The rapidly evolving framework of privacy, data protection, data transfers, or other laws or
regulations worldwide may limit the use and adoption of our services and adversely affect our business.
We are subject to a variety of federal,
state, local, and international laws, directives, and regulations, as well as contractual obligations, relating to the collection, use, retention, security, disclosure, transfer, and other processing of personal information and other data. The
regulatory framework for privacy, data protection, and data transfers worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. For example, the European Court of Justice in July 2020 struck down the EU-U.S. Privacy Shield framework, which provided companies with a mechanism to comply with data protection requirements when transferring personal data from the EU to the United States. In some cases, data privacy
laws and regulations, such as the EUs General Data Protection Regulation (GDPR), which took effect in May 2018, impose obligations on us and on many of our customers, including with respect to cross-border data transfers.
Further, the Data Security Law of China (DSL), which took effect on September 1, 2021 and the Personal Information Protection Law of China
(PIPL), which took effect on November 1, 2021, implement comprehensive regulation of data and personal data processing activities across all industries and operations such as collecting, utilizing, processing, sharing and
transferring data and personal information in and out of China. The DSL and PIPL apply not only to the processing of data within China, but also seeks to regulate cross-border data transfers as well as certain activities outside of China that relate
to data originating from China. Limitations imposed by the DSL and PIPL and uncertainty regarding their application in practice may impact us, our data suppliers, and the volume and quality of data that we are able to provide to our customers. Any
disruption in our ability to access or transmit data as a result of the DSL and the PIPL could reduce the quality or volume of data we are able to provide to our customers, impair our ability to execute on our operating plan and disrupt our
business.
In addition, domestic data privacy laws, such as the California Consumer Privacy Act (the CCPA), which took effect in January 2020,
and the recently passed California Privacy Rights Act (the CPRA), and the Virginia Consumer Data Protection Act (the CDPA), each of which take effect January 1, 2023, and the Colorado Privacy Act (the CPA),
which takes effect July 1, 2023, continue to evolve and could expose us to further regulatory or operational burdens. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar
requirements, which could increase the cost and complexity of delivering our platform. Complying with the GDPR, DSL, PIPL, CCPA, CPRA, CDPA, CPA, or other laws, regulations, amendments to or re-interpretations
of existing laws and regulations, and contractual or other actual or alleged obligations relating to privacy, data protection, data transfers, data localization, or information security may require us to make changes to our services to enable us,
our data suppliers or our customers to meet new legal requirements, incur substantial operational costs, modify our data practices and policies, engage in additional contractual negotiations, and restrict our business operations. Any actual or
perceived failure by us to comply with these laws, regulations, or other obligations may lead to significant fines, penalties, regulatory investigations, lawsuits, significant costs for remediation, damage to our reputation, or other liabilities.
In addition to government activity, privacy advocacy and other industry groups have established or may establish new self-regulatory standards that may
place additional burdens on our ability to provide our services globally, and which we may comply with or face asserted or actual obligations to comply with. Our customers also may require or expect us to meet certain voluntary certification and
other standards established by third parties. If we are unable to maintain these certifications or meet these standards, we could adversely affect our ability to provide our services to certain customers and could harm our business. Furthermore, the
uncertain and shifting regulatory environment may cause concerns regarding data privacy and may cause our customers or our customers customers to resist providing the data necessary to allow our customers to use our services effectively. Even
the perception that the privacy of personal information is not satisfactorily protected or does not meet regulatory requirements could inhibit sales of our services and limit adoption of our platform. Additionally, some statutory requirements, both
in the United States and abroad, include obligations for companies to notify individuals of security breaches involving particular personal information, which could result from breaches experienced by us or our service providers. Any actual or
perceived security breach or incident that we or our service providers suffer could harm our reputation and brand, expose us to potential claims, liability, and proceedings, or require us to expend significant resources on data security and in
responding to any such actual or perceived breach or incident.
These laws, regulations, standards, or other obligations relating to privacy, data
protection, data transfers, data localization, or information security could require us to take on more onerous obligations in our contracts, restrict our ability to store, transfer, and process data or, in some cases, impact our ability to offer
our services in certain locations, to deploy our solutions, to reach current and prospective customers, or to derive insights from data globally. If we are obligated to fundamentally change our business activities and practices or modify our
platform, we may be unable to make such changes and modifications in a commercially reasonable manner, or at all, and our ability to develop new platform features could be limited. The costs of compliance with, and other burdens imposed by, these
laws, regulations, standards, and obligations, or any inability to adequately address privacy, data protection, or information security-related concerns, even if unfounded, may limit the use and adoption of our services, reduce overall demand for
our services, make it more difficult to meet expectations from or commitments to customers, impact our reputation, or slow the pace at which we close sales transactions, any of which could harm our business, financial condition, and results of
operations.
We rely on Amazon Web Services to deliver our platform to our customers, and any disruption of, or interference with, our use of Amazon
Web Services could adversely affect our business, financial condition, and results of operations.
Amazon Web Services (AWS) is a
third-party provider of cloud infrastructure services. We outsource substantially all of the infrastructure relating to our platform to AWS. Our customers need to be able to access our platform at any time, without interruption or degradation of
performance. Our platform depends, in part, on the virtual cloud infrastructure hosted in AWS. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire,
flood, severe storm, earthquake or other natural disasters, power loss, telecommunications failures, cyber-attacks, terrorist or other attacks, and other similar events beyond our control, could adversely affect our cloud-native platform.
Additionally, AWS may
70