优先股,面额$0.01,授权股数为5,000,000股,发行且流通股数为截至2024年6月30日和2023年12月31日之184,668,188股和181,364,180股。0.0000025 面值; 50,000截至2024年10月31日和2024年1月31日,共授权股份 no 截至2024年10月31日和2024年1月31日,发行并流通股份
The following table classifies the Company’s short-term investments by contractual maturities (in thousands):
October 31, 2024
January 31, 2024
Amortized cost
Fair Value
Amortized cost
Fair Value
Due within 1 year
$
633,311
$
634,277
$
619,286
$
618,765
Due between 1 year to 2 years
106,301
106,063
128,855
129,524
Total
$
739,612
$
740,340
$
748,141
$
748,289
All available-for-sale securities have been classified as current, based on management’s ability to use the funds in current operations.
Liabilities are measured at fair value on a recurring basis. The Company had contingent cash consideration from a business combination which was determined based upon the satisfaction of certain defined operational milestones and was remeasured at fair value at each reporting period through earnings. As the fair value is based on unobservable inputs, the liability is included in Level 3 of the fair value measurement hierarchy.
The Company reassessed the fair value of outstanding operational milestones during the three and nine months ended October 31, 2024. The Company recorded zero and a $3.8 million change in fair value for the three and nine months ended October 31, 2024, respectively. The change in fair value was included in general and administrative expenses in the condensed consolidated statement of operations for the three and nine months ended October 31, 2024. There were no changes to the fair value during the three and nine months ended October 31, 2023.
In October 2024, the remaining milestones were achieved, and the Company paid $6.9 million of contingent cash consideration during the three months ended October 31, 2024. The Company had $0.6 million and $3.6 million of Level 3 contingent consideration as of October 31, 2024 and January 31, 2024, respectively.
Interest accretion expense was $0.1 million and immaterial for the three months ended October 31, 2024 and 2023, respectively, and $0.1 million for both the nine months ended October 31, 2024 and 2023.
5. Supplemental Financial Statement Information
Accrued Expenses and Other Current Liabilities
Accrued expenses and other current liabilities consisted of the following (in thousands):
October 31, 2024
January 31, 2024
Income tax liability related to BAPA (1)
$
16,584
$
258,675
Accrued expenses
18,229
11,499
Acquisition related liabilities (2)
641
3,608
Income taxes payable
2,688
2,212
Customer refunds payable
5,269
3,019
Indirect taxes payable
3,086
3,928
ESPP employee contributions
5,068
2,827
Operating lease liabilities, current
256
410
Total accrued expenses and other current liabilities
$
51,821
$
286,178
(1) Refer to “Note 12. Income Taxes”.
(2)Refer to “Note 4. Cash Equivalents and Short-Term Investments”.
Other Income (Expense), Net
Other income (expense), net consisted of the following (in thousands):
On May 23, 2024 (the “Asset Acquisition Date”), the Company completed its acquisition of certain assets, primarily software intellectual property, of Rezilion Inc. and its subsidiary, Rezilion Ltd. (collectively, “Rezilion”) for approximately $7.3 million in cash.
The Rezilion transaction was accounted for as an asset acquisition because substantially all of the fair value of gross assets acquired were concentrated in the developed intellectual property. Acquisition-related direct transaction costs were capitalized as a component of the cost of the assets acquired.
On the Asset Acquisition Date, the fair value of the developed technology was $7.7 million including $0.4 million of acquisition-related direct costs. The developed technology acquired has an estimated useful life of three years.
Oxeye
On March 20, 2024 (the “Acquisition Date”), the Company completed the acquisition of Oxeye Security Limited (“Oxeye”), a cloud-native application security and risk management solution company based in Israel. The Company believes this acquisition will allow the Company to strengthen its product offerings.
The transaction was accounted for as a business combination. The Acquisition Date fair value of the consideration transferred consisted of the following (in thousands):
Closing cash consideration
$
16,737
Cash held in escrow
3,593
Total consideration
$
20,330
Total consideration includes $3.6 million deposited in an escrow account as partial security for post-closing indemnification claims made within 15 months of the Acquisition Date. As the Company is not the legal owner of the escrow account, it is not recorded on the condensed consolidated balance sheet as of October 31, 2024.
The following table summarizes options activity under the Plans, and related information:
Number of Stock Options Outstanding (in thousands)
Weighted Average Exercise Price
Weighted Average Remaining Years
Aggregate Intrinsic value (in millions)
Balances at January 31, 2024
8,503
$
13.03
5.85
$
499.2
Options granted
—
—
—
Options exercised
(1,778)
10.07
—
Options canceled
(11)
13.95
—
Options forfeited
(97)
18.36
—
Balances at October 31, 2024
6,617
$
13.66
5.41
$
265.3
Options vested at October 31, 2024
5,749
$
12.91
5.25
$
234.8
Options vested and expected to vest at October 31, 2024
6,617
$
13.66
5.41
$
265.3
During the three and nine months ended October 31, 2024, the Company recorded $3.1 million and $10.0 million stock-based compensation expense related to options, respectively. During the three and nine months ended October 31, 2023, the Company recorded $4.3 million and $13.8 million stock-based compensation expense related to options, respectively.
As of October 31, 2024, approximately $9.6 million of total unrecognized compensation cost was related to stock options granted, that is expected to be recognized over a weighted-average period of 1.1 years. The expected stock compensation expense remaining to be recognized reflects only outstanding stock awards as of the periods presented, and assumes no forfeitures.
The following table summarizes the Company’s RSU activity:
Number of Shares (in thousands) (1)
Weighted- Average grant date fair value
Balances at January 31, 2024
7,701
$
47.20
Granted
4,743
53.38
Vested
(2,323)
49.15
Canceled/forfeited
(1,530)
49.28
Balances at October 31, 2024
8,591
$
49.69
(1) The table above does not include 3 million RSUs granted to the Company’s founder and the Chief Executive Officer (“CEO”) described below.
These RSUs are grants of shares of the Company’s Class A common stock, the vesting of which is based on the requisite service requirement. Generally, the Company’s RSUs are subject to forfeiture and are expected to vest over two to four years ratably on a combination of bi-annual and quarterly basis. During the three and nine months ended October 31, 2024, the Company recorded $40.3 million and $117.1 million stock-based compensation expense related to RSUs, respectively. During the three and nine months ended October 31, 2023, the Company recorded $31.7 million and $84.9 million stock-based compensation expense related to RSUs, respectively.
As of October 31, 2024, approximately $401.7 million of total unrecognized compensation cost was related to RSUs granted to team members other than the CEO, that is expected to be recognized over a weighted-average period of 2.7 years. The expected stock compensation expense remaining to be recognized reflects only outstanding stock awards as of the periods presented, and assumes no forfeitures.
In June 2022, the Company granted 0.4 million PSUs to senior members of its management team subject to revenue performance condition and service conditions. The number of awards granted represents 100% of the target goal; under the terms of the awards, the recipient may earn between 0% and 200% of the original grant. The performance condition is set to be achieved in fiscal year 2025 and the service condition in calendar year 2025. The Company recorded $0.9 million and $1.8 million of stock-based compensation expense related to PSUs during the three and nine months ended October 31, 2024, respectively. The Company recorded a $0.4 million and $0.7 million of stock-based compensation related to PSUs during the three and nine months ended October 31, 2023, respectively. As of October 31, 2024, unrecognized stock-based compensation expense related to these PSUs was $1.4 million to be recognized over a period of 1.1 years.
CEO Performance Award
In May 2021, the Company granted 3 million RSUs tied to its Class B common stock to Sytse Sijbrandij, the Company’s co-founder and CEO, with an estimated aggregate grant date fair value of $8.8 million. During the three and nine months ended October 31, 2024, the Company recorded $0.3 million and $1.0 million of stock-based compensation expense related to the CEO RSU, respectively. During the three and nine months ended October 31, 2023, the Company recorded $0.4 million and $1.2 million of stock-based compensation expense related to the CEO RSU, respectively.
As measured from the grant date, the derived service period of the respective tranches ranges from 3 to 7 years. As of October 31, 2024, unrecognized stock-based compensation expense related to these RSUs was $3.3 million which will be recognized over 4.1 years.
2021 Employee Stock Purchase Plan (“ESPP”)
In September 2021, the Company’s board of directors and its stockholders approved the ESPP and participation of eligible team members.
The Company recorded $2.5 million and $8.6 million of stock-based compensation expense related to the ESPP during the three and nine months ended October 31, 2024, respectively. The Company recorded $4.0 million and $15.2 million of stock-based compensation expense related to the ESPP during the three and nine months ended October 31, 2023, respectively. As of October 31, 2024, approximately $8.5 million of total unrecognized compensation cost was related to the ESPP that is expected to be recognized over 1.6 years.
Stock-Based Compensation Expense
The Company recognized stock-based compensation expense as follows (in thousands):
(1) The table above includes stock-based compensation of JiHu. Refer to “Note 11. Joint Venture and Equity Method Investment” for further discussion.
The corporate income tax benefit recognized in the condensed consolidated statements of operations for stock-based compensation expense was zero for both the three and nine months ended October 31, 2024, and 2023, respectively.
Charitable Donation of Common Stock
In September 2021, the Company’s board of directors approved the reservation of up to 1,635,545 shares of Class A common stock for issuance to charitable organizations. In March 2024 and 2023, the Company’s board of directors approved the donation of $11.8 million and $10.7 million aggregate principal amount of shares of Class A common stock to the GitLab Foundation (the “Foundation”), a California nonprofit public benefit corporation, respectively. The Foundation is also a related party as certain of the Company’s officers serve as directors of the Foundation. These donations shall occur in four equal quarterly distributions.
During the three and nine months ended October 31, 2024, the Company donated 52,940 shares and 173,181 shares of Class A common stock at fair value to the Foundation, respectively. During the three and nine months ended October 31, 2023, the Company donated 53,510 shares and 186,899 shares of Class A common stock at fair value to the Foundation, respectively. The fair value of the common stock was determined based on the quoted market price on the grant date.
The donation expense of $3.0 million and $8.9 million was recorded in general and administrative expense in the condensed consolidated statements of operations for the three and nine months ended October 31, 2024, respectively. The donation expense of $2.7 million and $8.0 million was recorded in general and administrative expense in the condensed consolidated statements of operations for the three and nine months ended October 31, 2023, respectively.
10. Restructuring and Other Related Charges
In fiscal year 2025, the Company restructured certain departments to better align functions and recognized total restructuring charges of$0.1 million and $1.9 million during the three and nine months ended October 31, 2024, respectively.
In fiscal year 2024, the Company reduced its total global headcount by approximately 7%. As a result, the Company recognized total restructuring charges of an immaterial amount and $7.8 million during the three and nine months ended October 31, 2023, respectively.
The Company recognized severance and other termination benefit costs as follows (in thousands):
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023 (1)
Cost of revenue
$
—
$
—
$
—
$
463
Research and development
—
72
393
2,119
Sales and marketing
130
(54)
1,126
3,623
General and administrative
(11)
(4)
377
1,634
Total
$
119
$
14
$
1,896
$
7,839
(1) Excludes stock-based compensation of $1.3 million for the nine months ended October 31, 2023.
The changes in liabilities resulting from the restructuring charges and related accruals were as follows (in thousands):
Balance as of January 31, 2024
$
188
Charges
1,896
Cash payments
(2,084)
Balance as of October 31, 2024
$
—
11. Joint Venture and Equity Method Investment
Joint Venture
In February 2021, the Company along with Sequoia CBC Junyuan (Hubei) Equity Investment Partnership (Limited Partnership) and Suzhou Gaocheng Xinjian Equity Investment Fund Partnership (Limited Partnership) executed an investment agreement (the “Investment Agreement”) to establish GitLab Information Technology (Hubei) Co., LTD (“JiHu”), a legal entity in the People’s Republic of China. The Company accounted for JiHu as a variable interest entity and consolidated the entity in accordance with ASC Topic 810, Consolidation. As of October 31, 2024, the Company retains control over JiHu with its equity stake at approximately 54%.
Since fiscal year 2023, JiHu has maintained an employee stock option plan (“JiHu 2022 ESOP”) for its employees. In June 2024, the board of directors of JiHu approved a new employee stock option plan (“JiHu 2024 ESOP”) for its employees in order to grant additional shares. The fair value of restricted stock awards (“RSAs”) and stock option awards is measured on the date of grant and compensation costs related to these awards are recognized on a graded attribution method; as the grants include a performance condition for both the JiHu 2022 ESOP and JiHu 2024 ESOP (“JiHu ESOPs”).
As a result of forfeitures triggered by the departure of key executives from JiHu, during the three and nine months ended October 31, 2024, the Company reversed stock-based compensation previously recorded which resulted in a $1.0 million stock-based compensation net expense and a $0.8 million stock-based compensation net expense, respectively. As a result of forfeitures triggered by the departure of certain executives during the three and nine months ended October 31, 2023, the Company reversed stock-based compensation previously recorded for such executives. The Company recorded a $0.6 million stock-based compensation net expense and a $2.1 million net gain for the three and nine months ended October 31, 2023, respectively.
As of October 31, 2024, approximately $8.5 million of total unrecognized compensation cost was related to the JiHu ESOPs that is expected to be recognized over 3.9 years.
Operating Leases
JiHu entered into three new operating leases during the nine months ended October 31, 2024 and has various non-cancelable long-term operating leases maturing by May 25, 2027 with total lease payments of $0.5 million and a total present value of lease liabilities of $0.5 million. In addition, JiHu has various other short-term leases. Lease expense associated with short-term leases was immaterial and $0.1 million during the three and nine months ended October 31, 2024, respectively.
The Company recognized $0.1 million and $0.4 million of operating lease expense during the three and nine months ended October 31, 2024, respectively. The Company recognized $0.2 million and $0.5 million of operating lease expense during the three and nine months ended October 31, 2023, respectively.
The table below presents supplemental information related to operating leases for the nine months ended October 31, 2024 (in thousands, except weighted-average information):
Right-of-use assets obtained in exchange for new operating lease liabilities
$
327
Cash paid for amounts included in the measurement of lease liabilities
$
355
Selected Financial Information
Selected financial information of JiHu, post intercompany eliminations, is as follows (in thousands):
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
Revenue
$
1,900
$
1,700
$
5,321
$
4,773
Cost of revenue
523
779
1,542
1,830
Gross profit
1,377
921
3,779
2,943
Operating expenses:
Sales and marketing
1,804
1,644
4,850
5,688
Research and development
604
1,463
970
4,146
General and administrative
1,617
1,003
3,362
966
Total operating expenses
4,025
4,110
9,182
10,800
Loss from operations
(2,648)
(3,189)
(5,403)
(7,857)
Interest income
168
262
625
817
Other income (expense), net
(341)
279
(36)
841
Net loss before income taxes
(2,821)
(2,648)
(4,814)
(6,199)
Net loss
$
(2,821)
$
(2,648)
$
(4,814)
$
(6,199)
Net loss attributable to noncontrolling interest
$
(1,298)
$
(1,197)
$
(2,216)
$
(2,755)
October 31, 2024
January 31, 2024
Cash and cash equivalents
$
40,180
$
43,896
Property and equipment, net
196
489
Operating lease right-of-use assets
444
405
Other assets
2,613
2,835
Total assets
$
43,433
$
47,625
Total liabilities
$
6,130
$
6,080
Equity Method Investment
In April 2021, the Company reorganized Meltano Inc. (“Meltano”), now operating as Arch Data, Inc. (“Arch”), which started as an internal project within the Company in July 2018, into a separate legal entity.
The Company recorded an impairment charge of $8.9 million in other income (expense), net in the condensed consolidated statement of operations during the year ended January 31, 2024 which reduced the equity method investment value to zero as of January 31, 2024.
During the three and nine months ended October 31, 2024, the Company recorded a loss from equity method investment of zero. During the three and nine months ended October 31, 2023, the Company recognized a loss from equity method investment of $0.7 million and $2.4 million, net of tax on the condensed consolidated statements of operations, respectively.
12. Income Taxes
For the three and nine months ended October 31, 2024, the Company recorded an income tax benefit of $39.4 million and $66.1 million on pretax loss of $11.2 million and $80.5 million, respectively. Included in these amounts is an income tax benefit for the three and nine months ended October 31, 2024 of $8.3 million and $46.4 million, respectively, related to the conclusion of negotiations relating to a BAPA between the U.S. Internal Revenue Service (“IRS”) and Dutch Tax Authority (“DTA”), and a benefit of $31.6 million for three and nine months ended October 31, 2024 related to the conclusion of an agreement with the DTA on a reduced rate of tax on the gain from the transfer of the economic intellectual property (“IP”) rights.
The Company executed the BAPA agreements with the IRS and DTA on October 10, 2024, and October 22, 2024, respectively. On October 28, 2024, the Company paid $187.7 million to satisfy the tax assessment issued by the DTA, which reflected the BAPA negotiations and the agreement to reduce the rate of tax on the gain from the transfer of economic IP rights. As a result of the BAPA and Dutch assessment, the 2015 through 2017 tax years are closed for GitLab B.V. Pursuant to the terms in the BAPA, the Company will file amended returns for the 2018 through 2023 fiscal years; the tax returns for the fiscal year ended January 31, 2024 were not yet due as of the end of the current fiscal quarter. All U.S. federal and state tax net operating losses (“NOLs”) and credits, as well as Netherlands NOLs, are not yet recognized due to the determination that they are not more likely than not to be realized.
For the three and nine months ended October 31, 2023, the Company recorded income tax expense of $256.8 million and $262.3 million on pretax loss of $28.8 million and $125.8 million, respectively. The income tax expense for the three and nine months ended October 31, 2023 was primarily related to an increase in tax expense for unrecognized tax benefit relating to the BAPA, and the Company's foreign and domestic operations.
The Company's provision for income taxes is based on its worldwide estimated annualized effective tax rate, except for jurisdictions for which a loss is expected for the year and no benefit can be realized for those losses, jurisdictions for which forecasted pre-tax income or loss cannot be estimated, and the tax effect of discrete items occurring during the period. The tax provision for jurisdictions for which a forecast cannot be estimated is based on actual taxes and tax reserves for the quarter.
Under the provisions of ASC 740, Income Taxes, the determination of the Company’s ability to recognize its deferred tax asset requires an assessment of both negative and positive evidence when determining the Company’s ability to recognize its deferred tax assets. As in prior years, the Company maintained that it was not more likely than not that the Company could recognize deferred tax assets in certain jurisdictions. The evidence evaluated by the Company included operating results during the most recent three-year period and future projections. More weight was given to historical results than to expectations of future profitability, which are inherently uncertain. Certain entities’ net losses in recent periods represented sufficient negative evidence to require a valuation allowance against its net deferred tax assets. This valuation allowance will be evaluated periodically and could be reversed partially or totally if business results have sufficiently improved to support realization of deferred tax assets.
As of October 31, 2024, unrecognized tax benefits were $9.9 million, of which $0.5 million would affect the effective tax rate if recognized. As of January 31, 2024, the unrecognized tax benefits were $396.8 million, of which $207.8 million would affect the effective tax rate if recognized. The Company has settled and paid the BAPA tax liability with the DTA, thereby reducing the current tax liability previously classified as an unrecognized tax benefit. For unrecognized tax benefits unrelated to the BAPA, the Company is unable to reasonably estimate the timing of the remaining long-term payments or the amount by which the liability will increase or decrease.
It is the Company's policy to classify accrued interest and penalties related to unrecognized tax benefits in the provision for income taxes. Accrued interest and penalties were $0.3 million as of October 31, 2024 and $52.1 million as of January 31, 2024, respectively.
As of October 31, 2024, the Company’s U.S. federal 2018 through 2024 tax years were open and subject to potential examination in one or more jurisdictions. In addition, in the United States, any NOLs or credits that were generated in prior years but not yet fully utilized in a year that is closed under the statute of limitations may also be subject to examination. The Company’s Netherlands tax years are currently open from tax years 2018 to 2024, subject to adjustments as a result of the recently negotiated BAPA. The Company believes that it has adequately reserved for the outcome of the BAPA. The Company regularly assesses the likelihood of adverse outcomes resulting from all existing and potential examinations to determine the adequacy of its provision for income taxes. The Company continues to monitor the progress of ongoing discussions with tax authorities and the effect, if any, of the expected expiration of the statute of limitations in various taxing jurisdictions.
The following table sets forth basic and diluted income (loss) per share for each of the periods presented (in thousands, except per share data):
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
Numerator:
Net income (loss) attributable to GitLab
$
29,565
$
(285,158)
$
(12,130)
$
(387,707)
Denominator:
Weighted-average shares used to compute net income (loss) per share attributable to GitLab Class A and Class B common stockholders, basic
161,317
155,123
159,756
153,504
Dilutive impact of Stock Options
4,897
—
—
—
Dilutive impact of RSUs
1,102
—
—
—
Dilutive impact of ESPP
98
—
—
—
Dilutive impact of common stock in connection with business combination
22
—
—
—
Weighted-average shares used to compute net income (loss) per share attributable to GitLab Class A and Class B common stockholders, diluted
167,436
155,123
159,756
153,504
Net income (loss) per share attributable to GitLab Class A and Class B common stockholders, basic
$
0.18
$
(1.84)
$
(0.08)
$
(2.53)
Net income (loss) per share attributable to GitLab Class A and Class B common stockholders, diluted
$
0.18
$
(1.84)
$
(0.08)
$
(2.53)
Potentially dilutive securities that were not included in the diluted per share calculations because they would be anti-dilutive were as follows (in thousands):
As of
October 31, 2024
October 31, 2023
Shares subject to outstanding common stock options
—
9,454
Unvested restricted stock in connection with business combination
The Company’s purchase obligations of $140.5 million as of October 31, 2024, represent third-party non-cancelable hosting infrastructure agreements, subscription arrangements and other commitments used in the ordinary course of business to meet operational requirements.
Loss Contingencies
In accordance with ASC 450, Loss Contingencies, the Company accrues for contingencies when losses become probable and reasonably estimable. Accordingly, the Company has recorded an estimated liability related to certain labor matters regarding its use of contractors in certain foreign countries. As of October 31, 2024 and January 31, 2024, the estimated liability relating to these matters was $2.2 million recorded for each period presented in other non-current liabilities on the condensed consolidated balance sheets, respectively.
Warranties and Indemnifications
The Company enters into service level agreements with customers which warrant defined levels of uptime and support response times and permit those customers to receive credits for prepaid amounts in the event that those performance and response levels are not met. To date, the Company has not experienced any significant failures to meet defined levels of performance and response. In connection with the service level agreements, the Company has not incurred any significant costs and has not accrued any liabilities in the condensed consolidated financial statements.
In the ordinary course of business, the Company enters into contractual arrangements under which the Company agrees to provide indemnification of varying scope and terms to business partners and other parties with respect to certain matters, including, but not limited to, losses arising out of the breach of such agreements, intellectual property infringement claims made by third parties, and other liabilities relating to or arising from the Company’s platform or the Company’s acts or omissions. In these circumstances, payment may be conditional on the other party making a claim pursuant to the procedures specified in the particular contract. Further, the Company’s obligations under these agreements may be limited in terms of time and/or amount, and in some instances, the Company may have recourse against third parties for certain payments.
In addition, the Company has agreed to indemnify its directors and executive officers for costs associated with any fees, expenses, judgments, fines, and settlement amounts incurred by any of these persons in any action or proceeding to which any of those persons is, or is threatened to be, made a party by reason of the person’s service as a director or officer, including any action by the Company, arising out of that person’s services as the Company’s director or officer or that person’s services provided to any other company or enterprise at the Company’s request. The Company maintains director and officer insurance coverage that may enable the Company to recover a portion of any future amounts paid.
On September 4, 2024, a putative class action was filed in the United States District Court for the Northern District of California against the Company and certain of its current officers and directors. The complaint purports to assert claims under Section 10(b) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), SEC Rule 10b-5, and Section 20(a) of the Exchange Act, on behalf of persons and entities who acquired the Company’s Class A common stock between June 6, 2023 and March 4, 2024 (the “Class Period”). Plaintiff alleges that, during the Class Period, defendants made material misrepresentations or omissions regarding the Company’s use of AI features and ability to monetize its AI capabilities that artificially inflated the Company’s stock price. Plaintiff seeks, among other things, damages in an unspecified amount, as well as fees and costs. The action is in the preliminary stage and a lead plaintiff has not yet been appointed. The time for defendants to respond to the complaint has not yet passed and the Company intends to move to dismiss the complaint at the appropriate time. Based on the preliminary nature of the proceedings in this action, the outcome remains uncertain and the Company cannot estimate the potential impact, if any, on its business or financial statements at this time.
In addition to the matter described above, the Company is, and from time to time may become involved in legal proceedings or be subject to claims arising in the ordinary course of its business. The Company is not presently a party to any legal proceedings that in the opinion of management, if determined adversely to the Company, would individually or taken together have a material adverse effect on its business, financial condition or operating results.
Defending such proceedings is costly and can impose a significant burden on management and team members. The results of any current or future litigation cannot be predicted with certainty, and regardless of the outcome, litigation can have an adverse impact on the Company because of defense and settlement costs, diversion of management resources and other factors.
15. Subsequent Event
On December 5, 2024, the Company announced that Sytse Sijbrandij, co-founder of the Company, will resign from his position as the Company’s Chief Executive Officer, effective December 5, 2024. In connection with his resignation, Mr. Sijbrandij was appointed as the Executive Chair of the Company’s board of directors. On December 5, 2024, the Company also announced that William Staples has been appointed as Chief Executive Officer and a member of the Company’s board of directors.
ITEM 2. MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our unaudited condensed consolidated financial statements and the related notes included elsewhere in this Quarterly Report on Form 10-Q. You should review the section titled “Special Note Regarding Forward-Looking Statements” above in this Quarterly Report on Form 10-Q for a discussion of forward-looking statements and important factors that could cause actual results to differ materially from the results described in or implied by the forward-looking statements contained in the following discussion and analysis. Factors that could cause or contribute to such differences include, but are not limited to, those identified below, and those discussed in the section titled “Risk Factors” in this Quarterly Report on Form 10-Q. Our historical results are not necessarily indicative of the results that may be expected for any period in the future.
Overview
In today’s world, software defines the speed of innovation. Every industry, business, and every function within a company is dependent on software. Nearly all companies must digitally transform and become experts at building, delivering, and securing software to remain competitive and survive.
To meet these market needs, GitLab pioneered The DevSecOps Platform, a fundamentally new approach to software development and delivery. Our platform is uniquely built as a single application with native artificial intelligence, or AI, assisted workflows, and a single interface with a unified data model, enabling all stakeholders in the software delivery lifecycle – from development teams to operations teams to security teams – to work together in a single tool with a single workflow. With GitLab, they can build better, more secure software, faster.
GitLab is the solution to significant business transformation needs. Across every industry – and across companies of every size – technology leaders want to make developers more productive so they can deliver better products faster; they want to measure productivity so they can increase operational efficiency; they want to secure the software supply chain so they can reduce security and compliance risk; and, they want to accelerate secure cloud migration, so they can unlock digital transformation results. These technology leaders need a platform that enables a value stream-driven mindset that shortens the time from idea to customer value and establishes a powerful flywheel for data collection and aggregation. And they are looking for a platform approach that unifies the entire development experience, so that customers can be faster than their competition in moving from idea to customer value.
We believe GitLab is the shortest path to unlocking business and technology transformation results. Our DevSecOps platform accelerates our customers’ ability to create business value and innovate by reducing their software development cycle times from weeks to minutes – achieving up to 7x faster cycle time. It removes the need for point tools and delivers enhanced operational efficiency by eliminating manual work, increasing productivity, and creating a culture of innovation and velocity. GitLab also embeds security earlier into the development process, improving our customers’ software security, quality, and overall compliance.
GitLab is available to any team, regardless of the size, scope, and complexity of their deployment. As a result, we have more than 40 million registered users, and more than 50% of the Fortune 100 companies are GitLab customers. For purposes of determining the number of our active customers, we look at our customers with more than $5,000 of Annual Recurring Revenue, or ARR, in a given period, who we refer to as our Base Customers. For purposes of determining our Base Customers, a single organization with separate subsidiaries, segments, or divisions that use The DevSecOps Platform is considered a single customer.
GitLab is the only DevSecOps platform built on an open-core business model. We enable any customer and contributor to add functionality to our platform. In calendar year 2023, nearly 700 people contributed more than 2,100 merge requests back to the core product, extending GitLab’s in-house R&D efforts and empowering our most passionate users to make improvements to the DevOps tool they use every day. Our open-core approach has enabled us to build trust with our customers and maintain our high velocity of innovation so that we can rapidly create the most comprehensive DevSecOps platform.
GitLab largely exists today thanks to the vast and growing community of open source contributors worldwide. We actively work to grow open source community engagement by operating with transparency. We make our strategy, direction, and product roadmap available to the wider community, where we encourage and solicit their feedback. By making non-sensitive information public, we create a deeper level of trust with our customers and make it easier to solicit contributions and collaboration from our users and customers. See the section entitled “Key Business Metrics—Dollar-Based Net Retention Rate and ARR” below for additional information about how we define ARR.
We make our plans available through our self-managed and software-as-a-service, or SaaS, offering. For our self-managed offering, the customer installs GitLab in their own on-premise or hybrid cloud environment. For our SaaS offering, the platform is managed by GitLab and hosted either in our public cloud or in our private cloud based on the customer’s preference.
Factors Affecting Our Performance
Sustaining innovation and technology leadership
We believe we have built a highly differentiated platform that gives us an advantage over our competitors by empowering business, development, security, operations, and IT teams to collaborate in a single application across the entire DevSecOps lifecycle. Our technology leadership is an outcome of various factors, including our strong community, network of contributors, and continued enhancement of The DevSecOps Platform by developing new features and expanding the functionality of existing features with speed and consistency. We have had a history of releasing enhancements to The DevSecOps Platform every month and, as of October 31, 2024, had done so for the last 157 months. We intend to continue releasing new software on a monthly cadence.
We also intend to continue investing in research and development to further enhance The DevSecOps Platform and sustain our innovation and technology leadership. We have a history of investing in our open source community and intend to continue to leverage our open core software to accelerate innovation. We also intend to continue to add headcount to our research and development team to extend the functionality and range of The DevSecOps Platform by bringing new and improved products and services to our customers.
We expect our research and development expenses to increase on an absolute basis in future periods. We foresee that such investment in research and development will contribute to our long-term growth, but may also negatively impact our short-term profitability. As engaged members of the GitLab open-source community, our contributors often serve as subject matter experts at market-leading developer events and The DevSecOps Platform is presented on the cutting edge of innovation. We intend to continue to invest in building out this community to foster more contributions and collaboration in the space. Our open source community, in turn, accelerates our ability to innovate and provide a better platform to our customers. We intend to expend additional resources in the future to continue enhancing The DevSecOps Platform and introducing new products, features and functionality.
Our future growth depends in large part on our ability to acquire new customers. This, in turn, relies on our ability to reach teams and organizations through our marketing and sales efforts. To this end, we are making investments in our sales and marketing efforts to expand our reach and differentiate The DevSecOps Platform from competitive products and services. We believe that eventually the vast majority of organizations will switch to a DevSecOps platform and embrace a single application approach, creating a substantial opportunity to continue to grow our customer base. As a result, our Base Customers increased to 9,519 as of October 31, 2024 from 8,175 as of October 31, 2023, an increase of 16%, our $100,000 ARR customers increased to 1,144 as of October 31, 2024 from 874 as of October 31, 2023, an increase of 31%. See the section entitled “—Key Business Metrics—Dollar-Based Net Retention Rate and ARR” below for information about how we define ARR.
Our operating results and growth prospects will depend in part on our ability to attract new customers. While we believe we have a significant market opportunity that The DevSecOps Platform addresses, we will need to continue to invest in sales and marketing, research and development, and customer support to further grow our customer base, both in the United States and internationally. We believe that we have more than 40 million registered users, which includes users of our free tier offering, providing a base of potential new customers. We intend to continue to add headcount to our global sales and marketing team to acquire new customers and to increase sales to existing customers.
Retaining and Expanding Our Existing Customers
We employ a “land and expand” business strategy that focuses on efficiently acquiring new customers and growing our relationships with existing customers over time. We believe that as our customers realize the benefits of a single application approach, they will increase the use of The DevSecOps Platform, enhancing our ability to expand revenue generation within our existing customers over time. As a result of our approach, as of October 31, 2024 and 2023, our Dollar-Based Net Retention Rate was 124% and 128%, respectively. See the section entitled “—Key Business Metrics—Dollar-Based Net Retention Rate and ARR” below for information about how we define Dollar-Based Net Retention Rate.
We plan to continue investing in sales and marketing, with a focus on expanding usage of our platform with our existing customers. We believe that this expansion will provide us with substantial operating leverage because the costs to expand sales within existing customers are significantly less than the costs to acquire new customers. Our future revenue growth and our ability to achieve and maintain profitability is dependent upon our ability to continue landing new customers, expanding the adoption of The DevSecOps Platform by additional users within their organizations, selling add-on offerings, and upgrading customers to higher-priced tiers. Ultimately, our ability to increase sales to existing customers will depend on several factors, including our customers’ satisfaction with The DevSecOps Platform, our pricing, competition, and overall changes in our customers’ spending levels.
Partnerships, Alliances, Channels, and Integrations
We believe that our further growth depends in part on our ability to build and maintain successful partnerships, alliances, channels and integrations. We are continuously investing in developing a strong ecosystem and partner network, comprised of cloud and technology partners, resellers, and system integrators, as a way to expand our go-to-market strategy. We plan to continue investing in and developing these relationships to broaden our distribution footprint and drive greater awareness of our brand and The DevSecOps Platform. We believe that these partnerships will extend our sales reach and provide product and technology integrations that will accelerate implementation of The DevSecOps Platform in the United States and internationally. While expending resources in developing these partnerships and alliances may adversely impact our short-term profitability, we believe these investments will lead to longer term growth for the business as a whole.
We plan to continue investing in our business so that we can capitalize on our market opportunity. We believe that these investments will contribute to our long-term growth, although they may adversely affect our operating results in the near term. Furthermore, we expect our general and administrative expenses to increase in absolute amount for the foreseeable future given the additional expenses for accounting, compliance, and insurance as a public company. We plan to balance these investments in future growth with a continued focus on managing our operating results.
Key Business Metrics
We monitor the following key metrics to help us evaluate our business, identify trends affecting our business, formulate business plans, and make strategic decisions.
Dollar-Based Net Retention Rate and ARR
We believe that our ability to retain and expand our revenue generated from our existing customers is an indicator of the long-term value of our customer relationships and our potential future business opportunities. Dollar-Based Net Retention Rate measures the percentage change in our ARR derived from our customer base at a point in time. Our calculation of ARR and by extension Dollar-Based Net Retention Rate, includes both self-managed and SaaS subscription revenue. We report Dollar-Based Net Retention Rate on a threshold basis of 130% each quarter or the actual number if below 130%.
We calculate ARR by taking the monthly recurring revenue, or MRR, and multiplying it by 12. MRR for each month is calculated by aggregating, for all customers during that month, monthly revenue from committed contractual amounts of subscriptions, including our self-managed and SaaS offerings but excluding professional services. We calculate Dollar-Based Net Retention Rate as of a period end by starting with our customers as of the 12 months prior to such period end, or the Prior Period ARR. We then calculate the ARR from these customers as of the current period end, or the Current Period ARR. The calculation of Current Period ARR includes any upsells, price adjustments, user growth within a customer, contraction, and attrition. We then divide the total Current Period ARR by the total Prior Period ARR to arrive at the Dollar-Based Net Retention Rate.
As of October 31,
2024
2023
Dollar-Based Net Retention Rate
124%
128%
Customers with ARR of $100,000 or More
We believe that our ability to increase the number of $100,000 ARR customers is an indicator of our market penetration and strategic demand for The DevSecOps Platform. A single organization with separate subsidiaries, segments, or divisions that use The DevSecOps Platform is considered a single customer for determining each organization’s ARR. We do not count our reseller or distributor channel partners as customers. In cases where customers subscribe to The DevSecOps Platform through our channel partners, each end customer is counted separately.
Our self-managed subscriptions include support, maintenance, upgrades, and updates on a when-and-if-available basis. Revenue for self-managed subscriptions is recognized ratably over the contract period based on the stand-ready nature of subscription elements.
The typical term of a subscription contract for self-managed offerings is one to three years.
SaaS
Our SaaS subscriptions provide access to our latest managed version of our product hosted in a public or private cloud based on the customer’s preference. Revenue from our SaaS offerings is recognized ratably over the contract period when the performance obligation is satisfied.
The typical term of a subscription contract for SaaS offerings is one to three years.
License - self-managed and other
The license component of our self-managed subscriptions reflects the revenue recognized by providing customers with access to proprietary software features. License revenue is recognized up-front when the software license is made available to our customers.
Other revenue consists of professional services revenue which is derived from fixed fee and time and materials offerings, subject to customer acceptance for fixed fee offerings. Uncertainty exists about customer acceptance and therefore, control is presumed to transfer upon confirmation from the customer, as defined in each professional services contract. Accordingly, revenue is recognized upon satisfaction of all requirements per the applicable contract. Revenue from professional services provided on a time and material basis is recognized over the periods services are delivered.
Cost of Revenue
Subscription - self-managed and SaaS
Cost of revenue for self-managed and SaaS subscriptions consists primarily of allocated cloud-hosting costs paid to third-party service providers, personnel-related costs associated with our customer support personnel, including contractors, third-party payment processing fees, and allocated overhead. Personnel-related expenses consist of salaries, benefits, bonuses, and stock-based compensation. We expect our cost of revenue for self-managed and SaaS subscriptions to increase in absolute dollars as our self-managed and SaaS subscription revenue increases. As our SaaS offering makes up an increasing percentage of our total revenue, we expect to see increased associated cloud-related costs, such as hosting and managing costs, which may adversely impact our gross margins.
License - self-managed and other
Cost of self-managed license and other revenue consists primarily of contractor and personnel-related costs, including stock-based compensation expense, associated with the professional services team and customer support team, and allocated overhead. We expect our cost of revenue for self-managed license and other to increase in absolute dollars as our self-managed and other revenue increases.
Our operating expenses consist of sales and marketing, research and development, and general and administrative expenses. Personnel-related expenses are the most significant component of operating expenses and consist of salaries, benefits, bonuses, stock-based compensation, and sales commissions. Operating expenses also include IT overhead costs.
Sales and Marketing
Sales and marketing expenses consist primarily of personnel-related expenses associated with our sales and marketing personnel, advertising, travel and entertainment related expenses, branding and marketing events, promotions, software subscriptions, and our allocated cloud infrastructure expenses for our free tier. Sales and marketing expenses also include sales commissions paid to our sales force. Such costs incurred on acquisition of an initial contract are capitalized and amortized over an estimated period of benefit of three years, and any such expenses paid for the renewal of a subscription are capitalized and amortized over the contractual term of the renewal. However, prorated costs for commissions that are incremental to obtain a self-managed license contract are expensed immediately.
We expect sales and marketing expenses to increase in absolute dollars as we continue to make strategic investments in our sales and marketing organization to drive additional revenue, further penetrate the market, and expand our global customer base, but to decrease as a percentage of our total revenue over time, although our sales and marketing expenses may fluctuate as a percentage of our total revenue from period-to-period depending on the timing of these expenses.
Research and Development
Research and development expenses consist primarily of personnel-related expenses, including contractors, as well as cloud infrastructure expenses to support our internal development efforts, and software and subscription services. Costs related to research and development are expensed as incurred.
We expect research and development expenses to increase in absolute dollars as we continue to increase investments in our existing products and services. However, we anticipate research and development expenses to decrease as a percentage of our total revenue over time, although our research and development expenses may fluctuate as a percentage of our total revenue from period-to-period depending on the timing of these expenses.
General and Administrative
General and administrative expenses consist primarily of personnel-related expenses for our executives, finance, legal, and human resources teams. General and administrative expenses also include external legal, accounting, and director and officer insurance, as well as other consulting and professional services fees, software and subscription services, in-person company-wide event expenses, and any contract termination fees.
We incur expenses as a result of operating as a public company, including costs to comply with the rules and regulations applicable to companies listed on a national securities exchange, costs related to compliance and reporting obligations, costs related to Sarbanes-Oxley compliance, costs related to Environmental, Social, and Governance (ESG) compliance and expenses for insurance, investor relations, and related professional services. We expect that our general and administrative expenses will increase in absolute dollars as our business grows but will decrease as a percentage of our total revenue over time, although our general and administrative expenses may fluctuate as a percentage of our total revenue from period-to-period depending on the timing of these expenses.
Interest Income, and Other Income (Expense), Net
Interest income consists primarily of interest earned on our cash equivalents and short-term investments.
Other income (expense), net consists primarily of the foreign currency transaction gains and losses.
Loss from Equity Method Investment, Net of Tax
Loss from equity method investment, net of tax, consists of our share of losses from the results of operations of Arch, following its deconsolidation.
Provision for (Benefit from) Income Taxes
Provision for (benefit from) income taxes consists primarily of income taxes in the foreign and state jurisdictions in which we conduct business. We maintain a full valuation allowance against our deferred tax assets in certain jurisdictions because we have concluded that it is not more likely than not that the deferred tax assets will be realized.
Results of Operations
The following table sets forth our results of operations for the periods presented (in thousands):
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
Revenue:
Subscription—self-managed and SaaS
$
175,257
$
130,993
$
489,617
$
364,280
License—self-managed and other
20,790
18,675
58,201
51,847
Total revenue
196,047
149,668
547,818
416,127
Cost of revenue:(1)
Subscription—self-managed and SaaS
17,170
11,559
47,639
33,321
License—self-managed and other
4,955
3,525
14,632
10,398
Total cost of revenue
22,125
15,084
62,271
43,719
Gross profit
173,922
134,584
485,547
372,408
Operating expenses:
Sales and marketing(1)
95,340
86,978
285,542
265,631
Research and development(1)
61,354
49,058
176,767
148,452
General and administrative(1)
45,960
38,815
146,615
110,882
Total operating expenses
202,654
174,851
608,924
524,965
Loss from operations
(28,732)
(40,267)
(123,377)
(152,557)
Interest income
12,586
10,874
37,443
27,301
Other income (expense), net
4,992
569
5,457
(508)
Loss before income taxes and loss from equity method investment
(11,154)
(28,824)
(80,477)
(125,764)
Loss from equity method investment, net of tax
—
(743)
—
(2,408)
Provision for (benefit from) income taxes
(39,421)
256,788
(66,131)
262,290
Net income (loss)
$
28,267
$
(286,355)
$
(14,346)
$
(390,462)
Net loss attributable to noncontrolling interest(2)
(1)Includes stock-based compensation expense as follows:
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
(in thousands)
(in thousands)
Cost of revenue
$
1,993
$
1,648
$
5,924
$
4,760
Sales and marketing
17,012
16,523
54,290
51,582
Research and development
14,384
12,738
42,834
36,917
General and administrative
14,653
10,425
36,215
26,773
Total stock-based compensation expense
$
48,042
$
41,334
$
139,263
$
120,032
(2)Our results of operations include our variable interest entity, JiHu. The ownership interest of other investors is recorded as a noncontrolling interest. See “Note 11. Joint Venture and Equity Method Investment” to our condensed consolidated financial statements for additional details.
The following table sets forth the components of our condensed consolidated statements of operations as a percentage of total revenue for each of the periods presented:
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
Revenue
100
%
100
%
100
%
100
%
Cost of revenue
11
10
11
11
Gross profit
89
90
89
89
Operating expenses:
Sales and marketing
49
58
52
64
Research and development
31
33
32
36
General and administrative
23
26
27
27
Total operating expenses
103
117
111
126
Loss from operations
(15)
(27)
(23)
(37)
Interest income
6
7
7
7
Other income (expense), net
3
—
1
—
Loss before income taxes and loss from equity method investment
Comparison of the Three and Nine Months Ended October 31, 2024 and 2023
Revenue
Three Months Ended October 31,
Change
Nine Months Ended October 31,
Change
2024
2023
$
%
2024
2023
$
%
(in thousands, except percentages)
(in thousands, except percentages)
Subscription—self-managed and SaaS
$
175,257
$
130,993
$
44,264
34
%
$
489,617
$
364,280
$
125,337
34
%
License—self-managed and other
20,790
18,675
2,115
11
58,201
51,847
6,354
12
Total revenue
$
196,047
$
149,668
$
46,379
31
%
$
547,818
$
416,127
$
131,691
32
%
Revenue increased $46.4 million, or 31%, to $196.0 million for the three months ended October 31, 2024 from $149.7 million for the three months ended October 31, 2023. Revenue increased $131.7 million, or 32%, to $547.8 million for the nine months ended October 31, 2024 from $416.1 million for the nine months ended October 31, 2023. The increase in both the three and nine months ended October 31, 2024 was primarily due to the ongoing demand for The DevSecOps Platform, including adding new customers, the expansion within our existing paid customers, and an increase in our number of customers with $100,000 or greater in ARR. As of October 31, 2024 and 2023, our expansion is reflected by our Dollar-Based Net Retention Rate being 124% and 128%, respectively. We had 1,144 customers with ARR over $100,000 as of October 31, 2024, increasing from 874 customers with ARR over $100,000 as of October 31, 2023.
Revenue attributed to our variable interest entity, JiHu, was $1.9 million and $1.7 million for the three months ended October 31, 2024 and 2023, respectively, and $5.3 million and $4.8 million for the nine months ended October 31, 2024 and 2023, respectively. See “Note 11. Joint Venture and Equity Method Investment” to our condensed consolidated financial statements for additional details.
Cost of Revenue, Gross Profit, and Gross Margin
Three Months Ended October 31,
Change
Nine Months Ended October 31,
Change
2024
2023
$
%
2024
2023
$
%
(in thousands, except percentages)
(in thousands, except percentages)
Cost of revenue
$
22,125
$
15,084
$
7,041
47
%
$
62,271
$
43,719
$
18,552
42
%
Gross profit
173,922
134,584
39,338
29
485,547
372,408
113,139
30
Gross margin
89
%
90
%
(1)
%
89
%
89
%
—
%
Cost of revenue increased by $7.0 million, to $22.1 million for the three months ended October 31, 2024 from $15.1 million for the three months ended October 31, 2023, primarily due to an increase of $2.0 million in third party hosting costs for increased SaaS and cloud usage, an increase of $2.0 million in the amortization of intangible assets and $1.7 million increase in personnel-related expenses, driven by an increase in our average customer support and professional services headcount and an increase of $0.3 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below). Gross margin decreased by 1% to 89% for the three months ended October 31, 2024 from 90% for the three months ended October 31, 2023.
Cost of revenue increased by $18.6 million, to $62.3 million for the nine months ended October 31, 2024 from $43.7 million for the nine months ended October 31, 2023, primarily due to an increase of $6.1 million in third-party hosting costs for increased SaaS and cloud usage. The remaining change was primarily attributable to an increase of $5.4 million in personnel-related expenses, driven by an increase in our average customer support and professional services headcount and an increase of $1.2 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below), and an increase of $4.4 million in the amortization of intangible assets. Gross margin remained at 89% for the nine months ended October 31, 2024 compared to the nine months ended October 31, 2023.
Cost of revenue attributed to our variable interest entity, JiHu, was $0.5 million and $0.8 million for the three months ended October 31, 2024 and 2023, respectively, and $1.5 million and $1.8 million for the nine months ended October 31, 2024 and 2023, respectively. See “Note 11. Joint Venture and Equity Method Investment” to our condensed consolidated financial statements for additional details.
Sales and Marketing
Three Months Ended October 31,
Change
Nine Months Ended October 31,
Change
2024
2023
$
%
2024
2023
$
%
(in thousands, except percentages)
(in thousands, except percentages)
Sales and marketing expenses
$
95,340
$
86,978
$
8,362
10
%
$
285,542
$
265,631
$
19,911
7
%
Sales and marketing expenses increased by $8.4 million, to $95.3 million for the three months ended October 31, 2024 from $87.0 million for the three months ended October 31, 2023, primarily due to an increase of $8.2 million in personnel-related expenses, driven by an increase in our average sales and marketing headcount and an increase of $0.5 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below).
Sales and marketing expenses increased by $19.9 million, to $285.5 million for the nine months ended October 31, 2024 from $265.6 million for the nine months ended October 31, 2023, primarily due to an increase of $20.3 million in personnel-related expenses, driven by an increase in our average sales and marketing headcount and an increase of $2.7 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below), partially offset by a decrease of $0.3 million in partner rebate expenses.
Sales and marketing expenses attributed to our variable interest entity, JiHu, were $1.8 million and $1.6 million for the three months ended October 31, 2024 and 2023, respectively, and $4.9 million and $5.7 million for the nine months ended October 31, 2024 and 2023, respectively. See “Note 11. Joint Venture and Equity Method Investment” to our condensed consolidated financial statements for additional details.
Research and development expenses increased by$12.3 million, to $61.4 million for the three months ended October 31, 2024 from $49.1 million for the three months ended October 31, 2023, primarily due to an increase of $10.5 million in personnel-related expenses, driven by an increase in our average research and development headcount and an increase of $1.6 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below). The remaining change was mainly due to an increase of $1.2 million in hosting costs for internal usage.
Research and development expenses increased by $28.3 million, to $176.8 million for the nine months ended October 31, 2024 from $148.5 million for the nine months ended October 31, 2023, primarily due to an increase of $26.5 million in personnel-related expenses, driven by an increase in our average research and development headcount and an increase of $5.9 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below). The remaining change was mainly due to $2.4 million in hosting costs for internal usage, partially offset by a decrease of $1.7 million in restructuring costs.
Research and development expenses attributed to our variable interest entity, JiHu, were $0.6 million and $1.5 million for the three months ended October 31, 2024 and 2023, respectively, and $1.0 million and $4.1 million for the nine months ended October 31, 2024 and 2023, respectively. See “Note 11. Joint Venture and Equity Method Investment” to our condensed consolidated financial statements for additional details.
General and Administrative
Three Months Ended October 31,
Change
Nine Months Ended October 31,
Change
2024
2023
$
%
2024
2023
$
%
(in thousands, except percentages)
(in thousands, except percentages)
General and administrative expenses
$
45,960
$
38,815
$
7,145
18
%
$
146,615
$
110,882
$
35,733
32
%
General and administrative expenses increased by $7.1 million, to $46.0 million for the three months ended October 31, 2024 from $38.8 million for the three months ended October 31, 2023, primarily driven by an increase of $3.7 million in personnel-related expenses, mainly attributable to an increase in our average general and administrative headcount and an increase of $4.2 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below), an increase of $1.4 million in consulting expenses, an increase of $0.3 million in charitable donation of common stock, an increase of $0.2 million in finance and insurance expenses and an increase of $0.2 million in privilege tax and franchise tax.
General and administrative expenses increased by $35.7 million, to $146.6 million for the nine months ended October 31, 2024 from $110.9 million for the nine months ended October 31, 2023, primarily driven by an increase of $14.3 million expense related to our in-person company-wide event. The remaining change was primarily due to an increase of $10.3 million in personnel-related expenses, mainly attributable to an increase in our average general and administrative headcount and an increase of $9.4 million in stock-based compensation expenses (as discussed in the section titled “Stock-Based Compensation Expense” below), an increase of $3.8 million from a loss attributable to the fair value remeasurement of acquisition related contingent consideration, and an increase of $0.8 million in charitable donation of common stock.
General and administrative expenses attributed to our variable interest entity, JiHu, was $1.6 million and $1.0 million for the three months ended October 31, 2024 and 2023, respectively, and $3.4 million and $1.0 million for the nine months ended October 31, 2024 and 2023, respectively. See “Note 11. Joint Venture and Equity Method Investment” to our condensed consolidated financial statements for additional details.
Stock-Based Compensation Expense
Three Months Ended October 31,
Change
Nine Months Ended October 31,
Change
2024
2023
$
%
2024
2023
$
%
(in thousands, except percentages)
(in thousands, except percentages)
Cost of revenue
$
1,993
$
1,648
$
345
21
%
$
5,924
$
4,760
$
1,164
24
%
Sales and marketing
17,012
16,523
489
3
54,290
51,582
2,708
5
Research and development
14,384
12,738
1,646
13
42,834
36,917
5,917
16
General and administrative
14,653
10,425
4,228
41
36,215
26,773
9,442
35
Total stock-based compensation expense
$
48,042
$
41,334
$
6,708
16
%
$
139,263
$
120,032
$
19,231
16
%
Stock-based compensation expense increased by $6.7 million, to $48.0 million for the three months ended October 31, 2024 from $41.3 million for the three months ended October 31, 2023, primarily due to an increase of $8.6 million of expense from RSUs, offset by a decrease of $1.1 million related to our ESPP and $1.2 million related to stock options.
Stock-based compensation expense increased by $19.2 million, to $139.3 million for the nine months ended October 31, 2024 from $120.0 million for the nine months ended October 31, 2023, primarily due to an increase of $32.2 million of expense from RSUs, offset by a decrease of $6.4 million for grant modifications, $5.2 million related to our ESPP, and $3.8 million related to stock options.
Stock-based compensation net expense attributed to our variable interest entity, JiHu, was $1.0 million and $0.6 million for the three months ended October 31, 2024 and 2023, respectively, and a $0.8 million net expense and $2.1 million net gain for the nine months ended October 31, 2024 and 2023, respectively. See “Note 11. Joint Venture and Equity Method Investment” to our condensed consolidated financial statements for additional details.
For the three and nine months ended October 31, 2024 compared to the three and nine months ended October 31, 2023, interest income increased primarily due to income earned from our cash equivalents and short-term investments as a result of investing the proceeds from our initial public offering, or IPO, into marketable securities as well as higher interest rates during the three and nine months ended October 31, 2024 compared to the three and nine months ended October 31, 2023.
The change in other income (expense), net is mainly due to currency exchange gains and losses.
Loss from Equity Method Investment, Net of Tax
Three Months Ended October 31,
Change
Nine Months Ended October 31,
Change
2024
2023
$
%
2024
2023
$
%
(in thousands, except percentages)
(in thousands, except percentages)
Loss from equity method investment, net of tax
$
—
$
(743)
$
743
(100)
%
$
—
$
(2,408)
$
2,408
(100)
%
We recorded an impairment charge of $8.9 million in other income (expense), net in the condensed consolidated statement of operations during the year ended January 31, 2024 which reduced the equity method investment value to zero as of January 31, 2024. As a result there is no loss from equity method investment for the three and nine months ended October 31, 2024.
Our effective tax rate increased by approximately 1244.3% for the three months ended October 31, 2024 as compared to the three months ended October 31, 2023. A tax benefit is expressed as a positive rate because of our pretax loss. The increase in tax benefit was primarily due to the tax effects of the BAPA negotiations between the United States and Dutch tax authorities, as well as the execution of an agreement between GitLab B.V. and the Dutch tax authority to reduce the rate of tax imposed on the tax gain recognized upon the transfer of the economic rights of the Company’s intellectual property from the Netherlands to the United States.
Our effective tax rate increased by approximately 290.8% for the nine months ended October 31, 2024 as compared to the nine months ended October 31, 2023, representing an increased tax benefit. The increase in tax benefit was primarily due to the tax effects of the BAPA negotiations between the United States and Dutch taxing authorities.
Our effective tax rate for the three and nine months ended October 31, 2024 was higher than the U.S. federal statutory tax rate of 21%, primarily due to the tax effects of the BAPA negotiations between the United States and Dutch tax authorities, and the Company’s foreign and domestic operations.
We executed the BAPA agreements with the U.S. and Dutch tax authorities on October 10, 2024, and October 22, 2024, respectively. On October 28, 2024, we paid the tax assessment issued by the Dutch Tax Authority, or the DTA, which reflected the BAPA negotiations.
Under the provisions of ASC 740, Income Taxes, the determination of our ability to recognize our deferred tax assets requires an assessment of both negative and positive evidence when determining our ability to recognize deferred tax assets. Consistent with prior years, we maintain that it is not more likely than not that we can recognize deferred tax assets in certain jurisdictions. The evidence we evaluated included operating results during the most recent three-year period and future projections. More weight is given to historical results than to expectations of future profitability, which are inherently uncertain. Certain entities’ net losses in recent periods represented sufficient negative evidence to require a valuation allowance against its net deferred tax assets. This valuation allowance will be evaluated periodically and could be reversed partially or totally if business results have sufficiently improved to support realization of deferred tax assets.
As of October 31, 2024, our U.S. federal 2018 through 2024 tax years were open and subject to potential examination in one or more jurisdictions. In addition, in the United States, any net operating losses or credits that were generated in prior years but not yet fully utilized in a year that is closed under the statute of limitations may also be subject to examination. Our Netherlands tax years are currently open for the tax years from 2018 to 2024, subject to adjustments as a result of the recently negotiated BAPA. We believe that we have adequately reserved for the outcome of the BAPA. We regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes. We continue to monitor the progress of ongoing discussions with tax authorities and the effect, if any, of the expected expiration of the statute of limitations in various taxing jurisdictions.
As of October 31, 2024, unrecognized tax benefits were $9.9 million, of which $0.5 million would affect the effective tax rate if recognized. As of January 31, 2024, the unrecognized tax benefits were $396.8 million, of which $207.8 million would affect the effective tax rate if recognized. We have settled and paid the BAPA tax liability with the DTA, thereby reducing the current tax liability previously classified as an unrecognized tax benefit to an immaterial amount. For unrecognized tax benefits unrelated to the BAPA, we are unable to reasonably estimate the timing of the remaining long-term payments or the amount by which the liability will increase or decrease.
It is our policy to classify accrued interest and penalties related to unrecognized tax benefits in provision for income taxes. Accrued interest and penalties were $0.3 million as of October 31, 2024 and $52.1 million as of January 31, 2024, respectively.
Liquidity and Capital Resources
Since inception, we have financed operations primarily through proceeds received from issuances of equity securities, preferred stock and payments received from our customers.
As of October 31, 2024 and January 31, 2024, our principal source of liquidity was cash, cash equivalents, and short-term investments aggregating to $0.9 billion and $1.0 billion, respectively, which were held for working capital and strategic investment purposes. As of October 31, 2024, cash and cash equivalents consist of cash in banks, money markets funds, treasuries, and commercial paper, while short-term investments mainly consist of treasuries, corporate debt securities, agency securities, and commercial paper.
We believe that our existing cash, cash equivalents, and short-term investments will be sufficient to support working capital and capital expenditure requirements for at least the next 12 months. Our future capital requirements will depend on many factors, including our revenue growth rate, the timing and the amount of cash received from customers, the expansion of sales and marketing activities, the timing and extent of spending to support research and development efforts, the price at which we are able to procure third-party cloud infrastructure, expenses associated with our international expansion, the introduction of platform enhancements, and the continuing market adoption of The DevSecOps Platform. In the future, we may enter into arrangements to acquire or invest in complementary businesses, products, and technologies. We may be required to seek additional equity or debt financing. In the event that we require additional financing, we may not be able to raise such financing on terms acceptable to us or at all. If we are unable to raise additional capital or generate cash flows necessary to expand our operations and invest in continued innovation, we may not be able to compete successfully, which would harm our business, operating results, and financial condition.
The following table shows a summary of our cash flows for the periods presented:
Nine Months Ended October 31, 2024
2024
2023
(in thousands)
Net cash provided by (used in) operating activities
$
(127,193)
$
10,187
Net cash used in investing activities
$
(8,553)
$
(50,466)
Net cash provided by financing activities
$
20,927
$
30,243
Operating Activities
Our largest source of operating cash is payments received from our customers. Our primary uses of cash from operating activities are for personnel-related expenses, sales and marketing expenses, third-party cloud infrastructure expenses, and overhead expenses. We have generated positive cash flows from operating activities and have supplemented working capital through net proceeds from the issuance of equity securities.
Cash used in operating activities during the nine months ended October 31, 2024 was $127.2 million, primarily consisting of our net loss of $14.3 million, adjusted for non-cash items of $178.2 million (mainly attributable to stock-based compensation expense of $139.3 million and amortization of deferred contract acquisition costs, net of $35.7 million), and net cash outflows of $291.1 million provided by changes in our operating assets and liabilities. The main drivers of the changes in operating assets and liabilities were the increase of accounts receivable of $31.7 million, the increase in deferred contract acquisition costs of $35.7 million, the decrease in accrued expenses and other liabilities of $241.7 million (mainly attributable to $187.7 million for the BAPA payment), the decrease in accrued compensation and related expenses of $8.8 million, and the decrease in other non-current liabilities of $11.1 million, partially offset by the decrease in prepaid expenses and other current assets of $2.5 million, and the increase in deferred revenue of $34.5 million.
Cash provided by operating activities during the nine months ended October 31, 2023 was $10.2 million, primarily consisting of our net loss of $390.5 million, adjusted for non-cash items of $153.4 million (mainly attributable to stock-based compensation expense of $120.0 million), and net cash outflows of $247.3 million provided by changes in our operating assets and liabilities. The main drivers of the changes in operating assets and liabilities were the increase in deferred revenue of $29.2 million and the increase in accrued compensation and related expenses of $2.8 million, partially offset by the increase in deferred contract acquisition costs of $31.8 million and the increase in accounts receivable of $5.3 million.
Investing Activities
Cash used in investing activities during the nine months ended October 31, 2024 was $8.6 million, primarily consisting of $21.5 million in proceeds from maturities, net of purchases of short-term investments, partially offset by a $20.2 million payment for a business combination, net of cash acquired, a $7.7 million payment for an asset acquisition, and $2.6 million in purchases of property and equipment.
Cash used in investing activities during the nine months ended October 31, 2023 was $50.5 million, primarily consisting of $46.7 million in purchases of short-term investments, net of proceeds from maturities, $2.5 million outflow as a result of an escrow payment related to a prior business combination, and $1.3 million in purchases of property and equipment.
Cash provided by financing activities during the nine months ended October 31, 2024 was $20.9 million, attributable to $17.9 million proceeds from the issuance of common stock upon stock options exercises, and $7.9 million of proceeds from the issuance of common stock under the ESPP, partially offset by $4.9 million of settlement of acquisition related contingent cash consideration.
Cash provided by financing activities during the nine months ended October 31, 2023 was $30.2 million, attributable to $22.5 million of proceeds from the issuance of common stock upon stock options exercises, and $7.8 million of proceeds from the issuance of common stock under the ESPP.
Adjusted Free Cash Flow
Adjusted free cash flow is a non-GAAP financial measure that we calculate as net cash provided by operating activities less cash used for purchases of property and equipment, plus any non-recurring income tax payments related to the BAPA. We believe that adjusted free cash flow is a useful indicator of liquidity that provides information to management and investors about the amount of cash generated from our operations that, after the investments in property and equipment and any non-recurring income tax payments related to the BAPA, can be used for strategic initiatives, including investing in our business, and strengthening our financial position. One limitation of adjusted free cash flow is that it does not reflect our future contractual commitments. Additionally, adjusted free cash flow does not represent the total increase or decrease in our cash balance for a given period.
The following table presents a reconciliation of adjusted free cash flow to net cash provided by (used in) operating activities, the most directly comparable financial measure calculated in accordance with GAAP, for the periods presented (in thousands):
Three Months Ended October 31,
Nine Months Ended October 31,
2024
2023
2024
2023
Computation of adjusted free cash flow
GAAP net cash provided by (used in) operating activities
$
(177,028)
$
(5,961)
$
(127,193)
$
10,187
Less: Purchases of property and equipment
(1,057)
(736)
(2,608)
(1,269)
Add: Income tax payments related to BAPA
187,735
—
187,735
—
Non-GAAP adjusted free cash flow
$
9,650
$
(6,697)
$
57,934
$
8,918
Contractual Obligations and Commitments
For more information regarding our contractual obligations, refer to “Note 14. Commitments and Contingencies” to our condensed consolidated financial statements.
Our condensed consolidated financial statements have been prepared in conformity with U.S. generally accepted accounting principles, or GAAP. The preparation of the condensed consolidated financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities, disclosure of contingent assets and liabilities at the date of the condensed consolidated financial statements, and the reported amounts of revenue and expenses during the reporting period. We base these estimates on historical and anticipated results, trends, and various other assumptions that it believes are reasonable under the circumstances, including assumptions as to future events. Actual results could differ from those estimates. To the extent that there are differences between our estimates and actual results, our future financial statement presentation, financial condition, operating results, and cash flows will be affected.
For additional information about our critical accounting policies and estimates, see the disclosure included in our Annual Report on Form 10-K for the fiscal year ended January 31, 2024, which was filed with the SEC on March 26, 2024.
Recently Issued Accounting Pronouncements
Aside from the new accounting pronouncements already discussed in our Annual Report on Form 10-K for the fiscal year ended January 31, 2024, there were no additional pronouncements issued or effective during the period that would materially affect our condensed consolidated financial statements.
ITEM 3. QUANTITATIVE AND QUALITATIVE DISCLOSURE ABOUT MARKET RISK
We have operations both within the United States and internationally. We are exposed to market risk in the ordinary course of our business. Market risk represents the risk of loss that may impact our financial condition due to adverse changes in financial market prices and rates. Our market risk exposure is primarily the result of fluctuations in interest rates and foreign currency exchange rates.
Interest Rate Risk
As of October 31, 2024 and January 31, 2024, we had $0.9 billion and $1.0 billion of cash, cash equivalents, and short-term investments, respectively. As of October 31, 2024 and January 31, 2024, our cash equivalents and short-term investments of $0.8 billion and $1.0 billion, respectively, mainly consist of money market funds, treasuries, corporate debt securities and commercial paper. Our cash, cash equivalents, and short-term investments are held for working capital and strategic investment purposes. We do not enter into investments for trading or speculative purposes. Our fixed-income portfolio is subject to fluctuations in interest rates, which could affect our results of operations. Based on our investment portfolio balance as of October 31, 2024, a hypothetical increase or decrease in interest rates of 1% (100 basis points) would result in a decrease or an increase in the fair value of our portfolio of approximately $4.2 million. Such losses would only be realized if we sell the investments prior to maturity. The weighted-average life of our investment portfolio was approximately 6 months as of October 31, 2024.
Foreign Currency Exchange Risk
To date, all of our sales contracts have been denominated in U.S. dollars, except for our variable interest entity, JiHu, which sells in local currency in its designated area. Our revenue is not subject to a material foreign currency risk. Operating expenses within the United States are primarily denominated in U.S. dollars, while operating expenses incurred outside the United States are primarily denominated in each country’s respective local currency. Our condensed consolidated results of operations and cash flows are, therefore, subject to fluctuations due to changes in foreign currency exchange rates and may be adversely affected in the future due to changes in foreign exchange rates.
Our reporting currency is the U.S. dollar, and the functional currency of our foreign subsidiaries is each country’s respective local currency. Assets and liabilities of the foreign subsidiaries are translated into U.S. dollars at the exchange rates in effect at the reporting date, and income and expenses are translated at average exchange rates during the period, with the resulting translation adjustments directly recorded as a component of accumulated other comprehensive income (loss). Foreign currency transaction gains and losses are recorded in other income (expense), net in the condensed consolidated statements of operations. The volatility of exchange rates depends on many factors that we cannot forecast with reliable accuracy. In the event our foreign currency denominated assets, liabilities, or expenses increase, our operating results may be more greatly affected by fluctuations in the exchange rates of the currencies in which we do business. Moreover, as of October 31, 2024, we have $57.4 million of cash and cash equivalents denominated in currencies other than the U.S. dollar. The value of these cash balances may materially change along with the weakness or strength of the U.S. dollar. As of October 31, 2024, a hypothetical 10% change in foreign currency exchange rates would have a material impact on our condensed consolidated financial statements.
We have not engaged in the hedging of foreign currency transactions to date, although we may choose to do so in the future.
In connection with the preparation of this Quarterly Report on Form 10-Q, as of October 31, 2024, an evaluation was performed under the supervision and with the participation of our management, including the Chief Executive Officer and Chief Financial Officer, of the effectiveness of the design and operation of our disclosure controls and procedures (as defined in Rules 13a-15(e) and 15d-15(e) under the Exchange Act). Based on that evaluation, our Chief Executive Officer and our Chief Financial Officer have concluded that, as of October 31, 2024, our disclosure controls and procedures were, in design and operation, not effective at a reasonable assurance level as a result of the material weakness described below.
Material Weakness
As disclosed in our Annual Report on Form 10-K for the fiscal year ended January 31, 2024, we previously identified a material weakness in our internal control over financial reporting. Our management determined that a material weakness exists due to a lack of policies and procedures related to the operation of control activities and inadequate communication of information to control owners and operators related to the objectives and responsibilities for internal control in a manner which supports the internal control environment at the Company.
As a result, the following material weakness exists as of October 31, 2024:
•We did not design and maintain effective controls over certain information technology, or IT, general controls for information systems used in the financial reporting processes related to revenue. In particular, we did not design and maintain effective (i) program change management controls to ensure that IT programs, data changes and migrations affecting financial IT applications and underlying records are identified, tested, authorized and implemented appropriately and (ii) user access controls to ensure appropriate segregation of duties, restricted user and privileged access to our financial applications, data and programs to the appropriate personnel. The ineffective design and operation of IT general controls resulted in the ineffective operation of automated controls and manual controls using reports and information from the impacted information systems used in the financial reporting processes related to revenue.
Notwithstanding such material weakness in internal control over financial reporting, our Chief Executive Officer and Chief Financial Officer have concluded that our unaudited condensed consolidated financial statements included in this Quarterly Report on Form 10-Q present fairly, in all material respects, our financial position, results of operations and cash flows for the periods presented in conformity with U.S. GAAP. The aforementioned material weakness also did not result in a material misstatement in any previously issued consolidated financial statements.
industry and our customers’ industries. Any security breach or disruption could result in the loss or destruction of or unauthorized access to, or use, alteration, disclosure, or acquisition of confidential and/or personal data, which may result in damage to our reputation, early termination of our contracts, litigation, regulatory investigations, or other liabilities. If our, our customers’, or our partners’ security measures are breached as a result of third-party action, team member error, misconfiguration, malfeasance (including bribery) or otherwise and, as a result, someone obtains unauthorized access to The DevSecOps Platform, including personal and/or confidential information of our customers, our reputation could be damaged, our business may suffer loss of current customers and future opportunities and we could incur significant financial liability including fines, cost of recovery, and costs related to remediation measures.
Techniques used to obtain unauthorized access or to sabotage systems change frequently. As a result, we may be unable to fully anticipate these techniques or to implement adequate preventative measures. If an actual or perceived security breach occurs, the market perception of our security measures could be harmed, and we could lose sales and customers. If we are, or are perceived to be, not in compliance with data protection, consumer privacy, or other legal or regulatory requirements or operational norms bearing on the collection, processing, storage, or other treatment of data records, including personal data, our reputation and operating performance may suffer. Further, we need to continually monitor and remain compliant with all applicable changes in local, state, national, or international legal or regulatory requirements. Any significant violations of data privacy could result in the loss of business, litigation, and regulatory investigations and penalties that could damage our reputation and adversely impact our results of operations and financial condition.
We have contractual and legal obligations to notify relevant stakeholders of security breaches. Most jurisdictions have enacted laws requiring companies to notify affected individuals, regulatory authorities, and relevant others of security breaches involving certain types of data, including personal data. In addition, our agreements with certain customers and partners may require us to notify them in the event of a security breach. Such mandatory disclosures are costly, could lead to negative publicity, may cause our customers to lose confidence in the effectiveness of our security measures, and require us to expend significant capital and other resources to respond to or alleviate problems caused by the actual or perceived security breach. In addition, in July 2023, the Securities and Exchange Commission, or the SEC, adopted a new cybersecurity rule requiring companies subject to SEC reporting requirements to formally report material cybersecurity incidents, where failure to report may result in the SEC imposing injunctions, fines, and other penalties.
A security breach may cause us to breach customer contracts. Our agreements with certain customers may require us to use industry-standard or reasonable measures to safeguard sensitive personal data or confidential information. A security breach could lead to claims by our customers, their end-users, or other relevant stakeholders that we have failed to comply with such legal or contractual obligations. As a result, we could be subject to legal action or our customers could end their relationships with us. There can be no assurance that any limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages.
Litigation resulting from security breaches may adversely affect our business. Unauthorized access to The DevSecOps Platform, systems, networks, or physical facilities could result in litigation with our customers, our customers’ end-users, or other relevant stakeholders. These proceedings could force us to spend money in defense or settlement, divert management’s time and attention, increase our costs of doing business, or adversely affect our reputation. We could be required to fundamentally change our business activities and practices or modify The DevSecOps Platform capabilities in response to such litigation, which could have an adverse effect on our business. If a security breach were to occur, and the confidentiality, integrity, or availability of our data or the data of our partners, our customers or our customers’ end-users was disrupted, we could incur significant liability, or The DevSecOps Platform, systems, or networks may be perceived as less desirable, which could negatively affect our business and damage our reputation.
If we fail to detect, contain, or remediate a security breach in a timely manner, or a breach otherwise affects a large amount of data of one or more customers, or if we suffer a cyber attack that impacts our ability to operate The DevSecOps Platform, we may suffer material damage to our reputation, business, financial condition, and results of operations. Further, while we maintain cyber insurance that may provide coverage for these types of incidents, such coverage may not be adequate to cover the costs and other liabilities related to these incidents. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to any future claim. Our risks are likely to increase as we continue to expand The DevSecOps Platform, grow our customer base, and host, process, store, and transmit increasingly large amounts of proprietary and confidential data.
We face heightened risk of security breaches because we use third-party open source technologies and incorporate a substantial amount of open source code in our products.
The DevSecOps Platform is built using open-source technology. Using or incorporating any third-party technology can become a vector for supply-chain cyber attacks. Such attacks are prevalent in our industry and our customers’ industries, and our use of open-source technology may, or may be perceived to, leave us vulnerable to security attacks. We have previously been, and may in the future become, the target of cyber attacks by third parties seeking unauthorized access to our or our customers’ data or to disrupt our operations or ability to provide our services. If we are the target of cyber attacks as a result of our use of open source code, it may substantially damage our reputation and adversely affect our business, financial condition, and operating results.
We face intense competition and could lose market share to our competitors, which would adversely affect our business, operating results, and financial condition.
The markets for our services are highly competitive, with limited barriers to entry. Competition presents an ongoing threat to the success of our business. We expect competition in the software business generally, and in all of the stages of the software development lifecycle that our product covers, in particular, to continue to increase. We expect to continue to face intense competition from current competitors, as well as from new entrants into the market or from adjacent markets. If we are unable to anticipate or react to these challenges, our competitive position would weaken, and we would experience a decline in revenue or reduced revenue growth, and loss of market share that would adversely affect our business, financial condition, and operating results.
We face competition in several areas due to the nature of our product. Our product offering is broad across all stages of the software development lifecycle which has us competing with many providers with offerings across all stages. We compete with well-established providers such as Microsoft and Atlassian as well as other companies with offerings in fewer stages, including with respect to both code hosting and code collaboration services, as well as file storage and distribution services and artificial intelligence, or AI. Many of our competitors are significantly larger than we are and have more capital to invest in their businesses.
We believe that our ability to compete depends upon many factors both within and beyond our control, including the following:
•the ability of our products or of those of our competitors to deliver the positive business outcomes prioritized and valued by our customers and prospects;
•our ability to price our products competitively, including our ability to transition users of our free product offering to a paid version of The DevSecOps Platform;
•the timing and market acceptance of services, including the developments and enhancements to those services offered by us or our competitors, including incorporation of AI into such services;
•the amount and quality of communications, postings, and sharing by our users on public forums, which can promote improvements on The DevSecOps Platform but may also lead to disclosure of commercially sensitive details;
•our ability to monetize activity on our services;
•customer service and support efforts;
•sales and marketing efforts;
•ease of use, performance and reliability of solutions developed either by us or our competitors;
•our ability to manage our operations in a cost effective manner;
•insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our product offering;
•our reputation and brand strength relative to our competitors;
•introduction of new technologies or standards that compete with or are unable to be adopted in our products;
•ability to attract new team members or retain existing team members which could affect our ability to attract new customers, service existing customers, enhance our product or handle our business needs;
•our ability to maintain and grow our community of users; and
•the length and complexity of our sales cycles.
Many of our current and potential competitors have greater financial, technical, marketing and other resources and larger customer bases than we do. Furthermore, our current or potential competitors may be acquired by third parties with greater available resources and the ability to initiate or withstand substantial price competition. In addition, many of our competitors have established sales and marketing relationships and have access to larger customer bases. Our competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their product offerings or resources. These factors may allow our competitors to respond more quickly than we can to new or emerging technologies and changes in customer preferences. These competitors may engage in more extensive research and development efforts, undertake more far-reaching marketing campaigns and adopt more aggressive pricing policies which may undercut our pricing policies and allow them to build a larger user base or to monetize that user base more effectively than us. If our competitors’ products, platforms, services or technologies maintain or achieve greater market acceptance than ours, if they are successful in bringing their products or services to market earlier than ours, or if their products, platforms or services are more technologically capable than ours, then our revenues could be adversely affected. In addition, some of our competitors may offer their products and services at a lower price or for free, or may offer a competing product with other services or products that together result in offering the competing product for free. If we are unable to achieve our target pricing levels, our operating results would be negatively affected. Pricing pressures and increased competition could result in reduced sales, reduced margins, losses or a failure to maintain or improve our competitive market position, any of which could adversely affect our business.
Many of our users extend the functionality of The DevSecOps Platform using third-party code editors and integrated development environments, or IDEs, including editors and IDEs developed by our competitors. Our development and distribution of integrations with such tools is subject to the integration policies and technical specifications imposed by the developer of the tool. A change to the policies and specifications pertaining to any of these third-party tools (including those developed by Microsoft), could
cause us to lose market share to competitors whose products and services continue to support integrations with such tools.
We may not be able to respond to rapid technological changes with new solutions, which could have a material adverse effect on our operating results.
The DevSecOps market is characterized by rapid technological change, fluctuating price points, and frequent new product and service introductions. Our ability to increase our user base and increase revenue from existing customers will depend heavily on our ability to enhance and improve our existing solutions, introduce new features and products, both independently and in conjunction with third-party developers and technology partners, reach new platforms and sell into new markets. Customers may require features and capabilities that our current solutions do not have. If we fail to develop solutions that satisfy customer preferences in a timely and cost-effective manner, we may fail to renew our subscriptions with existing customers and create or increase demand for our solutions, and our business may be materially and adversely affected.
The introduction of new services by competitors or the development of entirely new technologies to replace existing offerings could make our solutions obsolete or adversely affect our business. In addition, any new markets or countries into which we attempt to sell our solutions may not be receptive. We may experience difficulties, including delayed releases and upgrades, with software development, design, or marketing that could delay or prevent our development, introduction, or implementation of new solutions and enhancements. Delayed releases or upgrades, or releases with defects,could result in adverse publicity, loss of revenue, delay in market acceptance, or claims by customers brought against us, all of which could have a material adverse effect on our reputation, business, operating results, and financial condition. Moreover, upgrades and enhancements to our solutions may require substantial investment and we have no assurance that such investments will be successful. If users do not widely adopt enhancements to our solutions, we may not be able to realize a return on our investment. If we are unable to develop, license, or acquire enhancements to our existing solutions on a timely and cost-effective basis, or if such enhancements do not achieve market acceptance, our business, operating results, and financial condition may be adversely affected.
If our services fail to perform properly, whether due to material defects with the software or external issues, our reputation could be adversely affected, our market share could decline, and we could be subject to liability claims.
Our products are inherently complex and may contain material defects, software “bugs” or errors.Any defects in functionality or operational procedures that cause interruptions in the availability of our products could result in:
•loss or delayed market acceptance and sales;
•loss of data;
•breach of warranty claims;
•sales credits or refunds for prepaid amounts related to unused subscription services;
•loss of customers;
•diversion of development and customer service resources;
•loss of operational time;
•destruction or compromised integrity of data and/or intellectual property; and
The costs incurred in correcting any material defects, software “bugs” or errors might be substantial and could adversely affect our operating results.
We rely on information technology systems to process, transmit and store electronic information. Our ability to effectively manage our business depends significantly on the reliability and capacity of these systems. The operation, success and growth of our business (whether now or in the future) depends on streamlined processes made available through information systems, global communications, internet activity, and other network processes. The future operation, success and growth of our business depends on streamlined processes made available through information systems, global communications, internet activity, and other network processes.
Our information technology systems may be subject to damage or interruption from telecommunications problems, data corruption, software errors, fire, flood, acts of terror and armed conflicts, global pandemics and natural disasters, power outages, systems disruptions, system conversions, and/or human error. Our existing safety systems, data backup, access protection, user management and information technology emergency planning may not be sufficient to prevent data loss or long-term network outages. In addition, we may have to upgrade our existing information technology systems or choose to incorporate new technology systems from time to time in order for such systems to support the increasing needs of our expanding business. Introduction of new technology, or upgrades and maintenance to our existing systems, could result in increased costs or unforeseen problems which may disrupt or reduce our operating efficacy.
We may also encounter service interruptions, outage, or disruption due to issues interfacing with our customers’ IT systems, including stack misconfigurations or improper environment scaling, defective updates or upgrades, or due to cybersecurity attacks on ours or our customers’ IT systems. Any such service interruption may have an adverse impact on our reputation and future operating results.
Because of the (nature and importance of the data) that our customers collect and manage by means of our services, it is possible that failures or errors in our systems could result in data loss or corruption, and/or cause the information that we or our customers collect to be incomplete or contain inaccuracies that our customers regard as material. Furthermore, the availability or performance of our products could be adversely affected by a number of factors, including customers’ inability to access the internet, the failure of our network or software systems, security breaches, or variability in user traffic for our services. We may be required to issue credits or refunds for prepaid amounts related to unused services or otherwise be liable to our customers for damages they may incur resulting from certain of these events. For example, our customers access our products through their internet service providers. If a service provider fails to provide sufficient capacity to support our products, otherwise experiences service outages, interruption or disruption, or intentionally or unintentionally restricts or limits our ability to send, deliver, or receive electronic communications or provide services, such failure could interrupt our customers’ access to our products, adversely affect their perception of our products’ reliability and reduce our revenues. In addition to potential liability, if we experience interruptions in the availability of our products or services, our reputation could be adversely affected and we could lose customers. Our production systems might not be sufficiently resilient against regional outages and recovery from such an outage might take an extended period of time. Further, while we have in place a data recovery plan, our data backup systems might fail and our data recovery plans may be insufficient to fully recover all of ours or our customers’ data hosted on our system.
While we currently maintain errors and omissions insurance, it may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our policy may not cover all claims made against us and defending a suit, regardless of its merit, could be costly and divert management’s attention.
The market for our services is relatively new and unproven and may not grow, which would adversely affect our future results and the trading price of our Class A common stock.
Because the market for our services is relatively new and rapidly evolving, it is difficult to predict customer adoption, customer demand for our services, the size and growth rate of this market, the entry of competitive products or the success of existing competitive services. Any expansion or contraction in our market depends on a number of factors, including the cost, performance and perceived value associated with our services and the appetite and ability of customers to use and pay for the services we provide. Further, even if the overall market for the type of services we provide continues to grow, we face intense competition from larger and more well-established providers and we may not be able to compete effectively or achieve market acceptance of our products. If we or other software and SaaS providers experience security incidents, loss of customer data, or disruptions in delivery or service, the market for these applications as a whole, including The DevSecOps Platform and products, may be negatively affected. If the market for our services does not achieve widespread adoption, we do not compete effectively in this market, or there is a reduction in demand for our software or our services in our market caused by a lack of customer acceptance, implementation challenges for deployment, technological challenges, lack of accessible data, competing technologies and services, decreases in corporate spending, including as a result of global business or macroeconomic conditions, including inflation, volatile interest rates, uncertainty with respect to the federal budget and debt ceiling and potential government shutdowns related thereto, volatility of the global debt and equity markets, actual or perceived instability in the global banking sector, or otherwise, it could result in reduced customer orders and decreased revenues, which could require slowing our rate of headcount growth and would adversely affect our business operations and financial results.
We are dependent on sales and marketing strategies to drive our growth in our revenue. These sales and marketing strategies may not be successful in continuing to generate sufficient sales opportunities. Any decline in our customer renewals and expansions could harm our future operating results.
Our business model depends on generating and maintaining a large user base that is satisfied with The DevSecOps Platform. We rely on satisfied customers to expand their footprint by buying new products and services and onboarding additional users. We have implemented user limits on our free SaaS product (and plan to implement in the future storage and transfer limitations on our free SaaS product), and have limited historical data with respect to the number of current and previous free users and the rates in which customers convert to paying customers. As a result, we may not accurately predict future customer purchasing trends. In future periods, our growth could slow or our profits could decline for several reasons, including decreased demand for our product offerings and our professional services, increased competition, a decrease in the growth of our overall market, a decrease in corporate spending, including as a result of global business or macroeconomic conditions, including inflation, volatile interest rates, uncertainty with respect to the federal budget and debt ceiling and potential government shutdowns related thereto, volatility of the global debt and equity markets, actual or perceived instability in the global banking sector, or otherwise, or our failure, for any reason, to continue to capitalize on growth opportunities. We may be forced to change or abandon our subscription based revenue model in order to compete with our competitors’ offerings.
It could also become increasingly difficult to predict revenue and timing of collections as our mix of annual, multi-year and other types of transactions changes as a result of our expansion into cloud-based offerings. Our failure to execute on our revenue projections could impair our ability to meet our business objectives and adversely affect our results of operations and financial condition.
Our future success also depends in part on our ability to sell more subscriptions and additional services to our current customers. Even if customers choose to renew their current subscriptions with us, they may decline to purchase additional services or they may choose to downtier or otherwise decrease the number of seats in their subscription. If our customers do not purchase additional subscriptions and services from us, our revenue may decline and our operating results may be harmed. Paying customers
may decline or fluctuate as a result of a number of factors, including their satisfaction with our services and our end-customer support, the frequency and severity of product outages, our product uptime or latency, their satisfaction with the speed of delivering new features, the pricing of our, or competing, services, and the impact of macroeconomic conditions on our customers and their corporate spending. We have limited historical data with respect to rates of paying customers buying more seats, uptiering, downtiering and churning, so we may not accurately predict future customer trends.
Our customer expansions and renewals may decline or fluctuate, and conversely, contractions and downtiers may increase, or fluctuate, as a result of a number of factors, including: quality of our sales efforts, customer usage, customer satisfaction with our services and customer support, our prices (including price increases for our Premium tier that were generally implemented in the first quarter of fiscal year 2024), the prices of competing services, mergers and acquisitions affecting our customer base, the effects of global economic conditions, including inflation, volatile interest rates, uncertainty with respect to the federal budget and debt ceiling and potential government shutdowns related thereto, volatility of the global debt and equity markets, and actual or perceived instability in the global banking sector, or reductions in our customers’ spending levels generally (including, our customers that have or may have to downsize their operations or headcount). If we cannot use our marketing strategies in a cost-effective manner or if we fail to promote our services efficiently and effectively, our ability to acquire new customers or expand the services of our existing customers may suffer. In addition, an increase in the use of online and social media for product promotion and marketing may increase the burden on us to monitor compliance of such materials and increase the risk that such materials could contain problematic product or marketing claims in violation of applicable regulations.
Further, we have previously discontinued certain lower priced product offerings, requiring users of these products to switch to another paid offering, switch to our free product or discontinue using our products. Additionally, we have implemented user limits on our free SaaS product, and plan to implement in the future storage and transfer limitations on our free SaaS product offering. We also announced in the first quarter of fiscal year 2023 storage and transfer limitations on our paid product offerings, the extent and implementation of which varies depending on the tier. To the extent we discontinue or add additional limits on our free or lower-priced product offerings, we cannot assure you that our customers will purchase our products, and if our end customers do not purchase our products, our revenues may grow more slowly than expected or decline.
Our operating results may fluctuate significantly, which could make our future results difficult to predict and could adversely affect the trading price of our Class A common stock.
Our operating results may vary significantly from period to period, which could adversely affect our business and financial condition. Our operating results have varied significantly from period to period in the past, and we expect that our operating results will continue to vary significantly in the future such that period-to-period comparisons of our operating results may not be meaningful. Accordingly, our financial results in any one quarter or fiscal year should not be relied upon as indicative of future performance. Our quarterly or annual financial results may fluctuate as a result of several factors, many of which are outside of our control and may be difficult to predict, including:
•our ability to attract and retain new customers;
•the addition or loss of material customers, including through acquisitions or consolidations;
•the timing of recognition of revenues;
•the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure;
•general economic, industry and market conditions, in both domestic and our foreign markets, including inflation, volatile interest rates, uncertainty with respect to the federal budget and debt ceiling and potential government shutdowns related thereto, volatility of the global debt and equity
markets, and actual or perceived instability in the global banking sector, the potential effects of health pandemics or epidemics and other global events, including the impacts of the U.S. presidential election and ongoing armed conflicts in different regions of the world;
•customer renewal rates;
•the timing and success of new service introductions by us or our competitors or any other change in the competitive dynamics of our industry, including consolidation among competitors, customers or strategic partners;
•our ability to convert users of our free product offerings into subscribing customers;
•increases or decreases in the number of elements of our services or pricing changes upon any renewals of customer agreements;
•allocation of software development in customers’ budget;
•seasonal variations in sales of our products;
•decisions by potential customers to use products of our competitors;
•the timing of expenses related to the development or acquisition of technologies or businesses and potential future charges for impairment of goodwill from acquired companies;
•extraordinary expenses such as litigation or other dispute-related settlement payments or outcomes;
•future accounting pronouncements or changes in our accounting policies or practices;
•negative media coverage or publicity;
•political events;
•the amount and timing of operating costs and capital expenditures related to the expansion of our business, in the U.S. and foreign markets;
•the cost to develop and upgrade The DevSecOps Platform to incorporate new technologies; and
•increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates.
In addition, we experience seasonal fluctuations in our financial results as we typically receive a higher percentage of our annual orders from new customers, as well as renewal orders from existing customers, in our last two fiscal quarters as compared to the first two fiscal quarters due to the annual budget approval process of many of our customers, the timing of our customers’ decisions to make a purchase, changes our customers experienced, or may experience, in their businesses, and other variables some of which are outside of our and our customers’ control, such as macroeconomic and general economic conditions, including inflation and volatile interest rates.
Any of the above factors, individually or in the aggregate, may result in significant fluctuations in our financial and other operating results from period to period. As a result of this variability, our historical operating results should not be relied upon as an indication of future performance. Moreover, this variability and unpredictability could result in our failure to meet our operating plan or the expectations of investors or analysts for any period. If we fail to meet such expectations for the reasons described above or any other reasons, our stock price could fall substantially.
As our product offerings mature and expand, our pricing and packaging for new products may result in existing customers purchasing new products on less favorable terms to us to replace the existing products they purchase or subscribe for from us.
As our product offerings and the markets for our services mature, or as new competitors introduce new products or services that are similar to or compete with ours, we may be unable to attract new customers at the same price or based on the same pricing model as we have used historically. Moreover, some customers may demand greater price concessions or additional functionality at the same price levels. As a result, in the future we may be required to reduce our prices or provide more features without corresponding increases in price, which could adversely affect our revenues, gross margin, profitability, financial position and cash flow.
In addition, our customers have no obligation to renew their subscriptions for our services after the expiration of the initial subscription period. A majority of our subscriptions are on a one-year period. Our customers may renew for fewer or other elements of our services or negotiate for different pricing terms. Our customers’ renewal rates may decline or fluctuate as a result of a number of factors, including their dissatisfaction with our pricing or our services, their ability to continue their operations and spending levels, and changes in other technology components used within the customer’s organization. Changes in product packaging, pricing strategy, or product offerings, or the implementation or execution of the foregoing, may not be seen favorably by our customers and may have an adverse effect on our ability to retain our current customers and acquire new ones. For example, we have previously discontinued certain lower priced product offerings, and during fiscal year 2024 we implemented a price increase in our Premium tier product offering, which may cause customers who previously used these tiers to opt for our free version or to cease using our products completely. We may also decide to raise the prices of our product offerings in the future. If our customers do not renew their subscriptions on similar pricing terms, our revenues may decline, and our business could suffer. In addition, over time the average term of our contracts could change based on renewal rates or for other reasons.
The implementation of AI and machine learning technologies in our services may result in reputational harm, liability, increased expenditures, or other adverse consequences to our business operations.
We have implemented AI capabilities throughout GitLab’s services, including as part of the GitLab Duo suite of AI features. The technologies underpinning these features are in the early stages of commercial use and exist in a nascent regulatory environment which presents regulatory, litigation, ethical, reputational, and financial risks.
Many states, regions, and supranational bodies have proposed or enacted regulations related to the use of AI and machine learning technologies, such as the E.U. Artificial Intelligence Act, which came into effect on August 1, 2024. These regulations may impose onerous obligations related to our, and our vendors’, development, offering, and use of AI technologies and expose us to an increased risk of regulatory enforcement and litigation.
Additionally, issues relating to intellectual property rights in AI-generated content have not been fully addressed by the courts, laws, or regulations. Accordingly, the implementation of generative AI technologies into our services may result in exposure to claims related to copyright infringement or other intellectual property misappropriation.
Furthermore, many of our generative AI features involve the processing of personal data and may be subject to laws, policies, legal obligations, and codes of conduct related to privacy and data protection. While there is current uncertainty about the extent to which privacy and data protection laws apply to AI technologies, any delay in addressing privacy or data protection concerns relating to our AI features may result in liability or regulatory investigations and fines, as well as damage to our sales and reputation.
Our generative AI features may also generate output that is misleading, insecure, inaccurate, harmful, or otherwise flawed, which may harm our reputation, business, or customers, or expose us to legal liability.
We rely on third-party vendors for the provision of the AI models which power many of our AI features. In the event those vendors encounter service disruption, materially and adversely change the terms on which they provide access to the models, or otherwise cease providing or change the basis on which they provide access to the models such that we can no longer obtain access, our ability to provide AI-powered features may be adversely affected.
Further, developing, testing, and offering AI-powered features may lead to greater than expected expenditures for our company because deploying AI systems involves high computing costs, which could adversely affect our gross margin, profitability, financial position, and cash flow.
Transparency is one of our core values. While we will continue to prioritize transparency, we must also promote "responsible" transparency as transparency can have unintended negative consequences.
Transparency is one of our core values. As an all-remote open-source software company, we believe transparency is essential to how we operate our business and interact with our team members, the community, and our customers. We also find it to be critical for team member recruitment, retention, efficiency and our culture. In addition, our transparency is highly valued by both our customers and our contributors. While we will continue to emphasize transparency, we also promote and educate our team members about responsible internal and external transparency, as openly sharing certain types of information can potentially lead to unintended, and sometimes negative, consequences.
As a result of our transparency, our competitors and other outside parties may have access to certain information that is often kept confidential or internal at other companies through our Handbook, our team members’ open and public use of The DevSecOps Platform to run our business, and other avenues of communication we commonly use. The public availability of this information may allow our competitors to take advantage of certain of our innovations, and may allow parties to take other actions, including litigation, that may have an adverse impact on our operating results or cause reputational harm, which in turn may have a negative economic impact.
We are also subject to Regulation FD, which imposes restrictions on the selective disclosure of material information to stockholders and other market participants, and other regulations. While we have implemented internal controls to maintain compliance with Regulation FD, if as a result of our transparency, we disclose material information in a non-Regulation FD compliant matter, we may be subject to heightened regulatory and litigation risk.
The Handbook may not be up to date or accurate, which may result in negative third-party scrutiny or be used in ways that adversely affects our business.
Consistent with our commitment to our transparency and efficiency values, we maintain a publicly available company Handbook that contains important information about our operations and business practices. This Handbook is open to the public and may be used by our competitors or bad actors in malicious ways that may adversely affect our business, operating results, and financial condition. Although we aim to keep the Handbook updated, the information in the Handbook may not be up to date at all times. Also, because any of our team members can contribute to the Handbook, the information in the Handbook may not be accurate. We have implemented disclosure controls and procedures, including internal controls over financial reporting, that comply with the U.S. securities laws; however, if we fail to successfully maintain the appropriate controls, we may face unintended disclosures of material information about the company through our Handbook, which may lead to disclosure control failures, potential securities law violations, and reputational harm.
Customers may choose to stay on our free self-managed or SaaS product offerings instead of converting into a paying customer.
Our future success depends, in part, on our ability to convert users of our free self-managed or SaaS product offerings into paying customers by selling additional products, and by upselling additional subscription services. The total number of users of our free SaaS product may decline as a result of, or due to, our enforcement of user limits and our plan to implement in the future storage and transfer limits for our free SaaS product offering. As a result of our investment in new capabilities and improvements to our free product offering, users of our free product may decline to purchase additional products or subscription services if they perceive the free product to be more attractive as compared to our paid offerings. Converting users of our free product offering may require increasingly sophisticated and costly sales efforts and may not result in additional sales. In addition, the rate at which our end-customers purchase additional products and services depends on a number of factors, including the perceived need for additional products and services, the limitations on the number of users and limitations on storage and transfers applicable to the free product offering as well as general economic conditions. If our efforts to sell additional products and services to our end-customers are not successful, our business may suffer.
Failure to effectively expand our marketing and sales capabilities could harm our ability to increase our customer base and achieve broader market acceptance of our services.
Our ability to increase our customer base and expand with existing customers will depend to a significant extent on our ability to continue to expand our marketing and sales operations. We plan to continue expanding our sales force. We also plan to continue to dedicate resources to sales and marketing programs. We are expanding our marketing and sales capabilities to target additional potential customers, including some larger organizations, but there is no guarantee that we will be successful attracting and maintaining these businesses as customers, and even if we are successful, these efforts may divert our resources away from and negatively impact our ability to attract and maintain our current customer base. All of these efforts will require us to invest financial and other resources. If we are unable to find efficient ways to deploy our marketing spend or to hire, develop, and retain talent required to maintain and support our growth, if our new sales talent are unable to achieve desired productivity levels in a reasonable period of time, or if our sales and marketing programs are not effective, our ability to increase our customer base and achieve broader market acceptance of our services could be harmed.
Any failure to offer high-quality technical support services, including success plan services, or adequately sell such services, may adversely affect our relationships with our customers and our financial results.
Once our products are deployed, our customers depend on our technical support organization to resolve technical issues. We may be unable to respond quickly enough to accommodate short-term increases in customer demand for support services, and customers may not purchase the success plan services that we offer. We also may be unable to modify the format of our support services to compete with changes in support services provided by our competitors. Increased customer demand for these services, without corresponding revenues, could increase costs and adversely affect our operating results. In addition, our sales process is highly dependent on our services and business reputation and on positive recommendations from our existing customers. Any failure to maintain high-quality technical support, or a market perception that we do not maintain high-quality support, could adversely affect our reputation, our ability to sell our services to existing and prospective customers, and our business, operating results and financial position.
Customers may demand more customized configuration and integration services, or custom features and functions that we do not offer, which could adversely affect our business and operating results.
Our current and future customers may demand more customized configuration and integration services, which increase our up-front investment in sales and deployment efforts, with no guarantee that
these customers will increase the scope of their subscription. As a result of these factors, we may need to devote a significant amount of sales, support, and professional services resources to individual customers, increasing the cost and time required to complete sales. If prospective customers require customized features or functions that we do not offer, and which would be difficult for them to deploy themselves, then the market for our applications will be more limited and our business could suffer.
If we fail to adapt and respond effectively to rapidly changing technology, evolving industry standards, and changing customer needs, requirements, or preferences, our services may become less competitive.
Our industry is subject to rapid technological change, evolving industry standards and practices, and changing customer needs, requirements, and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis, including our ability to timely provide enhancements and new features for our existing services or new services that achieve market acceptance or that keep pace with rapid technological developments and the competitive landscape. The success of new services and enhancements depends on several factors, including the timely delivery, introduction, and market acceptance of such services. If we are unable to develop and sell new services that satisfy our customers and provide enhancements and new features for our existing services that keep pace with rapid technological and industry change, our revenue and operating results could be adversely affected. Furthermore, we have in the past experienced delays in the planned release dates of new features and upgrades, and have discovered defects in new solutions after their introduction. There can be no assurance that new solutions or upgrades will be released according to schedule, or that when released they will not contain defects. If new technologies emerge that are able to deliver competitive products at lower prices, more efficiently, more conveniently, or more securely, such technologies could adversely impact our ability to compete.
Our services must also integrate with a variety of network, hardware, mobile, cloud, and software platforms and technologies, including third-party AI services, and we need to continuously modify and enhance our services to adapt to changes and innovation in these technologies, including changes in internet-related hardware, operating systems, cloud computing infrastructure, and other software, communication, browser and open source technologies. If developers widely adopt new software platforms, we would have to develop new versions of our products to work with those new platforms. This development effort may require significant engineering, marketing, and sales resources, all of which would affect our business and operating results. Any failure of our services to operate effectively with future infrastructure platforms and technologies could reduce the demand for our products and significantly impair our revenue growth. We may not be successful in either developing these modifications and enhancements or in bringing them to market in a timely fashion. Furthermore, uncertainties about the timing and nature of new network platforms or technologies, or modifications to existing platforms or technologies, could increase our research and development expenses. If we are unable to respond to these changes in a timely or cost-effective manner, our services may become less marketable and less competitive or obsolete, which may result in customer dissatisfaction, and adversely affect our business.
Our channel partners may provide a poor experience to customers putting our brand or company growth at risk. Channel partners may deliver poor services or a poor selling experience delaying customer purchase or hurting the company brand.
In addition to our direct sales force, we use channel partners to sell and support our products. Channel partners may become an increasingly important aspect of our business, particularly with regard to enterprise, governmental, and international sales. Our future growth in revenue and ability to achieve and sustain profitability may depend in part on our ability to identify, establish, and retain successful channel partner relationships in the United States and internationally, which will take significant time and resources and involve significant risk. If we are unable to maintain our relationships with these channel partners, or otherwise develop and expand our indirect distribution channel, our business, operating results, financial condition, or cash flows could be adversely affected.
We cannot be certain that we will be able to identify suitable indirect sales channel partners. To the extent we do identify such partners, we will need to negotiate the terms of a commercial agreement with them under which the partner would distribute The DevSecOps Platform. We cannot be certain that we will be able to negotiate commercially-attractive terms with any channel partner, if at all. In addition, all channel partners must be trained to distribute The DevSecOps Platform and must allocate appropriately skilled resources to the customers. In order to develop and expand our distribution channel, we must develop and improve our processes for channel partner introduction and training. If we do not succeed in identifying suitable indirect sales channel partners, our business, operating results, and financial condition may be adversely affected.
We also cannot be certain that we will be able to maintain successful relationships with any channel partners and, to the extent that our channel partners are unsuccessful in selling our products, our ability to sell our products and our business, operating results, and financial condition could be adversely affected. Our channel partners may offer customers the products and services of several different companies, including products and services that compete with our products. Because our channel partners generally do not have an exclusive relationship with us, we cannot be certain that they will prioritize or provide adequate resources to sell our products. Moreover, divergence in strategy by any of these channel partners may materially adversely affect our ability to develop, market, sell, or support our products. We cannot assure you that our channel partners will continue to cooperate with us. In addition, actions taken or omitted to be taken by such parties may adversely affect us. In addition, we rely on our channel partners to operate in accordance with the terms of their contractual agreements with us. For example, our agreements with our channel partners limit the terms and conditions pursuant to which they are authorized to resell or distribute our products and offer technical support and related services. We also typically require our channel partners to represent to us the dates and details of products sold through to our customers. If our channel partners do not comply with their contractual obligations to us, our business, operating results, and financial condition may be adversely affected.
We track certain performance metrics with internal tools and data models and do not independently verify such metrics. Certain of our performance metrics are subject to inherent challenges in measurement, and real or perceived inaccuracies in such metrics may harm our reputation and negatively affect our business.
Our internal tools and data models have a number of limitations and our methodologies for tracking these metrics may change over time, which could result in unexpected changes to our metrics, including the metrics we report. We calculate and track performance metrics with internal tools, which are not independently verified by any third party. While we believe our metrics are reasonable estimates of our customer base for the applicable period of measurement, the methodologies used to measure these metrics require significant judgment and may be susceptible to algorithmic or other technical errors. For example, the accuracy and consistency of our performance metrics may be impacted by changes to internal assumptions regarding how we account for and track customers, limitations on system implementations, and limitations on the ability of third-party tools to match our database. If the internal tools we use to track these metrics undercount or overcount performance or contain algorithmic or other technical errors, the data we report may not be accurate. In addition, limitations or errors with respect to how we measure data (or the data that we measure) may affect our understanding of certain details of our business, which could affect our longer-term strategies. If our performance metrics are not accurate representations of our business, user base, or traffic levels; if we discover material inaccuracies in our metrics; or if the metrics we rely on to track our performance do not provide an accurate measurement of our business, our reputation may be harmed, we may be subject to legal or regulatory actions, and our operating and financial results could be adversely affected.
We rely to a significant degree on a number of independent open source contributors, to develop and enhance the open source technologies we use to provide our products and services.
In our development process we rely upon numerous open core software programs which are outside of our direct control. Members of corresponding leadership committees and core teams, many of whom
are not employed by us, are primarily responsible for the oversight and evolution of the codebases of these open source technologies. If the project committees and contributors fail to adequately further develop and enhance open source technologies, or if the leadership committees fail to oversee and guide the evolution of the open source technologies in the manner that we believe is appropriate to maximize the market potential of our offerings, then we would have to rely on other parties, or we would need to expend additional resources, to develop and enhance our offerings. We also must devote adequate resources to our own internal contributors to support their continued development and enhancement of open source technologies, and if we do not do so, we may have to turn to third parties or experience delays in developing or enhancing open source technologies. We cannot predict whether further developments and enhancements to these technologies will be available from reliable alternative sources. In either event, our development expenses could be increased, and our technology release and upgrade schedules could be delayed. Delays in developing, completing, or delivering new or enhanced offerings could cause our offerings to be less competitive, impair customer acceptance of our offerings and result in delayed or reduced revenue for our offerings.
Our failure or inability to protect our intellectual property rights, or claims by others that we are infringing upon or unlawfully using their intellectual property, could diminish the value of our brand and weaken our competitive position, and adversely affect our business, financial condition, operating results, and prospects.
We currently rely on a combination of copyright, trademark, patent, trade secret, and unfair competition laws, as well as confidentiality agreements and procedures and licensing arrangements, to establish and protect our intellectual property rights. We have devoted substantial resources to the development of our proprietary technologies and related processes. In order to protect our proprietary technologies and processes, we rely in part on patent and trade secret laws and confidentiality agreements with our team members, licensees, independent contractors, commercial partners, and other advisors. These agreements may not effectively prevent disclosure of confidential information and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. We cannot be certain that the steps taken by us to protect our intellectual property rights will be adequate to prevent infringement of such rights by others. Additionally, the process of obtaining patent or trademark protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications or apply for all necessary or desirable trademark applications at a reasonable cost or in a timely manner. Moreover, intellectual property protection may be unavailable or limited in some foreign countries where laws or law enforcement practices may not protect our intellectual property rights as fully as in the United States, and it may be more difficult for us to successfully challenge the use of our intellectual property rights by other parties in these countries. Costly and time-consuming litigation could be necessary to enforce and determine the scope of our proprietary rights, and our failure or inability to obtain or maintain trade secret protection or otherwise protect our proprietary rights could adversely affect our business.
We may in the future be subject to intellectual property infringement claims and lawsuits in various jurisdictions, and although we are diligent in our efforts to protect our intellectual property we cannot be certain that our products or activities do not violate the patents, trademarks, or other intellectual property rights of third-party claimants. Companies in the technology industry and other patent, copyright, and trademark holders seeking to profit from royalties in connection with grants of licenses own large numbers of patents, copyrights, trademarks, domain names, and trade secrets and frequently commence litigation based on allegations of infringement, misappropriation, or other violations of intellectual property or other rights. As we face increasing competition and gain an increasingly high profile, the likelihood of intellectual property rights claims against us may grow.
Further, from time to time, we may receive letters from third parties alleging that we are infringing upon their intellectual property rights or inviting us to license their intellectual property rights. Our technologies and other intellectual property may be found to infringe upon such third-party rights, and such successful claims against us could result in significant monetary liability, prevent us from selling some of our products and services, or require us to change our branding. In addition, resolution of claims
may require us to redesign our products, license rights from third parties at a significant expense, or cease using those rights altogether. And we may in the future bring claims against third parties for infringing our intellectual property rights. Costs of supporting such litigation and disputes may be considerable, and there can be no assurances that a favorable outcome will be obtained. Patent infringement, trademark infringement, trade secret misappropriation, and other intellectual property claims and proceedings brought against us or brought by us, whether successful or not, could require significant attention of our management and resources and have in the past and could further result in substantial costs, harm to our brand, and have an adverse effect on our business.
Our open source and source code-available business model makes our software vulnerable to authorized and unauthorized distribution and sale.
We license many significant components of our software under permissive open source software licenses which grant licensees broad permissions to use, copy, modify, and distribute the covered software. Under these licenses, third parties are entitled to distribute and sell the covered software without payment to us.
Features available on our paid tiers are source code-available subject to a proprietary software license. This proprietary license prohibits, amongst other things, distribution and sale of the covered software. Notwithstanding these prohibitions, by virtue of the source code’s being publicly available, the covered software is vulnerable to unauthorized distribution and sale by third parties.
We are or may be the defendant in lawsuits or other claims that could cause us to incur substantial liabilities.
We have from time to time been, and are likely to in the future become, defendants in actual or threatened lawsuits brought by or on behalf of our current and former team members, competitors, vendors, shareholders, governmental or regulatory bodies, or third parties who use The DevSecOps Platform. In addition, our agreements sometimes include indemnification provisions which can subject us to costs and damages in the event of a claim against an indemnified third party. In either case, the various claims in such lawsuits may include, among other things, negligence or misconduct in the operation of our business and provision of services, intellectual property infringement, unfair competition, or violation of employment or privacy laws or regulations. Such suits may seek, as applicable, direct, indirect, consequential, punitive or other penalties or monetary damages, injunctive relief, and/or attorneys’ fees. Litigation is inherently unpredictable, and it is not possible to predict the outcome of any such lawsuits, individually or in the aggregate. However, these lawsuits may consume substantial amounts of our financial and managerial resources and might result in adverse publicity, regardless of the ultimate outcome of the lawsuits. In addition, we and our subsidiaries may become subject to similar lawsuits in the same or other jurisdictions. An unfavorable outcome with respect to these lawsuits and any future lawsuits could, individually or in the aggregate, cause us to incur substantial liabilities that may have a material adverse effect upon our business, financial condition or results of operations. In addition, an unfavorable outcome in one or more of these cases could cause us to change our compensation plans for our team members, which could have a material adverse effect upon our business. Further, while we maintain insurance that may provide coverage for these types of lawsuits and other claims, such coverage may not be adequate to cover the related costs and other liabilities.
We may engage in merger and acquisition activities and joint ventures, which could require significant management attention, disrupt our business, dilute stockholder value, and adversely affect our operating results.
As part of our business strategy, we have in the past and expect to continue to make investments in and/or acquire other companies, products, or technologies. We may not be able to find suitable acquisition candidates and we may not be able to complete acquisitions on favorable terms, if at all. Even if we complete acquisitions or joint ventures, we may not ultimately strengthen our competitive position or achieve our goals, and any acquisitions or joint ventures we complete could be viewed negatively by
users or investors. In addition, if we fail to successfully integrate such acquisitions, or the assets, technologies or talent associated with such acquisitions, into our company, we may have depleted the company’s capital resources without attractive returns, and the revenue and operating results of the combined company could be adversely affected.
We may face additional risks in connection with acquisitions and joint ventures, including:
•diversion of management time and focus from operating our business to addressing acquisition integration challenges;
•coordination of research and development and sales and marketing functions;
•integration of product and service offerings;
•retention of key team members from the acquired company;
•changes in relationships with strategic partners as a result of product acquisitions or strategic positioning resulting from the acquisition;
•integration of customers from the acquired company;
•cultural challenges associated with integrating team members from the acquired company into our organization;
•integration of the acquired company’s accounting, management information, human resources and other administrative systems;
•the need to implement or improve controls, procedures and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies;
•additional legal, regulatory or compliance requirements;
•financial reporting, revenue recognition or other financial or control deficiencies of the acquired company that we do not adequately address and that cause our reported results to be incorrect;
•liability for activities of the acquired company before the acquisition, including intellectual property infringement claims, violations of laws, commercial disputes, tax liabilities and other known and unknown liabilities;
•unanticipated write-offs or charges; and
•litigation or other claims in connection with the acquired company, including claims from terminated team members, customers, former stockholders or other third parties.
Further, we may have to pay cash, incur debt, or issue equity securities to pay for any such acquisition or joint venture, each of which could affect our financial condition or the value of our capital stock and could result in dilution to our stockholders. If we incur more debt it would result in increased fixed obligations and could also subject us to covenants or other restrictions that would impede or may be beyond our ability to manage our operations. Additionally, we may receive indications of interest from other parties interested in acquiring some or all of our business. The time required to evaluate such indications of interest could require significant attention from management, disrupt the ordinary functioning of our business, and adversely affect our operating results.
Our failure to address these risks or other problems encountered in connection with acquisitions activities and joint ventures could cause us to fail to realize the anticipated benefits of these acquisitions, investments or joint ventures, cause us to incur unanticipated liabilities, and harm our business generally.
If our estimates or judgments relating to our critical accounting policies prove to be incorrect, our operating results could be adversely affected.
The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the amounts reported in the condensed consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as described in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” included elsewhere in this Quarterly Report on Form 10-Q. The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities, and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our condensed consolidated financial statements include those related to revenue recognition, deferred contract acquisition costs, income taxes, business combinations, stock-based compensation and common stock valuations. Our operating results may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations of securities analysts and investors, resulting in a decline in the price of our common stock.
Adverse tax laws or regulations could be enacted or existing laws could be applied to us or our customers, which could increase the costs of our services and adversely impact our business.
The application of federal, state, local, and international tax laws to services provided electronically is evolving. New sales, use, value-added tax, digital service or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time (possibly with retroactive effect), and could be applied solely or disproportionately to services provided over the internet. If we are unsuccessful in collecting such taxes from our customers, we could be held liable for such costs, thereby adversely impacting our operating results and cash flows. Moreover, we are subject to the examination of our sales, use, and value-added tax returns by U.S. state and foreign tax authorities. We regularly assess the likelihood of outcomes resulting from these examinations and have reserved for potential adjustments that may result from these examinations. We cannot provide assurance that the final determination of these examinations will not have an adverse effect on our financial position and results of operations.
The termination of our relationship with our payment solutions providers could have a severe, negative impact on our ability to collect revenue from customers.
All web direct customers purchase our solution using online payment solutions such as credit cards, which represent the majority of the payment transactions we receive, and our business depends upon our ability to offer such payment options. The termination of our ability to process payments on any material payment option would significantly impair our ability to operate our business and significantly increase our administrative costs related to customer payment processing. If we fail to maintain our compliance with the data protection and documentation standards adopted by our payment processors and applicable to us, these processors could terminate their agreements with us, and we could lose our ability to offer our customers a credit card or other payment option. If these processors increase their payment processing fees because we experience excessive chargebacks or refunds or for other reasons, it could adversely affect our business and operating results. Increases in payment processing fees would increase our operating expense and adversely affect our operating results.
We process, store and use personal data and other data, which subjects us to governmental regulation and other legal obligations, including in the United States, the European Union, or the E.U., the United Kingdom, or the U.K., Canada, and Australia, related to privacy, and our actual or perceived failure to comply with such laws, regulations and contractual obligations could result in significant liability and reputational harm.
We receive, store and process personal data and other customer data. There are numerous federal, state, local and foreign laws regarding privacy and the storing, sharing, access, use, processing, disclosure and protection of personal data and other customer data, the scope of which is changing, subject to differing interpretations, and which may be inconsistent among countries or conflict with other rules.
With respect to E.U. and U.K. team members, contractors and other personnel, as well as for our customers’ and prospective customers’ personal data, such as contact and business information, we are subject to the E.U. General Data Protection Regulation, or the GDPR, and applicable national implementing legislation of the GDPR, and the U.K. General Data Protection Regulation and U.K. Data Protection Act 2018, or the U.K. GDPR, respectively. We are a controller with respect to this data.
The GDPR and U.K. GDPR impose stringent data protection requirements and, where we are acting as a controller, includes requirements to: provide detailed disclosures about how personal data is collected and processed (in a concise, intelligible and easily accessible form); demonstrate that an appropriate legal basis is in place or otherwise exists to justify data processing activities; grant rights for data subjects in regard to their personal data including the right to be “forgotten,” the right to data portability, the right to correct personal data, and the right to access personal data; notify data protection regulators or supervisory authorities (and in certain cases, affected individuals) of significant data breaches; define pseudonymized (key-coded) data; limit the retention of personal data; maintain a record of data processing; and comply with the principle of accountability and the obligation to demonstrate compliance through policies, procedures, trainings and audits. Where we act as a processor and process personal data on behalf of our customers, we are required to execute mandatory data processing clauses with those customers and maintain a record of data processing, among other requirements under the GDPR and U.K. GDPR. The GDPR and U.K. GDPR provide for penalties for noncompliance of up to the greater of €20 million or 4% of worldwide annual revenues (in the case of the GDPR) or £17 million and 4% of worldwide annual revenue (in the case of the U.K. GDPR). As we are required to comply with both the GDPR and the U.K. GDPR, we could be subject to parallel enforcement actions with respect to breaches of the GDPR or U.K. GDPR which affects both E.U. and U.K. data subjects. In addition to the foregoing, a breach of the GDPR or U.K. GDPR could result in regulatory investigations, reputational damage, orders to cease or change our processing of our personal data, enforcement notices, and/or assessment notices (for a compulsory audit). We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm.
The GDPR and U.K. GDPR requires, among other things, that personal data only be transferred outside of the European Economic Area, or the E.E.A., or the U.K., respectively, to jurisdictions that have not been deemed adequate by the European Commission or by the U.K. data protection regulator, respectively, including the United States, if certain safeguards are taken to legitimize those data transfers. Recent legal developments in the E.U. have created complexity and uncertainty regarding such transfers. For example, on July 16, 2020, the European Court of Justice, or the CJEU, invalidated the E.U.-U.S. Privacy Shield framework, or the Privacy Shield. Further, the CJEU also advised that the Standard Contractual Clauses (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism and potential alternative to the Privacy Shield) were not alone sufficient to protect data transferred to the United States or other countries not deemed adequate. On July 10, 2023, the European Commission entered into force the E.U.-U.S. Data Privacy Framework, or the DPF, as a successor framework to the Privacy Shield. Under the DPF, certified U.S.-based organizations may receive transfers of personal data from the E.E.A. and the U.K. However, there are uncertainties
regarding the long-term viability of the DPF due to proposed legal challenges to the framework before the CJEU. Thus, the Standard Contractual Clauses will remain an important data transfer mechanism for transfers to countries outside of the E.E.A. and the U.K., but the use of Standard Contractual Clauses must still be assessed on a case-by-case basis taking into account the legal regime applicable in the destination country, in particular applicable surveillance laws and rights of individuals, and additional measures and/or contractual provisions may need to be put in place. The European Data Protection Board issued additional guidance regarding the CJEU’s decision in November 2020, which imposes higher burdens on the use of data transfer mechanisms, such as the Standard Contractual Clauses, for cross-border data transfers. The CJEU also stated that if a competent supervisory authority believes that the Standard Contractual Clauses cannot be complied with in the destination country and that the required level of protection cannot be secured by other means, such supervisory authority is under an obligation to suspend or prohibit that transfer. Since the decision by the CJEU, Supervisory Authorities, including the CNIL and the Austrian Data Protection Authority, are now looking at cross-border transfers more closely, and have publicly stated in January 2022 that the transfer of data to the United States using certain analytics tools is illegal. While these decisions related specifically to analytics tools and may be inapplicable to organizations certified under the DPF, it has been suggested that it is far-reaching and applies to any transfer of E.U. personal data to the United States. We will continue to monitor this situation, and evaluate and utilize, where appropriate, all data transfer mechanisms available to us, but this may require the removal of tools from our services and websites where data is transferred from the E.U. to the U.S., or impact the manner in which we provide our services, which could adversely affect our business. In addition, if participation in the DPF is deemed appropriate, then we would be required to update documentation and processes, which may result in further compliance costs.
In addition, following the U.K.’s withdrawal from the E.U., the E.U. issued an adequacy decision in June 2021 in favor of the U.K. permitting data transfers from the E.U. to the U.K. However, this adequacy decision is subject to a four-year term, and the E.U. could intervene during the term if it determines that the data protection laws in the U.K. are not sufficient. If the adequacy decision is not renewed after its term, or the E.U. intervenes during the term, data may not be able to flow freely from the E.U. to the U.K. unless additional measures are taken. In which case, we may be required to find alternative solutions for the compliant transfer of personal data into the U.K. from the E.U. As supervisory authorities continue to issue further guidance on personal data (including regarding data export and circumstances in which we cannot use the Standard Contractual Clauses), we could suffer additional costs, complaints, or regulatory investigations or fines, and if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. Loss, retention or misuse of certain information and alleged violations of laws and regulations relating to privacy and data security, and any relevant claims, may expose us to potential liability and may require us to expend significant resources on data security and in responding to and defending such allegations and claims.
We are also subject to evolving E.U. and U.K. privacy laws on cookies and e-marketing. In the E.U. and the U.K., regulators are increasingly focusing on compliance with requirements in the online behavioral advertising ecosystem, and current national laws that implement the ePrivacy Directive are highly likely to be replaced by an E.U. regulation known as the ePrivacy Regulation which will significantly increase fines for non-compliance. In the E.U. and the U.K., informed consent is required for the placement of a cookie or similar technologies on a user’s device and for direct electronic marketing. The U.K. GDPR also imposes conditions on obtaining valid consent, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. While the text of the ePrivacy Regulation is still under development, a recent European court decision and regulators’ recent guidance are driving increased attention to cookies and tracking technologies. If regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, increase costs and subject us to additional liabilities. Regulation of cookies and similar technologies, and any decline of cookies or similar online tracking technologies as
a means to identify and potentially target users, may lead to broader restrictions and impairments on our marketing and personalization activities and may negatively impact our efforts to understand users.
We depend on a number of third parties in relation to the operation of our business, a number of which process personal data on our behalf or as our sub-processor. To the extent required by applicable law, we attempt to mitigate the associated risks of using third parties by performing security assessments and detailed due diligence, entering into contractual arrangements to ensure that providers only process personal data according to our instructions or equivalent instructions to that of our customer (as applicable), and that they have sufficient technical and organizational security measures in place. Where we transfer personal data outside the E.U. or the U.K. to such third parties, we do so in compliance with the relevant data export requirements, as described above. There is no assurance that these contractual measures and our own privacy and security-related safeguards will protect us from the risks associated with the third-party processing, storage and transmission of such information. Any violation of data or security laws by our third-party processors could have a material adverse effect on our business and result in the fines and penalties under the GDPR and the U.K. GDPR outlined above.
Additionally, we are subject to the California Consumer Privacy Act, or the CCPA, which came into effect in 2020 and increases privacy rights for California consumers and imposes obligations on companies that process their personal data. The CCPA requires covered companies to, among other things, provide new disclosures to California consumers and affords such consumers new privacy rights such as the ability to opt out of certain sales of personal data and expanded rights to access and deletion of their personal data, opt out of certain personal data sharing, and receive detailed information about how their personal data is collected, used and shared. The CCPA provides for civil penalties for violations, as well as a private right of action for security breaches that may increase the likelihood of, and the risks associated with, security breach litigation. Additionally, in November 2020, California passed the California Privacy Rights Act, or the CPRA, which expands the CCPA significantly, including by expanding consumers’ rights with respect to certain personal data and creating a new state agency to oversee implementation and enforcement efforts, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply. Many of the CPRA’s provisions became effective on January 1, 2023. The CCPA has also prompted a number of passed laws and proposals for new federal and state privacy legislation that, if passed, could increase our potential liability and compliance costs, particularly in the event of a data breach, and adversely affect our business, including how we use personal data, our financial condition, and the results of our operations or prospects. Compliance with this new privacy legislation adds complexity and may require investment in additional resources for compliance programs, thus potentially resulting in additional costs and expense of resources to maintain compliance. Changing definitions of personal data and information may also limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing of data. Also, some jurisdictions require that certain types of data be retained on servers within these jurisdictions. Our failure to comply with applicable laws, directives, and regulations may result in enforcement action against us, including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results.
We are also currently subject to China’s Personal Information Protection Law, or PIPL, which came into effect in November 2021 and which increases the protections of Chinese residents. In particular, the law is intended to protect the rights and interests of individuals, to regulate personal data processing activities, to safeguard the lawful and “orderly flow” of data, and to facilitate reasonable use of personal data. Our failure to comply with the PIPL may result in enforcement action against us, including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results. Also, the Cyberspace Administration of China has developed measures to govern cross-border transfers of personal data, such as security assessments, certifications, and Standard Contractual Clauses, all of which may impact our ability to transact with customers with operations in China. To reduce the impact of PIPL, we are in the process of transitioning certain users who are resident in China to our JiHu entity.
Further, we are subject to Payment Card Industry Data Security Standard, or PCI-DSS, a security standard applicable to companies that collect, store or transmit certain data regarding credit and debit cards, holders and transactions. We rely on vendors to handle PCI-DSS matters and to ensure PCI-DSS compliance. Despite our compliance efforts, we may become subject to claims that we have violated the PCI-DSS based on past, present, and future business practices. Our actual or perceived failure to comply with the PCI-DSS can subject us to fines, termination of banking relationships, and increased transaction fees. In addition, there is no guarantee that PCI-DSS compliance will prevent illegal or improper use of our payment systems or the theft, loss or misuse of payment card data or transaction information.
We generally seek to comply with industry standards and are subject to the terms of our privacy policies and privacy-related obligations to third parties. We strive to comply with all applicable laws, policies, legal obligations and industry codes of conduct relating to privacy and data protection to the extent possible. However, it is possible that these obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. Any failure or perceived failure by us to comply with applicable privacy and data security laws and regulations, our privacy policies, or our privacy-related obligations to users or other third parties, or any compromise of security that results in the unauthorized release or transfer of personal data or other customer data, may result in governmental enforcement actions, litigation, or public statements against us by consumer advocacy groups or others and could cause our users to lose trust in us, which would have an adverse effect on our reputation and business. It is possible that a regulatory inquiry might result in changes to our policies or business practices. Violation of existing or future regulatory orders or consent decrees could subject us to substantial monetary fines and other penalties that could negatively affect our financial condition and operating results. In addition, it is possible that future orders issued by, or enforcement actions initiated by, regulatory authorities could cause us to incur substantial costs or require us to change our business practices in a manner materially adverse to our business.
Any significant change to applicable laws, regulations or industry practices regarding the use or disclosure of our users’ data, or regarding the manner in which the express or implied consent of users for the use and disclosure of such data is obtained – or in how these applicable laws, regulations or industry practices are interpreted and enforced by state, federal and international privacy regulators – could require us to modify our services and features, possibly in a material manner, may subject us to regulatory enforcement actions and fines, and may limit our ability to develop new services and features that make use of the data that our users voluntarily share with us.
We are subject to various governmental export controls, trade sanctions, and import laws and regulations that could impair our ability to compete in international markets or subject us to liability if we violate these controls.
In some cases, our software is subject to export control laws and regulations, including the Export Administration Regulations administered by the U.S. Department of Commerce, and our activities may be subject to trade and economic sanctions, including those administered by the United States Department of the Treasury’s Office of Foreign Assets Control, or OFAC, and collectively, Trade Controls. As such, a license may be required to export or re-export our products, or provide related services, to certain countries and end-users, and for certain end-uses. For example, Trade Controls targeting Russia and Belarus, impose a license requirement for the export of our product to those countries, and have sanctioned various entities and individuals located there, while recent sanctions restrict the provision of certain cloud services to Russia. Those Trade Controls are unprecedented and expansive, and may continue to evolve. Further, our products incorporating encryption functionality may be subject to special controls applying to encryption items and/or certain reporting requirements.
We have procedures in place designed to ensure our compliance with Trade Controls, with which failure to comply could subject us to both civil and criminal penalties, including substantial fines, possible incarceration of responsible individuals for willful violations, possible loss of our export or import privileges, and reputational harm. We are currently working to enhance these procedures. Trade Controls are complex and dynamic regimes, and monitoring and ensuring compliance can be challenging,
particularly given that our products are widely distributed throughout the world and are available for download without registration. Prior to implementing certain control procedures, we inadvertently exported our software to entities located in embargoed countries and listed on denied parties lists administered by the U.S. Department of Commerce’s Bureau of Industry and Security, or BIS, and OFAC. In September 2019, we disclosed these apparent violations to BIS and OFAC, which resulted in a BIS Warning Letter and an OFAC Cautionary Letter, in January and February 2020, respectively. While BIS and OFAC did not assess any penalties, we understand that BIS and OFAC may consider our regulatory history, including these prior disclosures and warning/cautionary letters, if the company is involved in a future enforcement case for failure to comply with export control laws and regulations. Any future failure by us or our partners to comply with applicable laws and regulations would have negative consequences for us, including reputational harm, government investigations, and penalties.
In addition, various countries regulate the import of certain encryption technology, including through import permit and license requirements, and have enacted laws that could limit our ability to distribute our products or could limit our end-customers’ ability to implement our products in those countries. Changes in our products or changes in export and import regulations in such countries may create delays in the introduction of our products into international markets, prevent our end-customers with international operations from deploying our products globally or, in some cases, prevent or delay the export or import of our products to certain countries, governments, or persons altogether. Any change in export or import laws or regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing export, import or sanctions laws or regulations, or change in the countries, governments, persons, or technologies targeted by such export, import or sanctions laws or regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential end-customers with international operations. Any decreased use of our products or limitation on our ability to export to or sell our products in international markets could adversely affect our business, financial condition, and results of operations.
Failure to comply with anti-bribery, anti-corruption, anti-money laundering laws, and similar laws, could subject us to penalties and other adverse consequences.
We are subject to the U.S. Foreign Corrupt Practices Act of 1977, as amended, or the FCPA, the U.S. domestic bribery statute contained in 18 U.S.C. § 201, the U.S. Travel Act, the USA PATRIOT Act, the United Kingdom Bribery Act 2010 and possibly other anti-bribery and anti-money laundering laws in countries outside of the United States in which we conduct our activities. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly to generally prohibit companies, their team members, and their third-party intermediaries from authorizing, offering, or providing, directly or indirectly, improper payments or benefits to recipients in the public or private sector.
We sometimes leverage third parties to sell our products and services and conduct our business abroad. We and our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our team members, representatives, contractors, partners, and agents, even if we do not explicitly authorize such activities. We cannot assure you that all of our team members and agents will not take actions in violation of applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase.
Any allegations or actual violation of the FCPA or other applicable anti-bribery, anti-corruption laws, and anti-money laundering laws could result in whistleblower complaints, sanctions, settlements, prosecution, enforcement actions, fines, damages, adverse media coverage, investigations, loss of export privileges, severe criminal or civil sanctions, or suspension or debarment from U.S. government contracts, all of which may have an adverse effect on our reputation, business, results of operations, and prospects. Responding to any investigation or action will likely result in a materially significant diversion of management’s attention and resources and significant defense costs and other professional fees. In addition, the U.S. government may seek to hold us liable for successor liability for FCPA violations
committed by companies in which we invest or that we acquire. As a general matter, investigations, enforcement actions and sanctions could harm our reputation, business, results of operations, and financial condition.
Further, in June 2024, the U.S. Supreme Court reversed its longstanding approach under the Chevron doctrine, which provided for judicial deference to regulatory agencies. As a result of this decision, we cannot be sure whether there will be increased challenges to existing agency regulations or how lower courts will apply the decision in the context of other regulatory schemes without more specific guidance from the U.S. Supreme Court and/or federal appellate courts. For example, the U.S. Supreme Court’s decision could significantly impact consumer protection, advertising, privacy, artificial intelligence, anti-corruption and anti-money laundering practices and other regulatory regimes with which we are required to comply.
A portion of our revenue is generated by sales to government entities, which are subject to a number of challenges and risks.
Sales to government entities are subject to a number of risks. Selling to government entities can be highly competitive, expensive, and time-consuming, often requiring significant up-front time and expense without any assurance that these efforts will generate a sale. Government certification requirements for products like ours may change, thereby restricting our ability to sell into the U.S. federal government, U.S. state governments, or non-U.S. government sectors until we have attained the revised certification. Government demand and payment for our products may be affected by public sector budgetary cycles, funding authorizations, government shutdowns, and general political priorities, with funding reductions or delays adversely affecting public sector demand for our products. Additionally, any actual or perceived privacy, data protection, or data security incident, or even any perceived defect with regard to our practices or measures in these areas, may negatively impact public sector demand for our products. The U.S. federal government and other government entities are in the process of implementing specific policies and obligations relating to the use of AI, and we will need to continue to monitor these developments to ensure our products that we sell to government entities remain compliant with such applicable regulations.
Additionally, we rely on certain partners to provide technical support services to certain of our government entity customers to resolve any issues relating to our products. If our partners do not effectively assist our government entity customers in deploying our products, succeed in helping our government entity customers quickly resolve post-deployment issues, or provide effective ongoing support, our ability to sell additional products to new and existing government entity customers would be adversely affected and our reputation could be damaged.
Government entities may have statutory, contractual, or other legal rights to terminate contracts with us for convenience or due to a default, and any such termination may adversely affect our future results of operations. Governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our subscriptions, a reduction of revenue, or fines or civil or criminal liability if the audit uncovers improper or illegal activities, which could adversely affect our results of operations in a material way.
Our success depends on our ability to provide users of our products and services with access to an abundance of useful, efficient, high-quality code which in turn depends on the quality and volume of code contributed by our open source contributors.
We believe that one of our competitive advantages is the quality, quantity and collaborative nature of the code on GitLab, and that access to open source code is one of the main reasons users visit GitLab. In furtherance of the foregoing competitive advantages and access, we seek to foster a broad and engaged contributor community, and we encourage individuals, companies, governments, and institutions to use our products and services to learn, code and work. If contributors, including influential contributors, do not continue to contribute code, our customer base and contributor engagement may decline. Additionally, if
we are not able to address user concerns regarding the safety and security of our products and services or if we are unable to successfully prevent abusive or other hostile behavior on The DevSecOps Platform, the size of our customer base and contributor engagement may decline. If there is a decline in the number of contributors, customer or contributor growth rate or engagement, including as a result of the loss of influential contributors and companies who provide innovative code on GitLab, paying customers of our online services may be deterred from using our products or services or reduce their spending with us or cease doing business with us, which would harm our business and operating results.
Seasonality may cause fluctuations in our sales and results of operations.
Historically, we have experienced seasonality in new customer contracts, as we typically enter into a higher percentage of subscription agreements with new customers and renewals with existing customers in the last two fiscal quarters of each year. We believe that this results from the procurement, budgeting, and deployment cycles of many of our customers, particularly our enterprise customers, along with variables outside of our and our customers’ control, such as macroeconomic and general economic conditions, including inflation, volatile interest rates, uncertainty with respect to the federal budget and debt ceiling and potential government shutdowns related thereto, volatility of the global debt and equity markets, and actual or perceived instability in the global banking sector. We expect that this seasonality, which can itself at times be unpredictable, will continue to affect our bookings, deferred revenue, and our results of operations in the future and might become more pronounced as we continue to target larger enterprise customers.
We recognize a significant portion of revenue from subscriptions over the term of the relevant subscription period, and as a result, downturns or upturns in sales are not immediately reflected in our results of operations. Further, we recognize a significant portion of our subscription revenue over the term of the relevant subscription period. As a result, much of the subscription revenue we report each fiscal quarter is the recognition of deferred revenue from subscription contracts entered into during previous fiscal quarters. Consequently, a decline in new or renewed subscriptions in any one fiscal quarter will not be fully or immediately reflected in revenue in that fiscal quarter and will negatively affect our revenue in future fiscal quarters. Accordingly, the effect of significant downturns in new or renewed sales of our subscriptions is not fully reflected in our results of operations until future periods.
The length of our sales cycle can be unpredictable, particularly with respect to sales to large customers, and our sales efforts may require considerable time and expense.
Our results of operations may fluctuate, in part, because of the length and variability of the sales cycle of our subscriptions and the difficulty in making short-term adjustments to our operating expenses. The length of our sales cycle, from initial contact from a prospective customer to contractually committing to our paid subscriptions can vary substantially from customer to customer based on deal complexity as well as whether a sale is made directly by us. It is difficult to predict exactly when, or even if, we will make a sale to a potential customer or if we can increase sales to our existing customers, the timing of our customers’ decisions to make a purchase, greater deal scrutiny by our customers, changes our customers experienced, or may experience, in their businesses, and other variables some of which are outside of our and our customers’ control, such as macroeconomic and general economic conditions, including inflation, volatile interest rates, uncertainty with respect to the federal budget and debt ceiling and potential government shutdowns related thereto, volatility of the global debt and equity markets, and actual or perceived instability in the global banking sector. Our results of operations depend in part on sales to new large customers and increasing sales to existing customers. As a result, in particular, large individual sales have, in some cases, occurred in quarters subsequent to those we anticipated, or have not occurred at all. Because a substantial proportion of our expenses are relatively fixed in the short term, our results of operations will suffer if revenue falls below our expectations in a particular quarter, which could cause the price of our Class A common stock to decline.
We rely on our management team and other key team members and will need additional personnel to grow our business, and the loss of one or more key team members or our inability to hire, integrate, train and retain qualified personnel, could harm our business.
Our future success is dependent, in part, on our ability to hire, integrate, train, retain and motivate the members of our management team and other key team members throughout our organization. The loss of key personnel, including key members of our management team, as well as certain of our key marketing, sales, finance, support, product development, human resources, or technology personnel, could disrupt our operations and have an adverse effect on our ability to grow our business.
On December 5, 2024, we announced that Sytse Sijbrandij, our co-founder, will resign from his position as our Chief Executive Officer, effective December 5, 2024. In connection with his resignation, Mr. Sijbrandij was appointed as the Executive Chair of our board of directors. On December 5, 2024, we also announced that William Staples has been appointed as our Chief Executive Officer. While we are conducting this transition in an orderly manner, any change in the leadership of the company is a significant event and may result in additional volatility in our stock price and could disrupt our operations and have an adverse effect on our ability to grow our business.
Competition for highly skilled personnel in our industry is intense, and we may not be successful in hiring or retaining qualified personnel to fulfill our current or future needs. We have, from time to time, experienced, and we may experience in the future, difficulty in hiring and retaining highly skilled team members with appropriate qualifications. In particular, recruiting and hiring senior product engineering personnel with AI and machine learning backgrounds has been, and we expect it to continue to be, challenging.
Further, many of the companies with which we compete for experienced personnel have greater resources than we have. Our competitors also may be successful in recruiting and hiring members of our management team or other key team members, and it may be difficult for us to find suitable replacements on a timely basis, on competitive terms, or at all. We have in the past, and may in the future, be subject to allegations that team members we hire have been improperly solicited, or that they have divulged proprietary or other confidential information or that their former employers own such team member’s inventions or other work product, or that they have been hired in violation of non-compete provisions or non-solicitation provisions.
In addition, job candidates and existing team members often consider the value of the benefits and equity awards they receive in connection with their employment. If the perceived value of our benefits, equity, or equity awards declines, it may adversely affect our ability to retain highly skilled team members. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects would be severely harmed.
Our corporate culture has contributed to our success, and if we cannot maintain this culture as we grow, we could lose the innovation, creativity, and teamwork fostered by our culture, and our business may be harmed.
We believe that our corporate culture has been and will continue to be a key contributor to our success. If we do not continue to develop our corporate culture as we grow and evolve, it could harm our ability to foster the innovation, creativity, and teamwork that we believe is important to support our growth. As our organization grows and we are required to implement more complex organizational structures, we may find it increasingly difficult to maintain the beneficial aspects of our corporate culture, which could negatively impact our future success.
We engage our team members in various ways, including direct hires, through PEOs and as independent contractors. As a result of these methods of engagement, we face certain challenges and risks that can affect our business, operating results, and financial condition.
In the locations where we directly hire our team members into one of our entities, we must ensure that we are compliant with the applicable local laws governing team members in those jurisdictions, including local employment and tax laws. In the locations where we utilize PEOs, we contract with the PEO for it to serve as “Employer of Record” for those team members engaged through the PEO in each applicable location. Under this model, team members are employed by the PEO but provide services to GitLab. We also engage team members through a PEO self-employed model in certain jurisdictions where we contract with the PEO, which in turn contracts with individual team members as independent contractors. In all locations where we utilize PEOs, we rely on those PEOs to comply with local employment laws and regulations. We also issue equity to a substantial portion of our team members, including team members engaged through PEOs and to independent contractors, and must ensure we remain compliant with securities laws of the applicable jurisdiction where such team members are located.
Additionally, in some cases, we contract directly with team members who are independent contractors. When we engage team members through a PEO or independent contractor model, we may not be utilizing the appropriate hiring model needed to be compliant with local laws or the PEO may not be complying with local regulations. Additionally, the agreements executed between PEOs and our team members or between us and team members engaged under the independent contractor model, may not be enforceable depending on the local laws because of the indirect relationship created through these engagement models. Accordingly, as a result of our engagement of team members through PEOs, and of our relationship with independent contractors, our business, financial condition and results of operations could be materially and adversely affected. Furthermore, litigation related to our model of engaging team members, if instituted against us, could result in substantial costs and divert our management’s attention and resources from our business.
If we do not effectively hire, integrate, and train additional sales personnel, and expand our sales and marketing capabilities, we may be unable to increase our customer base and increase sales to our existing customers.
Our ability to increase our customer base and achieve broader market adoption of The DevSecOps Platform will depend to a significant extent on our ability to continue to expand our sales and marketing operations. We plan to dedicate significant resources to sales and marketing programs and to expand our sales and marketing capabilities to target additional potential customers, but there is no guarantee that we will be successful in attracting and maintaining additional customers. If we are unable to find efficient ways to deploy our sales and marketing investments or if our sales and marketing programs are not effective, our business and operating results would be adversely affected.
Furthermore, we plan to continue expanding our sales force and there is significant competition for sales personnel with the skills and technical knowledge that we require. Our ability to achieve revenue growth will depend, in part, on our success in hiring, integrating, training, and retaining sufficient numbers of sales personnel to support our growth, particularly in international markets. New hires require significant training and may take significant time before they achieve full productivity. Our recent hires and planned hires may not become productive as quickly as we expect, and we may be unable to hire or retain sufficient numbers of qualified individuals in the markets where we do business or plan to do business. If we are unable to hire and train a sufficient number of effective sales personnel, or the sales personnel we hire are not successful in obtaining new customers or increasing sales to our existing customer base, our business, operating results, and financial condition will be adversely affected.
We are a remote-only company, meaning that our team members work remotely which poses a number of risks and challenges that can affect our business, operating results, and financial condition. We are increasingly dependent on technology in our operations and if our technology fails, our business could be adversely affected.
As a remote-only company, we face a number of unique operational risks. For example, technologies in our team members’ homes may not be robust enough and could cause the networks, information
systems, applications, and other tools available to team members and service providers to be limited, unreliable, or unsecure. Additionally, we are increasingly dependent on technology as a remote-only company and if we experience problems with the operation of our current IT systems or the technology systems of third parties on which we rely, that could adversely affect, or even temporarily disrupt, all or a portion of our operations until resolved. In addition, in a remote-only company, it may be difficult for us to develop and preserve our corporate culture and our team members may have decreased opportunities to collaborate in meaningful ways. Any impediments to preserving our corporate culture and fostering collaboration could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively, and execute on our business strategy.
Unfavorable media coverage could negatively impact our business.
We receive a high degree of media coverage, including due to our commitment to transparency. Unfavorable publicity or consumer perception of our service offerings could adversely affect our reputation, resulting in a negative impact on the size of our user base and the loyalty of our users. It could negatively impact our ability to acquire new customers and could lead to customers choosing to leave GitLab. As a result, our business, financial condition and results of operations could be materially and adversely affected.
Our brand, reputation, and business may be harmed if our customers, partners, team members, contributors or the public at large disagrees with, or finds objectionable, our policies and practices or organizational decisions that we make or with the actions of members of our management team.
Our customers, partners, team members, contributors or the public at large may, from time to time, disagree with, or find objectionable, our policies and practices or organizational decisions that we make or with the actions of members of our management team. As a result of these disagreements and any negative publicity associated therewith, we could lose customers or partners, or we may have difficulty attracting or retaining team members or contributors and such disagreements may divert resources and the time and attention of management from our business. Our culture of transparency may also result in customers, partners, team members, contributors or the public at large having greater insight into our policies and practices or organizational decisions. Additionally, with the importance and impact of social media, any negative publicity regarding our policies and practices or organizational decisions or actions by members of our management team, may be magnified and reach a large portion of our customer, partner, team member base or contributors in a very short period of time, which could harm our brand and reputation and adversely affect our business.
Risks Related to Our International Operations
We plan to continue expanding our international operations which could subject us to additional costs and risks, and our continued expansion internationally may not be successful.
We plan to expand our operations internationally in the future. Outside of the United States, we currently have direct and indirect subsidiaries in Canada, Germany, France, Ireland, Israel, the Netherlands, Spain, the United Kingdom, Australia, India, Japan, South Korea, and Singapore, and have team members in over 60 countries. We also have a joint venture in China. There are significant costs and risks inherent in conducting business in international markets, including:
•establishing and maintaining effective controls at foreign locations and the associated increased costs;
•adapting our technologies, products, and services to non-U.S. consumers’ preferences and customs;
•adapting to doing business in other languages and/or cultures;
•compliance with the laws of numerous taxing jurisdictions where we conduct business, potential double taxation of our international earnings, and potentially adverse tax consequences due to U.S. and foreign tax laws as they relate to our international operations;
•compliance with anti-bribery laws, such as the FCPA and the U.K. Bribery Act, by us, our team members, our service providers, and our business partners;
•difficulties in staffing and managing global operations and the increased travel, infrastructure, and compliance costs associated with multiple international locations;
•complexity and other risks associated with current and future foreign legal requirements, including legal requirements related to data privacy frameworks, such as the GDPR and U.K. GDPR;
•currency exchange rate fluctuations or limitations and related effects on our operating results;
•economic and political instability in some countries, including the potential effects of health pandemics or epidemics and the ongoing armed conflicts in different regions of the world;
•the uncertainty of protection for intellectual property rights in some countries and practical difficulties of enforcing rights abroad; and
•other costs of doing business internationally.
These factors and other factors could harm our international operations and, consequently, materially impact our business, operating results, and financial condition. Further, we may incur significant operating expenses as a result of our international expansion; such expansion may not be successful. We have limited experience with regulatory environments and market practices internationally, and we may not be able to penetrate or successfully operate in new markets. If we are unable to continue to expand internationally and manage the complexity of our global operations successfully, our financial condition and operating results could be adversely affected.
We have a limited operating history in China and we face risks with respect to conducting business in connection with our joint venture in China due to certain legal, political, economic and social uncertainties relating to China. Our ability to monetize our joint venture in China may be limited.
In February 2021, we partnered with two Chinese investment partners to form an independent company called GitLab Information Technology (Hubei) Co., Ltd. (极狐, pinyin: JiHu, pronounced Gee Who) which was formed to specifically serve the Chinese market. This company offers a dedicated distribution of The DevSecOps Platform available as both a self-managed and SaaS that is only available in mainland China, Hong Kong and Macau. The autonomous company has its own governance structure, management team, and business support functions including Engineering, Sales, Marketing, Finance, Legal, Human Relations and Customer Support.
Our participation in this joint venture in China is subject to general, as well as industry-specific, economic, political, tax, and legal developments and risks in China. The Chinese government exercises significant control over the Chinese economy, including but not limited to controlling capital investments, allocating resources, setting monetary policy, controlling and monitoring foreign exchange rates, implementing and overseeing tax regulations, providing preferential treatment to certain industry segments or companies and issuing necessary licenses to conduct business. In addition, we could face additional risks resulting from changes in China’s data privacy and cybersecurity requirements, including China’s adoption of the Personal Information Protection Law, or PIPL, which went into effect on November 1, 2021. The PIPL shares similarities with the GDPR, including extraterritorial application, data minimization, data localization, and purpose limitation requirements, and obligations to provide certain notices and rights to citizens of China. Accordingly, any adverse change in the Chinese economy, the
Chinese legal system or Chinese governmental, economic or other policies could have a material adverse effect on our business and operations in China and our prospects generally.
We face additional risks in China due to China’s historically limited recognition and enforcement of contractual and intellectual property rights. We may experience difficulty enforcing our intellectual property rights in China. Unauthorized use of our technologies and intellectual property rights by Chinese partners or competitors may dilute or undermine the strength of our brands. If we cannot adequately monitor the use of our technologies and products, or enforce our intellectual property rights in China or contractual restrictions relating to use of our intellectual property by Chinese companies, our revenue from JiHu could be adversely affected.
Our joint venture is subject to laws and regulations applicable to foreign investment in China. There are uncertainties regarding the interpretation and enforcement of laws, rules and policies in China. Because many laws and regulations are relatively new, the interpretations of many laws, regulations and rules are not always uniform. Moreover, the interpretation of statutes and regulations may be subject to government policies reflecting domestic political agendas. Enforcement of existing laws or contracts based on existing law may be uncertain and sporadic. As a result of the foregoing, it may be difficult for us to obtain swift or equitable enforcement of laws ostensibly designed to protect companies like ours, which could have a material adverse effect on our business and results of operations. Our ability to monetize our joint venture in China may also be limited. Although the joint venture entity is an autonomous company, it is the exclusive seller of GitLab in mainland China, Hong Kong and Macau and is therefore the public face of GitLab in those areas. Additionally, under U.S. GAAP, we currently consolidate the joint venture’s financials within our own and rely on the joint venture’s management for accurate and timely delivery of the joint venture’s financials. Therefore, we face reputational and brand risk as a result of any negative publicity faced by the joint venture entity. Any such reputational and brand risk can harm our business and operating results.
We are exposed to fluctuations in currency exchange rates and interest rates, which could negatively affect our results of operations and our ability to invest and hold our cash.
Revenue generated is primarily billed in U.S. dollars while expenses incurred by our international subsidiaries and activities are often denominated in the currencies of the local countries. As a result, our condensed consolidated U.S. dollar financial statements are subject to fluctuations due to changes in exchange rates as the financial results of our international subsidiaries are translated from local currencies into U.S. dollars. Our financial results are also subject to changes in exchange rates that impact the settlement of transactions in non-local currencies. To date, we have not engaged in currency hedging activities to limit the risk of exchange fluctuations and, as a result, our financial condition and operating results could be adversely affected by such fluctuations.
Our fixed-income investment portfolio is subject to fluctuations in fair value due to change in interest rates, which could adversely affect our results of operations due to a rise in interest rates in the future.
Risks Related to Financial and Accounting Matters
We have identified a material weakness in our internal controls over financial reporting and if our remediation of such material weaknessis not effective, or if we fail to develop and maintain an effective system of disclosure controls and internal controls over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable laws and regulations could be impaired.
As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, and the rules and regulations of the applicable listing standards of the Nasdaq Global Select Market.
The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and improve the
effectiveness of our internal controls and procedures, we have expended, and anticipate that we will continue to expend, significant resources, including accounting related costs and significant management oversight.
As disclosed in our Annual Report on Form 10-K for the year ended January 31, 2024, we had identified a material weakness in our internal control over financial reporting. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of our annual or interim financial statements will not be prevented or detected on a timely basis. We determined that a material weakness exists due to a lack of policies and procedures related to the operation of control activities and inadequate communication of information to control owners and operators related to the objectives and responsibilities for internal control in a manner which supports the internal control environment at the company.
As a result, the following material weakness exists as of October 31, 2024:
•We did not design and maintain effective controls over certain information technology (“IT”) general controls for information systems used in the financial reporting processes related to revenue. In particular, we did not design and maintain effective (i) program change management controls to ensure that IT programs, data changes and migrations affecting financial IT applications and underlying records are identified, tested, authorized and implemented appropriately and (ii) user access controls to ensure appropriate segregation of duties, restricted user and privileged access to our financial applications, data and programs to the appropriate personnel. The ineffective design and operation of IT general controls resulted in the ineffective operation of automated controls and manual controls using reports and information from the impacted information systems used in the financial reporting processes related to revenue.
Although the aforementioned material weakness did not result in a material misstatement to our annual or interim financial statements, the deficiency could result in misstatements potentially impacting the financial reporting processes related to revenue and related disclosures that would not be prevented or detected. Therefore, we concluded that the deficiency represents a material weakness in ourinternal control over financial reporting, and our internal control over financial reporting was not effective as of October 31, 2024.
Our independent registered public accounting firm, KPMG LLP, who audited the consolidated financial statements included in this Annual Report on Form 10-K, issued an adverse opinion on the effectiveness of the Company’s internal control over financial reporting for the year ended January 31, 2024. We have implemented remediation actions to enhance our internal control environment and address the material weakness. See the section entitled “Remediation Efforts and Status” for additional information.
However, we cannot guarantee that the measures we have taken to date, and actions we may take in the future, will be sufficient to remediate the control deficiencies that led to our material weakness or that they will prevent or avoid potential future material weaknesses. Our current controls and any new controls we develop may become inadequate because of changes in conditions in our business. Further, additional weaknesses in our internal controls may be discovered in the future. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our operating results, may result in a restatement of our financial statements for prior periods, cause us to fail to meet our reporting obligations, and could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in the periodic reports we will file with the SEC. Because we are a large accelerated filer, our independent registered public accounting firm is required to annually audit the effectiveness of our internal control over financial reporting, which has, and will continue to, require increased costs, expenses, and management
resources. Undetected material weaknesses in our internal control over financial reporting could lead to financial statement restatements and require us to incur the expense of remediation. We are also required to disclose changes made in our internal control over financial reporting that have materially affected, or are reasonably likely to materially affect, internal control over financial reporting on a quarterly basis. To comply with the requirements of being a public company, we have undertaken, and may need to further undertake in the future, various actions, such as implementing new internal controls and procedures and hiring additional accounting staff.
As a public company, significant resources and management oversight are required. As a result, management’s attention may be diverted from other business concerns, which could harm our business, financial condition and operating results.
We incur significant costs and devote management resources as a result of operating as a public company.
As a public company, we incur significant legal, accounting, compliance and other expenses that we did not incur as a private company. Our management and other personnel devote a substantial amount of time and incur significant expense in connection with compliance initiatives. As a public company, we bear all of the internal and external costs of preparing and distributing periodic public reports in compliance with our obligations under the securities laws.
In addition, regulations and standards relating to corporate governance and public disclosure, including the Sarbanes-Oxley Act, and the related rules and regulations implemented by the SEC, have increased legal and financial compliance costs and will make some compliance activities more time consuming. We intend to continue to invest resources to comply with evolving laws, regulations and standards, and this investment will result in increased general and administrative expenses and may divert management’s time and attention from our other business activities. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to practice, regulatory authorities may initiate legal proceedings against us, and our business may be harmed. In connection with our initial public offering, we also increased our directors’ and officers’ insurance coverage, which increased our insurance cost. In the future, it may be more expensive or more difficult for us to obtain director and officer liability insurance, and we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors would also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit committee and compensation and leadership development committee, and qualified executive officers.
We may in the future need to raise additional capital to grow our business, and we may not be able to raise capital on terms acceptable to us or at all. In addition, any inability to generate or obtain such capital may adversely affect our operating results and financial condition.
In order to support our growth and respond to business challenges, such as developing new features or enhancements to our services to stay competitive, acquiring new technologies, and improving our infrastructure, we have made significant financial investments in our business and we intend to continue to make such investments. As a result, we may need to engage in additional equity or debt financings to provide the funds required for these investments and other business endeavors. If we need to engage in such additional equity or debt financings, we may not be able to raise needed cash on terms acceptable to us or at all. Financing may be on terms that are dilutive or potentially dilutive to our stockholders, and the prices at which new investors would be willing to purchase our securities may be significantly lower than the current price per share of our Class A common stock. The holders of new debt or equity securities may also have rights, preferences, or privileges that are senior to those of existing holders of our common stock. If new sources of financing are required, but are insufficient or unavailable, we will be
required to modify our growth and operating plans based on available funding, if any, which would harm our ability to grow our business.
If we raise additional funds through equity or convertible debt issuances, our existing stockholders may suffer significant dilution and these securities could have rights, preferences, and privileges that are superior to those of holders of our common stock. If we obtain additional funds through debt financing, we may not be able to obtain such financing on terms favorable to us. Such terms may involve restrictive covenants making it difficult to engage in capital raising activities and pursue business opportunities, including potential acquisitions. The trading prices of technology companies have been highly volatile as a result of recent global events, including increasing interest rates and inflation and the ongoing armed conflicts in different regions of the world, which may reduce our ability to access capital on favorable terms or at all. In addition, a sustained adverse market event resulting from such global events could adversely affect our business and the value of our Class A common stock. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired and our business may be adversely affected, requiring us to delay, reduce, or eliminate some or all of our operations.
Changes in tax laws or other tax guidance could adversely affect our effective tax rates, financial condition, and results of operations.
We are a U.S.-based multinational company subject to taxes in multiple U.S. and foreign tax jurisdictions. In the United States and other countries where we conduct business and in jurisdictions in which we are subject to taxes, including those covered by governing bodies that enact tax laws applicable to us, we are subject to potential changes in relevant tax, accounting and other laws, regulations, guidance, and interpretations, including changes to tax laws applicable to corporate multinationals such as GitLab. These countries, governmental bodies, and intergovernmental economic organizations such as the Organization for Economic Cooperation and Development, have or could make unprecedented assertions about how taxation is determined in their jurisdictions that are contrary to the way in which we have interpreted and historically applied the rules and regulations described above in such jurisdictions. In the current global tax policy environment, any changes in laws, regulations, guidance and/or interpretations related to these assertions could adversely affect our effective tax rates, cause us to respond by making changes to our business structure, or result in other costs to us which could adversely affect our operations and financial results.
In December 2017, the U.S. federal government enacted the tax reform legislation known as the Tax Cuts and Jobs Act, or the 2017 Tax Act. The 2017 Tax Act significantly changed the existing U.S. corporate income tax laws by, among other things, lowering the U.S. corporate tax rate, implementing a partially territorial tax system, and imposing a one-time deemed repatriation tax on certain post-1986 foreign earnings. Recently the U.S. Treasury Department issued regulations for the purpose of interpreting the 2017 Tax Act, including regulations disallowing foreign tax credits for taxes which are dissimilar to income taxes, limiting the deductibility of interest, and requiring the capitalization of research and development expenses. Due to the reconciliation process used to pass the 2017 Tax Act, many provisions are in the process of being phased out, and it is uncertain whether many of the provisions in the 2017 Tax Act will be restored. The Inflation Reduction Act of 2022, enacted on August 16, 2022, further amended the U.S. federal tax code, imposing a 15% minimum tax on “adjusted financial statement income” of certain corporations as well as an excise tax on the repurchase or redemption of stock by certain corporations, beginning in the 2023 tax year.
Over the last several years, the Organization for Economic Cooperation and Development, or the OECD, has been working on a Base Erosion and Profit Shifting project that, if implemented, would change various aspects of the existing framework under which our tax obligations are determined in many of the countries in which we do business. The OECD has a framework to implement a global minimum corporate tax of 15% for companies with global revenues and profits above certain thresholds (referred to as Pillar 2), with certain aspects of Pillar 2 effective January 1, 2024 and other aspects effective January
1, 2025. While it is uncertain whether the United Stateswill enact legislation to adopt Pillar 2, certain countries in which we operate have adopted legislation. On December 15, 2022, the European Union member states agreed to implement the OECD’s global minimum tax rate of 15%. Similarly, the European Union and several countries have issued proposals that would apply to various aspects of the current tax framework under which we are taxed. These proposals include changes to the existing framework to calculate income tax, as well as proposals to change or impose new types of non-income taxes, including taxes based on a percentage of revenue. For example, several jurisdictions have proposed or enacted taxes applicable to digital services, which include business activities on digital advertising and online marketplaces, and which apply to our business.
Due to the large and expanding scale of our international business activities, many of these types of changes to the taxation of our activities described above could increase our worldwide effective tax rate, increase the amount of non-income taxes imposed on our business, and harm our financial position, results of operations, and cash flows. Such changes may also apply retroactively to our historical operations and result in taxes greater than the amounts estimated and recorded in our financial statements. There can be no assurance that future tax law changes will not increase the rate of the corporate income tax, impose new limitations on deductions, credits or other tax benefits, or make other changes that may adversely affect our business, cash flows or financial performance. Among other considerations, the applicability and impact of these tax provisions, and of other U.S. or international tax law changes could adversely affect our effective income tax rate and cash flows in future years.
We may have exposure to greater than anticipated tax liabilities.
The tax laws applicable to our business, including the laws of the United States and other jurisdictions, are subject to interpretation and certain jurisdictions are aggressively interpreting their laws to expand the tax bases. Our existing corporate structure has been implemented in a manner we believe is in compliance with current tax laws. However, the taxing authorities of the jurisdictions in which we operate may challenge our methodologies, including for valuing developed technology or intercompany arrangements, which could impact our worldwide effective tax rate and adversely affect our financial condition and results of operations, possibly with retroactive effect. Moreover, changes to our corporate structure could impact our worldwide effective tax rate and adversely affect our financial condition and results of operations.
Furthermore, U.S. and OECD Transfer Pricing Guidelines require us to analyze the functions performed by our entities, the risks incurred, and the assets owned. This functional analysis is a control to sustain the operating margins of our entities and confirm arm’s length pricing for intercompany transactions. Competent authorities could interpret, change, modify or apply adversely, existing tax laws, statutes, rules, regulations or ordinances to us (possibly with retroactive effect); which could require us to make transfer pricing corrections or to pay fines, penalties or interest for past amounts. If we are unable to make corresponding adjustments with our related entities, we would effectively be liable for additional tax, thereby adversely impacting our operating results and cash flows.
Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. Our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including those relating to income tax nexus. The relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our business, with some changes possibly affecting our tax obligations in future or past years. We regularly assess the likelihood of outcomes resulting from possible examinations to determine the adequacy of our provision for income taxes and have reserved for potential adjustments that may result from these examinations. We cannot provide assurance that the final determination of any of these examinations will not have an adverse effect on our financial position and results of operations.
Our cash and cash equivalents could be adversely affected if the financial institutions in which we hold our cash and cash equivalents fail.
We regularly maintain cash balances at third-party financial institutions in excess of the FDIC insurance limit and similar regulatory insurance limits outside the United States. If a depository institution where we maintain deposits fails or is subject to adverse conditions in the financial or credit markets, we may not be able to recover all, if any, of our deposits, which could adversely impact our operating liquidity and financial performance.
Risks Related to Ownership of Our Class A Common Stock
The market price of our Class A common stock may be volatile, and you could lose all or part of your investment.
Technology stocks historically have experienced high levels of volatility. The market price of our Class A common stock depends on a number of factors, including those described in this “Risk Factors” section, many of which are beyond our control and may not be related to our operating performance. In addition, the limited public float of our Class A common stock may increase the volatility of the trading price of our Class A common stock. These fluctuations could cause you to lose all or part of your investment in our Class A common stock, since you might not be able to sell your shares at or above the price initially paid for the stock. Factors that could cause fluctuations in the market price of our Class A common stock include the following:
•actual or anticipated changes or fluctuations in our operating results;
•the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections;
•announcements by us or our competitors of new products or new or terminated significant contracts, commercial relationships or capital commitments;
•industry or financial analyst or investor reaction to our press releases, other public announcements and filings with the SEC;
•rumors and market speculation involving us or other companies in our industry;
•price and volume fluctuations in the overall stock market from time to time;
•changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
•failure of industry or financial analysts to maintain coverage of us, changes in financial estimates by any analysts who follow our company, or our failure to meet these estimates or the expectations of investors;
•actual or anticipated developments in our business or our competitors’ businesses or the competitive landscape generally;
•litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors;
•developments or disputes concerning our intellectual property rights or our solutions, or third-party proprietary rights;
•announced or completed acquisitions of businesses or technologies by us or our competitors;
•new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
•the impact of interest rate increases on the overall stock market and the market for technology company stocks;
•any major changes in our management or our board of directors;
•effects of public health crises, pandemics, and epidemics;
•general economic conditions, changes in the capital markets generally, inflation, slow or negative growth of our markets and instability in the global banking sector; and
•other events or factors, including those resulting from political instability, war, incidents of terrorism or responses to these events, including those related to the ongoing armed conflicts in different regions of the world.
In addition, the stock market in general, and the market for technology companies in particular, has experienced extreme price and volume fluctuations that have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry factors may seriously affect the market price of our Class A common stock, regardless of our actual operating performance. In addition, in the past, following periods of volatility in the overall market and the market prices of a particular company’s securities, companies have been subject to increased stockholder activism or securities class action litigation. Any stockholder activism or securities litigation, if instituted against us, could result in substantial costs and divert our management’s attention and resources from our business. This could have an adverse effect on our business, operating results and financial condition.
Sales of substantial amounts of our Class A common stock in the public markets, or the perception that they might occur, could cause the market price of our Class A common stock to decline.
Sales of a substantial number of shares of our Class A common stock into the public market, particularly sales by our directors, executive officers, and greater than 5% stockholders, or the perception that these sales might occur, could cause the market price of our Class A common stock to decline or make it more difficult for you to sell your Class A common stock at a time and price that you deem appropriate.
Moreover, the holders of a significant portion of shares of our capital stock also have rights, subject to some conditions, to require us to file registration statements for the public resale of such capital stock or to include such shares in registration statements that we may file for us or other stockholders.
We may also issue our shares of our capital stock or securities convertible into shares of our capital stock from time to time in connection with a financing, acquisition, investment, or otherwise.
The dual class structure of our common stock will have the effect of concentrating voting control with those stockholders who hold our Class B capital stock, including our directors, executive officers, and beneficial owners of 5% or greater of our outstanding capital stock who hold in the aggregate a majority of the voting power of our capital stock, which will limit or preclude your ability to influence corporate matters, including the election of directors and the approval of any change of control transaction.
Our Class B common stock has ten votes per share, and our Class A common stock has one vote per share. As of October 31, 2024, the holders of our outstanding Class B common stock hold a substantial majority of the voting power of our outstanding capital stock, with our directors, executive officers, and holders of more than 5% of our common stock, and their respective affiliates, holding a majority of the voting power of our capital stock. Because of the ten-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively will continue to control a majority of the combined voting power of our common stock and therefore will be able to control all matters submitted to our stockholders for approval until the earlier of (i) October 14, 2031, (ii) the death or disability, as defined in our restated certificate of incorporation, of Sytse Sijbrandij, (iii) the date specified
by a vote of the holders of two-thirds of the then outstanding shares of Class B common stock and (iv) the first date on which the number of shares of outstanding Class B common stock (including shares of Class B common stock subject to outstanding stock options) is less than 5% of the aggregate number of shares of outstanding common stock. This concentrated control will limit or preclude your ability to influence corporate matters for the foreseeable future, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of our Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, such as certain transfers effected for estate planning purposes. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those holders of our Class B common stock who retain their shares in the long term.
The dual class structure of our common stock may adversely affect the trading market for our Class A common stock.
Several stockholder advisory firms and large institutional investors oppose the use of multiple class structures. As a result, the dual class structure of our common stock may cause stockholder advisory firms to publish negative commentary about our corporate governance practices or otherwise seek to cause us to change our capital structure, and may result in large institutional investors not purchasing shares of our Class A common stock. Any actions or publications by stockholder advisory firms or institutional investors critical of our corporate governance practices or capital structure could also adversely affect the value of our Class A common stock.
If industry or financial analysts do not continue to publish research or reports about our business, or if they issue inaccurate or unfavorable research regarding our Class A common stock, our stock price and trading volume could decline.
The trading market for our Class A common stock will depend in part on the research and reports that industry or financial analysts publish about us or our business. We do not control these analysts or the content and opinions included in their reports. If any of the analysts who cover us issues an inaccurate or unfavorable opinion regarding our stock price, our stock price may decline. In addition,if our financial results fail to meet, or exceed, our announced guidance or the expectations of analysts or public investors, analysts could downgrade our Class A common stock or publish unfavorable research about us.
We do not intend to pay dividends in the foreseeable future. As a result, your ability to achieve a return on your investment will depend on appreciation in the price of our Class A common stock.
We have never declared or paid any cash dividends on our capital stock. We currently intend to retain all available funds and any future earnings for use in the operation of our business and do not anticipate paying any dividends in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must for the foreseeable future rely on sales of their Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
Provisions in our organizational documents and under Delaware law could make an acquisition of us, which could be beneficial to our stockholders, more difficult and may limit attempts by our stockholders to replace or remove our current management.
Provisions in our restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a merger, acquisition or other change of control of our company that our stockholders may consider favorable. In addition, because our board of directors is responsible for appointing the members of our management team, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors. Among other things, our restated certificate of incorporation and amended and restated bylaws include provisions that:
•provide that our board of directors is classified into three classes of directors with staggered three-year terms;
•permit our board of directors to establish the number of directors and fill any vacancies and newly created directorships;
•require supermajority voting to amend some provisions in our restated certificate of incorporation and amended and restated bylaws;
•authorize the issuance of “blank check” preferred stock that our board of directors could use to implement a stockholder rights plan;
•provide that only our chief executive officer or a majority of our board of directors will be authorized to call a special meeting of stockholders;
•eliminate the ability of our stockholders to call special meetings of stockholders;
•do not provide for cumulative voting;
•provide that directors may only be removed “for cause” and only with the approval of two-thirds of our stockholders;
•provide for a dual class common stock structure in which holders of our Class B common stock may have the ability to control the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the outstanding shares of our common stock, including the election of directors and other significant corporate transactions, such as a merger or other sale of our company or its assets;
•prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders;
•provide that our board of directors is expressly authorized to make, alter, or repeal our amended and restated bylaws; and
•establish advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.
Moreover, Section 203 of the Delaware General Corporation Law, or DGCL, may discourage, delay, or prevent a change in control of our company. Section 203 imposes certain restrictions on mergers, business combinations, and other transactions between us and holders of 15% or more of our common stock.
Our restated certificate of incorporation and amended and restated bylaws contain exclusive forum provisions for certain claims, which may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, or team members.
Our restated certificate of incorporation provides that the Court of Chancery of the State of Delaware, to the fullest extent permitted by law, will be the exclusive forum for any derivative action or proceeding brought on our behalf, any action asserting a breach of fiduciary duty, any action asserting a claim against us arising pursuant to the DGCL, our restated certificate of incorporation, or our amended and restated bylaws, or any action asserting a claim against us that is governed by the internal affairs doctrine.
Moreover, Section 22 of the Securities Act creates concurrent jurisdiction for federal and state courts over all claims brought to enforce any duty or liability created by the Securities Act or the rules and regulations thereunder. Our restated certificate of incorporation and amended and restated bylaws provide that the federal district courts of the United States will, to the fullest extent permitted by law, be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act, such provision, the Federal Forum Provision. Our decision to adopt a Federal Forum Provision followed a decision by the Supreme Court of the State of Delaware holding that such provisions are facially valid under Delaware law. While there can be no assurance that federal or state courts will follow the holding of the Delaware Supreme Court or determine that the Federal Forum Provision should be enforced in a particular case, application of the Federal Forum Provision means that suits brought by our stockholders to enforce any duty or liability created by the Securities Act must be brought in federal court and cannot be brought in state court.
Section 27 of the Exchange Act creates exclusive federal jurisdiction over all claims brought to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder. In addition, the Federal Forum Provision applies to suits brought to enforce any duty or liability created by the Exchange Act. Accordingly, actions by our stockholders to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder must be brought in federal court.
Our stockholders will not be deemed to have waived our compliance with the federal securities laws and the regulations promulgated thereunder.
Any person or entity purchasing or otherwise acquiring or holding any interest in any of our securities shall be deemed to have notice of and consented to our exclusive forum provisions, including the Federal Forum Provision. These provisions may limit a stockholders’ ability to bring a claim in a judicial forum of their choosing for disputes with us or our directors, officers, or team members, which may discourage lawsuits against us and our directors, officers, and team members. Alternatively, if a court were to find the choice of forum provisions contained in our restated certificate of incorporation or amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, financial condition, and operating results.
We may be adversely affected by natural disasters, pandemics and other catastrophic events, and by man-made problems such as acts of war, terrorism, that could disrupt our business operations and our business continuity and disaster recovery plans may not adequately protect us from a serious disaster.
Natural disasters, pandemics, and epidemics, or other catastrophic events such as fire or power shortages, along with man-made problems such as acts of war and terrorism, and other events beyond our control may cause damage or disruption to our operations, international commerce, and the global economy, and could have an adverse effect on our business, operating results, and financial condition. While we do not have a corporate headquarters, we have team members around the world, and any such catastrophic event could occur in areas where significant portions of our team members are located. Moreover, these conditions can affect the rate of software development operations solutions spending and could adversely affect our customers’ ability or willingness to attend our events or to purchase our services, delay prospective customers’ purchasing decisions or project implementation timing, reduce the value or duration of their subscription contracts, affect attrition rates, or result in requests from customers for payment or pricing concessions, all of which could adversely affect our future sales and operating results. As a result, we may experience extended sales cycles; our ability to close transactions with new and existing customers and partners may be negatively impacted; our ability to recognize revenue from software transactions we do close may be negatively impacted due to implementation delays or other factors; our demand generation activities, and the efficiency and effect of those activities, may be negatively affected. Recent macroeconomic conditions, including inflation and volatile interest rates, have, and may continue to, put pressure on overall spending for our products and services, and may cause our customers to modify spending priorities or delay or abandon purchasing decisions, thereby lengthening sales cycles, and may make it difficult for us to forecast our sales and operating results and to make decisions about future investments. These and other potential effects on our business may be significant and could materially harm our business, operating results and financial condition.
In the event of a natural disaster, including a major earthquake, blizzard, or hurricane, or a catastrophic event such as a fire, power loss, or telecommunications failure, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in development of our solutions, lengthy interruptions in service, breaches of data security, and loss of critical data, all of which could have an adverse effect on our future operating results. Additionally, all of the aforementioned risks may be further increased if we do not implement a disaster recovery plan or the disaster recovery plans put in place by us or our partners prove to be inadequate.
We are and could continue to be subject to securities class action litigation.
Securities class action litigation is often instituted against companies following periods of volatility in the market price of a company’s securities. See Part II, Item 1 of this Form 10-Q for additional information regarding our pending legal proceedings. Such suits may seek, as applicable, direct, indirect, consequential, punitive or other penalties or monetary damages, injunctive relief, and/or attorneys’ fees. This type of litigation could result in substantial costs, adverse publicity, and a diversion of management’s attention and resources, which could adversely affect our business operating results, or financial condition. Additionally, the cost of directors’ and officers’ liability insurance may increase, which may cause us to opt for lower overall policy limits or to forgo insurance that we may otherwise rely on to cover significant defense costs, settlements, and damages awarded to plaintiffs.
ITEM 2. UNREGISTERED SALES OF EQUITY SECURITIES, USE OF PROCEEDS, AND ISSUER PURCHASES OF EQUITY SECURITIES
(a) Recent Sales of Unregistered Equity Securities
There have been no sales of unregistered securities by the company in the quarter ended October 31, 2024.