false2021FY00015439160P3YP4YP1Y66.666700015439162021-01-012021-12-310001543916us-gaap:CommonClassAMember2022-02-28xbrli:shares0001543916us-gaap:CommonClassBMember2022-02-2800015439162021-06-30iso4217:USD00015439162021-12-3100015439162020-12-31iso4217:USDxbrli:shares0001543916us-gaap:CommonClassAMember2020-12-310001543916us-gaap:CommonClassAMember2021-12-310001543916us-gaap:CommonClassBMember2020-12-310001543916us-gaap:CommonClassBMember2021-12-310001543916forg:SubscriptionTermLicensesMember2021-01-012021-12-310001543916forg:SubscriptionTermLicensesMember2020-01-012020-12-310001543916forg:SubscriptionTermLicensesMember2019-01-012019-12-310001543916forg:SubscriptionSaasSupportAndMaintenanceMember2021-01-012021-12-310001543916forg:SubscriptionSaasSupportAndMaintenanceMember2020-01-012020-12-310001543916forg:SubscriptionSaasSupportAndMaintenanceMember2019-01-012019-12-310001543916forg:PerpetualLicensesMember2021-01-012021-12-310001543916forg:PerpetualLicensesMember2020-01-012020-12-310001543916forg:PerpetualLicensesMember2019-01-012019-12-310001543916us-gaap:LicenseAndServiceMember2021-01-012021-12-310001543916us-gaap:LicenseAndServiceMember2020-01-012020-12-310001543916us-gaap:LicenseAndServiceMember2019-01-012019-12-310001543916forg:ProfessionalServicesMember2021-01-012021-12-310001543916forg:ProfessionalServicesMember2020-01-012020-12-310001543916forg:ProfessionalServicesMember2019-01-012019-12-3100015439162020-01-012020-12-3100015439162019-01-012019-12-3100015439162018-12-310001543916us-gaap:CommonStockMember2018-12-310001543916us-gaap:AdditionalPaidInCapitalMember2018-12-310001543916us-gaap:AccumulatedOtherComprehensiveIncomeMember2018-12-310001543916us-gaap:RetainedEarningsMember2018-12-310001543916us-gaap:AdditionalPaidInCapitalMember2019-01-012019-12-310001543916us-gaap:CommonStockMember2019-01-012019-12-310001543916us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-01-012019-12-310001543916us-gaap:RetainedEarningsMember2019-01-012019-12-3100015439162019-12-310001543916us-gaap:CommonStockMember2019-12-310001543916us-gaap:AdditionalPaidInCapitalMember2019-12-310001543916us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-12-310001543916us-gaap:RetainedEarningsMember2019-12-310001543916us-gaap:AdditionalPaidInCapitalMember2020-01-012020-12-310001543916us-gaap:CommonStockMember2020-01-012020-12-310001543916us-gaap:RetainedEarningsMember2020-01-012020-12-310001543916us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-01-012020-12-310001543916us-gaap:CommonStockMember2020-12-310001543916us-gaap:AdditionalPaidInCapitalMember2020-12-310001543916us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-12-310001543916us-gaap:RetainedEarningsMember2020-12-310001543916us-gaap:AdditionalPaidInCapitalMember2021-01-012021-12-310001543916us-gaap:CommonStockMember2021-01-012021-12-310001543916us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-01-012021-12-310001543916us-gaap:RetainedEarningsMember2021-01-012021-12-310001543916us-gaap:CommonStockMember2021-12-310001543916us-gaap:AdditionalPaidInCapitalMember2021-12-310001543916us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-12-310001543916us-gaap:RetainedEarningsMember2021-12-310001543916us-gaap:IPOMember2021-09-202021-09-200001543916us-gaap:IPOMember2021-09-200001543916us-gaap:OverAllotmentOptionMember2021-09-202021-09-2000015439162021-09-192021-09-190001543916us-gaap:CommonClassBMember2021-09-190001543916srt:MinimumMember2021-01-012021-12-310001543916srt:MaximumMember2021-01-012021-12-310001543916us-gaap:ComputerEquipmentMembersrt:MinimumMember2021-01-012021-12-310001543916us-gaap:ComputerEquipmentMembersrt:MaximumMember2021-01-012021-12-310001543916us-gaap:FurnitureAndFixturesMembersrt:MinimumMember2021-01-012021-12-310001543916us-gaap:FurnitureAndFixturesMembersrt:MaximumMember2021-01-012021-12-310001543916srt:MinimumMemberus-gaap:LeaseholdImprovementsMember2021-01-012021-12-310001543916us-gaap:LeaseholdImprovementsMembersrt:MaximumMember2021-01-012021-12-310001543916srt:MinimumMember2021-12-310001543916srt:MaximumMember2021-12-31forg:partner0001543916forg:SalesBasedMilestoneWarrantsMember2021-12-310001543916us-gaap:CollaborativeArrangementTransactionWithPartyToCollaborativeArrangementMember2021-01-012021-12-310001543916us-gaap:CollaborativeArrangementTransactionWithPartyToCollaborativeArrangementMember2020-01-012020-12-310001543916us-gaap:CollaborativeArrangementTransactionWithPartyToCollaborativeArrangementMember2019-01-012019-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2016-01-012016-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2018-01-012018-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2021-09-202021-09-200001543916us-gaap:RestrictedStockUnitsRSUMember2020-01-012020-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2019-01-012019-12-31xbrli:pure0001543916srt:MinimumMemberus-gaap:EmployeeStockOptionMember2021-12-310001543916us-gaap:EmployeeStockOptionMembersrt:MaximumMember2021-12-310001543916srt:MinimumMemberus-gaap:EmployeeStockOptionMember2020-12-310001543916us-gaap:EmployeeStockOptionMembersrt:MaximumMember2020-12-310001543916us-gaap:EmployeeStockOptionMembersrt:MaximumMember2019-12-310001543916srt:MinimumMemberus-gaap:EmployeeStockOptionMember2019-12-310001543916us-gaap:EmployeeStockOptionMember2021-01-012021-12-310001543916us-gaap:EmployeeStockOptionMember2020-01-012020-12-310001543916us-gaap:EmployeeStockOptionMember2019-01-012019-12-310001543916us-gaap:EmployeeStockMember2021-01-012021-12-310001543916us-gaap:EmployeeStockMembersrt:MinimumMember2021-01-012021-12-310001543916us-gaap:EmployeeStockMembersrt:MaximumMember2021-01-012021-12-310001543916srt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2020-12-310001543916srt:AmericasMember2021-01-012021-12-310001543916srt:AmericasMember2020-01-012020-12-310001543916srt:AmericasMember2019-01-012019-12-310001543916us-gaap:EMEAMember2021-01-012021-12-310001543916us-gaap:EMEAMember2020-01-012020-12-310001543916us-gaap:EMEAMember2019-01-012019-12-310001543916srt:AsiaPacificMember2021-01-012021-12-310001543916srt:AsiaPacificMember2020-01-012020-12-310001543916srt:AsiaPacificMember2019-01-012019-12-310001543916country:US2021-01-012021-12-310001543916country:US2020-01-012020-12-310001543916country:US2019-01-012019-12-310001543916country:GB2021-01-012021-12-310001543916country:GB2020-01-012020-12-310001543916country:GB2019-01-012019-12-310001543916forg:MultiYearTermLicenseMember2021-01-012021-12-310001543916forg:MultiYearTermLicenseMember2020-01-012020-12-310001543916forg:MultiYearTermLicenseMember2019-01-012019-12-310001543916forg:OneYearTermLicenseMember2021-01-012021-12-310001543916forg:OneYearTermLicenseMember2020-01-012020-12-310001543916forg:OneYearTermLicenseMember2019-01-012019-12-310001543916us-gaap:LicenseAndMaintenanceMember2021-01-012021-12-310001543916us-gaap:LicenseAndMaintenanceMember2020-01-012020-12-310001543916us-gaap:LicenseAndMaintenanceMember2019-01-012019-12-310001543916us-gaap:LicenseMember2021-01-012021-12-310001543916us-gaap:LicenseMember2020-01-012020-12-310001543916us-gaap:LicenseMember2019-01-012019-12-3100015439162022-01-01us-gaap:LicenseMember2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel1Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel2Memberus-gaap:MoneyMarketFundsMember2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel3Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMember2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel2Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMember2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel1Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel2Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel3Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMemberus-gaap:FairValueInputsLevel1Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMemberus-gaap:FairValueInputsLevel2Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMemberus-gaap:FairValueInputsLevel3Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMember2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueInputsLevel1Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel2Memberus-gaap:CorporateDebtSecuritiesMember2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueInputsLevel3Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateDebtSecuritiesMember2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasuryBondSecuritiesMemberus-gaap:FairValueInputsLevel1Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasuryBondSecuritiesMemberus-gaap:FairValueInputsLevel2Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasuryBondSecuritiesMemberus-gaap:FairValueInputsLevel3Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasuryBondSecuritiesMember2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel1Member2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel2Memberus-gaap:MoneyMarketFundsMember2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel3Member2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMember2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Member2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel2Member2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMember2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:WarrantMemberus-gaap:FairValueInputsLevel3Member2019-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:WarrantMemberus-gaap:FairValueInputsLevel3Member2020-01-012020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:WarrantMemberus-gaap:FairValueInputsLevel3Member2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:WarrantMemberus-gaap:FairValueInputsLevel3Member2021-01-012021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:WarrantMemberus-gaap:FairValueInputsLevel3Member2021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:DerivativeMemberus-gaap:FairValueInputsLevel3Member2019-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:DerivativeMemberus-gaap:FairValueInputsLevel3Member2020-01-012020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:DerivativeMemberus-gaap:FairValueInputsLevel3Member2020-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:DerivativeMemberus-gaap:FairValueInputsLevel3Member2021-01-012021-12-310001543916us-gaap:FairValueMeasurementsRecurringMemberus-gaap:DerivativeMemberus-gaap:FairValueInputsLevel3Member2021-12-310001543916us-gaap:MoneyMarketFundsMember2021-12-310001543916us-gaap:CommercialPaperMember2021-12-310001543916us-gaap:USTreasuryBondSecuritiesMember2021-12-310001543916us-gaap:AssetBackedSecuritiesMember2021-12-310001543916us-gaap:CorporateDebtSecuritiesMember2021-12-310001543916us-gaap:MoneyMarketFundsMember2020-12-310001543916forg:ComputerEquipmentAndSoftwareMember2021-12-310001543916forg:ComputerEquipmentAndSoftwareMember2020-12-310001543916us-gaap:FurnitureAndFixturesMember2021-12-310001543916us-gaap:FurnitureAndFixturesMember2020-12-310001543916us-gaap:LeaseholdImprovementsMember2021-12-310001543916us-gaap:LeaseholdImprovementsMember2020-12-310001543916forg:DebtInstrumentIssuedMarch2019Member2021-12-310001543916forg:DebtInstrumentIssuedMarch2019Member2020-12-310001543916forg:DebtInstrumentIssuedSeptember2019Member2021-12-310001543916forg:DebtInstrumentIssuedSeptember2019Member2020-12-310001543916forg:DebtInstrumentIssuedDecember2019Member2021-12-310001543916forg:DebtInstrumentIssuedDecember2019Member2020-12-310001543916forg:DebtInstrumentIssuedMarch2020Member2021-12-310001543916forg:DebtInstrumentIssuedMarch2020Member2020-12-310001543916forg:OtherDebtMember2021-12-310001543916forg:OtherDebtMember2020-12-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMember2016-03-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMember2016-03-012016-03-31forg:tranche0001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMember2016-08-012016-08-310001543916forg:LoanAndSecurityAgreementMemberforg:SeriesCRedeemableConvertiblePreferredStockMember2016-03-310001543916forg:LoanAndSecurityAgreementMemberforg:SeriesCWarrantsMember2016-03-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2017-11-012017-11-300001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2017-11-300001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMember2019-03-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMember2019-03-012019-03-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMember2019-12-012019-12-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMember2019-09-012019-09-300001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMember2019-03-012019-12-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2019-03-012019-03-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2019-09-012019-09-300001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2019-12-012019-12-310001543916forg:LoanAndSecurityAgreementMembersrt:MinimumMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2019-12-310001543916forg:LoanAndSecurityAgreementMembersrt:MinimumMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2019-03-310001543916forg:LoanAndSecurityAgreementMembersrt:MinimumMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2019-09-300001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMember2019-01-012019-12-310001543916forg:LoanAndSecurityAgreementMemberforg:SeriesDRedeemableConvertiblePreferredStockMember2019-12-310001543916forg:LoanAndSecurityAgreementMemberforg:SeriesDWarrantMember2019-12-310001543916us-gaap:SecuredDebtMemberforg:ARLoanAgreementMember2020-04-012020-04-300001543916forg:ARLoanAgreementMemberforg:SeriesDRedeemableConvertiblePreferredStockMember2020-04-300001543916forg:ARLoanAgreementMemberforg:ARLoanAgreementWarrantMember2020-04-300001543916forg:ARLoanAgreementWarrantMember2020-04-300001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2020-04-300001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2019-03-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2019-12-310001543916forg:LoanAndSecurityAgreementMemberus-gaap:SecuredDebtMemberus-gaap:PrimeRateMember2019-09-300001543916us-gaap:SecuredDebtMemberforg:ARLoanAgreementMember2020-03-012020-03-310001543916forg:ARLoanAgreementMember2021-09-012021-09-300001543916forg:ARLoanAgreementMember2021-09-3000015439162014-12-310001543916us-gaap:DomesticCountryMember2021-12-310001543916us-gaap:StateAndLocalJurisdictionMember2021-12-310001543916us-gaap:ForeignCountryMember2021-12-310001543916us-gaap:ResearchMemberus-gaap:DomesticCountryMember2021-12-310001543916us-gaap:ResearchMemberus-gaap:StateAndLocalJurisdictionMember2021-12-310001543916us-gaap:ResearchMemberus-gaap:DomesticCountryMember2020-12-310001543916us-gaap:ResearchMemberus-gaap:StateAndLocalJurisdictionMember2020-12-310001543916us-gaap:ForeignCountryMember2020-12-310001543916us-gaap:CostOfSalesMember2021-01-012021-12-310001543916us-gaap:CostOfSalesMember2020-01-012020-12-310001543916us-gaap:CostOfSalesMember2019-01-012019-12-310001543916us-gaap:ResearchAndDevelopmentExpenseMember2021-01-012021-12-310001543916us-gaap:ResearchAndDevelopmentExpenseMember2020-01-012020-12-310001543916us-gaap:ResearchAndDevelopmentExpenseMember2019-01-012019-12-310001543916us-gaap:SellingAndMarketingExpenseMember2021-01-012021-12-310001543916us-gaap:SellingAndMarketingExpenseMember2020-01-012020-12-310001543916us-gaap:SellingAndMarketingExpenseMember2019-01-012019-12-310001543916us-gaap:GeneralAndAdministrativeExpenseMember2021-01-012021-12-310001543916us-gaap:GeneralAndAdministrativeExpenseMember2020-01-012020-12-310001543916us-gaap:GeneralAndAdministrativeExpenseMember2019-01-012019-12-310001543916forg:EquityIncentivePlan2021Memberus-gaap:CommonClassAMember2021-09-300001543916forg:EquityIncentivePlan2021Member2021-09-012021-09-300001543916us-gaap:StockAppreciationRightsSARSMember2021-01-012021-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2021-09-012021-09-300001543916us-gaap:EmployeeStockMemberforg:EmployeeStockPurchasePlan2021Member2021-09-300001543916us-gaap:EmployeeStockMemberforg:EmployeeStockPurchasePlan2021Member2021-09-012021-09-300001543916us-gaap:EmployeeStockMemberforg:EmployeeStockPurchasePlan2021Member2021-01-012021-12-310001543916us-gaap:RestrictedStockUnitsRSUMembersrt:MinimumMember2021-01-012021-12-310001543916us-gaap:RestrictedStockUnitsRSUMembersrt:MaximumMember2021-01-012021-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2021-01-012021-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2021-12-310001543916us-gaap:EmployeeStockOptionMember2021-12-3100015439162021-04-012021-04-300001543916forg:SeriesARedeemableConvertiblePreferredStockMember2020-12-310001543916forg:SeriesBRedeemableConvertiblePreferredStockMember2020-12-310001543916forg:SeriesCRedeemableConvertiblePreferredStockMember2020-12-310001543916forg:SeriesDRedeemableConvertiblePreferredStockMember2020-12-310001543916forg:SeriesERedeemableConvertiblePreferredStockMember2020-12-3100015439162021-09-1900015439162021-09-242021-09-2400015439162021-09-24forg:vote0001543916us-gaap:RedeemableConvertiblePreferredStockMember2021-01-012021-12-310001543916us-gaap:RedeemableConvertiblePreferredStockMember2020-01-012020-12-310001543916us-gaap:RedeemableConvertiblePreferredStockMember2019-01-012019-12-310001543916us-gaap:EmployeeStockOptionMember2021-01-012021-12-310001543916us-gaap:EmployeeStockOptionMember2020-01-012020-12-310001543916us-gaap:EmployeeStockOptionMember2019-01-012019-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2021-01-012021-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2020-01-012020-12-310001543916us-gaap:RestrictedStockUnitsRSUMember2019-01-012019-12-310001543916forg:ConvertiblePreferredStockWarrantsAndOptionMember2021-01-012021-12-310001543916forg:ConvertiblePreferredStockWarrantsAndOptionMember2020-01-012020-12-310001543916forg:ConvertiblePreferredStockWarrantsAndOptionMember2019-01-012019-12-310001543916forg:OtherAwardsAndContingentlyIssuableSharesMember2021-01-012021-12-310001543916forg:OtherAwardsAndContingentlyIssuableSharesMember2020-01-012020-12-310001543916forg:OtherAwardsAndContingentlyIssuableSharesMember2019-01-012019-12-310001543916us-gaap:InvestorMemberforg:SeriesERedeemableConvertiblePreferredStockMember2020-04-012020-04-300001543916us-gaap:InvestorMemberforg:SeriesERedeemableConvertiblePreferredStockMember2020-04-300001543916forg:SeriesE1RedeemableConvertiblePreferredStockMemberus-gaap:InvestorMember2021-04-012021-04-300001543916forg:SeriesE1RedeemableConvertiblePreferredStockMemberus-gaap:InvestorMember2021-04-300001543916forg:KKRCoIncMemberforg:ForgeRockIncMember2021-12-310001543916srt:AffiliatedEntityMemberforg:KKRCoIncMember2021-01-012021-12-310001543916srt:AffiliatedEntityMemberforg:KKRCoIncMember2021-12-310001543916us-gaap:RestrictedStockUnitsRSUMemberforg:February2022GrantMemberus-gaap:SubsequentEventMember2022-02-202022-02-20
Table of Contents
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
______________________________
FORM 10-K
______________________________
(Mark One)
x
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 2021
OR
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the transition period from
Commission file number 001-40787
______________________________
ForgeRock, Inc.
______________________________
(Exact name of registrant as specified in its charter)
Delaware
33-1223363
(State or other jurisdiction of incorporation or organization)
(I.R.S. Employer Identification No.)
201 Mission Street Suite 2900 San Francisco CA
94105
(Address of Principal Executive Offices)
(Zip Code)
(415) 599-1100
Registrant's telephone number, including area code
Securities registered pursuant to Section 12(b) of the Act:
Title of each class
Trading Symbol(s)
Name of each exchange on which registered
Class A common stock
FORG
New York Stock Exchange
Securities registered pursuant to section 12(g) of the Act:
None
(Title of class)
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes No
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes No
Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports); and (2) has been subject to such filing requirements for the past 90 days. Yes No
Indicate by check mark whether the registrant has submitted electronically and posted on its corporate web site, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files). Yes No
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer” and “smaller reporting company” and “emerging growth company” in Rule 12b-2 of the Exchange Act. (Check one):
Large accelerated filer
Accelerated filer
Non-accelerated filer
Smaller reporting company
Emerging growth company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.

Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act). Yes No

The registrant was not a public company as of the last business day of its most recently completed second fiscal quarter and therefore, cannot calculate the aggregate market value of its voting and non-voting common equity held by non-affiliates as of such date.

The registrant had outstanding 30,879,085 shares of Class A common stock and 52,902,668 shares of Class B common stock as of February 28, 2022.
DOCUMENTS INCORPORATED BY REFERENCE

Portions of the registrant’s definitive Proxy Statement relating to our 2022 annual meeting of stockholders are incorporated by reference into Part III of this Annual Report on Form 10-stockholders. Such Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the Registrant’s fiscal year ended December 31, 2021.


Table of Contents
TABLE OF CONTENTS
Page
Item 9C.
i

Table of Contents
SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS

This Annual Report on Form 10-K contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended (the “Securities Act”), and Section 21E of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), which statements involve substantial risk and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “potential,” or “continue” or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans, or intentions. Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:

our future financial performance, including our expectations regarding our revenue, cost of revenue, operating expenses, our ability to determine reserves and our ability to achieve and maintain future profitability;
our future operational performance, including our expectations regarding ARR, dollar-based net retention rate, and the number of large customers;
the sufficiency of our cash, cash equivalents and investments to meet our liquidity needs;
the demand for our products and services or for security solutions in general, including our recently introduced SaaS offering, the ForgeRock Identity Cloud;
our ability to attract and retain customers and partners;
our ability to cross-sell to our existing customers;
our ability to develop new products and features and bring them to market in a timely manner and make enhancements to our offerings;
our ability to compete with existing and new competitors in existing and new markets and offerings;
our expectations regarding the effects of existing and developing laws and regulations, including with respect to privacy, data protection and information security, as well as taxation;
our ability to manage and insure risk associated with our business;
our expectations regarding new and evolving markets;
our ability to develop and protect our brand;
our ability to maintain the security and availability of our platform and protect against data breaches and other security incidents;
our expectations and management of future growth;
our ability to continue to expand internationally;
our expectations concerning relationships with third parties;
our ability to obtain, maintain, protect, enhance, defend or enforce our intellectual property;
our ability to successfully acquire and integrate companies and assets;
the attraction and retention of qualified employees and key personnel;
our estimated total addressable market; and
the increased expenses associated with being a public company.

We caution you that the foregoing list may not contain all of the forward-looking statements made in this Annual Report on Form 10-K.

You should not rely upon forward-looking statements as predictions of future events. We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations, and prospects. The outcome of the events described in these forward-looking statements is subject to risks, uncertainties, and other factors described in the section titled “Risk Factors” and elsewhere in this Annual Report on Form 10-K. Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time, and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this Annual Report on Form 10-K. We cannot assure you that the results, events, and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events, or circumstances could differ materially from those described in the forward-looking statements.

The forward-looking statements made in this Annual Report on Form 10-K relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this Annual Report on
1

Table of Contents
Form 10-K to reflect events or circumstances after the date of this Annual Report on Form 10-K or to reflect new information or the occurrence of unanticipated events, except as required by law. We may not actually achieve the plans, intentions, or expectations disclosed in our forward-looking statements, and you should not place undue reliance on our forward-looking statements. Our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures, or investments we may make.
2

Table of Contents
Part I
Item 1. Business
Overview

ForgeRock, Inc. (the “Company” or “ForgeRock”) supports billions of identities to help people simply and safely access the connected world — from shopping and banking to accessing company networks to get their work done. We make this possible through a unified and extensive identity platform to enable enterprises to provide exceptional digital user experiences without compromising security and privacy. This allows enterprises to deepen their relationships with customers and increase the productivity of their workforce and partners, while at the same time providing better security and regulatory compliance.

We estimate the global market opportunity for consumer, workforce, the Internet of Things (“IoT”) and services identity to be $71 billion. Identity is foundational to the growth of enterprises in the era of digital transformation because it enables enterprises to create frictionless user experiences that are both simple and secure. Digital identity has become a top priority for enterprises, and is viewed as a way to grow business and gain competitive advantage by enabling personalized, seamless, and secure omnichannel experiences. We are uniquely positioned to expand our share of this growing market by addressing emerging customer needs and by continuing to displace legacy, homegrown, and point identity solutions that cannot meet the functionality, performance, and scale that enterprises require.

Our proprietary multi-tenant SaaS architecture with complete tenant isolation enables enterprise-grade data protection and performance. We maximize performance by not throttling or rate limiting individual customer environments, which can be critical for enterprises especially during large usage spikes such as Black Friday and Cyber Monday. Our platform is purpose-built for enterprises to create natural and frictionless identity experiences while providing capabilities to secure the enterprise in a Zero Trust environment. We are unique in the identity market due to the combination of: (1) our full suite platform that works for all kinds of identities, integrates with complex environments, and operates at high scale and performance; (2) the availability of our platform through multiple deployment options; and (3) our recognition as a market leader by premier industry analysts.

Our land-and-expand business model is centered on our ability to help our customers succeed and deliver on their value expectations. Our strong dollar-based net retention rate is further driven by our continuous investments in technology innovation and significant modular additions to our product portfolio. Once customers experience the benefits of our platform, they often expand their investments with ForgeRock in four different ways – through more identities, more use cases, more product modules, and more deployments. We have successfully sold our platform to a variety of C-suite level decision makers who are driving business transformation initiatives with increasing budgets year-over-year.
The ForgeRock Identity Platform
We provide a leading modern identity platform that enables enterprises to secure, manage, and govern the identities of everything—consumers, employees and partners, APIs, microservices, devices, and IoT. More than organizations around the world leverage our platform to create seamless and secure digital experiences for collectively over three billion identities.
The ForgeRock Identity Platform includes a full suite of identity management, access management, identity governance, and AI-powered autonomous identity capabilities to serve the CIAM, AM, and IGA needs of enterprises. Our platform is deployable in a variety of configurations that can be combined, including self- managed environments such as public and private cloud environments, and through ForgeRock Identity Cloud.
1

Table of Contents
forg-20211231_g1.jpg
We provide the ability to manage multiple identity types:
Consumer. Our platform enables enterprises to provide secure digital identity experiences for their consumers. User journeys built on our platform provide recognition and personalization across channels and devices, which we believe leads to better customer acquisition, loyalty, and retention while reducing friction and fraud.
Workforce. Our platform helps enterprises increase the productivity of their employees, partners, and contingent workers by automatically enabling access to appropriate systems during the worker lifecycle. Our platform also helps reduce enterprise risk by securing system access and governing that the provisioned access is appropriate.
IoT and Services. Our platform helps enterprises secure non-human identities, including IoT, machine identities, bots, APIs, and microservices.
We have an integrated set of comprehensive services to orchestrate and secure the user identity journeys across four fundamental areas:
Identity Management. Automates the identity lifecycle process, including initial set-up, provisioning, transfers, changes, privacy considerations, security protections, and departures.
Access Management. Provides simple and secure access management, using rich context and adaptive intelligence to make continuous access decisions.
Identity Governance. Manages and reduces risk from users having excessive or unnecessary access to applications, systems, devices, and data.
Autonomous Identity. Provides an enterprise-wide view of access, streamlines and automates governance processes, and reduces risk related to digital identities.
Why Leading Enterprises Choose ForgeRock
We enable enterprises to deliver exceptional user experiences without compromising security. We provide capabilities, such as passwordless and usernameless authentication that free users from the challenges and security risks associated with weak and forgotten credentials. Further, our Intelligent Access Trees enable our customers to quickly create flexible and tailored user identity journeys allowing for frictionless, seamless, and consistent omnichannel user experiences that also result in enhanced security.
We offer a full suite of capabilities that enable enterprises to secure, manage, and govern identities in a unified modern platform. Our platform includes a full suite of identity functionality across CIAM, AM, and IGA, and a differentiated identity object modeling approach that supports all identity types. Our unified platform is built to work with enterprises’ complex landscape of applications and infrastructure and fulfill their identity needs across four fundamental areas: identity management, access management, identity governance, and autonomous identity.
2

Table of Contents
Our platform manages all identity types. Under our Identity of Everything philosophy, we built our platform for consumers, the workforce, and IoT and services. Further, our platform enables our customers to understand and set policies based on the relationships between different identities. For example, a parent and child relationship where the parent must authorize transactions on behalf of the child, or a connected car with different drivers in a household with various restrictions. While each identity has different requirements, our platform can unify the enterprise architecture and security design across multiple identity types.
For consumers, our platform enables enterprises to create personalized, simple, and secure identity journeys across multiple services and devices, regardless of where a consumer begins or continues their experience.
For the workforce, our platform enables enterprises to increase the productivity of their workforce and partners by allowing users to login from anywhere, on any device, and quickly access necessary information with enterprise-grade security. Our platform provides foundational context designed to continuously ensure users are who they say they are as well as constantly fine tune user access based on signals and other gathered information.
For IoT and services, since there are no biometrics or passwords that devices can use, our platform is designed to close the IoT security gap by allowing enterprises to create trusted identities to secure authenticity and authorization of IoT devices and their transactions or data streams. Our platform is differentiated in its ability to define identity objects and their attributes, and relationships between them.

Our platform delivers enterprise-grade performance and scalability to serve mission-critical needs. Since our launch in 2010, our capabilities around performance and scale, rich identity functionality, deployment flexibility, and extensive integration and interoperability have been purpose-built to meet the specific requirements of global enterprises. Our ability to serve mission-critical needs in complex environments for large customers enables us to grow our base of large customers and expand within each of them.
Our differentiated SaaS architecture facilitates strong customer data protection and high performance. We enable our customers to choose how they want to deploy our software in their complex, heterogeneous environments—whether it be a self-managed deployment in their private or public cloud environments, our SaaS offering, or a combination of both.
Our proprietary tenant isolation approach is designed to enhance individual customers’ data security and sovereignty. We have improved upon a typical multi-tenant SaaS architecture by never commingling customer data with each other. In addition, our customers’ data resides only in locations that the customer chooses, which enables our customers to comply with data and privacy regulations, such as the GDPR in the European Union.
Our architecture does not limit performance of individual customers. Our architecture is designed to maximize performance by not throttling or rate limiting individual customer environments. We also protect against “noisy neighbor” issues so that load from one customer will not affect another customer’s performance.
Same codebase as our self-managed platform. Our SaaS offering leverages the same codebase as our self-managed offering, which enables us to create or modify functionality that can be released on both deployments, and enables our customers utilizing our self-managed deployment to add or migrate to our SaaS deployment more easily. We enable our customers to choose how they want to deploy our software in their complex, heterogeneous environments—whether it be a self- managed deployment in their private or public cloud environments, our SaaS offering, or a combination.
Designed to be deployable as SaaS or in public and private cloud environments using DevOps. Our platform utilizes Kubernetes and Docker containerization and is deployable with DevOps workflows, and has been certified to run in GCP, AWS, Azure, or can be run on a customer’s private cloud.
3

Table of Contents
forg-20211231_g2.jpg
Extensive integrations enable our platform to be the single view of identity and provide powerful extensibility in complex and heterogeneous environments. Our platform has extensive integration capabilities that enable us to integrate with the myriad of applications and infrastructures that exist within our enterprise customers’ heterogeneous IT environments. We are also able to leverage our Trust Network, an ecosystem of partners that extend our rich native functionality with additional vertical-specific authentication, biometrics, digital identity proofing, and risk management capabilities.

Proven track record of innovation. We have consistently set the standard of innovation in the identity market, anticipating major market trends and introducing new capabilities to support them. We are a pioneer of the development of advanced capabilities, such as Identity of Everything, Intelligent Access Trees, Continuous Security, certifying deployments on public cloud and multi-cloud with DevOps, enterprise-grade SaaS, passwordless and usernameless authentication using FIDO2 Webauthn, and AI-based Autonomous Identity with proprietary algorithms to automate identity processes. We intend to continue investing to extend our leadership in the CIAM, AM, and IGA markets by developing or acquiring new products and technologies.

Management team with deep identity domain expertise. Our management team’s collective experience and deep knowledge of the identity space allows us to maintain our position as an innovation leader. Our management team is a driving force behind our vision, mission, culture, and focus on customer success. Our leadership enables us to continuously deliver products that enterprises need and want. They are also critical in building upon our culture which we believe is vital to our success.
Our Growth Strategy
Innovate and advance our platform.
Enhance SaaS. Add more products and functionality to accelerate our ForgeRock Identity Cloud platform, which we launched in 2020.
Enhance Governance. Continue to add functionality to our Governance offerings, which we launched in December 2019.
Enhance AI. Invest in AI capabilities to automate decision making and deepen the security of our platform.
Further build our Trust Network. Further develop and expand our Trust Network to help source and support relationships, provide technology, and enhance our go-to-market.
4

Table of Contents
Acquire new customers.
Brand awareness and lead acceleration. Continue to invest in our brand and demand-generation to further expand our pipeline.
Partner and alliance leverage. Continue to capitalize on key strategic partnerships and alliances, such as our alliances with GSIs, such as Accenture, Deloitte, and PwC, to win new business.
Multiple entry points. The extensive breadth of our platform facilitates new customer acquisition by allowing customers to choose from: (1) numerous product modules across identity management, access management, identity governance, and autonomous identity, (2) identity types across consumer, workforce, and IoT and services, and (3) deployments across our self- managed and SaaS offerings.
New geographies. Enter new countries within our existing global regions.
New types of buyers. Address the needs of all identity constituents within the enterprise and expand adoption beyond the C-suite to developers and business unit leaders.
Expand into midmarket. Leverage the ease of deployment of our SaaS offering to accelerate traction in smaller enterprise and mid-market organizations.
Expand within our existing customer base.
More identities. Increase the utilization of our platform as our customers grow their identity footprint within existing use cases, as well as adding new use cases.
More identity types. Cross-sell additional identity types to our customers across consumer, workforce, and IoT and services.
More product modules. Cross-sell more product modules across identity management, access management, identity governance, and autonomous identity.
More SaaS. Leverage the flexibility of our platform to allow our customers to seamlessly add or transition to our SaaS offering.
Customer success. Maintain our focus on customer success to expand within our existing customer base.
Our Products
Our products and capabilities include the following:
forg-20211231_g3.jpg
forg-20211231_g4.jpg
forg-20211231_g5.jpg
forg-20211231_g6.jpg
Onboarding/Registration and Progressive Profiling
Passwordless, Usernameless and Multi-factor Authentication
Access Requests
Predictive Confidence Scores for Access
Identity Lifecycle and Relationship Management
Single Sign-On
Access Reviews and Certifications
Overprovisioned Access Detection and Access Revocation Recommendations
Identity Provisioning and Synchronization
Contextual and Adaptive Risk-based Access
Segregation of Duties
Outlier Detection
User Self-Service
Fine-grained Authorization
Role and Entitlement Management
Identity Automation Recommendations
Personalization
API and Microservices Security
Policy Management
Role Mining and Recommendations
Delegation
Secure Impersonation and Data Sharing
Identity Workflows
Joiner, Mover, Leaver Access Automation
Privacy and Consent Management
Reporting and Analytics
Identity Management Our Identity Management product fully automates the identity lifecycle process and includes the following capabilities:
Onboarding/Registration and Progressive Profiling. Our platform facilitates the initial establishment of a digital identity at the onboarding or registration stage, including by integrating into the HR workflow for employee
5

Table of Contents
onboarding or enabling the account registration and set-up process. After registration, our platform also helps enterprises to progressively gather profile information to minimize friction.

Identity Lifecycle and Relationship Management. As the lifecycle of the consumer or workforce progresses, changes in access are often necessary. Our platform enables enterprises to automate this process, eliminating error-prone manual intervention, and providing a consistent and efficient way to create, modify, and remove accounts while maintaining a high level of security. Furthermore, our platform can understand and traverse relationships between identities and apply policies to those relationships.
Identity Provisioning and Synchronization. Our platform centralizes and automates identity provisioning and deprovisioning processes (granting and revoking access) across systems and applications within an enterprise when users join, move, or leave the identity ecosystem. With our platform, continuous updates of identity changes are synced, mapped, and reconciled in real time.
User Self-Service. Our platform empowers users to easily remember their usernames, reset their passwords, and share discrete data over time, including by progressive profiling, without interrupting the user workflow, which helps enable a frictionless user experience and boosts business operational efficiency.
Personalization. Our platform saves and gathers information in order to provide personalized and tailored identity experiences based on user preferences, demographics, device types, risk profiles, and more.
Delegation. Our platform enables the ability to grant administrative access for specific privileges without providing full administrative access. For example, we can allow users with a help desk or support role to update another user’s information without allowing them to delete user accounts or system configurations.
Privacy and Consent Management. Our platform enables users to manage their own profile details, manage data sharing preferences, understand (and reject) terms and conditions, enjoy the right to be forgotten, and understand the devices connected to their account by providing a comprehensive, standards-based profile and privacy and consent management dashboard.
Access Management – Our Access Management product provides simple and secure access management using rich context and adaptive intelligence to make continuous access decisions and includes the following capabilities:
Passwordless, Usernameless, and Multi-factor Authentication. We provide standards-based, out-of-the box usernameless and passwordless authentication based on the FIDO2 WebAuthn standard with the added convenience of biometrics. We also provide several common multi-factor authentication methods to enable users to more securely authenticate with convenience and flexibility.
Single Sign-On (SSO). We enable seamless SSO experiences across different channels, including APIs and services, and across application types, from modern to legacy.
Contextual and Adaptive Risk-based Access. We provide an array of capabilities for helping support modern Zero Trust authorization architectures. We allow customers to combine identity and device information by leveraging the ability to capture user and device context during login and at every transaction level if needed and respond to contextual changes. During use, the context is recreated and compared to context during login, allowing customers to make access alterations such as automatic throttling, data redaction, or access denials dynamically.
Fine-grained Authorization. In addition to creating detailed policies for specific user groups, permissions, and environments, our policy engine can be used to protect custom and non-HTTP-based resources such as objects, data, and IoT components.
API and Microservices Security. Our platform secures API endpoints and microservices including ingress/egress control, throttling, and authentication with our identity-aware proxy gateways, Identity Gateway and Microservices Security.
Secure Impersonation and Data Sharing. Our platform allows users to provide access to data or accounts on behalf of others in a secure and auditable way without the need to share credentials or passwords.
Identity Governance – Our Identity Governance product manages and reduces risk to enterprises from users having excessive or unnecessary access to applications, systems, devices, and data and includes the following capabilities:
Access Requests. We allow users to request access to systems or applications through integration with help desk or service ticketing systems which can then be routed automatically according to business- defined identity workflows for
6

Table of Contents
approvals. Administrators can also use our platform to provide users with automated, policy-based access based on identity and role assignments.
Access Reviews and Certifications. We allow business line managers or other users with access rights validation to quickly grant, enforce, or revoke secure access to systems and applications according to established business policies and workflows, to increase workforce productivity.
Segregation of Duties. We provide a unified view of the entitlement landscape across the enterprise, minimizing risk of segregation of duties violations that could result in a security risk or possible internal fraud.
Role and Entitlement Management. Many enterprises have different and multiple environments for their applications and services. We enable a centralized and unified view of identities, roles, and entitlements so that they can be easily managed via an extensible model.
Policy Management. We allow enterprises to define, apply, and enforce compliance policies in a preventive and detective manner, preventing toxic access combinations and ensuring regulatory compliance. Administrators can also use our platform to define policies based on the relationships between different types of identities.
Identity Workflows. We enable enterprises to connect their business processes with identity events, such as identity synchronization and reconciliation, across identity infrastructures, allowing for appropriate reviews and administrative action, to reduce enterprise risk.
Reporting and Analytics. We provide out-of-the box reporting and ad hoc querying to enable enterprises to stay on top of their identity programs and compliance postures.
AI-powered Autonomous Identity Our Autonomous Identity product provides an enterprise-wide view of access and streamlines and automates governance processes and reduces risk related to digital identities and includes the following capabilities:
Predictive Confidence Scores for Access. Using proprietary AI algorithms, our platform analyzes enterprise data to assign confidence scores for provisioned access, which highlights anomalies that should be further actioned.
Overprovisioned Access Detection and Access Revocation Recommendations. Our platform displays enterprise entitlements graphically on a user interface console to help easily detect over-provisioned access that could pose a security risk and identify high-risk access entitlement assignments that are candidates for access revocation.
Outlier Detection. Our platform flags any provisioned access for remedial action that is an outlier to predicted normal patterns.
Identity Automation Recommendations. Our platform reduces the burden on managers who otherwise must manually approve new entitlements by automatically approving high confidence, low-risk access requests and automating the re-certification of entitlements.
Role Mining and Recommendations. Our platform is designed to enable intelligent role mining by identifying redundant roles and making recommendations to reduce the number of roles in the enterprise, which can significantly improve an enterprise’s ongoing security posture.
Joiner, Mover, Leaver Access Automation. Our platform provides users with the access to applications they need to be rapidly productive during the worker lifecycle without manual review and fulfillment.
Automated Approvals and Certifications. Our platform can automate approvals and ensure that IAM and IGA systems are compliant for regulatory standards and audits by tracking assigned entitlements.
Our Technology
Our differentiated architecture and design unify Identity Management, Access Management and Governance in one end-to-end platform. It also leverages the same underlying architecture across all identity types and use cases, enabling rapid development and innovation. The technical differentiators of our platform include:
Intelligent Access Trees. Our platform includes Intelligent Access Trees, which leverage a visual designer with a drag-and-drop interface that allows enterprises to easily orchestrate, personalize, and secure user journeys to deliver meaningful user experiences without compromising security. These journeys can incorporate real-time digital signals such as device, contextual, behavioral, analytics, and risk-based factors to provide more personalized experiences that incorporate user-choice, omni-channel user recognition and better security.
7

Table of Contents
“Identity of Everything.” While traditional IAM struggles to manage non-human identities, our flexible data model can define any kind of identity object and its attributes, which provides enterprises the flexibility of managing multiple identity types, including non-human identities.
Open Platform. Our platform was built to integrate with complex enterprise environments, which consist of heterogeneous cloud and data center environments, myriad on-premise and SaaS applications, corporate- and personally-owned devices, and emerging IoT services. Enterprises need cohesiveness across their IT environments and we make this possible through our technology stack:
Identity Gateway. Our Identity Gateway is a lightweight, flexible, and high-performance proxy that can provide identity services and security to web or application traffic. Acting as a bridge between legacy and modern web applications and identity management platforms, it enables the transition of identity integration of the application from legacy to modern.
SDKs. Our SDKs allow developers to quickly integrate identity to web or mobile applications without needing to understand the inner-workings of identity. Leveraging our Intelligent Access Trees, the SDKs step through each stage of a user journey via callbacks empowering developers to build applications that can handle changes in journeys in real time without the need to redeploy the application. They have the option to collect device profile information and automatically generate device fingerprints into the user’s profile.
Microservices Security. Our lightweight, high performance sidecar proxy can be deployed directly into the namespace of microservices to provide east-west service-to-service security while integrating identity into the services.
Policy Agents. Our policy agents are designed to plug directly into application servers to ease integration of identity into legacy applications, protecting them from unauthorized access.
Identity Edge Controller. We provide a device-embeddable controller that can bring identity security to the edge of where code runs, including physical things.
ICF Connectors. We leverage the standards-based Identity Connector Framework (ICF) to connect to multiple systems and applications by provisioning and synchronizing identities between them.
APIs. Our platform is REST API enabled, which provides enterprises with the flexibility to integrate deeply.
Extensibility. We provide extensive hook points in the platform that enable enterprises to extend core functionality with plug-ins and scripting to meet virtually any business need.
Open Standards. We provide support for major identity standards such as OAuth2, SAML, OIDC, and SCIM, and we embrace new open standards such as delivering an early integration with FIDO2 WebAuthn passwordless authentication standards or the UMA protocol.
Scale and Performance. Our platform is used to manage billions of identities globally. This is made possible by some key design principles:
High Availability. Our applications including our next-generation directory services provide the ability to deploy in highly-available configurations that provide resiliency against unforeseen events as well as the ability to perform maintenance with no downtime.
Stateless and Stateful Session Management. Our highly flexible session management enables both stateless and stateful sessions. Stateless session management allows for highly distributed elastic deployments with nearly unlimited horizontal scalability. Stateful session management enables complex, multi-site failover environments to always be highly available to end-users.
Horizontally Scalable. Our platform allows deployments to be horizontally scaled to meet the most demanding performance requirements.
SaaS Architecture. Our proprietary SaaS architecture has been purpose-built to solve real world enterprise problems, recognizing that most enterprises have complex IT environments and need a IAM solution that fits their environments.
Multi-tenant SaaS with Complete Tenant Isolation. Our proprietary SaaS architecture provides multi-tenant service with complete tenant isolation. Because each customer tenant in our Cloud is isolated, they are insulated from performance concerns arising from other customer usage. Furthermore, being isolated means a customer’s data is not co-mingled with any others.
8

Table of Contents
One Platform, Any Cloud. ForgeRock utilizes one core platform for all deployment scenarios, SaaS and self-managed. This enables enterprises to meet their IT requirements with the same technology and enables an easier transition from on-premise to cloud for their applications and workloads.
Extreme Flexibility. The ForgeRock Identity Cloud treats both cloud and on-premise applications the same way. It can even co-exist with other legacy IAM solutions running on premise. Enterprises can also quickly augment legacy systems with new capabilities such as Intelligent Access Trees and multi-factor authentication while planning and executing on their cloud migration strategy.
Continuous Integration/Continuous Delivery Compatible. Identity is a critical enterprise technology and needs protection from user mistakes, such as accidentally deleting a critical configuration or set of identities. The ForgeRock Identity Cloud provides development, staging, and production environments, and both staging and production environments are immutable, so that changes are promoted from one environment to the next, protecting enterprises from unexpected changes or mistakes.
Proprietary AI Technology. Our proprietary AI technology deploys using a microservices architecture that scales linearly as the load increases. It is capable of quickly processing millions of access points and allows enterprises to configure the machine learning process and prune less productive rules. Enterprises can run analyses, predictions, and recommendations frequently to improve the machine learning process. Our Analytics Engine provides transparent and explainable results that lets enterprises get insight into why end-users have the access they have or what access they should have.
Our Customers

Our customer base includes many of the world’s leading brands and includes direct and indirect customers, of which direct customers are those we contract with directly (whether sourced by us or through a partner or reseller), and indirect customers include customers that receive the benefit of using components of our software by contracting with certain third parties such as resellers, system integrators, managed service providers, or other channel partners, as well as with original equipment manufacturers (“OEMs”).

We focus on the number of large customers because it represents our ability to land-and-expand with large enterprises and the number of large customers is a key indicator of our ability to grow our business and revenue in future periods. We define a large customer as a customer with $100,000 or greater Annual Recurring Revenue (“ARR”) as of a measurement date. As of December 31, 2021, 2020 and 2019, we had 394, 325 and 275 large customers with $100,000 of ARR or greater, respectively, representing 90%, 86% and 81% of our total ARR as of such dates. All of our large customers are direct customers. No single customer accounted for more than 3% of our total ARR or 10% of our total revenue in 2021, 2020 and 2019.

Our customers are based in more than 50 countries and across a diverse set of industries.
Marketing, Sales and Partners
Marketing
Our marketing organization is focused on building our brand reputation, increasing awareness of our platform, and driving customer demand. As part of these efforts, we execute on content marketing, search engine optimization and awareness ads, social media, press and news coverage, industry analyst recognition, and customer success stories, among other initiatives. We also continuously strengthen our position as a thought leader in our industry by participating in speaking engagements where we provide expert advice, updates on the state of the digital identity industry, and educate the public about the importance of digital identity and our platform.
Sales
We sell our platform through our direct sales organization, which is composed of our major account executives, solution engineers, sales development representatives, customer success managers, and partner representatives. Our direct sales teams are located in geographic regions near our customers and prospective customers, such as North and South America (Americas), EMEA and APAC. This enables our direct sales teams to effectively target enterprises in these regions, engage in timely dialogue with them to assess and provide solutions for their digital identity needs, close the sale, implement our platform, and support their ongoing needs with our dedicated customer success managers. Our ongoing support and dialogue with our
9

Table of Contents
customers fosters a “land-and-expand” business model where customers typically purchase one identity type initially and expand by adding more identities, use cases, product modules, and deployments.
Partners

Our strong network of strategic global channel partners source and influence opportunities for us, providing leverage and execution capabilities across the globe. These strategic global channel partnerships not only provide us with a significant source of lead generation but also a global network of certified and trained implementation professionals. Our alliances, including global strategic consulting firms and global systems integrators (“GSIs”), such as Accenture, Deloitte, and PwC, often promote our platform as part of large-scale digital transformation projects they drive by identifying opportunities in which our platform can help accelerate business initiatives and improve user experience. We also partner with leading regional consulting firms and implementation partners. These highly skilled regional partners not only provide subject-matter expertise in the implementation of specific use cases, but they also act as an extension of our direct sales force by identifying and referring opportunities to us.
We also acquire customers through OEM partners or customers who utilize components of our platform to deliver services and strategic alliance partners such as Google Cloud, where ForgeRock is a premier partner for digital identity. Our partners help source and support relationships with new and existing customers, as well as provide technology and go-to-market benefits.

We foster an ecosystem of Trust Network partners that enhance the value of our platform to enterprise customers by providing complementary technologies in categories such as strong authentication, risk and fraud management, behavioral biometrics, and identity proofing and enrichment. These technologies seamlessly plug into our platform through our Intelligent Access Trees.
Research and Development
Continued investment in research and development is critical to our business. We believe our research and development efforts are imperative to maintaining and extending our competitive advantage. Our research and development efforts are focused primarily on building industry leading solutions, addressing all primary use cases, enhancing deployment flexibility and providing seamless integration across cloud and on-premise applications. We regularly release updates to our platform which incorporate new features and enhancements to existing ones.
We have invested considerable time and resources into building a world-class research and development organization that continually enhances our broad, market-leading platform. Our research and development employees are primarily located in the United States, the United Kingdom, and France. We continue to invest in our platform to maintain and extend our market leadership.
Competition
The IAM market in which we operate is characterized by intense competition, constant change, and innovation. We face competition from (1) legacy providers such as CA Technologies, IBM and Oracle, (2) cloud- only providers such as Okta, (3) companies that provide only a subset of functionality across identity, access and governance such as Okta, Ping and SailPoint, and (4) homegrown solutions that are designed to solve a limited identity use case and are difficult to secure, maintain and scale, and quickly become obsolete. Microsoft and other companies that offer a broad array of IT solutions also compete in our market.
We believe the principal competitive factors in our market are:
enterprise-grade scalability and performance;
breadth of use cases supported by a single platform or solution;
ability to serve the most complex and largest identity environments;
single view of all identities in one unified platform;
reliability and effectiveness in maintaining secure identity management;
ability to deploy in a variety of environments;
10

Table of Contents
ability of customers to use a platform or solution to achieve and maintain compliance with compliance standards and audit requirements;
ease of integration with an organization’s existing IT infrastructure and security investments;
capability for customization and configurability;
speed at which a platform can be deployed;
ease of use;
customer experience;
total cost of ownership;
strength of sales and marketing efforts, including partner relationships;
global reach and customer base;
brand awareness and reputation;
innovation and thought leadership; and
quality of professional services and customer support.
We believe we compete favorably on these factors. However, some of our current and potential future competitors may enjoy competitive advantages, such as greater name recognition, longer operating histories, larger market share, larger existing user bases and greater financial, technical, and other resources.

Intellectual Property

Our success depends in part on our ability to obtain, maintain, protect, defend, and enforce our intellectual property. We rely on a combination of patent, copyright, trademark, and trade secret laws in the United States and certain other jurisdictions, as well as contractual restrictions, to protect our intellectual property rights. We also license certain software and other intellectual property from third parties for integration into our product solutions, including open source software and other software available on commercially reasonable terms.

As of December 31, 2021, we owned two issued U.S. patent and 16 pending U.S. patent applications relating to certain aspects of our technology. Our two issued U.S. patents are expected to expire in 2039 and 2040, assuming payment of all appropriate maintenance, renewal, annuity or other fees, and without taking into account any possible patent term adjustments or extensions. We cannot assure you that any of our pending patent applications will result in the issuance of a patent or whether the examination process will require us to narrow our claims. Our existing patents and any patents that are issued in the future may be contested, circumvented, found unenforceable, narrowed in scope or invalidated, and we may not be able to prevent third parties from infringing, misappropriating or otherwise violating them or any of our other intellectual property rights. Furthermore, our competitors or other third-parties may also claim that our technology infringes, misappropriates or otherwise violates their intellectual property rights. With regard to our brand, we have registered “ForgeRock” as a trademark in the United States, the European Union, Norway, and China. We have significant international operations and intend to continue to expand these operations, and effective patent, copyright, trademark, trade secret, and other intellectual property protection may not be available or may be limited in foreign countries.

We control access to, and use of, our solutions and other confidential and proprietary information through the use of internal and external controls, including contractual protections with employees, contractors, customers, partners, and other third parties. Despite our efforts to protect our trade secrets and proprietary rights through intellectual property rights, licenses, contractual provisions, and confidentiality and invention assignment agreements, unauthorized parties may still copy or otherwise obtain and use our software, technology, trade secrets, or proprietary or confidential information, and such risks may increase as we attempt to expand into jurisdictions where such rights are less easily enforced, or are more subject to reverse engineering or misappropriation due to local legal requirements. For more information, see the section titled “Risk Factors – Risks Related to Our Intellectual Property.”
Government Regulation
We are subject to various federal, state, local, and foreign laws and regulations, including those relating to data privacy, protection and security, intellectual property, employment and labor, workplace safety, consumer protection, anti-bribery, import and export controls, immigration, federal securities, and tax. In addition, we are subject to various laws and regulations
11

Table of Contents
relating to the formation, administration, and performance of contracts with our customers in heavily regulated industries and the public sector, which affect how we and our partners do business with such customers. Additional laws and regulations relating to these areas likely will be passed in the future, and these or existing laws and regulations may be interpreted or enforced in new or expanded manners, each of which could result in significant limitations on how we operate our business. New and evolving laws and regulations, and changes in their enforcement and interpretation, may require changes to our platform, offerings or business practices, and may significantly increase our compliance costs and otherwise adversely affect our business, financial condition, and results of operations. As our business expands to include additional platform functionalities and offerings, and our operations continue to expand internationally, our compliance requirements and costs may increase, and we may be subject to increased regulatory scrutiny.
See the section titled “Risk Factors – Risks Related to Our Legal and Regulatory Environment” for additional information about the laws and regulations we are subject to and the risks to our business associated with such laws and regulations.
Data Privacy and Cybersecurity
Many jurisdictions have enacted or are considering enacting or revising privacy, data protection or information security legislation, including laws, rules and regulations applying to the collection, use, storage, transfer, disclosure, or other processing of personal data, including for purposes of marketing and other communications.

For example, in June 2018, California enacted the California Consumer Privacy Act (“CCPA”), which took effect on January 1, 2020 and established a new privacy framework for covered businesses such as ours. The CCPA broadly defines personal information and gave California residents expanded privacy rights and protections, such as affording them the right to access and request deletion of their information and to opt out of certain sharing and sales of personal information. The CCPA provides for severe civil penalties and statutory damages for violations and a private right of action for certain data breaches that result in the loss of personal information. In November 2020, California voters passed the California Privacy Rights Act of 2020 (“CPRA”). Effective in most material respects starting on January 1, 2023, the CPRA imposes additional obligations on companies covered by the legislation and will significantly modify the CCPA, including by expanding the CCPA with additional data privacy compliance requirements that may impact our business. The CPRA also establishes a regulatory agency dedicated to enforcing the CCPA and the CPRA. Other state legislatures are currently contemplating, and have passed or may pass, their own comprehensive data privacy and security laws, with potentially greater penalties and more rigorous compliance requirements relevant to our business. Following the enactment of the CCPA, in 2021, Virginia enacted the Virginia Consumer Data Protection Act of 2021, and Colorado enacted the Colorado Privacy Act, each of which shares similarities with the CCPA. Additionally, many state legislatures have already adopted legislation that regulates how businesses operate online, including measures relating to privacy, data security, data breaches, and the protection of sensitive and personal information.
Internationally, many jurisdictions have established their own legal frameworks governing privacy, data protection, and information security with which we may need to comply. For example, the EU has adopted the GDPR, which went into effect in May 2018 and contains numerous requirements and changes from previously existing EU law, including more robust obligations on data processors and heavier documentation requirements for data protection compliance programs. The GDPR requires data controllers to implement more stringent operational requirements for processors and controllers of personal data, including, for example, transparent and expanded disclosure to data subjects about how their personal data is to be used, imposes limitations on retention of information, introduces mandatory data breach notification requirements, and sets higher standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities. The GDPR also imposes strict rules on the transfer of personal data to countries outside the EEA, including the United States. Other countries have also passed or are considering passing laws requiring local data residency or restricting the international transfer of data. Additionally, many jurisdictions outside the United States and EEA in which we have operations or for which such jurisdictions’ laws or regulations may apply to us or our operations, including Canada, Australia, the United Kingdom, New Zealand, and Singapore, maintain laws and regulations relating to privacy, data protection, and information security that provide for extensive obligations in connection with the use, collection, protection, and processing of personal data. Many of these legal regimes provide for substantial fines, penalties, or other consequences for noncompliance. We may be required to implement new measures or policies, or change our existing policies and measures or the features of our platform, in an effort to comply with U.S. and international laws, rules, and regulations relating to privacy, data protection and information security, which may require us to expend substantial financial and other resources and which may otherwise be difficult to undertake.
Although we are working to comply with applicable federal, state, and foreign laws, rules and regulations, industry standards, contractual obligations and other legal obligations that apply to us, those laws, rules, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another, other requirements or legal obligations, our practices or the features of our platform.
12

Table of Contents

Any failure or perceived failure by us to comply with federal, state or foreign laws, rules or regulations, industry standards, our internal or external privacy policies, contractual or other legal obligations relating to privacy, data protection or information security, or any actual, perceived or suspected security breach or incident, whether or not resulting in unauthorized access to, unavailability of, or acquisition, release, transfer, or other processing of personal data or other data, may result in enforcement actions and prosecutions, private litigation, significant fines, penalties and censure, claims for damages by customers and other affected individuals, regulatory inquiries and investigations or adverse publicity and could cause our customers to lose trust in us, any of which could have an adverse effect on our reputation and business. For more information, see “Risk Factors — Risks Related to Legal and Regulatory Environment — We are subject to stringent laws, rules and regulations regarding privacy, data protection and information security. Any actual or perceived failure by us to comply with such laws, rules and regulations, the privacy or security provisions of our privacy policy, our contracts or other legal or regulatory requirements could result in proceedings, actions or penalties against us and materially adversely affect our business.”
Our Culture and People

Our People

Our most valuable asset is our people. ForgeRock is the place where the best people do their best work. As of December 31, 2021, we had 786 full-time employees, of which approximately 48% were in the United States and 52% were in our international locations. We supplement our workforce with contractors and consultants. We strive to drive a positive employee experience and maintain a good relationship with our people. Our priority is to attract the best, diverse workforce and at the same time, engage and grow our global team.

Values

Our culture and values are critical to our success. Our values guide our interactions, business, our product development, our practices and our brand. Our values have delivered tangible financial and operational benefits for our customers, employees and stockholders. As our company continues to evolve and grow, these six values remain constant:
forg-20211231_g7.jpg

Diversity, Inclusion, and Belonging

Diversity, Inclusion, and Belonging are how we talk about our business. It is not just about listening and responding to our employees but about the focus and commitment to becoming more inclusive and demonstrating that in our actions and results.
13

Table of Contents
Creating a workplace that is safe, supportive and inclusive attracts talent and helps ensure our current talent stays and grows at ForgeRock.

Compensation, Benefits and Wellness

ForgeRock provides robust compensation, global benefits and wellness programs that help support the varying needs of our employees. In addition to market-competitive base pay, short-term incentives and long-term equity incentives, our total rewards program includes comprehensive employee benefits and a variety of other health and wellness resources. We are committed to fair compensation and opportunity in our workplace. We have a pay for performance framework, including market reference range scale for compensation, and an always-on performance evaluation and feedback system. Wellness is embedded in our benefits and the employee engagements we design. The overall health and safety of each of our employees is imperative. It is important with the evolving landscape of hybrid work.

In addition, we are intentional in our approach to supporting the mental well-being of our people. Our value of “Balance Matters” encourages our people to take the time to ensure both professional and personal commitments get the attention they require. We have hosted mental and emotional health workshops and speaking events as well as provide mental health resources and access to support throughout our locations.

Future of Work

ForgeRock has a mission to enable our customers to simply and safely access the connected world. Those two sentiments, simple and safe, are at the center of our launch into a new way of working. Our beliefs and strategies are helping us shape the vision around the future of work at ForgeRock. Since the pandemic began, we have used a data driven approach to determine how we would ensure the health and safety of our people while continuing to deliver for our customers and partners. Our employees have adapted incredibly well to the changing work environment with many team members on-boarding during the COVID-19 pandemic. We embrace a level of flexibility as it relates to how and where we do our work.

We know that work styles and preferences are different for everyone. Similar to our business philosophy and how we serve our customers, we do not apply a one-size-fits-all approach to how we work. We believe work is what you do, not where you do it. We are flexible and balance the needs of our people while also working to accommodate individual work preferences and supporting the health, safety and wellness of our people.

Growth and Development

One of our values is “Grow and Learn” and for that we continue to invest resources to develop talent and actively foster a learning culture where employees are empowered to grow personally and professionally. We offer new employee induction/onboarding and training programs to prepare our employees for career growth and individual development. We know that managers play an important role in how our employees feel about their work and their impact and the potential for growth. For that reason we are investing in the capabilities of our leaders through enablement sessions, coaching and external thought leadership.

Corporate Information

We were formed in October 2009 as ForgeRock AS under the laws of Norway. In February 2012, we underwent a reorganization and incorporated as ForgeRock, Inc. under the laws of the state of Delaware. Our principal executive offices are located at 201 Mission Street, Suite 2900, San Francisco, California 94105, and our telephone number is (415) 599-1100. Our Class A common stock is listed on the New York Stock Exchange (the “NYSE”) under the symbol “FORG.”

Available Information

Our website is located at www.forgerock.com, our investor relations website is located at investors.forgerock.com, and our blog is located at www.forgerock.com/blog. We have used, and intend to continue to use, our investor relations website, our blog, press releases, public conference calls and webcasts to disclose material non-public information and to comply with our disclosure obligations under Regulation FD. The following filings are available through our investor relations website after we file them with the SEC: Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, current reports on Form 8-K, and our Proxy Statement for our annual meeting of stockholders. These filings are also available for download free of charge on our investor relations website. The SEC also maintains an Internet website that contains reports, proxy statements and other information about issuers, like us, that file electronically with the SEC. The address of that website is www.sec.gov. The
14

Table of Contents
contents of these websites are not incorporated into this filing. Further, the Company’s references to the URLs for these websites are intended to be inactive textual references only.

15

Table of Contents
Item 1A. Risk Factors
Investing in our Class A common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below, together with all of the other information in this Annual Report on the Form 10-K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes. Our business, financial condition, and results of operations could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material. If any of the risks actually occur, our business, financial condition, and results of operations could be adversely affected. In that event, the market price of our Class A common stock could decline, and you could lose part or all of your investment. Additional risks and uncertainties not presently known to us or that we currently deem immaterial also may impair our business, financial condition, and results of operations.
Risk Factor Summary
The material risks that may affect our business, financial condition or results of operations include, but are not limited to, those relating to the following:

Risks Related to Our Business and Industry
We have a history of losses, and we expect to incur losses for the foreseeable future.
We may not continue to grow on pace with historical rates.
We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
If we fail to manage our growth effectively, we may be unable to execute our business plan, maintain high levels of service and customer satisfaction or adequately address competitive challenges.
We have a limited operating history, which makes it difficult to predict our future results of operations.
If we fail to innovate in response to rapid technological change, evolving industry standards, and changing customer needs, requirements or preferences, our business, financial condition, and results of operations could be adversely affected.
If we are unable to efficiently acquire new customers, retain our existing customers or expand the level of adoption of our platform with our existing customers, our business, financial condition, and results of operations could be adversely affected.
Our quarterly results are likely to fluctuate and as a result may adversely affect the trading price of our common stock.
If our solutions have or are perceived to have defects, errors, or vulnerabilities, or if we otherwise fail or are perceived to fail to provide secure and frictionless user experiences, our brand and reputation could be harmed, which could adversely affect our business, financial condition, and results of operations.
If we or our third-party service providers experience a security breach or incident that allows, or is perceived to allow, unauthorized access to our platform or our customers’ data, our reputation, business, financial condition, and results of operations could be adversely affected.

Risks Related to Our Dependence on Third Parties

If we are unable to build and maintain successful relationships with our partners, our business, financial condition and results of operations could be adversely affected.
Defects in or the loss of access to software or services from third parties could increase our costs and adversely affect the quality of our platform.
Certain estimates and information that we refer to publicly are based on information from third-party sources and we do not independently verify the accuracy or completeness of the data contained in such sources or the methodologies for collecting such data, and any real or perceived inaccuracies in such estimates and information may harm our reputation and adversely affect our business.

Risks Related to Our Intellectual Property

We use open source software in our platform and offerings, which could negatively affect our ability to offer our platform and expose us to litigation or other actions.
If we fail to adequately obtain, maintain, defend, protect, or enforce our intellectual property or proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate less revenue, and incur costly litigation.
16

Table of Contents
If we cannot license rights to use technologies on reasonable terms, we may not be able to commercialize new products in the future.
If we are subject to a claim that we infringe, misappropriate, or otherwise violate a third party’s intellectual property rights, our business, financial condition or results of operations could be adversely affected.

Risks Related to Our Legal and Regulatory Environment

Our business is subject to a wide range of laws and regulations, many of which are evolving, and failure to comply with such laws and regulations could harm our business, financial condition and results of operations.
We are subject to stringent laws, rules, and regulations regarding privacy, data protection and information security. Any actual or perceived failure by us to comply with such laws, rules, and regulations, the privacy or security provisions of our privacy policy, our contracts or other legal or regulatory requirements could result in proceedings, actions, or penalties against us and materially adversely affect our business.

Risks Related to Ownership of Our Class A Common Stock

We are an “emerging growth company” and the reduced disclosure requirements applicable to emerging growth companies may make our Class A common stock less attractive to investors.
The dual-class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock (or options or other securities convertible into or exercisable for our capital stock) prior to the completion of our initial public offering, which will limit your ability to influence the outcome of important transactions, including a change in control.

Risks Related to Our Business and Industry
We have a history of losses, and we expect to incur losses in the future.
We have incurred net losses in each year since our inception, including net losses of $47.8 million, $41.8 million and $36.9 million in 2021, 2020, and 2019, respectively. As of December 31, 2021 and 2020, we had an accumulated deficit of $263.8 million and $216.1 million, respectively. We expect to continue to incur net losses in the future. Because the market for our platform is rapidly evolving and has not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to continue to increase over the next several years as we hire additional personnel, particularly in sales and marketing, expand and improve the effectiveness of our distribution channels, expand our operations and infrastructure, both domestically and internationally, pursue business combinations and continue to develop our platform. As we transition and develop as a public company, we may incur additional legal, accounting, and other expenses that we did not incur historically. If our revenue does not increase to offset these increases in our operating expenses, we will not be profitable in future periods. Any failure by us to achieve or sustain profitability on a consistent basis could cause the value of our common stock to decline.
We may not continue to grow on pace with historical rates.
We have experienced rapid growth in recent periods, and we may not sustain our current growth rates. Our ARR increased to $183 million as of December 31, 2021 from $136 million as of December 31, 2020, and our revenue increased to $176.9 million in 2021 from $127.6 million in 2020. However, you should not rely on our key business metrics or results of operations for any previous quarterly or annual period (or the growth rate relating to such metrics or results) as any indication of future growth rates or operating results. In particular, our revenue growth rate and ARR has fluctuated in prior periods. We expect our revenue growth rate to continue to fluctuate over the short term. In future periods, our revenue growth and ARR could slow or our revenue could decline for a number of reasons, including slowing demand for or adoption of our platform and offerings, increasing competition, any failure to gain or retain customers or partners, a decrease in the growth of our overall market, changes to technology or our failure, for any reason, to continue to capitalize on growth opportunities. In addition, our revenue growth rate and ARR may experience increased volatility due to global societal and economic disruption, including the COVID-19 pandemic and the ongoing geopolitical tensions related to Russia’s actions in Ukraine. As a result, our past financial performance should not be considered indicative of our future performance. If our revenue growth rate and ARR declines, investors’ perceptions of our business and the market price of our common stock could be adversely affected. Additionally, our ARR does not adjust for the timing impact of revenue recognition for specific performance obligations identified within a contract. Therefore, our ARR growth in any given period may not result in a similar growth rate for revenue. Our revenue is also affected by the overall growth in our business and changes in our revenue mix of self-managed subscriptions and SaaS subscriptions. As a result, our year-over-year growth rates for total revenue may not be comparable due to changes in our revenue mix.
17

Table of Contents
We face intense competition, especially from larger, well-established companies, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
The identity and access management market is intensely competitive, and we expect competition to increase in the future from established competitors and new market entrants. We face competition from (1) legacy providers such as CA Technologies, IBM and Oracle, (2) cloud-only providers such as Okta, (3) companies that provide a subset of functionality across identity, access and governance such as Okta, Ping, and SailPoint, and (4) homegrown solutions that are designed to solve a limited identity use case. We also compete with other companies that offer a broad array of IT solutions that compete in our market.
With the continued increase in merger and acquisition transactions in the technology industry, particularly transactions involving cloud-based technologies, there is a significant likelihood that we will compete with other large technology companies in the future. For example, other technology companies could acquire or develop an identity and access management or digital identity platform that competes directly with our platform. These companies have significant name recognition, considerable resources and existing IT infrastructures and powerful economies of scale and scope, which allow them to rapidly develop and deploy new solutions. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages such as greater name recognition and brand awareness, longer operating histories, larger customer bases, larger sales and marketing budgets and resources, broader distribution and established relationships with partners and customers, greater professional services and customer support resources, greater resources to make acquisitions and enter into strategic partnerships, lower labor and research and development costs, larger and more mature intellectual property portfolios and substantially greater financial, technical and other resources. Certain of our competitors may also have greater ease of implementation of their products with customers in our market, as well as flexibility, scale, and breadth of integration points.
In addition, some of our larger competitors have substantially broader product offerings and leverage their relationships based on other products they offer or incorporate functionality into existing products to gain business in a manner that discourages users from purchasing our offerings, including through selling at zero or negative margins, product bundling or closed technology platforms. Potential customers may also prefer to purchase from their existing suppliers rather than a new supplier regardless of product performance or features. Our larger competitors often have broader product lines and market focus and are less susceptible to downturns in a particular market. Our competitors may also seek to repurpose their existing offerings to provide identity solutions with subscription models. Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering by our competitors or continuing market consolidation. Further, industry trends, such as the migration to cloud and the transition to Zero Trust, could give competitors an advantage in the market if they are better positioned to address such industry trends. Additionally, start-up companies that innovate and large competitors that are making significant investments in research and development may invent similar or superior products and technologies that compete with our solutions or solution packages.
Consolidation in the markets in which we compete may affect our competitive position. This is particularly true in circumstances where customers are seeking to obtain a broader set of solutions and services than we are currently able to provide. In addition, some of our competitors may enter into new alliances with each other or may establish or strengthen cooperative relationships with system integrators, third-party consulting firms, or other parties. Any such consolidation, acquisition, alliance, or cooperative relationship could lead to pricing pressure and loss of our market share and could result in a competitor with greater financial, technical, marketing, service, and other resources, all of which could harm our ability to compete. Furthermore, organizations may be more willing to incrementally add solutions to their existing infrastructure from competitors than to replace their existing infrastructure with our offerings. Any failure to meet and address the foregoing could adversely affect our business, financial condition, and results of operations.
If we fail to manage our growth effectively, we may be unable to execute our business plan, maintain high levels of service and customer satisfaction or adequately address competitive challenges.
We have experienced, and may continue to experience, rapid growth, and organizational change, which has placed, and may continue to place, significant demands on our management and our operational and financial resources. Our employee headcount grew to 786 as of December 31, 2021 from 680 as of December 31, 2020. Employee growth has occurred both at our headquarters and in a number of locations across the United States and internationally. Our ability to manage our growth effectively and to integrate new employees and technologies into our existing business will require us to continue to expand our operational and financial infrastructure and to continue to effectively integrate, develop, and motivate a large number of new employees, while maintaining the beneficial aspects of our culture.
18

Table of Contents
Continued growth could challenge our ability to develop and improve our operational, financial and management controls, enhance our reporting systems and procedures, recruit, train, and retain highly skilled personnel and maintain customer satisfaction. In addition, we have encountered and will continue to encounter risks and challenges frequently experienced by growing companies in evolving industries, including market acceptance of our platform and offerings, intense competition, and our ability to manage our costs and operating expenses. We must continue to improve and expand our IT and financial infrastructure, operating, and administrative systems and relationships with various partners and other third parties. Additionally, we currently have international operations in Canada, France, Germany, Norway, Sweden, the United Kingdom, Australia, New Zealand, and Singapore, and we may continue to expand our international operations in these jurisdictions or other countries in the future. Our expansion has placed, and our expected future growth will continue to place, a significant strain on our managerial, research and development, sales and marketing, administrative, financial, and other resources. If we are unable to manage our continued growth successfully, our business, financial condition, and results of operations could suffer. In addition, as we expand our business, it is important that we continue to maintain a high level of customer service and satisfaction. As our customer base continues to grow, we will need to expand our account management, customer service and other personnel, and our network of partners, to provide personalized account management and customer service. If we are not able to continue to provide high levels of customer service, our reputation, as well as our business, financial condition, and results of operations could be adversely affected.
We have a limited operating history, which makes it difficult to predict our future results of operations.
We were formed in 2009 and we have since frequently expanded our platform features and offerings and evolved our pricing methodologies. Our limited operating history and evolving business make it difficult to evaluate our future prospects and the risks and challenges we may encounter. These risks and challenges include our ability to:
accurately forecast our revenue and plan our expenses;
increase the number of new customers and retain and expand relationships with existing customers;
successfully introduce new offerings and services;
successfully compete with current and future competitors;
successfully expand our business in existing markets and enter new markets and geographies;
anticipate and respond to macroeconomic and technological changes and changes in the markets in which we operate;
maintain and enhance the value of our reputation and brand;
maintain and expand our relationships with partners;
successfully execute on our sales and marketing strategies;
adapt to rapidly evolving trends in the ways consumers interact with technology;
hire, integrate, and retain talented technology, sales, customer service, and other personnel; and
effectively manage rapid growth in our personnel and operations.
If we fail to address the risks and difficulties that we face, including those associated with the challenges listed above as well as those described elsewhere in this “Risk Factors” section, our business, financial condition, and results of operations could be adversely affected. Further, because we have limited historical financial data and operate in a rapidly evolving market, any predictions about our future revenue and expenses may not be as accurate as they would be if we had a longer operating history or operated in a more predictable market. We have encountered in the past, and will encounter in the future, risks and uncertainties frequently experienced by growing companies with limited operating histories in rapidly changing industries. If our assumptions regarding these risks and uncertainties, which we use to plan and operate our business, are incorrect or change, or if we do not address these risks successfully, our results of operations could differ materially from our expectations and our business, financial condition, and results of operations could be adversely affected. Additionally, we recently launched our SaaS offering, and it is in the early stages of customer adoption. Our SaaS offering may prove to be difficult to scale, or encounter other difficulties and such difficulties could cause our results of operations to differ materially from our expectations and our business, financial condition, and results of operations could be adversely affected.
19

Table of Contents
If we fail to innovate in response to rapid technological change, evolving industry standards and changing customer needs, requirements or preferences, our business, financial condition, and results of operations could be adversely affected.
The identity and access management market is characterized by rapid technological change, evolving industry standards, and changing regulations, as well as changing customer needs, requirements and preferences. The success of our business will depend, in part, on our ability to anticipate, adapt, and respond effectively to these changes on a timely and cost-effective basis. In addition, as our customers’ technologies and business plans grow more complex, we expect them to face new and increasing challenges. Our customers require that our platform effectively identify and respond to these challenges without disrupting the performance of our customers’ IT systems or interrupting their business operations. As a result, we must continually modify and improve our offerings in response to changes in our customers’ IT infrastructures and operational needs or end-user preferences. The success of any enhancement to our existing offerings or the deployment of new offerings depends on several factors, including the timely completion and market acceptance of our enhancements or new offerings. Any enhancement to our existing offerings or new offerings that we develop and introduce involves significant commitment of time and resources and is subject to a number of risks and challenges including:
ensuring the timely release of new offerings, features and platform enhancements;
adapting to emerging and evolving industry standards, technological developments by our competitors and customers, and changing regulatory requirements;
interoperating effectively with existing or newly-introduced technologies, systems, or applications of our existing and prospective customers;
resolving defects, errors, or failures in our platform or offering;
extending the operation of our offerings and services to new and evolving platforms, operating systems, and hardware products, such as mobile and IoT devices; and
managing new offerings, features, and service strategies for the markets in which we operate.
If we are not successful in managing these risks and challenges, or if our new offerings, platform upgrades and services are not competitive or do not achieve market acceptance, our business, financial condition, and results of operations could be adversely affected.
If we are unable to efficiently acquire new customers, retain our existing customers or expand the level of adoption of our platform with our existing customers, our business, financial condition, and results of operations could be adversely affected.
To continue to grow our business, it is important that we continue to acquire new customers. Our success in adding new customers depends on numerous factors, including our ability to (1) offer a compelling identity and access management platform and effective offerings, (2) execute our sales and marketing strategy, (3) attract, effectively train and retain new sales, marketing, professional services and support personnel, (4) develop or expand relationships with partners, (5) expand into new geographies and vertical markets, (6) deploy our platform or offerings for new customers, (7) provide quality customer support once deployed, (8) effectively manage and forecast our customer count, and (9) expand our use cases for our existing customers.
It is important to our continued growth that we retain our existing customers. Our customers have no obligation to renew their subscription agreements, and our customers may decide not to renew these agreements with a similar contract period, at the same prices and terms or with the same or a greater number of identities, or at all. Our customer retention or our customers’ use of our platform and services may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our platform and offerings, our customer support and professional services, our prices and pricing plans, the competitiveness of other identity and access management offerings and services, reductions in our customers’ spending levels, user adoption of our platform and offerings, deployment success, utilization rates by our customers, new releases, and changes to our platform or offerings. Additionally, new consolidations, acquisitions, alliances or cooperative relationships involving one or more of our customers may lead such customers not to renew their existing subscriptions with us.
Our ability to increase revenue also depends in part on our ability to increase the number of identities managed by our platform and sell more use cases or offerings to our existing and new customers. Our ability to increase sales to existing customers depends on several factors, including their experience with implementing our offerings and using our platform and the existing offerings they have implemented, their ability to integrate our offerings with existing technologies and our pricing model. As we expand our market reach, we may experience difficulties in gaining traction and raising awareness among potential customers regarding the critical role that our offerings play in securing their businesses and we may face more
20

Table of Contents
competitive pressure in such markets. Additionally, our existing customers may delay or fail to pay us under our commercial agreements. Our dollar- based net retention rate may fluctuate from period to period and is dependent upon new ARR and renewals from existing customers, of which new ARR is impacted by the mix of new ARR from existing and new customers in any given period. We cannot accurately predict our renewals and dollar-based net retention rate given the diversity of our customer base, the size of our industry, and geography. Our renewals and dollar-based net retention rate may decline or fluctuate as a result of a number of factors, many of which are outside our control, including the business strength or weakness of our customers, customer usage, the ability of our customers to quickly integrate our products into their businesses, the ability of our customers to continually find new uses for our products within their businesses, and customer satisfaction with our products, platform capabilities, and customer support.
If we are unable to successfully acquire new customers, retain our existing customers or expand sales to existing customers, our business, financial condition, and results of operations could be adversely affected.
Our quarterly results are likely to fluctuate and as a result may adversely affect the trading price of our common stock.
Our quarterly results of operations, including our key business metrics, are likely to vary significantly in the future, and period-to-period comparisons of our results of operations may not be meaningful. Accordingly, the results for any one quarter are not necessarily an accurate indication of future performance. Our quarterly financial results may fluctuate due to a variety of factors, many of which are outside of our control. Factors that may cause fluctuations in our quarterly financial results include:
the mix of revenue attributable to our various offerings, in particular, our SaaS and subscription offerings;
the length of our sales cycles;
the weighted average duration of our contracts in any given period;
the mix of revenue attributable to larger transactions as opposed to smaller transactions, and the associated volatility and timing of our transactions;
the level of demand for our platform;
our ability to attract new customers, obtain renewals from existing customers, and upsell or otherwise increase our existing customers’ use of our platform;
the timing and success of new product introductions by us or our competitors or any other change in the competitive landscape of our market;
pricing pressure as a result of competition or otherwise;
seasonal buying patterns for IT spending;
changes in remaining performance obligations (“RPO”) due to seasonality, the timing of and compounding effects of renewals, invoice duration, size and timing, new business linearity between quarters and within a quarter or average contract term, all of which may impact implied growth rates;
errors in our forecasting of the demand for our offerings, which could lead to lower than projected revenue, increased costs or both;
increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;
security breaches or incidents impacting, technical difficulties with or interruptions to, the delivery and use of our platform and offerings;
our ability to comply with laws, rules, regulations, industry standards, contractual obligations, and other legal requirements relating to privacy, data protection and information security, including the GDPR, and the California Consumer Privacy Act, or CCPA;
costs related to the acquisition of businesses, talent, technologies, or intellectual property, including potentially significant amortization costs and possible write-downs;
our ability to effectively obtain, maintain, protect, defend, and enforce our intellectual property rights;
credit, liquidity, financial or other difficulties confronting our channel partners;
adverse litigation judgments, settlements of litigation and other disputes or other litigation-related or dispute-related costs;
21

Table of Contents
the impact of new accounting pronouncements and associated system implementations;
changes in the legislative or regulatory environment;
fluctuations in foreign currency exchange rates;
expenses related to real estate, including our office leases, and other fixed expenses; and
general economic conditions in domestic or international markets, including the economic impact of inflation, the COVID-19 pandemic and other geopolitical uncertainty and instability, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the U.S. and other countries, and retaliatory actions taken by Russia in response to such sanctions.
Any one or more of the factors above may result in significant fluctuations in our results of operations. In addition, we generally experience seasonality based on when we enter into agreements with customers, which has historically been the most frequent in our fourth quarter, and our quarterly results of operations generally fluctuate from quarter-to-quarter depending on customer purchasing habits. This seasonality is reflected to a much lesser extent, and sometimes is not immediately apparent, in our revenue, due to the fact that we recognize subscription revenue over the term of the subscription. We expect that seasonality will continue to affect our results of operations in the future and may reduce our ability to predict cash flow and optimize the timing of our operating expenses.
The variability and unpredictability of our quarterly results of operations or key business metrics could result in our failure to meet our expectations or those of securities analysts or investors. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our common stock could decline, and we could face costly lawsuits, including securities class action suits.
If our solutions have or are perceived to have defects, errors, or vulnerabilities, or if we otherwise fail or are perceived to fail to provide secure and frictionless user experiences, our brand and reputation could be harmed, which could adversely affect our business, financial condition, and results of operations.
Real or perceived defects, errors, or vulnerabilities in our software, the failure of our solution to secure digital identities, including any stored or transmitted data and integrated applications, services, and APIs, the failure to protect against advanced or newly developed exploits or discovered vulnerabilities, misconfiguration of our solutions, or the failure of customers to take action on attacks could harm our reputation and adversely affect our business, financial condition, and results of operations. Because our platform is complex, it may contain defects or errors that are not detected until after deployment. We cannot assure you that our products will protect against all security vulnerabilities, exploits, or cyber attacks, especially in light of the rapidly changing cybersecurity landscape that our offerings seek to address. Due to a variety of both internal and external factors, including, without limitation, defects or misconfigurations of our solutions, our offerings could become vulnerable to security incidents that cause them to fail to secure identities, to protect against vulnerabilities and exploits, to secure data that is stored or transmitted, and to secure integrated applications, services, and APIs. In addition, due to a variety of both internal and external factors, including real or perceived defects, errors, vulnerabilities, or misconfiguration in our software, our solutions may fail to deliver a frictionless experience or may significantly or negatively degrade the end user experience which could lead to customer and end user dissatisfaction that could harm our reputation and adversely affect our business, financial condition, and results of operations.
Moreover, as our platform is adopted by an increasing number of enterprises and governmental entities, it is possible that the individuals and organizations behind advanced cyberattacks will begin to focus on finding ways to defeat our platform. If this happens, our customers could be specifically targeted by attackers, which could result in vulnerabilities in our platform or undermine the market acceptance of our platform or solutions or our reputation as a provider of identity and access management solutions.

Companies are increasingly subject to a wide variety of attacks on their systems and networks on an ongoing basis. In addition to threats from traditional computer “hackers,” malicious code (such as malware, viruses, worms and ransomware), employee or contractor theft, fraud, misconduct or misuse, password spraying, phishing, social engineering attacks and denial-of-service attacks, we and our third-party service providers now also face threats from sophisticated nation-state and nation-state supported actors who engage in attacks (including advanced persistent threat intrusions) that add to the risks to our systems (including those hosted on GCP or other cloud services), internal networks, our customers’ systems, and the information that they store and process. Despite our efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks, in particular, as the frequency and sophistication of cyberattacks increases. For example, cybersecurity researchers anticipate an increase in cyberattack activity in connection with Russia’s activities in Ukraine. If any of our customers experiences a cyberattack while using our platform or offerings, or believes that this has occurred, such
22

Table of Contents
customer could be disappointed with our platform, regardless of whether our offerings or services were implicated in failing to prevent such attack. Real or perceived security breaches of, or security incidents impacting, our customers’ networks could cause disruption or damage to their networks or other negative consequences and could result in negative publicity to us, damage to our reputation, and other customer relations issues, and our business, financial condition, and results of operations could be adversely affected.
If we or our third-party service providers experience a security breach or incident that allows, or is perceived to allow, unauthorized access to our platform or our customers’ data, our reputation, business, financial condition, and results of operations could be adversely affected.
As a provider of identity and security solutions, we pose an attractive target for cyber attacks. The security measures we have integrated into our internal systems and platform, which are designed to detect unauthorized access or activity and prevent or minimize security breaches and incidents, may not function as expected or may not be sufficient to protect our internal networks and platform against certain attacks and other security breaches and incidents. In addition, techniques used to sabotage or to obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently, become more complex over time and generally are not recognized until launched against a target. As a result, we and our third-party service providers may be unable to anticipate these techniques or implement adequate preventative measures quickly enough to prevent either an electronic intrusion into our systems or services or a compromise of customer data, and we and they may face difficulties or delays in identifying or otherwise responding to any potential security breach or incident. Additionally, our remediation efforts and other response to any potential security breach or incident may not be successful or timely.
Third parties may attempt to fraudulently induce employees, contractors, customers, or our customers’ users into disclosing sensitive information, such as user names, passwords, or other information or otherwise compromise the security of our internal networks, electronic systems, or physical facilities in order to gain access to our data or our customers’ data, which could result in significant legal and financial exposure, a loss of confidence in the security of our platform, interruptions, or malfunctions in our operations, account lock outs, and, ultimately, harm to our business, financial condition, and results of operations.

Our customers’ use of ForgeRock to access business systems and store data concerning, among other things, their employees, contractors, partners and customers is essential to their use of our platform, which collects, uses, stores, transmits, and otherwise processes customers’ proprietary information and personal data. If a security breach or incident impacting customer data or systems on our platform were to occur, as a result of third-party action, technology limitations, employee or contractor error, malfeasance or otherwise, and the confidentiality, integrity or availability of our customers’ data or systems was disrupted, or if this was perceived to have occurred, we could face claims, demands, and litigation by, and incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers, could face regulatory or governmental investigations, inquiries, or other proceedings, and our platform may be perceived as less desirable, any of which could negatively affect our business and damage our reputation. Further, and notwithstanding any contractual rights or remedies we may have, because we do not control our third-party service providers, including their security measures and the processing of data by our third-party service providers, we cannot ensure the integrity or security of measures they take to protect customer information and prevent data loss.

In addition, security breaches or incidents impacting our platform, including from ransomware, could result in a risk of loss or unauthorized disclosure of critical information, including personal data, or the denial of access to this information, which, in turn, could lead to enforcement actions, litigation, regulatory or governmental audits, investigations, inquiries, or other proceedings and possible significant liability, and increased requests by individuals regarding their personal data. Actual or perceived security breaches and incidents could also damage our relationships with and ability to attract customers and partners, and trigger service availability, indemnification, and other contractual obligations. Security breaches and incidents may also cause us to incur significant investigation, mitigation, remediation, notification and other expenses, including necessitating that we put in place additional measures designed to prevent further security breaches or incidents. We may be required to expend significant capital and financial resources to protect against such threats or to alleviate problems caused by security breaches and incidents. Furthermore, as a provider of identity and security solutions, any such breach or incident, including a breach of our customers’ systems, could compromise systems secured by our products, creating system disruptions, or slowdowns and exploiting security vulnerabilities of our or our customers’ systems, and the information stored on our or our customers’ systems could be improperly accessed, publicly disclosed, altered, lost, stolen, or otherwise processed, which could result in a loss of intellectual property and subject us to claims, demands, and litigation from private parties, as well as regulatory or governmental investigations and other proceedings, fines, penalties, and other liabilities, harm to our reputation and market position, and financial harm. While we maintain cybersecurity insurance, our insurance may be insufficient to cover all liabilities incurred in these incidents, and any incidents may result in loss of, or increased costs of, our cybersecurity insurance. We also cannot ensure that our existing insurance coverage will continue to be available on acceptable terms or will be
23

Table of Contents
available in sufficient amounts to cover one or more large claims related to a security incident or breach, or that the insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could adversely affect our reputation and our business, financial condition, and results of operations. We also cannot ensure that any limitations of liability provisions in our customer agreements, contracts with third-party service providers and other contracts for a security lapse or breach or other security-related matter would be enforceable or adequate or would otherwise protect us from any liabilities or damages with respect to any particular claim.

Any breach or incident, or any perceived breach or incident, of our systems, our customers’ systems, or other systems or networks secured by our products, whether or not any such breach or incident is due to a vulnerability in our platform, may also undermine confidence in our platform or our industry and result in damage to our reputation and brand, negative publicity, loss of partners, customers and sales, increased costs to remedy any problem, costly litigation, and other liability. In addition, a breach or violation of the security measures of one of our partners could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack, and if a high profile security breach or incident occurs with respect to a comparable identity and access management provider, our customers and potential customers may lose trust in identity and access management providers generally, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these negative outcomes could negatively impact market acceptance of our platform and our business, financial condition, and results of operations could be adversely affected.
The global COVID-19 pandemic has harmed and could continue to harm our business, financial condition, and results of operations.
The ongoing COVID-19 pandemic and efforts to mitigate its impact have significantly curtailed the movement of people, goods and services worldwide, including in the geographic areas in which we conduct our business operations and from which we generate our revenue. It has also caused societal and economic disruption and financial market volatility, resulting in business shutdowns, and reduced business activity. We believe that the COVID-19 pandemic has had a modest negative impact on our business and results of operations, primarily as a result of:
for certain enterprises, delaying or pausing digital transformation and expansion projects and negatively impacting IT spending, which has caused some potential customers to delay or forgo purchases of subscriptions for our platform and services and some existing customers to fail to renew subscriptions, reduce their usage or fail to expand their usage of our platform due to the COVID-19 pandemic’s impact on their business;
restricting our sales operations and marketing efforts, reducing the effectiveness of such efforts in some cases and delaying or lengthening our sales cycles; and
delaying the delivery of professional services and training to our customers.
The COVID-19 pandemic may cause us to continue to experience the foregoing challenges in our business in the future and could have other effects on our business, including disrupting our ability to develop new offerings and enhance existing offerings, market, and sell our products and conduct business activities generally.

In light of the uncertain and rapidly evolving situation relating to the spread of COVID-19, we have taken precautionary measures intended to reduce the risk of the virus spreading to our employees, our customers and the communities in which we operate, and we may take further actions as required by government entities or that we determine are in the best interests of our employees, customers, partners, and third-party service providers. In particular, governmental authorities have previously instituted shelter-in-place policies or other restrictions in many jurisdictions in which we operate, including in the San Francisco Bay Area where our headquarters are located, which policies required most of our employees to work remotely. We expect to take a measured and careful approach to have employees returning to offices and travel for business. These precautionary measures and policies could negatively impact product innovation and development and employee and organizational productivity, training, and collaboration, or otherwise disrupt our business operations. The further continuation of working remotely may expose us to increased risks of security breaches or incidents. We may need to enhance the security of our platform and offerings, our data, and our internal IT infrastructure, which may require additional resources and may not be successful.
In addition, the COVID-19 pandemic has disrupted and may continue to disrupt the operations of our customers and partners, particularly our customers in industries, including travel and entertainment, that have been especially impacted by the pandemic. Other disruptions or potential disruptions resulting from the COVID-19 pandemic include restrictions on our
24

Table of Contents
personnel and the personnel of our partners to travel and access customers for training, delays in product development efforts, and additional government requirements or other incremental mitigation efforts that may further impact our business, financial condition, and results of operations. The extent to which the COVID-19 pandemic continues to impact our business and results of operations will also depend on future developments that are highly uncertain and cannot be predicted, including new information which may emerge concerning the severity of the disease, the duration and spread of the outbreak, the scope of travel restrictions imposed in geographic areas in which we operate, mandatory or voluntary business closures, the impact on businesses and financial and capital markets and the extent and effectiveness of the development and distribution of vaccines and other actions taken throughout the world to contain the virus or treat its impact. A further extended period of global supply chain and economic disruption as a result of the COVID-19 pandemic could have a material negative impact on our business, financial condition, and results of operations, though the full extent and duration is uncertain. To the extent the COVID-19 pandemic adversely affects our business, financial condition, and results of operations it is likely to also have the effect of heightening many of the other risks described in this “Risk Factors” section.
If our platform and offerings fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business, financial condition, and results of operations could be adversely affected.
The success of our platform depends, in large part, on its ability to help our customers achieve and maintain compliance with certain industry standards and government regulations, such as the Sarbanes-Oxley Act, HIPAA, the CCPA, the GDPR, and the GLBA, and these types of regulations continue to proliferate globally. These industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses. In addition, governments may also adopt new laws or regulations, or make changes to existing laws or regulations, that could affect whether our customers believe our platform assists them in maintaining compliance with such laws or regulations. If our platform and offerings fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our platform and could switch to products offered by our competitors. In addition, if government regulations and industry standards related to digital identity and security are changed in a manner that makes such regulations and industry standards less onerous, our customers may view compliance as less critical to their businesses, and our customers may be less willing to purchase our platform and offerings. If we are unable to manage the foregoing risks, our business, financial condition, and results of operations could be adversely affected.
We recognize a substantially all of our revenue from subscriptions over the term of the relevant subscription period, and as a result, downturns or upturns in sales may not be immediately reflected in our results of operations.
In 2021, 97% of our revenue was subscription revenue. We recognize revenue from the non-license element of subscriptions and support and maintenance ratably over the term of the subscription or support and maintenance agreements with our customers, which is generally one to three years. As a result, a substantial portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into in prior periods. Consequently, the full impact of a decline in new sales or renewals in any one period may not be immediately reflected in our results of operations for such period. Accordingly, the effect of significant downturns in sales and market acceptance of and demand for our platform and changes in our rate of renewals may not be fully reflected in our results of operations until future periods.
We also intend to increase our investment in research and development, sales and marketing, and general and administrative functions, and other areas to grow our business. These costs are generally expensed as incurred (with the exception of sales commissions), as compared to a significant portion of our revenue, which is recognized ratably in future periods. We may recognize the costs associated with such increased investments earlier than some of the anticipated benefits and the return on these investments may be lower, or may develop more slowly, than we expect, which could adversely affect our business, financial condition and results of operations.
Our sales cycle is frequently long and unpredictable, and our sales efforts require considerable time and expense.
Since we primarily focus on selling our offerings to enterprises, the timing of our sales can be difficult to predict. We and our partners are often required to spend significant time and resources to better educate and familiarize potential customers with the value proposition of our platform and offerings. Customers often view the purchase of our platform and offerings as a strategic decision and significant investment and, as a result, frequently require considerable time to evaluate, test, and qualify our platform and offerings prior to purchase. In particular, for customers in highly-regulated industries, the selection of a security solution provider is a critical business decision due to the sensitive nature of these customers’ data, which results in particularly extensive evaluations prior to the selection of information security vendors. During the sales cycle, we expend
25

Table of Contents
significant time and money on sales and marketing and contract negotiation activities, which may not result in a sale. Additional factors that may influence the length and variability of our sales cycle include:
the discretionary nature of purchasing and budget cycles and decisions;
lengthy purchasing approval processes;
the industries in which our customers operate;
the evaluation of competing solutions and offerings during the purchasing process;
time, complexity and expense involved in replacing existing solutions;
announcements or planned introductions of new offerings, features or functionality by our competitors or of new offerings, features or functionality by us; and
evolving functionality demands.
If our efforts in pursuing sales and customers are unsuccessful, or if our sales cycles lengthen, our revenue could be lower than expected, which would adversely affect our business, financial condition, and results of operations.
Our international operations and continued international expansion subject us to additional costs and risks, which could adversely affect our business, financial condition, and results of operations.
We generated 52% of our revenue outside the United States in both 2021 and 2020, respectively. Our growth strategy depends, in part, on our continued international expansion. We are continuing to adapt to and develop strategies to address international markets, but there is no guarantee that such efforts will be successful.
Additionally, our international sales and operations are subject to a number of risks, including the following:
unexpected costs and errors in the localization of our platform, including translation into foreign languages and adaptation for local practices and regulatory requirements;
lack of familiarity and burdens of complying with foreign laws, legal standards, privacy standards, regulatory requirements, tariffs, and other barriers;
laws and business practices favoring local competitors or commercial parties;
costs and liabilities related to compliance with foreign data privacy, protection and security laws, rules, regulations, standards and enforcement, including the GDPR;
fluctuations in exchange rates that may increase the volatility of our foreign-based revenue and expense;
risk that our foreign employees or partners will fail to comply with U.S. and foreign laws;
practical difficulties of obtaining, maintaining, defending, protecting, and enforcing intellectual property rights in countries with fluctuating laws and standards and reduced or varied protection for intellectual property rights in some countries;
restrictive governmental actions focusing on cross-border trade, including taxes, trade laws, tariffs, import and export restrictions, controls, or quotas, barriers, sanctions, custom duties, or other trade restrictions;
unexpected changes in legal and regulatory requirements;
difficulties in managing partners;
differing technology standards;
longer accounts receivable payment cycles and difficulties in collecting accounts receivable;
difficulties in managing and staffing international operations, including compliance with differing employer-employee relationships and local employment laws;
political, economic and social instability, war (including ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the U.S. and other countries and retaliatory actions taken by Russia in response to such sanctions), armed conflict, or terrorist activities;
health epidemics, such as the COVID-19 pandemic, influenza, and other highly communicable diseases or viruses; and
26

Table of Contents
potentially adverse tax consequences, including the complexities of foreign value added tax (or other tax) systems, and restrictions on the repatriation of earnings.
Operating in international markets also requires significant management attention and financial resources. We cannot be certain that the investment and additional resources required in establishing operations in other countries will produce desired levels of revenue or profitability. Any of the foregoing factors could harm our ability to generate revenue outside of the United States and, consequently, adversely affect our business, financial condition, and results of operations.

Some of our business partners also have international operations and are subject to the risks described above. Even if we are able to successfully manage the risks of international operations, our business may be adversely affected if our business partners are not able to successfully manage these risks.
We may face exposure to foreign currency exchange rate fluctuations.
A substantial portion of our international customer contracts are denominated in local currencies. In addition, the majority of our international costs are denominated in local currencies. As a result, fluctuations in the value of the U.S. Dollar and foreign currencies may affect our results of operations when translated into U.S. Dollars. For example, in the first quarter of 2020, the volatility in the exchange rate of the Norwegian Krone, British Pound, and the U.S. Dollar resulted in a meaningful impact on our consolidated results of operations. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.
If we fail to offer high-quality customer support, our business and reputation will suffer.
Once our platform is deployed, our customers rely on our support services to resolve any issues that may arise. High-quality customer education and customer support is important for the successful marketing and sale of our platform and offerings and for the renewal of existing customers. We must successfully assist our customers in deploying our platform and offerings, resolving performance issues, and addressing interoperability challenges with a customer’s existing network and security infrastructure. Many enterprises, particularly large enterprises, have complex networks, and require high levels of focused support, including premium support offerings, to fully realize the benefits of our platform. Any failure by us to maintain the expected level of support could reduce customer satisfaction and hurt our customer retention, particularly with respect to our large enterprise customers. To the extent that we are unsuccessful in hiring, training and retaining adequate support resources, our ability to provide adequate and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our platform could be adversely affected.
Given our growth, we may in the future engage third parties to provide support services to our customers. Any failure to properly train or oversee such contractors could result in a poor customer experience, which could have an adverse impact on our reputation and ability to renew subscriptions or engage new customers. In addition, some of our contracts with our larger customers require consent in the event we subcontract the services we provide thereunder. The process of obtaining consent to subcontract support services with these customers could be lengthy and there can be no assurance such consent would be provided.
Furthermore, as we sell our platform and offerings internationally, our support organization faces additional challenges, including those associated with delivering support, training and documentation in languages other than English. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality support, could adversely affect our reputation, business, financial condition, and results of operations, and adversely impact our ability to sell our platform or offerings to existing and prospective customers. The importance of high-quality customer support will increase as we expand our business and pursue new customers.
If we do not set optimal prices for our platform and offerings, our business, financial condition, and results of operations could be adversely affected.
In the past, we have at times adjusted our prices either for individual customers in connection with long- term agreements or for a particular offering. We expect that we may need to change our pricing in future periods. Further, as competitors introduce new products that compete with ours or reduce their prices, we may be unable to attract new customers or retain
27

Table of Contents
existing customers based on our historical pricing. As we expand internationally, we also must determine the appropriate price to enable us to compete effectively in each respective geographic region. In addition, if our mix of offerings changes, then we may need to, or choose to, revise our pricing model. If we do not optimally price our platform and offerings and manage risks related to changing our prices or pricing model, our business, financial condition, and results of operations could be adversely affected.
If we are unable to manage the costs associated with our professional services, our results of operations could be adversely affected.
We offer professional services associated with implementing our platform and training customers on the use of our platform, and our revenue from professional services carries a negative gross margin compared to our subscription revenue. We price our professional services to be attractive to customers because we believe that our professional services help achieve customer success on our platform, which assists us in retaining customers and expanding our relationships with them. If we are unable to manage and improve the margin associated with our professional services, our business, financial condition, and results of operations could be adversely affected.
If our platform or offerings do not effectively interoperate with our customers’ existing or future IT infrastructures, our business would be harmed.
Our success depends in part on the interoperability of our platform or offerings with our customers’ IT infrastructures, including third-party operating systems, applications, data and devices that we have not developed and do not control. Third-party products and services are constantly evolving, and we may not be able to modify our offerings to ensure their compatibility with those of other third parties following development changes. Any changes in such infrastructure, operating systems, applications, data or devices that degrade the functionality of our platform or offerings or give preferential treatment to competitive solutions could adversely affect the adoption and usage of our platform. We may not be successful in quickly or cost effectively adapting our platform or offerings to operate effectively with these operating systems, applications, data, or devices. If it is difficult for our customers to access and use our platform or offerings, or if our platform or offerings cannot connect a broadening range of applications, data and devices, then our customer growth and retention may be harmed, and our business, financial condition, and results of operations could be adversely affected. We rely on open standards for many integrations between our platform and third-party applications that our customers utilize, and in other instances on such third parties making available the necessary tools for us to create interoperability with their applications. If application providers were to move away from open standards, or if a critical, widely-utilized application provider were to adopt proprietary integration standards and not make them available for the purposes of facilitating interoperability with our platform, the utility of our platform and offerings for our customers would be decreased, our offerings may become less marketable, less competitive, or obsolete, and our business, financial condition, and results of operations could be adversely affected.
Real or perceived errors, failures, vulnerabilities or bugs in our platform, including deployment complexity, could harm our business, financial condition, and results of operations.
Errors, failures, vulnerabilities or bugs may occur in our platform, especially when updates are deployed or new platform offerings and functionalities are rolled out. Our platform is often used in connection with large- scale computing environments with different operating systems, system management software, equipment and networking configurations, which may cause errors or failures of products, or other aspects of the computing environment into which our platform is deployed. In addition, deployment of our platform into complicated, large-scale computing environments may expose errors, failures, vulnerabilities or bugs in our platform. Any such errors, failures, vulnerabilities or bugs may be difficult to detect and may not be found until after they are deployed to our customers. Further, our platform and offerings operate in conjunction with, and we are dependent upon, numerous third-party products and components. There have been and may continue to be significant attacks on certain third-party providers, and we cannot guarantee that our or our third-party providers’ systems and networks have not been breached or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our systems and networks or the systems and networks of third parties that support us and our services. If there is a security vulnerability, error, or other bug in one of these third-party products or components and if there is a security exploit targeting them, we could face increased costs, liability claims, reduced revenue, or harm to our reputation or competitive position. More generally, real or perceived errors, failures, vulnerabilities or bugs in our platform, or delays in or difficulties implementing our platform releases, could result in negative publicity, or corruption of, or unauthorized access to, customer data, loss of or delay in market acceptance of our platform, a decrease in customer satisfaction, confidence or adoption rates, delayed product introductions, compromised ability to protect the data (including personal data) of our customers and our data and intellectual property, an inability to provide some or all of our services, loss of competitive position, or claims by customers for losses sustained by them, all of which could adversely affect our business, financial condition, and results of operations. Such errors, bugs,
28

Table of Contents
vulnerabilities or defects could also be exploited by malicious actors and result in exposure of data of users on our platform, or otherwise result in a security breach or other security incident. We may need to expend significant financial and development resources to analyze, correct, eliminate, or work around errors or defects or to address and eliminate vulnerabilities.
If there are interruptions or performance problems associated with our technology or infrastructure, our customers may experience service outages or delays in the deployment of our platform.
Our continued growth depends on the ability of our existing and potential customers to access our platform 24 hours a day, seven days a week, without interruption or degradation of performance. We have in the past and may in the future experience disruptions, outages and other performance problems with our infrastructure due to a variety of factors, including infrastructure changes, introductions of new functionality, human or software errors, capacity constraints, distributed denial-of-service attacks or other security-related incidents. In some instances, we may not be able to identify the cause or causes of these performance problems immediately or in short order. We may not be able to maintain the level of service uptime and performance required by our customers, especially during peak usage times and as our offerings become more complex and our user traffic increases. If our platform is unavailable or if our customers are unable to access our offerings or deploy them within a reasonable amount of time, or at all, our business would be harmed. Frequent or persistent interruptions in our products and services could cause customers to believe that our products and services are unreliable, leading them to switch to our competitors or to otherwise avoid our products and services.
The adverse effects of any service interruptions on our reputation and financial condition may be disproportionately heightened due to the nature of our business and the fact that our customers expect continuous and uninterrupted access to our offerings and have a low tolerance for interruptions of any duration. Since our customers rely on our offerings to provide and secure access to their IT infrastructures and to support customer- facing applications, any outage on our platform would impair the ability of our customers to operate their businesses, which would negatively impact our brand, reputation and customer satisfaction. Additionally, our insurance policies may be insufficient to cover a claim made against us by any customers affected by any disruptions, outages, or other performance or infrastructure problems.
Moreover, we depend on services from various third parties to maintain our cloud infrastructure and deploy our offerings, such as GCP, which hosts our platform. If a third-party service provider fails to provide sufficient capacity to support our platform or otherwise experiences service outages, such failure could interrupt our customers’ access to our services, which could adversely affect their perception of our platform’s reliability. Any disruptions in these services, including as a result of actions outside of our control, would significantly impact the continued performance of our offerings. In the event that our service agreements are terminated with our cloud infrastructure providers, or there is a lapse of service, interruption of internet service provider connectivity or damage to such providers’ facilities, we could experience interruptions in access to our platform as well as delays and additional expense in arranging new facilities and services. In the future, these services may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of these services could result in decreased functionality of our offerings until equivalent technology is either developed by us or, if available from another provider, is identified, obtained and integrated into our infrastructure. We may also be unable to effectively address capacity constraints, upgrade our systems as needed and continually develop our technology and network architecture to accommodate actual and anticipated changes in technology.
Our platform is accessed by a large number of customers, often at the same time. As we continue to expand the number of our customers and offerings available to our customers, our technology may not be able to scale to accommodate the increased capacity requirements, which may result in interruptions or delays in service. In addition, the failure of third-party cloud infrastructure providers, third-party internet service providers or other third-party service providers whose services are integrated with our platform to meet our capacity requirements could result in interruptions or delays in access to our platform or impede our ability to scale our operations. Any of the above circumstances or events may harm our reputation, cause customers to terminate their agreements with us, impair our ability to obtain subscription renewals from existing customers, impair our ability to grow our customer base, result in the expenditure of significant financial, technical and engineering resources, subject us to financial penalties and liabilities under our service level agreements, and otherwise could adversely affect our business, financial condition, and results of operations.
System interruption and the lack of integration, redundancy and scalability in these systems and infrastructures may harm our business, financial condition, and results of operations.
Our success depends, in part, on our ability to maintain the integrity of our systems and infrastructure, including websites, information and related systems. System interruption and a lack of integration and redundancy in our information systems and infrastructure may adversely affect our ability to operate websites, process and fulfill transactions, respond to customer
29

Table of Contents
inquiries and generally maintain cost-efficient operations. We may experience occasional system interruptions that make some or all systems or data unavailable or prevent us from efficiently providing access to our platform. We also rely on third-party computer systems, broadband and other communications systems and service providers in connection with providing access to our platform generally. Any interruptions, outages or delays in our systems and infrastructure, our business or third parties, or deterioration in the performance of these systems and infrastructure, could impair our ability to provide access to our platform. Fire, flood, power loss, telecommunications failure, hurricanes, tornadoes, earthquakes, other natural disasters, acts of war (including Russia’s actions in Ukraine) or terrorism and similar events or disruptions may damage or interrupt computer, broadband or other communications systems and infrastructure at any time. Any of these events could cause system interruption, delays and loss of critical data, including personal data, and could prevent us from providing access to our platform. While we have backup systems for certain aspects of these operations, disaster recovery planning by its nature cannot be sufficient for all eventualities. In addition, we may not have adequate insurance coverage to compensate for losses from a major interruption. If any of these events were to occur, it could harm our business, financial condition, and results of operations.
If we fail to efficiently maintain, protect and enhance our brand, our ability to attract new customers could be impaired and our business, financial condition, and results of operations could be adversely affected.
We believe that developing and maintaining awareness of our brand in a cost-effective manner is critical to achieving widespread adoption of our platform and offerings and is critical to our ability to attract new customers. Furthermore, we believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts, our ability to provide reliable and useful offerings at competitive prices, our ability to maintain our customers’ trust and our ability to successfully differentiate our services and platform capabilities from competitive products and services, any of which we may not be able to do effectively. In the past, our efforts to build our brand have involved significant expenses. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, or incur substantial expenses in an unsuccessful attempt to promote and maintain our brand, we may fail to attract new customers or retain our existing customers to the extent necessary to realize a sufficient return on our brand-building efforts, and our business, financial condition, and results of operations could be adversely affected.
Failure to effectively develop and expand our marketing and sales capabilities could harm our ability to grow our customer base and achieve broader market acceptance of our platform.
Our ability to increase our customer base and achieve broader market acceptance of our platform depends, in part, on our ability to expand our marketing and sales operations. We plan to continue expanding our direct sales force and engaging additional channel, system integrator and technology partners, both domestically and internationally. This expansion will require us to invest significant financial and other resources. Our business will be harmed if our efforts do not generate a corresponding increase in revenue. We may not achieve anticipated revenue growth from expanding our direct sales force if we are unable to hire and develop talented direct sales personnel, if our new direct sales personnel are unable to achieve desired productivity levels in a reasonable period of time or if we are unable to retain our existing direct sales personnel. We also may not achieve anticipated revenue growth from our partners if we are unable to attract and retain additional motivated partners, if any existing or future partners fail to successfully market, resell, implement or support our platform or offerings for their customers, or if they represent multiple providers and devote greater resources to market, resell, implement and support the products and solutions of other providers. For example, some of our partners also sell or provide integration and administration services for our competitors’ products, and if such partners devote greater resources to marketing, reselling and supporting competing products, our business, financial condition, and results of operations could be adversely affected.
If we cannot maintain our corporate culture as we grow, our business could be adversely affected.
We believe that our corporate culture has been a critical component to our success and that our culture creates an environment that drives and perpetuates our overall business strategy. We have invested substantial time and resources in building our team and we expect to continue to hire as we expand, including with respect to our international operations. As we transition and grow as a public company and grow internationally, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could negatively affect our future success, including our ability to recruit and retain personnel and effectively execute on our business strategy.
30

Table of Contents
We depend on our management team and other highly skilled personnel, and we may fail to attract, retain, motivate, or integrate highly skilled personnel, which could adversely affect our business, financial condition, and results of operations.

We depend on the continued contributions of our management team, key employees, and other highly skilled personnel. Our management team and key employees are at-will employees, which means they may terminate their relationship with us at any time. The loss of the services of any of our key personnel or delays in hiring required personnel, particularly within our research and development and engineering teams, could adversely affect our business, financial condition, and results of operations.
Our future success also depends, in part, on our ability to continue to attract and retain highly skilled personnel. Competition for these personnel in the San Francisco Bay Area, where our headquarters is located, and in other locations where we maintain offices, is intense, and the industry in which we operate is generally characterized by significant competition for skilled personnel as well as high employee attrition. We may not be successful in attracting, retaining, training or motivating qualified personnel to fulfill our current or future needs. Competitors for technical talent increasingly seek to hire our employees, and the increased availability of work-from-home arrangements, accelerated by the COVID-19 pandemic, has both intensified and expanded competition while also reducing regional salary differences. In addition, changes in immigration policies may further limit the pool of available talent and impair our ability to recruit and hire technical and professional talent. We have intensified our efforts to recruit and retain talent. These efforts have increased our expenses, and they may not be successful in attracting, retaining, and motivating the workforce necessary to deliver on our strategy. Additionally, the former employers of our new employees may attempt to assert that our new employees or we have breached their legal obligations, which may be time-consuming, distracting to management and may divert our resources. To help attract, retain, and motivate qualified employees, we use share-based awards, such as RSUs, and performance-based cash incentive awards. Sustained declines in our stock price, or lower stock price performance relative to competitors, can reduce the retention value of our share-based awards. Our employee hiring and retention also depend on our ability to build and maintain a diverse and inclusive workplace culture and be viewed as an employer of choice. To the extent our compensation programs and workplace culture are not viewed as competitive, our ability to attract, retain, and motivate employees can be weakened, which could harm our results of operations. If we fail to attract and integrate new personnel or retain and motivate our current personnel, our business, financial condition, and results of operations could be adversely affected.
We may be unable to make acquisitions and investments, successfully integrate acquired companies into our business, or our acquisitions and investments may not meet our expectations, any of which could adversely affect our business, financial condition, and results of operations.
We have in the past acquired, and we may in the future acquire or invest in, businesses, offerings, technologies, or talent that we believe could complement or expand our platform, enhance our technical capabilities or otherwise offer growth opportunities. We may not be able to fully realize the anticipated benefits of such acquisitions or investments. The pursuit of potential acquisitions may divert the attention of management and cause us to incur significant expenses related to identifying, investigating and pursuing suitable acquisitions, whether or not they are consummated.
There are inherent risks in integrating and managing acquisitions. If we acquire additional businesses, we may not be able to assimilate or integrate the acquired personnel, operations, solutions and technologies successfully, or effectively manage the combined business following the acquisition. We also may not achieve the anticipated benefits or synergies from the acquired business due to a number of factors, including, without limitation:
delays or reductions in customer purchases for both us and the acquired business;
disruption of partner and customer relationships;
potential loss of key employees of the acquired company;
claims by and disputes with the acquired company’s employees, customers, stockholders or third parties;
unknown liabilities or risks associated with the acquired business, product or technology, such as contractual obligations, potential security vulnerabilities of the acquired company and its products and services, potential intellectual property infringement, misappropriation or other violation, costs arising from the acquired company’s failure to comply with legal or regulatory requirements and litigation matters;
acquired technologies or products may not comply with legal or regulatory requirements and may require us to make additional investments to make them compliant;
acquired technologies or products may not be able to provide the same support service levels that we generally offer with our other offerings;
31

Table of Contents
they could be viewed unfavorably by our partners, our customers, our stockholders or securities analysts;
unforeseen difficulties relating to integration or other expenses; and
future impairment of goodwill or other acquired intangible assets.
Acquisitions also increase the risk of unforeseen legal liability, including for potential violations of applicable law or industry rules and regulations, arising from prior or ongoing acts or omissions by the acquired businesses that are not discovered by due diligence during the acquisition process. We may have to pay cash, incur debt or issue equity or equity-linked securities to pay for any future acquisitions, each of which could adversely affect our financial condition or the market price of our common stock. The sale of equity or issuance of equity-linked debt to finance any future acquisitions could result in dilution to our stockholders. The incurrence of indebtedness would result in increased fixed obligations and could also include covenants or other restrictions that would impede our ability to manage our operations. Any of the foregoing could adversely affect our business, financial condition, and results of operations.
We track certain operational metrics with internal systems and tools and do not independently verify such metrics. Certain of our operational metrics are subject to inherent challenges in measurement, and any real or perceived inaccuracies in such metrics may adversely affect our business and reputation.
We track certain operational metrics, including ARR, dollar-based net retention rate, and number of large customers, with internal systems and tools that are not independently verified by any third party and which may differ from estimates or similar metrics published by third parties due to differences in sources, methodologies or the assumptions on which we rely. Our internal systems and tools have a number of limitations, and our methodologies for tracking these metrics may change over time, which could result in unexpected changes to our metrics, including the metrics we publicly disclose. If the internal systems and tools we use to track these metrics undercount or overcount performance or contain algorithmic or other technical errors, the data we report may not be accurate. While these numbers are based on what we believe to be reasonable estimates of our metrics for the applicable period of measurement, there are inherent challenges in measuring these metrics. Limitations or errors with respect to how we measure data or with respect to the data that we measure may affect our understanding of certain details of our business, which could affect our long-term strategies. If our operating metrics are not accurate representations of our business, if investors do not perceive our operating metrics to be accurate or if we discover material inaccuracies with respect to these figures, we expect that our business, financial condition, and results of operations could be adversely affected.
We have substantial indebtedness under our term loan facility and our obligations thereunder may limit our operational flexibility or otherwise adversely affect our financial condition.
In September 2021, we entered into our Amended and Restated Loan Agreement (as defined herein) that provides for senior secured credit consisting of term loans. As of December 31, 2021, the aggregate principal amount of our outstanding indebtedness under our Amended and Restated Loan Agreement was $40.0 million and no further amounts are available to be drawn at this time. There can be no assurance that we will be able to repay this indebtedness when due, or that we will be able to refinance this indebtedness on acceptable terms or at all.
Our indebtedness could adversely impact us. For example, these obligations could, among other things:
make it difficult for us to pay other obligations;
increase our cost of borrowing;
make it difficult to obtain favorable terms for any necessary future financing for working capital, capital expenditures, investments, acquisitions, debt service requirements, or other purposes;
restrict us from making acquisitions or cause us to make divestitures or similar transactions;
adversely affect our liquidity and result in an adverse effect on our financial condition upon repayment of the indebtedness;
require us to dedicate a substantial portion of our cash flow from operations to service and repay the indebtedness, reducing the amount of cash flow available for other purposes;
increase our vulnerability to adverse and economic conditions;
place us at a competitive disadvantage compared to our less leveraged competitors; and
limit our flexibility in planning for and reacting to changes in our business.
32

Table of Contents
Restrictions imposed by our outstanding indebtedness and any future indebtedness may limit our ability to operate our business and to finance our future operations or capital needs or to engage in acquisitions or other business activities necessary to achieve growth.
The terms of our outstanding indebtedness restrict us from engaging in specified types of transactions. Subject to certain exceptions, these covenants restrict our ability to, among other things:
incur additional indebtedness;
create or incur liens;
engage in consolidations, amalgamations, mergers, liquidations, dissolutions or dispositions;
sell, transfer or otherwise dispose of assets;
pay dividends and distributions on, or repurchase or redeem, capital stock; and
make acquisitions, investments, loans, advances or capital contributions.
We cannot guarantee that we will be able to maintain compliance with these covenants or, if we fail to do so, that we will be able to obtain waivers from the lenders and/or amend the covenants. Even if we comply with all of the applicable covenants, the restrictions on the conduct of our business could adversely affect our business by, among other things, limiting our ability to take advantage of financing opportunities, mergers, acquisitions, investments, and other corporate opportunities that may be beneficial to our business. Even if our Amended and Restated Loan Agreement is terminated, any additional debt that we incur in the future could subject us to similar or additional covenants.
A breach of any of the covenants in the Amended and Restated Loan Agreement could result in an event of default, which, if not cured or waived, could trigger acceleration of our indebtedness and an increase in the interest rates applicable to such indebtedness, and may result in the acceleration of or default under any other debt we may incur in the future to which a cross-acceleration or cross-default provision applies. The acceleration of the indebtedness under our Amended and Restated Loan Agreement or under any other indebtedness could have an adverse effect on our business, results of operations, and financial condition. In the event of any default under our existing or future debt instruments, the applicable lenders could elect to terminate borrowing commitments and declare all borrowings and loans outstanding, together with accrued and unpaid interest and any fees and other obligations, to be due and payable. In addition, we have granted a security interest in a significant portion of our assets to secure our obligations under our Amended and Restated Loan Agreement. During the existence of an event of default under our Amended and Restated Loan Agreement, the applicable lenders could exercise their rights and remedies thereunder, including by way of initiating foreclosure proceedings against any assets constituting collateral for our obligations.
We may be unable to generate sufficient cash flow to satisfy our debt service obligations, which could have an adverse effect on our business, financial condition, and results of operations.
Our ability to make scheduled payments on or to refinance our debt obligations depends on our financial condition and results of operations, which are subject to prevailing economic and competitive conditions and to certain financial, business, legislative, regulatory, and other factors beyond our control. We may not be able to maintain a level of cash flows from operating activities sufficient to permit us to pay the principal, premium, if any, or interest on our indebtedness. If our cash flows and capital resources are insufficient to fund our debt service obligations, we may be forced to reduce or delay strategic acquisitions and partnerships, capital expenditures, and payments on account of other obligations, seek additional capital, restructure or refinance our indebtedness, or sell assets. These alternative measures may not be successful and may not permit us to meet our scheduled debt service obligations. Our ability to restructure or refinance our debt will depend on the condition of the capital markets and our financial condition at such time. Any refinancing of our debt could be at higher interest rates and could require us to comply with more onerous covenants, which could further restrict our business operations. In addition, we cannot assure you that we will be able to refinance any of our indebtedness on commercially reasonable terms, or at all.
If we are unable to repay or otherwise refinance our indebtedness when due, or if any other event of default is not cured or waived, the applicable lenders could accelerate our outstanding obligations or proceed against the collateral granted to them to secure that indebtedness, which could force us into bankruptcy or liquidation. In the event the applicable lenders accelerate the repayment of our borrowings, we and our subsidiaries may not have sufficient assets to repay that indebtedness. Any acceleration of amounts due under the agreements governing our amended and restated term loan facility or the exercise by the applicable lenders of their rights under the security documents could have a material and adverse effect on our business.
33

Table of Contents
Despite our level of indebtedness, we and our subsidiaries may still be able to incur substantially more debt, including off-balance sheet financing, contractual obligations and general and commercial liabilities. This could further exacerbate the risks to our financial condition described above.
We and our subsidiaries may incur significant additional indebtedness in the future, including additional tranches of term loans and/or term loan increases and/or revolving credit facilities, contractual obligations, and general and commercial liabilities. Although the terms of our Amended and Restated Loan Agreement contain restrictions on the incurrence of additional indebtedness, such restrictions are subject to a number of significant exceptions and qualifications and any additional indebtedness incurred in compliance with such restrictions could be substantial. These restrictions also will not prevent us from incurring obligations that do not constitute indebtedness. If we and our subsidiaries incur significant additional indebtedness or other obligations, the related risks that we face could increase.
We may require additional capital, which may not be available on terms acceptable to us, or at all.
Historically, we have funded our operations and capital expenditures primarily through equity issuances, debt instruments and cash generated from our operations. To support our growing business, we must have sufficient capital to continue to make significant investments in our platform. If we raise additional funds through the issuance of equity, equity-linked or debt securities, those securities may have rights, preferences or privileges senior to those of our common stock, and our existing stockholders may experience dilution. Any debt financing secured by us in the future could involve restrictive covenants relating to our capital-raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities.
We evaluate financing opportunities from time to time, and our ability to obtain financing will depend on, among other things, our development efforts, business plans and operating performance, and the condition of the capital markets at the time we seek financing. We cannot be certain that additional financing will be available to us on favorable terms, or at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us, when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly limited, and our business, financial condition, and results of operations could be adversely affected. In September 2021, we entered into our Amended and Restated Loan Agreement, which provides for term loans, and we must adhere to the covenants contained therein.
Our results of operations may be adversely affected by changes in accounting principles applicable to us.
US GAAP is subject to interpretation by the Financial Accounting Standards Board, the “FASB”, the SEC and other various bodies formed to promulgate and interpret appropriate accounting principles. Changes in accounting principles applicable to us, or varying interpretations of current accounting principles, could have a significant effect on our reported results of operations. Further, any difficulties in the implementation of changes in accounting principles, including the ability to modify our accounting systems, could cause us to fail to meet our financial reporting obligations, which could result in regulatory discipline and harm investors’ confidence in us.
Our estimates or judgments relating to our critical accounting policies may be based on assumptions that change or prove to be incorrect, which could cause our results of operations to fall below expectations of securities analysts and investors, resulting in a decline in the market price of our Class A common stock.
The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as described in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The results of these estimates form the basis for making judgments about the recognition and measurement of certain assets and liabilities and revenue and expenses that is not readily apparent from other sources. Our accounting policies that involve judgment include those related to revenue recognition, the period of benefit for deferred sales commissions, assumptions used for estimating the fair value of common stock and to calculate stock-based compensation, certain accrued liabilities, and valuation allowances associated with income taxes. If our assumptions change or if actual circumstances differ from those in our assumptions, our results of operations could be adversely affected, which could cause our results of operations to fall below the expectations of securities analysts and investors, resulting in a decline in the market price of our Class A common stock.
34

Table of Contents
We may fail to maintain an effective system of disclosure controls and internal control over financial reporting, which could impair our ability to produce timely and accurate financial statements or comply with applicable regulations.
As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, as amended, or the Exchange Act, Sarbanes-Oxley Act, and the listing standards of  the New York Stock Exchange (“NYSE”). The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are continuing to develop and refine our disclosure controls and other procedures that are designed to ensure that information required to be disclosed by us in the reports that we will file with the SEC is recorded, processed, summarized and reported within the time periods specified in SEC rules and forms and that information required to be disclosed in reports under the Exchange Act is accumulated and communicated to our principal executive and financial officers. We are also continuing to improve our internal control over financial reporting. We have expended, and anticipate that we will continue to expend, significant resources in order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting.
Our current controls and any new controls that we develop may become inadequate because of changes in the conditions in our business, including increased complexity resulting from any further international expansion. Further, weaknesses in our disclosure controls or our internal control over financial reporting may be discovered in the future. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our results of operations or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal control over financial reporting could also adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we will eventually be required to include in our periodic reports that will be filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely adversely affect the market price of our common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on NYSE. We are not currently required to comply with the SEC rules that implement Section 404 of the Sarbanes-Oxley Act and are therefore not required to make a formal assessment of the effectiveness of our internal control over financial reporting for that purpose. As a public company, we will be required to provide an annual management report on the effectiveness of our internal control over financial reporting commencing with our second annual report on Form 10-K.
Our independent registered public accounting firm is not required to formally attest to the effectiveness of our internal control over financial reporting until after we are no longer an “emerging growth company.” At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our internal control over financial reporting is documented, designed or operating. Any failure to maintain effective disclosure controls and internal control over financial reporting could have an adverse effect on our business, financial condition, and results of operations, and could cause a decline in the market price of our common stock.
Our business could be adversely affected by economic downturns.
Prolonged economic uncertainties or downturns could adversely affect our business, financial condition, and results of operations. Negative conditions in the general economy in either the United States or abroad, including conditions resulting from financial and credit market fluctuations, changes in economic policy, trade uncertainty, including changes in tariffs, sanctions, international treaties and other trade restrictions, the occurrence of a natural disaster or global public health crisis, such as the COVID-19 pandemic, or armed conflicts, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the U.S. and other countries, and retaliatory actions taken by Russia in response to such sanctions, could cause a decrease in corporate spending on digital identity offerings in general and negatively affect the growth of our business.
These conditions could make it extremely difficult for our customers and us to forecast and plan future business activities accurately and could cause our customers to reevaluate their decision to purchase access to our platform, which could delay and lengthen our sales cycles or result in cancellations of planned purchases. For example, the impact of the COVID-19 pandemic on the current economic environment has caused and may in the future cause our customers to reduce their spending on, or duration of, their contracts with us, or request concessions including extended payment terms or better pricing. Further, during challenging economic times, our customers may face issues in gaining timely access to sufficient credit, which could result in an impairment of their ability to make timely payments to us, if at all. If that were to occur, we may be required to increase our allowance for doubtful accounts, which would adversely affect our results of operations.
35

Table of Contents
A substantial downturn in any of the industries in which our customers operate may cause firms to react to worsening conditions by reducing their capital expenditures in general or by specifically reducing their spending on digital identity offerings. Customers in these industries may delay or cancel projects or seek to lower their costs by renegotiating vendor contracts. To the extent purchases of access to our platform are perceived by customers and potential customers to be discretionary, our revenue may be disproportionately affected by delays or reductions in general digital identity spending.
We cannot predict the timing, strength or duration of any economic slowdown, instability or recovery, generally or within any particular industry or geography. Any economic downtowns of the general economy or industries in which we operate would adversely affect our business, financial condition, and results of operations. For example, the full impact of the COVID-19 pandemic is unknown at this time, but could result in adverse changes in our results of operations for an unknown period of time.
Our business could be adversely affected by pandemics, natural disasters, political crises or other unexpected events.
A significant natural disaster, such as an earthquake, fire, hurricane, tornado, flood or significant power outage, could disrupt our operations, mobile networks, the Internet or the operations of our third-party technology providers. In particular, our corporate headquarters are located in the San Francisco Bay Area, a region known for seismic activity. In addition, any unforeseen public health crises, such as the COVID-19 pandemic, political crises, such as terrorist attacks, war and other political instability, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the U.S. and other countries and retaliatory actions taken by Russia in response to such sanctions, or other catastrophic events, whether in the United States or abroad, can continue to adversely affect our operations or the economy as a whole. The impact of any natural disaster, act of terrorism or other disruption to us or our third- party providers’ abilities could result in decreased demand for our platform or a delay in the provision of our platform, which would adversely affect our business, financial condition, and results of operations. All of the aforementioned risks would be further increased if our disaster recovery plans prove to be inadequate.
Risks Related to Our Dependence on Third Parties
If we are unable to build and maintain successful relationships with our partners, our business, financial condition and results of operations could be adversely affected.
We employ a go-to-market business model whereby a meaningful portion of our revenue is generated by sales through our strategic global channel partners, including global strategic consulting firms and global systems integrators, that further expand the reach of our direct sales force into additional geographies, sectors and industries. We provide certain of our partners with specific training and programs to assist them in selling access to our platform, and our deal cycles are sometimes protracted due to our partners’ involvement. If our partners are unsuccessful in marketing and selling access to our platform, it would limit our expansion into certain geographies, sectors and industries. If we are unable to develop and maintain effective sales incentive programs for our partners, we may not be able to incentivize these partners to sell access to our platform to customers.
Identifying partners, and negotiating and documenting relationships with them, requires significant time and resources. Our competitors may be effective in causing third parties to favor their products or services over subscriptions to our platform. In addition, acquisitions of such partners by our competitors could result in a decrease in the number of our current and potential customers, as these partners may no longer facilitate the adoption of our applications by potential customers. Further, some of our partners are or may become competitive with certain of our offerings and may elect to no longer integrate with our platform. If we are unsuccessful in establishing or maintaining our relationships with third parties, our ability to compete in the marketplace or to grow our revenue could be impaired, and our results of operations may suffer. Even if we are successful, we cannot ensure that these relationships will result in increased customer adoption and usage of our platform or increased revenue. If our existing relationships with our partners are disrupted or terminated for any of these factors, our business, financial condition, and results of operations could be adversely affected.
Defects in or the loss of access to software or services from third parties could increase our costs and adversely affect the quality of our platform.
We rely on technologies from third parties to operate critical functions of our business, including cloud infrastructure services such as GCP, customer relationship management services, support software and development hardware. Our business would be disrupted if any of the third-party software or services we use, or functional equivalents, were unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices. In each case, we would be required to either seek licenses to software or services from other parties and redesign our platform and
36

Table of Contents
offerings to function with such software or services or develop substitutes ourselves, which would result in increased costs and could result in delays in our offering launches and the release of new platform offerings until equivalent technology can be identified, licensed or developed, and integrated into our platform. Furthermore, we might be forced to limit the features available on our platform. Any delays and feature limitations could adversely affect our business, financial condition, and results of operations.
Certain estimates and information that we refer to publicly are based on information from third-party sources and we do not independently verify the accuracy or completeness of the data contained in such sources or the methodologies for collecting such data, and any real or perceived inaccuracies in such estimates and information may harm our reputation and adversely affect our business.
Certain estimates and information that we refer to publicly, including general expectations concerning our industry and the market in which we operate and addressable market size, are based to some extent on information provided by third-party providers. This information involves a number of assumptions and limitations, and although we believe the information from such third-party sources is reliable, we have not independently verified the accuracy or completeness of the data contained in such third-party sources or the methodologies for collecting such data. If there are any limitations or errors with respect to such data or methodologies, or if investors do not perceive such data or methodologies to be accurate, or if we discover material inaccuracies with respect to such data or methodologies, our business, financial condition, and results of operations could be adversely affected.
Risks Related to Our Intellectual Property
We use open source software in our platform and offerings, which could negatively affect our ability to offer our platform and expose us to litigation or other actions.
We use open source software in our platform and offerings and expect to use more open source software in the future. In certain circumstances, we also make available, upon customer request, the source code of the open source portions of our software. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate open source software into their products. However, the terms of many open source licenses have not been interpreted by U.S. or foreign courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our platform and offerings. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software, or claiming that software we developed using such open source software is a derivative work of open source software and demanding the release of portions of our source code, or otherwise seeking to enforce the terms of the applicable open source license. Litigation could be costly for us to defend, have a negative effect on our financial condition and results of operations or require us to devote additional research and development resources to change our platform and offerings.
In addition, if we were to combine our proprietary software offerings with open source software in a certain manner, we could, under certain of the open source licenses, be required to release the source code of our proprietary software to the public. While we monitor our use of open source software and try to ensure that none is used in a manner that would require us to disclose our proprietary source code or that would otherwise breach the terms of an open source agreement, such use could inadvertently occur, or could be claimed to have occurred, in part because open source license terms are often ambiguous. This would allow our competitors to create similar products with less development effort and time. If we inappropriately use open source software, or if the license terms for open source software that we use change, we may be required to re-engineer our platform or offerings, incur additional costs, discontinue the sale of some or all of our platform or take other remedial actions.
In addition to risks related to license requirements, usage of open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or assurance of title or controls on origin of the software. There is typically no support available for open source software, and we cannot ensure that the authors of such open source software will implement or push updates to address security risks or will not abandon further development and maintenance. In addition, many of the risks associated with usage of open source software, such as the lack of warranties or assurances of title, cannot be eliminated, and could, if not properly addressed, negatively affect our business. We have established processes to help alleviate these risks, including a review process for screening requests from our development organizations for the use of open source software, but we cannot be sure that all of our use of open source software is in a manner that is consistent with our current policies and procedures, or will not subject us to liability. Any of these risks could be difficult to eliminate or manage and, if not addressed, could have an adverse effect on our business, financial condition, and results of operations.
37

Table of Contents
If we fail to adequately obtain, maintain, defend, protect or enforce our intellectual property or proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate less revenue and incur costly litigation.
Our success is dependent, in part, upon protecting our intellectual property, proprietary information and technology. We rely, or may in the future rely, on a combination of patents, copyrights, trademarks, service marks, trade secret laws in the United States and certain other jurisdictions and contractual restrictions to establish and protect our proprietary rights, all of which provide only limited protection. However, the steps we take to protect our intellectual property may be inadequate and we will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Various factors outside our control pose a threat to our intellectual property rights, as well as to our products, services and technologies. For example, we may fail to obtain effective intellectual property protection, or the efforts we have taken to protect our intellectual property rights may not be sufficient or effective, and any of our intellectual property rights may be challenged, which could result in them being narrowed in scope or declared invalid or unenforceable.
We make business decisions about when to seek patent protection for a particular technology and when to rely upon trade secret protection, and the approach we select may ultimately prove to be inadequate. There can be no assurance our intellectual property rights will be sufficient to protect against others offering products or services that are substantially similar to ours and compete with our business or that unauthorized parties may attempt to copy aspects of our technology and use information that we consider proprietary. For example, it is possible that third parties, including our competitors, may obtain patents relating to technologies that overlap or compete with our technology. If third parties obtain patent protection with respect to such technologies, they may assert that our technology infringes their patents and seek to charge us a licensing fee or otherwise preclude the use of our technology.
We rely in part on trade secrets, proprietary know-how and other confidential information to maintain our competitive position. We attempt to protect our intellectual property, technology and confidential information by requiring our employees, contractors, consultants, corporate collaborators, advisors and other third parties who develop intellectual property on our behalf to enter into confidentiality and invention assignment agreements and third parties we share information with to enter into nondisclosure and confidentiality agreements. However, we cannot guarantee that we have entered into such agreements with each party who has developed intellectual property on our behalf and each party that has or may have had access to our confidential information, know-how and trade secrets, and no assurance can be given that these agreements will be effective in controlling access to and distribution of our intellectual property, trade secrets, platform or offerings and proprietary and confidential information. Further, these agreements do not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our platform or offerings. These agreements may be insufficient or breached, or may not effectively prevent unauthorized access to or unauthorized use, disclosure, misappropriation or reverse engineering of, our confidential information, intellectual property, or technology. Moreover, these agreements may not provide an adequate remedy for breaches or in the event of unauthorized use or disclosure of our confidential information or technology, or infringement of our intellectual property. Enforcing a claim that a party illegally disclosed or misappropriated a trade secret or know-how is difficult, expensive, and time-consuming, and the outcome is unpredictable. In addition, trade secrets and know-how can be difficult to protect and some courts inside and outside the U.S. are less willing or unwilling to protect trade secrets and know-how. If any of our trade secrets were to be lawfully obtained or independently developed by a competitor or other third party, we would have no right to prevent them from using that technology or information to compete with us, and our competitive position would be adversely harmed. The loss of trade secret protection could make it easier for third parties to compete with our products and services by copying functionality. Additionally, individuals not subject to invention assignment agreements may make adverse ownership claims to our current and future intellectual property, and, to the extent that our employees, independent contractors or other third parties with whom we do business use intellectual property owned by others in their work for us, disputes may arise as to the rights in related or resulting know-how and inventions.
Despite our precautions, it may be possible for unauthorized third parties to copy our platform or offerings and use information that we regard as proprietary to create products that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our platform or offerings may be unenforceable under the laws of certain jurisdictions and foreign countries. Further, the laws of some countries do not protect intellectual property and proprietary rights to the same extent as the laws of the United States, and mechanisms for enforcement of intellectual property rights in some foreign countries may be inadequate. Any of our intellectual property rights may be challenged or circumvented by others or invalidated or held unenforceable through administrative process or litigation in the United States or in foreign jurisdictions. Furthermore, legal standards relating to the validity, enforceability and scope of protection of intellectual property rights are uncertain and any changes in, or unexpected interpretations of, intellectual property laws may compromise our ability to enforce our trade secrets and intellectual property rights. To the extent we expand our international activities, our exposure to unauthorized copying and use of our platform or offerings and proprietary information may increase. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing, misappropriating, or otherwise violating our technology and intellectual property.
38

Table of Contents
To protect our intellectual property rights, we may be required to spend significant time, money, and resources to maintain, monitor, and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Additionally, because of the substantial amount of discovery required in connection with intellectual property litigation, there is a risk that some of our confidential information could be compromised by disclosure during this type of litigation. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our platform or offerings, impair the functionality of our platform or offerings, delay introductions of new offerings, result in our substituting inferior or more costly technologies into our platform and offerings, or injure our reputation.
If we fail to comply with our obligations under license or technology agreements with third parties, we may be required to pay damages and we could lose license rights that are critical to our business.
We license from third parties certain intellectual property, technologies, data, content and software that are important to our business, and in the future we may enter into additional agreements. If we fail to comply with any of the obligations under our license agreements, we may be required to pay damages and the licensor may have the right to terminate the license. Termination by the licensor may cause us to lose valuable rights, and could prevent us from selling our products and services, or inhibit our ability to commercialize future products and services. Our business may suffer if any current or future licenses terminate, if the licensors fail to abide by the terms of the license, if the licensors fail to enforce licensed patents against infringing third parties, if the licensed intellectual property rights are found to be invalid or unenforceable, or if we are unable to enter into necessary licenses on acceptable terms. Moreover, our licensors may not own or control intellectual property that has been licensed to us and, as a result, we may be subject to claims, regardless of their merit, that we are infringing, misappropriating or otherwise violating a third party’s rights. In addition, the agreements under which we license intellectual property or technology from third parties are generally complex, and certain provisions in such agreements may be susceptible to multiple interpretations. The resolution of any contract interpretation disagreement that may arise could narrow what we believe to be the scope of our rights to the relevant intellectual property or technology, or increase what we believe to be our financial or other obligations under the relevant agreement. Any of the foregoing could an adverse effect on our competitive position, business, financial condition, and results of operations.
If we cannot license rights to use technologies on reasonable terms, we may not be able to commercialize new products in the future.
In the future, we may identify additional third-party intellectual property that we may need to license to conduct our business, including to develop or commercialize new products or services. However, such licenses may not be available on acceptable terms or at all. The licensing or acquisition of third-party intellectual property rights is a competitive area, and several more established companies may pursue strategies to license or acquire third-party intellectual property rights that we may consider attractive or necessary. These established companies may have a competitive advantage over us due to their size, capital resources and greater development or commercialization capabilities. In addition, companies that perceive us to be a competitor may be unwilling to assign or license rights to us. Even if such licenses are available, we may be required to pay the licensor substantial royalties based on sales of our products and services. Such royalties are a component of the cost of our products or services and may affect the margins on our products and services. In addition, such licenses may be non-exclusive, which could give our competitors access to the same intellectual property licensed to us. If we are unable to enter into the necessary licenses on acceptable terms or at all, if any necessary licenses are subsequently terminated, if our licensors fail to abide by the terms of the licenses, if our licensors fail to prevent infringement by third parties, or if the licensed intellectual property rights are found to be invalid or unenforceable, our business, financial condition, and results of operations could be adversely affected. Defense of any lawsuit or failure to obtain any of these licenses on favorable terms could prevent us from commercializing products, which could have an adverse effect on our competitive position, business, financial condition, and results of operations.
If we are subject to a claim that we infringe, misappropriate or otherwise violate a third party’s intellectual property rights, our business, financial condition, or results of operations could be adversely affected.
Claims by third parties that we or customers using our platform infringe, misappropriate or otherwise violate their proprietary technology or other intellectual property rights could harm our business. A number of companies in our industry hold a large number of patents and also protect their copyrights, trade secrets and other intellectual property rights, and there is considerable patent and other intellectual property development activity in our industry. We expect that software companies
39

Table of Contents
will increasingly be subject to claims of infringement, misappropriation and other violations of intellectual property rights as the number of products and competitors grows and the functionality of products in different industry segments overlaps. As we face increasing competition and become increasingly high profile, the possibility of receiving a larger number of intellectual property claims against us grows. In addition, various “non-practicing entities,” and other intellectual property rights holders may attempt to assert intellectual property claims against us or seek to monetize the intellectual property rights they own to extract value through licensing or other settlements.
In addition, the patent portfolios of many of our competitors are larger than ours, and this disparity may increase the risk that our competitors may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. Our use of third-party software and other intellectual property rights also may be subject to claims of infringement or misappropriation. For example, a claim may be made relating to technology that we acquire or license from third parties. In addition, to the extent we hire personnel from competitors, we may be subject to allegations that such personnel have divulged proprietary or other confidential information to us. Further, we may be unaware of the intellectual property rights of others that may cover some or all of our technology, and our insurance may not cover intellectual property rights infringement claims that may be made.

Our agreements with our customers or third-party service providers also contain indemnification provisions related to claims that our platform infringes upon, misappropriates or otherwise violates the intellectual property rights of third parties. We have in the past, and may in the future, receive such claims. In the event that the resolution of such claims requires us to indemnify our customers or third-party service providers for significant amounts, our business, financial condition and results of operations could be adversely affected.
Any claim of infringement, misappropriation or other violation, regardless of its merit or our defenses, could:
require costly litigation to resolve or the payment of substantial damages, ongoing royalty payments, or other significant amounts to settle such disputes;
require significant management time and attention;
cause us to enter into unfavorable royalty or license agreements, which may not be available on commercially reasonable terms, if at all;
require us to discontinue the sale of some or all of our platform, remove, or reduce features or functionality of our platform or comply with other unfavorable terms;
require us to indemnify our customers or third-party service providers; or
require us to expend additional development resources to redesign our platform.
Any of the foregoing could adversely affect our business, financial condition, and results of operations.
We may be obligated to disclose our proprietary source code to certain of our customers, which may limit our ability to protect our intellectual property and proprietary rights and could reduce the renewals of our solutions.
Some of our customer agreements contain provisions permitting the customer to become a party to, or a beneficiary of, a source code escrow agreement under which we place the proprietary source code for certain of our products in escrow with a third party, and in certain circumstances, upon customer request, we also make available the source code of our proprietary software. We are currently party to a source code escrow agreement, pursuant to which an escrow agent may release our source code to customers identified as beneficiaries under such agreement (i) upon our written request or (ii) if we become the subject of a voluntary or involuntary petition in bankruptcy (other than a case filed under chapter 11 of the U.S. Bankruptcy Code), and such petition is not dismissed within 120 days of filing, or if we admit in writing of our inability to pay our debts as they become due. We have never released our source code from escrow. Agreements with certain customers may also require us to release our source code under certain other circumstances, such as material breach of the applicable agreement. Disclosing the content of our source code may limit the intellectual property protection we can obtain or maintain for our source code or our products containing that source code and may facilitate intellectual property infringement, misappropriation or other violation claims against us. Following any such release, we cannot be certain that customers will comply with the restrictions on their use of the source code and we may be unable to monitor and prevent unauthorized disclosure of such source code by customers. Any increase in the number of people familiar with our source code as a result of any such release also may increase the risk of a successful hacking attempt. Any of these circumstances could result in an adverse effect on our business, financial condition, and results of operations.
40

Table of Contents
Risks Related to Legal and Regulatory Environment
Our business is subject to a wide range of laws and regulations, many of which are evolving, and failure to comply with such laws and regulations could harm our business, financial condition, and results of operations.
Our business is subject to regulation by various federal, state, local and foreign governmental agencies, including agencies responsible for monitoring and enforcing data privacy, security and protection laws and regulations, intellectual property, employment and labor laws, workplace safety, consumer protection laws, anti- bribery laws, import and export controls, immigration laws, federal securities laws and tax laws and regulations. In certain foreign jurisdictions, these regulatory requirements may be more stringent than in the United States. These laws and regulations impose added costs on our business. Noncompliance with applicable regulations or requirements could subject us to:
investigations, enforcement actions, orders and sanctions;
mandatory changes to our products and services;
disgorgement of profits, fines and damages;
civil and criminal penalties or injunctions;
claims for damages by our customers or partners;
termination of contracts;
loss of intellectual property rights; and
temporary or permanent debarment from sales to heavily regulated organizations and governments.
If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, financial condition, and results of operations could be adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could materially harm our business, financial condition, and results of operations.
In addition, we must comply with laws and regulations relating to the formation, administration and performance of contracts with customers in heavily regulated industries and the public sector, including U.S. federal, state and local governmental organizations, which affect how we and our partners do business with such customers. Selling our product to customers in heavily regulated industries or to the U.S. government, whether directly or through partners, also subjects us to certain regulatory and contractual requirements. Failure to comply with these requirements by either us or our partners could subject us to investigations, fines and other penalties, which would adversely affect our business, financial condition, and results of operations. Violations of certain regulatory and contractual requirements could also result in us being suspended or debarred from future government contracting or other contracting opportunities. Any of these outcomes could adversely affect our business, financial condition, and results of operations.
We are subject to stringent laws, rules and regulations regarding privacy, data protection and information security. Any actual or perceived failure by us to comply with such laws, rules and regulations, the privacy or security provisions of our privacy policy, our contracts or other legal or regulatory requirements could result in proceedings, actions or penalties against us and materially adversely affect our business.
Our customers’ collection, storage, use and other processing of data concerning, among others, their employees, contractors, partners and customers is essential to their use of our platform. We have implemented various features intended to enable our customers to better comply with applicable privacy, data protection and information security requirements in their collection, use and other processing of data within our online service, but these features do not ensure their compliance and may not be effective against all potential concerns relating to privacy, data protection or information security.
Many jurisdictions have enacted or are considering enacting or revising privacy, data protection or information security legislation, including laws, rules and regulations applying to the collection, use, storage, transfer, disclosure or other processing of personal data, including for purposes of marketing and other communications. The costs of compliance with, and other burdens imposed by, such laws, rules and regulations that are applicable to the operations of our business, or those of our customers, may limit the use and adoption of our service and reduce overall demand for it. These privacy, data protection and information security related laws, rules and regulations are evolving and may result in increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. In addition, we are subject to certain contractual obligations regarding the collection, use, storage, transfer, disclosure or other processing of personal data. Although we are working to comply with applicable federal, state, and foreign laws, rules and regulations, industry standards, contractual obligations and other legal
41

Table of Contents
obligations that apply to us, those laws, rules, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another, other requirements or legal obligations, our practices or the features of our platform. We also expect that there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection and information security in the United States, the European Union and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards may have on our business.
In June 2018, California enacted the CCPA, which took effect on January 1, 2020 and established a new privacy framework for covered businesses such as ours, which may require us to modify our data processing practices and policies and incur compliance-related costs and expenses. The CCPA broadly defines personal information and gave California residents expanded privacy rights and protections, such as affording them the right to access and request deletion of their information and to opt out of certain sharing and sales of personal information. The law also prohibits covered businesses from discriminating against California residents (for example, charging more for services) for exercising any of their CCPA rights. The CCPA provides for severe civil penalties and statutory damages for violations and a private right of action for certain data breaches that result in the loss of personal information. This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. However, it remains unclear how various provisions of the CCPA will be interpreted and enforced. In November 2020, California voters passed the California Privacy Rights Act of 2020, or CPRA. Effective in most material respects starting on January 1, 2023, the CPRA imposes additional obligations on companies covered by the legislation and will significantly modify the CCPA, including by expanding the CCPA with additional data privacy compliance requirements that may impact our business. The CPRA also establishes a regulatory agency dedicated to enforcing the CCPA and the CPRA. The effects of the CPRA, the CCPA, other similar state or federal laws, and other future changes in laws or regulations relating to privacy, data protection and information security, particularly any new or modified laws or regulations that require enhanced protection of certain types of data or new obligations with regard to data retention, transfer or disclosure, are significant, may require us to modify our data processing practices and policies, and could greatly increase the cost of providing our offerings, require significant changes to our operations or even prevent us from providing certain offerings in jurisdictions in which we currently operate and in which we may operate in the future or incur potential liability in an effort to comply with such legislation.
Other state legislatures are currently contemplating, and may pass, their own comprehensive data privacy and security laws, with potentially greater penalties and more rigorous compliance requirements relevant to our business, and many state legislatures have already adopted legislation that regulates how businesses operate online, including measures relating to privacy, data security, data breaches and the protection of sensitive and personal information. For example, in March 2021, Virginia enacted the Virginia Consumer Data Protection Act, or CDPA, a comprehensive privacy statute that becomes effective on January 1, 2023 and shares similarities with the CCPA, the CPRA, and legislation proposed in other states. Laws in all 50 states require businesses to provide notice under certain circumstances to customers whose personal information has been disclosed as a result of a data breach. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual obligations and other obligations may require us to incur additional costs and restrict our business operations. Such laws and regulations may require companies to implement privacy and security policies, permit users to access, correct and delete personal data stored or maintained by such companies, inform individuals of security breaches that affect their personal data, and, in some cases, obtain individuals’ consent to use personal data for certain purposes. If we, or the third parties on which we rely, fail to comply with federal, state or international laws or regulations relating to privacy, data protection or information security, our ability to successfully operate our business and pursue our business goals could be harmed. In addition to government activity, privacy advocacy groups and technology and other industries are considering various new, additional or different self-regulatory standards that may place additional burdens on us. Future laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations may require us to modify our data processing practices and policies, and could impair our or our customers’ ability to collect, use or disclose information relating to consumers, which could decrease demand for our applications, increase our costs and impair our ability to maintain and grow our customer base and increase our revenue.

Internationally, many jurisdictions have established their own legal frameworks governing privacy, data protection, and information security with which we may need to comply. For example, the European Union has adopted the GDPR, which went into effect in May 2018 and contains numerous requirements and changes from previously existing EU law, including more robust obligations on data processors and heavier documentation requirements for data protection compliance programs. The GDPR requires data controllers to implement more stringent operational requirements for processors and controllers of personal data, including, for example, transparent and expanded disclosure to data subjects about how their personal data is to be used, imposes limitations on retention of information, introduces mandatory data breach notification requirements, and sets higher standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities. The GDPR also imposes strict rules on the transfer of personal data to countries outside the European Economic Area (the “EEA”),
42

Table of Contents
including the United States. In 2016, the EU and United States agreed to a transfer framework for data transferred from the EEA to the United States, called the EU-U.S. Privacy Shield, but the EU-U.S. Privacy Shield was invalidated in July 2020 by the Court of Justice of the EU, or CJEU. On September 8, 2020, the Swiss Federal Data Protection and Information Commissioner invalidated the Swiss-U.S. Privacy Shield on similar grounds. The standard contractual clauses issued by the European Commission for the transfer of personal data (the “SCCs”), a potential alternative to the EU-U.S. Privacy Shield, also have been drawn into question for use under certain circumstances, and regulators have issued additional guidance regarding considerations and requirements that we and other companies must consider and undertake when using the SCCs. In its July 2020 decision invalidating the EU-U.S. Privacy Shield, the CJEU imposed additional obligations on companies when relying on the SCCs to transfer personal data. The CJEU decision may result in European data protection regulators applying differing standards for, and requiring ad hoc verification of, transfers of personal data from the EEA and Switzerland to the U.S. On June 4, 2021, the European Commission published new SCCs that are required to be implemented, and it remains to be seen whether additional means for lawful data transfers will become available. The revised SCCs, recommendations and opinions of regulators, and other developments relating to cross-border data transfer, may require us to implement additional contractual and technical safeguards for any personal data transferred out of the EEA and Switzerland, which may increase compliance and related costs, lead to increased regulatory scrutiny or liability, necessitate additional contractual negotiations, and adversely impact our business, financial condition, and results of operations. Fines for noncompliance with the GDPR are significant and can be up to the greater of €20 million or 4% of annual global turnover. The GDPR also provides that EU member states may introduce further conditions, including limitations, and make their own laws and regulations further limiting the processing of ‘special categories of personal data,’ including personal data related to health, biometric data used for unique identification purposes and genetic information, which could limit our ability to collect, use and share EU data, and could cause our compliance costs to increase, ultimately having an adverse impact on our business, financial condition, and results of operations.

Further, the United Kingdom’s exit from the European Union, often referred to as Brexit, and ongoing developments in the United Kingdom have created uncertainty with regard to data protection regulation in the United Kingdom. Following the expiry of transitional arrangements agreed to between the United Kingdom and European Union, data processing in the United Kingdom is governed by a United Kingdom version of the GDPR (combining the GDPR and the United Kingdom’s Data Protection Act 2018), which authorizes significant fines, up to the greater of £17.5 million or 4% of global turnover, and exposes us to two parallel regimes and other potentially divergent enforcement actions for certain violations. On June 28, 2021, the European Commission announced a decision that the United Kingdom is an “adequate country” to which personal data could be exported from the EEA, but this decision must be renewed and may face challenges in the future, creating uncertainty regarding transfers of personal data to the United Kingdom from the EEA. Furthermore, there exists the potential over time for divergence in application, interpretation and enforcement of the data protection law as between the United Kingdom and EEA. On February 2, 2022, the United Kingdom’s Information Commissioner’s Office issued new standard contractual clauses, or the UK SCCs, to support personal data transfers out of the United Kingdom. If approved by the United Kingdom Parliament, the UK SCCs will become effective March 21, 2022, and we may, in addition to other impacts, experience additional costs associated with increased compliance burdens and be required to engage in new contract negotiations with third parties that aid in processing personal data on our behalf or localize certain personal data of United Kingdom data subjects. Other countries have also passed or are considering passing laws requiring local data residency or restricting the international transfer of data. Additionally, many jurisdictions outside the United States, EEA, and United Kingdom in which we have operations or for which such jurisdictions’ laws or regulations may apply to us or our operations, including Canada, Australia, New Zealand, and Singapore, maintain laws and regulations relating to privacy, data protection, and information security that provide for extensive obligations in connection with the use, collection, protection, and processing of personal data. Many of these legal regimes provide for substantial fines, penalties, or other consequences for noncompliance. We may be required to implement new measures or policies, or change our existing policies and measures or the features of our platform, in an effort to comply with U.S. and international laws, rules, and regulations relating to privacy, data protection and information security, which may require us to expend substantial financial and other resources and which may otherwise be difficult to undertake.
Any failure or perceived failure by us to comply with federal, state or foreign laws, rules or regulations, industry standards, contractual or other legal obligations relating to privacy, data protection or information security, or any actual, perceived or suspected security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personal data or other data, may result in enforcement actions and prosecutions, private litigation, significant fines, penalties and censure, claims for damages by customers and other affected individuals, regulatory inquiries and investigations or adverse publicity and could cause our customers to lose trust in us, any of which could have an adverse effect on our reputation and business. Since many of our offerings involve the processing of personal data from our customers and their employees, contractors, customers, partners and others, any inability to adequately address privacy, data protection or information security concerns, even if unfounded, or comply with applicable laws, rules, regulations, policies, industry standards, contractual or
43

Table of Contents
other legal obligations could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business, financial condition, and results of operations.
Around the world, there are numerous lawsuits in process against various technology companies that process personal data. If those lawsuits are successful, it could increase the likelihood that our company may be exposed to liability for our own policies and practices concerning the processing of personal data and could hurt our business. Furthermore, the costs of compliance with, and other burdens imposed by laws, regulations and policies concerning privacy, data protection and information security that are applicable to the businesses of our customers may limit the use and adoption of our platform and reduce overall demand for it. Concerns relating to privacy, data protection or information security whether or not valid, may inhibit market adoption of our platform. Additionally, concerns about privacy, data protection or information security may result in the adoption of new legislation that restricts the implementation of technologies like ours or requires us to make modifications to our platform, which could significantly limit the adoption and deployment of our technologies or result in significant expense to modify our platform.
We publicly post our privacy policies and practices concerning our collection, use, disclosure and other processing of the personal data provided to us by our website visitors and by our customers. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy, data protection and information security can subject us to potential regulatory action if they are found to be deceptive, unfair or misrepresentative of our actual practices.
Evolving and changing definitions of what constitutes “personal information” and “personal data” within the EEA, the United States and elsewhere, especially relating to classification of IP addresses, machine or device identification numbers, location data and other information, may limit or inhibit our ability to operate or expand our business, including limiting technology alliance partners that may involve the sharing of data. In addition, rapidly-evolving privacy laws and frameworks distinguish between a data processor and data controller (or under the CCPA, whether a business is a ‘service provider’), and different risks and requirements may apply to us, depending on the nature of our data processing activities. If our business model expands and changes over time, different sets of risks and requirements may apply to us, requiring us to re-orient the business accordingly.
If our platform is perceived to cause, or is otherwise unfavorably associated with, violations of privacy, data protection or information security requirements, it may subject us or our customers to public criticism and potential legal liability. Existing and potential laws, rules and regulations concerning privacy, data protection and information security and increasing sensitivity of consumers to unauthorized processing of personal data may create negative public reactions to technologies, products and services such as ours. Public concerns regarding personal data processing, privacy, data protection and information security may cause some of our customers’ end users to be less likely to visit their websites or otherwise interact with them. If enough end users choose not to visit our customers’ websites or otherwise interact with them, our customers could stop using our platform. This, in turn, may reduce the value of our service, and slow or eliminate the growth of our business, or cause our business to contract.
We may be the subject of legal proceedings which could have an adverse effect on our business, financial condition, and results of operations.
In the ordinary course of business, we may be involved in various litigation matters, including but not limited to commercial disputes, employee claims and class actions, and from time to time may be involved in governmental or regulatory investigations or similar matters arising out of our current or future business. Any claims asserted against us, regardless of merit or eventual outcome, could harm our reputation and have an adverse impact on our relationship with our customers, partners and other third parties and could lead to additional related claims. Certain claims may seek injunctive relief, which could disrupt the ordinary conduct of our business and operations or increase our cost of doing business. Our insurance or indemnities may not cover all claims that may be asserted against us, and any claims asserted against us, regardless of merit or eventual outcome, may harm our reputation and cause us to expend resources in our defense. Furthermore, there is no guarantee that we will be successful in defending ourselves in future litigation or similar matters under various laws. If judgments or settlements in any future litigation or investigation significantly exceed our insurance coverage, our business, financial condition, and results of operations could be adversely affected.
44

Table of Contents
If we fail to meet the service level commitments under our customer contracts, we could be obligated to provide credits for future service, or face contract termination with refunds of prepaid amounts related to unused subscriptions, which could adversely affect our business, financial condition, and results of operations.
Our customer agreements contain service level commitments, under which we guarantee specified availability of our platform, and time-bound resolutions to support inquiries. Any failure of or disruption to our infrastructure could make our platform unavailable to our customers. If we are unable to meet the stated service level commitments to our customers or suffer extended periods of unavailability of our platform, we may be contractually obligated to provide affected customers with service credits for future subscriptions, or customers could elect to terminate and receive refunds for prepaid amounts related to unused subscriptions. Any of the foregoing could adversely affect our business, financial condition, and results of operations.
Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
Our agreements with customers, partners and other third parties may include indemnification or other provisions under which we agree to indemnify or otherwise be liable to them for losses suffered or incurred as a result of claims of intellectual property infringement, misappropriation or other violation, damages caused by us to property or persons, or other liabilities relating to or arising from the use of our platform or other acts or omissions. The term of these contractual provisions sometimes survives termination or expiration of the applicable agreement. As we continue to grow, the possibility of infringement claims and other intellectual property rights claims against us may increase. For any intellectual property rights indemnification claim against us or our customers, we will incur significant legal expenses and may have to pay damages, settlement fees, license fees or stop using technology found to be in violation of the third party’s rights. Large indemnity payments could harm our business, financial condition, and results of operations. We may also have to seek a license for the infringing or allegedly infringing technology. Such license may not be available on reasonable terms, if at all, and may significantly increase our operating expenses or may require us to restrict our business activities and limit our ability to deliver certain offerings. As a result, we may also be required to develop alternative non-infringing technology, which could require significant effort and expense or cause us to alter our platform, which could adversely affect our business, financial condition, and results of operations.
From time to time, customers require us to indemnify or otherwise be liable to them for breach of confidentiality, violation of applicable law or failure to implement adequate security measures with respect to their data stored, transmitted or accessed using our platform. Although we normally contractually limit our liability with respect to such obligations, the existence of such a dispute may have adverse effects on our customer relationship and reputation and we may still incur substantial liability related to them.
Any assertions by a third party, whether or not successful, with respect to such indemnification obligations could subject us to costly and time-consuming litigation, expensive remediation and licenses, divert management attention and financial resources, harm our relationship with that customer and other current and prospective customers, reduce demand for our platform, and adversely affect our brand, business, financial condition, and results of operations.
We may be subject to liability claims if we breach our contracts and our insurance may be inadequate to cover our losses.
We are subject to numerous obligations in our contracts with our customers and partners. Despite the procedures, systems and internal controls we have implemented to comply with our contracts, we may breach these commitments, whether through a weakness in these procedures, systems and internal controls, negligence or the willful act of an employee or contractor. Our insurance policies, including our errors and omissions insurance, may be inadequate to compensate us for the potentially significant losses that may result from claims arising from breaches of our contracts, disruptions in our service, including those caused by cybersecurity incidents, failures or disruptions to our infrastructure, catastrophic events and disasters or otherwise. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all. Further, our insurance may not cover all claims made against us and defending a suit, regardless of its merit, could be costly and divert management’s attention.
A portion of our revenue is generated from sales to government entities, which subject us to a number of challenges and risks.
A portion of our revenue is generated from sales to governmental entities, and we have made, and may continue to make, investments to support future sales opportunities in the government sector. We estimate that we generated approximately 19% of our revenue from sales to government entities in 2021 and 16% in each of 2020 and 2019. Government demand for our
45

Table of Contents
platform and offerings could be impacted by budgetary cycles, and there may be governmental certification requirements for our platform. Further, we may be subject to audits and investigations regarding our governmental contracts, and any violations could result in penalties and sanctions, including termination of the contract, refunding or forfeiting payments, fines and suspension or disbarment from future government business. Selling to these entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that we will successfully complete a sale. Government entities often require contract terms that differ from our standard arrangements and impose compliance requirements that are complicated, require preferential pricing, termination rights tied to funding availability, or are otherwise time consuming and expensive to satisfy. Government entities may also have statutory, contractual, or other legal rights to terminate contracts with our partners for convenience, for lack of funding, or due to a default, and any such termination may adversely impact our results of operations. If we undertake to meet special standards or requirements and do not meet them, we could be subject to increased liability from our customers or regulators. Even if we do meet such special standards, the additional costs associated with providing our platform and offerings to government entities could harm our margins. Moreover, changes in the underlying regulatory conditions that affect these types of customers could harm our ability to efficiently provide our platform to them and to grow or maintain our customer base. If we are unable to manage the risks related to contracting with government entities, our business, financial condition, and results of operations could be adversely affected.
Political developments in the United Kingdom, including the exit of the United Kingdom from the European Union, could adversely affect our business, financial condition, and results of operations.
We contract with our international customers via our subsidiary in the United Kingdom, ForgeRock Limited, and we derive a meaningful portion of our revenue from the United Kingdom, which is typically in British Pounds or Euros. Recent developments in the relationship between the United Kingdom and the European Union may have an adverse impact on our business and financial position, and results of operations and the currencies in which we transact business.
Following a referendum in June 2016, the United Kingdom withdrew from the European Union on February 1, 2020, or Brexit, and entered into a transition period to, among other things, negotiate an agreement with the European Union governing the future relationship between the European Union and the United Kingdom. Brexit created significant political and economic uncertainty in 2020 about the future relationship between the United Kingdom and the European Union, which in turn caused and continues to cause significant volatility in global financial markets and the value of the British Pound or other currencies, including the Euro.
While the E.U.-UK Trade and Cooperation Agreement was agreed on December 24, 2020 and ratified by the UK Parliament on December 30, 2020 shortly before the transition period ended on December 31, 2020, the ongoing impact of both Brexit and the E.U.-UK Trade and Cooperation Agreement, is unclear how these will impact economic conditions in the United Kingdom as well as global financial markets.
While the European Union Withdrawal Act retains relevant E.U. law as domestic UK law and the E.U.-UK Trade and Cooperation Agreement extended the transition period specifically for data transfers (the adequacy bridge), Brexit has nonetheless created uncertainty with regard to the regulation of data protection, immigration and taxation, among other issues, in the United Kingdom. For example, it is unclear how Brexit will affect how data transfers to and from the United Kingdom will be regulated in the future.
The uncertainty that Brexit has caused may result in new regulatory challenges or increased costs to our United Kingdom and global operations, all of which could adversely affect our business, financial condition, and results of operations.
We are subject to anti-corruption, anti-bribery, anti-money laundering and similar laws, and non-compliance with such laws can subject us to criminal penalties or significant fines and harm our business and reputation.
We are subject to the U.S. Foreign Corrupt Practices Act of 1977, as amended, or the FCPA, the U.S. domestic bribery statute contained in 18 U.S.C. § 201, U.S. Travel Act, the U.K. Bribery Act 2010 and possibly other anti-corruption, anti-bribery and anti-money laundering laws in countries in which we conduct activities. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly and prohibit companies and their employees, agents, representatives, business partners, and third-party intermediaries from promising, authorizing, making or offering, directly or indirectly, improper payments or other benefits to recipients in the public or private sector. As we increase our international sales and business, our risks under these laws may increase.
In addition, we use third parties to sell our platform or offerings and conduct business on our behalf abroad. We, our employees, agents, representatives, business partners and third-party intermediaries may have direct or indirect interactions with
46

Table of Contents
officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these employees, agents, representatives, business partners and third-party intermediaries, representatives, contractors, partners, and agents, even if we do not explicitly authorize such activities. These laws also require that we keep accurate books and records and maintain internal controls and compliance procedures designed to prevent any such actions. We have policies to address compliance with such laws, but cannot ensure that all our employees, agents, representatives, business partners and third-party intermediaries, will not take actions in violation of our policies and applicable law, for which we may be ultimately held responsible.
Any allegations or violation of the FCPA, other applicable anti-bribery, anti-corruption laws, or anti-money laundering laws could subject us to investigations, whistleblower complaints, sanctions, settlements, prosecution, and other enforcement actions, disgorgement of profits, significant fines, damages, injunctions, adverse media coverage, loss of export privileges, severe criminal or civil sanctions, suspension or debarment from government contracts and other consequences, any of which could have a material adverse effect on our reputation, business, financial condition, prospects and results of operations. Responding to any investigation or action will likely result in a materially significant diversion of management’s attention and resources and significant defense costs and other professional fees.
We are subject to governmental export and import controls and economic sanctions programs that could impair our ability to compete in international markets or subject us to liability if we violate these controls.
In many cases, our business activities are subject to U.S. and international export control laws and regulations including the Export Administration Regulations, or EAR, and trade and economic sanctions maintained by the Office of Foreign Assets Control, or OFAC. As such, an export license may be required to export or reexport our software and services to certain countries and end-users, including to certain U.S. embargoed or sanctioned countries, governments, and persons and for certain end-uses. If we were to fail to comply with such export control laws and regulations, trade and economic sanctions, or other similar laws, we could be subject to both civil and criminal penalties, including substantial fines, possible incarceration for employees and managers for willful violations, and the possible loss of our export or import privileges. Obtaining the necessary export license for a particular sale or offering may not be possible and may be time-consuming and may result in the delay or loss of sales opportunities.
In addition, various countries regulate the import of certain software and technology using encryption, including through import permit and license requirements, and have enacted laws that could limit our ability to distribute our platform and offerings or could limit our end-customers’ ability to implement our platform in those countries. Changes in our platform or changes in export and import regulations in such countries may create delays in the introduction of our platform and offerings into international markets, prevent our customers with international operations from deploying our platform globally, or in some cases, prevent or delay the export or import of our platform and offerings to certain countries, governments, or persons altogether. The following developments could result in decreased use of our platform and offerings by, or in our decreased ability to export or sell our platform and offerings to, existing or potential end-customers with international operations: any change in export or import laws or regulations, economic sanctions or related legislation; shift in the enforcement or scope of existing export, import or sanctions laws or regulations; or change in the countries, governments, persons, or technologies targeted by such export, import or sanctions laws or regulations. Any decreased use of our platform or offerings or limitation on our ability to export to or sell our platform or offerings in international markets could adversely affect our business, financial condition, and results of operations.
Our international operations may give rise to potentially adverse tax consequences.
Our income tax obligations are based in part on our corporate operating structure and intercompany arrangements, including the manner in which we develop, value, manage and use our intellectual property and the valuation of our intercompany transactions. Our existing corporate structure and intercompany arrangements have been implemented in a manner we believe is in compliance with current prevailing tax laws. The tax laws applicable to our business, including the laws of the United States and other jurisdictions, are subject to interpretation and certain jurisdictions are aggressively interpreting their laws in new ways in an effort to raise additional tax revenue. New income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time. Those enactments could harm our business, financial condition, and results of operations. In addition, taxing authorities in these jurisdictions could impose additional tax, interest and penalties on us, claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries. These events could require us or our customers to pay additional tax amounts on a prospective or retroactive basis, as well as require us or our customers to pay fines or penalties and interest for past amounts deemed to be due. If we raise our prices to offset the costs of these changes, existing and potential future customers may elect not to purchase our products in the future.
47

Table of Contents
In addition, our intercompany relationships are subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. The relevant taxing authorities may disagree with our current and historic determinations as to the value of assets sold or acquired or income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations. In addition, changes to our corporate structure and intercompany agreements could impact our worldwide effective tax rate and adversely affect our financial condition and results of operations.

There is also a high level of uncertainty in today’s tax environment stemming from both global initiatives put forth by the Organization for Economic Co-operation and Development, or OECD, and unilateral measures being implemented by various countries due to a lack of consensus on these global initiatives. As an example, the OECD has put forth two proposals—Pillar One and Pillar Two—that revise the allocation of revenues to market jurisdiction based on customer jurisdiction rather than physical presence of the provider and ensure a minimal level of taxation, respectively. Further, certain countries have implemented or are considering implementing measures such as a digital services tax, or a minimum tax on gross income. Recently, the U.S. House of Representatives has proposed legislation that, if enacted, could materially impact our U.S. tax liability in future years. These measures and corresponding tariffs in response to such measures create additional tax liabilities and uncertainty. As a result, we may have to pay higher taxes in countries where such rules are applicable.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
Under Section 382 of the Internal Revenue Code of 1986, as amended, or the Code, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in its equity ownership over a three year period, the corporation’s ability to use its pre-change net operating loss carryforwards and other pre-change tax attributes, such as research tax credits and interest deduction carryover, to offset its post-change income may be limited. Any ownership change in the future could result in increased future tax liability. In addition, we may experience ownership changes in the future as a result of subsequent shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change net operating loss carryforwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us. The impact of any limitations that may be imposed due to such ownership changes has not been determined.
In addition, on December 22, 2017, the U.S. government enacted new tax legislation commonly referred to as the Tax Cuts and Jobs Act, or Tax Act. The Tax Act makes broad and complex changes to the U.S. tax code, including changes to the uses and limitations of net operating losses carryforwards. For example, under the Tax Act, as modified by the Coronavirus Aid, Relief, and Economic Security Act, or the CARES Act, federal net operating losses incurred during our taxable years beginning after December 31, 2017 can be carried forward indefinitely, however, the deductibility of our federal net operating losses generated in such years will be limited to 80% of taxable income in the year utilized. Federal net operating losses incurred in years beginning before January 1, 2018 are subject to a twenty year carryforward but are not limited to 80% of taxable income. Furthermore, our ability to use our net operating loss carryforwards is conditioned upon generating future U.S. federal taxable income. Since we do not know whether or when we will generate the U.S. federal taxable income necessary to use our remaining net operating loss carryforwards, certain of our net operating loss carryforwards generated could expire before use.
Any successful action by state, foreign or other authorities to collect additional or past indirect taxes, including sales tax and others could adversely affect our business, financial condition, and results of operations.
States, some local taxing jurisdictions, and foreign jurisdictions have differing rules and regulations governing indirect taxes such as sales and use taxes, value added taxes, or VAT, and goods and services taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of indirect taxes to our platform in various jurisdictions is unclear. We file indirect tax returns and collect indirect taxes in certain states within the United States and certain foreign jurisdictions as required by law, and we do not file and collect indirect or other similar taxes in certain other states, certain other foreign jurisdictions and on certain of the offerings that we provide on the basis that such taxes are not applicable. It is possible that we could face indirect tax audits and that one or more states, local jurisdictions or foreign authorities could seek to impose additional indirect or other tax collection and record-keeping obligations on us or may determine that such taxes should have, but have not been, paid by us. We could also be subject to audits in states, local and foreign jurisdictions for which we have not accrued tax liabilities. A successful assertion that we should be collecting additional indirect or other taxes on our service in jurisdictions where we have not historically done so and do not accrue for indirect taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our platform and offerings or otherwise adversely affect our business, financial condition, and results of operations.
48

Table of Contents

We may face exposure to foreign currency exchange rate fluctuations.

Today, approximately half of our customer contracts are denominated in U.S. dollars. Over time, however, an increasing portion of our international customer contracts may be denominated in local currencies. In addition, the majority of our international costs are denominated in local currencies. As a result, fluctuations in the value of the U.S. dollar and foreign currencies may affect our results of operations when translated into U.S. dollars. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.
Operating as a public company has and will require us to incur substantial costs and will require substantial management attention.
As a public company, we incur substantial legal, accounting and other expenses that we did not incur as a private company. For example, we are subject to the reporting requirements of the Exchange Act, the applicable requirements of the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the rules and regulations of the SEC and the listing standards of the New York Stock Exchange. The Exchange Act requires, among other things, we file annual, quarterly and current reports with respect to our business, financial condition, and results of operations. Compliance with these rules and regulations will increase our legal and financial compliance costs, and increase demand on our systems, particularly after we are no longer an “emerging growth company.” In addition, as a public company, we may be subject to stockholder activism, which can lead to additional substantial costs, distract management and impact the manner in which we operate our business in ways we cannot currently anticipate. As a result of disclosure of information in filings required of a public company, our business, financial condition, and results of operations will become more visible, which may result in threatened or actual litigation, including by competitors.
Certain members of our management team have limited experience managing a publicly traded company, and certain members joined us more recently. As such, our management team may not successfully or efficiently manage our transition to being a public company subject to significant regulatory oversight and reporting obligations under the federal securities laws and the continuous scrutiny of securities analysts and investors. These new obligations and constituents will require significant attention from our senior management and could divert their attention away from the day-to-day management of our business, which could adversely affect our business, financial condition, and results of operations.
Risks Related to Ownership of Our Class A Common Stock
We are an “emerging growth company” and the reduced disclosure requirements applicable to emerging growth companies may make our Class A common stock less attractive to investors.
We are an “emerging growth company,” as defined in the JOBS Act, and we intend to take advantage of certain exemptions from various reporting requirements that are applicable to other public companies that are not “emerging growth companies,” including not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements and exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. As an “emerging growth company,” we are also allowed to delay adoption of new or revised accounting pronouncements applicable to public companies until such pronouncements are made applicable to private companies. As a result, our financial statements may not be comparable to those of companies that comply with new or revised accounting pronouncements as of public company effective dates. Any difficulties in implementing these pronouncements could cause us to fail to meet our financial reporting obligations, which could result in regulatory discipline and harm investors’ confidence in us. We may take advantage of these exemptions for so long as we are an “emerging growth company,” which could be for as long as five full reporting years following the completion of our initial public offering. We cannot predict if investors will find our Class A common stock less attractive because we will rely on these exemptions. If some investors find our Class A common stock less attractive as a result, there may be a less active trading market for our Class A common stock and the market price of our Class A common stock may be more volatile.

49

Table of Contents
The dual-class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock (or options or other securities convertible into or exercisable for our capital stock) prior to the completion of our initial public offering, which will limit your ability to influence the outcome of important transactions, including a change in control.
Our Class B common stock has 10 votes per share, and our Class A common stock has one vote per share. As of December 31, 2021, our directors, executive officers, and holders of more than 5% of our common stock, and their respective affiliates, held in the aggregate 84.2% of the combined voting power of our Class A common stock and Class B common stock. Because of the 10-to-one voting ratio between our Class B common stock and Class A common stock, the holders of our Class B common stock collectively will continue to control a majority of the combined voting power of our common stock and will therefore, if acting together, be able to control all matters submitted to our stockholders for approval until the earlier of (i) the 7th anniversary of the filing and effectiveness of our amended and restated certificate of incorporation, (ii) when the outstanding shares of our Class B common stock represent less than 5% of the combined voting power of our outstanding Class A common stock and Class B common stock, and (iii) the affirmative vote of the holders of 66-2/3% of the voting power of our outstanding Class B common stock. This concentrated control will limit or preclude your ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets or other major corporate transactions requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of shares of our Class B common stock generally result in those shares converting to Class A common stock, subject to limited exceptions, including but not limited to, transfers effected for estate planning purposes, to the extent the transferor retains voting power over the shares, and transfers among affiliates, to the extent the transferee continues to remain an affiliate. Shares of Class B common stock held by natural persons automatically convert into shares of Class A common stock upon the death or disability of the holder. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those individual holders of Class B common stock who retain their shares in the long term.
The market price of our Class A common stock may be volatile, and you could lose all or part of your investment.
The market price of our Class A common stock may be volatile and could be subject to fluctuations in response to various factors, some of which are beyond our control. These fluctuations could cause you to lose all or part of your investment in our Class A common stock. Factors that could cause fluctuations in the market price of our Class A common stock include the following:
price and volume fluctuations in the overall stock market from time to time;
volatility in the market prices and trading volumes of technology stocks;
changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
sales of shares of our common stock by us or our stockholders, as well as the anticipation of expiration of, or releases, from market standoff agreements or lock-up agreements;
failure of securities analysts to maintain coverage of us, changes in financial estimates by securities analysts who follow our company or our failure to meet these estimates or the expectations of investors;
the financial projections we may provide to the public, any changes in those projections or our failure to meet those projections;
announcements by us or our competitors of new offerings or platform features;
the public’s reaction to our press releases, other public announcements and filings with the SEC;
rumors and market speculation involving us or other companies in our industry;
short selling of our Class A common stock or related derivative securities;
actual or anticipated changes in our results of operations or fluctuations in our results of operations; actual or perceived security breaches or incidents;
actual or anticipated developments in our business, our competitors’ businesses or the competitive landscape generally;
announced or completed acquisitions of businesses, offerings or technologies by us or our competitors;
developments or disputes concerning our intellectual property or other proprietary rights;
50

Table of Contents
litigation involving us, our industry, or both, or investigations by regulators into our operations or those of our competitors;
new laws, regulations, rules or industry standards or new interpretations of existing laws, regulations, rules or industry standards applicable to our business;
increased inflation throughout the economy, which is often accompanied by higher interest rates;
changes in accounting standards, policies, guidelines, interpretations or principles;
any significant change in our management; and
general economic conditions and slow or negative growth of our markets.
In addition, if the market for technology stocks or the stock market in general experiences a loss of investor confidence, the market price of our Class A common stock could decline for reasons unrelated to our business, financial condition or results of operations. The market price of our Class A common stock might also decline in reaction to events that affect other companies in our industry even if these events do not directly affect us. In the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action litigation has often been instituted against these companies. This litigation, if instituted against us, would result in substantial costs and a diversion of our management’s attention and resources.
Recently, the stock markets in general, and the markets for technology stocks in particular, have experienced extreme volatility, including as a result of the COVID-19 pandemic. Furthermore, the market price of our Class A common stock may be adversely affected by third parties trying to drive down the price of our Class A common stock. Short sellers and others, some of whom post anonymously on social media, can negatively affect the market price of our Class A common stock and may be positioned to profit if the market price of our Class A common stock declines. These broad market and industry factors may seriously harm the market price of our Class A common stock, regardless of our operating performance.
Sales, directly or indirectly, of shares of our common stock by existing equity holders, or the perception that such sales might occur, could cause the market price of our Class A common stock to decline or impair our ability to raise capital through the sale of additional equity securities.

Sales, directly or indirectly, of a substantial number of shares of our common stock, or the public perception that these sales might occur, could depress the market price of our Class A common stock and could impair our ability to raise capital through the sale of additional equity securities. Many of our existing equity holders have substantial unrecognized gains on the value of the equity they hold, and may take, or attempt to take, steps to sell, directly or indirectly, their shares or otherwise secure, or limit the risk to, the value of their unrecognized gains on those shares.

Our executive officers, directors and the holders of substantially all of our capital stock and securities convertible into or exchangeable for our capital stock are parties to agreements with us containing market standoff provisions, or have entered into lock-up agreements with the underwriters of our initial public offering, under which they have agreed, subject to specific exceptions, not to dispose of or hedge any of our capital stock during the period ending on and including the earlier of (i) March 14, 2022 and (ii) the second trading day after we publicly announce our earnings for the fourth quarter of 2021.

As this lock-up restriction ends, if our stockholders sell, or if the market perceives that our stockholders intend to sell, a substantial number of shares of our Class A common stock in the public market, the market price of our Class A common stock could decline and our ability to raise capital through the sale of additional equity securities could be impaired. While our executive officers, directors and the holders of substantially all of our capital stock and securities convertible into or exchangeable for our capital stock have entered into agreements with us containing market standoff provisions or lock-up agreements with the underwriters of our initial public offering, sales, short sales or hedging transactions involving our equity securities, whether or not we believe them to be prohibited, could adversely affect the market price of our Class A common stock. Further, record holders of our securities are typically the parties to the lock-up agreements, while holders of beneficial interests in our shares who are not also record holders in respect of such shares are not typically subject to any such agreements or other similar restrictions. Accordingly, we believe that holders of beneficial interests who are not record holders and are not bound by lock-up agreements could enter into transactions with respect to those beneficial interests that negatively impact the market price of our Class A common stock. In addition, to the extent an equity holder does not comply with the terms of a market standoff provision or a lock-up agreement, such equity holder may be able to sell, short sell, transfer, hedge, pledge or otherwise dispose of or attempt to sell, short sell, transfer, hedge, pledge or otherwise dispose of, their equity interests, which could negatively impact the market price of our Class A common stock.

51

Table of Contents
In addition, we filed a registration statement to register shares reserved for future issuance under our equity compensation plans, and we intend to file an additional registration statement to register shares issued and reserved for future issuance under our equity compensation plans in connection with the Early Lock-Up Release. As a result, subject to the satisfaction of applicable exercise periods and the expiration or waiver of the lock-up agreements referred to above, the shares issued upon exercise of outstanding stock options will be available for immediate resale in the United States in the open market. If a large number of these shares are sold in the public market, the sales could reduce our trading price.

Further, certain of our stockholders are entitled, under our investors’ rights agreement, to require us to register shares owned by them for public sale in the United States. Sales of our Class A common stock pursuant to registration rights may make it more difficult for us to sell equity securities in the future at a time and at a price that we deem appropriate. These sales also could cause the market price of our Class A common stock to fall and make it more difficult for you to sell shares of our Class A common stock.
The issuance of additional stock in connection with financings, acquisitions, investments, our equity compensation plans or otherwise will dilute all other stockholders.

Our amended and restated certificate of incorporation authorizes us to issue up to 1,000,000,000 shares of Class A common stock, up to 500,000,000 shares of Class B common stock and up to 100,000,000 shares of preferred stock with such rights and preferences as may be determined by our board of directors. Subject to compliance with applicable rules and regulations, we may issue shares of Class A common stock or securities convertible into shares of our Class A common stock from time to time in connection with a financing, acquisition, investment, our equity compensation plans or otherwise. Any such issuance could result in substantial dilution to our existing stockholders and cause the market price of our Class A common stock to decline.
Delaware law and provisions in our amended and restated certificate of incorporation and amended and restated bylaws could make a merger, tender offer or proxy contest difficult, thereby depressing the market price of our Class A common stock.

Our status as a Delaware corporation and the anti-takeover provisions of the Delaware General Corporation Law may discourage, delay or prevent a change in control by prohibiting us from engaging in a business combination with an interested stockholder for a period of three years after the date of the transaction in which the person became an interested stockholder, even if a change in control would be beneficial to our existing stockholders. In addition, our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may make the acquisition of our company more difficult, including the following:

our board of directors is classified into three classes of directors with staggered three-year terms, and directors are only able to be removed from office for cause;
certain amendments to our amended and restated certificate of incorporation require the approval of at least 66 2/3% of the voting power of the outstanding shares of our stock entitled to vote generally in the election of directors, voting together as a single class;
our dual class common stock structure provides holders of Class B common stock with the ability to significantly influence the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the shares of our outstanding capital stock;
our stockholders are only be able to take action at a meeting of stockholders and are not able to take action by written consent for any matter;
our amended and restated certificate of incorporation does not provide for cumulative voting;
vacancies on our board of directors are able to be filled only by our board of directors and not by stockholders;
a special meeting of our stockholders may only be called by the chairperson of our board of directors, our Chief Executive Officer (or our President in the absence of a Chief Executive Officer) or a majority of the “whole board” of our board of directors, where the “whole board” is the total number of authorized directorships whether or not there exist any vacancies or other unfilled seats in previously authorized directorships;
certain litigation against us can only be brought in Delaware;
our amended and restated certificate of incorporation authorizes undesignated preferred stock, the terms of which may be established and shares of which may be issued without further action by our stockholders; and
52

Table of Contents
advance notice procedures apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders.

These provisions, alone or together, could discourage, delay or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors of their choosing and to cause us to take other corporate actions they desire, any of which, under certain circumstances, could limit the opportunity for our stockholders to receive a premium for their shares of our Class A common stock and could also affect the price that some investors are willing to pay for our Class A common stock.
We cannot predict the impact our dual class structure may have on the market price of our Class A common stock.

We cannot predict whether our dual class structure will result in a lower or more volatile market price of our Class A common stock or in adverse publicity or other adverse consequences. For example, certain index providers have restrictions on including companies with multiple-class share structures in certain of their indexes. In July 2017, FTSE Russell and Standard & Poor’s announced that they would cease to allow most newly public companies utilizing dual or multi-class capital structures to be included in their indices. Affected indices include the Russell 2000 and the S&P 500, S&P MidCap 400, and S&P SmallCap 600, which together make up the S&P Composite 1500. Under these policies, our dual class capital structure would make us ineligible for inclusion in certain indices, and as a result, mutual funds, exchange-traded funds, and other investment vehicles that attempt to passively track those indices will not be investing in our stock. Because of our dual class structure, we will likely be excluded from certain of these indexes and we cannot assure you that other stock indexes will not take similar actions. Given the sustained flow of investment funds into passive strategies that seek to track certain indexes, exclusion from stock indexes would likely preclude investment by many of these funds and could make our Class A common stock less attractive to other investors. As a result, the market price of our Class A common stock could be adversely affected.
Our amended and restated bylaws designate a state or federal court located within the State of Delaware as the exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers or employees.

Our amended and restated bylaws, which provide that, unless we consent in writing to the selection of an alternative forum, to the fullest extent permitted by law, the sole and exclusive forum for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (iii) any action arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws or (iv) any other action asserting a claim that is governed by the internal affairs doctrine shall be the Court of Chancery of the State of Delaware (or, if the Court of Chancery does not have jurisdiction, the federal district court for the District of Delaware), in all cases subject to the court having jurisdiction over indispensable parties named as defendants.

Section 22 of the Securities Act creates concurrent jurisdiction for federal and state courts over all such Securities Act actions. Accordingly, both state and federal courts have jurisdiction to entertain such claims. To prevent having to litigate claims in multiple jurisdictions and the threat of inconsistent or contrary rulings by different courts, among other considerations, our amended and restated bylaws further provide that the federal district courts of the United States will be the exclusive forum for resolving any complaints asserting a cause of action arising under the Securities Act of 1933, as amended, or the Securities Act. We note, however, that investors cannot waive compliance with the federal securities laws and the rules and regulations thereunder, and that there is uncertainty as to whether a court would enforce this exclusive forum provision. If a court were to find either exclusive-forum provision in our amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could harm our business, financial condition, and results of operations.
If securities or industry analysts do not publish research or publish inaccurate or unfavorable research about us, our business or our market, or if they change their recommendations regarding our Class A common stock adversely, the market price and trading volume of our Class A common stock could decline.

The trading market for our Class A common stock depends, in part, on the research and reports that securities or industry analysts publish about us, our business, our market or our competitors. The analysts’ estimates are based upon their own opinions and are often different from our estimates or expectations. If any of the analysts who cover us change their recommendation regarding our Class A common stock adversely, provide more favorable relative recommendations about our
53

Table of Contents
competitors or publish inaccurate or unfavorable research about our business, the market price of our Class A common stock would likely decline. If few securities analysts commence coverage of us, or if one or more of these analysts cease coverage of us or fail to publish reports on us regularly, we could lose visibility in the financial markets and demand for our securities could decrease, which could cause the market price and trading volume of our Class A common stock to decline.
We do not intend to pay dividends for the foreseeable future.

We have never declared nor paid cash dividends on our capital stock. We currently intend to retain any future earnings to finance the operation and expansion of our business, and we do not expect to declare or pay any dividends in the foreseeable future. Additionally, our ability to pay cash dividends on our common stock is limited by restrictions under the terms of our Amended and Restated Loan Agreement. As a result, stockholders must rely on sales of their common stock after price appreciation, if any, as the only way to realize any future gains on their investment in our Class A common stock.

Item 1B. Unresolved Staff Comments
Not applicable.
Item 2. Properties
Our corporate headquarters are in San Francisco, California, where we lease approximately 16,000 square feet of office space as of December 31, 2021. We also have domestic offices in Texas and Washington and international offices in France, Norway, United Kingdom and Singapore.

We lease all of our facilities. We believe that our facilities are adequate for our current needs and anticipate that suitable additional space will be readily available to accommodate any foreseeable expansion of our operations.
Item 3. Legal Proceedings
From time to time, we may be subject to legal proceedings and claims that arise in the ordinary course of business, as well as governmental and other regulatory investigations and proceedings. In addition, third parties may from time to time assert claims against us in the form of letters and other communications. We are not currently a party to any legal proceedings that, if determined adversely to us, would, in our opinion, have a material and adverse effect on our business, financial condition or results of operations. Future litigation may be necessary to defend ourselves, our partners and our customers, to determine the scope, enforceability, and validity of third-party intellectual property or proprietary rights or to establish and protect our intellectual property or proprietary rights. The results of any current or future litigation cannot be predicted with certainty and there can be no assurances that favorable outcomes will be obtained, and regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management attention and resources and other factors.
Item 4. Mine Safety Disclosures
Not applicable.
54

Table of Contents
Part II
Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Market Information for Our Common Stock
Our Class A common stock, $0.001 par value per share, began trading on the NYSE under the symbol “FORG” on September 15, 2021. Prior to that time, there was no public market for our Class A common stock. Our Class B common stock is not listed or traded on any stock exchange.
Holders of Record
As of December 31, 2021, we had 126 holders of record of our Class A common stock and 155 holders of record of our Class B common stock. The actual number of Class A beneficial stockholders is substantially greater than the number of holders of record because a large portion of our Class A common stock is held by banks, brokers, other financial institutions and other nominees.
Dividend Policy

We have never declared or paid any cash dividends on our capital stock, and we do not currently intend to pay any cash dividends in the foreseeable future. We expect to retain future earnings, if any, to fund the development and growth of our business. Any decision to declare and pay dividends in the future will be made at the discretion of our Board and will depend on, among other things, our results of operations, financial condition, cash requirements, contractual restrictions and other factors that our Board may deem relevant. In addition, our ability to pay dividends is, and may be, limited by covenants of existing and any future outstanding indebtedness we or our subsidiaries incur, including under the Amended Restated Plain English Growth Capital Loan and Security Agreement with TriplePoint Venture Growth BDC Corp. and TriplePoint Capital LLC, as amended (the “A&R Loan Agreement”).
Securities Authorized for Issuance under Equity Compensation Plans

The information required by this item is incorporated by reference to the definitive Proxy Statement relating to our 2022 Annual Meeting of Stockholders, which will be filed with the SEC no later than 120 days after December 31, 2021.
Stock Performance Graph
The following performance graph and related information shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in such filing. The following graph and related information shows a comparison of the cumulative total return for our common stock, Standard & Poor’s 500 Index (“S&P 500 Index”) and Standard & Poor’s 500 Information Technology Index (“S&P 500 IT Index”) between September 16, 2021 (the date our common stock commenced trading on the NYSE) through December 31, 2021. All values assume an initial investment of $100 and reinvestment of any dividends. The comparisons are based on historical data and are not indicative of, nor intended to forecast, the future performance of our common stock.
55

Table of Contents
forg-20211231_g8.jpg
Unregistered Sales of Equity Securities

None.


Use of Proceeds from Initial Public Offering

On September 20, 2021, we closed our IPO in which we sold 12,650,000 shares of Class A common stock at a public offering price of $25.00 per share, including 1,650,000 shares pursuant to the exercise in full of the underwriters’ option to purchase additional shares. We received net proceeds of $289.7 million, after deducting underwriting discounts and commissions of $21.3 million and offering expenses paid by us of approximately $6.0 million, net of reimbursements. The offer and sale of all of the shares in the IPO were registered under the Securities Act pursuant to a registration statement on Form S-1 (File No. 333-259016 ), which was declared effective by the SEC on September 15, 2021. The representatives of the several underwriters of the IPO were Morgan Stanley & Co. LLC and J.P. Morgan Securities LLC. No offering expenses were paid directly or indirectly to any of our directors or officers (or their associates) or persons owning 10% or more of any class of our equity securities or to any other affiliates, other than payments in the ordinary course of business to officers for salaries and to non-employee directors pursuant to our director compensation policy.

There has been no material change in the planned use of proceeds from our IPO as described in our final prospectus filed with the SEC on September 17, 2021 pursuant to Rule 424(b)(4).

Issuer Purchases of Equity Securities

None.
Item 6. Reserved
Not applicable.
56

Table of Contents
Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations

You should read the following discussion and analysis of our financial condition and results of operations together with our consolidated financial statements and the related notes and other financial information included elsewhere in this Annual Report on Form 10-K Some of the information contained in this discussion and analysis or set forth elsewhere in this Annual Report on Form 10-K, including information with respect to our plans and strategy for our business, includes forward-looking statements that involve risks and uncertainties. You should review the sections titled “Special Note Regarding Forward-Looking Statements” and “Risk Factors” for a discussion of forward-looking statements and important factors that could cause actual results to differ materially from the results described in or implied by the forward-looking statements contained in the following discussion and analysis. Our fiscal years ended December 31, 2021 and 2020 are referred to herein as 2021 and 2020, respectively. We have omitted the financial results for the fiscal year ended December 31, 2019 where it would be redundant to the discussion previously included in Part II, Item 7 of our final prospectus filed with the SEC on September 17, 2021, which discussion is hereby incorporated by reference herein.
Overview
Our vision is a world where you never log in again.
We help make the digital economy possible. ForgeRock supports billions of identities to help people simply and safely access the connected world—from shopping and banking to accessing company networks to get their work done. We make this possible through a unified and extensive identity platform to enable enterprises to provide exceptional digital user experiences without compromising security and privacy. This allows enterprises to deepen their relationships with customers and increase the productivity of their workforce and partners, while at the same time providing better security and regulatory compliance.
Our platform is purpose-built for the enterprise and provides mission-critical capabilities, including performance and scale, rich identity functionality, deployment flexibility, and extensive integration and interoperability. Our platform includes a full suite of identity functionality across CIAM, AM, and IGA and a differentiated identity object modeling approach that supports all identity types. We enable enterprises to rapidly integrate and secure thousands of applications across types, deployments, and operating environments such as SaaS, mobile, microservices, web, and legacy, running in public and private cloud, and on-premise. Together, these deep capabilities enable us to provide enterprises with a single view of all their identities in one unified platform and position us as a leader in digital identity for the enterprise market.
We Generate Substantially All of Our Revenue From Subscriptions
Our revenue includes recurring revenue from term licenses, SaaS, and maintenance and support which we refer to as our subscription revenue. We now generate substantially all of our revenue from the sale of subscriptions, which accounted for 97% , 96% and 88% of our total revenue in 2021, 2020 and 2019, respectively. We have significantly reduced our percentage of revenue from perpetual licenses from 1% to 1% and 8% in 2021, 2020 and 2019, respectively. The remainder of our revenue is from professional services, which represented 3%, 3%, and 5% of our revenue in 2021, 2020 and 2019, respectively. We enable our customers to choose how they want to deploy our software in their heterogeneous environments, including self-managed environments such as public and private cloud environments, and through our Software-as-a-Service (SaaS) offering, ForgeRock Identity Cloud, or a combination of both. Our subscription contracts are typically non-cancelable and non-refundable, and are largely billed annually upfront. Our weighted average new subscription term in 2021 was 26 months. Our pricing is based on the deployment method (SaaS or self-managed), products purchased, identity type (consumer, workforce, or IoT and services), and number of identities managed.
We Focus on Global Enterprises and Large Organizations, Who are Prioritizing Investments in Identity
Our go-to-market strategy is primarily focused on selling to large global enterprises, who are consistently investing in identity as a top priority. We focus our sales efforts on decision makers with a purview across the enterprise such as Chief Information Officers, or CIOs, Chief Information Security Officers, or CISOs, Chief Digital Officers, or CDOs, and Chief Technology Officers, or CTOs. We are also increasing our focus on line-of-business owners and developers as core stakeholders. We have been operating globally since our founding and 47% of our revenue in 2021 was generated from customers located in Europe, the Middle East and Africa, or EMEA, and the Asia-Pacific, or APAC, region, demonstrating the global demand for our offerings. Our customers are based in more than 50 countries and across a diverse set of industries such as financial services, public sector, technology, telecom and media, medical, services, retail, and manufacturing. Many of our customers are recognized as leaders in their respective industries or public sectors.
57

Table of Contents
Our Go-to-Market Strategy is Driven by Close Collaboration Between Our Sales and Marketing Organizations and Our Partners
We primarily sell subscriptions through our direct sales teams located in geographic regions near our customers. Our sales and marketing organizations work closely to attract and drive awareness and engagement with prospective customers to help them understand our leadership in identity and our product differentiation, and to convert prospects into customers. Our marketing organization engages with prospective customers across physical and digital channels and provides them with solution guides, whitepapers, webinars, presentations, and other content to accelerate their understanding of our platform and drive greater adoption. We are highly focused on embracing and supporting our customers with the implementation of and utilization of our platform through dedicated customer success managers.
We also have a strong network of strategic global channel partners that both source and influence opportunities for us —providing leverage and execution capabilities across the globe. These strategic global channel partnerships not only provide us with a significant source of lead generation but also a global network of certified and trained implementation professionals. Our alliances, including global strategic consulting firms and global systems integrators, or GSIs, such as Accenture, Deloitte, and PwC, often promote our platform as part of large-scale digital transformation projects they drive by identifying opportunities in which our platform can help accelerate business initiatives and improve user experience. We also partner with leading regional consulting firms and implementation partners. These highly-skilled regional partners not only provide subject-matter expertise in the implementation of specific use cases, but they also act as an extension of our direct sales force by identifying and referring opportunities to us.
Our Customer Base Includes Many of the World’s Leading Brands
Our global customer base includes direct and indirect customers, of which direct customers are those we contract with directly (whether sourced by us or through a partner or reseller), and indirect customers include customers that receive the benefit of using components of our software by contracting with certain third parties, such as resellers, system integrators, managed service providers, or other channel partners, as well as with original equipment manufacturers, or OEMs.
We focus on the number of large customers because it represents our ability to land-and-expand with large enterprises and the number of large customers is a key indicator of our ability to grow our business and revenue in future periods. We define a large customer as a customer with $100,000 or greater ARR as of a measurement date. As of December 31, 2021, 2020 and 2019, we had 394, 327 and 275 large customers with $100,000 of ARR or greater, respectively, representing 90%, 86% and 81% of our total ARR as of such dates. No single customer accounted for more than 10% of our total revenue or 3% of our total ARR in 2021, 2020 and 2019.
We Have a Robust Land & Expand Model Enabled in Part by Our Flexible Purchasing Options
The breadth of our platform enables many entry points for new customers, and we enable them to purchase one or more product modules for their initial deployment and expand into new modules for additional functionality over time. We believe there is a significant opportunity for revenue expansion across our customer base as our customers increase the number of identities managed through our platform, expand across consumer, workforce and IoT and services use cases, subscribe to additional product offerings, and expand into additional deployments, such as our SaaS offering.

Our Business Has Experienced Strong Growth

We have experienced strong growth from a combination of internal drivers and external drivers. Internal drivers include the continuous innovation of our platform, resulting in new technology, products and deployment offerings, a loyal customer base that continues to increase their spend with us over time, and the acquisition of new customers. For example, we have developed and released our SaaS offering (ForgeRock Identity Cloud), Autonomous Identity and Governance in the past two years and both new and existing customers have adopted these offerings. Our effective go-to-market model has also been a driver of our growth, aided by recent leadership recognition by industry analysts. We believe external drivers such as the increasing importance of identity to enterprises, identity being a key enabler of digital transformation, the growing cyber threat landscape and constantly evolving regulatory and compliance requirements are also driving our growth.

In 2021 and 2020 our ARR was $183.1 million and $135.9 million, respectively, representing a year-over-year growth rate of 35%. We generate substantially all of our revenue from subscriptions, with 97% of our total revenue coming from subscriptions in both 2021 and 2020. In 2021 and 2020 our total revenue was $176.9 million and $127.6 million, respectively, representing a year-over-year growth rate of 39%. In the same periods, we incurred net losses of $47.8 million and $41.8 million, respectively.
58

Table of Contents
Impact of COVID-19
The ongoing COVID-19 pandemic and efforts to mitigate its impact have significantly curtailed the movement of people, goods and services worldwide, including in the geographic areas in which we conduct our business operations and from which we generate our revenue. It has also caused societal and economic disruption and financial market volatility, resulting in business shutdowns and reduced business activity. We believe that the COVID-19 pandemic has had a modest negative impact on our business, financial condition, and results of operations, primarily as a result of:
for certain enterprises, delaying or pausing digital transformation and expansion projects and negatively impacting IT spending, which has caused some potential customers to delay or forgo purchases of subscriptions for our platform and services and some existing customers to fail to renew subscriptions, reduce their usage or fail to expand their usage of our platform due to the COVID-19 pandemic’s impact on their business;
restricting our sales operations and marketing efforts, reducing the effectiveness of such efforts in some cases and delaying or lengthening our sales cycles; and
delaying the delivery of professional services and training to our customers.
The COVID-19 pandemic may cause us to continue to experience the foregoing challenges in our business in the future and could have other effects on our business, including disrupting our ability to develop new offerings and enhance existing offerings, market and sell our products and conduct business activities generally.
In the longer term, we expect some positive impacts on our business as a result of the COVID-19 pandemic. We believe the COVID-19 pandemic has accelerated the trend of enterprises pursuing digital transformation initiatives in order to remain competitive, with identity being a key enabler of such transformation. Further, the COVID-19 pandemic has led to a rapid expansion of digital identities, as more consumer transactions are being undertaken over the internet and more employees are working remotely. We believe that these impacts of the COVID-19 pandemic will benefit our business in the future.
The COVID-19 pandemic has also driven some temporary cost savings to our business. We have experienced slower growth in certain operating expenses due to reduced business-related travel, deferred hiring for some positions and the cancellation of in-person customer and employee events. We do not yet have visibility into the full impact that the COVID-19 pandemic will have on our future business or results of operations, particularly if the COVID-19 pandemic continues and persists for an extended period of time. Given the uncertainty, we cannot reasonably estimate the impact on our future financial condition, results of operations or cash flows. See the Item 1A. “Risk Factors” for more information regarding risks related to the COVID-19 pandemic.
Factors Affecting Our Performance
We believe that our future performance will depend on many factors, including the following:
Acquiring New Customers
Our results of operations and growth depends in part on our ability to attract new customers and we believe there is a significant opportunity to grow our customer base. To date, we have primarily relied on our marketing efforts, direct sales, channel partners and alliances, industry recognition and referrals to attract new customers. While we believe we have a significant market opportunity and an effective go-to-market strategy to win new customers, we will need to continue to invest in partner and alliance leverage, digital marketing, and expand into new markets and new customer segments to maintain or accelerate our customer growth.
Expanding Usage by Existing Customers
Our business depends, in part, on the degree to which our land-and-expand strategy is successful. Our customers often initially adopt our platform for a specific use case, such as consumer identity, and subsequently increase their adoption as they realize the benefits and flexibility of our platform. We have been successful in expanding our existing customers’ adoption of our platform as demonstrated by our dollar-based net retention rate, which we consider an indicator of our ability to retain and expand revenue from existing customers over time. We continue to invest in our customer success efforts to help our customers realize the full potential of our platform and expand their usage of our platform over time.
59

Table of Contents
Innovating and Advancing Our Platform
We intend to continue to invest in our research and development to extend the capabilities of our digital identity platform. Our investments in research and development drive core technology innovation and bring new products to market. We intend to continue to enhance our platform by developing new products and expanding the functionality of existing products to maintain our technology leadership. For example, since the beginning of 2019, we released ForgeRock Identity Governance, ForgeRock Identity Cloud, and Autonomous Identity. We have also strengthened our Trust Network of ecosystem partners that bring leading-edge authentication, biometrics, digital identity proofing, risk management, and other complementary technologies.
Expanding Strategic Partnerships and Alliances
Our growth depends in part on our ability to expand our strategic partnerships. We have four types of strategic alliances and partners: (1) GSIs and implementation partners, (2) OEM partners or customers who utilize components of our platform to deliver services, (3) strategic partners such as Google Cloud where ForgeRock is a premier partner for digital identity, and (4) Trust Network partners who provide complementary technologies that plug into our platform. Our partners help source and support relationships with new and existing customers, as well as provide technology and go-to-market benefits. We believe we have a meaningful opportunity to increase our revenue through strategic partners and our growth depends in part on the strength of these partnerships.
Mix of Multi-Year Subscription Licenses and SaaS, and Seasonality
Subscription term licenses are often deployed by our customers in public cloud environments such as AWS, GCP, or Azure. Under ASC 606, for self-managed term-based subscription licenses, we recognize approximately half of the total contract value of the portion upfront as license revenue, with the remainder attributable to maintenance and support that is recognized ratably over the license term. If the total contract value of our subscription term licenses increases as a percentage of total contract value of all our subscriptions, more revenue would be recognized upfront.
For our SaaS offering, the ForgeRock Identity Cloud, 100% of revenue is recognized ratably over the subscription term. If the total contract value of our SaaS subscriptions increases as a percentage of total contract value of all our subscriptions, less revenue would be recognized upfront.
For the reasons stated above, our revenue is affected by the overall growth in our business and changes in our revenue mix of self-managed subscriptions and SaaS subscriptions. As a result, our year-over-year growth rates for total revenue may not be comparable due to changes in revenue mix.
We also experience seasonality in our business which could continue to affect our financial results.
Key Business Metrics
Annual Recurring Revenue (ARR)
We believe that ARR is a key metric to measure our business performance because it is driven by our ability to acquire new customers and to maintain and expand our relationship with existing customers. We define ARR as the annualized value of all contractual subscription agreements as of the end of the period. To the extent that we are negotiating a renewal with a customer after the expiration of the subscription, we continue to include that revenue in ARR if we are actively in discussion with such an organization for a new subscription or renewal, or until such organization notifies us that it is not renewing its subscription. We perform this calculation on an individual customer basis by dividing the total dollar amount of the customer’s contract by the total contract term stated in months and multiplying this amount by 12 to annualize. Calculated ARR for each individual customer is then aggregated to arrive at total ARR.
ARR does not have a standardized meaning and therefore may not be comparable to similarly titled measures presented by other companies. ARR should be viewed independently of revenue, deferred revenue and remaining performance obligations computed and/or disclosed in accordance with GAAP and is not intended to be combined with or to replace any of those items. Specifically, ARR, as calculated under the definition herein, does not adjust for the timing impact of revenue recognition for specific performance obligations identified within a contract. ARR is not a forecast and the active contracts at the date used in calculating ARR may or may not be extended by our customers.
60

Table of Contents
The following chart sets forth our ARR as of the end of our last two years:
As of December 31,Change
20212020AmountPercent
(dollars in thousands)
ARR$183,100 $135,900 $47,200 35%

Dollar-Based Net Retention Rate
Our ability to drive growth and generate incremental revenue depends, in part, on our ability to maintain and grow our relationships with customers. An important way in which we track our performance in this area is by measuring the dollar-based net retention rate. We calculate our dollar-based net retention rate by first identifying customers, or the Base Customers, in a particular quarter, or the Base Quarter. We then divide the ARR in the same quarter of the subsequent year attributable to the Base Customers, or the Comparison Quarter, by the ARR attributable to those Base Customers in the Base Quarter. Our dollar-based net retention rate captures any increase or decrease in ARR from the Base Customers from the Base Quarter to the Comparison Quarter. We expand our relationships with customers as they purchase more identities, add more use cases across consumer, workforce, and IoT and services, subscribe to additional product offerings, and add additional deployment options such as our SaaS offering. Our ARR for new customers in 2021 on average exceeded $200,000.
The following table sets forth our dollar-based net retention rate as of the end of our last two years:
December 31,
20212020Change
 Dollar-Based Net Retention Rate 112%115%(3)%

Number of Large Customers
We focus on the number of large customers because it represents our ability to land-and-expand with large enterprises and the number of large customers is a key indicator of our ability to grow our business and revenue in future periods. We define a large customer as a customer with $100,000 or greater ARR as of a measurement date. We believe that our ability to increase the number of large customers on our platform is an indicator of our market penetration, the growth of our business, and our potential future business opportunities. Over time, large customers have constituted a greater share of our revenue, which has contributed to an increase in average revenue per customer. We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution, or a distinct business unit of a large company that has an active contract with us or one of our partners to access our platform.
The following table sets forth our large customers as of the end of our last two years:
As of December 31,Change
20212020AmountPercent
Large Customers3943256921%

Non-GAAP Financial Measures
In addition to our results determined in accordance with GAAP, we believe the following non-GAAP financial measures are useful to investors in evaluating our operating performance and liquidity. We use non-GAAP financial measures to understand and evaluate our core operating performance and trends, to prepare our annual budget, to monitor and assess our liquidity, and to develop short-term and long-term operating plans. We believe that the non-GAAP financial measures we review are each a useful measure to us and to our investors because they provide consistency and comparability with our past performance and between periods, as these metrics generally eliminate the effects of the variability of certain charges and expenses that may not reflect our overall operating performance and liquidity. We believe that non-GAAP financial measures,
61

Table of Contents
when taken collectively with GAAP financial information, can be helpful to us and to investors because it provides consistency and comparability with past performance and assists in comparisons with other companies, some of which use similar non-GAAP financial information to supplement their GAAP results.
The non-GAAP financial information is presented for supplemental informational purposes only and should not be considered a substitute for financial information presented in accordance with GAAP and may be different from similarly-titled non-GAAP measures used by other companies. The principal limitation of these non-GAAP financial measures is that they exclude expenses that are required by GAAP to be recorded in our consolidated financial statements. In addition, they are subject to inherent limitations as they reflect the exercise of judgment by our management about which expenses are excluded or included in determining these non-GAAP financial measures. A reconciliation is provided below for each non-GAAP financial measure to the most directly comparable financial measure stated in accordance with GAAP. Investors are encouraged to review the related GAAP financial measures and the reconciliation of these non-GAAP financial measures to their most directly comparable GAAP financial measures.
Non-GAAP Gross Profit and Non-GAAP Gross Margin
Gross profit is defined as GAAP revenue less cost of revenue and gross margin is GAAP gross profit as a percentage of total revenue. We define non-GAAP gross profit and non-GAAP gross margin as GAAP gross profit and GAAP gross margin, adjusted to exclude stock-based compensation.
A reconciliation of Non-GAAP gross profit to GAAP gross profit, and non-GAAP gross margin to GAAP gross margin, is as follows:
Year ended December 31,
20212020
(dollars in thousands)
Gross Profit
$144,005 $106,306 
Add:
Stock-based compensation expense included in cost of revenue
617 166 
Non-GAAP gross profit
$144,622 $106,472 
Gross margin
81 %83 %
Non-GAAP gross margin
82 %83 %
Non-GAAP Operating Loss and Non-GAAP Operating Margin
We define non-GAAP operating loss and non-GAAP operating margin as GAAP operating loss and GAAP operating margin, adjusted for stock-based compensation expense and restructuring and impairment charges.
A reconciliation of non-GAAP operating loss and non-GAAP operating margin to GAAP operating loss and GAAP operating margin, the most directly comparable GAAP measures, is as follows:
Year ended December 31,
20212020
(dollars in thousands)
Operating loss
$(28,441)$(32,092)
Add:
Stock-based compensation expense
10,666 6,184 
Restructuring and impairment charges
— 632 
Non-GAAP operating loss
$(17,775)$(25,276)
Operating margin
(16)%(25)%
Non-GAAP operating margin
(10)%(20)%
62

Table of Contents
Adjusted EBITDA
We define Adjusted EBITDA as operating loss before tax, adjusted for depreciation, stock-based compensation expense and restructuring and impairment charges.
A reconciliation of Adjusted EBITDA to operating loss, the most directly comparable GAAP measure, is as follows:
Year ended December 31,
20212020
(in thousands)
Operating loss
$(28,441)$(32,092)
Depreciation
1,061 1,155 
Stock-based compensation expense
10,666 6,184 
Restructuring and impairment charges
— 632 
Adjusted EBITDA
$(16,714)$(24,121)
Free Cash Flow

We define free cash flow as net cash provided by (used in) operating activities less/(plus) cash used for purchases of property and equipment.
A reconciliation of free cash flow to net cash used in operating activities, the most directly comparable GAAP measure, is as follows:
Year ended December 31,
20212020
(in thousands)
Net cash used in operating activities
$(36,783)$(29,594)
Less:
Purchases of property and equipment
(1,113)(854)
Free cash flow
$(37,896)$(30,448)
Net cash used in investing activities
$(244,446)$(846)
Net cash provided by financing activities
$310,512 $101,151 
Cash paid for interest
$3,629 $3,914 
Components of Results of Operations
Revenue
We derive revenue primarily from subscriptions and, to a lesser extent, professional services and perpetual licenses.
Subscriptions and perpetual licenses. Subscriptions and perpetual licenses revenue consist of the following:
Subscriptions consist of:
Subscription term licenses. We sell subscriptions for our solutions that are self-managed by our customer within our customer’s IT infrastructure or cloud infrastructure. These subscriptions include licenses and technical support and access to new software updates on a when-and-if available basis. We recognize the license portion, which is approximately half of the total contract value, upon the later of the delivery of the software and commencement of the subscription term. The remainder is recognized ratably over the subscription term as support & maintenance revenue. We typically invoice our customers annually in advance.
Subscription SaaS, support & maintenance. We sell SaaS subscriptions for access to ForgeRock Identity Cloud, our SaaS offering. We sell support and maintenance bundled with license in the self-managed software subscription offering, or as a standalone for the perpetual license support & maintenance renewal. For our SaaS offering, we recognize revenue ratably over the period beginning on the later of the commencement of the subscription term or the provisioning of the
63

Table of Contents
SaaS service, to the end of the subscription term. For support and maintenance, we recognize revenue ratably over the period beginning on the later of the commencement of the subscription term or the delivery of the software to the end of the subscription term.
Perpetual licenses. We also sell perpetual licenses to our self-managed solutions. Revenue from our perpetual licenses is recognized when the software is delivered or made available to the customer. Perpetual license revenue increased by $0.5 million, or 38%, in 2021 compared to 2020. In both 2021 and 2020, revenue from perpetual licenses represented 1% of our total revenue. We do not expect perpetual license revenue to be material in future periods.
Subscriptions and perpetual licenses revenue represented 97% of our total revenue in both 2021 and 2020. Subscriptions revenue represented 99% of our subscriptions and perpetual licenses revenue in both 2021 and 2020. We expect that substantially all our revenue will be generated from subscriptions for the foreseeable future. Our subscriptions revenue may fluctuate due to the timing and relative mix between revenue from subscription term licenses and subscription SaaS, support & maintenance. Over time, we expect a greater percentage of our subscriptions and perpetual licenses revenue will come from our ForgeRock Identity Cloud offering. This will have a negative impact on our near-term revenue growth as SaaS subscription revenue is recognized ratably.
Professional services. Professional services consist primarily of fees from professional services provided to our customers and partners to configure and optimize the use of our solutions, as well as training services related to the configuration and operation of our solutions. Our professional services are generally priced on a time and materials or fixed package basis, which is generally invoiced upfront. Revenue from professional services is recognized as the service hours are used or milestones are achieved. Revenue from our training services is recognized on the date the services are complete.
Revenue from professional services represented 3% of our total revenue in both 2021 and 2020. We expect our professional services revenue to increase in absolute dollars as our business continues to grow, but we expect professional services revenue to fluctuate as a percentage of total revenue over time.
Overhead Allocation and Employee Compensation Costs
We allocate shared costs, such as facilities costs (including rent, utilities and depreciation on assets shared by all departments) and certain information technology costs to all departments based on headcount. As such, allocated shared costs are reflected in each cost of revenue and operating expense category. Employee compensation costs include salaries, bonuses, benefits and stock-based compensation for each cost of revenue and operating expense category, sales commissions for sales and marketing and any compensation related taxes.

Cost of Revenue
Subscriptions and perpetual licenses. Subscriptions and perpetual licenses cost of revenue consists of personnel costs, including salaries, bonuses, and benefits, as well as stock-based compensation, for employees associated with our subscription offerings and customer support, allocated overhead costs, and third-party costs, including cloud infrastructure costs and other expenses directly associated with our customer support. We expect our subscriptions and perpetual licenses cost of revenue to increase in absolute dollars to the extent our subscriptions revenue increases. As a percentage of revenue, we expect subscriptions and perpetual licenses cost of revenue to increase as a percentage of total revenue in the near term as we grow our SaaS subscription business, but to decrease as a percentage of our total revenue over the long term as our SaaS subscription revenue grows.
Professional services. Professional services cost of revenue consists of personnel costs, including salaries, bonuses and benefits, as well as stock-based compensation, for employees associated with our professional services and training services, allocated overhead costs, and third-party costs, including other costs directly associated with our professional services and training services. We expect our professional services cost of revenue to increase in absolute dollars as our business continues to grow. As a percentage of revenue, we expect professional services cost of revenue to fluctuate over time as we continue to invest in our growth. The cost of providing professional services has historically been higher than the associated revenue we generate, as we use professional services to help drive customer success and increased subscriptions and perpetual licenses revenue.
Gross Profit and Gross Margin
Gross profit (revenue less cost of revenue) and gross margin (gross profit as a percentage of total revenue) have been and will continue to be affected by various factors, including the timing of our acquisition of new customers and the renewal of and
64

Table of Contents
expansion of sales to existing customers, the mix between revenue from subscription term licenses and subscription SaaS, support & maintenance, the costs associated with operating our platform, the extent to which we expand our customer support team, and the extent to which we can increase the efficiency of our technology and infrastructure through technological improvements. We expect our gross profit to increase in absolute dollars as total revenue increases but our gross margin to decrease as we invest further in our cloud-based infrastructure to support our subscription SaaS offering. We expect subscriptions and perpetual licenses cost of revenue to increase consistently with the growth in our subscriptions and perpetual licenses revenue, although our gross margin could fluctuate from period-to-period.
Operating Expenses
Our operating expenses consist of sales and marketing, research and development, and general and administrative expenses. Personnel costs are the most significant component of operating expenses and consist of salaries, benefits, bonuses, payroll taxes, stock-based compensation expense and, with regard to sales and marketing expenses, sales commissions.
Research and development. Research and development expenses primarily consist of personnel costs, outside consultants, and overhead. We focus our research and development efforts on developing new solutions, core technologies, and to further enhance the functionality, reliability, performance and flexibility of existing solutions. We expect our research and development expenses will increase in absolute dollars as our business grows. However, we expect our research and development expenses will decrease as a percentage of total revenue over the long term, although they may fluctuate as a percentage of total revenue from period-to-period depending on the timing of expenses.
Sales and marketing. Sales and marketing expenses primarily consist of personnel costs, costs of general marketing and promotional activities, travel-related expenses, and overhead. Certain sales commissions earned by our sales force on subscription contracts are deferred and amortized over the period of benefit, which is generally four to five years. We expect to continue to invest in our sales force domestically and internationally, as well as in our channel relationships. We expect our sales and marketing expenses to increase in absolute dollars and continue to be our largest operating expense category for the foreseeable future. However, we expect our sales and marketing expenses will decrease as a percentage of total revenue over the long term, although they may fluctuate as a percentage of total revenue from period-to-period depending on the timing of expenses.
General and administrative. General and administrative expenses consist primarily of personnel costs associated with our executive, human resource, legal, facilities, accounting and finance, information security, and information technology departments. In addition, general and administrative expenses include third-party professional fees and overhead.
We expect that our general and administrative expenses will increase in absolute dollars as our business grows. We also expect to incur additional general and administrative expenses as a public company, including costs to comply with the rules and regulations applicable to companies listed on a national securities exchange, costs related to compliance and reporting obligations pursuant to the rules and regulations of the SEC, including regarding internal control over financial reporting under Section 404 of the Sarbanes-Oxley Act, and increased expenses for insurance, investor relations and professional services. However, we expect that our general and administrative expenses will decrease as a percentage of total revenue over the long term, although they may fluctuate as a percentage of total revenue from period-to-period depending on the timing of expenses.
Interest and other expense, net

Interest expense. Interest expense consists primarily of interest payments, accrual of end of term balloon payment on our outstanding borrowings under our A&R Loan Agreement and the amortization of associated deferred financing costs. See “Liquidity and Capital Resources” for additional information.
Other income (expense), net. Other income (expense), net primarily consists of gains and losses from foreign currency transactions denominated in a currency other than the functional currency, fair value changes on a preferred stock tranche option and warrants, and interest income. We expect our exposure to fluctuations in foreign currencies to continue as we expand our business internationally.
Provision For (Benefit From) Income Taxes

Provision for (benefit from) income taxes consists primarily of income taxes related to U.S. federal and state income taxes and income taxes in foreign jurisdictions in which we conduct business.
65

Table of Contents



Results of Operations
The following tables set forth our results of operations for the periods presented:
Year ended December 31,
20212020
(in thousands)
Revenue:
Subscription term licenses$84,611 $64,318 
Subscription SaaS, support & maintenance85,434 57,833 
Perpetual licenses1,695 1,225 
Total subscriptions and perpetual licenses171,740 123,376 
Professional services5,193 4,258 
Total revenue176,933 127,634 
Cost of revenue:
Subscriptions and perpetual licenses17,535 12,249 
Professional services15,393 9,079 
Total cost of revenue(1)
32,928 21,328 
Gross profit144,005 106,306 
Operating expenses:
Research and development(1)
43,497 35,901 
Sales and marketing(1)
88,620 75,768 
General and administrative(1)
40,329 26,729 
Total operating expenses172,446 138,398 
Operating loss(28,441)(32,092)
Foreign currency gain (loss)(3,819)3,064 
Fair value adjustment on warrants and preferred stock tranche option(10,068)(7,344)
Interest expense(4,516)(4,512)
Other, net(40)(345)
Interest and other expense, net(18,443)(9,137)
Loss before income taxes(46,884)(41,229)
Provision for (benefit from) income taxes884 565 
Net loss$(47,768)$(41,794)
(1) Includes stock-based compensation expense as follows:
Year ended December 31,
20212020
(in thousands)
Cost of revenue
$617 $166 
Research and development
1,924 1,307 
Sales and marketing
3,495 1,794 
General and administrative
4,630 2,917 
Total stock-based compensation
$10,666 $6,184 
66

Table of Contents
The following table sets forth our results of operations for the periods presented as a percentage of our total revenue:

Year ended December 31,
20212020
Revenue:
Subscription term licenses48%50%
Subscription SaaS, support & maintenance48%46%
Perpetual licenses1%1%
Total subscriptions and perpetual licenses97%97%
Professional services3%3%
Total revenue100%100%
Cost of revenue:
Subscriptions and perpetual licenses10%10%
Professional services9%7%
Total cost of revenue19%17%
Gross profit81%83%
Operating expenses:
Research and development25%28%
Sales and marketing50%59%
General and administrative23%21%
Total operating expenses98%108%
Operating loss(17)%(25)%
Foreign currency gain (loss)(2)%2%
Fair value adjustment on warrants and preferred stock tranche option(6)%(6)%
Interest expense(3)%(4)%
Other, net—%—%
Interest and other expense, net(11)%(8)%
Loss before income taxes(28)%(33)%
Provision for (benefit from) income taxes—%—%
Net loss(28)%(33)%


Comparison of the Years Ended December 31, 2021 and 2020
RevenueYear ended December 31,Change
20212020
Amount
Percent
(in thousands, except percentages)
Subscription term licenses
$84,611 $64,318 $20,293 32%
Subscription SaaS, support & maintenance
85,434 57,833 27,601 48%
Perpetual licenses
1,695 1,225 470 38%
Total subscriptions and perpetual licenses
171,740 123,376 48,364 39%
Professional services
5,193 4,258 935 22%
Total revenue
$176,933 $127,634 $49,299 39%
Total revenue increased by $49.3 million, or 39%, in 2021 compared to 2020.
67

Table of Contents
Subscriptions and perpetual licenses revenue increased by $48.4 million, or 39%, in 2021 compared to 2020. Subscription term licenses revenue increased by $20.3 million or 32% in 2021 compared to 2020. Subscription SaaS, support & maintenance revenue increased by $27.6 million or 48% in 2021 compared to 2020. The increases in subscription term licenses and subscription SaaS, support & maintenance revenue were driven by the addition of new customers as well as an increase in identities, use cases, product modules, and deployments from existing customers. Support and maintenance increased due to the steady growth of the installment base. SaaS, support and maintenance revenue increased due to the steady growth of the installment base, as well as the increased adoption of our SaaS offerings.
Professional services revenue increased by $0.9 million, or 22%, in 2021 compared to 2020. There was an increase in the service activity for cloud onboarding and self-managed software in 2021 compared to the prior year.
Cost of Revenue, Gross Profit and Gross Margin
Year ended December 31,Change
20212020
Amount
Percent
(in thousands, except percentages)
Cost of Revenue
Subscriptions and perpetual licenses
$17,535$12,249$5,286 43%
Professional services
15,3939,0796,314 70%
Total cost of revenue
$32,928$21,328$11,600 54%
Gross Margin
Subscriptions and perpetual licenses
90%90%
Professional services
(196)%(113)%
Total Gross Margin
81%83%
Cost of revenue increased by $11.6 million, or 54%, in 2021 compared to 2020. Subscriptions and perpetual licenses cost of revenue increased by $5.3 million, or 43%, in 2021 compared to 2020, primarily due to a $4.0 million increase in headcount and related personnel costs to support the growth of our offerings, ongoing maintenance for our expanding customer base and our investment in cloud infrastructure costs for our ForgeRock Identity Cloud offering and a $0.5 million increase in royalty expenses. Professional services cost of revenue increased by $6.3 million, or 70%, in 2021 compared to 2020, primarily due to an increase of $5.9 million of contractor costs and allocated overhead costs as we invest further for anticipated growth.
Gross margin for subscriptions and perpetual licenses was 90% in both 2021 and 2020. While our gross margins for subscription and perpetual licenses revenue may fluctuate in the near-term as we invest in our growth, we expect our subscription revenue gross margin to improve over the long-term as we achieve additional economies of scale. Gross margin for professional services decreased to (196)% in 2021 from (113)% in 2020. The decrease in gross margin for professional services was due to investments to increase our professional services capacity to support the anticipated growth in new customers.
Operating ExpensesYear ended December 31,Change
20212020
Amount
Percent
(in thousands, except percentages)
Operating Expenses
Research and development
$43,497 $35,901 $7,596 21%
Sales and marketing
88,620 75,768 12,852 17%
General and administrative
40,329 26,729 13,600 51%
Total operating expenses
$172,446 $138,398 $34,048 25%
Research and development. Research and development expenses increased $7.6 million, or 21%, in 2021 compared to 2020. The increase was primarily due to an increase of $5.8 million in personnel costs related to higher headcount to support our continued research and development efforts in enhancing our offerings. Other increases include a $1.3 million increase in IT outsourcing costs, including AWS and Google, related to our cloud strategy, and a $1.5 million increase in professional fees, partially offset by a $0.4 million decrease in facility costs.
68

Table of Contents
Sales and marketing. Sales and marketing expenses increased $12.9 million, or 17%, in 2021 compared to 2020. The increase was primarily due to an increase of $11.0 million in personnel costs related to the expansion of our sales force and our marketing department. Personnel costs also increased due to an increase in stock-based compensation expense with the introduction of Employee Stock Purchase Plan (“ESPP”) and restricted stock units (RSUs) in the last quarter of 2021. Additionally, there was also a $1.6 million increase in marketing costs such as Google advertising and sales demonstrations as we increase awareness campaigns. Advertising costs were $6.7 million and $5.5 million for the years ended December 31, 2021 and 2020, respectively.
General and administrative. General and administrative expenses increased $13.6 million, or 51%, in 2021 compared to 2020. The increase was primarily due to an increase of $7.5 million in personnel costs due to a higher headcount and an increase in stock-based compensation expense with the introduction of ESPP and RSUs in the last quarter of 2021. There was also a $4.8 million increase in third-party professional fees, insurance and related costs of becoming a public company and a $0.9 million increase in software costs.
Interest and other expense, net
Year ended December 31,Change
20212020
Amount
Percent
(in thousands, except percentages)
Interest and other expense, net
Foreign currency (loss) gain
$(3,819)$3,064 $(6,883)(225)%
Fair value adjustment on warrants and preferred stock tranche option
(10,068)(7,344)(2,724)37%
Interest expense(4,516)(4,512)(4)—%
Other, net(40)(345)305 (89)%
Total Interest and other expense, net$(18,443)$(9,137)$(9,306)102%
Interest and other expense, net, increased $9.3 million, or 102%, in 2021 compared to 2020.
We recorded a net foreign currency loss of $3.8 million in 2021 compared to a net foreign currency gain of $3.1 million in 2020, primarily due to fluctuations in foreign currency remeasurement on intercompany balances denominated in Norwegian krone, Euros and the British pound. On September, 30, 2021, we reclassified certain intercompany balances considered long-term in nature. Accordingly, foreign currency remeasurement gains and losses related to these balances are being reported in the accumulated other comprehensive income in stockholders’ equity (deficit) on the consolidated balance sheet effective October 1, 2021.
In 2021, we recorded fair value mark-to-market adjustments of $4.2 million, compared to $6.1 million in 2020 relating to a preferred stock tranche option to purchase Series E-1 preferred shares held by one of our Series E preferred stock investors totaling $20.0 million. The option was exercised in April 2021. In addition, the outstanding preferred stock warrants fair value increased by $5.9 million in 2021, compared to $1.2 million in 2020 due to mark-to-market adjustments on these instruments reflecting the increase in the value of ForgeRock. The warrants were subsequently exercised in September 2021.
Interest expense remained relatively flat in 2021 by comparison to 2020 driven by the impact of recognizing a full year of interest expense in 2021 on additional borrowings of $10.0 million made in April 2020 offset by lower interest rates on the debt when the agreement was amended, effective October 1, 2021.
Provision For Income Taxes
In 2021, we recorded a provision for income taxes of $0.9 million. In 2020, we recorded a provision for income taxes of $0.6 million. In 2021 and 2020, the federal statutory income tax rate of 21% differs from the effective tax rate primarily due to the valuation allowance against related deferred taxes. Our valuation allowance was $65.4 million and $47.0 million as of December 31, 2021 and 2020, respectively.
69

Table of Contents
Liquidity and Capital Resources
As of December 31, 2021, our principal sources of liquidity were cash, cash equivalents and short-term investments of $369.8 million, which were held for working capital purposes. In September 2021 and April 2021, we received $295.7 million and $20.0 million, respectively, of net cash proceeds from the IPO and exercise of a preferred stock tranche option that was exercised by one of our investors. Our cash equivalents were comprised primarily of money market funds and our short-term investments were comprised of marketable securities. We have generated significant operating losses and negative cash flows from operations as reflected in our accumulated deficit and consolidated statements of cash flows. We expect to continue to incur operating losses and negative cash flows from operations for the foreseeable future.
Prior to the IPO, we had funded our operations and capital expenditures primarily through equity issuances, debt instruments and cash generated from our operations. We believe our existing cash, cash equivalents, short-term investments and cash provided by sales of our products and services will be sufficient to meet our working capital and capital expenditure needs for at least the next 12 months following the date of this report. We use our cash for a variety of needs, including but not limited to ongoing investments in our business, strategic acquisitions, capital expenditures, investment in our infrastructure, including non-cancellable purchase commitments, and debt repayment obligations. Our future capital requirements will depend on many factors, including our licenses growth rate, licenses renewal activity, billing frequency, the timing and extent of spending required to support development efforts, the expansion of sales and marketing activities, the introduction of new and enhanced product offerings, the continuing market adoption of our platform and further investment in general and administrative functions to meet the compliance requirements of being a public company. We may in the future enter into arrangements to acquire or invest in complementary businesses, services and technologies, including intellectual property rights. We may be required to seek additional equity or debt financing. In the event that additional financing is required from outside sources, we may not be able to raise it on terms acceptable to us or at all. If we are unable to raise additional capital or generate cash flows necessary to expand our operations and invest in new technologies this could reduce our ability to compete successfully and harm our business, financial condition, and results of operations.
In September 2021, we executed an amendment to the Amended Restated Plain English Growth Capital Loan and Security Agreement with TriplePoint Venture Growth BDC Corp. and TriplePoint Capital LLC, or the amended “A&R Loan Agreement”. The amended A&R Loan Agreement became effective once the registration statement in connection with the initial public offering was declared effective on September 16, 2021. The key provisions of the amendment include: (1) a covenant requiring the maintenance of a $20.0 million cash balance, (2) change in the interest rate for outstanding term loan to be eight percent (8.00%) per annum on the existing loans, (3) extension of the maturity dates by twenty-four months, (4) change in the prepayment penalties and (5) and a change in the prepayment premium. The principal will be due at the end of the term of the respective advance. As of December 31, 2021, the balance outstanding under our term loan facility was $40.0 million and is included in long-term debt on our consolidated balance sheet.
All of our obligations under our term loan facility are guaranteed by ForgeRock US, Inc. and ForgeRock Limited and, subject to certain exceptions, secured by a security interest in substantially all of our assets, excluding intellectual property, which is subject to a negative pledge.
A significant majority of our customers pay in advance for their subscriptions. Therefore, a substantial source of our cash is from our deferred revenue, which is included on our consolidated balance sheet as a liability. Deferred revenue consists of the unearned portion of billed fees for our subscriptions, which is recognized as revenue in accordance with our revenue recognition policy. As of December 31, 2021, we had deferred revenue of $75.4 million, of which $67.2 million is recorded as a current liability and is expected to be recorded as revenue in the next 12 months, provided all other revenue recognition criteria have been met.

70

Table of Contents
In the ordinary course of business, the Company enters into various purchase commitments primarily related to third-party cloud hosting and data services, information technology operations and marketing events. Total noncancelable purchase commitments as of December 31, 2021 were approximately $60.3 million for the years through December 31, 2024.

Cash Flows
The following table summarizes our cash flows for the periods indicated:
Year ended December 31,
20212020
(in thousands)
Cash used in operating activities
$(36,783)$(29,594)
Cash used in investing activities
(244,446)(846)
Cash provided by financing activities
310,512 101,151 
Effects of changes in foreign currency exchange rates on cash and cash equivalents
(888)546 
Net increase in cash and cash equivalents and restricted cash
$28,395 $71,257 
Operating activities
Our largest source of operating cash is cash collections from our customers for subscription, support and maintenance services. Our primary uses of cash from operating activities are for employee-related expenditures, marketing expenses and third-party hosting costs. Historically, we have generated negative cash flows from operating activities and have supplemented working capital requirements through net proceeds from the sale of equity securities and term loans.

During the twelve months ended December 31, 2021 cash used in operating activities was $36.8 million primarily due to our net loss of $47.8 million and net cash outflows of $31.3 million used in our operating assets and liabilities. Non-cash charges primarily consisted of amortization of deferred commissions of $14.0 million driven by the timing of revenue recognition, and stock-based compensation of $10.7 million. The primary drivers of the changes in operating assets and liabilities related to a change in deferred commissions of $23.3 million driven by the timing of commission payments, a $10.5 million change in contract and other non-current assets due to the issuance of invoices and timing of revenue recognition, a $20.7 million change in accounts receivable and a $10.9 million change in accrued expenses and other liabilities due to the timing of cash disbursements.
During the twelve months ended December 31, 2020, cash used in operating activities was $29.6 million primarily due to our net loss of $41.8 million, adjusted for net cash outflows of $13.7 million used in our operating assets and liabilities. Non-cash charges primarily consisted of a foreign currency remeasurement loss of $3.1 million, amortization of deferred commissions of $13.4 million and stock- based compensation of $6.2 million. The primary drivers of the changes in operating assets and liabilities related to a change in deferred revenue of $5.3 million due to the timing of collection of payment from our customers, partially offset by a change in deferred commissions of $18.0 million driven by the timing of commission payments.

Investing activities
Net cash used in investing activities during the twelve months ended December 31, 2021 of $244.4 million was primarily attributable to purchases of short term investments of $277.1 million, purchases of property and equipment of $1.1 million, and partially offset by sales and maturities of short term investments of $1.9 million.
Net cash used in investing activities during the twelve months ended December 31, 2020 of $0.8 million was attributable to the purchase of available for sale securities of $3.0 million and purchases of property and equipment of $0.9 million, offset by sales of available for sale securities of $3.0 million.

Financing activities
Cash provided by financing activities during the twelve months ended December 31, 2021 was $310.5 million primarily as a result of proceeds consisting of $295.7 million of aggregate net proceeds from our IPO, net of underwriting discounts and commissions and offering costs paid, the issuance of Series E-1 convertible preferred stock of $20.0 million and proceeds from
71

Table of Contents
the exercise of employee stock options of $4.9 million partially offset by $3.9 million employee payroll taxes paid for net shares settlement of restricted stock units on IPO.
Cash provided by financing activities during the twelve months ended December 31, 2020 was $101.2 million, primarily as a result of proceeds from the issuance of Series E redeemable convertible preferred stock of $93.5 million, proceeds from the issuance of debt of $9.9 million and partially offset by repurchases of common stock from employees of $2.3 million.



JOBS Act Accounting Election
We are an emerging growth company pursuant to the provisions of the Jumpstart Our Business Startups Act of 2012, or the JOBS Act. For as long as we are an emerging growth company, we may take advantage of certain exemptions from various reporting requirements that are applicable to other public companies that are not emerging growth companies. The JOBS Act also permits an emerging growth company to take advantage of an extended transition period to comply with new or revised accounting standards applicable to public companies. We have elected to use the extended transition period until we are no longer an emerging growth company or until we choose to affirmatively and irrevocably opt out of the extended transition period. As a result, our financial statements may not be comparable to companies that comply with new or revised accounting pronouncements applicable to public companies. See “Risk Factors” — We are an ‘emerging growth company’ and we expect to elect to comply with reduced public company reporting requirements, which could make our common stock less attractive to investors.

Critical Accounting Policies and Estimates
The discussion and analysis of our financial condition and results of operations are based upon our consolidated financial statements, which have been prepared in accordance with U.S. GAAP. The preparation of these financial statements requires management to make estimates and judgments that affect the reported amounts of assets and liabilities, revenue and expenses and related disclosures of contingent assets and liabilities at the date of our financial statements. Actual results may differ from these estimates under different assumptions or conditions, impacting our reported results of operations and financial condition.
Certain accounting policies involve significant judgments and assumptions by management, which have a material impact on the carrying value of assets and liabilities and the recognition of income and expenses. Management considers these accounting policies to be critical accounting policies. The estimates and assumptions used by management are based on historical experience and other factors, which are believed to be reasonable under the circumstances. The significant accounting policies which we believe are the most critical to aid in fully understanding and evaluating our reported financial results are described below. Refer to “Note 2 — Summary of Significant Accounting Policies” to the consolidated financial statements included in Part II, Item 8 of this Annual Report on Form 10-K for more detailed information regarding our significant accounting policies.
Revenue Recognition
We recognize revenue under ASC 606. In accordance with ASC 606, revenue is recognized when promised goods or services are transferred to a customer. The amount of revenue recognized reflects the consideration that we expected to be entitled to receive in exchange for these goods or services. We recognize revenue from contracts with customers using the five-step method described in Note 2 of the notes to our consolidated financial statements, included in Part II, Item 8 of this Annual Report on Form 10-K for mor