Datadog (DDOG) Risk Analysis

Our ability to increase our customer base and achieve broader market acceptance of our products and platform capabilities will depend to a significant extent on our ability to expand our sales and marketing organization. We plan to continue expanding our direct sales force, both domestically and internationally. We also plan to dedicate significant resources to sales and marketing programs. All of these efforts will require us to invest significant financial and other resources, including in channels in which we have limited or no experience to date. Our business and results of operations will be harmed if our sales and marketing efforts do not generate significant increases in revenue or increases in revenue that are smaller than anticipated. We may not achieve anticipated revenue growth from expanding our sales force if we are unable to hire, develop, integrate and retain talented and effective sales personnel, if our new and existing sales personnel, on the whole, are unable to achieve desired productivity levels in a reasonable period of time, or if our sales and marketing programs are not effective.

Our agreements with our customers and other third parties may include indemnification provisions under which we agree to indemnify or otherwise be liable to them for losses suffered or incurred as a result of claims of infringement, misappropriation or other violation of intellectual property rights, data protection, damages caused by us to property or persons, or other liabilities relating to or arising from our software, services, platform, our acts or omissions under such agreements or other contractual obligations. Some of these indemnity agreements provide for uncapped liability and some indemnity provisions survive termination or expiration of the applicable agreement. Large indemnity payments could harm our business, financial condition and results of operations. Although we attempt to contractually limit our liability with respect to such indemnity obligations, we are not always successful and may still incur substantial liability related to them, and we may be required to cease use of certain functions of our platform or products as a result of any such claims. Any dispute with a customer or other third party with respect to such obligations could have adverse effects on our relationship with such customer or other third party and other existing or prospective customers, reduce demand for our products and services and adversely affect our business, financial conditions and results of operations. In addition, although we carry general liability insurance, our insurance may not be adequate to indemnify us for all liability that may be imposed or otherwise protect us from liabilities or damages with respect to claims alleging compromises of customer data, and any such coverage may not continue to be available to us on acceptable terms or at all.

We use open source software in our products and we expect to continue to incorporate open source software in our services in the future. Few of the licenses applicable to open source software have been interpreted by courts, and there is a risk that these licenses could be construed in a manner that could impose unanticipated conditions or restrictions on our ability to commercialize our products. Moreover, we cannot ensure that we have not incorporated additional open source software in our software in a manner that is inconsistent with the terms of the applicable license or our current policies and procedures. If we fail to comply with these licenses, we may be subject to certain requirements, including requirements that we offer our solutions that incorporate the open source software for no cost, that we make available source code for modifications or derivative works we create based upon, incorporating or using the open source software and that we license such modifications or derivative works under the terms of applicable open source licenses. If an author or other third party that distributes such open source software were to allege that we had not complied with the conditions of one or more of these licenses, we could be required to incur significant legal expenses defending against such allegations and could be subject to significant damages, enjoined from the sale of our products that contained the open source software and required to comply with onerous conditions or restrictions on these products, which could disrupt the distribution and sale of these products. From time to time, there have been claims challenging the ownership rights in open source software against companies that incorporate it into their products and the licensors of such open source software provide no warranties or indemnities with respect to such claims. As a result, we and our customers could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our business, financial condition and results of operations, or require us to devote additional research and development resources to change our products. In addition, although we employ open source software license screening measures, if we were to combine our proprietary software products with open source software in a certain manner we could, under certain open source licenses, be required to release the source code of our proprietary software products. Some open source projects have known vulnerabilities and architectural instabilities and are provided on an "as-is" basis which, if not properly addressed, could negatively affect the performance of our product. If we inappropriately use or incorporate open source software subject to certain types of open source licenses that challenge the proprietary nature of our products, we may be required to re-engineer such products, discontinue the sale of such products or take other remedial actions.

We have legal, contractual and other applicable obligations regarding the protection and appropriate use of sensitive information that we and the third-parties with whom we work process. We are subject to a variety of federal, state, local and foreign laws, directives, regulations, and industry standards, relating to the collection, use, retention, security, disclosure, transfer and other processing of personal information. The regulatory framework for and users' expectations around privacy and security issues worldwide is rapidly evolving and as a result, implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future resulting in possible significant operational costs for compliance and risk to our business. In addition, new technologies we use in our products or in our business, like AI and machine learning, may also subject us to new or enhanced governmental or regulatory scrutiny, litigation, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results. Internationally, nearly every jurisdiction in which we operate has established its own data security and privacy legal framework with which we, the third-parties with whom we work, or our customers must comply. For example, the European Union's General Data Protection Regulation, or EU GDPR, and the United Kingdom's General Data Protection Regulation, or UK GDPR, contain numerous requirements and changes from previously existing law, including more robust obligations on data processors and heavier documentation requirements for data protection compliance programs by companies and data protection authorities. Under both the EU GDPR and UK GDPR, companies may face temporary or definitive bans on data processing and other corrective actions, significant monetary fines, and private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. In addition, Europe and other jurisdictions have enacted data localization laws and cross-border personal data transfer laws. For example, the European Economic Area (EEA) and the United Kingdom have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it generally believes are inadequate. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and United Kingdom to the United States in compliance with law, such as the EEA standard contractual clauses, the United Kingdom's International Data Transfer Agreement/Addendum, and the EU-U.S. Data Privacy Framework and the United Kingdom extension thereto (which allows for transfers for relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. Additionally, other countries outside of Europe have enacted or are considering enacting similar cross-border data transfer restrictions and laws requiring local data residency, and strict limitations to the processing of personal information, which could increase the cost and complexity of delivering our services and operating our business. For example, Brazil enacted the General Data Protection Law, New Zealand enacted the New Zealand Privacy Act, China enacted its Personal Information Protection Law, Canada introduced the Digital Charter Implementation Act and India enacted the Information Technology Act. If we are unable to implement a valid compliance mechanism for cross-border personal information transfers, we may face increased exposure to regulatory actions, substantial fines and injunctions against processing or transferring personal information from Europe or elsewhere. Inability to import personal information from other jurisdictions to the United States may significantly and negatively impact our business operations, including by lowering sales on our platform due to the difficulty of establishing a lawful mechanism for personal information transfers out of Europe or other jurisdictions, or requiring us to increase our data processing capabilities in Europe or elsewhere at significant expense. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. Additionally, European legislative proposals and present laws and regulations apply to cookies and similar tracking technologies, electronic communications, and marketing. In the EU and the United Kingdom, regulators are increasingly focusing on compliance with requirements related to the online behavioral advertising ecosystem and requirements around consent and have issued significant fines when consent was not obtained. It is anticipated that the ePrivacy Regulation will replace the current national laws that implement the ePrivacy Directive that governs electronic communications. Outside of Europe, other laws and regulations, including legislative proposals, individual behavior and industry practices are increasingly resistant to the use of personal information to deliver targeted advertising, making certain online advertising activities more difficult and subject to additional scrutiny. For example, the California Consumer Privacy Act, or CCPA, grants California residents the right to opt-out of a company's sharing of personal information for cross-context behavioral advertising purposes. Other comprehensive U.S. state privacy laws extend similar rights to residents. As a result of these developments, we may be required to change the way we market our products, which would impair our ability to reach new or existing customers. Complying with these and other applicable laws may cause us to incur substantial operational costs or require us to change our business practices. Despite our efforts to bring practices into compliance with all applicable laws, we may not be successful in our efforts to achieve compliance either due to internal or external factors such as resource allocation limitations or a lack of vendor cooperation. Non-compliance could result in proceedings against us by governmental entities, customers, data subjects or others. We may also experience difficulty retaining or obtaining new European or multi-national customers due to the legal requirements, compliance cost, potential risk exposure, and uncertainty for these entities, and we may experience significantly increased liability with respect to these customers pursuant to the terms set forth in our engagements with them. While we utilize a data center in the EEA to maintain certain customer data (which may include personal information)originating from the EEA, we may find it necessary to establish additional systems and processes to maintain such data in the EEA, which may involve substantial expense and distraction from other aspects of our business. Domestic laws in this area are also complex and developing rapidly, and we are, or may become, subject to numerous U.S. data privacy and security laws. In the United States, laws governing data privacy and security include those promulgated under the authority of the Federal Trade Commission Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the CCPA, HIPAA, and numerous other state and federal laws relating to privacy and data security. Many state legislatures have adopted legislation that regulates how businesses operate online, including measures relating to privacy, data security and data breaches. Laws in all 50 states require businesses to provide notice to customers whose personal information has been disclosed as a result of a data breach. The laws are not consistent, and compliance in the event of a widespread data breach is costly. States are also constantly amending existing laws, requiring attention to frequently changing legal requirements. The CCPA, which became effective on January 1, 2020, gives California residents (including consumers, employees, job applicants and business representatives) expanded rights to access and delete their personal information, opt out of the sale of personal information, and receive detailed information about how their personal information is used. The CCPA provides a private right of action and statutory damages for data breaches and may increase our compliance costs and potential liability with respect to other personal information we collect about California residents. In addition, the amendments to the CCPA made by the California Privacy Rights Act, or the CPRA, went into effect on January 1, 2023. The CPRA amends the CCPA to give California residents the ability to limit the use of their sensitive personal information, provide additional penalties for CPRA violations concerning California residents under the age of 16, and establish a new California Privacy Protection Agency to implement and enforce the law. These changes to the CCPA could impact our business activities depending on how they are interpreted. Many other states have enacted or proposed comprehensive privacy laws, which either have gone into effect or are expected to go into effect over the next several years. These laws exemplify the vulnerability of our business to the evolving regulatory environment related to the protection of personal information. Because the interpretation and application of many privacy and data protection laws and regulations, along with contractually imposed industry standards are uncertain, it is possible that they may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our products and platform capabilities. If so, in addition to the possibility of fines, lawsuits, mass arbitration demands, regulatory investigations and imprisonment of company officials, other claims and penalties, significant costs for remediation and damage to our reputation, we could be required to fundamentally change our business activities and practices or modify our products and platform capabilities, any of which could have an adverse effect on our business. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any inability to adequately address privacy and security concerns, even if unfounded, or comply with applicable privacy and data security laws, regulations, or contractual obligations, could result in additional cost and liability to us, damage our reputation, inhibit sales, and adversely affect our business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and contractual obligations that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our products. Privacy and data security concerns, whether valid or not valid, may inhibit market adoption of our products, particularly in certain industries and foreign countries. If we are not able to adjust to these changing laws, regulations, and contractual obligations, our business may be harmed. We publicly post our policies and other documentation regarding our practices concerning the collection, processing, use, transfer, and disclosure of data. Although we endeavor to comply with our published policies and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our policies and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Any failure by us, our third-party service providers or other parties with whom we do business to comply with our policies or other documentation could result in proceedings against us by governmental entities, private parties or others. We are or may also be subject to the terms of our external and internal privacy and security policies, codes, representations, certifications, industry standards, publications and frameworks and contractual obligations to third parties related to privacy, information security, including contractual obligations to indemnify and hold harmless third parties from the costs or consequences of non-compliance with data protection laws or other obligations.

We are expanding our international operations to better support our growth into international markets. Our corporate structure and associated transfer pricing policies contemplate future growth in international markets, and consider the functions, risks, and assets of the various entities involved in intercompany transactions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to our intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency.

Our future success depends in part on our ability to sell additional subscriptions and products to our existing customers, and our customers renewing their subscriptions when the contract term expires. The terms of our subscription agreements are primarily monthly or annual, with some quarterly, semiannual and multi-year. Our customers have no obligation to renew their subscriptions for our products after the expiration of their subscription period. In order for us to maintain or improve our results of operations, it is important that our customers renew or expand their subscriptions with us. Whether our customers renew or expand their subscriptions with us may be impacted by a number of factors, including business strength or weakness of our customers, customer usage, customer satisfaction with our products and platform capabilities and customer support, our prices, the capabilities and prices of competing products, mergers and acquisitions affecting our customer base, consolidation of affiliates' multiple paid business accounts into a single paid business account, or reductions in our customers' spending on IT solutions or their spending levels generally. These factors may be exacerbated by unfavorable conditions in the economy, see "Risks Associated with our Growth-Unfavorable conditions in our industry or the global economy, or reductions in information technology spending, could limit our ability to grow our business and negatively affect our results of operations" above. These factors may also be exacerbated if, consistent with our growth strategy, our customer base continues to grow to encompass larger enterprises, which may also require more sophisticated and costly sales efforts. Certain customers and cohorts of customers in specific industries have or in the future may increase usage of our product and then seek to optimize their usage, renew their subscriptions on terms less favorable to us, or not renew their subscriptions, which may result in revenue volatility. For example, in prior periods customers in our cloud-native cohort, and more recently larger customers in our AI-native cohort, which cohort includes our largest customer and represented approximately ten percentage points of our year-over-year revenue growth for the quarter ended June 30, 2025, have rapidly increased their usage of our product and then optimized or may in the future optimize their usage or fail to renew their subscriptions. If our customers do not purchase additional subscriptions and products from us, reduce their usage, fail to renew their subscriptions or renew on different terms, our revenue and dollar-based net retention may decline and our business, financial condition and results of operations may be harmed.

To increase our revenue, we must continue to attract new customers. Our success will depend to a substantial extent on the widespread adoption of our platform and products as an alternative to existing solutions. Many enterprises have invested substantial personnel and financial resources to integrate traditional on-premise architectures into their businesses and, therefore, may be reluctant or unwilling to migrate to cloud computing. Further, the adoption of SaaS business software may be slower in industries with heightened data security interests or business practices requiring highly-customizable application software. In addition, as our market matures, our products evolve, and competitors introduce lower cost or differentiated products that are perceived to compete with our platform and products, our ability to sell subscriptions for our products could be impaired. Similarly, our subscription sales could be adversely affected if customers or users within these organizations perceive that features incorporated into competitive products reduce the need for our products or if they prefer to purchase other products that are bundled with solutions offered by other companies that operate in adjacent markets and compete with our products. As a result of these and other factors, we may be unable to attract new customers, which may have an adverse effect on our business, financial condition and results of operations.