies use for measurement of their advertising objectives. These various laws, regulations, and legislative developments have potentially far-reaching consequences and may require us to modify our solutions and data management practices and incur substantial expense in order to comply. There is also a trend toward countries enacting data localization obligations, cross-border data transfer restrictions, and other country specific privacy and security requirements which could be problematic to cloud software providers. For example, in 2021, China adopted the Personal Information Protection Law (PIPL), which, together with the Cybersecurity Law (CSL) and the Data Security Law (DSL), has required and will continue to require significant investment and resources to develop our position and provide compliant solutions for our customers. Understanding and implementing country, industry, and customer specific requirements and certifications on top of our internationally recognized security certifications could require additional investment and management attention and may subject us to significant liabilities if we are unable to comply. Compliance with global laws, regulations, and customer demand relating to privacy, data protection, and cybersecurity has and will continue to require valuable management and employee time and resources, and any actual or perceived failure to comply with these laws and regulations could include severe penalties, reputational harm, and reduce demand for our solutions. Veeva Systems Inc. | Form 10-K 19 Veeva Systems Inc. | Form 10-K 19 Veeva Systems Inc. | Form 10-K 19 Veeva Systems Inc. | Form 10-K 19 Table of Contents Table of Contents In addition to government regulations, privacy advocates and other key industry players have established and may establish various new, additional, or different policies or self-regulatory standards, such as the prohibition of third-party cookies and other identifiers in certain digital environments that may place additional burdens or resource constraints on us, limit our ability to collect and use certain data, and limit our ability to generate certain analytics. Our customers may expect us to meet voluntary certifications or adhere to other standards established by third parties. Moreover, the continuing evolution of these standards might cause confusion for our customers and may have an impact on the solutions we offer, including our data products. If we are unable to maintain these certifications or meet these standards, it could reduce demand for our solutions and adversely affect our business and operating results. Customers expect that our solutions can be used in compliance with applicable data protection and data privacy laws and regulations. The functional and operational requirements and costs of compliance with such laws and regulations may adversely impact our business. Data protection authorities from around the world will from time to time review our products and services and their compliance with applicable laws and regulations. Failure to comply with such laws and regulations could lead to inspections, audits, regulatory investigations and other proceedings, significant fines, penalties, and other relief imposed by government agencies and regulatory bodies, and claims, demands, and litigation by our customers or third parties, which may result in substantial damages and other liabilities. All of these domestic and international legislative and regulatory initiatives could adversely affect our customers’ ability or desire to collect, use, process, store, and disclose personal information and health data using our solutions, or to license data products from us, which could reduce demand for our solutions.

We currently depend on the Salesforce platform to deliver our multichannel CRM applications, but in December 2022 we announced plans to migrate our CRM customers to our Vault CRM solutions, which are built on our Veeva Vault platform. We also announced that we do not intend to renew our agreement with Salesforce, Inc. for use of the Salesforce platform. Vault CRM is currently used by early adopters and we intend to make Vault CRM generally available to all customers in April 2024. Veeva CRM will be supported until September 1, 2030. The migration of our Veeva CRM customers will require time and expense, which may be significant. These migration processes are complex and we cannot be certain that we will be successful or that the Veeva Vault platform will be ready for migration on our intended timeline or the timeline necessary to support our customers. Further, some existing customers may decide not to migrate to Vault CRM and may decide to use a different CRM solution. Additionally, Vault CRM may encounter difficulties supporting the increased volume of users migrating from Veeva CRM, leading to outages or other performance problems. Any disruptions in our services or other migration-related problems, whether or not such incidents are our fault, that could subject us to liability or harm our reputation. If we are unsuccessful migrating our Veeva CRM customers to Vault CRM, encounter disruptions or other problems in the migration process, or our customers do not migrate to the Vault CRM in a timely manner, or at all, our business, operating results, and brand could be materially and adversely affected.

We currently depend on the Salesforce platform to deliver our multichannel CRM applications, but we recently announced plans to migrate those applications to our Veeva Vault platform. We also recently announced that we do not intend to renew our agreement with Salesforce, Inc. for use of the Salesforce platform. We currently intend to make our CRM applications available on the Veeva Vault platform in 2024 for early adopters and in 2025 for all customers, but we may not be successful in achieving this timeline. All existing CRM customers will be required to migrate to the Veeva Vault platform by September 1, 2030. The migration of our CRM applications and the migration of existing customers will require time and expense, which may be significant. These migration processes are complex and we cannot be certain that we will be successful or that the Veeva Vault platform will be ready for migration on our intended timeline or the timeline necessary to support our customers. Further, some existing customers may decide not to migrate to the Veeva Vault platform and may decide to use a different CRM solution. During the migration period, there may be disruptions in our services or other migration-related problems, whether or not such incidents are our fault, that could subject us to liability or harm our reputation. If we are unsuccessful migrating our multichannel CRM applications to the Veeva Vault platform, encounter disruptions or other problems in the migration process, or our customers do not migrate to the Veeva Vault platform in a timely manner, or at all, our business, operating results and brand could be materially and adversely affected.