Our customers' collection, storage, use and other processing of data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platform. We have implemented various features intended to enable our customers to better comply with applicable privacy, data protection and information security requirements in their collection, use and other processing of data within our online service, but these features do not ensure their compliance and may not be effective against all potential concerns relating to privacy, data protection or information security.
Many jurisdictions have enacted or are considering enacting or revising privacy, data protection or information security legislation, including laws, rules and regulations applying to the collection, use, storage, transfer, disclosure or other processing of personal data, including for purposes of marketing and other communications. The costs of compliance with, and other burdens imposed by, such laws, rules and regulations that are applicable to the operations of our business, or those of our customers, may limit the use and adoption of our service and reduce overall demand for it. These privacy, data protection and information security related laws, rules and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. In addition, we are subject to certain contractual obligations regarding the collection, use, storage, transfer, disclosure or other processing of personal data. Although we are working to comply with applicable federal, state, and foreign laws, rules and regulations, industry standards, contractual obligations and other legal obligations that apply to us, those laws, rules, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another, other requirements or legal obligations, our practices or the features of our platform. We also expect that there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection and information security in the United States, the European Union and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards may have on our business.
California has enacted the CCPA, which took effect on January 1, 2020 and established a new privacy framework for covered businesses such as ours, which may require us to modify our data processing practices and policies and incur compliance-related costs and expenses. The CCPA broadly defines personal information and gives California residents expanded privacy rights and protections, such as affording them the right to access and request deletion of their information and to opt out of certain sharing and sales of personal information. The law also prohibits covered businesses from discriminating against California residents (for example, charging more for services) for exercising any of their CCPA rights. The CCPA provides for severe civil penalties and statutory damages for violations and a private right of action for certain data breaches that result in the loss of personal information. This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. In November 2020, California voters passed the California Privacy Rights Act of 2020, or CPRA. Effective in most material respects as of January 1, 2023, the CPRA imposes additional obligations on companies covered by the legislation and significantly modifies the CCPA, including by expanding the CCPA with additional data privacy compliance requirements that may impact our business. The CPRA also establishes a regulatory agency dedicated to enforcing the CCPA and the CPRA. 
The effects of the CPRA, the CCPA, other similar state or federal laws, and other future changes in laws or regulations relating to privacy, data protection and information security, particularly any new or modified laws or regulations that require enhanced protection of certain types of data or new obligations with regard to data retention, transfer or disclosure, are significant, may require us to modify our data processing practices and policies, and could greatly increase the cost of providing our offerings, require significant changes to our operations or even prevent us from providing certain offerings in jurisdictions in which we currently operate and in which we may operate in the future or incur potential liability in an effort to comply with such legislation.
Other state legislatures are currently contemplating, and may pass, their own comprehensive data privacy and security laws, with potentially greater penalties and more rigorous compliance requirements relevant to our business, and many state legislatures have already adopted legislation that regulates how businesses operate online, including measures relating to privacy, data security, data breaches and the protection of sensitive and personal information. For example, in March 2021, Virginia enacted the Virginia Consumer Data Protection Act, or CDPA, which took effect on January 1, 2023; in June 2021, Colorado enacted the Colorado Privacy Act, or CPA, which becomes effective on July 1, 2023; in March 2022, Utah enacted the Utah Consumer Privacy Act, or UCPA, which becomes effective on December 31, 2023; in May 2022, Connecticut enacted the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, or CPOMA, which takes effect on December 31, 2023; and in March 2023, Iowa enacted an Act Relating to Consumer Data Protection, or ICDPA, which takes effect on January 1, 2025. The CDPA, CPA, UCPA, CPOMA, and ICDPA are comprehensive privacy statutes that share similarities with the CCPA, the CPRA, and legislation proposed in other states. The U.S. federal government also is contemplating federal privacy legislation. Laws in all 50 states require businesses to provide notice under certain circumstances to customers whose personal information has been disclosed as a result of a data breach. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual obligations and other obligations may require us to incur additional costs and restrict our business operations. 
Such laws and regulations may require companies to implement privacy and security policies, permit users to access, correct and delete personal data stored or maintained by such companies, inform individuals of security breaches that affect their personal data, and, in some cases, obtain individuals' consent to use personal data for certain purposes. If we, or the third parties on which we rely, fail to comply with federal, state or international laws or regulations relating to privacy, data protection or information security, our ability to successfully operate our business and pursue our business goals could be harmed. In addition to government activity, privacy advocacy groups and technology and other industries are considering various new, additional or different self-regulatory standards that may place additional burdens on us. Future laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations may require us to modify our data processing practices and policies, and could impair our or our customers' ability to collect, use or disclose information relating to consumers, which could decrease demand for our applications, increase our costs and impair our ability to maintain and grow our customer base and increase our revenue.
Internationally, many jurisdictions have established their own legal frameworks governing privacy, data protection, and information security with which we may need to comply. For example, the European Union has adopted the GDPR, which went into effect in May 2018 and contains numerous requirements and changes from previous EU law, including more robust obligations on data processors and heavier documentation requirements for data protection compliance programs. The GDPR requires data controllers to implement more stringent operational requirements for processors and controllers of personal data, including, for example, transparent and expanded disclosure to data subjects about how their personal data is to be used, imposes limitations on retention of information, introduces mandatory data breach notification requirements, and sets higher standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities. The GDPR also imposes strict rules on the transfer of personal data to countries outside the European Economic Area, or the EEA, including the United States. In 2016, the EU and United States agreed to a transfer framework for data transferred from the EEA to the United States, called the EU-U.S. Privacy Shield, but the EU-U.S. Privacy Shield was invalidated in July 2020 by the Court of Justice of the EU, or CJEU. On September 8, 2020, the Swiss Federal Data Protection and Information Commissioner invalidated the Swiss-U.S. Privacy Shield on similar grounds. The standard contractual clauses issued by the European Commission for the transfer of personal data, or the SCCs, a potential alternative to the EU-U.S. Privacy Shield, also have been drawn into question for use under certain circumstances, and regulators have issued additional guidance regarding considerations and requirements that we and other companies must consider and undertake when using the SCCs. In its decision invalidating the EU-U.S. Privacy Shield, the CJEU imposed additional obligations on companies when relying on the SCCs to transfer personal data. The CJEU decision may result in European data protection regulators applying differing standards for, and requiring ad hoc verification of, transfers of personal data from the EEA and Switzerland to the U.S. On June 4, 2021, the European Commission published new SCCs that are required to be implemented, and it remains to be seen whether additional means for lawful data transfers will become available. The revised SCCs, recommendations and opinions of regulators, and other developments relating to cross-border data transfer, may require us to implement additional contractual and technical safeguards for any personal data transferred out of the EEA and Switzerland, which may increase compliance and related costs, lead to increased regulatory scrutiny or liability, necessitate additional contractual negotiations, and adversely impact our business, financial condition, and results of operations. Fines for noncompliance with the GDPR are significant and can be up to the greater of €20.0 million or 4% of annual global turnover. The GDPR also provides that EU member states may introduce further conditions, including limitations, and make their own laws and regulations further limiting the processing of 'special categories of personal data,' including personal data related to health, biometric data used for unique identification purposes and genetic information, which could limit our ability to collect, use and share EU data, and could cause our compliance costs to increase, ultimately having an adverse impact on our business, financial condition, and results of operations.
Further, the United Kingdom's exit from the European Union and ongoing developments in the United Kingdom have created uncertainty with regard to data protection regulation in the United Kingdom. Data processing in the United Kingdom is governed by a United Kingdom version of the GDPR (combining the GDPR and the United Kingdom's Data Protection Act 2018), which authorizes significant fines, up to the greater of £17.5 million or 4% of global turnover, and exposes us to two parallel regimes and other potentially divergent enforcement actions for certain violations. On June 28, 2021, the European Commission announced a decision that the United Kingdom is an "adequate country" to which personal data could be exported from the EEA, but this decision must be renewed and may face challenges in the future, creating uncertainty regarding transfers of personal data to the United Kingdom from the EEA. Furthermore, there exists the potential over time for divergence in application, interpretation and enforcement of the data protection law as between the United Kingdom and EEA. On February 2, 2022, the United Kingdom's Information Commissioner's Office issued new standard contractual clauses, or the UK SCCs, to support personal data transfers out of the United Kingdom. The UK SCCs became effective March 21, 2022, and like the EU SCCs, also are required to be implemented. We may, in addition to other impacts, experience additional costs associated with increased compliance burdens and be required to engage in new contract negotiations with third parties that aid in processing personal data on our behalf or localize certain personal data of United Kingdom data subjects. Other countries have also passed or are considering passing laws requiring local data residency or restricting the international transfer of data. 
Additionally, many jurisdictions outside the United States, EEA, and United Kingdom in which we have operations or for which such jurisdictions' laws or regulations may apply to us or our operations, including Canada, Australia, New Zealand, and Singapore, maintain laws and regulations relating to privacy, data protection, and information security that provide for extensive obligations in connection with the use, collection, protection, and processing of personal data. Many of these legal regimes provide for substantial fines, penalties, or other consequences for noncompliance. We may be required to implement new measures or policies, or change our existing policies and measures or the features of our platform, in an effort to comply with U.S. and international laws, rules, and regulations relating to privacy, data protection and information security, which may require us to expend substantial financial and other resources and which may otherwise be difficult to undertake.
Any failure or perceived failure by us to comply with federal, state or foreign laws, rules or regulations, industry standards, contractual or other legal obligations relating to privacy, data protection or information security, or any actual, perceived or suspected security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personal data or other data, may result in enforcement actions and prosecutions, private litigation, significant fines, penalties and censure, claims for damages by customers and other affected individuals, regulatory inquiries and investigations or adverse publicity and could cause our customers to lose trust in us, any of which could have an adverse effect on our reputation and business. Since many of our offerings involve the processing of personal data from our customers and their employees, contractors, customers, partners and others, any inability to adequately address privacy, data protection or information security concerns, even if unfounded, or comply with applicable laws, rules, regulations, policies, industry standards, contractual or other legal obligations could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business, financial condition, and results of operations.
Around the world, there are numerous lawsuits in process against various technology companies that process personal data. If those lawsuits are successful, it could increase the likelihood that our company may be exposed to liability for our own policies and practices concerning the processing of personal data and could hurt our business. Furthermore, the costs of compliance with, and other burdens imposed by, laws, regulations and policies concerning privacy, data protection and information security that are applicable to the businesses of our customers may limit the use and adoption of our platform and reduce overall demand for it. Concerns relating to privacy, data protection or information security, whether or not valid, may inhibit market adoption of our platform. Additionally, concerns about privacy, data protection or information security may result in the adoption of new legislation that restricts the implementation of technologies like ours or requires us to make modifications to our platform, which could significantly limit the adoption and deployment of our technologies or result in significant expense to modify our platform.
We publicly post our privacy policies and practices concerning our collection, use, disclosure and other processing of the personal data provided to us by our website visitors and by our customers. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy, data protection and information security can subject us to potential regulatory action if they are found to be deceptive, unfair or misrepresentative of our actual practices.
Evolving and changing definitions of what constitutes "personal information" and "personal data" within the EEA, the United States and elsewhere, especially relating to classification of IP addresses, machine or device identification numbers, location data and other information, may limit or inhibit our ability to operate or expand our business, including limiting technology alliance partners that may involve the sharing of data. In addition, rapidly evolving privacy laws and frameworks distinguish between a data processor and data controller (or under the CCPA, whether a business is a 'service provider'), and different risks and requirements may apply to us, depending on the nature of our data processing activities. If our business model expands and changes over time, different sets of risks and requirements may apply to us, requiring us to re-orient the business accordingly.
If our platform is perceived to cause, or is otherwise unfavorably associated with, violations of privacy, data protection or information security requirements, it may subject us or our customers to public criticism and potential legal liability. Existing and potential laws, rules and regulations concerning privacy, data protection and information security and increasing sensitivity of consumers to unauthorized processing of personal data may create negative public reactions to technologies, products and services such as ours. Public concerns regarding personal data processing, privacy, data protection and information security may cause some of our customers' end users to be less likely to visit their websites or otherwise interact with them. If enough end users choose not to visit our customers' websites or otherwise interact with them, our customers could stop using our platform. This, in turn, may reduce the value of our service, and slow or eliminate the growth of our business, or cause our business to contract.