10-K 1 okta-20240131.htm 10-K okta-20240131
false00016601342024FYhttp://fasb.org/us-gaap/2023#AccountingStandardsUpdate202006MemberP1YP3Yhttp://fasb.org/us-gaap/2023#OtherLiabilitiesCurrenthttp://fasb.org/us-gaap/2023#OtherLiabilitiesCurrent0.00529910.00419123333333333339300016601342023-02-012024-01-3100016601342023-07-31iso4217:USD0001660134us-gaap:CommonClassAMember2024-02-26xbrli:shares0001660134us-gaap:CommonClassBMember2024-02-2600016601342024-01-3100016601342023-01-31iso4217:USDxbrli:shares0001660134us-gaap:CommonClassAMember2023-01-310001660134us-gaap:CommonClassAMember2024-01-310001660134us-gaap:CommonClassBMember2024-01-310001660134us-gaap:CommonClassBMember2023-01-310001660134us-gaap:SubscriptionAndCirculationMember2023-02-012024-01-310001660134us-gaap:SubscriptionAndCirculationMember2022-02-012023-01-310001660134us-gaap:SubscriptionAndCirculationMember2021-02-012022-01-310001660134us-gaap:TechnologyServiceMember2023-02-012024-01-310001660134us-gaap:TechnologyServiceMember2022-02-012023-01-310001660134us-gaap:TechnologyServiceMember2021-02-012022-01-3100016601342022-02-012023-01-3100016601342021-02-012022-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMember2021-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassBMember2021-01-310001660134us-gaap:AdditionalPaidInCapitalMember2021-01-310001660134us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-01-310001660134us-gaap:RetainedEarningsMember2021-01-3100016601342021-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMember2021-02-012022-01-310001660134us-gaap:AdditionalPaidInCapitalMember2021-02-012022-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassBMember2021-02-012022-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMemberokta:ConversionOfConvertibleDebtMember2021-02-012022-01-310001660134us-gaap:AdditionalPaidInCapitalMemberokta:ConversionOfConvertibleDebtMember2021-02-012022-01-310001660134okta:ConversionOfConvertibleDebtMember2021-02-012022-01-310001660134us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-02-012022-01-310001660134us-gaap:RetainedEarningsMember2021-02-012022-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMember2022-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassBMember2022-01-310001660134us-gaap:AdditionalPaidInCapitalMember2022-01-310001660134us-gaap:AccumulatedOtherComprehensiveIncomeMember2022-01-310001660134us-gaap:RetainedEarningsMember2022-01-3100016601342022-01-310001660134us-gaap:AdditionalPaidInCapitalMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2022-01-310001660134srt:CumulativeEffectPeriodOfAdoptionAdjustmentMemberus-gaap:RetainedEarningsMember2022-01-310001660134srt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2022-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMember2022-02-012023-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassBMember2022-02-012023-01-310001660134us-gaap:AdditionalPaidInCapitalMember2022-02-012023-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMemberokta:ConversionOfCommonStockMember2022-02-012023-01-310001660134us-gaap:CommonStockMemberokta:ConversionOfCommonStockMemberus-gaap:CommonClassBMember2022-02-012023-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMemberokta:ConversionOfConvertibleDebtMember2022-02-012023-01-310001660134us-gaap:AdditionalPaidInCapitalMemberokta:ConversionOfConvertibleDebtMember2022-02-012023-01-310001660134okta:ConversionOfConvertibleDebtMember2022-02-012023-01-310001660134us-gaap:AccumulatedOtherComprehensiveIncomeMember2022-02-012023-01-310001660134us-gaap:RetainedEarningsMember2022-02-012023-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMember2023-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassBMember2023-01-310001660134us-gaap:AdditionalPaidInCapitalMember2023-01-310001660134us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-01-310001660134us-gaap:RetainedEarningsMember2023-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMember2023-02-012024-01-310001660134us-gaap:AdditionalPaidInCapitalMember2023-02-012024-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMemberokta:ConversionOfCommonStockMember2023-02-012024-01-310001660134us-gaap:CommonStockMemberokta:ConversionOfCommonStockMemberus-gaap:CommonClassBMember2023-02-012024-01-310001660134us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-02-012024-01-310001660134us-gaap:RetainedEarningsMember2023-02-012024-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassAMember2024-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassBMember2024-01-310001660134us-gaap:AdditionalPaidInCapitalMember2024-01-310001660134us-gaap:AccumulatedOtherComprehensiveIncomeMember2024-01-310001660134us-gaap:RetainedEarningsMember2024-01-31okta:segment0001660134srt:MinimumMember2023-02-012024-01-310001660134srt:MaximumMember2023-02-012024-01-310001660134srt:MaximumMember2024-01-310001660134srt:MinimumMember2024-01-310001660134us-gaap:ComputerSoftwareIntangibleAssetMember2024-01-31xbrli:pure0001660134us-gaap:RestrictedStockUnitsRSUMembersrt:MinimumMember2023-02-012024-01-310001660134us-gaap:RestrictedStockUnitsRSUMembersrt:MaximumMember2023-02-012024-01-310001660134us-gaap:ComputerEquipmentMember2024-01-310001660134us-gaap:FurnitureAndFixturesMember2024-01-310001660134okta:A2023RestructuringPlanMember2022-11-012023-01-31okta:employee0001660134okta:A2024RestructuringPlanMember2023-11-012024-01-310001660134us-gaap:EmployeeSeveranceMember2022-01-310001660134us-gaap:EmployeeSeveranceMember2022-02-012023-01-310001660134us-gaap:EmployeeSeveranceMember2023-01-310001660134us-gaap:EmployeeSeveranceMember2023-02-012024-01-310001660134us-gaap:EmployeeSeveranceMember2024-01-310001660134us-gaap:MoneyMarketFundsMemberus-gaap:CashAndCashEquivalentsMember2024-01-310001660134us-gaap:CashAndCashEquivalentsMember2024-01-310001660134us-gaap:USTreasurySecuritiesMemberus-gaap:ShortTermInvestmentsMember2024-01-310001660134us-gaap:CorporateDebtSecuritiesMemberus-gaap:ShortTermInvestmentsMember2024-01-310001660134us-gaap:CertificatesOfDepositMemberus-gaap:ShortTermInvestmentsMember2024-01-310001660134us-gaap:ShortTermInvestmentsMember2024-01-310001660134us-gaap:MoneyMarketFundsMemberus-gaap:CashAndCashEquivalentsMember2023-01-310001660134us-gaap:CashAndCashEquivalentsMember2023-01-310001660134us-gaap:USTreasurySecuritiesMemberus-gaap:ShortTermInvestmentsMember2023-01-310001660134us-gaap:CorporateDebtSecuritiesMemberus-gaap:ShortTermInvestmentsMember2023-01-310001660134us-gaap:ShortTermInvestmentsMember2023-01-31okta:investment0001660134us-gaap:DevelopedTechnologyRightsMember2024-01-310001660134us-gaap:CustomerRelationshipsMember2024-01-310001660134us-gaap:TradeNamesMember2024-01-310001660134us-gaap:OtherIntangibleAssetsMember2024-01-310001660134us-gaap:ComputerSoftwareIntangibleAssetMember2023-01-310001660134us-gaap:DevelopedTechnologyRightsMember2023-01-310001660134us-gaap:CustomerRelationshipsMember2023-01-310001660134us-gaap:TradeNamesMember2023-01-310001660134us-gaap:OtherIntangibleAssetsMember2023-01-310001660134us-gaap:DevelopedTechnologyRightsMember2023-02-012024-01-310001660134us-gaap:DevelopedTechnologyRightsMember2022-02-012023-01-310001660134us-gaap:CustomerRelationshipsMember2023-02-012024-01-310001660134us-gaap:CustomerRelationshipsMember2022-02-012023-01-310001660134us-gaap:TradeNamesMember2023-02-012024-01-310001660134us-gaap:TradeNamesMember2022-02-012023-01-310001660134us-gaap:FurnitureAndFixturesMember2023-01-310001660134us-gaap:LeaseholdImprovementsMember2024-01-310001660134us-gaap:LeaseholdImprovementsMember2023-01-3100016601342024-02-012024-01-310001660134okta:ConvertibleSeniorNotesDue2025Memberus-gaap:SeniorNotesMember2023-02-012024-01-310001660134us-gaap:SeniorNotesMemberokta:ConvertibleSeniorNotesDue2026Member2023-02-012024-01-310001660134okta:ConvertibleSeniorNotesDue2025Memberus-gaap:SeniorNotesMember2020-03-010001660134okta:ConvertibleSeniorNotesDue2025Memberus-gaap:SeniorNotesMember2024-01-31okta:tradingDay0001660134okta:ConvertibleSeniorNotesDue2025Memberus-gaap:SeniorNotesMember2023-01-310001660134okta:ConvertibleSeniorNotesDue2025Memberus-gaap:SeniorNotesMember2022-01-310001660134okta:ConvertibleSeniorNotesDue2025Memberus-gaap:SeniorNotesMember2022-02-012023-01-310001660134okta:ConvertibleSeniorNotesDue2025Memberus-gaap:SeniorNotesMember2021-02-012022-01-310001660134us-gaap:ConvertibleDebtSecuritiesMemberokta:ConvertibleSeniorNotesDue2025Member2023-02-012024-01-310001660134okta:ConvertibleSeniorNotesDue2025Member2023-02-012024-01-310001660134us-gaap:SeniorNotesMemberokta:ConvertibleSeniorNotesDue2026Member2024-01-310001660134okta:ConvertibleSeniorNotesDue2026Member2023-02-012024-01-310001660134us-gaap:SeniorNotesMemberokta:ConvertibleSeniorNotesDue2026Member2023-01-310001660134us-gaap:SeniorNotesMemberokta:ConvertibleSeniorNotesDue2026Member2022-01-310001660134us-gaap:SeniorNotesMemberokta:ConvertibleSeniorNotesDue2026Member2022-02-012023-01-310001660134us-gaap:SeniorNotesMemberokta:ConvertibleSeniorNotesDue2026Member2021-02-012022-01-310001660134us-gaap:ConvertibleDebtSecuritiesMemberokta:ConvertibleSeniorNotesDue2026Member2023-02-012024-01-310001660134us-gaap:CarryingReportedAmountFairValueDisclosureMemberokta:ConvertibleSeniorNotesDue2025Memberus-gaap:SeniorNotesMember2024-01-310001660134us-gaap:EstimateOfFairValueFairValueDisclosureMemberokta:ConvertibleSeniorNotesDue2025Memberus-gaap:SeniorNotesMember2024-01-310001660134us-gaap:CarryingReportedAmountFairValueDisclosureMemberus-gaap:SeniorNotesMemberokta:ConvertibleSeniorNotesDue2026Member2024-01-310001660134us-gaap:EstimateOfFairValueFairValueDisclosureMemberus-gaap:SeniorNotesMemberokta:ConvertibleSeniorNotesDue2026Member2024-01-3100016601342023-05-152023-05-150001660134okta:SanFranciscoTenYearLeaseMember2024-01-31okta:renewalOption0001660134us-gaap:LetterOfCreditMember2024-01-310001660134us-gaap:LetterOfCreditMember2023-01-310001660134okta:DerivativeLawsuitMember2022-11-282022-12-13okta:plaintiff0001660134us-gaap:CommonClassAMember2023-02-012024-01-31okta:vote0001660134us-gaap:CommonClassBMember2023-02-012024-01-310001660134okta:StockOptionsAndRestrictedStockUnitsMember2024-01-310001660134us-gaap:EmployeeStockMember2024-01-310001660134us-gaap:ContributionOfNonmonetaryAssetsToCharitableOrganizationMemberus-gaap:CommonClassAMember2023-02-012024-01-310001660134us-gaap:ContributionOfNonmonetaryAssetsToCharitableOrganizationMemberus-gaap:CommonClassAMember2022-02-012023-01-310001660134us-gaap:ContributionOfNonmonetaryAssetsToCharitableOrganizationMemberus-gaap:CommonClassAMember2021-02-012022-01-31okta:numberOfIncentivePlan0001660134okta:A2017EquityIncentivePlanMemberus-gaap:CommonClassAMember2024-01-310001660134okta:A2017EquityIncentivePlanMemberus-gaap:CommonClassBMember2024-01-310001660134us-gaap:EmployeeStockOptionMember2023-02-012024-01-310001660134us-gaap:EmployeeStockOptionMember2022-02-012023-01-310001660134us-gaap:EmployeeStockOptionMember2021-02-012022-01-310001660134us-gaap:RestrictedStockUnitsRSUMember2023-02-012024-01-310001660134us-gaap:RestrictedStockUnitsRSUMember2022-02-012023-01-310001660134us-gaap:RestrictedStockUnitsRSUMember2021-02-012022-01-310001660134us-gaap:EmployeeStockMember2023-02-012024-01-310001660134us-gaap:EmployeeStockMember2022-02-012023-01-310001660134us-gaap:EmployeeStockMember2021-02-012022-01-310001660134us-gaap:RestrictedStockMember2023-02-012024-01-310001660134us-gaap:RestrictedStockMember2022-02-012023-01-310001660134us-gaap:RestrictedStockMember2021-02-012022-01-310001660134okta:CostofServicesLicensesandServicesMember2023-02-012024-01-310001660134okta:CostofServicesLicensesandServicesMember2022-02-012023-01-310001660134okta:CostofServicesLicensesandServicesMember2021-02-012022-01-310001660134okta:TechnologyServicesCostsMember2023-02-012024-01-310001660134okta:TechnologyServicesCostsMember2022-02-012023-01-310001660134okta:TechnologyServicesCostsMember2021-02-012022-01-310001660134us-gaap:ResearchAndDevelopmentExpenseMember2023-02-012024-01-310001660134us-gaap:ResearchAndDevelopmentExpenseMember2022-02-012023-01-310001660134us-gaap:ResearchAndDevelopmentExpenseMember2021-02-012022-01-310001660134us-gaap:SellingAndMarketingExpenseMember2023-02-012024-01-310001660134us-gaap:SellingAndMarketingExpenseMember2022-02-012023-01-310001660134us-gaap:SellingAndMarketingExpenseMember2021-02-012022-01-310001660134us-gaap:GeneralAndAdministrativeExpenseMember2023-02-012024-01-310001660134us-gaap:GeneralAndAdministrativeExpenseMember2022-02-012023-01-310001660134us-gaap:GeneralAndAdministrativeExpenseMember2021-02-012022-01-310001660134us-gaap:ShareBasedCompensationAwardTrancheOneMemberus-gaap:EmployeeStockOptionMember2023-02-012024-01-310001660134us-gaap:RestrictedStockUnitsRSUMember2023-01-310001660134us-gaap:RestrictedStockUnitsRSUMember2024-01-310001660134okta:MarketBasedRSUsMember2022-03-012022-03-310001660134srt:MinimumMemberokta:MarketBasedRSUsMember2022-03-012022-03-310001660134srt:MaximumMemberokta:MarketBasedRSUsMember2022-03-012022-03-310001660134okta:MarketBasedRSUsMember2023-03-012023-03-310001660134srt:MinimumMemberokta:MarketBasedRSUsMember2023-03-012023-03-310001660134srt:MaximumMemberokta:MarketBasedRSUsMember2023-03-012023-03-310001660134us-gaap:RestrictedStockMemberokta:Auth0AndAtSpokeMember2021-02-012022-01-310001660134us-gaap:RestrictedStockMemberokta:Auth0AndAtSpokeMember2024-01-310001660134us-gaap:RestrictedStockMemberokta:Auth0AndAtSpokeMember2023-02-012024-01-31okta:offering_period0001660134us-gaap:EmployeeStockMembersrt:MinimumMember2023-02-012024-01-310001660134us-gaap:EmployeeStockMembersrt:MaximumMember2023-02-012024-01-310001660134us-gaap:EmployeeStockMembersrt:MinimumMember2022-02-012023-01-310001660134us-gaap:EmployeeStockMembersrt:MaximumMember2022-02-012023-01-310001660134us-gaap:EmployeeStockMembersrt:MinimumMember2021-02-012022-01-310001660134us-gaap:EmployeeStockMembersrt:MaximumMember2021-02-012022-01-310001660134us-gaap:EmployeeStockMember2023-01-310001660134us-gaap:ShareBasedCompensationAwardTrancheOneMemberokta:MarketBasedRSUsMember2022-03-012022-03-310001660134us-gaap:ShareBasedCompensationAwardTrancheOneMemberokta:MarketBasedRSUsMember2023-03-012023-03-310001660134okta:MarketBasedRSUsMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2022-03-012022-03-310001660134okta:MarketBasedRSUsMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2023-03-012023-03-310001660134us-gaap:ShareBasedCompensationAwardTrancheThreeMemberokta:MarketBasedRSUsMember2022-03-012022-03-310001660134us-gaap:ShareBasedCompensationAwardTrancheThreeMemberokta:MarketBasedRSUsMember2023-03-012023-03-310001660134us-gaap:DomesticCountryMember2024-01-310001660134us-gaap:StateAndLocalJurisdictionMember2024-01-310001660134country:GB2024-01-310001660134us-gaap:DomesticCountryMemberus-gaap:ResearchMember2024-01-310001660134us-gaap:StateAndLocalJurisdictionMemberus-gaap:ResearchMember2024-01-310001660134us-gaap:CommonStockMemberus-gaap:CommonClassBMember2023-02-012024-01-310001660134us-gaap:CommonClassAMember2022-02-012023-01-310001660134us-gaap:CommonClassBMember2022-02-012023-01-310001660134us-gaap:CommonClassAMember2021-02-012022-01-310001660134us-gaap:CommonClassBMember2021-02-012022-01-310001660134us-gaap:EmployeeStockOptionMember2023-02-012024-01-310001660134us-gaap:EmployeeStockOptionMember2022-02-012023-01-310001660134us-gaap:EmployeeStockOptionMember2021-02-012022-01-310001660134us-gaap:RestrictedStockUnitsRSUMember2023-02-012024-01-310001660134us-gaap:RestrictedStockUnitsRSUMember2022-02-012023-01-310001660134us-gaap:RestrictedStockUnitsRSUMember2021-02-012022-01-310001660134okta:MarketBasedRSUsMember2023-02-012024-01-310001660134okta:MarketBasedRSUsMember2022-02-012023-01-310001660134okta:MarketBasedRSUsMember2021-02-012022-01-310001660134us-gaap:RestrictedStockMember2023-02-012024-01-310001660134us-gaap:RestrictedStockMember2022-02-012023-01-310001660134us-gaap:RestrictedStockMember2021-02-012022-01-310001660134us-gaap:EmployeeStockMember2023-02-012024-01-310001660134us-gaap:EmployeeStockMember2022-02-012023-01-310001660134us-gaap:EmployeeStockMember2021-02-012022-01-310001660134us-gaap:ConvertibleDebtSecuritiesMember2023-02-012024-01-310001660134us-gaap:ConvertibleDebtSecuritiesMember2022-02-012023-01-310001660134us-gaap:ConvertibleDebtSecuritiesMember2021-02-012022-01-310001660134okta:A2023ConvertibleSeniorNotesMember2023-02-012024-01-310001660134okta:A2023ConvertibleSeniorNotesMember2022-02-012023-01-310001660134okta:A2023ConvertibleSeniorNotesMember2021-02-012022-01-310001660134okta:SharesRelatedto2025ConvertibleSeniorNotesMember2023-02-012024-01-310001660134okta:SharesRelatedto2025ConvertibleSeniorNotesMember2022-02-012023-01-310001660134okta:SharesRelatedto2025ConvertibleSeniorNotesMember2021-02-012022-01-310001660134okta:SharesRelatedTo2026ConvertibleSeniorNotesMember2023-02-012024-01-310001660134okta:SharesRelatedTo2026ConvertibleSeniorNotesMember2022-02-012023-01-310001660134okta:SharesRelatedTo2026ConvertibleSeniorNotesMember2021-02-012022-01-310001660134country:US2023-02-012024-01-310001660134country:US2022-02-012023-01-310001660134country:US2021-02-012022-01-310001660134us-gaap:NonUsMember2023-02-012024-01-310001660134us-gaap:NonUsMember2022-02-012023-01-310001660134us-gaap:NonUsMember2021-02-012022-01-310001660134okta:SperaCybersecurityIncMemberus-gaap:SubsequentEventMember2024-02-012024-02-010001660134okta:ShellyeArchambeauMember2023-02-012024-01-310001660134okta:ShellyeArchambeauMember2023-11-012024-01-3100016601342023-11-012024-01-310001660134okta:ShellyeArchambeauMember2024-01-31


UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 10-K
(Mark One)
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended January 31, 2024
or
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the transition period from              to             
Commission File Number: 001-38044
Okta, Inc.
(Exact name of Registrant as specified in its charter)
Delaware
100 First Street, Suite 600
26-4175727
(State or Other Jurisdiction of
Incorporation or Organization)
San Francisco
(I.R.S. Employer
Identification Number)
California
94105
(Address of Principal executive offices)
Registrant’s telephone number, including area code: (888) 722-7871
___________________________________________________
Securities registered pursuant to Section 12(b) of the Act:
(Title of each class)Trading Symbol(s)(Name of each exchange on which registered)
Class A common stock, par value $0.0001 per share
OKTA
The Nasdaq Stock Market LLC
Securities registered pursuant to Section 12(g) of the Act: None
___________________________________________________
Indicate by check mark if the Registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☒ No 
Indicate by check mark if the Registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes 
  No  ☒
Indicate by check mark whether the Registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    Yes  ☒    No  
Indicate by check mark whether the Registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the Registrant was required to submit such files).    Yes  ☒    No  
Indicate by check mark whether the Registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large Accelerated Filer
Accelerated filer
Non-accelerated filer
Smaller reporting company
Emerging growth company
If an emerging growth company, indicate by check mark if the Registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.
Indicate by check mark whether the Registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.
If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the Registrant included in the filing reflect the correction of an error to previously issued financial statements.
Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the Registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b).
Indicate by check mark whether the Registrant is a shell company (as defined in Rule 12b-2 of the Act).    Yes  
    No  
The aggregate market value of the stock of the Registrant as of July 31, 2023 (based on a closing price of $76.86 per share) held by non-affiliates was approximately $12.0 billion. As of February 26, 2024, there were 160,106,072 shares of the Registrant’s Class A Common Stock and 7,291,091 shares of the Registrant's Class B Common Stock outstanding.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant's definitive Proxy Statement relating to the 2024 Annual Meeting of Stockholders are incorporated herein by reference in Part III of this Annual Report on Form 10-K to the extent stated herein. Such Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year ended January 31, 2024.




Okta, Inc.
Form 10-K
For the Fiscal Year Ended January 31, 2024
TABLE OF CONTENTS
Page
Part I
Part II
Part III
Part IV




Special Note Regarding Forward-Looking Statements 
This Annual Report on Form 10-K contains "forward-looking statements" within the meaning of the “safe harbor” provisions of the Private Securities Litigation Reform Act of 1995, including but not limited to, statements regarding our financial outlook, product development, business strategy, plans, market trends, opportunities and positioning. These forward-looking statements are made as of the date they were first issued and were based on current expectations, estimates, forecasts and projections as well as the beliefs and assumptions of management. Words such as “expect,” “anticipate,” “should,” “believe,” “hope,” “target,” “project,” “goals,” “estimate,” “potential,” “predict,” “may,” “will,” “might,” “could,” “intend,” “shall” and variations of these terms or the negative of these terms and similar expressions are intended to identify these forward-looking statements, although not all forward-looking statements include these identifying words. The forward-looking statements are contained principally in “Management’s Discussion and Analysis of Financial Condition and Result of Operations” and “Risk Factors."
Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
our future financial performance, including our revenue, costs of revenue, gross profits, margins and operating expenses;
the impact of general economic, business and market conditions, including general economic downturn or recession, market volatility, and the inflation and interest rate environment;
trends in our key business metrics;
our growth strategy and ability to compete;
the sufficiency of our cash and cash equivalents, investments and cash provided by sales of our products and services to meet our liquidity needs;
market or other opportunities arising from business combinations;
our ability to maintain the security and availability of our internal networks and platform;
our ability to increase our number of customers;
our ability to sell additional products to and retain our existing customers;
our ability to successfully expand in our existing markets and into new markets;
our ability to effectively manage our growth and future expenses;
our ability to expand our network of channel partners;
our ability to form and expand partnerships with independent software vendors and system integrators;
our ability to introduce new products, enhance existing products and address new use cases;
our ability to add new integration partners;
our ability to grow our international business;
our ability to maintain, protect and enhance our intellectual property;
our ability to comply with modified or new laws and regulations applying to our business;
the attraction and retention of qualified employees and key personnel;
our anticipated investments in sales and marketing and research and development;
our ability to comply with modified or new laws and regulations applying to our business, including the General Data Protection Regulation, and other privacy regulations that may be implemented in the future;
the impact of recent accounting pronouncements on our financial statements;
our ability to successfully defend litigation brought against us; and
our ability to successfully integrate and realize the benefits of strategic acquisitions or investments, including our acquisition of Auth0, Inc. ("Auth0").
Forward-looking statements are subject to a number of risks and uncertainties, many of which involve factors or circumstances that are beyond our control. Our actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in “Risk Factors” in this Annual Report on Form 10-K as well as other documents that may be filed by us from time to time with the Securities and Exchange Commission ("SEC"). Moreover, we operate in a very competitive and rapidly changing environment. New risks emerge from time to time. It is not possible for our management to predict all risks, nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may cause actual results to differ materially from those contained in any forward-looking statements we



may make. In light of these risks, uncertainties and assumptions, the forward-looking events and circumstances discussed in this Annual Report on Form 10-K may not occur and actual results could differ materially and adversely from those anticipated or implied in the forward-looking statements.
You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee that the future results, levels of activity, performance or events and circumstances reflected in the forward-looking statements will be achieved or occur. Moreover, except as required by law, neither we nor any other person assumes responsibility for the accuracy and completeness of the forward-looking statements. We undertake no obligation to update publicly any forward-looking statements for any reason after the date of this Annual Report on Form 10-K to conform these statements to actual results or to changes in our expectations.



Part I
Item 1. Business
Overview
Okta is the leading independent identity partner. Our vision is to free everyone to safely use any technology, and we believe identity is the key to making that happen. Our purpose is to bring simple and secure digital access to people and organizations everywhere. Our Workforce Identity Cloud and Customer Identity Cloud, powered by Auth0, enable our customers to securely connect the right people to the right technologies and services at the right time.
The acceleration of digital transformation, cloud adoption and the evolving security threat landscape are driving a shift in how organizations securely manage the identity of their employees, contractors and partners on the internet. At the same time, changing consumer expectations favoring simple, secure digital experiences are driving the adoption of new consumer identity technologies. Our Workforce Identity Cloud and Customer Identity Cloud help organizations effectively harness the power of cloud, mobile and web technologies by securing users and connecting them with the applications and technology they use. Every day, thousands of organizations and millions of people use Okta to securely access a wide range of cloud, mobile, web and Software-as-a-Service ("SaaS") applications, on-premises servers, application programming interfaces ("APIs"), IT infrastructure providers, and services from a multitude of devices. Employees and contractors sign into Workforce Identity Cloud to seamlessly and securely access the applications they need to do their most important work. Organizations use our platform to collaborate with their partners and to provide their customers with more modern and secure experiences in the cloud and via mobile devices. Developers leverage our Customer Identity Cloud and Workforce Identity Cloud to securely and efficiently embed identity into the software they build, allowing them to innovate and focus on their core mission. Our approach to customer identity provides organizations—from companies to government agencies—with the scale, interoperability, extensibility and security they need to build applications with seamless and private experiences that serve a wide variety of users, from customers to citizens. As we add new customers, users, developers and integrations to our platform, our business, customers, partners and users benefit from powerful network effects that increase the value and security of our Workforce Identity Cloud and Customer Identity Cloud.
Given the growth trends in the number of applications and cloud adoption and the movement to remote and hybrid workforces, identity is becoming the most critical layer of an organization’s security. As organizations shift from network-based security models to a Zero Trust security model focusing on adaptive and context-aware controls, identity has become the most reliable way to manage user access and protect digital assets. Our approach to identity allows our customers to simplify and efficiently scale their security infrastructures across internal IT systems and external customer-facing applications.
As of January 31, 2024, more than 18,950 customers across nearly every industry used Okta to secure and manage identities around the world. Our customers consist of leading global organizations ranging from the largest enterprises to small- and medium-sized businesses, universities, nonprofits and government agencies. We partner with leading application, infrastructure and security vendors, such as Amazon Web Services ("AWS"), CrowdStrike, Google, LexisNexis Risk Solutions, Microsoft, Netskope, Palo Alto Networks, Plaid, Proofpoint, Salesforce, ServiceNow, VMware, Workday, Yubico and Zscaler. We had over 7,000 integrations with cloud, mobile and web applications and IT infrastructure providers as of January 31, 2024, which, while not directly correlated to revenue, shows the breadth and acceptance of our platform.
We employ a SaaS business model and generate revenue primarily by selling multi-year subscriptions to our cloud-based offerings. We focus on acquiring and retaining our customers and increasing the value we provide to our customers over time and thus their spending with us through expanding the number of users who access our Workforce Identity Cloud and Customer Identity Cloud and up-selling additional product offerings. We sell our product offerings directly through our field and inside sales teams, as well as indirectly through our network of channel partners, including resellers, system integrators and other distribution partners.
5


Our Platform
Okta is an independent and neutral cloud-based identity solution that allows our customers to integrate with nearly any application, service or cloud that they choose through our secure, reliable and scalable platform and cloud infrastructure. Our technological neutrality allows our customers to easily adopt the best technologies, and our two clouds are designed to securely connect users to the technology that they choose. We prioritize the compatibility of our platform with public clouds, on-premises infrastructures and hybrid clouds.
Our platform is used by organizations in two distinct and powerful ways. Our customers use it to manage and secure their employees, contractors and partners, which we refer to as workforce identity as supported by our Workforce Identity Cloud. Our customers also use it to enable, manage and secure the identities of their customers, which we refer to as customer identity as supported by our Customer Identity Cloud.
Workforce Identity Cloud
Workforce Identity Cloud simplifies the way an organization’s employees, contractors and partners connect to its applications and data from any device while increasing efficiency and keeping IT environments secure. Workforce Identity Cloud can be used as the central system for an organization’s connectivity, access, authentication and identity lifecycle management needs spanning all of its users, technology and applications. Our customers use Workforce Identity Cloud to secure their workforces, to create solutions that make their partner networks more collaborative, and to provide more seamless and secure experiences for their end users, which, combined with our open approach, enables our customers to future-proof their environments. We enable our customers to easily deploy, manage and secure applications and devices, and to provision and support users across their IT environments, with a simple, intuitive, consumer-like user experience. Once deployed, we enable administrators to enforce contextual access management decisions based on conditions such as user identity, device, location, application identity, IP reputation and time of day.
We enable organizations to provide their workforces with immediate and secure access to every application they need from any device they use, without requiring multiple credentials, which significantly enhances user connectivity and productivity. We offer our customers an additional security layer through our Adaptive Multi-Factor Authentication (“Adaptive MFA”) product offering. Our Universal Directory product offering also serves as a system of record to help our customers organize, customize and manage their users. Our Lifecycle Management product offering enables customers to manage users’ access privileges through their entire lifecycle with a no-code approach that improves administrative efficiency and productivity. Okta Identity Governance, our unified identity access management and identity governance product offering, helps our customers improve their security and compliance posture while mitigating modern security risks and increasing efficiency. Our Privileged Access Management product offering provides unified access and governance for privileged resources and increases visibility, compliance and security without compromising user experience. Our Access Gateway product offering enables our customers to extend Workforce Identity Cloud to their existing on-premises applications. Workforce Identity Cloud enables our customers to automate access across their growing ecosystem of employees, contractors and partners, increasing collaboration across their workforces.
Customer Identity Cloud
Customer Identity Cloud, powered by Auth0, enables companies, nonprofits and governmental agencies to transform their own customers’ or citizens’ experiences by empowering development teams to rapidly and securely build customer- and citizen-facing cloud, mobile or web applications. Our Customer Identity Cloud primarily supports consumer and SaaS applications. It empowers application builders to innovate faster by removing the complexity from identity and making it simple, extensible and customizable. We enable organizations to integrate our powerful identity platform into their cloud, web and mobile applications. This makes it easier for them to authenticate, manage, scale and secure their applications through comprehensive APIs, software development kits and extensive developer tools, enabling rapid time to market for the business. Organizations are able to streamline user experience and improve security across all their applications, leading to increased customer acquisition, retention and loyalty.
Customer Identity Cloud provides multiple enhanced security capabilities including bot detection, Adaptive MFA, fraud prevention, and account takeover attack protection while delivering a high level of security. In addition to security and authentication, Customer Identity Cloud also supports authorization.
6


Growth Strategy
Key elements of our growth strategy are to:
Execute with Our Platform
Drive New Customer Growth.  To increase our market share, we intend to continue to grow our customer base using a land-and-expand sales model, with a focus on key markets by size of customers, as well as key verticals, including highly regulated sectors.
Deepen Relationships Within Our Existing Customer Base.  We strive to further increase revenue from our existing customers by cross-selling and up-selling additional and new product offerings. We also believe we can expand our footprint by focusing on current customers that have deployed our Workforce Identity Cloud and expanding those customers’ use of our Customer Identity Cloud, or vice versa.
Leverage Partner Ecosystem. We plan to further leverage the sales efforts of resellers, system integrators, managed service providers, and other distribution partners, for growth, scale and specialized expertise. For example, in fiscal 2024, we launched the Okta Elevate Partner Program designed to incentivize partners to deliver and manage Okta solutions.
Expand Our International Footprint.  With 21% of our revenue generated outside of the United States in fiscal 2024, and our international revenue growing 19% from fiscal 2023 to fiscal 2024, we believe there is a significant opportunity to continue to grow our international business. We believe global demand for our product offerings will continue to be a long-term opportunity as organizations outside the United States fully embrace the transition to cloud computing, and larger international organizations take advantage of technology consolidation within their global locations.
Increase Our Opportunities
Innovate and Extend Our Platform with New Products.  We intend to continue making significant investments in research and development, hiring top technical talent and maintaining an agile organization. By continuing to innovate, introduce new product offerings and extend our platform, we believe that we can offer increasing value to our existing and potential customers.
Extend Our Accessible Market with New Use Cases. As technology and our customers’ needs evolve, we plan to use our platform to help our customers address new challenges, regulatory requirements and use cases.
Leverage Our Integrations.  The Okta Integration Network is an extensive ecosystem, which includes over 7,000 integrations with cloud, mobile and web applications as well integrated solutions with IT infrastructure providers. These integrations include both Okta-maintained and vendor-maintained solutions. We continue to add new integrations as we expand the surface area of our identity platform. We view our investment in these partnerships as a force multiplier that enables us to build and promote complementary capabilities that benefit our customers.
Expand our Developer Ecosystem. We want to empower every application developer to use our platform to securely integrate identity into any application. We believe that our platform enables developers to focus their time and attention on innovating within their core application capabilities while relying on our platform for their identity-related requirements, leading to more secure and convenient experiences for their own customers.
Leverage Our Unique Data Assets with Powerful Analytics. Our position at the intersection of people, devices, applications and infrastructure gives us unique access to powerful data, and the opportunity to provide differentiated insights based on that data, as well as predictive capabilities based on that data to help keep customers more secure. We expect the value of our analytics to our customer base will increase as customers continue to connect more devices, applications and users to their networks and as we add more customers. We also expect that our analytics ability will enable our customers to use our data and third-party data from our partners, to help customers make more informed and secure access decisions. We do not currently derive direct revenue from our unique data assets, but we may explore opportunities for monetization in the future. For example, in fiscal 2024 we announced Okta AI, which is designed to use AI
7


models and Okta’s unique crowdsourced threat intelligence identity data to power real-time identity actions, such as the industry’s first real Universal Logout solution.
Mergers and Acquisitions and Investments. From time to time, we evaluate opportunities to acquire or invest in emerging and adjacent technologies to complement our organic investments and improve our product offerings, services and customers’ experiences. We will continue to use these types of strategic levers as opportunities arise.
Our Product Offerings
Okta's suite of product offerings and services is used to manage and secure identities. Most of our product offerings can be used for both customer identity and for workforce identity use cases and we are continuously enhancing our product offerings and services. Our workforce identity product offerings are consumed through web and mobile interfaces and provide simple ways for IT organizations to manage identities for their employees, contractors and business partners. For customer identity, our APIs are also used by developers to embed Okta identity functionality into their own customer-facing mobile or web applications. We continuously improve our Workforce Identity Cloud and Customer Identity Cloud through the release and development of additional product offerings, features and services.
Workforce Identity Product Offerings
Access Management
Single Sign-on. When used to manage and secure identities for a customer’s workforce, Single Sign-On enables users to access all of their applications, whether in the cloud or on-premises, from any device, with a single entry of their user credentials. We combine secure access, modern protocols, flexible policies and a consumer-like user experience to permit organizations to easily allow customers or partners to sign in to their applications with their existing identity information. With Okta FastPass, we enable our customers to provide their users with a passwordless experience across any device and every major operating system. Single Sign-On also enables built-in reporting and analytics that provide real-time search functionalities across users, devices, applications and the associated access and usage activity.
Adaptive Multi-Factor Authentication.  Adaptive MFA is a comprehensive, but simple-to-use, product that provides an additional layer of security for an organization’s cloud, mobile and web applications and data. We offer an intelligent approach to security, built on contextual data. Adaptive MFA includes a policy framework that is integrated with a broad set of cloud and on-premises applications and network infrastructures. It offers adaptive, risk-based authentication that leverages data intelligence from across the Okta network of thousands of organizations as well as from our partner ecosystem.
API Access Management.  API Access Management enables organizations to secure APIs as systems connect to each other. Access to these APIs is managed based on the user, which enables organizations to centrally maintain one set of permissions for any employee, partner or customer across every point of access. API Access Management reduces development time, boosts security, helps in achieving compliance and enables seamless end-user experiences by providing a unified portable service for authorizing secure and always available access to any API.
Access Gateway. Access Gateway enables organizations to extend Workforce Identity Cloud, which is a cloud-native platform, from the cloud to their existing on-premises applications so that they can harness the benefits of Okta to manage all of their critical systems, whether in the cloud, on-premises or hybrid. Extending the benefits of Workforce Identity Cloud to hybrid IT environments delivers a single point of management for our customers’ administrators and a single location from which end users can access their critical applications.
Okta Device Access. Okta Device Access extends Okta's secure access management to the device login experience. Okta Device Access enables end users to securely log in to their devices with their Okta credentials and meet MFA challenges from a set of strong factors, helping organizations to harden their security posture by protecting a user's device with the same experience Okta provides for applications and resources.
8


Identity Governance and Administration (“IGA”)
Universal Directory. Universal Directory provides a centralized, cloud-based system of record to store and secure user, application and device profiles for an organization. Users and profiles stored in the directory can be used with our Single Sign-On product to manage passwords and authentication, or can be used by developers to store and authenticate the users of their applications. When used for workforce identity, Universal Directory becomes a customer’s system of record for all of its employees, contractors and partners.
Lifecycle Management. Lifecycle Management enables IT organizations or developers to manage a user's identity throughout its lifecycle, from onboarding to offboarding. It automates IT processes and ensures user accounts are created and deactivated at the appropriate times, including the workflow and policies needed to power those processes, and helps ensure compliance requirements are met as user roles evolve and access levels change.
Okta Identity Governance. Okta Identity Governance provides a unified identity access management and identity governance solution focused on improving an organization’s security and compliance posture, helping customers to mitigate everyday security risks and improve IT efficiency. Okta Identity Governance includes governance capabilities relating to access requests, access certifications and access reporting. Through these capabilities, Okta Identity Governance simplifies and automates the process of requesting and approving access to applications and resources.
Privileged Access Management
Advanced Server Access. Advanced Server Access offers continuous, contextual access management to secure cloud infrastructure. Organizations can continuously manage and secure access to on-premises Windows and Linux servers and across leading Infrastructure-as-a-Service vendors, including AWS, Google Cloud Platform and Microsoft Azure. Advanced Server Access enables our customers to centralize access controls in a seamless manner to better mitigate the risk of credential theft, reuse, sprawl and abandoned administrative accounts.
Okta Privileged Access. Okta Privileged Access enables organizations to reduce risk with unified access and governance management for on-premises and cloud privileged resources, for better visibility, compliance, and security for critical applications, resources and infrastructure requiring privileged access.
Workforce Identity Cloud Platform: Extensibility
Okta Workforce Identity Workflows. Designed to enable IT and security teams to move faster, more accurately and more cost effectively as they scale, Okta Workflows enables the building of identity-related business processes with minimal or no code, such as automating user onboarding and provisioning, creating just-in-time authorization for software development and IT processes, automating identity-centric security responses, and orchestrating customer data across backend systems.
Customer Identity Cloud Product Offerings
Universal Login. Universal Login is a standards-based login infrastructure with centralized feature management and configuration for websites and applications that can be integrated with a wide range of social media login credential providers, enterprise login services and customer-provided databases. Universal Login enables our customers to provide a consistent login experience across many different applications and devices.
Attack Protection. Attack Protection is a suite of security capabilities that protect our customers from different types of malicious traffic, including bots, breached passwords, suspicious IP addresses and brute force attacks. Attack Protection enables our customers to minimize risks associated with the ever-growing volume of identity-targeted attacks.
Adaptive Multi-Factor Authentication. Simple-to-use and adaptable MFA that minimizes friction to end users. When using Adaptive MFA, our customers leverage risk-assessment algorithms that present MFA challenges only to select authentication attempts that require additional validation.
9


Passwordless. Passwordless authentication enables users to login without a password and supports a variety of different login methods, including advanced device biometrics such as passkeys.
Machine to Machine. Machine to Machine provides standards-based authentication and authorization with non-interactive devices and applications.
Private Cloud. Private Cloud is a deployment option that allows our customers to run a dedicated cloud instance of Customer Identity Cloud. Private Cloud capability supports multiple cloud providers.
Organizations. Organizations enable our customers to support a large number of partners or customers of their own with independent configurations, login experiences and security options.
Actions and Extensibility. Actions and extensibility allow our customers to create customized identity flows that address their unique requirements through a drag-and-drop interface to add pre-built partner integrations and their own custom logic across an authentication flow.
Enterprise Connections. Enterprise Connections enable Enterprise Federation using pre-built integrations with commonly used Enterprise Identity Systems.
Through our broad and deep product offerings that support a wide range of workforce and customer identity use cases, we deliver multiple critical business outcomes for our customers. These include boosting their cybersecurity posture, reducing IT spending, addressing regulations, reducing fraud, increasing new customer conversions, creating frictionless customer experiences and helping technical teams deliver products to market faster.
Our Technology
We focus on engineering an intuitive and comprehensive platform to solve complex identity management and security challenges. Our cloud architecture is multi-tenant, encrypted and third-party validated. Our service also allows us to integrate into our customers’ on-premises components and hybrid configurations.
Differentiated Administration, User and Developer Experience
Workforce Identity Cloud and Customer Identity Cloud offer administrators and users a consistent, easy-to-use, consumer-like experience across our product offerings. Our technology integrates with industry-leading browsers and mobile applications to provide seamless access to nearly any web or native mobile application. We also heavily leverage operating system management and security technologies across desktops, laptops and mobile devices to provide a transparent, but secure experience for users across a range of devices. These integrations allow us to seamlessly deliver identity, access, security and management use cases that previously required significant custom development to achieve.
Robust Security
Security is essential for Okta and for our customers. Our approach to security spans day-to-day operational practices from the design and development of our software to how customer data is segmented and secured within our multi-tenant platform. The Okta platform and features are updated regularly, and along with continuous security testing, there are periodic security reviews that provide audited and verifiable security checkpoints to ensure the quality of our source code. A number of our product offerings have attained multiple certifications, including SOC 2 Type II Attestations, CSA Star Level 2 Attestation, ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, multiple agency Federal Risk and Authorization Management Program ("FedRAMP") Authorities to Operate, Department of Defense Impact Level 4, are in accordance with Health Insurance Portability and Accountability Act ("HIPAA"), and comply with many other international security frameworks. Workforce Identity Cloud also supports FIPS 140-2 encryption requirements.
Additional information regarding our cybersecurity risk management strategy and governance is included in “Cybersecurity” under Part I, Item 1C of this Annual Report on Form 10-K. For additional information regarding the cybersecurity risks that we face, see “Risk Factors” included under Part I, Item 1A of this Annual Report on Form 10-K.
10


Scalability and Uptime
Our technical operations and engineering models are designed around the concept of an always-on, highly redundant and available platform that we seek to upgrade without customer disruption. Our product offerings and architecture were built entirely in and for the cloud with availability, resiliency and scalability at the center of the design. We have zero planned downtime, including during our maintenance windows.
Okta's proprietary architecture includes redundant, active-active-active availability zones with cross-continental disaster recovery regions, real-time database replication and geo-distributed storage. If one of our systems goes down, another is quickly promoted. Our architecture is designed to scale both vertically by increasing the size of the application tiers and horizontally by adding new geo-distributed cells.
Our Workforce Identity Cloud and Customer Identity Cloud are monitored not only at the infrastructure level, but also at the application and third-party integration level. Synthetic transaction monitoring allows our technical operations team to detect and resolve issues proactively.
Okta Integration Network and Auth0 Marketplace
The Okta Integration Network contains over 7,000 integrations with cloud, mobile and web applications, IoT devices and IT infrastructure providers, including AWS, Atlassian, DocuSign, Google, Microsoft Office 365, NetSuite, Oracle, Palo Alto Networks, Proofpoint, Salesforce, SAP, ServiceNow, Slack, Splunk, VMware, Workday, Zendesk and Zoom. Our patented technology allows our customers to seamlessly connect to any application or type of device that is already integrated into our network. In addition, customers can extend the benefits of the Okta Integration Network by creating their own integrations to both cloud and on-premises proprietary applications.
Similarly, the Auth0 Marketplace is a trusted catalog of integrations that enables application teams to easily assemble complete identity solutions. The Auth0 Marketplace connects customers with service providers and builders who solve integration use cases and implement integrations with Customer Identity Cloud.
Our Customers
As of January 31, 2024, we had more than 18,950 customers, including more than 4,485 customers with an annual contract value greater than $100,000. Our customers span nearly all industry verticals and range from small organizations with fewer than 100 employees to companies in the Fortune 50, with up to hundreds of thousands of employees, some of which use our platform to manage millions of their customers' identities.
Sales and Marketing
Sales
We sell directly to customers through our direct inside and field sales force and also indirectly through our extensive ecosystem of channel partners. We also use a self-service approach for developers to sign up for free trials of our Customer Identity Cloud. which may transition to paid offerings. We often leverage our expansion sales model to generate incremental revenue, often within the term of the initial agreement, through the addition of new users and the sale of additional product offerings. In many instances, we find that initial customer success with our platform results in key internal decision-makers expanding their deployments, for example, from initial use for workforce identity to expanded use for their customer identity needs. Furthermore, as our customers are successful in their businesses and increase headcount, the number of their customers or their monthly active users, we share in their growth as the number of identities that we manage increases. Conversely, if our customers reduce the size of their workforce, then the number of identities that we manage, and therefore our revenue, decreases.
Our sales organization is structured to address the specific needs of each segment of our target market. Our sales team is divided by geography and customer size, and in some cases by industry vertical. Our direct sales force is supported by our sales engineers, security team, cloud architects, professional services team and other technical resources.
We benefit from an expansive partner ecosystem that helps drive additional sales. Nearly all of the leading cloud application providers are our partners, and many of them drive further customer acquisition for us through co-selling arrangements, building our offerings directly into their products, and product demonstrations running on Okta. We also partner with several of the large technology companies that are driving the movement to the cloud. In
11


addition to these technology partners, we leverage our channel partners, including system integrators, traditional value-added resellers ("VARs") and Government VARs, to broaden the range of customers we reach.
Marketing
Our most valuable marketing features our customers and their successes and is informed by a deeply data-driven approach, giving us insights into the efficacy of our efforts. Our marketing efforts focus on promoting our industry-leading product lines, establishing our brand, generating awareness, creating sales leads and cultivating the Okta Communities.
A centerpiece of our marketing strategy is our annual customer conference, Oktane, which features customers sharing their success stories, new product and feature announcements, and hands-on product labs. We also host a number of other events where we engage with both existing customers and new prospects, as well as deliver product training.
Research and Development
Our research and development organization is responsible for the design, architecture, creation and quality of our platform. The research and development organization also works closely with our technical operations team to ensure the successful deployment and monitoring of our platform. We use test automation and application monitoring to ensure our services are always on.
Customer Support and Professional Services
Our product offerings are designed for ease of use and fast deployments. As part of our customer-first strategy, we are focused on customer success and offer several programs to help our customers maximize their success with our product offerings. These programs leverage the expertise and best practices that we have built while helping thousands of customers adopt and deploy our product offerings.
Customer Support and Training Services
We offer three tiers of support, each of which builds upon the previous tier. We provide 24/7 support for the highest support tiers as well as access to Customer Success and Technical Account Managers. We also provide on-demand access to a robust online digital community and customer success hub, where our customers can find answers to common use cases, information about product features, and interact with Okta experts and industry peers.
Professional Services
Our professional services team provides assistance to customers in the deployment of our Workforce Identity Cloud and Customer Identity Cloud and includes identity and security experts, customized deployment plans, SmartStart, which provides a quick path to implementation, and Okta Expert Assist, in which we provide Workforce Identity Cloud and Customer Identity Cloud customers with recommendations and best practices designed to improve their security posture.
Okta Community
We have created the Okta Community, an online community available to all of our customers that enables them to connect with other customers and partners to ask questions and find answers.
Intellectual Property
We protect our intellectual property through a combination of trademarks, domain names, copyrights, trade secrets and patents, as well as contractual provisions and restrictions on access to our proprietary technology.
As of January 31, 2024, we had fifty-two issued patents in the United States, which expire between 2030 and 2043 and cover various aspects of our product offerings. In addition, as of such date, we also had seventy-three issued patents granted outside of the United States, which expire between 2033 and 2043 and cover various aspects of our product offerings.
12


We have registered “Okta” and "Auth0" as trademarks in many jurisdictions throughout the world to protect our brands. We also have filed other trademark applications pending in various jurisdictions throughout the world. We also have registered other trademarks in the United States including “Okta Workforce Identity Cloud,” “Okta Customer Identity Cloud,” “The World’s Identity Company,” and “Oktane".
We are the registered holder of a variety of domestic and international domain names that include “Okta,” "Auth0" and similar variations.
In addition to the protection provided by our intellectual property rights, we enter into confidentiality and proprietary rights or similar agreements with our employees, consultants and contractors. Our employees, consultants and contractors are also subject to invention assignment agreements. We further control the use of our proprietary technology and intellectual property through provisions in both general and product-specific terms of use.
Additional information regarding certain risks related to our intellectual property is included in “Risk Factors” under Part I, Item 1A of this Annual Report on Form 10-K.
Our Competitors
The markets for our product offerings are rapidly evolving, highly competitive and subject to shifting customer needs and frequent introductions of new competing technologies. As the markets in which we operate continue to mature and new technologies and competitors enter those markets, we expect competition to intensify. Our competitor categories include:
Authentication providers;
Identity governance providers;
Multi-factor authentication providers;
Infrastructure-as-a-service providers;
Other customer identity and access management providers; and
Solutions developed in-house by our potential customers.
We compete with both cloud-based and on-premises enterprise application software providers. We also compete against open-source technologies that customers can use to build their own identity solutions. Our competitors vary in size and in the breadth and scope of the products and services offered. However, certain of our competitors have substantial competitive advantages, such as significantly greater financial, technical, sales and marketing, distribution, customer support or other resources, longer operating histories, greater resources to make strategic acquisitions, and greater name recognition than we have. Our principal competitor is Microsoft.
Due to the flexibility and breadth of our platform, we can and often do co-exist alongside our competitors’ products within our customer base.
Principal competitive factors in our markets include flexibility, independence, product capabilities, total cost of ownership, time to value, scalability, user experience, number of pre-built integrations, customer satisfaction, global reach and ease of integration, management and use. We believe our product strategy, platform architecture, technology and independence as well as our company culture allow us to compete favorably on each of these factors.
We expect competition to increase as other established and emerging companies enter our markets, as customer requirements evolve, and as new products and technologies are introduced. We expect this to be particularly true as we are a cloud-based offering, and our competitors may also seek to acquire new offerings or repurpose their existing offerings to provide identity management solutions with subscription models. With the continuing merger and acquisition activity in the technology industry, particularly transactions involving security or identity and access management technologies, there is a greater likelihood that we will compete with other large technology companies in the future in both the workforce identity and customer identity markets.
Additional information regarding our competition is included in “Risk Factors” under Part I, Item 1A of this Annual Report on Form 10-K.
13


Human Capital Resources
Our core values—love our customers, never stop innovating, act with integrity, be transparent and empower our people—inform and guide our human capital initiatives and objectives. In order to continue to innovate and drive customer success, it is crucial that we continue to attract, develop and retain exceptional talent and balanced teams. To that end, we strive to make Okta a diverse and inclusive workplace, with opportunities for our employees to grow and develop in their careers, supported by fair and competitive compensation, benefits and wellness programs, and by initiatives that foster connections between and among our employees and their communities and a sense of belonging.
As of January 31, 2024, we had 5,908 employees, of which approximately 67% were in the United States and 33% were in our international locations. We have not experienced any work stoppages, and we consider our relations with our employees to be good. Our employee engagement program helps us understand employee sentiment on a wide range of topics throughout the employee lifecycle, providing insights that inform our decisions about company initiatives, employee programs, talent risks, management opportunities and more. In fiscal 2024, 83% of our eligible employees participated in our annual employee engagement survey.
We encourage you to review the “Diversity, Inclusion and Belonging,” “Responsibility,” “Careers” and “Okta for Good” pages of our website at www.okta.com for more detailed information regarding our human capital programs and initiatives. Additional information on our diversity, inclusion and belonging strategy, diversity metrics and programs can be found in our most recent State of Inclusion at Okta annual report located on our website at www.okta.com/state-of-inclusion-at-okta, and additional information on our compensation, benefits and wellness programs is available on our Total Rewards website at rewards.okta.com.
Builder and Owner Culture
“Build and own it” is one of our core values. Our goal is to create a shared sense of ownership in achieving our company vision where career growth, competitive rewards, and purpose empower our employees to do great work. We want every employee to feel ownership of Okta.
Diversity, Inclusion and Belonging
We strive to foster a culture of inclusion and belonging and to build a diverse workforce to drive innovation and collective growth. Our diversity, inclusion and belonging (“DIB”) initiatives—spearheaded by our DIB team and employee resource groups ("ERGs"), in partnership with various other teams—focus on DIB in our workforce, our workplace and the marketplace.
We employ inclusive recruitment and hiring practices to source talent from marginalized and underrepresented groups. Our engagement with diversity sourcing programs and partnerships allows us to both source top talent from underrepresented groups for current open roles, and further strengthen our ability to build and nurture talent communities for future roles. We also continue to recruit from a range of colleges and engage with organizations that support students and job seekers from marginalized and underrepresented groups through our social impact arm, Okta for Good.
Nurturing a culture of inclusion and belonging in our workplace is a key priority. We empower our employees to be authentic and grow through open conversations and engagement resources, including facilitated workshops that focus on precise language and inclusive calibrations, personalized DIB learning tools, mentoring and workplace development programs focused on supporting talent from underrepresented communities, and sponsorship of ERGs that strengthen our DIB culture. We currently have ERGs supporting women, people of collective cultures, veterans, the LGBTQIA+ community, neurodivergent people, and caregivers.
Growth and Development
We invest significant resources to develop talent and actively foster a learning culture where employees are empowered to drive their personal and professional growth. We provide our employees with a wide range of learning and development opportunities, including in-person, virtual, social and self-directed learning, mentoring, coaching and external development. We offer extensive onboarding and training programs through our internal learning initiative to prepare our employees at all levels for career progression and individual development. Our employee onboarding program helps our employees get off to the right start, our manager development program helps to build a solid foundation for our people managers, and our technical training program brings our new technical employees up to speed on our product offerings.
14


Compensation, Benefits and Wellness
We provide robust compensation, benefits and wellness programs that help support the varying needs of our employees. In addition to market-competitive base pay, short-term bonus incentives and long-term equity incentives, our total rewards program offers comprehensive employee benefits that may vary by country/region, including an employee stock purchase plan, a 401(k) plan in the United States with company matching contributions, comprehensive medical, dental and vision insurance, life and disability insurance, health savings accounts, charitable donation matching, flexible time off, volunteer time off, gender-neutral paid parental leave, fertility and adoption support, family care resources, mobile and internet reimbursement, mental health and lifestyle support programs and a variety of other health and wellness resources.
We are committed to fair compensation and opportunity in our workplace. We conduct regular equal pay assessments and adjust as needed to attempt to ensure our employees are paid equitably without regard to gender or ethnicity.
Hybrid and Remote Work
We help our employees succeed by providing flexibility in where and how they work. For many years, Okta has embraced a hybrid approach to enable our employees to work remotely or from one of our offices. We believe a hybrid approach can increase employee empowerment, satisfaction and productivity, drive efficiency and enable us to hire from a broader, more diverse pool of talent.
Community and Social Impact
The mission of our social impact arm, Okta for Good, is to build a safely connected world where everyone can belong and thrive. We mobilize our people, products and financial resources in service of our communities.
Our employees are passionate about many causes and Okta for Good connects them with numerous giving and volunteering opportunities in service of our communities. We believe this fosters a more meaningful, fulfilling and enjoyable workplace. In addition, through Okta for Good we donate and discount access to our service for non-profit organizations. These organizations use Okta to make their teams more efficient and secure, allowing them to focus on their important missions. We also engage in philanthropic grantmaking via the Okta for Good Fund, a donor-advised fund held at Tides Foundation. Grantmaking focus areas include:
Tech for Good;
Digital Equity; and
Climate Action.
Prior to our initial public offering ("IPO") in April 2017, we reserved 300,000 shares of our common stock to fund and support the operations of Okta for Good, of which 56,250 shares of Class A common stock remained reserved for future issuances as of January 31, 2024. Okta for Good is a part of our company and not a separate legal entity. Additional information can be found on the "Okta for Good" page of our website at www.okta.com.
Sustainability
In fiscal 2021, we launched our Environmental, Social and Governance (“ESG”) program. We established an oversight structure to provide strategic direction for our ESG program. Our ESG efforts are overseen by our executive leadership team and are reviewed by the nominating and corporate governance committee of our board of directors. Our ESG program covers issues relevant to our business under three categories: Protecting Our Customers, Investing in Our People and Supporting Our Communities.
We have set public commitments to climate targets. Our climate strategy to address emissions is currently aimed at energy consumption reduction, electrification, purchasing renewable energy and engaging with vendors to address their emissions. We have a renewable energy program, which matches our electricity consumption from our offices, our remote workforce and cloud services with renewable electricity. Additional information on our ESG programs and initiatives can be found in our “ESG Fact Sheet” on the “Responsibility” page of our website at www.okta.com.
15


Financial Information
The financial information required under this Item 1 is incorporated herein by reference to “Financial Statements and Supplementary Data” included in Part II, Item 8 of this Annual Report on Form 10-K. For financial information regarding our business, see “Management’s Discussion and Analysis of Financial Condition and Results of Operations” included in Part II, Item 7 of this Annual Report on Form 10-K and our consolidated audited financial statements and related notes included elsewhere in this Annual Report on Form 10-K.
Corporate Information
We were incorporated in 2009 as Saasure Inc., a California corporation, and were later reincorporated in 2010 under the name Okta, Inc. as a Delaware corporation. Our principal executive offices are located at 100 First Street, Suite 600, San Francisco, California 94105, and our telephone number is (888) 722-7871. Our website address is www.okta.com.
Additional Information
The following filings are available through our investor relations website after we file them with the SEC: Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and our Proxy Statement for our annual meeting of stockholders. These filings are also available for download free of charge on our investor relations website. Our investor relations website is located at investor.okta.com. The SEC also maintains an internet website that contains reports, proxy statements and other information about issuers, like us, that file electronically with the SEC. The address of that website is www.sec.gov.
We webcast our earnings calls and certain events we participate in or host with members of the investment community on our investor relations website. Supplemental financial and other information can be accessed through the Company’s investor relations website. Okta uses its investor.okta.com website and okta.com/blog websites (including the Security Blog, Okta Developer Blog and Auth0 Developer Blog) as a means of disclosing material non-public information, announcing upcoming investor conferences and for complying with its disclosure obligations under Regulation FD. Accordingly, you should monitor our investor relations and okta.com/blog websites in addition to following our press releases, SEC filings and public conference calls and webcasts. Further corporate governance information, including our corporate governance guidelines and code of conduct, is also available on our investor relations website under the heading "Corporate Governance." Information contained on, or that can be accessed through, our websites is not incorporated by reference into this Annual Report on Form 10-K or in any other report or document we file with the SEC, and any references to our websites are intended to be inactive textual references only.
Item 1A. Risk Factors
A description of the risks and uncertainties associated with our business is set forth below. You should carefully consider the risks and uncertainties described below, as well as the other information in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes and “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The occurrence of any of the events or developments described below, or of additional risks and uncertainties not presently known to us or that we currently deem immaterial, could materially and adversely affect our business, results of operations, financial condition and growth prospects. In such an event, the market price of our Class A common stock could decline, and you could lose all or part of your investment.
Risk Factor Summary
This risk factor summary contains a high-level summary of risks associated with our business. It does not contain all of the information that may be important to you, and you should read this risk factor summary together with the more detailed discussion of risks and uncertainties set forth following this summary. A summary of our risks includes, but is not limited to, the following:
Adverse general economic, market and industry conditions and reductions in workforce identity and customer identity spending have, in the past, and may, in the future, reduce demand for our products, which could harm our revenue, results of operations and cash flows.
In the past we have experienced cybersecurity incidents that allowed unauthorized access to our systems or data or our customers’ data, harmed our reputation, created additional liability and adversely impacted
16


our financial results. We may experience similar incidents in the future which may also include disabling access to our service.
We have experienced rapid growth in prior periods, and any failure to effectively manage future growth could harm our business and future prospects.
Our prior growth rates may not be indicative of our future growth. As our costs increase, we may not be able to generate sufficient revenue to achieve and, if achieved, maintain profitability.
We have a history of losses, and we expect to incur losses for the foreseeable future.
If we fail to manage our growth effectively, we may be unable to execute our business plan, maintain high levels of service and customer satisfaction or adequately address competitive challenges.
We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
If we are unable to attract new customers, sell additional products to our existing customers or develop new products and enhancements to our products that achieve market acceptance, our revenue growth and profitability will be harmed.
Our business depends on our customers renewing their subscriptions and purchasing additional licenses or subscriptions from us. Any material decline in our Dollar-Based Net Retention Rate would harm our future results of operations.
Customer growth has slowed in recent periods and could fall below expectations.
We may experience quarterly fluctuations in our results of operations due to a number of factors that make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.
If there are interruptions or performance problems associated with our technology or infrastructure, our existing customers may experience service outages, and our new customers may experience delays in the deployment of our platform.
We have, in the past, failed or been perceived to have failed to fully comply with the privacy or security provisions of our privacy policy, our contracts and/or legal or regulatory requirements, which could result in proceedings, actions or penalties against us. We may experience similar incidents in the future.
The stock price of our Class A common stock may be volatile or may decline.
The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and their affiliates, who held in the aggregate 40.4% of the voting power of our capital stock as of January 31, 2024. This will limit or preclude your ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval.
Servicing our debt may require a significant amount of cash. We may not have sufficient cash flow from our business to pay our indebtedness.
We depend on our executive officers and other key employees, and the loss of one or more of these employees or an inability to attract and retain other highly skilled employees could harm our business.
Risks Related to Our Business and Industry
Adverse general economic, market and industry conditions and reductions in workforce identity and customer identity spending have, in the past, and may, in the future, reduce demand for our products, which could harm our revenue, results of operations and cash flows.
Our revenue, results of operations and cash flows depend on the overall demand for our products. Concerns about the inflation and interest rate environment, the instability of financial institutions, health epidemics, the systemic impact of a widespread recession (in the United States or internationally), energy costs, geopolitical
17


issues, such as Russia’s invasion of Ukraine, or the availability and cost of credit have and could continue to lead to increased market volatility, decreased consumer confidence and diminished growth expectations in the U.S. economy and abroad, which in turn could result in reductions in workforce identity and customer identity spending by our existing and prospective customers. These economic conditions can occur abruptly. Prolonged economic slowdowns may result in customers requesting us to renegotiate existing contracts on less advantageous terms to us than those currently in place or defaulting on payments due on existing contracts or not renewing at the end of the contract term. For example, rising interest rates in the United States have begun to affect businesses across many industries, including ours, by increasing the costs of labor, employee healthcare and other components, which may further constrain our, our customers’ and prospective customers’ budgets. To the extent there is a sustained general economic downturn, and our platforms and services are perceived by customers or potential customers as costly, or too difficult to deploy or migrate to, our revenue may be disproportionately affected by delays or reductions in spending.
Our customers may merge with other entities who use alternative identity solutions and, during weak economic times, there is an increased risk that one or more of our customers will file for bankruptcy protection, either of which may harm our revenue, profitability and results of operations. We also face risk from international customers that file for bankruptcy protection in foreign jurisdictions, particularly given that the application of foreign bankruptcy laws may be more difficult to predict. In addition, we may determine that the cost of pursuing any claim may outweigh the recovery potential of such claim. As a result, if economic growth in countries where we do business slows or if such countries experience further economic recession, it could harm our business, revenue, results of operations and cash flows.
We have experienced rapid growth in prior periods, and any failure to effectively manage future growth could harm our business and future prospects.
We have experienced rapid growth since our founding in 2009. As we continue efforts to expand our business globally, we have faced new macroeconomic conditions, as well as operational and organizational challenges, that make it difficult to forecast our revenue and evaluate our business and future prospects. We have encountered and will continue to encounter risks and uncertainties that growing companies frequently experience in rapidly changing industries and macroeconomic environments, including the risks and uncertainties described in this document. Additionally, the sales cycle for the evaluation and implementation of our platform, which typically extends for multiple months for enterprise deals, may also cause us to experience a delay between increasing operating expenses and the generation of corresponding revenue, if any. Accordingly, we may be unable to prepare accurate internal financial forecasts or replace anticipated revenue that we do not receive as a result of delays arising from these factors, and our results of operations in future reporting periods may be below the expectations of investors. If we do not address these risks successfully, our results of operations could differ materially from our estimates and forecasts or the expectations of investors, causing our business to suffer and our stock price to decline.
Our prior growth rates may not be indicative of our future growth. As our costs increase, we may not be able to generate sufficient revenue to achieve and, if achieved, maintain profitability.
From fiscal 2022 to fiscal 2023, our revenue grew from $1,300 million to $1,858 million, an increase of 43%, and from fiscal 2023 to fiscal 2024, our revenue grew from $1,858 million to $2,263 million, an increase of 22%. In future periods, we may not be able to sustain revenue growth consistent with recent history, or at all. We believe our revenue growth depends on a number of factors, such as macroeconomic conditions including the inflation and interest rate environment and budget constraints, as well as, but not limited to, our ability to:
price our platform effectively so that we are able to attract and retain customers without compromising our profitability;
attract new customers, successfully deploy and implement our platform, upsell or otherwise increase our existing customers’ use of our platform, obtain customer renewals and provide our customers with excellent customer support;
increase our network of channel partners;
adequately expand our sales force, and maintain or increase our sales force’s productivity;
protect against security breaches of, technical difficulties with, or interruptions to, the delivery and use of our platform and products, and any negative market perception or customer reactions related to, or arising from the disclosure of, such breaches, difficulties or interruptions;
18


successfully identify and enter into agreements with suitable acquisition targets, integrate any acquisitions and integrate acquired technologies into our existing products or use them to develop new products;
successfully introduce new products, enhance existing products and address new use cases;
introduce our platform to new markets outside of the United States;
successfully compete against larger companies and new market entrants; and
increase awareness of our brand on a global basis.
If we are unable to accomplish any of these tasks, our revenue growth will be harmed. We also expect our operating expenses to increase in future periods, and if our revenue growth does not increase to offset these anticipated increases in our operating expenses, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability.
We have a history of losses, and we expect to incur losses for the foreseeable future.
We have incurred significant net losses in each year since our inception, including net losses of $848 million, $815 million and $355 million in fiscal 2022, 2023 and 2024, respectively. We expect to continue to incur net losses for the foreseeable future. We expect our operating expenses to significantly increase over the next several years as we hire additional personnel, particularly in sales and marketing, expand and improve the effectiveness of our distribution channels, expand our operations and infrastructure, both domestically and internationally, pursue business combinations and continue to develop our platform. If our revenue does not increase to offset these increases in our operating expenses, we will not be profitable in future periods. While historically, our total revenue has grown, not all components of our total revenue have grown consistently. Further, in future periods, our revenue growth could slow or our revenue could decline for a number of reasons, including slowing demand for our software, increasing competition, any failure to gain or retain channel partners, a decrease in the growth of our overall market, or our failure, for any reason, to continue to capitalize on growth opportunities. As a result, our past financial performance should not be considered indicative of our future performance. Any failure by us to achieve or sustain profitability on a consistent basis could cause the value of our common stock to decline.
If we fail to manage our growth effectively, we may be unable to execute our business plan, maintain high levels of service and customer satisfaction or adequately address competitive challenges.
We have experienced, and may continue to experience, rapid growth and organizational change, which has placed, and may continue to place, significant demands on our management and our operational and financial resources. For example, our headcount has grown from 5,030 employees as of January 31, 2022 to 5,908 employees as of January 31, 2024. In order to manage our growth and better align our organizational structure and resources with our business priorities, we may undertake restructuring plans from time to time. For example, during the first quarter of each of fiscal 2024 and fiscal 2025, we announced separate world-wide restructuring plans intended to reduce operating expenses and improve profitability that involved a reduction of our workforce by approximately 300 and 400 full-time employees, respectively. We may encounter challenges in the execution of these restructuring efforts, such as adverse impacts on employee morale or attrition beyond the intended reductions, and these challenges could impact our ability to execute on our business initiatives, which could cause our restructuring efforts to not be as effective as anticipated and harm our financial results.
We have also experienced significant growth in the number of customers, users and logins and in the amount of data that our SaaS infrastructure supports. Finally, our organizational structure is becoming more complex as we improve our operational, financial and management controls as well as our reporting systems and procedures. We will require significant capital expenditures and the allocation of valuable management resources to grow and change in these areas without undermining our culture of rapid innovation, teamwork and attention to customer success, which has been central to our growth so far. If we fail to manage our anticipated growth and change in a manner that preserves the key aspects of our corporate culture, the quality of our platform may suffer, which could negatively affect our brand and reputation and harm our ability to retain and attract customers and employees.
We have established international offices in the Americas, Asia-Pacific and Europe, and we plan to continue to expand our international operations in the future. Our expansion has placed, and our expected future growth will continue to place, a significant strain on our managerial, customer operations, research and development, marketing and sales, administrative, financial and other resources. If we are unable to manage our continued growth successfully, our business and results of operations could suffer.
19


In addition, as we expand our business, it is important that we continue to maintain a high level of customer service and satisfaction. As our customer base continues to grow, we will need to expand our account management, customer service and other personnel, and our network of independent software vendors (“ISVs”), system integrators and other channel partners, to provide personalized account management and customer service. If we are not able to continue to provide high levels of customer service, our reputation, as well as our business, results of operations and financial condition, could be harmed.
We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
The markets for our products are rapidly evolving, highly competitive and subject to shifting customer needs and frequent introductions of new technologies. As the markets in which we operate continue to mature and new technologies and competitors enter such markets, we expect competition to intensify. Our competitor categories include, but are not limited to:

Authentication providers;
Access and lifecycle management providers;
Multi-factor authentication providers;
Infrastructure-as-a-service providers;
Other customer identity and access management providers; and
Solutions developed in-house by our potential customers.
We compete with both cloud-based and on-premise enterprise application software providers. Our competitors vary in size and in the breadth and scope of the products and services offered. However, many of our competitors have substantial competitive advantages such as significantly greater financial, technical, sales and marketing, distribution, customer support or other resources, larger intellectual property portfolios, longer operating histories, greater resources to make strategic acquisitions and greater name recognition than we do. Our principal competitor is Microsoft.
With the continuing merger and acquisition activity in the technology industry, particularly transactions involving security or identity and access management technologies, there is a greater likelihood that we will compete with other large technology companies in the future in both the workforce identity and customer identity markets.
In addition, some of our larger competitors have substantially broader product offerings and leverage their relationships based on other products or incorporate functionality into existing products to gain business in a manner that discourages users from purchasing our products, including through selling at zero or negative margins, product bundling or closed technology platforms. Potential customers may also prefer to purchase from their existing suppliers rather than a new supplier regardless of product performance or features. These larger competitors often have broader product lines and market focus and as a result are not as susceptible to downturns in a particular market. Our competitors may also seek to acquire new offerings or repurpose their existing offerings to provide identity solutions with subscription models. Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering by our competitors or continuing market consolidation. New start-up companies that innovate and large competitors that are making significant investments in research and development may invent similar or superior products and technologies that compete with our products. In addition, some of our competitors may enter into new alliances with each other or may establish or strengthen cooperative relationships with systems integrators, third-party consulting firms or other parties. Any such consolidation, acquisition, alliance or cooperative relationship could lead to pricing pressure and our loss of market share and could result in a competitor with greater financial, technical, marketing, service and other resources, all of which could harm our ability to compete. Furthermore, organizations may be more willing to incrementally add solutions to their existing infrastructure from competitors than to replace their existing infrastructure with our products. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margins, increased net losses, and loss of market share. Any failure to meet and address these factors could harm our business, results of operations and financial condition.
20


If we are unable to attract new customers, sell additional products to our existing customers or develop new products and enhancements to our products that achieve market acceptance, our revenue growth and profitability will be harmed.
To increase our revenue and achieve and maintain profitability, we must add new customers or sell additional products to our existing customers. Numerous factors, however, may impede our ability to add new customers and sell additional products to our existing customers, including our failure to convert new organizations into paying customers, failure to attract, effectively train, retain and motivate sales and marketing personnel, failure to develop or expand relationships with channel partners, failure to successfully deploy products for new customers and provide quality customer support, failure to ensure the effectiveness of our marketing programs, or any negative market perception stemming from past or future security breaches. In addition, if prospective customers do not perceive our platform to be of sufficiently high value and quality, we will not be able to attract the number and types of new customers that we are seeking.

In addition, our ability to attract new customers and increase revenue from existing customers depends in large part on our ability to enhance and improve our existing products and to introduce compelling new products that reflect the changing nature of our markets. The success of any enhancement to our products depends on several factors, including timely completion and delivery, competitive pricing, adequate quality testing, integration with existing technologies and our platform and overall market acceptance. If we are unable to successfully develop new products, enhance our existing products to meet customer requirements, or otherwise gain market acceptance, our business, results of operations and financial condition would be harmed.
Further, to grow our business, we must convince developers to adopt and build their applications using our APIs and products. We believe that these developer-built applications facilitate greater usage and customization of our products. If these developers stop developing on or supporting our platform, we will lose the benefit of network effects that have contributed to the growth in our number of customers, and our business (including the performance levels of our products), results of operations and financial condition could be harmed.
Our business depends on our customers renewing their subscriptions and purchasing additional licenses or subscriptions from us. Any material decline in our Dollar-Based Net Retention Rate would harm our future results of operations.
To continue to grow our business, it is important that our customers renew their subscriptions when existing contract terms expire and that we expand our commercial relationships with our existing customers. Our customers have no obligation to renew their subscriptions, and our customers may decide not to renew their subscriptions with a similar contract period, at the same prices and terms or with the same or a greater number of users. We have experienced significant growth in the number of users of our platform, but we do not know whether we will continue to achieve similar user growth rates in the future. In the past, some of our customers have elected not to renew their agreements with us, and it is difficult to accurately predict long-term customer retention and expansion rates. Our customer retention and expansion has, in the past, and may, in the future, decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our products, our product support, our prices and pricing plans, particularly in light of macroeconomic conditions, the inflation and interest rate environment and increased costs, the prices of competing software products, reductions in our customers’ spending levels, user adoption of our platform, deployment success, negative sentiment stemming from cybersecurity incidents, utilization rates by our customers, new product releases and changes to the packaging of our product offerings. If our customers do not purchase additional subscriptions or renew their subscriptions, renew on less favorable terms or fail to add more users, our revenue may decline or grow less quickly than anticipated, which would harm our future results of operations. Furthermore, if our contractual subscription terms were to shorten it could lead to increased volatility of, and diminished visibility into, future recurring revenue. If our sales of new or recurring subscriptions and software-related support service contracts decline from existing customers, our revenue and revenue growth may decline, and our business will suffer.
Customer growth has slowed in recent periods and could fall below expectations.
We have experienced significant growth in the number of our customers since our founding, but this growth has slowed in recent periods. As we increase our focus on sales to the world’s largest organizations, we do not expect customer growth to continue at the same pace as it has previously. This could cause customer growth to fall below analyst or investor expectations. If we fail to meet or exceed such expectations for this or any other reason, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.
21


We may experience quarterly fluctuations in our results of operations due to a number of factors that make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.
Our quarterly results of operations fluctuate from quarter to quarter as a result of a number of factors, many of which are outside of our control and may be difficult to predict, including, but not limited to:
the level of demand for our platform;
our ability to attract new customers, obtain renewals from existing customers and upsell or otherwise increase our existing customers’ use of our platform;
the timing and success of new product introductions by us or our competitors or any other change in the competitive landscape of our market;
security breaches of, technical difficulties with, or interruptions to, the delivery and use of our platform and products, and any negative market perception or customer reactions related to, or arising from the disclosure of, such breaches, difficulties or interruptions;
pricing pressure as a result of competition, the inflation and interest rate environment and increased costs;
seasonal buying patterns for IT spending;
the mix of revenue attributable to larger transactions as opposed to smaller transactions, and the associated volatility and timing of our transactions;
changes in remaining performance obligations (“RPO”) due to seasonality, the timing of and compounding effects of renewals, invoice duration, size and timing, new business linearity between quarters and within a quarter, average contract term or fluctuations due to foreign currency movements, all of which may impact implied growth rates;
errors in our forecasting of the demand for our products, which could lead to lower revenue, increased costs or both;
increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;
our ability to comply with privacy laws and requirements;
costs related to the acquisition of businesses, talent, technologies or intellectual property, including potentially significant amortization costs and possible write-downs;
credit or other difficulties confronting our channel partners;
adverse litigation judgments, settlements of litigation and other disputes or other litigation-related or dispute-related costs;
the impact of new accounting pronouncements and associated system implementations;
changes in the legislative or regulatory environment;
fluctuations in foreign currency exchange rates;
expenses related to real estate, including our office leases, and other fixed expenses;
health epidemics, such as COVID-19, influenza and other highly communicable diseases or viruses; and
general economic conditions in either domestic or international markets, including the inflation and interest rate environment, geopolitical uncertainty and instability.
Any one or more of the factors above may result in significant fluctuations in our results of operations. You should not rely on our past results as an indicator of our future performance.
The variability and unpredictability of our quarterly results of operations or other operating metrics could result in our failure to meet our expectations or those of analysts that cover us or investors with respect to revenue or
22


other metrics for a particular period. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.
Our ability to introduce new products and features is dependent on adequate research and development resources and our ability to successfully complete acquisitions. If we do not adequately fund our research and development efforts or complete acquisitions successfully, we may not be able to compete effectively and our business and results of operations may be harmed.
To remain competitive, we must continue to develop new products, applications and enhancements to our existing platform. This is particularly true as we further expand and diversify our capabilities. Maintaining adequate research and development resources, such as the appropriate personnel and development technology, to meet the demands of the market is essential. If we elect not to or are unable to develop products internally, we may choose to expand into a certain market or strategy via an acquisition for which we could potentially pay too much or fail to successfully integrate into our operations. Further, many of our competitors expend a considerably greater amount of funds on their respective research and development programs, and those that do not may be acquired by larger companies that could allocate greater resources to our competitors’ research and development programs. Our failure to maintain adequate research and development resources or to compete effectively with the research and development programs of our competitors would give an advantage to such competitors and may harm our business, results of operations and financial condition.
Even if we maintain adequate research and development resources, we may be unable to monetize newly developed products or features such that we can recoup our research and development expenditures. For example, if we develop a new product feature but our competitors give an equivalent feature away for free, we may need to also include our newly developed feature for free as part of an existing product offering to remain competitive in the marketplace. Such a loss of anticipated revenue to offset our research and development expenditures may harm our business, results of operations and financial condition.
Future acquisitions, investments, partnerships or alliances could be difficult to identify and integrate, divert the attention of management personnel, disrupt our business, dilute stockholder value and harm our results of operations and financial condition.
We have in the past acquired, and we may in the future seek to acquire or invest in, businesses, products, teams or technologies that we believe could complement or expand our current platform, enhance our technical capabilities or otherwise offer growth opportunities. The pursuit of potential acquisitions may divert the attention of management and cause us to incur various expenses in identifying, investigating and pursuing suitable acquisitions, whether or not they are consummated. In addition, we have limited experience in acquiring other businesses. If we acquire additional businesses, we may not be able to successfully integrate and retain the acquired personnel, integrate the acquired operations and technologies, and adequately test and assimilate the internal control processes of the acquired business in accordance with the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley Act”), or effectively manage the combined business following the acquisition. For example, we have experienced aspects of such challenges in connection with our May 2021 acquisition of Auth0.
We may not be able to find and identify desirable acquisition targets or we may not be successful in entering into an agreement with any particular target. Acquisitions could also result in dilutive issuances of equity securities, use of our available cash or the incurrence of debt, or in adverse tax consequences or unfavorable accounting treatment, which could harm our results of operations.
In addition, from time to time we invest in private growth stage companies for strategic reasons and to support key business initiatives, and we may not realize a return on these investments. All of our venture investments are subject to a risk of partial or total loss of investment capital.
Acquisitions and strategic transactions involve numerous risks, including:
delays or reductions in customer purchases for both us and the acquired business;
disruption of partner and customer relationships;
potential loss of key employees of the acquired company;
claims by and disputes with the acquired company’s employees, customers, stockholders or third parties;
23


unknown liabilities or risks associated with the acquired business, product or technology, such as contractual obligations, potential security vulnerabilities of the acquired company and its products and services, potential intellectual property infringement, costs arising from the acquired company’s failure to comply with legal or regulatory requirements and litigation matters;
acquired technologies or products may not comply with legal or regulatory requirements and may require us to make additional investments to make them compliant;
acquired technologies or products may not be able to provide the same support service levels that we generally offer with our other products;
acquired businesses, technologies or products could be viewed unfavorably by our partners, our customers, our stockholders or securities analysts;
unforeseen integration or other expenses; and
future impairment of goodwill or other acquired intangible assets.
In addition, if an acquired business fails to meet our expectations, our business, results of operations and financial condition could suffer.
Because our long-term success depends, in part, on our ability to expand the sales of our products to customers located outside of the United States, our business will be susceptible to risks associated with international operations.
We currently have sales personnel outside the United States and maintain offices outside the United States in the Americas, Asia-Pacific and Europe, and we plan to continue to expand our international operations.

Our international revenue was 22% and 21% of our total revenue in fiscal 2023 and fiscal 2024, respectively. Any international expansion efforts that we may undertake may not be successful. In addition, conducting international operations subjects us to new risks, some of which we have not generally faced in the United States. These risks include, among other things:
macroeconomic conditions, including the inflation and interest rate environment;
unexpected costs and errors in the localization of our products, including translation into foreign languages and adaptation for local practices and regulatory requirements;
lack of familiarity and burdens of complying with foreign laws, legal standards, privacy standards, regulatory requirements, tariffs and other barriers;
laws and business practices favoring local competitors or commercial parties;
costs and liabilities related to compliance with the numerous and ever-growing landscape of U.S. and international data privacy and cybersecurity regimes, many of which involve disparate standards and enforcement approaches, to address cross-border data flows;
greater risk that our foreign employees or partners will fail to comply with U.S. and foreign laws;
practical difficulties of enforcing intellectual property rights in countries with fluctuating laws and standards and reduced or varied protection for intellectual property rights in some countries;
restrictive governmental actions focusing on cross-border trade, including taxes, trade laws, tariffs, import and export restrictions or quotas, barriers, sanctions, custom duties or other trade restrictions;
unexpected changes in legal and regulatory requirements;
difficulties in managing systems integrators and technology partners;
differing technology standards;
longer accounts receivable payment cycles and difficulties in collecting accounts receivable;
24


difficulties in managing and staffing international operations and differing employer/employee relationships and local employment laws;
political, economic and social instability, war, terrorist activities or armed conflict, including Russia's invasion of Ukraine;
global economic uncertainty caused by global political events;
health epidemics, such as COVID-19, influenza and other highly communicable diseases or viruses;
fluctuations in exchange rates that may increase the volatility of our foreign-based revenue and expense; and
potentially adverse tax consequences, including the complexities of foreign value added tax (or other tax) systems and restrictions on the repatriation of earnings.
Additionally, operating in international markets also requires significant management attention and financial resources. We cannot be certain that the investment and additional resources required in establishing operations in other countries will produce desired levels of revenue or profitability.
We have not engaged in currency hedging activities to limit risk of exchange rate fluctuations. Changes in exchange rates affect our costs and earnings, and may also affect the book value of our assets located outside the United States and the amount of our stockholders’ equity.
If we invest substantial time and resources to expand our international operations and are unable to do so successfully and in a timely manner, our business and results of operations will suffer.
If we fail to adapt to rapid technological change, our ability to remain competitive could be impaired.
The industry in which we compete is characterized by rapid technological change, frequent introductions of new products and evolving industry standards. Our ability to attract new customers and increase revenue from existing customers will depend in significant part on our ability to anticipate industry standards and trends and continue to enhance existing products or introduce or acquire new products on a timely basis to keep pace with technological developments. The success of any enhancement or new product depends on several factors, including the timely completion and market acceptance of the enhancement or new product. Any new product we develop or acquire might not be introduced in a timely or cost-effective manner and might not achieve the broad market acceptance necessary to generate significant revenue. If any of our competitors implements new technologies before we are able to implement them, those competitors may be able to provide more effective products than ours at lower prices. Any delay or failure in the introduction of new or enhanced products could harm our business, results of operations and financial condition.
Our financial results may fluctuate due to increasing variability in our sales cycles.
We plan our expenses based on certain assumptions about the length and variability of our sales cycle. These assumptions are based upon historical trends for sales cycles and conversion rates associated with our existing customers. As we continue to focus on sales to larger organizations and in light of the current macroeconomic environment, our sales cycles are lengthening in certain circumstances and becoming less predictable, which may harm our financial results. Other factors that may influence the length and variability of our sales cycle include, among other things:
the need to raise awareness about the uses and benefits of our platform, including our customer identity products;
the need to allay privacy, regulatory and security concerns;
the discretionary nature of purchasing and budget cycles and decisions;
the competitive nature of evaluation and purchasing processes;
announcements or planned introductions of new products, features or functionality by us or our competitors; and
often lengthy purchasing approval processes.
25


Our increasing focus on sales to larger organizations may further increase the variability of our financial results. If we are unable to close one or more of such expected significant transactions in a particular period, or if such an expected transaction is delayed until a subsequent period, our results of operations for that period, and for any future periods in which revenue from such transaction would otherwise have been recognized, may be harmed.
Our growth depends, in part, on the success of our strategic relationships with third parties.
To grow our business, we anticipate that we will continue to depend on relationships with third parties, such as channel partners. Identifying partners, and negotiating and documenting relationships with them, requires significant time and resources. Our competitors may be effective in causing third parties to favor their products or services over subscriptions to our platform. In addition, acquisitions of such partners by our competitors could result in a decrease in the number of our current and potential customers, as these partners may no longer facilitate the adoption of our applications by potential customers. Further, some of our partners are or may become competitive with certain of our products and may elect to no longer integrate with our platform. If we are unsuccessful in establishing or maintaining our relationships with third parties, our ability to compete in the marketplace or to grow our revenue could be impaired, and our results of operations may suffer. Even if we are successful, we cannot ensure that these relationships will result in increased customer usage of our applications or increased revenue.
Failure to effectively develop and expand our marketing and sales capabilities could harm our ability to increase our customer base and achieve broader market acceptance of our products.
Our ability to increase our customer base and achieve broader market acceptance of our products will depend to a significant extent on our ability to expand our marketing and sales operations. We plan to continue expanding our direct sales force and engaging additional channel partners, both domestically and internationally. This expansion will require us to invest significant financial and other resources. Our business will be harmed if our efforts do not generate a corresponding increase in revenue. We may not achieve anticipated revenue growth from expanding our direct sales force if we are unable to hire and develop talented direct sales personnel, if our new direct sales personnel are unable to achieve desired productivity levels in a reasonable period of time or if we are unable to retain our existing direct sales personnel. We also may not achieve anticipated revenue growth from our channel partners if we are unable to attract and retain additional motivated channel partners, if any existing or future channel partners fail to successfully market, resell, implement or support our products for their customers, or if they represent multiple providers and devote greater resources to market, resell, implement and support the products and solutions of these other providers. For example, some of our channel partners also sell or provide integration and administration services for our competitors’ products, and if such channel partners devote greater resources to marketing, reselling and supporting competing products, this could harm our business, results of operations and financial condition.
Various factors may cause our product implementations to be delayed, inefficient or otherwise unsuccessful.
Our business depends upon the successful implementation of our products by our customers. Increasingly, we, as well as our customers, rely on our network of partners to deliver implementation services, and there may not be enough qualified implementation partners available to meet customer demand. Various factors may cause implementations to be delayed, inefficient or otherwise unsuccessful. For example, changes in the functional requirements of our customers, delays in timeline, or deviation from recommended best practices may occur during the course of an implementation project. As a result of these and other risks, we or our customers may incur significant implementation costs in connection with the purchase, implementation and enablement of our products. Some customer implementations may take longer than planned or fail to meet our customers’ expectations, which may delay our ability to sell additional products or result in customers canceling or failing to renew their subscriptions before our products have been fully implemented. Unsuccessful, lengthy, or costly customer implementation and integration projects could result in claims from customers, harm to our reputation, and opportunities for competitors to displace our products, each of which could have an adverse effect on our business and results of operations.
A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
A portion of our sales are to partners that resell our services to government agencies, and we have made, and plan to continue to make, investments to support future sales opportunities in the government sector. The sale of our services to government agencies is tied to budget cycles, and there are government requirements and authorizations that we may be required to meet. Further, we may be subject to audits and investigations regarding
26


our role as a subcontractor in government contracts, and violations could result in penalties and sanctions, including contract termination, refunding or forfeiting payments, fines, and suspension or debarment from future government business. Selling to these entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense. Government entities often require contract terms that differ from our standard arrangements and impose additional compliance requirements, require increased attention to pricing practices, or are otherwise time consuming and expensive to satisfy. For example, some of our government entity customers contract with us on the basis of our authorization under FedRAMP, which has, in the past, and may, in the future, require us to undertake additional actions and expense to ensure compliance. Government entities may also have statutory, contractual or other legal rights to terminate contracts with our partners for convenience, for lack of funding or due to a default, and any such termination may adversely impact our future results of operations. If we represent that we meet certain standards, authorizations (such as FedRAMP) or requirements and do not meet them, or if such authorizations are suspended or revoked, we could be subject to increased liability from our customers, investigation by regulators or termination rights. Even if we do meet them, the additional costs associated with providing our service to government entities could harm our margins. Moreover, changes in underlying regulatory requirements could be an impediment to our ability to efficiently provide our service to government customers and to grow or maintain our customer base. Any of these risks related to contracting with government entities could adversely impact our future sales and results of operations, or make them more difficult to predict.
If we fail to enhance our brand cost-effectively, our ability to expand our customer base will be impaired and our business, results of operations and financial condition may suffer.
We believe that developing and maintaining awareness of our brand in a cost-effective manner is critical to achieving widespread acceptance of our existing and future products and is an important element in attracting new customers. Furthermore, we believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts and on our ability to provide reliable and useful products at competitive prices. In the past, our efforts to build our brand have involved significant expenses and have not always attracted a sufficient number of new customers to be cost-effective. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, or incur substantial expenses in an unsuccessful attempt to promote and maintain our brand, we may fail to attract new customers or retain our existing customers to the extent necessary to realize a sufficient return on our brand-building efforts, and our business, results of operations and financial condition could suffer.
We may not set optimal prices for our products.
In the past, we have at times adjusted our prices either for individual customers in connection with long-term agreements or for a particular product. We expect that we may need to change our pricing in future periods and potentially in response to the inflation and interest rate environment and increased costs. Further, as competitors introduce new products that compete with ours or reduce their prices, we may be unable to attract new customers or retain existing customers based on our historical pricing. As we expand internationally, we also must determine the appropriate price to enable us to compete effectively internationally. In addition, if our mix of products sold changes, then we may need to, or choose to, revise our pricing. As a result, we may be required or choose to reduce our prices or change our pricing model, which could harm our business, results of operations and financial condition.
Our failure to raise additional capital or generate cash flows necessary to expand our operations and invest in new technologies in the future could reduce our ability to compete successfully and harm our results of operations.
We may need to raise additional funds, and we may not be able to obtain additional debt or equity financing on favorable terms, if at all. If we raise additional equity or convertible debt financing, our security holders may experience significant dilution of their ownership interests. If we engage in additional debt financing, we may be required to accept terms that restrict our ability to incur additional indebtedness, force us to maintain specified liquidity or other ratios or restrict our ability to pay dividends or make acquisitions. If we need additional capital and cannot raise it on acceptable terms, or at all, we may not be able to, among other things:
develop and enhance our products;
continue to expand our product development, sales and marketing organizations;
27


hire, train and retain employees;
respond to competitive pressures or unanticipated working capital requirements; or
pursue acquisition opportunities.
Our inability to do any of the foregoing could reduce our ability to compete successfully and harm our business, results of operations and financial condition.
We may be subject to liability claims if we breach our contracts and our insurance may be inadequate to cover our losses.
We are subject to numerous obligations in our contracts with our customers and partners. Despite the procedures, systems and internal controls we have implemented to comply with our contracts, we may breach these commitments, whether through a weakness in these procedures, systems and internal controls, negligence or the willful act of an employee or contractor. Our insurance policies, including our errors and omissions insurance, may be inadequate to compensate us for the potentially significant losses that may result from claims arising from breaches of our contracts, disruptions in our service, including those caused by cybersecurity incidents, failures or disruptions to our infrastructure, catastrophic events and disasters or otherwise. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all. Further, our insurance may not cover all claims made against us and defending a suit, regardless of its merit, could be costly and divert management’s attention.
Increased and complex scrutiny of environmental, social and governance (“ESG”) matters may require us to incur additional costs or otherwise adversely impact our business.
Increased attention to climate change; diversity, equity and inclusion; and other ESG issues, as well as societal expectations regarding voluntary ESG initiatives and disclosures, may result in increased costs (including but not limited to increased costs related to compliance, stakeholder engagement and contracting), impact our reputation, or otherwise affect our business performance. In addition, organizations that provide information to investors on corporate governance and related matters have developed ratings processes for evaluating companies on ESG matters. Such ratings are used by some investors to inform their investment or voting decisions. Unfavorable ESG ratings could lead to negative investor sentiment toward us and/or our industry, which could have a negative impact on our access to and costs of capital. To the extent ESG matters negatively impact our reputation, we may also not be able to compete as effectively to recruit or retain employees. We may take certain actions, including the establishment of ESG-related goals or targets, to improve our ESG profile and/or respond to stakeholder demand; however, such actions may be costly or be subject to numerous conditions that are outside our control, and we cannot guarantee that such actions will have the desired effect.

Moreover, while we may create and publish voluntary disclosures regarding ESG matters from time to time, many of the statements in those voluntary disclosures are based on hypothetical expectations and assumptions that may or may not be representative of current or actual risks or events or forecasts of expected risks or events, including the costs associated therewith. Such expectations and assumptions are necessarily uncertain and may be prone to error or subject to misinterpretation given the long timelines involved and the lack of an established single approach to identifying, measuring and reporting on many ESG matters. Such disclosures may also be at least partially reliant on third-party information that we have not independently verified or cannot be independently verified. In addition, we expect there will likely be increasing levels of regulation, disclosure-related and otherwise, with respect to ESG matters, and increased regulation will likely lead to increased compliance costs as well as scrutiny that could heighten all of the risks identified in this risk factor. Such ESG matters may also impact our customers, which may adversely impact our business, financial condition, or results of operations.
Risks Related to Intellectual Property, Infrastructure Technology, Data Privacy and Security
If there are interruptions or performance problems associated with our technology or infrastructure, our existing customers may experience service outages, and our new customers may experience delays in the deployment of our platform.
Our continued growth depends, in part, on the ability of our existing and potential customers to access our platform 24 hours a day, seven days a week, without interruption or degradation of performance. We have, in the past, and may, in the future, experience disruptions, data loss or corruption, outages and other performance problems with our infrastructure or service due to a variety of factors. These factors include, for example,
28


infrastructure and functionality changes, human or software errors, capacity constraints, ransomware attacks that encrypt our data and render it inaccessible or security-related incidents. In some instances, we may not be able to identify the cause or causes of these performance problems immediately, and it could take months, or even years, for such problems to become pronounced enough for us to detect or for our customers to detect and inform us. We may not be able to maintain the level of service uptime and performance required by our customers, especially during peak usage times and as our products become more complex and our user traffic increases. If our platform is unavailable or if our customers are unable to access our products or deploy them within a reasonable amount of time, or at all, our business would be harmed. Since our customers rely on our service to access and complete their work, any outage on our platform would impair the ability of our customers to perform their work, which would negatively impact our brand, reputation and customer satisfaction. Moreover, we depend on services from various third parties to maintain our infrastructure and distribute our products via the internet. If a service provider fails to provide sufficient capacity to support our platform or otherwise experiences service outages, including intentionally blocking our internet traffic or all internet traffic, for example at the request of a national government intending to isolate its country’s network, such failure could interrupt our customers’ access to our service, which could adversely affect their perception of our platform's reliability and our revenues. Any disruptions in these services, including as a result of actions outside of our control, would significantly impact the continued performance of our products. In the future, these services may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of these services could result in decreased functionality of our products until equivalent technology is either developed by us or, if available from another provider, is identified, obtained and integrated into our infrastructure. If we do not accurately predict our infrastructure capacity requirements, our customers could experience service shortfalls. We may also be unable to effectively address capacity constraints, upgrade our systems as needed, and continually develop our technology and network architecture to accommodate actual and anticipated changes in technology.
Any of the above circumstances or events may harm our reputation, cause customers to terminate their agreements with us, impair our ability to obtain subscription renewals from existing customers, impair our ability to grow our customer base, result in the expenditure of significant financial, technical and engineering resources, subject us to financial penalties and liabilities under our service level agreements, and otherwise harm our business, results of operations and financial condition.
In the past we have experienced cybersecurity incidents that allowed unauthorized access to our systems or data or our customers’ data, harmed our reputation, created additional liability and adversely impacted our financial results. We may experience similar incidents in the future which may also include disabling access to our service.
Increasingly, companies, including Okta, are subject to a wide variety of attacks on their systems and networks on an ongoing basis. In addition to threats from traditional computer “hackers,” malicious code (such as malware, viruses, worms and ransomware), employee or contractor theft or misuse, password spraying, phishing and denial-of-service attacks, we and our third-party service providers now also face threats from sophisticated nation-state actors and organized crime groups who engage in attacks (including advanced persistent threat intrusions) that add to the risks to our systems (including those hosted on AWS’ or other cloud services providers’ systems), internal networks, our customers’ systems and the information that we and they store and process. For example, like other companies, we have experienced an increase in cybersecurity attacks and have had to expend increasing amounts of human and financial capital to respond. We expect that these cybersecurity attacks will continue and that the scope and sophistication of these efforts will increase in future periods. Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks. As a well-known provider of identity and security solutions that form a part of our customers’ security software supply chain, we pose an attractive target for such attacks. The security measures we have integrated into our internal systems and platform, which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected and have not in the past been, and may not in the future be, sufficient to protect our internal networks and platform against certain attacks. In addition, techniques used to sabotage or to obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently, become more complex over time and generally are not recognized until launched against a target. As a result, we and our third-party service providers have in the past been, and may in the future be, unable to anticipate these techniques or implement adequate preventative measures quickly enough to prevent either an electronic intrusion into our systems or services or a compromise of customer data, employee data or other protected information.
Our customers’ use of Okta to access business systems and store data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platform, which stores, transmits and
29


processes customers’ proprietary information and users’ personal data. Okta has experienced and likely will in the future experience attacks targeting such customer data. When such breaches occur, as a result of third-party action, technology limitations, employee or contractor error, malfeasance or otherwise, and if the confidentiality, integrity or availability of our customers’ data or systems is disrupted, we could incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers, and our platform may be perceived as less desirable, which could negatively affect our business and damage our reputation. Techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and generally are not recognized until launched against a target. As a result, we, our third-party service providers and our customers have not in the past been, and may not in the future be, able to anticipate these techniques or to implement adequate preventive measures. Further, because we do not control our third-party service providers, or the processing of data by our third-party service providers, we cannot ensure the integrity or security of measures they take to protect customer information and prevent data loss.
In addition, security breaches impacting our platform have in certain cases resulted in and could in the future result in a risk of loss or unauthorized disclosure or theft of this information, or the denial of access to this information, which, in turn, could lead to enforcement actions, litigation, regulatory or governmental audits, investigations and possible liability, and increased requests by individuals regarding their personal data. Security breaches could also damage our relationships with and ability to attract customers and partners, and trigger service availability, indemnification and other contractual obligations. For example, our customers have in the past published public criticisms of our security practices in connection with security incidents, and these postings harm our reputation and brand. Security incidents may also cause us to incur significant investigation, mitigation, remediation, notification and other expenses. Furthermore, as a well-known provider of identity and security solutions that form a part of our customers’ security software supply chain, any such breach, including a breach of our customers’ systems, could compromise systems secured by our products, creating system disruptions or slowdowns and exploiting security vulnerabilities of our or our customers’ systems, and the information stored on our or our customers’ systems could be accessed, publicly disclosed, altered, lost or stolen, which could subject us to liability and cause us financial harm. Our disclosures concerning security incidents also may become the subject of litigation, and our disclosures concerning the January 2022 compromise, for example, have become the subject of lawsuits, as discussed in Item 3, “Legal Proceedings” below. While we have taken a number of remediation steps, there is no guarantee that our preventative and mitigation actions with respect to this incident and others like it will fully eliminate the risk of a malicious compromise of our or our customers’ systems.
We have experienced cybersecurity incidents resulting from our use of and oversight over third-party service providers and may experience such incidents in the future. These incidents have, in the past, and may, in the future, result from our configuration of such providers’ products or from cybersecurity attacks on such providers of the same type that could affect our own systems. While we have implemented security measures and configuration policies that seek to protect data stored with our third-party service providers, such measures and policies have not in the past been, and may not in the future be, sufficient to protect our data or our customers’ data. For example, the January 2022 compromise of one of our third-party service providers by a threat actor, even though not material and not a breach of our product or systems, nonetheless was widely publicized and focused attention on the security of our systems and the systems of our third-party service providers. In addition, in October 2023, a threat actor gained unauthorized access to and stole information from inside our customer support system, which was hosted by a third-party service provider.
While we maintain cybersecurity insurance, our insurance may be insufficient to cover all liabilities incurred in these incidents, and any incidents may result in loss of, or increased costs of, our cybersecurity insurance. These breaches, or any perceived breach, of our systems, our customers’ systems, our service providers’ systems, or other systems or networks secured by our products, whether or not any such breach is due to a vulnerability in our platform, may also undermine confidence in our platform or our industry and result in damage to our reputation and brand, negative publicity, loss of ISVs and other channel partners, customers and sales, increased costs to remedy any problem, costly litigation and other liability. In addition, a breach of the security measures of one of our key ISVs or other channel partners or a security software supply chain attack even many levels removed could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack. For example, an exploitation in an open source library that is imported and used in another framework that is used by a software product used by Okta could introduce an avenue of attack into the Okta service. If a high profile security breach occurs with respect to a comparable cloud technology provider, our customers and potential customers may lose trust in the security of the cloud business model generally, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these
30


negative outcomes could adversely impact market acceptance of our products and could harm our business, results of operations and financial condition.
Third parties have induced and may continue to fraudulently induce employees, contractors, customers or our customers’ users into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our applications, internal networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data, which could result in significant legal and financial exposure, a loss of confidence in the security of our platform, interruptions or malfunctions in our operations, account lockouts, and, ultimately, harm to our future business prospects and revenue. We may be required to expend significant capital and financial resources to protect against such threats or to alleviate problems caused by breaches in security.
We have, in the past, failed or been perceived to have failed to fully comply with the privacy or security provisions of our privacy policy, our contracts and/or legal or regulatory requirements, which could result in proceedings, actions or penalties against us. We may experience similar incidents in the future.
Our customers’ storage and use of data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platform. We have implemented various features intended to enable our customers to better comply with applicable privacy and security requirements in their collection and use of data within our online service, but these features have, in the past, not ensured and may, in the future, not ensure our customers’ compliance and may not be effective against all potential privacy or related regulatory concerns.
Many jurisdictions have enacted or are considering enacting or revising privacy and/or data security legislation, including laws and regulations applying to the collection, use, storage, transfer, disclosure and/or processing of personal data. The costs of compliance with, and other burdens imposed by, such laws and regulations that are applicable to the operations of our customers may limit the use and adoption of our service and reduce overall demand for it. These privacy and data security related laws and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. In addition, we are subject to certain contractual obligations regarding the collection, use, storage, transfer, disclosure and/or processing of personal data. Although we are working to comply with those federal, state and foreign laws and regulations, industry standards, contractual obligations and other legal obligations that apply to us, those laws, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another, other requirements or legal obligations, our practices or the features of our platform. In addition, some of our customers contract with us on the basis of our authorization under FedRAMP, which, in addition to state or international regulations, has, in the past, and may, in the future, require us to undertake additional actions and expense to ensure compliance.
We also expect that there will continue to be new proposed laws, regulations, self-regulatory and industry standards concerning privacy, data protection and information security in the United States, China, the European Union, India and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. For example, the California Consumer Privacy Act (“CCPA”), which took effect on January 1, 2020, and the California Privacy Rights Act (“CPRA”), which took effect on January 1, 2023 and significantly modifies the CCPA, broadly define personal information and give California residents expanded privacy rights and protections and provide for civil penalties for violations and a private right of action for data breaches. The CPRA also created a new state agency that is vested with authority to implement and enforce the CCPA and the CPRA. Since the CPRA passed, a number of states have passed their own comprehensive privacy statutes that share similarities with the CCPA and CPRA and, depending on the jurisdiction, will take effect in 2024 or thereafter. Following California’s enactment of the CCPA and CPRA, a number of other states have passed new privacy laws with differing requirements and remedies for violations. We expect that additional states will enact privacy regulations that differ from each other. We may expend significant resources attempting to comply with conflicting and overlapping state privacy regulations, and the cost and complexity of complying with such regulations could adversely affect our business or increase our potential liability if we fail to comply. This influx of state privacy regimes indicates a trend toward more stringent privacy legislation in the United States, including a potential federal privacy law, which could also increase our potential liability and adversely affect our business.
Future laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations could impair our or our customers’ ability to collect, use or disclose information relating to consumers, which could decrease demand for our applications, restrict our business operations, or increase our costs and impair our ability to maintain and grow our customer base and increase our
31


revenue. Such laws and regulations may require companies to implement privacy and security policies, permit users to exercise various data rights, inform individuals of security breaches that affect their personal data, and, in some cases, obtain individuals’ consent to use personal data for certain purposes. If we, or the third parties on which we rely, fail to comply with federal, state and international data privacy laws and regulations our ability to successfully operate our business and pursue our business goals could be harmed.
With respect to cybersecurity in the United States, we are closely monitoring the development of rules and guidance pursuant to various executive orders that may apply to us, including, for example, pursuant to Executive Order 14028 for “critical software.” While the rules and guidance coming from the Order are still being developed, we could be categorized as a provider of critical software, which may increase our compliance costs and delay or prevent our ability to execute contracts with customers, including in particular with government entities.
Any failure by us to comply with federal, state or foreign laws or regulations, industry standards, contractual obligations or other legal obligations, compliance frameworks that Okta has contractually committed to comply with, or any actual or suspected privacy or security incident, even if unfounded, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personal data or other data, may result in enforcement actions and prosecutions, private litigation, fines, penalties and censure, claims for damages by customers and other affected individuals, or adverse publicity and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business.
We publicly post our privacy policies and practices concerning our processing, use and disclosure of the personal data provided to us by our website visitors and by our customers, and other individuals with whom we interact. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be unfair, deceptive or misrepresentative of our practices.
If our platform is perceived to cause, or is otherwise unfavorably associated with, violations of privacy or data security requirements, it may subject us or our customers to public criticism and potential legal liability. Existing and potential privacy laws and regulations concerning privacy and data security and increasing sensitivity of consumers to unauthorized processing of personal data may create negative public reactions to technologies, products and services such as ours. Public concerns regarding personal data processing, privacy and security may cause some of our customers’ end users to be less likely to visit their websites or otherwise interact with them. If enough end users choose not to visit our customers’ websites or otherwise interact with them, our customers could stop using our platform. This, in turn, may reduce the value of our service, and slow or eliminate the growth of our business, or cause our business to contract.
Privacy is a key issue for Okta and for our customers. We have attained multiple privacy certifications, such as the Asia-Pacific Economic Cooperation Privacy Recognition for Processors, and the European Union Cloud Code of Conduct, Level 2. If we fail to maintain our privacy certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed products, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer.
We may face particular privacy, data security and data protection risks in Europe due to stringent data protection and privacy laws and increased scrutiny over EU-U.S. data transfers.
We are subject to global data protection laws and regulations (“Data Protection Laws”) that may impact how we do business with customers. Data Protection Laws, such as those applicable in the European Union, Canada and certain of its provinces, United Kingdom, Asia, and certain states in the United States, have enhanced data protection obligations for companies that handle personal data. Obligations include, for example, expanded disclosures about how personal data is to be used, individual rights to access and delete personal data, limitations on retention of personal data, mandatory data breach notification requirements and strict obligations on service providers.
In addition, increasing numbers of Data Protection Laws restrict transfers of personal data outside of their country of origin to countries deemed to lack adequate privacy protections. These types of transfers must be supported by a transfer mechanism that we may be required to implement; for example, data transfers out of the European Economic Area may require certification to the EU-U.S. Data Privacy Framework (“DPF”) or agreeing to the European Commission’s Standard Contractual Clauses (“SCCs”), each of which impose additional compliance obligations.
32


One Okta subsidiary is a certified participant of the DPF and receives European personal data in the U.S. pursuant to the DPF and the SCCs, and by contrast, the rest of Okta relies on the SCCs for its lawful transfers of European personal data to the U.S. The DPF and the SCCs are subject to further review by European authorities (such as the Court of Justice of the European Union) and could be invalidated in the future, requiring expenditure of additional resources to support lawful transfers of European personal data.
Additional jurisdictions continue to adopt data localization laws, which require personal data, or certain subcategories of personal data, to be stored in the jurisdiction of origin. These regulations may deter customers from using cloud-based services such as ours and may inhibit our ability to expand into those markets or prohibit us from continuing to offer services in those markets without significant additional costs.
This regulatory environment applicable to the handling of personal data, and our actions taken in response, may cause us to assume additional liabilities or incur additional costs and could result in our business, results of operations and financial condition being harmed. We and our customers may face a risk of enforcement actions by an increasing number of global data protection authorities in countries where data protection laws apply to us and with which we may not be able to comply. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel and negatively affect our business, results of operations and financial condition.
Non-compliance with these obligations can trigger significant fines. For example, in Europe fines for non-compliance can be a maximum of €20 million or 4% of total worldwide annual revenue, whichever is higher. In some U.S. states, fines can be up to $7,500 per violation, multiplied by the number of impacted individuals, and, in addition, some states allow a private right of action. Given the breadth and depth of changes in data protection obligations, complying with these requirements has caused us to expend significant resources, which is likely to continue into the near future as we respond to new interpretations and enforcement actions.
In addition, new laws are continually being passed. For example, in the European Union, a draft ePrivacy Regulation extends strict opt-in marketing rules, alters rules on third-party cookies, web beacons and similar technology and significantly increases penalties for violations. India recently passed a comprehensive data protection law that will apply new privacy rules for the first time in that country. In addition, the number of U.S. states with comprehensive Data Protection Laws significantly increased in 2023. We cannot yet determine the impact that such future laws, regulations and standards may have on our business. Such laws and regulations are often subject to differing interpretations and may be inconsistent among jurisdictions. We may incur substantial expense in complying with any new obligations, we may be required to make significant changes in our business operations and product and services development, and we may not be able to comply with some of these regulatory developments, all of which may adversely affect our revenues and our business overall.
We function as a HIPAA Business Associate for certain of our customers and, as such, are subject to strict privacy and data security requirements. If we fail to comply with any of these requirements, we could be subject to significant liability, all of which can adversely affect our business as well as our ability to attract and retain new customers.
HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their respective implementing regulations under HIPAA, imposes specified requirements relating to the privacy, security and transmission of individually identifiable health information. Among other things, HITECH makes HIPAA’s security standards directly applicable to “Business Associates”. We function as a Business Associate for certain of our customers that are HIPAA covered entities and service providers, and in that context we are regulated as a Business Associate for the purposes of HIPAA. The HIPAA-covered entities and service providers to which we provide services require us to enter into HIPAA-compliant Business Associate agreements with them. These agreements impose stringent data security obligations on us. If we are unable to comply with our obligations as a HIPAA Business Associate or under the terms of the Business Associate agreements we have executed, we could face substantial civil and even criminal liability as well as contractual liability under the applicable Business Associate agreement, all of which can have an adverse impact on our business and generate negative publicity, which, in turn, can have an adverse impact on our ability to attract and retain new customers. Modifying the already stringent penalty structure that was present under HIPAA prior to HITECH, HITECH created four new tiers of civil monetary penalties and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorneys’ fees and costs associated with pursuing federal civil actions. In addition, many state laws govern the privacy and security of health information in certain circumstances, many of which differ from HIPAA and each other in significant ways and may not have the same effect. Further, certain modifications have been proposed to the HIPAA privacy regulations, and we expect that there
33


will continue to be changes to health information privacy laws in the United States, including HIPAA, and we cannot yet determine the impact such changes to existing laws, regulations and standards may have on our business.
If we fail to maintain our security attestations and certifications, our business, results of operations and financial condition may suffer.
Security is essential for Okta and for our customers. A number of our product offerings have attained multiple certifications, including SOC 2 Type II Attestations, CSA Star Level 2 Attestation, ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, multiple agency FedRAMP Authorities to Operate, Department of Defense Impact Level 4, are in accordance with Health Insurance Portability and Accountability Act ("HIPAA"), and comply with many other international security frameworks. Workforce Identity Cloud also supports FIPS 140-2 encryption requirements. If we fail to maintain our security attestations and certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed products, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer.
We provide service level commitments under our customer contracts. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service, or face contract termination with refunds of prepaid amounts related to unused subscriptions, which could harm our business, results of operations and financial condition.
Our customer agreements contain service level commitments, under which we guarantee specified availability of our platform. Any failure of or disruption to our infrastructure could make our platform unavailable to our customers. If we are unable to meet the stated service level commitments to our customers or suffer extended periods of unavailability of our platform, we may be contractually obligated to provide affected customers with service credits for future subscriptions. Our revenue, other results of operations and financial condition could be harmed if we suffer unscheduled downtime that exceeds the service level commitments under our agreements with our customers, and any extended service outages could adversely affect our business and reputation as customers may elect not to renew and we could lose future sales.
If we are unable to ensure that our products integrate or interoperate with a variety of operating systems, platforms, services, software applications devices, mobile phones and other hardware form factors that are developed by others, our platform may become less competitive and our results of operations may be harmed.
The number of people who access the internet through mobile devices and access cloud-based software applications through mobile devices, including smartphones and handheld tablets or laptop computers, has increased significantly in the past several years and is expected to continue to increase. While we have created mobile applications and mobile versions of our products, if these mobile applications and products do not perform well, our business may suffer. We are also dependent on third-party application stores that may prevent us from timely updating our current products or uploading new products. In addition, our products interoperate with servers, mobile devices and software applications predominantly through the use of protocols, many of which are created and maintained by third parties. As a result, we depend on the interoperability of our products with such third-party services, mobile devices and mobile operating systems, as well as cloud-enabled hardware, software, networking, browsers, database technologies and protocols that we do not control. Past and future changes in such technologies that degrade the functionality of our products or give preferential treatment to competitive services have, in the past, and could, in the future, adversely affect adoption and usage of our platform. Any change in our customers’ preference for cloud-based identity management or any shift towards on-premises systems could also adversely affect adoption and usage of our platform. Also, we may not be successful in developing or maintaining relationships with key participants in the mobile industry or in developing products that operate effectively with a range of operating systems, networks, devices, browsers, protocols and standards. In addition, we may face different fraud, security and regulatory risks from transactions sent from mobile devices than we do from personal computers. If we are unable to effectively anticipate and manage these risks, or if it is difficult for our customers to access and use our platform, our business, results of operations and financial condition may be harmed.
Our success also depends on the willingness of third-party developers and technology providers to build applications and provide integrations that are complementary to our service. Without the development of these applications and integrations, both current and potential customers may not find our service sufficiently attractive, and our business, results of operations and financial condition could suffer.
34


Interruptions or delays in the services provided by third-party data centers or internet service providers have, in the past, and could, in the future, impair the delivery of our platform and our business could suffer.
We rely on a number of third-party service providers to operate our services, any of which, if it encounters interruptions or delays, could negatively affect our platform, damage our reputation, expose us to liability, cause us to lose customers or otherwise harm our business. For example, we host our platform using AWS data centers and other third-party cloud infrastructure services and, in the past, service interruptions from such infrastructure providers have caused outages on our platform, which could occur again in the future. All of our products use resources operated by us in these locations. Our operations depend on protecting the virtual cloud infrastructure hosted in AWS or other cloud services by maintaining its configuration, architecture and interconnection specifications, as well as the information stored in these virtual data centers and which third-party internet service providers transmit. Although we have disaster recovery plans that use multiple virtual data center locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake, power loss, telecommunications failures, unauthorized intrusion or malicious action, computer viruses and disabling devices, natural disasters, war, criminal act, military actions, terrorist attacks and other similar events beyond our control could negatively affect our platform. A prolonged third-party service disruption affecting our platform for any of the foregoing reasons could be detrimental to our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the third-party services we use.
Our cloud infrastructure services enable us to order and reserve server capacity in varying amounts and sizes distributed across multiple regions. These cloud infrastructure services provide us with computing and storage capacity pursuant to agreements which may be terminated under specified circumstances.
Our platform is accessed by a large number of customers, often at the same time. As we continue to expand the number of our customers and products available to our customers, we may not be able to scale our technology to accommodate the increased capacity requirements, which may result in interruptions or delays in service. In addition, the failure of third-party virtual data centers, third-party internet service providers, or other third-party service providers whose services are integrated with our platform, to meet our capacity requirements could result in interruptions or delays in access to our platform or impede our ability to scale our operations. In the event that our third-party service agreements are terminated, or there is a lapse of service, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform as well as delays and additional expense in arranging new facilities and services.
Our success depends, in part, on the integrity and scalability of our systems and infrastructures. System interruption and the lack of integration, redundancy and scalability in these systems and infrastructures may harm our business, results of operations and financial condition.
Our success depends, in part, on our ability to maintain the integrity of our systems and infrastructure, including websites, information and related systems. System interruption and a lack of integration and redundancy in our information systems and infrastructure may adversely affect our ability to operate websites, process and fulfill transactions, respond to customer inquiries and generally maintain cost-efficient operations. We may experience occasional system interruptions that make some or all systems or data unavailable or prevent us from efficiently providing access to our platform. We also rely on third-party information technology systems, broadband and other communications systems and service providers in connection with providing access to our platform generally. Any interruptions, outages or delays in our systems and infrastructure, our business and/or third parties, or deterioration in the performance of these systems and infrastructure, could impair our ability to provide access to our platform. Fire, flood, power loss, telecommunications failure, hurricanes, tornadoes, earthquakes, other natural disasters, acts of war or terrorism, unauthorized access or malicious acts, and similar events or disruptions may damage or interrupt computers, broadband or other communications systems and infrastructure at any time. Any of these events could cause system interruption, delays and loss of critical data, and could prevent us from providing access to our platform. While we have backup systems for certain aspects of these operations, disaster recovery planning by its nature cannot be sufficient for all eventualities. In addition, we may not have adequate insurance coverage to compensate for losses from a major interruption. If any of these events were to occur, it could harm our business, results of operations and financial condition.
35


We rely on software and services from other parties. Defects in or the loss of access to software or services from third parties could increase our costs and adversely affect the quality of our products.
We rely on technologies from third parties to operate critical functions of our business, including cloud infrastructure services and customer relationship management services. Our business would be disrupted if any of the third-party software or services we use, or functional equivalents, were unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices. In each case, we would be required to either seek licenses to software or services from other parties and redesign our products to function with such software or services or develop substitutes ourselves, which would result in increased costs and could result in delays in our product launches and the release of new product offerings until equivalent technology can be identified, licensed or developed, and integrated into our products. Furthermore, we might be forced to limit the features available in our current or future products. These delays and feature limitations, if they occur, could harm our business, results of operations and financial condition.
Real or perceived errors, failures, vulnerabilities or bugs in our products, including deployment complexity, have, in the past and could, in the future, harm our business and results of operations.
Errors, failures, vulnerabilities or bugs have, in the past and may, in the future, occur in our products, especially when updates are deployed or new products are rolled out, maintenance patches are applied, or infrastructure, architectural or configuration changes are made. In the past, such issues have caused outages for our customers. Our platform is often used in connection with large-scale computing environments with different operating systems, system management software, equipment and networking configurations, which may cause errors or failures of products, or other aspects of the computing environment into which our products are deployed. In addition, deployment of our products into complicated, large-scale computing environments may expose errors, failures, vulnerabilities or bugs in our products. Any such errors, failures, vulnerabilities or bugs may not be found until after they are deployed to our customers. Real or perceived errors, failures, vulnerabilities or bugs in our products, or delays in or difficulties implementing our product releases, could result in negative publicity, loss of customer data, loss of or delay in market acceptance of our products, a decrease in customer satisfaction or adoption rates, loss of competitive position, or claims by customers for losses sustained by them, all of which could harm our business, results of operations and financial condition.
Issues in the development and use of artificial intelligence, combined with an uncertain regulatory environment, may result in reputational harm, liability, or other adverse consequences to our business operations.
We use internally developed and third-party developed machine learning and artificial intelligence (“AI”) technologies in our offerings and business, and we are making investments in expanding our artificial intelligence capabilities in our products, services, and tools, including ongoing deployment and improvement of existing machine learning and AI technologies, as well as developing new product features using AI technologies, including, for example, generative AI. AI technologies are complex and rapidly evolving, and we face significant competition from other companies as well as an evolving regulatory landscape. For example, in the European Union, the proposed Artificial Intelligence Act, if approved, would establish obligations for providers of AI based on the type of AI and its potential risks to society. The introduction of AI technologies into new or existing products may result in new or enhanced governmental or regulatory scrutiny, litigation, confidentiality or security risks, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results. For example, even if permitted by our privacy policy and contractual rights, our use of data in novel AI applications may, in time, expand beyond customer expectations. The intellectual property ownership and license rights, including copyright, surrounding AI technologies has not been fully addressed by courts or national or local laws or regulations, and the use or adoption of third-party AI technologies into our products and services may result in exposure to claims of copyright infringement or other intellectual property misappropriation. Uncertainty around new and emerging AI technologies, such as generative AI, may require additional investment in the development and maintenance of proprietary datasets and machine learning models, development of new approaches and processes to provide attribution or remuneration to creators of training data, and development of appropriate protections and safeguards for handling the use of customer data with AI technologies, which may be costly and could impact our expenses if we decide to expand generative AI into our product offerings. AI technologies, including generative AI, may create content that appears correct but is factually inaccurate or flawed. Our customers or others may rely on or use this flawed content to their detriment, which may expose us to brand or reputational harm, competitive harm, and/or legal liability. The use of AI technologies presents emerging ethical and social issues, and if we enable or offer solutions that draw scrutiny or controversy due to their perceived or actual impact on customers or on society as a whole, we may experience brand or reputational harm, competitive harm, and/or legal liability.
36


If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate less revenue and incur costly litigation to protect our rights.
Our success is dependent, in part, upon protecting our proprietary information and technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual restrictions to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products that compete with ours. Some contract provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of certain jurisdictions and foreign countries. Further, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States, and mechanisms for enforcement of intellectual property rights in some foreign countries may be inadequate. To the extent we expand our international activities, our exposure to unauthorized copying and use of our products and proprietary information may increase. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our technology and intellectual property.
We rely in part on trade secrets, proprietary know-how and other confidential information to maintain our competitive position. Although we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances, no assurance can be given that these agreements will be effective in controlling access to and distribution of our products and proprietary information. Further, these agreements do not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our products.
To protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our products, impair the functionality of our products, delay introductions of new products, result in our substituting inferior or more costly technologies into our products, or injure our reputation. In addition, we may be required to license additional technology from third parties to develop and market new products, and we cannot ensure that we can license that technology on commercially reasonable terms or at all, and our inability to license this technology could harm our ability to compete.
Our results of operations may be harmed if we are subject to an infringement claim or a claim that results in a significant damage award.
There is considerable patent and other intellectual property development activity in our industry, and we expect that software companies will increasingly be subject to infringement claims as the number of products and competitors grows and the functionality of products in different industry segments overlaps. In addition, the patent portfolios of many of our competitors are larger than ours, and this disparity may increase the risk that our competitors may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. Other companies have claimed in the past, and may claim in the future, that we infringe upon their intellectual property rights. A claim may also be made relating to technology that we acquire or license from third parties. Further, we may be unaware of the intellectual property rights of others that may cover some or all of our technology.
Any claim of infringement, regardless of its merit or our defenses, could:
require costly litigation to resolve and/or the payment of substantial damages, ongoing royalty payments or other amounts to settle such disputes;
require significant management time and attention;
cause us to enter into unfavorable royalty or license agreements, if such arrangements are available at all;
37


require us to discontinue the sale of some or all of our products, remove or reduce features or functionality of our products or comply with other unfavorable terms;
require us to indemnify our customers or third-party service providers; and/or
require us to expend additional development resources to redesign our products.
Any one or more of the above could harm our business, results of operations and financial condition.
We use open source software in our products, which could negatively affect our ability to offer our products and subject us to litigation or other actions.
We use open source software in our products and expect to use more open source software in the future. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate open source software into their products. However, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our results of operations and financial condition or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with open source software in a certain manner, we could, under certain of the open source licenses, be required to release the source code of our proprietary software to the public. This would allow our competitors to create similar products with less development effort and time. If we inappropriately use open source software, or if the license terms for open source software that we use change, we may be required to re-engineer our products, incur additional costs, discontinue the sale of some or all of our products or take other remedial actions. Some open source software may include generative AI software or other software that incorporates or relies on generative AI or other AI technologies. The use of such software may expose us to risks as the intellectual property ownership and license rights, including copyright, of generative AI software and tools, has not been fully interpreted by U.S. courts or been fully addressed by federal or state regulation.
In addition to risks related to license requirements, usage of open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or assurance of title or controls on origin of the software. In addition, many of the risks associated with usage of open source software, such as the lack of warranties or assurances of title, cannot be eliminated, and could, if not properly addressed, negatively affect our business. We have established processes to help alleviate these risks, including a review process for screening requests from our development organizations for the use of open source software, but we cannot be sure that all of our use of open source software is in a manner that is consistent with our current policies and procedures, or will not subject us to liability.
Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
Our agreements with customers and other third parties may include indemnification or other provisions under which we agree to indemnify or otherwise be liable to them for losses suffered or incurred as a result of claims of intellectual property infringement, damages caused by us to property or persons, or other liabilities relating to or arising from the use of our platform or other acts or omissions. The term of these contractual provisions often survives termination or expiration of the applicable agreement. As we continue to grow, the possibility of infringement claims and other intellectual property rights claims against us may increase. For any intellectual property rights indemnification claim against us or our customers, we will incur significant legal expenses and may have to pay damages, settlement fees, license fees and/or stop using technology found to be in violation of the third party’s rights. Large indemnity payments could harm our business, results of operations and financial condition. We may also have to seek a license for the infringing or allegedly infringing technology. Such license may not be available on reasonable terms, if at all, and may significantly increase our operating expenses or may require us to restrict our business activities and limit our ability to deliver certain products. As a result, we may also be required to develop alternative non-infringing technology, which could require significant effort and expense and/or cause us to alter our platform, which could negatively affect our business.
From time to time, customers require us to indemnify or otherwise be liable to them for breach of confidentiality, violation of applicable law or failure to implement adequate security measures with respect to their data stored, transmitted, or accessed using our platform. Although we normally contractually limit our liability with
38


respect to such obligations, the existence of such a dispute may have adverse effects on our customer relationship and reputation and we may still incur substantial liability related to them.
Any assertions by a third party, whether or not successful, with respect to such indemnification obligations could subject us to costly and time-consuming litigation, expensive remediation and licenses, divert management attention and financial resources, harm our relationship with that customer and other current and prospective customers, reduce demand for our platform, and harm our brand, business, results of operations and financial condition.
Risks Related to Legal, Accounting and Tax Matters

Because we generally recognize revenue from our subscriptions and support services over the term of the relevant service period, a decrease in sales during a reporting period may not be immediately reflected in our results of operations for that period.
We generally recognize revenue from subscriptions and related support services revenue ratably over the relevant service period. Net new revenue from new subscriptions, upsells and renewals entered into during a period can generally be expected to generate revenue for the duration of the service period. As a result, most of the revenue we report in each period is derived from the recognition of deferred revenue relating to subscriptions and support services contracts entered into during previous periods. Consequently, a decrease in new or renewed subscriptions in any single reporting period will have a limited impact on our revenue for that period. In addition, our ability to adjust our cost structure in the event of a decrease in new or renewed subscriptions may be limited.
Further, a decline in new subscriptions or renewals in a given period may not be fully reflected in our revenue for that period, but will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our services, and changes in our rate of renewals, may not be fully reflected in our results of operations until future periods. Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers is generally recognized over the applicable service period. Additionally, due to the complexity of certain of our customer contracts, the actual revenue recognition treatment required under relevant accounting principles generally accepted in the United States (“GAAP”) will depend on contract-specific terms and may result in greater variability in revenue from period to period.
In addition, a decrease in new subscriptions or renewals in a reporting period may not have an immediate impact on billings for that period.
We may face exposure to foreign currency exchange rate fluctuations.
Today, a vast majority of our customer contracts are denominated in U.S. dollars. Over time, however, an increasing portion of our international customer contracts may be denominated in local currencies. In addition, the majority of our international costs are denominated in local currencies. As a result, fluctuations in the value of the U.S. dollar and foreign currencies may affect our results of operations when translated into U.S. dollars. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.
We are subject to anti-corruption, anti-bribery and similar laws, and non-compliance with such laws can subject us to criminal penalties or significant fines and harm our business and reputation.
We are subject to anti-corruption and anti-bribery and similar laws, such as the U.S. Foreign Corrupt Practices Act of 1977, as amended (“FCPA”), the U.S. domestic bribery statute contained in 18 U.S.C. § 201, U.S. Travel Act, the USA PATRIOT Act, the U.K. Bribery Act 2010 and other anti-corruption, anti-bribery and anti-money laundering laws in countries in which we conduct activities. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly and prohibit companies and their employees and agents from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the private sector. As we increase our international sales and business, our risks under these laws may increase.
39


In addition, we use channel partners to sell our products and conduct business on our behalf. We or such partners may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and under certain circumstances we could be held liable for the corrupt or other illegal activities of such partners, and our employees, representatives, contractors, partners, and agents, even if we do not explicitly authorize such activities. We have implemented an anti-corruption compliance program but cannot ensure that all our employees and agents, as well as those companies to which we outsource certain of our business operations, will not take actions in violation of our policies and applicable law, for which we may be ultimately held responsible.
Noncompliance with the FCPA, other applicable anti-corruption laws, or anti-money laundering laws could subject us to investigations, whistleblower complaints, sanctions, settlements, prosecution, and other enforcement actions within the U.S. and internationally. Any violation of these laws could result in disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, adverse media coverage, loss of export privileges, severe criminal or civil sanctions, suspension or debarment from U.S. government contracts and other consequences, any of which could have a material adverse effect on our reputation, business, results of operations, and financial condition.
We are subject to governmental export controls and economic sanctions laws that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.
Our business activities are subject to various restrictions under U.S. export controls and trade and economic sanctions laws, including the U.S. Commerce Department’s Export Administration Regulations and economic and trade sanctions regulations maintained by the U.S. Treasury Department’s Office of Foreign Assets Control. The U.S. export control laws and U.S. economic sanctions laws include prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries, governments, persons and entities and also require authorization for the export of encryption items. In addition, various countries regulate the import of certain encryption technology, including through import and licensing requirements, and have enacted laws that could limit our ability to distribute our service or could limit our customers’ ability to implement our service in those countries. These laws and regulations may change frequently in response to evolving international issues. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and monetary penalties. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. Although we take precautions to prevent our products from being provided in violation of such laws, our products may have been in the past, and could in the future be, provided inadvertently in violation of such laws, despite the precautions we take. This could result in negative consequences to us, including government investigations, penalties and harm to our reputation.
Our international operations may give rise to potentially adverse tax consequences.
We are expanding our international operations and staff to better support our growth into certain international markets. Our corporate structure and associated transfer pricing policies anticipate future growth into certain international markets. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions, which are generally required to be computed on an arm’s-length basis pursuant to intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency.
Changes in tax laws or regulations in the various tax jurisdictions we are subject to that are applied adversely to us or our customers could increase the costs of our products and harm our business.
New income, sales, use, value-added or other transaction level taxes, tax laws, statutes, rules, regulations or ordinances could be enacted at any time. Those enactments could adversely impact our domestic and international business operations, and our business and financial performance. Further, existing tax laws, statutes, rules,
40


regulations or ordinances could be interpreted, changed, modified or applied adversely to us. These events could require us or our customers to pay additional tax amounts on a prospective or retroactive basis, as well as require us or our customers to pay fines and/or penalties and interest for past amounts deemed to be due. If we raise our prices to offset the costs of these additional taxes, existing and potential future customers may elect not to purchase our products in the future. Additionally, new, changed, modified or newly interpreted or applied tax laws could increase our customers’ and our compliance, operating and other costs, as well as the costs of our products. Further, these events could decrease the capital we have available to operate our business. Any or all of these events could harm our business and financial performance. For example, various legislative and regulatory actions and proposals, such as in the United States, the Organisation for Economic Co-operation and Development and the EU, have increasingly focused on future tax reform and contemplate changes to long-standing tax principles, which could adversely affect our liquidity and results of operations.
As a multinational organization, we may be subject to taxation in certain jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents, which could harm our liquidity and results of operations. In addition, the authorities in these jurisdictions could review our tax returns and impose additional tax, interest and penalties, and the authorities could claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries, any of which could harm us and our results of operations.
Our business may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, foreign or other authorities to collect additional or past sales tax could harm our business.
State, foreign and local taxing jurisdictions have differing rules and regulations governing sales, use and other indirect taxes (including digital services taxes), and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of certain sales, value-added and digital services taxes to our platform in various jurisdictions is unclear. It is possible that we could face tax audits and that our liability for these taxes could exceed our estimates as tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We could also be subject to audits in states and international jurisdictions for which we have not accrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes on our service in jurisdictions where we have not historically done so and do not accrue for such taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our products or otherwise harm our business, results of operations and financial condition.
We file sales tax returns in certain states within the United States as required by law and certain customer contracts for a portion of the products that we provide. We do not collect sales or other similar taxes in other states and many of such states do not apply sales or similar taxes to the vast majority of the products that we provide. However, one or more states or foreign authorities could seek to impose additional sales, use or other tax collection and record-keeping obligations on us or may determine that such taxes should have, but have not been, paid by us. Liability for past taxes may also include substantial interest and penalty charges. Any successful action by state, foreign or other authorities to compel us to collect and remit sales tax, use tax or other taxes, either retroactively, prospectively or both, could harm our business, results of operations and financial condition.
Our ability to use our U.S. net operating loss carry-forwards and certain other tax attributes may be limited.
Under Section 382 of the Internal Revenue Code of 1986, as amended, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in its equity ownership over a three-year period, the corporation’s ability to use its pre-change net operating loss carry-forwards and other pre-change tax attributes, such as research tax credits and distributed interest deduction carryover, to offset its post-change income may be limited. We have experienced ownership changes in the past and any such ownership change in the future could result in increased future tax liability. In addition, we may experience ownership changes in the future as a result of subsequent shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change net operating loss carry-forwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us.

41


If we fail to maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended, and anticipate that we will continue to expend, significant resources, including accounting-related costs and significant management oversight. If any of these new or improved controls and systems do not perform as expected, we may experience material weaknesses or significant deficiencies in our controls.
Our controls may become inadequate because of changes in conditions in our business. Further, weaknesses in our disclosure controls and internal control over financial reporting may be discovered in the future. Any failure to maintain effective controls could harm our results of operations or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports that are filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our Class A common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the Nasdaq. We are required to provide an annual management report on the effectiveness of our internal control over financial reporting.
Our independent registered public accounting firm is required to formally attest to the effectiveness of our internal control over financial reporting annually. Our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our internal control over financial reporting is documented, designed, or operating. Any failure to maintain effective disclosure controls and internal control over financial reporting could harm our business and results of operations and could cause a decline in the price of our Class A common stock.
Changes in existing financial accounting standards or practices, or taxation rules or practices, may harm our results of operations.
Changes in existing accounting or taxation rules or practices, new accounting pronouncements or taxation rules, or varying interpretations of current accounting pronouncements or taxation practice could harm our results of operations or the manner in which we conduct our business. Further, such changes could potentially affect our reporting of transactions completed before such changes are effective.
GAAP are subject to interpretation by the Financial Accounting Standards Board (“FASB”), the SEC and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results, and could affect the reporting of transactions completed before the announcement of a change. Adoption of such new standards and any difficulties in implementation of changes in accounting principles, including the ability to modify our accounting systems, could cause us to fail to meet our financial reporting obligations, which could result in regulatory discipline and harm investors’ confidence in us.
If our estimates or judgments relating to our critical accounting policies prove to be incorrect, our results of operations could be adversely affected.
The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include, but are not limited to those referenced in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” Our results of operations may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our
42


results of operations to fall below the expectations of securities analysts and investors, resulting in a decline in the trading price of our Class A common stock.
Risks Related to Ownership of Our Class A Common Stock
The stock price of our Class A common stock may be volatile or may decline.
The trading price of our Class A common stock has been, and in the future, may be, subject to substantial volatility and wide fluctuations. For example, from February 1, 2023 through January 31, 2024, the trading price of our Class A common stock has ranged from $65.04 per share to $92.38 per share. The market price of our Class A common stock fluctuates significantly in response to numerous factors, many of which are beyond our control, including, but not limited to:
overall performance of the equity markets and/or publicly-listed technology companies;
volatility in the market prices and trading volumes of technology and high-growth companies generally, or those in our industry in particular;
actual or anticipated fluctuations in our revenue or other financial or operating metrics;
our ability to meet or exceed forward-looking guidance we have given, our ability to give forward-looking guidance consistent with past practices, and changes to or withdrawal of previous guidance or long-range targets;
failure of securities analysts to initiate or maintain coverage of us, changes in financial estimates and/or recommendations by any securities analysts who follow our company;
our failure to meet the estimates or the expectations of securities analysts or investors;
actions and investment positions taken by institutional and other stockholders, including activist investors;

recruitment or departure of key personnel;
security breaches of, technical difficulties with, or interruptions to, the delivery and use of our platform and products, and any negative market perception or customer reactions related to, or arising from the disclosure of, such breaches, difficulties or interruptions;
the economy as a whole, the inflation and interest rate environment and market and industry conditions;
rumors and market speculation involving us or other companies in our industry;
announcements by us or our competitors of significant innovations, acquisitions, strategic partnerships, joint ventures, or capital commitments;
new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
lawsuits threatened or filed against us;
other events or factors, including those resulting from war, incidents of terrorism, or responses to these events; and
sales of additional shares of our Class A common stock by us, our directors, our officers or our stockholders.
In addition, stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. Stock prices of many companies, including technology companies and high-growth, unprofitable companies in particular, have fluctuated in a manner unrelated or disproportionate to the operating performance of those companies. In the past, stockholders have instituted securities class action litigation following periods of market volatility. Our involvement in securities litigation has, in the past, and could, in the future, subject us to substantial costs, divert resources and the attention of management from our business, and harm our business.
43


The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and their affiliates, who held in the aggregate 40.4% of the voting power of our capital stock as of January 31, 2024. This will limit or preclude your ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval.
Our Class B common stock has ten votes per share and our Class A common stock has one vote per share. As of January 31, 2024, our directors, executive officers and their affiliates held in the aggregate 40.4% of the voting power of our capital stock, taking into account shares of our common stock subject to options that are currently exercisable or exercisable within 60 days of January 31, 2024 and RSUs that are releasable within 60 days of January 31, 2024. Because of the ten-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively could continue to control nearly a majority of the combined voting power of our common stock and be able to effectively control all matters submitted to our stockholders for approval until April 12, 2027, the date that is the ten-year anniversary of the closing of our IPO. This concentrated control may limit or preclude your ability to influence corporate matters for the foreseeable future, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, such as certain transfers effected for estate planning purposes. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those holders of Class B common stock who have retained their shares.
Sales of a substantial number of shares of our Class A common stock in the public markets, or the perception that sales might occur, could cause the market price of our Class A common stock to decline.
Sales of a substantial number of shares of our Class A common stock into the public market, particularly sales by our directors, executive officers, and principal stockholders, or the perception that these sales might occur, could cause the market price of our Class A common stock to decline.
In addition, we have options outstanding that, if fully exercised, would result in the issuance of shares of our Class A and Class B common stock. We also have restricted stock units (“RSUs”) outstanding that, if vested and settled, would result in the issuance of shares of Class A common stock. All of the shares of Class A and Class B common stock issuable upon the exercise of stock options and vesting of RSUs and the shares reserved for future issuance under our equity incentive plans, are registered for public resale under the Securities Act of 1933, as amended (“Securities Act”). Accordingly, these shares will be able to be freely sold in the public market upon issuance, subject to applicable vesting requirements.
Furthermore, a substantial number of shares of our Class A common stock is reserved for issuance upon the exercise of the Notes (as defined below). If we elect to satisfy our conversion obligation on the Notes solely in shares of our Class A common stock upon conversion of the Notes, we will be required to deliver the shares of our Class A common stock, together with cash for any fractional share, on the second business day following the relevant conversion date.
If securities or industry analysts do not publish or cease publishing research, or publish inaccurate or unfavorable research, about our business, the price of our Class A common stock and trading volume could decline.
The trading market for our Class A common stock will depend in part on the research and reports that securities or industry analysts publish about us or our business. If industry analysts do not publish or cease publishing research on our company, the trading price for our Class A common stock would be negatively affected. If one or more of the analysts who cover us downgrade our Class A common stock or publish inaccurate or unfavorable research about our business, our Class A common stock price would likely decline. If one or more of these analysts cease coverage of us or fail to publish reports on us on a regular basis, demand for our Class A common stock could decrease, which might cause our Class A common stock price and trading volume to decline.
44


We do not intend to pay dividends for the foreseeable future.
We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the operation of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must rely on sales of their Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
Provisions in our charter documents and under Delaware law could make an acquisition of our company more difficult, limit attempts by our stockholders to replace or remove our current board of directors, and limit the market price of our Class A common stock.
Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a change of control or changes in our management. Our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:
provide that our board of directors is classified into three classes of directors with staggered three-year terms;
permit the board of directors to establish the number of directors and fill any vacancies and newly-created directorships;
require super-majority voting to amend some provisions in our amended and restated certificate of incorporation and amended and restated bylaws;
authorize the issuance of “blank check” preferred stock that our board of directors could use to implement a stockholder rights plan;
provide that only the Chairperson of our board of directors, our Chief Executive Officer, or a majority of our board of directors are authorized to call a special meeting of stockholders;
provide for a dual class common stock structure in which holders of our Class B common stock have the ability to effectively control the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the outstanding shares of our Class A and Class B common stock, including the election of directors and significant corporate transactions, such as a merger or other sale of our company or its assets;
prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders;
provide that the board of directors is expressly authorized to make, alter or repeal our bylaws; and
advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.
Moreover, Section 203 of the Delaware General Corporation Law may discourage, delay, or prevent a change in control of our company. Section 203 imposes certain restrictions on mergers, business combinations, and other transactions between us and holders of 15% or more of our common stock.
Our amended and restated bylaws designate a state or federal court located within the State of Delaware as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit stockholders’ ability to obtain a favorable judicial forum for disputes with us.
Our amended and restated bylaws provide that the Court of Chancery of the State of Delaware will be the exclusive forum for:
any derivative action or proceeding brought on our behalf;
any action asserting a breach of fiduciary duty;
any action asserting a claim against us arising pursuant to the Delaware General Corporation Law, our amended and restated certificate of incorporation, or our amended and restated bylaws; or
45


any action asserting a claim against us that is governed by the internal affairs doctrine.
This choice of forum provision may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or any of our directors, officers, or other employees, which may discourage lawsuits with respect to such claims. Alternatively, if a court were to find the choice of forum provision contained in our amended and restated certificate of incorporation to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, results of operations and financial condition.
Risks Related to our Outstanding Convertible Notes

Servicing our debt may require a significant amount of cash. We may not have sufficient cash flow from our business to pay our indebtedness.
We have issued convertible notes due in 2025 (“2025 Notes”) and 2026 (“2026 Notes” and together with the 2025 Notes, the “Notes”). Our ability to make scheduled payments of the principal of, to pay interest on or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Our ability to refinance or raise any future indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, any of our future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt.
We may not have the ability to raise the funds necessary for cash settlement upon conversion of the Notes or to repurchase the Notes for cash upon a fundamental change, and our future debt may contain limitations on our ability to pay cash upon conversion of the Notes or to repurchase the Notes.
Holders of the Notes have the right to require us to repurchase their Notes upon the occurrence of a fundamental change (as defined in the indentures governing their respective Notes) at a repurchase price equal to 100% of the principal amount of the Notes to be repurchased, plus accrued and unpaid interest, if any. Upon conversion of the Notes, unless we elect to deliver solely shares of our Class A common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the Notes being converted. We may not have enough available cash or be able to obtain financing at the time we are required to make repurchases of Notes surrendered or Notes being converted. In addition, our ability to repurchase the Notes or to pay cash upon conversions of the Notes may be limited by law, by regulatory authority or by agreements governing our future indebtedness. Our failure to repurchase Notes at a time when the repurchase is required by the indenture governing such notes or to pay any cash payable on future conversions of the Notes as required by such indenture would constitute a default under such indenture. A default under the indenture governing the Notes or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Notes or make cash payments upon conversions.
In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could:
make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry and competitive conditions and adverse changes in government regulation;
limit our flexibility in planning for, or reacting to, changes in our business and our industry;
place us at a disadvantage compared to our competitors who have less debt;
limit our ability to borrow additional amounts to fund acquisitions, for working capital and for other general corporate purposes; and
46


make an acquisition of our company less attractive or more difficult.
Any of these factors could harm our business, results of operations and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.
The conversion features of the Notes, if triggered, may adversely affect our financial condition and results of operations.
In the event the conditional conversion features of the 2025 Notes and the 2026 Notes are triggered, holders of the Notes will be entitled to convert the Notes, as applicable, at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our Class A common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. The conditional conversion features of the 2025 Notes were triggered as of January 31, 2021 and the 2025 Notes were convertible at the option of the holders between February 1, 2021 and April 30, 2021; however, as of January 31, 2024, the conditions allowing holders of the 2025 Notes to convert were not met. From the date of issuance through January 31, 2024, the conditions allowing holders of the 2026 Notes to convert were not met.
In addition, even if holders do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital and could limit our ability to raise future capital.
Transactions relating to our Notes may affect the value of our Class A common stock.
The conversion of some or all of the Notes would dilute the ownership interests of existing stockholders to the extent we satisfy our conversion obligation by delivering shares of our Class A common stock upon any conversion of such Notes. Our 2025 Notes and 2026 Notes may become in the future convertible at the option of their holders under certain circumstances. If holders of our Notes elect to convert their notes, we may settle our conversion obligation by delivering to them a significant number of shares of our Class A common stock, which would cause dilution to our existing stockholders. We have in the past, and may in the future, engage in exchanges, repurchase, or induce conversions of the Notes. Holders of the Notes that participate in any of these exchanges, repurchases, or induced conversions may enter into or unwind various derivatives with respect to our Class A common stock or sell shares of our Class A common stock in the open market to hedge their exposure in connection with these transactions. These activities could decrease (or reduce the size of any increase in) the market price of our Class A common stock or the Notes, or dilute the ownership interests of our stockholders. In addition, the market price of our Class A common stock is likely to be affected by short sales of our Class A common stock or the entry into or unwind of economically equivalent derivative transactions with respect to our Class A common stock by investors that do not participate in the exchange transactions and by the hedging activity of the counterparties to our capped call transactions ("Capped Calls") or their respective affiliates.
In addition, in connection with the issuance of the 2025 Notes and 2026 Notes, we entered into Capped Calls with certain financial institutions (the “Option Counterparties”). The Capped Calls are generally expected to reduce potential dilution to our Class A common stock upon any conversion or settlement of the 2025 Notes and 2026 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2025 Notes and 2026 Notes, as the case may be, with such reduction and/or offset subject to a cap. If we unwind the Capped Calls in connection with Note repurchases or otherwise, we would lose the anti-dilutive impact of any unwound Capped Calls.
From time to time, the Option Counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivative transactions with respect to our Class A common stock and/or purchasing or selling our Class A common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes. This activity could cause a decrease in the market price of our Class A common stock.
47


General Risk Factors
We depend on our executive officers and other key employees, and the loss of one or more of these employees or an inability to attract and retain other highly skilled employees could harm our business.
Our success depends largely upon the continued services of our executive officers and other key employees. We rely on our leadership team in the areas of research and development, operations, security, marketing, sales, customer support, general and administrative functions, and on individual contributors in our research and development and operations functions. From time to time, there may be changes in our executive management team resulting from the hiring or departure of executives. For example, our former Chief Operating Officer did not return as an employee following his recent sabbatical, though he is continuing to serve as a director and as Vice Chairman of the Board of Directors. Such changes in our executive management team may be disruptive to our business. We do not have employment agreements with our executive officers or other key personnel that require them to continue to work for us for any specified period and they could terminate their employment with us at any time. The loss of one or more of our executive officers or key employees, and any failure to have in place and execute an effective succession plan for key executives, could harm our business. Changes in our executive management team may also cause disruptions in, and harm to, our business.
In addition, to execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel in the San Francisco Bay Area, where our headquarters is located, and in other locations where we maintain offices, is intense, especially for engineers experienced in designing and developing software and SaaS applications and experienced sales professionals. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications, and may not be able to fill positions in the desired regions, or at all. Our efforts to attract new personnel may be compounded by intensified restriction on travel, changes to immigration policy or the availability of work visas. Many of the companies with which we compete for experienced personnel have greater resources than we have. If we hire employees from competitors or other companies, their former employers may attempt to assert that these employees or we have breached their legal obligations, resulting in a diversion of our time and resources. In addition, job candidates and existing employees often consider the value of the equity awards they receive in connection with their employment. If the perceived value of our equity awards declines, it may harm our ability to recruit and retain highly skilled employees. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects could be harmed.
Catastrophic events may disrupt our business.
Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could harm our business. We have a large employee presence in San Francisco, California and the west coast of the United States contains active earthquake and wildfire zones which have the potential to disrupt our business. For example, in the fall of 2019 and 2020, PG&E shut off power to certain cities in the San Francisco Bay Area in order to reduce the risk of wildfires and this resulted in many of our employees being unable to work remotely. In the event of a major earthquake, hurricane or catastrophic event such as fire, power loss, telecommunications failure, vandalism, cyber-attack, war, terrorist attack or health epidemic (including COVID-19), we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our application development, lengthy interruptions in our products, breaches of data security and loss of critical data, all of which could harm our business, results of operations and financial condition. In addition, the insurance we maintain may be insufficient to cover our losses resulting from disasters, cyber-attacks or other business interruptions, and any incidents may result in loss of, or increased costs of, such insurance.
Item 1B. Unresolved Staff Comments
None.
Item 1C. Cybersecurity
Okta, like other companies, is subject to a wide variety of cybersecurity attacks on its systems and networks on an ongoing basis and with increasing sophistication. In addition to threats from traditional computer “hackers,” malicious code (such as malware, viruses, worms and ransomware), employee or contractor theft or misuse, password spraying, phishing and denial-of-service attacks, Okta and its third-party service providers now also face threats from sophisticated nation-state actors and organized crime groups who engage in attacks (including
48


advanced persistent threat intrusions). In the face of this threat landscape, Okta remains committed to protecting its systems, internal networks and its customers’ systems, and the information that it and they store and process.
Okta has an established cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of its critical systems, internal networks and information. This program implements policies, processes and controls to respond to cybersecurity threats and mitigate business impacts. Okta’s board of directors (the “board”) has delegated to the cybersecurity risk committee of the board (the “cybersecurity risk committee”) oversight responsibility of the cybersecurity risk management program, which includes a cybersecurity incident response plan.
Okta devotes significant resources, including human and financial capital, to create security measures, configuration policies and response plans to address cybersecurity threats. However, as a well-known provider of identity and security solutions, Okta is a particularly attractive target for such threats. For additional information related to these risks, see “Risk Factors” included under Part I, Item 1A of this Annual Report on Form 10-K. In the past we have experienced cybersecurity incidents, and we cannot anticipate when or the extent to which cybersecurity breaches will materially affect Okta or its customers’ use of Okta’s platform in the future. To date we have not identified any prior cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. There can be no assurance that Okta’s cybersecurity risk management program and processes, including its policies, controls or procedures, will be fully implemented, complied with or effective in protecting its systems and information.
Cybersecurity Risk Management and Strategy
Cybersecurity is essential for Okta. Our cybersecurity strategy is to develop a consistent framework of security controls that can apply to all business functions. To execute on this strategy, we integrate cybersecurity risk management into our broader enterprise risk management program. We also take a cross-functional approach to cybersecurity risk management by engaging teams across the business, including security, technical operations, engineering, IT, customer support, legal and communications, to implement shared processes for identifying, assessing and managing key cybersecurity risks.
We design and assess our cybersecurity risk management program against the National Institute of Standards and Technology Cybersecurity Framework (the “NIST Framework”). This does not imply that Okta satisfies any particular specifications or requirements, only that we use the NIST Framework to guide our efforts to improve our security posture.
Our cybersecurity risk management program consists of technical and organizational safeguards aimed at protecting the confidentiality of our systems and the Okta platform. From time to time, we engage external consultants and advisors to perform independent assessments and testing of our program, or otherwise assist with aspects of our program and security controls.
Key features of our cybersecurity risk management program include:
Designated security risk team. Our security risk management team is responsible for maintaining Okta’s cybersecurity risk management framework and risk assessments and tracking risk mitigation efforts. This team, together with our enterprise risk management team, monitors and regularly reports on our cybersecurity risk profile. Our internal audit team partners with these teams to provide input on the overall effectiveness of Okta’s security risk governance and management processes.
Risk assessments. We periodically perform enterprise-wide assessments to stay informed about critical security risks. Okta’s functional teams also assess risks associated with their specific activities, with supervision by the security risk management team. Functional team risk assessments follow an established framework that includes information-gathering from internal and external sources to identify risks, and evaluating the adequacy of controls to mitigate those risks. We have a management-level risk oversight committee, led by internal audit and security risk management personnel, that meets quarterly with other internal business leaders to review the results of these enterprise-wide and functional team risk assessments and evaluate the adequacy of any proposed mitigation plans.
Incident response planning. Okta’s cybersecurity incident response plan outlines the processes and procedures for responding to, remediating and resolving a security incident, and defines the roles and responsibilities of Okta personnel in responding to such incidents.



Security awareness training. We require our employees and contractors to complete general cybersecurity awareness training at least annually. These training sessions advise on how to protect Okta, our information systems and data, as well as our customers’ systems and data. From time to time we may also require supplemental cybersecurity training for certain members of our workforce depending on their job responsibilities.
Third-party risk management. We require high risk third-party vendors, suppliers and service providers to undergo a cybersecurity risk assessment prior to contracting with Okta. Certain third parties are monitored and reassessed on an ongoing basis, depending on their level of risk or in the event of changes to their products or services.
Cybersecurity Governance
Okta’s board oversees Okta’s enterprise risk management program, of which cybersecurity is a critical component. To facilitate the board’s supervision of cybersecurity matters, the board formed a cybersecurity risk committee. Among other responsibilities, the cybersecurity risk committee oversees Okta's cybersecurity program.
The cybersecurity risk committee receives regular updates from Okta’s chief security officer (the “CSO”) on our cybersecurity program. In addition, management updates the cybersecurity risk committee, as appropriate, regarding cybersecurity incidents. The cybersecurity risk committee reports to the board on its activities. In addition to receiving reports from the cybersecurity risk committee, the board periodically receives cyber risk management program briefings directly from the CSO. Additionally, the audit committee of the board receives cybersecurity updates as part of the audit committee’s oversight of Okta’s enterprise risk management program.
Our management team, including the CSO, is responsible for assessing and managing our risks from cybersecurity threats. The CSO partners with the security, technical operations, legal, internal audit, engineering and product development teams to supervise both our cybersecurity program and our retained external cybersecurity consultants, and to stay informed on Okta’s security and the overall security landscape. Our current CSO brings over 20 years of cybersecurity and risk management experience to his work at Okta, having held numerous security leadership positions in highly-regulated industries such as finance. Prior to joining Okta, the CSO was Senior Vice President and Chief Security Officer at Symantec Corporation, a leading cybersecurity company, where he had global oversight responsibility for all cybersecurity and physical security programs. His experience delivering cybersecurity at scale extends internationally, and includes security and risk management roles at companies in Australia, the United Kingdom and the United States. Our security team includes individuals with experience across a broad range of cybersecurity areas, including product security; cloud security; infrastructure security; security monitoring and incident response; identity and access management; vulnerability management; and governance, risk and compliance.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security and technical personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our technical environment.
Item 2. Properties
Our corporate headquarters is located in San Francisco, California, where we currently lease approximately 285,996 square feet under a lease, as amended, that expires in October 2028. We are entitled to two five-year options to extend this lease, subject to certain requirements. We sublease approximately 111,168 square feet of space under this lease to third parties.
We also lease space in various locations in the Americas, Europe and Asia-Pacific.
We believe that our facilities are suitable to meet our current needs. We intend to add new facilities, as necessary, as we add employees and enter new geographic markets, and we believe that suitable additional or alternative space will be available as needed to accommodate any such growth.



Item 3. Legal Proceedings
On May 20, 2022, a purported shareholder filed a putative class action lawsuit in the United States District Court for the Northern District of California against the Company and certain of its executive officers, captioned In re Okta, Inc. Securities Litigation, No. 3:22-cv-02990. The lawsuit asserts claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), alleging that the defendants made false or misleading statements or omissions concerning the Company’s cybersecurity controls, vulnerability to data breaches, and the Company’s integration of Auth0. The lawsuit seeks an order certifying the lawsuit as a class action and unspecified damages. The defendants moved to dismiss the amended complaint. On March 31, 2023, the court issued an order granting in part and denying in part the motion to dismiss. The court dismissed in full the claims based on the plaintiff’s allegations related to the Company’s cybersecurity controls and vulnerability to data breaches, and dismissed in part and denied in part the claims based on allegations related to the Auth0 integration. On November 1, 2023, the plaintiffs filed a motion for class certification, on January 17, 2024, the defendants filed a notice of non-opposition to the motion, and on February 5, 2024, the court granted the motion. The court has not otherwise issued a scheduling order, and discovery is proceeding.
Additionally, two purported shareholders filed derivative lawsuits on behalf of the Company in the United States District Court for the Northern District of California against certain of its current and former executive officers and directors, captioned O’Dell v. McKinnon et al., No. 3:22-cv-07480 (filed Nov. 28, 2022), and LR Trust v. McKinnon et al., No. 3:22-cv-08627 (filed Dec. 13, 2022). The lawsuits allege, among other things, that the defendants breached their fiduciary duties by making false or misleading statements or omissions concerning the Company’s cybersecurity controls, vulnerability to data breaches, and the Company’s integration of Auth0. The lawsuits seek orders permitting the plaintiffs to maintain the actions derivatively on behalf of the Company, awarding unspecified damages allegedly sustained by the Company, awarding restitution from the individual defendants, and requiring the Company to make certain reforms to its corporate governance and controls. On February 22, 2023, the court entered a stipulated order consolidating the derivative actions, appointing co-lead counsel for plaintiffs, and staying the consolidated derivative actions during the pendency of the motion to dismiss in the securities class action lawsuit. The consolidated derivative action is captioned In re Okta, Inc. Stockholder Derivative Litigation, No. 3:22-cv-07480. On May 9, 2023, the court entered a stipulated order continuing the stay through the close of discovery in the securities class action lawsuit.
On April 14, 2023, another shareholder filed a substantially similar derivative lawsuit in the United States District Court for the District of Delaware against certain of the Company’s current and former executive officers and directors, captioned Buono v. McKinnon et al., No. 1:23-cv-00413. On May 31, 2023, the court entered a stipulated order whereby the defendants agreed to accept service and stay the derivative action through the close of discovery in the securities class action lawsuit.
On January 25, 2024, another shareholder filed a substantially similar derivative lawsuit in the United States District Court for the District of Delaware against certain of the Company’s current and former executive officers and directors, captioned Nasr v. McKinnon, et al., No. 1:24-cv-00106.
The Company is defending these lawsuits vigorously.
See Note 10 to our consolidated financial statements "Commitments and Contingencies" for information related to legal proceedings.
Item 4. Mine Safety Disclosures
Not Applicable.

51


Part II
Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Market Information and Holders
Our Class A common stock has been listed on the Nasdaq Global Select Market under the symbol "OKTA" since April 7, 2017. Prior to that date, there was no public trading market for our Class A common stock. Our Class B common stock is not listed or traded on any stock exchange.
As of February 26, 2024, we had 68 holders of record of our Class A common stock and 17 holders of record of our Class B common stock. The actual number of Class A beneficial stockholders is substantially greater than the number of holders of record because a large portion of our Class A common stock is held in street name by brokers and other nominees.
Dividend Policy
We have never declared or paid cash dividends on our capital stock. We currently intend to retain any future earnings for use in the operation of our business and do not intend to declare or pay any cash dividends in the foreseeable future. Any further determination to pay dividends on our capital stock will be at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors considers relevant.
52


Stock Performance Graph
This performance graph shall not be deemed "soliciting material" or to be "filed" with the Securities and Exchange Commission ("SEC") for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any filing of Okta, Inc. under the Securities Act of 1933, as amended ("Securities Act") or the Exchange Act.
The following graph shows a five-year comparison of cumulative total return (equal to dividends plus stock appreciation) for our Class A common stock, the Standard & Poor’s 500 Index ("S&P 500 Index") and Standard & Poor's Information Technology Index ("S&P 500 Information Technology Index"). All values assume a $100 initial investment, and data for the S&P 500 Index and S&P 500 Information Technology Index assume reinvestment of dividends. The comparisons are based on historical data and are not indicative of, nor intended to forecast, the future performance of our Class A common stock.
2450
Company/Index1/31/20191/31/20201/31/20211/31/20221/31/20231/31/2024
Okta$100 $155 $314 $240 $89 $100 
S&P 500 Index 100 122 143 176 161 195 
S&P 500 Information Technology Index 100 146 200 253 214 320 
53


Securities Authorized for Issuance under Equity Compensation Plans
The information required by this item with respect to our equity compensation plans is incorporated by reference to our 2024 Annual Report to Stockholders, which includes our Proxy Statement for the 2024 Annual Meeting of Stockholders to be filed with the SEC within 120 days of the fiscal year ended January 31, 2024.
Unregistered Sales of Equity Securities
In connection with conversions of certain convertible notes due in 2023 ("2023 Notes") during the fiscal year ended January 31, 2024, we issued 81 shares of our Class A common stock. These issuances were made in reliance on the exemption from registration provided by Section 4(a)(2) of the Securities Act. We relied on this exemption from registration based in part on representations made by the holders of the 2023 Notes in the exchange agreements pursuant to which the shares of Class A Common Stock were issued.
Issuer Purchases of Equity Securities
None.
Item 6. [Reserved]
54

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS
Item 7. MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. Amounts reported in millions are rounded based on the amounts in thousands. As a result, the sum of the components reported in millions may not equal the total amount reported in millions due to rounding. In addition, percentages presented may not add to their respective totals or recalculate due to rounding. In addition to historical financial information, the following discussion contains forward-looking statements that are based upon current plans, expectations and beliefs that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth under the section titled “Risk Factors” under Part I, Item 1A of this Annual Report on Form 10-K. Our fiscal year ends January 31. References to fiscal 2024, for example, refer to the fiscal year ended January 31, 2024.
Overview
Okta is the leading independent identity partner. Our Workforce Identity Cloud and Customer Identity Cloud, powered by Auth0, enable our customers to securely connect the right people to the right technologies and services at the right time. Every day, thousands of organizations and millions of people use Okta to securely access a wide range of cloud, mobile, web and Software-as-a-Service ("SaaS") applications, on-premises servers, application programming interfaces, IT infrastructure providers and services from a multitude of devices. Employees and contractors sign into the Workforce Identity Cloud to seamlessly and securely access the applications they need to do their most important work. Organizations use our platform to collaborate with their partners and to provide their customers with more modern and secure experiences in the cloud and via mobile devices. Developers leverage our Customer Identity Cloud and Workforce Identity Cloud to securely and efficiently embed identity into the software they build, allowing them to innovate and focus on their core missions.
Given the growth trends in the number of applications and cloud adoption and the movement to remote and hybrid workforces, identity is becoming the most critical layer of an organization’s security. As organizations shift from network-based security models to a Zero Trust security model focusing on adaptive and context-aware controls, identity has become the most reliable way to manage user access and protect digital assets. Our approach to identity allows our customers to simplify and efficiently scale their security infrastructures across internal IT systems and external customer facing applications.
As of January 31, 2024, more than 18,950 customers across nearly every industry used Okta to secure and manage identities around the world. Our customers consist of leading global organizations ranging from the largest enterprises, to small and medium-sized businesses, universities, non-profits and government agencies. We also partner with leading application, IT infrastructure and security vendors through our Okta Integration Network. As of January 31, 2024, we had over 7,000 integrations with these cloud, mobile and web applications and IT infrastructure and security vendors.
We employ a SaaS business model and generate revenue primarily by selling multi-year subscriptions to our cloud-based offerings. We focus on acquiring and retaining our customers and increasing the value we provide to our customers over time, and thus their spending with us through expanding the number of users who access our Workforce Identity Cloud and Customer Identity Cloud and up-selling additional product offerings. We sell our product offerings directly through our field and inside sales teams, as well as indirectly through our network of channel partners, including resellers, system integrators and other distribution partners. Our subscription fees include the use of our service and our technical support and management of our platform. We base subscription fees primarily on the products used and the number of users on our platform. We typically invoice customers in advance in annual installments for subscriptions to our platform.
Our revenue is relatively predictable as a result of our subscription-based business model, which constituted approximately 97% of total revenue for fiscal 2024. Future growth may be impacted by longer sales cycles, which we have experienced, which in turn, could result in delays in deals closing, creating near-term headwinds for cash flow, remaining performance obligations (“RPO”) and billings growth as well as potential future impacts on revenue growth and other key metrics on a trailing basis.
55

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Impact of Cybersecurity Incidents
In the past we have experienced cybersecurity incidents, such as the January 2022 incident involving one of our third-party service providers and the October 2023 incident where a threat actor gained unauthorized access to and stole information from our third-party customer support system, that harmed our reputation and customer relations, adversely impacted our financial results and may create additional liabilities. While we expect the impact of these security incidents to adversely affect our future financial performance, we cannot predict the extent of such impact with certainty. Due to the nature of our business, the announcement of any security incidents, even if not significant, could have these impacts.
Impact of Current Economic Conditions
Worldwide economic uncertainties and negative trends, including financial and credit market fluctuations, uncertainty in the banking sector, rising interest rates, inflation and other impacts from the macroeconomic environment have, and could continue to, adversely affect our business operations or financial results. As we continue to monitor the direct and indirect impacts of these circumstances, the broader implications of these macroeconomic events on our business, results of operations and overall financial position remain uncertain. See the section titled “Risk Factors'' included under Part I, Item 1A above for further discussion of the possible impact of these factors and other risks on our business.
Financial Information and Segments
We operate our business as one reportable segment. For fiscal 2024, 2023 and 2022, our revenue was $2,263 million, $1,858 million and $1,300 million, respectively, representing a growth rate of 22% and 43% in fiscal 2024 and 2023, respectively. For fiscal 2024, 2023 and 2022, we generated net losses of $355 million, $815 million and $848 million, respectively. Our accumulated deficit as of January 31, 2024 was $2,830 million.
Key Business Metrics 
We review a number of operating and financial metrics, including the following key metrics, to evaluate our business, measure our performance, identify trends affecting our business, formulate business plans, and make strategic decisions.
 As of January 31,
202420232022
 (dollars in millions)
Number of customers18,950 17,600 15,000 
Customers with annual contract value ("ACV") above $100,000 4,485 3,930 3,100 
Dollar-based net retention rate for the trailing 12 months ended111 %120 %124 %
Current remaining performance obligations$1,952 $1,684 $1,351 
Remaining performance obligations$3,385 $3,007 $2,694 
Total Customers and Number of Customers with Annual Contract Value Above $100,000
As of January 31, 2024, we had over 18,950 customers on our platform. We believe that our ability to increase the number of customers on our platform is an indicator of our market penetration, the growth of our business, and our potential future business opportunities. Increasing awareness of our platform and capabilities, coupled with the mainstream adoption of cloud technology, has expanded the diversity of our customer base to include organizations of all sizes across all industries. The number of customers who have greater than $100,000 in ACV with us was 4,485, 3,930 and 3,100 as of January 31, 2024, 2023 and 2022, respectively. We expect this trend to continue as larger enterprises recognize the value of our platform and replace their legacy identity access management infrastructure. We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution, or a distinct business unit of a large company that has an active contract with us or one of our partners to access our platform. For purposes of determining our customer count, we do not include customers that use our platform under self-service arrangements only.
56

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Dollar-Based Net Retention Rate
Part of our ability to generate revenue is dependent upon our ability to maintain our relationships with our customers and to increase their utilization of our platform. We believe we can achieve these goals by focusing on delivering value and functionality that enables us to both retain our existing customers and expand the number of users and products used within an existing customer. We assess our performance in this area by measuring our Dollar-Based Net Retention Rate. Our Dollar-Based Net Retention Rate measures our ability to increase revenue across our existing customer base through expansion of users and products associated with a customer as offset by churn and contraction in the number of users and/or products associated with a customer.
Our Dollar-Based Net Retention Rate is based upon our ACV which is calculated based on the terms of that customer’s contract and represents the total contracted annual subscription amount as of that period end. We calculate our Dollar-Based Net Retention Rate as of a period end by starting with the ACV from all customers as of twelve months prior to such period end ("Prior Period ACV"). We then calculate the ACV from these same customers as of the current period end ("Current Period ACV"). Current Period ACV includes any upsells and is net of contraction or churn over the trailing twelve months but excludes ACV from new customers in the current period. We then divide the Current Period ACV by the Prior Period ACV to arrive at our Dollar-Based Net Retention Rate. Our Dollar-Based Net Retention Rate is inclusive of ACV from self-service customers.
Our strong Dollar-Based Net Retention Rate is primarily attributable to gross retention, an expansion of users and upselling additional products within our existing customers. Larger enterprises often implement a limited initial deployment of our platform before increasing their deployment on a broader scale. The decrease in our Dollar-Based Net Retention Rate as of January 31, 2024, compared to January 31, 2023, was primarily a result of the macroeconomic environment, with ACV from existing customers increasing at a slower rate in the current period.
Remaining Performance Obligations ("RPO")
RPO represent all future, non-cancelable, contracted revenue under our subscription contracts with customers that has not yet been recognized, inclusive of deferred revenue that has been invoiced and non-cancelable amounts that will be invoiced and recognized as revenue in future periods. Current RPO represents the portion of RPO expected to be recognized during the next 12 months. RPO fluctuates due to a number of factors, including the timing, duration and dollar amount of customer contracts and fluctuations in foreign currency exchange rates.
Components of Results of Operations
Revenue
Subscription Revenue. Subscription revenue primarily consists of fees for access to and usage of our cloud-based platform and related support. Subscription revenue is driven primarily by the number of customers, the number of users per customer and the products used. We typically invoice customers in advance in annual installments for subscriptions to our platform.
Professional Services and Other. Professional services revenue includes fees from assisting customers in implementing and optimizing the use of our products. These services include application configuration, system integration and training services.
We generally invoice customers as the work is performed for time-and-materials arrangements, and up front for fixed fee arrangements. Professional services revenue is recognized as the services are performed.
Overhead Allocation and Employee Compensation Costs
We allocate shared costs, such as facilities costs (including rent, utilities and depreciation on assets shared by all departments), certain information technology costs and recruiting costs to all departments based on headcount. As such, allocated shared costs are reflected in each of the cost of revenue and operating expense categories. Employee compensation costs reflected in each of the cost of revenue and operating expense categories include salaries, bonuses, compensation related taxes, benefits and stock-based compensation. Additionally included in the sales and marketing expense category are sales commissions and related taxes.
57

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Cost of Revenue and Gross Margin
Cost of Subscription. Cost of subscription primarily consists of expenses related to hosting our services and providing support. These expenses include employee-related costs associated with our cloud-based infrastructure and our customer support organization, third-party hosting fees, software and maintenance costs, outside services associated with the delivery of our subscription services, amortization expense associated with capitalized internal-use software and acquired developed technology and allocated overhead.
We intend to continue to invest additional resources in our platform infrastructure, our platform support organizations and security posture. We will continue to invest in technology innovation and we anticipate that costs qualifying for capitalization of internal-use software costs and related amortization may fluctuate over time. We expect our investment in technology to expand the capability of our platform, enabling us to improve our gross margin over time. The level and timing of investment in these areas could affect our cost of subscription revenue in the future.
Cost of Professional Services and Other. Cost of professional services consists primarily of employee-related costs for our professional services delivery team, travel-related costs, allocated overhead and costs of outside services associated with supplementing our professional services delivery team. The cost of providing professional services has historically been higher than the associated revenue we generate.
Gross Margin. Gross margin is gross profit expressed as a percentage of total revenue. Our gross margin may fluctuate from period to period as a result of the timing and amount of investments to expand our hosting capacity and our continued efforts to build platform support and professional services teams.
Operating Expenses
Research and Development. Research and development expenses consist primarily of employee compensation costs and allocated overhead. We believe that continued investment in our platform is important for our growth.
Sales and Marketing. Sales and marketing expenses consist primarily of employee compensation costs, costs of general marketing and promotional activities, travel-related expenses, amortization expense associated with acquired customer relationships (including unbilled and unrecognized contracts yet to be fulfilled) and trade names and allocated overhead. Commissions earned by our sales force that are considered incremental and recoverable costs of obtaining a contract with a customer are deferred and then amortized on a straight-line basis over a period of benefit that we have determined to be generally five years.
General and Administrative. General and administrative expenses consist primarily of employee compensation costs for finance, accounting, legal, information technology and human resources personnel. In addition, general and administrative expenses include acquisition and integration-related costs, non-personnel costs, such as legal, accounting and other professional fees, charitable contributions, and all other supporting corporate expenses, such as information technology, not allocated to other departments.
Restructuring and Other Charges. Restructuring and other charges consist primarily of personnel costs, such as notice period, employee severance payments and termination benefits. In addition, restructuring and other charges include certain lease impairment charges.
Interest and Other, Net
Interest and other, net consists of interest expense, which primarily includes amortization of debt issuance costs and contractual interest expense for our convertible senior notes, interest income from our investment holdings, gains on early extinguishment of debt and gains and losses from our strategic investments.
Provision for (Benefit from) Income Taxes
Our provision for (benefit from) income taxes consists of federal and state income taxes in the United States and income taxes in certain foreign jurisdictions where we operate. The difference between our effective tax rate and the federal statutory rate is primarily due to a valuation allowance against U.S. deferred tax assets, the tax effect of foreign operations and state taxes.
58

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Results of Operations
The following table sets forth our results of operations for the periods presented:
 Year Ended January 31,
 202420232022
 (dollars in millions)
Revenue
Subscription$2,205 $1,794 $1,249 
Professional services and other58 64 51 
Total revenue2,263 1,858 1,300 
Cost of revenue
Subscription(1)
502 464 329 
Professional services and other(1)
79 82 67 
Total cost of revenue581 546 396 
Gross profit1,682 1,312 904 
Operating expenses
Research and development(1)
656 620 469 
Sales and marketing(1)
1,036 1,066 771 
General and administrative(1)
450 409 432 
Restructuring and other charges56 29 — 
Total operating expenses2,198 2,124 1,672 
Operating loss(516)(812)(768)
Interest expense(8)(11)(91)
Interest income and other, net81 22 
Gain on early extinguishment of debt
106 — — 
Interest and other, net179 11 (82)
Loss before provision for (benefit from) income taxes(337)(801)(850)
Provision for (benefit from) income taxes18 14 (2)
Net loss$(355)$(815)$(848)
(1) Includes stock-based compensation expense as follows:
 Year Ended January 31,
 202420232022
(dollars in millions)
Cost of subscription revenue$75 $69 $49 
Cost of professional services and other revenue15 14 12 
Research and development277 275 193 
Sales and marketing156 159 136 
General and administrative161 160 176 
Total stock-based compensation expense$684 $677 $566 
59

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

The following table sets forth our results of operations for the periods presented as a percentage of our total revenue:
 Year Ended January 31,
 202420232022
Revenue 
Subscription97 %97 %96 %
Professional services and other
Total revenue100 100 100 
Cost of revenue
Subscription22 25 25 
Professional services and other
Total cost of revenue26 29 30 
Gross profit74 71 70 
Operating expenses
Research and development29 33 36 
Sales and marketing46 58 59 
General and administrative20 22 34 
Restructuring and other charges— 
Total operating expenses97 115 129 
Operating loss(23)(44)(59)
Interest expense— (1)(7)
Interest income and other, net
Gain on early extinguishment of debt
— — 
Interest and other, net(6)
Loss before provision for (benefit from) income taxes(15)(43)(65)
Provision for (benefit from) income taxes— 
Net loss(16)%(44)%(65)%
60

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
A discussion regarding our financial condition and results of operations for fiscal 2024 compared to fiscal 2023 is presented below. A discussion regarding our financial condition and results of operations for fiscal 2023 compared to fiscal 2022 can be found under Item 7 in our Annual Report on Form 10-K for fiscal 2023, filed with the SEC on March 3, 2023, which is available free of charge on the SEC’s website at www.sec.gov and our Investor Relations website at investor.okta.com.
Comparison of the Years Ended January 31, 2024 and 2023
Revenue
 Year Ended January 31,
 20242023$ Change
% Change  
 (dollars in millions)
Revenue:   
Subscription$2,205 $1,794 $411 23 %
Professional services and other58 64 (6)(10)
Total revenue$2,263 $1,858 $405 22 %
Percentage of revenue:   
Subscription97 %97 %  
Professional services and other  
Total100 %100 %  
For fiscal 2024, the increase in subscription revenue was primarily due to the addition of new customers, an increase in users and sales of additional products to existing customers. The increase in revenue was attributable to a 8% increase in total customers, from over 17,600 as of January 31, 2023, to over 18,950 as of January 31, 2024, and revenue from existing customers as reflected in our Dollar-Based Net Retention Rate of 111% as of January 31, 2024.
For fiscal 2024, the decrease in professional services and other revenue was due to lower bookings associated with professional services.
Cost of Revenue, Gross Profit and Gross Margin
 Year Ended January 31,
 20242023$ Change
% Change
 (dollars in millions)
Cost of revenue:   
Subscription$502 $464 $38 %
Professional services and other79 82 (3)(4)
Total cost of revenue$581 $546 $35 %
Gross profit$1,682 $1,312 $370 28 %
Gross margin:   
Subscription77 %74 %  
Professional services and other(36)(27)  
Total gross margin74 %71 %  
For fiscal 2024, cost of subscription revenue increased primarily due to an increase of $22 million in employee compensation costs, an increase of $7 million in software costs and an increase of $5 million in third-party hosting costs as we expanded capacity to support our growth.
Our gross margin for subscription revenue improved from 74% to 77% during fiscal 2024. The increase was primarily driven by improved spend efficiency resulting in lower relative cost of subscription revenue.
For fiscal 2024, cost of professional services and other revenue decreased slightly.
61

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Our gross margin for professional services and other revenue decreased to (36)% during fiscal 2024 from (27)% during fiscal 2023 primarily due to a decrease in professional services and other revenue.
Operating Expenses
Research and Development Expenses
 Year Ended January 31,
 20242023$ Change
% Change  
 (dollars in millions)
Research and development$656 $620 $36 %
Percentage of revenue29 %33 %  
For fiscal 2024, research and development expenses increased primarily due to an increase of $39 million in employee compensation costs. We expect our research and development expenses will increase in absolute dollars as our business grows.
Sales and Marketing Expenses
 Year Ended January 31,
 20242023$ Change
% Change  
 (dollars in millions)
Sales and marketing$1,036 $1,066 $(30)(3)%
Percentage of revenue46 %58 %  
For fiscal 2024, sales and marketing expenses decreased primarily due to a decrease in marketing costs of $15 million and a decrease in amortization expense of $9 million for acquired customer relationships and trade names. The decrease in sales and marketing expenses as a percentage of total revenue was primarily driven by improved spend efficiency. We expect our sales and marketing expenses will continue to be our largest operating expense category for the foreseeable future. We expect sales and marketing expenses as a percentage of total revenue to decrease as our total revenue grows.
General and Administrative Expenses
 Year Ended January 31,
 20242023$ Change
% Change  
 (dollars in millions)
General and administrative$450 $409 $41 10 %
Percentage of revenue20 %22 %  
For fiscal 2024, general and administrative expenses increased primarily due to an increase of $26 million in employee compensation costs. We expect general and administrative expenses as a percentage of total revenue to decrease as our total revenue grows.
62

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Restructuring and Other Charges
 Year Ended January 31,
 20242023$ Change
% Change  
 (dollars in millions)
Restructuring and other charges$56 $29 $27 92 %
Percentage of revenue%%  
For fiscal 2024, restructuring and other charges increased primarily due to an increase of $14 million in lease impairment charges and an increase of $13 million in severance and termination benefit costs.
Interest and Other, Net
 Year Ended January 31,
 20242023$ Change
% Change  
 (dollars in millions)
Interest expense$(8)$(11)$(25)%
Interest income and other, net81 22 59 265 
Gain on early extinguishment of debt
106 — 106 — 
Interest and other, net$179 $11 $168 1,571 %
For fiscal 2024, the change in interest and other, net was primarily due to the gain on early extinguishment of debt related to repurchases of convertible senior notes and an increase in interest income from our short-term investments.
Provision for Income Taxes
 Year Ended January 31,
 20242023$ Change
% Change  
 (dollars in millions)
Provision for income taxes
$18 $14 $31 %
For fiscal 2024, income tax expense resulted primarily from income in profitable foreign jurisdictions, federal and state taxes resulting from tax attribution utilization limitations, and the tax impact of shortfalls from stock-based compensation in the United Kingdom.
For fiscal 2023, income tax expense resulted primarily from income from profitable foreign jurisdictions, the tax impact of shortfalls from stock-based compensation in the United Kingdom, and state taxes.
The Organization for Economic Cooperation and Development ("OECD") and many countries have proposed to reallocate some portion of profits of large multinational companies with global revenues exceeding EUR 20 billion to markets where sales arise ("Pillar One"), as well as enacted a global minimum tax rate of at least 15% for multinationals with global revenues exceeding EUR 750 million ("Pillar Two"), with additional countries considering or intending to adopt these proposals. In December 2022, the Council of the European Union ("EU") formally adopted the EU Minimum Tax Directive, which would require member states to adopt Pillar Two into their domestic law. The directive requires the rules to initially become effective for fiscal years starting on or after December 31, 2023. Certain jurisdictions in which we operate have enacted Pillar Two legislation, with other countries considering changes to their tax laws to adopt the OECD's proposals. The enactment of Pillar Two legislation is not expected to have a material adverse effect in fiscal 2025, on our effective tax rate, financial position, results of operations and cash flows. We will continue to monitor and reflect the impact of such legislative changes in future financial statements as appropriate.
63

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Liquidity and Capital Resources
As of January 31, 2024, our principal sources of liquidity were cash, cash equivalents and short-term investments totaling $2,202 million, which were held for working capital and general corporate purposes, including potential future acquisition activity. Our cash equivalents and investments consisted primarily of U.S. treasury securities, money market funds, corporate debt securities and certificates of deposit. Historically, we have generated significant operating losses and both positive and negative cash flows from operations as reflected in our accumulated deficit and consolidated statements of cash flows.
Recent macroeconomic events, including rising interest rates, global inflation and bank failures, have led to further economic uncertainty in the global economy. To mitigate risk, our cash and cash equivalents are distributed across large financial institutions. In addition, we have policy restrictions in place on the types of securities that can be purchased as part of our available-for-sale securities portfolio. These restrictions take credit quality, liquidity and diversification into consideration among other criteria. We continue to monitor the impacts of this situation; however, there can be no assurances that conditions in the banking sector and in global financial markets will not worsen and/or adversely affect us.
Effective the first quarter of fiscal 2025, we intend to satisfy employee payroll tax withholding due upon the vesting of share-based compensation awards with our own funds under the "net share settlement" approach. Previously, payroll tax withholding was satisfied via the sale of shares of our common stock in the open market. The net share settlement approach reduces our equity dilution rate by covering such withholding tax obligations from existing cash reserves and impacts future liquidity. The cash outflow to cover these tax obligations is classified as a financing activity in the statement of cash flows.
In September 2019, we completed our private offering of the 2025 convertible senior notes ("2025 Notes") due on September 1, 2025 and received aggregate gross proceeds of $1,060 million. The interest rate on the 2025 Notes is fixed at 0.125% per year and is payable semi-annually in arrears on March 1 and September 1 of each year, beginning on March 1, 2020. In connection with the 2025 Notes, we used a portion of the proceeds to enter into capped call transactions ("2025 Capped Calls") with respect to our Class A common stock.
In June 2020, we completed our private offering of the 2026 convertible senior notes ("2026 Notes") due on June 15, 2026 and received aggregate gross proceeds of $1,150 million. The interest rate on the 2026 Notes is fixed at 0.375% per year and is payable semi-annually in arrears on June 15 and December 15 of each year, beginning on December 15, 2020. In connection with the 2026 Notes, we used a portion of the proceeds to enter into capped call transactions ("2026 Capped Calls") with respect to our Class A common stock.
In the ordinary course of our business, we may, at any time and from time to time, seek to extinguish our outstanding Notes through cash purchases and/or exchanges for equity, in open-market purchases, privately negotiated transactions or otherwise. Such extinguishments, if any, will be conducted on such terms and at such prices as we may determine, and will depend on our evaluation of the prevailing market conditions, trading price of the 2025 Notes and 2026 Notes (collectively, "the Notes"), our liquidity requirements, legal and contractual restrictions and other factors. During fiscal 2024, we repurchased $508 million principal amount of the 2025 Notes for $462 million in cash and $542 million principal amount of the 2026 Notes for $475 million in cash, which resulted in an aggregate gain on early extinguishment of debt of $106 million. The 2025 Capped Calls and 2026 Capped Calls remained outstanding notwithstanding such repurchase. We may, however, elect to terminate the 2025 Capped Calls or 2026 Capped Calls, in full or in part. In connection with any such termination, the option counterparties or their respective affiliates are expected to modify their hedge positions, which activity could affect the market price of our Class A common stock or the trading price of the Notes that remain outstanding. See Note 8 to our consolidated financial statements “Convertible Senior Notes, Net” and the section titled “Transactions relating to our Notes may affect the value of our Class A common stock” in “Risk Factors” included under Part I, Item 1A of this Annual Report on Form 10-K for additional information.
On August 2, 2021, we completed the acquisition of Townsend Street Labs, Inc. ("atSpoke"), providing total cash consideration, net of cash acquired of $79 million. Of this amount, $13 million of consideration was held back as partial security for any adjustments and indemnification obligations and was paid during fiscal 2024.
64

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
On February 1, 2024, we completed the acquisition of Spera Cybersecurity, Inc. and its subsidiary ("Spera"). Total net consideration, subject to final adjustments, consists of approximately $80 million of cash and our Class A common stock. See Note 16 to our consolidated financial statements "Subsequent Events" for additional information.
We believe our existing cash and cash equivalents, our investments and cash provided by sales of our products and services will be sufficient to meet our short-term and long-term projected working capital and capital expenditure needs for the foreseeable future. Our future capital requirements will depend on many factors, including our subscription growth rate, subscription renewal activity, billing frequency, the timing and extent of spending to support development efforts, the expansion of sales and marketing activities, the expansion of our international operations, the introduction of new and enhanced product offerings, and the continuing market adoption of our platform. We continue to assess our capital structure and evaluate the merits of deploying available cash. We may in the future enter into arrangements to acquire or invest in complementary businesses, services and technologies, including intellectual property rights. We may be required to seek additional equity or debt financing. In the event that additional financing is required from outside sources, we may not be able to raise it on terms acceptable to us or at all. If we are unable to raise additional capital or generate cash flows necessary to expand our operations and invest in new technologies this could reduce our ability to compete successfully and harm our results of operations.
A significant majority of our customers pay in advance for annual subscriptions. Therefore, a substantial source of our cash is from our deferred revenue, which is included on our consolidated balance sheet as a liability. Deferred revenue consists of the unearned portion of billed fees for our subscriptions, which is recognized as revenue in accordance with our revenue recognition policy. As of January 31, 2024, we had deferred revenue of $1,511 million, of which $1,488 million was recorded as a current liability and is expected to be recorded as revenue in the next 12 months, provided all other revenue recognition criteria have been met.
Cash Flows
The following table summarizes our cash flows for the periods indicated:
 Year Ended January 31,
 202420232022
 (dollars in millions)
Net cash provided by operating activities$512 $86 $104 
Net cash provided by (used in) investing activities
441 (130)(367)
Net cash provided by (used in) financing activities(883)48 89 
Effects of changes in foreign currency exchange rates on cash, cash equivalents and restricted cash(6)(2)
Net increase (decrease) in cash, cash equivalents and restricted cash
$71 $(2)$(176)
Operating Activities
Our largest source of operating cash is cash collections from our customers for subscription and professional services. Our primary uses of cash from operating activities are for employee-related expenditures, marketing expenses and third-party hosting costs.
During fiscal 2024, cash provided by operating activities was $512 million, an increase of $426 million compared to fiscal 2023. The increase was primarily attributable to an increase in cash received from customers and improved spend efficiency, partially offset by an increase in cash paid to vendors.
Investing Activities
During fiscal 2024, cash provided by investing activities was $441 million, compared to cash used in investing activities of $130 million during fiscal 2023. The change was primarily attributable to an increase in cash provided from investment maturities and sales, net of purchases, partially offset by cash paid for business acquisitions, net of cash acquired.
65

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Financing Activities
During fiscal 2024, cash used in financing activities was $883 million, compared to cash provided by financing activities of $48 million during fiscal 2023. The change was primarily attributable to payments made for repurchases of the Notes.
Material Cash Requirements
Contractual Obligations
The following table represents the Company’s known short-term (i.e., the next twelve months) and long-term (i.e., beyond the next twelve months) obligations as of January 31, 2024:
Short-termLong-termTotal
(dollars in millions)
Convertible Senior Notes:(1)
    Principal payments$— $1,160 $1,160 
    Interest payments
Operating leases(2)
37 124 161 
Purchase obligations(3)
262 240 502 
Total contractual obligations$302 $1,528 $1,830 
(1) See Note 8 to our consolidated financial statements "Convertible Senior Notes, Net" for additional information.
(2) See Note 9 to our consolidated financial statements "Leases" for additional information.
(3) Purchase obligations primarily relate to data center hosting facilities, and other sales and marketing obligations.
Indemnification Agreements
In the ordinary course of business, we enter into agreements of varying scope and terms pursuant to which we agree to indemnify customers, vendors, lessors, business partners and other parties with respect to certain matters, including, but not limited to, losses arising out of the breach of such agreements, services to be provided by us or from intellectual property infringement claims made by third parties. In addition, we have entered into indemnification agreements with our directors and certain officers and employees that will require us, among other things, to indemnify them against certain liabilities that may arise by reason of their status or service as directors, officers or employees. No material demands have been made upon us to provide indemnification under such agreements and there are no claims that we are aware of that could have a material effect on our consolidated balance sheets, consolidated statements of operations and comprehensive loss, or consolidated statements of cash flows.
Critical Accounting Estimates
We prepare our consolidated financial statements in accordance with accounting principles generally accepted in the United States of America. In the preparation of these consolidated financial statements, we are required to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenue, costs and expenses, and related disclosures. To the extent that there are material differences between these estimates and actual results, our financial condition or results of operations would be affected. We base our estimates on past experience and other assumptions that we believe are reasonable under the circumstances, and we evaluate these estimates on an ongoing basis. We refer to accounting estimates of this type as critical accounting estimates, which we discuss below.
Income Taxes
Income taxes are accounted for in accordance with the liability method. Under this method, deferred tax assets and liabilities are recognized for the expected future tax consequences of temporary differences between the financial reporting and tax basis of assets and liabilities, as well as for operating loss and tax credit carryforwards.
66

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Deferred tax assets and liabilities are measured using enacted tax rates that are expected to apply to taxable income for the years in which those tax assets and liabilities are expected to be realized or settled.
Valuation allowances are established when necessary to reduce deferred tax assets to the amounts that are more likely than not expected to be realized based on the weighting of positive and negative evidence. Future realization of deferred tax assets ultimately depends on the existence of sufficient taxable income of the appropriate character, within the carry-back or carry-forward periods available under the applicable tax law. In assessing the need for a valuation allowance, we consider available evidence, including past operating results, estimates of future taxable income, and the feasibility of tax planning strategies. Our judgment regarding future estimates may change due to many factors, including future market conditions and the ability to successfully execute our business plans and tax planning strategies. Should there be a change in the ability to recover deferred tax assets, our provision for income taxes would increase or decrease in the period in which the assessment is changed.
Our tax positions are subject to income tax audits by multiple tax jurisdictions throughout the world. We recognize the tax benefit of an uncertain tax position only if it is more likely than not that the position is sustainable upon examination by the taxing authority, based on the technical merits. Significant judgment is required in determining the technical merits of an uncertain tax position, such as taking into account current tax laws, our interpretation of current tax laws and possible outcomes of current and future audits conducted by foreign and domestic tax authorities. We adjust these reserves in light of changing facts and circumstances, such as the closing of a tax audit or the refinement of an estimate. To the extent the final tax outcome of these matters is different than the amounts recorded, such differences may impact the provision for income taxes in the period in which such determination is made.
Business Combinations
When we acquire a business, the purchase price is allocated to the acquired assets, including separately identifiable intangible assets, and assumed liabilities at their respective estimated fair values. Any residual purchase price is recorded as goodwill. The allocation of the purchase price requires management to make significant estimates in determining the fair values of assets acquired and liabilities assumed, especially with respect to intangible assets. These estimates can include, but are not limited to:
future expected cash flows from subscription contracts, professional services contracts, other customer contracts and acquired developed technologies;
person hours required in recreating certain acquired technologies;
historical and expected customer attrition rates and anticipated growth in revenue from acquired customers;
royalty rates applied to acquired developed technology platforms and other intangible assets;
obsolescence curves and other useful life assumptions, such as the period of time and intended use of acquired intangible assets in our product offerings;
discount rates;
uncertain tax positions and tax-related valuation allowances; and
fair value of assumed equity awards.
These estimates are inherently uncertain and unpredictable, and unanticipated events and circumstances may occur that may affect the accuracy or validity of such assumptions, estimates or actual results.
If the initial accounting for a business combination is not complete following the acquisition date, we report provisional amounts for the known assets, liabilities, equity interests, or items of consideration for which the accounting is incomplete at the end of the financial reporting period. Provisional accounting is inherently subjective and judgmental. The objective of the measurement period is to provide a reasonable period of time to obtain the information necessary to complete all aspects of business combination accounting with a high level of confidence. During the measurement period, which may be up to one year from the acquisition date, adjustments to the reported
67

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
provisional amounts may be recorded for which the accounting was incomplete, with the corresponding offset to goodwill. Should the accounting for a business combination be incomplete by the end of a reporting period that falls within the measurement period, we report provisional amounts in our financial statements, disclosing them as provisional, and any material measurement period adjustments are identified as such. Additional assets acquired or liabilities assumed in an acquisition that were not recognized at the acquisition date might be identified during the measurement period. Upon the conclusion of the measurement period or final determination of the fair value of assets acquired or liabilities assumed, whichever comes first, no further adjustments are made.
Loss Contingencies
We evaluate contingent liabilities, including threatened or pending litigation, and make provisions for such liabilities when it is both probable that a loss has been incurred and its amount can be reasonably estimated. Because of uncertainties inherent in litigation, we base our estimate and accrue the liabilities, if any, on the information available at the time of our assessment. Significant judgment is required to determine both the probability and the estimated amount of loss given such legal proceedings are inherently unpredictable and subject to significant uncertainties, some of which are beyond our control. Developments in these matters could affect the amount of any liability we may accrue. As additional information becomes available, we may revise our estimates. Any revisions in the estimates of potential liabilities could have a material impact on our operating results and financial position. Further, until the final resolution of any such matter, there may be a loss exposure in excess of the liability recognized and such amount could be significant.
Revenue Recognition
We derive our revenues primarily from subscription fees and professional services fees. A description of our revenue recognition policies is included in Note 2 to our consolidated financial statements "Summary of Significant Accounting Policies."
Our contracts with customers often contain multiple performance obligations. For these contracts, we account for individual performance obligations separately if they are distinct. The transaction price of the contract is allocated to the separate performance obligations on a relative standalone selling price basis. Evaluating customer contracts with multiple performance obligations and complex terms may require significant judgment in identifying the distinct performance obligations.
Recent Accounting Pronouncements
See Note 2 to our consolidated financial statements “Summary of Significant Accounting Policies — Recent Accounting Pronouncements Not Yet Adopted" for more information.
68


Item 7A. Quantitative and Qualitative Disclosures about Market Risk
Foreign Currency Exchange Risk
The functional currencies of our foreign subsidiaries are the respective local currencies. Most of our sales are denominated in U.S. dollars, and therefore our revenue is not currently subject to significant foreign currency risk. Our operating expenses are denominated in the currencies of the countries in which our operations are located, which are primarily in the United States, the United Kingdom, Canada and Australia. Our consolidated results of operations and cash flows are, therefore, subject to fluctuations due to changes in foreign currency exchange rates and may be adversely affected in the future due to changes in foreign currency exchange rates. To date, we have not entered into any hedging arrangements with respect to foreign currency risk or other derivative financial instruments. During fiscal 2024, 2023 and 2022, a hypothetical 10% change in foreign currency exchange rates applicable to our business would not have had a material impact on our consolidated financial statements.
Interest Rate Risk
We had cash, cash equivalents and short-term investments totaling $2,202 million as of January 31, 2024, of which $2,019 million was invested in U.S. treasury securities, money market funds, corporate debt securities and certificates of deposit. Our cash and cash equivalents are held for working capital and general corporate purposes, including potential future acquisition activity. Our short-term investments are made for capital preservation purposes. We do not enter into investments for trading or speculative purposes.
Our cash equivalents and our investment portfolio are subject to market risk due to changes in interest rates. Fixed rate securities may have their market value adversely affected due to a rise in interest rates. Due in part to these factors, our future investment income may fall short of our expectations due to changes in interest rates or we may suffer losses in principal if we are forced to sell securities that decline in market value due to changes in interest rates. However, because we classify our short-term investments as “available for sale,” no gains are recognized due to changes in interest rates. As losses due to changes in interest rates are generally not considered to be credit related changes, no losses in such securities are recognized due to changes in interest rates unless we intend to sell, it is more likely than not that we will be required to sell, we sell prior to maturity, or we otherwise determine that all or a portion of the decline in fair value are due to credit related factors.
As of January 31, 2024, a hypothetical 10% relative change in interest rates would not have had a material impact on the value of our cash equivalents or investment portfolio. Fluctuations in the value of our cash equivalents and investment portfolio caused by a change in interest rates (gains or losses on the carrying value) are recorded in other comprehensive income (loss), and are realized only if we sell the underlying securities prior to maturity.
Convertible Senior Notes
In September 2019, we issued the 2025 Notes due September 1, 2025 with a principal amount of $1,060 million. Concurrently with the issuance of the 2025 Notes, we entered into separate capped call transactions. The 2025 Capped Calls were completed to reduce the potential dilution from the conversion of the 2025 Notes. As of January 31, 2024, $552 million principal amount of the 2025 Notes remain outstanding.
In June 2020, we issued the 2026 Notes due June 15, 2026 with a principal amount of $1,150 million. Concurrently with the issuance of the 2026 Notes, we entered into separate capped call transactions. The 2026 Capped Calls were completed to reduce the potential dilution from the conversion of the 2026 Notes. As of January 31, 2024, $608 million principal amount of the 2026 Notes remain outstanding.
The 2025 Notes and 2026 Notes have a fixed annual interest rate of 0.125% and 0.375%, respectively; accordingly, we do not have economic interest rate exposure on the Notes. However, the fair value of the Notes is exposed to interest rate risk. Generally, the fair market value of the Notes will increase as interest rates fall and decrease as interest rates rise. In addition, the fair value of the Notes fluctuates when the market price of our common stock fluctuates. The fair value was determined based on the quoted bid price of the Notes in an over-the-counter market on the last trading day of the reporting period. See Note 8 to our consolidated financial statements "Convertible Senior Notes, Net" for additional information. Changes in the interest rate environment upon maturity of this fixed rate debt could have an effect on our future cash flows and earnings, depending on whether the debt is replaced with other fixed rate debt, variable rate debt or equity.

69


Item 8. FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA


70


Report of Independent Registered Public Accounting Firm

To the Stockholders and the Board of Directors of Okta, Inc.

Opinion on the Financial Statements
We have audited the accompanying consolidated balance sheets of Okta, Inc. (the Company) as of January 31, 2024 and 2023, the related consolidated statements of operations, comprehensive loss, stockholders' equity, and cash flows for each of the three years in the period ended January 31, 2024, and the related notes (collectively referred to as the “consolidated financial statements”). In our opinion, the consolidated financial statements present fairly, in all material respects, the financial position of the Company at January 31, 2024 and 2023, and the results of its operations and its cash flows for each of the three years in the period ended January 31, 2024, in conformity with U.S. generally accepted accounting principles.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the Company's internal control over financial reporting as of January 31, 2024, based on criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework) and our report dated March 1, 2024 expressed an unqualified opinion thereon.
Basis for Opinion
These financial statements are the responsibility of the Company's management. Our responsibility is to express an opinion on the Company’s financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that our audits provide a reasonable basis for our opinion.
Critical Audit Matter
The critical audit matter communicated below is a matter arising from the current period audit of the financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved our especially challenging, subjective, or complex judgments. The communication of the critical audit matter does not alter in any way our opinion on the consolidated financial statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on the accounts or disclosures to which it relates.
71



Revenue recognition Identifying and evaluating terms and conditions in contracts
Description of the Matter
As explained in Note 2 to the consolidated financial statements, the Company derives revenue from subscription fees and professional services fees. The Company’s arrangements are generally non-cancelable and non-refundable. In addition, the arrangements do not provide customers with the right to take possession of the software and, as a result, are accounted for as service arrangements. Subscription revenue, which includes support, is recognized on a straight-line basis over the non-cancelable contractual term of the arrangement, generally beginning on the date that the Company’s service is made available to the customer. Revenue for the Company’s professional services is recognized as services are performed in proportion to their pattern of transfer.

Auditing the Company’s accounting for revenue recognition was challenging, specifically related to the appropriate identification and evaluation of non-standard terms and conditions. For example, certain non-standard terms and conditions required judgment to identify the distinct performance obligations.

How We Addressed the Matter in Our Audit
We obtained an understanding, evaluated the design and tested the operating effectiveness of the Company’s internal controls over the identification and evaluation of terms and conditions in contracts that impact revenue recognition, including the identification of performance obligations. This included testing relevant controls over the information systems that are used in the initiation, billing and recording of revenue transactions.

Among other procedures, on a sample basis, we tested the completeness and accuracy of management’s identification and evaluation of the non-standard terms and conditions in contracts. Further, we selected a sample of contractual arrangements to test that management had properly assessed the impact of any non-standard terms on the identified performance obligations. Additionally, to verify completeness of non-standard terms and conditions, we obtained confirmations of terms and conditions for a sample of arrangements with customers.


/s/ Ernst & Young LLP
We have served as the Company’s auditor since 2013.
San Jose, California
March 1, 2024
72


Report of Independent Registered Public Accounting Firm
To the Stockholders and the Board of Directors of Okta, Inc.
Opinion on Internal Control Over Financial Reporting
We have audited Okta, Inc.’s internal control over financial reporting as of January 31, 2024, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework) (the COSO criteria). In our opinion, Okta, Inc. (the Company) maintained, in all material respects, effective internal control over financial reporting as of January 31, 2024, based on the COSO criteria.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the consolidated balance sheets of the Company as of January 31, 2024 and 2023, the related consolidated statements of operations, comprehensive loss, stockholders' equity, and cash flows for each of the three years in the period ended January 31, 2024, and the related notes and our report dated March 1, 2024 expressed an unqualified opinion thereon.
Basis for Opinion
The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting included in the accompanying Management’s Report on Internal Control over Financial Reporting. Our responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects.
Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.
Definition and Limitations of Internal Control Over Financial Reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
/s/ Ernst & Young LLP
San Jose, California
March 1, 2024
73


OKTA, INC.
CONSOLIDATED BALANCE SHEETS
(dollars in millions, shares in thousands, except per share data)
 As of January 31,
 20242023
Assets 
Current assets: 
Cash and cash equivalents$334 $264 
Short-term investments1,868 2,316 
Accounts receivable, net of allowances of $6 and $8
559 481 
Deferred commissions113 92 
Prepaid expenses and other current assets106 76 
Total current assets2,980 3,229 
Property and equipment, net48 59 
Operating lease right-of-use assets83 122 
Deferred commissions, noncurrent242 210 
Intangible assets, net182 241 
Goodwill5,406 5,400 
Other assets48 46 
Total assets$8,989 $9,307 
Liabilities and stockholders’ equity 
Current liabilities: 
Accounts payable$12 $12 
Accrued expenses and other current liabilities115 112 
Accrued compensation167 99 
Deferred revenue1,488 1,242 
Total current liabilities1,782 1,465 
Convertible senior notes, net, noncurrent1,154 2,193 
Operating lease liabilities, noncurrent112 142 
Deferred revenue, noncurrent23 18 
Other liabilities, noncurrent30 23 
Total liabilities3,101 3,841 
Commitments and contingencies (Note 10)
Stockholders’ equity: 
Preferred stock, par value $0.0001 per share; 100,000 shares authorized, no shares issued and outstanding as of January 31, 2024 and 2023.
  
Class A Common stock, par value $0.0001 per share; 1,000,000 shares authorized; 159,835 and 154,009 shares issued and outstanding as of January 31, 2024 and 2023, respectively.
  
Class B Common stock, par value $0.0001 per share; 120,000 shares authorized; 7,291 and 7,300 shares issued and outstanding as of January 31, 2024 and 2023, respectively.
  
Additional paid-in capital8,724 7,974 
Accumulated other comprehensive loss(6)(33)
Accumulated deficit(2,830)(2,475)
Total stockholders’ equity5,888 5,466 
Total liabilities and stockholders’ equity $8,989 $9,307 

See Notes to Consolidated Financial Statements.
74


OKTA, INC.
CONSOLIDATED STATEMENTS OF OPERATIONS
(dollars in millions, shares in thousands, except per share data)
 Year Ended January 31,
 202420232022
Revenue 
Subscription$2,205 $1,794 $1,249 
Professional services and other58 64 51 
Total revenue2,263 1,858 1,300 
Cost of revenue
Subscription502 464 329 
Professional services and other79 82 67 
Total cost of revenue581 546 396 
Gross profit1,682 1,312 904 
Operating expenses 
Research and development656 620 469 
Sales and marketing1,036 1,066 771 
General and administrative450 409 432 
Restructuring and other charges56 29  
Total operating expenses2,198 2,124