Company Quick10K Filing
Cloudflare
10-Q 2020-06-30 Filed 2020-08-10
10-Q 2020-03-31 Filed 2020-05-11
10-K 2019-12-31 Filed 2020-03-04
10-Q 2019-09-30 Filed 2019-11-12
S-1 2019-08-15 Public Filing
8-K 2020-08-06 Earnings, Regulation FD, Exhibits
8-K 2020-06-02
8-K 2020-05-12
8-K 2020-05-07
8-K 2020-02-13
8-K 2020-01-07
8-K 2019-11-07

NET 10K Annual Report

Part I
Item 1. Business
Item 1A. Risk Factors
Item 1B. Unresolved Staff Comments
Item 2. Properties
Item 3. Legal Proceedings
Item 4. Mine Safety Disclosures
Part II
Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Item 6. Selected Financial and Other Data
Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations
Item 7A. Quantitative and Qualitative Disclosures About Market Risk
Item 8. Financial Statements and Supplementary Data
Note 1. Organization and Basis of Presentation
Note 2. Summary of Significant Accounting Policies
Note 3. Revenue
Note 4. Fair Value Measurements
Note 5. Balance Sheet Components
Note 6. Note Payable
Note 7. Commitments and Contingencies
Note 8. Redeemable Convertible Preferred Stock
Note 9. Common Stock
Note 10. Stock - Based Compensation
Note 11. Net Loss per Share Attributable To Common Stockholders
Note 12. Income Taxes
Note 13. Related Party Transactions
Note 14. Segment and Geographic Information
Note 15. Subsequent Events
Item 9. Changes in and Disagreements with Accountants on Accounting and Financial Disclosure
Item 9A. Controls and Procedures
Item 9B. Other Information
Part III
Item 10. Directors, Executive Officers and Corporate Governance
Item 11. Executive Compensation
Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
Item 13. Certain Relationships and Related Transactions, and Director Independence
Item 14. Principal Accounting Fees and Services
Part IV
Item 15. Exhibits and Financial Statement Schedules
Item 16. Form 10 - K Summary
EX-4.3 a10-kex43xdescriptiono.htm
EX-23.1 a10-kex231xkpmgconsent.htm
EX-31.1 a10-kex311.htm
EX-31.2 a10-kex312.htm
EX-32.1 a10-kex321.htm

Cloudflare Earnings 2019-12-31

Balance SheetIncome StatementCash Flow

cloud-20191231
FALSE0001477333FY2019--12-31P4YP4YP1Y0M0DP4YP4YP3YP4YP6MP6MP0Y0M0D100014773332019-01-012019-12-31iso4217:USD00014773332019-09-17xbrli:shares0001477333us-gaap:CommonClassAMember2020-02-210001477333us-gaap:CommonClassBMember2020-02-210001477333us-gaap:IPOMember2019-01-012019-12-310001477333us-gaap:CommonClassBMember2018-01-012018-12-3100014773332019-12-3100014773332018-12-31iso4217:USDxbrli:shares0001477333us-gaap:CommonClassAMember2018-12-310001477333us-gaap:CommonClassAMember2019-12-310001477333us-gaap:CommonClassBMember2018-12-310001477333us-gaap:CommonClassBMember2019-12-3100014773332018-01-012018-12-3100014773332017-01-012017-12-310001477333us-gaap:RetainedEarningsMember2018-01-012018-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2016-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2016-12-310001477333us-gaap:CommonClassBMemberus-gaap:CommonStockMember2016-12-310001477333us-gaap:AdditionalPaidInCapitalMember2016-12-310001477333us-gaap:RetainedEarningsMember2016-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2016-12-3100014773332016-12-310001477333us-gaap:CommonClassBMemberus-gaap:CommonStockMember2017-01-012017-12-310001477333us-gaap:AdditionalPaidInCapitalMember2017-01-012017-12-310001477333us-gaap:RetainedEarningsMember2017-01-012017-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2017-01-012017-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2017-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2017-12-310001477333us-gaap:CommonClassBMemberus-gaap:CommonStockMember2017-12-310001477333us-gaap:AdditionalPaidInCapitalMember2017-12-310001477333us-gaap:RetainedEarningsMember2017-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2017-12-3100014773332017-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2018-01-012018-12-310001477333us-gaap:CommonClassBMemberus-gaap:CommonStockMember2018-01-012018-12-310001477333us-gaap:AdditionalPaidInCapitalMember2018-01-012018-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2018-01-012018-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2018-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2018-12-310001477333us-gaap:CommonClassBMemberus-gaap:CommonStockMember2018-12-310001477333us-gaap:AdditionalPaidInCapitalMember2018-12-310001477333us-gaap:RetainedEarningsMember2018-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2018-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2019-01-012019-12-310001477333us-gaap:AdditionalPaidInCapitalMember2019-01-012019-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2019-01-012019-12-310001477333us-gaap:CommonClassBMemberus-gaap:CommonStockMember2019-01-012019-12-310001477333us-gaap:RetainedEarningsMember2019-01-012019-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-01-012019-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2019-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2019-12-310001477333us-gaap:CommonClassBMemberus-gaap:CommonStockMember2019-12-310001477333us-gaap:AdditionalPaidInCapitalMember2019-12-310001477333us-gaap:RetainedEarningsMember2019-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-12-310001477333us-gaap:IPOMemberus-gaap:CommonClassAMember2019-09-012019-09-300001477333us-gaap:OverAllotmentOptionMemberus-gaap:CommonClassAMember2019-09-012019-09-300001477333us-gaap:OverAllotmentOptionMemberus-gaap:CommonClassAMember2019-09-300001477333cloud:SeriesDRedeemableConvertiblePreferredStockMember2019-09-012019-09-300001477333us-gaap:CommonClassAMember2019-09-012019-09-300001477333cloud:SeriesASeriesBAndSeriesCRedeemableConvertiblePreferredStockMember2019-09-012019-09-300001477333us-gaap:CommonClassBMember2019-09-012019-09-300001477333cloud:FormerEmployeesMemberus-gaap:CommonClassAMember2019-09-012019-09-300001477333us-gaap:CommonClassBMembercloud:FormerEmployeesMember2019-09-012019-09-3000014773332019-09-012019-09-300001477333us-gaap:EmployeeStockOptionMember2019-01-012019-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2019-01-012019-12-310001477333us-gaap:TechnologyEquipmentMember2019-01-012019-12-310001477333us-gaap:BuildingMember2019-01-012019-12-310001477333us-gaap:OfficeEquipmentMember2019-01-012019-12-310001477333us-gaap:FurnitureAndFixturesMember2019-01-012019-12-310001477333us-gaap:SoftwareDevelopmentMember2019-01-012019-12-310001477333us-gaap:DevelopedTechnologyRightsMember2019-01-012019-12-3100014773332017-11-012017-11-30cloud:segment0001477333srt:MinimumMember2019-01-012019-12-310001477333srt:MaximumMember2019-01-012019-12-310001477333country:US2019-01-012019-12-31xbrli:pure0001477333us-gaap:GeographicConcentrationRiskMembercountry:USus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333country:US2018-01-012018-12-310001477333us-gaap:GeographicConcentrationRiskMembercountry:USus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333country:US2017-01-012017-12-310001477333us-gaap:GeographicConcentrationRiskMembercountry:USus-gaap:RevenueFromContractWithCustomerMember2017-01-012017-12-310001477333us-gaap:EMEAMember2019-01-012019-12-310001477333us-gaap:EMEAMemberus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333us-gaap:EMEAMember2018-01-012018-12-310001477333us-gaap:EMEAMemberus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333us-gaap:EMEAMember2017-01-012017-12-310001477333us-gaap:EMEAMemberus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2017-01-012017-12-310001477333srt:AsiaPacificMember2019-01-012019-12-310001477333srt:AsiaPacificMemberus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333srt:AsiaPacificMember2018-01-012018-12-310001477333srt:AsiaPacificMemberus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333srt:AsiaPacificMember2017-01-012017-12-310001477333srt:AsiaPacificMemberus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2017-01-012017-12-310001477333country:CN2019-01-012019-12-310001477333country:CNus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333country:CN2018-01-012018-12-310001477333country:CNus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333country:CN2017-01-012017-12-310001477333country:CNus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2017-01-012017-12-310001477333cloud:OtherGeographicalRegionsMember2019-01-012019-12-310001477333us-gaap:GeographicConcentrationRiskMembercloud:OtherGeographicalRegionsMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333cloud:OtherGeographicalRegionsMember2018-01-012018-12-310001477333us-gaap:GeographicConcentrationRiskMembercloud:OtherGeographicalRegionsMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333cloud:OtherGeographicalRegionsMember2017-01-012017-12-310001477333us-gaap:GeographicConcentrationRiskMembercloud:OtherGeographicalRegionsMemberus-gaap:RevenueFromContractWithCustomerMember2017-01-012017-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2017-01-012017-12-310001477333us-gaap:SalesChannelThroughIntermediaryMember2019-01-012019-12-310001477333us-gaap:SalesChannelThroughIntermediaryMembercloud:SalesChannelConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333us-gaap:SalesChannelThroughIntermediaryMember2018-01-012018-12-310001477333us-gaap:SalesChannelThroughIntermediaryMembercloud:SalesChannelConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333us-gaap:SalesChannelThroughIntermediaryMember2017-01-012017-12-310001477333us-gaap:SalesChannelThroughIntermediaryMembercloud:SalesChannelConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2017-01-012017-12-310001477333us-gaap:SalesChannelDirectlyToConsumerMember2019-01-012019-12-310001477333cloud:SalesChannelConcentrationRiskMemberus-gaap:SalesChannelDirectlyToConsumerMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333us-gaap:SalesChannelDirectlyToConsumerMember2018-01-012018-12-310001477333cloud:SalesChannelConcentrationRiskMemberus-gaap:SalesChannelDirectlyToConsumerMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333us-gaap:SalesChannelDirectlyToConsumerMember2017-01-012017-12-310001477333cloud:SalesChannelConcentrationRiskMemberus-gaap:SalesChannelDirectlyToConsumerMemberus-gaap:RevenueFromContractWithCustomerMember2017-01-012017-12-310001477333cloud:SalesChannelConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333cloud:SalesChannelConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333cloud:SalesChannelConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2017-01-012017-12-3100014773332020-01-012019-12-3100014773332021-01-012019-12-31cloud:arrangement0001477333cloud:ExchangeOfRespectiveServicesMember2019-01-012019-12-310001477333cloud:ExchangeOfRespectiveServicesMember2018-01-012018-12-310001477333cloud:ExchangeOfRespectiveServicesMember2017-01-012017-12-310001477333us-gaap:CashMember2019-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CashMember2019-12-310001477333us-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:CashMember2019-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CashMember2019-12-310001477333us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMember2019-12-310001477333us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2019-12-310001477333us-gaap:FairValueInputsLevel1Membercloud:RestrictedCashNoncurrentMemberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMember2019-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMember2019-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2019-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMember2019-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Member2019-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2019-12-310001477333us-gaap:USTreasurySecuritiesMembercloud:RestrictedCashNoncurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel2Member2019-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2019-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMembercloud:RestrictedCashNoncurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel2Member2019-12-310001477333us-gaap:CommercialPaperMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2019-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:FairValueInputsLevel2Member2019-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2019-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:CashMember2018-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CashMember2018-12-310001477333us-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:CashMember2018-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CashMember2018-12-310001477333us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMember2018-12-310001477333us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2018-12-310001477333us-gaap:FairValueInputsLevel1Membercloud:RestrictedCashNoncurrentMemberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMember2018-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMember2018-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2018-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMember2018-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Member2018-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2018-12-310001477333us-gaap:USTreasurySecuritiesMembercloud:RestrictedCashNoncurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel2Member2018-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2018-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMembercloud:RestrictedCashNoncurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel2Member2018-12-310001477333us-gaap:CommercialPaperMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2018-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:FairValueInputsLevel2Member2018-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:DebtSecuritiesAvailableForSaleCurrentMember2018-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333cloud:RestrictedCashNoncurrentMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001477333us-gaap:MoneyMarketFundsMember2019-12-310001477333us-gaap:MoneyMarketFundsMember2018-12-310001477333us-gaap:FairValueInputsLevel3Member2019-12-310001477333us-gaap:FairValueInputsLevel3Membercloud:LongTermLiabilityMember2019-12-310001477333us-gaap:FairValueInputsLevel3Member2018-12-310001477333us-gaap:FairValueInputsLevel3Membercloud:LongTermLiabilityMember2018-12-310001477333cloud:WarrantLiabilityMember2016-12-310001477333cloud:WarrantLiabilityMember2017-01-012017-12-310001477333cloud:WarrantLiabilityMember2017-12-310001477333cloud:WarrantLiabilityMember2018-01-012018-12-310001477333cloud:WarrantLiabilityMember2018-12-310001477333cloud:WarrantLiabilityMember2019-01-012019-12-310001477333cloud:WarrantLiabilityMember2019-12-310001477333us-gaap:TechnologyEquipmentMember2019-12-310001477333us-gaap:TechnologyEquipmentMember2018-12-310001477333us-gaap:BuildingMember2019-12-310001477333us-gaap:BuildingMember2018-12-310001477333us-gaap:ConstructionInProgressMember2019-12-310001477333us-gaap:ConstructionInProgressMember2018-12-310001477333us-gaap:SoftwareDevelopmentMember2019-12-310001477333us-gaap:SoftwareDevelopmentMember2018-12-310001477333us-gaap:OfficeEquipmentMember2019-12-310001477333us-gaap:OfficeEquipmentMember2018-12-310001477333us-gaap:FurnitureAndFixturesMember2019-12-310001477333us-gaap:FurnitureAndFixturesMember2018-12-310001477333cloud:SoftwareMember2019-12-310001477333cloud:SoftwareMember2018-12-310001477333us-gaap:LeaseholdImprovementsMember2019-12-310001477333us-gaap:LeaseholdImprovementsMember2018-12-310001477333us-gaap:RemediationPropertyForSaleAbandonmentOrDisposalMember2019-12-310001477333us-gaap:RemediationPropertyForSaleAbandonmentOrDisposalMember2018-12-310001477333us-gaap:DevelopedTechnologyRightsMember2019-12-310001477333us-gaap:DevelopedTechnologyRightsMember2018-12-31cloud:installment_purchase_agreement0001477333us-gaap:NotesPayableOtherPayablesMembercloud:NotePayableInstallmentPurchaseAgreementsMember2015-11-30cloud:supplier0001477333us-gaap:NotesPayableOtherPayablesMembercloud:NotePayableInstallmentPurchaseAgreementsMembersrt:MinimumMember2015-11-300001477333srt:MaximumMemberus-gaap:NotesPayableOtherPayablesMembercloud:NotePayableInstallmentPurchaseAgreementsMember2015-11-300001477333us-gaap:NotesPayableOtherPayablesMembercloud:NotePayableInstallmentPurchaseAgreementsMember2019-12-310001477333us-gaap:NotesPayableOtherPayablesMembercloud:NotePayableInstallmentPurchaseAgreementsMember2018-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2019-09-012019-09-3000014773332019-09-300001477333cloud:SeriesARedeemableConvertiblePreferredStockMember2018-12-310001477333cloud:SeriesBRedeemableConvertiblePreferredStockMember2018-12-310001477333cloud:SeriesCRedeemableConvertiblePreferredStockMember2018-12-310001477333cloud:SeriesDRedeemableConvertiblePreferredStockMember2018-12-310001477333cloud:WarrantToPurchaseSeriesBRedeemablePreferredStockMember2011-04-300001477333cloud:WarrantToPurchaseSeriesBRedeemablePreferredStockMember2011-10-310001477333cloud:WarrantToPurchaseSeriesBRedeemablePreferredStockMember2011-10-012011-10-310001477333cloud:WarrantToPurchaseSeriesBRedeemablePreferredStockMember2012-01-310001477333cloud:WarrantToPurchaseSeriesBRedeemablePreferredStockMember2012-01-012012-01-310001477333us-gaap:MeasurementInputExpectedTermMember2018-12-310001477333us-gaap:MeasurementInputPriceVolatilityMember2018-12-310001477333us-gaap:MeasurementInputRiskFreeInterestRateMember2018-12-310001477333us-gaap:MeasurementInputExpectedDividendRateMember2018-12-310001477333us-gaap:CommonClassBMember2019-01-012019-12-310001477333us-gaap:CommonClassBMember2019-10-012019-12-31cloud:vote0001477333us-gaap:EmployeeStockOptionMember2019-12-310001477333us-gaap:EmployeeStockOptionMember2018-12-310001477333cloud:EquityIncentivePlan2010Member2019-12-310001477333cloud:EquityIncentivePlan2010Member2018-12-310001477333cloud:EquityIncentivePlan2019Member2019-12-310001477333cloud:EquityIncentivePlan2019Member2018-12-310001477333cloud:ExerciseOfRedeemableConvertiblePreferredStockWarrantsMember2019-12-310001477333cloud:ExerciseOfRedeemableConvertiblePreferredStockWarrantsMember2018-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2019-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2018-12-310001477333us-gaap:EmployeeStockMember2019-12-310001477333us-gaap:EmployeeStockMember2018-12-310001477333us-gaap:EmployeeStockOptionMembercloud:TwoThousandAndTenEquityIncentivePlanMemberus-gaap:CommonStockMember2019-01-012019-12-310001477333cloud:TwoThousandAndTenEquityIncentivePlanMemberus-gaap:CommonStockMember2018-12-310001477333cloud:TwoThousandAndTenEquityIncentivePlanMemberus-gaap:CommonStockMember2019-12-310001477333cloud:TwoThousandAndNineteenEquityIncentivePlanMemberus-gaap:CommonClassAMember2019-12-310001477333cloud:TwoThousandAndNineteenEquityIncentivePlanMembercloud:ClassAAndClassBCommonStockMember2019-01-012019-12-310001477333cloud:TwoThousandAndNineteenEquityIncentivePlanMemberus-gaap:RestrictedStockUnitsRSUMemberus-gaap:CommonClassAMember2019-01-012019-12-310001477333us-gaap:EmployeeStockOptionMembercloud:TwoThousandAndTenEquityIncentivePlanMember2019-01-012019-12-3100014773332016-01-012016-12-310001477333us-gaap:EmployeeStockOptionMember2018-01-012018-12-310001477333us-gaap:EmployeeStockOptionMember2017-01-012017-12-310001477333us-gaap:ShareBasedCompensationAwardTrancheOneMemberus-gaap:RestrictedStockUnitsRSUMember2019-01-012019-12-310001477333us-gaap:ShareBasedCompensationAwardTrancheTwoMemberus-gaap:RestrictedStockUnitsRSUMember2019-01-012019-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2017-01-012017-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2018-01-012018-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2019-01-012019-03-310001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMemberus-gaap:CommonClassAMember2019-09-130001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMembercloud:ClassAAndClassBCommonStockMember2019-09-132019-09-130001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2019-09-132019-09-130001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMemberus-gaap:CommonClassAMember2019-09-132019-09-130001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMemberus-gaap:CommonClassAMember2019-12-312019-12-310001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2019-12-310001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2018-12-310001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2019-01-012019-12-310001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2018-01-012018-12-310001477333us-gaap:EmployeeStockMember2019-01-012019-12-310001477333us-gaap:CostOfSalesMember2019-01-012019-12-310001477333us-gaap:CostOfSalesMember2018-01-012018-12-310001477333us-gaap:CostOfSalesMember2017-01-012017-12-310001477333us-gaap:SellingAndMarketingExpenseMember2019-01-012019-12-310001477333us-gaap:SellingAndMarketingExpenseMember2018-01-012018-12-310001477333us-gaap:SellingAndMarketingExpenseMember2017-01-012017-12-310001477333us-gaap:ResearchAndDevelopmentExpenseMember2019-01-012019-12-310001477333us-gaap:ResearchAndDevelopmentExpenseMember2018-01-012018-12-310001477333us-gaap:ResearchAndDevelopmentExpenseMember2017-01-012017-12-310001477333us-gaap:GeneralAndAdministrativeExpenseMember2019-01-012019-12-310001477333us-gaap:GeneralAndAdministrativeExpenseMember2018-01-012018-12-310001477333us-gaap:GeneralAndAdministrativeExpenseMember2017-01-012017-12-310001477333us-gaap:CommonStockMember2018-01-012018-12-310001477333us-gaap:CommonStockMember2017-01-012017-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2019-01-012019-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2018-01-012018-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2017-01-012017-12-310001477333cloud:RedeemableConvertiblePreferredStockWarrantsMember2019-01-012019-12-310001477333cloud:RedeemableConvertiblePreferredStockWarrantsMember2018-01-012018-12-310001477333cloud:RedeemableConvertiblePreferredStockWarrantsMember2017-01-012017-12-310001477333cloud:ShareBasedPaymentArrangementSharesSubjectToRepurchaseMember2019-01-012019-12-310001477333cloud:ShareBasedPaymentArrangementSharesSubjectToRepurchaseMember2018-01-012018-12-310001477333cloud:ShareBasedPaymentArrangementSharesSubjectToRepurchaseMember2017-01-012017-12-310001477333us-gaap:EmployeeStockOptionMember2019-01-012019-12-310001477333us-gaap:EmployeeStockOptionMember2018-01-012018-12-310001477333us-gaap:EmployeeStockOptionMember2017-01-012017-12-310001477333cloud:RestrictedStockAwardAndRestrictedStockUnitRSUsAwardMember2019-01-012019-12-310001477333cloud:RestrictedStockAwardAndRestrictedStockUnitRSUsAwardMember2018-01-012018-12-310001477333cloud:RestrictedStockAwardAndRestrictedStockUnitRSUsAwardMember2017-01-012017-12-310001477333us-gaap:EmployeeStockMember2019-01-012019-12-310001477333us-gaap:EmployeeStockMember2018-01-012018-12-310001477333us-gaap:EmployeeStockMember2017-01-012017-12-310001477333us-gaap:DomesticCountryMember2019-12-310001477333us-gaap:DomesticCountryMember2018-12-310001477333us-gaap:DomesticCountryMemberus-gaap:ResearchMember2019-12-310001477333us-gaap:StateAndLocalJurisdictionMember2019-12-310001477333us-gaap:StateAndLocalJurisdictionMember2018-12-310001477333us-gaap:StateAndLocalJurisdictionMemberus-gaap:ResearchMember2019-12-310001477333us-gaap:ForeignCountryMember2019-12-310001477333us-gaap:ForeignCountryMember2018-12-310001477333cloud:RelatedPartyTransactionPurchaseOfCommonStockFromFoundersMembersrt:AffiliatedEntityMember2018-09-012018-09-300001477333cloud:RelatedPartyTransactionPurchaseOfCommonStockFromFoundersMembersrt:AffiliatedEntityMember2018-01-012018-12-310001477333cloud:RelatedPartyTransactionPurchaseOfCommonStockFromFoundersMembersrt:AffiliatedEntityMember2019-01-012019-12-310001477333country:US2019-12-310001477333country:US2018-12-310001477333us-gaap:NonUsMember2019-12-310001477333us-gaap:NonUsMember2018-12-310001477333cloud:S2SystemsCorporationMemberus-gaap:SubsequentEventMember2020-01-012020-01-01
Table of contents


UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
__________________________________________________
FORM 10-K
__________________________________________________
(Mark One)
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 2019
or
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the transition period from                to              
Commission file number: 001-39039
__________________________________________________
Cloudflare, Inc.
(Exact name of registrant as specified in its charter)
__________________________________________________
Delaware

27-0805829
(State or other jurisdiction of
incorporation or organization)

(I.R.S. Employer
Identification Number)
101 Townsend Street
San Francisco, California 94107
(Address of principal executive offices and zip code)
(888) 993-5273
(Registrant’s telephone number, including area code)
__________________________________________________
Securities registered pursuant to Section 12(b) of the Act:
Title of Each ClassTrading SymbolName of Each Exchange on Which Registered
Class A Common Stock, $0.001 par valueNETThe New York Stock Exchange
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☐  No
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15 (d) of the Act. Yes ☐  No
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.  Yes ☒  No ☐
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).  Yes ☒  No ☐
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large accelerated filer

Accelerated filer
Non-accelerated filer

Smaller reporting company



Emerging growth company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act).  Yes   No ☒
2

Table of contents
The aggregate market value of the common stock held by non-affiliates of the registrant, based on the closing price of the shares of Class A common stock on September 17, 2019 as reported by the New York Stock Exchange on such date was approximately $1,905 million. The registrant has elected to use September 17, 2019, which was the closing date of its initial public offering of Class A common stock, as the calculation date because on June 30, 2019 (the last business day of the registrant's most recently completed second fiscal quarter), the registrant was a privately held company. Shares of the registrant's common stock held by each executive officer and director and by each other person who may be deemed to be an affiliate of the registrant have been excluded from this computation. This calculation does not reflect a determination that certain persons are affiliates of the registrant for any other purpose.
As of February 21, 2020, 94,569,695 shares of the registrant's Class A common stock were outstanding and 208,066,163 shares of the registrant's Class B common stock were outstanding.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant's definitive Proxy Statement relating to the 2020 Annual Meeting of Stockholders are incorporated herein by reference in Part III of this Annual Report on Form 10-K to the extent stated herein. Such Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year ended December 31, 2019.

3

Table of contents
TABLE OF CONTENTS
Page
Item 1.
Item 1A.
Item 1B.
Item 2.
Item 3.
Item 4.
Item 5.
Item 6.
Item 7.
Item 7A.
Item 8.
Item 9.
Item 9A.
Item 9B.
Item 10.
Item 11.
Item 12.
Item 13.
Item 14.
Item 15.
Item 16.

4

Table of contents
SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS
This Annual Report on Form 10-K contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern our expectations, strategy, plans, or intentions.
Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
our ability to retain and upgrade paying customers;
our ability to attract new customers or convert free customers to paying customers;
our future financial performance, including trends in revenue, costs of revenue, gross profit or gross margin, operating expenses, paying customers, and free cash flow;
our ability to achieve or maintain profitability;
the consequences we may face resulting from the activities of our customers and the actions we take in response, including associated theories of liability;
the demand for our products or for solutions for security, performance, and reliability in general;
possible harm caused by significant disruption of service, loss or unauthorized access to customers’ content, or the actual or perceived failure of our products to prevent security incidents;
our ability to compete successfully in competitive markets;
our ability to respond to rapid technological changes;
our ability to continue to innovate and develop new products;
our expectations and management of future growth;
our ability to maintain existing co-location relationships, ISP partnerships, and other interconnection arrangements around the world;
our ability to offer high-quality customer support;
our ability to manage our global operations;
our expectations of and ability to comply with applicable laws around the world;
our ability to correctly estimate our tax obligations around the world;
our ability to attract and retain key personnel and other highly qualified personnel;
our ability to maintain our brand;
our ability to prevent serious errors or defects across, and to otherwise maintain the uninterrupted operation of, our network;
our ability to maintain, protect, and enhance our intellectual property; and
our ability to successfully identify, acquire, and integrate companies and assets.
You should not rely upon forward-looking statements as predictions of future events. We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations, and prospects. The outcome of the events described in these forward-looking statements is subject to risks, uncertainties, and other factors described in the section titled “Risk Factors” and elsewhere in this Annual Report on Form 10-K. Readers are urged to carefully review and consider the various disclosures made in this Annual Report on Form 10-K and in other documents we file from time to time with the Securities and Exchange Commission (SEC) that disclose risks and uncertainties that may affect our business. Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time, and it is
5

Table of contents
not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this Annual Report on Form 10-K. We cannot assure you that the results, events, and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events, or circumstances could differ materially from those described in the forward-looking statements.
The forward-looking statements made in this Annual Report on Form 10-K relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this Annual Report on Form 10-K to reflect events or circumstances after the date of this Annual Report on Form 10-K or to reflect new information or the occurrence of unanticipated events, except as required by law. We may not actually achieve the plans, intentions, or expectations disclosed in our forward-looking statements, and you should not place undue reliance on our forward-looking statements. Our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures, or investments we may make.
In addition, statements that “we believe” and similar statements reflect our beliefs and opinions on the relevant subject. These statements are based upon information available to us as of the date of this Annual Report on Form 10-K, and while we believe such information forms a reasonable basis for such statements, such information may be limited or incomplete, and our statements should not be read to indicate that we have conducted an exhaustive inquiry into, or review of, all potentially available relevant information. These statements are inherently uncertain and investors are cautioned not to unduly rely upon these statements.
6

Table of contents
PART I

Item 1. Business
Overview
Cloudflare’s mission is to help build a better Internet.
Today, the Internet is the lifeblood of business and the primary vehicle of commerce and communication for people around the world. While it was brilliantly architected to deliver fault tolerance and robust connectivity, it was not designed to deliver the security, millisecond performance, and reliability required for businesses today.
For decades, a number of vendors have looked to address the core limitations and vulnerabilities of the Internet for businesses that operate online. These vendors built a range of standalone hardware boxes to address the emerging requirements for security, performance, and reliability. These boxes could be deployed in on-premise data centers to deliver functions such as virtual private network (VPN), firewall, routing, traffic optimization, load balancing, and other network services. While they created massive complexity, cost, technical debt, and a tangled web of dependencies for the organizations that deployed them, the approach generally worked and these on-premise “band-aid boxes” were able to alleviate some of the Internet’s fundamental security, performance, and reliability problems.
And then the cloud happened.
In recent years, the technology industry has undergone a massive transition from on-premise hardware and software that customers buy, to services in the cloud that they rent. Organizations find themselves at different points in this transition to the cloud. Regardless of where organizations are in their transition, they all face a common set of challenges: they exist in a complex, heterogeneous infrastructure environment which exacerbates the fundamental problems of the Internet more than ever, and the on-premise band-aid boxes that they once relied upon to solve these problems were never designed to work in such an environment. As more workloads move to the cloud, there is no point in installing additional band-aid boxes on premise. An on-premise box will not solve the problems organizations now face. Nor can a business ship a band-aid box to a cloud vendor. Even if they wanted to, there is literally no place to install such a box in the cloud.
The result is that a major architectural shift at the network layer is now underway. Previously, enterprises would often string together a diverse set of on-premise band-aid boxes from different vendors to solve their network challenges. As these solutions move to the cloud, the network latency, support complexity, and cost of overhead makes stringing together multiple point-cloud solutions that only address a specific network need untenable. Customers are therefore looking to consolidate behind a single platform.
Cloudflare has built a global cloud platform that delivers a broad range of network services to businesses of all sizes and in all geographies—making them more secure, enhancing the performance of their business-critical applications, and eliminating the cost and complexity of managing individual network hardware. Our platform serves as a scalable, easy-to-use, unified control plane to deliver security, performance, and reliability across on-premise, hybrid, cloud, and software-as-a-service (SaaS) applications. Customers who join our platform using one product can adopt our other seamlessly integrated products with a single click. We serve comprehensive customer needs across security, performance, and reliability. Our platform and business model are designed to make rolling out new products fast and efficient. As of December 31, 2019, more than 10% of the Fortune 1,000 were paying Cloudflare customers.
Our Network
We have built an efficient, scalable network that forms the basis of our platform on which we can rapidly develop and deploy our products for our customers. Together, the development of our network and products create the interconnected flywheels that drive our business.
7

Table of contents
cloud-20191231_g1.jpg
Network Flywheel: We have created a network architecture that is flexible, scalable, and gets more and more efficient as it expands. We designed and built our network to be able to grow capacity quickly and inexpensively; to allow for every server, in every city, to run every Cloudflare service; and to allow us to shift customers and traffic across our network efficiently. We refer to this architecture as “serverless” because it means we can deploy standard, commodity hardware, and our product developers and customers do not need to worry about the underlying servers. Our software manages the deployment and execution of our product developers’ code and our customers’ code across our network. Because we manage the execution and prioritization of code running across our network, it means that we are both able to optimize the performance of our highest paying customers, and also effectively leverage idle capacity across our network. We have chosen to utilize this idle capacity to create a free tier of service—which has generated substantial global scale for us. In turn, this scale makes us attractive partners for Internet Service Providers (ISPs) globally, which reduces our co-location and bandwidth costs. As our network grows, these dynamics become even more powerful. Today, our network spans 200 cities in over 90 countries and interconnects with over 8,500 networks globally, including major ISPs, cloud services, and enterprises.
Product Flywheel: We operate our business with the idea of serving the broadest possible market. To do this, we made our products easy to use and affordable, and were able to provide our entry level plan for free in part because of the cost advantage of our network. We leverage the resulting customer scale and diversity to continuously make our products better. Our machine learning systems improve our products with every customer’s request, optimizing our security, performance, and reliability globally. The over 26 million Internet properties (e.g., domains, websites, application programming interface (API), and mobile applications) that use our platform comprise a global sensor network, which functions like an immune system for the Internet—routing around congestion, optimizing for traffic conditions, and using data on cyber attacks against any one of our customers to better protect them all.
Feedback from our diverse, global customer base helps us expand into new, adjacent product areas. Since our customers’ traffic is already passing through our network, our serverless architecture means we can add products on our platform to solve new network challenges without significantly increasing our incremental costs. This allows us to provide new products at competitive prices and further expand the overall market.

8

Table of contents
Growth Strategy
Key elements of our growth strategy include:
Acquire New Customers: We believe that any person or business that relies on the Internet to deliver products, services, or content can be a Cloudflare customer. We will continue to grow our customer base across all of our offerings—free, pay-as-you-go (which we previously referred to as self-serve customers), and contracted (which we previously referred to as enterprise customers).
Free: We will continue to invest in awareness and functionality of our products to drive overall customer growth beyond the over 26 million Internet properties using Cloudflare today.
Pay-as-you-go and Contracted: We believe we have an opportunity to continue to grow our paying customer base, from small customers through to large contracted customers. In order to do this, we will continue to focus on growth in our pay-as-you-go channels by improving targeting and conversion as well as expanding our product offering. In addition, we intend to leverage our proven sales force to sell our products to larger and larger contracted customers.

Expand Our Relationships with Existing Customers: Customers expand their relationships with us by upgrading to premium plans, increasing their usage of our platform, or adding products. Once a customer has adopted one product on our platform, it can easily add additional products with a single click.
Develop New Products and Solutions: We continue to invest in new product development and building new solutions for our customers, and as we onboard more customers and more traffic on our network, our ability to identify promising new avenues for innovation improves. We have proven our ability to launch new products, having successfully brought many new products and product families to market. For example, we recently announced a new suite of products called Cloudflare for Teams to protect the internal resources of organizations.
Extend Our Serverless Platform Strategy: We have seen a growing number of customers that have chosen to bring applications to market using Cloudflare Workers. This opens up an entirely new market for us: storage and compute. Our Cloudflare Workers offering is attractive in the market for reasons of our architecture and the power of our network, and we believe adoption of Cloudflare Workers will continue to grow as we further invest in it.
Our Products
We deliver a platform of deeply integrated products that serve as a unified control plane for our customers. Customers can quickly and easily join Cloudflare by using just one of our products on our platform and expand over time by adding most products with a single click. Our integrated suite of products consists of (1) solutions for an organization's infrastructure to deliver security, performance, and reliability, (2) solutions to serve an organization's internal resources, (3) platform-based solutions, and (4) consumer offerings.
Cloudflare for Infrastructure
Cloudflare for Infrastructure is a suite of products to help ensure the resources and infrastructure that are exposed to the Internet are safe from attack, fast, and reliable.
Security
We provide an integrated cloud-based security solution designed to secure any combination of platforms, including public cloud, private cloud, on-premise, SaaS applications, and IoT devices. Our key security product offerings include:
Cloud Firewall: Protects a customer’s Internet properties from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests, with no changes to its existing infrastructure.
Bot Management: Blocks undesired or malicious Internet traffic created by malicious software algorithms called bots, while still allowing useful bots to access Internet properties through machine learning and behavioral analytics.
9

Table of contents
Distributed Denial of Service (DDoS): Protects a customer’s Internet properties from a Distributed Denial of Service attack (product known as “Unmetered Mitigation”).
Infrastructure Protection: Extends the benefits of our network to customers’ on-premise and data center networks (product known as “Magic Transit”). Magic Transit is deployed in front of an enterprise network and protects it at the IP layer from DDoS attacks and enables provisioning of a full suite of virtual network functions, including IP packet filtering and firewalling, load balancing, and traffic management tools.
IoT: Protects IoT devices through the specialized application of our cloud-based security products (product known as “Cloudflare Orbit”).
SSL / TLS: Manages encrypted web traffic to prevent data theft and tampering to improve security as well as application and website productivity (products known as “SSL for SaaS,” “Dedicated & Custom Certs,” “Universal SSL,” “Keyless SSL,” and “GeoKey Manager”).
Secure Origin Connection: Creates an encrypted tunnel between a customer’s origin web server and the closest servers on our network without risking opening any public inbound ports (product known as “Cloudflare Argo Tunnel”).
Rate Limiting: Provides the ability to configure thresholds, define responses, and gain valuable insights into specific URLs of websites, applications, or API endpoints.
Performance
Our performance solutions improve conversions, reduce churn, and improve visitor experiences by accelerating web and mobile performance, while keeping applications available. Our key performance product offerings include:
Content Delivery: Accelerates content delivery time by automatically serving our customers most popular content from our network locations close to our customers’ users.
Intelligent Routing: Improves Internet performance by intelligently routing end users through less congested and more reliable paths over the Internet using our network (product known as “Cloudflare Argo”).
Content Optimization: Automatically adjusts the way content is delivered based on the particular device accessing the site to improve speed without affecting the customer’s Internet property look or features.
Mobile Optimization: Provides mobile-specific optimization and caching of content for fast delivery to mobile end users.
Image Optimization: Automatically adjusts the size and quality of the image to the device and network connection for improved end-user experience.
Mobile Software Development Kit (SDK): Offers developers cutting-edge network diagnostic tools for any application without dependencies on infrastructure, enabling them to more easily create high performing and engaging applications.
Reliability
Our reliability solutions improve the overall operational experience of the Internet and allow our customers to run their digital operations much more efficiently. Our key reliability product offerings include:
Load Balancing: Enhances performance and reliability for single, hybrid-cloud, and multi-cloud environments. Our cloud-based products provide local and global load balancing to reduce latency by distributing traffic across multiple servers or by routing traffic to the closest geolocation region.
Anycast Network: Enhances performance and reliability by globally and automatically load balancing Internet-scale traffic across our network based on proximity of request and other factors.
Virtual Backbone: Connects our global network, and by extension, our customer’s Internet properties, into a virtual network that is always encrypted, optimized for performance, and highly redundant.
DNS: Keeps Internet properties online and available around the world (products known as “Cloudflare DNS” and “Cloudflare Secondary DNS”).
DNS Resolver: Returns the IP addresses of servers when a user enters a domain name. We are one of the world’s fastest public DNS Resolvers, which benefits our DNS customers.
10

Table of contents
Always Online: Serves a limited copy of a cached website, to keep it online for a customer’s visitors should the customer’s origin server go down.
Cloudflare for Teams
Cloudflare for Teams provides a comprehensive solution to protect an organization’s internal resources — devices, users, applications, and data. The solution has two components: one to provide simple, secure access for internal applications; and another to provide a secure path to the Internet for users and devices. Together, they deliver holistic internal security for organizations.
Zero Trust Security and Access Management: Secures, authenticates, and monitors user access to internal applications and infrastructure hosted on-premise or in cloud environments, ensuring that every connection has been validated and logged (product known as “Cloudflare Access”).
Secure Web Gateway: Announced solution for release in stages during 2020 that is designed to secure and filter outbound Internet traffic to protect employees from threats on the public Internet and to help protect Internet-browsing employees from bringing malware or vulnerable code into an organization (product known as “Cloudflare Gateway”). In January 2020, we acquired S2 Systems Corporation, a company that has developed patented browser isolation technology to make everyday web browsing safer and faster, and we expect to incorporate this technology into Cloudflare Gateway.
Platform
By using our platform, developers can build serverless applications that scale without needing to spend time and effort on infrastructure or operations. This enables them to deliver more performant applications that have instant global scale, all while improving their productivity. Our key serverless products include:
Serverless Computing/Programmable Network: Allows developers to augment existing applications or create entirely new ones through a lightweight execution environment without configuring or maintaining infrastructure (product known as “Cloudflare Workers”).
Cloudflare Apps: Offers an open platform of tools which can be installed instantly with just a few clicks. We have further expanded our offering through Cloudflare Apps with Workers, which allows developers to package Cloudflare Workers, delivering new Cloudflare Workers-powered experiences to our customers.
Analytics: Provides insights into the traffic of our customers’ Internet properties that are unique and proprietary to our platform. We help our customers monitor threats, search for specific search engine crawlers, understand DNS query traffic, and analyze real time data traffic.
Consumer Offerings
Our consumer products make it easy for individuals to have a performant and secure Internet experience. Adoption of our consumer offerings makes our business offerings more powerful and adoption of our business offerings improves our consumer offerings. Our consumer offerings also have been an effective and differentiated marketing channel to increase the awareness of our brand. Our key consumer product offerings include:

Consumer DNS Resolver: A consumer app that provides a fast and private way to browse the Internet (product known as "1.1.1.1"). 1.1.1.1 is a public DNS resolver, but unlike most DNS resolvers, we do not sell user data to advertisers. Our implementation of 1.1.1.1 makes it among the fastest resolvers available, and we support DNS over HTTPS (DoH) which encrypts and secures consumers’ DNS requests.
Consumer VPN: A VPN for consumers designed to secure and accelerate traffic on mobile devices (product known as "Warp"). The basic version of Warp is included as an option with the 1.1.1.1 App for free; and a premium version that accelerates a user's Internet access is available for purchase.
Our Customers
We view our approximately 2.6 million free and paying customers (excluding customers of our consumer offerings), which manage over 26 million Internet properties on our platform, as part of a broad, global community.
11

Table of contents
As of December 31, 2019, we had approximately 83,000 paying customers across more than 160 countries. Our paying customer base is highly diversified across organizations of all sizes in every major industry vertical including technology, healthcare, financial services, consumer and retail, industrial, non-profit, and government. Our large customer count has increased from 184 as of December 31, 2017 to 313 as of December 31, 2018 to 550 as of December 31, 2019. Refer to Part II, Item 7, Management's Discussion and Analysis of Financial Condition and Results of Operations for additional information regarding the definitions of "paying customers" and our "large customers."
No single customer accounted for more than 10% of our revenue in the years ended December 31, 2019, 2018, or 2017.
Our Technology
Our distributed and proprietary network is the core of our technology, and enables us to move data seamlessly from nearly any point on earth in a fast, efficient, and reliable manner. Our network has been built from the ground up as a single software stack we developed that runs our products in 200 cities and over 90 countries worldwide. This allows us to scale quickly while offering a wide range of products and simultaneously lowering operating expenses.

Efficient Serverless Network Design

We have developed a single software stack that is responsible for all of our products. We have been able to efficiently scale our network by building it with inexpensive, commodity hardware components that are powered by our proprietary software. This integrated stack has made scaling, debugging, optimizing, and operating our platform easier and cheaper than competing services. It also allows us to deploy changes across our entire worldwide network in a matter of seconds. In addition, we embed encryption chips into the motherboards of our servers that are designed to preclude anyone else from running unauthorized software on our equipment. This allows us to securely, quickly, and inexpensively expand our infrastructure far and wide in order to offer the best service and drive down operating costs.
Our serverless network design allows each individual machine in our global network to run the complete suite of our software and provide all of our products. We have built coordination software that ties together these thousands of machines into a single global network that allows us to efficiently route traffic to different physical locations and to individual machines. This enables us to maximize utilization of our commodity hardware and provide different service levels to different customers. It also allows our network to get more efficient and powerful as we add each incremental server, regardless of where it is located. Every time we add a server or add a new city, our entire network improves.

Network Flexibility

Our platform is API-driven and designed for developers. We have an API-first mentality, which means that anything that a customer can do via our web interface can also be performed by our API. This allows our customers to easily embed our service in their own workflows. For example, a customer can use our web interface or API to change its custom configuration and that will be rolled out globally by our configuration software in seconds. This contrasts with many vendors’ solutions where configuration changes can take hours and require professional services.
Our software dynamically spreads loads across our entire distributed network depending on current network conditions and traffic priority. This enables us to deliver different quality of service depending on what customers pay us, ensuring our highest paying customers get the best performance and permitting us to serve our lower paying and free customers from excess capacity.
Given the distributed and highly efficient nature of our network, we can easily develop new features and products on our platform and deploy them without significant incremental costs. The flexibility of our serverless platform now allows us to open it to third parties to write code directly on our network through our Cloudflare Workers product.
12

Table of contents
Research and Development
Our research and development organization is responsible for the design, development, testing, and delivery of our global platform and products. Our R&D team's structure allows us to build a broad swathe of products while continuing to innovate. One group works closely with our product management organization to improve, refine and expand our existing products. A second independent group builds greenfield opportunities that aim to expand our market and reach new markets. In addition, our research team ensures our platform and customers are secured with the latest cryptography.
We prioritize investment in research and development. Those investments have continued to result in the launch of new products that have helped us attract new customers and sell more products to our existing customers. Our research and development organization currently is distributed primarily across three cities: London, United Kingdom; San Francisco, California; and Austin, Texas.
Sales
We have a multi-pronged go to market approach that allows us to efficiently serve the needs of very small to very large customers. By using a combination of web sales, direct sales, and indirect sales, we are able to serve the greatest diversity of customers across all sizes.
We sell our pay-as-you-go plans through our website and hosting partners where a customer can either start on a free or paid plan and, as we demonstrate value, upgrade over time. Our pay-as-you-go customers are able to sign up for our Pro or Business plans that are payable monthly. Pay-as-you-go customers are able to onboard and customize our products through our website and pay for their subscription using a credit card. Our automated and easy to use process enables us to efficiently onboard thousands of new customers per day without requiring any interaction with our sales team. As pay-as-you-go customers evolve their usage of our products, some upgrade to an Enterprise plan for greater control, higher service levels, or productivity-related tools.
We sell our Enterprise plan directly through our technically-oriented inside and field sales teams, and also indirectly through our ecosystem of partners. Our Enterprise plan customers, which we refer to as our contracted customers, typically are replacing on-premise hardware with cloud network services, or consolidating multiple existing cloud services onto one platform with Cloudflare. For large contracted customers, our relationships often start with a portion of the customer’s overall network needs and expand over time as they consolidate other vendors’ services and increase their adoption of our platform.
Marketing
Our marketing aims to clearly communicate the value of our offerings to a large and diverse set of global customers at scale. We drive organic awareness and adoption of our platform by providing a free offering that enables millions of users to experience the benefits of our global cloud platform before they adopt our pay-as-you-go offerings or contract for our Enterprise plan. We engage with developers across blogs, social media, and other channels to help build our brand and visibility among technical communities. In addition, our consumer products, including 1.1.1.1 and Warp, provide an effective and differentiated marketing channel to expand the awareness of our brand.

We invest in a variety of targeted digital and non-digital marketing activities and programs to build awareness, engage with prospects, and build pipeline for our global sales teams. We also share stories of how large customers are rapidly adopting our services across use cases, industry verticals, and geographies, to communicate customer trust and our market momentum.
Competition
We compete in the market for network services primarily across three categories:
On-premise network hardware vendors such as Cisco Systems, Inc., F5 Networks, Inc., Check Point Software Technologies Ltd., FireEye, Inc., Imperva, Inc., Palo Alto Networks, Inc., Juniper Networks, Inc.,
13

Table of contents
and Riverbed Technology, Inc. We compete with these companies to provide security, performance, and reliability services. Today, they represent our primary competition. We believe we are positioned favorably against these vendors with our cloud-based, multitenant approach that is better suited to an increasingly cloud-based world and that allows customers to treat our services as operational as opposed to capital costs.
Point-cloud solution vendors in various categories including cloud security vendors (such as Zscaler, Inc. and Cisco Systems, Inc. through Umbrella (formerly known as OpenDNS)), CDN vendors (such as Akamai Technologies, Inc., Limelight Networks, Inc., Fastly, Inc., and Verizon Communications Inc. through Edgecast), DNS services vendors (such as Oracle Corporation through DYN, Neustar, Inc., and UltraDNS Corporation), and cloud SD-WAN vendors. These providers are all focused on delivering point-cloud solutions. However, customers are increasingly looking for an integrated platform offering security, performance, and reliability through a single vendor.
A subset of services provided by traditional public cloud vendors such as Amazon.com, Inc. through Amazon Web Services, Alphabet Inc. through Google Cloud Platform, Microsoft Corporation through Azure, and Alibaba Group Holding Limited through Alibaba Cloud. Today, we work closely with these companies, some of whom are both partners and investors. In the long term, we may increasingly compete with them. We believe customers want the ability to set a consistent policy across their on-premise, cloud, hybrid, and SaaS vendors, and be able to enforce that policy through an independent platform. Customers are concerned about being locked in to any one public cloud provider. Our ability to efficiently and inexpensively move data between multiple clouds allows our customers to pick and choose the best from any cloud provider without fearing lock-in. Furthermore, unlike some public cloud providers, our business model aligns fully with the interests of our customers. We do not sell user data. We do not aim to compete with our customers.
As we open our serverless platform to third-party developers, we believe we will increasingly compete with public cloud vendors for storage and compute workloads. Because of the efficiency of our Cloudflare Workers product, we are able to offer it at prices that are highly competitive with public cloud vendors, and because it is distributed across our entire network, it enables the development of applications that were not previously possible on the traditional public cloud.

The principal competitive factors in the markets in which we operate include:
breadth of platform features and continued innovation;
integrated solutions across security, performance, and reliability;
unified control plane across on-premise, cloud, hybrid, and SaaS infrastructure;
performance, availability, and effectiveness;
platform scalability;
total cost of ownership;
ease of adoption and use;
global network coverage;
quality of customer support;
programmability and extensibility of platform; and
independence, reputation, and trust.

We believe that we are positioned favorably against our competitors based on these principal competitive factors.
Core Values, Initiatives We Support, and Employees
Core Values

Cloudflare’s mission is to help build a better Internet. Our core values are at the heart of how we live up to our mission. We have three core values: we are principled, we are curious, and we are transparent. By principled, we mean thoughtful, consistent, and long-term oriented about what the right course of action is. By curious, we mean taking on big challenges and understanding the why and how behind things. Finally, by transparent, we mean being clear in the why and the how we decide to do things both internally and externally. These core values are embodied
14

Table of contents
in everything we do. They guide our actions on a day to day basis. They highlight to customers and potential prospects what we stand for, and we look for them in all the employees we hire.

Initiatives We Support

We have launched various initiatives to help build a better Internet, including:

Project Galileo: Since 2014, we have equipped at-risk public interest groups with a set of our products at no cost to defend themselves against attacks that would otherwise censor their work. The nearly 1,000 recipients of services under Project Galileo include independent journalists reporting on repressive regimes, minority rights and arts groups in closed societies, and civil society organizations supporting democratic movements.
Athenian Project: We created Athenian Project to ensure that state and local governments’ election websites have the highest level of protection and reliability for free. We have provided these benefits to more than 150 state and local election websites.
Cloudflare for Campaigns: In January 2020, we announced the Cloudflare for Campaigns program that provides security services to help political campaigns in the United States and around the world defend against cyberattacks and election interference. We allow any eligible campaign to access a variety of our security services, including enhanced firewall protection, DDoS attack mitigation, as well as internal data management and security controls.

Our Employees

As of December 31, 2019, we had 1,270 full-time employees, including 439 employees located outside of the United States. We also engage contractors and consultants. None of our employees are represented by a labor union. We have not experienced any work stoppages and we believe that our employee relations are strong.
Intellectual Property
Our success depends in part upon our ability to protect and use our core technology and intellectual property rights. We rely on a combination of patents, copyrights, trademarks, trade secrets, know-how, contractual provisions, and confidentiality procedures to protect our intellectual property rights. As of December 31, 2019, we had over 110 issued patents and over 70 pending patent applications in the United States and abroad. These patents and patent applications seek to protect our proprietary inventions relevant to our business. Our issued patents are scheduled to expire between 2030 and 2039, and cover various aspects of our platform and products. In addition, we have registered “Cloudflare” as a trademark in the United States and other jurisdictions and we have filed other trademark applications in the United States. We are also the registered holder of a variety of domestic and international domain names that include “Cloudflare” (including “Cloudflare.com”).
In addition to the protection provided by our intellectual property rights, we enter into proprietary information and invention assignment agreements or similar agreements with our employees, consultants, and contractors. We further seek to control the use of our proprietary technology and intellectual property rights through provisions in our subscription agreements.
Corporate Information
Cloudflare, Inc. was incorporated in the state of Delaware in July 2009. Our principal executive offices are located at 101 Townsend Street, San Francisco, California 94107, and our telephone number is (888) 993-5273. We
15

Table of contents
completed our initial public offering in September 2019, and our Class A common stock is listed on the New York Stock Exchange under the symbol “NET.”
Additional Information
Our website is located at https://www.cloudflare.com, our investor relations website is located at cloudflare.NET, our news site is located at https://www.cloudflare.com/press, our corporate blog’s address is https://blog.cloudflare.com, and our Twitter account is @Cloudflare. We have used, and intend to continue to use, our website, investor relations website, news site, blog, and Twitter account as a means of disclosing material non-public information and for complying with our disclosure obligations under Regulation FD. The following filings are available through our investor relations website after we file them with the Securities and Exchange Commission (SEC): Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, current reports on Form 8-K, and our Proxy Statement for our annual meeting of stockholders. These filings are also available for download free of charge on our investor relations website. The SEC also maintains an Internet website that contains reports, proxy statements and other information about issuers, like us, that file electronically with the SEC. The address of that website is www.sec.gov.
We webcast our earnings calls and certain events we participate in or host with members of the investment community on our investor relations website. Additionally, we provide notifications of news or announcements regarding our financial performance, including SEC filings, investor events, press and earnings releases, and blogs as part of our investor relations website. Further corporate governance information, including our corporate governance guidelines, code of business conduct and ethics, and committee charters is also available on our investor relations website under the heading "Governance."
The contents of the websites provided above are not intended to be incorporated by reference into this Annual Report on Form 10-K or in any other report or document we file with the SEC. Further, our references to the URLs for these websites are intended to be inactive textual references only.
Item 1A. Risk Factors
Our business involves significant risks, some of which are described below. You should carefully consider the risks and uncertainties described below, together with all of the other information in this Annual Report on Form 10-K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes. Any of the following risks could have an adverse effect on our business, results of operations, financial condition, or prospects, and could cause the trading price of our Class A common stock to decline. Our business, results of operations, financial condition, or prospects could also be harmed by risks and uncertainties that are not presently known to us or that we currently believe are not material. In that event, the market price of our Class A common stock could decline, and you could lose part or all of your investment.
Risks Related to Our Business and Our Industry
We have a history of net losses and may not be able to achieve or sustain profitability in the future.
We have incurred net losses in all periods since we began operations and we expect we will continue to incur net losses for the foreseeable future. We experienced net losses of $105.8 million, $87.2 million, and $10.7 million for the years ended December 31, 2019, 2018, and 2017, respectively, and as of December 31, 2019, we had an accumulated deficit of $301.7 million. Because the markets for our products are rapidly evolving, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase over the next several years as we continue to hire additional personnel, expand our operations and infrastructure both domestically and internationally, and continue to develop our products. In addition to the expected costs to grow our business, we also are incurring significant additional legal, accounting, and other expenses as a public company, as described in greater detail in the risk factors below. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.
We have experienced rapid revenue growth, which may not be indicative of our future performance.
16

Table of contents
We have experienced rapid revenue growth in recent periods, with revenue of $287.0 million, $192.7 million, and $134.9 million for the years ended December 31, 2019, 2018, and 2017, respectively. You should not consider our recent growth in revenue as indicative of our future performance. In particular, our revenue growth rates may decline in the future and may not be sufficient to achieve and sustain profitability, as we also expect our costs to increase in future periods. We believe that historical comparisons of our revenue may not be meaningful and should not be relied upon as an indication of future performance. Accordingly, you should not rely on our revenue and other growth for any prior quarter or year as an indication of our future revenue or revenue growth.
Our rapid growth may also make it difficult to evaluate our future prospects. Our ability to forecast our future results of operations is subject to a number of uncertainties, including our ability to effectively plan for and model future growth. If we fail to achieve the necessary level of efficiency in our organization as it grows, or if we are not able to accurately forecast future growth, our business, results of operations, and financial condition could be harmed.
If we are unable to attract new paying and free customers, our future results of operations could be harmed.
The success of our business principally depends on our ability to attract new paying and free customers. To do so, we must persuade decision makers at potential customers that our products offer significant advantages over those of our competitors. Other factors, many of which are out of our control, may now or in the future impact our ability to add new paying and free customers, including:
potential customers’ commitments to existing equipment or vendors;
potential customers’ greater familiarity and/or comfort with on-premises, appliance-based products;
actual or perceived switching costs;
our failure to obtain or maintain government or industry security certifications for our network and products;
negative media, industry, or financial analyst commentary regarding our products and the identities and activities of some of our paying and free customers;
the adoption of new, or amendment of existing, laws, rules, or regulations that negatively impact the utility of our network and products;
our failure to expand, retain, and motivate our sales and marketing personnel;
our failure to develop or expand relationships with existing channel partners or to attract new channel partners;
our failure to help our customers to successfully deploy and use our products;
our failure to educate our customers about our platform and products;
the perceived risk, commencement, or outcome of litigation; and
deteriorating general economic conditions.
If our efforts to attract new paying customers are not successful, our revenue and rate of revenue growth may decline, we may not achieve profitability, and our future results of operations could be materially harmed. If our efforts to attract new free customers are not successful, the benefits to our network and product development cycles from our strategy of providing a free subscription plan will be diminished.
Our business depends on our ability to retain and upgrade paying customers and, to a lesser extent, convert free customers to paying customers, and any decline in renewals, upgrades, or conversions could adversely affect our future results of operations.
Our business is subscription-based and it is important for our business and financial results that our paying customers renew their subscriptions for our products when existing contract terms expire. Our pay-as-you-go customers pay with a credit card on a monthly basis and can terminate their subscriptions at will with little advance notice. Because pay-as-you-go customers that subscribe to our basic subscription plans are an important source of revenue, this ease of termination could cause our results of operations to fluctuate significantly from quarter to quarter. Our contracted customers, which consist of customers that sign up for our Enterprise plan, enter into longer term agreements ranging from one to three years, and they generally have no obligation to renew their subscriptions for our products after the expiration of their contractual period and are allowed to cancel their subscriptions in the case of an uncured material breach of the agreement. Some contracted customers also have
17

Table of contents
agreements that allow them to terminate the agreement without cause upon little or no advance written notice, or upon our failure to meet certain service level commitments, or to obtain and maintain industry security certifications within a specified time frame. Due to our varied customer base and short average subscription periods, it is difficult to accurately predict our long-term customer retention rate. Our customer retention may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with the security, performance, and reliability of our products, our prices and subscription plans, our customers’ budgetary restrictions, mergers, acquisitions, joint ventures, and business partnerships and relationships involving our customers, the perception that competitive products provide better or less expensive options, negative public perception of us or our free and paying customers, and deteriorating general economic conditions.
Our future financial performance also depends in part on our ability to continue to upgrade paying customers to higher-tier subscriptions or additional paid products and, to a lesser extent, to convert free customers into paying customers. Conversely, our paying customers may convert to lower-cost or free plans if they do not see the marginal value in paying for our higher-cost plans, thereby impacting our ability to increase revenue. Moreover, our free customers have no obligation to transition to paying customers at any point. In order to expand our commercial relationship with our customers, existing paying and free customers must decide that the incremental cost associated with such an upgrade is justified by the additional functionality. For example, some of our paying customers may decide that our enterprise offerings do not provide sufficient incremental value to upgrade from our pay-as-you-go offering. Our customers’ decision whether to upgrade their subscription is driven by a number of factors, including customer satisfaction with the security, performance, and reliability of our platform and products, customer security and networking issues and requirements, general economic conditions, and customer reaction to the price for additional products. If our efforts to expand our relationship with our existing paying and free customers are not successful, our financial condition and results of operations may materially suffer.
Problems with our internal systems, networks, or data, including actual or perceived breaches or failures, could cause our network or products to be perceived as insecure, underperforming, or unreliable, our reputation to be damaged, and our financial results to be negatively impacted.
We face security threats from malicious third parties that could obtain unauthorized access to our internal systems, networks, and data, including the equipment at our network and core co-location facilities. It is virtually impossible for us to entirely mitigate the risk of these security threats and the security, performance, and reliability of our platform and products may be disrupted by third parties, including nation-states, competitors, hackers, disgruntled employees, former employees, or contractors. We also face the possibility of security threats from other sources, such as employee or contractor errors, or malfeasance. For example, hostile third parties, including nation-states, may seek to bribe, extort, or otherwise manipulate our employees or contractors to compromise our platform and products. While we have implemented security measures internally and have integrated security measures into our platform and products, these measures may not function as expected and may not detect or prevent all unauthorized activity, prevent all security breaches, mitigate all security breaches, or protect against all attacks or incidents. Because the equipment in our network co-location facilities is designed to run all of our products, any insertion of malicious code on, unauthorized access to, or other security breach with respect to, this equipment could potentially impact all of our products running on this equipment. We may also experience security breaches and other incidents that may remain undetected for an extended period and, therefore, may have a greater impact on our products and the networks and systems used in our business, and the proprietary and other confidential data contained on our platform or otherwise stored or processed in our operations, and ultimately on our business. We expect to incur significant costs in our efforts to detect and prevent security breaches and other security-related incidents, and we may face increased costs in the event of an actual or perceived security breach or other security-related incident. Our internal systems are exposed to the same cybersecurity risks and consequences of a breach as our customers and other enterprises, any of which could have an adverse effect on our business or reputation. These cybersecurity risks pose a particularly significant risk to a business like ours that is focused on providing highly secure products to customers.
Unauthorized access to, other security breaches of, or security incidents affecting, systems, networks, and data used in our business, including those of our vendors, contractors, or those with which we have strategic relationships, even if not resulting in an actual or perceived breach of our customers’ networks, systems, or data, could result in the loss, compromise or corruption of data, loss of business, reputational damage adversely affecting customer or investor confidence, regulatory investigations and orders, litigation, indemnity obligations, damages for contract breach, penalties for violation of applicable laws or regulations, significant costs for remediation, and other liabilities.
18

Table of contents
Additionally, in the absence of malicious actions, our platform and products may experience errors, failures, vulnerabilities, or bugs that cause our products not to perform as intended. For example, from time to time we are subject to “route leaks” that involve the accidental or, less commonly, illegitimate advertisement of prefixes, or blocks of IP addresses, which propagate across networks such as ours and can lead to incorrect routing of traffic across our network, taking traffic offline, or in extreme cases, potential interception of customers’ traffic by attackers. In June 2019, a route leak spread by a major telecommunications services provider caused significant disruption to our traffic and that of many other providers. Although events like this are outside our control, they could materially harm our reputation and diminish the confidence of our current and potential customers in our platform and products. In addition, deployment of our platform and products into other computing environments may expose these errors, failures, vulnerabilities, or bugs in our products. Any such errors, failures, vulnerabilities, or bugs may not be found until after they are deployed to our customers and may create the perception that our platform and products are insecure, underperforming, or unreliable. In July 2019, we deployed an update to our web application firewall and certain aspects of the related software code resulted in excessive consumption of computing resources across our network, resulting in an outage on our network. While the June 2019 route leak and July 2019 outage did not have a material impact on our results of operations or financial condition, any similar events that may occur in the future may have a material adverse impact on our results of operations or financial condition. We also provide frequent updates and fundamental enhancements to our platform and products, which increase the possibility of errors. Our quality assurance procedures and efforts to report, track, and monitor issues with our network may not be sufficient to ensure we detect any such defects in a timely manner. For example, in February 2017, a bug in our software code that processes computer information requests was identified. Instead of the requested data, in certain circumstances this bug, which became known as “Cloudbleed,” caused our servers to output data that was not requested. The erroneous data output by our system included, but was not limited to, a portion of our customers’ secure data. There can be no assurance that our software code is or will remain free from actual or perceived errors, failures, vulnerabilities, or bugs, or that we will accurately route or process all requests and traffic on our network. Given the trillions of Internet requests that route through our network on a monthly basis and the large array of Internet properties (e.g., domains, websites, application programming interfaces (APIs), and mobile applications) we service, the impact of any such error, failure, vulnerability, or bug can be large in terms of absolute numbers of affected requests and customers.
Problems with our network or systems, or those of our vendors, contractors, or those with which we have strategic relationships, could result in actual or perceived breaches of our or our customers’ networks and systems or data. Actual or perceived breaches or other security incidents from these or other causes could lead to claims and litigation, indemnity obligations, regulatory audits, proceedings, and investigations and significant legal fees, significant costs for remediation, the expenditure of significant financial resources in efforts to analyze, correct, eliminate, remediate, or work around errors or defects, to address and eliminate vulnerabilities, and to address any applicable legal or contractual obligations relating to any actual or perceived security breach. They could damage our relationships with our existing customers and have a negative impact on our ability to attract and retain new customers. Because our business is focused on providing secure and high performing network services to our customers, we believe that our products and the networks and systems we use in our business could be targets for hackers and others, and that an actual or perceived breach of, or security incident affecting, our networks, systems, or data, could be especially detrimental to our reputation, customer and channel partner confidence in our solution, and our business. Additionally, our products are designed to operate without interruption, including up to a 100% uptime guarantee for our Business and Enterprise plans. If a breach or security incident were to impact the availability of our platform and products, our business, results of operations, and financial condition, as well as our reputation, could be adversely affected.
Any cybersecurity insurance that we carry may be insufficient to cover all liabilities incurred by us in connection with any privacy or cybersecurity incidents or may not cover the kinds of incidents for which we submit claims. For example, insurers may consider cyber attacks by a nation-state as an “act of war” and any associated damages as uninsured. We also cannot be certain that our insurance coverage will be adequate for data handling or data security liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, results of operations, and financial condition, as well as our reputation.
19

Table of contents
Activities of our paying and free customers or the content of their websites and other Internet properties could subject us to liability.
Through our network, we provide a wide variety of products that enable our customers to exchange information, conduct business, and engage in various online activities both domestically and internationally. Our customers represent more than 26 million Internet properties, many of which utilize our free plan. Our customers may use our platform and products in violation of applicable law or in violation of our terms of service or the customer’s own policies. The existing laws relating to the liability of providers of online products and services for activities of their users are highly unsettled and in flux both within the United States and internationally. We are currently and, in the future, may be subject to lawsuits and/or liability arising from the conduct of our customers. Additionally, the conduct of our customers may subject us to regulatory enforcement actions and/or liability. We are a defendant in lawsuits, both in the United States and abroad, seeking injunctive relief and/or damages against us based on content that is made available through our customers’ websites. A number of these lawsuits involve copyright infringement claims, and courts in Italy and Germany recently disagreed with our position and directed us to take action by removing access to content of certain sites on our network. There can be no assurance that we will not face similar litigation in the future or that we will prevail in any litigation we are facing or may face. An adverse decision in one or more of these lawsuits could materially and adversely affect our business, results of operations, and financial condition.
Several U.S. federal statutes may apply to us with respect to various activities of our customers, including: the Digital Millennium Copyright Act (the DMCA), which provides recourse for owners of copyrighted material who believe their rights under U.S. copyright law have been infringed on the Internet; and section 230 of the Communications Decency Act (the CDA), which addresses blocking and screening of content on the Internet. Although these and other similar legal provisions, such as the EU e-Commerce Directive, provide limited protections from liability for service providers like us, those protections may not be interpreted in a way that applies to us, may be amended in the future, or may not provide us with complete protection from liability claims. If we are found not to be protected by the safe harbor provisions of the DMCA, CDA or other similar laws, or if we are deemed subject to laws in other countries that may not have the same protections or that may impose more onerous obligations on us, we may owe substantial damages and our brand, reputation, and financial results may be harmed.
Current and future litigation subjects us to claims for very large potential damages based on a significant number of online occurrences under statutory or other damage theories. Such claims may result in liability that exceeds our ability to pay or our insurance coverage. Even if claims against us are ultimately unsuccessful, defending against such claims will increase our legal expenses and divert management’s attention from the operation of our business, which could materially and adversely impact our business and results of operations.
Policies and laws in this area remain highly dynamic, and we may face additional theories of intermediary liability in various jurisdictions. For example, in 2019, the European Union (the EU) recently approved a copyright directive that will impose additional obligations on online platforms and failure to comply could give rise to significant liability. And other recent laws in Germany (extremist content), Australia (violent content), and Singapore (online falsehoods), as well as other new laws like them, may also expose Internet companies like us to significant liability. We may incur additional costs to comply with these new laws, which may have an adverse effect on our business, results of operations, and financial condition.
Activities of our paying and free customers or the content of their websites or other Internet properties, as well as our response to those activities, could cause us to experience significant adverse political, business, and reputational consequences with customers, employees, suppliers, government entities, and others.
Activities of our paying and free customers or the content of their websites and other Internet properties could cause us to experience significant adverse political, business, and reputational consequences with customers, employees, suppliers, government entities, and other third parties. Even if we comply with legal obligations to remove or disable customer content, we may maintain relationships with customers that others find hostile, offensive, or inappropriate. For example, we experienced significant negative publicity in connection with the use of our network by The Daily Stormer, a neo-Nazi, white supremacist website, around the time of the 2017 protests in Charlottesville, Virginia. We also received negative publicity in connection with the use of our network by 8chan, a forum website that served as inspiration for the 2019 attacks in El Paso, Texas and Christchurch, New Zealand. We are aware of some potential customers that have indicated their decision to not subscribe to our products was impacted, at least in part, by the actions of certain of our paying and free customers. We may also experience other adverse political, business and
20

Table of contents
reputational consequences with prospective and current customers, employees, suppliers, and others related to the activities of our paying and free customers, especially if such hostile, offensive, or inappropriate use is high profile.
Conversely, actions we take in response to the activities of our paying and free customers, up to and including banning them from using our products, may harm our brand and reputation. Following the events in Charlottesville, Virginia, we terminated the account of The Daily Stormer. Similarly, following the events in El Paso, Texas, we terminated the account of 8chan. We received significant adverse feedback for these decisions from those concerned about our ability to pass judgment on our customers and the users of our platform, or to censor them by limiting their access to our products, and we are aware of potential customers who decided not to subscribe to our products because of this.
Although offering a free plan for certain of our products is an important part of our business strategy, we may not be able to realize all of the expected benefits of this strategy and the costs and other detriments associated with our free plan could outweigh the benefits we receive from our free customers.
We have historically offered a free plan for certain of our products. We believe that this strategy is valuable to us and it is an important part of our overall business strategy. However, to the extent that we do not achieve the expected benefits of this strategy, our business may be adversely affected by the costs and detriments of making certain of our products available on a free basis. While we do not receive any revenue from our free customers, we bear incremental expenses and other liabilities as a result of our free customers’ continuing free access to our platform and certain of our products. Adverse political, business, and reputational consequences associated with Internet properties we serve that are perceived as hostile, offensive, or inappropriate may also be disproportionately common among our free customers. The vast majority of our customers do not pay for our products. In addition, a substantial majority of our free customers historically have not converted to paying customers and we expect this will continue in the future.
The actual or perceived failure of our products to block malware or prevent a security breach could harm our reputation and adversely impact our business, results of operations, and financial condition.
Our security products are designed to reduce the threat to our customers posed by malware and other Internet security threats. Our security products may fail to detect or prevent malware or security breaches for any number of reasons. Even where our security products perform as intended, the performance of our security products can be negatively impacted by our failure to enhance, expand, or update our network and products; improper classification of websites by our employees, automated systems, and partners which identify and track malicious websites; improper deployment or configuration of our products; and many other factors.
Companies are increasingly subject to a wide variety of attacks on their networks and systems, including traditional computer hackers; malicious code, such as viruses and worms; distributed denial-of-service attacks; sophisticated attacks conducted or sponsored by nation-states; advanced persistent threat intrusions; ransomware; phishing attacks and other forms of social engineering; employee, vendor, or contractor errors or malfeasance; and theft or misuse of intellectual property or business or personal data, including by disgruntled employees, former employees, or contractors. No security solution, including our products, can address all possible security threats or block all methods of penetrating a network or otherwise perpetrating a security incident. Accordingly, our security products may be unable to detect or prevent a threat until after our customers are impacted. As our products are adopted by an increasing number of enterprises, it is possible that the individuals and organizations behind cyber threats will focus on identifying ways to circumvent or defeat our security products. If our network is targeted by attacks specifically designed to disrupt it, it could create the perception that our security products are not capable of providing adequate security. As a provider of security products, any perceived lack of security to our network or any of our products could erode our customers’ and potential customers’ trust in our platform and products. Moreover, a high-profile security breach of another cloud services provider could cause our customers and potential customers to lose trust in cloud solutions generally, and cloud-based products like ours in particular. Any such loss of trust could materially and adversely impact our ability to retain existing customers or attract new customers.
Our customers must rely on complex network and security infrastructures, which include products and services from multiple vendors, to secure their networks. If any of our customers becomes infected with malware, or experiences a security breach, they could be disappointed with our products, regardless of whether our security products are intended to block the attack or would have blocked the attack if the customer had properly configured our products or their network, or taken other steps within their control. For example, in April 2017, we published details of a web cache deception attack method that exploits the misconfiguration of websites to circumvent reverse-proxy systems
21

Table of contents
such as ours. While the vulnerability associated with this attack method relates to misconfiguration of websites outside of our control, a customer experiencing a security event related to this vulnerability may nevertheless blame us or become dissatisfied with our products as a result. Additionally, if any enterprises that are publicly known to use our platform and products are the subject of a cyber attack that becomes publicized, this could harm our reputation and our current or potential customers may look to our competitors for alternatives to our platform and products.
From time to time, industry or financial analysts and research firms test our platform and related security products against other security products. Our products may fail to detect or prevent threats in any particular test for a number of reasons, including misconfiguration. To the extent potential customers, industry or financial analysts, or testing firms believe that the occurrence of a failure to detect or prevent any particular threat is a flaw or indicates that our products do not provide significant value or provide less value than competitive solutions, our reputation and business could be materially harmed.
Any real or perceived flaws in our network, or any actual or perceived security breaches of our customers, could result in:
a loss of existing or potential customers or channel partners;
delayed or lost sales and harm to our financial condition and results of operations;
a delay in attaining, or the failure to attain, market acceptance of our products;
the expenditure of significant financial resources in efforts to analyze, correct, eliminate, remediate, or work around errors or defects, to address and eliminate vulnerabilities, and to address any applicable legal or contractual obligations relating to any actual or perceived security breach;
negative publicity and damage to our reputation and brand; and
legal claims and demands (including for stolen assets or information, repair of system damages, and compensation to customers and business partners), litigation, regulatory audits, proceedings or investigations, and other liability.
Any of the above results could materially and adversely affect our business, results of operations, and financial condition.
If our global network that delivers our products or the core co-location facilities we use to operate our network are damaged or otherwise fail to meet the requirement of our business, our ability to provide access to our platform and products to our customers and maintain the performance of our network could be negatively impacted, which could cause our business, results of operations and financial condition to suffer.
As of December 31, 2019, we hosted our global network and served our customers from co-location and ISP-partner facilities located in 200 cities and over 90 countries around the world. In addition to these global facilities, much of the infrastructure for our global network and for our business and operations is maintained through a core co-location facility located in the U.S. Pacific Northwest, a second core co-location facility located in Luxembourg that provides certain redundancy to the U.S. core facility, and through a limited number of other U.S. co-location facilities that provide limited subsets of our network support. While we have electronic and, to a lesser extent, physical access to the components and infrastructure of our network and co-location facilities that are hosted by third parties—including ISP-partner facilities—we do not control the operation of these third-party facilities. Consequently, we may be subject to service disruptions as well as failures to provide adequate support for reasons that are outside of our direct control. All of our co-location and ISP-partner facilities and network infrastructure are vulnerable to damage or interruption from a variety of sources including earthquakes; floods; fires; power loss; system failures; computer viruses; physical or electronic break-ins; human error; malfeasance; or interference, including by disgruntled employees, former employees, or contractors; terrorism; and other catastrophic events. Co-location facilities housing our network infrastructure may also be subject to local administrative actions, changes to legal or permitting requirements, labor disputes, and litigation to stop, limit, or delay operations. Despite precautions taken at these facilities, such as disaster recovery and business continuity arrangements, the occurrence of a natural disaster or an act of terrorism, a decision to close the co-location facilities without adequate notice, or other unanticipated problems at these facilities could result in interruptions or delays in the availability of our network and products, impede our ability to scale our operations, or have other adverse impacts upon our business, results of operations, and financial condition.
22

Table of contents
The components of our global network are interrelated, such that disruptions or outages affecting one or more of our network co-location facilities may increase the strain on other components of our network. Concurrent disruptions or outages at a number of our network co-location facilities may lead to a cascading effect in which heightened strain on our network causes further disruptions or outages, particularly within the regions where the disruptions and outages occur. In addition, the failure of any of our core co-location facilities for any significant period of time, particularly our U.S. core co-location facility, could place a significant strain upon the ongoing operation of our business, as we have only limited redundant functionality for these facilities. Such a failure of a core co-location facility could degrade and slow down our network, reduce the functionality of our products for our customers, impact our ability to bill our customers, and otherwise materially and adversely impact our business, reputation, and results of operations.
If our customers’ or channel partners’ access to our platform and products is interrupted or delayed for any reason, our business could suffer.
Any interruption or delay in our customers’ or channel partners’ access to our platform and products will negatively impact our customers. Our customers depend on the continuous availability of our network for the delivery and use of our products, and our products are designed to operate without interruption, including up to 100% uptime guarantee for our Business and Enterprise plans. If all or a portion of our network were to fail, our customers and partners could lose access to the Internet until such disruption is resolved or they deploy disaster recovery options that allow them to bypass our network. The adverse effects of any network interruptions on our reputation and financial condition may be heightened due to the nature of our business and our customers’ expectation of continuous and uninterrupted Internet access and low tolerance for interruptions of any duration. While we do not consider them to have been material, we have experienced, and may in the future experience, network disruptions and other performance problems due to a variety of factors. For example, in July 2019, we deployed an update to our web application firewall and certain aspects of the related software code resulted in excessive consumption of computing resources across our network, resulting in an outage on our network.
The following factors, many of which are beyond our control, can affect the delivery, performance, and availability of our platform and products:
the development, maintenance, and functioning of the infrastructure of the Internet as a whole;
the performance and availability of third-party telecommunications services with the necessary speed, data capacity, and security for providing reliable Internet access and services;
decisions by the owners and operators of the co-location and ISP-partner facilities where our network infrastructure is deployed or by global telecommunications service provider partners who provide us with network bandwidth to terminate our contracts, discontinue services to us, shut down operations or facilities, increase prices, change service levels, limit bandwidth, declare bankruptcy, breach their contracts with us, or prioritize the traffic of other parties;
the occurrence of earthquakes, floods, fires, power loss, system failures, physical or electronic break-ins, acts of war or terrorism, human error or interference (including by disgruntled employees, former employees, or contractors), and other catastrophic events;
cyber attacks targeted at us, facilities where our network infrastructure is located, our global telecommunications service provider partners, or the infrastructure of the Internet;
errors, defects, or performance problems in the software we use to operate our platform and provide our related products to our customers;
our customers’ or channel partners’ improper deployment or configuration of our customer’s access to our platform and products;
the maintenance of the APIs in our systems that our partners use to interact with us;
the failure of our redundancy systems, in the event of a service disruption at one of the facilities hosting our network infrastructure, to redistribute load to other components of our network; and
the failure of our disaster recovery and business continuity arrangements.
23

Table of contents
The occurrence of any of these factors, or our inability to efficiently and cost-effectively fix such errors or other problems that may be identified, could damage our reputation, negatively impact our relationship with our customers, or otherwise materially harm our business, results of operations, and financial condition.
Detrimental changes in, or the termination of, any of our co-location relationships, ISP partnerships, or our other interconnection relationships with ISPs could adversely impact our business, results of operations, and financial condition.
Our relationships with ISP partners and other vendors that provide co-location services for our network infrastructure and the pricing and other material contract terms we have with these vendors are important for the maintenance, development, and expansion of our global network. If any of our co-location agreements were to expire or the pricing and other material terms of these agreements were to worsen, our business, results of operations, and financial condition would be adversely affected unless we were able to find a substitute vendor for the impacted facility on comparable or better terms. Moreover, a significant number of our important co-location agreements are with a single company and if our arrangements with this company were to change in a manner adverse to us, we could face difficulty in maintaining or growing our network on commercially viable terms. In addition, as part of our arrangements with some of our ISP partners, the ISP partner has agreed to host our equipment for free or at a discount to the partner’s customary rate. There can be no assurances that these ISP partners will continue to provide these types of favorable equipment hosting arrangements in the future.
The efficient and effective operation of our network also relies upon a series of mutually beneficial arrangements with other Internet infrastructure companies. These arrangements are often referred to as “peering” or “interconnection” agreements, and allow us and our ISP partners to reduce bandwidth costs related to operating our respective networks. If the underlying competitive, business, or operational incentives supporting these arrangements were to change, we or our partners might terminate these agreements or allow them to expire. Many of our peering or interconnection agreements have a term of three years or less, after which such agreements auto-renew on an annual basis. Changes to the underlying incentive structure of peering arrangements may result from parties seeking to take advantage of an essential position or enter into exclusive arrangements, changes to U.S. or international laws, regulations, policies, or changes in the norms governing the relationships among Internet infrastructure providers. Without favorable peering arrangements, we would incur significantly increased costs to continue to provide our products at their current levels and such increased costs could adversely impact our business, results of operations, and financial condition. To the extent that additional countries begin to regulate peering with outside networks, our costs may increase and our business and results of operations could be adversely impacted.
Abuse or misuse of our internal network services tools could cause significant harm to our business and reputation.
In order to provide real-time support to our customers, we have created internal network services tools that are used by our employees to diagnose and correct customer security, performance, and reliability issues. If our employees were to intentionally abuse these tools by interfering with or altering our customers’ Internet properties, our customers could be significantly harmed. Our employees’ inadvertent misuse of these tools could similarly harm our customers. For example, third parties have in the past attempted to induce our employees to use their administrative access to reveal, remove, or disable our customers’ information and content, including by submitting fraudulent law enforcement requests, copyright takedown requests, or other content-based complaints. Any such improper disclosure or removal could significantly and adversely impact our business and reputation. While our tools have been developed only for authorized use by our employees, any unauthorized release of these tools to third parties would represent a significant vulnerability in our products. Accordingly, any abuse or misuse of our network services tools could significantly harm our business and reputation. If it became necessary to further restrict the availability or use of our network services tools by our employees in response to any abuse or misuse, our ability to deliver high-quality and timely customer support could be harmed.
We may choose to make public disclosures of negative events about our network, systems, and products when we are not otherwise required by applicable law and those disclosures could materially and adversely impact our business, reputation, and results of operations.
In the past we have been, and in the future we expect to be, transparent about our network, systems, and products with our customers and the public in general. We believe that being rigorously and promptly transparent is an essential part of maintaining trust with our customers. At times, this transparency may result in us publicly disclosing
24

Table of contents
information regarding negative events about our network, systems, and products in circumstances where we may not be required to do so by applicable law. If and when we choose to make these types of non-legally required public disclosures, we may suffer reputational damage, loss of business, litigation, indemnity obligations, damages for contract breach, penalties for violation of applicable laws or regulations, significant costs for remediation, and other liabilities that could materially and adversely impact our business, reputation, and results of operations.
Our network presence within China is dependent upon our commercial relationship with Baidu, and any detrimental changes in, or the termination of, that relationship could jeopardize our ability to offer an integrated global network that includes China.
We believe our offering of an integrated global network that includes facilities in China is important to our existing and potential future customers. Our ability to continue to offer an integrated network presence that includes China currently is dependent on our commercial relationship with an affiliate of Baidu. Regulation of Internet infrastructure and traffic by the Chinese government creates challenges to the peering of Chinese and non-Chinese networks. We have a strategic agreement with Baidu to provide a solution that accommodates the requirements imposed by Chinese regulations through Baidu’s development and operation of facilities in China that are included as part of our network. We have needed to periodically negotiate extensions to our existing agreement with Baidu and there can be no assurance that future extensions will be available on comparable terms. The term of our current agreement with Baidu expires at the end of 2020, but is subject to earlier termination by either party under certain circumstances such as the other party’s material breach. In addition, the agreement with Baidu can be terminated by Baidu under certain circumstances if necessary Chinese governmental approvals are revoked or become limited or impaired or if public law or regulatory action by the Chinese or U.S. government expressly prohibits or materially restricts the collaboration contemplated by the agreement. The risk of such an early termination event may have increased during the current environment of economic trade negotiations and tensions between the Chinese and U.S. governments. Although we have been successful in negotiating extensions of this agreement in the past, we cannot provide any assurance that we will continue to be able to do so in the future if we determine that we would like to continue to extend the agreement. If our commercial relationship with Baidu were terminated, identifying an alternative solution in China could be difficult, time-consuming, and expensive. Even if an alternative solution is identified, we cannot be certain that the economic terms or performance of any such alternative arrangement will be comparable to our existing relationship with Baidu, which could materially negatively impact our financial results and customer satisfaction with such alternative arrangement. A lack of network presence in China would represent a significant loss of utility to many of our customers and could materially harm our business.
Our customers that use our network presence in China through our Baidu commercial relationship are subject to Chinese laws and regulations of Internet infrastructure, traffic, and content. Under our agreement with Baidu, in some circumstances, these customers’ use of our Chinese network presence can be terminated if they violate these laws and regulations. The removal of our customers from our Chinese network presence could result in these customers deciding to terminate their overall relationship with us. In addition, any adverse publicity associated with the removal of some or all of our customers from our Chinese network presence as a result of the application of Chinese laws and regulations could cause us to experience adverse reputational and business consequences.
Our international operations expose us to significant risks, and failure to manage those risks could materially and adversely impact our business.
Historically, we have derived a significant portion of our revenue from outside the United States. We derived 50%, 52%, and 52% of our revenue from our international customers for the years ended December 31, 2019, 2018, and 2017, respectively. We are continuing to adapt to and develop strategies to address international markets and our growth strategy includes expansion into geographies around the world, but there is no guarantee that such efforts will be successful. In addition, our global network includes co-location facilities located in 200 cities and over 90 countries around the world as of December 31, 2019. We expect that our international sales and network activities will continue to grow in the future, as we continue to pursue opportunities in international markets and further grow our network around the world. These international operations will require significant management attention and financial resources and are subject to substantial risks, including:
political, economic, and social uncertainty, including the potential nationalization of key peering partners by foreign governments, potential terrorist activities, and the unknown impact of regional or global health crises, or epidemic or pandemic diseases, such as the coronavirus that originated in China in 2019 and began to spread globally in early 2020;
25

Table of contents
changes in a specific country’s or region’s political or economic conditions, including in the United Kingdom as a result of its withdrawal from the EU, which is often referred to as "Brexit";
unexpected costs for the localization of our products, including translation into foreign languages and adaptation for local practices and regulatory requirements;
greater difficulty in enforcing contracts and accounts receivable collection, and longer collection periods;
reduced or uncertain protection for intellectual property rights in some countries;
greater risk of unexpected changes in regulatory practices, tariffs, and tax laws and treaties, including with respect to our business in China;
greater risk of a failure of foreign employees and channel partners to comply with both U.S. and foreign laws, including antitrust regulations, anti-bribery laws, export and import control laws, and any applicable trade regulations ensuring fair trade practices;
heightened security risks associated with our co-location facilities in high-risk countries and the software code and systems access shared with our service providers located in such countries;
greater risks associated with third-party contractors that we use to install and maintain our hardware in co-location facilities in foreign countries and the limited background checks and screening that we can perform on such service providers;
regulations related to privacy, data protection, security requirements, data localization, or content restriction that could pose risks to our intellectual property, increase the cost of doing business in a country, or create other disadvantages to our business;
changes in laws, regulations, and costs affecting our U.K. operations and local employees due to Brexit;
increased expenses incurred in establishing and maintaining office space and equipment for our international operations;
greater difficulty in identifying, attracting, and retaining local qualified personnel and the costs and expenses associated with such activities;
differing employment practices and labor relations issues, which may make expansion or contraction of our workforce, or changes in the terms of employment, in such countries more costly and time-consuming and subject us to a greater risk of disputes or litigation;
increased regulatory requirements and litigation risk related to the presence of our physical infrastructure in countries around the world;
difficulties in managing and staffing international offices and increased travel, infrastructure, and legal compliance costs associated with operating multiple international locations; and
fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business, particularly the United Kingdom and Singapore where we have large offices and pay employees in local currency.
The expansion of our existing international operations and entry into additional international markets will require significant management attention and financial resources. Our failure to successfully manage our international operations and the associated risks could limit the future growth of our business. In particular, we are exposed to risks in China, which amounts to a significant part of both our short-term and long-term revenue growth plans. Our Chinese operations are substantially dependent on our relationship with Baidu, and due to economic and political challenges in servicing the Chinese market, the loss of this arrangement could have a significant adverse effect on our business and results of operations.
Geo-political events such as Brexit may increase the likelihood of certain of these risks materializing or heighten their impact on us in affected regions. In particular, it is possible that the level of economic activity in the United Kingdom and the rest of Europe will be adversely impacted and that we will face increased regulatory and legal complexities, including those related to tax, trade, data privacy, security, and employee relations, as a result of Brexit. Given the significance of our presence in the United Kingdom, such changes could be particularly costly and disruptive to our operations and business relationships. In addition, heightened use of trade restrictions such as tariffs or prohibitions on technology transfers to achieve diplomatic ends, including with respect to the current
26

Table of contents
environment of economic trade negotiations and tensions between the Chinese and U.S. governments, could impact our ability to conduct our business as planned.
Our business could be adversely impacted by the decision of foreign governments, Internet service providers, or others, to block transmission from Cloudflare IP addresses in order to enforce certain Internet content blocking efforts.
Some of our security products involve making origin IP addresses and other operational assets of our customers more difficult for cyber attackers to target. The evolving design of our platform and products may create challenges for various organizations, including governments, that seek to block certain content based on IP address “black lists” or other mechanisms. This problem is exacerbated by the fact that a single Cloudflare IP address may be used for a number of Internet properties, and the Cloudflare IP used for any one Internet property may change over time. This means that efforts by ISPs to block a single domain name may end up blocking a number of other domains that share that Cloudflare IP address or domains that use that same Cloudflare IP address previously or subsequently. If these challenges become too difficult for those organizations to overcome, they could make the decision to block content in an overbroad manner or block completely websites and other Internet properties that are using our network and/or transmitted using known Cloudflare IP addresses. Some of these blocking efforts would be out of our control once they have been put in place and may limit our ability to provide our products on a fully global basis, which could reduce demand for our products among current or potential customers that are focused on the impacted regions or could otherwise adversely impact our business, results of operations, and financial condition.
We are subject to governmental trade sanctions laws, and export and import controls, that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.
Our business activities are subject to various economic and trade sanctions regulations administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and U.S. export control and similar foreign laws and regulations, including the U.S. Department of Commerce’s Export Administration Regulations (EAR). We incorporate encryption technology into certain of our products, and the encryption products and the underlying technology may be exported outside the United States only with the required export authorizations, including by license, a license exception, or other appropriate government authorizations, including the filing of classification requests or self-classification reports. Further, the U.S. economic sanctions laws and export control laws include restrictions or prohibitions on the sale or supply of most products and services to U.S. embargoed or sanctioned countries, governments, persons, and entities. Even though we take precautions and have implemented policies and practices to assist in compliance, there is a risk that we may not be in full compliance with these laws.
In 2019, we learned that we may have failed to comply with certain U.S. export-related filing and reporting requirements and may have submitted incorrect information to the U.S. government in connection with certain hardware exports. Upon learning of these potential violations and associated export control requirements, we promptly initiated a voluntary internal review and are taking remedial measures to prevent similar export control anomalies from occurring in the future. In May 2019, we submitted an initial voluntary self-disclosure to the Bureau of Industry and Security regarding potential violations of EAR and a voluntary self-disclosure to the Census Bureau regarding potential violations of the Foreign Trade Regulations. In July 2019, we filed the full and complete voluntary self-disclosures. The voluntary self-disclosure to the Census Bureau was completed with no penalties in November 2019. In January 2020, we responded to additional questions from the Bureau of Industry and Security. The voluntary self-disclosure to the Bureau of Industry and Security remains under review.
In May 2019, we submitted an initial voluntary self-disclosure to OFAC related to our non-compliance with certain economic and trade sanctions programs, and we filed the full and complete voluntary self-disclosure to OFAC in July 2019. Specifically, we identified that our products were used by, or for the benefit of, certain individuals and entities included in OFAC’s Specially Designated Nationals and Blocked Persons List, including entities identified in OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions. A small number of these parties made payments to us in connection with their use of our platform. Although we have implemented, and are working to implement additional controls and screening tools designed to prevent similar activity from occurring in the future, there is no guarantee that we will not inadvertently provide our products to additional individuals, entities, or governments prohibited by U.S. sanctions in the future. In January 2020, we responded to additional questions from OFAC. The voluntary self-disclosure remains under review by OFAC.
27

Table of contents
Additionally, we currently provide products to certain OFAC-sanctioned regions based upon general licenses issued by OFAC to engage in such activity. We continue to review the OFAC sanctions and our practices to verify compliance.
These efforts related to export controls and OFAC sanctions could result in negative consequences for us, including costs related to government investigations, financial penalties and harm to our reputation. The impact on us related to these matters could be substantial.
In addition, various countries regulate the import of certain technologies and have enacted or could enact laws that could limit our ability to provide our products and operate our network or could limit our customers’ ability to access or use our platform and products in those countries.
If we are found to have violated the U.S. or foreign laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may be materially and adversely affected through penalties, reputational harm, loss of access to certain markets, loss of customers, or otherwise. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. In addition, changes in our platform, products, or screening process, or changes in export, sanctions, and import laws, could delay the introduction and sale of subscriptions to our products in international markets, prevent customers in certain countries from accessing our platform and products or, in some cases, prevent the provision of our platform and products to certain countries, governments, persons, or entities altogether. Any decrease in our ability to sell our products could materially and adversely affect our business, results of operations, and financial condition.
We face intense and increasing competition, which could adversely affect our business, financial condition, and results of operations.
The markets for our platform and products are intensely competitive and characterized by rapid changes in technology, customer requirements, industry standards, and frequent introductions of new, and improvements of, existing products. Our broad portfolio of products exposes us to competition from a large number of competitors in a number of different markets, including companies and their product and services offerings in, among others, virtual private networks, internal and external firewalls, web security (including web application firewalls and content filtering), distributed denial of service prevention, intrusion detection and prevention, application delivery controls, content delivery networks, domain name systems, advanced threat prevention, and wide area network (WAN) technology.
Our competitors provide both on-premises, appliance-based solutions, and cloud-based services that have functionality similar to our platform and products. We expect competition to increase as other established and emerging companies and start-ups enter the markets for products and solutions for security, performance, and reliability, in particular with respect to cloud-based solutions, as customer requirements evolve and as new products, services, and technologies are introduced. If we are unable to anticipate or effectively react to these competitive challenges, our competitive position could weaken, and we could experience a decline in revenue or our growth rate that could materially and adversely affect our business and results of operations.
Our potential competitors include large companies with substantial infrastructure, such as global telecommunications services provider partners and public cloud providers. These companies could choose to enter the markets for products and solutions for security, performance, and reliability, including by acquiring existing companies, developing their own internal solutions, or establishing cooperative relationships with businesses that may allow them to offer more comprehensive solutions or to offer solutions for lower prices or to adapt more quickly than us to new technologies and customer needs. Additionally, if an increasing portion of web content is housed on another company’s platform or portions of the Internet are otherwise privatized, it could reduce the demand for our products and increase competitive pressure on us. These competitive pressures in our markets or our failure to compete effectively may result in price reductions, fewer subscriptions, reduced revenue and gross margin, increased net losses, and loss of market share.
Our current and potential future competitors include a number of different types of companies, including:
on-premise hardware network vendors, such as Cisco Systems Inc., F5 Networks, Inc., Check Point Software Technologies Ltd., FireEye, Inc., Imperva, Inc., Palo Alto Networks, Inc., Juniper Networks, Inc., and Riverbed Technology, Inc.;
28

Table of contents
point-cloud solution vendors, including cloud security vendors such as Zscaler, Inc. and Cisco Systems Inc. through Umbrella (formerly known as OpenDNS), content delivery network vendors such as Akamai Technologies, Inc., Limelight Networks, Inc., Fastly, Inc., and Verizon Communications Inc. through Edgecast, domain name system vendors services such as Oracle Corporation through DYN, NeuStar, Inc., and UltraDNS Corporation, and cloud SD-WAN vendors; and
traditional public cloud vendors, such as Amazon.com, Inc. through Amazon Web Services, Alphabet Inc. through Google Cloud Platform, Microsoft Corporation through Azure, and Alibaba Group Holding Limited through Alibaba Cloud.
Many of our existing and potential competitors have or could have substantial competitive advantages including, among others:
greater name recognition;
longer operating histories and larger customer bases;
larger sales and marketing budgets and capital resources;
broader distribution and established relationships with partners and customers;
greater customer support resources;
greater resources to make acquisitions and enter into strategic partnerships;
lower labor and research and development costs;
larger and more mature intellectual property rights portfolios;
control of significant technologies, standards, or networks, including operating systems, with which our products must interoperate;
higher or more difficult to obtain security certifications than we possess; and
substantially greater financial, technical, and other resources.
In particular, some of our larger competitors have substantially broader and more diverse product and services offerings, which may allow them to leverage existing commercial relationships, incorporate functionality into existing products, sell products and services with which we compete at zero or negative margins, offer fee waivers and reductions or other economic and non-economic concessions, bundle products and solutions, maintain closed technology platforms, or render our products unable to interoperate with such platforms. If they were to engage in predatory practices, it could harm our existing product offerings or prevent us from creating viable products in other segments of the markets in which we participate. If our competitors are able to exploit their advantages or are able to persuade our customers or potential customers that their products are superior to ours, we may not be able to compete effectively and our business, financial condition, and results of operations may be materially affected.
Our policies regarding user privacy could cause us to experience adverse business and reputational consequences with customers, employees, suppliers, government entities, and other third parties.
As a company, we strive to protect our customers’ privacy consistent with applicable law. Consequently, we generally do not provide personal information about our customers without legal process. From time to time, government entities may also seek our assistance with obtaining information about our customers or could request that we modify our platform and products in a manner to permit access or monitoring. In light of our privacy commitments, we may legally challenge law enforcement requests to provide a feed of content transiting our network, to obtain encryption keys, or to modify or weaken encryption. We may face complaints from individuals who assert we have provided their information improperly to law enforcement or in response to third-party abuse complaints, despite policies we have in place to protect that information. To the extent that we do not provide assistance to or comply with requests from government entities or challenge those requests publicly or in court, we may experience adverse political, business, and reputational consequences. We may also face such adverse political, business, and reputational consequences to the extent that we provide, or are perceived as providing, assistance to government entities that exceeds our legal obligations. For example, we periodically receive requests for information purportedly originating from law enforcement agencies or pursuant to legal process, but which are fraudulent or improper attempts to cause us to reveal customer information. Any such disclosure could significantly and adversely impact our business and reputation.
29

Table of contents
We publish a transparency report on a semi-annual basis to provide details of law enforcement and government requests we receive. Our transparency report also includes a list of certain actions we have not taken in response to law enforcement requests. If we are ever required by law enforcement to take one or more of the actions covered by those disclosures, then we would have to remove the applicable disclosures from our transparency report. Both the publishing of our transparency report and, conversely, the potential narrowing of the list of actions we have not taken in response to law enforcement requests could damage our business and reputation.
If we do not effectively expand, train, and retain our sales force, we may be unable to add new Enterprise plan customers, or increase sales to our existing customers and our business would be adversely affected.
A majority of our revenue in the year ended December 31, 2019 was from Enterprise plan customers that were acquired through our inside and field sales teams. We expect this trend will continue for the foreseeable future. As a result, our financial condition and results of operations are dependent to a significant degree on the ability of our dedicated sales personnel to acquire new contracted customers and expand our relationships with our existing contracted customers. Our sales representatives typically engage in direct interaction with our prospective contracted customers. Increasing our customer base and achieving broader market acceptance of our platform and products will depend, to a significant extent, on our ability to expand and further invest in our sales and marketing operations and activities. There is significant competition for sales personnel with the advanced sales skills and technical knowledge we need. We believe that selling subscriptions to our products requires particularly talented sales personnel that understand both cloud-based and appliance-based solutions, as well as the key differences between them. Our ability to achieve significant growth in revenue in the future will depend, in large part, on our success in recruiting, training, and retaining sufficient numbers of these talented sales personnel in both the United States and international markets. New sales hires require significant training and may take significant time before they achieve full productivity. As a result, our new sales hires and planned sales hires may not become as productive as we would like or as quickly as we expect, and we may be unable to hire or retain sufficient numbers of qualified individuals. As a result of our rapid growth, a large percentage of our sales team is new to our company and inexperienced in selling subscriptions to our products, and therefore these personnel may be less effective than our more seasoned employees. Experienced sales personnel are particularly sought after in our industry and we may have to expend significant resources to retain our most productive sales employees. Even with considerable effort, we may be unsuccessful at retaining our experienced sales employees, which would adversely impact our business, results of operations, and financial condition.
Furthermore, hiring sales personnel in new countries, or expanding our existing presence in the countries in which we currently operate, requires upfront and ongoing expenditures that we may not recover if the sales personnel fail to achieve full productivity or that may be recovered on a more delayed basis than expected. We cannot predict whether, or when or to what extent, our sales will increase as we expand our sales force or how long it will take for sales personnel to become productive. If we are unable to hire, train, and retain a sufficient number of effective sales personnel, or the sales personnel we hire are not successful in obtaining new customers or increasing sales to our existing customer base, our business and future growth prospects will be materially and adversely affected.
If we fail to effectively manage our growth, we may be unable to execute our business plan, maintain high-quality levels of support, ensure the security of our network, adequately address competitive challenges, or maintain our corporate culture, and our business, financial condition, and results of operations would be harmed.
We have recently experienced, and continue to experience, a period of rapid growth. For example, our headcount grew from 540 employees as of December 31, 2017, to 865 employees as of December 31, 2018, to 1,270 employees as of December 31, 2019. We also have offices around the world, including opening offices in Beijing and Munich during 2018, an office in Sydney in January 2019, an office in Lisbon in August 2019, and an office in Kirkland, Washington in January 2020. In addition, we expanded our network into 35, 46, and 17 new cities in 2019, 2018, and 2017, respectively. The number of customers, users, and requests on our network also has increased rapidly in recent years. While we expect to continue to expand our operations and to increase our headcount, network, and products significantly in the future, both domestically and internationally, our growth may not be sustainable. Our growth has placed, and future growth will continue to place, a significant strain on our management and our administrative, operational, and financial infrastructure. Our success will depend in part on our ability to manage this growth effectively, which will require that we continue to improve our administrative, operational, financial, and management systems and controls by, among other things:
30

Table of contents
effectively attracting, training, and integrating a large number of new employees, particularly members of our sales, engineering, and management teams;
ensuring the integrity and security of our network and IT infrastructure throughout the world;
maintaining our corporate culture, which we believe fosters innovation, teamwork, and an emphasis on customer-focused results and contributes to our cost-effective business model;
further improving our key business applications, processes, and IT infrastructure, including our core co-location facilities, to support our business needs;
enhancing our information and communication systems to ensure that our employees and offices around the world are well coordinated and can effectively communicate with each other and our growing base of channel partners, customers, and users;
maintaining high levels of customer support; and
appropriately documenting and testing our IT systems and business processes.
Managing our growth will require significant capital expenditures and allocation of valuable management and employee resources. If we fail to manage our expected growth, the uninterrupted and secure operation of our network and products and key business systems, our corporate culture, our compliance with the rules and regulations applicable to our operations, the quality of our products, and our ability to compete could suffer. Any failure to preserve our culture also could further harm our ability to retain and recruit personnel, innovate and create new products, operate effectively, and execute on our business strategy.
Our quarterly results may fluctuate significantly and may not fully reflect the underlying performance of our business.
Our quarterly results of operations, including, without limitation, our revenue, gross margin, operating margin, profitability, cash flow from operations, and deferred revenue, may vary significantly in the future and period-to-period comparisons of our results of operations may not be meaningful. Accordingly, the results of any one quarter should not be relied upon as an indication of future performance. Our quarterly results of operations may fluctuate as a result of a variety of factors, many of which are outside of our control, and as a result, may not fully reflect the underlying performance of our business. Fluctuation in quarterly results may negatively impact the trading price of our Class A common stock. Factors that may cause fluctuations in our quarterly results of operations include, without limitation:
our ability to attract new paying customers and, to a lesser extent, convert free customers to paying customers;
our ability to retain and upgrade paying customers;
the timing of expenses and recognition of revenue;
the amount and timing of operating expenses related to the maintenance and expansion of our business, operations, and infrastructure, as well as entry into operating and capital leases and co-location, interconnection, and similar agreements related to the expansion of our network;
the timing of expenses related to acquisitions;
any large indemnification payments to our customers or other third parties;
changes in our pricing policies or those of our competitors;
the timing and success of new product feature and service introductions by us or our competitors;
network outages or actual or perceived security breaches;
our involvement in litigation or regulatory enforcement efforts, or the threat thereof;
changes in the competitive dynamics of our industry, including consolidation among competitors;
the length of the sales cycle for our contracted customers;
changes in laws and regulations that impact our business; and
general political, economic, market, and social conditions.
31

Table of contents
For example, the full impact of the coronavirus that originated in China in 2019 and began to spread globally in early 2020 is unknown at this time but could result in material adverse changes in our results of operations for an unknown period of time as the virus and its related political, social, and economic impacts spread.
We rely on our key technical, sales, and management personnel to grow our business, and the loss of one or more key employees or the inability to attract and retain qualified personnel could harm our business.
Our future success is substantially dependent on our ability to attract, retain, and motivate the members of our management team and other key employees throughout our organization, particularly Matthew Prince, our Chief Executive Officer, and Michelle Zatlyn, our Chief Operating Officer. We rely on our leadership team in the areas of operations, security, marketing, sales, support, research and development, and general and administrative functions, and on individual contributors on our research and development team. Although we have entered into employment offer letters with our key personnel, these agreements have no specific duration and constitute at-will employment. We do not maintain key person life insurance policies on any of our employees. The loss of one or more of our executive officers or key employees could seriously harm our business.
To execute our growth plan, we must attract and retain highly qualified personnel. In particular, it is critical for us to attract and retain engineering talent in our fast growing industry. Competition for these personnel in the San Francisco Bay Area, where our headquarters is located, and in London, Singapore, Austin, Texas, and other locations where we maintain offices, is intense, especially for experienced sales professionals and for engineers experienced in designing and developing cloud applications. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. For example, in recent years, recruiting, hiring, and retaining employees with expertise in the cybersecurity industry has become increasingly difficult as the demand for cybersecurity professionals has increased as a result of high-profile cybersecurity attacks on global corporations and governments. Many of the companies with which we compete for experienced personnel have greater resources than we have and may provide higher levels of compensation. In addition, job candidates and existing employees often consider the value of the equity awards they receive in connection with their employment. Volatility or lack of performance in our stock price may affect our ability to attract and retain our key employees. Upon vesting of equity awards, many of our employees have acquired or may soon acquire a substantial amount of personal wealth. This may make it more difficult for us to retain and motivate these employees, and this wealth could affect their decision about whether or not they continue to work for us. Any failure to successfully attract, integrate, or retain qualified personnel to fulfill our current or future needs could materially and adversely affect our business, results of operations, and financial condition.
We believe our long-term value as a company will be greater if we focus on growth, which may negatively impact our profitability.
A significant part of our business strategy is to focus on long-term growth. For example, in the year ended December 31, 2019 we increased our operating expenses to $331.5 million as compared to $234.0 million and $115.9 million in the years ended December 31, 2018 and 2017, respectively. In the year ended December 31, 2019 our net loss increased to $105.8 million from $87.2 million and $10.7 million in the years ended December 31, 2018 and 2017, respectively. As a result, we may continue to operate at a loss or our profitability may be lower than it would be if our strategy were to maximize short-term profitability. Significant expenditures on sales and marketing efforts, and expenditures on growing our platform and expanding our research and development and portfolio of products, each of which we intend to continue to invest in, may not ultimately grow our business or cause long-term profitability. If we are ultimately unable to achieve or improve profitability at the level or during the time frame anticipated by industry or financial analysts and our stockholders, our stock price may decline.
If we are not able to maintain our brand, our business and results of operations may be adversely affected.
We believe that maintaining our reputation as a provider of products with the highest levels of security, performance, and reliability is critical to our relationship with our existing customers and our ability to attract new customers. The successful promotion of our brand will depend on a number of factors, including our record of security, performance, and reliability; our marketing efforts; our ability to continue to develop high-quality features and products for our platform; and our ability to successfully differentiate our products from competitive products and services. Our brand promotion activities may not be successful or yield increased revenue.
Independent industry and financial analysts often provide reviews of our products, as well as those of our competitors. Perception of our offerings in the marketplace may be significantly influenced by these expert reviews.
32

Table of contents
In addition, the difficulty or inability of us to periodically provide certain types of financial information about our business and products requested by industry analysts could adversely impact these analysts’ reviews of our products. If reviews of our products are negative, or less positive than those of our competitors’, our brand may be adversely affected. The performance of our channel partners also may affect our brand and reputation, particularly if customers do not have a positive experience with our channel partners. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our markets become more competitive and we expand into new markets. Expenditures intended to maintain and enhance our brand may not be cost-effective or effective at all. If we do not successfully maintain and enhance our brand, we may have reduced pricing power relative to our competitors, we could lose customers, or we could fail to attract potential new customers or expand sales to our existing customers, all of which could materially and adversely affect our business, results of operations, and financial condition.
We provide service level commitments under our Enterprise plan customer contracts and our Business plan terms of service. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service or allow customers to terminate their subscriptions and our business could suffer.
Our Enterprise plan agreements and our Business plan terms of service typically provide for service level commitments, which contain specifications regarding the availability and performance of our network. In particular, our Enterprise plan subscriptions and our Business plan terms of service include up to a 100% uptime guarantee. Any failure of or disruption to our infrastructure could adversely impact the security, performance, and reliability of our platform and products for our customers. If we are unable to meet our stated service level commitments or if we suffer extended periods of poor performance or unavailability of our platform and products, these customers could seek to bring claims against us or terminate their agreements with us and, in the case of our contracted customers, we may be contractually obligated to provide affected customers with service credits that they may apply against future subscription fees otherwise owed to us, and, in certain cases, refunds of pre-paid and other fees. For example, the June 2019 route leak and the July 2019 outage on our network triggered certain of these types of obligations. The impact of the June 2019 route leak and July 2019 outage did not have a material impact on our results of operations or financial condition; however, other future events like these may materially and adversely impact our results of operations or financial condition. Our revenue, other results of operations, and financial condition could be harmed if we suffer performance issues or downtime that exceeds the service level commitments under our agreements and terms of service with our paying customers.
If our products do not obtain and maintain market acceptance, our ability to grow our business and our results of operations may be adversely affected.
Our products are still evolving and it is difficult to predict customer demand and adoption rates for our product offerings. We believe that our platform and cloud-based products represent a major shift from traditional solutions. Many of our potential customers, particularly large enterprises and government entities, face barriers to adopting our offerings because of their prior investment in, and the familiarity of their IT personnel with, on-premises, appliance-based solutions. As a result, our sales process often involves extensive efforts to educate our customers about our products, particularly as we continue to pursue customer relationships with large organizations. Our customers also expect us to meet voluntary certifications or adhere to standards established by third parties and may demand that they be provided a report from our auditors that we are in compliance. Although we currently have certain certifications such as SOC2 Type 1 and Type 2, SOC3, PCI DSS, and ISO 27001, we may not be successful in continuing to maintain those certifications or in obtaining other certifications. In addition, sales to government entities and other large enterprises may in particular be conditioned upon adherence to the Federal Risk and Authorization Management Program (FedRAMP) and Electronic Identification and Trust Services Regulation standards in the United States and the EU, respectively, and we do not currently have these certifications. The costs of obtaining and maintaining certification pursuant to any of these standards are significant, and any failure to obtain and maintain such certifications for our platform and products could reduce demand for them, which would harm our business, results of operations, and financial condition. To the extent our competitors have, and we do not have, these certifications, we may lose the opportunity to obtain subscriptions from certain potential paying customers.
Despite our efforts, we can provide no assurance that our cloud-based products will obtain market acceptance or that competing products or services based on other cloud-based and/or on-premises technologies will not achieve market acceptance. If we fail to achieve market acceptance of our products or are unable to keep pace with industry changes or obtain necessary product certifications, our ability to grow our business, results of operations, and financial condition will be materially and adversely affected.
33

Table of contents
We may not be able to respond to rapid technological changes or develop new products and features that are attractive to our current and prospective future customers.
The industry in which we compete is characterized by rapid technological change, including frequent introductions of new products and services, evolving industry standards, changing regulations, and the development of novel cyber-attacks by hostile parties, as well as changing customer needs, requirements, and preferences. Our need for continuous innovation is driven not only by competitive forces within our industry but also by our need to out-innovate the highly motivated third parties seeking to breach or compromise our network and those of our customers for economic, political, military, or other purposes.
Our ability to attract new customers and increase revenue from existing customers will depend in significant part on our ability to anticipate and respond effectively to these forces on a timely basis and continue to introduce enhancements to our platform and develop new products. If new technologies emerge that deliver competitive products and services at lower prices, more efficiently, more conveniently, more securely or reliably, or are higher performing, these technologies could render our platform and existing products less attractive to our current and prospective future customers, or obsolete. The development of novel attacks or exploits by criminal or malicious elements or hostile state actors also could render our platform and existing products less effective or obsolete. The success of our business depends on our continued investment in our research and development organization to increase the integrity, reliability, availability, and scalability of our products. We may experience difficulties with development, design, or marketing of such enhancements to our platform and products that could delay or prevent their development, introduction, or implementation. We have in the past experienced delays in the planned expansion of our network and in our internally planned or publicly announced release dates of new products and new features and capabilities, and there can be no assurance that planned expansions of our network will occur on schedule and that new products, features, or capabilities will be released according to schedule. Any delays could result in adverse publicity, loss of revenue or market acceptance, or claims by customers brought against us, all of which could have a material and adverse effect on our reputation, business, results of operations, and financial condition.
Adverse economic conditions, including reduced spending on products and solutions for network security, performance, and reliability, may adversely impact our revenue and profitability.
Our operations and financial performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on products and solutions for network security, performance, and reliability. Our business depends on the overall demand for these products and on the economic health and general willingness of our current and prospective customers to purchase our products. For example, the full impact of the coronavirus that originated in China in 2019 and began to spread globally in early 2020 is unknown at this time but has resulted in an adverse impact on economic conditions in China and other Asian countries, which adverse impact could spread to other countries around the globe as the virus and its political, social, and economic impact spread. Some of our paying customers may view a subscription to our products as a discretionary purchase and may reduce their discretionary spending on our products during an economic downturn. Weak economic conditions, including a reduction in spending on products and solutions for security, performance, and reliability, could reduce sales, lengthen sales cycles, increase churn, and lower demand for our products, any of which could adversely affect our business, results of operations, and financial condition.
Our relatively limited operating history makes it difficult to evaluate our current business and prospects, and may increase the risk that we will not be successful.
Our relatively limited operating history makes it difficult to evaluate our current business and prospects, and to plan for our anticipated future growth. We began operations in 2010 and much of our growth has occurred in recent years. As a result, our business model has not been fully proven, which subjects us to a number of uncertainties, including our ability to plan for and model future growth. While we have continued to expand our network and develop additional reliability products, we have encountered, and will continue to encounter, risks and uncertainties frequently experienced by rapidly growing companies in developing industries, including our ability to achieve broad market acceptance of our products, attract additional customers, identify and grow partnerships, withstand increasing competition in our existing and future markets, and manage increasing expenses as we continue to grow our business. If our assumptions regarding these risks and uncertainties are incorrect or change in response to changes in the markets for products and solutions for network security, performance, and reliability, our business could suffer and our results of operations and financial condition could differ materially from our expectations.
34

Table of contents
We have limited experience with our pricing models, and may not accurately predict the long-term rate of paying customer adoption or renewal, or the impact these will have on our revenue or results of operations.
We generate revenue primarily from subscriptions to our platform and products. We offer subscription plans that provide varying degrees of functionality, and also offer separate subscriptions to various add-on products and platform functionality. We have limited experience with respect to determining the optimal prices and pricing models for our subscription plans and products, particularly with respect to our newer products and solutions such as our recently announced Cloudflare for Teams suite of products. As the markets for our products mature, as we enter into newer product markets for our business, or as new competitors introduce new products or services that compete with ours, we may be unable to attract new customers or retain existing customers at the same price or based on the same pricing model as we have used historically. Moreover, our increasing focus on larger customers may lead to greater price concessions in the future or have a more significant impact period to period on our revenue and results of operations. As a result, in the future we may be required to reduce our prices, which could adversely affect our revenue, gross margin, profitability, financial condition, and cash flow.
We also have limited experience in determining which products and functionality to offer as part of our subscription plans and which to offer as add-on products. Our limited experience in determining the optimal manner in which to bundle our various products and functionalities could reduce our ability to capture the value delivered by our offerings, which could adversely impact our business, results of operations, and financial condition.
As we expand our sales to large customers, our sales cycle could lengthen and become unpredictable.
Historically, the implementation period to start using our products has been short, with most customers under our pay-as-you-go plans implementing usage of our products within a matter of minutes and our sales cycle for customers under our Enterprise plan typically lasting less than one quarter. As our business evolves, we are investing more resources into sales efforts directed to larger enterprises. These larger enterprises may undertake a significant evaluation and negotiation process, which could lengthen our sales cycle materially. The timing of sales to large customers can be more difficult to predict because of the length and unpredictability of the sales cycle for these customers. Our sales efforts typically involve educating our prospective large customers about the uses, benefits, and value proposition of our platform and products. Potential large customers often view the subscription to our products as a significant strategic decision and, as a result, in some cases require considerable time to evaluate, test, and qualify our platform and products prior to entering into or expanding a relationship with us.
Our sales force develops relationships directly with our customers and our channel partners on account penetration, account coordination, sales, and overall market development. We spend substantial time and resources on our sales efforts without any assurance that our efforts will produce a sale. Subscriptions to our products often are subject to budget constraints, multiple approvals, and unanticipated administrative, processing, and other delays. As a result, it is difficult to predict whether or when a sale to a prospective large customer will be completed and when revenue from a subscription will be recognized.
Sales to large customers involve risks that may not be present, or that are present to a lesser extent, with sales to smaller customers, including:
competition from companies that traditionally target larger enterprises and that may have pre-existing relationships or purchase commitments from such customers;
longer evaluation periods, more detailed evaluations, and more cumbersome contract negotiation and approval processes;
increased purchasing power and leverage in negotiating contractual arrangements with us;
requirements for more technically complex configurations, integrations, deployments, or features;
more stringent requirements in our support obligations; and
longer sales cycles and the associated risk that substantial time and resources may be spent on a potential customer that elects not to purchase our products.
These additional risks also can potentially act as a disincentive to our sales team’s pursuit of these large customers. As a result, sales to large customers may lead to greater unpredictability in our business, results of operations, and financial condition. If our sales efforts are not successful or cost-effective, we could lose other sales opportunities or incur expenses that are not offset by an increase in revenue, either of which could harm our business.
35

Table of contents
Our growth depends, in part, on the success of our strategic relationships with third parties.
To grow our business, we anticipate that we will continue to depend on relationships with third parties, such as channel partners. Identifying partners, negotiating and documenting relationships with them, and maintaining APIs that some of our partners use to interact with our business, each require significant time and resources. Our competitors may be effective in providing incentives to third parties to favor their products or services over subscriptions to our products. In addition, acquisitions of such partners by our competitors could result in a decrease in the number of our current and potential customers, as these partners may no longer facilitate the adoption of our applications by potential customers. Further, some of our partners are or may become competitive with certain of our products and may elect to no longer integrate with our platform and products. If we are unsuccessful in establishing or maintaining our relationships with third parties, our ability to compete in the marketplace or to grow our revenue could be impaired, and our results of operations may suffer. Even if we are successful, we cannot assure you that these relationships will result in increased customer usage of our products or increased revenue.
Our ability to maintain customer satisfaction depends in part on the quality of our customer support. Failure to maintain high-quality customer support could have an adverse effect on our business, results of operation, and financial condition.
We believe that the successful use of our platform and products requires a high level of support and engagement for many of our customers, particularly our large customers. In order to deliver appropriate customer support and engagement, we must successfully assist our customers in deploying and continuing to use our platform and products, resolving performance issues, addressing interoperability challenges with the customers’ existing IT infrastructure, and responding to security threats and cyber attacks and performance and reliability problems that may arise from time to time. The IT architecture of our contracted customers, particularly the larger organizations, is very complex and may require high levels of focused support to effectively utilize our platform and products. Because our platform and products are designed to be highly configurable and to rapidly implement customers’ reconfigurations, customer errors in configuring our platform and products can result in significant disruption to our customers. Our support organization faces additional challenges associated with our international operations, including those associated with delivering support, training, and documentation in languages other than English. Increased demand for customer support, without corresponding increases in revenue, could increase our costs and adversely affect our business, results of operations, and financial condition.
We also rely on channel partners in order to provide frontline support to some of our customers, including in regions where we do not have a significant physical presence or the customers primarily speak languages other than English. If our channel partners do not provide support to the satisfaction of our customers, we may be required to hire additional personnel and to invest in additional resources in order to provide an adequate level of support, generally at a higher cost than that associated with our channel partners. There can be no assurance that we will be able to hire sufficient support personnel as and when needed, particularly if our sales exceed our internal forecasts. To the extent that we are unsuccessful in hiring, training, and retaining adequate support resources, our ability to provide high-quality and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our platform and products could be adversely affected. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality customer support, could adversely affect our reputation, business, results of operations, and financial condition, particularly with respect to our large customers.
If our platform and products do not interoperate with our customers’ internal networks and infrastructure or with third-party products, websites, or services, our network may become less competitive and our results of operations may be harmed.
Our platform and products must interoperate with our customers’ existing internal networks and infrastructure. These complex internal systems are developed, delivered, and maintained by the customer and a myriad of vendors and service providers. As a result, the components of our customers’ infrastructure have different specifications, rapidly evolve, utilize multiple protocol standards, include multiple versions and generations of products, and may be highly customized. We must be able to interoperate and provide products to customers with highly complex and customized internal networks, which requires careful planning and execution between our customers, our customer support teams and, in some cases, our channel partners. Further, when new or updated elements of our customers’ infrastructure or new industry standards or protocols are introduced, we may have to update or enhance our network to allow us to continue to provide our products to customers. Our competitors or other vendors may refuse to work with us to allow their products to interoperate with our platform and products, which could make it difficult for
36

Table of contents
our platform and products to function properly in customer internal networks and infrastructures that include these third-party products.
We may not deliver or maintain interoperability quickly or cost-effectively, or at all. These efforts require capital investment and engineering resources. If we fail to maintain compatibility of our platform and products with our customers’ internal networks and infrastructures, our customers may not be able to fully utilize our platform and products, and we may, among other consequences, lose or fail to increase our market share and number of customers and experience reduced demand for our products, which would materially harm our business, results of operations, and financial condition.
Because we provide some of our products through a reverse-proxy, which is a network arrangement in which Internet user requests initially are directed to our network’s servers rather than those of our customers, the source of some traffic may be difficult to ascertain. When they cannot identify the source of the traffic, some governments, third-party products, websites, or services may block our traffic or blacklist our IP addresses. If our customers experience significant instances of traffic blockages, they will experience reduced functionality or other inefficiencies, which would reduce customer satisfaction with our platform and products and likelihood of renewal.
We rely on a limited number of suppliers for certain components of the equipment we use to operate our network and any disruption in the availability of these components could delay our ability to expand or increase the capacity of our global network or replace defective equipment.
We rely on a limited number of suppliers for several components of the equipment we use to operate our network and provide products to our customers. Our reliance on these suppliers exposes us to risks, including reduced control over production costs and constraints based on the then current availability, terms, and pricing of these components. For example, we generally rely on a single source to purchase the servers that we use in our network and we ordinarily purchase these components on a purchase-order basis, without any long-term contracts guaranteeing supply. While the network equipment and servers we purchase generally are commodity equipment and we believe an alternative supply source for servers on substantially similar terms could be identified quickly, our business could be adversely affected until those efforts were completed. In addition, the technology equipment industry has experienced component shortages and delivery delays in the past, and we may experience shortages or delays, including as a result of natural disasters, increased demand in the industry, or our suppliers lacking sufficient rights to supply the components in all jurisdictions in which we have co-location facilities that support our global network. For example, the coronavirus that originated in China in 2019 and began to spread globally in early 2020 could result in disruptions and delays for these components. If our supply of certain components is disrupted or delayed, there can be no assurance that additional supplies or components can serve as adequate replacements for the existing components or that supplies will be available on terms that are favorable to us, if at all. Any disruption or delay in the supply of our hardware components may delay the opening of new co-location facilities, limit capacity expansion or replacement of defective or obsolete equipment at existing co-location facilities, or cause other constraints on our operations that could damage our customer relationships.
Our business could be adversely impacted by changes in Internet access for our customers or laws specifically governing the Internet.
Our network performance and reliability depends on the quality of our customers’ access to the Internet. Certain features of our network require significant bandwidth and fidelity to work effectively. Internet access is frequently provided by companies that have significant market power that could take actions that degrade, disrupt, or increase the cost of user access to our network, which would negatively impact our business. We could incur greater operating expenses and our customer acquisition and retention could be negatively impacted if other network operators:
implement usage-based pricing;
discount pricing for competitive products;
otherwise materially change their pricing rates or schemes;
charge us to deliver our traffic at certain levels or at all;
throttle traffic based on its source or type;
implement bandwidth caps or other usage restrictions; or
37

Table of contents
otherwise try to monetize or control access to their networks.
In addition, there are various laws and regulations that could impede the growth of the Internet or online services, and new laws and regulations may be adopted in the future. These laws and regulations could involve interconnection and network management; taxation; tariffs; privacy; data protection; content; copyrights; distribution; electronic contracts and other communications; consumer protection; and requirements for the characteristics and quality of services, any of which could decrease the demand for, or the usage of, our products. Legislators and regulators may make legal and regulatory changes, or interpret and apply existing laws, in ways that require us to incur substantial costs, expose us to unanticipated civil or criminal liability, or cause us to change our business practices. If these changes are implemented, it could have an adverse and negative impact on our business. In addition, we may be banned from providing our products in certain countries, which would prevent our ability to grow our business in such markets and would also have a detrimental impact on the performance and scope of our network. These changes or increased costs could materially harm our business, results of operations, and financial condition.
Failure to comply with laws and regulations applicable to our business could subject us to fines and penalties and could also cause us to lose customers or otherwise harm our business.
Our business is subject to regulation by various federal, state, local, and foreign governmental agencies, including agencies responsible for monitoring and enforcing compliance with various legal obligations, such as privacy and data protection laws and regulations, intellectual property laws, employment and labor laws, workplace safety, environmental laws, consumer protection laws, anti-bribery laws, governmental trade sanctions laws, import and export controls, anti-corruption and anti-bribery laws, federal securities laws, and tax laws and regulations. In certain jurisdictions, these regulatory requirements may be more stringent than in the United States. These laws and regulations impose added costs on our business. Noncompliance with applicable regulations or requirements could subject us to:
investigations, enforcement actions, and sanctions;
mandatory changes to our network and products;
disgorgement of profits, fines, and damages;
civil and criminal penalties or injunctions;
claims for damages by our customers or channel partners;
termination of contracts;
loss of intellectual property rights; and
temporary or permanent debarment from sales to government organizations.
If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be adversely affected. In addition, responding to any action will likely result in a significant diversion of our management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could materially harm our business, results of operations, and financial condition.
Additionally, companies in the technology industry have recently experienced increased regulatory scrutiny. Any reviews by regulatory agencies or legislatures may result in substantial regulatory fines, changes to our business practices, and other penalties, which could negatively affect our business and results of operations. Changes in social, political, and regulatory conditions or in laws and policies governing a wide range of topics may cause us to change our business practices. Further, our expansion into a variety of new fields also could raise a number of new regulatory issues. These factors could negatively affect our business and results of operations in material ways.
Our actual or perceived failure to comply with privacy, data protection, and information security laws, regulations, and obligations could harm our business.
We receive, store, use, and otherwise process personal information and other information relating to individuals. There are numerous federal, state, local, and international laws and regulations regarding privacy, data protection, information security, and the storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other content, the scope of which are changing, subject to differing interpretations, and may be
38

Table of contents
inconsistent among jurisdictions, or conflict with other rules. These data protection and privacy-related laws and regulations are evolving and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. For example, the EU’s General Data Protection Regulation (the GDPR), in effect since May 25, 2018, imposes more stringent data protection requirements than previously effective EU data protection law and provides for penalties for noncompliance of up to the greater of €20 million or four percent of worldwide annual revenues. Additionally, Brexit has created additional uncertainty with regard to the regulation of data protection in the United Kingdom. In particular, although the United Kingdom has enacted a Data Protection Act that is designed to be consistent with the GDPR, it is unclear how data transfers to and from the United Kingdom will be regulated after Brexit. In addition, the California Consumer Privacy Act (the CCPA) went into effect on January 1, 2020. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and afford such consumers new abilities to access and delete their personal information, and to opt-out of certain sales of personal information. The California Attorney General is expected to issue regulations implementing the CCPA in the spring of 2020, and it remains unclear how significantly these regulations will impact covered companies’ CCPA compliance efforts already in place or underway. There is also an effort by a privately funded citizen group to further change the CCPA by introducing a new initiative to appear on the November 2020 California ballot called the California Privacy Rights and Enforcement Act. We cannot yet predict the impact of the CCPA and its implementing regulations on our business or operations, but it may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply.
We are also subject to the terms of our privacy policies and contractual obligations to third parties related to privacy, data protection, and information security. We strive to comply with applicable laws, regulations, policies, and other legal obligations relating to privacy, data protection, and information security to the extent possible. However, the regulatory framework for privacy and data protection worldwide is, and is likely to remain, uncertain for the foreseeable future, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices.
We also expect that there will continue to be new laws, regulations, and industry standards concerning privacy, data protection, and information security proposed and enacted in various jurisdictions. For example, in the United States, various laws and regulations apply to the collection, processing, disclosure and security of certain types of data, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and state laws relating to privacy and data security. Additionally, there are a number of proposed U.S. federal and state privacy and data protection bills under consideration in Congress and state legislatures across the country.
Any failure or perceived failure by us to comply with our privacy policies, our privacy-related obligations to customers or other third parties, applicable laws or regulations, or any of our other legal obligations relating to privacy, data protection, or information security may result in governmental investigations or enforcement actions, litigation, claims, or public statements against us by consumer advocacy groups or others and could result in significant liability or cause our customers to lose trust in us, which could cause them to cease or reduce use of our products and otherwise have an adverse effect on our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the adoption and use of, and reduce the overall demand for, our products.
Additionally, if third parties we work with, such as sub-processors, vendors, or developers, violate applicable laws or regulations, contractual obligations, or our policies—or if it is perceived that such violations have occurred—such actual or perceived violations may also have an adverse effect on our business. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, disclosure, or other processing of users’ content, or regarding the manner in which the express or implied consent of users for the collection, use, retention, disclosure, or other processing of such content is obtained, could increase our costs and require us to modify our network, products, and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and process customer data or develop new products and features.
We are subject to anti-corruption, anti-bribery, and similar laws, and noncompliance with such laws can subject us to criminal penalties or significant fines and harm our business and reputation.
We are subject to the U.S. Foreign Corrupt Practices Act of 1977, the UK Bribery Act 2010, and other anti-corruption, anti-bribery, anti-money laundering, and similar laws in the United States and other countries in which we conduct activities. Anti-corruption and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees and agents from promising, authorizing, making, or
39

Table of contents
offering improper payments or other benefits to government officials and others in the public sector. We leverage third parties, including channel partners, to sell subscriptions to our products, host many of our co-location facilities for our network, and conduct our business abroad. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of our business partners and intermediaries, our employees, representatives, contractors, channel partners and agents, even if we do not explicitly authorize such activities. Further, some of our international sales activity occurs, and some of our network infrastructure is located, in parts of the world that are recognized as having a greater potential for business practices that violate anti-corruption, anti-bribery, or similar laws.
We cannot assure you that all of our employees and agents have complied with, or in the future will comply with, our policies and applicable law. As we continue to increase our international sales and business and expand our network globally, our risks under these laws may increase. The investigation of possible violations of these laws, including internal investigations and compliance reviews that we may conduct from time to time, could have a material adverse effect on our business. Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts and other contracts, other enforcement actions, the appointment of a monitor, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage and other consequences. Other internal and government investigations, regulatory proceedings, or litigation, including private litigation filed by our stockholders, may also follow as a consequence. Any investigations, actions, or sanctions could materially harm our reputation, business, results of operations, and financial condition. Further, the promulgation of new laws, rules or regulations or new interpretations of current laws, rules or regulations could impact the way the we do business in other countries, including requiring us to change certain aspects of our business to ensure compliance, which could reduce revenue, increase costs, or subject us to additional liabilities.
We may face fines, penalties, or other costs, either directly or vicariously, if any of our partners, resellers, contractors, vendors or other third parties fail to adhere to their compliance obligations under our policies and applicable law.
We use a number of third parties to perform services or act on our behalf in areas like sales, network infrastructure, administration, research, and marketing. It may be the case that one or more of those third parties fail to adhere to our policies or violate applicable federal, state, local, and international laws, including but not limited to, those related to corruption, bribery, economic sanctions, and export/import controls. Despite the significant challenges in asserting and maintaining control and compliance by these third parties, we may be held fully liable for third parties’ actions as fully as if they were a direct employee of ours. Such liabilities may create harm to our reputation, inhibit our plans for expansion, or lead to extensive liability either to private parties or government regulators, which could adversely impact our business, results of operations, and financial condition.
We are currently, and may be in the future, party to intellectual property rights claims and other litigation matters that, if resolved adversely, could have a material impact on our business, results of operations, or financial condition.
We own a large number of patents, copyrights, trademarks, domain names, and trade secrets and, from time to time, are subject to litigation based on allegations of infringement, misappropriation, or other violations of intellectual property or other rights. As we face increasing competition and gain an increasingly high profile, the possibility of intellectual property rights claims, commercial claims, and other assertions against us grows. In addition, a number of companies in our industry hold a large number of patents and also protect their copyright, trade secret, and other intellectual property rights, and companies in the networking and security industry frequently enter into litigation based on allegations of patent infringement or other violations of intellectual property rights. We have in the past been, are currently, and may from time to time in the future become, a party to litigation and disputes related to intellectual property, our business practices, and our products. For example, we are a defendant in lawsuits, both in the United States and abroad, seeking injunctive relief and/or damages against us based on content that is made available through our customers’ websites, and a number of these lawsuits involve copyright infringement claims. We may also be subject to governmental and other regulatory investigations from time to time. The costs of supporting litigation and dispute resolution proceedings are considerable, and there can be no assurances that a favorable outcome will be obtained. Disputes, whether or not favorably resolved, may generate negative publicity and damage our reputation. We may need to settle litigation and disputes on terms that are unfavorable to us, or we may be subject to an unfavorable judgment that may not be reversible upon appeal. The terms of any settlement or
40

Table of contents
judgment may require us to cease some or all of our operations or pay substantial amounts to the other party. With respect to any intellectual property rights claim, we may have to seek a license to continue practices found to be in violation of third-party rights, which may not be available on reasonable terms and may significantly increase our operating expenses. A license to continue such practices may not be available to us at all, and we may be required to develop alternative non-infringing technology or practices or discontinue the practices. The development of alternative, non-infringing technology or practices could require significant effort and expense. Our business, results of operations, and financial condition could be materially and adversely affected as a result.
Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
Our agreements with certain of our customers or other third parties may include indemnification or other provisions under which we agree to indemnify or otherwise be liable to them for losses suffered or incurred as a result of claims of intellectual property infringement, damages caused by us to property or persons, or other liabilities relating to or arising from the use of our platform or other acts or omissions. The term of these contractual provisions often survives termination or expiration of the applicable agreement. We have in the past been sued on the basis of alleged violation of intellectual property rights in the form of patents and trade secrets. Although we were successful in defending the claims to date, as we continue to grow, the possibility of these and other intellectual property rights claims against us may increase. For any intellectual property rights indemnification claim against us or our customers, we may incur significant legal expenses and have to pay damages, pay license fees and/or stop using technology found to be in violation of the third party’s rights. Large indemnity payments could harm our business, results of operations, and financial condition. We may also have to seek a license for the disputed technology. Such license may not be available on reasonable terms, if at all, and may significantly increase our operating expenses or may require us to restrict our business activities and limit our ability to deliver certain products. As a result, we may also be required to develop alternative non-infringing technology, which could require significant effort and expense and/or cause us to alter our platform, which could negatively affect our business.
From time to time, customers require us to indemnify or otherwise be liable to them for breach of confidentiality, violation of applicable law, or failure to implement adequate security measures with respect to their data stored, transmitted, or accessed using our platform. Our standard Enterprise plan agreements provide limited indemnification to our customers based on third-party claims related to our violation of intellectual property rights, and some of our Enterprise plan agreements offer indemnification for claims beyond that scope. The existence of such a dispute may have adverse effects on our customer relationship and reputation and we may still incur substantial liability related to them.
Any assertions by a third party, whether or not successful, with respect to such indemnification obligations could subject us to costly and time-consuming litigation, expensive remediation and licenses, divert management attention and financial resources, harm our relationship with that customer and other current and prospective customers, reduce demand for our products, and harm our brand, business, results of operations, and financial condition.
Our failure to protect our intellectual property rights and proprietary information could diminish our brand and other intangible assets.
We rely and expect to continue to rely on a combination of patent, patent licenses, trade secret, domain name protection, trademarks, copyrights, and confidentiality and license agreements with our employees, consultants, and third parties in order to protect our intellectual property and proprietary rights. As of December 31, 2019, we had over 110 issued patents and over 70 pending patent applications in the United States and abroad. However, third parties may knowingly or unknowingly infringe our proprietary rights. Third parties may challenge our proprietary rights, pending and future patent, trademark, and copyright applications may not be approved, and we may not be able to prevent infringement without incurring substantial expense. We have also devoted substantial resources to the development of our proprietary technologies and related processes, and we provide access to these technologies and processes to certain of our vendors and partners, including Baidu with respect to the facilities included within our network in China. We must protect this proprietary information in order to realize commercial benefit from our investment.
In order to protect our proprietary technologies and processes, we rely in part on trade secret laws and confidentiality agreements with our employees, consultants, and third parties. These agreements may not effectively prevent disclosure of confidential information and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. In addition, others may independently discover our trade secrets or develop
41

Table of contents
similar technologies and processes, in which case we would not be able to assert trade secret rights against them. Laws in certain jurisdictions may afford little or no trade secret protection, and any changes in, or unexpected interpretations of, the intellectual property laws in any country in which we operate may compromise our ability to enforce our intellectual property rights. We may not be effective in policing unauthorized use of our intellectual property rights, and even if we do detect violations, costly and time-consuming litigation could be necessary to enforce and determine the scope of our proprietary rights, and any such litigation could be unsuccessful, lead to the invalidation of our proprietary rights, or lead to counterclaims by other parties against us. If the protection of our proprietary rights is inadequate to prevent use or appropriation by third parties, the value of our platform, brand, and other intangible assets may be diminished and competitors may be able to more effectively replicate our platform and its features. Any of these events could materially and adversely affect our business, results of operations, and financial condition.
We depend and rely upon software and technologies licensed from third parties to operate our business, and interruptions or the unavailability of these technologies may adversely affect our products, network, business, and results of operations.
We rely on software, services, and other technology from third parties that we incorporate into, or integrate with, our platform and products. We also rely on software, services, and other technology from third parties in order to operate critical functions of our business, including enterprise resource planning and customer relationship management services. If the software, services, or other technology we rely on become unavailable due to extended outages, the third-party provider disabling our access, expiration or termination of licenses, or because they are otherwise no longer available on commercially reasonable terms, our expenses could increase, and our ability to operate our network, provide our products, and our results of operations could be impaired until equivalent software, technology, or services are obtained or replacements are developed, all of which could adversely affect our business.
If we are unable to license necessary technology from third parties now or in the future, we may be forced to acquire or develop alternative technology, which we may be unable to do in a commercially feasible manner or at all, and we may be required to use alternative technology of lower quality or performance. This could limit and delay our ability to offer new or competitive products and increase our costs of production. As a result, our business and results of operations could be significantly harmed.
We cannot be certain that those from whom we license software and other technology are not infringing the intellectual property rights of third parties or have sufficient rights to the licensed intellectual property in all jurisdictions in which we may sell our products. Accordingly, our use of this intellectual property may expose us to third-party claims of infringement. In addition, many licenses are non-exclusive and may not prevent our competitors from licensing the same technology on equivalent or more favorable terms.
Some of our technology incorporates “open source” software, we license some of our software through open source projects and we voluntarily make available some of our software on an open source basis, which could negatively affect our ability to sell our products, subject us to possible litigation, and be used by other companies to compete against us.
Our platform and products incorporate software licensed under open source licenses, including open source software included in software we receive from third-party commercial software vendors. Use of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide support, updates, or warranties, or other contractual protections regarding infringement claims or the quality of the software. In addition, the wide availability of source code incorporated in our products could allow hostile parties to more easily identify security vulnerabilities in our platform and products. The terms of some open source licenses may provide that under certain conditions we could be required to release the source code of our proprietary software, and to make our proprietary software available under open source licenses, including authorizing further modification and redistribution. In the event that certain portions of our proprietary software are determined to be subject to such requirements by an open source license, we could be required to publicly release the affected portions of our source code, re-engineer all or a portion of our network or applicable products, or otherwise be limited in the licensing of our products, each of which provide an advantage to our competitors or other entrants to the market, create security vulnerabilities in our products, and could reduce or eliminate the value of our products. Because the terms of open source licenses are novel and have not been widely interpreted by courts, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software or by third parties seeking to enforce the terms of open source licenses against us in a manner we do not anticipate. In
42

Table of contents
addition, we voluntarily make available certain portions of our software on an open source basis to the public and such software could then be used by other companies to compete against us.
Any unanticipated disclosure of, or litigation regarding, our source code and any open source software incorporated into our source code could result in adverse judgments and liabilities, require us to reengineer all or a portion of our platform and products, limit the marketing of our products, provide an advantage to our competitors or other entrants to the market, create new security vulnerabilities or highlight existing security vulnerabilities in our platform and products, and reduce or eliminate the value of our platform and products. We cannot assure you that our processes for controlling our use of open source software in our platform and products will be effective.
Our business depends, in part, on sales to U.S. and foreign government organizations, which are subject to a number of challenges and risks.
We derive a portion of our revenue from contracts with government organizations, and we believe the success and growth of our business will in part depend on adding additional public sector customers. However, demand from government organizations is often unpredictable, and we cannot assure you that we will be able to maintain or grow our revenue from the public sector. Sales to government entities are subject to substantial additional risks that are not present in sales to other customers, including:
selling to government agencies can be more highly competitive, expensive, and time-consuming than sales to other customers, often requiring significant upfront time and expense without any assurance that such efforts will generate a sale;
U.S., European, or other government certification and audit requirements potentially applicable to our network, including the FedRAMP in the U.S., are often difficult and costly to obtain and maintain, and failure to do so will restrict our ability to sell to government customers;
government demand and payment for our products may be impacted by public sector budgetary cycles, funding authorizations, or government shutdowns;
governments routinely investigate and audit government contractors’ administrative processes and any unfavorable audit could result in fines, civil or criminal liability, further investigations, damage to our reputation, and debarment from further government business;
governments often require contract terms that differ from our standard customer arrangements, including terms that can lead to those customers obtaining broader rights in our products than would be expected under a standard commercial contract and terms that can allow for early termination; and
governments may demand better pricing terms and public disclosure of such pricing terms, which may harm our ability to negotiate pricing terms with our non-government customers.
In addition, we must comply with laws and regulations relating to the formation, administration, and performance of contracts with the public sector, including U.S. federal, state, and local governmental organizations, which affect how we and our channel partners do business with governmental agencies. Selling our products to the U.S. government, whether directly or through channel partners, also subjects us to certain regulatory and contractual requirements. Failure to comply with these requirements by either us or our channel partners could subject us to investigations, fines, and other penalties, which could have an adverse effect on our business, results of operations, and financial condition. For example, the U.S. Department of Justice (the DOJ) and the General Services Administration (the GSA) have in the past pursued claims against and financial settlements with vendors under the False Claims Act and other statutes related to pricing and discount practices and compliance with certain provisions of GSA contracts for sales to the federal government. The DOJ and GSA continue to actively pursue such claims. Violations of certain regulatory and contractual requirements could also result in us being suspended or debarred from future government contracting. Any of these outcomes could have a material adverse effect on our revenue, results of operations, and financial condition. Any inability to address these risks and challenges could reduce the commercial benefit to us or otherwise preclude us from selling subscriptions to our products to government organizations.
We may have exposure to greater than anticipated income tax liabilities and may be affected by changes in tax laws, which could adversely impact our results of operations.
We operate in a number of tax jurisdictions globally, including in the United States at the federal, state, and local levels, and in many other countries, and plan to continue to expand the scale of our operations in the future.
43

Table of contents
Accordingly, we are subject to income taxes in the United States and various jurisdictions outside of the United States. While to date we have not incurred significant income taxes in operating our business, we may in the future face significant tax liabilities. Our tax expense could also be impacted by changes in non-deductible expenses, changes in excess tax benefits from stock-based compensation, changes in the valuation of deferred tax assets and liabilities and our ability to utilize them, the applicability of withholding taxes, and effects from acquisitions.
Our tax provision could also be impacted by changes in accounting principles, changes in U.S. federal, state, or international tax laws applicable to corporate multinationals such as the recent legislation enacted in the United States, other fundamental law changes currently being considered by many countries, and changes in taxing jurisdictions’ administrative interpretations, decisions, policies, and positions. For example, on December 22, 2017, tax reform legislation referred to as the Tax Cuts and Jobs Act (the Tax Act) was enacted in the United States. The Tax Act significantly revises U.S. federal income tax law, including lowering the corporate income tax rate to 21%, requiring companies to pay a one-time transition tax on certain unrepatriated earnings of foreign subsidiaries, implementing a modified territorial tax system, requiring a current inclusion in U.S. federal taxable income of certain earnings of controlled foreign corporations, and creating a base erosion anti-abuse tax.
Additionally, in October 2015, the Organisation for Economic Co-Operation and Development (the OECD) released final guidance covering various topics, including transfer pricing, country-by-country reporting, and definitional changes to permanent establishment that could ultimately impact our tax liabilities. In March 2018, the European Commission released a proposal for a European Council directive on taxation of specified digital services. The proposal calls for an interim tax on certain revenues from digital activities, as well as a longer-term regime that creates a taxable presence for digital services and imposes tax on digital profits. We do not yet know the impact this proposal, if implemented, would have on our financial results. A number of other jurisdictions, including the United Kingdom, are considering enacting similar digital tax regimes. These efforts are alongside the OECD’s ongoing work, as part of its Base Erosion and Profit Shifting Action Plan, to issue a final report in 2020 that provides a long-term, multilateral proposal on taxation of the digital economy. Any of the foregoing changes could have an adverse impact on our results of operations, cash flows, and financial condition.
Our results of operations may be harmed if we are required to collect sales and use, gross receipts, value-added, or similar taxes for our products in jurisdictions where we have not historically done so.
Sales and use, value-added, goods and services, and similar tax laws and rates vary greatly by jurisdiction. Our customers can be located in one jurisdiction, utilize our platform and products through our network equipment in a different jurisdiction, and pay us from an account located in a third jurisdiction. This divergence, along with the jurisdiction-by-jurisdiction variance in tax laws, causes significant uncertainty in the tax treatment of our business. There is further uncertainty as to what constitutes sufficient physical presence or nexus for a national, state, or local jurisdiction to levy taxes, fees, and surcharges for sales made over the Internet, and there is also uncertainty as to whether our characterization of our platform and products as not taxable in certain jurisdictions will be accepted by national, state, and local taxing authorities. In determining our tax filing obligations, management has made judgments regarding whether our activities in a jurisdiction rise to the level of taxability. These judgments may prove inaccurate, and one or more states or countries may seek to impose additional sales, use, or other tax collection obligations on us, including for past sales by us. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as state and other tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. Furthermore, the U.S. Supreme Court’s ruling in South Dakota v. Wayfair may permit wider enforcement of sales tax collection requirements. A successful assertion by a state, country, or other jurisdiction that we should have been or should be collecting additional sales, use, or other taxes on our platform and products could, among other things, result in substantial tax liabilities for past sales, create significant administrative burdens for us, discourage customers from purchasing our platform and products, or otherwise harm our business, results of operations, and financial condition.
Our international operations require us to exercise judgment in determining the applicability of tax laws, which may subject us to potentially adverse tax consequences.
We are subject to income taxes as well as non-income-based taxes, such as payroll, sales, use, value-added, property, and goods and services taxes, in both the United States and various foreign jurisdictions. Our domestic and international tax liabilities are subject to various jurisdictional rules regarding the timing and allocation of revenue and expenses. Additionally, the amount of income taxes paid is subject to our interpretation of applicable tax laws in the jurisdictions in which we file and to changes in tax laws. Significant judgment is required in
44

Table of contents
determining our worldwide provision for income taxes and other tax liabilities. From time to time, we may be subject to income and non-income tax audits. While we believe we have complied with all applicable income tax laws, there can be no assurance that a governing tax authority will not have a different interpretation of the law and assess us with additional taxes, including with respect to intercompany transfer pricing and the collection of sales and use tax, value-added tax, and goods and services tax. Should we be assessed with additional taxes, there could be a material adverse effect on our business, results of operations, and financial condition.
Our future effective tax rate may be affected by such factors as changes in tax laws, regulations, or rates, changing interpretation of existing laws or regulations, the impact of accounting for stock-based compensation, the impact of accounting for business combinations, changes in our international organization, and changes in our overall levels of income before tax. In addition, in the ordinary course of our global business, there are many intercompany transactions and calculations where the ultimate tax determination is uncertain. Although we believe that our tax estimates are reasonable, we cannot ensure that the final determination of tax audits or tax disputes will not be different from what is reflected in our historical income tax provisions and accruals. There can be no assurance that the outcomes from these continuous examinations will not have an adverse effect on our results of operations.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
As of December 31, 2019, we had net operating loss carryforwards for U.S. federal income tax purposes of $221.5 million, net of uncertain tax positions, available to offset future U.S. federal taxable income that will begin to expire in 2029 for tax years beginning before December 31, 2017. Also as of December 31, 2019, we had net operating loss carryforwards for state income tax purposes of $104.7 million, net of uncertain tax positions, available to offset future state taxable income that will begin to expire in 2026. As of December 31, 2019, we had foreign tax credit carryforwards for federal income tax purposes of $1.8 million that will begin to expire, if not utilized, in 2025. Also as of December 31, 2019, we had federal research and development tax credit carryforwards of $8.5 million that will begin to expire in 2029 and state research and development tax credit carryforwards of $6.5 million that can be carried forward indefinitely.
Utilization of our net operating loss carryforwards and other tax attributes, such as research and development tax credits, may be subject to annual limitations, or could be subject to other limitations on utilization or benefit due to the ownership change limitations provided by Sections 382 and 383 of the Internal Revenue Code of 1986, as amended (the Code), and other similar provisions. Under Sections 382 and 383 of the Code, if a corporation undergoes an “ownership change,” the corporation’s ability to use its pre-change net operating loss carryforwards and other pre-change attributes, such as research tax credits, to offset its post-change income may be limited. In general, an “ownership change” will occur if there is a cumulative change in our ownership by “5-percent shareholders” that exceeds 50 percentage points over a rolling three-year period. Similar rules may apply under state tax laws. We may have experienced various ownership changes, as defined by the Code, as a result of past financing transactions (or other activities), and we may experience ownership changes in the future as a result of subsequent changes in our stock ownership, some of which may be outside our control. Accordingly, our ability to utilize the aforementioned carryforwards may be limited.
Further, the Tax Act changed the federal rules governing net operating loss carryforwards. For net operating loss carryforwards arising in tax years beginning after December 31, 2017, the Tax Act limits a taxpayer’s ability to utilize such carryforwards to 80% of taxable income. In addition, net operating loss carryforwards arising in tax years ending after December 31, 2017 can be carried forward indefinitely, but carryback is generally prohibited. Net operating loss carryforwards generated before January 1, 2018 will not be subject to the Tax Act’s taxable income limitation and will continue to have a twenty-year carryforward period. Nevertheless, our net operating loss carryforwards and other tax assets could expire before utilization and could be subject to limitations, which could harm our business, revenue, and financial results.
We rely on third-party software for certain essential financial and operational services, and a failure or disruption in these services could materially and adversely affect our ability to manage our business effectively.
We rely on third-party software to provide many essential financial and operational services to support our business, including NetSuite, Salesforce, Atlassian, and Workday. Many of these vendors are less established and have shorter operating histories than traditional software vendors. Moreover, these vendors provide their services to us via a cloud-based model instead of software that is installed on our premises. As a result, we depend upon these vendors to provide us with services that are always available and are free of errors or defects that could cause
45

Table of contents
disruptions in our business processes. Any failure by these vendors to do so, or any disruption in our ability to access the Internet, would materially and adversely affect our ability to manage our operations.
Our business is exposed to risks associated with credit card and other online payment processing methods.
Many of our customers pay for our service using a variety of different payment methods, including credit and debit cards, prepaid cards, direct debit, and online wallets. We rely on internal systems as well as those of third parties to process payments. Acceptance and processing of these payment methods are subject to certain rules and regulations and require payment of interchange and other fees. To the extent there are increases in payment processing fees, material changes in the payment ecosystem, such as large re-issuances of payment cards, delays in receiving payments from payment processors, changes to rules or regulations concerning payment processing, loss of payment partners, and/or disruptions or failures in our payment processing systems or payment products, including products we use to update payment information, our revenue, operating expenses, and results of operation could be adversely impacted. In addition, from time to time, we encounter fraudulent use of payment methods, which could impact our results of operations and if not adequately controlled and managed could create negative consumer perceptions of our service. If we are unable to maintain our chargeback rate at acceptable levels, card networks may impose fines and our card approval rate may be impacted. If we fail to comply with the rules or requirements applicable to processing payments, or if our data security systems are breached, compromised, or otherwise unable to detect or prevent fraudulent activity, we may be liable for card issuing banks’ costs, subject to fines and higher transaction fees, and lose our ability to accept certain payments from our customers. The termination of our ability to process payments using any major payment method our business, results of operations, and financial condition could be harmed.
Because we recognize revenue from subscriptions for our products over the term of the subscription, downturns or upturns in new business may not be immediately reflected in our results of operations and may be difficult to discern.
We generally recognize revenue from customers ratably over the term of their subscription, which in the case of our contracted customers range from one to three years and in the case of our pay-as-you-go customers is typically monthly. Consequently, any increase or decline in new sales or renewals to these customers in any one period may not be immediately reflected in our revenue for that period. Any such change, however, may affect our revenue in future periods. Accordingly, the effect of downturns or upturns in new sales and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. We may also be unable to reduce our cost structure in line with a significant deterioration in sales or renewals. Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers must be recognized over the applicable subscription term.
By contrast, a significant majority of our costs are expensed as incurred, which occurs as soon as a customer starts using our platform. As a result, an increase in customers could result in our recognition of more costs than revenue in the earlier portion of the subscription term. We may not attain sufficient revenue to maintain positive cash flow from operations or achieve profitability in any given period.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our results of operations.
Substantially all of our sales contracts are denominated in U.S. dollars and, therefore, substantially all of our revenue is not subject to foreign currency risk. However, a strengthening of the U.S. dollar could increase the real cost of our products to our customers outside of the United States, which could reduce demand for our products and adversely affect our financial condition and results of operations.
As our international operations expand, an increasing portion of our revenue and operating expenses is incurred outside the United States and is denominated in foreign currencies, such as the British Pound and Singapore Dollar. Accordingly, our revenue and operating expenses are increasingly subject to fluctuations due to changes in foreign currency exchange rates. As we continue to expand our international operations, we may become more exposed to foreign currency risk or remeasurement risk. If we become more exposed to currency fluctuations and are not able to successfully hedge against the risks associated with currency fluctuations, our results of operations could be materially and adversely affected.
46

Table of contents
If our estimates or judgments relating to our critical accounting policies prove to be incorrect or financial reporting standards or interpretations change, our results of operations could be adversely affected.
The preparation of financial statements in conformity with generally accepted accounting principles in the United States (U.S. GAAP) requires our management to make estimates and assumptions that affect the amounts reported and disclosed in our consolidated financial statements and accompanying notes. We base our estimates and assumptions on historical experience and on various other assumptions that we believe to be reasonable under the circumstances. The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities, and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to determination of deferred contract acquisitions costs, the period of benefit generated from our deferred contract acquisition costs, the capitalization and estimated useful life of internal-use software, useful lives of property and equipment, the valuation and recognition of stock-based compensation, uncertain tax positions, and the recognition and measurement of current and deferred income tax assets and liabilities. Our results of operations may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our results of operations to fall below the expectations of industry or financial analysts and investors, resulting in a decline in the trading price of our common stock.
Additionally, we regularly monitor our compliance with applicable financial reporting standards and review new pronouncements and drafts thereof that are relevant to us. As a result of new standards, or changes to existing standards, and changes in their interpretation, we might be required to change our accounting policies, alter our operational policies and implement new or enhance existing systems so that they reflect new or amended financial reporting standards, or we may be required to restate our published financial statements. Such changes to existing standards or changes in their interpretation may have an adverse effect on our reputation, business, financial condition, and profit and loss, or cause an adverse deviation from our revenue and operating profit and loss target, which may negatively impact our results of operations.
If we fail to maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
We are subject to the reporting requirements of the Securities Exchange Act of 1934, as amended (the Exchange Act), the Sarbanes-Oxley Act of 2002 (the Sarbanes-Oxley Act), and the rules and regulations of the applicable listing standards of the New York Stock Exchange (the NYSE). We expect that the requirements of these rules and regulations will continue to increase our legal, accounting, and financial compliance costs, make some activities more difficult, time-consuming, and costly, and place significant strain on our personnel, systems, and resources.
The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are continuing to develop and refine our disclosure controls and other procedures that are designed to ensure that information required to be disclosed by us in the reports that we file with the SEC is recorded, processed, summarized, and reported within the time periods specified in SEC rules and forms and that information required to be disclosed in reports under the Exchange Act is accumulated and communicated to our principal executive and financial officers. We are also continuing to improve our internal control over financial reporting. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended, and anticipate that we will continue to expend, significant resources, including accounting-related costs, and significant management oversight.
Our current controls and any new controls that we develop may become inadequate because of changes in conditions in our business. Further, weaknesses in our disclosure controls and internal control over financial reporting may be discovered in the future. Any failure to develop or maintain effective controls or any difficulties encountered in their implementation or improvement could harm our results of operations or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we will eventually be required to include in our periodic reports that will be filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our Class A common stock. In
47

Table of contents
addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NYSE. We will be required to provide an annual management report on the effectiveness of our internal control over financial reporting commencing with our second annual report on Form 10-K.
In the period ended December 31, 2017, we identified one material weakness in our internal control over financial reporting related to our lack of a formal process over stock administration and lack of adequate controls to ensure that all stock issuances and stock-based compensation transactions were completely and accurately documented, executed, and properly reflected in our consolidated financial statements and our capitalization table. Although the material weakness was remediated as of December 31, 2018, there can be no assurance that we will maintain internal control over financial reporting sufficient to enable us to identify or avoid material weaknesses in the future.
Our independent registered public accounting firm is not required to formally attest to the effectiveness of our internal control over financial reporting until after we are no longer an “emerging growth company” as defined in the JOBS Act. At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our internal control over financial reporting is documented, designed, or operating. Any failure to maintain effective disclosure controls and internal control over financial reporting could materially and adversely affect our business, results of operations, and financial condition and could cause a decline in the trading price of our Class A common stock.
Our business is subject to the risks of catastrophic events.
The occurrence of any catastrophic event, including an earthquake, fire, flood, tsunami, or other weather event, power loss, telecommunications failure, software or hardware malfunctions, epidemic or pandemic diseases (such as the coronavirus that originated in China in 2019 and began to spread globally in early 2020), cyber-attack, war, or terrorist attack, could result in lengthy interruptions in our service. Our corporate headquarters is located in the San Francisco Bay Area and one of our core co-location facilities is located in the U.S. Pacific Northwest, both regions known for seismic activity, and we also have a second core co-location facility in Luxembourg. Our insurance coverage may not compensate us for losses that may occur in the event of an earthquake or other significant natural disaster. In addition, acts of terrorism could cause disruptions to the Internet or the economy as a whole. Even with our disaster recovery arrangements, our service could be interrupted. If our systems were to fail or be negatively impacted as a result of a natural disaster or other event, our ability to deliver products to our customers would be impaired or we could lose critical data.
Our partners, suppliers, and customers are also subject to the risk of catastrophic events. In those events, our ability to deliver our products in a timely manner, as well as the demand for our products, may be divided on account of factors outside our control.
Future acquisitions, strategic investments, partnerships, or alliances could be difficult to identify and integrate, divert the attention of key management personnel, disrupt our business, dilute stockholder value, and adversely affect our results of operations, financial condition, and prospects.
Part of our business strategy is to make acquisitions of other companies, products, and technologies. For example, in January 2020, we acquired S2 Systems Corporation, a company that has developed patented browser isolation technology. We have limited experience in making acquisitions. We also may not be able to find suitable acquisition candidates and we may not be able to complete acquisitions on favorable terms, if at all. If we do complete acquisitions, we may not ultimately strengthen our competitive position or achieve our goals, and any acquisitions we complete could be viewed negatively by customers, developers, or investors. In addition, we may not be able to integrate acquired businesses successfully or effectively manage the combined company following an acquisition. If we fail to successfully integrate our acquisitions, or the people or technologies associated with those acquisitions, into our company, the results of operations of the combined company could be adversely affected. Any integration process will require significant time and resources, require significant attention from management, and disrupt the ordinary functioning of our business, and we may not be able to manage the process successfully, which could adversely affect our business, results of operations, and financial condition. In addition, we may not successfully evaluate or utilize the acquired technology and accurately forecast the financial impact of an acquisition transaction, including accounting charges.
In order to expand our network and product offerings, we also may enter into relationships with other businesses, which could involve joint ventures, preferred or exclusive licenses, additional channels of distribution, or investments in other companies. Negotiating these transactions can be time-consuming, difficult, and costly, and our ability to
48

Table of contents
close these transactions may be subject to third-party approvals, such as government regulatory approvals, which are beyond our control. Consequently, we cannot assure you that these transactions, once undertaken and announced, will close or will lead to commercial benefit for us.
In connection with the foregoing strategic transactions, we may:
issue additional equity securities that would dilute our stockholders;
use cash that we may need in the future to operate our business;
incur debt on terms unfavorable to us or that we are unable to repay;
incur large charges or substantial liabilities;
encounter difficulties integrating diverse business cultures; and
become subject to adverse tax consequences, substantial depreciation, or deferred compensation charges.
These challenges related to acquisitions or other strategic transactions could adversely affect our business, results of operations, financial condition, and prospects.
Certain of our key business metrics could prove to be inaccurate, and any real or perceived inaccuracies may harm our reputation and negatively affect our business.
We rely on assumptions and estimates to calculate certain of our key business metrics, such as dollar-based net retention rate. We regularly review and may adjust our processes for calculating our key business metrics to improve their accuracy. For example, we recently announced a change in how we will calculate our key business metrics starting during 2020 so that they will be based on revenue instead of billings. Our key business metrics may differ from estimates published by third parties or from similarly titled metrics of our competitors due to differences in methodology. If investors or analysts do not perceive our key business metrics to be accurate representations of our business, or if we discover material inaccuracies in our key business metrics, our reputation, business, results of operations, and financial condition would be harmed.
The requirements of being a public company may strain our resources, divert management’s attention, and affect our ability to attract and retain executive management and qualified board members.
We are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the listing requirements of the NYSE, and other applicable securities rules and regulations. Compliance with these rules and regulations increases our legal and financial compliance costs, makes some activities more difficult, time-consuming, or costly, and increases demand on our systems and resources. The Exchange Act requires, among other things, that we file annual, quarterly, and current reports with respect to our business and results of operations. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and, if required, improve our disclosure controls and procedures and internal control over financial reporting to meet this standard, significant resources and management oversight is required. We are required to disclose changes made in our internal control and procedures on a quarterly basis and we will be required to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting. As a result of the complexity involved in complying with the rules and regulations applicable to public companies, our management’s attention may be diverted from other business concerns, which could adversely affect our business and results of operations. Although we have already hired additional employees and have engaged outside consultants to assist us in complying with these requirements, we may need to hire more employees in the future or engage additional outside consultants, which will increase our operating expenses.
In addition, changing laws, regulations, and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs, and making some activities more time consuming. These laws, regulations, and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We intend to invest substantial resources to comply with evolving laws, regulations, and standards, and this investment may result in increased general and administrative expenses and a diversion of management’s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations, and
49

Table of contents
standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to their application and practice, regulatory authorities may initiate legal proceedings against us and our business may be adversely affected.
Failure to comply with the aforementioned rules and regulations may make it more expensive for us to maintain director and officer liability insurance, and in the future we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors could also make it more difficult for us to attract and retain qualified members of our Board of Directors, particularly to serve on our audit committee and compensation committee, and qualified executive officers.
As a result of disclosure of information in our filings with the SEC, our business and financial condition are visible, which we believe may result in threatened or actual litigation, including by competitors and other third parties. If such claims are successful, our business and results of operations could be adversely affected, and even if the claims do not result in litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and adversely affect our business and results of operations.
Our management team has limited experience managing a public company.
Most members of our management team have limited experience managing a publicly traded company, interacting with public company investors, and complying with the increasingly complex laws pertaining to public companies. Our management team may not successfully or efficiently manage our company, which is subject to significant regulatory oversight and reporting obligations under the federal securities laws and the continuous scrutiny of securities analysts and investors. These new obligations and constituents require significant attention from our senior management and could divert their attention away from the day-to-day management of our business, which could harm our business, results of operations, and financial condition.
Risks Related to Ownership of Our Class A Common Stock
The trading price of our Class A common stock may be volatile, and you could lose all or part of your investment.
Prior to our IPO, there was no public market for shares of our Class A common stock. The trading price of our Class A common stock is likely to be volatile and could be subject to fluctuations in response to various factors, some of which are beyond our control. These fluctuations could cause you to lose all or part of your investment in our Class A common stock. Factors that could cause fluctuations in the trading price of our Class A common stock include:
price and volume fluctuations in the overall stock market from time to time;
volatility in the trading prices and trading volumes of technology stocks;
changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
sales of shares of our Class A common stock and Class B common stock by us or our stockholders;
failure of securities analysts to maintain coverage of us, changes in financial estimates by securities analysts who follow our company, or our failure to meet these estimates or the expectations of investors;
the financial projections we may provide to the public, any changes in those projections, or our failure to meet those projections;
announcements by us or our competitors of new products, features, or services;
the public’s reaction to our press releases, other public announcements, and filings with the SEC;
rumors and market speculation involving us or other companies in our industry;
actual or anticipated changes in our results of operations or fluctuations in our results of operations;
actual or anticipated developments in our business, our competitors’ businesses or the competitive landscape generally;
50

Table of contents
litigation involving us, our industry, or both, or investigations by regulators into our operations or those of our competitors;
developments or disputes concerning our intellectual property or other proprietary rights;
actual or perceived data security breaches or other data security incidents;
announced or completed acquisitions of businesses, products, services, or technologies by us or our competitors;
new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
changes in accounting standards, policies, guidelines, interpretations, or principles;
any significant change in our management; and
general economic conditions and slow or negative growth of our markets.
In addition, in the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action litigation has often been instituted against these companies. This litigation, if instituted against us, could result in substantial costs and a diversion of our management’s attention and resources.
We may need additional capital, and we cannot be certain that additional financing will be available on favorable terms, or at all.
Historically, we have financed our operations primarily through the sale of our equity securities as well as payments received from customers using our global cloud platform. Although we currently anticipate that our existing cash, cash equivalents, and available-for-sale securities, and cash flow from operations will be sufficient to meet our working capital and capital expenditure needs for at least the next 12 months, we may require additional financing. We evaluate financing opportunities from time to time, and our ability to obtain financing will depend, among other things, on our development efforts, business plans, and operating performance, and the condition of the capital markets at the time we seek financing. We cannot assure you that additional financing will be available to us on favorable terms when required, or at all. If we raise additional funds through the issuance of equity or equity-linked or debt securities, those securities may have rights, preferences or privileges senior to the rights of our Class A common stock, and, in the case of equity or equity-linked securities, our stockholders may experience dilution.
The dual-class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our initial public offering, and it may depress the trading price of our Class A common stock.
Our Class B common stock has 10 votes per share and our Class A common stock has one vote per share. As of December 31, 2019, our directors, executive officers, and holders of more than 5% of our common stock, and their respective affiliates, held in the aggregate 84.6% of the voting power of our capital stock. Because of the ten-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively continue to control a majority of the combined voting power of our common stock and therefore are able to control all matters submitted to our stockholders for approval. This concentrated control will limit or preclude the ability of holders of Class A common stock to influence corporate matters for the foreseeable future, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of shares of Class B common stock and the cessation of employment by holders of our Class B common stock generally result in those shares converting to Class A common stock, subject to limited exceptions, such as certain transfers effected for estate planning purposes and transfers between related entities. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those individual holders of Class B common stock who retain their shares in the long-term.
In July 2017, FTSE Russell and Standard & Poor’s announced that they would cease to include most newly public companies utilizing dual or multi-class capital structures in their indices. Affected indices include the Russell 2000 and the S&P 500, S&P MidCap 400, and S&P SmallCap 600, which together make up the S&P Composite 1500.
51

Table of contents
Under the announced policies, our multi-class capital structure likely makes us ineligible for inclusion in any of these indices, and as a result, mutual funds, exchange-traded funds, and other investment vehicles that attempt to passively track these indices may not invest in our stock. These policies are still new and it is as of yet unclear what effect, if any, they will have on the valuations of publicly traded companies excluded from the indices, but it is possible that they may depress these valuations compared to those of other similar companies that are included.
Substantial future sales could depress the market price of our Class A common stock.
The market price of our Class A common stock could decline as a result of sales of a large number of shares of such stock, and the perception that these sales could occur may also depress the market price of our Class A common stock.
Under our investors’ rights agreement, certain stockholders can require us to register shares owned by them for public sale in the United States. In addition, we file registration statements to register shares reserved for future issuance under our equity compensation plans. As a result, subject to the satisfaction of applicable exercise periods, the shares issued upon exercise of outstanding stock options or upon settlement of outstanding RSU awards are available for immediate resale in the United States in the open market.
Sales of our shares may make it more difficult for us to sell equity securities in the future at a time and at a price that we deem appropriate. These sales also could cause the trading price of our Class A common stock to fall and make it more difficult for you to sell shares of our Class A common stock.
We have broad discretion over the use of the net proceeds from our IPO and we may not use them effectively.
We cannot specify with any certainty the particular uses of the net proceeds that we received from our IPO and our management has broad discretion in the application of the net proceeds. The failure by our management to apply these proceeds effectively could adversely affect our business, results of operations, and financial condition. Pending their use, we may invest our proceeds in a manner that does not produce income or that loses value. Our investments may not yield a favorable return to our investors and may negatively impact the price of our Class A common stock.
We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our Class A common stock less attractive to investors.
We are an “emerging growth company,” as defined in the JOBS Act, and we intend to take advantage of certain exemptions from various reporting requirements that are applicable to other public companies that are not “emerging growth companies,” including not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements, exemptions from the requirements of holding a non-binding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved, and exemptions from complying with new or revised financial accounting standards until private companies are required to comply with the new or revised accounting standards. We may take advantage of these exemptions for so long as we are an “emerging growth company,” which could be as long as five years following the IPO. We expect, however, that we will cease being an “emerging growth company” prior to such time. We cannot predict if investors will find our Class A common stock less attractive to the extent that we rely on these exemptions. If some investors find our common stock less attractive as a result, there may be a less active trading market for our common stock and the price of our common stock may be more volatile.
Delaware law and provisions in our amended and restated certificate of incorporation and amended and restated bylaws could make a merger, tender offer, or proxy contest difficult, thereby depressing the market price of our Class A common stock.
Our status as a Delaware corporation and the anti-takeover provisions of the Delaware General Corporation Law may discourage, delay, or prevent a change in control by prohibiting us from engaging in a business combination with an interested stockholder for a period of three years after the person becomes an interested stockholder, even if a change of control would be beneficial to our existing stockholders. In addition, our amended and restated
52

Table of contents
certificate of incorporation and amended and restated bylaws contain provisions that may make the acquisition of our company more difficult, including the following:
our dual-class common stock structure, which provides Mr. Prince and Ms. Zatlyn with the ability to significantly influence the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the shares of our outstanding Class A common stock and Class B common stock;
our Board of Directors is classified into three classes of directors with staggered three-year terms and directors are only able to be removed from office for cause;
vacancies on our Board of Directors will be able to be filled only by our Board of Directors and not by stockholders;
only the Chair of our Board of Directors, our Chief Executive Officer, or a majority of our entire Board of Directors are authorized to call a special meeting of stockholders;
certain litigation against us can only be brought in Delaware;
our amended and restated certificate of incorporation authorizes undesignated preferred stock, the terms of which may be established and shares of which may be issued, without the approval of the holders of Class A common stock;
advance notice procedures apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders;
our stockholders will only be able to take action at a meeting of stockholders and not by written consent; and
any amendment of the above anti-takeover provisions in our amended and restated certificate of incorporation or amended and restated bylaws will require the approval of two-thirds of the combined vote of our then-outstanding shares of Class A common stock and Class B common stock.
These anti-takeover defenses could discourage, delay, or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors of their choosing and to cause us to take other corporate actions they desire, any of which, under certain circumstances, could limit the opportunity for our stockholders to receive a premium for their shares of our capital stock, and could also affect the price that some investors are willing to pay for our Class A common stock.
Our amended and restated bylaws designate a state or federal court located within the State of Delaware as the exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers or employees.
Our amended and restated bylaws provide that the Court of Chancery of the State of Delaware is the exclusive forum for the following types of actions or proceedings under Delaware statutory or common law: (i) any derivative action or proceeding brought on our behalf; (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers, or other employees to us or our stockholders; (iii) any action arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws; or (iv) any other action asserting a claim that is governed by the internal affairs doctrine shall be the Court of Chancery of the State of Delaware (or, if the Court of Chancery does not have jurisdiction, the federal district court for the District of Delaware), in all cases subject to the court having jurisdiction over indispensable parties named as defendants. The provisions would not apply to suits brought to enforce a duty or liability created by the Exchange Act. Additionally, nothing in our amended and restated bylaws precludes stockholders that assert claims under the Securities Act from bringing such claims in state or federal court, subject to applicable law.
Any person or entity purchasing or otherwise acquiring any interest in any of our securities shall be deemed to have notice of and consented to this provision. This exclusive-forum provision may limit a stockholder’s ability to bring a claim in a judicial forum of its choosing for disputes with us or our directors, officers, or other employees, which may discourage lawsuits against us and our directors, officers, and other employees. If a court were to find the exclusive-forum provision in our amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could harm our results of operations.
53

Table of contents
Our Class A common stock market price and trading volume could decline if equity or industry analysts do not publish research or publish inaccurate or unfavorable research about our business.
The trading market for our Class A common stock depends in part on the research and reports that equity or industry analysts publish about us or our business. The analysts’ estimates are based upon their own opinions and are often different from our estimates or expectations. If one or more of the analysts who cover us downgrade our Class A common stock or publish inaccurate or unfavorable research about our business, the price of our securities would likely decline. If few securities analysts commence coverage of us, or if one or more of these analysts cease coverage of us or fail to publish reports on us regularly, demand for our securities could decrease, which might cause the price and trading volume of our Class A common stock to decline.
An active trading market for our Class A common stock may not be sustained.
Our Class A common stock is listed on the NYSE under the symbol “NET.” However, we cannot assure you of the likelihood that an active trading market for our Class A common stock will be maintained, the liquidity of any trading market, your ability to sell your shares of our Class A common stock when desired, or the prices that you may obtain for your shares.
We do not intend to pay dividends for the foreseeable future.
We have never declared nor paid cash dividends on our capital stock. We currently intend to retain any future earnings to finance the operation and expansion of our business, and we do not expect to declare or pay any dividends in the foreseeable future. As a result, stockholders must rely on sales of their Class A common stock after price appreciation as the only way to realize any future gains on their investment.

Item 1B. Unresolved Staff Comments
None.

Item 2. Properties
Our corporate headquarters is located in San Francisco, California, where we lease approximately 81,000 square feet. Of the total leased space in San Francisco, approximately 66,000 square feet is concentrated in our adjoining buildings located at 101 Townsend Street and 111 Townsend Street pursuant to lease agreements expiring in October 2022. In addition, we lease approximately 15,000 square feet at 634 Second Street pursuant to a lease agreement expiring in December 2027. We also maintain offices in multiple locations in the United States, including Austin, Texas; Champaign, Illinois; New York, New York; San Jose, California; and Washington, D.C., as well as multiple locations internationally, including Australia, China, Germany, Portugal, Singapore and the United Kingdom to support our global team.
We believe that our facilities are suitable to meet our current needs. We intend to expand our facilities or add new facilities as we add employees and enter new geographic markets, and we believe that suitable additional or alternative space will be available as needed to accommodate any such growth.

Item 3. Legal Proceedings
From time to time we are subject to legal proceedings and claims arising in the ordinary course of business. We are not presently a party to any legal proceeding that we believe is likely to have a material impact on our business, results of operations, or financial condition.
Future litigation may be necessary, among other things, to defend ourselves or our customers by determining the scope, enforceability, and validity of third-party proprietary rights or to establish our proprietary rights. The results of any litigation cannot be predicted with certainty, particularly in the areas of unsettled and evolving law in which we operate, and an unfavorable resolution in any legal proceedings could materially affect our future business, results
54

Table of contents
of operations, or financial condition. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources, and other factors. For additional information, see "Risk Factors - Activities of our paying and free customers or the content of their websites and other Internet properties could subject us to liability" and "We are currently, and may be in the future, party to intellectual property rights claims and other litigation matters that, if resolved adversely, could have a material impact on our business, results of operations, or financial condition" and Note 7. Commitments and Contingencies - Legal Matters to the consolidated financial statements included elsewhere in this Annual Report on Form 10-K.

Item 4. Mine Safety Disclosures
Not applicable.
55

Table of contents
PART II

Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Market Information for Our Class A Common Stock
Our Class A common stock has been listed on the New York Stock Exchange (NYSE) under the symbol "NET" since September 13, 2019. Prior to that date, there was no public trading market for our Class A common stock. There is no public trading market for our Class B common stock.
Holders of Record
As of February 21, 2020, we had 505 holders of record of our Class A and Class B common stock. The actual number of stockholders is greater than this number of record holders and includes stockholders who are beneficial owners but whose shares are held in street name by brokers and other nominees.
Dividend Policy
We have never declared nor paid any cash dividends on our capital stock. We currently intend to retain any future earnings and do not expect to pay any dividends in the foreseeable future. Any future determination to declare cash dividends will be made at the discretion of our Board of Directors, subject to applicable laws, and will depend on a number of factors, including our financial condition, results of operations, capital requirements, contractual restrictions, general business conditions, and other factors that our Board of Directors may deem relevant.
Securities Authorized for Issuance Under Equity Compensation Plans
The information required by this item with respect to our equity compensation plans is incorporated by reference to our Proxy Statement for the 2020 Annual Meeting of Stockholders to be filed with the Securities and Exchange Commission within 120 days of the fiscal year ended December 31, 2019.
Stock Performance Graph
This performance graph shall not be deemed “soliciting material” or to be “filed” with the Securities and Exchange Commission, or the SEC, for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or the Exchange Act, or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act of 1933, as amended, or the Securities Act.
The following graph compares (i) the cumulative total stockholder return on our Class A common stock from September 13, 2019 (the date our Class A common stock commenced trading on the NYSE) through December 31, 2019 with (ii) the cumulative total return of the Standard & Poor's 500 Index and Standard & Poor's Information Technology Index over the same period, assuming the investment of $100 in our Class A common stock and in each index on September 13, 2019 and the reinvestment of dividends. The graph uses the closing market price on September 13, 2019 of $18.00 per share as the initial value of our common stock. The comparisons are based on historical data and are not indicative of, nor intended to forecast, future performance of our Class A common stock.


56

Table of contents
cloud-20191231_g2.jpg

Company/IndexBase Period
9/13/2019
9/30/201912/31/2019
Cloudflare$100.00  $103.17  $94.78  
S&P 500 Index100.00  98.98  107.43  
S&P 500 Information Technology Index100.00  99.44  113.36  

Unregistered Sales of Equity Securities
From January 1, 2019 through September 13, 2019 (the date of the filing of our registration statement on Form S-8), we granted to our directors, officers, employees, consultants and other service providers options to purchase an aggregate of 393,716 shares of our Class B common stock under our 2010 Equity Incentive Plan (our 2010 Plan) at exercise prices ranging from $8.56 to $9.97 per share.
From January 1, 2019 through September 13, 2019 (the date of the filing of our registration statement on Form S-8), we granted to our directors, officers, employees, consultants and other service providers restricted stock units for an aggregate of 6,465,154 shares of Class B common stock under our 2010 Plan.
From January 1, 2019 through September 13, 2019 (the date of the filing of our registration statement on Form S-8), we issued and sold to our employees, consultants, and other services providers an aggregate of 2,548,237 shares of Class B common stock upon the exercise of options issued under our 2010 Plan at exercises prices ranges from $0.07 to $9.97, for an aggregate exercise price of $5,702,085 and an aggregate of zero shares of Class A common stock upon the exercise of options issued under our 2010 Plan.
On September 9, 2019, we entered into an Exchange Agreement with certain of our existing stockholders, pursuant to which we exchanged, for no consideration, an aggregate of 2,200,000 shares of Class B common stock for an equivalent number of newly issued shares of Class B common stock.
On September 19, 2019, we also issued an aggregate of 174,347 shares of Class B common stock to a warrant holder upon the exercise of an outstanding warrant to purchase an aggregate of 177,410 shares of Class B common stock pursuant to a net exercise mechanism under the warrant. The warrant had an exercise price of $0.3382 per share.
57

Table of contents
None of the foregoing transactions involved any underwriters, underwriting discounts or commissions, or any public offering. We believe the offers, sales, and issuances of the above securities were exempt from registration under the Securities Act (or Regulation D or Regulation S promulgated thereunder) by virtue of Section 4(a)(2) of the Securities Act because the issuance of securities to the recipients did not involve a public offering, Section 3(a)(9) of the Securities Act because the issuance of securities involved an exchange with existing securityholders for no consideration, or in reliance on Rule 701 because the transactions were pursuant to compensatory benefit plans or contracts relating to compensation as provided under such rule. The recipients of the securities in each of these transactions represented their intentions to acquire the securities for investment only and not with a view to or for sale in connection with any distribution thereof, and appropriate legends were placed upon the stock certificates issued in these transactions. All recipients had adequate access, through their relationships with us, to information about us. The sales of these securities were made without any general solicitation or advertising.
Issuer Purchases of Equity Securities
None.
Use of Proceeds from Initial Public Offering of Class A Common Stock
In September 2019, we closed our initial public offering in which we sold 40,250,000 shares of Class A common stock at a price to the public of $15.00 per share, including shares sold in connection with the exercise of the underwriters’ option to purchase additional shares. The offer and sale of all of the shares in the IPO were registered under the Securities Act pursuant to a registration statement on Form S-1 (File No. 333-233296), which was declared effective by the SEC on September 12, 2019. We raised aggregate net proceeds of $565.0 million from the IPO, after deducting underwriting discounts and commissions and offering costs. There has been no material change in the planned use of proceeds from the IPO as described in our final prospectus filed with the SEC on September 13, 2019 pursuant to Rule 424(b)(4).
The managing underwriters of the IPO were Goldman Sachs & Co. LLC, Morgan Stanley & Co. LLC and J.P. Morgan Securities LLC. No payments were made by us to directors, officers, or persons owning ten percent or more of our common stock or to their associates, or to our affiliates, other than payments in the ordinary course of business to officers for salaries and to non-employee directors pursuant to our director compensation policy.

Item 6. Selected Financial and Other Data
The following selected consolidated financial and other data should be read in conjunction with the section titled "Management's Discussion and Analysis of Financial Condition and Results of Operations" and the consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K. The selected consolidated statements of operations data presented below for the years ended December 31, 2019, 2018, and 2017 and the consolidated balance sheet data as of December 31, 2019 and 2018, are derived from our audited consolidated financial statements that are included elsewhere in this Annual Report on Form 10-K. Our historical results are not necessarily indicative of our future results. The selected consolidated financial data in this section are not intended to replace the consolidated financial statements and are qualified in their entirety by the consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K.


58

Table of contents
Year Ended December 31,
2019201820172016
(in thousands, except per share data)
Consolidated Statements of Operations Data:
Revenue$287,022  $192,674  $134,915  $84,791  
Cost of revenue(1)
63,423  43,537  28,788  23,962  
Gross profit
223,599  149,137  106,127  60,829  
Operating expenses:
Sales and marketing(1)
159,298  94,394  61,899  40,122  
Research and development(1)
90,669  54,463  33,650  23,663  
General and administrative(1)
81,578  85,179  20,308  14,073  
Total operating expenses331,545  234,036  115,857  77,858  
Loss from operations(107,946) (84,899) (9,730) (17,029) 
Non-operating income (expense):
Interest income
5,787  1,895  762  626  
Interest expense
(1,112) (992) (862) (654) 
Other income (expense), net
(1,442) (2,091) 115  (208) 
Total non-operating income (expense), net3,233  (1,188) 15  (236) 
Loss before income taxes(104,713) (86,087) (9,715) (17,265) 
Provision for income taxes1,115  1,077  1,033  69  
Net loss$(105,828) $(87,164) $(10,748) $(17,334) 
Net loss per share attributable to common stockholders, basic and diluted(2)
$(0.72) $(1.08) $(0.14) $(0.23) 
Weighted-average shares used in computing net loss per share attributable to common stockholders, basic and diluted(2)
146,306  80,981  77,147  75,721  
_______________
(1)Includes stock-based compensation expense as follows:
(2)Refer to Note 11 to our consolidated financial statements included elsewhere in this Annual Report on Form 10-K for an explanation of the method used to calculate our basic and diluted net loss per share attributable to common stockholders and the weighted-average number of shares used in the computation of per share amounts.

Year Ended December 31,
2019201820172016
(in thousands)
Cost of revenue$716  $119  $47  $64  
Sales and marketing8,709  979  488  381  
Research and development13,037  1,532  969  1,043  
General and administrative14,165  24,717  1,251  4,212  
Total stock-based compensation expense$36,627  $27,347  $2,755  $5,700  





59

Table of contents
December 31,
201920182017
(in thousands)
Consolidated Balance Sheet Data
Cash, cash equivalents, and available-for-sale securities$636,948  $160,657  $73,407  
Working capital(1)
$605,989  $135,358  $64,861  
Property and equipment, net$101,466  $73,210  $51,423  
Total assets$830,824  $298,380  $163,143  
Deferred revenue, current and noncurrent$31,647  $17,037  $12,134  
Redeemable convertible preferred stock$—  $331,521  $181,546  
Accumulated deficit$(301,706) $(195,878) $(108,714) 
Total stockholders’ (deficit) equity$725,828  $(113,505) $(59,834) 
_______________
(1)Working capital is defined as current assets less current liabilities.

60

Table of contents
Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion contains forward-looking statements that are based upon current plans, expectations, and beliefs that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth under the section titled “Risk Factors” included elsewhere in this Annual Report on Form 10-K. Our fiscal year end is December 31.
Overview
Cloudflare’s mission is to help build a better Internet. We have built a global cloud platform that delivers a broad range of network services to businesses of all sizes and in all geographies—making them more secure, enhancing the performance of their business-critical applications, and eliminating the cost and complexity of managing individual network hardware. Our platform serves as a scalable, easy-to-use, unified control plane to deliver security, performance, and reliability across their on-premise, hybrid, cloud, and software-as-a-service (SaaS) applications.

Our Business Model
Our business model benefits from our ability to serve the needs of all customers ranging from individual developers to the largest enterprises, in a cost-effective manner. Our products are easy to deploy and allow for rapid and efficient onboarding of new customers and expansion of our relationships with customers over time. Given the large customer base we have and the immense amount of Internet traffic that we manage, we are able to negotiate mutually beneficial agreements with Internet Service Providers (ISPs) that allow us to place our equipment directly in their data centers, which dramatically drives down our bandwidth and co-location expenses. This symbiotic relationship that we have with ISPs and the efficiency of our serverless network architecture allows us to introduce new products on our platform at low marginal cost.
We generate revenue primarily from sales to our customers of subscriptions to access our platform. We offer a variety of plans to our free and paying customers depending on their required features and functionality.
Pay-As-You-Go Customers. For our pay-as-you-go customers (and which we previously referred to as self-serve customers), we offer Pro and Business subscription plans through our website per registered domain, and it is common for customers to purchase subscriptions to cover multiple Internet properties (e.g., domains, websites, application programming interfaces (APIs), and mobile applications). Our Pro plan provides basic functionality to improve the security, performance, and reliability of applications, such as enhanced web application firewall and image and mobile optimization. Our Business plan includes additional functionality often required by larger organizations, including service level agreements of up to 100% uptime, dynamic content acceleration, and enhanced customer support. Our implementation period for pay-as-you-go customers is extremely short with most customers implementing our services within a matter of minutes. While our Pro and Business plans offer significant value to customers, customers can subscribe to add-on products and platform functionality we offer to meet their more advanced needs. Our pay-as-you-go customers typically pay with a credit card on a monthly basis.
Contracted Customers. Our contracted customers, which consist of customers that enter into contracts for our Enterprise subscription plan (and which we previously referred to as enterprise customers), have contracts that range from one to three years and are typically billed on a monthly basis. Our contracted customer sales cycle typically lasts less than one quarter. Our agreements with contracted customers are tailored and priced to meet their varying needs and requirements. Enterprise subscription plan agreements for our contracted customers generally include a base subscription and a smaller portion based on usage.
Key elements of our business model include:
Free customer base. Free customers are an important part of our business. These customers, like our pay-as-you-go customers, sign up for our service through our website and are typically individual developers, early stage startups, hobbyists, and other users. Our free customers create scale, serve as
61

Table of contents
efficient brand marketing, and help us attract developers, customers, and potential employees. These free customers expose us to diverse traffic, threats, and problems, often allowing us to see potential security, performance, and reliability issues at the earliest stage. This knowledge allows us to improve our products and deliver more effective solutions to our paid customers. In addition, the added scale and diversity of this traffic makes us valuable to a diverse set of global ISPs, improving the breadth and economic terms of our interconnections, bandwidth costs, and co-location expenses. Finally, the enthusiastic engagement of our free customer base represents a "virtual quality assurance" function that allows us to maintain a high rate of product innovation, while ensuring our products are extensively tested in real world environments before they are deployed to enterprise customers.