Annual Statements Open main menu

Okta, Inc. - Annual Report: 2023 (Form 10-K)



UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 10-K
(Mark One)
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended January 31, 2023
or
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the transition period from              to             
Commission File Number: 001-38044
Okta, Inc.
(Exact name of Registrant as specified in its charter)
Delaware
100 First Street, Suite 600
26-4175727
(State or Other Jurisdiction of
Incorporation or Organization)
San Francisco
(I.R.S. Employer
Identification Number)
California
94105
(Address of Principal executive offices)
Registrant’s telephone number, including area code: (888) 722-7871
___________________________________________________
Securities registered pursuant to Section 12(b) of the Act:
(Title of each class)Trading Symbol(s)(Name of each exchange on which registered)
Class A common stock, par value $0.0001 per share
OKTA
The Nasdaq Stock Market LLC
Securities registered pursuant to Section 12(g) of the Act: None
___________________________________________________
Indicate by check mark if the Registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☒ No 
Indicate by check mark if the Registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes 
  No  ☒
Indicate by check mark whether the Registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    Yes  ☒    No  
Indicate by check mark whether the Registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the Registrant was required to submit such files).    Yes  ☒    No  
Indicate by check mark whether the Registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large Accelerated Filer
Accelerated filer
Non-accelerated filer
Smaller reporting company
Emerging growth company
If an emerging growth company, indicate by check mark if the Registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.
Indicate by check mark whether the Registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☒
If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the Registrant included in the filing reflect the correction of an error to previously issued financial statements.
Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the Registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b).
Indicate by check mark whether the Registrant is a shell company (as defined in Rule 12b-2 of the Act).    Yes  
    No  ☒
The aggregate market value of the stock of the Registrant as of July 31, 2022 (based on a closing price of $98.45 per share) held by non-affiliates was approximately $14.9 billion. As of February 27, 2023, there were 153,987,922 shares of the Registrant’s Class A Common Stock and 7,299,891 shares of the Registrant's Class B Common Stock outstanding.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant's definitive Proxy Statement relating to the 2023 Annual Meeting of Stockholders are incorporated herein by reference in Part III of this Annual Report on Form 10-K to the extent stated herein. Such Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year ended January 31, 2023.




Okta, Inc.
Form 10-K
For the Fiscal Year Ended January 31, 2023
TABLE OF CONTENTS
Page
Part I
Item 1A.
Part II
Item 6.Removed and Reserved
Part III
Part IV




Special Note Regarding Forward-Looking Statements 
This Annual Report on Form 10-K contains "forward-looking statements" within the meaning of the “safe harbor” provisions of the Private Securities Litigation Reform Act of 1995, including but not limited to, statements regarding our financial outlook, product development, business strategy, plans, market trends, opportunities and positioning. These forward-looking statements are made as of the date they were first issued and were based on current expectations, estimates, forecasts and projections as well as the beliefs and assumptions of management. Words such as “expect,” “anticipate,” “should,” “believe,” “hope,” “target,” “project,” “goals,” “estimate,” “potential,” “predict,” “may,” “will,” “might,” “could,” “intend,” “shall” and variations of these terms or the negative of these terms and similar expressions are intended to identify these forward-looking statements, although not all forward-looking statements include these identifying words. The forward-looking statements are contained principally in “Management’s Discussion and Analysis of Financial Condition and Result of Operations” and “Risk Factors."
Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
our future financial performance, including our revenue, costs of revenue, gross profits, margins and operating expenses;
the impact of general economic, business and market conditions, including general economic downturn or recession, market volatility, and the inflation and interest rate environment;
trends in our key business metrics;
our growth strategy and ability to compete;
the sufficiency of our cash and cash equivalents, investments and cash provided by sales of our products and services to meet our liquidity needs;
market or other opportunities arising from business combinations;
our ability to maintain the security and availability of our internal networks and platform;
our ability to increase our number of customers;
our ability to sell additional products to and retain our existing customers;
our ability to successfully expand in our existing markets and into new markets;
our ability to effectively manage our growth and future expenses;
our ability to expand our network of channel partners;
our ability to form and expand partnerships with independent software vendors and system integrators;
our ability to introduce new products, enhance existing products and address new use cases;
our ability to add new integration partners;
our ability to grow our international business;
the impact of the global COVID-19 pandemic on our business and operations;
our ability to maintain, protect and enhance our intellectual property;
our ability to comply with modified or new laws and regulations applying to our business;
the attraction and retention of qualified employees and key personnel;
our anticipated investments in sales and marketing and research and development;
our ability to comply with modified or new laws and regulations applying to our business, including GDPR (as defined below), and other privacy regulations that may be implemented in the future;
the impact of recent accounting pronouncements on our financial statements;
our ability to successfully defend litigation brought against us; and
our ability to successfully integrate and realize the benefits of strategic acquisitions or investments, including our acquisition of Auth0, Inc. ("Auth0").
Forward-looking statements are subject to a number of risks and uncertainties, many of which involve factors or circumstances that are beyond our control. Our actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in “Risk Factors” in this Annual Report on Form 10-K as well as other documents that may be filed by us from time to time with the Securities and Exchange Commission. Moreover, we operate in a very competitive and rapidly changing environment. New risks emerge from time to time. It is not possible for our management to predict all risks, nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may



cause actual results to differ materially from those contained in any forward-looking statements we may make. In light of these risks, uncertainties and assumptions, the forward-looking events and circumstances discussed in this Annual Report on Form 10-K may not occur and actual results could differ materially and adversely from those anticipated or implied in the forward-looking statements.
You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee that the future results, levels of activity, performance or events and circumstances reflected in the forward-looking statements will be achieved or occur. Moreover, except as required by law, neither we nor any other person assumes responsibility for the accuracy and completeness of the forward-looking statements. We undertake no obligation to update publicly any forward-looking statements for any reason after the date of this Annual Report on Form 10-K to conform these statements to actual results or to changes in our expectations.



Part I
Item 1. Business
Overview
Okta is the leading independent identity provider. Our vision is to free everyone to safely use any technology, and we believe identity is the key to making that happen. Our mission is to bring simple and secure digital access to people and organizations everywhere. Our Workforce Identity and Customer Identity Clouds are powered by our category-defining Okta Identity Platform that enables our customers to securely connect the right people to the right technologies and services at the right time.
Our Workforce Identity and Customer Identity Clouds help organizations effectively harness the power of cloud, mobile and web technologies by securing users and connecting them with the applications and technology they use. Every day, thousands of organizations and millions of people use Okta to securely access a wide range of cloud, mobile, web and Software-as-a-Service ("SaaS") applications, on-premises servers, application programming interfaces ("APIs"), IT infrastructure providers and services from a multitude of devices. Employees and contractors sign into the Workforce Identity Cloud to seamlessly and securely access the applications they need to do their most important work. Developers leverage our Customer Identity and Workforce Identity Clouds to securely and efficiently embed identity into the software they build, allowing them to innovate and focus on their core mission. Organizations use our platform to collaborate with their partners, and to provide their customers with more modern and secure experiences in the cloud and via mobile devices. As we add new customers, users, developers and integrations to our platform, our business, customers, partners and users benefit from powerful network effects that increase the value and security of our Workforce Identity and Customer Identity Clouds.
The acceleration of digital transformations, cloud adoption and evolving security threat landscape and changing consumer expectations to simple, secure digital experiences are driving a shift in how organizations manage consumer identities on the internet. Organizations are building secure consumer-facing applications and are turning to identity to optimize seamless and private user experiences. Our approach provides organizations with the scale, interoperability, efficiency and security they need to build customer-facing applications.
Given the growth trends in the number of applications and cloud adoption, and the movement to remote workforces, identity is becoming the most critical layer of an organization’s security. As organizations shift from network-based security models to a Zero Trust security model focusing on adaptive and context-aware controls, identity has become the most reliable way to manage user access and protect digital assets. Our approach to identity allows our customers to simplify and efficiently scale their security infrastructures across internal IT systems and external customer-facing applications.
As of January 31, 2023, more than 17,600 customers across nearly every industry used Okta to secure and manage identities around the world. Our customers consist of leading global organizations ranging from the largest enterprises, to small- and medium-sized businesses, universities, non-profits and government agencies. We partner with leading application, infrastructure and security vendors, such as Amazon Web Services ("AWS"), CrowdStrike, Google, LexisNexis Risk Solutions, Microsoft, Netskope, Palo Alto Networks, Plaid, Proofpoint, Salesforce, ServiceNow, VMware, Workday, Yubico and Zscaler. We had over 7,000 integrations with cloud, mobile and web applications and IT infrastructure providers as of January 31, 2023, which while not directly correlated to revenue, shows the breadth and acceptance of our platform.
We employ a SaaS business model and generate revenue primarily by selling multi-year subscriptions to our cloud-based offerings. We focus on acquiring and retaining our customers and increasing their spending with us through expanding the number of users who access our Workforce Identity and Customer Identity Clouds and up-selling additional products. We sell our products directly through our field and inside sales teams, as well as indirectly through our network of channel partners, including resellers, system integrators and other distribution partners.
5


The Okta Identity Platform
Okta is an independent and neutral cloud-based identity solution that allows our customers to integrate with nearly any application, service or cloud that they choose through our secure, reliable and scalable platform and cloud infrastructure. Our technological neutrality allows our customers to easily adopt the best technologies, and our Okta Identity Platform is designed to securely connect users to the technology that they choose. Our Workforce Identity and Customer Identity Clouds are underpinned by Okta Platform Services which are the foundational platform components that power our product features. We prioritize the compatibility of our platform with public clouds, on-premises infrastructures and hybrid clouds.
The Okta Identity Platform is used by organizations in two distinct and powerful ways. Our customers use it to manage and secure their employees, contractors and partners, which we refer to as workforce identity as supported by our Workforce Identity Cloud. Our customers also use it to enable, manage and secure the identities of their own customers via the powerful APIs we have developed, which we refer to as customer identity as supported by our Customer Identity Cloud.
Workforce Identity Cloud
The Workforce Identity Cloud simplifies the way an organization’s employees, contractors and partners connect to its applications and data from any device, while increasing efficiency and keeping IT environments secure. The Workforce Identity Cloud can be used as the central system for an organization’s connectivity, access, authentication and identity lifecycle management needs spanning all of its users, technology and applications. Our customers use the Workforce Identity Cloud to secure their workforces, to create solutions that make their partner networks more collaborative, and to provide more seamless and secure experiences for their end users, which combined with our open approach, enables our customers to future-proof their environments. We enable our customers to easily deploy, manage and secure applications and devices, and to provision and support users across their IT environments, with a simple, intuitive, consumer-like user experience. Once deployed, we enable administrators to enforce contextual access management decisions based on conditions such as user identity, device, location, application identity, IP reputation and time of day.
We enable organizations to provide their workforces with immediate and secure access to every application they need from any device they use, without requiring multiple credentials, which significantly enhances user connectivity and productivity. We offer our customers an additional security layer through our Adaptive Multi-Factor Authentication product. Our Universal Directory product also serves as a system of record to help our customers organize, customize and manage their users. Our Lifecycle Management product enables customers to manage users’ access privileges through their entire lifecycle with a no-code approach that improves administrative efficiency and productivity. Okta Identity Governance, our unified identity access management and identity governance solution, helps our customers improve their security and compliance posture while mitigating modern security risks and increasing efficiency. Our Advanced Server Access product is designed to significantly improve our customers’ ability to secure access to cloud-based and on-premises servers, while Access Gateway enables our customers to extend the Workforce Identity Cloud to their existing on-premises applications. The Workforce Identity Cloud enables our customers to automate access across their growing ecosystem of employees, contractors and partners, increasing collaboration across their workforces.
Customer Identity Cloud
The Customer Identity Cloud enables organizations to transform their own customers’ experiences by empowering development teams to rapidly and securely build customer-facing cloud, mobile or web applications. Our Customer Identity Cloud primarily supports consumer and SaaS applications. It empowers application builders to innovate faster by removing the complexity from identity and making it simple, extensible and customizable. We enable organizations to integrate our powerful identity platform into their cloud, web and mobile applications. This makes it easier for them to authenticate, manage, scale and secure their applications through comprehensive APIs, software development kits and extensive developer community tools, enabling rapid time to market for the business. Organizations are able to streamline user experience and improve security across all their applications, leading to increased customer acquisition, retention and loyalty.
Platform Services
In order to enable customers and partners to address a wide range of identity use cases, we have built a set of modular components, called Okta Platform Services, which can be combined to build new features and tailored experiences faster. Okta Platform Services are available in Okta packaged products through APIs and software
6


development kits. Okta Platform Services can be used across both workforce and customer identity use cases. We expect to use Okta Platform Services to continue to enable new and expanded use cases and enable customers or third-party developers to build their own solutions based on an industry use case or unique customer need. Okta Platform Services include Okta’s Identity Engine, Workflows, Devices, Directories, Integrations and Insights.
Growth Strategy
Key elements of our growth strategy are to:
Execute with Our Platform
Drive New Customer Growth.  To increase our market share, we intend to continue to grow our customer base using a land-and-expand sales model, with a focus on key markets by size of customers, as well as key verticals, including highly-regulated sectors.
Deepen Relationships Within Our Existing Customer Base.  We strive to further increase revenue from our existing customers by cross-selling and up-selling additional and new products. We also believe we can expand our footprint by focusing on current customers that have deployed our Workforce Identity Cloud for workforce identity, and expanding those customers’ use of our Customer Identity Cloud for customer identity, or vice versa.
Leverage Partner Ecosystem. We also plan to further leverage the sales efforts of resellers, system integrators and other distribution partners, and to increase the contribution we receive from these channel partners.
Expand Our International Footprint.  With 22% of our revenue generated outside of the United States in fiscal 2023, and our international revenue growing 53% from fiscal 2022 to fiscal 2023, we believe there is significant opportunity to continue to grow our international business. We believe global demand for our products will continue to be a long-term opportunity as organizations outside the United States fully embrace the transition to cloud computing, and larger international organizations take advantage of technology consolidation within their global locations.
Increase Our Opportunities
Innovate and Extend Our Platform with New Products.  We intend to continue making significant investments in research and development, hiring top technical talent and maintaining an agile organization. In addition, we intend to selectively pursue acquisitions and strategic investments in businesses and technologies to extend our platform. By continuing to innovate, introduce new products and extend our platform, we believe that we can offer increasing value to our existing and potential customers.
Extend Our Accessible Market with New Use Cases. As technology and our customers’ needs evolve, we plan to use our platform to help our customers address new challenges, regulatory requirements and use cases.
Leverage Our Integrations.  The Okta Integration Network is an extensive ecosystem, which includes over 7,000 integrations with cloud, mobile and web applications and IT infrastructure providers. We plan to maintain these integrations as well as add new ones to enrich our user experience and expand our customer base. We view our investment in these partnerships as a force multiplier that enables us to build and promote complementary capabilities that benefit our customers.
Expand our Developer Ecosystem. We want to empower every application developer to use our platform to securely integrate identity into any application. We believe that our Okta Identity Platform enables developers to focus their time and attention on innovating within their core application capabilities while relying on our platform for their identity related requirements, leading to more secure and convenient experiences for their own customers.
Leverage Our Unique Data Assets with Powerful Analytics. Our position at the intersection of people, devices, applications and infrastructure gives us unique access to powerful data, and the opportunity to provide differentiated insights based on that data, as well as predictive capabilities based on that data to help keep customers more secure. We expect the value of our analytics to our customer base will increase as customers continue to connect more devices, applications and users to their networks and as we add
7


more customers. We also expect that our analytics ability will enable our customers to use our data and third-party data from our partners, to help customers make more informed and secure access decisions. We do not currently derive direct revenue from our unique data assets, but we may explore opportunities for monetization in the future.
Mergers and Acquisitions and Investments. From time to time, we evaluate opportunities to acquire or invest in emerging and adjacent technologies to complement our organic investments and improve our products, services and customers’ experiences. We will continue to use these types of strategic levers as opportunities arise.
Our Products
Okta's suite of products and services is used to manage and secure identities. Most of our products can be used for both customer identity and for workforce identity use cases and we are continuously enhancing our products and services. Our workforce identity products are consumed through web and mobile interfaces, and provide simple ways for IT organizations to manage identities for their employees, contractors and partners. For customer identity, our APIs are also used by developers to embed Okta identity functionality into their own customer-facing mobile or web applications. We continuously improve our Workforce Identity and Customer Identity Clouds through the release and development of additional products, features and services.
Workforce Identity Products
Universal Directory.  Universal Directory provides a centralized, cloud-based system of record to store and secure user, application and device profiles for an organization. Users and profiles stored in the directory can be used with our Single Sign-On product to manage passwords and authentication, or can be used by developers to store and authenticate the users of their applications. When used for workforce identity, Universal Directory becomes a customer’s system of record for all of its employees, contractors and partners. When used for customer identity, Universal Directory becomes a customer's secure system of record for management of all of its users.
Single Sign-On.  When used to manage and secure identities for a customer’s workforce, Single Sign-On enables users to access all of their applications, whether in the cloud or on-premise, from any device, with a single entry of their user credentials. We combine secure access, modern protocols, flexible policies and a consumer-like user experience to permit organizations to easily allow customers or partners to sign in to their applications with their existing identity information. Single Sign-On also enables built-in reporting and analytics that provide real-time search functionalities across users, devices, applications and the associated access and usage activity. When used for customer identity, Single Sign-On enables secure authentication for applications by external customers.
Adaptive Multi-Factor Authentication.  Adaptive Multi-Factor Authentication is a comprehensive, but simple-to-use, product that provides an additional layer of security for an organization’s cloud, mobile and web applications and data. We offer an intelligent approach to security, built on contextual data. Adaptive Multi-Factor Authentication includes a policy framework that is integrated with a broad set of cloud and on-premises applications and network infrastructures. It offers adaptive, risk-based authentication that leverages data intelligence from across the Okta network of thousands of organizations.
Lifecycle Management.  Lifecycle Management enables IT organizations or developers to manage a user's identity throughout its entire lifecycle. It automates IT processes and ensures user accounts are created and deactivated at the appropriate times, including the workflow and policies needed to power those processes. With Lifecycle Management, organizations can securely manage the entire identity lifecycle, from on-boarding to off-boarding, and ensure compliance requirements are met as user roles evolve and access levels change.
API Access Management.  API Access Management enables organizations to secure APIs as systems connect to each other. Access to these APIs is managed based on the user, which enables organizations to centrally maintain one set of permissions for any employee, partner or customer across every point of access. API Access Management reduces development time, boosts security, helps in achieving compliance and enables seamless end user experiences by providing a unified portable service for authorizing secure and always available access to any API.
8


Access Gateway.  Access Gateway enables organizations to extend the Workforce Identity Cloud, which is a cloud native platform, from the cloud to their existing on-premises applications, so that they can harness the benefits of Okta to manage all of their critical systems, whether in the cloud, on-premises or hybrid. Extending the benefits of the Workforce Identity Cloud to hybrid IT environments delivers a single point of management for our customers’ administrators and a single location from which end users can access their critical applications.
Advanced Server Access.  Advanced Server Access offers continuous, contextual access management to secure cloud infrastructure. Organizations can continuously manage and secure access to on-premises Windows and Linux servers and across leading Infrastructure-as-a-Service vendors, including Amazon Web Services, Google Cloud Platform and Microsoft Azure. Advanced Server Access enables our customers to centralize access controls in a seamless manner to better mitigate the risk of credential theft, reuse, sprawl and abandoned administrative accounts.
Okta Identity Governance. Okta Identity Governance, also referred to as "IGA," provides a unified identity access management and identity governance solution focused on improving an organization’s security and compliance posture, helping customers to mitigate everyday security risks and improve IT efficiency. Okta Identity Governance includes governance capabilities relating to access requests, access certifications and access reporting. Through these capabilities, Okta Identity Governance simplifies and automates the process of requesting and approving access to applications and resources.
Customer Identity Products
Universal Login. Universal Login is a standards-based login infrastructure with centralized feature management and configuration for websites and applications that can be integrated with a wide range of social providers, enterprise login services and customer-provided databases. Universal Login enables our customers to provide a consistent login experience across many different applications and devices.
Attack Protection. Attack Protection is a suite of security capabilities that protect our customers from different types of malicious traffic, including bots, breached passwords, suspicious IP addresses and brute force attacks. Attack Protection enables our customers to minimize risks associated with the ever-growing volume of identity-targeted attacks.
Adaptive Multi-Factor Authentication. Simple-to-use and adaptable Multi-Factor Authentication that minimizes friction to end users. When using Adaptive Multi-Factor Authentication, our customers leverage risk-assessment algorithms that present Multi-Factor Authentication challenges only to select authentication attempts that require additional validation.
Passwordless. Passwordless authentication enables users to login without a password and supports a variety of different login methods, including advanced device biometrics.
Machine to Machine. Machine to Machine provides standards-based authentication and authorization with non-interactive devices and applications.
Private Cloud. Private Cloud is a deployment option that allows our customers to run a dedicated cloud instance of the Customer Identity Cloud. Private Cloud capability supports multiple cloud providers.
Organizations. Organizations enable our customers to support a large number of partners or customers of their own with independent configurations, login experiences and security options.
Actions and Extensibility. Actions and Extensibility allows our customers to visually drag and drop Actions to build custom identity flows that address their unique requirements.
Enterprise Connections. Enterprise Connections enable Enterprise Federation using pre-built integrations with commonly used Enterprise Identity Systems.
By focusing on identity, the one constant in an ever-changing technology and threat landscape, we provide our customers with a solution to solve their IT and security challenges, facilitate their adoption of a Zero Trust security model and enable their digital transformation.
9


Our Technology
We focus on engineering an intuitive, but comprehensive, platform to solve complex problems. Our cloud architecture is multi-tenant, encrypted and third-party validated. Our service also allows us to integrate into our customers’ on-premises components and hybrid configurations.
Okta Identity Platform with Differentiated Administration, User and Developer Experience
Okta provides one common platform and user interface framework supporting our Workforce Identity and Customer Identity Clouds, offering administrators and users a consistent, easy-to-use, consumer-like experience across our products. Our technology integrates with industry-leading browsers and mobile applications to provide seamless access to nearly any web or native mobile application. We also heavily leverage operating system management and security technologies across desktops, laptops and mobile devices to provide a transparent, but secure experience for users across a range of devices. These integrations allow us to seamlessly deliver connectivity use cases that previously required significant custom development to achieve.
Robust Security
Security is a mission-critical issue for Okta and for our customers. Our approach to security spans day-to-day operational practices from the design and development of our software to how customer data is segmented and secured within our multi-tenant platform. We ensure that access to our platform is securely delegated across an organization. Okta's source code is updated weekly, and there are audited and verifiable security checkpoints to ensure source code fidelity and continuous security review. We have attained multiple SOC 2 Type II Attestations, CSA Star Level 2 Attestation, ISO/IEC 27001:2013, ISO/IEC 27018:2019 and Health Insurance Portability and Accountability Act ("HIPAA") certifications and multiple agency Federal Risk and Authorization Management Program ("FedRAMP") Moderate Authorities to Operate. We also support FIPS 140-2 encryption requirements.
Scalability and Uptime
Our technical operations and engineering teams are designed around the concept of an always-on, highly redundant and available platform that we can upgrade without customer disruption. Our products and architecture were built entirely in and for the cloud with availability and scalability at the center of the design and were built to be agnostic with respect to the underlying infrastructure. Our maintenance windows do not require any downtime.
Okta's proprietary cell architecture includes redundant, active-active availability zones with cross-continental disaster recovery centers, real-time database replication and geo-distributed storage. If one of our systems goes down, another is quickly promoted. Our architecture is designed to scale both vertically by increasing the size of the application tiers and horizontally by adding new geo-distributed cells.
Our Workforce Identity and Customer Identity Clouds are monitored not only at the infrastructure level but also at the application and third-party integration level. Synthetic transaction monitoring allows our technical operations team to detect and resolve issues proactively.
Okta Integration Network and Auth0 Marketplace
The Okta Integration Network contains over 7,000 integrations with cloud, mobile and web applications, IoT devices and IT infrastructure providers, including Amazon Web Services, Atlassian, DocuSign, Google, Microsoft Office 365, NetSuite, Oracle, Palo Alto Networks, Proofpoint, Salesforce, SAP, ServiceNow, Slack, Splunk, VMware, Workday, Zendesk and Zoom. Our patented technology allows our customers to seamlessly connect to any application or type of device that is already integrated into our network. In addition, customers can extend the benefits of the Okta Integration Network by creating their own integrations to both cloud and on-premises proprietary applications.
Similarly, the Auth0 Marketplace is a trusted catalog of integrations that enables application teams to easily assemble complete identity solutions. The Auth0 Marketplace connects customers with service providers and builders who solve integration use cases and implement integrations with the Customer Identity Cloud.
Our Customers
As of January 31, 2023, we had more than 17,600 customers, including more than 3,930 customers with an annual contract value greater than $100,000. Our customers span nearly all industry verticals and range from small organizations with fewer than 100 employees to companies in the Fortune 50, with up to hundreds of thousands of employees, some of which use our platform to manage millions of their customers' identities.
10


Sales and Marketing
Sales
We sell directly to customers through our direct inside and field sales force and also indirectly through our extensive ecosystem of channel partners. Once a sale is made, we leverage our land-and-expand sales model to generate incremental revenue, often within the term of the initial agreement, through the addition of new users and the sale of additional products. In many instances, we find that initial customer success with our platform results in key internal decision makers expanding their deployments, for example, from initial use for workforce identity to expanded use for their customer identity needs. Furthermore, as our customers are successful in their businesses and increase headcount or the number of their customers, we share in their growth as the number of identities that we manage increases.
Our sales organization is structured to address the specific needs of each segment of our target market. Our sales team is divided by geography, customer size and industry vertical. Our direct sales force is supported by our sales engineers, security team, cloud architects, professional services team and other technical resources.
We benefit from an expansive partner ecosystem that helps drive additional sales. Nearly all of the leading cloud application providers are our partners, and many of them drive further customer acquisition for us through co-selling arrangements, building our offerings directly into their products, and product demonstrations running on Okta. We also partner with several of the large technology companies that are driving the movement to the cloud. In addition to these technology partners, we leverage our channel partners, including system integrators, traditional value-added resellers ("VARs") and Government VARs, to broaden the range of customers we reach.
Marketing
Our most valuable marketing features our customers and their successes, and is informed by a deeply data-driven approach, giving us insights into the efficacy of our efforts. Our marketing efforts focus on promoting our industry-leading identity platform, establishing our brand, generating awareness, creating sales leads and cultivating the Okta Community.
A centerpiece of our marketing strategy is our annual customer conference, Oktane, that features customers sharing their success stories, new product and feature announcements and hands-on product labs. We also host a number of other events where we engage with both existing customers and new prospects, as well as deliver product training.
Research and Development
Our research and development organization is responsible for the design, architecture, creation and the quality of our platform. The research and development organization also works closely with our technical operations team to ensure the successful deployment and monitoring of our platform. We use test automation and application monitoring to ensure our services are always-on.
Customer Support and Professional Services
Our products are designed for ease of use and fast deployments. As part of our customer first strategy, we are focused on customer success and offer several programs to help our customers maximize their success with our products. These programs leverage the expertise and best practices that we have built while helping thousands of customers to adopt and deploy our products.
Customer Support and Training Services
We offer three tiers of support, each of which builds upon the previous tier. We provide 24/7 support for the highest support tiers as well as access to Customer Success and Technical Account Managers. We also provide on-demand access to a robust online digital community and customer success hub where customers can find answers to common use cases, information about product features, and interact with Okta experts and industry peers.
Professional Services
Our professional services team provides assistance to customers in the deployment of our Workforce Identity and Customer Identity Clouds and includes identity and security experts, customized deployment plans and SmartStart, which provides a quick path to implementation.
11


Okta Community

We have created the Okta Community, an online community available to all of our customers that enables them to connect with other customers and partners to ask questions and find answers.
Intellectual Property
We protect our intellectual property through a combination of trademarks, domain names, copyrights, trade secrets and patents, as well as contractual provisions and restrictions on access to our proprietary technology.
As of January 31, 2023, we had thirty-four issued patents in the United States, which expire between 2030 and 2039 and cover various aspects of our products. In addition, as of such date, we also had a number of patents granted around the world including twelve issued patents in Australia which expire between 2033 and 2037, seven issued patents in New Zealand which expire between 2034 and 2037, and nine issued European patents which have each been validated in Germany, France and Great Britain, with some also validated in Switzerland, Denmark, Spain, the Netherlands, Norway and Sweden, and expire between 2033 and 2037.
We have registered “Okta” and "Auth0" as trademarks in many jurisdictions throughout the world to protect our brands. We also have filed other trademark applications pending in various jurisdictions throughout the world. We also have registered other trademarks in the United States including “Okta Workforce Identity Cloud,” “Okta Customer Identity Cloud,” “Okta WIC,” “Okta CIC,” “The World’s Identity Company,” "Okta Your Cloud, Covered," "Enterprise Identity, Delivered," "Work Outside the Perimeter," "Oktane" and "Never Build Auth Again."
We are the registered holder of a variety of domestic and international domain names that include “Okta,” "Auth0" and similar variations.
In addition to the protection provided by our intellectual property rights, we enter into confidentiality and proprietary rights or similar agreements with our employees, consultants and contractors. Our employees, consultants and contractors are also subject to invention assignment agreements. We further control the use of our proprietary technology and intellectual property through provisions in both general and product-specific terms of use.
Additional information regarding certain risks related to our intellectual property is included in Part I, Item 1A “Risk Factors” of this Annual Report on Form 10-K.
Our Competitors
The markets for our products are rapidly evolving, highly competitive and subject to shifting customer needs and frequent introductions of new competing technologies. As the markets in which we operate continue to mature and new technologies and competitors enter those markets, we expect competition to intensify. Our competitor categories include:
Authentication providers;
Lifecycle Management providers;
Multi-factor Authentication providers;
Infrastructure-as-a-service providers;
Other customer identity and access management providers; and
Solutions developed in-house by our potential customers.
We compete with both cloud-based and on-premise enterprise application software providers. Our competitors vary in size and in the breadth and scope of the products and services offered. However, certain of our competitors have substantial competitive advantages such as significantly greater financial, technical, sales and marketing, distribution, customer support or other resources, longer operating histories, greater resources to make strategic acquisitions and greater name recognition than we do. Our principal competitor is Microsoft.
Due to the flexibility and breadth of our platform, we can and often do co-exist alongside our competitors’ products within our customer base.
12


Principal competitive factors in our markets include flexibility, independence, product capabilities, total cost of ownership, time to value, scalability, user experience, number of pre-built integrations, customer satisfaction, global reach and ease of integration, management and use. We believe our product strategy, platform architecture, technology and independence as well as our company culture allow us to compete favorably on each of these factors.
We expect competition to increase as other established and emerging companies enter our markets, as customer requirements evolve, and as new products and technologies are introduced. We expect this to be particularly true as we are a cloud-based offering, and our competitors may also seek to acquire new offerings or repurpose their existing offerings to provide identity management solutions with subscription models. With the continuing merger and acquisition activity in the technology industry, particularly transactions involving security or identity and access management technologies, there is a greater likelihood that we will compete with other large technology companies in the future in both the workforce identity and customer identity markets.
Additional information regarding our competition is included in Part I, Item 1A “Risk Factors” of this Annual Report on Form 10-K.
Human Capital Resources
Our core values – love our customers, never stop innovating, act with integrity, be transparent and empower our people – inform and guide our human capital initiatives and objectives. In order to continue to innovate and drive customer success, it is crucial that we continue to attract, develop and retain exceptional talent and balanced teams. To that end, we strive to make Okta a diverse and inclusive workplace, with opportunities for our employees to grow and develop in their careers, supported by fair and competitive compensation, benefits and wellness programs, and by initiatives that foster connections between and among our employees and their communities.
As of January 31, 2023, we had 6,013 employees, of which approximately 72% were in the United States and 28% were in our international locations. We have not experienced any work stoppages, and we consider our relations with our employees to be good. Our employee engagement program helps us understand employee sentiment on a wide range of topics throughout the employee lifecycle, providing insights that inform our decisions about company initiatives, employee programs, talent risks, management opportunities and more. In fiscal 2023, 84% of our eligible employees participated in our annual employee engagement survey.
We encourage you to review the “Diversity, Inclusion and Belonging,” “Responsibility,” “Careers” and “Okta for Good” pages of our website at www.okta.com for more detailed information regarding our human capital programs and initiatives. Additional information on our diversity, inclusion and belonging strategy, diversity metrics and programs can be found in our most recent State of Inclusion at Okta annual report located on our website at www.okta.com/state-of-inclusion-at-okta, and additional information on our compensation, benefits and wellness programs is available on our Total Rewards website at rewards.okta.com. The information contained on, or that can be accessed through, our website is not incorporated by reference into this Annual Report on Form 10-K.
People First Philosophy
“Empower our people” is one of our core values. Our “People First” philosophy, in which culture, career growth, competitive rewards, flexible work and purpose come together, creates a shared sense of ownership in achieving our company vision. We want every employee to feel ownership of Okta.
Diversity, Inclusion and Belonging
We are committed to fostering a culture of inclusion and belonging, and to building a diverse workforce to drive innovation and collective growth, which we believe is critical to our success. In recent years, we have made deeper investments in our diversity, inclusion and belonging ("DIB") program at Okta. Our DIB initiatives – spearheaded by our DIB department and employee resource groups ("ERGs"), in partnership with various other teams – focus on DIB in our workforce, in our workplace and in the marketplace.
We employ inclusive recruitment and hiring practices to source diverse talent and mitigate potential bias throughout the hiring process. Our engagement with diversity sourcing programs and partnerships allows us to both source top talent from underrepresented groups for current open roles, and further strengthen our ability to build and nurture diverse talent communities for future roles. We also continue to recruit from a range of colleges and engage with organizations that support diverse students and jobseekers through our social impact arm, Okta for Good.
13


Nurturing a culture of inclusion and belonging in our workplace is a key priority. We empower our employees to be authentic and grow through open conversations and engagement resources, including regular safe space DIB discussion forums and facilitated workshops, precise language and inclusive calibrations, personalized DIB learning tools, mentoring and workplace development programs focused on supporting talent from underrepresented communities, and sponsorship of ERGs that strengthen our DIB culture. We currently have an affinity group supporting neurodiversity and ERGs supporting women, people of color, veterans, the LGBTQIA+ community and parents and caregivers.
Growth and Development
We invest significant resources to develop talent and actively foster a learning culture where employees are empowered to drive their personal and professional growth. We provide our employees with a wide range of learning and development opportunities, including in-person, virtual, social and self-directed learning, mentoring, coaching and external development. We offer extensive onboarding and training programs through our internal learning initiative to prepare our employees at all levels for career progression and individual development. Our employee onboarding program helps our employees get off to the right start, our manager development program helps to build a solid foundation for our people managers, and our technical training program quickly brings our new technical employees up to speed on our product offerings.
Compensation, Benefits and Wellness
We provide robust compensation, benefits and wellness programs that help support the varying needs of our employees. In addition to market-competitive base pay, short-term bonus incentives and long-term equity incentives, our total rewards program offers comprehensive employee benefits that may vary by country/region, including an employee stock purchase plan, a 401(k) plan with company matching contributions, comprehensive medical, dental and vision insurance, life and disability insurance, health savings accounts, charitable donation matching, flexible time off, volunteer time off, gender-neutral paid parental leave, fertility and adoption support, family care resources, mobile and internet reimbursement, mental health and lifestyle support programs and a variety of other health and wellness resources.
We are committed to fair compensation and opportunity in our workplace. We conduct regular equal pay assessments and adjust as needed to ensure our employees are paid equitably without regard to gender or ethnicity.
Dynamic Work
We help our employees succeed by providing flexibility in where and how they work. Prior to the COVID-19 pandemic, we had introduced and began transitioning our workforce to a “Dynamic Work” framework, based on the premise that enabling our employees to work from anywhere can increase employee empowerment, satisfaction and productivity, drive efficiency and enable us to hire from a broader, more diverse pool of talent. In response to the COVID-19 pandemic, we accelerated our move to Dynamic Work to protect the health, safety and wellness of our employees.
Looking forward, we continue to focus on technologies and programs that create equity and build community across our dynamic workforce, including:
Flexible benefit offerings that allow employee customization;
Workplace solutions, such as coworking spaces, outside of our primary office locations that support our distributed teams;
A Dynamic Work Sustainability Guide to empower our employees to bring sustainability into their work environments, wherever they are based; and
Curated experience programs that foster a sense of community both in-person and virtually.
Community and Social Impact
The mission of our social impact arm, Okta for Good, is to strengthen the connections between people, technology and community, which we believe fosters a more meaningful, fulfilling and enjoyable workplace. Our employees are passionate about many causes and Okta for Good connects them with numerous giving and volunteering opportunities in service of our communities. Okta for Good's core focus areas are:
14


Developing technology for good ecosystems;
Expanding economic opportunity and pathways into the technology sector;
Supporting non-profits addressing critical needs in our global communities; and
Empowering our employees to become changemakers.
Through Okta for Good, which is a part of our company and not a separate legal entity, we donate and discount access to our service for non-profit organizations, who use Okta to make their teams more efficient, allowing them to focus on their important missions. Our employee volunteer program enables global team members to donate time to support charitable organizations worldwide.
In addition, prior to our initial public offering ("IPO") in April 2017, we reserved 300,000 shares of our common stock to fund and support the operations of Okta for Good, of which 131,250 shares of Class A common stock remained reserved for future issuances as of January 31, 2023. Additional information can be found on the "Okta for Good" page of our website at www.okta.com. The information contained on, or that can be accessed through, our website is not incorporated by reference into this Annual Report on Form 10-K.
Sustainability
In fiscal 2021, we launched our Environmental, Social and Governance (“ESG”) program. We established an oversight structure to provide strategic direction for our ESG program. Our ESG efforts are overseen by our executive leadership team and are reviewed by the nominating and corporate governance committee of our board of directors. Our ESG program covers issues relevant to our business under three categories: Protecting Our Customers, Investing in Our People and Supporting Our Communities.
We have set public commitments to climate targets. Our climate strategy to address emissions is currently aimed at energy consumption reduction, electrification, purchasing renewable energy and engaging with vendors to address their emissions. We have a renewable energy program, which matches our electricity consumption from our offices, our remote workforce and cloud services with renewable electricity. Additional information on our ESG programs and initiatives can be found in our “ESG Fact Sheet” on the “Responsibility” page of our website at www.okta.com. The information contained on, or that can be accessed through, our website is not incorporated by reference into this Annual Report on Form 10-K.
Financial Information
The financial information required under this Item 1 is incorporated herein by reference to the section of this Annual Report on Form 10-K titled “Part II-Item 8-Financial Statements and Supplementary Data.” For financial information regarding our business, see “Part II-Item 7-Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Annual Report on Form 10-K and our consolidated audited financial statements and related notes included elsewhere in this Annual Report on Form 10-K.
Corporate Information
We were incorporated in 2009 as Saasure Inc., a California corporation, and were later reincorporated in 2010 under the name Okta, Inc. as a Delaware corporation. Our principal executive offices are located at 100 First Street, Suite 600, San Francisco, California 94105, and our telephone number is (888) 722-7871. Our website address is www.okta.com. Information contained on, or that can be accessed through, our website does not constitute part of this Annual Report on Form 10-K.
Additional Information
The following filings are available through our investor relations website after we file them with the Securities and Exchange Commission ("SEC"): Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and our Proxy Statement for our annual meeting of stockholders. These filings are also available for download free of charge on our investor relations website. Our investor relations website is located at investor.okta.com. The SEC also maintains an internet website that contains reports, proxy statements and other information about issuers, like us, that file electronically with the SEC. The address of that website is www.sec.gov.
We webcast our earnings calls and certain events we participate in or host with members of the investment community on our investor relations website. Additionally, we provide notifications of news or announcements regarding our financial performance, including SEC filings, investor events, press and earnings releases, and blogs
15


as part of our investor relations website. Further corporate governance information, including our corporate governance guidelines and code of conduct, is also available on our investor relations website under the heading "Corporate Governance." The contents of our websites are not intended to be incorporated by reference into this Annual Report on Form 10-K or in any other report or document we file with the SEC, and any references to our websites are intended to be inactive textual references only.
Item 1A. Risk Factors
A description of the risks and uncertainties associated with our business is set forth below. You should carefully consider the risks and uncertainties described below, as well as the other information in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes and “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The occurrence of any of the events or developments described below, or of additional risks and uncertainties not presently known to us or that we currently deem immaterial, could materially and adversely affect our business, results of operations, financial condition and growth prospects. In such an event, the market price of our Class A common stock could decline and you could lose all or part of your investment.
Risk Factor Summary
This risk factor summary contains a high-level summary of risks associated with our business. It does not contain all of the information that may be important to you, and you should read this risk factor summary together with the more detailed discussion of risks and uncertainties set forth following this summary. A summary of our risks includes, but is not limited to, the following:
Adverse general economic, market and industry conditions and reductions in workforce identity and customer identity spending may reduce demand for our products, which could harm our revenue, results of operations and cash flows.
We have experienced rapid growth in recent periods, which makes it difficult to forecast our revenue and evaluate our business and future prospects.
We have experienced rapid growth in recent periods, and our prior growth rates may not be indicative of our future growth. As our costs increase, we may not be able to generate sufficient revenue to achieve and, if achieved, maintain profitability.
We have a history of losses, and we expect to incur losses for the foreseeable future.
If we fail to manage our growth effectively, we may be unable to execute our business plan, maintain high levels of service and customer satisfaction or adequately address competitive challenges.
We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
If we are unable to attract new customers, sell additional products to our existing customers or develop new products and enhancements to our products that achieve market acceptance, our revenue growth and profitability will be harmed.
Our business depends on our customers renewing their subscriptions and purchasing additional licenses or subscriptions from us. Any material decline in our Dollar-Based Net Retention Rate would harm our future results of operations.
Customer growth could fall below expectations.
The effects of the COVID-19 pandemic have affected how we and our customers are operating our businesses, and the duration and extent to which this will impact our future results of operations and overall financial performance remains uncertain.
We may experience quarterly fluctuations in our results of operations due to a number of factors that make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.
16


If there are interruptions or performance problems associated with our technology or infrastructure, our existing customers may experience service outages, and our new customers may experience delays in the deployment of our platform.
In the past we have experienced and in the future we may experience cybersecurity incidents that may allow unauthorized access to our systems or data or our customers’ data, disable access to our service, harm our reputation, create additional liability and adversely impact our financial results.
Any actual or perceived failure by us to comply with the privacy or security provisions of our privacy policy, our contracts and/or legal or regulatory requirements could result in proceedings, actions or penalties against us.
The stock price of our Class A common stock may be volatile or may decline.
The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and their affiliates, who held in the aggregate 41.7% of the voting power of our capital stock as of January 31, 2023. This will limit or preclude your ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval.
Servicing our debt may require a significant amount of cash. We may not have sufficient cash flow from our business to pay our indebtedness.
We depend on our executive officers and other key employees, and the loss of one or more of these employees or an inability to attract and retain other highly skilled employees could harm our business.
Risks Related to Our Business and Industry
Adverse general economic, market and industry conditions and reductions in workforce identity and customer identity spending may reduce demand for our products, which could harm our revenue, results of operations and cash flows.
Our revenue, results of operations and cash flows depend on the overall demand for our products. Concerns about the inflation and interest rate environment, the COVID-19 pandemic, the systemic impact of a widespread recession (in the United States or internationally), energy costs, geopolitical issues, such as Russia’s invasion of Ukraine, or the availability and cost of credit have and could continue to lead to increased market volatility, decreased consumer confidence and diminished growth expectations in the U.S. economy and abroad, which in turn could result in reductions in workforce identity and customer identity spending by our existing and prospective customers. These economic conditions can occur abruptly. Prolonged economic slowdowns may result in customers requesting us to renegotiate existing contracts on less advantageous terms to us than those currently in place or defaulting on payments due on existing contracts or not renewing at the end of the contract term. For example, rising interest rates in the United States have begun to affect businesses across many industries, including ours, by increasing the costs of labor, employee healthcare and other components, which may further constrain our, our customers’ and prospective customers’ budgets. To the extent there is a sustained general economic downturn and our platforms and services are perceived by customers or potential customers as costly, or too difficult to deploy or migrate to, our revenue may be disproportionately affected by delays or reductions in spending.
Our customers may merge with other entities who use alternative identity solutions and, during weak economic times, there is an increased risk that one or more of our customers will file for bankruptcy protection, either of which may harm our revenue, profitability and results of operations. We also face risk from international customers that file for bankruptcy protection in foreign jurisdictions, particularly given that the application of foreign bankruptcy laws may be more difficult to predict. In addition, we may determine that the cost of pursuing any claim may outweigh the recovery potential of such claim. As a result, if economic growth in countries where we do business slows or if such countries experience further economic recession, it could harm our business, revenue, results of operations and cash flows.
We have experienced rapid growth in recent periods, which makes it difficult to forecast our revenue and evaluate our business and future prospects.
17


Much of our growth has occurred in recent periods, which makes it difficult to forecast our revenue and evaluate our business and future prospects. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly changing industries, including the risks and uncertainties described in this document. Additionally, the sales cycle for the evaluation and implementation of our platform, which typically extends for multiple months for enterprise deals, may also cause us to experience a delay between increasing operating expenses and the generation of corresponding revenue, if any. Accordingly, we may be unable to prepare accurate internal financial forecasts or replace anticipated revenue that we do not receive as a result of delays arising from these factors, and our results of operations in future reporting periods may be below the expectations of investors. If we do not address these risks successfully, our results of operations could differ materially from our estimates and forecasts or the expectations of investors, causing our business to suffer and our stock price to decline.
We have experienced rapid growth in recent periods, and our prior growth rates may not be indicative of our future growth. As our costs increase, we may not be able to generate sufficient revenue to achieve and, if achieved, maintain profitability.
From fiscal 2021 to fiscal 2022, our revenue grew from $835 million to $1,300 million, an increase of 56%, and from fiscal 2022 to fiscal 2023, our revenue grew from $1,300 million to $1,858 million, an increase of 43%. In future periods, we may not be able to sustain revenue growth consistent with recent history, or at all. We believe our revenue growth depends on a number of factors, such as macroeconomic conditions including the inflation and interest rate environment, budget constraints and the economic impact of the COVID-19 pandemic, as well as, but not limited to, our ability to:
price our platform effectively so that we are able to attract and retain customers without compromising our profitability;
attract new customers, successfully deploy and implement our platform, upsell or otherwise increase our existing customers’ use of our platform, obtain customer renewals and provide our customers with excellent customer support;
increase our network of channel partners, which include resellers, system integrators and other distribution partners and independent software vendors (“ISVs”);
adequately expand our sales force, and maintain or increase our sales force’s productivity;
successfully identify and enter into agreements with suitable acquisition targets, integrate any acquisitions and integrate acquired technologies into our existing products or use them to develop new products;
successfully introduce new products, enhance existing products and address new use cases;
introduce our platform to new markets outside of the United States;
successfully compete against larger companies and new market entrants; and
increase awareness of our brand on a global basis.
If we are unable to accomplish any of these tasks, our revenue growth will be harmed. We also expect our operating expenses to increase in future periods, and if our revenue growth does not increase to offset these anticipated increases in our operating expenses, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability.
We have a history of losses, and we expect to incur losses for the foreseeable future.
We have incurred significant net losses in each year since our inception, including net losses of $266 million, $848 million and $815 million in fiscal 2021, 2022 and 2023, respectively. We expect to continue to incur net losses for the foreseeable future. Because the market for our platform is rapidly evolving and has not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to significantly increase over the next several years as a result of the Auth0 acquisition, and as we hire additional personnel, particularly in sales and marketing, expand and improve the effectiveness of our distribution channels, expand our operations and infrastructure, both domestically and internationally, pursue business combinations and continue to develop our platform. As we continue to develop as a public company, we may incur additional legal, accounting and other expenses that we did not incur historically. If our revenue does not increase to
18


offset these increases in our operating expenses, we will not be profitable in future periods. While historically, our total revenue has grown, not all components of our total revenue have grown consistently. Further, in future periods, our revenue growth could slow or our revenue could decline for a number of reasons, including slowing demand for our software, increasing competition, any failure to gain or retain channel partners, a decrease in the growth of our overall market, or our failure, for any reason, to continue to capitalize on growth opportunities. As a result, our past financial performance should not be considered indicative of our future performance. Any failure by us to achieve or sustain profitability on a consistent basis could cause the value of our common stock to decline.
If we fail to manage our growth effectively, we may be unable to execute our business plan, maintain high levels of service and customer satisfaction or adequately address competitive challenges.
We have experienced, and may continue to experience, rapid growth and organizational change, which has placed, and may continue to place, significant demands on our management and our operational and financial resources. For example, our headcount has grown from 5,030 employees as of January 31, 2022 to 6,013 employees as of January 31, 2023. We have also experienced significant growth in the number of customers, users and logins and in the amount of data that our SaaS infrastructure supports. Finally, our organizational structure is becoming more complex as we improve our operational, financial and management controls as well as our reporting systems and procedures. We will require significant capital expenditures and the allocation of valuable management resources to grow and change in these areas without undermining our culture of rapid innovation, teamwork and attention to customer success, which has been central to our growth so far. If we fail to manage our anticipated growth and change in a manner that preserves the key aspects of our corporate culture, the quality of our platform may suffer, which could negatively affect our brand and reputation and harm our ability to retain and attract customers and employees.
We have established international offices in the Americas, Asia-Pacific and Europe, and we plan to continue to expand our international operations in the future. Our expansion has placed, and our expected future growth will continue to place, a significant strain on our managerial, customer operations, research and development, marketing and sales, administrative, financial and other resources. If we are unable to manage our continued growth successfully, our business and results of operations could suffer.
In addition, as we expand our business, it is important that we continue to maintain a high level of customer service and satisfaction. As our customer base continues to grow, we will need to expand our account management, customer service and other personnel, and our network of ISVs, system integrators and other channel partners, to provide personalized account management and customer service. If we are not able to continue to provide high levels of customer service, our reputation, as well as our business, results of operations and financial condition, could be harmed.
We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
The markets for our products are rapidly evolving, highly competitive and subject to shifting customer needs and frequent introductions of new technologies. As the markets in which we operate continue to mature and new technologies and competitors enter such markets, we expect competition to intensify. Our competitor categories include, but are not limited to:

Authentication providers;
Access and lifecycle management providers;
Multi-factor authentication providers;
Infrastructure-as-a-service providers;
Other customer identity and access management providers; and
Solutions developed in-house by our potential customers.
We compete with both cloud-based and on-premise enterprise application software providers. Our competitors vary in size and in the breadth and scope of the products and services offered. However, many of our competitors have substantial competitive advantages such as significantly greater financial, technical, sales and marketing, distribution, customer support or other resources, larger intellectual property portfolios, longer operating
19


histories, greater resources to make strategic acquisitions and greater name recognition than we do. Our principal competitor is Microsoft.
With the continuing merger and acquisition activity in the technology industry, particularly transactions involving security or identity and access management technologies, there is a greater likelihood that we will compete with other large technology companies in the future in both the workforce identity and customer identity markets.
In addition, some of our larger competitors have substantially broader product offerings and leverage their relationships based on other products or incorporate functionality into existing products to gain business in a manner that discourages users from purchasing our products, including through selling at zero or negative margins, product bundling or closed technology platforms. Potential customers may also prefer to purchase from their existing suppliers rather than a new supplier regardless of product performance or features. These larger competitors often have broader product lines and market focus and as a result are not as susceptible to downturns in a particular market. Our competitors may also seek to acquire new offerings or repurpose their existing offerings to provide identity solutions with subscription models. Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering by our competitors or continuing market consolidation. New start-up companies that innovate and large competitors that are making significant investments in research and development may invent similar or superior products and technologies that compete with our products. In addition, some of our competitors may enter into new alliances with each other or may establish or strengthen cooperative relationships with systems integrators, third-party consulting firms or other parties. Any such consolidation, acquisition, alliance or cooperative relationship could lead to pricing pressure and our loss of market share and could result in a competitor with greater financial, technical, marketing, service and other resources, all of which could harm our ability to compete. Furthermore, organizations may be more willing to incrementally add solutions to their existing infrastructure from competitors than to replace their existing infrastructure with our products. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margins, increased net losses, and loss of market share. Any failure to meet and address these factors could harm our business, results of operations and financial condition.
If we are unable to attract new customers, sell additional products to our existing customers or develop new products and enhancements to our products that achieve market acceptance, our revenue growth and profitability will be harmed.
To increase our revenue and achieve and maintain profitability, we must add new customers or sell additional products to our existing customers. Numerous factors, however, may impede our ability to add new customers and sell additional products to our existing customers, including our failure to convert new organizations into paying customers, failure to attract, effectively train, retain and motivate sales and marketing personnel, failure to develop or expand relationships with channel partners, failure to successfully deploy products for new customers and provide quality customer support or failure to ensure the effectiveness of our marketing programs. In addition, if prospective customers do not perceive our platform to be of sufficiently high value and quality, we will not be able to attract the number and types of new customers that we are seeking.

In addition, our ability to attract new customers and increase revenue from existing customers depends in large part on our ability to enhance and improve our existing products and to introduce compelling new products that reflect the changing nature of our markets. The success of any enhancement to our products depends on several factors, including timely completion and delivery, competitive pricing, adequate quality testing, integration with existing technologies and our platform and overall market acceptance. If we are unable to successfully develop new products, enhance our existing products to meet customer requirements, or otherwise gain market acceptance, our business, results of operations and financial condition would be harmed.
Further, to grow our business, we must convince developers to adopt and build their applications using our application programming interfaces (“APIs”) and products. We believe that these developer-built applications facilitate greater usage and customization of our products. If these developers stop developing on or supporting our platform, we will lose the benefit of network effects that have contributed to the growth in our number of customers, and our business (including the performance levels of our products), results of operations and financial condition could be harmed.
20


Our business depends on our customers renewing their subscriptions and purchasing additional licenses or subscriptions from us. Any material decline in our Dollar-Based Net Retention Rate would harm our future results of operations.
To continue to grow our business, it is important that our customers renew their subscriptions when existing contract terms expire and that we expand our commercial relationships with our existing customers. Our customers have no obligation to renew their subscriptions, and our customers may decide not to renew their subscriptions with a similar contract period, at the same prices and terms or with the same or a greater number of users. We have experienced significant growth in the number of users of our platform, but we do not know whether we will continue to achieve similar user growth rates in the future. In the past, some of our customers have elected not to renew their agreements with us, and it is difficult to accurately predict long-term customer retention and expansion rates. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our products, our product support, our prices and pricing plans, particularly in light of COVID-19-related economic conditions, the inflation and interest rate environment and increased costs, the prices of competing software products, reductions in our customers’ spending levels, user adoption of our platform, deployment success, utilization rates by our customers, new product releases and changes to the packaging of our product offerings. If our customers do not purchase additional subscriptions or renew their subscriptions, renew on less favorable terms or fail to add more users, our revenue may decline or grow less quickly than anticipated, which would harm our future results of operations. Furthermore, if our contractual subscription terms were to shorten it could lead to increased volatility of, and diminished visibility into, future recurring revenue. If our sales of new or recurring subscriptions and software-related support service contracts decline from existing customers, our revenue and revenue growth may decline, and our business will suffer.
Customer growth could fall below expectations.
We have experienced significant growth in the number of our customers in recent periods. As our customer base continues to grow and as we increase our focus on sales to the world’s largest organizations, we do not expect customer growth to continue at the same pace as it has previously. These factors could cause customer growth to fall below analyst or investor expectations. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.
The effects of the COVID-19 pandemic have materially affected how we and our customers are operating our businesses, and the duration and extent to which this will impact our future results of operations and overall financial performance remains uncertain.
The extent of the impact of COVID-19 on our future operational and financial performance remains uncertain and will depend on certain developments, including the duration and spread of COVID-19 and variants of concern, the manufacture, distribution, efficacy and public acceptance of COVID-19 treatments and vaccines, related public health measures, including vaccine mandates, and their impact on the global economy, our customers, employees and vendors. While some governments around the world have lifted restrictions and distributed vaccines, there remains significant uncertainty around the recovery, as well as the unknown impact of emerging variants of COVID-19. This pandemic has resulted in a widespread health crisis that is adversely affecting broader economies and financial markets.
The conditions caused by the COVID-19 pandemic have and may continue to affect the rate of IT spending and have and could adversely affect our current and potential customers’ ability or willingness to purchase our offerings. It has and could continue to delay current and prospective customers’ purchasing decisions, adversely impact our ability to provide professional services to our customers, delay the provisioning of our offerings, lengthen payment terms, reduce the value or duration of our subscription contracts, or affect customer attrition rates, all of which could adversely affect our future sales, operating results and overall financial performance.
The duration and extent of the impact from the COVID-19 pandemic depends on future developments that cannot be accurately predicted at this time, such as the efficacy, global availability and acceptance of COVID-19 vaccines, the severity and transmission rate of the virus and emerging variants of concern, the extent and effectiveness of containment actions and the impact of these and other factors on our employees, customers, partners and vendors as well as the global economy. Although global economic conditions have generally improved with the rollout of COVID-19 vaccines, business activity may not recover as quickly as anticipated, including as a result of inflationary pressures and the responses by central banking authorities to control such inflation, rising interest rates, debt and equity market fluctuations, diminished liquidity and credit availability, increased
21


unemployment rates, decreased investor and consumer confidence, political turmoil and supply chain challenges. Despite our best efforts to manage the impact of such events effectively, our business still may be harmed.
We may experience quarterly fluctuations in our results of operations due to a number of factors that make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.
Our quarterly results of operations fluctuate from quarter to quarter as a result of a number of factors, many of which are outside of our control and may be difficult to predict, including, but not limited to:
the level of demand for our platform;
our ability to attract new customers, obtain renewals from existing customers and upsell or otherwise increase our existing customers’ use of our platform;
health epidemics, such as COVID-19, influenza and other highly communicable diseases or viruses;
the timing and success of new product introductions by us or our competitors or any other change in the competitive landscape of our market;
pricing pressure as a result of competition, the inflation and interest rate environment and increased costs, COVID-19 or otherwise;
seasonal buying patterns for IT spending;
the mix of revenue attributable to larger transactions as opposed to smaller transactions, and the associated volatility and timing of our transactions;
changes in remaining performance obligations (“RPO”) due to seasonality, the timing of and compounding effects of renewals, invoice duration, size and timing, new business linearity between quarters and within a quarter, average contract term or fluctuations due to foreign currency movements, all of which may impact implied growth rates;
errors in our forecasting of the demand for our products, which could lead to lower revenue, increased costs or both;
increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;
significant security breaches of, technical difficulties with, or interruptions to, the delivery and use of our platform and products;
our ability to comply with privacy laws and requirements, including the General Data Protection Regulation and California Consumer Privacy Act;
costs related to the acquisition of businesses, talent, technologies or intellectual property, including potentially significant amortization costs and possible write-downs;
credit or other difficulties confronting our channel partners;
adverse litigation judgments, settlements of litigation and other disputes or other litigation-related or dispute-related costs;
the impact of new accounting pronouncements and associated system implementations;
changes in the legislative or regulatory environment;
fluctuations in foreign currency exchange rates;
expenses related to real estate, including our office leases, and other fixed expenses; and
general economic conditions in either domestic or international markets, including the inflation and interest rate environment, geopolitical uncertainty and instability.
22


Any one or more of the factors above may result in significant fluctuations in our results of operations. You should not rely on our past results as an indicator of our future performance.
The variability and unpredictability of our quarterly results of operations or other operating metrics could result in our failure to meet our expectations or those of analysts that cover us or investors with respect to revenue or other metrics for a particular period. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.
Our ability to introduce new products and features is dependent on adequate research and development resources and our ability to successfully complete acquisitions. If we do not adequately fund our research and development efforts or complete acquisitions successfully, we may not be able to compete effectively and our business and results of operations may be harmed.
To remain competitive, we must continue to develop new products, applications and enhancements to our existing platform. This is particularly true as we further expand and diversify our capabilities. Maintaining adequate research and development resources, such as the appropriate personnel and development technology, to meet the demands of the market is essential. If we elect not to or are unable to develop products internally, we may choose to expand into a certain market or strategy via an acquisition for which we could potentially pay too much or fail to successfully integrate into our operations. Further, many of our competitors expend a considerably greater amount of funds on their respective research and development programs, and those that do not may be acquired by larger companies that could allocate greater resources to our competitors’ research and development programs. Our failure to maintain adequate research and development resources or to compete effectively with the research and development programs of our competitors would give an advantage to such competitors and may harm our business, results of operations and financial condition.
Future acquisitions, investments, partnerships or alliances could be difficult to identify and integrate, divert the attention of management personnel, disrupt our business, dilute stockholder value and harm our results of operations and financial condition.
We have in the past acquired, and we may in the future seek to acquire or invest in, businesses, products or technologies that we believe could complement or expand our current platform, enhance our technical capabilities or otherwise offer growth opportunities. The pursuit of potential acquisitions may divert the attention of management and cause us to incur various expenses in identifying, investigating and pursuing suitable acquisitions, whether or not they are consummated. In addition, we have limited experience in acquiring other businesses. If we acquire additional businesses, we may not be able to successfully integrate and retain the acquired personnel, integrate the acquired operations and technologies, and adequately test and assimilate the internal control processes of the acquired business in accordance with the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley Act”), or effectively manage the combined business following the acquisition. For example, we have experienced and continue to experience aspects of such challenges in connection with our May 2021 acquisition of Auth0.
We may not be able to find and identify desirable acquisition targets or we may not be successful in entering into an agreement with any particular target. Acquisitions could also result in dilutive issuances of equity securities, use of our available cash or the incurrence of debt, or in adverse tax consequences or unfavorable accounting treatment, which could harm our results of operations.
In addition, from time to time we invest in private growth stage companies for strategic reasons and to support key business initiatives, and we may not realize a return on these investments. All of our venture investments are subject to a risk of partial or total loss of investment capital.
Acquisitions and strategic transactions involve numerous risks, including:
delays or reductions in customer purchases for both us and the acquired business;
disruption of partner and customer relationships;
potential loss of key employees of the acquired company;
claims by and disputes with the acquired company’s employees, customers, stockholders or third parties;
23


unknown liabilities or risks associated with the acquired business, product or technology, such as contractual obligations, potential security vulnerabilities of the acquired company and its products and services, potential intellectual property infringement, costs arising from the acquired company’s failure to comply with legal or regulatory requirements and litigation matters;
acquired technologies or products may not comply with legal or regulatory requirements and may require us to make additional investments to make them compliant;
acquired technologies or products may not be able to provide the same support service levels that we generally offer with our other products;
acquired businesses, technologies or products could be viewed unfavorably by our partners, our customers, our stockholders or securities analysts;
unforeseen integration or other expenses; and
future impairment of goodwill or other acquired intangible assets.
In addition, if an acquired business fails to meet our expectations, our business, results of operations and financial condition could suffer.
Because our long-term success depends, in part, on our ability to expand the sales of our products to customers located outside of the United States, our business will be susceptible to risks associated with international operations.
We currently have sales personnel outside the United States and maintain offices outside the United States in the Americas, Asia-Pacific and Europe, and we plan to continue to expand our international operations.

Our international revenue was 20% and 22% of our total revenue in fiscal 2022 and fiscal 2023, respectively. Any international expansion efforts that we may undertake may not be successful. In addition, conducting international operations subjects us to new risks, some of which we have not generally faced in the United States. These risks include, among other things:
health epidemics, such as COVID-19, influenza and other highly communicable diseases or viruses;
macroeconomic conditions, including the inflation and interest rate environment and the economic impact of the COVID-19 pandemic;
unexpected costs and errors in the localization of our products, including translation into foreign languages and adaptation for local practices and regulatory requirements;
lack of familiarity and burdens of complying with foreign laws, legal standards, privacy standards, regulatory requirements, tariffs and other barriers;
laws and business practices favoring local competitors or commercial parties;
costs and liabilities related to compliance with the numerous and ever-growing landscape of U.S. and international data privacy and cybersecurity regimes, many of which involve disparate standards and enforcement approaches, including implementation of the recently-announced agreement in principle between the European Union and United States to implement a successor framework to the EU-U.S. Privacy Shield, to address cross-border data flows;
greater risk that our foreign employees or partners will fail to comply with U.S. and foreign laws;
practical difficulties of enforcing intellectual property rights in countries with fluctuating laws and standards and reduced or varied protection for intellectual property rights in some countries;
restrictive governmental actions focusing on cross-border trade, including taxes, trade laws, tariffs, import and export restrictions or quotas, barriers, sanctions, custom duties or other trade restrictions;
unexpected changes in legal and regulatory requirements;
difficulties in managing systems integrators and technology partners;
24


differing technology standards;
longer accounts receivable payment cycles and difficulties in collecting accounts receivable;
difficulties in managing and staffing international operations and differing employer/employee relationships and local employment laws;
political, economic and social instability, war, terrorist activities or armed conflict, including Russia's invasion of Ukraine;
global economic uncertainty caused by global political events;
fluctuations in exchange rates that may increase the volatility of our foreign-based revenue and expense; and
potentially adverse tax consequences, including the complexities of foreign value added tax (or other tax) systems and restrictions on the repatriation of earnings.
Additionally, operating in international markets also requires significant management attention and financial resources. We cannot be certain that the investment and additional resources required in establishing operations in other countries will produce desired levels of revenue or profitability.
We have not engaged in currency hedging activities to limit risk of exchange rate fluctuations. Changes in exchange rates affect our costs and earnings, and may also affect the book value of our assets located outside the United States and the amount of our stockholders’ equity.
We have limited experience in marketing, selling and supporting our platform abroad. Our limited experience in operating our business internationally increases the risk that any potential future expansion efforts that we may undertake will not be successful. If we invest substantial time and resources to expand our international operations and are unable to do so successfully and in a timely manner, our business and results of operations will suffer.
If we fail to adapt to rapid technological change, our ability to remain competitive could be impaired.
The industry in which we compete is characterized by rapid technological change, frequent introductions of new products and evolving industry standards. Our ability to attract new customers and increase revenue from existing customers will depend in significant part on our ability to anticipate industry standards and trends and continue to enhance existing products or introduce or acquire new products on a timely basis to keep pace with technological developments. The success of any enhancement or new product depends on several factors, including the timely completion and market acceptance of the enhancement or new product. Any new product we develop or acquire might not be introduced in a timely or cost-effective manner and might not achieve the broad market acceptance necessary to generate significant revenue. If any of our competitors implements new technologies before we are able to implement them, those competitors may be able to provide more effective products than ours at lower prices. Any delay or failure in the introduction of new or enhanced products could harm our business, results of operations and financial condition.
Our financial results may fluctuate due to increasing variability in our sales cycles.
We plan our expenses based on certain assumptions about the length and variability of our sales cycle. These assumptions are based upon historical trends for sales cycles and conversion rates associated with our existing customers. As we continue to focus on sales to larger organizations and in light of the current COVID-19 environment, our sales cycles are lengthening in certain circumstances and becoming less predictable, which may harm our financial results. Other factors that may influence the length and variability of our sales cycle include, among other things:
the need to raise awareness about the uses and benefits of our platform, including our customer identity products;
the need to allay privacy, regulatory and security concerns;
the discretionary nature of purchasing and budget cycles and decisions;
the competitive nature of evaluation and purchasing processes;
25


announcements or planned introductions of new products, features or functionality by us or our competitors; and
often lengthy purchasing approval processes.
Our increasing focus on sales to larger organizations may further increase the variability of our financial results. If we are unable to close one or more of such expected significant transactions in a particular period, or if such an expected transaction is delayed until a subsequent period, our results of operations for that period, and for any future periods in which revenue from such transaction would otherwise have been recognized, may be harmed.
Our growth depends, in part, on the success of our strategic relationships with third parties.
To grow our business, we anticipate that we will continue to depend on relationships with third parties, such as channel partners. Identifying partners, and negotiating and documenting relationships with them, requires significant time and resources. Our competitors may be effective in causing third parties to favor their products or services over subscriptions to our platform. In addition, acquisitions of such partners by our competitors could result in a decrease in the number of our current and potential customers, as these partners may no longer facilitate the adoption of our applications by potential customers. Further, some of our partners are or may become competitive with certain of our products and may elect to no longer integrate with our platform. If we are unsuccessful in establishing or maintaining our relationships with third parties, our ability to compete in the marketplace or to grow our revenue could be impaired, and our results of operations may suffer. Even if we are successful, we cannot ensure that these relationships will result in increased customer usage of our applications or increased revenue.
Failure to effectively develop and expand our marketing and sales capabilities could harm our ability to increase our customer base and achieve broader market acceptance of our products.
Our ability to increase our customer base and achieve broader market acceptance of our products will depend to a significant extent on our ability to expand our marketing and sales operations. We plan to continue expanding our direct sales force and engaging additional channel partners, both domestically and internationally. This expansion will require us to invest significant financial and other resources. Our business will be harmed if our efforts do not generate a corresponding increase in revenue. We may not achieve anticipated revenue growth from expanding our direct sales force if we are unable to hire and develop talented direct sales personnel, if our new direct sales personnel are unable to achieve desired productivity levels in a reasonable period of time or if we are unable to retain our existing direct sales personnel. We also may not achieve anticipated revenue growth from our channel partners if we are unable to attract and retain additional motivated channel partners, if any existing or future channel partners fail to successfully market, resell, implement or support our products for their customers, or if they represent multiple providers and devote greater resources to market, resell, implement and support the products and solutions of these other providers. For example, some of our channel partners also sell or provide integration and administration services for our competitors’ products, and if such channel partners devote greater resources to marketing, reselling and supporting competing products, this could harm our business, results of operations and financial condition.
Various factors may cause our product implementations to be delayed, inefficient or otherwise unsuccessful.
Our business depends upon the successful implementation of our products by our customers. Increasingly, we, as well as our customers, rely on our network of partners to deliver implementation services, and there may not be enough qualified implementation partners available to meet customer demand. Various factors may cause implementations to be delayed, inefficient or otherwise unsuccessful. For example, changes in the functional requirements of our customers, delays in timeline, or deviation from recommended best practices may occur during the course of an implementation project. As a result of these and other risks, we or our customers may incur significant implementation costs in connection with the purchase, implementation and enablement of our products. Some customer implementations may take longer than planned or fail to meet our customers’ expectations, which may delay our ability to sell additional products or result in customers canceling or failing to renew their subscriptions before our products have been fully implemented. Unsuccessful, lengthy, or costly customer implementation and integration projects could result in claims from customers, harm to our reputation, and opportunities for competitors to displace our products, each of which could have an adverse effect on our business and results of operations.
26


A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
A portion of our sales are to partners that resell our services to government agencies, and we have made, and plan to continue to make, investments to support future sales opportunities in the government sector. The sale of our services to government agencies is tied to budget cycles, and there are government requirements and authorizations that we may be required to meet. Further, we may be subject to audits and investigations regarding our role as a subcontractor in government contracts, and violations could result in penalties and sanctions, including contract termination, refunding or forfeiting payments, fines, and suspension or debarment from future government business. Selling to these entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense. Government entities often require contract terms that differ from our standard arrangements and impose additional compliance requirements, require increased attention to pricing practices, or are otherwise time consuming and expensive to satisfy. Government entities may also have statutory, contractual or other legal rights to terminate contracts with our partners for convenience, for lack of funding or due to a default, and any such termination may adversely impact our future results of operations. If we represent that we meet certain standards or requirements and do not meet them, we could be subject to increased liability from our customers, investigation by regulators or termination rights. Even if we do meet them, the additional costs associated with providing our service to government entities could harm our margins. Moreover, changes in underlying regulatory requirements could be an impediment to our ability to efficiently provide our service to government customers and to grow or maintain our customer base. Any of these risks related to contracting with government entities could adversely impact our future sales and results of operations, or make them more difficult to predict.
If we fail to enhance our brand cost-effectively, our ability to expand our customer base will be impaired and our business, results of operations and financial condition may suffer.
We believe that developing and maintaining awareness of our brand in a cost-effective manner is critical to achieving widespread acceptance of our existing and future products and is an important element in attracting new customers. For example, in the fourth quarter of fiscal 2023, we rebranded our Okta and Auth0 product offerings, which we now refer to as Workforce Identity Cloud and Customer Identity Cloud. Furthermore, we believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts and on our ability to provide reliable and useful products at competitive prices. In the past, our efforts to build our brand have involved significant expenses. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, or incur substantial expenses in an unsuccessful attempt to promote and maintain our brand, we may fail to attract new customers or retain our existing customers to the extent necessary to realize a sufficient return on our brand-building efforts, and our business, results of operations and financial condition could suffer.
We may not set optimal prices for our products.
In the past, we have at times adjusted our prices either for individual customers in connection with long-term agreements or for a particular product. We expect that we may need to change our pricing in future periods and potentially in response to COVID-19 pricing pressures, the inflation and interest rate environment and increased costs. Further, as competitors introduce new products that compete with ours or reduce their prices, we may be unable to attract new customers or retain existing customers based on our historical pricing. As we expand internationally, we also must determine the appropriate price to enable us to compete effectively internationally. In addition, if our mix of products sold changes, then we may need to, or choose to, revise our pricing. As a result, we may be required or choose to reduce our prices or change our pricing model, which could harm our business, results of operations and financial condition.
Our failure to raise additional capital or generate cash flows necessary to expand our operations and invest in new technologies in the future could reduce our ability to compete successfully and harm our results of operations.
We may need to raise additional funds, and we may not be able to obtain additional debt or equity financing on favorable terms, if at all. If we raise additional equity or convertible debt financing, our security holders may experience significant dilution of their ownership interests. If we engage in additional debt financing, we may be required to accept terms that restrict our ability to incur additional indebtedness, force us to maintain specified
27


liquidity or other ratios or restrict our ability to pay dividends or make acquisitions. If we need additional capital and cannot raise it on acceptable terms, or at all, we may not be able to, among other things:
develop and enhance our products;
continue to expand our product development, sales and marketing organizations;
hire, train and retain employees;
respond to competitive pressures or unanticipated working capital requirements; or
pursue acquisition opportunities.
Our inability to do any of the foregoing could reduce our ability to compete successfully and harm our business, results of operations and financial condition.
We may be subject to liability claims if we breach our contracts and our insurance may be inadequate to cover our losses.
We are subject to numerous obligations in our contracts with our customers and partners. Despite the procedures, systems and internal controls we have implemented to comply with our contracts, we may breach these commitments, whether through a weakness in these procedures, systems and internal controls, negligence or the willful act of an employee or contractor. Our insurance policies, including our errors and omissions insurance, may be inadequate to compensate us for the potentially significant losses that may result from claims arising from breaches of our contracts, disruptions in our service, including those caused by cybersecurity incidents, failures or disruptions to our infrastructure, catastrophic events and disasters or otherwise. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all. Further, our insurance may not cover all claims made against us and defending a suit, regardless of its merit, could be costly and divert management’s attention.
Actions that we are taking to restructure our business to improve profitability may not be as effective as anticipated.
During the first quarter of fiscal 2024, we announced a world-wide restructuring plan intended to reduce operating expenses and improve profitability. We may encounter challenges in the execution of these efforts, and these challenges could impact our ability to execute on our business initiatives and could impact our financial results. If we are unable to realize the expected outcomes from our restructuring efforts, our business and operating results may be harmed.
Increased and complex scrutiny of environmental, social and governance (“ESG”) matters may require us to incur additional costs or otherwise adversely impact our business.
Increased attention to climate change; diversity, equity and inclusion; and other ESG issues, as well as societal expectations regarding voluntary ESG initiatives and disclosures, may result in increased costs (including but not limited to increased costs related to compliance, stakeholder engagement and contracting), impact our reputation, or otherwise affect our business performance. In addition, organizations that provide information to investors on corporate governance and related matters have developed ratings processes for evaluating companies on ESG matters. Such ratings are used by some investors to inform their investment or voting decisions. Unfavorable ESG ratings could lead to negative investor sentiment toward us and/or our industry, which could have a negative impact on our access to and costs of capital. To the extent ESG matters negatively impact our reputation, we may also not be able to compete as effectively to recruit or retain employees. We may take certain actions, including the establishment of ESG-related goals or targets, to improve our ESG profile and/or respond to stakeholder demand; however, such actions may be costly or be subject to numerous conditions that are outside our control, and we cannot guarantee that such actions will have the desired effect.

Moreover, while we may create and publish voluntary disclosures regarding ESG matters from time to time, many of the statements in those voluntary disclosures are based on hypothetical expectations and assumptions that may or may not be representative of current or actual risks or events or forecasts of expected risks or events, including the costs associated therewith. Such expectations and assumptions are necessarily uncertain and may be prone to error or subject to misinterpretation given the long timelines involved and the lack of an established single approach to identifying, measuring and reporting on many ESG matters. Such disclosures may also be at least partially reliant on third-party information that we have not independently verified or cannot be independently
28


verified. In addition, we expect there will likely be increasing levels of regulation, disclosure-related and otherwise, with respect to ESG matters, and increased regulation will likely lead to increased compliance costs as well as scrutiny that could heighten all of the risks identified in this risk factor. Such ESG matters may also impact our customers, which may adversely impact our business, financial condition, or results of operations.
Risks Related to Intellectual Property, Infrastructure Technology, Data Privacy and Security
If there are interruptions or performance problems associated with our technology or infrastructure, our existing customers may experience service outages, and our new customers may experience delays in the deployment of our platform.
Our continued growth depends, in part, on the ability of our existing and potential customers to access our platform 24 hours a day, seven days a week, without interruption or degradation of performance. We may experience disruptions, data loss, outages and other performance problems with our infrastructure due to a variety of factors, including infrastructure and functionality changes, human or software errors, capacity constraints or security-related incidents. In some instances, we may not be able to identify the cause or causes of these performance problems immediately or in short order. We may not be able to maintain the level of service uptime and performance required by our customers, especially during peak usage times and as our products become more complex and our user traffic increases. If our platform is unavailable or if our customers are unable to access our products or deploy them within a reasonable amount of time, or at all, our business would be harmed. Since our customers rely on our service to access and complete their work, any outage on our platform would impair the ability of our customers to perform their work, which would negatively impact our brand, reputation and customer satisfaction. Moreover, we depend on services from various third parties to maintain our infrastructure and distribute our products via the internet. If a service provider fails to provide sufficient capacity to support our platform or otherwise experiences service outages, such failure could interrupt our customers’ access to our service, which could adversely affect their perception of our platform's reliability and our revenues. Any disruptions in these services, including as a result of actions outside of our control, would significantly impact the continued performance of our products. In the future, these services may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of these services could result in decreased functionality of our products until equivalent technology is either developed by us or, if available from another provider, is identified, obtained and integrated into our infrastructure. If we do not accurately predict our infrastructure capacity requirements, our customers could experience service shortfalls. We may also be unable to effectively address capacity constraints, upgrade our systems as needed, and continually develop our technology and network architecture to accommodate actual and anticipated changes in technology.
Any of the above circumstances or events may harm our reputation, cause customers to terminate their agreements with us, impair our ability to obtain subscription renewals from existing customers, impair our ability to grow our customer base, result in the expenditure of significant financial, technical and engineering resources, subject us to financial penalties and liabilities under our service level agreements, and otherwise harm our business, results of operations and financial condition.
In the past we have experienced and in the future we may experience cybersecurity incidents that may allow unauthorized access to our systems or data or our customers’ data, disable access to our service, harm our reputation, create additional liability and adversely impact our financial results.
Increasingly, companies, including Okta, are subject to a wide variety of attacks on their systems and networks on an ongoing basis. In addition to threats from traditional computer “hackers,” malicious code (such as malware, viruses, worms and ransomware), employee or contractor theft or misuse, password spraying, phishing and denial-of-service attacks, we and our third-party service providers now also face threats from sophisticated nation-state and nation-state-supported actors who engage in attacks (including advanced persistent threat intrusions) that add to the risks to our systems (including those hosted on AWS’ or other cloud services providers’ systems), internal networks, our customers’ systems and the information that they store and process. For example, like other companies, we have experienced numerous cybersecurity attacks and have had to expend increasing amounts of human and financial capital to respond. We expect that these cybersecurity attacks will continue and that the scope and sophistication of these efforts may increase in future periods. Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks. As a well-known provider of identity and security solutions, we pose an attractive target for such attacks. The security measures we have integrated into our internal systems and platform, which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected or may not be sufficient to protect our internal networks and platform against certain attacks. In addition, techniques used to sabotage or to obtain unauthorized
29


access to networks in which data is stored or through which data is transmitted change frequently, become more complex over time and generally are not recognized until launched against a target. As a result, we and our third-party service providers may be unable to anticipate these techniques or implement adequate preventative measures quickly enough to prevent either an electronic intrusion into our systems or services or a compromise of customer data, employee data or other protected information.
Our customers’ use of Okta to access business systems and store data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platform, which stores, transmits and processes customers’ proprietary information and users’ personal data. Okta has experienced and likely will in the future experience attacks targeting such customer data. When such breaches occur, as a result of third-party action, technology limitations, employee or contractor error, malfeasance or otherwise, and if the confidentiality, integrity or availability of our customers’ data or systems is disrupted, we could incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers, and our platform may be perceived as less desirable, which could negatively affect our business and damage our reputation. Because techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and generally are not recognized until launched against a target, we, our third-party service providers and our customers may be unable to anticipate these techniques or to implement adequate preventive measures. Further, because we do not control our third-party service providers, or the processing of data by our third-party service providers, we cannot ensure the integrity or security of measures they take to protect customer information and prevent data loss.
In addition, security breaches impacting our platform have in certain cases resulted in and could in the future result in a risk of loss or unauthorized disclosure of this information, or the denial of access to this information, which, in turn, could lead to enforcement actions, litigation, regulatory or governmental audits, investigations and possible liability, and increased requests by individuals regarding their personal data. Security breaches could also damage our relationships with and ability to attract customers and partners, and trigger service availability, indemnification and other contractual obligations. Security incidents may also cause us to incur significant investigation, mitigation, remediation, notification and other expenses. Furthermore, as a well-known provider of identity and security solutions, any such breach, including a breach of our customers’ systems, could compromise systems secured by our products, creating system disruptions or slowdowns and exploiting security vulnerabilities of our or our customers’ systems, and the information stored on our or our customers’ systems could be accessed, publicly disclosed, altered, lost or stolen, which could subject us to liability and cause us financial harm. For example, the January 2022 compromise of one of our third-party service providers by a threat actor, even though not material and not a breach of our product or systems, nonetheless was widely publicized and focused attention on the security of our systems and the systems of our third-party service providers. Our disclosures concerning security incidents also may become the subject of litigation, and our disclosures concerning the January 2022 compromise, for example, have become the subject of lawsuits, as discussed in Item 3, “Legal Proceedings” below. While we have taken a number of remediation steps, there is no guarantee that our preventative and mitigation actions with respect to this incident and others like it will fully eliminate the risk of a malicious compromise of our, our third-party service providers’ or our customers’ systems.
While we maintain cybersecurity insurance, our insurance may be insufficient to cover all liabilities incurred in these incidents, and any incidents may result in loss of, or increased costs of, our cybersecurity insurance. These breaches, or any perceived breach, of our systems, our customers’ systems, or other systems or networks secured by our products, whether or not any such breach is due to a vulnerability in our platform, may also undermine confidence in our platform or our industry and result in damage to our reputation and brand, negative publicity, loss of ISVs and other channel partners, customers and sales, increased costs to remedy any problem, costly litigation and other liability. In addition, a breach of the security measures of one of our key ISVs or other channel partners could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack, and if a high profile security breach occurs with respect to a comparable cloud technology provider, our customers and potential customers may lose trust in the security of the cloud business model generally, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these negative outcomes could adversely impact market acceptance of our products and could harm our business, results of operations and financial condition.
Third parties have induced and may continue to fraudulently induce employees, contractors, customers or our customers’ users into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our applications, internal networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data, which could result in significant legal and financial exposure, a loss of confidence in the security of our platform, interruptions or malfunctions in our
30


operations, account lock outs, and, ultimately, harm to our future business prospects and revenue. We may be required to expend significant capital and financial resources to protect against such threats or to alleviate problems caused by breaches in security.
Any actual or perceived failure by us to comply with the privacy or security provisions of our privacy policy, our contracts and/or legal or regulatory requirements could result in proceedings, actions or penalties against us.
Our customers’ storage and use of data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platform. We have implemented various features intended to enable our customers to better comply with applicable privacy and security requirements in their collection and use of data within our online service, but these features do not ensure their compliance and may not be effective against all potential privacy or related regulatory concerns.
Many jurisdictions have enacted or are considering enacting or revising privacy and/or data security legislation, including laws and regulations applying to the collection, use, storage, transfer, disclosure and/or processing of personal data. The costs of compliance with, and other burdens imposed by, such laws and regulations that are applicable to the operations of our customers may limit the use and adoption of our service and reduce overall demand for it. These privacy and data security related laws and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. In addition, we are subject to certain contractual obligations regarding the collection, use, storage, transfer, disclosure and/or processing of personal data. Although we are working to comply with those federal, state and foreign laws and regulations, industry standards, contractual obligations and other legal obligations that apply to us, those laws, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another, other requirements or legal obligations, our practices or the features of our platform. In addition, some of our customers rely on our authorization under FedRAMP to help satisfy their own legal and regulatory compliance requirements which, in addition to state or international regulations, may require us to undertake additional actions and expense to ensure compliance.
We also expect that there will continue to be new proposed laws, regulations, self-regulatory and industry standards concerning privacy, data protection and information security in the United States, China, the European Union, India and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. For example, the California Consumer Privacy Act (“CCPA”), which took effect on January 1, 2020, and the California Privacy Rights Act (“CPRA”), which took effect on January 1, 2023 and significantly modifies the CCPA, broadly define personal information and give California residents expanded privacy rights and protections and provide for civil penalties for violations and a private right of action for data breaches. The CPRA also creates a new state agency that is vested with authority to implement and enforce the CCPA and the CPRA. Since the CPRA passed, Virginia, Colorado, Utah and Connecticut have each passed their own comprehensive privacy statutes that share similarities with the CCPA and CPRA and will take effect in 2023. Some observers see this influx of state privacy regimes as a trend toward more stringent privacy legislation in the United States, including a potential federal privacy law, all of which could increase our potential liability and adversely affect our business.
Future laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations could impair our or our customers’ ability to collect, use or disclose information relating to consumers, which could decrease demand for our applications, restrict our business operations, or increase our costs and impair our ability to maintain and grow our customer base and increase our revenue. Such laws and regulations may require companies to implement privacy and security policies, permit users to exercise various data rights, inform individuals of security breaches that affect their personal data, and, in some cases, obtain individuals’ consent to use personal data for certain purposes. If we, or the third parties on which we rely, fail to comply with federal, state and international data privacy laws and regulations our ability to successfully operate our business and pursue our business goals could be harmed.
With respect to cybersecurity in the United States, we are closely monitoring the development of rules and guidance pursuant to various executive orders that may apply to us, including, for example, pursuant to Executive Order 14028 for “critical software.” While the rules and guidance coming from the Order are still being developed, we could be categorized as a provider of critical software, which may increase our compliance costs and delay or prevent our ability to execute contracts with customers, including in particular with government entities.
Any failure or perceived failure by us to comply with federal, state or foreign laws or regulations, industry standards, contractual obligations or other legal obligations, compliance frameworks that Okta has contractually
31


committed to comply with, or any actual or suspected privacy or security incident, even if unfounded, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personal data or other data, may result in enforcement actions and prosecutions, private litigation, fines, penalties and censure, claims for damages by customers and other affected individuals, or adverse publicity and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business.
We publicly post our privacy policies and practices concerning our processing, use and disclosure of the personal data provided to us by our website visitors and by our customers, and other individuals with whom we interact. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be unfair, deceptive or misrepresentative of our practices.
If our platform is perceived to cause, or is otherwise unfavorably associated with, violations of privacy or data security requirements, it may subject us or our customers to public criticism and potential legal liability. Existing and potential privacy laws and regulations concerning privacy and data security and increasing sensitivity of consumers to unauthorized processing of personal data may create negative public reactions to technologies, products and services such as ours. Public concerns regarding personal data processing, privacy and security may cause some of our customers’ end users to be less likely to visit their websites or otherwise interact with them. If enough end users choose not to visit our customers’ websites or otherwise interact with them, our customers could stop using our platform. This, in turn, may reduce the value of our service, and slow or eliminate the growth of our business, or cause our business to contract.
Privacy is a mission-critical issue for Okta and for our customers. We have attained multiple privacy certifications, such as the Asia-Pacific Economic Cooperation Privacy Recognition for Processors, and the European Union Cloud Code of Conduct, Level 2. If we fail to maintain our privacy certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed products, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer.
We may face particular privacy, data security and data protection risks in Europe due to stringent data protection and privacy laws, including the European General Data Protection Regulation, and increased scrutiny over EU-U.S. data transfers.
We are subject to the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK General Data Protection Regulation and Data Protection Act 2018 (“UK Data Protection Laws”). The GDPR and UK Data Protection Laws have enhanced data protection obligations for processors and controllers of personal data, including, for example, expanded disclosures about how personal data is to be used, limitations on retention of information, mandatory data breach notification requirements and onerous new obligations on services providers. Non-compliance with the GDPR can trigger fines of up to €20 million, or 4% of total worldwide annual revenue, whichever is higher. The UK Data Protection Laws mirror the fines under the GDPR. Given the breadth and depth of changes in data protection obligations, complying with its requirements has caused us to expend significant resources and such expenditures are likely to continue into the near future as we respond to new interpretations and enforcement actions following the effective date of the regulation and as we continue to negotiate data processing agreements with our customers and business partners. Separate EU laws and regulations (and member states’ implementations of them) govern the protection of consumers and of electronic communications and these are also evolving. A draft of the new ePrivacy Regulation extends the strict opt-in marketing rules with limited exceptions to business-to-business communications, alters rules on third-party cookies, web beacons and similar technology and significantly increases penalties. We cannot yet determine the impact that such future laws, regulations and standards may have on our business. Such laws and regulations are often subject to differing interpretations and may be inconsistent among jurisdictions. We may incur substantial expense in complying with any new obligations and we may be required to make significant changes in our business operations and product and services development, all of which may adversely affect our revenues and our business overall.
In addition, the GDPR restricts transfers outside of the EU to third countries deemed to lack adequate privacy protections (such as the United States), unless an appropriate safeguard specified by the GDPR is implemented, such as the Standard Contractual Clauses (“SCCs”) approved by the European Commission and, until July 16, 2020, the Privacy Shield for EU-U.S. data transfers. With regard to transfers to the United States of personal data from our employees and European customers and users, we rely upon the SCCs. On July 16, 2020, in what is known as the “Schrems II” decision, the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield Framework (“Privacy Shield”) under which personal data could be transferred from the EEA to U.S.
32


entities who had self-certified under the Privacy Shield scheme. While the CJEU upheld the adequacy of the SCCs (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism, and potential alternative to the Privacy Shield), it made clear that reliance on them alone may not necessarily be sufficient in all circumstances. Use of the SCCs must now be assessed on a case-by-case basis taking into account the legal regime applicable in the destination country, in particular applicable surveillance laws and rights of individuals and additional measures and/or contractual provisions may need to be put in place. In June 2021, the European Commission issued new SCCs that account for the CJEU’s “Schrems II” decision. The new SCCs must be used for relevant new data transfers, and existing SCCs arrangements were required to be migrated to the new SCCs by December 27, 2022. These new SCCs only apply to the transfer of personal data outside the EEA, and not the United Kingdom. The United Kingdom’s Information Commissioner’s Office released revised UK standard contractual clauses that can be used from March 21, 2022, with a two-year grace period.
U.S. and EU officials are actively seeking a solution to replace the Privacy Shield. On March 25, 2022, the U.S. and European Commission announced that they had agreed in principle to a new “Trans-Atlantic Data Privacy Framework” to enable trans-Atlantic data flows and address the concerns raised in the Schrems II decision. There is no clear timeline for the enactment of this new framework. Moreover, once enacted, the new framework is likely to be subject to legal challenges and may be struck down by the CJEU.
Although we believe we continue to satisfy regulatory requirements through our use of SCCs, these latest developments may require major changes to our data transfer policy, including the need to conduct legal, technical, and security assessments for each data transfer from the EEA and UK to a country outside of the EEA and UK. This means that we may be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data from the EEA and UK. We may, in addition to other impacts, experience additional costs associated with increased compliance burdens, and we and our customers face the potential for regulators in the EEA and UK to apply different standards to the transfer of personal data from the EEA and UK to the United States, and to block, or require ad hoc verification of measures taken with respect to, certain data flows from the EEA and UK to the United States. We also anticipate being required to engage in new contract negotiations with third parties that aid in processing data on our behalf, and entering into the new SCCs. We may experience reluctance or refusal by current or prospective European customers to use our products, and we may find it necessary or desirable to make further changes to our handling of personal data of EEA and UK residents. There are few viable alternatives to the SCCs, and the law in this area remains dynamic. These recent developments will require us to review and may require us to amend the legal mechanisms by which we make and/or receive personal data transfers to/in the United States.
The regulatory environment applicable to the handling of EEA and UK residents' personal data, and our actions taken in response, may cause us to assume additional liabilities or incur additional costs and could result in our business, operating results and financial condition being harmed. We and our customers may face a risk of enforcement actions by data protection authorities in the EEA and UK relating to personal data transfers to us and by us from the EEA and UK. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel and negatively affect our business, operating results and financial condition.
We also continue to see jurisdictions imposing data localization laws, which require personal information, or certain subcategories of personal information to be stored in the jurisdiction of origin. These regulations may deter customers from using cloud-based services such as ours, and may inhibit our ability to expand into those markets or prohibit us from continuing to offer services in those markets without significant additional costs.
We and our customers are at risk of enforcement actions taken by certain EEA and UK data protection authorities until such point in time that we may be able to ensure that all transfers of personal data to us in the United States from the EEA and UK are conducted in compliance with all applicable regulatory obligations, the guidance of data protection authorities and evolving best practices. Any investigation or charges by EEA and UK data protection authorities could have a negative effect on our existing business and on our ability to attract and retain new customers. We may find it necessary to establish systems to maintain EEA and UK personal data within the EEA and UK, which may involve substantial expense and may cause us to need to divert resources from other aspects of our business, all of which may adversely affect our business.
We function as a HIPAA Business Associate for certain of our customers and, as such, are subject to strict privacy and data security requirements. If we fail to comply with any of these requirements, we could be subject to significant liability, all of which can adversely affect our business as well as our ability to attract and retain new customers.
33


The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their respective implementing regulations under HIPAA, imposes specified requirements relating to the privacy, security and transmission of individually identifiable health information. Among other things, HITECH makes HIPAA’s security standards directly applicable to business associates. We function as a business associate for certain of our customers that are HIPAA covered entities and service providers, and in that context we are regulated as a business associate for the purposes of HIPAA. The HIPAA-covered entities and service providers to which we provide services require us to enter into HIPAA-compliant business associate agreements with them. These agreements impose stringent data security obligations on us. If we are unable to comply with our obligations as a HIPAA business associate or under the terms of the business associate agreements we have executed, we could face substantial civil and even criminal liability as well as contractual liability under the applicable business associate agreement, all of which can have an adverse impact on our business and generate negative publicity, which, in turn, can have an adverse impact on our ability to attract and retain new customers. Modifying the already stringent penalty structure that was present under HIPAA prior to HITECH, HITECH created four new tiers of civil monetary penalties and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorneys’ fees and costs associated with pursuing federal civil actions. In addition, many state laws govern the privacy and security of health information in certain circumstances, many of which differ from HIPAA and each other in significant ways and may not have the same effect.
In addition, the U.S. Department of Health & Human Services recently proposed modifications to the HIPAA privacy regulations (“Privacy Rule”), including certain changes designed to strengthen individuals’ right to access their own health information, improve information sharing for care coordination and case management, and reduce administrative burdens on HIPAA covered entities, while continuing to protect individuals’ health information privacy interests. The proposed rulemaking has not yet been finalized. We will continue to monitor whether any final modifications to the Privacy Rule may obligate us to change our practices. Significant changes to HIPAA, including interpretation and application of HIPAA, could negatively impact our business.
If we fail to maintain our security attestations and certifications, our business, results of operations and financial condition may suffer.
Security is a mission-critical issue for Okta and for our customers. We have attained multiple certifications, including SOC 2 Type II certifications, CSA Star Level 2 Attestation, ISO/IEC 27001:2013, ISO/IEC 27018:2019 certifications, and agency FedRAMP Moderate Authorities to Operate. We also support FIPS 140-2 encryption requirements. If we fail to maintain our security attestations and certifications, or if we fail to seek expansion of their applicability to acquired and/or newly-developed products, we may fail to meet our contractual commitments and we may fail to retain our existing customers or attract new customers, and our business, results of operations and financial condition could suffer.
We provide service level commitments under our customer contracts. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service, or face contract termination with refunds of prepaid amounts related to unused subscriptions, which could harm our business, results of operations and financial condition.
Our customer agreements contain service level commitments, under which we guarantee specified availability of our platform. Any failure of or disruption to our infrastructure could make our platform unavailable to our customers. If we are unable to meet the stated service level commitments to our customers or suffer extended periods of unavailability of our platform, we may be contractually obligated to provide affected customers with service credits for future subscriptions. Our revenue, other results of operations and financial condition could be harmed if we suffer unscheduled downtime that exceeds the service level commitments under our agreements with our customers, and any extended service outages could adversely affect our business and reputation as customers may elect not to renew and we could lose future sales.
34


If we are unable to ensure that our products integrate or interoperate with a variety of operating systems and software applications that are developed by others, our platform may become less competitive and our results of operations may be harmed.
The number of people who access the internet through mobile devices and access cloud-based software applications through mobile devices, including smartphones and handheld tablets or laptop computers, has increased significantly in the past several years and is expected to continue to increase. While we have created mobile applications and mobile versions of our products, if these mobile applications and products do not perform well, our business may suffer. We are also dependent on third-party application stores that may prevent us from timely updating our current products or uploading new products. In addition, our products interoperate with servers, mobile devices and software applications predominantly through the use of protocols, many of which are created and maintained by third parties. As a result, we depend on the interoperability of our products with such third-party services, mobile devices and mobile operating systems, as well as cloud-enabled hardware, software, networking, browsers, database technologies and protocols that we do not control. Any changes in such technologies that degrade the functionality of our products or give preferential treatment to competitive services could adversely affect adoption and usage of our platform. Also, we may not be successful in developing or maintaining relationships with key participants in the mobile industry or in developing products that operate effectively with a range of operating systems, networks, devices, browsers, protocols and standards. In addition, we may face different fraud, security and regulatory risks from transactions sent from mobile devices than we do from personal computers. If we are unable to effectively anticipate and manage these risks, or if it is difficult for our customers to access and use our platform, our business, results of operations and financial condition may be harmed.
Our success also depends on the willingness of third-party developers and technology providers to build applications and provide integrations that are complementary to our service. Without the development of these applications and integrations, both current and potential customers may not find our service sufficiently attractive, and our business, results of operations and financial condition could suffer.
Interruptions or delays in the services provided by third-party data centers or internet service providers could impair the delivery of our platform and our business could suffer.
We rely on a number of third-party service providers to operate our services, any of which, if it encountered interruptions or delays, could negatively affect our platform, damage our reputation, expose us to liability, cause us to lose customers or otherwise harm our business. For example, we host our platform using AWS data centers and other third-party cloud infrastructure services. All of our products use resources operated by us in these locations. Our operations depend on protecting the virtual cloud infrastructure hosted in AWS or other cloud services by maintaining its configuration, architecture and interconnection specifications, as well as the information stored in these virtual data centers and which third-party internet service providers transmit. Although we have disaster recovery plans that use multiple virtual data center locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake, power loss, telecommunications failures, unauthorized intrusion, computer viruses and disabling devices, natural disasters, war, criminal act, military actions, terrorist attacks and other similar events beyond our control could negatively affect our platform. A prolonged third-party service disruption affecting our platform for any of the foregoing reasons could be detrimental to our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the third-party services we use.
Our cloud infrastructure services enable us to order and reserve server capacity in varying amounts and sizes distributed across multiple regions. These cloud infrastructure services provide us with computing and storage capacity pursuant to agreements which may be terminated under specified circumstances.
Our platform is accessed by a large number of customers, often at the same time. As we continue to expand the number of our customers and products available to our customers, we may not be able to scale our technology to accommodate the increased capacity requirements, which may result in interruptions or delays in service. In addition, the failure of third-party virtual data centers, third-party internet service providers, or other third-party service providers whose services are integrated with our platform, to meet our capacity requirements could result in interruptions or delays in access to our platform or impede our ability to scale our operations. In the event that our third-party service agreements are terminated, or there is a lapse of service, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform as well as delays and additional expense in arranging new facilities and services.
35


Our success depends, in part, on the integrity and scalability of our systems and infrastructures. System interruption and the lack of integration, redundancy and scalability in these systems and infrastructures may harm our business, results of operations and financial condition.
Our success depends, in part, on our ability to maintain the integrity of our systems and infrastructure, including websites, information and related systems. System interruption and a lack of integration and redundancy in our information systems and infrastructure may adversely affect our ability to operate websites, process and fulfill transactions, respond to customer inquiries and generally maintain cost-efficient operations. We may experience occasional system interruptions that make some or all systems or data unavailable or prevent us from efficiently providing access to our platform. We also rely on third-party computer systems, broadband and other communications systems and service providers in connection with providing access to our platform generally. Any interruptions, outages or delays in our systems and infrastructure, our business and/or third parties, or deterioration in the performance of these systems and infrastructure, could impair our ability to provide access to our platform. Fire, flood, power loss, telecommunications failure, hurricanes, tornadoes, earthquakes, other natural disasters, acts of war or terrorism and similar events or disruptions may damage or interrupt computer, broadband or other communications systems and infrastructure at any time. Any of these events could cause system interruption, delays and loss of critical data, and could prevent us from providing access to our platform. While we have backup systems for certain aspects of these operations, disaster recovery planning by its nature cannot be sufficient for all eventualities. In addition, we may not have adequate insurance coverage to compensate for losses from a major interruption. If any of these events were to occur, it could harm our business, results of operations and financial condition.
We rely on software and services from other parties. Defects in or the loss of access to software or services from third parties could increase our costs and adversely affect the quality of our products.
We rely on technologies from third parties to operate critical functions of our business, including cloud infrastructure services and customer relationship management services. Our business would be disrupted if any of the third-party software or services we use, or functional equivalents, were unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices. In each case, we would be required to either seek licenses to software or services from other parties and redesign our products to function with such software or services or develop substitutes ourselves, which would result in increased costs and could result in delays in our product launches and the release of new product offerings until equivalent technology can be identified, licensed or developed, and integrated into our products. Furthermore, we might be forced to limit the features available in our current or future products. These delays and feature limitations, if they occur, could harm our business, results of operations and financial condition.
Real or perceived errors, failures, vulnerabilities or bugs in our products, including deployment complexity, could harm our business and results of operations.
Errors, failures, vulnerabilities or bugs may occur in our products, especially when updates are deployed or new products are rolled out. Our platform is often used in connection with large-scale computing environments with different operating systems, system management software, equipment and networking configurations, which may cause errors or failures of products, or other aspects of the computing environment into which our products are deployed. In addition, deployment of our products into complicated, large-scale computing environments may expose errors, failures, vulnerabilities or bugs in our products. Any such errors, failures, vulnerabilities or bugs may not be found until after they are deployed to our customers. Real or perceived errors, failures, vulnerabilities or bugs in our products, or delays in or difficulties implementing our product releases, could result in negative publicity, loss of customer data, loss of or delay in market acceptance of our products, a decrease in customer satisfaction or adoption rates, loss of competitive position, or claims by customers for losses sustained by them, all of which could harm our business, results of operations and financial condition.
If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate less revenue and incur costly litigation to protect our rights.
Our success is dependent, in part, upon protecting our proprietary information and technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual restrictions to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products that compete
36


with ours. Some contract provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of certain jurisdictions and foreign countries. Further, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States, and mechanisms for enforcement of intellectual property rights in some foreign countries may be inadequate. To the extent we expand our international activities, our exposure to unauthorized copying and use of our products and proprietary information may increase. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our technology and intellectual property.
We rely in part on trade secrets, proprietary know-how and other confidential information to maintain our competitive position. Although we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances, no assurance can be given that these agreements will be effective in controlling access to and distribution of our products and proprietary information. Further, these agreements do not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our products.
To protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our products, impair the functionality of our products, delay introductions of new products, result in our substituting inferior or more costly technologies into our products, or injure our reputation. In addition, we may be required to license additional technology from third parties to develop and market new products, and we cannot ensure that we can license that technology on commercially reasonable terms or at all, and our inability to license this technology could harm our ability to compete.
Our results of operations may be harmed if we are subject to an infringement claim or a claim that results in a significant damage award.
There is considerable patent and other intellectual property development activity in our industry, and we expect that software companies will increasingly be subject to infringement claims as the number of products and competitors grows and the functionality of products in different industry segments overlaps. In addition, the patent portfolios of many of our competitors are larger than ours, and this disparity may increase the risk that our competitors may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. Other companies have claimed in the past, and may claim in the future, that we infringe upon their intellectual property rights. A claim may also be made relating to technology that we acquire or license from third parties. Further, we may be unaware of the intellectual property rights of others that may cover some or all of our technology.
Any claim of infringement, regardless of its merit or our defenses, could:
require costly litigation to resolve and/or the payment of substantial damages, ongoing royalty payments or other amounts to settle such disputes;
require significant management time and attention;
cause us to enter into unfavorable royalty or license agreements, if such arrangements are available at all;
require us to discontinue the sale of some or all of our products, remove or reduce features or functionality of our products or comply with other unfavorable terms;
require us to indemnify our customers or third-party service providers; and/or
require us to expend additional development resources to redesign our products.
Any one or more of the above could harm our business, results of operations and financial condition.
37


We use open source software in our products, which could negatively affect our ability to offer our products and subject us to litigation or other actions.
We use open source software in our products and expect to use more open source software in the future. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate open source software into their products. However, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our results of operations and financial condition or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with open source software in a certain manner, we could, under certain of the open source licenses, be required to release the source code of our proprietary software to the public. This would allow our competitors to create similar products with less development effort and time. If we inappropriately use open source software, or if the license terms for open source software that we use change, we may be required to re-engineer our products, incur additional costs, discontinue the sale of some or all of our products or take other remedial actions.
In addition to risks related to license requirements, usage of open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or assurance of title or controls on origin of the software. In addition, many of the risks associated with usage of open source software, such as the lack of warranties or assurances of title, cannot be eliminated, and could, if not properly addressed, negatively affect our business. We have established processes to help alleviate these risks, including a review process for screening requests from our development organizations for the use of open source software, but we cannot be sure that all of our use of open source software is in a manner that is consistent with our current policies and procedures, or will not subject us to liability.
Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
Our agreements with customers and other third parties may include indemnification or other provisions under which we agree to indemnify or otherwise be liable to them for losses suffered or incurred as a result of claims of intellectual property infringement, damages caused by us to property or persons, or other liabilities relating to or arising from the use of our platform or other acts or omissions. The term of these contractual provisions often survives termination or expiration of the applicable agreement. As we continue to grow, the possibility of infringement claims and other intellectual property rights claims against us may increase. For any intellectual property rights indemnification claim against us or our customers, we will incur significant legal expenses and may have to pay damages, settlement fees, license fees and/or stop using technology found to be in violation of the third party’s rights. Large indemnity payments could harm our business, results of operations and financial condition. We may also have to seek a license for the infringing or allegedly infringing technology. Such license may not be available on reasonable terms, if at all, and may significantly increase our operating expenses or may require us to restrict our business activities and limit our ability to deliver certain products. As a result, we may also be required to develop alternative non-infringing technology, which could require significant effort and expense and/or cause us to alter our platform, which could negatively affect our business.
From time to time, customers require us to indemnify or otherwise be liable to them for breach of confidentiality, violation of applicable law or failure to implement adequate security measures with respect to their data stored, transmitted, or accessed using our platform. Although we normally contractually limit our liability with respect to such obligations, the existence of such a dispute may have adverse effects on our customer relationship and reputation and we may still incur substantial liability related to them.
Any assertions by a third party, whether or not successful, with respect to such indemnification obligations could subject us to costly and time-consuming litigation, expensive remediation and licenses, divert management attention and financial resources, harm our relationship with that customer and other current and prospective customers, reduce demand for our platform, and harm our brand, business, results of operations and financial condition.
38


Risks Related to Legal, Accounting and Tax Matters

Because we generally recognize revenue from our subscriptions and support services over the term of the relevant service period, a decrease in sales during a reporting period may not be immediately reflected in our results of operations for that period.
We generally recognize revenue from subscriptions and related support services revenue ratably over the relevant service period. Net new revenue from new subscriptions, upsells and renewals entered into during a period can generally be expected to generate revenue for the duration of the service period. As a result, most of the revenue we report in each period is derived from the recognition of deferred revenue relating to subscriptions and support services contracts entered into during previous periods. Consequently, a decrease in new or renewed subscriptions in any single reporting period will have a limited impact on our revenue for that period. In addition, our ability to adjust our cost structure in the event of a decrease in new or renewed subscriptions may be limited.
Further, a decline in new subscriptions or renewals in a given period may not be fully reflected in our revenue for that period, but will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our services, and changes in our rate of renewals, may not be fully reflected in our results of operations until future periods. Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers is generally recognized over the applicable service period. Additionally, due to the complexity of certain of our customer contracts, the actual revenue recognition treatment required under relevant accounting principles generally accepted in the United States (“GAAP”) will depend on contract-specific terms and may result in greater variability in revenue from period to period.
In addition, a decrease in new subscriptions or renewals in a reporting period may not have an immediate impact on billings for that period.
We may face exposure to foreign currency exchange rate fluctuations.
Today, a vast majority of our customer contracts are denominated in U.S. dollars. Over time, however, an increasing portion of our international customer contracts may be denominated in local currencies. In addition, the majority of our international costs are denominated in local currencies. As a result, fluctuations in the value of the U.S. dollar and foreign currencies may affect our results of operations when translated into U.S. dollars. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.
We are subject to anti-corruption, anti-bribery and similar laws, and non-compliance with such laws can subject us to criminal penalties or significant fines and harm our business and reputation.
We are subject to anti-corruption and anti-bribery and similar laws, such as the U.S. Foreign Corrupt Practices Act of 1977, as amended (“FCPA”), the U.S. domestic bribery statute contained in 18 U.S.C. § 201, U.S. Travel Act, the USA PATRIOT Act, the U.K. Bribery Act 2010 and other anti-corruption, anti-bribery and anti-money laundering laws in countries in which we conduct activities. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly and prohibit companies and their employees and agents from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the private sector. As we increase our international sales and business, our risks under these laws may increase.
In addition, we use channel partners to sell our products and conduct business on our behalf abroad. We or such partners may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and under certain circumstances we could be held liable for the corrupt or other illegal activities of such partners, and our employees, representatives, contractors, partners, and agents, even if we do not explicitly authorize such activities. We have implemented an anti-corruption compliance program but cannot ensure that all our employees and agents, as well as those companies to which we outsource certain of our business operations, will not take actions in violation of our policies and applicable law, for which we may be ultimately held responsible.
39


Noncompliance with the FCPA, other applicable anti-corruption laws, or anti-money laundering laws could subject us to investigations, whistleblower complaints, sanctions, settlements, prosecution, and other enforcement actions. Any violation of these laws could result in disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, adverse media coverage, loss of export privileges, severe criminal or civil sanctions, suspension or debarment from U.S. government contracts and other consequences, any of which could have a material adverse effect on our reputation, business, results of operations, and financial condition.
We are subject to governmental export controls and economic sanctions laws that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.
Our business activities are subject to various restrictions under U.S. export controls and trade and economic sanctions laws, including the U.S. Commerce Department’s Export Administration Regulations and economic and trade sanctions regulations maintained by the U.S. Treasury Department’s Office of Foreign Assets Control. The U.S. export control laws and U.S. economic sanctions laws include prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries, governments, persons and entities and also require authorization for the export of encryption items. In addition, various countries regulate the import of certain encryption technology, including through import and licensing requirements, and have enacted laws that could limit our ability to distribute our service or could limit our customers’ ability to implement our service in those countries. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and monetary penalties. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. Although we take precautions to prevent our products from being provided in violation of such laws, our products may have been in the past, and could in the future be, provided inadvertently in violation of such laws, despite the precautions we take. This could result in negative consequences to us, including government investigations, penalties and harm to our reputation.
Our international operations may give rise to potentially adverse tax consequences.
We are expanding our international operations and staff to better support our growth into certain international markets. Our corporate structure and associated transfer pricing policies anticipate future growth into certain international markets. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions, which are generally required to be computed on an arm’s-length basis pursuant to intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency.
Changes in tax laws or regulations in the various tax jurisdictions we are subject to that are applied adversely to us or our customers could increase the costs of our products and harm our business.
New income, sales, use, value-added or other taxes, tax laws, statutes, rules, regulations or ordinances could be enacted at any time. Those enactments could harm our domestic and international business operations, and our business and financial performance. Further, existing tax laws, statutes, rules, regulations or ordinances could be interpreted, changed, modified or applied adversely to us. These events could require us or our customers to pay additional tax amounts on a prospective or retroactive basis, as well as require us or our customers to pay fines and/or penalties and interest for past amounts deemed to be due. If we raise our prices to offset the costs of these additional taxes, existing and potential future customers may elect not to purchase our products in the future. Additionally, new, changed, modified or newly interpreted or applied tax laws could increase our customers’ and our compliance, operating and other costs, as well as the costs of our products. Further, these events could decrease the capital we have available to operate our business. Any or all of these events could harm our business and financial performance. For example, various legislative and regulatory actions and proposals, such as in the United States, the Organisation for Economic Co-operation and Development and the EU, have increasingly focused on future tax reform and contemplate changes to long-standing tax principles, which could adversely affect our liquidity and results of operations.
40


As a multinational organization, we may be subject to taxation in certain jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents, which could harm our liquidity and results of operations. In addition, the authorities in these jurisdictions could review our tax returns and impose additional tax, interest and penalties, and the authorities could claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries, any of which could harm us and our results of operations.
Our business may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, foreign or other authorities to collect additional or past sales tax could harm our business.
State, foreign and local taxing jurisdictions have differing rules and regulations governing sales, use and other indirect taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales and value-added taxes to our platform in various jurisdictions is unclear. It is possible that we could face tax audits and that our liability for these taxes could exceed our estimates as tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We could also be subject to audits in states and international jurisdictions for which we have not accrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes on our service in jurisdictions where we have not historically done so and do not accrue for such taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our products or otherwise harm our business, results of operations and financial condition.
We file sales tax returns in certain states within the United States as required by law and certain customer contracts for a portion of the products that we provide. We do not collect sales or other similar taxes in other states and many of such states do not apply sales or similar taxes to the vast majority of the products that we provide. However, one or more states or foreign authorities could seek to impose additional sales, use or other tax collection and record-keeping obligations on us or may determine that such taxes should have, but have not been, paid by us. Liability for past taxes may also include substantial interest and penalty charges. Any successful action by state, foreign or other authorities to compel us to collect and remit sales tax, use tax or other taxes, either retroactively, prospectively or both, could harm our business, results of operations and financial condition.
Our ability to use our U.S. net operating loss carry-forwards and certain other tax attributes may be limited.
Under Section 382 of the Internal Revenue Code of 1986, as amended, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in its equity ownership over a three-year period, the corporation’s ability to use its pre-change net operating loss carry-forwards and other pre-change tax attributes, such as research tax credits and distributed interest deduction carryover, to offset its post-change income may be limited. We have experienced ownership changes in the past and any such ownership change in the future could result in increased future tax liability. In addition, we may experience ownership changes in the future as a result of subsequent shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change net operating loss carry-forwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us.

On March 27, 2020, the U.S. government enacted the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), which included temporary relief from the net operating loss limitations imposed by the Tax Cuts and Jobs Act for tax years beginning after December 31, 2017 and before January 1, 2021, and made certain technical corrections to applying the net operating loss utilization limitations for tax years beginning after January 1, 2021.

Our ability to use our net operating losses is conditioned upon generating future U.S. federal taxable income. Since we do not know whether or when we will generate the U.S. federal taxable income necessary to use our remaining net operating losses, these net operating loss carryforwards generated prior to our fiscal 2018 could expire unused.

41


If we fail to maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended, and anticipate that we will continue to expend, significant resources, including accounting-related costs and significant management oversight. If any of these new or improved controls and systems do not perform as expected, we may experience material weaknesses or significant deficiencies in our controls.
Our controls may become inadequate because of changes in conditions in our business. Further, weaknesses in our disclosure controls and internal control over financial reporting may be discovered in the future. Any failure to maintain effective controls could harm our results of operations or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports that are filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our Class A common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the Nasdaq. We are required to provide an annual management report on the effectiveness of our internal control over financial reporting.
Our independent registered public accounting firm is required to formally attest to the effectiveness of our internal control over financial reporting annually. Our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our internal control over financial reporting is documented, designed, or operating. Any failure to maintain effective disclosure controls and internal control over financial reporting could harm our business and results of operations and could cause a decline in the price of our Class A common stock.
Changes in existing financial accounting standards or practices, or taxation rules or practices, may harm our results of operations.
Changes in existing accounting or taxation rules or practices, new accounting pronouncements or taxation rules, or varying interpretations of current accounting pronouncements or taxation practice could harm our results of operations or the manner in which we conduct our business. Further, such changes could potentially affect our reporting of transactions completed before such changes are effective.
GAAP are subject to interpretation by the Financial Accounting Standards Board (“FASB”), the SEC and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results, and could affect the reporting of transactions completed before the announcement of a change. Adoption of such new standards and any difficulties in implementation of changes in accounting principles, including the ability to modify our accounting systems, could cause us to fail to meet our financial reporting obligations, which could result in regulatory discipline and harm investors’ confidence in us.
If our estimates or judgments relating to our critical accounting policies prove to be incorrect, our results of operations could be adversely affected.
The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include, but are not limited to those referenced in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” Our results of operations may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our
42


results of operations to fall below the expectations of securities analysts and investors, resulting in a decline in the trading price of our Class A common stock.
Risks Related to Ownership of Our Class A Common Stock
The stock price of our Class A common stock may be volatile or may decline.
The trading price of our Class A common stock has been, and in the future, may be, subject to substantial volatility and wide fluctuations. For example, from February 1, 2022 through January 31, 2023, the trading price of our Class A common stock has ranged from $44.12 per share to $203.79 per share. The market price of our Class A common stock may fluctuate significantly in response to numerous factors, many of which are beyond our control, including, but not limited to:
overall performance of the equity markets and/or publicly-listed technology companies;
volatility in the market prices and trading volumes of technology and high-growth companies generally, or those in our industry in particular;
actual or anticipated fluctuations in our revenue or other financial or operating metrics;
our ability to meet or exceed forward-looking guidance we have given, our ability to give forward-looking guidance consistent with past practices, and changes to or withdrawal of previous guidance or long-range targets;
failure of securities analysts to initiate or maintain coverage of us, changes in financial estimates and/or recommendations by any securities analysts who follow our company;
our failure to meet the estimates or the expectations of securities analysts or investors;
actions and investment positions taken by institutional and other stockholders, including activist investors;

recruitment or departure of key personnel;
significant security breaches, technical difficulties or interruptions of our service;
the economy as a whole, the inflation and interest rate environment and market and industry conditions;
rumors and market speculation involving us or other companies in our industry;
announcements by us or our competitors of significant innovations, acquisitions, strategic partnerships, joint ventures, or capital commitments;
new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
lawsuits threatened or filed against us;
other events or factors, including those resulting from war, incidents of terrorism, or responses to these events; and
sales of additional shares of our Class A common stock by us, our directors, our officers or our stockholders.
In addition, stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. Stock prices of many companies, including technology companies and high-growth, unprofitable companies in particular, have fluctuated in a manner unrelated or disproportionate to the operating performance of those companies. In the past, stockholders have instituted securities class action litigation following periods of market volatility. Our involvement in securities litigation could subject us to substantial costs, divert resources and the attention of management from our business, and harm our business.
43


The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and their affiliates, who held in the aggregate 41.7% of the voting power of our capital stock as of January 31, 2023. This will limit or preclude your ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval.
Our Class B common stock has ten votes per share and our Class A common stock has one vote per share. As of January 31, 2023, our directors, executive officers and their affiliates held in the aggregate 41.7% of the voting power of our capital stock. Because of the ten-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively could continue to control nearly a majority of the combined voting power of our common stock and be able to effectively control all matters submitted to our stockholders for approval until April 12, 2027, the date that is the ten-year anniversary of the closing of our IPO. This concentrated control may limit or preclude your ability to influence corporate matters for the foreseeable future, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, such as certain transfers effected for estate planning purposes. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those holders of Class B common stock who have retained their shares.
Sales of a substantial number of shares of our Class A common stock in the public markets, or the perception that sales might occur, could cause the market price of our Class A common stock to decline.
Sales of a substantial number of shares of our Class A common stock into the public market, particularly sales by our directors, executive officers, and principal stockholders, or the perception that these sales might occur, could cause the market price of our Class A common stock to decline.
In addition, we have options outstanding that, if fully exercised, would result in the issuance of shares of our Class A and Class B common stock. We also have restricted stock units (“RSUs”) outstanding that, if vested and settled, would result in the issuance of shares of Class A common stock. All of the shares of Class A and Class B common stock issuable upon the exercise of stock options and vesting of RSUs and the shares reserved for future issuance under our equity incentive plans, are registered for public resale under the Securities Act of 1933, as amended (“Securities Act”). Accordingly, these shares will be able to be freely sold in the public market upon issuance, subject to applicable vesting requirements.
Furthermore, a substantial number of shares of our Class A common stock is reserved for issuance upon the exercise of the Notes (as defined below) and the Warrants (as defined below). If we elect to satisfy our conversion obligation on the Notes solely in shares of our Class A common stock upon conversion of the Notes, we will be required to deliver the shares of our Class A common stock, together with cash for any fractional share, on the second business day following the relevant conversion date.
If securities or industry analysts do not publish or cease publishing research, or publish inaccurate or unfavorable research, about our business, the price of our Class A common stock and trading volume could decline.
The trading market for our Class A common stock will depend in part on the research and reports that securities or industry analysts publish about us or our business. If industry analysts do not publish or cease publishing research on our company, the trading price for our Class A common stock would be negatively affected. If one or more of the analysts who cover us downgrade our Class A common stock or publish inaccurate or unfavorable research about our business, our Class A common stock price would likely decline. If one or more of these analysts cease coverage of us or fail to publish reports on us on a regular basis, demand for our Class A common stock could decrease, which might cause our Class A common stock price and trading volume to decline.
44


We do not intend to pay dividends for the foreseeable future.
We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the operation of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must rely on sales of their Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
Provisions in our charter documents and under Delaware law could make an acquisition of our company more difficult, limit attempts by our stockholders to replace or remove our current board of directors, and limit the market price of our Class A common stock.
Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a change of control or changes in our management. Our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:
provide that our board of directors is classified into three classes of directors with staggered three-year terms;
permit the board of directors to establish the number of directors and fill any vacancies and newly-created directorships;
require super-majority voting to amend some provisions in our amended and restated certificate of incorporation and amended and restated bylaws;
authorize the issuance of “blank check” preferred stock that our board of directors could use to implement a stockholder rights plan;
provide that only the Chairperson of our board of directors, our Chief Executive Officer, or a majority of our board of directors are authorized to call a special meeting of stockholders;
provide for a dual class common stock structure in which holders of our Class B common stock have the ability to effectively control the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the outstanding shares of our Class A and Class B common stock, including the election of directors and significant corporate transactions, such as a merger or other sale of our company or its assets;
prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders;
provide that the board of directors is expressly authorized to make, alter or repeal our bylaws; and
advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.
Moreover, Section 203 of the Delaware General Corporation Law may discourage, delay, or prevent a change in control of our company. Section 203 imposes certain restrictions on mergers, business combinations, and other transactions between us and holders of 15% or more of our common stock.
Our amended and restated bylaws designate a state or federal court located within the State of Delaware as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit stockholders’ ability to obtain a favorable judicial forum for disputes with us.
Our amended and restated bylaws provide that the Court of Chancery of the State of Delaware will be the exclusive forum for:
any derivative action or proceeding brought on our behalf;
any action asserting a breach of fiduciary duty;
any action asserting a claim against us arising pursuant to the Delaware General Corporation Law, our amended and restated certificate of incorporation, or our amended and restated bylaws; or
45


any action asserting a claim against us that is governed by the internal affairs doctrine.
This choice of forum provision may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or any of our directors, officers, or other employees, which may discourage lawsuits with respect to such claims. Alternatively, if a court were to find the choice of forum provision contained in our amended and restated certificate of incorporation to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, results of operations and financial condition.
Risks Related to our Outstanding Convertible Notes

Servicing our debt may require a significant amount of cash. We may not have sufficient cash flow from our business to pay our indebtedness.
Since February 2018, we have issued convertible notes due in 2023 (“2023 Notes”), 2025 (“2025 Notes”) and 2026 (“2026 Notes” and together with the 2023 Notes and 2025 Notes, the “Notes”). Our ability to make scheduled payments of the principal of, to pay interest on or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Our ability to refinance or raise any future indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, any of our future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt.

We may not have the ability to raise the funds necessary for cash settlement upon conversion of the Notes or to repurchase the Notes for cash upon a fundamental change, and our future debt may contain limitations on our ability to pay cash upon conversion of the Notes or to repurchase the Notes.
Holders of the Notes have the right to require us to repurchase their Notes upon the occurrence of a fundamental change (as defined in the indentures governing their respective Notes) at a repurchase price equal to 100% of the principal amount of the Notes to be repurchased, plus accrued and unpaid interest, if any. Upon conversion of the Notes, unless we elect to deliver solely shares of our Class A common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the Notes being converted. We may not have enough available cash or be able to obtain financing at the time we are required to make repurchases of Notes surrendered or Notes being converted. In addition, our ability to repurchase the Notes or to pay cash upon conversions of the Notes may be limited by law, by regulatory authority or by agreements governing our future indebtedness. Our failure to repurchase Notes at a time when the repurchase is required by the indenture governing such notes or to pay any cash payable on future conversions of the Notes as required by such indenture would constitute a default under such indenture. A default under the indenture governing the Notes or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Notes or make cash payments upon conversions.
In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could:
make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry and competitive conditions and adverse changes in government regulation;
limit our flexibility in planning for, or reacting to, changes in our business and our industry;
place us at a disadvantage compared to our competitors who have less debt;
limit our ability to borrow additional amounts to fund acquisitions, for working capital and for other general corporate purposes; and
46


make an acquisition of our company less attractive or more difficult.
Any of these factors could harm our business, results of operations and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.
The conversion features of the Notes, if triggered, may adversely affect our financial condition and results of operations.
In the event the conditional conversion features of the 2025 Notes and the 2026 Notes are triggered, holders of the Notes will be entitled to convert the Notes, as applicable, at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our Class A common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. The conditional conversion features of the 2025 Notes were triggered as of January 31, 2021 and the 2025 Notes were convertible at the option of the holders between February 1, 2021 and April 30, 2021; however, as of January 31, 2023, the conditions allowing holders of the 2025 Notes to convert were not met. From the date of issuance through January 31, 2023, the conditions allowing holders of the 2026 Notes to convert were not met.
In addition, even if holders do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital and could limit our ability to raise future capital.
Transactions relating to our Notes may affect the value of our Class A common stock.
The conversion of some or all of the Notes would dilute the ownership interests of existing stockholders to the extent we satisfy our conversion obligation by delivering shares of our Class A common stock upon any conversion of such Notes. Our 2025 Notes and 2026 Notes may become in the future convertible at the option of their holders under certain circumstances. If holders of our Notes elect to convert their notes, we may settle our conversion obligation by delivering to them a significant number of shares of our Class A common stock, which would cause dilution to our existing stockholders.
In addition, in connection with the issuance of the 2023 Notes, we entered into warrant transactions with certain financial institutions (the “2023 Notes Option Counterparties”) pursuant to which we sold warrants for the purchase of our Class A common stock (“Warrants”). The Warrant transactions could separately have a dilutive effect to the extent that the market price per share of our Class A common stock exceeds the strike price of any Warrants unless, subject to the terms of the Warrant transactions, we elect to cash settle the Warrants. Through January 31, 2023, we have terminated Warrants corresponding to approximately 6 million shares. As of January 31, 2023, Warrants to acquire up to approximately 1 million shares (subject to adjustment) remained outstanding.

In addition, in connection with the issuance of the 2025 Notes and 2026 Notes, we entered into capped call transactions (“Capped Calls”) with certain financial institutions (the 2025 Notes and 2026 Notes Capped Call Counterparties and together with the 2023 Notes Option Counterparties, the “Option Counterparties”). The Capped Calls are generally expected to reduce potential dilution to our Class A common stock upon any conversion or settlement of the 2025 Notes and 2026 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2025 Notes and 2026 Notes, as the case may be, with such reduction and/or offset subject to a cap.

From time to time, the Option Counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivative transactions with respect to our Class A common stock and/or purchasing or selling our Class A common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes. This activity could cause a decrease in the market price of our Class A common stock.
47



General Risk Factors
We depend on our executive officers and other key employees, and the loss of one or more of these employees or an inability to attract and retain other highly skilled employees could harm our business.
Our success depends largely upon the continued services of our executive officers and other key employees. We rely on our leadership team in the areas of research and development, operations, security, marketing, sales, customer support, general and administrative functions, and on individual contributors in our research and development and operations functions. From time to time, there may be changes in our executive management team resulting from the hiring or departure of executives. For example, our President, Worldwide Field Operations retired at the end of our fiscal year and our Executive Vice Chairman and co-founder is on sabbatical through October 2023. Such changes in our executive management team may be disruptive to our business. We do not have employment agreements with our executive officers or other key personnel that require them to continue to work for us for any specified period and they could terminate their employment with us at any time. The loss of one or more of our executive officers or key employees, and any failure to have in place and execute an effective succession plan for key executives, could harm our business. Changes in our executive management team may also cause disruptions in, and harm to, our business.
In addition, to execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel in the San Francisco Bay Area, where our headquarters is located, and in other locations where we maintain offices, is intense, especially for engineers experienced in designing and developing software and SaaS applications and experienced sales professionals. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications, and may not be able to fill positions in the desired regions, or at all. Our efforts to attract new personnel may be compounded by intensified restriction on travel (including during the COVID-19 pandemic), changes to immigration policy or the availability of work visas. Many of the companies with which we compete for experienced personnel have greater resources than we have. If we hire employees from competitors or other companies, their former employers may attempt to assert that these employees or we have breached their legal obligations, resulting in a diversion of our time and resources. In addition, job candidates and existing employees often consider the value of the equity awards they receive in connection with their employment. If the perceived value of our equity awards declines, it may harm our ability to recruit and retain highly skilled employees. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects could be harmed.
Catastrophic events may disrupt our business.
Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could harm our business. We have a large employee presence in San Francisco, California and the west coast of the United States contains active earthquake and wildfire zones which have the potential to disrupt our business. For example, in the fall of 2019 and 2020, PG&E shut off power to certain cities in the San Francisco Bay Area in order to reduce the risk of wildfires and this resulted in many of our employees being unable to work remotely. In the event of a major earthquake, hurricane or catastrophic event such as fire, power loss, telecommunications failure, vandalism, cyber-attack, war, terrorist attack or health epidemic (including COVID-19), we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our application development, lengthy interruptions in our products, breaches of data security and loss of critical data, all of which could harm our business, results of operations and financial condition. In addition, the insurance we maintain may be insufficient to cover our losses resulting from disasters, cyber-attacks or other business interruptions, and any incidents may result in loss of, or increased costs of, such insurance.
Item 1B. Unresolved Staff Comments
None.
Item 2. Properties
Our corporate headquarters is located in San Francisco, California, where we currently lease approximately 285,996 square feet under a lease, as amended, that expires in October 2028. We are entitled to two five-year options to extend this lease, subject to certain requirements.
We also lease space in various locations in the Americas, Europe and Asia-Pacific.
48


We believe that our facilities are suitable to meet our current needs. We intend to add new facilities, as necessary, as we add employees and enter new geographic markets, and we believe that suitable additional or alternative space will be available as needed to accommodate any such growth.
Item 3. Legal Proceedings
On May 20, 2022, a purported shareholder filed a putative class action lawsuit in the United States District Court for the Northern District of California against the Company and certain of its executive officers, captioned In re Okta, Inc. Securities Litigation, No. 3:22-cv-02990. The lawsuit asserts claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, alleging that the defendants made false or misleading statements or omissions concerning the Company’s cybersecurity controls, vulnerability to data breaches, and the Company’s integration of Auth0. The lawsuit seeks an order certifying the lawsuit as a class action and unspecified damages.
Additionally, two purported shareholders filed derivative lawsuits on behalf of the Company in the United States District Court for the Northern District of California against certain of its current and former executive officers and directors, captioned O’Dell v. McKinnon et al., No. 3:22-cv-07480 (filed Nov. 28, 2022), and LR Trust v. McKinnon et al., No. 3:22-cv-08627 (filed Dec. 13, 2022). The lawsuits allege, among other things, that the defendants breached their fiduciary duties by making false or misleading statements or omissions concerning the Company’s cybersecurity controls, vulnerability to data breaches, and the Company’s integration of Auth0. The lawsuits seek orders permitting the plaintiffs to maintain this action derivatively on behalf of the Company, awarding unspecified damages allegedly sustained by the Company, awarding restitution from the individual defendants, and requiring the Company to make certain reforms to its corporate governance and controls.
The Company intends to defend these lawsuits vigorously.
See Note 11 to our consolidated financial statements "Commitments and Contingencies" for information related to legal proceedings.
Item 4. Mine Safety Disclosures
Not Applicable.

49


Part II
Item 5.    Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Market Information and Holders
Our Class A common stock has been listed on the Nasdaq Global Select Market under the symbol "OKTA" since April 7, 2017. Prior to that date, there was no public trading market for our Class A common stock. Our Class B common stock is not listed or traded on any stock exchange.
As of February 27, 2023, we had 104 holders of record of our Class A common stock and 17 holders of record of our Class B common stock. The actual number of Class A beneficial stockholders is substantially greater than the number of holders of record because a large portion of our Class A common stock is held in street name by brokers and other nominees.
Dividend Policy
We have never declared or paid cash dividends on our capital stock. We currently intend to retain any future earnings for use in the operation of our business and do not intend to declare or pay any cash dividends in the foreseeable future. Any further determination to pay dividends on our capital stock will be at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors considers relevant.
50


Stock Performance Graph
This performance graph shall not be deemed "soliciting material" or to be "filed" with the Securities and Exchange Commission ("SEC") for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any filing of Okta, Inc. under the Securities Act of 1933, as amended ("Securities Act") or the Exchange Act.
The following graph shows a five-year comparison of cumulative total return (equal to dividends plus stock appreciation) for our Class A common stock, the Standard & Poor’s 500 Stock Index ("S&P 500 Index") and Standard & Poor's Information Technology Index ("S&P 500 Information Technology Index"). All values assume a $100 initial investment, and data for the S&P 500 Index and S&P 500 Information Technology Index assume reinvestment of dividends. The comparisons are based on historical data and are not indicative of, nor intended to forecast, the future performance of our Class A common stock.
okta-20230131_g1.jpg
Company/Index1/31/20181/31/20191/31/20201/31/20211/31/20221/31/2023
Okta$100 $280 $435 $879 $672 $250 
S&P 500 Index 100 98 119 139 172 158 
S&P 500 Information Technology Index 100 99 145 199 251 212 
51


Securities Authorized for Issuance under Equity Compensation Plans
The information required by this item with respect to our equity compensation plans is incorporated by reference to our Proxy Statement for the 2023 Annual Meeting of Stockholders to be filed with the Securities and Exchange Commission within 120 days of the fiscal year ended January 31, 2023.
Unregistered Sales of Equity Securities
In connection with conversions of certain convertible notes due in 2023 ("2023 Notes") during the fiscal year ended January 31, 2023, we issued 355,932 shares of our Class A common stock. These issuances were made in reliance on the exemption from registration provided by Section 4(a)(2) of the Securities Act. We relied on this exemption from registration based in part on representations made by the holders of the 2023 Notes in the exchange agreements pursuant to which the shares of Class A Common Stock were issued.
Issuer Purchases of Equity Securities
None.



52

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS
Item 7. MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. Amounts reported in millions are rounded based on the amounts in thousands. As a result, the sum of the components reported in millions may not equal the total amount reported in millions due to rounding. In addition, percentages presented may not add to their respective totals or recalculate due to rounding. In addition to historical financial information, the following discussion contains forward-looking statements that are based upon current plans, expectations and beliefs that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth under the section titled “Risk Factors” under Part I, Item 1A in this Annual Report on Form 10-K. Our fiscal year ends January 31. References to fiscal 2023, for example, refer to the fiscal year ended January 31, 2023.
Overview
Okta is the leading independent identity provider. Our Workforce Identity and Customer Identity Clouds are powered by our category-defining Okta Identity Platform that enables our customers to securely connect the right people to the right technologies and services at the right time. Every day, thousands of organizations and millions of people use Okta to securely access a wide range of cloud, mobile, web and Software-as-a-Service ("SaaS") applications, on-premises servers, application programming interfaces, IT infrastructure providers and services from a multitude of devices. Employees and contractors sign into the Workforce Identity Cloud to seamlessly and securely access the applications they need to do their most important work. Developers leverage our Customer Identity and Workforce Identity Clouds to securely and efficiently embed identity into the software they build, allowing them to innovate and focus on their core mission. Given the growth trends in the number of applications and cloud adoption, and the movement to remote workforces, identity is becoming the most critical layer of an organization’s security. As workforces have transitioned to fully remote and hybrid work models, Zero Trust has become an increasingly important security model and identity an increasingly critical service. Our approach to identity allows our customers to simplify and efficiently scale their security infrastructures across internal IT systems and external customer facing applications.
As of January 31, 2023, more than 17,600 customers across nearly every industry used Okta to secure and manage identities around the world. Our customers consist of leading global organizations ranging from the largest enterprises, to small and medium-sized businesses, universities, non-profits and government agencies. We also partner with leading application, IT infrastructure and security vendors through our Okta Integration Network. As of January 31, 2023, we had over 7,000 integrations with these cloud, mobile and web applications and IT infrastructure and security vendors.
We employ a SaaS business model and generate revenue primarily by selling multi-year subscriptions to our cloud-based offerings. We focus on acquiring and retaining our customers and increasing their spending with us through expanding the number of users who access our Workforce Identity and Customer Identity Clouds and up-selling additional products. We sell our products directly through our field and inside sales teams, as well as indirectly through our network of channel partners, including resellers, system integrators and other distribution partners. Our subscription fees include the use of our service and our technical support and management of our platform. We base subscription fees primarily on the products used and the number of users on our platform. We typically invoice customers in advance in annual installments for subscriptions to our platform.
Our revenue is relatively predictable as a result of our subscription-based business model, which constituted approximately 97% of total revenue for fiscal 2023. Future growth may be impacted by longer sales cycles, which we have experienced, which in turn, could result in delays in deals closing, creating near-term headwinds for cash flow, remaining performance obligations (“RPO”) and billings growth as well as potential future impacts on revenue growth and other key metrics on a trailing basis.
Acquisition of Auth0
On May 3, 2021, we completed the acquisition of Auth0, Inc. ("Auth0"). The acquisition date fair value, net of acquired cash, was approximately $5,671 million, including shares of our Class A common stock, cash, and assumed equity awards. In addition, we issued unvested restricted stock and assumed unvested equity and
53

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
restricted cash awards, which are subject to future vesting and will be recorded as expense over the period the services are provided. A portion of the total consideration was held back by us to secure the indemnification obligations of the Auth0 securityholders and was paid in full during fiscal 2023.
Financial Information and Segments
We operate our business as one reportable segment. For fiscal 2023, 2022 and 2021, our revenue was $1,858 million, $1,300 million and $835 million, respectively, representing a growth rate of 43% and 56%, respectively. For fiscal 2023, 2022 and 2021, we generated net losses of $815 million, $848 million and $266 million, respectively. Our accumulated deficit as of January 31, 2023 was $2,475 million.
Key Business Metrics 
We review a number of operating and financial metrics, including the following key metrics, to evaluate our business, measure our performance, identify trends affecting our business, formulate business plans, and make strategic decisions.
 As of January 31,
202320222021
 (dollars in millions)
Number of customers17,600 15,000 10,000 
Customers with annual contract value ("ACV") above $100,000 3,930 3,100 1,950 
Dollar-based net retention rate for the trailing 12 months ended120 %124 %121 %
Current remaining performance obligations$1,684 $1,351 $842 
Remaining performance obligations$3,007 $2,694 $1,797 
Calculated billings$2,123 $1,718 $976 
Total Customers and Number of Customers with Annual Contract Value Above $100,000
As of January 31, 2023, we had over 17,600 customers on our platform. We believe that our ability to increase the number of customers on our platform is an indicator of our market penetration, the growth of our business, and our potential future business opportunities. Increasing awareness of our platform and capabilities, coupled with the mainstream adoption of cloud technology, has expanded the diversity of our customer base to include organizations of all sizes across all industries. The number of customers who have greater than $100,000 in ACV with us was 3,930, 3,100 and 1,950 as of January 31, 2023, 2022 and 2021, respectively. We expect this trend to continue as larger enterprises recognize the value of our platform and replace their legacy identity access management infrastructure. We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution, or a distinct business unit of a large company that has an active contract with us or one of our partners to access our platform. For purposes of determining our customer count, we do not include customers that use our platform under self-service arrangements only.
Dollar-Based Net Retention Rate
Our ability to generate revenue is dependent upon our ability to maintain our relationships with our customers and to increase their utilization of our platform. We believe we can achieve these goals by focusing on delivering value and functionality that enables us to both retain our existing customers and expand the number of users and products used within an existing customer. We assess our performance in this area by measuring our Dollar-Based Net Retention Rate. Our Dollar-Based Net Retention Rate measures our ability to increase revenue across our existing customer base through expansion of users and products associated with a customer as offset by churn and contraction in the number of users and/or products associated with a customer.
Our Dollar-Based Net Retention Rate is based upon our ACV which is calculated based on the terms of that customer’s contract and represents the total contracted annual subscription amount as of that period end. We calculate our Dollar-Based Net Retention Rate as of a period end by starting with the ACV from all customers as of twelve months prior to such period end ("Prior Period ACV"). We then calculate the ACV from these same customers as of the current period end ("Current Period ACV"). Current Period ACV includes any upsells and is net of contraction or churn over the trailing twelve months but excludes ACV from new customers in the current period.
54

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
We then divide the Current Period ACV by the Prior Period ACV to arrive at our Dollar-Based Net Retention Rate. Our Dollar-Based Net Retention Rate is inclusive of ACV from self-service customers.
Our strong Dollar-Based Net Retention Rate is primarily attributable to gross retention, an expansion of users and upselling additional products within our existing customers. Larger enterprises often implement a limited initial deployment of our platform before increasing their deployment on a broader scale.
Remaining Performance Obligations ("RPO")
RPO represent all future, non-cancelable, contracted revenue under our subscription contracts with customers that has not yet been recognized, inclusive of deferred revenue that has been invoiced and non-cancelable amounts that will be invoiced and recognized as revenue in future periods. Current RPO represents the portion of RPO expected to be recognized during the next 12 months. RPO fluctuates due to a number of factors, including the timing, duration and dollar amount of customer contracts and fluctuations in foreign currency exchange rates.
Calculated Billings
Calculated Billings represent our total revenue plus the change in deferred revenue, net of acquired deferred revenue, and less the change in unbilled receivables, net of acquired unbilled receivables, in the period. Calculated Billings in any particular period reflect sales to new customers plus subscription renewals and upsells to existing customers, and represent amounts invoiced for subscription, support and professional services. We typically invoice customers in advance in annual installments for subscriptions to our platform.
Calculated Billings increased 24% in fiscal 2023 over fiscal 2022. See the section titled “Non-GAAP Financial Measures” for additional information and a reconciliation of Calculated Billings to total revenue.
Components of Results of Operations
Revenue
Subscription Revenue. Subscription revenue primarily consists of fees for access to and usage of our cloud-based platform and related support. Subscription revenue is driven primarily by the number of customers, the number of users per customer and the products used. We typically invoice customers in advance in annual installments for subscriptions to our platform.
Professional Services and Other. Professional services revenue includes fees from assisting customers in implementing and optimizing the use of our products. These services include application configuration, system integration and training services.
We generally invoice customers as the work is performed for time-and-materials arrangements, and up front for fixed fee arrangements. All professional services revenue is recognized as the services are performed.
Overhead Allocation and Employee Compensation Costs
We allocate shared costs, such as facilities costs (including rent, utilities and depreciation on assets shared by all departments), certain information technology costs and recruiting costs to all departments based on headcount. As such, allocated shared costs are reflected in each of the cost of revenue and operating expense categories. Employee compensation costs reflected in each of the cost of revenue and operating expense categories include salaries, bonuses, compensation related taxes, benefits and stock-based compensation. Additionally included in the sales and marketing expense category are sales commissions and related taxes.
Cost of Revenue and Gross Margin
Cost of Subscription. Cost of subscription primarily consists of expenses related to hosting our services and providing support. These expenses include employee-related costs associated with our cloud-based infrastructure and our customer support organization, third-party hosting fees, software and maintenance costs, outside services associated with the delivery of our subscription services, amortization expense associated with capitalized internal-use software and acquired developed technology and allocated overhead.
55

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
We intend to continue to invest additional resources in our platform infrastructure and our platform support organizations. We will continue to invest in technology innovation and we anticipate that costs qualifying for capitalization of internal-use software costs and related amortization may fluctuate over time. We expect our investment in technology to expand the capability of our platform enabling us to improve our gross margin over time. The level and timing of investment in these areas could affect our cost of subscription revenue in the future.
Cost of Professional Services and Other. Cost of professional services consists primarily of employee-related costs for our professional services delivery team, travel-related costs, allocated overhead and costs of outside services associated with supplementing our professional services delivery team. The cost of providing professional services has historically been higher than the associated revenue we generate.
Gross Margin. Gross margin is gross profit expressed as a percentage of total revenue. Our gross margin may fluctuate from period to period as a result of the timing and amount of investments to expand our hosting capacity, our continued efforts to build platform support and professional services teams, increased stock-based compensation expenses, as well as the amortization of costs associated with capitalized internal-use software and acquired intangible assets.
Operating Expenses
Research and Development. Research and development expenses consist primarily of employee compensation costs and allocated overhead. We believe that continued investment in our platform is important for our growth.
Sales and Marketing. Sales and marketing expenses consist primarily of employee compensation costs, costs of general marketing and promotional activities, travel-related expenses, amortization expense associated with acquired customer relationships (including unbilled and unrecognized contracts yet to be fulfilled) and trade names and allocated overhead. Commissions earned by our sales force that are considered incremental and recoverable costs of obtaining a contract with a customer are deferred and then amortized on a straight-line basis over a period of benefit that we have determined to be generally five years.
General and Administrative. General and administrative expenses consist primarily of employee compensation costs for finance, accounting, legal, information technology and human resources personnel. In addition, general and administrative expenses include acquisition and integration-related costs, non-personnel costs, such as legal, accounting and other professional fees, charitable contributions, and all other supporting corporate expenses, such as information technology, not allocated to other departments.
Restructuring and Other Charges. Restructuring and other charges consist primarily of personnel costs, such as notice period, employee severance payments and termination benefits. In addition, restructuring and other charges include certain lease impairment charges.
Interest and Other, Net
Interest and other, net consists of interest expense, which primarily includes amortization of debt discount (in comparative periods prior to the adoption of Accounting Standards Update ("ASU") No. 2020-06, Accounting for Convertible Instruments and Contracts in an Entity's Own Equity ("ASU 2020-06")), amortization of debt issuance costs, contractual interest expense for our 2023 Notes, convertible notes due in 2025 ("2025 Notes") and convertible notes due in 2026 ("2026 Notes", together with the 2023 Notes and 2025 Notes, the "Notes"), interest income from our investment holdings, and gains and losses from our strategic investments.
Provision for (Benefit from) Income Taxes
Our provision for (benefit from) income taxes consists of federal and state income taxes in the United States and income taxes in certain foreign jurisdictions where we operate. The primary difference between our effective tax rate and the federal statutory rate relates to the net operating losses in jurisdictions with a valuation allowance against related deferred tax assets.
56

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Results of Operations
The following table sets forth our results of operations for the periods presented:
 Year Ended January 31,
 202320222021
 (dollars in millions)
Revenue
Subscription$1,794 $1,249 $797 
Professional services and other64 51 38 
Total revenue1,858 1,300 835 
Cost of revenue
Subscription(1)
464 329 170 
Professional services and other(1)
82 67 48 
Total cost of revenue546 396 218 
Gross profit1,312 904 617 
Operating expenses
Research and development(1)
620 469 223 
Sales and marketing(1)
1,066 771 427 
General and administrative(1)
409 432 171 
Restructuring and other charges29 — — 
Total operating expenses2,124 1,672 821 
Operating loss(812)(768)(204)
Interest expense(11)(91)(73)
Interest income and other, net22 13 
Loss on early extinguishment and conversion of debt— — (2)
Interest and other, net11 (82)(62)
Loss before provision for (benefit from) income taxes(801)(850)(266)
Provision for (benefit from) income taxes14 (2)— 
Net loss$(815)$(848)$(266)
(1) Includes stock-based compensation expense as follows:
 Year Ended January 31,
 202320222021
(dollars in millions)
Cost of subscription revenue$69 $49 $21 
Cost of professional services and other revenue14 12 
Research and development275 193 63 
Sales and marketing159 136 53 
General and administrative160 176 49 
Total stock-based compensation expense$677 $566 $195 
57

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

The following table sets forth our results of operations for the periods presented as a percentage of our total revenue:
 Year Ended January 31,
 202320222021
Revenue 
Subscription97 %96 %95 %
Professional services and other
Total revenue100 100 100 
Cost of revenue
Subscription25 25 20 
Professional services and other
Total cost of revenue29 30 26 
Gross profit71 70 74 
Operating expenses
Research and development33 36 27 
Sales and marketing58 59 51 
General and administrative22 34 20 
Restructuring and other charges— — 
Total operating expenses115 129 98 
Operating loss(44)(59)(24)
Interest expense(1)(7)(9)
Interest income and other, net
Loss on early extinguishment and conversion of debt— — — 
Interest and other, net(6)(8)
Loss before provision for (benefit from) income taxes(43)(65)(32)
Provision for (benefit from) income taxes— — 
Net loss(44)%(65)%(32)%
58

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
A discussion regarding our financial condition and results of operations for fiscal 2023 compared to fiscal 2022 is presented below. A discussion regarding our financial condition and results of operations for fiscal 2022 compared to fiscal 2021 can be found under Item 7 in our Annual Report on Form 10-K for fiscal 2022, filed with the SEC on March 7, 2022, which is available free of charge on the SEC’s website at www.sec.gov and our Investor Relations website at investor.okta.com.
Comparison of the Years Ended January 31, 2023 and 2022
Revenue
 Year Ended January 31,
 20232022$ Change
% Change  
 (dollars in millions)
Revenue:   
Subscription$1,794 $1,249 $545 44 %
Professional services and other64 51 13 27 
Total revenue$1,858 $1,300 $558 43 %
Percentage of revenue:   
Subscription97 %96 %  
Professional services and other  
Total100 %100 %  
For fiscal 2023, subscription revenue increased primarily due to the addition of new customers, an increase in users and sales of additional products to existing customers. The increase in revenue was attributable to a 17% increase in total customers, from over 15,000 as of January 31, 2022, to over 17,600 as of January 31, 2023, and revenue from existing customers as reflected in our Dollar-Based Net Retention Rate of 120% as of January 31, 2023. Additionally, as our acquisition of Auth0 was completed on May 3, 2021, subscription revenue during fiscal 2023 includes twelve months of Auth0 revenue while subscription revenue during fiscal 2022 includes approximately nine months of Auth0 revenue.
For fiscal 2023, professional services revenue increased primarily due to an increase in implementation and other services associated with growth in the number of new customers purchasing our subscription services.
Cost of Revenue, Gross Profit and Gross Margin
 Year Ended January 31,
 20232022$ Change
% Change
 (dollars in millions)
Cost of revenue:   
Subscription$464 $329 $135 41 %
Professional services and other82 67 15 22 
Total cost of revenue$546 $396 $150 38 %
Gross profit$1,312 $904 $408 45 %
Gross margin:   
Subscription74 %74 %  
Professional services and other(27)(32)  
Total gross margin71 %70 %  
For fiscal 2023, cost of subscription revenue increased primarily due to an increase of $69 million in employee compensation costs related to higher headcount to support the growth in our subscription services, an increase of $26 million in third-party hosting costs as we expanded capacity to support our growth, an increase of $17 million in software costs and an increase in amortization of acquired developed technology of $11 million.
59

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Our gross margin for subscription revenue remained consistent at 74% during fiscal 2023. While our gross margins for subscription revenue may fluctuate in the near-term as we invest in our growth, we expect our subscription revenue gross margin to improve over the long-term as we achieve additional economies of scale.
For fiscal 2023, cost of professional services and other revenue increased primarily due to an increase of $11 million in employee compensation costs related to higher headcount.
Our gross margin for professional services and other revenue improved to (27)% during fiscal 2023 from (32)% during fiscal 2022 primarily due to increases in professional services and other revenue at a faster rate than increases in associated costs.
Operating Expenses
Research and Development Expenses
 Year Ended January 31,
 20232022$ Change
% Change  
 (dollars in millions)
Research and development$620 $469 $151 32 %
Percentage of revenue33 %36 %  
For fiscal 2023, research and development expenses increased primarily due to an increase of $139 million in employee compensation costs related to higher headcount. We expect our research and development expenses will increase in absolute dollars as our business grows.
Sales and Marketing Expenses
 Year Ended January 31,
 20232022$ Change
% Change  
 (dollars in millions)
Sales and marketing$1,066 $771 $295 38 %
Percentage of revenue58 %59 %  
For fiscal 2023, sales and marketing expenses increased primarily due to an increase of $217 million in employee compensation costs related to headcount growth, an increase in travel expenses of $19 million, an increase in marketing and event costs of $16 million primarily due to increases in demand generation programs, advertising and brand awareness efforts aimed at acquiring new customers and an increase in amortization expense of $10 million for acquired customer relationships and trade names. We expect our sales and marketing expenses will continue to be our largest operating expense category for the foreseeable future as we expand our sales and marketing efforts. In the short-term, our sales and marketing expenses may increase as a percentage of our total revenue, however, over time, we expect this percentage to decrease as our total revenue grows.
General and Administrative Expenses
 Year Ended January 31,
 20232022$ Change
% Change  
 (dollars in millions)
General and administrative$409 $432 $(23)(5)%
Percentage of revenue22 %34 %  
For fiscal 2023, general and administrative expenses decreased primarily due to a decrease in acquisition and integration-related costs of $46 million, partially offset by increases in employee compensation and related costs associated with headcount growth. We expect our general and administrative expenses will increase in absolute dollars as our business grows.
60

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Restructuring and Other Charges
 Year Ended January 31,
 20232022$ Change
% Change  
 (dollars in millions)
Restructuring and other charges$29 $— $29 — %
Percentage of revenue%— %  
For fiscal 2023, restructuring and other charges relate to severance and termination benefit costs of $15 million and lease impairment charges of $14 million. See Note 16 to our consolidated financial statements "Restructuring and Other Charges" for additional information.
Interest and Other, Net
 Year Ended January 31,
 20232022$ Change
% Change  
 (dollars in millions)
Interest expense$(11)$(91)$80 (88)%
Interest income and other, net22 13 126 
Interest and other, net$11 $(82)
For fiscal 2023, the change in interest and other, net was primarily due to a decrease in interest expense resulting from the adoption of ASU 2020-06 and an increase in interest income from our short-term investments. We expected interest income from our short-term investments to continue to increase as a result of increasing interest rates.
Provision for (Benefit from) Income Taxes
 Year Ended January 31,
 20232022$ Change
% Change  
 (dollars in millions)
Provision for (benefit from) income taxes$14 $(2)$16 (1,158)%
For fiscal 2023, income tax expense resulted primarily from income from profitable foreign jurisdictions, the tax impact of shortfalls from stock-based compensation in the United Kingdom, and state taxes.
For fiscal 2022, the income tax benefit resulted from the release of valuation allowance in the United States in connection with acquisitions and excess tax benefits from stock-based compensation in the United Kingdom, offset by income tax expense related to profitable foreign jurisdictions.
Non-GAAP Financial Measures
In addition to our results determined in accordance with accounting principles generally accepted in the United States (“GAAP”), we believe the following non-GAAP measures are useful in evaluating our operating performance. We use the below referenced non-GAAP financial information, collectively, to evaluate our ongoing operations and for internal planning and forecasting purposes. We believe that non-GAAP financial information, when taken collectively with GAAP financial measures, may be helpful to investors because it provides consistency and comparability with past financial performance, and assists in comparisons with other companies, some of which use similar non-GAAP financial information to supplement their GAAP results. The non-GAAP financial information is presented for supplemental informational purposes only, and should not be considered a substitute for financial information presented in accordance with GAAP, and may be different from similarly-titled non-GAAP measures used by other companies. The principal limitation of these non-GAAP financial measures is that they exclude significant expenses that are required by GAAP to be recorded in our financial statements. In addition, they are subject to inherent limitations as they reflect the exercise of judgment by our management about which expenses are excluded or included in determining these non-GAAP financial measures. A reconciliation is provided below for
61

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
each non-GAAP financial measure to the most directly comparable financial measure stated in accordance with GAAP. Investors are encouraged to review the related GAAP financial measures and the reconciliation of these non-GAAP financial measures to their most directly comparable GAAP financial measures, and not to rely on any single financial measure to evaluate our business.
We periodically reassess the components of our Non-GAAP adjustments for changes in how we evaluate our performance, changes in how we make financial and operational decisions, and consider the use of these measures by our competitors and peers to ensure the adjustments remain relevant and meaningful.
Non-GAAP Gross Profit and Non-GAAP Gross Margin
We define Non-GAAP gross profit and Non-GAAP gross margin as GAAP gross profit and GAAP gross margin, adjusted for stock-based compensation expense included in cost of revenue, amortization of acquired intangibles and acquisition and integration-related expenses. Acquisition and integration-related expenses include transaction costs and other non-recurring incremental costs incurred through the one-year anniversary of the transaction close.
Year Ended January 31,
202320222021
(dollars in millions)
Gross profit$1,312 $904 $617 
Add:
Stock-based compensation expense included in cost of revenue83 61 30 
Amortization of acquired intangibles46 34 
Acquisition and integration-related expenses— 
Non-GAAP gross profit$1,442 $1,001 $654 
Gross margin71 %70 %74 %
Non-GAAP gross margin78 %77 %78 %
Non-GAAP Operating Income (Loss) and Non-GAAP Operating Margin
We define Non-GAAP operating income (loss) and Non-GAAP operating margin as GAAP operating loss and GAAP operating margin, adjusted for stock-based compensation expense, non-cash charitable contributions, amortization of acquired intangibles, acquisition and integration-related expenses and restructuring costs related to severance and termination benefits and lease impairments in connection with the closing of certain leased facilities. Acquisition and integration-related expenses include transaction costs and other non-recurring incremental costs incurred through the one-year anniversary of the transaction close.
62

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
In fiscal 2023, we updated our definition of Non-GAAP operating income (loss) and Non-GAAP operating margin to include restructuring costs as defined in the preceding paragraph.

Year Ended January 31,
202320222021
(dollars in millions)
Operating loss$(812)$(768)$(204)
Add:
Stock-based compensation expense677 566 195 
Non-cash charitable contributions
Amortization of acquired intangibles85 64 
Acquisition and integration-related expenses56 — 
Restructuring costs29 — — 
Non-GAAP operating income (loss)$(10)$(74)$
Operating margin(44)%(59)%(24)%
Non-GAAP operating margin(1)%(6)%%
Non-GAAP Net Income (Loss), Non-GAAP Net Margin and Non-GAAP Net Income (Loss) Per Share, Basic and Diluted
We define Non-GAAP net income (loss) and Non-GAAP net margin as GAAP net loss and GAAP net margin, adjusted for stock-based compensation expense, non-cash charitable contributions, amortization of acquired intangibles, acquisition and integration-related expenses, amortization of debt discount, amortization of debt issuance costs, loss on early extinguishment and conversion of debt and restructuring costs related to severance and termination benefits and lease impairments in connection with the closing of certain leased facilities. Acquisition and integration-related expenses include transaction costs and other non-recurring incremental costs incurred through the one-year anniversary of the transaction close.
In fiscal 2023, we updated our definition of Non-GAAP net income (loss) and Non-GAAP net margin to include restructuring costs as defined in the preceding paragraph.
We define Non-GAAP net income (loss) per share, basic, as Non-GAAP net income (loss) divided by GAAP weighted-average shares used to compute net loss per share, basic and diluted.
We define Non-GAAP net income (loss) per share, diluted, as Non-GAAP net income (loss) divided by GAAP weighted-average shares used to compute net loss per share, basic and diluted adjusted for the potentially dilutive effect of (i) employee equity incentive plans, excluding the impact of unrecognized stock-based compensation expense, and (ii) convertible senior notes outstanding and related warrants. In addition, Non-GAAP net income (loss) per share, diluted, includes the impact of our note hedge and capped call agreements on convertible senior notes outstanding, as applicable. The note hedge and capped call agreements are intended to offset potential dilution to our Class A common stock upon any conversion or settlement of the convertible senior notes under certain circumstances. Accordingly, we did not record any adjustments for the potential impact of the convertible senior notes outstanding under the if-converted method.
63

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)

Year Ended January 31,
202320222021
(dollars in millions, shares in thousands, except per share data)
Net loss$(815)$(848)$(266)
Add:
Stock-based compensation expense677 566 195 
Non-cash charitable contributions
Amortization of acquired intangibles85 64 
Acquisition and integration-related expenses56 — 
Amortization of debt discount and debt issuance costs86 69 
Loss on early extinguishment and conversion of debt— — 
Restructuring costs29 — — 
Non-GAAP net income (loss)$(7)$(68)$16 
Net margin(44)%(65)%(32)%
Non-GAAP net margin— %(5)%%
Weighted-average shares used to compute net loss per share, basic and diluted158,023 148,036 127,212 
Non-GAAP weighted-average effect of potentially dilutive securities— — 15,171 
Non-GAAP weighted-average shares used to compute non-GAAP net income (loss) per share, diluted158,023 148,036 142,383 
Net loss per share, basic and diluted$(5.16)$(5.73)$(2.09)
Non-GAAP net income (loss) per share, basic$(0.04)$(0.46)$0.13 
Non-GAAP net income (loss) per share, diluted$(0.04)$(0.46)$0.11 
Free Cash Flow and Free Cash Flow Margin
We define Free cash flow as net cash provided by operating activities, less cash used for purchases of property and equipment, net of sales proceeds, and capitalized internal-use software costs. Free cash flow margin is calculated as Free cash flow divided by total revenue.
Year Ended January 31,
202320222021
(dollars in millions)
Net cash provided by operating activities$86 $104 $128 
Less:
Purchases of property and equipment(12)(13)(13)
Capitalization of internal-use software costs(9)(4)(4)
Free cash flow$65 $87 $111 
Net cash used in investing activities$(130)$(367)$(1,305)
Net cash provided by financing activities$48 $89 $1,092 
Free cash flow margin%%13 %
64

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Calculated Billings
We define Calculated Billings as total revenue plus the change in deferred revenue, net of acquired deferred revenue, and less the change in unbilled receivables, net of acquired unbilled receivables, in the period.
Year Ended January 31,
202320222021
(dollars in millions)
Total revenue$1,858 $1,300 $835 
Add:
Deferred revenue (end of period)1,260 996 514 
Unbilled receivables (beginning of period)
Acquired unbilled receivables— — 
Less:
Deferred revenue (beginning of period)(996)(514)(371)
Unbilled receivables (end of period)(2)(3)(3)
Acquired deferred revenue— (66)— 
Calculated Billings$2,123 $1,718 $976 
Liquidity and Capital Resources
As of January 31, 2023, our principal sources of liquidity were cash, cash equivalents and short-term investments totaling $2,580 million, which were held for working capital and general corporate purposes, including potential future acquisition activity. Our cash equivalents and investments consisted primarily of U.S. treasury securities, corporate debt securities and money market funds. Historically, we have generated significant operating losses and both positive and negative cash flows from operations as reflected in our accumulated deficit and consolidated statements of cash flows. We expect to continue to incur operating losses and cash flows from operations that may fluctuate between positive and negative amounts for the foreseeable future.
In February 2018, we completed our private offering of the 2023 Notes due on February 15, 2023 and received aggregate proceeds of $345 million. Nearly all of the 2023 Notes have been repurchased or converted as of January 31, 2023. The interest rate on the 2023 Notes is fixed at 0.25% per annum and is payable semi-annually in arrears on February 15 and August 15 of each year, beginning on August 15, 2018. In connection with the issuance of the 2023 Notes, we used a portion of the proceeds to enter into convertible note hedges ("Note Hedges") with respect to our Class A common stock. The cost of the Note Hedges was partially offset by proceeds from the sale of warrants to purchase shares of our Class A common stock ("Warrants") in connection with the issuance of the 2023 Notes.
In September 2019, we completed our private offering of the 2025 Notes due on September 1, 2025 and received aggregate gross proceeds of $1,060 million The interest rate on the 2025 Notes is fixed at 0.125% per annum and is payable semi-annually in arrears on March 1 and September 1 of each year, beginning on March 1, 2020. In connection with the 2025 Notes, we used a portion of the proceeds to enter into capped call transactions ("2025 Capped Calls") with respect to our Class A common stock. Concurrent with the private offering of the 2025 Notes, we repurchased a portion of the 2023 Notes and terminated a portion of our existing Note Hedges and Warrants.
In June 2020, we completed our private offering of the 2026 Notes due on June 15, 2026 and received aggregate proceeds of $1,150 million. The interest rate on the 2026 Notes is fixed at 0.375% per year and is payable semi-annually in arrears on June 15 and December 15 of each year, beginning on December 15, 2020. In connection with the 2026 Notes, we used a portion of the proceeds to enter into capped call transactions ("2026 Capped Calls") with respect to our Class A common stock. Concurrent with the private offering of the 2026 Notes, we repurchased a portion of the 2023 Notes and terminated a portion of our existing Note Hedges and Warrants.
65

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
On May 3, 2021, we completed the acquisition of Auth0. In connection with this acquisition, consideration included cash of $150 million, net of cash acquired of $107 million, and approximately 19 million shares of our common stock with an estimated fair value of $5,176 million. In addition, we assumed outstanding employee equity awards with vested fair value of $238 million.
On August 2, 2021, we completed the acquisition of Townsend Street Labs, Inc. ("atSpoke"), providing total cash consideration, net of cash acquired of $79 million. Of this amount, $13 million of consideration was held back as partial security for any adjustments and indemnification obligations and will be paid within 18 months of the closing date.
We believe our existing cash and cash equivalents, our investments and cash provided by sales of our products and services will be sufficient to meet our short-term and long-term projected working capital and capital expenditure needs for the foreseeable future. Our future capital requirements will depend on many factors, including our subscription growth rate, subscription renewal activity, billing frequency, the timing and extent of spending to support development efforts, the expansion of sales and marketing activities, the expansion of our international operations, the introduction of new and enhanced product offerings, and the continuing market adoption of our platform. We continue to assess our capital structure and evaluate the merits of deploying available cash. We may in the future enter into arrangements to acquire or invest in complementary businesses, services and technologies, including intellectual property rights. We may be required to seek additional equity or debt financing. In the event that additional financing is required from outside sources, we may not be able to raise it on terms acceptable to us or at all. If we are unable to raise additional capital or generate cash flows necessary to expand our operations and invest in new technologies this could reduce our ability to compete successfully and harm our results of operations.
A significant majority of our customers pay in advance for annual subscriptions. Therefore, a substantial source of our cash is from our deferred revenue, which is included on our consolidated balance sheet as a liability. Deferred revenue consists of the unearned portion of billed fees for our subscriptions, which is recognized as revenue in accordance with our revenue recognition policy. As of January 31, 2023, we had deferred revenue of $1,260 million, of which $1,242 million was recorded as a current liability and is expected to be recorded as revenue in the next 12 months, provided all other revenue recognition criteria have been met.
Cash Flows
The following table summarizes our cash flows for the periods indicated:
 Year Ended January 31,
 202320222021
 (dollars in millions)
Net cash provided by operating activities$86 $104 $128 
Net cash used in investing activities(130)(367)(1,305)
Net cash provided by financing activities48 89 1,092 
Effects of changes in foreign currency exchange rates on cash, cash equivalents and restricted cash(6)(2)
Net decrease in cash, cash equivalents and restricted cash$(2)$(176)$(83)
Operating Activities
Our largest source of operating cash is cash collections from our customers for subscription and professional services. Our primary uses of cash from operating activities are for employee-related expenditures, marketing expenses and third-party hosting costs. In recent periods, we have supplemented working capital requirements through net proceeds from the issuance of the 2023, 2025 and 2026 Notes in February 2018, September 2019 and June 2020, respectively.
During fiscal 2023, cash provided by operating activities was $86 million, decreasing by $18 million compared to fiscal 2022. The decrease was primarily attributable to an increase in cash paid to employees and vendors, partially offset by an increase in cash received from customers.
66

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Investing Activities
During fiscal 2023, cash used in investing activities was $130 million, decreasing by $237 million compared to fiscal 2022. The decrease was primarily attributable to a decrease in payments for business acquisitions, net of cash acquired, and a decrease in cash used from net investment purchases, sales, and maturities.
Financing Activities
During fiscal 2023, cash provided by financing activities was $48 million, decreasing by $41 million compared to fiscal 2022. The decrease was primarily attributable to a decrease in proceeds from the exercise of stock options and a decrease in proceeds from employee purchases under our employee stock purchase plan ("ESPP").
Material Cash Requirements
Contractual Obligations
The following table represents the Company’s known short-term (i.e., the next twelve months) and long-term (i.e., beyond the next twelve months) obligations as of January 31, 2023:
Short-termLong-termTotal
(dollars in millions)
Convertible Senior Notes:(1)
    Principal payments$— $2,210 $2,210 
    Interest payments13 19 
Operating leases(2)
43 160 203 
Purchase obligations(3)
237 361 598 
Total contractual obligations$286 $2,744 $3,030 
(1) See Note 9 to our consolidated financial statements "Convertible Senior Notes, Net" for additional information.
(2) See Note 10 to our consolidated financial statements "Leases" for additional information.
(3) Purchase obligations primarily relate to data center hosting facilities, and other sales and marketing obligations.
Indemnification Agreements
In the ordinary course of business, we enter into agreements of varying scope and terms pursuant to which we agree to indemnify customers, vendors, lessors, business partners and other parties with respect to certain matters, including, but not limited to, losses arising out of the breach of such agreements, services to be provided by us or from intellectual property infringement claims made by third parties. In addition, we have entered into indemnification agreements with our directors and certain officers and employees that will require us, among other things, to indemnify them against certain liabilities that may arise by reason of their status or service as directors, officers or employees. No material demands have been made upon us to provide indemnification under such agreements and there are no claims that we are aware of that could have a material effect on our consolidated balance sheets, consolidated statements of operations and comprehensive loss, or consolidated statements of cash flows.
Critical Accounting Estimates
We prepare our consolidated financial statements in accordance with accounting principles generally accepted in the United States of America. In the preparation of these consolidated financial statements, we are required to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenue, costs and expenses, and related disclosures. To the extent that there are material differences between these estimates and actual results, our financial condition or results of operations would be affected. We base our estimates on past experience and other assumptions that we believe are reasonable under the circumstances, and we evaluate these estimates on an ongoing basis. We refer to accounting estimates of this type as critical accounting estimates, which we discuss below.
67

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
Income Taxes
Income taxes are accounted for in accordance with the liability method. Under this method, deferred tax assets and liabilities are recognized for the expected future tax consequences of temporary differences between the financial reporting and tax basis of assets and liabilities, as well as for operating loss and tax credit carryforwards. Deferred tax assets and liabilities are measured using enacted tax rates that are expected to apply to taxable income for the years in which those tax assets and liabilities are expected to be realized or settled.
Valuation allowances are established when necessary to reduce deferred tax assets to the amounts that are more likely than not expected to be realized based on the weighting of positive and negative evidence. Future realization of deferred tax assets ultimately depends on the existence of sufficient taxable income of the appropriate character, within the carry-back or carry-forward periods available under the applicable tax law. In assessing the need for a valuation allowance, we consider available evidence, including past operating results, estimates of future taxable income, and the feasibility of tax planning strategies. Our judgment regarding future estimates may change due to many factors, including future market conditions and the ability to successfully execute our business plans and tax planning strategies. Should there be a change in the ability to recover deferred tax assets, our provision for income taxes would increase or decrease in the period in which the assessment is changed.
Our tax positions are subject to income tax audits by multiple tax jurisdictions throughout the world. We recognize the tax benefit of an uncertain tax position only if it is more likely than not that the position is sustainable upon examination by the taxing authority, based on the technical merits. Significant judgment is required in determining the technical merits of an uncertain tax position, such as taking into account current tax laws, our interpretation of current tax laws and possible outcomes of current and future audits conducted by foreign and domestic tax authorities. We adjust these reserves in light of changing facts and circumstances, such as the closing of a tax audit or the refinement of an estimate. To the extent the final tax outcome of these matters is different than the amounts recorded, such differences may impact the provision for income taxes in the period in which such determination is made.
Business Combinations
When we acquire a business, the purchase price is allocated to the acquired assets, including separately identifiable intangible assets, and assumed liabilities at their respective estimated fair values. Any residual purchase price is recorded as goodwill. The allocation of the purchase price requires management to make significant estimates in determining the fair values of assets acquired and liabilities assumed, especially with respect to intangible assets. These estimates can include, but are not limited to:
future expected cash flows from subscription contracts, professional services contracts, other customer contracts and acquired developed technologies;
person hours required in recreating certain acquired technologies;
historical and expected customer attrition rates and anticipated growth in revenue from acquired customers;
royalty rates applied to acquired developed technology platforms and other intangible assets;
obsolescence curves and other useful life assumptions, such as the period of time and intended use of acquired intangible assets in our product offerings;
discount rates;
uncertain tax positions and tax-related valuation allowances; and
fair value of assumed equity awards.
These estimates are inherently uncertain and unpredictable, and unanticipated events and circumstances may occur that may affect the accuracy or validity of such assumptions, estimates or actual results. During the measurement period, which may be up to one year from the acquisition date, adjustments to the fair value of these tangible and intangible assets acquired and liabilities assumed may be recorded, with the corresponding offset to
68

OKTA, INC.
MANAGEMENT’S DISCUSSION AND ANALYSIS OF
FINANCIAL CONDITION AND RESULTS OF OPERATIONS (continued)
goodwill. We continue to collect information and reevaluate these estimates and assumptions quarterly and record any adjustments to our preliminary estimates to goodwill provided that we are within the measurement period. Upon the conclusion of the measurement period or final determination of the fair value of assets acquired or liabilities assumed, whichever comes first, any subsequent adjustments are recorded to the consolidated statements of operations.
Loss Contingencies
We evaluate contingent liabilities, including threatened or pending litigation, and make provisions for such liabilities when it is both probable that a loss has been incurred and its amount can be reasonably estimated. Because of uncertainties inherent in litigation, we base our estimate and accrue the liabilities, if any, on the information available at the time of our assessment. Significant judgment is required to determine both the probability and the estimated amount of loss given such legal proceedings are inherently unpredictable and subject to significant uncertainties, some of which are beyond our control. Developments in these matters could affect the amount of any liability we may accrue. As additional information becomes available, we may revise our estimates. Any revisions in the estimates of potential liabilities could have a material impact on our operating results and financial position. Further, until the final resolution of any such matter, there may be a loss exposure in excess of the liability recognized and such amount could be significant.
Revenue Recognition
We derive our revenues primarily from subscription fees and professional services fees. A description of our revenue recognition policies is included in Note 2 to our consolidated financial statements "Summary of Significant Accounting Policies."
Our contracts with customers often contain multiple performance obligations. For these contracts, we account for individual performance obligations separately if they are distinct. The transaction price of the contract is allocated to the separate performance obligations on a relative standalone selling price basis. Evaluating customer contracts with multiple performance obligations and complex terms may require significant judgment in identifying the distinct performance obligations.
Recent Accounting Pronouncements
See Note 2 to our consolidated financial statements “Summary of Significant Accounting Policies — Recently Adopted Accounting Pronouncements" for more information.
69


Item 7A. Quantitative and Qualitative Disclosures about Market Risk
Foreign Currency Exchange Risk
The functional currencies of our foreign subsidiaries are the respective local currencies. Most of our sales are denominated in U.S. dollars, and therefore our revenue is not currently subject to significant foreign currency risk. Our operating expenses are denominated in the currencies of the countries in which our operations are located, which are primarily in the United States, the United Kingdom, Canada and Australia. Our consolidated results of operations and cash flows are, therefore, subject to fluctuations due to changes in foreign currency exchange rates and may be adversely affected in the future due to changes in foreign exchange rates. To date, we have not entered into any hedging arrangements with respect to foreign currency risk or other derivative financial instruments. During fiscal 2023, 2022 and 2021, a hypothetical 10% change in foreign currency exchange rates applicable to our business would not have had a material impact on our consolidated financial statements.
Interest Rate Risk
We had cash, cash equivalents and short-term investments totaling $2,580 million as of January 31, 2023, of which $2,449 million was invested in U.S. treasury securities, corporate debt securities and money market funds. Our cash and cash equivalents are held for working capital and general corporate purposes, including potential future acquisition activity. Our short-term investments are made for capital preservation purposes. We do not enter into investments for trading or speculative purposes.
Our cash equivalents and our investment portfolio are subject to market risk due to changes in interest rates. Fixed rate securities may have their market value adversely affected due to a rise in interest rates. Due in part to these factors, our future investment income may fall short of our expectations due to changes in interest rates or we may suffer losses in principal if we are forced to sell securities that decline in market value due to changes in interest rates. However, because we classify our short-term investments as “available for sale,” no gains are recognized due to changes in interest rates. As losses due to changes in interest rates are generally not considered to be credit related changes, no losses in such securities are recognized due to changes in interest rates unless we intend to sell, it is more likely than not that we will be required to sell, we sell prior to maturity, or we otherwise determine that all or a portion of the decline in fair value are due to credit related factors.
As of January 31, 2023, a hypothetical 10% relative change in interest rates would not have had a material impact on the value of our cash equivalents or investment portfolio. Fluctuations in the value of our cash equivalents and investment portfolio caused by a change in interest rates (gains or losses on the carrying value) are recorded in other comprehensive income (loss), and are realized only if we sell the underlying securities prior to maturity.
Convertible Senior Notes
In February 2018, we issued the 2023 Notes due February 15, 2023 with a principal amount of $345 million, of which $224 million and $70 million were repurchased in September 2019 and June 2020, respectively. Concurrently with the issuance of the 2023 Notes, we entered into separate Note Hedges and Warrant transactions, a portion of which were terminated in September 2019 and June 2020 in connection with the partial repurchases of the 2023 Notes. The Note Hedges were completed to reduce the potential dilution from the conversion of the 2023 Notes. Additionally, through January 31, 2023, we received and completed requests to convert approximately $51 million principal amount of 2023 Notes (not in connection with the partial repurchases of the 2023 Notes) and exercised and net-share-settled Note Hedges corresponding to approximately $45 million principal amount of 2023 Notes.
In September 2019, we issued the 2025 Notes due September 1, 2025 with a principal amount of $1,060 million. Concurrently with the issuance of the 2025 Notes, we entered into separate capped call transactions. The 2025 Capped Calls were completed to reduce the potential dilution from the conversion of the 2025 Notes.
In June 2020, we issued the 2026 Notes due June 15, 2026 with a principal amount of $1,150 million. Concurrently with the issuance of the 2026 Notes, we entered into separate capped call transactions. The 2026 Capped Calls were completed to reduce the potential dilution from the conversion of the 2026 Notes.
The 2023 Notes, 2025 Notes and 2026 Notes have a fixed annual interest rate of 0.25%, 0.125% and 0.375%, respectively; accordingly, we do not have economic interest rate exposure on the Notes. However, the fair value of the Notes is exposed to interest rate risk. Generally, the fair market value of the fixed interest rate of the Notes will increase as interest rates fall and decrease as interest rates rise. In addition, the fair value of the Notes fluctuates when the market price of our common stock fluctuates. The fair value was determined based on the
70


quoted bid price of the Notes in an over-the-counter market on the last trading day of the reporting period. See Note 5 to our consolidated financial statements for more information. Changes in the interest rate environment upon maturity of this fixed rate debt could have an effect on our future cash flows and earnings, depending on whether the debt is replaced with other fixed rate debt, variable rate debt or equity.

71


Item 8. FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA

INDEX TO CONSOLIDATED FINANCIAL STATEMENTS
Page

72


Report of Independent Registered Public Accounting Firm

To the Stockholders and the Board of Directors of Okta, Inc.

Opinion on the Financial Statements
We have audited the accompanying consolidated balance sheets of Okta, Inc. (the Company) as of January 31, 2023 and 2022, the related consolidated statements of operations, comprehensive loss, stockholders' equity, and cash flows for each of the three years in the period ended January 31, 2023, and the related notes (collectively referred to as the “consolidated financial statements”). In our opinion, the consolidated financial statements present fairly, in all material respects, the financial position of the Company at January 31, 2023 and 2022, and the results of its operations and its cash flows for each of the three years in the period ended January 31, 2023, in conformity with U.S. generally accepted accounting principles.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the Company's internal control over financial reporting as of January 31, 2023, based on criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework) and our report dated March 3, 2023 expressed an unqualified opinion thereon.

Basis for Opinion
These financial statements are the responsibility of the Company's management. Our responsibility is to express an opinion on the Company’s financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that our audits provide a reasonable basis for our opinion.

Critical Audit Matter
The critical audit matter communicated below is a matter arising from the current period audit of the financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved our especially challenging, subjective, or complex judgments. The communication of the critical audit matter does not alter in any way our opinion on the consolidated financial statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on the accounts or disclosures to which it relates.

73



Revenue recognition Identifying and evaluating terms and conditions in contracts
Description of the Matter
As explained in Note 2 to the consolidated financial statements, the Company derives revenue from subscription fees and professional services fees. The Company’s arrangements are generally non-cancelable and non-refundable. In addition, the arrangements do not provide customers with the right to take possession of the software and, as a result, are accounted for as service arrangements. Subscription revenue, which includes support, is recognized on a straight-line basis over the non-cancelable contractual term of the arrangement, generally beginning on the date that the Company’s service is made available to the customer. Revenue for the Company’s professional services is recognized as services are performed in proportion to their pattern of transfer.

Auditing the Company’s accounting for revenue recognition was challenging, specifically related to the appropriate identification and evaluation of non-standard terms and conditions. For example, certain non-standard terms and conditions required judgment to identify the distinct performance obligations and determine the timing of revenue recognition.

How We Addressed the Matter in Our Audit
We obtained an understanding, evaluated the design and tested the operating effectiveness of the Company’s internal controls over the identification and evaluation of terms and conditions in contracts that impact revenue recognition, including the identification of performance obligations and the determination of the timing of revenue recognition. This included testing relevant controls over the information systems that are used in the initiation, billing and recording of revenue transactions.

Among other procedures, on a sample basis, we tested the completeness and accuracy of management’s identification and evaluation of the non-standard terms and conditions in contracts. We also tested amounts recognized pursuant to contractual terms and conditions by examining the relationship between revenue recognized and accounts receivable and related cash collections. Further, we selected a sample of contractual arrangements to test that management had properly assessed the impact of any non-standard terms on the identified performance obligations and timing of revenue recognition. Additionally, to verify completeness of non-standard terms and conditions, we obtained confirmations of terms and conditions for a sample of arrangements with customers.

/s/ Ernst & Young LLP
We have served as the Company’s auditor since 2013.
San Jose, California
March 3, 2023
74


Report of Independent Registered Public Accounting Firm
To the Stockholders and the Board of Directors of Okta, Inc.
Opinion on Internal Control Over Financial Reporting
We have audited Okta, Inc.’s internal control over financial reporting as of January 31, 2023, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework) (the COSO criteria). In our opinion, Okta, Inc. (the Company) maintained, in all material respects, effective internal control over financial reporting as of January 31, 2023, based on the COSO criteria.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the consolidated balance sheets of the Company as of January 31, 2023 and 2022, the related consolidated statements of operations, comprehensive loss, stockholders' equity, and cash flows for each of the three years in the period ended January 31, 2023, and the related notes and our report dated March 3, 2023 expressed an unqualified opinion thereon.

Basis for Opinion
The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting included in the accompanying Management’s Report on Internal Control over Financial Reporting. Our responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects.
Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

Definition and Limitations of Internal Control Over Financial Reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
/s/ Ernst & Young LLP
San Jose, California
March 3, 2023
75


OKTA, INC.
CONSOLIDATED BALANCE SHEETS
(dollars in millions, shares in thousands, except per share data)
 As of January 31,
 20232022
Assets 
Current assets: 
Cash and cash equivalents$264 $260 
Short-term investments2,316 2,242 
Accounts receivable, net of allowances of $8 and $4
481 398 
Deferred commissions92 75 
Prepaid expenses and other current assets76 66 
Total current assets3,229 3,041 
Property and equipment, net59 65 
Operating lease right-of-use assets122 148 
Deferred commissions, noncurrent210 191 
Intangible assets, net241 317 
Goodwill5,400 5,401 
Other assets46 43 
Total assets$9,307 $9,206 
Liabilities and stockholders’ equity 
Current liabilities: 
Accounts payable$12 $20 
Accrued expenses and other current liabilities112 90 
Accrued compensation99 144 
Convertible senior notes, net— 16 
Deferred revenue1,242 973 
Total current liabilities1,465 1,243 
Convertible senior notes, net, noncurrent2,193 1,816 
Operating lease liabilities, noncurrent142 171 
Deferred revenue, noncurrent18 23 
Other liabilities, noncurrent23 31 
Total liabilities3,841 3,284 
Commitments and contingencies (Note 11)
Stockholders’ equity: 
Preferred stock, par value $0.0001 per share; 100,000 shares authorized, no shares issued and outstanding as of January 31, 2023 and 2022.
— — 
Class A Common stock, par value $0.0001 per share; 1,000,000 shares authorized; 154,009 and 149,624 shares issued and outstanding as of January 31, 2023 and 2022, respectively.
— — 
Class B Common stock, par value $0.0001 per share; 120,000 shares authorized; 7,300 and 6,978 shares issued and outstanding as of January 31, 2023 and 2022, respectively.
— — 
Additional paid-in capital7,974 7,750 
Accumulated other comprehensive loss(33)(12)
Accumulated deficit(2,475)(1,816)
Total stockholders’ equity5,466 5,922 
Total liabilities and stockholders’ equity $9,307 $9,206 

See Notes to Consolidated Financial Statements.
76


OKTA, INC.
CONSOLIDATED STATEMENTS OF OPERATIONS
(dollars in millions, shares in thousands, except per share data)
 Year Ended January 31,
 202320222021
Revenue 
Subscription$1,794 $1,249 $797 
Professional services and other64 51 38 
Total revenue1,858 1,300 835 
Cost of revenue
Subscription464 329 170 
Professional services and other82 67 48 
Total cost of revenue546 396 218 
Gross profit1,312 904 617 
Operating expenses 
Research and development620 469 223 
Sales and marketing1,066 771 427 
General and administrative409 432 171 
Restructuring and other charges29 — — 
Total operating expenses2,124 1,672 821 
Operating loss(812)(768)(204)
Interest expense(11)(91)(73)
Interest income and other, net22 13 
Loss on early extinguishment and conversion of debt— — (2)
Interest and other, net11 (82)(62)
Loss before provision for (benefit from) income taxes(801)(850)(266)
Provision for (benefit from) income taxes14 (2)— 
Net loss$(815)$(848)$(266)
 
Net loss per share, basic and diluted$(5.16)$(5.73)$(2.09)
 
Weighted-average shares used to compute net loss per share, basic and diluted158,023 148,036 127,212 

See Notes to Consolidated Financial Statements.

77


OKTA, INC.
CONSOLIDATED STATEMENTS OF COMPREHENSIVE LOSS
(in millions)
 
 Year Ended January 31,
 202320222021
Net loss$(815)$(848)$(266)
Other comprehensive income (loss):
Net change in unrealized gains or losses on available-for-sale securities(12)(14)
Foreign currency translation adjustments(9)(3)
Other comprehensive income (loss)(21)(17)
Comprehensive loss$(836)$(865)$(262)

See Notes to Consolidated Financial Statements.

78


OKTA, INC.
CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY
(dollars in millions, shares in thousands)
 
Class A Common Stock 
Class B Common Stock 
Additional
Paid-in
Capital
Accumulated
Other
Comprehensive
Income (Loss)
Accumulated
Deficit
Total
Stockholders’
Equity
 
Shares 
Amount 
Shares 
Amount 
Balances as of January 31, 2020113,990 $— 8,648 $— $1,106 $$(702)$405 
Issuance of common stock upon exercise of stock options and other activity, net4,114 — 254 — 46 — — 46 
Issuance of common stock under employee stock purchase plan, net of cancellations247 — — — 26 — — 26 
Issuance of common stock for settlement of restricted stock units2,109 — — — — — — — 
Issuance of common stock for bonus settlement86 — — — 10 — — 10 
Issuance of common stock pursuant to charitable donation43 — — — — — 
Conversion of Class B common stock to Class A common stock743 — (743)— — — — — 
Exercise of hedges related to convertible senior notes(168)— — — — — — — 
Equity component of convertible senior notes, net of issuance costs— — — — 306 — — 306 
Equity component of early extinguishment and conversion of convertible senior notes1,660 — — — 70 — — 70 
Proceeds from hedges related to convertible senior notes— — — — 195 — — 195 
Payments for warrants related to convertible senior notes— — — — (175)— — (175)
Purchases of capped calls related to convertible senior notes— — — — (134)— — (134)
Stock-based compensation— — — — 197 — — 197 
Other comprehensive income— — — — — — 
Net loss— — — — — — (266)(266)
Balances as of January 31, 2021122,824 $— 8,159 $— $1,656 $$(968)$693 
Issuance of common stock in connection with business combinations19,190 — — — 5,409 — — 5,409 
Issuance of common stock in connection with business combinations subject to future vesting1,269 — — — — — — — 
Issuance of common stock upon exercise of stock options and other activity, net2,552 — — 54 — — 54 
Issuance of common stock under employee stock purchase plan, net of cancellations186 — — — 36 — — 36 
Issuance of common stock for settlement of restricted stock units2,294 — — — — — — — 
Issuance of common stock pursuant to charitable donation30 — — — — — 
Conversion of Class B common stock to Class A common stock1,183 — (1,183)— — — — — 
Equity component of early extinguishment and conversion of convertible senior notes476 — — — 21 — — 21 
Proceeds from hedges related to convertible senior notes(380)— — — — — — — 
Stock-based compensation— — — — 567 — — 567 
Other comprehensive loss— — — — — (17)— (17)
Net loss— — — — — — (848)(848)
Balances as of January 31, 2022149,624 $— 6,978 $— $7,750 $(12)$(1,816)$5,922 
79


 
Class A Common Stock 
Class B Common Stock 
Additional
Paid-in
Capital
Accumulated
Other
Comprehensive
Income (Loss)
Accumulated
Deficit
Total
Stockholders’
Equity
 
Shares 
Amount 
Shares 
Amount 
Adjustments from adoption of ASU 2020-06— — — — (528)— 156 (372)
Forfeiture of unvested common stock issued in connection with business combinations(14)— — — — — — — 
Issuance of common stock upon exercise of stock options and other activity, net965 — 451 — 17 — — 17 
Issuance of common stock under employee stock purchase plan, net of cancellations492 — — — 31 — — 31 
Issuance of common stock for settlement of restricted stock units2,555 — — — — — — — 
Issuance of common stock pursuant to charitable donation42 — — — — — 
Conversion of Class B common stock to Class A common stock129 — (129)— — — — — 
Settlement of convertible senior notes356 — — — 17 — — 17 
Proceeds from hedges related to convertible senior notes(140)— — — — — — — 
Stock-based compensation— — — — 683 — — 683 
Other comprehensive loss— — — — — (21)— (21)
Net loss— — — — — — (815)(815)
Balances as of January 31, 2023154,009 $— 7,300 $— $7,974 $(33)$(2,475)$5,466 
See Notes to Consolidated Financial Statements.
80


OKTA, INC.
CONSOLIDATED STATEMENTS OF CASH FLOWS
(in millions)
 Year Ended January 31,
 202320222021
Cash flows from operating activities: 
Net loss$(815)$(848)$(266)
Adjustments to reconcile net loss to net cash provided by operating activities:
Stock-based compensation677 566 195 
Depreciation, amortization and accretion114 108 37 
Amortization of debt discount and issuance costs86 68 
Amortization of deferred commissions84 57 40 
Deferred income taxes(6)(1)
Non-cash charitable contributions
Lease impairment charges14 — 
Loss on early extinguishment and conversion of debt— — 
(Gain) loss on strategic investments(1)(8)
Other, net
Changes in operating assets and liabilities:
Accounts receivable(87)(175)(66)
Deferred commissions(122)(171)(81)
Prepaid expenses and other assets(13)(7)(13)
Operating lease right-of-use assets