Zscaler Inc.: 10-K Risk Factor Changes

We currently host our cloud platform and serve our customers from a global network of over 160 public exchanges globally and thousands of private exchanges at the edge. While we have electronic access to the components and infrastructure of our cloud platform that are hosted by third parties, we do not control the operation of these facilities. Consequently, we may be subject to service disruptions as well as a lack of adequate support for our data center operations due to reasons that are outside of our control. Our data centers are vulnerable to damage and connections to our data centers may be interrupted by a variety of sources, including earthquakes, floods, fires, power loss, system or infrastructure failures, computer viruses, physical or electronic break-ins, human error or interference (including by disgruntled or negligent, current or former employees or contractors) and other catastrophic events. Our data centers may also be subject to national or local administrative actions, changes in government regulations, including, for example, the impact of global economic and other sanctions like those levied in response to the current conflict between Russia and Ukraine, changes to legal or permitting requirements and litigation to stop, limit or delay operations. Despite precautions taken at these facilities, a decision to close the facilities without adequate notice or other unanticipated problems at these facilities could result in interruptions or delays in our services, impede our ability to scale our operations or have other adverse impacts upon our business. In addition, if we do not accurately plan for our infrastructure capacity requirements or experience significant strains on our data center capacity, we may experience delays and additional expenses in arranging new data centers, and our customers could experience performance degradation or service outages that may subject us to financial liabilities, result in customer losses and materially harm our business.

We currently host our cloud platform and serve our customers from a global network of over 160 data centers. While we have electronic access to the components and infrastructure of our cloud platform that are hosted by third parties, we do not control the operation of these facilities. Consequently, we may be subject to service disruptions as well as a lack of adequate support for our data center operations due to reasons that are outside of our direct control. Our data centers are vulnerable to damage and connections to our data centers may be interrupted by a variety of sources, including earthquakes, floods, fires, power loss, system or infrastructure failures, computer viruses, physical or electronic break-ins, human error or interference (including by disgruntled employees, former employees or contractors) and other catastrophic events, including those exacerbated by the effects of climate change. Our data centers may also be subject to national or local administrative actions, changes in government regulations, including, for example, the impact of global economic and other sanctions like those levied in response to the current conflict between Russia and Ukraine, changes to legal or permitting requirements and 27 27 27 Table of Contents Table of Contents litigation to stop, limit or delay operations. Despite precautions taken at these facilities, such as disaster recovery and business continuity arrangements, the occurrence of a natural disaster or an act of terrorism, a decision to close the facilities without adequate notice or other unanticipated problems at these facilities could result in interruptions or delays in our services, impede our ability to scale our operations or have other adverse impacts upon our business. In addition, if we do not accurately plan for our infrastructure capacity requirements or experience significant strains on our data center capacity, we may experience delays and additional expenses in arranging new data centers, and our customers could experience performance degradation or service outages that may subject us to financial liabilities, result in customer losses and materially harm our business. For example, to manage a dramatic increase in ZPA traffic resulting from our customers' employees working from home at the outset of the COVID-19 pandemic, we temporarily increased our use of public cloud infrastructure, which is substantially more expensive than our own data centers. If we must again materially increase our use of public cloud infrastructure in the future, our results of operations could be negatively impacted.

We are increasingly utilizing AI and ML capabilities, including, for example, those relating to generative AI and large language models, into our product offerings. The rapid evolution of AI and ML requires the application of resources to develop, test and maintain our products and services to help ensure that AI and ML are implemented responsibly to benefit our business, while also minimizing any unintended or harmful impact. As with many developing technologies, AI and ML present risks and challenges, many of which may be unknown, that could affect their further development, adoption and use. These risks and challenges could undermine public confidence in AI and ML, which could slow or even halt its adoption and negatively affect our business. Further, a quickly evolving legal and regulatory environment may cause us to incur increased research and development costs, or divert resources from other development efforts, to address social and ethical issues related to AI and ML. In addition, as the regulatory landscape for AI and ML evolves, we must develop and maintain robust internal policies and standards that clarify functional roles and responsibilities for the responsible and compliant development and deployment of AI technologies. The use of AI technologies presents emerging ethical issues that could become controversial and failure, or perceived failure, to establish or enforce such policies and clear lines of accountability could increase our risk of noncompliance, operational errors or reputational harm. As a result of these and other challenges associated with our use, implementation and training of AI and ML, or misunderstandings or misrepresentations by third parties about the type of data that we use to train AI or ML, we may in the future be subject to legal liability, competitive harm, negative media coverage or regulatory action, including new proposed, and in certain cases enacted, rules and legislation regulating AI in jurisdictions such as the European Union, new applications of existing data protection, privacy, cybersecurity, information security, intellectual property and other laws, and brand or reputational harm.

We are increasingly utilizing and have recently begun building and executing AI and ML capabilities, including, for example, those relating to generative AI and large language models, into our product offerings. The rapid evolution of AI and ML requires the application of resources to develop, test and maintain our products and services to help ensure that AI and ML are implemented responsibly in order to benefit our business, while also minimizing any unintended or harmful impact. As with many developing technologies, AI and ML present risks and challenges, many of which may be unknown, that could affect their further development, adoption, and use. These risks and challenges could undermine public confidence in AI and ML, which could slow or even halt its adoption and negatively affect our business. Further, a quickly evolving legal and regulatory environment may cause us to incur increased research and development costs, or divert resources from other development efforts, to address social and ethical issues related to AI and ML. The use of AI technologies also presents emerging ethical issues that could become controversial. As a result of these and other challenges associated with our use and implementation of AI and ML, we may in the future be subject to legal liability, competitive harm, regulatory action, including new proposed rules and legislation regulating AI in jurisdictions such as the European Union, new applications of existing data protection, privacy, cybersecurity, information security, intellectual property, and other laws, and brand or reputational harm.

The regulatory framework for privacy, data protection and security matters are rapidly evolving and are likely to remain volatile for the foreseeable future. Our handling of personal data is subject to various data protection, cybersecurity, information security and other telecommunications regulations or requirements where we offer our solutions around the world. We also may find it necessary or desirable to join industry or other self-regulatory bodies or other cybersecurity or information security or data protection-related organizations that require us to comply with rules pertaining to privacy, data protection, cybersecurity and information security. Further, we may be bound by additional, more stringent contractual obligations and other actual and asserted obligations, such as industry standards, relating to our collection, use and disclosure of personal, financial and other data. Changes in laws or regulations that adversely affect the use of the internet, including laws impacting net neutrality, could also impact our business. The U.S. federal government, and various state and foreign governments, have adopted or proposed laws and regulations on the collection, distribution, use, storage, transfer and other processing of information relating to individuals. Such laws and regulations may, among other things, require companies to implement privacy and security policies, permit customers to access, correct and delete information stored or maintained by companies, inform individuals of security breaches that affect their information and, in some cases, obtain individuals’ consent to use information for certain purposes. Numerous U.S. states have enacted, and others are expected to enact, privacy laws, and a federal privacy law is being considered. In addition, in certain jurisdictions, regulatory requirements may be more stringent than those in the U.S. For example, the European Union's General Data Protection Regulation, provides for substantial obligations relating to the handling, storage, disclosure, transfer and other processing of information relating to individuals and fines of up to €20 million or 4% of the annual global revenue of the noncompliant company, whichever is greater. Furthermore, cross-border data transfers face increasing restrictions and compliance requirements. Following the invalidation of the EU-US Privacy Shield and ongoing challenges to Standard Contractual Clauses, data localization requirements and transfer restrictions continue to evolve. Various countries have implemented or are considering data residency requirements that could limit our ability to provide global services efficiently or require significant infrastructure investments. In addition, the number of emerging and existing data protection, privacy and security laws and regulations creates the risk that obligations may be interpreted inconsistently between jurisdictions, which may make it difficult for us to comply with our privacy, data protection and security obligations globally. We expect that there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection, cybersecurity, information security and telecommunications services in the jurisdictions in which we operate or may operate, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. Needing to address new obligations and changes in the interpretation of existing obligations could require us to modify our solutions, restrict our business operations, increase our costs and impair our ability to maintain and grow our customer base and increase our revenue. New and evolving requirements may increase compliance costs, lead to increased regulatory scrutiny or liability, may require additional contractual negotiations, and may adversely impact our business, financial condition and operating results. Any failure or perceived failure by us to comply with applicable laws, regulations, standards or actual or asserted obligations, or any actual, perceived or purported security breach or other security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of information relating to individuals or other data, may result in governmental investigations, enforcement actions and other proceedings, private claims and litigation, fines and penalties or adverse publicity, and could cause our customers and prospective customers to lose trust in us, which could have an adverse effect on our reputation and business. 46 46 46 Table of Contents Table of Contents

The regulatory framework for privacy, data protection and security matters are rapidly evolving and are likely to remain volatile for the foreseeable future. Our handling of personal data is subject to various data protection, cybersecurity, information security and other telecommunications regulations or requirements where we offer our solutions around the world. We also may find it necessary or desirable to join industry or other self-regulatory bodies or other cybersecurity or information security or data protection-related organizations that require us to comply with rules pertaining to privacy, data protection, cybersecurity and information security. Further, we may be bound by additional, more stringent contractual obligations and other actual and asserted obligations, such as industry standards, relating to our collection, use and disclosure of personal, financial and other data. Changes in laws or regulations that adversely affect the use of the internet, including laws impacting net neutrality, could also impact our business. The U.S. federal government, and various state and foreign governments, have adopted or proposed laws and regulations on the collection, distribution, use, storage and other processing of information relating to individuals. Such laws and regulations may, among other things, require companies to implement privacy and security policies, permit customers to access, correct and delete information stored or maintained by such companies, inform individuals of security breaches that affect their information and, in some cases, obtain individuals’ consent to use information for certain purposes. For example, the California Consumer Privacy Act, or CCPA, took effect in January 2020 and was subsequently modified by the California Privacy Rights Act, or CPRA, which took effect in January 2023. Numerous other states have enacted, and others are expected to enact, privacy laws that have gone into effect, or will go into effect through 2026, and a federal privacy law is being considered. In addition, in certain jurisdictions, regulatory requirements may be more stringent than those in the U.S. For example, the European Union has implemented the General Data Protection Regulation, which provides for substantial obligations relating to the handling, storage and other processing of information relating to individuals and fines of up to €20 million or 4% of the annual global revenue of the noncompliant company, whichever is greater. The number of emerging and existing data protection, privacy and security laws and regulations creates the risk that obligations may be interpreted inconsistently between jurisdictions which may generate tension with our efforts to align our practices to comply with our privacy, data protection, and security obligations globally. Many of these laws and regulations impose substantial penalties for noncompliance. We expect that there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection, cybersecurity, information security and telecommunications services jurisdictions in which we operate or may operate, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. Needing to address new and evolving laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations, relating to privacy, data protection or security could require us to modify our solutions, restrict our business operations, increase our costs and impair our ability to maintain and grow our customer base and increase our revenue. New and evolving requirements may increase compliance costs, lead to increased regulatory scrutiny or liability, may require additional contractual negotiations, and may adversely impact our business, financial condition and operating results. In view of the foregoing, we cannot assure our compliance with all such laws, regulations, standards and obligations. Any failure or perceived failure by us to comply with applicable laws, regulations, standards or actual or asserted obligations, or any actual, perceived or purported security breach or other security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of information relating to individuals or other data, may result in governmental investigations, enforcement actions and other proceedings, private claims and 44 44 44 Table of Contents Table of Contents litigation, fines and penalties or adverse publicity, and could cause our customers and prospective customers to lose trust in us, which could have an adverse effect on our reputation and business.

We are expanding our international operations and staff to support our business in international markets. Our corporate structure and associated transfer pricing policies contemplate the business flows and future growth into the international markets, and consider the functions, risks and assets of the various entities involved in the intercompany transactions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. For example, certain jurisdictions have recently introduced a digital services tax, which is generally a tax on gross revenue generated from users or customers located in those jurisdictions, and other jurisdictions are considering enacting similar laws. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to the intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, or if there are changes in tax laws or the way existing tax laws are interpreted or applied, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency. Many countries are beginning to implement legislation and other guidance to align their international tax rules with the Organization for Economic Cooperation and Development’s, or OECD, Base Erosion and Profit Shifting recommendations and action plan that aim to standardize and modernize global corporate tax policy, including changes to cross-border tax, transfer pricing documentation rules and nexus-based tax incentive practices. The OECD is also continuing discussions surrounding fundamental changes in allocation of profits among tax jurisdictions in which companies do business, as well as the implementation of a global minimum tax (namely the “Pillar One” and “Pillar Two” proposals). Many countries have enacted or begun the process of enacting laws based on Pillar Two proposals, which may adversely impact our provision for income taxes, net income and cash flows. 48 48 48 Table of Contents Table of Contents

We are expanding our international operations and staff to support our business in international markets. Our corporate structure and associated transfer pricing policies contemplate the business flows and future growth into the international markets, and consider the functions, risks and assets of the various entities involved in the intercompany transactions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. For example, certain jurisdictions have recently introduced a digital services tax, which is generally a tax on gross revenue generated from users or customers located in those jurisdictions, and other jurisdictions are considering enacting similar laws. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to the intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, or if there are changes in tax laws or the way existing tax laws are interpreted or applied, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency. In 2021, the Organization for Economic Cooperation and Development announced an Inclusive Framework on Base Erosion and Profit Shifting including Pillar Two Model Rules defining the global minimum tax, which calls for the taxation of large multinational corporations at a minimum rate of 15%. Subsequently multiple sets of administrative guidance have been issued. Many countries have implemented or are in the process of implementing the Pillar Two legislation, which will apply to us beginning in fiscal 2025. Management is currently assessing the jurisdictions that could give rise to additional taxation as well as any potential impacts as a result of the implementation of the rules.

To increase our revenue and achieve and maintain profitability, we must add new customers. To add new customers, we must successfully convince IT decision makers that security delivered through our cloud platform provides significant advantages over legacy on-premises appliance-based security products and competing cloud-based products. Additionally, many of our customers broadly deploy our products, which requires a significant commitment of resources from our customers. These factors significantly impact our ability to add new customers and increase the time, resources and sophistication required to do so. 21 21 21 Table of Contents Table of Contents In addition, numerous other factors, many of which are out of our control, have impacted and may in the future impact our ability to add new customers, including: •potential customers’ commitments to legacy IT security vendors and products; •real or perceived switching costs; •the current or potential implementation of tariffs or retaliatory measures due to tariffs on the sales of our products in countries where our customers or potential paying customers are located; •competition from hybrid or cloud security products; •our failure to expand, retain and motivate our sales and marketing personnel; •our failure to develop or expand relationships with our channel partners or to attract new channel partners; •failure by us or our partners to help our customers to successfully deploy our cloud platform; •negative media or industry or financial analyst commentary regarding us or our solutions, or similar solutions offered by other vendors; •litigation; and •general economic conditions. As a result of challenging or uncertain macroeconomic conditions, we have experienced and may experience in the future increased scrutiny and a longer approval process for initial purchases by new customers, particularly for larger transactions. We cannot predict how challenging or uncertain macroeconomic conditions will impact potential customers' purchasing decisions and whether potential customers may decide to delay purchases, decrease the size of purchases or entirely forego purchasing our services. If our efforts to attract new customers are not successful, our revenue and rate of revenue growth may decline, we may not achieve profitability and our future results of operations could be materially harmed.

To increase our revenue and achieve and maintain profitability, we must add new customers. To add new customers, we must successfully convince IT decision makers that security delivered through our cloud platform provides significant advantages over legacy on-premises appliance-based security products and competing cloud-based products. Additionally, many of our customers broadly deploy our products, which requires a significant commitment of resources from our customers. These factors significantly impact our ability to add new customers and increase the time, resources and sophistication required to do so. 20 20 20 Table of Contents Table of Contents In addition, numerous other factors, many of which are out of our control, have impacted and may in the future impact our ability to add new customers, including potential customers’ commitments to legacy IT security vendors and products, real or perceived switching costs, competition from hybrid or cloud security products, our failure to expand, retain and motivate our sales and marketing personnel, our failure to develop or expand relationships with our channel partners or to attract new channel partners, failure by us or our partners to help our customers to successfully deploy our cloud platform, negative media or industry or financial analyst commentary regarding us or our solutions, or similar solutions offered by other vendors, litigation and general economic conditions. As a result of challenging macroeconomic conditions, we have experienced and may experience in the future increased scrutiny and a longer approval process for initial purchases by new customers, particularly for larger transactions. We cannot predict how long these challenging macroeconomic conditions will persist, and customer cautiousness could continue or worsen or result in potential customers deciding to forego our services entirely. If our efforts to attract new customers are not successful, our revenue and rate of revenue growth may decline, we may not achieve profitability and our future results of operations could be materially harmed.

We rely on a limited number of suppliers for several components of our cloud platform and the systems we use to operate our business and provide services to our customers, including sole or limited sourced hardware, software and SaaS services. Some of our suppliers also temporarily hold a portion of our assets for us. Our reliance on these suppliers exposes us 41 41 41 Table of Contents Table of Contents to risks, including reduced control over production costs, constraints based on the then-current availability, terms and pricing of these components and potential loss of assets. For example, we generally purchase equipment or the components of equipment on a purchase order basis, and do not have long-term contracts guaranteeing supply. We also rely on sole or limited sourced SaaS vendors to provide critical services that we use to operate our business. In addition, the technology industry has experienced component shortages, delivery delays, price increases and service interruptions in the past, and we may experience shortages, delays, materially increased costs or service interruptions in the future, including as a result of natural disasters, acts of war or international conflicts, epidemics or global pandemics, increased demand in the industry or if our suppliers do not have sufficient rights to supply the components in all jurisdictions in which we may host our services. While global economic conditions have not yet had a material impact on our supply chain, these conditions have increased our costs in the past and could result in disruptions and delays for components in the future. Additionally, changes to existing international trade agreements, tariffs, export controls or other trade measures and regulations that impact our sourcing partners or us could lead to increased costs to operate our business and to disruptions in our supply chain, which could limit our ability to support our customers. For instance, there is a risk that current geopolitical, diplomatic and other developments affecting the relationship between China and Taiwan may materially and negatively impact the availability of certain critical components that we use in our data centers, which we source from overseas. If our supply of certain components is disrupted or delayed, there can be no assurance that available alternatives can serve as adequate replacements for the existing components or that alternatives will be available on terms that are favorable to us, if at all, as it may take several months or longer to identify, qualify and engage a new supplier or integrator. Any disruption or delay in access to components may delay opening new data centers, delay increasing capacity or replacing defective equipment at existing data centers, cause other constraints on our operations that could damage our channel partner or customer relationships or otherwise have a material adverse impact on our business.

We rely on a limited number of suppliers for several components of the equipment we use to operate our cloud platform and provide services to our customers. Our reliance on these suppliers exposes us to risks, including reduced control over production costs and constraints based on the then-current availability, terms and pricing of these components. For example, we generally purchase these components on a purchase order basis, and do not have long-term contracts guaranteeing supply. In addition, the technology industry has experienced component shortages, delivery delays and price increases in the past, and we may experience shortages, delays or materially increased costs, including as a result of natural disasters, acts of war or international conflicts, epidemics or global pandemics, increased demand in the industry or if our suppliers do not have sufficient rights to supply the components in all jurisdictions in which we may host our services. While global economic conditions have not yet had a material impact on our supply chain, these conditions have increased our costs in the past and could result in disruptions and delays for components in the future. For instance, there is a risk that current geopolitical, diplomatic and other developments affecting the relationship between China and Taiwan may materially and negatively impact the availability of certain critical components that we use in our data centers, which we source from overseas. If our supply of certain components is disrupted or delayed, there can be no assurance that additional supplies or components can serve as adequate replacements for the existing components or that supplies will be available on terms that are favorable to us, if at all. Any disruption or delay in the supply of our components may delay opening new data centers, delay increasing capacity or replacing defective equipment at existing data centers or cause other constraints on our operations that could damage our channel partner or customer relationships.

In connection with the pricing of the 2028 Notes, we entered into privately negotiated capped call transactions with certain of the initial purchasers and/or their respective affiliates and other financial institutions, or the Option Counterparties. The capped call transactions are expected generally to reduce the potential dilution to our common stock upon conversion of the 2028 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2028 Notes, as the case may be, with such reduction and/or offset subject to a cap. The Option Counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the 2028 Notes (and are likely to do so during the observation period related to a conversion of the 2028 Notes, in connection with any fundamental change repurchase of the 2028 Notes and, to the extent we unwind a corresponding portion of the capped call transactions, following any other repurchase of the 2028 Notes). This activity could also cause or avoid an increase or a decrease in the market price of our common stock or the 2028 Notes.

In connection with the pricing of the Notes, we entered into privately negotiated capped call transactions with certain of the initial purchasers and/or their respective affiliates and other financial institutions, or the Option Counterparties. The capped call transactions are expected generally to reduce the potential dilution upon conversion of the Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted Notes, as the case may be, with such reduction and/or offset subject to a cap. We have been advised that, in connection with establishing their initial hedges of the capped call transactions, the Option Counterparties purchased shares of our common stock and/or entered into various derivative transactions with respect to our common stock concurrently with or shortly after the pricing of the Notes. In addition, the Option Counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes (and are likely to do so following any conversion, repurchase or redemption of the Notes, to the extent we exercise the relevant election under the capped call transactions). This activity could also cause or avoid an increase or a decrease in the market price of our common stock.

Sales of a substantial number of shares of our common stock in the public market, particularly sales by our directors, executive officers and significant stockholders, or the perception that these sales could occur, could adversely affect the market price of our common stock and may make it more difficult for you to sell your common stock at a time and price that you deem appropriate. We may also issue our shares of common stock or securities convertible into shares of our common stock from time to time in connection with a financing, acquisition, investments or otherwise. Any such issuance could result in substantial dilution to our existing stockholders, cause the market price of our common stock to decline and dilute your voting power. For instance, prior to April 15, 2028, our 0.0% Convertible Senior Notes due 2028, or the 2028 Notes, are convertible at the option of the holders only under certain conditions or upon the occurrence of certain events. After April 15, 2028, holders may convert all or any portion of the 2028 Notes at their option at any time. If one or more holders elect to convert their 2028 Notes and we elect to settle all or any portion of such conversions in shares of our common stock, any sales in the public market of the common stock issuable upon such conversion could adversely affect prevailing market prices of our common stock. In addition, certain holders of the 2028 Notes may engage in short selling to hedge their position in the 2028 Notes. Any anticipated future issuances of shares of our common stock upon conversion of the 2028 Notes could also depress the price of our common stock.

Sales of a substantial number of shares of our common stock in the public market, particularly sales by our directors, executive officers and significant stockholders, or the perception that these sales could occur, could adversely affect the market price of our common stock and may make it more difficult for you to sell your common stock at a time and price that you deem appropriate. We may also issue our shares of common stock or securities convertible into shares of our common stock from time to time in connection with a financing, acquisition, investments or otherwise. Any such issuance could result in substantial dilution to our existing stockholders and cause the market price of our common stock to decline.

On July 3, 2025, we issued $1,725 million in aggregate principal amount of our 0.0% Convertible Senior Notes due 2028, which mature on July 15, 2028. Prior to April 15, 2028, the 2028 Notes are convertible at the option of the holders only under certain conditions or upon the occurrence of certain events. During the quarter ended July 31, 2025, the conditions allowing holders of the 2028 Notes to convert were not met. After April 15, 2028, holders may convert all or any portion of their 2028 Notes at their option at any time. If one or more holders elect to convert their 2028 Notes when eligible, unless we elect to deliver solely shares of our common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the 2028 Notes being converted. Additionally, holders of the 2028 Notes have the right to require us to repurchase the 2028 Notes upon the occurrence of a fundamental change (as defined in the indenture governing the 2028 Notes) at a repurchase price equal to 100% of the principal amount of such 2028 Notes to be repurchased, plus accrued and unpaid interest, if any, to, but excluding, the 53 53 53 Table of Contents Table of Contents fundamental change repurchase date for such 2028 Notes. If the 2028 Notes have not previously been converted or repurchased, we will be required to repay the 2028 Notes in cash at maturity. Our ability to make such payments or to refinance our indebtedness, including the 2028 Notes, depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Such payments will reduce the funds available to us for working capital, capital expenditures and other corporate purposes and may limit our ability to obtain additional financing for working capital, capital expenditures, expansion plans and other investments. We plan to evaluate, on an ongoing basis, market conditions, our liquidity profile and various financing alternatives (including the issuance of equity, equity-linked or debt securities) for opportunities to enhance our capital structure.

On June 25, 2020, we issued $1,150 million in aggregate principal amount of our 0.125% Convertible Senior Notes due 2025, or the Notes, which mature on July 1, 2025. We may be required to use a substantial portion of our cash flows from operations to pay interest, principal or other required payments on our indebtedness. For instance, holders of the Notes have the right to require us to repurchase their Notes upon the occurrence of a fundamental change (which is defined in the indenture governing the Notes) at a repurchase price equal to 100% of the principal amount of such Notes to be repurchased, plus accrued and unpaid interest, if any, to, but excluding, the fundamental change repurchase date for such Notes. Additionally, upon conversion of the Notes, unless we elect to deliver solely shares of our common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the 2025 Notes being converted. Our ability to make such payments or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Such payments will reduce the funds available to us for working capital, capital expenditures and other corporate purposes and may limit our ability to obtain additional financing for working capital, capital expenditures, expansion plans and other investments. Our business may not continue to generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional equity capital on terms that may be onerous or highly dilutive. If we are unable to engage in any of these activities or engage in these activities on desirable terms, it could result in a default on our debt obligations, which would adversely affect our financial condition. 51 51 51 Table of Contents Table of Contents