In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share confidential, proprietary, and sensitive information, including personal information, customer and user content, business data, trade secrets, intellectual property, third-party data, business plans, transactions, and financial information. Our data processing activities subject us to numerous privacy, data protection, and information security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, and contractual requirements.
Laws in the United States
In the United States, federal, state, and local governments have enacted numerous privacy, data protection, and information security laws, including data breach notification laws, personal information privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). Numerous U.S. states have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018 ("CCPA") applies to personal information of consumers, business representatives, and employees, and requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights. The CCPA provides for fines and allows private litigants affected by certain data breaches to recover significant statutory damages. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. These developments may further complicate compliance efforts and increase legal risk and compliance costs for us and the third parties upon whom we rely.
Under various laws and other obligations related to privacy, data protection, and information security, we are required to obtain certain consents to process personal information. For example, some of our data processing practices may be challenged under wiretapping laws when we obtain consumer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. These practices are subject to increased challenges by class action plaintiffs. Several states and foreign jurisdictions have enacted statutes imposing obligations on businesses collecting or processing biometric information. For example, Illinois' Biometric Information Privacy Act ("BIPA") regulates the collection, use, safeguarding, and storage of biometric information and provides for substantial penalties and statutory damages. The Federal Trade Commission ("FTC") has indicated that use of biometric technologies (including facial recognition technologies) may be subject to additional scrutiny. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation, mass arbitration demands, and regulatory attention. Additionally, the U.S. Department of Justice issued a rule entitled Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, which places additional restrictions on certain data transactions involving countries of concern (e.g., China, Russia, Iran) and covered persons (i.e., individuals and entities located in, or controlled by individuals or entities located in, those jurisdictions) that may impact certain business activities such as vendor engagements, sale or sharing of data, employment of certain individuals, and investor agreements. Violations of the rule could lead to significant civil and criminal fines and penalties.
Laws Outside of the United States
Outside the United States, an increasing number of laws, regulations, and industry standards related to privacy, data protection, and information security may govern. For example, the European Union's General Data Protection Regulation ("EU GDPR"), the United Kingdom's GDPR ("UK GDPR"), Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or "LGPD") (Law No. 13,709/2018), and China's Personal Information Protection Law ("PIPL") impose strict requirements for processing personal information. For example, under the EU GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR and 17.5 million pounds sterling under the UK GDPR, or 4% of annual global revenue, in each case, whichever is greater; or private litigation related to processing of personal information brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. China's PIPL imposes a set of specific obligations on covered businesses in connection with their processing and transfer of personal information and imposes fines of up to RMB 50 million or 5% of the prior year's total annual revenue of the violator. The Swiss Federal Act on Data Protection ("FADP") also applies to the collection and processing of personal information, including health-related information, by companies located in Switzerland, or in certain circumstances, by companies located outside of Switzerland.
We also market to customers in Asia and have operations in Japan, Singapore and India, and may be subject to new and emerging privacy, data protection, and information security regimes in the region, including Japan's Act on the Protection of Personal Information, Singapore's Personal Data Protection Act, and India's new privacy legislation, the Digital Personal Data Protection Act.
In addition, we may be unable to transfer personal information from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal information to other countries. In particular, the European Economic Area ("EEA") and the United Kingdom ("UK") have significantly restricted the transfer of personal information to the United States and other countries whose privacy laws they generally believe are inadequate. Other jurisdictions have in the past and may continue to adopt similarly stringent data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal information from the EEA and UK to the United States in compliance with law, such as the EEA's standard contractual clauses, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allow for transfers to relevant U.S.-based organizations that self-certify compliance and participate in the Framework), these mechanisms can be subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal information to the United States.
If there is no lawful manner for us to transfer personal information from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal information necessary to operate our business. Additionally, companies that transfer personal information out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers of personal information out of Europe for allegedly violating the EU GDPR's cross-border data transfer limitations. For example, in May 2023, the Irish Data Protection Commission determined that a major social media company's use of the standard contractual clauses to transfer personal information from Europe to the United States was insufficient and levied a 1.2 billion Euro fine against the company and prohibited the company from transferring personal information to the United States. The United States is also increasingly scrutinizing certain data transfers and may also impose certain data localization requirements.
We may also become subject to new laws that regulate non-personal information. For example, the European Union's Data Act imposes certain data and cloud service interoperability and switching obligations to enable users to switch between cloud service providers without undue delay or cost, as well as certain requirements concerning cross-border international transfers of, and governmental access to, non-personal information outside the EEA. Depending on how this Act and any similar laws are implemented and interpreted, we may have to adapt our business practices, contractual arrangements, and products and services to comply with such obligations.
Artificial Intelligence
Our development and use of AI technologies is subject to privacy, data protection, IP, and information security laws, industry standards, external and internal privacy and security policies, and contractual requirements, as well as increasing regulation and scrutiny. Several jurisdictions around the globe, including the EU, the UK and certain U.S. states, have proposed, enacted, or are considering laws governing the development and use of technology featuring AI. For example, the EU's AI Act takes effect in phases this year and will have direct effect across all EU jurisdictions. The EU AI Act sets out a risk-based framework, subjecting certain AI technologies to numerous compliance obligations, including transparency, conformity and risk assessment, monitoring and human oversight requirements. Under the EU AI Act, non-compliant companies may be subject to administrative fines of up to 35 million Euros or 7% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher. Obligations on AI may make it harder for us to conduct our business using, or build products incorporating, AI, require us to change our business practices, require us to retrain our algorithms, require us to disclose or provide greater transparency regarding the nature of our AI tools and the data we have employed to train them, or prevent or limit our use of AI. For example, the FTC has required other companies to turn over (or disgorge) valuable insights or models generated through the use of AI where it alleged the company had violated privacy and consumer protection laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal information) and regulate automated decision-making, which may be incompatible with our use of AI.
If we do not develop or incorporate AI in a manner consistent with these factors, and consistent with customer expectations, this has in the past resulted, and may in the future result, in an adverse impact to our reputation, our business may be less efficient, or we may be at a competitive disadvantage. Similarly, if customers and users do not widely adopt our new AI product experiences, features, and capabilities, or they do not perform as expected, we may not be able to realize a return on our investment.
Laws Relating to Minors
Additionally, regulators are increasingly scrutinizing companies that process minors' data and/or provide online services or other interactive platforms used by minors. Numerous laws, regulations, and legally-binding codes, such as the Children's Online Privacy Protection Act ("COPPA"), California's Age Appropriate Design Code, the CCPA, other U.S. state comprehensive privacy laws, the EU and UK GDPR, the EU's Digital Services Act ("DSA"), the UK's Online Safety Act ("OSA") and the UK Age Appropriate Design Code, impose various obligations on companies that process minors' data and/or provide online services, or other interactive platforms used by children, including prohibiting showing minors advertising, requiring age verification, limiting the use of minors' personal information, requiring certain consents to process such data and extending certain rights to children and their parents with respect to that data. These laws may be, and in some cases already have been, subject to legal challenges and changing interpretations, which may further complicate our efforts to comply with laws applicable to us. Some of these obligations have wide-ranging applications, including for services that do not intentionally target child users (defined in some circumstances as a user under 18 years of age). In particular, COPPA is a U.S. federal law that applies to operators of commercial websites and online services directed to U.S. children under the age of 13 that collect personal information from children, and to operators of general audience websites with actual knowledge that they are collecting personal information from U.S. children under the age of 13. We provide video communications and collaboration services to schools, school districts, and school systems to support traditional, virtual, and hybrid classrooms, distance learning, educational office hours, guest lectures, and other services.
As part of these services, Zoom may be used by students, including students under the age of 13, and we collect personal information from such students on behalf of our school subscribers. School subscribers must contractually consent to Zoom's information practices on behalf of students, prior to students using the services. If we fail to accurately anticipate the application, interpretation, or legislative expansion of these laws, regulations, and legally-binding codes, we could be subject to governmental enforcement actions, data processing restrictions, litigation, fines and penalties, adverse publicity or loss of customers. Moreover, as a result of any such failures, we could be in breach of our K-12 school customer contracts, and our customers could lose trust in us, which could harm our reputation and business.
Consumer Preferences and Protection
Individuals are increasingly resistant to the collection, use, and sharing of personal information to deliver targeted advertising. Third-party platforms have introduced (or plan to introduce) measures to provide users with more privacy controls over targeted advertising activities, and regulators (including in the EEA/UK) are heavily scrutinizing the use of technologies used to deliver such advertisements. Major technology platforms on which we rely to gather information about consumers have adopted or proposed measures to provide consumers with additional control over the collection, use, and sharing of their personal information for targeted advertising or other purposes. For example, in 2021, Apple began allowing users to more easily opt-out of activity tracking across devices. In February 2022, Google announced similar plans to adopt additional privacy controls on its Android devices to allow users to limit sharing of their data with third parties and reduce cross-device tracking for advertising purposes. Additionally, Google has announced that it intends to phase out third-party cookies in its Chrome browser, which could make it more difficult for us to target advertisements. Other browsers, such as Firefox and Safari, have already adopted similar measures. In addition, legislative proposals and present laws and regulations regulate the use of cookies and other tracking technologies, electronic communications, and marketing. For example, in the EEA and the UK, regulators are increasingly focusing on compliance with requirements related to the targeted advertising ecosystem. European regulators have issued significant fines in certain circumstances where the regulators alleged that appropriate consent was not obtained in connection with targeted advertising activities. 
In the EU, it is anticipated that the ePrivacy Regulation and national implementing laws will replace the current national laws implementing the ePrivacy Directive, which may require us to make significant operational changes. In the United States, the CCPA, for example, grants California residents the right to opt-out of a company's sharing of personal information for advertising purposes in exchange for money or other valuable consideration, and requires covered businesses to honor user-enabled browser signals from the Global Privacy Control. Partially as a result of these developments, individuals are becoming increasingly resistant to the collection, use, and sharing of personal information to deliver targeted advertising or other types of tracking. Individuals are now more aware of options related to consent, "do not track" mechanisms (such as browser signals from the Global Privacy Control), and "ad-blocking" software to prevent the collection of their personal information for targeted advertising purposes. As a result, we may be required to change the way we market our products, and any of these developments or changes could materially impair our ability to reach new or existing customers or otherwise negatively affect our operations.
We are also subject to consumer protection laws that may affect our sales and marketing efforts, including laws related to subscriptions, billing, and auto-renewal. These laws, as well as any changes in these laws, could adversely affect our self-serve model and make it more difficult for us to retain and upgrade customers and attract new customers. For example, in September 2024, the FCC adopted new rules, scheduled to take effect in 2027, that require video conferencing services to include features that expand accessibility for consumers of our products and services. Additionally, we have in the past been, are currently, and may from time to time in the future become the subject of inquiries and other actions by regulatory authorities as a result of our business practices, including our subscription, billing, and auto-renewal policies. Consumer protection laws may be interpreted or applied by regulatory authorities in a manner that could require us to make changes to our operations or incur fines, penalties, or settlement expenses, which may result in harm to our business.
Industry Standards
In addition to privacy, data protection and information security laws, we are contractually subject to certain industry standards adopted by industry groups and may become subject to additional such obligations in the future. We also have certain privacy, data protection, and information security obligations arising from the practices in our industry or of companies similar to us. We are also bound by other contractual obligations related to privacy, data protection, and information security, and our efforts to comply with such obligations may not be successful. If we fall below such industry standards or cannot comply with such contractual obligations, our reputation and business may be harmed. We also publish privacy policies, marketing materials, whitepapers and other statements, such as compliance with certain certifications or self-regulatory principles, regarding privacy, data protection, artificial intelligence and information security. Regulators in the United States have scrutinized and are increasingly scrutinizing these statements, and if these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, misleading or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences.
Government Inquiries and Investigations
We have in the past and may in the future receive inquiries or be subject to investigations by domestic and international government entities regarding, among other things, our privacy, data protection, and information security practices. The result of these proceedings could impact our brand reputation, subject us to monetary remedies and costs, interrupt or require us to change our business practices, divert resources and the attention of management from our business, or subject us to other remedies that adversely affect our business. We also face litigation regarding our privacy and security practices, including alleged data sharing with third parties, in various jurisdictions. See Part I, Item 3 "Legal Proceedings" for additional information.
In June 2020, we received a grand jury subpoena from the Department of Justice's U.S. Attorney's Office for the EDNY, which requested information regarding our interactions with foreign governments and foreign political parties, including the Chinese government, as well as information regarding storage of and access to user data, the development and implementation of Zoom's privacy policies, and the actions we took responding to law enforcement requests from the Chinese government. In July 2020, we received subpoenas from the Department of Justice's U.S. Attorney's Office for the NDCA and the SEC. Both subpoenas seek documents and information relating to various security, data protection, and privacy matters, including our encryption, and our statements relating thereto, as well as calculation of usage metrics and related public statements. In addition, the NDCA subpoena seeks information relating to any contacts between our employees and representatives of the Chinese government, and any attempted or successful influence by any foreign government in our policies, procedures, practices, and actions as they relate to users in the United States. We have since received additional subpoenas from EDNY and NDCA seeking related information. We are fully cooperating with all of these investigations and have conducted our own thorough internal investigation. These investigations are ongoing, and a negative outcome in any or all of these matters could cause us to incur substantial fines, penalties, or other financial exposure, as well as material reputational harm, a loss of customer and user confidence and business, additional expenses, and other harm to our business. As of the date hereof, in regard to the SEC matter, a tentative settlement of $18.0 million is now outstanding and remains subject to SEC approval. 
We do not know when these matters will be completed, including the SEC matter, which facts we will ultimately discover as a result of the investigations, or what actions the government may or may not take.
We were also the subject of an investigation by the FTC relating to our privacy and security representations and practices. We have reached a settlement agreement with the FTC, which the FTC voted to make final on January 19, 2021. We could fail or be perceived to fail to comply with the terms of the settlement with the FTC or any other orders or settlements relating to litigation or governmental investigations with respect to our privacy and security practices. Any failure or perceived failure to comply with such orders or settlements may increase the possibility of additional adverse consequences, including litigation, additional regulatory actions, injunctions, or monetary penalties, or require further changes to our business practices, significant management time, or the diversion of significant operational resources. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, policies, and other obligations that are applicable to the businesses of our users may limit the adoption and use of, and reduce the overall demand for, our platform and services, which could have an adverse impact on our business.
Consents
Additionally, we rely on the administrators of our customers in the healthcare and education industries to obtain the necessary consents from users of our products and services and to ensure their account settings are configured correctly for their compliance under applicable laws and regulations, including HIPAA. Furthermore, if third parties we work with, such as vendors or developers, make misrepresentations, violate applicable laws and regulations, or our policies, such misrepresentations and violations may also put our users' content at risk and could in turn have an adverse effect on our business. Any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, or disclosure of our users' content, or regarding the manner in which the express or implied consent of users for the collection, use, retention, or disclosure of such content is obtained, could increase our costs and require us to modify our services and features, possibly in a material manner, which we may be unable to complete and may limit our ability to store and process user data or provide or develop new services and features.
Public Perception
Increased usage of our services and additional awareness of Zoom and our brand has led to greater public scrutiny of, press related to, or a negative perception of our collection, use, storage, disclosure, and processing of personal information, and our privacy policies and practices. For example, users and customers, particularly those that are new to Zoom, may not have significant IT or security knowledge, or may not have their own IT controls like those of a larger organization, to configure our service in a manner that provides them with control over user settings. This has resulted in reports of users and customers experiencing meeting disruptions by malicious actors. Additional unfavorable publicity and scrutiny has led to increased governmental and regulatory scrutiny and litigation exposure, and could result in material reputational harm, a loss of customer and user confidence, additional expenses and other harm to our business.
Failure to Comply with our Obligations
Obligations related to privacy, data protection, information security, the use of AI, the provision of online services and other interactive platforms (and consumers' expectations regarding them) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources and has and may continue to necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal information on our behalf.
We may at times fail (or be perceived to have failed) in our efforts to comply with our obligations relating to privacy, data protection, information security, the use of AI and the provision of online services and other interactive platforms. Moreover, despite our efforts, our personnel or third parties with whom we work may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with applicable privacy, data protection, and information security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans or restrictions on processing personal information; and orders to destroy or not use personal information. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers; inability to process personal information or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.