OKTA Okta, Inc. - 10-K

Item 1A. Risk Factors

A description of the risks and uncertainties associated with our business is set forth below. You should carefully consider the risks and uncertainties described below, as well as the other information in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes and “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The occurrence of any of the events or developments described below, or of additional risks and uncertainties not presently known to us or that we currently deem immaterial, could materially and adversely affect our business, results of operations, financial condition and growth prospects. In such an event, the market price of our Class A common stock could decline, and you could lose all or part of your investment.

Risk Factor Summary

This risk factor summary contains a high-level summary of risks associated with our business. It does not contain all of the information that may be important to you, and you should read this risk factor summary together with the more detailed discussion of risks and uncertainties set forth following this summary. A summary of our risks includes, but is not limited to, the following:

• Adverse general economic, market and industry conditions and reductions in workforce identity and customer identity spending have, in the past and may, in the future, reduce demand for our solutions, which could harm our revenue, results of operations and cash flows.

• Our business depends on our ability to retain existing customers, and our revenues and results of operations could be adversely impacted if they do not renew their subscriptions or purchase additional licenses or subscriptions with us.

• If we are unable to grow our customer base, our revenue growth and profitability could be harmed.

• We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.

• We may experience quarterly fluctuations in our results of operations due to a number of factors that make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.

• Interruptions or performance problems that impact the functionality of our technology, systems or infrastructure could result in delays in the deployment of our platforms.

• In the past, we have experienced cybersecurity incidents that allowed unauthorized access to our systems or data or our customers’ data, harmed our reputation, created additional liability and adversely impacted our financial results. We and our third-party service providers may experience similar incidents in the future which may also include disabling access to our service.

• Any actual or perceived failure by us, our third-party service providers or our customers to comply with new or existing laws, regulations or other requirements relating to the privacy, security and processing of personal information could adversely affect our business, results of operations or financial condition.

• If we are unable to ensure that our solutions integrate or interoperate with a variety of operating systems, platforms, services, software applications devices, mobile phones and other hardware form factors that are developed by others, our platforms may become less competitive and our results of operations may be harmed.

• Real or perceived errors, failures, vulnerabilities or bugs in our solutions, including deployment complexity, have in the past and could, in the future, harm our business and results of operations.

• Issues with our use, development, adoption, deployment and maintenance of AI and machine learning technologies, combined with an uncertain regulatory environment, may result in reputational harm, liability or other adverse consequences to our business operations.

• Because we generally recognize revenue from our subscriptions and support services over the term of the relevant service period, a decrease in sales during a reporting period may not be immediately reflected in our results of operations for that period.

• The stock price of our Class A common stock may be volatile or may decline.

• The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and their affiliates, who held in the aggregate 32% of the voting power of our capital stock as of January 31, 2026. This will limit or preclude your ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets or other major corporate transaction requiring stockholder approval.

• Transactions relating to our convertible notes may affect the value of our Class A common stock.

• We depend on our executive officers and other key employees, and the loss of one or more of these employees or an inability to attract and retain other highly skilled employees could harm our business.

Risks Related to Our Business and Industry

Adverse general economic, market and industry conditions and reductions in workforce identity and customer identity spending have, in the past and may, in the future, reduce demand for our solutions, which could harm our revenue, results of operations and cash flows.

Our revenue, results of operations and cash flows depend on the overall demand for our solutions. International and regional economic conditions, including instability or security concerns abroad, such as widespread downturns and recessions; geopolitical events; changes in trade policies, trade restrictions, economic sanctions or the threat of such actions; the instability of financial institutions; the availability and cost of credit; fluctuations in the inflation and interest rate environment; health epidemics; or energy costs have and could continue to lead to increased market volatility, decreased consumer confidence and diminished growth expectations in the U.S. economy and abroad, which in turn could result in reductions in spending on our platforms by our existing and prospective customers. These economic conditions can occur abruptly. Prolonged economic slowdowns may result in customers requesting us to renegotiate existing contracts on less advantageous terms to us than those currently in place or defaulting on payments due on existing contracts or not renewing at the end of the contract term. To the extent there is a sustained general economic downturn, and our platforms and services are perceived by customers or potential customers as costly, or too difficult to deploy or migrate to, our revenue may be disproportionately affected by delays or reductions in spending.

Our business depends on our ability to retain existing customers, and our revenues and results of operations could be adversely impacted if they do not renew their subscriptions or purchase additional licenses or subscriptions with us.

Our ability to increase and maintain revenue growth depends, in part, on our ability to retain and expand our commercial relationships with our existing customers. This requires that our existing customers continue to use our platforms, either by purchasing additional subscriptions or by renewing their subscriptions when existing contract terms expire. Our customers have no obligation to renew their subscriptions after the expiration of their subscription period. They may decide not to renew their subscriptions with a similar contract period, at the same prices and terms or with the same or a greater number of users. In the past, some of our customers have elected not to renew their agreements with us, and it is difficult to accurately predict long-term customer retention and expansion rates. Customer retention and expansion has, in the past and may, in the future, decline or fluctuate as a result of a number of factors, such as customers’ satisfaction with our solutions; our prices and pricing plans, including as compared to those of competing software solutions; unfavorable macroeconomic and geopolitical conditions; reductions in customer spending levels; negative sentiment stemming from cybersecurity incidents; customer utilization rates; new offerings; and changes to the packaging of our product offerings. If existing customers do not purchase additional subscriptions or renew their subscriptions, renew on less favorable terms or fail to add more users, our revenue may decline or grow less quickly than anticipated, which would harm our future results of operations.

If we are unable to grow our customer base, our revenue growth and profitability could be harmed.

We aim to increase our revenue and achieve and maintain profitability by growing our customer base, particularly through sales to larger organizations. As our market matures and product offerings evolve, we believe that competitors will introduce lower cost or differentiated solutions that compete, or are perceived to compete, with our solutions. If prospective customers view the cost or features of competitors’ solutions as preferable to ours, or do not perceive our solutions to be of sufficiently high value and quality, we could fail to attract the number and

types of new customers we are seeking. Prospective customers’ decisions to purchase our solutions depends on a variety of other factors, including those specified under the risk factor titled “ Our business depends on our ability to retain existing customers, and our revenues and results of operations could be adversely impacted if they do not renew their subscriptions or purchase additional licenses or subscriptions with us ,” and described elsewhere in these risk factors. Any failure to attract new customers could impede our success in selling new subscriptions and adversely impact our business, financial condition and results of operations.

We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.

The markets for our solutions are rapidly evolving, highly competitive and subject to shifting customer needs and frequent introductions of new technologies. As the markets in which we operate continue to mature and new technologies and competitors enter such markets, we expect competition to intensify. We compete with both cloud-based and on-premise enterprise application software providers including, but not limited to: authentication providers; identity governance providers; multi-factor authentication providers; infrastructure-as-a-service providers; other customer identity and access management providers; and solutions developed in-house by our potential customers. Our principal competitor is Microsoft.

Many of our competitors have significantly greater financial, technical, sales and marketing, distribution, customer support or other resources, larger intellectual property portfolios, longer operating histories, greater resources to make strategic acquisitions, more established relationships with third-party service providers and greater name recognition than we do. They may also have a larger customer base, many of which may prefer to purchase from the same competitor rather than replace their existing infrastructure with our solutions.

Some of our larger competitors have substantially broader product offerings, or greater resources to acquire new offerings or repurpose existing offerings to provide identity solutions with subscription models. As a result, they can leverage their relationships based on other solutions, or incorporate functionality into existing solutions, to gain business in a manner that discourages users from purchasing our solutions, including selling at zero or negative margins, bundling products or maintaining closed technology platforms. In addition, larger competitors, as well as new start-up companies that innovate, make significant investments in research and development and may invent similar or superior solutions that compete with our solutions. It is also possible that products and services developed by others, including, but not limited to, new technologies and offerings integrating AI, or products and services developed by competitors, could put us at a competitive disadvantage. These competitive pressures or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margins, increased net losses and loss of market share, which could harm our business, results of operations and financial condition.

If we fail to adapt to rapid technological change, our ability to remain competitive could be impaired.

The industry in which we compete is characterized by rapid technological change, frequent introductions of new solutions and evolving industry standards. Our ability to attract new customers and increase revenue from existing customers will depend in significant part on our ability to anticipate industry standards and trends. We must continue to enhance existing solutions or introduce or acquire new solutions on a timely basis to keep pace with technological developments. The success of any enhancement or new solution depends on several factors, including the timely completion and market acceptance of the enhancement or new solution. Any new solution we develop or acquire might not be introduced in a timely or cost-effective manner and might not achieve the broad market acceptance necessary to generate significant revenue. If any of our competitors implements new technologies before we are able to implement them, those competitors may be able to provide more effective solutions than ours at lower prices. Any delay or failure in the introduction of new or enhanced solutions that gain market acceptance and meet customer requirements could harm our business, results of operations and financial condition.

Our ability to introduce new solutions is dependent on adequate research and development resources and, in part, on our ability to successfully complete acquisitions. If we do not adequately fund our research and development efforts or complete acquisitions successfully, we may not be able to compete effectively and our business and results of operations may be harmed.

To remain competitive, we must continue to develop new solutions, applications and enhancements to our existing portfolio. This is particularly true as we further expand and diversify our capabilities. Maintaining adequate research and development resources, such as the appropriate personnel and development technology, to meet the demands of the market is essential. If we elect not to or are unable to develop solutions internally, we may choose to expand into a certain market or strategy via an acquisition for which we could potentially pay too much or fail to

successfully integrate into our operations. Further, many of our competitors expend a considerably greater amount of funds on their respective research and development programs, and those that do not have, in some cases, been acquired by larger companies that allocate greater resources to our competitors’ research and development programs. Our failure to maintain adequate research and development resources or to compete effectively with the research and development programs of our competitors would give an advantage to such competitors and may harm our business, results of operations and financial condition.

Even if we maintain adequate research and development resources, we may be unable to monetize newly developed solutions or features such that we can recoup our research and development expenditures. For example, if we develop a new feature but our competitors give an equivalent feature away for free, we may need to also include our newly developed feature for free as part of an existing product offering to remain competitive in the marketplace. Such a loss of anticipated revenue to offset our research and development expenditures may harm our business, results of operations and financial condition.

We may experience quarterly fluctuations in our results of operations due to a number of factors that make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.

Our results of operations fluctuate from quarter to quarter as a result of a number of factors, many of which are outside of our control and may be difficult to predict, including, but not limited to:

• fluctuations in demand for, or pricing of, our platforms, including as a result of macroeconomic conditions or competition;

• our ability to retain and increase sales to existing customers, attract new customers or otherwise increase the use of our platforms;

• the timing and success of introductions of new solutions by us or our competitors, or any other change in the competitive landscape of our market;

• security breaches of, technical difficulties with, or interruptions to, the delivery and use of our solutions, and any negative market perception or customer reactions related to, or arising from the disclosure of, such breaches, difficulties or interruptions;

• seasonal buying patterns for IT spending;

• the mix of revenue attributable to larger transactions as opposed to smaller transactions, and the associated volatility and timing of our transactions;

• changes in remaining performance obligations due to seasonality, the timing of and compounding effects of renewals, invoice duration, size and timing, new business linearity between quarters and within a quarter, average contract term or fluctuations due to foreign currency movements, all of which may impact implied growth rates;

• errors in our forecasting of the demand for our solutions, which could lead to lower revenue, increased costs or both;

• increases in and timing of sales and marketing and other operating expenses that we may incur to grow our brand, expand our operations and remain competitive;

• our ability to comply with applicable laws and requirements, including data privacy and cybersecurity regimes;

• costs related to the acquisition of businesses, talent, technologies or intellectual property, including potentially significant amortization costs and possible write-downs;

• credit or other difficulties confronting our third-party service providers, including channel partners;

• costs related to litigation, including adverse judgments, settlements and other disputes;

• the impact of new accounting pronouncements and associated system implementations;

• changes in the legislative or regulatory environment;

• fluctuations in foreign currency exchange rates;

• expenses related to real estate, including our office leases and other fixed expenses;

• changes in government spending and budgetary priorities, workforce reduction and other policy shifts;

• general economic, market and industry conditions in domestic or international markets, including the inflation and interest rate environment, geopolitical uncertainty and instability; and

• changes in trade policies, trade restrictions or the threat of such actions.

Any one or more of the factors above may result in significant fluctuations in our results of operations. You should not rely on our past results as an indicator of our future performance.

The variability and unpredictability of our quarterly results of operations or other operating metrics could result in our failure to meet our expectations or those of analysts that cover us or investors with respect to revenue or other metrics for a particular period. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.

Our prior revenue growth rates may not be indicative of our future growth or performance.

Our revenue growth depends on several factors, including pricing our platforms to attract new and retain existing customers; managing demand for our solutions; competing against larger companies and new market entrants; capitalizing on new acquisitions, technologies or growth opportunities; and other conditions described in these risk factors. If we are unable to grow our revenue, it will be difficult to maintain our profitability, or maintain or increase our cash flow on a consistent basis. We expect our operating expenses to increase in future periods as we continue to expand our business. If our revenue growth does not increase to offset these anticipated increases in our operating expenses, our business, financial position and results of operations will be harmed, and we may not be able to consistently maintain profitability.

Our growth depends, in part, on the success of our strategic relationships with third parties.

To grow our business, we expect to continue to depend on relationships with third parties, such as channel partners. Identifying partners, negotiating and maintaining relationships with them requires significant time and resources.

Our ability to compete in the marketplace depends, in part, on whether third parties successfully market, resell, implement or support our solutions for their customers. For example, some of our channel partners sell or provide integration and administration services for our competitors’ solutions. They may choose to devote greater resources to our competitors that are more effective in incentivizing them to favor their solutions over ours. In addition, acquisitions of such partners by our competitors could result in a decrease in the number of our current and potential customers, as these partners may no longer facilitate the adoption of our applications by potential customers. Some of our partners compete with certain of our solutions and may elect to no longer integrate with our platforms or sell our solutions.

Our growth also depends on our ability to incentivize third-party developers to adopt and build their applications using our APIs and solutions. We believe that these applications facilitate greater usage and customization of our solutions. If these third-party developers stop developing on or supporting our platforms, we will lose the benefit of network effects that have contributed to the growth in our number of customers.

If we are unsuccessful in establishing or maintaining our relationships with third parties, our ability to grow our revenue could be impaired, and our results of operations may suffer. Even if we are successful, we cannot ensure that these relationships will result in increased customer usage of our applications or increased revenue.

Because our long-term success depends, in part, on our ability to expand the sales of our solutions to customers located outside of the United States, our business will be susceptible to risks associated with international operations.

We currently have sales personnel outside the United States and maintain offices outside the United States in the Americas, Asia-Pacific and Europe, and our international revenue was 21% and 20% of our total revenue in fiscal 2025 and fiscal 2026, respectively. Any international expansion efforts that we may undertake may not be successful. We may face challenges, including those not generally faced in the United States, such as managing and staffing international operations, and becoming familiar with varying technology standards, local laws and business practices. Conducting international operations also subjects us to, among other risks described in these risk factors:

• general political, economic and social uncertainties, including macroeconomic and geopolitical conditions and financial market conditions;

• unexpected changes in, or costs and liabilities related to, compliance with foreign legal and regulatory requirements, such as data privacy and cybersecurity regimes; intellectual property rights protections; and requirements relating to the localization of our solutions;

• restrictive governmental actions focusing on cross-border trade, including taxes, changes in trade policies, trade restrictions, import and export restrictions or quotas, barriers, sanctions, custom duties or the threat of such actions; and

• difficulties in managing systems integrators and technology partners.

Establishing operations in international markets also requires significant management attention and financial resources and we cannot guarantee that these investments will produce desired levels of revenue or profitability. If we fail to expand our operations successfully and in a timely manner, our business and results of operations will suffer.

Future acquisitions, investments, partnerships or alliances could be difficult to identify and integrate, divert the attention of management personnel, disrupt our business, dilute stockholder value and harm our results of operations and financial condition.

We have in the past acquired and we may, in the future, seek to acquire or invest in, businesses, products, teams or technologies that we believe could complement or expand our current platforms, enhance our technical capabilities or otherwise offer growth opportunities. The pursuit of potential acquisitions may divert the attention of management and cause us to incur various expenses in identifying, investigating and pursuing suitable acquisitions, whether or not they are consummated. If we acquire additional businesses, we may not be able to successfully integrate and retain the acquired personnel; integrate the acquired operations and technologies; adequately test and assimilate the internal control processes of the acquired business in accordance with the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”); or effectively manage the combined business. We may also be required to assume liabilities or incur unforeseen costs, such as those arising from the acquired company’s failure to comply with legal or regulatory requirements and litigation matters.

Any acquisition or strategic transaction we do consummate could fail to produce the benefits we hope to achieve, which could disrupt our own business or those of our partners and customers or result in future impairment charges. In particular, from time to time we invest in private growth stage companies for strategic reasons and to support key business initiatives. All of our venture investments are subject to a risk of partial or total loss of investment capital, and we may not realize a return on these investments.

In addition, we have limited experience in acquiring other businesses. We may not be able to identify desirable acquisition targets, or we may not be successful in entering into an agreement with any particular target. Acquisitions could also result in dilutive issuances of equity securities, use of our available cash or the incurrence of debt, or in adverse tax consequences or unfavorable accounting treatment. If an acquired business fails to meet our expectations, our business, results of operations and financial condition could suffer.

Our financial results may fluctuate due to increasing variability in our sales cycles.

We plan our expenses based on certain assumptions about the length and variability of our sales cycle. These assumptions are based upon historical trends for sales cycles and conversion rates associated with our existing customers. We are increasingly focused on sales to larger organizations, which often involve lengthy

purchasing approval processes and less predictable sales cycles. The length of sales cycles may be further impacted by the current macroeconomic and geopolitical environment and by the discretionary nature of customer spending. Customers may also take prolonged evaluation periods of our platforms, or their features or functionality, as well as those of our competitors. As a result, it is difficult to predict exactly when, or even if, we will make a sale. If we are unable to close one or more of expected significant transactions in a particular period, or if such an expected transaction is delayed until a subsequent period, our results of operations for that period and for any future periods in which revenue from such transaction would otherwise have been recognized, may be harmed.

Various factors may cause implementation of our solutions to be delayed, inefficient or otherwise unsuccessful.

Our business depends upon the successful implementation of our solutions by our customers. Increasingly, we, as well as our customers, rely on our network of partners to deliver implementation services, and there may not be enough qualified implementation partners available to meet customer demand. Various other factors may cause implementations to be delayed, inefficient or otherwise unsuccessful, including significant costs to purchase, implement and enable our solutions; changes in our customers’ functional requirements; timeline delays; or deviation from recommended best practices. These and other circumstances may delay our ability to sell additional solutions or result in customers canceling or failing to renew their subscriptions before our solutions have been fully implemented. Unsuccessful, lengthy or costly customer implementation and integration projects could result in claims from customers, harm to our reputation and opportunities for competitors to displace our solutions, each of which could have an adverse effect on our business and results of operations.

A portion of our revenues are generated by sales to public sector entities, which are subject to a number of challenges and risks.

We rely on partners to resell our services to public sector entities, and we have made and plan to continue to make investments to support future sales opportunities in the public sector. The sale of our services to public sector entities is tied to budget cycles and there are government requirements and authorizations that we may be required to meet. Changes in fiscal or contracting policies or reductions in government spending or workforce could adversely affect the funding for and purchases of our platforms and, in turn, could negatively impact our revenue and future growth. Further, we may be subject to audits and investigations regarding our role as a subcontractor in government contracts, and violations could result in penalties and sanctions, including contract termination, refunding or forfeiting payments, fines and suspension or debarment from future government business. Selling to these entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense. Public sector entities often require contract terms that differ from our standard arrangements and impose additional compliance requirements, require increased attention to pricing practices or are otherwise time consuming and expensive to satisfy. For example, some of our public sector customers contract with us on the basis of our authorization under FedRAMP, which requires us to undertake additional actions and expenses to ensure compliance. Public sector entities may also have statutory, contractual or other legal rights to terminate contracts with our partners for convenience, for lack of funding or due to a default, and any such termination may adversely impact our future results of operations. If we represent that we meet certain standards, authorizations (such as FedRAMP) or requirements and do not meet them, or if such authorizations are suspended or revoked, we could be subject to increased liability from our customers, investigation by regulators or termination rights. Even if we do meet them, the additional costs associated with providing our service to public sector entities could harm our margins. Moreover, changes in underlying regulatory requirements could be an impediment to our ability to efficiently provide our service to government customers and to grow or maintain our customer base. Any of these risks related to contracting with, or as a subcontractor supporting, public sector entities could adversely impact our future sales and results of operations or make them more difficult to predict.

If we fail to enhance our brand cost-effectively, our ability to expand our customer base will be impaired and our business, results of operations and financial condition may suffer.

We believe that developing and maintaining awareness of our brand in a cost-effective manner is critical to achieving widespread acceptance of our existing and future solutions, and is an important element in attracting new customers and retaining existing customers. Furthermore, we believe that the importance of brand recognition is likely to increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing and sales efforts and on our ability to provide reliable and useful solutions at competitive prices and that align with our customers’ needs. In the past, our efforts to build our brand have involved significant expenses and have not always attracted a sufficient number of new customers to be cost-effective.

In February 2025, we began further specializing our sales force to better align with our customers and evolving market demands, which has required us to invest significant financial and other resources. We may not achieve anticipated revenue growth if we are unable to hire and develop talented sales personnel or retain our existing sales personnel, or if our new sales personnel are unable to achieve desired productivity levels in a reasonable period of time. If our marketing and sales efforts are unsuccessful and we fail to enhance our brand we may fail to attract new customers or retain our existing customers to the extent necessary to realize a sufficient return on our brand-building efforts. As a result, our business, results of operations and financial condition could suffer.

We may not set optimal prices for our solutions.

In the past, we have at times adjusted our prices either for individual customers in connection with long-term agreements or for a particular solution. We expect that we may need to change our pricing in future periods and potentially in response to increased costs, including as a result of the inflation and interest rate environment, geopolitical considerations, as well as changes in trade policies, trade restrictions or the threat of such actions. Further, as competitors introduce new solutions that compete with ours, or if they reduce their prices or adopt preferable pricing models for evolving technologies, such as AI agents, we may be unable to attract new customers or retain existing customers based on our historical pricing. As we further expand internationally and into additional verticals, we also must determine the appropriate price to enable us to compete effectively. In addition, if our mix of solutions sold changes, then we may need to, or choose to, revise our pricing. As a result, we may be required or choose to reduce our prices or change our pricing model, which could harm our business, results of operations and financial condition.

If we are not able to consistently generate cash flows or raise additional capital necessary to expand our operations and invest in new technologies in the future could reduce our ability to compete successfully and harm our results of operations.

We may need to raise additional funds, and we may not be able to obtain additional debt or equity financing on favorable terms, if at all. If we raise additional equity or convertible debt financing, our security holders may experience significant dilution of their ownership interests. If we engage in additional debt financing, we may be required to accept terms that restrict our ability to incur additional indebtedness, force us to maintain specified liquidity or other ratios or restrict our ability to pay dividends or make acquisitions. If we need additional capital and cannot raise it on acceptable terms or at all, we may not be able to effectively grow our business or respond to competitive pressures, which could harm our business, results of operations and financial condition.

We may be subject to liability claims if we breach our contracts and our insurance may be inadequate to cover our losses.

We are subject to numerous obligations in our contracts with our customers and partners. Despite the procedures, systems and internal controls we have implemented to comply with our contracts, we may breach these commitments, whether through a weakness in these procedures, systems and internal controls, negligence or the willful act of an employee or contractor. Our insurance policies, including our errors and omissions insurance, may be inadequate to compensate us for the potentially significant losses that may result from claims arising from breaches of our contracts, disruptions in our service, including those caused by cybersecurity incidents, failures or disruptions to our infrastructure, catastrophic events and disasters or otherwise. In addition, such insurance may not be available to us in the future on economically reasonable terms or at all. Further, our insurance may not cover all claims made against us and defending a suit, regardless of its merit, could be costly and divert management’s attention.

Evolving and complex scrutiny of sustainability matters may require us to incur additional costs or otherwise adversely impact our reputation or business.

Investors, regulators, customers and other stakeholders, both in the United States and internationally, are increasingly attentive to, and have evolving expectations about, sustainability and social issues, initiatives and disclosures. We have undertaken certain sustainability-related initiatives, goals and commitments, which we have communicated on our website, in our SEC filings and elsewhere, and may undertake additional actions in the future. These actions, including establishing certain sustainability goals or targets to respond to stakeholder demands or requirements, may result in increased costs (including, but not limited to, increased costs related to compliance, stakeholder engagement and meeting our contractual commitments). Our ability to perform or carry out such actions may be subject to numerous conditions that are outside our control, and we cannot guarantee that any actions or

outcomes will have the desired effect. Our actual or perceived failure to achieve such goals or targets could negatively impact our reputation and otherwise affect our business performance.

Risks Related to Intellectual Property, Infrastructure Technology, Data Privacy and Security

Interruptions or performance problems that impact the functionality of our technology, systems or infrastructure could result in delays in the deployment of our platforms.

Our continued growth depends, in part, on the ability of our existing and potential customers to access our platforms 24 hours a day, seven days a week, without interruption or degradation of performance. System interruption and a lack of integration and redundancy in our information systems and infrastructure may adversely affect our ability to operate websites, process and fulfill transactions, respond to customer inquiries and generally maintain cost-efficient operations. We have experienced in the past and may experience in the future, disruptions, data loss or corruption, outages and other performance problems with our infrastructure or service due to a variety of factors. These factors include, for example, infrastructure and functionality changes, human or software errors, capacity constraints, ransomware attacks that encrypt our data and render it inaccessible or security-related incidents. In some instances, we may not be able to identify the cause or causes of these performance problems immediately, and it could take months, or even years, for such problems to become pronounced enough for us to detect or for our customers to detect and inform us. We may not be able to maintain the level of service uptime and performance required by our customers, especially during peak usage times and as our solutions become more complex and our user traffic increases. If our platforms are unavailable or if our customers are unable to access our solutions or deploy them within a reasonable amount of time, or at all, our business would be harmed. Since our customers rely on our service to access and complete their work, any outage on our platforms would impair the ability of our customers to perform their work, which would negatively impact our brand, reputation and customer satisfaction.

Our platforms are accessed by a large number of customers, often at the same time, and we continue to expand the number of our customers and solutions available to our customers. While we rely on third-party information technology systems, broadband and other communications systems and service providers to assist in providing access to our platforms, maintaining our infrastructure and distributing our solutions via the internet, we may not be able to scale our technology to accommodate increased capacity requirements, which may result in interruptions or delays in service. If a service provider fails to provide sufficient capacity to support our platforms or otherwise experiences service outages, including intentionally blocking our internet traffic or all internet traffic, for example at the request of a national government intending to isolate its country’s network, such failure could interrupt our customers’ access to our service, which could adversely affect their perception of our platforms’ reliability and our revenues. Any disruptions in these services, including as a result of actions outside of our control, would significantly impact the continued performance of our solutions. In the future, these services may not be available to us on commercially reasonable terms or at all. Any loss of the right to use any of these services could result in decreased functionality of our solutions until equivalent technology is either developed by us or, if available from another provider, is identified, obtained and integrated into our infrastructure. If we do not accurately predict our infrastructure capacity requirements, our customers could experience service shortfalls. We may also be unable to effectively address capacity constraints, upgrade our systems as needed and continually develop our technology and network architecture to accommodate actual and anticipated changes in technology.

Any of the above circumstances or events may harm our reputation, cause customers to terminate their agreements with us, impair our ability to obtain subscription renewals from existing customers, impair our ability to grow our customer base, result in the expenditure of significant financial, technical and engineering resources, subject us to financial penalties and liabilities under our service level agreements, and otherwise harm our business, results of operations and financial condition.

In the past, we have experienced cybersecurity incidents that allowed unauthorized access to our systems or data or our customers’ data, harmed our reputation, created additional liability and adversely impacted our financial results. We and our third-party service providers may experience similar incidents in the future which may also include disabling access to our service.

Our business relies on computer systems, hardware, software, technology infrastructure, and online sites and networks for operations that are critical to our business. Increasingly, we and other companies are subject to a wide variety of attacks on their systems and networks on an ongoing basis. In addition to threats from traditional computer “hackers,” malicious code (such as malware, viruses, worms and ransomware), employee or contractor

theft or misuse, password spraying, phishing and denial-of-service attacks, we and our third-party service providers now also face threats from sophisticated nation-state actors and organized crime groups who engage in attacks (including advanced persistent threat intrusions) that add to the risks to our systems (including those hosted on AWS’ or other cloud services providers’ systems), internal networks, our customers’ systems and the information that we and they store and process. For example, like other companies, we have experienced an increase in cybersecurity attacks and have had to expend increasing amounts of human and financial capital to respond. We expect that these cybersecurity attacks will continue and that the scope and sophistication of these efforts will increase in future periods. In particular, the use of AI, AI agents and NHIs to develop, conduct and/or enhance cyberattacks is expected to increase the frequency, severity and volume of such attacks. Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks. As a provider of independent and neutral cloud-based identity solutions that form a part of our customers’ security software supply chain, we pose an attractive target for such attacks. The security measures we have integrated into our internal systems and platforms, which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected and have not in the past been, and may not in the future be, sufficient to protect our internal networks and platforms against certain attacks. Further, because we do not control our third-party service providers or the processing of data by our third-party service providers, we cannot ensure the integrity or security of the measures they take to protect customer information and prevent data loss. In addition, techniques used to sabotage or to obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently and become more complex over time. As a result, we and our third-party service providers have in the past been, and may in the future be, unable to anticipate these techniques or implement adequate preventative measures quickly enough to prevent either an electronic intrusion into our systems or services or a compromise of customer data, employee data or other protected information.

Our customers’ use of our technology to access business systems and store data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platforms. As our platforms store, transmit and process customers’ proprietary information and users’ personal data, they have experienced and likely will in the future experience attacks targeting such customer data. When such breaches occur, and if the confidentiality, integrity or availability of our customers’ data or systems is disrupted, we could incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers, and our platforms may be perceived as less desirable, which could negatively affect our business and damage our reputation.

In addition, security breaches impacting our platforms have in certain cases resulted in and could in the future result in a risk of loss or unauthorized disclosure or theft of this information, or the denial of access to this information, which, in turn, could lead to enforcement actions, litigation, regulatory or governmental audits, investigations and possible liability and increased requests by individuals regarding their personal data. Security breaches could also damage our relationships with and ability to attract customers and partners, as well as trigger service availability, indemnification and other contractual obligations. For example, our customers have in the past published public criticisms of our security practices in connection with security incidents, and these postings harm our reputation and brand. Security incidents may also cause us to incur significant investigation, mitigation, remediation, notification and other expenses. Furthermore, as a well-known provider of identity and security solutions that form a part of our customers’ security software supply chain, any such breach, including a breach of our customers’ systems, could compromise systems secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our or our customers’ systems, and the information stored on our or our customers’ systems could be accessed, publicly disclosed, altered, lost or stolen, which could subject us to liability and cause us financial harm. While we have taken a number of remediation steps, there is no guarantee that our preventative and mitigation actions with respect to this incident and others like it will fully eliminate the risk of a malicious compromise of our or our customers’ systems.

We have experienced cybersecurity incidents resulting from our use of and oversight over third-party service providers and could experience such incidents in the future. These incidents have, in the past and may, in the future, result from our configuration of such providers’ products or from cybersecurity attacks on such providers of the same type that could affect our own systems. While we have implemented security measures and configuration policies that seek to protect data stored with our third-party service providers, such measures and policies have not in the past been and may not in the future be sufficient to protect our data or our customers’ data. For example, the January 2022 compromise of one of our third-party service providers by a threat actor, even though not material and not a breach of our platforms, nonetheless was widely publicized and focused attention on the security of our systems and the systems of our third-party service providers. In addition, in October 2023, a threat actor gained

unauthorized access to and stole information from inside our customer support system, which was hosted by a third-party service provider.

While we maintain cybersecurity insurance, our insurance may be insufficient to cover all liabilities incurred in these incidents and any incidents may result in loss of, or increased costs of, our cybersecurity insurance. These breaches, or any perceived breach, of our systems, our customers’ systems, our service providers’ systems or other systems or networks secured by our platforms, whether or not any such breach is due to a vulnerability in our platforms, may also undermine confidence in our platforms or our industry and result in damage to our reputation and brand, negative publicity, loss of ISVs and other channel partners, customers and sales, increased costs to remedy any problem, costly litigation and other liability. In addition, a breach of the security measures of one of our key ISVs or other channel partners or a security software supply chain attack even many levels removed could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack. For example, an exploitation in an open source library that is imported and used in another framework that is used by a software product used by us could introduce an avenue of attack into our platforms. If a high profile security breach occurs with respect to a comparable cloud technology provider, our customers and potential customers may lose trust in the security of the cloud business model generally, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these negative outcomes could adversely impact market acceptance of our solutions and could harm our business, results of operations and financial condition.

Any actual or perceived failure by us, our third-party service providers or our customers to comply with new or existing laws, regulations or other requirements relating to the privacy, security and processing of personal information could adversely affect our business, results of operations or financial condition.

In connection with running our business, we receive, store, use and otherwise process personal data, including on behalf of our customers. Our customers’ storage and use of personal data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platforms. We and our customers are therefore subject to global data protection laws and regulations, as well as other privacy-related requirements. For example, data protection laws, such as those applicable in the European Union, Canada and certain of its provinces, United Kingdom, Asia and certain states in the United States, have enhanced data protection obligations for companies that handle personal data. Obligations include, for example, expanded disclosures about how personal data is to be used, individual rights in relation to personal data, limitations on retention of personal data, mandatory data breach notification requirements and strict obligations on service providers, and restrictions on online marketing and the use of cookies and tracking technologies.

The costs of compliance with, and other burdens imposed by, such laws and regulations that are applicable to our business and the operations of our customers may limit the use and adoption of our service and reduce overall demand for it. These privacy and data security related laws and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. In addition, we are subject to certain contractual obligations regarding the collection, use, storage, transfer, disclosure and/or processing of personal data. Although we are working to comply with those federal, state and foreign laws and regulations, industry standards, contractual obligations and other legal obligations that apply to us, those laws, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another and may conflict with one another, other requirements or legal obligations, our practices or the features of our platforms. Additionally, while we have implemented various features intended to enable our customers to better comply with applicable privacy and security requirements in their collection and use of data within our platforms, these features have, in the past, not ensured and may, in the future, not ensure our customers’ compliance and may not be effective against all potential privacy or related regulatory concerns.

We also expect that there will continue to be new proposed laws, regulations, self-regulatory and industry standards concerning privacy, data protection, digital services and information security in the United States, the European Union and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. In the United States, the Federal Trade Commission and state regulators enforce a variety of data privacy issues, such as promises made in privacy policies or failures to appropriately protect information about individuals, as unfair or deceptive acts or practices in or affecting commerce in violation of the Federal Trade Commission Act or similar state laws. Many U.S. states have also adopted new or modified privacy and security laws. These laws create a patchwork of legislation and regulation that impose heightened transparency obligations about data collection, use and sharing practices; add restrictions on the “sale” or “sharing” or transfer of personal information to third parties for purposes such as advertising or analytics; create new data privacy rights for consumers including the ability to limit the use of personal information for advertising; and carry

significant enforcement penalties for non-compliance, including monetary and injunctive relief. This patchwork may also give rise to conflicts or differing views of personal privacy rights. For example, certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to personal data than federal, international or other state laws, and such laws may differ from each other, all of which may complicate compliance efforts. We may expend significant resources attempting to comply with conflicting and overlapping state privacy regulations, and the cost and complexity of complying with such regulations could adversely affect our business or increase our potential liability if we fail to comply. This influx of state privacy regimes indicates a trend toward more stringent privacy legislation in the United States, including a potential federal privacy law, which could also increase our potential liability and adversely affect our business. In Europe, the General Data Protection Regulation 2016/679 (the “GDPR”) imposes a strict data protection compliance regime in relation to the collection and processing of personal data, and various European and other foreign laws also restrict the use of cookies, tracking technologies and certain marketing activities.

Future laws, regulations, standards and other obligations and changes in the interpretation of existing laws, regulations, standards and other obligations could impair our or our customers’ ability to collect, use or disclose information relating to consumers, which could decrease demand for our applications, restrict our business operations, or increase our costs and impair our ability to maintain and grow our customer base and increase our revenue. Such laws and regulations may require companies to implement privacy and security policies, permit users to exercise various data rights, inform individuals of security breaches that affect their personal data and, in some cases, obtain individuals’ consent to use personal data for certain purposes.

Any failure or perceived failure by us or our third-party service providers to comply with federal, state or foreign laws or regulations, industry standards, contractual obligations or other legal obligations, compliance frameworks with which we have contractually committed to comply, or any actual or suspected privacy or security incident, even if unfounded, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personal data or other data, may result in investigations and enforcement actions and prosecutions, private litigation (including class action lawsuits), fines, penalties and censure, claims for damages by customers and other affected individuals or adverse publicity and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. Additionally, plaintiffs have become increasingly active in bringing privacy-related claims against companies. Some of these claims allow for the recovery of statutory damages on a per violation basis and, if viable, carry the potential for significant statutory damages, depending on the volume of data and the number of violations.

We also publicly post our privacy policies and practices concerning our processing, use and disclosure of the personal data provided to us by our website visitors and by our customers and other individuals with whom we interact. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be unfair, deceptive or misrepresentative of our practices.

Moreover, if our platforms are perceived to cause, or are otherwise unfavorably associated with, violations of privacy or data security requirements, it may subject us or our customers to public criticism and potential legal liability. Existing and potential privacy laws and regulations concerning privacy and data security and increasing sensitivity of consumers to unauthorized processing of personal data may create negative public reactions to technologies, solutions and services such as ours. Public concerns regarding personal data processing, privacy and security may cause some of our customers’ end users to be less likely to visit their websites or otherwise interact with them. If enough end users choose not to visit our customers’ websites or otherwise interact with them, our customers could stop using our platforms. This, in turn, may reduce the value of our service, slow or eliminate the growth of our business or cause our business to contract.

Privacy is a key issue for us and for our customers. We have attained multiple privacy certifications, such as the Data Privacy Network, Privacy Recognition for Processors and the European Union Cloud Code of Conduct, Level 2. If we fail to maintain our privacy certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed solutions, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer.

If we fail to maintain our security attestations and certifications, our business, results of operations and financial condition may suffer.

Security is essential for us and for our customers. A number of our Okta Platform product offerings have attained multiple certifications, including SOC 2 Type II Attestations, CSA Star Level 2 Certification, ISO/IEC 27001:2022, ISO/IEC 27017:2015, ISO/IEC 27018:2019 and comply with many other international frameworks. Certain Okta Platform offerings maintain multiple agency FedRAMP Authorities to Operate and are compliant to operate at Department of Defense Impact Level 4. Certain Okta Platform offerings maintain minimum security requirements in alignment with the Security Rule of HIPAA. The Okta Platform also supports FIPS 140-2 encryption requirements. If we fail to maintain our security attestations and certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed products, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer.

We provide service level commitments under our customer contracts. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service, which could harm our business, results of operations and financial condition.

Our customer agreements contain service level commitments, under which we guarantee specified availability of our platforms. Any failure of or disruption to our infrastructure could make our platforms unavailable to our customers. If we are unable to meet the stated service level commitments to our customers or suffer extended periods of unavailability of our platforms, we have been, and could in the future be, contractually obligated to provide affected customers with service credits for future subscriptions. Our revenue, other results of operations and financial condition could be harmed if we suffer unscheduled downtime that exceeds the service level commitments under our agreements with our customers, and any extended service outages could adversely affect our business and reputation as customers may elect not to renew and we could lose future sales.

If we are unable to ensure that our solutions integrate or interoperate with a variety of operating systems, platforms, services, software applications devices, mobile phones and other hardware form factors that are developed by others, our platforms may become less competitive and our results of operations may be harmed.

The number of people who access the internet through mobile devices and access cloud-based software applications through mobile devices, including smartphones and handheld tablets or laptop computers, has increased significantly in the past several years and is expected to continue to increase. While we have created mobile applications and mobile versions of our solutions that are accessible on third-party application stores, if these mobile applications and solutions do not perform well, our business may suffer. Third-party application stores may also impose new requirements, including, for example, updates to their terms of access or policies on how we or our channel partners must collect, use and share data. Compliance with any such requirements could be costly or burdensome, and could prevent us from timely updating our current mobile applications or distributing new mobile applications. If we fail to comply with these requirements, we could lose access to, or be required to remove our mobile applications from, third-party application stores.

In addition, our solutions interoperate with servers, mobile devices and software applications predominantly through the use of protocols, many of which are created and maintained by third parties. As a result, we depend on the interoperability of our solutions with such third-party services, mobile devices and mobile operating systems, as well as cloud-enabled hardware, software, networking, browsers, database technologies and protocols that we do not control. Past and future changes in such technologies that degrade the functionality of our solutions or give preferential treatment to competitive services have, in the past and could, in the future, adversely affect adoption and usage of our platforms. Any change in our customers’ preference for cloud-based identity management or any shift towards on-premises systems could also adversely affect adoption and usage of our platforms. Also, we may not be successful in developing or maintaining relationships with key participants in the mobile industry or in developing solutions that operate effectively with a range of operating systems, networks, devices, browsers, protocols and standards. In addition, we may face different fraud, security and regulatory risks from transactions sent from mobile devices than we do from personal computers. If we are unable to effectively anticipate and manage these risks, or if it is difficult for our customers to access and use our platforms, our business, results of operations and financial condition may be harmed.

Our success also depends on the willingness of third-party developers and technology providers to build applications and provide integrations that are complementary to our service. Without the development of these

applications and integrations, both current and potential customers may not find our service sufficiently attractive and our business, results of operations and financial condition could suffer.

Interruptions or delays in the services provided by third-party data centers or internet service providers have, in the past and could, in the future, impair the delivery of our platforms and our business could suffer.

We rely on a number of third-party service providers to operate our services. For example, we host our platforms using AWS data centers and other third-party cloud infrastructure services. Our operations depend on protecting the virtual cloud infrastructure hosted in AWS or other cloud services by maintaining its configuration, architecture and interconnection specifications, as well as the information stored in these virtual data centers and which third-party internet service providers transmit. Service interruptions from such infrastructure providers have caused and could in the future cause outages on our platforms. Our solutions use resources operated by us in these locations. Although we have disaster recovery plans that use multiple virtual data center locations, any incident affecting their infrastructure, including events beyond our control, could negatively affect our platforms, harm our reputation and expose us to liability. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the third-party services we use.

We rely on software and services from other parties. Defects in or the loss of access to software or services from third parties could increase our costs and adversely affect the quality of our solutions.

We rely on technologies from third parties to operate critical functions of our business, including cloud infrastructure services and customer relationship management services. Our business would be disrupted if any of the third-party software or services we use, or functional equivalents, were unavailable due to defects in the software or services from those third parties, or because they are no longer available on commercially reasonable terms or prices. In each case, we would be required to either seek licenses to software or services from other parties and redesign our solutions to function with such software or services or develop substitutes ourselves, which would result in increased costs and could result in delays in launches or releases of new solutions until equivalent technology can be identified, licensed or developed and integrated into our solutions. Furthermore, we might be forced to limit the features available in our current or future solutions. These delays and feature limitations, if they occur, could harm our business, results of operations and financial condition.

Real or perceived errors, failures, vulnerabilities or bugs in our solutions, including deployment complexity, have in the past and could, in the future, harm our business and results of operations.

Errors, failures, vulnerabilities or bugs have, in the past and may, in the future, occur in our solutions, especially when updates are deployed or new solutions are rolled out, maintenance patches are applied or infrastructure, architectural or configuration changes are made. In the past, such issues have caused outages for our customers. Our platforms are often used in connection with large-scale computing environments with different operating systems, system management software, equipment and networking configurations, which may cause errors or failures of our solutions, or other aspects of the computing environment into which our solutions are deployed. In addition, deployment of our solutions into complicated, large-scale computing environments may expose errors, failures, vulnerabilities or bugs in our solutions. Any such errors, failures, vulnerabilities or bugs may not be found until after they are deployed to our customers.

We are committed to increasing our transparency with our customers and the public about our solutions and technology. This transparency, which may be more than is expected of companies in our industry, could lead to us publicly disclosing information that we would not otherwise be legally required to disclose, such as errors, failures, vulnerabilities or bugs in our solutions and technology. As a result, we could experience negative publicity that could harm our business. Any real or perceived errors, failures, vulnerabilities or bugs in our solutions or delays in or difficulties implementing our solutions, could also result in: loss, compromise, corruption or other unavailability of customer data; disruptions to our solutions or our customers’ products, systems, networks and operations; loss of business and new customers; loss of or delay in market acceptance of our solutions; a decrease in customer satisfaction or adoption rates; loss of competitive position; or claims by customers for losses sustained by them, all of which could harm our business, results of operations and financial condition.

Issues with our use, development, adoption, deployment and maintenance of AI Technologies, combined with an uncertain regulatory environment, may result in reputational harm, liability or other adverse consequences to our business operations.

We use internally developed and third-party developed machine learning and AI technologies (collectively, “AI Technologies”) in our offerings and business, and we are making investments in expanding our AI capabilities in our portfolio, including ongoing deployment and improvement of existing AI Technologies, as well as developing new product features using AI Technologies. We expect to rely on AI Technologies to help drive future growth and efficiency in our business. While our use of AI Technologies may become more important to our operations or to our future growth over time, we may not be able to realize the desired or anticipated benefits from AI in a timely or cost-effective manner.

AI Technologies are complex and rapidly evolving, and we face significant competition from other companies as well as an evolving regulatory landscape. For example, in the European Union, the EU Artificial Intelligence Act now establishes obligations on the use of AI based on the type of AI and its potential risks to society. Additionally, in the United States, legislation related to AI Technologies has been introduced at the federal level and is advancing at the state level. It is possible that further new laws and regulations will be adopted in the United States and in other non-U.S. jurisdictions, or that existing laws and regulations, including competition and antitrust laws, may be interpreted or challenged in ways that would limit our ability to use AI Technologies for our business, or require us to change the way we use AI Technologies in a manner that negatively affects the performance of our products, services, and business. We may need to expend resources to adjust our products or services in certain jurisdictions if the laws, regulations, or decisions are not consistent across jurisdictions. Further, the introduction of AI Technologies into new or existing solutions may result in new or enhanced governmental or regulatory scrutiny, litigation, confidentiality or security risks, ethical concerns or other complications that could adversely affect our business, reputation or financial results. For example, even if permitted by our privacy policy and contractual rights, our use of data in novel AI applications may, in time, expand beyond customer expectations. The intellectual property ownership and license rights, including copyright, surrounding AI Technologies has not been fully addressed by courts or national or local laws or regulations, and the use or adoption of third-party AI Technologies into our solutions may result in exposure to claims of copyright infringement or other intellectual property misappropriation.

In addition, we are working to incorporate generative AI Technologies (i.e., those that can produce and output new content, software code, data and information) into our offerings and internal business practices. Uncertainty around new and emerging AI Technologies, such as generative AI Technologies, may require additional investment in the development and maintenance of proprietary and third-party datasets and machine learning models, development of new approaches and processes to provide attribution or remuneration to creators of training data, and development of appropriate protections and safeguards for handling the use of customer data with AI Technologies, which may be costly and could impact our expenses as we continue to expand generative AI Technologies into our product offerings. If such investments do not deliver anticipated benefits or are not otherwise successful, our business and results of operations may be harmed. Furthermore, there is a risk that generative AI Technologies may create content that appears correct but is factually inaccurate or misleading, or that creates other discriminatory content or unexpected results or behaviors. Our customers or others may rely on or use this misleading content to their detriment, which may expose us to brand or reputational harm, competitive harm and/or legal liability. The use of AI Technologies presents emerging ethical and social issues, and if we enable or offer solutions that draw scrutiny or controversy due to their perceived or actual impact on customers or on society as a whole, we may experience brand or reputational harm, competitive harm and/or legal liability.

If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate less revenue and incur costly litigation to protect our rights.

Our success is dependent, in part, upon protecting our proprietary information and technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual restrictions to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Despite our precautions, it may be possible for unauthorized third parties to copy our solutions and use information that we regard as proprietary to create solutions that compete with ours. Some contract provisions protecting against unauthorized use, copying, transfer and disclosure of our solutions may be unenforceable under the laws of certain jurisdictions and foreign countries. Further, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States, and mechanisms for enforcement of intellectual property rights in some foreign countries may be inadequate. To the

extent we expand our international activities, our exposure to unauthorized copying and use of our solutions and proprietary information may increase. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our technology and intellectual property.

We rely in part on trade secrets, proprietary know-how and other confidential information to maintain our competitive position. Although we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances, no assurance can be given that these agreements will be effective in controlling access to and distribution of our solutions and proprietary information. Further, these agreements do not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our solutions.

To protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our solutions, impair the functionality of our solutions, delay introductions of new solutions, result in our substituting inferior or more costly technologies into our solutions or injure our reputation. In addition, we may be required to license additional technology from third parties to develop and market new solutions, and we cannot ensure that we can license that technology on commercially reasonable terms or at all, and our inability to license this technology could harm our ability to compete.

We have in the past and may, in the future, be subject to infringement claims, which could result in significant damage awards that could harm our results of operations.

There is considerable patent and other intellectual property development activity in our industry, and we expect that software companies will increasingly be subject to infringement claims as the number of solutions and competitors grows, and the functionality of solutions in different industry segments overlaps. In addition, the patent portfolios of many of our competitors are larger than ours, and this disparity may increase the risk that our competitors may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. Other companies have claimed in the past and may claim in the future, that we infringe upon their intellectual property rights. A claim may also be made relating to technology that we acquire or license from third parties. Further, we may be unaware of the intellectual property rights of others that may cover some or all of our technology.

Any claim of infringement, regardless of its merit or our defenses, could subject us to a number of risks described elsewhere in these risk factors, including those discussed under the title, “ If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate less revenue and incur costly litigation to protect our rights .”

We use open source software in our platforms, which could negatively affect our ability to offer our solutions and subject us to litigation or other actions.

We use open source software in our solutions and expect to use more open source software in the future. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate open source software into their products. However, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our solutions. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our results of operations and financial condition or require us to devote additional research and development resources to change our solutions. In addition, if we were to combine our proprietary software with open source software in a certain manner, we could, under certain of the open source licenses, be required to release the source code of our proprietary software to the public, which could open security risks as well as risks to exposing some of our trade secrets. This would allow our competitors to create similar solutions with less development effort and time. If we inappropriately use open source software, or if the license terms for open source software that we use change, we may be required to re-engineer our solutions, incur additional costs, discontinue the sale of some or all of our solutions or take other remedial actions. Some open

source software may include generative AI software or other software that incorporates or relies on generative AI or other AI technologies. The use of such software may expose us to risks as the intellectual property ownership and license rights, including copyright, of generative AI software and tools, has not been fully interpreted by U.S. courts or been fully addressed by federal or state regulation.

In addition to risks related to license requirements, usage of open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or assurance of title or controls on origin of the software. In addition, many of the risks associated with usage of open source software, such as security issues, potential loss of trade secret protection and the lack of warranties or assurances of title, cannot be eliminated, and could, if not properly addressed, negatively affect our business. We have established processes to help alleviate these risks, including a review process for screening requests from our development organizations for the use of open source software, but we cannot be sure that all of our use of open source software is in a manner that is consistent with our current policies and procedures, or will not subject us to liability.

Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.

Our agreements with customers and other third parties include provisions under which we agree to indemnify or otherwise be liable to them for losses suffered or incurred as a result of claims of intellectual property infringement, damages caused by us to property or persons, or other liabilities relating to or arising from the use of our platforms or other acts or omissions. From time to time, customers also require us to indemnify or otherwise be liable to them for breach of confidentiality, violation of applicable law, or failure to implement adequate security measures with respect to their data stored, transmitted or accessed using our platforms. The term of these contractual provisions often survives termination or expiration of the applicable agreement. Although we normally contractually limit our liability with respect to such obligations, the existence of such a dispute may have adverse effects on our customer relationship and reputation and we may still incur substantial liability or large indemnity payments. This could significantly increase our operating expenses, require us to restrict our business activities and limit our ability to deliver certain solutions, all of which could require significant time, effort and expense, harm our reputation and customer relationships and negatively affect our business.

Risks Related to Legal, Accounting and Tax Matters

Because we generally recognize revenue from our subscriptions and support services over the term of the relevant service period, a decrease in sales during a reporting period may not be immediately reflected in our results of operations for that period.

We generally recognize revenue from subscriptions and related support services revenue ratably over the relevant service period. Net new revenue from new subscriptions, upsells and renewals entered into during a period can generally be expected to generate revenue for the duration of the service period. As a result, most of the revenue we report in each period is derived from the recognition of deferred revenue relating to subscriptions and support services contracts entered into during previous periods. Consequently, a decrease in new or renewed subscriptions in any single reporting period will have a limited impact on our revenue for that period, but will negatively affect our revenue in future periods. In addition, our ability to adjust our cost structure in the event of a decrease in new or renewed subscriptions may be limited.

Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from customers is generally recognized over the applicable service period. Additionally, due to the complexity of certain of our customer contracts, the actual revenue recognition treatment required under relevant accounting principles generally accepted in the United States (“GAAP”) will depend on contract-specific terms and may result in greater variability in revenue from period to period.

In addition, a decrease in new subscriptions or renewals in a reporting period may not have an immediate impact on billings for that period.

We face exposure to foreign currency exchange rate fluctuations.

Today, a vast majority of our customer contracts are denominated in U.S. dollars. Over time, however, an increasing portion of our international customer contracts may be denominated in local currencies. In addition, the majority of our international costs are denominated in local currencies. As a result, fluctuations in the value of the

U.S. dollar and foreign currencies, including as a result of, for example, geopolitical events, changes in trade policies, trade restrictions and economic sanctions, or the threat of such actions, and market volatility, may affect our results of operations when translated into U.S. dollars. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.

We are subject to anti-corruption, anti-bribery and similar laws, and non-compliance with such laws can subject us to criminal penalties or significant fines and harm our business and reputation.

We are subject to anti-corruption and anti-bribery and similar laws, such as the U.S. Foreign Corrupt Practices Act of 1977, as amended (the “FCPA”), the U.S. domestic bribery statute contained in 18 U.S.C. § 201, U.S. Travel Act, the USA PATRIOT Act, the U.K. Bribery Act 2010 and other anti-corruption, anti-bribery and anti-money laundering laws in countries in which we conduct activities. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly and prohibit companies and their employees and agents from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the private sector. As we increase our international sales and business, our risks under these laws may increase.

In addition, we use channel partners to sell our solutions and conduct business on our behalf. We or such partners may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and under certain circumstances we could be held liable for the corrupt or other illegal activities of such partners and our employees, representatives, contractors, partners and agents, even if we do not explicitly authorize such activities.

Noncompliance with the FCPA, other applicable anti-corruption laws or anti-money laundering laws could subject us to investigations, whistleblower complaints, sanctions, settlements, prosecution and other enforcement actions within the U.S. and internationally, which could have a material adverse effect on our reputation, business, results of operations and financial condition.

We are subject to governmental export controls and economic sanctions laws that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.

Our business activities are subject to various restrictions under U.S. export controls and trade and economic sanctions laws, which include prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries, governments, persons and entities and also require authorization for the export of encryption items. In addition, various countries regulate the import of certain encryption technology, including through import and licensing requirements, and have enacted laws that could limit our ability to distribute our service or could limit our customers’ ability to implement our service in those countries. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and monetary penalties. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Although we take precautions to prevent our solutions from being provided in violation of such laws, these laws are subject to change and interpretation over time. Our solutions may have been in the past, and could in the future be, provided inadvertently in violation of such laws, despite the precautions we take. This could result in negative consequences to us, including government investigations, penalties and harm to our reputation.

Our international operations may give rise to potentially adverse tax consequences.

We are expanding our international operations and staff to better support our growth into certain international markets. Our corporate structure and associated transfer pricing policies anticipate future growth into certain international markets. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany

transactions, which are generally required to be computed on an arm’s-length basis pursuant to intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur and our position was not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced net cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency.

Changes in tax laws or regulations in the various tax jurisdictions we are subject to that are applied adversely to us or our customers could increase the costs of our solutions and harm our business.

New income, sales, use, value-added or other transaction level taxes (including digital services taxes), tax laws, statutes, rules, regulations or ordinances could be enacted at any time. Those enactments could adversely impact our domestic and international business operations and our business and financial performance. Further, existing tax laws, statutes, rules, regulations or ordinances could be interpreted, changed, modified or applied adversely to us. These events could require us or our customers to pay additional tax amounts on a prospective or retroactive basis, as well as require us or our customers to pay fines and/or penalties and interest for past amounts deemed to be due. If we raise our prices to offset the costs of these additional taxes, existing and potential future customers may elect not to purchase our solutions in the future. Additionally, new, changed, modified or newly interpreted or applied tax laws could increase our compliance, operating and other costs, as well as the costs of our solutions to our customers. Further, these events could decrease the capital we have available to operate our business. Any or all of these events could harm our business and financial performance. For example, various legislative and regulatory actions and proposals, such as in the United States, the Organisation for Economic Co-operation and Development and the EU, have increasingly focused on future tax reform and contemplate changes to long-standing tax principles, which could adversely affect our liquidity and results of operations.

As a multinational organization, we may be subject to taxation in certain jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents, which could harm our liquidity and results of operations. In addition, the authorities in these jurisdictions could review our tax returns and impose additional tax, interest and penalties, and the authorities could claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries, any of which could harm us and our results of operations.

Our business may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, foreign or other authorities to collect additional or past sales tax could harm our business.

State, foreign and local taxing jurisdictions have differing rules and regulations governing sales, use and other indirect taxes (including digital services taxes), and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of certain sales, value-added and digital services taxes to our platforms in various jurisdictions is unclear. It is possible that we could face tax audits and that our liability for these taxes could exceed our estimates as tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We could also be subject to audits in states and international jurisdictions for which we have not accrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes on our solutions and services in jurisdictions where we have not historically done so and do not accrue for such taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our solutions or otherwise harm our business, results of operations and financial condition.

We file sales tax returns in certain state and local jurisdictions within the United States as required by law and certain customer contracts for a portion of the solutions that we provide. We do not collect sales or other similar taxes in other state and local jurisdictions and many of such jurisdictions do not apply sales or similar taxes to the vast majority of the solutions that we provide. However, one or more state, local or foreign authorities could seek to impose additional sales, use or other tax collection and record-keeping obligations on us or may determine that such taxes should have, but have not been, paid by us. Liability for past taxes may also include substantial interest and penalty charges. Any successful action by state, foreign or other authorities to compel us to collect and remit sales tax, use tax or other taxes, either retroactively, prospectively or both, could harm our business, results of operations and financial condition.

Our ability to use our U.S. net operating loss carry-forwards and certain other tax attributes may be limited.

Under Section 382 of the Internal Revenue Code of 1986, as amended, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in its equity ownership over a three-year period, the corporation’s ability to use its pre-change net operating loss carry-forwards and other pre-change tax attributes, such as research tax credits and distributed interest deduction carryover, to offset its post-change income may be limited. We have experienced ownership changes in the past and any such ownership change in the future could result in increased future tax liability. In addition, we may experience ownership changes in the future as a result of subsequent shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change net operating loss carry-forwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us.

If we fail to maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.

The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. To satisfy this obligation, we expend significant resources, including accounting-related costs and significant management oversight. If any of these controls and systems do not perform as expected, we may experience material weaknesses or significant deficiencies in our controls. Our controls may also become inadequate because of changes in conditions in our business. We may discover any such weaknesses or deficiencies in the future and be required to restate our financial statements for prior periods.

Ineffective internal controls over financial reporting could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports that are filed with the SEC. For example, investors could lose confidence in our reported financial and other information; we could fail to satisfy our SEC, Nasdaq or other reporting obligations, or become subject to sanctions or investigations by regulators; and the price of our Class A common stock could decline.

Changes in existing financial accounting standards or practices, or taxation rules or practices, may harm our results of operations.

Changes in existing accounting or taxation rules or practices, new accounting pronouncements or taxation rules, or varying interpretations of current accounting pronouncements or taxation practice could harm our results of operations or the manner in which we conduct our business. Further, such changes could potentially affect our reporting of transactions completed before such changes are effective.

GAAP are subject to interpretation by the Financial Accounting Standards Board (“FASB”), the SEC and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results and could affect the reporting of transactions completed before the announcement of a change. Adoption of such new standards and any difficulties in implementation of changes in accounting principles, including the ability to modify our accounting systems, could cause us to fail to meet our financial reporting obligations, which could result in regulatory discipline and harm investors’ confidence in us.

If our estimates or judgments relating to our critical accounting policies prove to be incorrect, our results of operations could be adversely affected.

The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities and equity and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include, but are not limited to those referenced in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” Our results of operations may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our

results of operations to fall below the expectations of securities analysts and investors, resulting in a decline in the trading price of our Class A common stock.

Risks Related to Ownership of Our Class A Common Stock

The stock price of our Class A common stock may be volatile or may decline.

The trading price of our Class A common stock has been, and in the future may be, subject to substantial volatility and wide fluctuations. For example, from February 1, 2025 through January 31, 2026, the trading price of our Class A common stock has ranged from $75.05 per share to $127.57 per share. The market price of our Class A common stock fluctuates significantly in response to numerous factors, many of which are beyond our control, including, but not limited to, the factors described elsewhere in these risk factors as well as:

• overall performance of the equity markets and/or publicly-listed technology companies;

• volatility in the market prices and trading volumes of technology and high-growth companies generally, or those in our industry in particular;

• actual or anticipated fluctuations in our revenue or other financial or operating metrics;

• our ability to meet or exceed forward-looking guidance we have given, our ability to give forward-looking guidance consistent with past practices, and changes to or withdrawal of previous guidance or long-range targets;

• our inability to execute on our publicly announced stock repurchase program as planned, including failure to meet internal or external expectations around the timing or price of share repurchases, and any reductions or discontinuances of repurchases thereunder;

• failure of securities analysts to initiate or maintain coverage of us, changes in financial estimates and/or recommendations by any securities analysts who follow our company;

• our failure to meet the estimates or the expectations of securities analysts or investors;

• actions and investment positions taken by institutional and other stockholders, including activist investors;

• recruitment or departure of key personnel;

• rumors and market speculation involving us or other companies in our industry;

• announcements by us or our competitors of significant innovations, acquisitions, strategic partnerships, joint ventures or capital commitments; and

• sales of additional shares of our Class A common stock by us, our directors, our officers or our stockholders.

In addition, stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. Stock prices of many companies, including technology companies and high-growth, unprofitable companies in particular, have fluctuated in a manner unrelated or disproportionate to the operating performance of those companies. In the past, stockholders have instituted securities class action litigation following periods of market volatility. Our involvement in securities litigation has, in the past and could, in the future, subject us to substantial costs, divert resources and the attention of management from our business and harm our business.

The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and their affiliates, who held in the aggregate 32% of the voting power of our capital stock as of January 31, 2026. This will limit or preclude your ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets or other major corporate transaction requiring stockholder approval.

Our Class B common stock has ten votes per share and our Class A common stock has one vote per share. As of January 31, 2026, our directors, executive officers and their affiliates held in the aggregate 32% of the voting

power of our capital stock, taking into account shares of our common stock subject to options that are currently exercisable or exercisable within 60 days of January 31, 2026 and restricted stock units (“RSUs”) that are releasable within 60 days of January 31, 2026. Because of the ten-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively could continue to control nearly a majority of the combined voting power of our common stock and be able to effectively control all matters submitted to our stockholders for approval until April 12, 2027, the date that is the ten-year anniversary of the closing of our IPO. This concentrated control may limit or preclude your ability to influence corporate matters for the foreseeable future, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.

Future transfers by holders of Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, such as certain transfers effected for estate planning purposes. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those holders of Class B common stock who have retained their shares.

Sales of a substantial number of shares of our Class A common stock in the public markets, or the perception that sales might occur, could cause the market price of our Class A common stock to decline.

Sales of a substantial number of shares of our Class A common stock into the public market, particularly sales by our directors, executive officers and principal stockholders, or the perception that these sales might occur, could cause the market price of our Class A common stock to decline.

In addition, we have options outstanding that, if fully exercised, would result in the issuance of shares of our Class A and Class B common stock. We also have RSUs outstanding that, if vested and settled, would result in the issuance of shares of Class A common stock. All of the shares of Class A and Class B common stock issuable upon the exercise of stock options and vesting of RSUs and the shares reserved for future issuance under our equity incentive plans, are registered for public resale under the Securities Act of 1933, as amended (“Securities Act”). Accordingly, these shares will be able to be freely sold in the public market upon issuance, subject to applicable vesting requirements.

Furthermore, a substantial number of shares of our Class A common stock is reserved for issuance upon the exercise of the 2026 Notes (as defined below). If we elect to satisfy our conversion obligation on the 2026 Notes solely in shares of our Class A common stock upon conversion of the 2026 Notes, we will be required to deliver the shares of our Class A common stock, together with cash for any fractional share, on the second business day following the relevant conversion date.

We cannot guarantee that our Share Repurchase Program will be fully consummated or will enhance long-term stockholder value, and stock repurchases could increase the volatility of the trading price of our Class A common stock and diminish our cash reserves.

On January 5, 2026, we announced that our board of directors (our “board”) approved a stock repurchase program with authorization to purchase up to $1 billion of our Class A common stock from time to time (the “Share Repurchase Program”). As of January 31, 2026, a total of $921 million remained available for repurchase under the Share Repurchase Program. Repurchases under the Share Repurchase Program are made in the open market, through privately negotiated transactions or other means, including pursuant to Rule 10b5-1 trading arrangements, and in compliance with applicable securities laws and other requirements. The timing, manner, price, and amount of the Share Repurchase Program is subject to the discretion of our management. The Share Repurchase Program does not obligate us to acquire a specified number of shares, and may be suspended, modified, or terminated at any time, without prior notice. We may not be able to repurchase shares at favorable prices. Further, our share repurchases could affect the trading price of our Class A common stock, increase its volatility, reduce our cash reserves, and may be suspended or terminated at any time, which may result in a lower market valuation of our Class A common stock.

If securities or industry analysts do not publish or cease publishing research, or publish inaccurate or unfavorable research, about our business, the price of our Class A common stock and trading volume could decline.

The trading market for our Class A common stock will depend in part on the research and reports that securities or industry analysts publish about us or our business. If industry analysts do not publish or cease

publishing research on our company, the trading price for our Class A common stock would be negatively affected. If one or more of the analysts who cover us downgrade our Class A common stock or publish inaccurate or unfavorable research about our business, our Class A common stock price would likely decline. If one or more of these analysts cease coverage of us or fail to publish reports on us on a regular basis, demand for our Class A common stock could decrease, which might cause our Class A common stock price and trading volume to decline.

We do not intend to pay dividends for the foreseeable future.

We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the operation of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board. Accordingly, investors must rely on sales of their Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.

Provisions in our charter documents and under Delaware law could make an acquisition of our company more difficult, limit attempts by our stockholders to replace or remove our current board and limit the market price of our Class A common stock.

Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a change of control or changes in our management. Our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:

• provide that our board is classified into three classes of directors with staggered three-year terms;

• permit our board to establish the number of directors and fill any vacancies and newly-created directorships;

• require super-majority voting to amend some provisions in our amended and restated certificate of incorporation and amended and restated bylaws;

• authorize the issuance of “blank check” preferred stock that our board could use to implement a stockholder rights plan;

• provide that only the Chairperson of our board, our Chief Executive Officer or a majority of our board are authorized to call a special meeting of stockholders;

• provide for a dual class common stock structure in which holders of our Class B common stock have the ability to effectively control the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the outstanding shares of our Class A and Class B common stock, including the election of directors and significant corporate transactions, such as a merger or other sale of our company or its assets;

• prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders;

• provide that our board is expressly authorized to make, alter or repeal our bylaws; and

• advance notice requirements for nominations for election to our board or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.

Moreover, Section 203 of the Delaware General Corporation Law may discourage, delay or prevent a change in control of our company. Section 203 imposes certain restrictions on mergers, business combinations and other transactions between us and holders of 15% or more of our common stock.

Our amended and restated bylaws designate a state or federal court located within the State of Delaware as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit stockholders’ ability to obtain a favorable judicial forum for disputes with us.

Our amended and restated bylaws provide that the Court of Chancery of the State of Delaware will be the exclusive forum for:

• any derivative action or proceeding brought on our behalf;

• any action asserting a breach of fiduciary duty;

• any action asserting a claim against us arising pursuant to the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws; or

• any action asserting a claim against us that is governed by the internal affairs doctrine.

This choice of forum provision may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or any of our directors, officers or other employees, which may discourage lawsuits with respect to such claims. Alternatively, if a court were to find the choice of forum provision contained in our amended and restated certificate of incorporation to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, results of operations and financial condition.

Risks Related to our Outstanding Convertible Notes

Servicing our debt may require a significant amount of cash. We may not have sufficient cash flow from our business to pay our indebtedness.

We have issued convertible notes due in 2026 (the “2026 Notes”). Our ability to make scheduled payments of the principal of, to pay interest on or to refinance our indebtedness, including the 2026 Notes, depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Our ability to refinance or raise any future indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, any of our future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt.

We may not have the ability to raise the funds necessary for cash settlement upon conversion of the 2026 Notes or to repurchase them for cash upon a fundamental change, and our future debt may contain limitations on our ability to pay cash upon conversion of the 2026 Notes or to repurchase the 2026 Notes.

Holders of the 2026 Notes have the right to require us to repurchase their 2026 Notes upon the occurrence of a fundamental change (as defined in the indentures governing their respective Notes) at a repurchase price equal to 100% of the principal amount of the 2026 Notes to be repurchased, plus accrued and unpaid interest, if any. Upon conversion of the 2026 Notes, unless we elect to deliver solely shares of our Class A common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the 2026 Notes being converted. We may not have enough available cash or be able to obtain financing at the time we are required to make repurchases of 2026 Notes surrendered or those being converted. In addition, our ability to repurchase the 2026 Notes or to pay cash upon conversions of the 2026 Notes may be limited by law, by regulatory authority or by agreements governing our future indebtedness. Our failure to repurchase 2026 Notes at a time when the repurchase is required by the indenture governing such notes or to pay any cash payable on future conversions of the 2026 Notes as required by such indenture would constitute a default under such indenture. A default under the indenture governing the 2026 Notes or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the 2026 Notes or make cash payments upon conversions.

In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could:

• make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry and competitive conditions and adverse changes in government regulation;

• limit our flexibility in planning for, or reacting to, changes in our business and our industry;

• place us at a disadvantage compared to our competitors who have less debt;

• limit our ability to borrow additional amounts to fund acquisitions, for working capital and for other general corporate purposes; and

• make an acquisition of our company less attractive or more difficult.

Any of these factors could harm our business, results of operations and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.

The conversion features of the 2026 Notes, if triggered, may adversely affect our financial condition and results of operations.

In the event the conditional conversion features of the 2026 Notes are triggered, holders of the 2026 Notes will be entitled to convert them at any time during specified periods at their option. If one or more holders elect to convert their 2026 Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our Class A common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. From the date of issuance through January 31, 2026, the conditions allowing holders of the 2026 Notes to convert were not met. As of January 31, 2026, the 2026 Notes are classified as a current liability due to their upcoming maturity on June 15, 2026.

Transactions relating to the 2026 Notes may affect the value of our Class A common stock.

The conversion of some or all of the 2026 Notes would dilute the ownership interests of existing stockholders to the extent we satisfy our conversion obligation by delivering shares of our Class A common stock upon any conversion of such notes. Our 2026 Notes may become in the future convertible at the option of their holders under certain circumstances. If holders of the 2026 Notes elect to convert their notes, we may settle our conversion obligation by delivering to them a significant number of shares of our Class A common stock, which would cause dilution to our existing stockholders. We have in the past and may in the future, engage in exchanges, repurchase or induce conversions of the 2026 Notes. Holders of the 2026 Notes that participate in any of these exchanges, repurchases or induced conversions may enter into or unwind various derivatives with respect to our Class A common stock or sell shares of our Class A common stock in the open market to hedge their exposure in connection with these transactions. These activities could decrease (or reduce the size of any increase in) the market price of our Class A common stock or the 2026 Notes, or dilute the ownership interests of our stockholders. In addition, the market price of our Class A common stock is likely to be affected by short sales of our Class A common stock or the entry into or unwind of economically equivalent derivative transactions with respect to our Class A common stock by investors that do not participate in the exchange transactions and by the hedging activity of the counterparties to our capped call transactions (“Capped Calls”) or their respective affiliates.

In addition, in connection with the issuance of the 2026 Notes, we entered into Capped Calls with certain financial institutions (the “Option Counterparties”). The Capped Calls are generally expected to reduce potential dilution to our Class A common stock upon any conversion or settlement of the 2026 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2026 Notes, as the case may be, with such reduction and/or offset subject to a cap. If we unwind the Capped Calls in connection with 2026 Notes repurchases or otherwise, we would lose the anti-dilutive impact of any unwound Capped Calls.

From time to time, the Option Counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivative transactions with respect to our Class A common stock and/or purchasing or selling our Class A common stock or other securities of ours in secondary market transactions prior to the maturity of the 2026 Notes. This activity could cause a decrease in the market price of our Class A common stock.

General Risk Factors

We depend on our executive officers and other key employees, and the loss of one or more of these employees or an inability to attract and retain other highly skilled employees could harm our business.

Our success depends largely upon the continued services of our executive officers and other key employees. From time to time, there may be changes in our executive management team resulting from the hiring or departure of executives. We do not have employment agreements with our executive officers or other key personnel that require them to continue to work for us for any specified period and they could terminate their employment with us

at any time. The loss of one or more of our executive officers or key employees, and any failure to have in place and execute an effective succession plan for key executives, could harm our business. In addition, to execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel in the San Francisco Bay Area, where our headquarters is located, and in other locations where we maintain offices, is intense, especially for engineers experienced in designing and developing software and SaaS applications and experienced sales professionals. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications, and may not be able to fill positions in the desired regions or at all. Our efforts to attract new personnel may be compounded by intensified restriction on travel, changes to immigration policy or the availability of work visas. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects could be harmed.

Catastrophic events may disrupt our business.

Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could harm our business. We have a large employee presence in San Francisco, California, and the west coast of the United States contains active earthquake and wildfire zones which have the potential to disrupt our business. Communications systems and infrastructure could be damaged or interrupted at any time due to a major catastrophic event such as an earthquake, hurricane, fire or flood; power loss or a telecommunications failure; an unauthorized or malicious act such as a cyber-attack, war or terrorist attack; a health epidemic; or similar events or disruptions. Such events could result in reputational harm, delays in our application development, breaches of data security and loss of critical data. While we have backup systems for certain aspects of our operations, disaster recovery planning by its nature cannot be sufficient for all eventualities. In addition, the insurance we maintain may be insufficient to compensate for losses from a major interruption.

Item 7. MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS

The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. Amounts reported in millions are rounded based on the amounts in thousands. As a result, the sum of the components reported in millions may not equal the total amount reported in millions due to rounding. In addition, percentages presented may not add to their respective totals or recalculate due to rounding. In addition to historical financial information, the following discussion contains forward-looking statements that are based upon current plans, expectations and beliefs that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth under the section titled “Risk Factors” under Part I, Item 1A of this Annual Report on Form 10-K. Our fiscal year ends January 31. References to fiscal 2026, for example, refer to the fiscal year ended January 31, 2026.

Overview

We are the leading independent identity partner. Our Okta Platform and Auth0 Platform enable our customers to securely connect the right people to the right technologies and services at the right time. Every day, thousands of organizations and millions of people use our platforms to securely access a wide range of cloud, mobile, web and Software-as-a-Service (“SaaS”) applications, on-premises servers, application programming interfaces (“APIs”), IT infrastructure providers, and services from a multitude of devices. For IT and security leaders, the Okta Platform governs the seamless and secure access by human users and non-human identities (“NHIs”) to the applications they need to do their most important work. We are expanding these capabilities to include AI agents with the introduction of new product offerings currently in development and early access. Developers leverage our Okta Platform and Auth0 Platform to securely and efficiently embed identity for both human users and, increasingly, AI agents into the software they build, allowing them to innovate and focus on their core mission.

Our customers consist of leading global organizations ranging from the largest enterprises to small- and medium-sized businesses, universities, nonprofits and government agencies. We partner with a broad range of application, IT infrastructure and security vendors through our Okta Integration Network. As of January 31, 2026, we had over 7,000 integrations with these cloud, mobile and web applications, and IT infrastructure and security vendors.

We employ a SaaS business model and generate revenue primarily by selling multi-year subscriptions to our cloud-based offerings. We focus on attracting and retaining our customers by building on and increasing the value we provide to them over time. This commitment to our customers’ success helps drive increased customer investment in the number of users of our Okta Platform and Auth0 Platform and adoption of our additional product offerings. We sell our product offerings directly through our field and inside sales teams, as well as indirectly through our network of channel partners, including cloud marketplaces, resellers, system integrators and other distribution partners. Our subscription fees include the use of our service and our technical support and management of our platforms. We base subscription fees primarily on the solutions used and the number of users on our platforms. We typically invoice customers in advance in annual installments for subscriptions to our platforms.

Our revenue is relatively predictable as a result of our subscription-based business model, which constituted approximately 98% of total revenue for fiscal 2026. Future growth may be impacted by longer sales cycles, which we have experienced, which in turn, could result in delays in deals closing, creating near-term headwinds for cash flow, remaining performance obligations (“RPO”) and billings growth as well as potential future impacts on revenue growth and other key metrics on a trailing basis.

Impact of Cybersecurity Incidents

In the past we have experienced cybersecurity incidents, such as the January 2022 incident involving one of our third-party service providers and the October 2023 incident where a threat actor gained unauthorized access to and stole information from our third-party customer support system, that harmed our reputation and customer relations and adversely impacted our financial results. While we expect the impact of these security incidents to adversely affect our future financial performance, we cannot predict the extent of such impact with certainty. Due to

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

the nature of our business, the announcement of any security incidents, even if not significant, could have these impacts.

Impact of Current Economic Conditions

Worldwide economic and political uncertainties and negative trends, including financial and credit market fluctuations, tariffs and increasing trade protectionism, changes in government spending levels, uncertainty in the banking sector, changing interest rates, inflation and other impacts from the macroeconomic environment have, and could continue to, adversely affect our business operations or financial results. As we continue to monitor the direct and indirect impacts of these circumstances, the broader implications of these macroeconomic and political events on our business, results of operations and overall financial position remain uncertain. See the section titled “ Risk Factors ” included under Part I, Item 1A above for further discussion of the possible impact of these factors and other risks on our business.

Financial Information and Segments

We operate our business as one reportable segment. For fiscal 2026, 2025 and 2024, our revenue was $2,919 million, $2,610 million and $2,263 million, respectively, representing a growth rate of 12% and 15% in fiscal 2026 and 2025, respectively. For fiscal 2026 and 2025, we generated net income of $235 million and $28 million, respectively, and for fiscal 2024, we generated a net loss of $355 million. Our accumulated deficit as of January 31, 2026 was $2,567 million.

Key Business Metrics

We review a number of operating and financial metrics, including the following key metrics, to evaluate our business, measure our performance, identify trends affecting our business, formulate business plans, and make strategic decisions.

As of January 31,

(dollars in millions)

Customers with annual contract value (“ACV”) above $100,000

Dollar-based net retention rate for the trailing 12 months ended

Current remaining performance obligations

Remaining performance obligations

Number of Customers with Annual Contract Value Above $100,000

The number of customers who have greater than $100,000 in ACV with us was 5,100, 4,800 and 4,485 as of January 31, 2026, 2025 and 2024, respectively. We expect this trend to continue as larger enterprises recognize the value of our platforms and replace their legacy identity access management infrastructure. We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution, or a distinct business unit of a large company that has an active contract with us or one of our partners to access our platforms. For purposes of determining our customer count, we do not include customers that use our platforms under self-service arrangements only.

Dollar-Based Net Retention Rate

Part of our ability to generate revenue is dependent upon our ability to maintain our relationships with our customers and to increase their utilization of our platforms. We believe we can achieve these goals by focusing on delivering value and functionality that enables us to both retain our existing customers and expand the number of users and solutions used within an existing customer. One way that we assess our performance in this area by measuring our Dollar-Based Net Retention Rate. Our Dollar-Based Net Retention Rate measures our ability to increase revenue across our existing customer base through expansion of users and solutions associated with a customer as offset by churn and contraction in the number of users and/or solutions associated with a customer.

Our Dollar-Based Net Retention Rate is based upon our ACV which is calculated based on the terms of that customer’s contract and represents the total contracted annual subscription amount as of that period end. We

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

calculate our Dollar-Based Net Retention Rate as of a period end by starting with the ACV from all customers as of twelve months prior to such period end (“Prior Period ACV”). We then calculate the ACV from these same customers as of the current period end (“Current Period ACV”). Current Period ACV includes any upsells and is net of contraction or churn over the trailing twelve months but excludes ACV from new customers in the current period. We then divide the Current Period ACV by the Prior Period ACV to arrive at our Dollar-Based Net Retention Rate. Our Dollar-Based Net Retention Rate is inclusive of ACV from self-service customers.

Our Dollar-Based Net Retention Rate is primarily attributable to our healthy gross retention, an expansion of users and upselling additional solutions within our existing customers. Larger enterprises often implement a limited initial deployment of our platforms before increasing their deployment on a broader scale. The decrease in our Dollar-Based Net Retention Rate as of January 31, 2026, compared to January 31, 2025, was primarily a result of the macroeconomic environment, with overall ACV from existing customers increasing at a slower rate in the current period.

Remaining Performance Obligations (“RPO”)

RPO represent all future, non-cancelable, contracted revenue under our subscription contracts with customers that has not yet been recognized, inclusive of deferred revenue that has been invoiced and non-cancelable amounts that will be invoiced and recognized as revenue in future periods. Current RPO represents the portion of RPO expected to be recognized during the next 12 months. RPO fluctuates due to a number of factors, including the timing, duration and dollar amount of customer contracts and fluctuations in foreign currency exchange rates.

Components of Results of Operations

Revenue

Subscription Revenue.  Subscription revenue primarily consists of fees for access to and usage of our cloud-based platforms and related support. Subscription revenue is driven primarily by the number of customers, the number of users per customer and the solutions used. We typically invoice customers in advance in annual installments for subscriptions to our platforms.

Professional Services and Other . Professional services revenue includes fees from assisting customers in implementing and optimizing the use of our solutions. These services include application configuration, system integration and training services.

We generally invoice customers as the work is performed for time-and-materials arrangements, and up front for fixed fee arrangements. Professional services revenue is recognized as the services are performed.

Overhead Allocation and Employee Compensation Costs

We allocate shared costs, such as facilities costs (including rent, utilities and depreciation on assets shared by all departments), certain information technology costs, security costs and recruiting costs to all departments based on headcount. As such, allocated shared costs are reflected in each of the cost of revenue and operating expense categories. Employee compensation costs reflected in each of the cost of revenue and operating expense categories include salaries, bonuses, compensation related taxes, benefits and stock-based compensation. Additionally included in the sales and marketing expense category are sales commissions and related taxes.

Cost of Revenue and Gross Margin

Cost of Subscription . Cost of subscription primarily consists of expenses related to hosting our services and providing support. These expenses include employee-related costs associated with our cloud-based infrastructure, our product security organization and our customer support organization, third-party hosting fees, software and maintenance costs, outside services associated with the delivery of our subscription services, amortization expense associated with capitalized internal-use software and acquired developed technology and allocated overhead.

We intend to continue to invest additional resources in our platform infrastructure, our platforms’ support organizations and security posture. We will continue to invest in technology innovation and we anticipate that costs qualifying for capitalization of internal-use software costs and related amortization may fluctuate over time. We

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

expect our investment in technology to expand the capability of our platforms, enabling us to improve our gross margin over time. The level and timing of investment in these areas could affect our cost of subscription revenue in the future.

Cost of Professional Services and Other . Cost of professional services consists primarily of employee-related costs for our professional services delivery team, travel-related costs, allocated overhead and costs of outside services associated with supplementing our professional services delivery team. The cost of providing professional services has historically been higher than the associated revenue we generate.

Gross Margin . Gross margin is gross profit expressed as a percentage of total revenue. Our gross margin may fluctuate from period to period as a result of the timing and amount of investments to expand our hosting capacity and our continued efforts to build platform support and professional services teams.

Operating Expenses

Research and Development. Research and development expenses consist primarily of employee compensation costs and allocated overhead. We believe that continued investment in our platforms is important for our growth.

Sales and Marketing.  Sales and marketing expenses consist primarily of employee compensation costs, costs of general marketing and promotional activities, travel-related expenses, amortization expense associated with acquired customer relationships and trade names and allocated overhead. Commissions earned by our sales force that are considered incremental and recoverable costs of obtaining a contract with a customer are deferred and then amortized on a straight-line basis over a period of benefit that we have determined to be generally five years.

General and Administrative. General and administrative expenses consist primarily of employee compensation costs for finance, accounting, legal, information technology and human resources personnel. In addition, general and administrative expenses include acquisition and integration-related costs, non-personnel costs, such as legal, accounting and other professional fees, charitable contributions, allocated overhead and all other supporting corporate expenses.

Restructuring and Other Charges. Restructuring and other charges consist primarily of personnel costs, such as notice period, employee severance payments and termination benefits. In addition, restructuring and other charges include certain lease impairment charges.

Interest and Other, Net

Interest and other, net consists of interest expense, which primarily includes amortization of debt issuance costs and contractual interest expense for our convertible senior notes, interest income from our investment holdings, gains on early extinguishment of debt and gains and losses from our strategic investments.

Provision for Income Taxes

Our provision for income taxes consists of federal and state income taxes in the United States and income taxes in certain foreign jurisdictions where we operate.

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

Results of Operations

The following table sets forth our results of operations for the periods presented:

Year Ended January 31,

(dollars in millions)

Revenue

Subscription

Professional services and other

Total revenue

Cost of revenue

Subscription (1)

Professional services and other (1)

Total cost of revenue

Gross profit

Operating expenses

Research and development (1)

Sales and marketing (1)

General and administrative (1)

Restructuring and other charges

Total operating expenses

Operating income (loss)

Interest expense

Interest income and other, net

Gain on early extinguishment of debt

Interest and other, net

Income (loss) before provision for income taxes

Provision for income taxes

Net income (loss)

(1) Includes stock-based compensation expense as follows:

Year Ended January 31,

(dollars in millions)

Cost of subscription revenue

Cost of professional services and other revenue

Research and development

Sales and marketing

General and administrative

Total stock-based compensation expense

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

The following table sets forth our results of operations for the periods presented as a percentage of our total revenue:

Year Ended January 31,

Revenue

Subscription

Professional services and other

Total revenue

Cost of revenue

Subscription

Professional services and other

Total cost of revenue

Gross profit

Operating expenses

Research and development

Sales and marketing

General and administrative

Restructuring and other charges

Total operating expenses

Operating income (loss)

Interest expense

Interest income and other, net

Gain on early extinguishment of debt

Interest and other, net

Income (loss) before provision for income taxes

Provision for income taxes

Net income (loss)

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

A discussion regarding our financial condition and results of operations for fiscal 2026 compared to fiscal 2025 is presented below. A discussion regarding our financial condition and results of operations for fiscal 2025 compared to fiscal 2024 can be found under Item 7 in our Annual Report on Form 10-K for fiscal 2025, filed with the SEC on March 5, 2025, which is available free of charge on the SEC’s website at www.sec.gov and our Investor Relations website at investor.okta.com.

Comparison of the Years Ended January 31, 2026 and 2025

Revenue

Year Ended January 31,

$ Change

% Change

(dollars in millions)

Revenue:

Subscription

Professional services and other

Total revenue

Percentage of revenue:

Subscription

Professional services and other

Total

For fiscal 2026, the increase in subscription revenue was primarily due to an increase in users and sales of additional solutions to existing customers and the addition of new customers. The increase in revenue was attributable to increased revenue from existing customers as reflected in our Dollar-Based Net Retention Rate of 106% as of January 31, 2026 and an increase in the number of customers as detailed in our Key Business Metrics.

For fiscal 2026, the increase in professional services and other revenue was due to higher bookings associated with professional services. Beginning in fiscal 2027, we expect professional services and other revenue to decline as we shift more engagements to our partner ecosystem.

Cost of Revenue, Gross Profit and Gross Margin

Year Ended January 31,

$ Change

% Change

(dollars in millions)

Cost of revenue:

Subscription

Professional services and other

Total cost of revenue

Gross profit

Gross margin:

Subscription

Professional services and other

Total gross margin

For fiscal 2026, cost of subscription revenue increased primarily due to an increase of $20 million in labor costs, third-party hosting costs of $15 million, and software costs of $9 million. This was offset by decreases in consulting costs of $10 million and stock-based compensation of $8 million.

Our gross margin for subscription revenue improved from 79% to 80% during fiscal 2026. The increase was primarily driven by improved spend efficiency resulting in lower relative cost of subscription revenue.

For fiscal 2026, cost of professional services and other revenue increased due to an increase in labor costs of $15 million offset by a decrease in stock-based compensation of $2 million.

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

Our gross margin for professional services and other revenue remained relatively flat.

Operating Expenses

Research and Development Expenses

Year Ended January 31,

$ Change

% Change

(dollars in millions)

Research and development

Percentage of revenue

For fiscal 2026, research and development expenses decreased due to a reduction in stock-based compensation expense of $20 million, offset by increases in labor costs of $15 million and hosting fees of $2 million. The decrease in research and development as a percentage of total revenue was primarily driven by improved spend efficiency.

Sales and Marketing Expenses

Year Ended January 31,

$ Change

% Change

(dollars in millions)

Sales and marketing

Percentage of revenue

For fiscal 2026, sales and marketing expenses increased primarily due to an increase in labor costs of $23 million, marketing costs of $12 million, travel and entertainment of $8 million, software costs of $2 million and stock-based compensation expense of $1 million. The decrease in sales and marketing as a percentage of total revenue was primarily driven by improved spend efficiency.

We expect our sales and marketing expenses will continue to be our largest operating expense category for the foreseeable future. We expect sales and marketing expenses as a percentage of total revenue to decrease as our total revenue grows.

General and Administrative Expenses

Year Ended January 31,

$ Change

% Change

(dollars in millions)

General and administrative

Percentage of revenue

For fiscal 2026, general and administrative expenses remained flat. Increases in labor costs of $13 million and stock-based compensation expense of $8 million were partially offset by decreases in legal and professional fees of $10 million and consulting costs of $8 million. The decrease in general and administrative as a percentage of total revenue was primarily driven by improved spend efficiency. We expect general and administrative expenses as a percentage of total revenue to decrease as our total revenue grows.

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

Restructuring and Other Charges

Year Ended January 31,

$ Change

% Change

(dollars in millions)

Restructuring and other charges

Percentage of revenue

Restructuring and other charges decreased in fiscal 2026 due to a reduction in the scale of restructuring initiatives compared to fiscal 2025.

Interest and Other, Net

Year Ended January 31,

$ Change

% Change

(dollars in millions)

Interest expense

Interest income and other, net

Gain on early extinguishment of debt

Interest and other, net

For fiscal 2026, interest and other, net decreased primarily due to a decrease in gains on early extinguishment of debt related to repurchases of the convertible senior notes offset by an increase in interest income from our short-term investments. We expect interest income to decrease in fiscal 2027 as we deploy investable cash to fund our Share Repurchase Program, settle our 2026 Convertible Senior Notes obligation, and due to changes in the interest rate environment.

Provision for Income Taxes

Year Ended January 31,

$ Change

% Change

(dollars in millions)

Provision for income taxes

For fiscal 2026, income tax expense resulted primarily from income in profitable foreign jurisdictions and state and local taxes, offset by the favorable impacts of the “One Big Beautiful Bill Act” (the “Act”) enacted on July 4, 2025.

For fiscal 2025, income tax expense resulted primarily from income in profitable foreign jurisdictions, federal and state taxes resulting from limitations on tax attribute utilization, offset by the impact of tax windfalls from stock-based compensation in the United States.

The Act, among other provisions, maintains the U.S. federal 21% corporate tax rate, makes permanent the immediate expensing of domestic research and development expenditures, allows for 100% bonus depreciation for qualified assets, and modifies the U.S. taxation of profits derived from foreign operations. The provisions of the Act have staggered effective dates beginning in 2025 and continuing through 2027. Our provision for income taxes reported for fiscal 2026 was computed to reflect the effects of the change in the tax law. We expect the immediate expensing of domestic R&D expenditures to be the most significant impact of the Act, resulting in a reduction in federal and state cash tax payments and in our provision for income taxes for future periods.

In addition, certain provisions of the Act, particularly those related to international taxation, are effective beginning in the fiscal period ending January 31, 2027. We are currently evaluating the impact of these provisions on our financial statements and tax positions.

We periodically evaluate the realizability of our deferred tax assets based on all available evidence, both positive and negative. The realization of the net deferred tax assets is dependent on our ability to generate sufficient

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

future taxable income during the periods prior to the expiration of tax attributes to fully utilize these assets. Given our current and anticipated future earnings, we may release a significant portion of our valuation allowance in the foreseeable future if there is sufficient positive evidence that outweighs the negative evidence. The release of the valuation allowance would result in the recognition of certain deferred tax assets and a corresponding decrease to income tax expense for the period the release is recorded. However, the exact timing and amount of any potential valuation allowance release remains uncertain and is subject to change on the basis of the level of profitability that we are able to actually achieve. As of January 31, 2026 we continue to maintain a full valuation allowance on our deferred tax assets in the United States.

Liquidity and Capital Resources

As of January 31, 2026, our principal sources of liquidity were cash, cash equivalents and short-term investments totaling $2,553 million, which were held for working capital and general corporate purposes, including potential future acquisition activity. Our cash equivalents and investments consisted primarily of U.S. treasury securities, money market funds, corporate debt securities and certificates of deposit.

Recent macroeconomic events, including changes in interest rates, global inflation and bank failures, have led to further economic uncertainty in the global economy. To mitigate risk, our cash and cash equivalents are distributed across large financial institutions. In addition, we have policy restrictions in place on the types of securities that can be purchased as part of our available-for-sale securities portfolio. These restrictions take credit quality, liquidity and diversification into consideration among other criteria. We continue to monitor the impacts of this situation; however, there can be no assurances that conditions in the banking sector and in global financial markets will not worsen and/or adversely affect us.

In January 2026, our board authorized a stock repurchase program of up to $1 billion of our outstanding shares of Class A common stock (the “Share Repurchase Program”). We have and may repurchase shares of our Class A common stock from time to time through open market purchases, in privately negotiated transactions, or by other means. Open market repurchases may be structured to occur in accordance with the requirements of Rule 10b-18. We may also, from time to time, enter into Rule 10b5-1 trading plans to facilitate repurchases of shares. The timing and the amount of stock repurchases under the Share Repurchase will be based on our evaluation of factors including business and market conditions, corporate and regulatory requirements, and other considerations. The Share Repurchase Program does not obligate us to repurchase any specific number of shares and may be modified, suspended, or terminated at any time. During the year ended January 31, 2026, we repurchased and immediately retired 875,150 shares of our Class A common stock for an aggregate amount, including commissions, of $79 million under the Share Repurchase Program. As of January 31, 2026, approximately $921 million of the originally authorized amount under the Share Repurchase Program remained available for future repurchases.

We satisfy employee tax withholding obligations due upon the vesting of share-based awards through net share settlement using available cash. This practice reduces our equity dilution rate and impacts liquidity as our cash requirements for these obligations are primarily driven by the market price of our Class A common stock at the time of vesting. In fiscal 2026 and 2025 , cash paid to satisfy these employee tax withholding obligations was $192 million and $148 million , respectively.

In September 2019, we completed our private offering of the 2025 convertible senior notes (“2025 Notes”) due on September 1, 2025 and we used a portion of the proceeds to enter into capped call transactions (“2025 Capped Calls”) with respect to our Class A common stock. The 2025 Notes matured on September 1, 2025, and we settled in full the principal amount then outstanding of $510 million in cash and the associated then outstanding 2025 Capped Calls expired unexercised.

In June 2020, we completed our private offering of the 2026 convertible senior notes (“2026 Notes”) due on June 15, 2026 and received aggregate gross proceeds of $1,150 million. The interest rate on the 2026 Notes is fixed at 0.375% per year and is payable semi-annually in arrears on June 15 and December 15 of each year, beginning on December 15, 2020. In connection with the 2026 Notes, we used a portion of the proceeds to enter into capped call transactions (“2026 Capped Calls”) with respect to our Class A common stock. As of January 31, 2026, the outstanding principal balance of the 2026 Notes of $350 million is classified as a current liability due to their upcoming maturity on June 15, 2026 and we currently intend to settle the principal amount of the 2026 Notes in cash.

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

In the ordinary course of our business, we have and may, at any time and from time to time, seek to extinguish our outstanding 2026 Notes through cash purchases and/or exchanges for equity, in open-market purchases, privately negotiated transactions or otherwise. Such extinguishments, if any, will be conducted on such terms and at such prices as we may determine, and will depend on our evaluation of the prevailing market conditions, trading price of the 2026 Notes, our liquidity requirements, legal and contractual restrictions and other factors. See Note 8 to our consolidated financial statements “Convertible Senior Notes, Net” and the section titled “Transactions relating to the 2026 Notes may affect the value of our Class A common stock” in “ Risk Factors ” included under Part I, Item 1A of this Annual Report on Form 10-K for additional information.

On September 4, 2025, we acquired all of the outstanding equity of Axiom Security Ltd (“Axiom”), a privately held company specializing in privileged access management solutions. The acquisition date cash consideration was $54 million. See Note 16 to our consolidated financial statements “Business Combinations” for additional information.

We believe our existing cash and cash equivalents, our investments and cash provided by sales of our solutions will be sufficient to meet our short-term and long-term projected working capital and capital expenditure needs for the foreseeable future. Our future capital requirements will depend on many factors, including our subscription growth rate, subscription renewal activity, billing frequency, the timing and extent of spending to support development efforts, the expansion of sales and marketing activities, the expansion of our international operations, the introduction of new and enhanced product offerings, and the continuing market adoption of our platforms. We continue to assess our capital structure and evaluate the merits of deploying available cash. We may in the future enter into arrangements to acquire or invest in complementary businesses, services and technologies, including intellectual property rights; additionally, we have, and may in the future, repurchase shares of our Class A common stock from time to time under our Share Repurchase Program. We may be required to seek additional equity or debt financing. In the event that additional financing is required from outside sources, we may not be able to raise it on terms acceptable to us or at all. If we are unable to raise additional capital or generate cash flows necessary to expand our operations and invest in new technologies this could reduce our ability to compete successfully and harm our results of operations.

A significant majority of our customers pay in advance for annual subscriptions. Therefore, a substantial source of our cash is from our deferred revenue, which is included on our consolidated balance sheet as a liability. Deferred revenue consists of the unearned portion of billed fees for our subscriptions, which is recognized as revenue in accordance with our revenue recognition policy. As of January 31, 2026, we had deferred revenue of $1,905 million, of which $1,875 million was recorded as a current liability and is expected to be recorded as revenue in the next 12 months, provided all other revenue recognition criteria have been met.

Cash Flows

The following table summarizes our cash flows for the periods indicated:

Year Ended January 31,

(dollars in millions)

Net cash provided by operating activities

Net cash provided by (used in) investing activities

Net cash used in financing activities

Effects of changes in foreign currency exchange rates on cash, cash equivalents and restricted cash

Net increase in cash, cash equivalents and restricted cash

Operating Activities

Our largest source of operating cash is cash collections from our customers for subscription and professional services. Our primary uses of cash from operating activities are for employee-related expenditures, marketing expenses and third-party hosting costs.

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

During fiscal 2026, cash provided by operating activities was $884 million, an increase of $134 million compared to fiscal 2025. The increase was primarily attributable to an increase in cash received from customers and improved spend efficiency.

Investing Activities

During fiscal 2026, cash provided by investing activities was $271 million, compared to cash used in investing activities of $314 million during fiscal 2025. The change was primarily driven by higher proceeds from maturities and redemption of available-for-sale securities and a decrease in purchases of available-for-sale and other securities.

Financing Activities

During fiscal 2026, cash used in financing activities was $720 million, an increase of $361 million compared to fiscal 2025. The increase was primarily attributable to an increase in payments upon maturity and repurchases of convertible senior notes, an increase in taxes paid related to net share settlement of equity awards, and further impacted by common stock repurchases related to the initiation of our share repurchase program in fiscal 2026. The cash outlay for common stock repurchases and taxes paid on net share settlement of equity awards are generally predicated on the closing price of our stock on the respective transaction dates.

Material Cash Requirements

Contractual Obligations

The following table represents our known short-term (i.e., the next twelve months) and long-term (i.e., beyond the next twelve months) obligations as of January 31, 2026:

Short-term

Long-term

Total

(dollars in millions)

Convertible Senior Notes: (1)

Principal payments

Interest payments

Operating leases (2)

Purchase obligations (3)

Total contractual obligations

(1) See Note 8 to our consolidated financial statements “Convertible Senior Notes, Net” for additional information.

(2) See Note 9 to our consolidated financial statements “Leases” for additional information.

(3) Purchase obligations primarily relate to data center hosting facilities, and other sales and marketing obligations.

Indemnification Agreements

In the ordinary course of business, we enter into agreements of varying scope and terms pursuant to which we agree to indemnify customers, vendors, lessors, business partners and other parties with respect to certain matters, including, but not limited to, losses arising out of the breach of such agreements, services to be provided by us or from intellectual property infringement claims made by third parties. In addition, we have entered into indemnification agreements with our directors and certain officers and employees that will require us, among other things, to indemnify them against certain liabilities that may arise by reason of their status or service as directors, officers or employees. No material demands have been made upon us to provide indemnification under such agreements and there are no claims that we are aware of that could have a material effect on our consolidated balance sheets, consolidated statements of operations and comprehensive income (loss), or consolidated statements of cash flows.

Critical Accounting Estimates

We prepare our consolidated financial statements in accordance with accounting principles generally accepted in the United States of America. In the preparation of these consolidated financial statements, we are required to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenue, costs

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

and expenses, and related disclosures. To the extent that there are material differences between these estimates and actual results, our financial condition or results of operations would be affected. We base our estimates on past experience and other assumptions that we believe are reasonable under the circumstances, and we evaluate these estimates on an ongoing basis. We refer to accounting estimates of this type as critical accounting estimates, which we discuss below.

Income Taxes

Income taxes are accounted for using the liability method. Under this method, deferred tax assets and liabilities are recognized for the expected future tax consequences of temporary differences between the financial reporting and tax basis of assets and liabilities, as well as for operating loss and tax credit carryforwards. Deferred tax assets and liabilities are measured using enacted tax rates that are expected to apply to taxable income for the years in which those tax assets and liabilities are expected to be realized or settled.

Valuation allowances are established when necessary to reduce deferred tax assets to the amounts that are more likely than not expected to be realized based on the weighting of positive and negative evidence. Future realization of deferred tax assets ultimately depends on the existence of sufficient taxable income of the appropriate character, within the carry-back or carry-forward periods available under the applicable tax law. In assessing the need for a valuation allowance, we consider available evidence, including past operating results, estimates of future taxable income, and the feasibility of tax planning strategies. Our judgment regarding future estimates may change due to many factors, including future market conditions and the ability to successfully execute our business plans and tax planning strategies. Should there be a change in the ability to recover deferred tax assets, our provision for income taxes would increase or decrease in the period in which the assessment is changed.

Our tax positions are subject to income tax audits by multiple tax jurisdictions throughout the world. We recognize the tax benefit of an uncertain tax position only if it is more likely than not that the position is sustainable upon examination by the taxing authority, based on the technical merits. Significant judgment is required in determining the technical merits of an uncertain tax position, such as taking into account current tax laws, our interpretation of current tax laws and possible outcomes of current and future audits conducted by foreign and domestic tax authorities. We adjust these reserves in light of changing facts and circumstances, such as the closing of a tax audit or the refinement of an estimate. To the extent the final tax outcome of these matters is different than the amounts recorded, such differences may impact the provision for income taxes in the period in which such determination is made.

Business Combinations

When we acquire a business, the purchase price is allocated to the acquired assets, including separately identifiable intangible assets, and assumed liabilities at their respective estimated fair values. Any residual purchase price is recorded as goodwill. The allocation of the purchase price requires management to make significant estimates in determining the fair values of assets acquired and liabilities assumed, especially with respect to intangible assets. These estimates can include, but are not limited to:

• future expected cash flows from subscription contracts, professional services contracts, other customer contracts and acquired developed technologies;

• person hours required in recreating certain acquired technologies;

• historical and expected customer attrition rates and anticipated growth in revenue from acquired customers;

• royalty rates applied to acquired developed technology platforms and other intangible assets;

• obsolescence curves and other useful life assumptions, such as the period of time and intended use of acquired intangible assets in our product offerings;

• discount rates;

• uncertain tax positions and tax-related valuation allowances; and

OKTA, INC.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF

FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

• fair value of assumed equity awards.

These estimates are inherently uncertain and unpredictable, and unanticipated events and circumstances may occur that may affect the accuracy or validity of such assumptions, estimates or actual results.

If the initial accounting for a business combination is not complete following the acquisition date, we report provisional amounts for the known assets, liabilities, equity interests, or items of consideration for which the accounting is incomplete at the end of the financial reporting period. Provisional accounting is inherently subjective and judgmental. The objective of the measurement period is to provide a reasonable period of time to obtain the information necessary to complete all aspects of business combination accounting with a high level of confidence. During the measurement period, which may be up to one year from the acquisition date, adjustments to the reported provisional amounts may be recorded for which the accounting was incomplete, with the corresponding offset to goodwill. Should the accounting for a business combination be incomplete by the end of a reporting period that falls within the measurement period, we report provisional amounts in our financial statements, disclosing them as provisional, and any material measurement period adjustments are identified as such. Additional assets acquired or liabilities assumed in an acquisition that were not recognized at the acquisition date might be identified during the measurement period. Upon the conclusion of the measurement period or final determination of the fair value of assets acquired or liabilities assumed, whichever comes first, no further adjustments are made.

Loss Contingencies

We evaluate contingent liabilities, including threatened or pending litigation, and make provisions for such liabilities when it is both probable that a loss has been incurred and its amount can be reasonably estimated. Because of uncertainties inherent in litigation, we base our estimate and accrue the liabilities, if any, on the information available at the time of our assessment. Significant judgment is required to determine both the probability and the estimated amount of loss given such legal proceedings are inherently unpredictable and subject to significant uncertainties, some of which are beyond our control. Developments in these matters could affect the amount of any liability we may accrue. As additional information becomes available, we may revise our estimates. Any revisions in the estimates of potential liabilities could have a material impact on our operating results and financial position. Further, until the final resolution of any such matter, there may be a loss exposure in excess of the liability recognized and such amount could be significant.

Revenue Recognition

We primarily derive our revenues from subscription fees. A description of our revenue recognition policies is included in Note 2 to our consolidated financial statements “Summary of Significant Accounting Policies.”

Our contracts with customers often contain multiple performance obligations. For these contracts, we account for individual performance obligations separately if they are distinct. The transaction price of the contract is allocated to the separate performance obligations on a relative standalone selling price (“SSP”) basis. Evaluating customer contracts with multiple performance obligations and complex terms may require significant judgment in identifying the distinct performance obligations.

Recent Accounting Pronouncements

See Note 2 to our consolidated financial statements “Summary of Significant Accounting Policies — Accounting Pronouncements Recently Adopted and Recent Accounting Pronouncements Not Yet Adopted” for more information.