ZM: 10-K Risk Factor Changes

Our ability to increase our customer base and achieve broader market acceptance of our products and services will depend to a significant extent on our ability to expand our marketing and sales operations. We plan to continue expanding our sales and marketing capabilities, including through strategic partners, both domestically and internationally. If we are unable to expand our sales and marketing operations, our future revenue growth and business could be adversely impacted. Identifying and recruiting qualified sales representatives and training them is time consuming and resource intensive, and they may not be fully trained and productive for a significant amount of time. We also plan to dedicate significant resources to sales and marketing programs, including internet and other online advertising. All of these efforts will require us to invest significant financial and other resources, as the cost to acquire customers through these efforts is high. Our business will be harmed if our efforts do not generate a correspondingly significant increase in revenue.

Our ability to increase our customer and host base and achieve broader market acceptance of our products and services will depend to a significant extent on our ability to expand our marketing and sales operations. We plan to continue expanding our sales force and strategic partners, both domestically and internationally. If we are unable to hire a sufficient number of qualified sales personnel in the near term, our future revenue growth and business could be adversely impacted. Identifying and recruiting qualified sales representatives and training them is time consuming and resource intensive, and they may not be fully trained and productive for a significant amount of time. We also plan to dedicate significant resources to sales and marketing programs, including internet and other online advertising. All of these efforts will require us to invest significant financial and other resources. In addition, the cost to acquire customers and hosts is high due to these marketing and sales efforts. Our business will be harmed if our efforts do not generate a correspondingly significant increase in revenue. We will not achieve anticipated revenue growth from expanding our sales force if we are unable to hire, develop, and retain talented sales personnel, our new sales personnel are unable to achieve desired productivity levels in a reasonable period of time, or if our sales and marketing programs are not effective.

We have a significant number of employees, primarily engineers, in China, where personnel costs are less expensive than in many other geographies. The number or proportion of our employees in China has fluctuated in the past and may fluctuate in the future due to a number of factors, including macroeconomic changes and internal restructuring. Geopolitical and national security tensions between the United States and China, or between other countries and China, have in the past, currently are and could in the future lead to increased scrutiny of our business operations in China and a negative perception among current and potential customers regarding our collection, use, storage, disclosure, and processing of personal information, and our privacy policies, any of which may harm our reputation and business. Additionally, we may face certain adverse consequences, as a 27 27 27 Table of Contents Table of Contents result of geopolitical and national security tensions between the United States and China, including interference with, or restrictions on, our local operations that would impair our ability to operate in China. As an example, if local or national Chinese government agencies interfered with or placed restrictions on our research and development operations in China, our ability to design new products, features, and functionality on a timely basis or at all, or our ability to effectively deliver our service, would be adversely impacted as a significant portion of our research and development organization resides in China. In June and July 2020, we received subpoenas from the Department of Justice’s U.S. Attorney’s Office for the Eastern District of New York (“EDNY”) and the Department of Justice’s U.S. Attorney’s Office for the Northern District of California (“NDCA”). The EDNY and NDCA subpoenas requested information about (among other things) our interactions with foreign governments and/or foreign political parties, including the Chinese government, as well as about storage of and access to user data, including the use of servers based overseas. In addition, the EDNY subpoena requested information about the actions we took responding to law enforcement requests from the Chinese government. The NDCA subpoena also requested documents and information about (among other things) contacts between our employees and representatives of the Chinese government, and any attempted or successful influence by any foreign government in our policies, procedures, practices, and actions as they relate to users in the United States. We are fully cooperating with these investigations and have been conducting our own thorough internal investigation. These investigations are ongoing, and we do not know when they will be completed, which facts we will ultimately discover as a result of the investigations, or what actions the government may or may not take. We cannot predict the outcome of these investigations, and a negative outcome in any or all of these matters could cause us to incur substantial fines, penalties, or other financial exposure, as well as material reputational harm, a loss of customer and user confidence and business, additional expenses, and other harm to our business.

We have a significant number of employees, primarily engineers, in China, where personnel costs are less expensive than in many other geographies. The number or proportion of our employees in China has fluctuated in the past and may fluctuate in the future due to a number of factors, including macroeconomic changes and internal restructuring. Geopolitical and national security tensions between the United States and China, or between other countries and China, have in the past, currently are and could in the future lead to increased scrutiny of our business operations in China. In June and July 2020, we received subpoenas from the Department of Justice’s U.S. Attorney’s Office for the Eastern District of New York (“EDNY”) and the Department of Justice’s U.S. Attorney’s Office for the Northern District of California (“NDCA”). The EDNY and NDCA subpoenas requested information about (among other things) our interactions with foreign governments and/or foreign political parties, including the Chinese government, as well as about storage of and access to user data, including the use of servers based overseas. In addition, the EDNY subpoena requested information about the actions we took relating to videoconference commemorations of the crackdown on the 1989 Tiananmen Square democracy protests. The NDCA subpoena also requested documents and information about (among other things) contacts between our employees and representatives of the Chinese government, and any attempted or successful influence by any foreign government in our policies, procedures, practices, and actions as they relate to users in the United States. We are fully cooperating with these investigations and have been conducting our own thorough internal investigation. These investigations are ongoing, and we do not know when they will be completed, which facts we will ultimately discover as a result of the investigations, or what actions the government may or may not take. We cannot predict the outcome of these investigations, and a negative outcome in any or all of these matters could cause us to incur substantial fines, penalties, or other financial exposure, as well as material reputational harm, a loss of customer and user confidence and business, additional expenses, and other harm to our business. 26 26 26 Table of Contents Table of Contents

We invest significant resources into sales to large organizations. Large organizations typically undertake a significant evaluation and negotiation process due to their leverage, size, organizational structure, and approval requirements, all of which have and may continue to lengthen our sales cycle. We have also faced and may in the future face unexpected deployment challenges with large organizations or more complicated deployment of our some or all aspects of our platform. Large organizations may demand additional features, support services and pricing concessions, or require additional security management or control features. We may spend substantial time, effort, and money on sales efforts to large organizations without any assurance that our efforts will produce any sales or that these customers will deploy our platform widely enough across their organization to justify our substantial up-front investment. As a result, we anticipate increased sales to large organizations will lead to higher up-front sales costs and greater unpredictability in our business, results of operations, and financial condition. 17 17 17 Table of Contents Table of Contents

We have begun investing more resources into sales to large organizations. Large organizations typically undertake a significant evaluation and negotiation process due to their leverage, size, organizational structure, and approval requirements, all of which can lengthen our sales cycle. We may also face unexpected deployment challenges with large organizations or more complicated deployment of our platform. Large organizations may demand additional features, support services and pricing concessions, or require additional security management or control features. We may spend substantial time, effort, and money on sales efforts to large organizations without any assurance that our efforts will produce any sales or that these customers will deploy our platform widely enough across their organization to justify our substantial up-front investment. As a result, we anticipate increased sales to large organizations will lead to higher up-front sales costs and greater unpredictability in our business, results of operations, and financial condition.

Occurrence of any catastrophic event, including earthquake, fire, flood, tsunami or other weather event, power loss, telecommunications failure, software or hardware malfunctions, cyber-attack, war, terrorist attack, disease, or health epidemics, could result in lengthy interruptions in our service. In particular, our U.S. headquarters and some of the data centers we utilize are located in the San Francisco Bay Area, a region known for seismic activity, and our insurance coverage may not compensate us for losses that may occur in the event of an earthquake or other significant natural disaster. In addition, acts of terrorism could cause disruptions to the internet or the economy as a whole. Even with our disaster recovery arrangements, our service could be interrupted. Moreover, if our systems were to fail or be negatively impacted as a result of a natural disaster or other event, our ability to deliver products to our users would be impaired, or we could lose critical data. If we are unable to develop adequate plans to ensure that our business functions continue to operate during and after a disaster and to execute successfully on those plans in the event of a disaster or emergency, our business would be harmed. We also face risks related to health epidemics. An outbreak of a contagious disease, and other adverse health developments could have an adverse effect on global economic conditions and on our business. The effects could include business and service disruptions, such as the temporary closure of our facilities, restrictions on our employees' ability to travel to support our facilities and services, and difficulties in hiring new employees.

Occurrence of any catastrophic event, including earthquake, fire, flood, tsunami or other weather event, power loss, telecommunications failure, software or hardware malfunctions, cyber-attack, war, terrorist attack, disease, or health epidemics, could result in lengthy interruptions in our service. In particular, our U.S. headquarters and some of the data centers we utilize are located in the San Francisco Bay Area, a region known for seismic activity, and our insurance coverage may not compensate us for losses that may occur in the event of an earthquake or other significant natural disaster. In addition, acts of terrorism could cause disruptions to the internet or the economy as a whole. Even with our disaster recovery arrangements, our service could be interrupted. Moreover, if our systems were to fail or be negatively impacted as a result of a natural disaster or other event, our ability to deliver products to our users would be impaired, or we could lose critical data. If we are unable to develop adequate plans to ensure that our business functions continue to operate during and after a disaster and to execute successfully on those plans in the event of a disaster or emergency, our business would be harmed. We also face risks related to health epidemics, such as the COVID-19 pandemic, which impacted virtually every country in the world. An outbreak of a contagious disease, and other adverse health developments could have an adverse effect on global economic conditions and on our business. The effects could include business and service disruptions, such as the temporary closure of our facilities, restrictions on our employees' ability to travel to support our facilities and services, and difficulties in hiring new employees. While we have seen increased usage of our service globally, a significant portion of such increase is attributable to free Basic accounts, which do not generate any revenue. We cannot make any assurances that we will experience an increase in paid hosts or that new or existing users will continue to utilize our services at the same levels during the COVID-19 pandemic recovery. Furthermore, such increased usage by free Basic account users during this time has required and will continue to require us to expand our network capacity which will increase our operating costs.

Unlike traditional communications and collaborations technologies, our services depend on our users’ high-speed broadband access to the internet, usually provided through a cable or digital subscriber line connection. Increasing numbers of users and increasing bandwidth requirements may degrade the performance of our platform due to capacity constraints and other internet infrastructure limitations. As our number of users has grown and their usage of communications capacity has increased, we have been required to make additional investments in network capacity to maintain adequate data transmission speeds, the availability of which may be limited, or the cost of which may be on terms unacceptable to us. If adequate capacity does not continue to be available to us to support our user base in the future, our network may be unable to achieve or maintain sufficiently high data transmission capacity, reliability, or performance. In addition, if internet service providers and other third parties providing internet services have outages or deteriorations in their quality of service, our users will not have access to our platform or may experience a decrease in the quality of our platform. Furthermore, as the rate of adoption of new technologies increases, the networks our platform relies on may not be able to sufficiently adapt to the increased demand for these services, including ours. Frequent or persistent interruptions could cause current or potential users to believe that our systems or platform are unreliable, leading them to switch to our competitors or to avoid our platform, which could permanently harm our business. In addition, users who access our platform through mobile devices, such as smartphones and tablets, must have a high-speed connection, such as 3G, 4G, 5G, LTE, satellite, or Wi-Fi, to use our services and applications. Currently, this access is provided by companies that have significant and increasing market power in the broadband and internet access marketplace, including incumbent phone companies, cable companies, satellite companies, and wireless companies. Some of these providers offer products and subscriptions that directly compete with our own offerings, which can potentially give them a competitive advantage. Also, these providers could take measures that degrade, disrupt, or increase the cost of user access to third-party services, including our platform, by restricting or prohibiting the use of their infrastructure to support or facilitate third-party services or by charging increased fees to third parties or the users of third-party services, any of which would make our platform less attractive to users and reduce our revenue. 20 20 20 Table of Contents Table of Contents On January 4, 2018, the Federal Communications Commission (“FCC”) released an order reclassifying broadband internet access as an information service, a regulatory regime generally referred to as network neutrality, subject to certain provisions of Title I of the Communications Act. The order requires broadband providers to publicly disclose accurate information regarding network management practices, performance characteristics, and commercial terms of their broadband internet access services sufficient to enable consumers to make informed choices regarding the purchase and use of such services, and entrepreneurs and other small businesses to develop, market, and maintain internet offerings. The new rules went into effect on June 11, 2018. Numerous parties filed judicial challenges to the order, and on October 1, 2019, the United States Court of Appeals for the District of Columbia Circuit released a decision that rejected nearly all of the challenges to the new rules, but reversed the FCC’s decision to prohibit all state and local regulation targeted at broadband internet service, requiring case-by-case determinations as to whether state and local regulation conflicts with the FCC’s rules. The court also required the FCC to reexamine three issues from the order but allowed the order to remain in effect, while the FCC conducts that review. On October 27, 2020, the FCC adopted an order concluding that the three issues remanded by the court did not provide a basis to alter its conclusions in the 2018 order. On October 19, 2023, the FCC adopted a notice of proposed rulemaking that would reinstate the 2018 rules and asked for comment on that proposal and on potential changes to those rules. We cannot predict whether or when the FCC will adopt new rules or the impact of any rules that may be adopted on our operations or business. In addition, a number of states have adopted or are adopting or considering legislation or executive actions that would regulate the conduct of broadband providers. After a federal court judge denied a request for a preliminary injunction against California’s state-specific network neutrality law, California began enforcing that law on March 25, 2021. A number of other states have adopted or are adopting or considering legislation or executive actions that would regulate the conduct of broadband providers. A similar law in Vermont is subject to a pending challenge, but went into effect on April 20, 2022 and the challenge has been suspended until an appeal in another case addressing state powers to adopt internet regulation is resolved. We cannot predict whether the FCC order or other state initiatives will be enforced, modified, overturned, or vacated by legal action of the court, federal legislation, or the FCC. In addition, the status of state regimes may be affected by the FCC's action in its new network neutrality proceeding. Under the FCC’s current rules, broadband internet access providers may be able to charge web-based services such as ours for priority access or favor services offered by our competitors or by the internet access providers themselves, which could result in increased costs and a loss of existing customers, impair our ability to attract new customers, and harm our business. If there are changes to the regulatory structures in the United States or elsewhere that reduce investment in infrastructure by internet service providers, including a return of the network neutrality regulations that were repealed, any impacts of reduced investment that reduce network capacity or speed could have a negative effect on our business, operating results, and financial condition. Our security measures, and those of third parties upon which we rely, have been compromised in the past and may be compromised in the future. If our security measures are compromised in the future or if our information technology fails, this could harm our reputation, expose us to significant fines and liability, impair our sales, and harm our business. In addition, our products and services may be perceived as not being secure. This perception may result in customers and users curtailing or ceasing their use of our products, our incurring significant liabilities, and our business being harmed. In the ordinary course of our business, we and the third parties upon which we rely collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share confidential, proprietary, and sensitive data, including data of ours, our customers, and our users, the data which includes personal information, customer and user content, health-related data, intellectual property, trade secrets, business plans, and financial information. We and the third parties upon which we rely face a variety of evolving threats, including but not limited to ransomware attacks, which could cause security incidents. Security incidents have occurred in the past and may occur in the future, resulting in unauthorized access to, loss or unauthorized disclosure of, or inadvertent disclosure of confidential, proprietary, and sensitive information. Cyberattacks, other malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our proprietary, confidential, and sensitive data and information technology systems, and those of the third parties upon which we rely. Cloud-based platform providers of products and services have been and are expected to continue to be targeted. Threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer “hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation-state and nation-state supported actors, and advanced persistent threat intrusions. Some actors now engage and are expected to continue to engage in cyberattacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties upon which we rely may be vulnerable to a heightened risk of these attacks, which could materially disrupt our systems and operations, supply chain, and ability to provide our services. We may be subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks, credential stuffing, 21 21 21 Table of Contents Table of Contents personnel misconduct or error, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, attacks enhanced or facilitated by AI, earthquakes, fires, floods, and other similar threats. Ransomware attacks, including those perpetrated by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations or our ability to provide our products or services, loss of data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Additionally, our platform, products, and services are relied on by a large number of companies worldwide and as a result, if our platform, products, or solutions are compromised, a significant number or all of our customers and their data could be simultaneously affected. The potential liability and associated consequences we could suffer as a result of such a large-scale event could be catastrophic and result in irreparable harm. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. In addition, our reliance on third-party service providers could introduce new cybersecurity risks and vulnerabilities, including supply-chain attacks, and other threats to our business operations. We rely on third-party service providers and technologies to operate critical business systems to process confidential, proprietary, and sensitive data in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. We also rely on third-party service providers to provide other products, services and parts, or otherwise to operate our business. Our ability to monitor these third parties’ information security practices is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties’ infrastructure in our supply chain or our third-party partners’ supply chains have not been compromised. If our security measures are compromised, our reputation could be damaged; our data, information or intellectual property, or that of our customers, may be destroyed, stolen, or otherwise compromised; our business may be harmed; and we could incur significant liability. We take steps designed to detect and remediate vulnerabilities in our information systems and those of third parties upon whom we rely, but we may not detect or remediate all such vulnerabilities or do so in a timely manner. The threats and techniques used to exploit vulnerabilities change frequently and are often sophisticated in nature, and may be difficult to detect by security tools. Vulnerabilities could be exploited and result in a security incident. We have limited budgetary and human resources for detecting and remediating vulnerabilities and have experienced difficulties in hiring and retaining qualified security personnel, especially after our recent restructuring actions. We may experience delays in developing and deploying remedial measures, including patches, designed to address identified vulnerabilities, and our remedial measures may require action by our customers such as installing patches or updates, which may increase the amount of time a vulnerability remains unremediated. We have not always been able in the past and may be unable in the future to anticipate or prevent threats or techniques used to detect or exploit vulnerabilities in our information systems or third-party software, or obtain unauthorized access to or compromise our systems. In addition, security researchers and other individuals have in the past and will continue in the future to actively search for and exploit actual and potential vulnerabilities in our software or services. This activity may increase because of increased demand for our services and increased media scrutiny of our unified communications and collaboration platform, and can lead to additional adverse publicity, reputational harm, extortion threats, business and operational interruptions, security incidents, additional expenses, litigation, regulatory investigations and actions, and substantial harm to our business, some of which we have experienced. For example, in July 2019, a security researcher published a blog highlighting concerns with the Zoom Meeting platform, including certain video-on features. We were able to release updates to the software addressing these vulnerabilities, and we are not aware of any customers being affected or meetings compromised by these vulnerabilities. In most cases customers are responsible for installing this update to the software, and their software is subject to these vulnerabilities until they do so. Additionally, in March 2020, a security researcher reported certain vulnerabilities related to our macOS version that could have allowed an unauthorized person to gain root access to a user’s system. Given the nature of our business and operations, our products and services will inevitably contain vulnerabilities or critical security defects that have not been identified or remediated and cannot be disclosed without compromising security. We have identified high or critical vulnerabilities in our products, services and information systems in the past, and we expect that we will continue to identify such vulnerabilities in the future. We cannot be certain that we will be able to address any vulnerabilities in our products, 22 22 22 Table of Contents Table of Contents services and information systems that we may become aware of in the future, or there may be delays in developing patches that can be effectively deployed to address vulnerabilities. We will continue to make prioritization decisions based on, among other things, our available resources, the efficacy of our security tools, and the increasing workload to meet certain security obligations, to determine which vulnerabilities or security defects to fix and the timing of these fixes, which could result in an exploit that compromises security. In some cases, customers are responsible for installing our software updates, and until they do so, their service remains subject to the vulnerabilities addressed in the software update. Vulnerabilities and critical security defects, errors in remediating vulnerabilities or security defects, failure of third-party providers to remediate vulnerabilities or security defects, or customers not deploying security releases or deciding not to install software updates could result in claims of liability against us, damage our reputation, or otherwise harm our business. Security incidents and vulnerabilities, and concerns regarding privacy, data protection, and information security may also prevent some of our customers and users from using or cause some of our customers and users to stop using our solutions and fail to upgrade or renew their subscriptions. Failures to meet customers’ and users’ expectations with respect to security and confidentiality of their data and information could damage our reputation and affect our ability to retain customers and users, attract new customers and users, and grow our business. In addition, cybersecurity events or security vulnerabilities could result in breaches of our agreements with customers, lawsuits against us (including class action litigation), regulatory investigations or actions, and significant increases in costs, including costs for remediating the effects of such an event or vulnerability, lost revenue due to network downtime, and a decrease in customer and user trust, increases in insurance premiums due to cybersecurity incidents, increased costs to address cybersecurity issues, and attempts to prevent future incidents, fines, penalties, judgments and settlements, and attorney fees, and harm to our business and our reputation because of any such incident. Any of the previously identified or similar threats could cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to confidential, proprietary, or sensitive data or our information technology systems, or those of the third parties upon whom we rely. A security incident or other interruption could disrupt our ability (and that of third parties upon whom we rely) to provide our services. We may expend significant resources or modify our business activities to try to protect against security incidents. Additionally, certain privacy, data protection, and information security obligations may require us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive data. Many governments have enacted laws requiring companies to provide notice of data security incidents, including those recently promulgated by the SEC. Such laws are inconsistent, and compliance in the event of a widespread data breach is costly. In addition, some of our customers require us to notify them of data security breaches. Actual or perceived security gaps or security compromises experienced in our industry or by our competitors, our customers, a third party upon whom we rely, or us could cause us to experience adverse consequences, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing sensitive data (including personal information); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; diversion of management attention; interruptions in our operations (including availability of data); financial loss; and other similar harms. Security incidents and attendant consequences may cause customers to stop using our services, deter new customers from using our services, and negatively impact our ability to grow and operate our business. In addition, while more than half of our employees are based in the United States, like many similarly situated technology companies, we have a sizable number of research and development personnel outside of the United States, including in China, which has exposed and could continue to expose us to governmental and regulatory as well as market and media scrutiny regarding the actual or perceived integrity of our platform or data security and privacy features. Increased usage of our services, novel uses of our services, and additional awareness of Zoom and our brand has led and could in the future lead to greater public scrutiny of, press related to, or a negative perception of our information security and potential vulnerabilities associated with our platform. For example, during the COVID-19 pandemic, we opened our platform to unprecedented numbers of first-time users, leading to challenges for users who did not have full IT support or established protocols for security and privacy like our larger customers. As a result, we have experienced negative publicity related to meeting disruptions and security and privacy issues, including on encryption. Such unfavorable publicity and scrutiny could result in material reputational harm, a loss of customer and user confidence, increased regulatory or litigation exposure, additional expenses, and other harm to our business. There can be no assurance that any limitations of liability provisions in our subscription agreements, terms of use or other agreements would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing general liability insurance coverage and coverage for cyber liability or errors or omissions will continue to be available on acceptable terms or will be available in sufficient amounts 23 23 23 Table of Contents Table of Contents to cover one or more large claims or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that are not covered or exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could harm our business. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

In the ordinary course of our business, we and the third parties upon which we rely collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share confidential, proprietary, and sensitive data, including data of ours, our customers, and our users, the data which includes personal information, customer and user content, health-related data, intellectual property, trade secrets, business plans, and financial information. We and the third parties upon which we rely face a variety of evolving threats, including but not limited to ransomware attacks, which could cause security incidents. Security incidents have occurred in the past and may occur in the future, resulting in unauthorized access to, loss or unauthorized disclosure of, or inadvertent disclosure of confidential, proprietary, and sensitive information. Cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our proprietary, confidential, and sensitive data and information technology systems, and those of the third parties upon which we rely. Cloud-based platform providers of products and services have been and are expected to continue to be targeted. Threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer “hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation-state and nation-state supported actors, and advanced persistent threat intrusions. Some actors now engage and are expected to continue to engage in cyberattacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties upon which we rely may be vulnerable to a heightened risk of these attacks, including cyberattacks, that could materially disrupt our systems and operations, supply chain, and ability to provide our services. We may be subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks (such as credential stuffing), personnel misconduct or error, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, earthquakes, fires, floods, and other similar threats. Ransomware attacks, including those perpetrated by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly 20 20 20 Table of Contents Table of Contents prevalent and severe and can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Additionally, our platform, products, and services are relied on by a large number of companies worldwide and as a result, if our platform, products, or solutions are compromised, a significant number or all of our customers and their data could be simultaneously affected. The potential liability and associated consequences we could suffer as a result of such a large-scale event could be catastrophic and result in irreparable harm. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. In addition, our reliance on third-party service providers could introduce new cybersecurity risks and vulnerabilities, including supply-chain attacks, and other threats to our business operations. We rely on third-party service providers and technologies to operate critical business systems to process confidential, proprietary, and sensitive data in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. We also rely on third-party service providers to provide other products, services, parts, or otherwise to operate our business. Our ability to monitor these third parties’ information security practices is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties’ infrastructure in our supply chain or our third-party partners’ supply chains have not been compromised. Any of the previously identified or similar threats could cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to confidential, proprietary, or sensitive data or our information technology systems, or those of the third parties upon whom we rely. A security incident or other interruption could disrupt our ability (and that of third parties upon whom we rely) to provide our services. We may expend significant resources or modify our business activities to try to protect against security incidents. Additionally, certain privacy, data protection, and information security obligations may require us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive data. If our security measures are compromised, our reputation could be damaged; our data, information or intellectual property, or that of our customers, may be destroyed, stolen, or otherwise compromised; our business may be harmed; and we could incur significant liability. We take steps to detect and remediate vulnerabilities, but we may not be able to detect and remediate all vulnerabilities because the threats and techniques used to exploit the vulnerability change frequently and are often sophisticated in nature. Therefore, such vulnerabilities could be exploited but may not be detected until after a security incident has occurred. These vulnerabilities pose material risks to our business. Further, we may experience delays in developing and deploying remedial measures designed to address any such identified vulnerabilities. We have not always been able in the past and may be unable in the future to anticipate or prevent threats or techniques used to detect or exploit vulnerabilities in our services or software or third-party software, or obtain unauthorized access to or compromise our systems. In addition, security researchers and other individuals have in the past and will continue in the future to actively search for and exploit actual and potential vulnerabilities in our software or services. This activity may increase because of increased demand for our services and increased media scrutiny of our unified communications and collaboration platform, and can lead to additional adverse publicity, reputational harm, extortion threats, business and operational interruptions, security incidents, additional expenses, litigation, regulatory investigations and actions, and substantial harm to our business, some of which we have experienced during the COVID-19 pandemic. For example, in July 2019, a security researcher published a blog highlighting concerns with the Zoom Meeting platform, including certain video-on features. We were able to release updates to the software addressing these vulnerabilities, and we are not aware of any customers being affected or meetings compromised by these vulnerabilities. In most cases customers are responsible for installing this update to the software, and their software is subject to these vulnerabilities until they do so. Additionally, in March 2020, a security researcher reported certain vulnerabilities related to our macOS version that could have allowed an unauthorized person to gain root access to a user’s system. Given the nature of our business and operations, our products and services will inevitably contain vulnerabilities or critical security defects that have not been identified or remediated and cannot be disclosed without compromising security. We have identified vulnerabilities in our products and services in the past, and we expect that we will continue to identify vulnerabilities in the future. We cannot be certain that we will be able to address any vulnerabilities in our software products 21 21 21 Table of Contents Table of Contents and services that we may become aware of in the future, or there may be delays in developing patches that can be effectively deployed to address vulnerabilities. We will continue to make prioritization decisions to determine which vulnerabilities or security defects to fix and the timing of these fixes, which could result in an exploit that compromises security. Further, in many cases, customers are responsible for installing our software updates, and until they do so, their service remains subject to the vulnerabilities addressed in the software update. Vulnerabilities and critical security defects, errors in remediating vulnerabilities or security defects, failure of third-party providers to remediate vulnerabilities or security defects, or customers not deploying security releases or deciding not to install software updates could result in claims of liability against us, damage our reputation, or otherwise harm our business. Security incidents and vulnerabilities, and concerns regarding privacy, data protection, and information security may also cause some of our customers and hosts to stop using our solutions and fail to upgrade or renew their subscriptions. Failures to meet customers’ and hosts’ expectations with respect to security and confidentiality of their data and information could damage our reputation and affect our ability to retain customers and hosts, attract new customers and hosts, and grow our business. In addition, cybersecurity events or security vulnerabilities could result in breaches of our agreements with customers, lawsuits against us (including class action litigation), regulatory investigations or actions, and significant increases in costs, including costs for remediating the effects of such an event or vulnerability, lost revenue due to network downtime, and a decrease in customer, host, and user trust, increases in insurance premiums due to cybersecurity incidents, increased costs to address cybersecurity issues, and attempts to prevent future incidents, fines, penalties, judgments and settlements, and attorney fees, and harm to our business and our reputation because of any such incident. Many governments have enacted laws requiring companies to provide notice of data security incidents involving certain types of personal information. Such laws are inconsistent, and compliance in the event of a widespread data breach is costly. In addition, some of our customers require us to notify them of data security breaches. Actual or perceived security compromises experienced in our industry or by our competitors, our customers, a third party upon whom we rely, or us could cause us to experience adverse consequences, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing sensitive data (including personal data); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; interruptions in our operations (including availability of data); financial loss; and other similar harms. Security incidents and attendant consequences may cause customers to stop using our services, deter new customers from using our services, and negatively impact our ability to grow and operate our business. In addition, while more than half of our employees are based in the United States, like many similarly situated technology companies, we have a sizable number of research and development personnel in China, which has exposed and could continue to expose us to governmental and regulatory as well as market and media scrutiny regarding the actual or perceived integrity of our platform or data security and privacy features. Increased usage of our services, novel uses of our services, and additional awareness of Zoom and our brand could lead to greater public scrutiny of, press related to, or a negative perception of our information security and potential vulnerabilities associated with, our platform. For example, during the COVID-19 pandemic, we opened our platform to unprecedented numbers of first-time users, leading to challenges for users who did not have full IT support or established protocols for security and privacy like our larger customers. As a result, we have experienced negative publicity related to meeting disruptions and security and privacy issues, including on encryption. Such unfavorable publicity and scrutiny could result in material reputational harm, a loss of customer and user confidence, increased regulatory or litigation exposure, additional expenses, and other harm to our business. There can be no assurance that any limitations of liability provisions in our subscription agreements, terms of use, or other agreements would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing general liability insurance coverage and coverage for cyber liability or errors or omissions will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that are not covered or exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could harm our business. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

Our revenue growth has fluctuated in prior periods. You should not rely on the revenue growth of any prior quarterly or annual period as an indication of our future performance. There are no assurances we will be able to sustain or increase our revenue growth in future periods, and our revenue growth rate may continue to decline in future periods. Many factors may contribute to declines in our growth rate, including higher market penetration, increased competition, macroeconomic conditions, such as inflation, recessionary or uncertain economic environments, fluctuating foreign currency exchange rates, slowing demand for our platform, a lower than anticipated capitalization on growth opportunities, and the maturation of our 14 14 14 Table of Contents Table of Contents business, among others. Our growth rate could adversely affect investors’ perceptions of our business and the trading price of our Class A common stock could be adversely affected.

Our revenue growth has fluctuated in prior periods. We have previously experienced periods of significant revenue growth. You should not rely on the revenue growth of any prior quarterly or annual period as an indication of our future performance. Our revenue growth rate over the past year has stabilized but there are no assurances we will be able to sustain or increase it in future periods, and our revenue growth rate may decline in future periods. Many factors may contribute to declines in our growth rate, including higher market penetration, increased competition, macroeconomic conditions, such as high inflation, recessionary or uncertain environments and fluctuating foreign currency exchange rates, slowing demand for our platform, especially during the COVID-19 pandemic recovery, which has led to users returning to work or school or are otherwise no longer being subject to limitations on in-person meetings, a lower than anticipated capitalization on growth opportunities, and the maturation of our business, among others. Our growth rate could adversely affect investors’ perceptions of our business and the trading price of our Class A common stock could be adversely affected.

We are subject to income taxes in the United States and various jurisdictions outside of the United States. Our effective tax rate could fluctuate due to changes in the proportion of our earnings and losses in countries with differing statutory tax rates. Our tax expense could also be impacted by changes in non-deductible expenses; changes in tax benefits of stock-based compensation expense; changes in the valuation of, or our ability to use, deferred tax assets; the applicability of withholding taxes; and effects from acquisitions. 30 30 30 Table of Contents Table of Contents The provision for taxes on our consolidated financial statements could also be impacted by changes in accounting principles, changes in U.S. federal, state, or foreign tax laws applicable to corporate multinationals, other fundamental changes in tax law currently being considered by many countries, and changes in taxing jurisdictions’ administrative interpretations, decisions, policies, and positions. In addition, we are subject to review and audit by U.S. federal, state, local, and foreign tax authorities. Such tax authorities may disagree with tax positions we take, and if any such tax authority were to successfully challenge any such position, our business could be adversely impacted. The Tax Cuts and Jobs Act of 2017 requires the capitalization and amortization of research and development expenses effective for years beginning after December 31, 2021. The mandatory capitalization requirement increased our cash tax liabilities but also decreased our effective tax rate due to increasing the foreign-derived intangible income deduction. Although Congress is considering legislation that would defer the amortization requirement to later years, we have no assurance that the provision will be repealed or otherwise modified. Absent a change in legislation, we expect the mandatory capitalization requirement will continue to have a material impact on our cash flows. We may also be subject to additional tax liabilities due to changes in non-income-based taxes resulting from changes in U.S. federal, state, local, or foreign tax laws; changes in taxing jurisdictions’ administrative interpretations, decisions, policies, and positions; results of tax examinations, settlements, or judicial decisions; changes in accounting principles, changes to our business operations, including acquisitions; as well as the evaluation of new information that results in a change to a tax position taken in a prior period. Further, the Organization for Economic Cooperation and Development (“OECD”) and the Inclusive Framework of G20 and other countries have issued proposals related to the taxation of the digital economy. In addition, several countries have proposed or enacted Digital Services Taxes (“DST”), many of which would apply to revenue derived from digital services. Future developments related to such proposals, in particular any unilateral actions outside of the OECD's Inclusive Framework such as the imposition of DST rules, could have an adverse impact on our business by increasing our future tax obligations. The OECD has also been working on a Base Erosion and Profits Shifting project that, upon implementation, would change various aspects of the existing framework under which our tax obligations are determined in many of the countries in which we operate. In this regard, the OECD has proposed policies aiming to modernize global tax systems, including a country-by-country 15% minimum effective tax rate (“Pillar Two”) for multinational companies. Numerous countries have enacted, or are in the process of enacting, legislation to implement the Pillar Two model rules with a subset of the rules becoming effective during our fiscal year ending January 31, 2025, and the remaining rules becoming effective for our fiscal year ending January 31, 2026, or in later periods. At this point in time, we do not expect material tax impacts associated with Pillar Two rules in the countries where we operate for the fiscal year ending January 31, 2025. As these rules continue to evolve with new legislation and guidance, we will continue to monitor and account for the enactment of Pillar Two rules in the countries where we operate, and the potential impacts such rules may have on our effective tax rate and cash flows in future years.

We are subject to income taxes in the United States and various jurisdictions outside of the United States. Our effective tax rate could fluctuate due to changes in the proportion of our earnings in countries with differing statutory tax rates. Our tax expense could also be impacted by changes in non-deductible expenses; changes in excess tax benefits of stock-based compensation expense; changes in the valuation of, or our ability to use, deferred tax assets; the applicability of withholding taxes; and effects from acquisitions. The provision for taxes on our consolidated financial statements could also be impacted by changes in accounting principles; changes in U.S. federal, state, or foreign tax laws applicable to corporate multinationals (including provisions of the recently enacted federal tax legislation titled the Inflation Reduction Act); other fundamental changes in tax law currently being considered by many countries; and changes in taxing jurisdictions’ administrative interpretations, decisions, policies, and positions. In addition, we are subject to review and audit by U.S. federal, state, local, and foreign tax authorities. Such tax authorities may disagree with tax positions we take, and if any such tax authority were to successfully challenge any such position, our business could be adversely impacted. The Tax Cuts and Jobs Act of 2017 requires the capitalization and amortization of research and development expenses effective for years beginning after December 31, 2021. The mandatory capitalization requirement increased our cash tax liabilities but also decreased our effective tax rate due to increasing the foreign-derived intangible income deduction. There is a possibility that Congress will defer, repeal, or otherwise modify this requirement in future periods. Absent a change in legislation, we expect it will have a material impact on our cash flows beginning the current fiscal year ending January 31, 2023. We may also be subject to additional tax liabilities due to changes in non-income-based taxes resulting from changes in U.S. federal, state, local, or foreign tax laws; changes in taxing jurisdictions’ administrative interpretations, decisions, policies, and positions; results of tax examinations, settlements, or judicial decisions; changes in accounting principles, changes to our business operations, including acquisitions; as well as the evaluation of new information that results in a change to a tax position taken in a prior period. Further, the Organization for Economic Co-operation and Development (“OECD”) and the Inclusive Framework of G20 and other countries have issued proposals related to the taxation of the digital economy. In addition, several countries have proposed or enacted Digital Services Taxes (“DST”), many of which would apply to revenue 29 29 29 Table of Contents Table of Contents derived from digital services. Future developments related to such proposals, in particular any unilateral actions outside of the OECD's Inclusive Framework such as the imposition of DST rules, could have an adverse impact on our business by increasing our future tax obligations.

Increased user demand for support may result in increased costs that may harm our results of operations. For example, during the COVID-19 pandemic we saw surging demand requiring us to allocate additional resources to support our expanded customer and user base, including many who were using our platform for the first time, placing additional pressure on our support organization. In addition, as we continue to support our global user base, we need to be able to continue to provide efficient support that meets our customers and users’ needs globally at scale. If we are unable to provide efficient user support globally at scale or if we need to hire additional support personnel, our business may be harmed. Our new customer signups are highly dependent on our business reputation and on recommendations from our existing customers and users. Any failure to maintain high-quality support, or a market perception that we do not maintain high-quality support for our customers and users, would harm our business.

Increased user demand for support, may result in increased costs that may harm our results of operations. For example, during the COVID-19 pandemic we saw surging demand requiring us to allocate additional resources to support our expanded user base, including many hosts and customers who are using our platform for the first time. In addition, as we continue to grow our operations and support our global user base, we need to be able to continue to provide efficient support that meets our customers and hosts’ needs globally at scale. As the number of our users has grown significantly, it has put additional pressure on our support organization. If we are unable to provide efficient user support globally at scale or if we need to hire additional support personnel, our business may be harmed. Our new customer and host signups are highly dependent on our business reputation and on recommendations from our existing customers and hosts. Any failure to maintain high-quality support, or a market perception that we do not maintain high-quality support for our customers and hosts, would harm our business.

There is an increasing focus from regulators, investors, customers and other stakeholders concerning environmental, social and governance matters (“ESG”). Regulators are driving legislation to bring consistency and transparency to ESG disclosures. Some investors may use these ESG performance factors to guide their investment strategies and, in some cases, may choose not to invest in us if they believe our policies and actions relating to ESG are inadequate. We may face reputational damage in the event that we do not meet the ESG standards set by various constituencies. Our voluntary ESG and climate disclosures, as well as our reporting under related disclosure regulations, or a failure to meet evolving stakeholder expectations for ESG reporting and practices, may potentially harm our reputation and customer relationships or expose us to liability. Due to new regulatory standards and market standards, certain new or existing customers may impose stricter ESG guidelines or contractual language for, and may scrutinize relationships more closely with, their counterparties, including us, which may lengthen sales cycles or increase our costs. Furthermore, if our competitors’ ESG performance is perceived to be better than ours, potential or current investors may elect to invest with our competitors instead. In addition, in the event that we communicate certain initiatives or goals regarding ESG matters, we could fail, or be perceived to fail, in our achievement of such initiatives or goals, or we could be criticized for the scope of such initiatives or goals.

There is an increasing focus from certain investors, customers, employees, and other stakeholders concerning environmental, social and governance matters (“ESG”). Some investors may use these non-financial performance factors to guide their investment strategies and, in some cases, may choose not to invest in us if they believe our policies and actions relating to ESG are inadequate. We may face reputational damage in the event that we do not meet the ESG standards set by various constituencies. As ESG best practices and reporting standards continue to develop, we may incur increasing costs relating to ESG monitoring and reporting and complying with ESG initiatives. For example, the SEC has recently proposed climate change and ESG reporting requirements, which, if approved, would increase our compliance costs. We may also face greater costs to comply with new ESG standards or initiatives in the European Union. We recently published our ESG Report for fiscal year 2022, which describes, among other things, the measurement of our greenhouse gas emissions in 2021 and our efforts to reduce emissions. In addition, our ESG Report provides highlights of how we are supporting our workforce, including our efforts to promote diversity, equity, and inclusion. Our disclosures on these matters, or a failure to meet evolving stakeholder expectations for ESG practices and reporting, may potentially harm our reputation and customer relationships. Due to new 45 45 45 Table of Contents Table of Contents regulatory standards and market standards, certain new or existing customers, particularly those in the European Union, may impose stricter ESG guidelines or mandates for, and may scrutinize relationships more closely with, their counterparties, including us, which may lengthen sales cycles or increase our costs. Furthermore, if our competitors’ ESG performance is perceived to be better than ours, potential or current investors may elect to invest with our competitors instead. In addition, in the event that we communicate certain initiatives or goals regarding ESG matters, we could fail, or be perceived to fail, in our achievement of such initiatives or goals, or we could be criticized for the scope of such initiatives or goals. If we fail to satisfy the expectations of investors, customers, employees and other stakeholders or our initiatives are not executed as planned, our business, financial condition, results of operations, and prospects could be adversely affected.

Federal Regulation Zoom Phone is provided through our wholly owned subsidiary, Zoom Voice Communications, Inc., which is regulated by the FCC as an interconnected voice over internet protocol (“VoIP”) service provider. As a result, Zoom Phone is subject to existing or potential FCC regulations, including, but not limited to, regulations relating to privacy, disability access, porting of numbers, federal Universal Service Fund (“USF”), contributions and other regulatory assessments, emergency calling/Enhanced 911 (“E-911”), access charges for long distance services, and law enforcement access. Congress or the FCC may expand the scope of Zoom Phone’s regulatory obligations at any time. In addition, FCC classification of Zoom Phone as a common carrier or telecommunications service could result in additional federal and state regulatory obligations. If we do not comply with any current or future state regulations that apply to our business, we could be subject to substantial fines and penalties, we may have to restructure our product offerings, exit certain markets, or raise the price of our products, any of which could ultimately harm our business and results of operations. Any enforcement action by the FCC, which may be a public process, would hurt our reputation in the industry, possibly impair our ability to sell Zoom Phone to our customers and harm our business. As described above, the FCC could reinstate its prior network neutrality regulations or adopt new regulations. See Part 1A. Failures in internet infrastructure or interference with broadband access could cause current or potential users to believe that our systems are unreliable, possibly leading our customers to switch to our competitors, or to cancel their subscriptions to our platform. Changes in FCC regulation of the internet and internet-based services also could impose new regulatory obligations on our other services. Such action could result in extension of common carrier regulation to internet-based communications services like the ones we offer. The imposition of common carrier regulation would increase our costs, and we could be required to modify our service offerings to comply with regulatory requirements. The failure to comply with such regulation could result in substantial fines and penalties and other sanctions. On December 13, 2023, the FCC adopted revised rules on reporting of breaches of private customer information, known as CPNI. The revised rules could broaden the types of CPNI breaches that must be reported, but also could limit the number of reports that must be filed by adopting a minimum threshold for the number of customers affected and not requiring reporting in certain circumstances when customers are not harmed. The rules also require that breach reports be provided directly to the FCC, which could increase the risk of enforcement action, including fines and behavioral remedies. These rules are not yet in effect. The FCC has adopted rules that prohibit Chinese companies that are deemed to be a national security risk by other federal agencies from obtaining new authorizations and placed on a list known as the Covered List to sell telecommunications equipment in the U.S. and is considering proposed rules that would ban those companies from selling previously-authorized equipment or could prohibit use of their equipment in the U.S. Zoom does not currently have any equipment from the companies subject to the ban in its network, but if other companies are added to the Covered List and the FCC adopts rules that ban sales or use of equipment from such companies, we could be required to find new sources for similar equipment or replace existing equipment entirely. State Regulation State telecommunications regulation of Zoom Phone is generally preempted by the FCC. However, states are allowed to assess state USF contributions, E-911 fees, and other surcharges. A number of states require us to contribute to state USF and pay E-911 and other assessments and surcharges, while others are actively considering extending their programs to include the products we offer. The California Public Utilities Commission is now taking the position that it can require VoIP providers like Zoom Phone to obtain authority to operate in that state. We generally pass USF, E-911 fees, and other surcharges through to our customers where we are permitted to do so, which may result in our products becoming more expensive. We expect that state 39 39 39 Table of Contents Table of Contents public utility commissions will continue their attempts to apply state telecommunications regulations to services like Zoom Phone. If we do not comply with any current or future state regulations that apply to our business, we could be subject to substantial fines and penalties, and we may have to restructure our product offerings, exit certain markets, or raise the price of our products, any of which could harm our business. Certain states have adopted or are adopting or considering legislation or executive actions that would regulate the conduct of broadband providers. California’s state-specific network neutrality law has taken effect and Vermont’s law took effect, but a challenge to that law remains pending. We cannot predict whether other state initiatives will be enforced, modified, overturned, or vacated. International Regulation As we expand internationally, we may be subject to telecommunications, consumer protection, privacy, data protection, and other laws and regulations in the foreign countries where we offer our products. If we do not comply with any current or future international regulations that apply to our business, we could be subject to substantial fines and penalties, we may have to restructure our product offerings, exit certain markets, or raise the price of our products, any of which could harm our business.

Federal Regulation Zoom Phone is provided through our wholly owned subsidiary, Zoom Voice Communications, Inc., which is regulated by the FCC as an interconnected voice over internet protocol (“VoIP”) service provider. As a result, Zoom Phone is subject to existing or potential FCC regulations, including, but not limited to, regulations relating to privacy, disability access, porting of numbers, federal Universal Service Fund (“USF”), contributions and other regulatory assessments, emergency calling/Enhanced 911 (“E-911”), access charges for long distance services, and law enforcement access. Congress or the FCC may expand the scope of Zoom Phone’s regulatory obligations at any time. In addition, FCC classification of Zoom Phone as a common carrier or telecommunications service could result in additional federal and state regulatory obligations. If we do not comply with any current or future state regulations that apply to our business, we could be subject to substantial fines and penalties, we may have to restructure our product offerings, exit certain markets, or raise the price of our products, any of which could ultimately harm our business and results of operations. Any enforcement action by the FCC, which may be a public 36 36 36 Table of Contents Table of Contents process, would hurt our reputation in the industry, possibly impair our ability to sell Zoom Phone to our customers and harm our business. As described above, the FCC could reinstate its prior network neutrality regulations or adopt new regulations. See Part 1A – Failures in internet infrastructure or interference with broadband access could cause current or potential users to believe that our systems are unreliable, possibly leading our customers and hosts to switch to our competitors, or to cancel their subscriptions to our platform. Changes in FCC regulation of the internet and internet-based services also could impose new regulatory obligations on our other services. Such action could result in extension of common carrier regulation to internet-based communications services like the ones we offer. The imposition of common carrier regulation would increase our costs, and we could be required to modify our service offerings to comply with regulatory requirements. The failure to comply with such regulation could result in substantial fines and penalties and other sanctions. There have been various Congressional and executive efforts to eliminate or modify Section 230 of the Communications Act of 1934, enacted as part of the Communications Decency Act of 1996. President Biden and many Members of Congress from both parties support the reform or repeal of Section 230, so the possibility of Congressional action remains. In addition, the FCC is considering a petition, filed by the Trump Administration, to adopt rules interpreting Section 230, which limits the liability of internet platforms for third-party content that is transmitted via those platforms and for good-faith moderation of offensive content. No date has been set for a vote on that proposal and the FCC has not released any document describing the rules that would be proposed. The Democratic members of the FCC have indicated that they are opposed to the petition and now control the agenda of the FCC. There is no schedule for action by the FCC on the petition. If Congress revises or repeals Section 230 or the FCC adopts rules, we may no longer be afforded the same level of protection offered by Section 230. In addition, there are pending cases before the judiciary that may result in changes to the protections afforded to internet platforms, including a lawsuit by former President Trump that, if successful, would greatly limit the scope of Section 230. Further, on October 3, 2022, the U.S. Supreme Court agreed to hear a case to determine whether Google should be liable for damages because YouTube’s suggestion algorithm promoted radical Islamic videos that incited a terrorist attack in France. A decision in that case is expected by the end of June 2023. These various efforts to limit the protections provided by Section 230 would increase the risks faced by internet-based businesses, like Zoom, that rely on third-party content. Even if claims asserted against us do not result in liability, we may incur substantial costs in investigating and defending such claims. If we are found liable for our customers’ or other users’ activities, we could be required to pay fines or penalties, redesign business methods or otherwise expend resources to remedy any damages caused by such actions and to avoid future liability. The FCC has proposed to revise its rules requiring reporting of breaches of private customer information, known as CPNI. If adopted, the proposed rules could broaden the types of CPNI breaches that must be reported, but also could limit the number of reports that must be filed by adopting a minimum threshold for the number of customers affected. The proposed rules also would require that breach reports be provided directly to the FCC, which could increase the risk of enforcement action, including fines and behavioral remedies. The FCC has adopted rules that prohibit Chinese companies that are deemed to be a national security risk by other federal agencies from obtaining new authorizations and placed on a list known as the Covered List to sell telecommunications equipment in the U.S. and is considering proposed rules that would ban those companies from selling previously-authorized equipment or could prohibit use of their equipment in the U.S. Zoom does not currently have any equipment from the companies subject to the ban in its network, but if other companies are added to the Covered List and the FCC adopts rules that ban sales or use of equipment from companies on the Covered List, we could be required to find new sources for similar equipment or replace existing equipment entirely. State Regulation State telecommunications regulation of Zoom Phone is generally preempted by the FCC. However, states are allowed to assess state USF contributions, E-911 fees, and other surcharges. A number of states require us to contribute to state USF and pay E-911 and other assessments and surcharges, while others are actively considering extending their programs to include the products we offer and the California Public Utilities Commission is now taking the position that it can require VoIP providers like Zoom Phone to obtain authority to operate in that state. We generally pass USF, E-911 fees, and other surcharges through to our customers where we are permitted to do so, which may result in our products becoming more expensive. We expect that state public utility commissions will continue their attempts to apply state telecommunications regulations to services like Zoom Phone. If we do not comply with any current or future state regulations that apply to our business, we could be subject to substantial fines and penalties, we may have to restructure our product offerings, exit certain markets, or raise the price of our products, any of which could harm our business. A federal court judge denied a request for a preliminary injunction against California’s state-specific network neutrality law, and as a result, California began enforcing that law on March 25, 2021. Trade associations representing internet service providers appealed the district court’s ruling denying the preliminary injunction, and the appeal was denied on January 28, 2022. On April 20, 2022 the Ninth Circuit declined to rehear the case and the appellants have since announced that they will not 37 37 37 Table of Contents Table of Contents file for an appeal with the U.S. Supreme Court. We cannot predict whether other state initiatives will be enforced, modified, overturned, or vacated. Legislation has been adopted in Florida and Texas that is intended to reduce or eliminate the power of businesses operating on the Internet to moderate user-generated content, implicitly eliminating the federal protections granted under Section 230. Similar legislation has been introduced in other states in 2022, including a bill that has passed the Georgia State Senate and is pending before the Georgia House. Implementation of the Florida and Texas statutes has been stayed by various federal courts, including the U.S. Supreme Court. On August 18, the parties in the Florida case requested, and were granted, a stay of the appeals court mandate pending Supreme Court review, and on September 21, 2022, Florida requested that the Supreme Court review the case. On September 16, the U.S. Court of Appeals for the Fifth Circuit issued a decision upholding the Texas law. On September 30, the parties in that case filed an unopposed motion to stay the Fifth Circuit decision pending Supreme Court review, and the Fifth Circuit granted that request on October 13, 2022. The parties opposing the Texas law requested that the Supreme Court review the case on December 15, 2022. The conflict between the decisions on the two laws increases the likelihood that the Supreme Court will review these statutes. Florida recently amended its statute in an effort to address issues that led the court to issue the stay. It is likely that any other such state legislation also would be challenged under the First Amendment to the U.S. Constitution and on the ground that it is preempted by Section 230. We cannot predict whether any such state legislation will be adopted, enforced, modified, overturned, or vacated. International Regulation As we expand internationally, we may be subject to telecommunications, consumer protection, privacy, data protection, and other laws and regulations in the foreign countries where we offer our products. If we do not comply with any current or future international regulations that apply to our business, we could be subject to substantial fines and penalties, we may have to restructure our product offerings, exit certain markets, or raise the price of our products, any of which could harm our business.

Our business may be significantly affected by changes in the economy, such as high inflation and the responses by central banking authorities to control such inflation, recessionary or uncertain environments, U.S. federal debt ceiling negotiations and the risk of a U.S. government shutdown, fluctuations in the foreign currency exchange rates and global impacts, including the Russian invasion of Ukraine, the conflict in Israel and the surrounding area and the United States' ongoing trade disputes with China and other countries. While some customers may view a subscription to our platform as a cost-saving purchase, decreasing the need for business travel, others may view a subscription to our platform as a discretionary purchase, and our customers may reduce their information technology spending on our platform during an economic downturn or during times of economic uncertainty. Given current economic conditions, including inflation, we have experienced and may continue to experience a loss of users and customers, as well as a reduction in demand for our platform, especially if the effects of the current economic environment have a prolonged impact on various industries that our unified communications and collaboration platform addresses. In addition to the foregoing, adverse developments that affect financial institutions, transactional counterparties or other third parties, such as bank failures, or concerns or speculation about any similar events or risks, could lead to market-wide liquidity problems, which in turn may cause third parties, including customers, to become unable to meet their obligations under various types of financial arrangements as well as general disruptions or instability in the financial markets. Moreover, we have lost and may continue to lose customers as a result of such customers ceasing to do business, and we have experienced and may continue to experience a material increase in longer payment cycles and greater difficulty in collecting accounts receivable from certain customers. These issues may continue in the future if current economic conditions continue or worsen.

Our business may be affected by changes in the economy, such as high inflation, recessionary or uncertain environments, fluctuations in the foreign currency exchange rates and global impacts, including the Russian invasion of Ukraine and the United States' ongoing trade disputes with China and other countries. Some customers may view a subscription to our platform as a cost-saving purchase, decreasing the need for business travel, others may view a subscription to our platform as a discretionary purchase, and our customers may reduce their information technology spending on our platform during an economic downturn or during times of economic uncertainty. Given current economic conditions, including inflation, we could experience a reduction in demand and loss of customers, especially if the effects of the current economic environment have a prolonged impact on various industries that our unified communications and collaboration platform addresses. We would lose 16 16 16 Table of Contents Table of Contents customers as a result of customers ceasing to do business, and we could experience a material increase in longer payment cycles and greater difficulty in collecting accounts receivable from certain customers.

We may be subject to, or respond to requests from law enforcement that are legally valid, appropriately scoped, and sufficiently detailed in connection with enforcement of, various civil and criminal laws, including those covering copyright, indecent content, child protection, consumer protection, telecommunications services, taxation, and similar matters. It may be difficult, expensive, and disruptive for us to address law enforcement requests, subpoenas and other legal process, and laws in various jurisdictions may conflict and hamper our ability to satisfy or comply with such requests, subpoenas and other legal process. There have been instances where improper or illegal content has been shared on our platform without our knowledge. As a service provider and as a matter of policy, we do not monitor user meetings. However, to protect user safety and prevent conduct that is illegal, violent, or harmful to others, we enforce our terms of service through use of a mix of tools that suggest when such activity may be occurring on our platform. Our trust and safety team may take further action as appropriate, including suspension or termination of the participant's account or referral to law enforcement. The laws in this area are currently in a state of flux and vary widely between jurisdictions. Accordingly, it may be possible that in the future we and our competitors may be subject to legal actions along with the users who shared such content. In addition, regardless of any legal liability we may face, our reputation could be harmed should there be an incident generating extensive negative publicity about the content shared on our platform. Such publicity would harm our business.

We may be subject to, or assist law enforcement with enforcement of, various laws, including those covering copyright, indecent content, child protection, consumer protection, telecommunications services, taxation, and similar matters. It may be difficult, expensive, and disruptive for us to address law enforcement requests, subpoenas and other legal process, and laws in various jurisdictions may conflict and hamper our ability to satisfy or comply with such requests, subpoenas and other legal process. There have been instances where improper or illegal content has been shared on our platform without our knowledge. As a service provider and as a matter of policy, we do not monitor user meetings. However, to ensure user safety and prevent conduct that is illegal, violent, or harmful to others, we enforce our terms of service through use of a mix of tools that suggest when such activity may be occurring on our platform. We also recently created an in-product security feature that allows the host or co-host of a meeting to easily select a meeting participant that may be engaging in illegal or harmful behavior and send a report about that behavior to our trust and safety team for evaluation. Our trust and safety team may take further action as appropriate, including suspension or termination of the participant's account or referral to law enforcement. While to date we have not been subject to material legal or administrative actions as a result of improper or illegal content, the laws in this area are currently in a state of flux and vary widely between jurisdictions. Accordingly, it may be possible that in the future we and our competitors may be subject to legal actions along with the users who shared such content. In addition, regardless of any legal liability we may face, our reputation could be harmed should there be an incident generating extensive negative publicity about the content shared on our platform. Such publicity would harm our business. We are also subject to consumer protection laws that may affect our sales and marketing efforts, including laws related to subscriptions, billing, and auto-renewal. These laws, as well as any changes in these laws, could adversely affect our self-serve model and make it more difficult for us to retain and upgrade customers and attract new customers and hosts. Additionally, we have in the past, are currently, and may from time to time in the future become the subject of inquiries and other actions by regulatory authorities as a result of our business practices, including our subscription, billing, and auto-renewal policies. Consumer protection laws may be interpreted or applied by regulatory authorities in a manner that could require us to make changes to our operations or incur fines, penalties, or settlement expenses, which may result in harm to our business. Our platform depends on the ability of our customers, hosts, and users to access the internet, and our platform has been blocked or restricted in some countries for various reasons. If we fail to anticipate developments in the law, or fail for any reason to comply with relevant law, our platform could be further blocked or restricted, and we could be exposed to significant liability that could harm our business. We are also subject to various U.S. and international anti-corruption laws, such as the U.S. Foreign Corrupt Practices Act of 1977, as amended (the “FCPA”), and the U.K. Bribery Act 2010, as well as other similar anti-bribery and anti-kickback laws and regulations. These laws and regulations generally prohibit companies and their employees and intermediaries, from directly or indirectly authorizing, offering, or providing improper payments or benefits to government officials and other recipients for improper purposes. The FCPA also requires public companies to make and keep books and records that accurately and fairly reflect the transactions of the corporation and to device and maintain an adequate system of internal accounting controls. Although we take precautions to prevent violations of anti-corruption laws, our exposure for violating these laws increases as we continue to expand our international presence, and any failure to comply with such laws could harm our business, financial condition, and results of operations.

Our business depends upon our ability to attract new customers, and maintain and expand our relationships with our existing customers, including upselling additional products and new product categories to our existing customers and upgrading users from a free plan to one of our paid offerings. Our business is subscription based, and customers are not obligated to, and may choose not to, renew their subscriptions after their existing subscriptions expire. Customers may also terminate or reduce the size of their existing subscriptions. As a result, we cannot provide assurance that customers will renew their subscriptions utilizing the same tier of plan, upgrade to a higher-priced tier, or purchase additional products, if they renew at all. Renewals of subscriptions to our platform may decline or fluctuate because of several factors, such as dissatisfaction with our products and support, a customer no longer having a need for our products, or a belief that a competitor’s product is better, more secure, or less expensive than our products and platform. For example, during the COVID-19 pandemic, we saw a significant increase in usage and subscriptions. As a result, our customer base shifted largely from businesses and enterprises to a mix of businesses, enterprises, and consumers. Following the pandemic, some of our customers reduced or discontinued their use of our platform, and additional customers may do so in the future. Additionally, this shift in mix has resulted and may continue to result in higher non-renewal rates than we have experienced in the past. Renewals are also impacted by reductions in customer information technology spending budgets or a decision by the customer to consolidate their spending budgets on one of our competitor’s platforms, both of which are more likely to occur during periods of high inflation or recessionary or uncertain economic environments. We must continually add new customers and licenses to grow our business and to replace customers and licenses who choose not to continue to use our platform. Finally, any decrease in user satisfaction with our products or support would harm our brand, word-of-mouth referrals, and ability to grow. We encourage customers to purchase additional products and encourage users of our free offering to upgrade to one of our paid offerings by recommending additional features and through in-product prompts and notifications. However, free users may never upgrade to one of our paid offerings. We also seek to expand within organizations by adding new licenses, having workplaces purchase additional products, or expanding the use of our platform into other teams and departments within an organization. If we fail to upsell our customers or upgrade free users to one of our paid offerings or expand the number of licenses within organizations, our business would be harmed.

Our business depends upon our ability to attract new customers, and maintain and expand our relationships with our existing customers, including upselling additional products and new product categories to our existing customers and upgrading hosts to a paid Zoom Meeting plan. A host is any user of our unified communications and collaboration platform who initiates a Zoom Meeting and invites one or more participants to join that meeting. We refer to hosts who subscribe to a paid Zoom Meeting plan as “paid hosts.” Our business is subscription based, and customers are not obligated to, and may choose not to, renew their subscriptions after their existing subscriptions expire. As a result, we cannot provide assurance that customers will renew their subscriptions utilizing the same tier of their Zoom Meeting plan, upgrade to a higher-priced tier, or purchase additional products, if they renew at all. Renewals of subscriptions to our platform may decline or fluctuate because of several factors, such as dissatisfaction with our products and support, a customer or host no longer having a need for our products, including any new customers or hosts that have subscribed to our services during the COVID-19 pandemic that may subsequently reduce or discontinue their use after the impact of the pandemic have tapered, a reduction in customer information technology spending budgets, or a consolidation of spending budgets on our competitors' platforms, during periods of high inflation or recessionary or uncertain economic environments or the perception that competitive products provide better, more secure, or less expensive options. In addition, some customers downgrade their Zoom Meeting plan or do not renew their subscriptions. Furthermore, as a result of the increased usage of our platform during the COVID-19 pandemic, our customer base has shifted largely from businesses and enterprises to a mix of businesses, enterprises, and consumers. This shift in mix could result in higher non-renewal rates than we have experienced in the past. We must continually add new customers and hosts to grow our business beyond our current user base and to replace customers and hosts who choose not to continue to use our platform. Finally, any decrease in user satisfaction with our products or support would harm our brand, word-of-mouth referrals, and ability to grow. We encourage customers to purchase additional products and encourage hosts to upgrade to our paid offerings by recommending additional features and through in-product prompts and notifications. Additionally, we seek to expand within organizations by adding new hosts, having workplaces purchase additional products, or expanding the use of our platform into other teams and departments within an organization. At the same time, we encourage hosts that subscribe to our free Zoom 13 13 13 Table of Contents Table of Contents Meeting plan to upgrade to a paid Zoom Meeting plan. However, a majority of these hosts, including those that initially subscribed to our free plan during the COVID-19 pandemic as a result of shelter-in-place and work-from-home mandates, may never upgrade to a paid Zoom Meeting plan. If we fail to upsell our customers or upgrade hosts of our free Zoom Meeting plan to paid subscriptions or expand the number of paid hosts within organizations, our business would be harmed. In addition, our user growth rate may slow or decline in the future as our market penetration rates increase. If we are not able to continue to expand our user base, our revenue may grow more slowly than expected or decline. While we continue to add paid users to our customer base, we expect our user growth rate to continue to slow or decline during the COVID-19 pandemic recovery, particularly as users return to work or school or are otherwise no longer subject to limitations on in-person meetings.

While our employee headcount both in the United States and internationally has generally increased over time, we have undertaken, and may undertake from time to time in the future, restructuring actions to better align our financial model and. For example, in February 2023, we commenced certain restructuring actions, designed to reduce operating costs and continue advancing our ongoing commitment to profitable growth. These organizational changes may not achieve or sustain the targeted benefits, or the benefits, even if achieved, may not be adequate to meet our long-term profitability and operational expectations. Steps we take to manage our business operations, including workplace policies for employees, and to align our operations with our strategies for future growth, may adversely affect our reputation and brand, our ability to recruit, retain and motivate highly skilled personnel. Additionally, while we expect to continue to grow our business and operations over time, we have encountered in the past, and may encounter in the future, risks and uncertainties frequently experienced by growing companies in rapidly changing industries. Our ability to manage our growth and business operations effectively and to integrate new employees, technologies and acquisitions into our existing business will require us to continue to expend resources to continue to support our global user-base and to retain, attract, train, motivate and manage employees. This places a continuous, significant strain on our management, operational, and financial resources. If we fail to achieve the necessary level of efficiency in our organization as it grows, or if we are not able to accurately forecast future growth, our business would be harmed.

Since our founding in 2011, our employee headcount, both in the United States and internationally, has increased significantly over time. The growth and expansion of our business places a continuous, significant strain on our management, operational, and financial resources. Further growth of our operations to support our user base, our expanding third-party relationships, our information technology systems, and our internal controls and procedures may not be adequate to support our operations. In addition, as we continue to grow, we face challenges integrating, developing, and motivating our employee base in various countries around the world. Many of our personnel work remotely, which may lead to challenges in productivity and collaboration. Certain members of our management have not previously worked together for an extended period of time, and some do not have prior experience managing a public company, which may affect how they manage our growth effectively. In addition, from time to time, we implement organizational changes to pursue greater efficiency and realign our business and strategic priorities. In February 2023, we commenced certain restructuring actions (the “Restructuring Plan”), designed to reduce operating costs and continue advancing our ongoing commitment to profitable growth. We may encounter challenges in the execution of these efforts, and these challenges could impact our financial results. Although we believe that the Restructuring Plan will reduce operating costs and improve operating margins, we cannot guarantee that the Restructuring Plan will achieve or sustain the targeted benefits, or that the benefits, even if achieved, will be adequate to meet our long-term profitability and operational expectations. As a result of these actions, we will incur additional charges in the near term, including those related to employee transition, severance payments, employee benefits, and stock-based compensation. Additional risks associated with the continuing impact of the Restructuring Plan include employee attrition beyond our intended reduction in force and adverse effects on employee morale (which may also be further exacerbated by actual or perceived declining value of equity awards), diversion of management attention, adverse effects to our reputation as an employer (which could make it more difficult for us to hire new employees in the future), and potential failure or delays to meet operational and growth targets due to the loss of qualified employees. If we do not realize the expected benefits of our restructuring efforts on a timely basis or at all, our business, results of operations and financial condition could be adversely affected. In addition, our historical rapid growth may make it difficult to evaluate our future prospects. Our ability to forecast our future results of operations is subject to a number of uncertainties, including our ability to effectively plan for and model future growth. We have encountered in the past, and may encounter in the future, risks and uncertainties frequently experienced by growing companies in rapidly changing industries. If we fail to achieve the necessary level of efficiency in our organization as it grows, or if we are not able to accurately forecast future growth, our business would be harmed.