Veeva Systems Inc.: 10-K Risk Factor Changes

Our success and ability to compete depend in part upon our intellectual property. As of January 31, 2026, we have filed numerous domestic and foreign patent applications and have been issued 111 U.S. patents and 11 international patents. We also rely on copyright, trade secret and trademark laws, trade secret protection and confidentiality or license agreements with our employees, customers, partners, consultants and others to protect our intellectual property rights. However, the steps we take to protect our intellectual property rights may be inadequate and we may not be able to prevent the unauthorized disclosure or use of our technical knowledge, trade secrets or other confidential information. Further, if there is a breach or violation of the terms of our confidentiality agreements, we may not have adequate remedies. Our ability to enforce our patent rights is subject to significant risks and uncertainties. Competitors or other third parties may be able to circumvent or design around our patents. Furthermore, the validity, scope, and enforceability of our patents may be challenged in proceedings before the U.S. Patent and Trademark Office’s Patent Trial and Appeal Board (“PTAB”), including through Inter Partes Review (“IPR”) and Post-Grant Review (“PGR”) proceedings, or in federal district court litigation. Moreover, we cannot provide assurance that our patent portfolio covers every significant feature of our solutions or that we will properly mark our products with all applicable patents. In addition, in order to protect our intellectual property rights, we may also be required to spend significant resources to maintain, monitor and protect these rights. Litigation brought to defend, protect, and enforce our intellectual property rights could be costly, time-consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property (for example, if an entity against which we have asserted an intellectual property claim is successful in attacking the validity of our intellectual property). A successful challenge to our patents or a failure to adequately protect or mark our intellectual property could prevent or limit our ability to seek injunctive relief or recover damages for infringement. Furthermore, negative publicity related to a Veeva Systems Inc. | Form 10-K31 Veeva Systems Inc. | Form 10-K31 Veeva Systems Inc. | Form 10-K31 Veeva Systems Inc. | Form 10-K 31 Table of Contents Table of Contents decision by us to initiate such enforcement actions against a customer or former customer, regardless of its accuracy, may adversely impact our other customer relationships or prospective customer relationships, harm our brand and business and could cause the market price of our common stock to decline. Our failure to secure, protect and enforce our intellectual property rights could adversely affect our brand and our business.

Our success and ability to compete depend in part upon our intellectual property. As of January 31, 2025, we have filed numerous domestic and foreign patent applications and have been issued 83 U.S. patents and 13 international patents. We also rely on copyright, trade secret and trademark laws, trade secret protection and confidentiality or license agreements with our employees, customers, partners, consultants and others to protect our intellectual property rights. However, the steps we take to protect our intellectual property rights may be inadequate and we may not be able to prevent the unauthorized disclosure or use of our technical knowledge, trade secrets or other confidential information. Further, if there is a breach or violation of the terms of our confidentiality agreements, we may not have adequate remedies. In addition, in order to protect our intellectual property rights, we may also be required to spend significant resources to maintain, monitor and protect these rights. Litigation brought to protect and enforce our intellectual property rights could be costly, time-consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property (for example, if an entity against which we have asserted an intellectual property claim is successful in attacking the validity of our intellectual property). Negative publicity related to a decision by us to initiate such enforcement actions against a customer or former customer, regardless of its accuracy, may adversely impact our other customer relationships or prospective customer relationships, harm our brand and business and could cause the market price of our common stock to decline. Our failure to secure, protect and enforce our intellectual property rights could adversely affect our brand and our business.

We are subject to income taxes in the United States and various foreign jurisdictions. Our domestic and international tax liabilities are subject to the allocation of expenses in differing jurisdictions and complex transfer pricing regulations administered by taxing authorities in these jurisdictions. Tax rates may change as a result of factors outside of our control or relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. In addition, changes in tax and trade laws, treaties or regulations, or their interpretation or enforcement, have become more unpredictable and may become more stringent, which could have a material adverse effect on our tax position. Additionally, volatility in our stock price would affect the excess tax benefits from our equity compensation, which may adversely impact our effective tax rate. Forecasting our estimated annual effective tax rate is complex and subject to uncertainty, and there may be material differences between our forecasted and actual tax rates. Moreover, increases in our effective tax rate would reduce our profitability. Our income tax provision could also be impacted by changes in accounting principles and changes in U.S. federal and state or international tax laws applicable to multinational corporations. For example, the One Big Beautiful Bill Act includes significant tax provisions such as the permanent extension of certain expiring provisions of the Tax Cuts and Jobs Act of 2017 (“TCJA”), modifications to the international tax framework and restoration of immediate expensing for domestic research and development expenditures, which were previously required to be capitalized and amortized over five years under TCJA. Changes in the interpretation or implementation of this new law have impacted in the past and may impact in the future the calculation of our tax payments and our financial results. Any changes in taxing jurisdictions’ administrative interpretations, decisions, policies, and positions could also impact our tax liabilities. The overall tax environment has made it increasingly challenging for multinational corporations to operate with certainty about taxation in many jurisdictions. For example, the Organisation for Economic Co-operation and Development (“OECD”) continues to implement reforms to the international tax system, including a 15% global minimum effective corporate tax rate referred to as Pillar Two. Since the initial implementation of Pillar Two by several countries in 2024, the framework has continued to evolve, most notably with the OECD/G20’s January 2026 release of the “side-by-side” package. While as a US-parented multinational business we could be exempt from certain Pillar Two provisions for fiscal years beginning on or after January 1, 2026, provided we meet specific eligibility criteria, the increasingly complex global tax environment could still have a material adverse effect on our effective tax rate, results of operations, cash flows, and financial condition. We will continue to monitor and assess the implications of OECD-related developments to the side-by-side system, and the evolving Pillar Two framework. Finally, we have been, and may be in the future, subject to income tax audits throughout the world. We believe our income, employment, and transactional tax liabilities are reasonably estimated and accounted for in accordance with applicable laws and principles, but an adverse resolution of one or more uncertain tax positions in any period could have a material impact on the results of operations for that period.

We are subject to income taxes in the United States and various foreign jurisdictions. Our domestic and international tax liabilities are subject to the allocation of expenses in differing jurisdictions and complex transfer pricing regulations administered by taxing authorities in these jurisdictions. Tax rates may change as a result of factors outside of our control or relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. In addition, changes in tax and trade laws, treaties or regulations, or their interpretation or enforcement, have become more unpredictable and may become more stringent, which could have a material adverse effect on our tax position. Additionally, volatility in our stock price would affect the excess tax benefits from our equity compensation, which may adversely impact our effective tax rate. Forecasting our estimated annual effective tax rate is complex and subject to uncertainty, and there may be material differences between our forecasted and actual tax rates. Moreover, increases in our effective tax rate would reduce our profitability. Our income tax provision could also be impacted by changes in accounting principles and changes in U.S. federal and state or international tax laws applicable to multinational corporations. For example, the Tax Cuts and Jobs Act of 2017 eliminated the option to currently deduct research and development expenditures and required taxpayers to capitalize and amortize them over five or fifteen years, which has negatively impacted our cash from operations. We made significant judgments and assumptions in the interpretation of this new law and in our calculations reflected in our financial results. Any changes in taxing jurisdictions' administrative interpretations, decisions, policies, and positions could also impact our tax liabilities. The overall tax environment has made it increasingly challenging for multinational corporations to operate with certainty about taxation in many jurisdictions. For example, the Organisation for Economic Co-operation and Development (OECD) is making progress with ongoing reforms of the international tax system, including changes to the practice of shifting profits among affiliated entities located in different tax jurisdictions. In October 2021, the OECD announced that more than 135 jurisdictions agreed on a two-pillar solution Veeva Systems Inc. | Form 10-K26 Veeva Systems Inc. | Form 10-K26 Veeva Systems Inc. | Form 10-K26 Veeva Systems Inc. | Form 10-K 26 Table of Contents Table of Contents to address the tax challenges arising from the digitalization of the economy, including a global minimum effective corporate tax rate of 15% for certain large multinational companies, referred to as Pillar Two. A number of countries, including the United Kingdom, have implemented the legislation effective January 1, 2024, and we expect others to follow. However, this did not have an adverse impact on our income tax provision for the 2025 fiscal year. We continue to monitor and assess the developments and implications surrounding changes in the global tax environment, including Pillar Two. The increasingly complex global tax environment could have a material adverse effect on our effective tax rate, results of operations, cash flows, and financial condition. Finally, we have been, and may be in the future, subject to income tax audits throughout the world. We believe our income, employment, and transactional tax liabilities are reasonably estimated and accounted for in accordance with applicable laws and principles, but an adverse resolution of one or more uncertain tax positions in any period could have a material impact on the results of operations for that period.

The markets for our solutions are highly competitive. In new sales cycles within our largest product categories, we generally compete with other cloud-based solutions from providers that make applications geared toward the life sciences industry. Our CRM solutions primarily compete with Salesforce, Inc., which has developed a life sciences industry-specific CRM application. IQVIA, which historically offered a competitive CRM solution, has licensed its CRM software to Salesforce. Our Veeva Data Cloud products as well as Veeva Crossix, compete with IQVIA, Ipsos Group S.A., Definitive Health Corp., and smaller data and data analytics providers. IQVIA, Dassault Systèmes, OpenText Corporation, Oracle Corporation, Honeywell International Inc., and other smaller application providers offer applications that compete with certain of our Veeva Development Cloud or Veeva Quality Cloud applications. Our Veeva Commercial Cloud, Veeva Development Cloud, and Veeva Quality Cloud applications also compete to replace client server-based legacy solutions offered by companies such as Oracle, Microsoft Corporation, and other smaller application providers. Our customers may also choose to use cloud-based applications or platforms that are not life sciences specific—such as Salesforce, Box.com, Amazon Web Services, or Microsoft—for certain of the functions our applications provide. Our business consulting and professional services offerings compete with a range of professional services firms, which include, at times, some of our partners. With the introduction of new technologies, we expect competition to intensify in the future, and we may face competition from new market entrants as well. As we transition from our legacy Veeva CRM application to our Vault CRM application, as discussed in more detail below, certain customers have chosen, and other customers may in the future choose, to purchase CRM solutions from a competitor. For example, Salesforce, our primary CRM competitor, has announced that certain large Veeva CRM customers have committed to purchasing its CRM solutions and a number of our customers have informed us of their intent to move to Salesforce as their CRM provider. Some of our actual and potential competitors have advantages over us, such as longer operating histories, significantly greater financial, technical, marketing or other resources, stronger brand and business recognition, larger intellectual property portfolios, and agreements with a broader set of system integrators and other partners. In addition, our competitors have offered price concessions, delayed payment terms, or other more favorable terms and conditions in light of the recent macroeconomic environment. If our actual or potential competitors’ products, services, or technologies become more accepted than our solutions, if they are successful in bringing their products or services to market earlier than we are, if their products or services are more technologically capable than ours (including as a result of new or better use of evolving AI technologies), or if customers replace our solutions with custom-built software, then our revenues could be adversely affected. Moreover, if we enter new markets, we will likely face competition and will need to adapt to competitive factors that may be different from those we face today. Pricing pressures and increased competition could result in reduced sales, reduced margins, losses, or a failure to maintain or improve our competitive market position, any of which could adversely affect our business. For all of these reasons, we may not be able to compete favorably against our current and future competitors.

The markets for our solutions are highly competitive. In new sales cycles within our largest product categories, we generally compete with other cloud-based solutions from providers that make applications geared toward the life sciences industry. Our CRM solutions primarily compete with Salesforce, Inc., which is developing a life sciences industry-specific CRM application and has entered into a partnership with IQVIA Holdings, which also offers various data products and other applications that compete with our products. Our Veeva Data Cloud products as well as Veeva Crossix, compete with IQVIA, Ipsos Group S.A., Definitive Health Corp., and smaller data and data analytics providers. IQVIA, Dassault Systèmes, OpenText Corporation, Oracle Corporation, Honeywell International Inc., and other smaller application providers offer applications that compete with certain of our Veeva Development Cloud or Veeva Quality Cloud applications. Our Veeva Commercial Cloud, Veeva Development Cloud, and Veeva Quality Cloud applications also compete to replace client server-based legacy solutions offered by companies such as Oracle, Microsoft Corporation, and other smaller application providers. Our customers may also choose to use cloud-based applications or platforms that are not life sciences specific—such as Salesforce, Inc., Box.com, Amazon Web Services, or Microsoft—for certain of the functions our applications provide. Our business consulting and professional services offerings compete with a range of professional services firms, which include, at times, some of our partners. With the introduction of new technologies, we expect competition to intensify in the future, and we may face competition from new market entrants as well. As we transition from our legacy Veeva CRM application to our Vault CRM application, as discussed in more detail below, certain customers have chosen, and other customers may in the future choose, to purchase CRM solutions from a competitor. For example, Salesforce, our primary CRM competitor, recently announced that a large Veeva CRM customer has committed to purchasing its CRM solutions. Some of our actual and potential competitors have advantages over us, such as longer operating histories, significantly greater financial, technical, marketing or other resources, stronger brand and business recognition, larger intellectual property portfolios, and agreements with a broader set of system integrators and other partners. In addition, our competitors have offered price concessions, delayed payment terms, or other more favorable terms and conditions in light of the recent macroeconomic environment. If our competitors’ products, services, or technologies become more accepted than our solutions, if they are successful in bringing their products or services to market earlier than we are, if their products or services are more technologically capable than ours (including as a result of new or better use of evolving AI technologies), or if customers replace our solutions with custom-built software, then our revenues could be adversely affected. Moreover, if we enter new markets, we will likely face competition and will need to adapt to competitive factors that may be different from those we face today. Pricing pressures and increased competition could result in reduced sales, reduced margins, losses, or a failure to maintain or improve our competitive market position, any of which could adversely affect our business. For all of these reasons, we may not be able to compete favorably against our current and future competitors.

The below is a summary of principal risks to our business and risks associated with ownership of our stock. It is only a summary. You should read the more detailed discussion of risks set forth below and elsewhere in this report for a more complete discussion of the risks listed below and other risks. •If our security measures are breached or unauthorized access to customer data is otherwise obtained, our solutions may be perceived as not being secure, customers may reduce or stop the use of our solutions, and we may incur significant liabilities. •We face intense competition in markets in which we operate—particularly in the CRM market as we transition customers from our legacy CRM application to our Vault CRM application—and if we do not compete effectively, we may lose customers and our business and operating results could be adversely affected. •Defects or disruptions in our solutions could result in diminished demand for our solutions and a reduction in our revenues, and subject us to substantial liability. •If our newer solutions are not successfully adopted by new and existing customers, the growth rate of our revenues and operating results will be adversely affected. •Our revenues are relatively concentrated within a small number of key customers, and the loss of one or more of such key customers could cause our revenues to decline. •Nearly all of our revenues are generated by sales to customers in the life sciences industry, and factors that adversely affect this industry (including government funding and staffing of relevant agencies and research, drug pricing regulation, healthcare funding and eligibility reforms, regulation of pharmaceutical advertising, or other regulatory or policy changes) could also adversely affect us. •Uncertain macroeconomic and geopolitical factors, including as a result of changes in trade policies and practices (including the imposition of additional tariffs or threats to impose additional tariffs), worldwide inflationary pressures, currency exchange fluctuations, changes in interest rates or other economic policies, geopolitical conflicts (like the Russian invasion of Ukraine and the conflict in the Middle East), and concerns about a possible domestic or global recession, may cause instability in the global economy, and disruptions within the life sciences industry that may negatively impact our business, our financial results, and our stock price. •The migration of our customers to our Vault CRM applications built on our own Veeva Vault platform could cause business disruptions for customers and adversely affect our operating results. •Over the longer term our revenue growth rates are likely to fluctuate from year to year and may decline, and, as our costs increase, we may not be able to sustain the same level of profitability we have achieved in the past. •We rely on third-party providers for computing infrastructure, secure network connectivity, and other technology-related services needed to deliver our cloud solutions, and any slowdown, failure, or disruption in the services provided by them could adversely affect our business and subject us to liability. •Difficulty attracting and retaining highly skilled employees could adversely affect our business and efforts to attract and retain such employees may increase our expenses. •Changing laws, regulations, and enforcement priorities, including increasingly complex U.S. and international data privacy and information security regulations and measures specific to the life sciences Veeva Systems Inc. | Form 10-K13 Veeva Systems Inc. | Form 10-K13 Veeva Systems Inc. | Form 10-K13 Veeva Systems Inc. | Form 10-K 13 Table of Contents Table of Contents industry, may impose additional costs for compliance, reduce demand for our solutions, and subject us to significant liabilities. •We have been and may in the future be sued for infringement or misappropriation of third-party intellectual property. We may suffer damages, which could be significant, or other harm from these lawsuits. •We may acquire other companies or technologies, which could divert our management’s attention, result in additional dilution to our stockholders, and otherwise disrupt our operations and adversely affect our operating results.

The below is a summary of principal risks to our business and risks associated with ownership of our stock. It is only a summary. You should read the more detailed discussion of risks set forth below and elsewhere in this report for a more complete discussion of the risks listed below and other risks. •If our security measures are breached or unauthorized access to customer data is otherwise obtained, our solutions may be perceived as not being secure, customers may reduce or stop the use of our solutions, and we may incur significant liabilities. •The markets in which we participate are highly competitive, and if we do not compete effectively, our business and operating results could be adversely affected. •If our newer solutions are not successfully adopted by new and existing customers, the growth rate of our revenues and operating results will be adversely affected. •Our revenues are relatively concentrated within a small number of key customers, and the loss of one or more of such key customers could cause our revenues to decline. •Defects or disruptions in our solutions could result in diminished demand for our solutions and a reduction in our revenues, and subject us to substantial liability. •The migration of our customers to our Vault CRM applications built on our own Veeva Vault platform could cause business disruptions for customers, lead to the loss of our customers to competitors, and adversely affect our operating results. •Nearly all of our revenues are generated by sales to customers in the life sciences industry, and factors that adversely affect this industry (including regulatory, funding, or policy changes) could also adversely affect us. •Uncertain macroeconomic and geopolitical factors, including as a result of worldwide inflationary pressures and changes in interest rates, currency exchange fluctuations, changes in trade policies and practices (including the imposition of tariffs) or other economic policies, geopolitical conflicts (like the Russian invasion of Ukraine and the regional conflict in the Middle East), and concerns about a possible domestic or global recession, may cause instability in the global economy, and disruptions within the life sciences industry that may negatively impact our business, our financial results, and our stock price. •Over the longer term our revenue growth rates are likely to fluctuate from year to year and may decline, and, as our costs increase, we may not be able to sustain the same level of profitability we have achieved in the past. •Difficulty attracting and retaining highly skilled employees could adversely affect our business and efforts to attract and retain such employees may increase our expenses. •If the third-party providers of healthcare professional and healthcare organization data and prescription drug sales data, such as IQVIA for instance, do not allow our customers to upload and use such data in our solutions, the demand for our solutions may decrease, and our business may be negatively impacted. •We rely on third-party providers for computing infrastructure, secure network connectivity, and other technology-related services needed to deliver our cloud solutions, and any slowdown, failure, or disruption in the services provided by them could adversely affect our business and subject us to liability. •Changing laws, regulations, and enforcement priorities, including increasingly complex U.S. and international data privacy and information security regulations and measures specific to the life sciences Veeva Systems Inc. | Form 10-K9 Veeva Systems Inc. | Form 10-K9 Veeva Systems Inc. | Form 10-K9 Veeva Systems Inc. | Form 10-K 9 Table of Contents Table of Contents industry, may impose additional costs for compliance, reduce demand for our solutions, and subject us to significant liabilities. •We are currently being sued by third parties for alleged misappropriation of trade secrets. We may suffer damages, which could be significant, or other harm from these lawsuits and we may be sued for infringement or misappropriation of third-party intellectual property in the future. •We may acquire other companies or technologies, which could divert our management’s attention, result in additional dilution to our stockholders, and otherwise disrupt our operations and adversely affect our operating results.

We use the Salesforce platform to deliver our Veeva CRM application, but we have begun to migrate our CRM customers to our Vault CRM solutions, which are built on our Veeva Vault platform. Veeva CRM will be supported until December 31, 2029. The migration of our Veeva CRM customers will require time and expense, which may be significant. These migration processes are complex and we cannot be certain that we will be successful. Additionally, the migration may lead to outages or performance problems with Vault CRM or other Vault applications if we encounter difficulties supporting the increased volume of users migrating from Veeva CRM. Any disruptions in our services or other migration-related problems, whether or not such incidents are our fault, could subject us to liability or harm our reputation. If we are unsuccessful migrating our Veeva CRM customers to Vault CRM, or encounter disruptions, delays, or other problems in the migration process, our business, operating results, and brand could be materially and adversely affected.

We currently depend on the Salesforce platform to deliver our Veeva CRM application, but we have begun to migrate our CRM customers to our Vault CRM solutions, which are built on our Veeva Vault platform. We do not intend to renew our agreement with Salesforce, Inc. for use of the Salesforce platform. Veeva CRM will be supported until September 1, 2030. The migration of our Veeva CRM customers will require time and expense, which may be significant. These migration processes are complex and we cannot be certain that we will be successful. Further, certain customers have decided, and other customers may in the future decide, not to migrate to Vault CRM and use a different CRM solution, including a CRM solution provided by Salesforce. Additionally, the migration may lead to outages or performance problems with Vault CRM or other Vault applications if we encounter difficulties supporting the increased volume of users migrating from Veeva CRM. Any disruptions in our services or other migration-related problems, whether or not such incidents are our fault, that could subject us to liability or harm our reputation. If we are unsuccessful migrating our Veeva CRM customers to Vault CRM, encounter disruptions or other problems in the migration process, or our customers do not migrate to the Vault CRM in a timely manner, or at all, our business, operating results, and brand could be materially and adversely affected. Veeva Systems Inc. | Form 10-K12 Veeva Systems Inc. | Form 10-K12 Veeva Systems Inc. | Form 10-K12 Veeva Systems Inc. | Form 10-K 12 Table of Contents Table of Contents

While we have experienced significant revenue growth in prior periods, it is not indicative of our future revenue growth. Our total revenue and subscription revenue growth rates have declined in the past and may decline in the future. In our fiscal years ended January 31, 2026, 2025, and 2024, our total revenues grew by 16%, 16%, and 10% respectively, as compared to total revenues from the prior fiscal years. In our fiscal years ended January 31, 2026, 2025, and 2024, our subscription revenues grew by 17%, 20%, and 10% respectively, as compared to subscription revenues from the prior fiscal years. Over the longer term, our revenue growth rates are likely to fluctuate from year to year and may decline. If we are unable to maintain consistent revenue growth, it may adversely impact our profitability and the value of our common stock.

While we have experienced significant revenue growth in prior periods, it is not indicative of our future revenue growth. Our total revenues and subscription services revenue growth rates have declined in the past and may decline in the future. In our fiscal years ended January 31, 2025, 2024, and 2023, our total revenues grew by 16%, 10%, and 16% respectively, as compared to total revenues from the prior fiscal years. In our fiscal years ended January 31, 2025, 2024, and 2023, our subscription services revenues grew by 20%, 10%, and 17% respectively, as compared to subscription services revenues from the prior fiscal years. Over the longer term, our revenue growth rates are likely to fluctuate from year to year and may decline. If we are unable to maintain consistent revenue growth, it may adversely impact our profitability and the value of our common stock.

We process personal data on behalf of our customers, who use our solutions to manage personal data of their employees, healthcare professionals, patients, and related individuals. We also process personal data as part of the Veeva Data Cloud offerings, which provide our customers with professionally relevant data related to healthcare providers and other industry professionals and stakeholders. In addition, we process personal data to provide services that allow healthcare marketers to reach their target audiences and to measure the impact of their media campaigns. In some cases, the personal data that we process includes sensitive personal data, such as health data. Many countries and governmental bodies have adopted or may adopt laws and regulations governing our processing of personal and other data, making compliance an increasingly complex task. For example, we are regulated under the European General Data Protection Regulation (“EU GDPR”) and the United Kingdom’s General Data Protection Regulation (“UK GDPR”), as amended by the Data (Use and Access) Act of 2025, where we act as a data controller for our data products and a data processor with respect to our software products. In China, we are regulated under China’s Personal Information Protection Law (“PIPL”), where we process data as an entrusted party on behalf of our customers who operate as data handlers. In certain cases, we are regulated under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that covers protected health information collected or maintained by covered entities and their business associates. Additionally, many states in the U.S. have passed comprehensive privacy legislation, such as the California Consumer Privacy Act (amended by the California Privacy Rights Act). Some states in the U.S. also have passed legislation governing the processing of particular types of data, such as biometric data and certain other health-related data. These laws and regulations impose data subject notice or transparency requirements, mandated privacy and security standards, and registration obligations. They also grant rights to data subjects, such as allowing them to access, correct, delete, or opt out of the sale or sharing of their information. Some of these laws and regulations target certain types of marketing and advertising based on the use of personal information. For example, in response to the State of Washington’s My Health My Data Act, which placed significant restrictions on how businesses can collect, use, and disclose consumer health data, we added limitations to the audience segments on our Veeva Crossix data platform. Other states have considered, and in certain cases, enacted, similar laws. In addition, certain laws and regulations impose data localization obligations, cross-border data transfer restrictions, and other country-specific privacy and security requirements, which could be problematic to cloud software and data providers. In these cases, we are required to take steps to legitimize any personal data transfers in these jurisdictions, and to engage in contract negotiations with third parties that aid in processing personal data on our behalf. In China, for example, we offer the China CRM Suite, a CRM solution that does not require data to be transferred outside of China. We maintain active self-certifications under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. We also rely on standard contractual clauses in various jurisdictions, such as the EU, Switzerland, the UK, and Brazil, as well as our technical, contractual, and security measures. These mechanisms help ensure that we, and our customers, have the appropriate legal frameworks in place for personal data to be transferred internationally. In 2025, the U.S. Department of Justice issued a final rule that places limitations, and in some cases prohibitions, on certain transfers of and access to certain personal data of U.S. persons by persons and entities located in China (and other designated countries) or controlled by a person or entity located in China (and other designated Veeva Systems Inc. | Form 10-K23 Veeva Systems Inc. | Form 10-K23 Veeva Systems Inc. | Form 10-K23 Veeva Systems Inc. | Form 10-K 23 Table of Contents Table of Contents countries). Additionally, the French governmental agency for health mandates a certification requiring that personal health data collected during healthcare activities be stored exclusively within the European Economic Area. These laws and regulations impose significant data protection obligations and carry substantial penalties for noncompliance. Furthermore, the application and interpretation of these laws and regulations are complex and, at times, unclear and inconsistent. We expect these laws and regulations to continue to evolve, and that there will continue to be new, modified, and re-interpreted laws, regulations, standards, and other obligations relating to privacy, data protection, and cybersecurity, introducing uncertainty and increasing complexity. For example, the Network and Information Security Directive II (“NIS2”), adopted in 2023, aims to enhance cybersecurity across critical infrastructure and essential services in the EU. NIS2 provides for all 27 EU member states to have issued implementing legislation by October 2024; however, several EU member states have not finalized their respective legislation and guidance. The EU Data Act, which came into effect September 12, 2025, allows our EU customers to cancel their subscriptions without cause upon providing the notice and after the transition period specified by the Act. Furthermore, new and evolving regulations relating to the use of data in AI and machine learning technologies, such as the EU AI Act, are creating an increasingly complex and fragmented regulatory framework. As we expand our data product offerings into new jurisdictions, we are required to assess, monitor, and comply with additional laws and regulations related to our collection and processing of data, which may include new registration, consent, and notification obligations. In addition to our own processing of personal data, our customers expect that our solutions can be used to enable their compliance with applicable data protection, data privacy, and cybersecurity laws and regulations. These various laws, regulations, and legislative developments have potentially far-reaching consequences and have and may continue to require us to modify our solutions, our global support business, and our data management practices and incur substantial expense in our efforts to comply. Our work to comply with these global laws and regulations has and will continue to require valuable management and employee time and resources and modification of our products or operations and may also limit use and adoption of our products. Data protection authorities from around the world will from time to time review our products and services and their compliance with applicable laws and regulations. Any actual or perceived failure to comply with such laws and regulations or other actual or asserted obligations relating to privacy, data protection, cybersecurity, or our processing of data could lead to inspections, audits, regulatory investigations and other proceedings, significant fines, penalties, and other relief imposed by government agencies and regulatory bodies, and claims, demands, and litigation by our customers or third parties, which may reduce demand for our solutions and result in reputational harm, substantial damages and other liabilities. In addition to governmental laws and regulations, privacy advocates and other key industry players have, and may continue to, establish various new standards and certifications, such as the prohibition of third-party cookies and other identifiers in certain digital environments, that may place additional burdens or resource constraints on us, limit our ability to collect, use, and otherwise process certain data, and limit our ability to generate certain analytics. Our customers may expect us to meet voluntary certifications or adhere to other standards established by third parties. Understanding and implementing industry and customer specific requirements and certifications on top of our internationally recognized security certifications could require additional investment and management attention and may subject us to significant liabilities if we are unable to comply. Moreover, the continuing evolution of these standards might cause confusion for our customers and may have an impact on the solutions we offer. If we are unable to maintain these certifications or meet these standards, it could reduce demand for our solutions and adversely affect our business and operating results.

Our customers use our solutions to collect, use, store, disclose, and otherwise process personal data regarding their employees, healthcare professionals, and patients. Patient data may include sensitive health data. In many countries, governmental bodies have adopted or may adopt laws and regulations regarding the security, collection, use, storage, disclosure, and other processing of personal data, making compliance an increasingly complex task. Under the European General Data Protection Regulation (EU GDPR) and the United Kingdom’s General Data Protection Regulation (UK GDPR), we act as a data controller for our data products and a data processor with respect to our software products. Each of the GDPR and UK GDPR impose significant data protection obligations and provide for substantial penalties and other remedies for noncompliance. We maintain active self-certifications under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. We also rely on EU, Swiss, and UK Standard Contractual Clauses, as well as our technical, contractual, and security measures, to help ensure that our European customers have the appropriate legal mechanisms in place for their personal data to be accessed from within the United States. We are required to take steps to legitimize any personal data transfers impacted by these developments, and to engage in contract negotiations with third parties that aid in processing personal data on our behalf. We may be subject to increased costs of compliance and limitations on our service providers and us. In addition, these laws are complex, with the application and interpretation of them, at times, unclear and inconsistent, and significant penalties may be imposed for non-compliance. For example, in May 2023, the Irish Data Protection Commission imposed a significant fine on a large internet technology corporation for its failure to sufficiently address risks to EU data subjects when transferring data to the U.S. Other countries have imposed or may in the future impose data localization obligations, cross-border data transfer restrictions, and other country specific privacy and security requirements which could be problematic to cloud software and data providers. For example, in 2021, China adopted the Personal Information Protection Law, which, together with the Cybersecurity Law and the Data Security Law, require companies that process personal data of China residents above certain thresholds to seek approval from the Cyberspace Administration of China (CAC) to transfer such data outside of China. In 2023, certain of our Veeva CRM customers in China were required to request such approval from the CAC and had their requests denied. Customers required to request approval may need to implement a CRM solution that does not require data to be transferred outside of China and customers not subject to the requirement may nonetheless choose to do so. While we offer the China CRM Suite, a CRM solution that does not require data to be transferred outside of China, some customers have chosen, and other customers may choose, other CRM providers, which may negatively impact our CRM business in China. Currently, approximately 2% of our total revenue is attributable to China. Additionally, as we expand our data product offerings into new jurisdictions, we are required to assess, monitor, and comply with additional laws and regulations related to our collection and processing of data, which may include new registration, consent, and notification obligations. We also expect laws, regulations, industry standards and other obligations in relating to privacy, data protection, and cybersecurity to continue to evolve, and that there will continue to be new, modified, and re-interpreted laws, regulations, standards, and other obligations in these areas. For example, the Network and Information Security Directive II (NIS2), adopted in 2023, aims to enhance cybersecurity across critical infrastructure and essential services in the EU. NIS2 provides for all 27 EU member states to have issued implementing legislation by October 2024; however, several EU member states have not finalized their respective legislation and guidance. In the United States, the U.S. Department of Health and Human Services has promulgated privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that cover protected health information (PHI) by limiting use and disclosure and giving individuals the right to access, amend, and seek accounting of disclosures of their PHI. Certain of our customers may be either business associates or covered entities under HIPAA, which means we must maintain a HIPAA compliance program. There is also the potential for the U.S. federal government to pass additional data privacy laws. Veeva Systems Inc. | Form 10-K19 Veeva Systems Inc. | Form 10-K19 Veeva Systems Inc. | Form 10-K19 Veeva Systems Inc. | Form 10-K 19 Table of Contents Table of Contents U.S. federal and state data privacy laws are rapidly evolving. These laws impose new and modify existing obligations on businesses that collect personal information, create new privacy rights for individuals, and contain enhanced requirements for and restrictions on data brokers. For example, under the California Consumer Privacy Act (CCPA), as amended, we are generally considered a “service provider” for our software solutions and a “business” for our data products. Some of these laws and regulations also target certain types of marketing and advertising based on the use of personal information. The State of Washington, for example, passed the My Health My Data Act, which became effective on March 21, 2024, establishing significant new restrictions on how businesses can collect, use, and disclose consumer health data. Veeva Crossix’s data platform combines large-scale data sets, inclusive of de-identified health and consumer data, to provide insights, analytics, and audience segmentation for our life sciences customers in the U.S. In response to the Washington law, we made modifications to our audience segments that may reduce demand for our Crossix products, which, in turn, could adversely impact the business. Other states have considered, and in certain cases enacted, similar laws. Additionally, the U.S. Department of Justice recently issued a final rule that takes effect on April 8, 2025, and places limitations, and in some cases prohibitions, on certain transfers of sensitive personal data to data to business partners located in China or with other specified links to China and other designated countries. These various laws, regulations, and legislative developments have potentially far-reaching consequences and have and may continue to require us to modify our solutions and data management practices and incur substantial expense in order to comply. In addition to governmental laws and regulations, privacy advocates and other key industry players have, and may continue to, establish various new standards and certifications, such as the prohibition of third-party cookies and other identifiers in certain digital environments, that may place additional burdens or resource constraints on us, limit our ability to collect, use, and otherwise process certain data, and limit our ability to generate certain analytics. Our customers may expect us to meet voluntary certifications or adhere to other standards established by third parties. Understanding and implementing industry and customer specific requirements and certifications on top of our internationally recognized security certifications could require additional investment and management attention and may subject us to significant liabilities if we are unable to comply. Moreover, the continuing evolution of these standards might cause confusion for our customers and may have an impact on the solutions we offer. If we are unable to maintain these certifications or meet these standards, it could reduce demand for our solutions and adversely affect our business and operating results. Customers expect that our solutions can be used in compliance with applicable data protection, data privacy and cybersecurity laws and regulations. Compliance with these global laws and regulations, including any new or evolving regulations relating to the use of data in AI and machine learning technologies, such as the EU AI Act, has and will continue to require valuable management and employee time and resources and modification of our products or operations, and may also limit use and adoption of our products. Data protection authorities from around the world will from time to time review our products and services and their compliance with applicable laws and regulations. Any actual or perceived failure to comply with such laws and regulations or other actual or asserted obligations relating to privacy, data protection, or cybersecurity could lead to inspections, audits, regulatory investigations and other proceedings, significant fines, penalties, and other relief imposed by government agencies and regulatory bodies, and claims, demands, and litigation by our customers or third parties, which may reduce demand for our solutions and result in reputational harm, substantial damages and other liabilities.

Veeva AI, an initiative that adds AI to our applications across all major areas, including clinical, regulatory, safety, quality, medical, and commercial, presents new risks and challenges that could affect the adoption of our solutions and our business. If our AI offerings draw controversy due to their perceived or actual impact on privacy, security or confidentiality, inefficacy or inaccuracy, or contribution to bias, discrimination, other ethical harms, or other matters, we may experience new or enhanced governmental or regulatory scrutiny, brand or reputational harm, competitive harm, or legal liability. If our users lose confidence in the decisions, predictions, analyses, or other content that our AI offerings produce, the adoption of our offerings could be adversely affected, which may harm our operating results and financial condition. We may also use AI for research and development and other internal operational use cases, including the use of AI-enabled processes. The legal, regulatory, and policy environments around AI are evolving rapidly, such as the EU AI Act and legislation proposed and adopted in certain states in the U.S., and we Veeva Systems Inc. | Form 10-K24 Veeva Systems Inc. | Form 10-K24 Veeva Systems Inc. | Form 10-K24 Veeva Systems Inc. | Form 10-K 24 Table of Contents Table of Contents may become subject to new and evolving legal and other obligations. These and other developments may require us to make significant changes to our use of AI, including by limiting or restricting our use of AI or AI-enabled processes, and which may require us to make significant changes to our policies and practices, which may necessitate expenditure of significant time, expense, and other resources. Uncertainty around new and emerging AI applications and regulations may also require us to make significant changes to our use of AI and may cause us to incur increased research and development costs or compliance costs, or divert resources from other development efforts to address issues related to AI governance. If we are unable to mitigate these risks, or if we incur excessive expenses in our efforts to do so, our reputation, business, operating results, and financial condition may be harmed.

We recently began incorporating AI capabilities into certain of our solutions, which presents new risks and challenges that could affect the adoption of our solutions and our business. If our AI offerings draw controversy due to their perceived or actual impact on privacy, security or confidentiality, inefficacy or inaccuracy, or contribution to bias, discrimination, other ethical harms, or other matters, we may experience new or enhanced governmental or regulatory scrutiny, brand or reputational harm, competitive harm or legal liability. If our users lose confidence in the decisions, predictions, analyses, or other content that our AI offerings produce, the adoption of our offerings could be adversely affected, which may harm our operating results and financial condition. The legal, regulatory, and policy environments around AI are evolving rapidly, and we may become subject to new and evolving legal and other obligations. These and other developments may require us to make significant changes to our use of AI, including by limiting or restricting our use of AI, and which may require us to make significant changes to our policies and practices, which may necessitate expenditure of significant time, expense, and other resources. Uncertainty around new and emerging AI applications and regulations may require us to make significant changes to our use of AI, including by limiting or restricting such use, and may cause us to incur increased research and development costs or compliance costs, or divert resources from other development efforts to address issues related to AI governance. If we are unable to mitigate these risks, or if we incur excessive expenses in our efforts to do so, our reputation, business, operating results, and financial condition may be harmed. Veeva Systems Inc. | Form 10-K20 Veeva Systems Inc. | Form 10-K20 Veeva Systems Inc. | Form 10-K20 Veeva Systems Inc. | Form 10-K 20 Table of Contents Table of Contents

We expect our future expenses to increase as we continue to invest in and grow our business. We expect to incur significant future expenditures related to: Veeva Systems Inc. | Form 10-K27 Veeva Systems Inc. | Form 10-K27 Veeva Systems Inc. | Form 10-K27 Veeva Systems Inc. | Form 10-K 27 Table of Contents Table of Contents •developing new solutions and enhancing our existing solutions, and investment in our product development teams; •data acquisition costs associated with our Veeva Compass offering and costs incurred with our use of large language models associated with our Veeva AI offering; •improving the technology infrastructure, scalability, availability, security, and support for our solutions; •sales and marketing, including expansion of our direct sales organization and global marketing programs; •expansion of our professional services organization; •acquisitions and investments; and •general operations, IT systems, facilities, and administration, including legal and accounting expenses. If our efforts to increase revenues and manage our expenses are not successful, or if we incur costs, damages, fines, settlements, or judgments as a result of other risks and uncertainties described in this report, we may not be able to sustain or increase our historical levels of profitability.

We expect our future expenses to increase as we continue to invest in and grow our business. We expect to incur significant future expenditures related to: •developing new solutions and enhancing our existing solutions, including additional data acquisition costs associated with our Veeva Compass offering and investment in our product development teams; •improving the technology infrastructure, scalability, availability, security, and support for our solutions; •sales and marketing, including expansion of our direct sales organization and global marketing programs; •expansion of our professional services organization; •pending, threatened, or future legal proceedings, certain of which are described in Part I, Item 3. “Legal Proceedings” and note 14 of the notes to our consolidated financial statements, and which we expect to continue to result in significant legal expense for the foreseeable future; •international expansion; •acquisitions and investments; and •general operations, IT systems, facilities, and administration, including legal and accounting expenses. If our efforts to increase revenues and manage our expenses are not successful, or if we incur costs, damages, fines, settlements, or judgments as a result of other risks and uncertainties described in this report, we may not be able to sustain or increase our historical levels of profitability.

We are currently dependent upon the Salesforce platform to deliver Veeva CRM. However, we have begun to migrate our Veeva CRM customers to Vault CRM, which is built on our Veeva Vault platform. Our agreement with Salesforce expired on September 1, 2025, and pursuant to the terms of our agreement, during the wind-down period from September 1, 2025 to September 1, 2030, we may not sell applications that utilize the Salesforce platform to new customers and our sales of applications that utilize the Salesforce platform to a customer existing at September 1, 2025 may not exceed 150% of the seats in use by each such customer as of September 1, 2025. After September 1, 2030, we will not be able to sell applications that utilize the Salesforce platform to any customers. Salesforce also has the right, in certain circumstances, to terminate the wind-down period early, including in the event of a material breach of the agreement by us, or if Salesforce is subjected to third-party intellectual property infringement claims based on our solutions (except to the extent based on the Salesforce platform) or our Veeva Systems Inc. | Form 10-K25 Veeva Systems Inc. | Form 10-K25 Veeva Systems Inc. | Form 10-K25 Veeva Systems Inc. | Form 10-K 25 Table of Contents Table of Contents trademarks and we do not remedy such infringement in accordance with the agreement. Also, if we are acquired by specified companies, Salesforce may terminate the agreement upon notice of not less than 12 months. If the Salesforce platform for Veeva CRM becomes unavailable earlier than we anticipate, our business and operations would be adversely affected.

We are currently dependent upon the Salesforce platform to deliver Veeva CRM. However, we have begun to migrate our Veeva CRM customers to Vault CRM, which is built on our Veeva Vault platform, and we do not intend to renew our agreement with Salesforce, Inc. when the current term expires on September 1, 2025. Pursuant to the terms of our agreement, during the wind-down period from September 1, 2025 to September 1, 2030, we may not sell applications that utilize the Salesforce platform to new customers and our sales of applications that utilize the Salesforce platform to a customer existing at September 1, 2025 may not exceed 150% of the seats in use by each such customer as of September 1, 2025. After September 1, 2030, we will not be able to sell applications that utilize the Salesforce platform to any customers. Salesforce, Inc. also has the right to terminate the agreement early in certain circumstances, including in the event of a material breach of the agreement by us, or if Salesforce, Inc. is subjected to third-party intellectual property infringement claims based on our solutions (except to the extent based on the Salesforce platform) or our trademarks and we do not remedy such infringement in accordance with the agreement. Also, if we are acquired by specified companies, Salesforce, Inc. may terminate the agreement upon notice of not less than 12 months. On May 1, 2023, as allowed by the terms of our agreement, Salesforce Inc. terminated certain competition restrictions imposed by the agreement. Per the terms of the agreement, termination of those non-competition obligations by Salesforce, Inc. released us from our minimum order commitments in the future. Under the terms of our current agreement, Salesforce, Inc. is no longer prohibited from promoting third-party products that are competitive to Veeva CRM, treating another third party as a "preferred" vendor of a CRM solution in the pharma and biotech market, or developing or promoting a product that competes with Veeva CRM. For example, Salesforce, Inc. is developing a life sciences industry-specific CRM application that will compete with our offerings and has entered into a partnership with IQVIA. In addition, current or potential customers may choose a competitor, such as Salesforce or IQVIA, or build their own custom solutions on the Salesforce platform rather than buy from us. Any of these events may have a material adverse impact on our business, operating results, and financial condition.