0001477333-21-000009.txt : 20210225 0001477333-21-000009.hdr.sgml : 20210225 20210225162635 ACCESSION NUMBER: 0001477333-21-000009 CONFORMED SUBMISSION TYPE: 10-K PUBLIC DOCUMENT COUNT: 102 CONFORMED PERIOD OF REPORT: 20201231 FILED AS OF DATE: 20210225 DATE AS OF CHANGE: 20210225 FILER: COMPANY DATA: COMPANY CONFORMED NAME: Cloudflare, Inc. CENTRAL INDEX KEY: 0001477333 STANDARD INDUSTRIAL CLASSIFICATION: SERVICES-PREPACKAGED SOFTWARE [7372] IRS NUMBER: 270805829 STATE OF INCORPORATION: DE FISCAL YEAR END: 1231 FILING VALUES: FORM TYPE: 10-K SEC ACT: 1934 Act SEC FILE NUMBER: 001-39039 FILM NUMBER: 21680755 BUSINESS ADDRESS: STREET 1: 101 TOWNSEND ST. CITY: SAN FRANCISCO STATE: CA ZIP: 94107 BUSINESS PHONE: 888.993.5273 MAIL ADDRESS: STREET 1: 101 TOWNSEND ST. CITY: SAN FRANCISCO STATE: CA ZIP: 94107 FORMER COMPANY: FORMER CONFORMED NAME: CloudFlare, Inc. DATE OF NAME CHANGE: 20091120 10-K 1 cloud-20201231.htm 10-K cloud-20201231
FALSE0001477333FY2020us-gaap:AccountingStandardsUpdate201602MemberP1Y0M0D0.0267187100014773332020-01-012020-12-31iso4217:USD00014773332020-06-30xbrli:shares0001477333us-gaap:CommonClassAMember2021-02-120001477333us-gaap:CommonClassBMember2021-02-120001477333us-gaap:CommonClassAMemberus-gaap:IPOMember2019-09-012019-09-3000014773332020-12-3100014773332019-12-31iso4217:USDxbrli:shares0001477333us-gaap:CommonClassAMember2019-12-310001477333us-gaap:CommonClassAMember2020-12-310001477333us-gaap:CommonClassBMember2019-12-310001477333us-gaap:CommonClassBMember2020-12-3100014773332019-01-012019-12-3100014773332018-01-012018-12-310001477333us-gaap:RetainedEarningsMember2019-01-012019-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2017-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2017-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassBMember2017-12-310001477333us-gaap:AdditionalPaidInCapitalMember2017-12-310001477333us-gaap:RetainedEarningsMember2017-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2017-12-3100014773332017-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2018-01-012018-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassBMember2018-01-012018-12-310001477333us-gaap:AdditionalPaidInCapitalMember2018-01-012018-12-310001477333us-gaap:RetainedEarningsMember2018-01-012018-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2018-01-012018-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2018-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2018-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassBMember2018-12-310001477333us-gaap:AdditionalPaidInCapitalMember2018-12-310001477333us-gaap:RetainedEarningsMember2018-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2018-12-3100014773332018-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2019-01-012019-12-310001477333us-gaap:AdditionalPaidInCapitalMember2019-01-012019-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2019-01-012019-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassBMember2019-01-012019-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-01-012019-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2019-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2019-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassBMember2019-12-310001477333us-gaap:AdditionalPaidInCapitalMember2019-12-310001477333us-gaap:RetainedEarningsMember2019-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-12-310001477333srt:CumulativeEffectPeriodOfAdoptionAdjustmentMemberus-gaap:RetainedEarningsMember2019-12-310001477333srt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2019-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2020-01-012020-12-310001477333us-gaap:AdditionalPaidInCapitalMember2020-01-012020-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassBMember2020-01-012020-12-310001477333us-gaap:RetainedEarningsMember2020-01-012020-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-01-012020-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2020-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassAMember2020-12-310001477333us-gaap:CommonStockMemberus-gaap:CommonClassBMember2020-12-310001477333us-gaap:AdditionalPaidInCapitalMember2020-12-310001477333us-gaap:RetainedEarningsMember2020-12-310001477333us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2020-01-012020-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2019-01-012019-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2018-01-012018-12-310001477333us-gaap:EmployeeStockMember2020-01-012020-12-310001477333us-gaap:EmployeeStockMember2019-01-012019-12-310001477333us-gaap:EmployeeStockMember2018-01-012018-12-310001477333srt:MinimumMember2020-01-012020-12-310001477333srt:MaximumMember2020-01-012020-12-310001477333us-gaap:EmployeeStockOptionMember2020-01-012020-12-310001477333us-gaap:TechnologyEquipmentMember2020-01-012020-12-310001477333us-gaap:BuildingMember2020-01-012020-12-310001477333us-gaap:OfficeEquipmentMember2020-01-012020-12-310001477333us-gaap:FurnitureAndFixturesMember2020-01-012020-12-310001477333us-gaap:SoftwareDevelopmentMember2020-01-012020-12-31xbrli:pure0001477333us-gaap:ConvertibleDebtMember2020-12-310001477333us-gaap:DevelopedTechnologyRightsMember2020-01-012020-12-3100014773332017-11-012017-11-30cloud:segment00014773332020-01-0100014773332020-01-012020-01-010001477333country:US2020-01-012020-12-310001477333country:USus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2020-01-012020-12-310001477333country:US2019-01-012019-12-310001477333country:USus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333country:US2018-01-012018-12-310001477333country:USus-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333us-gaap:EMEAMember2020-01-012020-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:EMEAMemberus-gaap:RevenueFromContractWithCustomerMember2020-01-012020-12-310001477333us-gaap:EMEAMember2019-01-012019-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:EMEAMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333us-gaap:EMEAMember2018-01-012018-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:EMEAMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333srt:AsiaPacificMember2020-01-012020-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMembersrt:AsiaPacificMember2020-01-012020-12-310001477333srt:AsiaPacificMember2019-01-012019-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMembersrt:AsiaPacificMember2019-01-012019-12-310001477333srt:AsiaPacificMember2018-01-012018-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMembersrt:AsiaPacificMember2018-01-012018-12-310001477333cloud:OtherGeographicalRegionsMember2020-01-012020-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMembercloud:OtherGeographicalRegionsMember2020-01-012020-12-310001477333cloud:OtherGeographicalRegionsMember2019-01-012019-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMembercloud:OtherGeographicalRegionsMember2019-01-012019-12-310001477333cloud:OtherGeographicalRegionsMember2018-01-012018-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMembercloud:OtherGeographicalRegionsMember2018-01-012018-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2020-01-012020-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2019-01-012019-12-310001477333us-gaap:GeographicConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMember2018-01-012018-12-310001477333us-gaap:SalesChannelThroughIntermediaryMember2020-01-012020-12-310001477333us-gaap:SalesChannelThroughIntermediaryMemberus-gaap:RevenueFromContractWithCustomerMembercloud:SalesChannelConcentrationRiskMember2020-01-012020-12-310001477333us-gaap:SalesChannelThroughIntermediaryMember2019-01-012019-12-310001477333us-gaap:SalesChannelThroughIntermediaryMemberus-gaap:RevenueFromContractWithCustomerMembercloud:SalesChannelConcentrationRiskMember2019-01-012019-12-310001477333us-gaap:SalesChannelThroughIntermediaryMember2018-01-012018-12-310001477333us-gaap:SalesChannelThroughIntermediaryMemberus-gaap:RevenueFromContractWithCustomerMembercloud:SalesChannelConcentrationRiskMember2018-01-012018-12-310001477333us-gaap:SalesChannelDirectlyToConsumerMember2020-01-012020-12-310001477333us-gaap:SalesChannelDirectlyToConsumerMemberus-gaap:RevenueFromContractWithCustomerMembercloud:SalesChannelConcentrationRiskMember2020-01-012020-12-310001477333us-gaap:SalesChannelDirectlyToConsumerMember2019-01-012019-12-310001477333us-gaap:SalesChannelDirectlyToConsumerMemberus-gaap:RevenueFromContractWithCustomerMembercloud:SalesChannelConcentrationRiskMember2019-01-012019-12-310001477333us-gaap:SalesChannelDirectlyToConsumerMember2018-01-012018-12-310001477333us-gaap:SalesChannelDirectlyToConsumerMemberus-gaap:RevenueFromContractWithCustomerMembercloud:SalesChannelConcentrationRiskMember2018-01-012018-12-310001477333us-gaap:RevenueFromContractWithCustomerMembercloud:SalesChannelConcentrationRiskMember2020-01-012020-12-310001477333us-gaap:RevenueFromContractWithCustomerMembercloud:SalesChannelConcentrationRiskMember2019-01-012019-12-310001477333us-gaap:RevenueFromContractWithCustomerMembercloud:SalesChannelConcentrationRiskMember2018-01-012018-12-3100014773332021-01-012020-12-310001477333us-gaap:CashMember2020-12-310001477333us-gaap:CashMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333us-gaap:CashMembercloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333us-gaap:CashMemberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2020-12-310001477333us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMember2020-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMember2020-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMember2020-12-310001477333us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Membercloud:RestrictedCashNoncurrentMemberus-gaap:MoneyMarketFundsMember2020-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMember2020-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2020-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Member2020-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2020-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel2Member2020-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMembercloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2020-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:CommercialPaperMember2020-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2020-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2020-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMemberus-gaap:CommercialPaperMember2020-12-310001477333us-gaap:FairValueInputsLevel2Member2020-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2020-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueMeasurementsRecurringMember2020-12-310001477333us-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2020-12-310001477333us-gaap:CashMember2019-12-310001477333us-gaap:CashMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:CashMembercloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:CashMemberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2019-12-310001477333us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMember2019-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMember2019-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMember2019-12-310001477333us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Membercloud:RestrictedCashNoncurrentMemberus-gaap:MoneyMarketFundsMember2019-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMember2019-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2019-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Member2019-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2019-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel2Member2019-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMembercloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2019-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:CommercialPaperMember2019-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2019-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2019-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMemberus-gaap:CommercialPaperMember2019-12-310001477333us-gaap:FairValueInputsLevel2Member2019-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2019-12-310001477333us-gaap:CashAndCashEquivalentsMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333cloud:DebtSecuritiesAvailableForSaleCurrentMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001477333us-gaap:FairValueMeasurementsRecurringMembercloud:RestrictedCashNoncurrentMember2019-12-310001477333us-gaap:MoneyMarketFundsMember2020-12-310001477333us-gaap:MoneyMarketFundsMember2019-12-310001477333us-gaap:TechnologyEquipmentMember2020-12-310001477333us-gaap:TechnologyEquipmentMember2019-12-310001477333us-gaap:BuildingMember2020-12-310001477333us-gaap:BuildingMember2019-12-310001477333us-gaap:ConstructionInProgressMember2020-12-310001477333us-gaap:ConstructionInProgressMember2019-12-310001477333us-gaap:SoftwareDevelopmentMember2020-12-310001477333us-gaap:SoftwareDevelopmentMember2019-12-310001477333us-gaap:OfficeEquipmentMember2020-12-310001477333us-gaap:OfficeEquipmentMember2019-12-310001477333us-gaap:FurnitureAndFixturesMember2020-12-310001477333us-gaap:FurnitureAndFixturesMember2019-12-310001477333cloud:SoftwareMember2020-12-310001477333cloud:SoftwareMember2019-12-310001477333us-gaap:LeaseholdImprovementsMember2020-12-310001477333us-gaap:LeaseholdImprovementsMember2019-12-310001477333us-gaap:RemediationPropertyForSaleAbandonmentOrDisposalMember2020-12-310001477333us-gaap:RemediationPropertyForSaleAbandonmentOrDisposalMember2019-12-310001477333us-gaap:AccountingStandardsUpdate201602Memberus-gaap:BuildingMember2020-01-012020-01-010001477333us-gaap:LeaseholdImprovementsMemberus-gaap:AccountingStandardsUpdate201602Member2020-01-012020-01-010001477333us-gaap:SoftwareAndSoftwareDevelopmentCostsMember2020-01-012020-12-310001477333us-gaap:SoftwareAndSoftwareDevelopmentCostsMember2019-01-012019-12-310001477333us-gaap:SoftwareAndSoftwareDevelopmentCostsMember2018-01-012018-12-310001477333cloud:S2SystemsCorporationMember2020-01-012020-12-310001477333us-gaap:DevelopedTechnologyRightsMember2020-12-310001477333us-gaap:DevelopedTechnologyRightsMember2019-12-310001477333srt:MaximumMember2020-12-310001477333cloud:CoLocationAssetLeaseMembersrt:MaximumMember2020-12-310001477333us-gaap:ConvertibleDebtMember2020-05-3100014773332020-05-012020-05-31cloud:day0001477333cloud:ScenarioOneMember2020-01-012020-12-310001477333cloud:ScenarioTwoMember2020-01-012020-12-310001477333cloud:ScenarioThreeMember2020-01-012020-12-310001477333cloud:ScenarioThreeMemberus-gaap:ConvertibleDebtMember2020-01-012020-12-310001477333cloud:FundamentalChangeMemberus-gaap:ConvertibleDebtMember2020-01-012020-12-310001477333cloud:MeasurementInputEffectiveInterestRateMemberus-gaap:ConvertibleDebtMember2020-05-3100014773332020-05-310001477333us-gaap:ConvertibleDebtMember2020-05-012020-05-310001477333us-gaap:CommonClassAMember2020-05-31cloud:vote0001477333us-gaap:ConvertibleDebtMember2019-12-310001477333us-gaap:EmployeeStockOptionMember2020-12-310001477333us-gaap:EmployeeStockOptionMember2019-12-310001477333cloud:EquityIncentivePlan2019Member2020-12-310001477333cloud:EquityIncentivePlan2019Member2019-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2020-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2019-12-310001477333us-gaap:EmployeeStockMember2020-12-310001477333us-gaap:EmployeeStockMember2019-12-310001477333cloud:TwoThousandAndTenEquityIncentivePlanMemberus-gaap:CommonStockMemberus-gaap:EmployeeStockOptionMember2020-01-012020-12-310001477333cloud:TwoThousandAndNineteenEquityIncentivePlanMemberus-gaap:CommonClassAMember2020-12-310001477333cloud:TwoThousandAndNineteenEquityIncentivePlanMembercloud:ClassAAndClassBCommonStockMember2020-01-012020-12-310001477333cloud:TwoThousandAndNineteenEquityIncentivePlanMemberus-gaap:CommonClassAMemberus-gaap:EmployeeStockOptionMember2020-12-310001477333cloud:TwoThousandAndNineteenEquityIncentivePlanMemberus-gaap:CommonClassAMemberus-gaap:RestrictedStockUnitsRSUMember2020-12-310001477333cloud:TwoThousandAndTenEquityIncentivePlanMemberus-gaap:EmployeeStockOptionMember2020-01-012020-12-3100014773332017-01-012017-12-310001477333us-gaap:EmployeeStockOptionMember2019-01-012019-12-310001477333us-gaap:EmployeeStockOptionMember2018-01-012018-12-310001477333cloud:S2SystemsCorporationMemberus-gaap:RestrictedStockMember2020-01-012020-12-310001477333us-gaap:ShareBasedCompensationAwardTrancheOneMembercloud:S2SystemsCorporationMemberus-gaap:RestrictedStockMember2020-01-012020-12-310001477333us-gaap:ShareBasedCompensationAwardTrancheTwoMembercloud:S2SystemsCorporationMemberus-gaap:RestrictedStockMember2020-01-012020-12-310001477333cloud:S2SystemsCorporationMemberus-gaap:RestrictedStockMember2019-01-012019-12-310001477333cloud:S2SystemsCorporationMemberus-gaap:RestrictedStockMember2020-12-310001477333cloud:S2SystemsCorporationMemberus-gaap:RestrictedStockMember2019-12-310001477333cloud:RestrictedStockAndRestrictedStockUnitsMember2019-12-310001477333us-gaap:RestrictedStockMember2020-01-012020-12-310001477333cloud:RestrictedStockAndRestrictedStockUnitsMember2020-01-012020-12-310001477333cloud:RestrictedStockAndRestrictedStockUnitsMember2020-12-310001477333us-gaap:RestrictedStockUnitsRSUMember2020-01-012020-03-310001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMemberus-gaap:CommonClassAMember2019-09-300001477333us-gaap:EmployeeStockMembercloud:ClassAAndClassBCommonStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2019-09-012019-09-300001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2019-09-012019-09-300001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMemberus-gaap:CommonClassAMember2019-09-012019-09-300001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMemberus-gaap:CommonClassAMember2020-01-012020-12-310001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2020-12-310001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2019-12-310001477333us-gaap:EmployeeStockMembercloud:TwoThousandAndNineteenEmployeeStockPurchasePlanMember2020-01-012020-12-310001477333us-gaap:CostOfSalesMember2020-01-012020-12-310001477333us-gaap:CostOfSalesMember2019-01-012019-12-310001477333us-gaap:CostOfSalesMember2018-01-012018-12-310001477333us-gaap:SellingAndMarketingExpenseMember2020-01-012020-12-310001477333us-gaap:SellingAndMarketingExpenseMember2019-01-012019-12-310001477333us-gaap:SellingAndMarketingExpenseMember2018-01-012018-12-310001477333us-gaap:ResearchAndDevelopmentExpenseMember2020-01-012020-12-310001477333us-gaap:ResearchAndDevelopmentExpenseMember2019-01-012019-12-310001477333us-gaap:ResearchAndDevelopmentExpenseMember2018-01-012018-12-310001477333us-gaap:GeneralAndAdministrativeExpenseMember2020-01-012020-12-310001477333us-gaap:GeneralAndAdministrativeExpenseMember2019-01-012019-12-310001477333us-gaap:GeneralAndAdministrativeExpenseMember2018-01-012018-12-310001477333us-gaap:CommonStockMember2018-01-012018-12-310001477333us-gaap:ConvertibleDebtSecuritiesMember2020-01-012020-12-310001477333us-gaap:ConvertibleDebtSecuritiesMember2019-01-012019-12-310001477333us-gaap:ConvertibleDebtSecuritiesMember2018-01-012018-12-310001477333cloud:ShareBasedPaymentArrangementSharesSubjectToRepurchaseMember2020-01-012020-12-310001477333cloud:ShareBasedPaymentArrangementSharesSubjectToRepurchaseMember2019-01-012019-12-310001477333cloud:ShareBasedPaymentArrangementSharesSubjectToRepurchaseMember2018-01-012018-12-310001477333us-gaap:EmployeeStockOptionMember2020-01-012020-12-310001477333us-gaap:EmployeeStockOptionMember2019-01-012019-12-310001477333us-gaap:EmployeeStockOptionMember2018-01-012018-12-310001477333cloud:RestrictedStockAwardAndRestrictedStockUnitRSUsAwardMember2020-01-012020-12-310001477333cloud:RestrictedStockAwardAndRestrictedStockUnitRSUsAwardMember2019-01-012019-12-310001477333cloud:RestrictedStockAwardAndRestrictedStockUnitRSUsAwardMember2018-01-012018-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2020-01-012020-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2019-01-012019-12-310001477333us-gaap:RedeemableConvertiblePreferredStockMember2018-01-012018-12-310001477333cloud:RedeemableConvertiblePreferredStockWarrantsMember2020-01-012020-12-310001477333cloud:RedeemableConvertiblePreferredStockWarrantsMember2019-01-012019-12-310001477333cloud:RedeemableConvertiblePreferredStockWarrantsMember2018-01-012018-12-310001477333cloud:VestedAndUnreleasedRestrictedStockUnitsMember2020-01-012020-12-310001477333cloud:VestedAndUnreleasedRestrictedStockUnitsMember2019-01-012019-12-310001477333cloud:VestedAndUnreleasedRestrictedStockUnitsMember2018-01-012018-12-310001477333us-gaap:EmployeeStockMember2020-01-012020-12-310001477333us-gaap:EmployeeStockMember2019-01-012019-12-310001477333us-gaap:EmployeeStockMember2018-01-012018-12-310001477333us-gaap:DomesticCountryMember2020-12-310001477333us-gaap:DomesticCountryMember2019-12-310001477333us-gaap:ResearchMemberus-gaap:DomesticCountryMember2020-12-310001477333us-gaap:StateAndLocalJurisdictionMember2020-12-310001477333us-gaap:StateAndLocalJurisdictionMember2019-12-310001477333us-gaap:StateAndLocalJurisdictionMemberus-gaap:ResearchMember2020-12-310001477333us-gaap:ForeignCountryMember2020-12-310001477333us-gaap:ForeignCountryMember2019-12-310001477333cloud:S2SystemsCorporationMember2020-01-012020-01-310001477333cloud:S2SystemsCorporationMember2020-01-310001477333cloud:S2SystemsCorporationMember2020-12-310001477333country:US2020-12-310001477333country:US2019-12-310001477333us-gaap:NonUsMember2020-12-310001477333us-gaap:NonUsMember2019-12-31


UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
__________________________________________________
FORM 10-K
__________________________________________________
(Mark One)
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 2020
or
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the transition period from                to              
Commission file number: 001-39039
__________________________________________________
Cloudflare, Inc.
(Exact name of registrant as specified in its charter)
__________________________________________________
Delaware

27-0805829
(State or other jurisdiction of
incorporation or organization)

(I.R.S. Employer
Identification Number)
101 Townsend Street
San Francisco, California 94107
(Address of principal executive offices and zip code)
(888) 993-5273
(Registrant’s telephone number, including area code)
__________________________________________________
Securities registered pursuant to Section 12(b) of the Act:
Title of Each ClassTrading SymbolName of Each Exchange on Which Registered
Class A Common Stock, $0.001 par valueNETThe New York Stock Exchange
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☒  No ☐
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15 (d) of the Act. Yes ☐  No
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.  Yes ☒  No ☐
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).  Yes ☒  No ☐
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large accelerated filer

Accelerated filer
Non-accelerated filer

Smaller reporting company



Emerging growth company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
2

Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act).  Yes   No ☒
The aggregate market value of the common stock held by non-affiliates of the registrant, based on the closing price of the shares of Class A common stock on June 30, 2020 as reported by the New York Stock Exchange on such date was approximately $4,336 million. Shares of the registrant’s common stock held by each executive officer and director and by each other person who may be deemed to be an affiliate of the registrant have been excluded from this computation. This calculation does not reflect a determination that certain persons are affiliates of the registrant for any other purpose.
As of February 12, 2021, 250,305,083 shares of the registrant's Class A common stock were outstanding and 58,520,694 shares of the registrant's Class B common stock were outstanding.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant's definitive Proxy Statement relating to the 2021 Annual Meeting of Stockholders are incorporated herein by reference in Part III of this Annual Report on Form 10-K to the extent stated herein. Such Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year ended December 31, 2020.

3

TABLE OF CONTENTS
Page
Item 1.
Item 1A.
Item 1B.
Item 2.
Item 3.
Item 4.
Item 5.
Item 6.
Item 7.
Item 7A.
Item 8.
Item 9.
Item 9A.
Item 9B.
Item 10.
Item 11.
Item 12.
Item 13.
Item 14.
Item 15.
Item 16.

4

SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS
This Annual Report on Form 10-K contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern our expectations, strategy, plans, or intentions.
Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
the impact of the ongoing COVID-19 pandemic, including on our and our customers’, vendors’, and partners’ respective businesses and the markets in which we and our customers, vendors, and partners operate;
our ability to retain and upgrade paying customers;
our ability to attract new paying customers, including large customers, or convert free customers to paying customers;
our future financial performance, including trends in revenue, costs of revenue, gross profit or gross margin, operating expenses, paying customers, and free cash flow;
our ability to achieve or maintain profitability;
the consequences we may face resulting from the activities of our customers and the actions we take in response, including associated theories of liability;
the demand for our products or for solutions for security, performance, and reliability in general;
possible harm caused by significant disruption of service, loss or unauthorized access to customers’ content, or the actual or perceived failure of our products to prevent security incidents;
our ability to compete successfully in competitive markets;
our ability to respond to rapid technological changes;
our ability to continue to innovate and develop new products;
our expectations and management of future growth;
our ability to maintain existing co-location relationships, ISP partnerships, and other interconnection arrangements around the world;
our ability to offer high-quality customer support;
our ability to manage our global operations;
our expectations of and ability to comply with applicable laws around the world;
our ability to correctly estimate our tax obligations around the world;
our ability to service the interest on our convertible senior notes and repay such notes, to the extent required;
our ability to attract and retain key personnel and other highly qualified personnel;
our ability to maintain our brand;
our ability to prevent serious errors or defects across, and to otherwise maintain the uninterrupted operation of, our network;
our ability to maintain, protect, and enhance our intellectual property; and
our ability to successfully identify, acquire, and integrate companies and assets.
You should not rely upon forward-looking statements as predictions of future events. We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and
5

projections about future events and trends that we believe may affect our business, financial condition, results of operations, and prospects. The outcome of the events described in these forward-looking statements is subject to risks, uncertainties, and other factors described in the section titled “Risk Factors” and elsewhere in this Annual Report on Form 10-K. Readers are urged to carefully review and consider the various disclosures made in this Annual Report on Form 10-K and in other documents we file from time to time with the Securities and Exchange Commission (SEC) that disclose risks and uncertainties that may affect our business. Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time, and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this Annual Report on Form 10-K. We cannot assure you that the results, events, and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events, or circumstances could differ materially from those described in the forward-looking statements.
The forward-looking statements made in this Annual Report on Form 10-K relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this Annual Report on Form 10-K to reflect events or circumstances after the date of this Annual Report on Form 10-K or to reflect new information or the occurrence of unanticipated events, except as required by law. We may not actually achieve the plans, intentions, or expectations disclosed in our forward-looking statements, and you should not place undue reliance on our forward-looking statements. Our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures, or investments we may make.
In addition, statements that “we believe” and similar statements reflect our beliefs and opinions on the relevant subject. These statements are based upon information available to us as of the date of this Annual Report on Form 10-K, and while we believe such information forms a reasonable basis for such statements, such information may be limited or incomplete, and our statements should not be read to indicate that we have conducted an exhaustive inquiry into, or review of, all potentially available relevant information. These statements are inherently uncertain and investors are cautioned not to unduly rely upon these statements.
6

SELECTED RISKS AFFECTING OUR BUSINESS

Investing in our Class A common stock involves numerous risks, including those set forth below. This summary does not contain all of the information that may be important to you, and you should read this risk factor summary together with the more detailed discussion of risks and uncertainties set forth in Part I, Item 1A. Risk Factors of this Annual Report on Form 10-K. Below are summaries of some of these risks, any one of which could materially adversely affect our business, financial condition, results of operations, and prospects.
The effects of the ongoing COVID-19 pandemic have materially affected how we and our customers, vendors, and partners are operating our businesses, and the duration and extent to which this will negatively impact our future business and operations, results of operations, financial condition, and cash flows remain uncertain.
We have a history of net losses and may not be able to achieve or sustain profitability in the future.
We have experienced rapid revenue growth, which may not be indicative of our future performance.
If we are unable to attract new paying and free customers, our future results of operations could be harmed.
Our business depends on our ability to retain and upgrade paying customers and, to a lesser extent, convert free customers to paying customers, and any decline in renewals, upgrades, or conversions could adversely affect our future results of operations.
If we are unable to effectively increase sales to large customers, or we fail to mitigate the additional risks associated with serving such customers, our business, results of operation, and financial condition may suffer.
Activities of our paying and free customers or the content of their websites or other Internet properties, as well as our response to those activities, could cause us to experience significant adverse political, business, and reputational consequences with customers, employees, suppliers, government entities, and others.
We face intense and increasing competition, which could adversely affect our business, financial condition, and results of operations.
If we do not effectively expand, train, and retain our sales force, we may be unable to add new contracted customers, or increase sales to our existing customers and our business would be adversely affected.
We rely on our key technical, sales, and management personnel to grow our business, and the loss of one or more key employees or the inability to attract and retain qualified personnel could harm our business.
Our relatively limited operating history makes it difficult to evaluate our current business and prospects and may increase the risk that we will not be successful.
Problems with our internal systems, networks, or data, including actual or perceived breaches or failures, could cause our network or products to be perceived as insecure, underperforming, or unreliable, our reputation to be damaged, and our financial results to be negatively impacted.
If our global network that delivers our products or the core co-location facilities we use to operate our network are damaged or otherwise fail to meet the requirement of our business or local regulations, our ability to provide access to our network and products to our customers and maintain the performance of our network could be negatively impacted, which could cause our business, results of operations and financial condition to suffer.
Detrimental changes in, or the termination of, any of our co-location relationships, ISP partnerships, or our other interconnection relationships with ISPs could adversely impact our business, results of operations, and financial condition.
The actual or perceived failure of our products to block malware or prevent a security breach could harm our reputation and adversely impact our business, results of operations, and financial condition.
7

Activities of our paying and free customers or the content of their websites and other Internet properties may violate applicable laws and/or our terms of service and could subject us to lawsuits, regulatory enforcement actions, and/or liability in various jurisdictions.
Our actual or perceived failure to comply with privacy, data protection, and information security laws, regulations, and obligations could harm our business.
Our network presence within China is dependent upon our commercial relationship with JD Cloud & AI, and any detrimental changes in, or the termination of, that relationship could jeopardize our ability to offer an integrated global network that includes China.
The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our initial public offering, and it may depress the trading price of our Class A common stock.
Servicing our future debt, including our convertible senior notes, may require a significant amount of cash, and we may not have sufficient cash flow from our business to pay our indebtedness.
8

PART I

Item 1. Business
Overview
Cloudflare’s mission is to help build a better Internet.
In recent years, the technology industry has undergone a massive transition from on-premise hardware and software that customers buy, to services in the cloud that they rent. Organizations find themselves at different points in this transition to the cloud. Regardless of where organizations are in their transition, they all face a common set of challenges: they exist in a complex, heterogeneous infrastructure environment which exacerbates the fundamental problems of the Internet more than ever, and the on-premise hardware boxes that they once relied upon to solve these problems were never designed to work in such an environment. As more workloads move to the cloud, there is no point in installing additional hardware boxes on premise. An on-premise box will not solve the problems organizations now face. Nor can a business ship a hardware box to a cloud vendor. Even if they wanted to, there is literally no place to install such a box in the cloud.
The result is that a major architectural shift at the network layer is now underway. Previously, enterprises would often string together a diverse set of on-premise hardware boxes from different vendors to solve their network challenges. As these solutions move to the cloud, the network latency, support complexity, and cost of overhead makes stringing together multiple point-cloud solutions that only address a specific network need untenable. Customers are therefore looking to consolidate behind a single global cloud services provider.
Cloudflare is a global cloud services provider that delivers a broad range of services to businesses of all sizes and in all geographies—making them more secure, enhancing the performance of their business-critical applications, and eliminating the cost and complexity of managing individual network hardware. Our network serves as a scalable, easy-to-use, unified control plane to deliver security, performance, and reliability across on-premise, hybrid, cloud, and software-as-a-service (SaaS) applications. We serve comprehensive customer needs across security, performance, and reliability. As of December 31, 2020, more than 17% of the Fortune 1,000 were paying Cloudflare customers.
Our Network
We have built an efficient, scalable network that allows us to rapidly develop and deploy our products for our customers.

We created a network architecture that is flexible, scalable, and gets more and more efficient as it expands. We designed and built our network to be able to grow capacity quickly and inexpensively; to allow for every server, in every city, to run nearly every Cloudflare service; and to allow us to shift customers and traffic across our network efficiently. We refer to this architecture as “serverless” because it means we can deploy standard, commodity hardware, and our product developers and customers do not need to worry about the underlying servers. Our software is designed to manage the deployment and execution of our product developers’ code and our customers’ code across our network. Because we manage the execution and prioritization of code running across our network, it means that we are both able to improve the performance of our highest paying customers, and also effectively leverage idle capacity across our network. We have chosen to utilize this idle capacity to create a free tier of service—which has generated substantial global scale for us. In turn, this scale makes us attractive partners for Internet Service Providers (ISPs) globally, which reduces our co-location and bandwidth costs. As our network grows, these dynamics become even more powerful. Today, our network spans more than 200 cities in over 100 countries worldwide and interconnects with over 9,100 networks globally, including major ISPs, cloud services, and enterprises.
9

Growth Strategy
Key elements of our growth strategy include:
Acquire New Customers: We believe that any person or business that relies on the Internet to deliver products, services, or content can be a Cloudflare customer. We plan to continue to grow our customer base across all of our offerings—free, pay-as-you-go, and contracted.
Free: We will continue to invest in awareness and functionality of our products to drive overall customer growth beyond the millions of Internet properties using Cloudflare today.
Pay-as-you-go and Contracted: We believe we have an opportunity to continue to grow our paying customer base, from small customers through to large contracted customers. In order to do this, we will continue to focus on growth in our pay-as-you-go channels by improving targeting and conversion as well as expanding our product offering. In addition, we intend to leverage our proven sales force to sell our products to larger contracted customers.

Expand Our Relationships with Existing Customers: Customers expand their relationships with us by upgrading to premium plans, increasing their usage of our products, or adding products. Once a customer has adopted one product on our platform, it can easily add additional products with a single click.
Develop New Products and Solutions: We continue to invest in new product development and building new solutions for our customers, and as we onboard more customers and more traffic on our network, our ability to identify promising new avenues for innovation improves. We have proven our ability to launch new products, having successfully brought many new products and product families to market. For example, in 2020 we announced a new suite of products called Cloudflare for Teams to protect the internal resources of organizations and more recently we announced our Cloudflare One solution that integrates many of our products to create a comprehensive security, performance, and reliability solution for our contracted customers.
Extend Our Serverless Platform Strategy: We have seen a growing number of customers that have chosen to bring applications to market using Cloudflare Workers. This has opened up an entirely new market for us: storage and compute. Our Cloudflare Workers offering is attractive in the market for reasons of our architecture and the power of our network, and we believe adoption of Cloudflare Workers will continue to grow as we further invest in it.
Our Products
We deliver a suite of deeply integrated products that serve as a unified control plane for our customers. Customers can quickly and easily join Cloudflare by using just one of our products and expand over time by adding most products with a single click. Our integrated suite of products consists of (1) solutions for an organization's external-facing infrastructure (such as websites, apps, and APIs) to deliver security, performance, and reliability, (2) solutions to serve an organization's internal resources (such as internal networks and devices), (3) developer-based solutions, and (4) consumer offerings.
Cloudflare for External-Facing Infrastructure
Cloudflare offers a suite of products to help ensure that external-facing infrastructure (such as websites, applications, and APIs) that are exposed to the Internet are safe from attack, fast, and reliable.
Security
We provide an integrated cloud-based security solution designed to secure any combination of platforms, including public cloud, private cloud, on-premise, SaaS applications, and IoT devices. Our key security product offerings include:
Cloud Firewall: Protects a customer’s Internet properties from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests, with no changes to its existing infrastructure.
10

Bot Management: Blocks undesired or malicious Internet traffic created by malicious software algorithms called bots, while still allowing useful bots to access Internet properties through machine learning and behavioral analytics.
Distributed Denial of Service (DDoS): Protects a customer’s Internet properties from a Distributed Denial of Service attack (product known as “Unmetered Mitigation”).
IoT: Protects IoT devices through the specialized application of our cloud-based security products (product known as “Cloudflare Orbit”).
SSL / TLS: Manages encrypted web traffic to prevent data theft and tampering to improve security as well as application and website productivity (products known as “SSL for SaaS,” “Dedicated & Custom Certs,” “Universal SSL,” “Keyless SSL,” and “GeoKey Manager”).
Secure Origin Connection: Creates an encrypted tunnel between a customer’s origin web server and the closest servers on our network without risking opening any public inbound ports (product known as “Cloudflare Argo Tunnel”).
Rate Limiting: Provides the ability to configure thresholds, define responses, and gain valuable insights into specific URLs of websites, applications, or API endpoints.
Performance
Our performance solutions improve conversions, reduce churn, and improve visitor experiences by accelerating web and mobile performance, while keeping applications available. Our key performance product offerings include:
Content Delivery: Accelerates content delivery time by automatically serving our customers most popular content from our network locations close to our customers’ users.
Intelligent Routing: Improves Internet performance by intelligently routing end users through less congested and more reliable paths over the Internet using our network (product known as “Cloudflare Argo Smart Routing”).
Content Optimization: Automatically adjusts the way content is delivered based on the particular device accessing the site to improve speed without affecting the customer’s Internet property look or features.
Mobile Optimization: Provides mobile-specific optimization and caching of content for fast delivery to mobile end users.
Image Optimization: Automatically adjusts the size and quality of the image to the device and network connection for improved end-user experience.
Mobile Software Development Kit (SDK): Offers developers cutting-edge network diagnostic tools for any application without dependencies on infrastructure, enabling them to more easily create high performing and engaging applications.
Reliability
Our reliability solutions improve the overall operational experience of the Internet and allow our customers to run their digital operations much more efficiently. Our key reliability product offerings include:
Load Balancing: Enhances performance and reliability for single, hybrid-cloud, and multi-cloud environments. Our cloud-based products provide local and global load balancing to reduce latency by distributing traffic across multiple servers or by routing traffic to the closest geolocation region.
Anycast Network: Enhances performance and reliability by globally and automatically load balancing Internet-scale traffic across our network based on proximity of request and other factors.
Virtual Backbone: Connects our global network, and by extension, our customer’s Internet properties, into a virtual network that is always encrypted, optimized for performance, and highly redundant.
DNS: Keeps Internet properties online and available around the world (products known as “Cloudflare DNS” and “Cloudflare Secondary DNS”).
DNS Resolver: Returns the IP addresses of servers when a user enters a domain name. We are one of the world’s fastest public DNS Resolvers, which benefits our DNS customers.
11

Always Online: Serves a limited copy of a cached website, to keep it online for a customer’s visitors should the customer’s origin server go down.
Cloudflare for Internal Infrastructure
Cloudflare provides a comprehensive, cloud-based network-as-a-service solution that is designed to be secure, fast, reliable, and define the future of the corporate network. Whereas some large companies had built their own proprietary networks to control and protect their employees working in virtual space, that model had significant limitations, including a price tag that was prohibitive for most companies and an inability to adapt well to increased use of mobile devices and remote work. By leveraging the public Internet, Cloudflare brings together in a single pane of glass how employees connect, on-ramps for branch offices, secure connectivity for applications, and controlled access to SaaS.

Broadly speaking, the Cloudflare internal infrastructure solution has two components: (i) on-ramps, which connect users, devices, or locations to Cloudflare's network; and (ii) filters, which are the products that protect, inspect, and privilege data.

On-ramps

These products connect a user, device, or location to Cloudflare's edge. This effectively enables Cloudflare to act as a secure WAN for all entities on a corporate network regardless what device they use or where they are located.
Endpoint connectivity: Connects and routes traffic of end-user devices like phones and PCs to the Cloudflare network (product known as "Cloudflare Warp").
IP connectivity: Extends the benefits of our network to customers' on-premise and data center networks (product known as "Cloudflare Magic Transit"). Magic Transit is deployed in front of an enterprise network and protects it at the IP layer from DDoS attacks and enables provisioning of a full suite of virtual network functions, including IP packet filtering and firewalling, load balancing, and traffic management tools.
Physical Internet connectivity: Direct internet connectivity between on-premise network and Cloudflare wherever they are. Connection is offered either via a private network interconnect (PNI) or over an Internet Exchange (IX). (product known as “Cloudflare Network Interconnect” or “CNI”).
Traffic acceleration: Intelligent routing of network traffic using our Cloudflare Argo Smart Routing product.

Filters

These products shield users from attacks, inspect traffic for threats, and apply privilege rules to grant access to data and applications.

Identity and access management: Enforces zero trust application access based on identity (product known as “Cloudflare Access”)
Traffic filtering: Filters all traffic crossing to devices to prevent malicious traffic reaching end-user devices (product known as “Cloudflare Gateway”)
Network filtering: Cloud-based firewall enables administrators to set policies for all traffic entering and leaving the network (product known as “Cloudflare Magic Firewall”)
Developer-based Solutions
By leveraging our serverless platform, developers can build serverless applications that scale without needing to spend time and effort on infrastructure or operations. This enables them to deliver more performant applications that have instant global scale, all while improving their productivity. Our key serverless products include:
Serverless Computing/Programmable Network: Allows developers to augment existing applications or create entirely new ones through a lightweight execution environment without configuring or maintaining infrastructure (product known as “Cloudflare Workers”).
Website Development: Allows frontend developers to quickly and easily build, collaborate on, and deploy websites (product known as “Cloudflare Pages”).
12

Domain Registration: Offers secure registration and management of domain names (product known as “Cloudflare Registrar”).
Cloudflare Apps: Offers an open suite of tools which can be installed instantly with just a few clicks. We have further expanded our offering through Cloudflare Apps with Workers, which allows developers to package Cloudflare Workers, delivering new Cloudflare Workers-powered experiences to our customers.
Analytics: Provides insights into the traffic of our customers’ Internet properties that are unique and proprietary to Cloudflare. We help our customers monitor threats, search for specific search engine crawlers, understand DNS query traffic, and analyze real time data traffic.
Consumer Offerings
Our consumer products make it easy for individuals to have a performant and secure Internet experience. Adoption of our consumer offerings makes our business offerings more powerful and adoption of our business offerings improves our consumer offerings. Our consumer offerings also have been an effective and differentiated marketing channel to increase the awareness of our brand. Our key consumer product offerings include:

Consumer DNS Resolver: A consumer app that provides a fast and private way to browse the Internet (product known as "1.1.1.1"). 1.1.1.1 is a public DNS resolver, but unlike most DNS resolvers, we do not sell user data to advertisers. Our implementation of 1.1.1.1 makes it among the fastest resolvers available, and we support DNS over HTTPS (DoH) which encrypts and secures consumers’ DNS requests. In 2020, we launched an additional version of our consumer DNS resolver that adds a layer of protection to consumer home networks and protects them from malware and adult content (product known as "1.1.1.1 for Families").
Consumer VPN: A VPN for consumers designed to secure and accelerate traffic on mobile devices (product known as "Warp"). The basic version of Warp is included as an option with the 1.1.1.1 App for free; and a premium version that accelerates a user's Internet access is available for purchase.

Our Customers

We view our approximately 3.5 million free and paying customers (excluding customers of our consumer offerings), which manage millions of Internet properties on our network, as part of a broad, global community.
As of December 31, 2020, we had over 111,000 paying customers across more than 170 countries. Our paying customer base is highly diversified across organizations of all sizes in every major industry vertical including technology, healthcare, financial services, consumer and retail, industrial, non-profit, and government. Our large customer count has increased from 294 as of December 31, 2018 to 526 as of December 31, 2019 to 828 as of December 31, 2020. Refer to Part II, Item 7, Management's Discussion and Analysis of Financial Condition and Results of Operations for additional information regarding the definitions of our "paying customers" and "large customers."
No single customer accounted for more than 10% of our revenue in the years ended December 31, 2020, 2019, or 2018.

Initiatives We Support
In support of our mission, we have launched various initiatives to help build a better Internet, including:

Project Galileo: Since 2014, we have equipped at-risk public interest groups with a set of our products at no cost to defend themselves against attacks that would otherwise censor their work. The nearly 1,400 recipients of services under Project Galileo include independent journalists reporting on repressive regimes, minority rights and arts groups in closed societies, and civil society organizations supporting democratic movements.
13

Athenian Project: We created Athenian Project to ensure that state and local governments’ election websites have the highest level of protection and reliability for free. We have provided these benefits to more than 275 state and local election websites.
Cloudflare for Campaigns: In January 2020, we announced the Cloudflare for Campaigns program that provides security services to help political campaigns in the United States and around the world defend against cyberattacks and election interference. We allow any eligible campaign to access a variety of our security services, including enhanced firewall protection, DDoS attack mitigation, as well as internal data management and security controls.
Project Fair Shot: In January 2021, we announced Project Fair Shot to provide our new Waiting Room service for free to any government, municipality, hospital, pharmacy, or other organization responsible for distributing COVID-19 vaccines. Project Fair Shot is open to eligible organizations around the world and will remain free until at least July 1, 2021 or longer if there is still more demand for appointments for the vaccine than there is supply.
Our Technology
Our distributed and proprietary network is the core of our technology, and enables us to move data seamlessly from nearly any point on earth in a fast, efficient, and reliable manner. Our network has been built from the ground up as a single software stack we developed that runs our products in more than 200 cities and over 100 countries worldwide. This allows us to scale quickly while offering a wide range of products and simultaneously lowering operating expenses.

Efficient Serverless Network Design

We have developed a single software stack that is responsible for all of our products. We have been able to efficiently scale our network by building it with commodity hardware components that are powered by our proprietary software. This integrated stack has made scaling, debugging, optimizing, and operating our network and products easier and cheaper. It also allows us to deploy changes across our entire worldwide network in a matter of seconds. In addition, we embed encryption chips into the motherboards of our servers that are designed to preclude anyone else from running unauthorized software on our equipment. This allows us to securely and quickly expand our infrastructure far and wide in order to offer the best service and drive down operating costs.
Our serverless network design allows each individual machine in our global network to run our software suite and provide our products. We have built coordination software that ties together these thousands of machines into a single global network that allows us to efficiently route traffic to different physical locations and to individual machines. This enables us to maximize utilization of our commodity hardware and provide different service levels to different customers. It also allows our network to get more efficient and powerful as we add each incremental server, regardless of where it is located. Every time we add a server or add a new city, our entire network improves.

Network Flexibility

Our network and products are API-driven and designed for developers. We have an API-first mentality, which means anything a customer can do via our web interface can also be performed by our API. This allows our customers to easily embed our service in their own workflows. For example, a customer can use our web interface or API to change its custom configuration and that will be rolled out globally by our configuration software in seconds. This contrasts with many other vendors’ solutions where configuration changes can take hours and require professional services.
Our software is designed to spread loads dynamically across our entire distributed network depending on current network conditions and traffic priority. This enables us to deliver different quality of service depending on what customers pay us, ensuring our highest paying customers get the best performance and permitting us to serve our lower paying and free customers from excess capacity.
Given the distributed and highly efficient nature of our network, we can easily develop new features and products on our platform and deploy them without significant incremental costs. The flexibility of our serverless platform allows us to open it to third parties to write code directly on our network through our Cloudflare Workers product.
14

Research and Development
Our research and development organization is responsible for the design, development, testing, and delivery of our global network and products. Our R&D team's structure allows us to build a broad swath of products while continuing to innovate. One group works closely with our product management organization to improve, refine and expand our existing products. A second independent group builds greenfield opportunities that aim to expand our market and reach new markets. In addition, our research team is focused on ensuring that our network, products, and customers are secured with the latest cryptography.
We prioritize investment in research and development. Those investments have continued to result in the launch of new products that have helped us attract new customers and sell more products to our existing customers.
Sales
We have a multi-pronged go to market approach that allows us to efficiently serve the needs of very small to very large customers. By using a combination of web sales, direct sales, and indirect sales, we are able to serve the greatest diversity of customers across all sizes.
We sell our pay-as-you-go plans through our website and hosting partners where a customer can either start on a free or paid plan and, as we demonstrate value, upgrade over time. Our pay-as-you-go customers are able to sign up for our Pro or Business plans that are payable monthly. Pay-as-you-go customers are able to onboard and customize our products through our website and pay for their subscription using a credit card. Our automated and easy to use process enables us to efficiently onboard thousands of new customers per day without requiring any interaction with our sales team. As pay-as-you-go customers evolve their usage of our products, some upgrade to an Enterprise plan for greater control, higher service levels, or productivity-related tools.
We sell our Enterprise plan directly through our technically-oriented inside and field sales teams, and also indirectly through our ecosystem of partners. Our Enterprise plan customers, which we refer to as our contracted customers, typically are replacing on-premise hardware with cloud network services, or consolidating multiple existing cloud services onto one global cloud services provider with Cloudflare. For large contracted customers, our relationships often start with a portion of the customer’s overall network needs and expand over time as they consolidate other vendors’ services and increase their adoption of our products.
Marketing
Our marketing aims to clearly communicate the value of our offerings to a large and diverse set of global customers at scale. We drive organic awareness and adoption of our products by providing a free offering that enables millions of users to experience the benefits of our global network before they adopt our pay-as-you-go offerings or contract for our Enterprise plan. We engage with developers across blogs, social media, and other channels to help build our brand and visibility among technical communities. In addition, our consumer products, including 1.1.1.1 and Warp, provide an effective and differentiated marketing channel to expand the awareness of our brand.

We invest in a variety of targeted digital and non-digital marketing activities and programs to build awareness, engage with prospects, and build pipeline for our global sales teams. We also share stories of how large customers are rapidly adopting our services across use cases, industry verticals, and geographies, to communicate customer trust and our market momentum.
Competition
We compete in the market for network services primarily across three categories:
On-premise network hardware vendors such as Cisco Systems Inc., F5 Networks, Inc., Check Point Software Technologies Ltd., FireEye, Inc., Imperva, Inc., Palo Alto Networks, Inc., Juniper Networks, Inc., and Riverbed Technology, Inc and Broadcom Inc. We compete with these companies to provide security, performance, and reliability services. We believe we are positioned favorably against these vendors with our
15

cloud-based, multitenant approach that is better suited to an increasingly cloud-based world and that allows customers to treat our services as operational as opposed to capital costs.
Point-cloud solution vendors in various categories including cloud security vendors (such as Zscaler, Inc. and Cisco Systems, Inc. through Umbrella (formerly known as OpenDNS), and Menlo Security, Inc., CDN vendors (such as Akamai Technologies, Inc., Limelight Networks, Inc., Fastly, Inc., and Verizon Communications Inc. through Edgecast), DNS services vendors (such as Oracle Corporation through DYN, Neustar, Inc., and UltraDNS Corporation), and cloud SD-WAN vendors. These providers are all focused on delivering point-cloud solutions. However, customers are increasingly looking for an integrated infrastructure platform offering security, performance, and reliability through a single vendor.
A subset of services provided by traditional public cloud vendors such as Amazon.com, Inc. through Amazon Web Services, Alphabet Inc. through Google Cloud Platform, Microsoft Corporation through Azure, and Alibaba Group Holding Limited through Alibaba Cloud. We believe customers want the ability to set a consistent policy across their on-premise, cloud, hybrid, and SaaS vendors, and be able to enforce that policy through an independent and integrated services provider. Customers are concerned about being locked in to any one public cloud provider. Our ability to efficiently and inexpensively move data between multiple clouds allows our customers to pick and choose the best from any cloud provider without fearing lock-in. Furthermore, unlike some public cloud providers, our business model aligns fully with the interests of our customers. We do not sell user data. We do not aim to compete with our customers.
As we open our serverless platform to third-party developers, we believe we will increasingly compete with public cloud vendors for storage and compute workloads. Because of the efficiency of our Cloudflare Workers product, we are able to offer it at prices that are highly competitive with public cloud vendors, and because it is distributed across our entire network, it enables the development of applications that were not previously possible on the traditional public cloud.

The principal competitive factors in the markets in which we operate include:
breadth of network and product features and continued innovation;
integrated solutions across security, performance, and reliability;
unified control plane across on-premise, cloud, hybrid, and SaaS infrastructure;
performance, availability, and effectiveness;
network scalability;
total cost of ownership;
ease of adoption and use;
global network coverage;
quality of customer support;
programmability and extensibility of platform; and
independence, reputation, and trust.

We believe that we are positioned favorably against our competitors based on these principal competitive factors.

Human Capital Resources
As of December 31, 2020, we had 1,788 full-time employees, including 666 employees located outside of the United States. We also engage contractors and consultants. None of our employees are represented by a labor union. We have not experienced any work stoppages, and we believe that our employee relations are strong.
We believe that attracting, motivating, and retaining talent at all levels is vital to our success. Our total rewards programs are built to engage employees, provide support, and encourage career best performance. Through programs that drive employee retention and engagement, we also improve our ability to support customers and protect the long-term interests of our stockholders. We provide our employees with competitive salaries, opportunities for equity ownership, and a comprehensive benefits package that promotes well-being across all aspects of their lives, including health care, life and disability insurance, financial savings, family forming and caregiving benefits, and flexible vacation time.
16

A healthy company culture has been a critical part of our success. In order to preserve our culture, we define performance by both results and behaviors. These behaviors are clearly defined, and we use them as part of our hiring, performance, and promotion decisions. We want everyone at Cloudflare to have the careers of their dreams so we invest in development opportunities, aligned with both behaviors and results, to build leadership skills across the company, at all levels.
We further believe that much of our innovation and success is rooted in the diversity of our teams and our commitment to inclusion. We remain committed to extending our diversity and inclusion initiatives across our global workforce. We value diversity at all levels and are committed to promoting the advancement of leaders from different backgrounds. We work with our managers to develop strategies for increasing the diversity of their teams and ensuring inclusion, equity, and fairness. We are focused on understanding our diversity and inclusion strengths and opportunities in order to execute a strategy to support further progress.
Intellectual Property
Our success depends in part upon our ability to protect and use our core technology and intellectual property rights. We rely on a combination of patents, copyrights, trademarks, trade secrets, know-how, contractual provisions, and confidentiality procedures to protect our intellectual property rights. As of December 31, 2020, we had 150 issued patents and 80 pending patent applications in the United States and abroad. These patents and patent applications seek to protect our proprietary inventions relevant to our business. Our issued patents are scheduled to expire between 2030 and 2040, and cover various aspects of our network and products. In addition, we have registered “Cloudflare” as a trademark in the United States and other jurisdictions and we have filed other trademark applications in the United States. We are also the registered holder of a variety of domestic and international domain names that include “Cloudflare” (including “Cloudflare.com”).
In addition to the protection provided by our intellectual property rights, we enter into proprietary information and invention assignment agreements or similar agreements with our employees, consultants, and contractors. We further seek to control the use of our proprietary technology and intellectual property rights through provisions in our subscription agreements.
Corporate Information
Cloudflare, Inc. was incorporated in the state of Delaware in July 2009. Our principal executive offices are located at 101 Townsend Street, San Francisco, California 94107, and our telephone number is (888) 993-5273.
Additional Information
Our website is located at https://www.cloudflare.com, our investor relations website is located at https://cloudflare.NET, our news site is located at https://www.cloudflare.com/press, our corporate blog’s address is https://blog.cloudflare.com, our Twitter account is @Cloudflare, and our Instagram account is @cloudflare. We have used, and intend to continue to use, our website, investor relations website, news site, blog, and Twitter and Instagram accounts as a means of disclosing material non-public information and for complying with our disclosure obligations under Regulation FD. The following filings are available through our investor relations website after we file them with the Securities and Exchange Commission (SEC): Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, current reports on Form 8-K, and our Proxy Statement for our annual meeting of stockholders. These filings are also available for download free of charge on our investor relations website. The SEC also maintains an Internet website that contains reports, proxy statements, and other information about issuers, like us, that file electronically with the SEC. The address of that website is www.sec.gov.
We webcast our earnings calls and certain events we participate in or host with members of the investment community on our investor relations website. Additionally, we provide notifications of news or announcements regarding our financial performance, including SEC filings, investor events, press and earnings releases, and blogs as part of our investor relations website. Further corporate governance information, including our corporate governance guidelines, code of business conduct and ethics, and committee charters is also available on our investor relations website under the heading "Governance."
17

The contents of the websites provided above are not intended to be incorporated by reference into this Annual Report on Form 10-K or in any other report or document we file with the SEC. Further, our references to the URLs for these websites are intended to be inactive textual references only.
Item 1A. Risk Factors
Our business involves significant risks, some of which are described below. You should carefully consider the risks and uncertainties described below, together with all of the other information in this Annual Report on Form 10-K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes. Any of the following risks could have an adverse effect on our business, results of operations, financial condition, or prospects, and could cause the trading price of our Class A common stock to decline. Our business, results of operations, financial condition, or prospects could also be harmed by risks and uncertainties that are not presently known to us or that we currently believe are not material. In that event, the market price of our Class A common stock could decline, and you could lose part or all of your investment.
Risks Related to Our Business and Our Industry
The effects of the ongoing COVID-19 pandemic have materially affected how we and our customers, vendors, and partners are operating our businesses, and the duration and extent to which this will negatively impact our future business and operations, results of operations, financial condition, and cash flows remain uncertain.
In March 2020, the World Health Organization declared COVID-19 a global pandemic. This pandemic, which has continued to spread and which has mutated into new potentially more contagious variants, and the related adverse public health developments, including travel restrictions and bans, quarantines, shelter-in-place orders, and mandated business closures, have adversely affected workforces, organizations, governments, customers, economies, and financial markets globally, leading to an economic downturn and increased market volatility. Vaccines for COVID-19 have been developed and are being administered in the United States and other countries, but the timing of administering these vaccines in countries around the world, and the long-term efficacy of these vaccines, remain uncertain. The ongoing COVID-19 pandemic has also disrupted the normal operations of many businesses, including ours and those of our customers, vendors, and partners. For example, in response to the initial outbreak of COVID-19, we activated our business continuity plan and took several precautionary steps early to safeguard our business and our people, including implementing travel bans and restrictions, temporarily closing offices and transitioning to a fully remote working environment, and canceling participation in various industry events.
The ongoing COVID-19 pandemic, as well as intensified measures undertaken from time to time in various countries and territories to contain the spread of COVID-19, could decrease the spending of our existing and potential new customers, adversely affect demand for our products, cause one or more of our customers, vendors, and partners to file for bankruptcy protection or go out of business, cause one or more of our customers to fail to renew, terminate, or renegotiate their contracts with us, affect the ability of our sales team to travel to potential customers, impact expected spending from existing and potential new customers, and negatively impact collections of accounts receivable, all of which could adversely affect our business, results of operations, and financial condition. Further, the sales cycle for a new customer of our technology and services has lengthened since the beginning of the pandemic and could lengthen further, resulting in a potentially longer delay between increasing operating expenses and the generation of corresponding revenue, if any. During the first quarter of 2020, we also experienced an increase in new and existing customers requesting concessions in terms of payment amounts and/or timing and earlier or additional termination rights. The COVID-19 pandemic also presents challenges as substantially all of our workforce is currently working remotely and assisting new and existing customers who are also generally working remotely.
Any of the negative impacts of the ongoing COVID-19 pandemic, including those described above, alone or in combination with others, may have a material adverse effect on our business and operations, results of operations, financial condition, and cash flows. Any of these negative impacts, alone or in combination with others, also could exacerbate many of the other risk factors discussed below in this Part I, Item 1A “Risk Factors” of this Annual Report on Form 10-K. The full extent to which the COVID-19 pandemic will negatively affect our business and operations, results of operations, financial condition, and cash flows will depend on future developments that are highly
18

uncertain and cannot be predicted, including the scope, severity, and duration of the pandemic and actions taken by governmental authorities and other third parties in response to the pandemic.
We have a history of net losses and may not be able to achieve or sustain profitability in the future.
We have incurred net losses in all periods since we began operations and we expect we will continue to incur net losses for the foreseeable future. We experienced net losses of $119.4 million, $105.8 million, and $87.2 million for the years ended December 31, 2020, 2019, and 2018, respectively, and as of December 31, 2020, we had an accumulated deficit of $420.5 million. Because the markets for our products are rapidly evolving, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase over the next several years as we continue to hire additional personnel, expand our operations and infrastructure both domestically and internationally, and continue to develop our products. In addition to the expected costs to grow our business, we also are incurring significant additional legal, accounting, and other expenses as a public company, as described in greater detail in the risk factors below. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.
We have experienced rapid revenue growth, which may not be indicative of our future performance.
We have experienced rapid revenue growth in recent periods, with revenue of $431.1 million, $287.0 million, and $192.7 million for the years ended December 31, 2020, 2019, and 2018, respectively. You should not consider our recent growth in revenue as indicative of our future performance. In particular, our revenue growth rates may decline in the future and may not be sufficient to achieve and sustain profitability, as we also expect our costs to increase in future periods. We believe that historical comparisons of our revenue may not be meaningful and should not be relied upon as an indication of future performance. Accordingly, you should not rely on our revenue and other growth for any prior quarter or year as an indication of our future revenue or revenue growth.
Our rapid growth may also make it difficult to evaluate our future prospects. Our ability to forecast our future results of operations is subject to a number of uncertainties, including our ability to effectively plan for and model future growth. If we fail to achieve the necessary level of efficiency in our organization as it grows, or if we are not able to accurately forecast future growth, our business, results of operations, and financial condition could be harmed.
If we are unable to attract new paying and free customers, our future results of operations could be harmed.
The success of our business principally depends on our ability to attract new paying and free customers. To do so, we must persuade decision makers at potential customers that our products offer significant advantages over those of our competitors. Other factors, many of which are out of our control, may now or in the future impact our ability to add new paying and free customers, including:
potential customers’ commitments to existing equipment or vendors;
potential customers’ greater familiarity and/or comfort with on-premises, appliance-based products;
actual or perceived switching costs;
our failure to obtain or maintain government or industry security certifications for our network and products;
negative media, industry, or financial analyst commentary regarding our products and the identities and activities of some of our paying and free customers;
the adoption of new, or amendment of existing, laws, rules, or regulations that negatively impact the utility of our network and products;
our failure to expand, retain, and motivate our sales and marketing personnel;
our failure to develop or expand relationships with existing channel partners or to attract new channel partners;
our failure to help our customers to successfully deploy and use our products;
our failure to educate our customers about our network and products;
the perceived risk, commencement, or outcome of litigation; and
deteriorating general economic conditions, including as a result of the ongoing COVID-19 pandemic.
19

If our efforts to attract new paying customers are not successful, our revenue and rate of revenue growth may decline, we may not achieve profitability, and our future results of operations could be materially harmed. If our efforts to attract new free customers are not successful, the benefits to our network and product development cycles from our strategy of providing a free subscription plan will be diminished.
Our business depends on our ability to retain and upgrade paying customers and, to a lesser extent, convert free customers to paying customers, and any decline in renewals, upgrades, or conversions could adversely affect our future results of operations.
Our business is subscription-based and it is important for our business and financial results that our paying customers renew their subscriptions for our products when existing contract terms expire. Our pay-as-you-go customers pay with a credit card on a monthly basis and can terminate their subscriptions at will with little advance notice. Because pay-as-you-go customers that subscribe to our basic subscription plans are an important source of revenue, this ease of termination could cause our results of operations to fluctuate significantly from quarter to quarter. Our contracted customers, which consist of customers that sign up for our Enterprise plan, enter into longer term agreements ranging from one to three years, and they generally have no obligation to renew their subscriptions for our products after the expiration of their contractual period and are allowed to cancel their subscriptions in the case of an uncured material breach of the agreement. Some contracted customers also have agreements that allow them to terminate the agreement without cause upon little or no advance written notice, or upon our failure to meet certain service level commitments, or to obtain and maintain industry security certifications within a specified time frame. Due to our varied customer base and short average subscription periods, it is difficult to accurately predict our long-term customer retention rate. Our customer retention may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with the security, performance, and reliability of our products, our prices and subscription plans, our customers’ budgetary restrictions (including reductions in spending as a result of the COVID-19 pandemic), mergers, acquisitions, joint ventures, and business partnerships and relationships involving our customers, the perception that competitive products provide better or less expensive options, negative public perception of us or our free and paying customers, and deteriorating general economic conditions.
Our future financial performance also depends in part on our ability to continue to upgrade paying customers to higher-tier subscriptions or additional paid products and, to a lesser extent, to convert free customers into paying customers. Conversely, our paying customers may convert to lower-cost or free plans if they do not see the marginal value in paying for our higher-cost plans, thereby impacting our ability to increase revenue. Moreover, our free customers have no obligation to transition to paying customers at any point. In order to expand our commercial relationship with our customers, existing paying and free customers must decide that the incremental cost associated with such an upgrade is justified by the additional functionality. For example, some of our paying customers may decide that our enterprise offerings do not provide sufficient incremental value to upgrade from our pay-as-you-go offering. Our customers’ decision whether to upgrade their subscription is driven by a number of factors, including customer satisfaction with the security, performance, and reliability of our network and products, customer security and networking issues and requirements, general economic conditions, and customer reaction to the price for additional products. If our efforts to expand our relationship with our existing paying and free customers are not successful, our financial condition and results of operations may materially suffer.
If we are unable to effectively increase sales to large customers, or we fail to mitigate the additional risks associated with serving such customers, our business, results of operation, and financial condition may suffer.
Our growth strategy is dependent, in large part, upon increasing sales to large customers. For our definition of “large customers,” see Part II, Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations. Sales to large customers involve risks that may not be present, or that are present to a lesser extent, with sales to smaller customers, including:
competition from companies that traditionally target larger enterprises and that may have pre-existing relationships or purchase commitments from such customers;
longer evaluation periods, more detailed evaluations, and more cumbersome contract negotiation and approval processes;
increased purchasing power and leverage in negotiating contractual arrangements with us;
requirements for more technically complex configurations, integrations, deployments, or features;
20

more stringent requirements in our support obligations; and
longer sales cycles and the associated risk that substantial time and resources may be spent on a potential customer that elects not to purchase our products.
Historically, the implementation period to start using our products has been short, with most customers under our pay-as-you-go plans implementing usage of our products within a matter of minutes and our sales cycle for customers under our Enterprise plan typically lasting less than one quarter. These implementation periods have remained generally consistent during the ongoing COVID-19 pandemic, subject to some modest lengthening of our average customer sales cycle since the pandemic began. As our sales force targets an increasing number of large customers, these larger enterprises may undertake a significant evaluation and negotiation process, which could lengthen our sales cycle materially.
In addition, our sales efforts typically involve educating our prospective large customers about the uses, benefits, and value proposition of our network and products. Our sales force develops relationships directly with our customers and our channel partners on account penetration, account coordination, sales, and overall market development. Potential large customers often view the subscription to our products as a significant strategic decision and, as a result, in some cases require considerable time to evaluate, test, and qualify our network and products prior to entering into or expanding a relationship with us. As a result, we spend substantial time and resources on our sales efforts without any assurance that our efforts will produce a sale. Subscriptions to our products often are subject to budget constraints, multiple approvals, and unanticipated administrative, processing, and other delays. As a result, it is difficult to predict whether or when a sale to a prospective large customer will be completed and when revenue from a subscription will be recognized.
Further, our ability to improve our sales of products to large customers is dependent on us continuing to attract and retain sales personnel with experience in selling to larger enterprises. Also, because security breaches or a network outage with respect to larger, high-profile enterprises are likely to be heavily publicized, there is increased reputational risk associated with serving such customers. These additional risks can potentially act as a disincentive to our sales team’s pursuit of these large customers.
If we are unable to continue to increase sales of our products to large customers or we experience the risks described above in connection with increased sales to such customers, our business, results of operations, and financial condition could be adversely affected.
Activities of our paying and free customers or the content of their websites or other Internet properties, as well as our response to those activities, could cause us to experience significant adverse political, business, and reputational consequences with customers, employees, suppliers, government entities, and others.
Activities of our paying and free customers or the content of their websites and other Internet properties could cause us to experience significant adverse political, business, and reputational consequences with customers, employees, suppliers, government entities, and other third parties. Even if we comply with legal obligations to remove or disable customer content, we may maintain relationships with customers that others find hostile, offensive, or inappropriate. For example, we experienced significant negative publicity in connection with the use of our network by The Daily Stormer, a neo-Nazi, white supremacist website, around the time of the 2017 protests in Charlottesville, Virginia. We also received negative publicity in connection with the use of our network by 8chan, a forum website that served as inspiration for the 2019 attacks in El Paso, Texas and Christchurch, New Zealand. We are aware of some potential customers that have indicated their decision to not subscribe to our products was impacted, at least in part, by the actions of certain of our paying and free customers. We may also experience other adverse political, business and reputational consequences with prospective and current customers, employees, suppliers, and others related to the activities of our paying and free customers, especially if such hostile, offensive, or inappropriate use is high profile.
Conversely, actions we take in response to the activities of our paying and free customers, up to and including banning them from using our products, may harm our brand and reputation. Following the events in Charlottesville, Virginia, we terminated the account of The Daily Stormer. Similarly, following the events in El Paso, Texas, we terminated the account of 8chan. We received significant adverse feedback for these decisions from those concerned about our ability to pass judgment on our customers and the users of our network and products, or to censor them by limiting their access to our products, and we are aware of potential customers who decided not to subscribe to our products because of this.
21

Although offering a free plan for certain of our products is an important part of our business strategy, we may not be able to realize all of the expected benefits of this strategy and the costs and other detriments associated with our free plan could outweigh the benefits we receive from our free customers.
We have historically offered a free plan for certain of our products. We believe that this strategy is valuable to us and it is an important part of our overall business strategy. However, to the extent that we do not achieve the expected benefits of this strategy, our business may be adversely affected by the costs and detriments of making certain of our products available on a free basis. While we do not receive any revenue from our free customers, we bear incremental expenses and other liabilities as a result of our free customers’ continuing free access to our network and certain of our products. Adverse political, business, and reputational consequences associated with Internet properties we serve that are perceived as hostile, offensive, or inappropriate may also be disproportionately common among our free customers. The vast majority of our customers do not pay for our products. In addition, a substantial majority of our free customers historically have not converted to paying customers and we expect this will continue in the future.
We face intense and increasing competition, which could adversely affect our business, financial condition, and results of operations.
The markets for our network and products are intensely competitive and characterized by rapid changes in technology, customer requirements, industry standards, and frequent introductions of new, and improvements of, existing products. Our broad portfolio of products exposes us to competition from a large number of competitors in a number of different markets, including companies and their product and services offerings in, among others, virtual private networks, internal and external firewalls, web security (including web application firewalls and content filtering), distributed denial of service prevention, intrusion detection and prevention, application delivery controls, content delivery networks, domain name systems, advanced threat prevention, and wide area network (WAN) technology.
Our competitors provide both on-premises, appliance-based solutions, and cloud-based services that have functionality similar to our network and products. We expect competition to increase as other established and emerging companies and start-ups enter the markets for products and solutions for security, performance, and reliability, in particular with respect to cloud-based solutions, as customer requirements evolve and as new products, services, and technologies are introduced. If we are unable to anticipate or effectively react to these competitive challenges, our competitive position could weaken, and we could experience a decline in revenue or our growth rate that could materially and adversely affect our business and results of operations.
Our potential competitors include large companies with substantial infrastructure, such as global telecommunications services provider partners and public cloud providers. These companies could choose to enter the markets for products and solutions for security, performance, and reliability, including by acquiring existing companies, developing their own internal solutions, or establishing cooperative relationships with businesses that may allow them to offer more comprehensive solutions or to offer solutions for lower prices or to adapt more quickly than us to new technologies and customer needs. Additionally, if an increasing portion of web content is housed on another company’s network or portions of the Internet are otherwise privatized, it could reduce the demand for our products and increase competitive pressure on us. These competitive pressures in our markets or our failure to compete effectively may result in price reductions, fewer subscriptions, reduced revenue and gross margin, increased net losses, and loss of market share.
Our current and potential future competitors include a number of different types of companies, including:
on-premise hardware network vendors, such as Cisco Systems Inc., F5 Networks, Inc., Check Point Software Technologies Ltd., FireEye, Inc., Imperva, Inc., Palo Alto Networks, Inc., Juniper Networks, Inc., and Riverbed Technology, Inc., and Broadcom Inc.;
point-cloud solution vendors, including cloud security vendors such as Zscaler, Inc., Cisco Systems Inc. through Umbrella (formerly known as OpenDNS), and Menlo Security, Inc., content delivery network vendors such as Akamai Technologies, Inc., Limelight Networks, Inc., Fastly, Inc., and Verizon Communications Inc. through Edgecast, domain name system vendors services such as Oracle Corporation through DYN, NeuStar, Inc., and UltraDNS Corporation, and cloud SD-WAN vendors; and
traditional public cloud vendors, such as Amazon.com, Inc. through Amazon Web Services, Alphabet Inc. through Google Cloud Platform, Microsoft Corporation through Azure, and Alibaba Group Holding Limited through Alibaba Cloud.
22

Many of our existing and potential competitors have or could have substantial competitive advantages including, among others:
greater name recognition;
longer operating histories and larger customer bases;
larger sales and marketing budgets and capital resources;
broader distribution and established relationships with partners and customers;
greater customer support resources;
greater resources to make acquisitions and enter into strategic partnerships;
lower labor and research and development costs;
larger and more mature intellectual property rights portfolios;
control of significant technologies, standards, or networks, including operating systems, with which our products must interoperate;
higher or more difficult to obtain security certifications than we possess; and
substantially greater financial, technical, and other resources.
In particular, some of our larger competitors have substantially broader and more diverse product and services offerings, which may allow them to leverage existing commercial relationships, incorporate functionality into existing products, sell products and services with which we compete at zero or negative margins, offer fee waivers and reductions or other economic and non-economic concessions, bundle products and solutions, maintain closed technology platforms, or render our products unable to interoperate with such platforms. If they were to engage in predatory practices, it could harm our existing product offerings or prevent us from creating viable products in other segments of the markets in which we participate. If our competitors are able to exploit their advantages or are able to persuade our customers or potential customers that their products are superior to ours, we may not be able to compete effectively and our business, financial condition, and results of operations may be materially affected.
If we do not effectively expand, train, and retain our sales force, we may be unable to add new contracted customers, or increase sales to our existing customers and our business would be adversely affected.
A majority of our revenue in the year ended December 31, 2020 was from contracted customers that were acquired through our inside and field sales teams. We expect this trend will continue for the foreseeable future. As a result, our financial condition and results of operations are dependent to a significant degree on the ability of our dedicated sales personnel to acquire new contracted customers and expand our relationships with our existing contracted customers. Our sales representatives typically engage in direct interaction with our prospective contracted customers. Increasing our customer base and achieving broader market acceptance of our network and products will depend, to a significant extent, on our ability to expand and further invest in our sales and marketing operations and activities. There is significant competition for sales personnel with the advanced sales skills and technical knowledge we need. We believe that selling subscriptions to our products requires particularly talented sales personnel that understand both cloud-based and appliance-based solutions, as well as the key differences between them. Our ability to achieve significant growth in revenue in the future will depend, in large part, on our success in recruiting, training, and retaining sufficient numbers of these talented sales personnel in both the United States and international markets. As we continue to focus on revenue growth, we are seeking to increase our rate of hiring sales personnel and any delays in making these sales hires could have an adverse impact on our ability to increase revenue, particularly with respect to our sales to contracted customers. In addition, new sales hires require significant training and may take significant time before they achieve full productivity. As a result, our new sales hires and planned sales hires may not become as productive as we would like or as quickly as we expect, and we may be unable to hire or retain sufficient numbers of qualified individuals. As a result of our rapid growth, a large percentage of our sales team is new to our company and inexperienced in selling subscriptions to our products, and therefore these personnel may be less effective than our more seasoned employees. Experienced sales personnel are particularly sought after in our industry and we may have to expend significant resources to retain our most productive sales employees. Even with considerable effort, we may be unsuccessful at retaining our experienced sales employees, which would adversely impact our business, results of operations, and financial condition.
Furthermore, hiring sales personnel in new countries, or expanding our existing presence in the countries in which we currently operate, requires upfront and ongoing expenditures that we may not recover if the sales personnel fail to achieve full productivity or that may be recovered on a more delayed basis than expected. We cannot predict whether, or when or to what extent, our sales will increase as we expand our sales force or how long it will take for
23

sales personnel to become productive. If we are unable to hire, train, and retain a sufficient number of effective sales personnel, or the sales personnel we hire are not successful in obtaining new customers or increasing sales to our existing customer base, our business and future growth prospects will be materially and adversely affected.
If we fail to effectively manage our growth, we may be unable to execute our business plan, maintain high-quality levels of support, ensure the security of our network, adequately address competitive challenges, or maintain our corporate culture, and our business, financial condition, and results of operations would be harmed.
We have recently experienced, and continue to experience, a period of rapid growth. For example, our headcount grew from 865 employees as of December 31, 2018, to 1,270 employees as of December 31, 2019, to 1,788 employees as of December 31, 2020. We also have offices around the world, including offices in Beijing and Munich that we opened during 2018 and offices in Sydney and Lisbon that we opened in 2019. In 2020, we opened offices in Paris, Tokyo and Toronto. The number of customers, users, and requests on our network also has increased rapidly in recent years. While we expect to continue to expand our operations and to increase our headcount, network, and products significantly in the future, both domestically and internationally, our growth may not be sustainable. Our growth has placed, and future growth will continue to place, a significant strain on our management and our administrative, operational, and financial infrastructure. Our success will depend in part on our ability to manage this growth effectively, which will require that we continue to improve our administrative, operational, financial, and management systems and controls by, among other things:
effectively attracting, training, and integrating a large number of new employees, particularly members of our sales, engineering, and management teams;
ensuring the integrity and security of our network and IT infrastructure throughout the world;
maintaining our corporate culture, which we believe fosters innovation, teamwork, and an emphasis on customer-focused results and contributes to our cost-effective business model;
further improving our key business applications, processes, and IT infrastructure, including our core co-location facilities, to support our business needs;
enhancing our information and communication systems to ensure that our employees and offices around the world are well coordinated and can effectively communicate with each other and our growing base of channel partners, customers, and users;
maintaining high levels of customer support; and
appropriately documenting and testing our IT systems and business processes.
Managing our growth will require significant capital expenditures and allocation of valuable management and employee resources. If we fail to manage our expected growth, the uninterrupted and secure operation of our network and products and key business systems, our corporate culture, our compliance with the rules and regulations applicable to our operations, the quality of our products, and our ability to compete could suffer. Any failure to preserve our culture also could further harm our ability to retain and recruit personnel, innovate and create new products, operate effectively, and execute on our business strategy.
Our quarterly results may fluctuate significantly and may not fully reflect the underlying performance of our business.
Our quarterly results of operations, including, without limitation, our revenue, gross margin, operating margin, profitability, cash flow from operations, and deferred revenue, may vary significantly in the future and period-to-period comparisons of our results of operations may not be meaningful. Accordingly, the results of any one quarter should not be relied upon as an indication of future performance. Our quarterly results of operations may fluctuate as a result of a variety of factors, many of which are outside of our control, and as a result, may not fully reflect the underlying performance of our business. Fluctuation in quarterly results may negatively impact the trading price of our Class A common stock. Factors that may cause fluctuations in our quarterly results of operations include, without limitation:
our ability to attract new paying customers and, to a lesser extent, convert free customers to paying customers;
our ability to retain and upgrade paying customers;
24

the timing of expenses and recognition of revenue;
the amount and timing of operating expenses related to the maintenance and expansion of our business, operations, and infrastructure, as well as entry into operating and capital leases and co-location, interconnection, and similar agreements related to the expansion of our network;
the timing of expenses related to acquisitions;
any large indemnification payments to our customers or other third parties;
changes in our pricing policies or those of our competitors;
the timing and success of new product feature and service introductions by us or our competitors;
network outages or actual or perceived security breaches;
our involvement in litigation or regulatory enforcement efforts, or the threat thereof;
changes in the competitive dynamics of our industry, including consolidation among competitors;
the length of the sales cycle for our contracted customers;
changes in laws and regulations that impact our business; and
general political, economic, market, and social conditions.
For example, the full impact of the ongoing COVID-19 pandemic is unknown at this time but could result in material adverse changes in our results of operations for an unknown period of time as the virus and its related political, social, and economic impacts spread.
We rely on our key technical, sales, and management personnel to grow our business, and the loss of one or more key employees or the inability to attract and retain qualified personnel could harm our business.
Our future success is substantially dependent on our ability to attract, retain, and motivate the members of our management team and other key employees throughout our organization, particularly Matthew Prince, our Chief Executive Officer, and Michelle Zatlyn, our President and Chief Operating Officer. We rely on our leadership team in the areas of operations, security, marketing, sales, support, research and development, and general and administrative functions, and on individual contributors on our research and development team. Although we have entered into employment offer letters with our key personnel, these agreements have no specific duration and constitute at-will employment. We do not maintain key person life insurance policies on any of our employees. The loss of one or more of our executive officers or key employees could seriously harm our business.
To execute our growth plan, we must attract and retain highly qualified personnel. In particular, it is critical for us to attract and retain engineering talent in our fast growing industry. Competition for these personnel in the San Francisco Bay Area, where our headquarters is located, and in London, Singapore, Austin, Texas, and other locations where we maintain offices, is intense, especially for experienced sales professionals and for engineers experienced in designing and developing cloud applications. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. For example, in recent years, recruiting, hiring, and retaining employees with expertise in the cybersecurity industry has become increasingly difficult as the demand for cybersecurity professionals has increased as a result of high-profile cybersecurity attacks on global corporations and governments. Many of the companies with which we compete for experienced personnel have greater resources than we have and may provide higher levels of compensation. In addition, job candidates and existing employees often consider the value of the equity awards they receive in connection with their employment. Volatility or lack of performance in our stock price may affect our ability to attract and retain our key employees. Upon vesting of equity awards, many of our employees have acquired or may soon acquire a substantial amount of personal wealth. This may make it more difficult for us to retain and motivate these employees, and this wealth could affect their decision about whether or not they continue to work for us. Any failure to successfully attract, integrate, or retain qualified personnel to fulfill our current or future needs could materially and adversely affect our business, results of operations, and financial condition.
We believe our long-term value as a company will be greater if we focus on growth, which may negatively impact our profitability.
25

A significant part of our business strategy is to focus on long-term growth. For example, in the year ended December 31, 2020 we increased our operating expenses to $436.8 million as compared to $331.5 million and $234.0 million in the years ended December 31, 2019 and 2018, respectively. In the year ended December 31, 2020 our net loss increased to $119.4 million from $105.8 million and $87.2 million in the years ended December 31, 2019 and 2018, respectively. As a result, we may continue to operate at a loss or our profitability may be lower than it would be if our strategy were to maximize short-term profitability. Significant expenditures on sales and marketing efforts, and expenditures on growing our network and expanding our research and development and portfolio of products, each of which we intend to continue to invest in, may not ultimately grow our business or cause long-term profitability. If we are ultimately unable to achieve or improve profitability at the level or during the time frame anticipated by industry or financial analysts and our stockholders, our stock price may decline.
If we are not able to maintain our brand, our business and results of operations may be adversely affected.
We believe that maintaining our reputation as a provider of products with the highest levels of security, performance, and reliability is critical to our relationship with our existing customers and our ability to attract new customers. The successful promotion of our brand will depend on a number of factors, including the reliability of our network on which we provide our products and the record of security, performance, and reliability of our products; our marketing efforts; our ability to continue to develop high-quality features and products for our network; and our ability to successfully differentiate our products from competitive products and services. Our brand promotion activities may not be successful or yield increased revenue.
Independent industry and financial analysts often provide reviews of our products, as well as those of our competitors. Perception of our offerings in the marketplace may be significantly influenced by these expert reviews. In addition, the difficulty or inability of us to periodically provide certain types of financial information about our business and products requested by industry analysts could adversely impact these analysts’ reviews of our products. If reviews of our products are negative, or less positive than those of our competitors’, our brand may be adversely affected. The performance of our channel partners also may affect our brand and reputation, particularly if customers do not have a positive experience with our channel partners. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our markets become more competitive and we expand into new markets. Expenditures intended to maintain and enhance our brand may not be cost-effective or effective at all. If we do not successfully maintain and enhance our brand, we may have reduced pricing power relative to our competitors, we could lose customers, or we could fail to attract potential new customers or expand sales to our existing customers, all of which could materially and adversely affect our business, results of operations, and financial condition.
Adverse economic conditions, including reduced spending on products and solutions for network security, performance, and reliability, may adversely impact our revenue and profitability.
Our operations and financial performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on products and solutions for network security, performance, and reliability. Our business depends on the overall demand for these products and on the economic health and general willingness of our current and prospective customers to purchase our products. For example, the full impact of the ongoing COVID-19 pandemic is unknown at this time but has resulted in a material adverse impact on economic conditions in the United States and throughout the world, including significant increases in unemployment, reduced demand for products and services across a variety of industries, and other related harms. Some of our paying customers may view a subscription to our products as a discretionary purchase and may reduce their discretionary spending on our products during an economic downturn. Weak economic conditions, including a reduction in spending on products and solutions for security, performance, and reliability, could reduce sales, lengthen sales cycles, increase churn, and lower demand for our products, any of which could adversely affect our business, results of operations, and financial condition.
Our relatively limited operating history makes it difficult to evaluate our current business and prospects and may increase the risk that we will not be successful.
Our relatively limited operating history makes it difficult to evaluate our current business and prospects, and to plan for our anticipated future growth. We began operations in 2010 and much of our growth has occurred in recent years. As a result, our business model has not been fully proven, which subjects us to a number of uncertainties, including our ability to plan for and model future growth. While we have continued to expand our network and develop additional reliability products, we have encountered, and will continue to encounter, risks and uncertainties
26

frequently experienced by rapidly growing companies in developing industries, including our ability to achieve broad market acceptance of our products, attract additional customers, identify and grow partnerships, withstand increasing competition in our existing and future markets, and manage increasing expenses as we continue to grow our business. If our assumptions regarding these risks and uncertainties are incorrect or change in response to changes in the markets for products and solutions for network security, performance, and reliability, our business could suffer and our results of operations and financial condition could differ materially from our expectations.
We have limited experience with our pricing models, and we may not accurately predict the long-term rate of paying customer adoption or renewal or the impact these will have on our revenue or results of operations.
We generate revenue primarily from subscriptions to our network and products. We offer subscription plans that provide varying degrees of functionality, and also offer separate subscriptions to various add-on products and network functionality. We have limited experience with respect to determining the optimal prices and pricing models for our subscription plans and products, particularly with respect to our newer products and solutions such as our recently announced Cloudflare for Teams and Cloudflare One. As the markets for our products mature, as we enter into newer product markets for our business, or as new competitors introduce new products or services that compete with ours, we may be unable to attract new customers or retain existing customers at the same price or based on the same pricing model as we have used historically. Moreover, our increasing focus on larger customers may lead to greater price concessions in the future or have a more significant impact period to period on our revenue and results of operations. As a result, in the future we may be required to reduce our prices, which could adversely affect our revenue, gross margin, profitability, financial condition, and cash flow.
We also have limited experience in determining which products and functionality to offer as part of our subscription plans and which to offer as add-on products. Our limited experience in determining the optimal manner in which to bundle our various products and functionalities could reduce our ability to capture the value delivered by our offerings, which could adversely impact our business, results of operations, and financial condition.
Our growth depends, in part, on the success of our strategic relationships with third parties.
To grow our business, we anticipate that we will continue to depend on relationships with third parties, such as channel partners. Identifying partners, negotiating and documenting relationships with them, and maintaining APIs that some of our partners use to interact with our business, each require significant time and resources. Our competitors may be effective in providing incentives to third parties to favor their products or services over subscriptions to our products. In addition, acquisitions of such partners by our competitors could result in a decrease in the number of our current and potential customers, as these partners may no longer facilitate the adoption of our applications by potential customers. Further, some of our partners are or may become competitive with certain of our products and may elect to no longer integrate with our network and products. If we are unsuccessful in establishing or maintaining our relationships with third parties, our ability to compete in the marketplace or to grow our revenue could be impaired, and our results of operations may suffer. Even if we are successful, we cannot assure you that these relationships will result in increased customer usage of our products or increased revenue.
Our ability to maintain customer satisfaction depends in part on the quality of our customer support. Failure to maintain high-quality customer support could have an adverse effect on our business, results of operation, and financial condition.
We believe that the successful use of our network and products requires a high level of support and engagement for many of our customers, particularly our large customers. In order to deliver appropriate customer support and engagement, we must successfully assist our customers in deploying and continuing to use our network and products, resolving performance issues, addressing interoperability challenges with the customers’ existing IT infrastructure, and responding to security threats and cyber attacks and performance and reliability problems that may arise from time to time. The IT architecture of our contracted customers, particularly the larger organizations, is very complex and may require high levels of focused support to effectively utilize our network and products. Because our network and products are designed to be highly configurable and to rapidly implement customers’ reconfigurations, customer errors in configuring our network and products can result in significant disruption to our customers. Our support organization faces additional challenges associated with our international operations, including those associated with delivering support, training, and documentation in languages other than English.
27

Increased demand for customer support, without corresponding increases in revenue, could increase our costs and adversely affect our business, results of operations, and financial condition.
We also rely on channel partners in order to provide frontline support to some of our customers, including in regions where we do not have a significant physical presence or the customers primarily speak languages other than English. If our channel partners do not provide support to the satisfaction of our customers, we may be required to hire additional personnel and to invest in additional resources in order to provide an adequate level of support, generally at a higher cost than that associated with our channel partners. There can be no assurance that we will be able to hire sufficient support personnel as and when needed, particularly if our sales exceed our internal forecasts. To the extent that we are unsuccessful in hiring, training, and retaining adequate support resources, our ability to provide high-quality and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our network and products could be adversely affected. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality customer support, could adversely affect our reputation, business, results of operations, and financial condition, particularly with respect to our large customers.
Our business depends, in part, on sales to U.S. and foreign government organizations, which are subject to a number of challenges and risks.
We derive a portion of our revenue from contracts with government organizations, and we believe the success and growth of our business will in part depend on adding additional public sector customers. However, demand from government organizations is often unpredictable, and we cannot assure you that we will be able to maintain or grow our revenue from the public sector. Sales to government entities are subject to substantial additional risks that are not present in sales to other customers, including:
selling to government agencies can be more highly competitive, expensive, and time-consuming than sales to other customers, often requiring significant upfront time and expense without any assurance that such efforts will generate a sale;
U.S., European, or other government certification and audit requirements potentially applicable to our network, including the Federal Risk and Authorization Management Program (FedRAMP) in the U.S., are often difficult and costly to obtain and maintain, and failure to do so will restrict our ability to sell to government customers;
government demand and payment for our products may be impacted by public sector budgetary cycles, funding authorizations, or government shutdowns;
governments routinely investigate and audit government contractors’ administrative processes and any unfavorable audit could result in fines, civil or criminal liability, further investigations, damage to our reputation, and debarment from further government business;
governments often require contract terms that differ from our standard customer arrangements, including terms that can lead to those customers obtaining broader rights in our products than would be expected under a standard commercial contract and terms that can allow for early termination; and
governments may demand better pricing terms and public disclosure of such pricing terms, which may harm our ability to negotiate pricing terms with our non-government customers.
In addition, we must comply with laws and regulations relating to the formation, administration, and performance of contracts with the public sector, including U.S. federal, state, and local governmental organizations, which affect how we and our channel partners do business with governmental agencies. Selling our products to the U.S. government, whether directly or through channel partners, also subjects us to certain regulatory and contractual requirements. Failure to comply with these requirements by either us or our channel partners could subject us to investigations, fines, and other penalties, which could have an adverse effect on our business, results of operations, and financial condition. For example, the U.S. Department of Justice (the DOJ) and the General Services Administration (the GSA) have in the past pursued claims against and financial settlements with vendors under the False Claims Act and other statutes related to pricing and discount practices and compliance with certain provisions of GSA contracts for sales to the federal government. The DOJ and GSA continue to actively pursue such claims. Violations of certain regulatory and contractual requirements could also result in us being suspended or debarred from future government contracting. Any of these outcomes could have a material adverse effect on our revenue, results of operations, and financial condition. Any inability to address these risks and challenges could reduce the commercial benefit to us or otherwise preclude us from selling subscriptions to our products to government organizations.
28

We rely on third-party software for certain essential financial and operational services, and a failure or disruption in these services could materially and adversely affect our ability to manage our business effectively.
We rely on third-party software to provide many essential financial and operational services to support our business, including NetSuite, Salesforce, Atlassian, and Workday. Many of these vendors are less established and have shorter operating histories than traditional software vendors. Moreover, these vendors provide their services to us via a cloud-based model instead of software that is installed on our premises. As a result, we depend upon these vendors to provide us with services that are always available and are free of errors or defects that could cause disruptions in our business processes. Any failure by these vendors to do so, or any disruption in our ability to access the Internet, would materially and adversely affect our ability to manage our operations.
Our business is exposed to risks associated with credit card and other online payment processing methods.
Many of our customers pay for our service using a variety of different payment methods, including credit and debit cards, prepaid cards, direct debit, and online wallets. We rely on internal systems as well as those of third parties to process payments. Acceptance and processing of these payment methods are subject to certain rules and regulations and require payment of interchange and other fees. To the extent there are increases in payment processing fees, material changes in the payment ecosystem, such as large re-issuances of payment cards, delays in receiving payments from payment processors, changes to rules or regulations concerning payment processing, loss of payment partners, and/or disruptions or failures in our payment processing systems or payment products, including products we use to update payment information, our revenue, operating expenses, and results of operation could be adversely impacted. In addition, from time to time, we encounter fraudulent use of payment methods, which could impact our results of operations and if not adequately controlled and managed could create negative consumer perceptions of our service. If we are unable to maintain our chargeback rate at acceptable levels, card networks may impose fines and our card approval rate may be impacted. If we fail to comply with the rules or requirements applicable to processing payments, or if our data security systems are breached, compromised, or otherwise unable to detect or prevent fraudulent activity, we may be liable for card issuing banks’ costs, subject to fines and higher transaction fees, and lose our ability to accept certain payments from our customers. The termination of our ability to process payments using any major payment method our business, results of operations, and financial condition could be harmed.
Because we recognize revenue from subscriptions for our products over the term of the subscription, downturns or upturns in new business may not be immediately reflected in our results of operations and may be difficult to discern.
We generally recognize revenue from customers ratably over the term of their subscription, which in the case of our contracted customers range from one to three years and in the case of our pay-as-you-go customers is typically monthly. Consequently, any increase or decline in new sales or renewals to these customers in any one period may not be immediately reflected in our revenue for that period. Any such change, however, may affect our revenue in future periods. Accordingly, the effect of downturns or upturns in new sales and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. We may also be unable to reduce our cost structure in line with a significant deterioration in sales or renewals. Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers must be recognized over the applicable subscription term.
By contrast, a significant majority of our costs are expensed as incurred, which occurs as soon as a customer starts using our network and products. As a result, an increase in customers could result in our recognition of more costs than revenue in the earlier portion of the subscription term. We may not attain sufficient revenue to maintain positive cash flow from operations or achieve profitability in any given period.
If our estimates or judgments relating to our critical accounting policies prove to be incorrect or financial reporting standards or interpretations change, our results of operations could be adversely affected.

The preparation of financial statements in conformity with generally accepted accounting principles in the United States (U.S. GAAP) requires our management to make estimates and assumptions that affect the amounts reported and disclosed in our consolidated financial statements and accompanying notes. We base our estimates and assumptions on historical experience and on various other assumptions that we believe to be reasonable under the
29

circumstances. The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities, and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to allowance for doubtful accounts, deferred contract acquisitions costs, the period of benefit generated from our deferred contract acquisition costs, the capitalization and estimated useful life of internal-use software, the assessment of recoverability of intangible assets and their estimated useful lives, useful lives of property and equipment, liability and equity allocation of our 0.75% Convertible Senior Notes due May 2025 (the Notes), the determination of the incremental borrowing rate used for operating lease liabilities, the valuation and recognition of stock-based compensation expense, uncertain tax positions, and the recognition and measurement of current and deferred income tax assets and liabilities. Due to the COVID-19 pandemic, there is ongoing uncertainty and significant disruption in the global economy and financial markets. We are not aware of any specific event or circumstance that would require an update to our estimates or assumptions or a revision of the carrying value of assets or liabilities as of February 25, 2021, the date of issuance of this Annual Report on Form 10-K. These estimates and assumptions may change in the future, however, as new events occur and additional information is obtained. Our results of operations may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our results of operations to fall below the expectations of industry or financial analysts and investors, resulting in a decline in the trading price of our common stock.
Additionally, we regularly monitor our compliance with applicable financial reporting standards and review new pronouncements and drafts thereof that are relevant to us. As a result of new standards, or changes to existing standards, and changes in their interpretation, we might be required to change our accounting policies, alter our operational policies and implement new or enhance existing systems so that they reflect new or amended financial reporting standards, or we may be required to restate our published financial statements. Such changes to existing standards or changes in their interpretation may have an adverse effect on our reputation, business, financial condition, and profit and loss, or cause an adverse deviation from our revenue and operating profit and loss target, which may negatively impact our results of operations.
Future acquisitions, strategic investments, partnerships, or alliances could be difficult to identify and integrate, divert the attention of key management personnel, disrupt our business, dilute stockholder value, and adversely affect our results of operations, financial condition, and prospects.
Part of our business strategy is to make acquisitions of other companies, products, and technologies. For example, in January 2020, we acquired S2 Systems Corporation, a company that has developed browser isolation technology. We have limited experience in making acquisitions. We also may not be able to find suitable acquisition candidates and we may not be able to complete acquisitions on favorable terms, if at all. If we do complete acquisitions, we may not ultimately strengthen our competitive position or achieve our goals, and any acquisitions we complete could be viewed negatively by customers, developers, or investors. In addition, we may not be able to integrate acquired businesses successfully or effectively manage the combined company following an acquisition. If we fail to successfully integrate our acquisitions, or the people or technologies associated with those acquisitions, into our company, the results of operations of the combined company could be adversely affected. Any integration process will require significant time and resources, require significant attention from management, and disrupt the ordinary functioning of our business, and we may not be able to manage the process successfully, which could adversely affect our business, results of operations, and financial condition. In addition, we may not successfully evaluate or utilize the acquired technology and accurately forecast the financial impact of an acquisition transaction, including accounting charges.
In order to expand our network and product offerings, we also may enter into relationships with other businesses, which could involve joint ventures, preferred or exclusive licenses, additional channels of distribution, or investments in other companies. Negotiating these transactions can be time-consuming, difficult, and costly, and our ability to close these transactions may be subject to third-party approvals, such as government regulatory approvals, which are beyond our control. Consequently, we cannot assure you that these transactions, once undertaken and announced, will close or will lead to commercial benefit for us.
In connection with the foregoing strategic transactions, we may:
issue additional equity securities that would dilute our stockholders;
use cash that we may need in the future to operate our business;
incur debt on terms unfavorable to us or that we are unable to repay;
30

incur large charges or substantial liabilities;
encounter difficulties integrating diverse business cultures; and
become subject to adverse tax consequences, substantial depreciation, or deferred compensation charges.
These challenges related to acquisitions or other strategic transactions could adversely affect our business, results of operations, financial condition, and prospects.
Certain of our key business metrics could prove to be inaccurate, and any real or perceived inaccuracies may harm our reputation and negatively affect our business.
We rely on assumptions and estimates to calculate certain of our key business metrics, such as dollar-based net retention rate. We regularly review and may adjust our processes for calculating our key business metrics to improve their accuracy. For example, in our Quarterly Report on Form 10-Q for the quarter ended March 31, 2020, we announced a change in how we will calculate our key business metrics starting during 2020 so that they are now based on revenue instead of billings. For a discussion of the reasons for such change, refer to Part II, Item 7 “Management’s Discussion and Analysis of Financial Condition and Results of Operations – Non-GAAP Financial Measures and Key Business Metrics.” Our key business metrics may differ from estimates published by third parties or from similarly titled metrics of our competitors due to differences in methodology. If investors or analysts do not perceive our key business metrics to be accurate representations of our business, or if we discover material inaccuracies in our key business metrics, our reputation, business, results of operations, and financial condition would be harmed.
Our management team has limited experience managing a public company.
Most members of our management team have limited experience managing a publicly traded company, interacting with public company investors, and complying with the increasingly complex laws pertaining to public companies. Our management team may not successfully or efficiently manage our company, which is subject to significant regulatory oversight and reporting obligations under the federal securities laws and the continuous scrutiny of securities analysts and investors. These new obligations and constituents require significant attention from our senior management and could divert their attention away from the day-to-day management of our business, which could harm our business, results of operations, and financial condition.
We may need additional capital, and we cannot be certain that additional financing will be available on favorable terms, or at all.
Historically, we have financed our operations primarily through the sale of our equity and equity-linked securities as well as payments received from customers using our global cloud network and products. Although we currently anticipate that our existing cash, cash equivalents, and available-for-sale securities, and cash flow from operations will be sufficient to meet our working capital and capital expenditure needs for at least the next 12 months, we may require additional financing. We evaluate financing opportunities from time to time, and our ability to obtain financing will depend, among other things, on our development efforts, business plans, and operating performance, and the condition of the capital markets at the time we seek financing. We cannot assure you that additional financing will be available to us on favorable terms when required, or at all. If we raise additional funds through the issuance of equity or equity-linked or debt securities, those securities may have rights, preferences or privileges senior to the rights of our Class A common stock, and, in the case of equity or equity-linked securities, our stockholders may experience dilution.
Risks Related to Our Network and Products
Problems with our internal systems, networks, or data, including actual or perceived breaches or failures, could cause our network or products to be perceived as insecure, underperforming, or unreliable, our reputation to be damaged, and our financial results to be negatively impacted.
We face security threats from malicious third parties that could obtain unauthorized access to our internal systems, networks, and data, including the equipment at our network and core co-location facilities. It is virtually impossible for us to entirely mitigate the risk of these security threats and the security, performance, and reliability of our network and products may be disrupted by third parties, including nation-states, competitors, hackers, disgruntled employees, former employees, or contractors. We also face the possibility of security threats from other sources,
31

such as employee or contractor errors, or malfeasance. For example, hostile third parties, including nation-states, may seek to bribe, extort, or otherwise manipulate our employees or contractors to compromise our network and products. While we have implemented security measures internally and have integrated security measures into our network and products, these measures may not function as expected and may not detect or prevent all unauthorized activity, prevent all security breaches, mitigate all security breaches, or protect against all attacks or incidents. Because the equipment in our network co-location facilities is designed to run all of our products, any insertion of malicious code on, unauthorized access to, or other security breach with respect to, this equipment could potentially impact all of our products running on this equipment. We may also experience security breaches and other incidents that may remain undetected for an extended period and, therefore, may have a greater impact on our products and the networks and systems used in our business, and the proprietary and other confidential data contained on our network or otherwise stored or processed in our operations, and ultimately on our business. We expect to incur significant costs in our efforts to detect and prevent security breaches and other security-related incidents, and we may face increased costs in the event of an actual or perceived security breach or other security-related incident. Our internal systems are exposed to the same cybersecurity risks and consequences of a breach as our customers and other enterprises, any of which could have an adverse effect on our business or reputation. These cybersecurity risks pose a particularly significant risk to a business like ours that is focused on providing highly secure products to customers. With the increase in remote work during the ongoing COVID-19 pandemic, we and our customers face increased risks to the security of infrastructure and data, and we cannot guarantee that our security measures will prevent security breaches. We also may face increased costs relating to maintaining and securing our infrastructure and data that we maintain and otherwise process.
Unauthorized access to, other security breaches of, or security incidents affecting, systems, networks, and data used in our business, including those of our vendors, contractors, or those with which we have strategic relationships, even if not resulting in an actual or perceived breach of our customers’ networks, systems, or data, could result in the loss, compromise or corruption of data, loss of business, reputational damage adversely affecting customer or investor confidence, regulatory investigations and orders, litigation, indemnity obligations, damages for contract breach, penalties for violation of applicable laws or regulations, significant costs for remediation, and other liabilities.
Additionally, in the absence of malicious actions, our network and products may experience errors, failures, vulnerabilities, or bugs that cause our products not to perform as intended. For example, from time to time we are subject to “route leaks” that involve the accidental or, less commonly, illegitimate advertisement of prefixes, or blocks of IP addresses, which propagate across networks such as ours and can lead to incorrect routing of traffic across our network, taking traffic offline, or in extreme cases, potential interception of customers’ traffic by attackers. For example, in June 2019, a route leak spread by a major telecommunications services provider caused significant disruption to our traffic and that of many other providers. Although events like this are outside our control, they could materially harm our reputation and diminish the confidence of our current and potential customers in our network and products. In addition, deployment of our network and products into other computing environments may expose these errors, failures, vulnerabilities, or bugs in our products. Any such errors, failures, vulnerabilities, or bugs may not be found until after they are deployed to our customers and may create the perception that our network and products are insecure, underperforming, or unreliable. For example, in July 2019, we deployed an update to our web application firewall and certain aspects of the related software code resulted in excessive consumption of computing resources across our network, resulting in an outage on our network. In April 2020, our core co-location facility in the U.S. Pacific Northwest experienced an outage of approximately 4-1/2 hours as a result of an error that occurred during planned maintenance activities at that facility and, during the outage, our customers lost access to certain features included in our products. In July 2020, we experienced a configuration error in our backbone network that caused an outage for Internet properties and our products in certain areas lasting approximately 30 minutes. While the June 2019 route leak and the July 2019, April 2020, and July 2020 outages did not have a material impact on our results of operations or financial condition, any similar events that may occur in the future may have a material adverse impact on our results of operations or financial condition. In addition, in the event network outages or similar events occur, these events can require additional capital expenditures to lessen the chance that similar events will occur in the future. We also provide frequent updates and fundamental enhancements to our network and products, which increase the possibility of errors. Our quality assurance procedures and efforts to report, track, and monitor issues with our network may not be sufficient to ensure we detect any such defects in a timely manner. For example, in February 2017, a bug in our software code that processes computer information requests was identified. Instead of the requested data, in certain circumstances this bug, which became known as “Cloudbleed,” caused our servers to output data that was not requested. The erroneous data output by our system included, but was not limited to, a portion of our customers’ secure data. There can be no assurance that our software code is or will remain free from actual or perceived errors, failures,
32

vulnerabilities, or bugs, or that we will accurately route or process all requests and traffic on our network. Given the trillions of Internet requests that route through our network on a monthly basis and the large array of Internet properties (e.g., domains, websites, application programming interfaces (APIs), and mobile applications) we service, the impact of any such error, failure, vulnerability, or bug can be large in terms of absolute numbers of affected requests and customers.
Problems with our network or systems, or those of our vendors, contractors, or those with which we have strategic relationships, could result in actual or perceived breaches of our or our customers’ networks and systems or data. Actual or perceived breaches or other security incidents from these or other causes could lead to claims and litigation, indemnity obligations, regulatory audits, proceedings, and investigations and significant legal fees, significant costs for remediation, the expenditure of significant financial resources in efforts to analyze, correct, eliminate, remediate, or work around errors or defects, to address and eliminate vulnerabilities, and to address any applicable legal or contractual obligations relating to any actual or perceived security breach. They could damage our relationships with our existing customers and have a negative impact on our ability to attract and retain new customers. Because our business is focused on providing secure and high performing network services to our customers, we believe that our products and the networks and systems we use in our business could be targets for hackers and others, and that an actual or perceived breach of, or security incident affecting, our networks, systems, or data, could be especially detrimental to our reputation, customer and channel partner confidence in our solution, and our business. Additionally, our products are designed to operate without interruption, including up to a 100% uptime guarantee for our Business and Enterprise plans. If a breach or security incident were to impact the availability of our network and products, our business, results of operations, and financial condition, as well as our reputation, could be adversely affected.
Any cybersecurity insurance that we carry may be insufficient to cover all liabilities incurred by us in connection with any privacy or cybersecurity incidents or may not cover the kinds of incidents for which we submit claims. For example, insurers may consider cyber attacks by a nation-state as an “act of war” and any associated damages as uninsured. We also cannot be certain that our insurance coverage will be adequate for data handling or data security liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, results of operations, and financial condition, as well as our reputation.
If our global network that delivers our products or the core co-location facilities we use to operate our network are damaged, interfered with, or otherwise fail to meet the requirements of our business or local regulations, our ability to provide access to our network and products to our customers and maintain the performance of our network could be negatively impacted, which could cause our business, results of operations and financial condition to suffer.
As of December 31, 2020, we hosted our global network and served our customers from co-location and ISP-partner facilities located in more than 200 cities and over 100 countries worldwide. In addition to these global facilities, much of the infrastructure for our global network and for our business and operations is maintained through a core co-location facility located in the U.S. Pacific Northwest, a second core co-location facility located in Luxembourg that provides certain redundancy to the U.S. core facility, and through a limited number of other U.S. co-location facilities that provide limited subsets of our network support. While we have electronic and, to a lesser extent, physical access to the components and infrastructure of our network and co-location facilities that are hosted by third parties—including ISP-partner facilities—we do not control the operation of these third-party facilities. Consequently, we may be subject to service disruptions as well as failures to provide adequate support for reasons that are outside of our direct control. Additionally, the demands placed on our global network by the COVID-19 pandemic may further strain our network, which could lead to service disruptions. All of our co-location and ISP-partner facilities and network infrastructure are vulnerable to damage or interruption from a variety of sources including earthquakes; floods; fires; power loss; system failures; computer viruses; physical or electronic break-ins; human error; malfeasance; or interference, including by disgruntled employees, former employees, or contractors; terrorism; and other catastrophic events. For example, in April 2020, our core co-location facility in the U.S. Pacific Northwest experienced an outage of approximately 4-1/2 hours as a result of an error that occurred during planned maintenance activities at that facility and, during the outage, our customers lost access to certain features included in our products. Co-location facilities housing our network infrastructure may also be subject to local administrative actions, changes to legal or permitting requirements, labor disputes, and litigation to stop, limit, or delay operations. Despite precautions taken at these facilities, such as disaster recovery and business continuity arrangements, the
33

occurrence of a natural disaster or an act of terrorism, a decision to close the co-location facilities without adequate notice, or other unanticipated problems at these facilities could result in interruptions or delays in the availability of our network and products, impede our ability to scale our operations, or have other adverse impacts upon our business, results of operations, and financial condition. In addition, errors or defects in our customers’ software can result in unexpected and unintentional upward spikes in their usage of our products and network, and those spikes can cause strains on, and adversely affect the availability and functioning of, our co-location facilities and our network.
The components of our global network are interrelated, such that disruptions or outages affecting one or more of our network co-location facilities may increase the strain on other components of our network. Concurrent disruptions or outages at a number of our network co-location facilities may lead to a cascading effect in which heightened strain on our network causes further disruptions or outages, particularly within the regions where the disruptions and outages occur. In addition, the failure of any of our core co-location facilities for any significant period of time, particularly our U.S. core co-location facility, could place a significant strain upon the ongoing operation of our business, as we have only limited redundant functionality for these facilities. Such a failure of a core co-location facility could degrade and slow down our network, reduce the functionality of our products for our customers, impact our ability to bill our customers, and otherwise materially and adversely impact our business, reputation, and results of operations.
If our customers’ or channel partners’ access to our network and products is interrupted or delayed for any reason, our business could suffer.
Any interruption or delay in our customers’ or channel partners’ access to our network and products will negatively impact our customers. Our customers depend on the continuous availability of our network for the delivery and use of our products, and our products are designed to operate without interruption, including up to 100% uptime guarantee for our Business and Enterprise plans. If all or a portion of our network were to fail, our customers and partners could lose access to the Internet until such disruption is resolved or they deploy disaster recovery options that allow them to bypass our network. The adverse effects of any network interruptions on our reputation and financial condition may be heightened due to the nature of our business and our customers’ expectation of continuous and uninterrupted Internet access and low tolerance for interruptions of any duration. While we do not consider them to have been material, we have experienced, and may in the future experience, network disruptions and other performance problems due to a variety of factors. For example, in July 2019, we deployed an update to our web application firewall and certain aspects of the related software code resulted in excessive consumption of computing resources across our network, resulting in an outage on our network. In April 2020, our core co-location facility in the U.S. Pacific Northwest experienced an outage of approximately 4-1/2 hours as a result of an error that occurred during planned maintenance activities at that facility and, during the outage, our customers lost access to certain features included in our products. In addition, in July 2020, we experienced a configuration error in our backbone network that caused an outage for Internet properties and our products in certain areas lasting approximately 30 minutes.
The following factors, many of which are beyond our control, can affect the delivery, performance, and availability of our network and products:
the development, maintenance, and functioning of the infrastructure of the Internet as a whole;
the performance and availability of third-party telecommunications services with the necessary speed, data capacity, and security for providing reliable Internet access and services;
decisions by the owners and operators of the co-location and ISP-partner facilities where our network infrastructure is deployed or by global telecommunications service provider partners who provide us with network bandwidth to terminate our contracts, discontinue services to us, shut down operations or facilities, increase prices, change service levels, limit bandwidth, declare bankruptcy, breach their contracts with us, or prioritize the traffic of other parties;
the occurrence of earthquakes, floods, fires, power loss, system failures, physical or electronic break-ins, acts of war or terrorism, human error or interference (including by disgruntled employees, former employees, or contractors), and other catastrophic events;
cyber attacks targeted at us, facilities where our network infrastructure is located, our global telecommunications service provider partners, or the infrastructure of the Internet;
errors, defects, or performance problems in the software we use to operate our network and products and provide our related products to our customers;
34

our customers’ or channel partners’ improper deployment or configuration of our customers' access to our network and products;
the maintenance of the APIs in our systems that our partners use to interact with us;
the failure of our redundancy systems, in the event of a service disruption at one of the facilities hosting our network infrastructure, to redistribute load to other components of our network; and
the failure of our disaster recovery and business continuity arrangements.
The occurrence of any of these factors, or our inability to efficiently and cost-effectively fix such errors or other problems that may be identified, could damage our reputation, negatively impact our relationship with our customers, or otherwise materially harm our business, results of operations, and financial condition.
Detrimental changes in, or the termination of, any of our co-location relationships, ISP partnerships, or our other interconnection relationships with ISPs could adversely impact our business, results of operations, and financial condition.
Our relationships with ISP partners and other vendors that provide co-location services for our network infrastructure and the pricing and other material contract terms we have with these vendors are important for the maintenance, development, and expansion of our global network. If any of our co-location agreements were to expire or the pricing and other material terms of these agreements were to worsen, our business, results of operations, and financial condition would be adversely affected unless we were able to find a substitute vendor for the impacted facility on comparable or better terms. Moreover, a significant number of our important co-location agreements are with a single company and if our arrangements with this company were to change in a manner adverse to us, we could face difficulty in maintaining or growing our network on commercially viable terms. In addition, as part of our arrangements with some of our ISP partners, the ISP partner has agreed to host our equipment for free or at a discount to the partner’s customary rate. There can be no assurances that these ISP partners will continue to provide these types of favorable equipment hosting arrangements in the future.
The efficient and effective operation of our network also relies upon a series of mutually beneficial arrangements with other Internet infrastructure companies. These arrangements are often referred to as “peering” or “interconnection” agreements, and allow us and our ISP partners to reduce bandwidth costs related to operating our respective networks. If the underlying competitive, business, or operational incentives supporting these arrangements were to change, we or our partners might terminate these agreements or allow them to expire. Many of our peering or interconnection agreements have a term of three years or less, after which such agreements auto-renew on an annual basis. Changes to the underlying incentive structure of peering arrangements may result from parties seeking to take advantage of an essential position or enter into exclusive arrangements, changes to U.S. or international laws, regulations, policies, or changes in the norms governing the relationships among Internet infrastructure providers. Without favorable peering arrangements, we would incur significantly increased costs to continue to provide our products at their current levels and such increased costs could adversely impact our business, results of operations, and financial condition. To the extent that additional countries begin to regulate peering with outside networks, our costs may increase and our business and results of operations could be adversely impacted.
If our network and products do not interoperate with our customers’ internal networks and infrastructure or with third-party products, websites, or services, our network may become less competitive and our results of operations may be harmed.
Our network and products must interoperate with our customers’ existing internal networks and infrastructure. These complex internal systems are developed, delivered, and maintained by the customer and a myriad of vendors and service providers. As a result, the components of our customers’ infrastructure have different specifications, rapidly evolve, utilize multiple protocol standards, include multiple versions and generations of products, and may be highly customized. We must be able to interoperate and provide products to customers with highly complex and customized internal networks, which requires careful planning and execution between our customers, our customer support teams and, in some cases, our channel partners. Further, when new or updated elements of our customers’ infrastructure or new industry standards or protocols are introduced, we may have to update or enhance our network to allow us to continue to provide our products to customers. Our competitors or other vendors may refuse to work with us to allow their products to interoperate with our network and products, which could make it difficult for our network and products to function properly in customer internal networks and infrastructures that include these third-party products.
35

We may not deliver or maintain interoperability quickly or cost-effectively, or at all. These efforts require capital investment and engineering resources. If we fail to maintain compatibility of our network and products with our customers’ internal networks and infrastructures, our customers may not be able to fully utilize our network and products, and we may, among other consequences, lose or fail to increase our market share and number of customers and experience reduced demand for our products, which would materially harm our business, results of operations, and financial condition.
Because we provide some of our products through a reverse-proxy, which is a network arrangement in which Internet user requests initially are directed to our network’s servers rather than those of our customers, the source of some traffic may be difficult to ascertain. When they cannot identify the source of the traffic, some governments, third-party products, websites, or services may block our traffic or blacklist our IP addresses. If our customers experience significant instances of traffic blockages, they will experience reduced functionality or other inefficiencies, which would reduce customer satisfaction with our network and products and likelihood of renewal.
We rely on a limited number of suppliers for certain components of the equipment we use to operate our network and any disruption in the availability of these components could delay our ability to expand or increase the capacity of our global network or replace defective equipment.
We rely on a limited number of suppliers for several components of the equipment we use to operate our network and provide products to our customers. Our reliance on these suppliers exposes us to risks, including reduced control over production costs and constraints based on the then current availability, terms, and pricing of these components. For example, we generally rely on a single source to purchase the servers that we use in our network and we ordinarily purchase these components on a purchase-order basis, without any long-term contracts guaranteeing supply. While the network equipment and servers we purchase generally are commodity equipment and we believe an alternative supply source for servers on substantially similar terms could be identified quickly, our business could be adversely affected until those efforts were completed. In addition, the technology equipment industry has experienced component shortages and delivery delays in the past, and we may experience shortages or delays, including as a result of natural disasters, increased demand in the industry, or our suppliers lacking sufficient rights to supply the components in all jurisdictions in which we have co-location facilities that support our global network. For example, the ongoing COVID-19 pandemic has resulted, and we expect will continue to result in disruptions and delays for these components and the delivery and installation of such components at our co-location facilities. If our supply of certain components is disrupted or delayed, there can be no assurance that additional supplies or components can serve as adequate replacements for the existing components or that supplies will be available on terms that are favorable to us, if at all. Any disruption or delay in the supply of our hardware components may delay the opening of new co-location facilities, limit capacity expansion or replacement of defective or obsolete equipment at existing co-location facilities, or cause other constraints on our operations that could damage our customer relationships.
The actual or perceived failure of our products to block malware or prevent a security breach could harm our reputation and adversely impact our business, results of operations, and financial condition.
Our security products are designed to reduce the threat to our customers posed by malware and other Internet security threats. Our security products may fail to detect or prevent malware or security breaches for any number of reasons. Even where our security products perform as intended, the performance of our security products can be negatively impacted by our failure to enhance, expand, or update our network and products; improper classification of websites by our employees, automated systems, and partners which identify and track malicious websites; improper deployment or configuration of our products; and many other factors.
Companies are increasingly subject to a wide variety of attacks on their networks and systems, including traditional computer hackers; malicious code, such as viruses and worms; distributed denial-of-service attacks; sophisticated attacks conducted or sponsored by nation-states; advanced persistent threat intrusions; ransomware; phishing attacks and other forms of social engineering; employee, vendor, or contractor errors or malfeasance; and theft or misuse of intellectual property or business or personal data, including by disgruntled employees, former employees, or contractors. No security solution, including our products, can address all possible security threats or block all methods of penetrating a network or otherwise perpetrating a security incident. Accordingly, our security products may be unable to detect or prevent a threat until after our customers are impacted. As our products are adopted by an increasing number of enterprises, it is possible that the individuals and organizations behind cyber threats will focus on identifying ways to circumvent or defeat our security products. If our network is targeted by attacks specifically designed to disrupt it, it could create the perception that our security products are not capable of
36

providing adequate security. As a provider of security products, any perceived lack of security to our network or any of our products could erode our customers’ and potential customers’ trust in our network and products. Moreover, a high-profile security breach of another cloud services provider could cause our customers and potential customers to lose trust in cloud solutions generally, and cloud-based products like ours in particular. Any such loss of trust could materially and adversely impact our ability to retain existing customers or attract new customers.
Our customers must rely on complex network and security infrastructures, which include products and services from multiple vendors, to secure their networks. If any of our customers becomes infected with malware, or experiences a security breach, they could be disappointed with our products, regardless of whether our security products are intended to block the attack or would have blocked the attack if the customer had properly configured our products or their network, or taken other steps within their control. For example, in April 2017, we published details of a web cache deception attack method that exploits the misconfiguration of websites to circumvent reverse-proxy systems such as ours. While the vulnerability associated with this attack method relates to misconfiguration of websites outside of our control, a customer experiencing a security event related to this vulnerability may nevertheless blame us or become dissatisfied with our products as a result. Additionally, if any enterprises that are publicly known to use our network and products are the subject of a cyber attack that becomes publicized, this could harm our reputation and our current or potential customers may look to our competitors for alternatives to our network and products.
From time to time, industry or financial analysts and research firms test our network and related security products against other security products. Our products may fail to detect or prevent threats in any particular test for a number of reasons, including misconfiguration. To the extent potential customers, industry or financial analysts, or testing firms believe that the occurrence of a failure to detect or prevent any particular threat is a flaw or indicates that our products do not provide significant value or provide less value than competitive solutions, our reputation and business could be materially harmed.
Any real or perceived flaws in our network, or any actual or perceived security breaches of our customers, could result in:
a loss of existing or potential customers or channel partners;
delayed or lost sales and harm to our financial condition and results of operations;
a delay in attaining, or the failure to attain, market acceptance of our products;
the expenditure of significant financial resources in efforts to analyze, correct, eliminate, remediate, or work around errors or defects, to address and eliminate vulnerabilities, and to address any applicable legal or contractual obligations relating to any actual or perceived security breach;
negative publicity and damage to our reputation and brand; and
legal claims and demands (including for stolen assets or information, repair of system damages, and compensation to customers and business partners), litigation, regulatory audits, proceedings or investigations, and other liability.
Any of the above results could materially and adversely affect our business, results of operations, and financial condition.
Abuse or misuse of our internal network services tools could cause significant harm to our business and reputation.
In order to provide real-time support to our customers, we have created internal network services tools that are used by our employees to diagnose and correct customer security, performance, and reliability issues. If our employees were to intentionally abuse these tools by interfering with or altering our customers’ Internet properties, our customers could be significantly harmed. Our employees’ inadvertent misuse of these tools could similarly harm our customers. For example, third parties have in the past attempted to induce our employees to use their administrative access to reveal, remove, or disable our customers’ information and content, including by submitting fraudulent law enforcement requests, copyright takedown requests, or other content-based complaints. Any such improper disclosure or removal could significantly and adversely impact our business and reputation. While our tools have been developed only for authorized use by our employees, any unauthorized release of these tools to third parties would represent a significant vulnerability in our products. Accordingly, any abuse or misuse of our network services tools could significantly harm our business and reputation. If it became necessary to further restrict
37

the availability or use of our network services tools by our employees in response to any abuse or misuse, our ability to deliver high-quality and timely customer support could be harmed.
We may choose to make public disclosures of negative events about our network, systems, and products when we are not otherwise required by applicable law and those disclosures could materially and adversely impact our business, reputation, and results of operations.
In the past we have been, and in the future we expect to be, transparent about our network, systems, and products with our customers and the public in general. We believe that being rigorously and promptly transparent is an essential part of maintaining trust with our customers. At times, this transparency may result in us publicly disclosing information regarding negative events about our network, systems, and products in circumstances where we may not be required to do so by applicable law. If and when we choose to make these types of non-legally required public disclosures, we may suffer reputational damage, loss of business, litigation, indemnity obligations, damages for contract breach, penalties for violation of applicable laws or regulations, significant costs for remediation, and other liabilities that could materially and adversely impact our business, reputation, and results of operations.
We provide service level commitments under our Enterprise plan customer contracts and our Business plan terms of service. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service or allow customers to terminate their subscriptions and our business could suffer.
Our Enterprise plan agreements and our Business plan terms of service typically provide for service level commitments, which contain specifications regarding the availability and performance of our network. In particular, our Enterprise plan subscriptions and our Business plan terms of service include up to a 100% uptime guarantee. Any failure of or disruption to our infrastructure could adversely impact the security, performance, and reliability of our network and products for our customers. If we are unable to meet our stated service level commitments or if we suffer extended periods of poor performance or unavailability of our network and products, these customers could seek to bring claims against us or terminate their agreements with us and, in the case of our contracted customers, we may be contractually obligated to provide affected customers with service credits that they may apply against future subscription fees otherwise owed to us, and, in certain cases, refunds of pre-paid and other fees. For example, the June 2019 route leak and July 2019, April 2020, and July 2020 outages triggered certain of these types of obligations. The impact of the June 2019 route leak and the July 2019, April 2020, and July 2020 outages did not have a material impact on our results of operations or financial condition; however, other future events like these may materially and adversely impact our results of operations or financial condition. Our revenue, other results of operations, and financial condition could be harmed if we suffer performance issues or downtime that exceeds the service level commitments under our agreements and terms of service with our paying customers.
If our products do not obtain and maintain market acceptance, our ability to grow our business and our results of operations may be adversely affected.
Our products are still evolving and it is difficult to predict customer demand and adoption rates for our product offerings. We believe that our network and cloud-based products represent a major shift from traditional solutions. Many of our potential customers, particularly large enterprises and government entities, face barriers to adopting our offerings because of their prior investment in, and the familiarity of their IT personnel with, on-premises, appliance-based solutions. As a result, our sales process often involves extensive efforts to educate our customers about our products, particularly as we continue to pursue customer relationships with large organizations. Our customers also expect us to meet voluntary certifications or adhere to standards established by third parties and may demand that they be provided a report from our auditors that we are in compliance. Although we currently have certain certifications such as SOC2 Type 1 and Type 2, SOC3, PCI DSS, and ISO 27001, we may not be successful in continuing to maintain those certifications or in obtaining other certifications. In addition, sales to government entities and other large enterprises may in particular be conditioned upon adherence to the FedRAMP and Electronic Identification and Trust Services Regulation standards in the United States and the EU, respectively, and we do not currently have these certifications. The costs of obtaining and maintaining certification pursuant to any of these standards are significant, and any failure to obtain and maintain such certifications for our network and products could reduce demand for them, which would harm our business, results of operations, and financial condition. To the extent our competitors have, and we do not have, these certifications, we may lose the opportunity to obtain subscriptions from certain potential paying customers.
38

Despite our efforts, we can provide no assurance that our cloud-based products will obtain market acceptance or that competing products or services based on other cloud-based and/or on-premises technologies will not achieve market acceptance. If we fail to achieve market acceptance of our products or are unable to keep pace with industry changes or obtain necessary product certifications, our ability to grow our business, results of operations, and financial condition will be materially and adversely affected.
We may not be able to respond to rapid technological changes or develop new products and features that are attractive to our current and prospective future customers.
The industry in which we compete is characterized by rapid technological change, including frequent introductions of new products and services, evolving industry standards, changing regulations, and the development of novel cyber attacks by hostile parties, as well as changing customer needs, requirements, and preferences. Our need for continuous innovation is driven not only by competitive forces within our industry but also by our need to out-innovate the highly motivated third parties seeking to breach or compromise our network and those of our customers for economic, political, military, or other purposes.
Our ability to attract new customers and increase revenue from existing customers will depend in significant part on our ability to anticipate and respond effectively to these forces on a timely basis and continue to introduce enhancements to our network and develop new products. If new technologies emerge that deliver competitive products and services at lower prices, more efficiently, more conveniently, more securely or reliably, or are higher performing, these technologies could render our network and existing products less attractive to our current and prospective future customers, or obsolete. The development of novel attacks or exploits by criminal or malicious elements or hostile state actors also could render our network and existing products less effective or obsolete. The success of our business depends on our continued investment in our research and development organization to increase the integrity, reliability, availability, and scalability of our products. We may experience difficulties with development, design, or marketing of such enhancements to our network and products that could delay or prevent their development, introduction, or implementation. We have in the past experienced delays in the planned expansion of our network and in our internally planned or publicly announced release dates of new products and new features and capabilities, and there can be no assurance that planned expansions of our network will occur on schedule and that new products, features, or capabilities will be released according to schedule. Any delays could result in adverse publicity, loss of revenue or market acceptance, or claims by customers brought against us, all of which could have a material and adverse effect on our reputation, business, results of operations, and financial condition.
Risks Related to Legal, Tax, and Regulatory Matters
Activities of our paying and free customers or the content of their websites and other Internet properties may violate applicable laws and/or our terms of service and could subject us to lawsuits, regulatory enforcement actions, and/or liability in various jurisdictions.
Through our network, we provide a wide variety of products that enable our customers to exchange information, conduct business, and engage in various online activities both domestically and internationally. Our customers may use our network and products in violation of applicable law or in violation of our terms of service or the customer’s own policies. The existing laws relating to the liability of providers of online products and services for activities of their users are highly unsettled and in flux both within the United States and internationally. We are currently and, in the future, may be subject to lawsuits and/or liability arising from the conduct of our customers. Additionally, the conduct of our customers may subject us to regulatory enforcement actions and/or liability. We are a defendant in lawsuits, both in the United States and abroad, seeking injunctive relief and/or damages against us based on content that is made available through our customers’ websites. A number of these lawsuits involve copyright infringement claims, and courts in Italy and Germany recently disagreed with our position and directed us to take action by removing access to content of certain sites on our network. There can be no assurance that we will not face similar litigation in the future or that we will prevail in any litigation we are facing or may face. An adverse decision in one or more of these lawsuits could materially and adversely affect our business, results of operations, and financial condition.
Several U.S. federal statutes may apply to us with respect to various activities of our customers, including: the Digital Millennium Copyright Act (the DMCA), which provides recourse for owners of copyrighted material who believe their rights under U.S. copyright law have been infringed on the Internet; and section 230 of the Communications Decency Act (the CDA), which addresses blocking and screening of content on the Internet.
39

Although these and other similar legal provisions, such as the European Union (the EU) e-Commerce Directive, provide limited protections from liability for service providers like us, those protections may not be interpreted in a way that applies to us, may be amended in the future, or may not provide us with complete protection from liability claims. If we are found not to be protected by the safe harbor provisions of the DMCA, CDA or other similar laws, or if we are deemed subject to laws in other countries that may not have the same protections or that may impose more onerous obligations on us, we may owe substantial damages and our brand, reputation, and financial results may be harmed.
Current and future litigation subjects us to claims for very large potential damages based on a significant number of online occurrences under statutory or other damage theories. Such claims may result in liability that exceeds our ability to pay or our insurance coverage. Even if claims against us are ultimately unsuccessful, defending against such claims will increase our legal expenses and divert management’s attention from the operation of our business, which could materially and adversely impact our business and results of operations.
Policies and laws in this area remain highly dynamic, and we may face additional theories of intermediary liability in various jurisdictions. Many policymakers in the United States have called for a re-examination of CDA section 230 and the EU is considering a new Digital Services Act and Digital Markets Act to update the rules governing digital services like ours, including replacing the eCommerce directive and imposing additional legal requirements on service providers. In addition, in 2019, the EU approved a copyright directive that will impose additional obligations on service providers and failure to comply could give rise to significant liability. Other laws and pending legislation at the EU level (terrorist content), in Germany (extremist content), United Kingdom (online harms), Australia (violent content), and Singapore (online falsehoods), as well as other new laws like them, may also expose Internet companies like us to significant liability. We may incur additional costs to comply with these new laws, which may have an adverse effect on our business, results of operations, and financial condition.
Our policies regarding user privacy could cause us to experience adverse business and reputational consequences with customers, employees, suppliers, government entities, and other third parties.
As a company, we strive to protect our customers’ privacy consistent with applicable law. Consequently, we generally do not provide personal information about our customers without legal process. In accordance with our contractual commitments to our customers, we may need to challenge legal process requesting disclosure of personal information where such requests are inconsistent with applicable data protection laws. In addition, from time to time, government entities may seek our assistance with obtaining information about our customers or could request that we modify our network and products in a manner to permit access or monitoring. In light of our privacy commitments, we may legally challenge law enforcement requests to provide a feed of content transiting our network, to obtain encryption keys, or to modify or weaken encryption. We may face complaints from individuals who assert we have provided their information improperly to law enforcement or in response to third-party abuse complaints, despite policies we have in place to protect that information. To the extent that we do not provide assistance to or comply with requests from government entities or challenge those requests publicly or in court, we may experience adverse political, business, and reputational consequences. We may also face such adverse political, business, and reputational consequences to the extent that we provide, or are perceived as providing, assistance to government entities that exceeds our legal obligations. For example, we periodically receive requests for information purportedly originating from law enforcement agencies or pursuant to legal process, but which are fraudulent or improper attempts to cause us to reveal customer information. Any such disclosure could significantly and adversely impact our business and reputation.
We publish a transparency report on a semi-annual basis to provide details of law enforcement and government requests we receive. Our transparency report also includes a list of certain actions we have not taken in response to law enforcement requests. If we are ever required by law enforcement to take one or more of the actions covered by those disclosures, then we would have to remove the applicable disclosures from our transparency report. Both the publishing of our transparency report and, conversely, the potential narrowing of the list of actions we have not taken in response to law enforcement requests could damage our business and reputation.
Our business could be adversely impacted by changes in Internet access for our customers as a result of competitive behavior or laws specifically governing the Internet.
Our network performance and reliability depends on the quality of our customers’ access to the Internet. Certain features of our network require significant bandwidth and fidelity to work effectively. Internet access is frequently provided by companies that have significant market power that could take actions that degrade, disrupt, or increase the cost of user access to our network, which would negatively impact our business. We could incur greater
40

operating expenses and our customer acquisition and retention could be negatively impacted if other network operators:
implement usage-based pricing;
discount pricing for competitive products;
otherwise materially change their pricing rates or schemes;
charge us to deliver our traffic at certain levels or at all;
throttle traffic based on its source or type;
implement bandwidth caps or other usage restrictions; or
otherwise try to monetize or control access to their networks.
In addition, there are various laws and regulations that could impede the growth of the Internet or online services, and new laws and regulations may be adopted in the future. These laws and regulations could involve interconnection and network management; taxation; tariffs; privacy; data protection; content; copyrights; distribution; electronic contracts and other communications; consumer protection; and requirements for the characteristics and quality of services, any of which could decrease the demand for, or the usage of, our products. Legislators and regulators may make legal and regulatory changes, or interpret and apply existing laws, in ways that require us to incur substantial costs, expose us to unanticipated civil or criminal liability, or cause us to change our business practices. If these changes are implemented, it could have an adverse and negative impact on our business. In addition, we may be banned from providing our products in certain countries, which would prevent our ability to grow our business in such markets and would also have a detrimental impact on the performance and scope of our network. These changes or increased costs could materially harm our business, results of operations, and financial condition.
Failure to comply with laws and regulations applicable to our business could subject us to fines and penalties and could also cause us to lose customers or otherwise harm our business.
Our business is subject to regulation by various federal, state, local, and foreign governmental agencies, including agencies responsible for monitoring and enforcing compliance with various legal obligations, such as privacy and data protection laws and regulations, intellectual property laws, employment and labor laws, workplace safety, environmental laws, consumer protection laws, anti-bribery laws, governmental trade sanctions laws, import and export controls, anti-corruption and anti-bribery laws, federal securities laws, and tax laws and regulations. In certain jurisdictions, these regulatory requirements may be more stringent than in the United States. These laws and regulations impose added costs on our business. Noncompliance with applicable regulations or requirements could subject us to:
investigations, enforcement actions, and sanctions;
mandatory changes to our network and products;
disgorgement of profits, fines, and damages;
civil and criminal penalties or injunctions;
claims for damages by our customers or channel partners;
termination of contracts;
loss of intellectual property rights; and
temporary or permanent debarment from sales to government organizations.
If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be adversely affected. In addition, responding to any action will likely result in a significant diversion of our management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could materially harm our business, results of operations, and financial condition.
Additionally, companies in the technology industry have recently experienced increased regulatory scrutiny. Any reviews by regulatory agencies or legislatures may result in substantial regulatory fines, changes to our business
41

practices, and other penalties, which could negatively affect our business and results of operations. Changes in social, political, and regulatory conditions or in laws and policies governing a wide range of topics may cause us to change our business practices. Further, our expansion into a variety of new fields also could raise a number of new regulatory issues. These factors could negatively affect our business and results of operations in material ways.
Our actual or perceived failure to comply with privacy, data protection, and information security laws, regulations, and obligations could harm our business.
We receive, store, use, and otherwise process personal information and other information relating to individuals. There are numerous federal, state, local, and international laws and regulations regarding privacy, data protection, information security, and the storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other content, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions, or conflict with other rules. These data protection and privacy-related laws and regulations are evolving and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. For example, the EU’s General Data Protection Regulation (the GDPR), in effect since May 25, 2018, imposes more stringent data protection requirements than previous EU data protection laws and provides for penalties for noncompliance of up to the greater of €20 million or four percent of worldwide annual revenues. In addition, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Privacy Shield in July 2020. The GDPR requires that certain mechanisms must be in place in order for the personal data of EU residents to be transferred to the United States for processing. The U.S.-EU Privacy Shield was one such mechanism. The CJEU’s decision also called into question the validity of the EU Standard Contractual Clauses (SCCs) — the other widely used mechanism for transferring data to the United States — due to concerns that the U.S. government’s laws and practices surrounding access to personal data transferred to the United States fall short of EU legal privacy requirements. Following the CJEU decision, the European Data Protection Board (EDPB) issued draft recommendations on the standards to be met for transfers of personal data from the European Union to the United States. In addition, the European Commission issued new draft SCCs to govern transfers of personal data to the United States. Following any issuance of final new SCCs, and in light of relevant regulatory guidance, we will need to identify different transfer mechanisms and/or change our use of SCCs in order to lawfully transfer certain personal data from the European Union to the United States. This could result in substantial costs, require changes to our business practices, limit our ability to provide certain products in certain jurisdictions, or materially adversely affect our business and operating results.

Additionally, Brexit has created additional uncertainty with regard to the regulation of data protection in the United Kingdom. In particular, although the United Kingdom has enacted legislation that is substantially consistent with the GDPR, with penalties for noncompliance of up to the greater of four percent of global revenues or £17.5 million. The European Commission and the United Kingdom government announced a Trade and Cooperation Agreement on December 24, 2020, providing for a temporary free flow of personal data between the EU and the United Kingdom, but it remains to be seen how Brexit will impact the manner in which United Kingdom data protection laws or regulations will develop and how data transfers to and from the United Kingdom will be regulated and enforced in the longer term.
The number of data protection laws globally is rising as more countries, including India, Australia, New Zealand, Singapore, and Japan explore new or updated comprehensive data protection regimes. For example, Brazil’s comprehensive data protection law, the Lei Geral de Proteção de Dados (the LGPD) went into effect in 2020 and contains requirements for contractual guarantees that need to be in place for personal data to be processed outside Brazil and penalties may result in fines of up to 2% of the organization’s Brazilian revenue for the prior year, up to a total of 50 million reais (or approximately $9.3 million USD) per violation. In China, we continue to monitor legal and government advisory developments regarding the Chinese Cybersecurity Law and Draft Cybersecurity Review Measures for impacts to our business related to cross-border data transfer limitations and evolving privacy, security, or data protection requirements.
In the United States, the California Consumer Privacy Act (the CCPA) went into effect on January 1, 2020 and accompanying regulations were issued by the California Office of the Attorney General in June 2020. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and afford such consumers new abilities to access and delete their personal information, and to opt-out of certain sales of personal information. On November 3, 2020, California voters approved the California Privacy Rights and Enforcement Act (the CPRA), which is expected to go into effect on January 1, 2023. The CPRA significantly modifies the CCPA and further aligns California privacy laws with the GDPR. The approval of the CPRA introduces additional uncertainty to the California privacy landscape as the California legislature will be required to reconcile the CCPA with the CPRA, and the California Office of the Attorney General will need to provide additional regulatory guidance, as well as
42

create a new data protection regulatory body, all of which will likely result in us incurring additional costs and expenses in an effort to comply with the evolving requirements.
We will need to closely monitor developments, including enforcement actions or private litigation under the LGPD, the CCPA, and other laws to determine if we will need to modify our data processing practices and policies, which may result in us incurring additional costs and expenses in an effort to comply.

We are also subject to the terms of our privacy policies and contractual obligations to third parties related to privacy, data protection, and information security. We strive to comply with applicable laws, regulations, policies, and other legal obligations relating to privacy, data protection, and information security to the extent possible. However, the regulatory framework for privacy and data protection worldwide is evolving rapidly, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices.

We also expect that there will continue to be new laws, regulations, and industry standards concerning privacy, data protection, and information security proposed and enacted in various jurisdictions. For example, in the United States, various laws and regulations apply to the collection, processing, disclosure and security of certain types of data, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and state laws relating to privacy and data security. There are also a number of proposed U.S. federal and state privacy and data protection bills under consideration in Congress and state legislatures across the country. In addition, some countries are considering or have enacted legislation requiring local storage and processing of data that could increase the cost and complexity of delivering our services.
Any failure or perceived failure by us to comply with our privacy policies, our privacy-related obligations to customers or other third parties, applicable laws or regulations, or any of our other legal obligations relating to privacy, data protection, or information security may result in governmental investigations or enforcement actions, litigation, claims, or public statements against us by consumer advocacy groups or others and could result in significant liability or cause our customers to lose trust in us, which could cause them to cease or reduce use of our products and otherwise have an adverse effect on our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the adoption and use of, and reduce the overall demand for, our products.
Additionally, if third parties we work with, such as sub-processors, vendors, or developers, violate applicable laws or regulations, contractual obligations, or our policies—or if it is perceived that such violations have occurred—such actual or perceived violations may also have an adverse effect on our business. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, disclosure, or other processing of users’ content, or regarding the manner in which the express or implied consent of users for the collection, use, retention, disclosure, or other processing of such content is obtained, could increase our costs and require us to modify our network, products, and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and process customer data or develop new products and features.
We are subject to anti-corruption, anti-bribery, and similar laws, and noncompliance with such laws can subject us to criminal penalties or significant fines and harm our business and reputation.
We are subject to the U.S. Foreign Corrupt Practices Act of 1977, the UK Bribery Act 2010, and other anti-corruption, anti-bribery, anti-money laundering, and similar laws in the United States and other countries in which we conduct activities. Anti-corruption and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees and agents from promising, authorizing, making, or offering improper payments or other benefits to government officials and others in the public sector. We leverage third parties, including channel partners, to sell subscriptions to our products, host many of our co-location facilities for our network, and conduct our business abroad. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of our business partners and intermediaries, our employees, representatives, contractors, channel partners and agents, even if we do not explicitly authorize such activities. Further, some of our international sales activity occurs, and some of our network infrastructure is located, in parts of the world that are recognized as having a greater potential for business practices that violate anti-corruption, anti-bribery, or similar laws.
43

We cannot assure you that all of our employees and agents have complied with, or in the future will comply with, our policies and applicable law. As we continue to increase our international sales and business and expand our network globally, our risks under these laws may increase. The investigation of possible violations of these laws, including internal investigations and compliance reviews that we may conduct from time to time, could have a material adverse effect on our business. Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts and other contracts, other enforcement actions, the appointment of a monitor, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage and other consequences. Other internal and government investigations, regulatory proceedings, or litigation, including private litigation filed by our stockholders, may also follow as a consequence. Any investigations, actions, or sanctions could materially harm our reputation, business, results of operations, and financial condition. Further, the promulgation of new laws, rules or regulations or new interpretations of current laws, rules or regulations could impact the way the we do business in other countries, including requiring us to change certain aspects of our business to ensure compliance, which could reduce revenue, increase costs, or subject us to additional liabilities.
We may face fines, penalties, or other costs, either directly or vicariously, if any of our partners, resellers, contractors, vendors or other third parties fail to adhere to their compliance obligations under our policies and applicable law.
We use a number of third parties to perform services or act on our behalf in areas like sales, network infrastructure, administration, research, and marketing. It may be the case that one or more of those third parties fail to adhere to our policies or violate applicable federal, state, local, and international laws, including but not limited to, those related to corruption, bribery, economic sanctions, and export/import controls. Despite the significant challenges in asserting and maintaining control and compliance by these third parties, we may be held fully liable for third parties’ actions as fully as if they were a direct employee of ours. Such liabilities may create harm to our reputation, inhibit our plans for expansion, or lead to extensive liability either to private parties or government regulators, which could adversely impact our business, results of operations, and financial condition.
We may have exposure to greater than anticipated income tax liabilities and may be affected by changes in tax laws, which could adversely impact our results of operations.
We operate in a number of tax jurisdictions globally, including in the United States at the federal, state, and local levels, and in many other countries, and plan to continue to expand the scale of our operations in the future. Accordingly, we are subject to income taxes in the United States and various jurisdictions outside of the United States. While to date we have not incurred significant income taxes in operating our business, we may in the future face significant tax liabilities. Our tax expense could also be impacted by changes in non-deductible expenses, changes in excess tax benefits from stock-based compensation, changes in the valuation of deferred tax assets and liabilities and our ability to utilize them, the applicability of withholding taxes, and effects from acquisitions.
Our tax provision could also be impacted by changes in accounting principles, changes in U.S. federal, state, or international tax laws applicable to corporate multinationals such as the recent legislation enacted in the United States, other fundamental law changes currently being considered by many countries, and changes in taxing jurisdictions’ administrative interpretations, decisions, policies, and positions. For example, on December 22, 2017, tax reform legislation referred to as the Tax Cuts and Jobs Act (the Tax Act) was enacted in the United States. The Tax Act significantly revises U.S. federal income tax law, including lowering the corporate income tax rate to 21%, requiring companies to pay a one-time transition tax on certain unrepatriated earnings of foreign subsidiaries, implementing a modified territorial tax system, requiring a current inclusion in U.S. federal taxable income of certain earnings of controlled foreign corporations, and creating a base erosion anti-abuse tax.
Additionally, in October 2015, the Organisation for Economic Co-Operation and Development (the OECD) released final guidance covering various topics, including transfer pricing, country-by-country reporting, and definitional changes to permanent establishment that could ultimately impact our tax liabilities. In March 2018, the European Commission released a proposal for a European Council directive on taxation of specified digital services. The proposal calls for an interim tax on certain revenues from digital activities, as well as a longer-term regime that creates a taxable presence for digital services and imposes tax on digital profits. We do not yet know the impact this proposal, if implemented, would have on our financial results. A number of other jurisdictions, including the United Kingdom, are considering enacting similar digital tax regimes. These efforts are alongside the OECD’s ongoing work, as part of its Base Erosion and Profit Shifting Action Plan, to issue a final report in 2021 that provides a long-
44

term, multilateral proposal on taxation of the digital economy. Any of the foregoing changes could have an adverse impact on our results of operations, cash flows, and financial condition.
Our results of operations may be harmed if we are required to collect sales and use, gross receipts, value-added, or similar taxes for our products in jurisdictions where we have not historically done so.
Sales and use, value-added, goods and services, and similar tax laws and rates vary greatly by jurisdiction. Our customers can be located in one jurisdiction, utilize our network and products through our network equipment in a different jurisdiction, and pay us from an account located in a third jurisdiction. This divergence, along with the jurisdiction-by-jurisdiction variance in tax laws, causes significant uncertainty in the tax treatment of our business. There is further uncertainty as to what constitutes sufficient physical presence or nexus for a national, state, or local jurisdiction to levy taxes, fees, and surcharges for sales made over the Internet, and there is also uncertainty as to whether our characterization of our network and products as not taxable in certain jurisdictions will be accepted by national, state, and local taxing authorities. In determining our tax filing obligations, management has made judgments regarding whether our activities in a jurisdiction rise to the level of taxability. These judgments may prove inaccurate, and one or more states or countries may seek to impose additional sales, use, or other tax collection obligations on us, including for past sales by us. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as state and other tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. Furthermore, the U.S. Supreme Court’s ruling in South Dakota v. Wayfair may permit wider enforcement of sales tax collection requirements. A successful assertion by a state, country, or other jurisdiction that we should have been or should be collecting additional sales, use, or other taxes on our network and products could, among other things, result in substantial tax liabilities for past sales, create significant administrative burdens for us, discourage customers from purchasing our network and products, or otherwise harm our business, results of operations, and financial condition.
Our international operations require us to exercise judgment in determining the applicability of tax laws, which may subject us to potentially adverse tax consequences.
We are subject to income taxes as well as non-income-based taxes, such as payroll, sales, use, value-added, property, and goods and services taxes, in both the United States and various foreign jurisdictions. Our domestic and international tax liabilities are subject to various jurisdictional rules regarding the timing and allocation of revenue and expenses. Additionally, the amount of income taxes paid is subject to our interpretation of applicable tax laws in the jurisdictions in which we file and to changes in tax laws. Significant judgment is required in determining our worldwide provision for income taxes and other tax liabilities. From time to time, we may be subject to income and non-income tax audits. While we believe we have complied with all applicable tax laws, there can be no assurance that a governing tax authority will not have a different interpretation of the law and assess us with additional taxes, including with respect to intercompany transfer pricing and the collection of sales and use tax, value-added tax, and goods and services tax. Should we be assessed with additional taxes, there could be a material adverse effect on our business, results of operations, and financial condition.
Our future effective tax rate may be affected by such factors as changes in tax laws, regulations, or rates, changing interpretation of existing laws or regulations, the impact of accounting for stock-based compensation, the impact of accounting for business combinations, changes in our international organization, and changes in our overall levels of income before tax. In addition, in the ordinary course of our global business, there are many intercompany transactions and calculations where the ultimate tax determination is uncertain. Although we believe that our tax estimates are reasonable, we cannot ensure that the final determination of tax audits or tax disputes will not be different from what is reflected in our historical income tax provisions and accruals. There can be no assurance that the outcomes from these continuous examinations will not have an adverse effect on our results of operations.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
As of December 31, 2020, we had net operating loss carryforwards for U.S. federal income tax purposes of $448.7 million, net of uncertain tax positions, available to offset future U.S. federal taxable income that will begin to expire in 2029 for tax years beginning before December 31, 2017. Also as of December 31, 2020, we had net operating loss carryforwards for state income tax purposes of $215.8 million, net of uncertain tax positions, available to offset future state taxable income that will begin to expire in 2026. As of December 31, 2020, we had foreign tax credit carryforwards for federal income tax purposes of $1.8 million that will begin to expire, if not utilized, in 2025. Also as of December 31, 2020, we had federal research and development tax credit carryforwards of $8.2 million, net of
45

uncertain tax positions, that will begin to expire in 2029 and state research and development tax credit carryforwards of $6.0 million, net of uncertain tax positions, that can be carried forward indefinitely.
Utilization of our net operating loss carryforwards and other tax attributes, such as research and development tax credits, may be subject to annual limitations, or could be subject to other limitations on utilization or benefit due to the ownership change limitations provided by Sections 382 and 383 of the Internal Revenue Code of 1986, as amended (the Code), and other similar provisions. Under Sections 382 and 383 of the Code, if a corporation undergoes an “ownership change,” the corporation’s ability to use its pre-change net operating loss carryforwards and other pre-change attributes, such as research tax credits, to offset its post-change income may be limited. In general, an “ownership change” will occur if there is a cumulative change in our ownership by “5-percent shareholders” that exceeds 50 percentage points over a rolling three-year period. Similar rules may apply under state tax laws. We may have experienced various ownership changes, as defined by the Code, as a result of past financing transactions (or other activities), and we may experience ownership changes in the future as a result of subsequent changes in our stock ownership, some of which may be outside our control.
Further, the Tax Act imposed limitations on the use of certain net operating losses; however, the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act), which was enacted in March 2020 in response to the COVID-19 pandemic, temporarily removes such limitations for years 2018 through 2020. The CARES Act contains numerous income tax provisions, such as relaxing limitations on the deductibility of interest and the use of net operating losses arising in taxable years beginning after December 31, 2017. Future regulatory guidance under the CARES Act (as well as under the Tax Act) remains forthcoming, and such guidance could ultimately increase or lessen their impact on our business and financial condition. Our net operating loss carryforwards may also be subject to limitations in other jurisdictions. For example, California recently enacted legislation suspending the use of net operating losses for taxable years 2020, 2021, and 2022 for many taxpayers. Net operating loss carryforwards and other tax assets could expire before utilization and could be subject to limitations, which could harm our business, revenue, and financial results. It is also possible that Congress will enact additional legislation in connection with the COVID-19 pandemic, some of which may adversely impact our business.
Risks Related to International Operations
Our international operations expose us to significant risks, and failure to manage those risks could materially and adversely impact our business and results of operations.
Historically, we have derived a significant portion of our revenue from outside the United States. We derived 49%, 50%, and 52% of our revenue from our international customers for the years ended December 31, 2020, 2019, and 2018, respectively. We are continuing to adapt to and develop strategies to address international markets and our growth strategy includes expansion into geographies around the world, but there is no guarantee that such efforts will be successful. In addition, our global network includes co-location facilities located in more than 200 cities and over 100 countries worldwide as of December 31, 2020. We expect that our international sales and network activities will continue to grow in the future, as we continue to pursue opportunities in international markets and further grow our network around the world. These international operations will require significant management attention and financial resources and are subject to substantial risks, including:
political, economic, and social uncertainty, including the potential nationalization of key peering partners by foreign governments or political unrest that affects our ability to continue to work with particular peering partners, potential terrorist activities, and the unknown impact of regional or global health crises, or epidemic or pandemic diseases, such as the ongoing COVID-19 pandemic;
changes in a specific country’s or region’s political or economic conditions, including in the United Kingdom as a result of its withdrawal from the EU, which is often referred to as "Brexit";
unexpected costs for the localization of our products, including translation into foreign languages and adaptation for local practices and regulatory requirements;
greater difficulty in enforcing contracts and accounts receivable collection, and longer collection periods;
reduced or uncertain protection for intellectual property rights in some countries;
greater risk of unexpected changes in regulatory practices, tariffs, and tax laws and treaties, including with respect to our business in China;
46

greater risk of a failure of foreign employees and channel partners to comply with both U.S. and foreign laws, including antitrust regulations, anti-bribery laws, export and import control laws, and any applicable trade regulations ensuring fair trade practices;
heightened security risks associated with our co-location facilities in high-risk countries and the software code and systems access shared with our service providers located in such countries; including in the Hong Kong region as a result of the National Security Law passed in June 2020;
greater risks associated with third-party contractors that we use to install and maintain our hardware in co-location facilities in foreign countries and the limited background checks and screening that we can perform on such service providers;
regulations related to privacy, data protection, security requirements, data localization, or content restriction that could pose risks to our intellectual property, increase the cost of doing business in a country, subject us to greater risks of claims and enforcement actions by regulators or others, subject us and our current and potential customers to burdensome requirements, increase the chance that current and potential customers may be unable to use our products or may be required to lessen or alter how they use our products, or create other disadvantages to our business or negative impacts on our results of operations;
changes in laws, regulations, and costs affecting our U.K. operations and local employees due to Brexit;
increased expenses incurred in establishing and maintaining office space and equipment for our international operations;
greater difficulty in identifying, attracting, and retaining local qualified personnel and the costs and expenses associated with such activities;
differing employment practices and labor relations issues, which may make expansion or contraction of our workforce, or changes in the terms of employment, in such countries more costly and time-consuming and subject us to a greater risk of disputes or litigation;
increased regulatory requirements and litigation risk related to the presence of our physical infrastructure in countries around the world;
difficulties in managing and staffing international offices and increased travel, infrastructure, and legal compliance costs associated with operating multiple international locations; and
fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business, particularly the United Kingdom and Singapore where we have large offices and pay employees in local currency.
The expansion of our existing international operations and entry into additional international markets will require significant management attention and financial resources. Our failure to successfully manage our international operations and the associated risks could limit the future growth of our business. In particular, we are exposed to risks in China, which amounts to a significant part of both our short-term and long-term revenue growth plans. Our Chinese operations are substantially dependent on our relationships with JD Cloud & AI and, in the short term, Baidu, and due to economic and political challenges in servicing the Chinese market, the loss of this arrangement could have a significant adverse effect on our business and results of operations.
Geo-political events such as Brexit may increase the likelihood of certain of these risks materializing or heighten their impact on us in affected regions. In particular, it is possible that the level of economic activity in the United Kingdom and the rest of Europe will be adversely impacted and that we will face increased regulatory and legal complexities, including those related to tax, trade, data privacy, data protection, security, and employee relations, as a result of Brexit. Given the significance of our presence in the United Kingdom, such changes could be particularly costly and disruptive to our operations and business relationships. In addition, heightened use of trade restrictions such as tariffs or prohibitions on technology transfers to achieve diplomatic ends, including with respect to the current environment of economic trade negotiations and tensions between the Chinese and U.S. governments, could impact our ability to conduct our business as planned.

As discussed in greater detail above in our risk factors, in July 2020, the CJEU invalidated the U.S.-EU Privacy Shield, and this decision may result in European data protection regulators applying differing standards for, and requiring ad hoc verification of, transfers of personal data from the European Union to the United States. As a result of this uncertainty, our current and potential customers in the European Union may be concerned about whether they are able to transfer personal data to the United States in connection with the usage of our global network and
47

products. If these concerns result in our current and potential customers in Europe reducing their usage of our products, then our results of operations could be adversely impacted. Further, we anticipate needing to identify different transfer mechanisms and/or change our use of certain standard contractual clauses in order to lawfully transfer certain personal data from the European Union to the United States. This could result in substantial costs, require changes to our business practices, limit our ability to provide certain products in certain jurisdictions, or materially adversely affect our business and operating results.
Our business could be adversely impacted by the decision of foreign governments, Internet service providers, or others, to block transmission from Cloudflare IP addresses in order to enforce certain Internet content blocking efforts.
Some of our security products involve making origin IP addresses and other operational assets of our customers more difficult for cyber attackers to target. The evolving design of our network and products may create challenges for various organizations, including governments, that seek to block certain content based on IP address “black lists” or other mechanisms. This problem is exacerbated by the fact that a single Cloudflare IP address may be used for a number of Internet properties, and the Cloudflare IP used for any one Internet property may change over time. This means that efforts by ISPs to block a single domain name may end up blocking a number of other domains that share that Cloudflare IP address or domains that use that same Cloudflare IP address previously or subsequently. If these challenges become too difficult for those organizations to overcome, they could make the decision to block content in an overbroad manner or block completely websites and other Internet properties that are using our network and/or transmitted using known Cloudflare IP addresses. Some of these blocking efforts would be out of our control once they have been put in place and may limit our ability to provide our products on a fully global basis, which could reduce demand for our products among current or potential customers that are focused on the impacted regions or could otherwise adversely impact our business, results of operations, and financial condition.
Our network presence within China is dependent upon our commercial relationships with JD Cloud & AI, and, in the short term, Baidu, and any detrimental changes in, or the termination of, those relationships could jeopardize our ability to offer an integrated global network that includes China.
We believe our offering of an integrated global network that includes facilities in China is important to our existing and potential future customers. Our ability to continue to offer an integrated network presence that includes China currently is dependent on our new commercial relationship with JD Cloud & AI and the continuation through June 30, 2021 of our historical commercial relationship with Baidu. Regulation of Internet infrastructure and traffic by the Chinese government creates challenges to the peering of Chinese and non-Chinese networks. We have strategic agreements with JD Cloud & AI and Baidu to provide solutions that accommodate the requirements imposed by Chinese regulations through JD Cloud & AI's and Baidu’s development and operation of facilities in China that are included as part of our network. Our agreement with JD Cloud & AI was announced in 2020 and the term of the agreement expires on April 1, 2023. There can be no assurance that we will be able to extend our agreement with JD Cloud & AI in the future or if any such extension would be available on comparable terms. Our existing agreement with Baidu expires on June 30, 2021 with respect to the inclusion of Baidu’s facilities in China as part of our network, and we do not expect that any further extension of the Baidu agreement will occur. Each of these agreements is subject to earlier termination by either party under certain circumstances such as the other party’s material breach. In addition, each of these agreements can be terminated by JD Cloud & AI or Baidu, as applicable, under certain circumstances if necessary Chinese governmental approvals are revoked or become limited or impaired or if public law or regulatory action by the Chinese or U.S. government expressly prohibits or materially restricts the collaboration contemplated by the agreement. The risk of such an early termination event may have increased during the current environment of economic trade negotiations and tensions between the Chinese and U.S. governments.

Our customers that use our network presence in China through our JD Cloud & AI and Baidu commercial relationships are subject to Chinese laws and regulations of Internet infrastructure, traffic, and content. Under our agreements with JD Cloud & AI and Baidu, in some circumstances, these customers’ use of our Chinese network presence can be terminated if they violate these laws and regulations. The removal of our customers from our Chinese network presence could result in these customers deciding to terminate their overall relationship with us. In addition, any adverse publicity associated with the removal of some or all of our customers from our Chinese network presence as a result of the application of Chinese laws and regulations could cause us to experience adverse reputational and business consequences.

In addition, we currently are in the process of building out our new China network with JD Cloud & AI. If this build-up is interrupted or is not sufficiently completed prior to the termination of our access to the Baidu facilities, then our
48

ability to provide China network services to our customers could become impaired and the resulting loss of utility to many of our customers could materially harm our business.

If our commercial relationship with JD Cloud & AI is terminated, identifying an alternative solution in China could be difficult, time-consuming, and expensive. Even if an alternative solution is identified, we cannot be certain that the economic terms or performance of any such alternative arrangement will be comparable to our existing relationship with JD Cloud & AI, which could materially negatively impact our financial results and customer satisfaction with such alternative arrangement. A lack of network presence in China would represent a significant loss of utility to many of our customers and could materially harm our business.
We are subject to governmental trade sanctions laws, and export and import controls, that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.
Our business activities are subject to various economic and trade sanctions regulations administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and U.S. export control and similar foreign laws and regulations, including the U.S. Department of Commerce’s Export Administration Regulations (EAR). We incorporate encryption technology into certain of our products, and the encryption products and the underlying technology may be exported outside the United States only with the required export authorizations, including by license, a license exception, or other appropriate government authorizations, including the filing of classification requests or self-classification reports. Further, the U.S. economic sanctions laws and export control laws include restrictions or prohibitions on the sale or supply of most products and services to U.S. embargoed or sanctioned countries, governments, persons, and entities. Even though we take precautions and have implemented policies and practices to assist in compliance, there is a risk that we may not be in full compliance with these laws.
In 2019, we learned that we may have failed to comply with certain U.S. export-related filing and reporting requirements and may have submitted incorrect information to the U.S. government in connection with certain hardware exports. Upon learning of these potential violations and associated export control requirements, we promptly initiated a voluntary internal review and are taking remedial measures to prevent similar export control anomalies from occurring in the future. In May 2019, we submitted an initial voluntary self-disclosure to the Bureau of Industry and Security regarding potential violations of EAR and a voluntary self-disclosure to the Census Bureau regarding potential violations of the Foreign Trade Regulations. In July 2019, we filed the full and complete voluntary self-disclosures. The voluntary self-disclosure to the Census Bureau was completed with no penalties in November 2019. The voluntary self-disclosure to the Bureau of Industry and Security was completed with no penalties in June 2020.

In May 2019, we submitted an initial voluntary self-disclosure to OFAC related to our non-compliance with certain economic and trade sanctions programs, and we filed the full and complete voluntary self-disclosure to OFAC in July 2019. Specifically, we identified that our products were used by, or for the benefit of, certain individuals and entities included in OFAC’s Specially Designated Nationals and Blocked Persons List, including entities identified in OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs and individuals or entities affiliated with governments currently subject to comprehensive U.S. sanctions or located in regions subject to comprehensive sanctions. A small number of these parties made payments to us in connection with their use of our products. In January, July, September, and December 2020, we responded to additional questions from OFAC. The voluntary self-disclosure, which we may supplement as appropriate, remains under review by OFAC.

Although we have implemented, and are working to implement additional controls and screening tools designed to prevent similar activity from occurring in the future, there is no guarantee that we will not inadvertently provide our products to additional individuals, entities, or governments prohibited by U.S. sanctions in the future.
Additionally, we currently provide products to certain OFAC-sanctioned regions based upon general licenses issued by OFAC to engage in such activity. We continue to review the OFAC sanctions and our practices to verify compliance.
These efforts related to export controls and OFAC sanctions could result in negative consequences for us, including costs related to government investigations, financial penalties and harm to our reputation. The impact on us related to these matters could be substantial.
In addition, various countries regulate the import of certain technologies and have enacted or could enact laws that could limit our ability to provide our products and operate our network or could limit our customers’ ability to access or use our network and products in those countries.
49

If we are found to have violated the U.S. or foreign laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may be materially and adversely affected through penalties, reputational harm, loss of access to certain markets, loss of customers, or otherwise. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. In addition, changes in our network, products, or screening process, or changes in export, sanctions, and import laws, could delay the introduction and sale of subscriptions to our products in international markets, prevent customers in certain countries from accessing our network and products or, in some cases, prevent the provision of our network and products to certain countries, governments, persons, or entities altogether. Any decrease in our ability to sell our products could materially and adversely affect our business, results of operations, and financial condition.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our results of operations.
Substantially all of our sales contracts are denominated in U.S. dollars and, therefore, substantially all of our revenue is not subject to foreign currency risk. However, a strengthening of the U.S. dollar could increase the real cost of our products to our customers outside of the United States, which could reduce demand for our products and adversely affect our financial condition and results of operations.
As our international operations expand, an increasing portion of our revenue and operating expenses is incurred outside the United States and is denominated in foreign currencies, such as the British Pound and Singapore Dollar. Accordingly, our revenue and operating expenses are increasingly subject to fluctuations due to changes in foreign currency exchange rates. As we continue to expand our international operations, we may become more exposed to foreign currency risk or remeasurement risk. If we become more exposed to currency fluctuations and are not able to successfully hedge against the risks associated with currency fluctuations, our results of operations could be materially and adversely affected.
Risks Related to Intellectual Property
We are currently, and may be in the future, party to intellectual property rights claims and other litigation matters that, if resolved adversely, could have a material impact on our business, results of operations, or financial condition.
We own a large number of patents, copyrights, trademarks, domain names, and trade secrets and, from time to time, are subject to litigation based on allegations of infringement, misappropriation, or other violations of intellectual property or other rights. As we face increasing competition and gain an increasingly high profile, the possibility of intellectual property rights claims, commercial claims, and other assertions against us grows. In addition, a number of companies in our industry hold a large number of patents and also protect their copyright, trade secret, and other intellectual property rights, and companies in the networking and security industry frequently enter into litigation based on allegations of patent infringement or other violations of intellectual property rights. We have in the past been, are currently, and may from time to time in the future become, a party to litigation and disputes related to intellectual property, our business practices, and our products. For example, we are a defendant in lawsuits, both in the United States and abroad, seeking injunctive relief and/or damages against us based on content that is made available through our customers’ websites, and these lawsuits include copyright infringement claims. We may also be subject to governmental and other regulatory investigations from time to time. The costs of supporting litigation and dispute resolution proceedings are considerable, and there can be no assurances that a favorable outcome will be obtained. Disputes, whether or not favorably resolved, may generate negative publicity and damage our reputation. We may need to settle litigation and disputes on terms that are unfavorable to us, or we may be subject to an unfavorable judgment that may not be reversible upon appeal. The terms of any settlement or judgment may require us to cease some or all of our operations or pay substantial amounts to the other party. With respect to any intellectual property rights claim, we may have to seek a license to continue practices found to be in violation of third-party rights, which may not be available on reasonable terms and may significantly increase our operating expenses. A license to continue such practices may not be available to us at all, and we may be required to develop alternative non-infringing technology or practices or discontinue the practices. The development of alternative, non-infringing technology or practices could require significant effort and expense. Our business, results of operations, and financial condition could be materially and adversely affected as a result.
50

Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
Our agreements with certain of our customers or other third parties may include indemnification or other provisions under which we agree to indemnify or otherwise be liable to them for losses suffered or incurred as a result of claims of intellectual property infringement, damages caused by us to property or persons, or other liabilities relating to or arising from the use of our network and products or other acts or omissions. The term of these contractual provisions often survives termination or expiration of the applicable agreement. We have in the past been sued on the basis of alleged violation of intellectual property rights in the form of patents and trade secrets. Although we were successful in defending the claims to date, as we continue to grow, the possibility of these and other intellectual property rights claims against us may increase. For any intellectual property rights indemnification claim against us or our customers, we may incur significant legal expenses and have to pay damages, pay license fees and/or stop using technology found to be in violation of the third party’s rights. Large indemnity payments could harm our business, results of operations, and financial condition. We may also have to seek a license for the disputed technology. Such license may not be available on reasonable terms, if at all, and may significantly increase our operating expenses or may require us to restrict our business activities and limit our ability to deliver certain products. As a result, we may also be required to develop alternative non-infringing technology, which could require significant effort and expense and/or cause us to alter our network or products, which could negatively affect our business.
From time to time, customers require us to indemnify or otherwise be liable to them for breach of confidentiality, violation of applicable law, or failure to implement adequate security measures with respect to their data stored, transmitted, or accessed using our network and products. Our standard Enterprise plan agreements provide limited indemnification to our customers based on third-party claims related to our violation of intellectual property rights, and some of our Enterprise plan agreements offer indemnification for claims beyond that scope. The existence of such a dispute may have adverse effects on our customer relationship and reputation and we may still incur substantial liability related to them.
Any assertions by a third party, whether or not successful, with respect to such indemnification obligations could subject us to costly and time-consuming litigation, expensive remediation and licenses, divert management attention and financial resources, harm our relationship with that customer and other current and prospective customers, reduce demand for our products, and harm our brand, business, results of operations, and financial condition.
Our failure to protect our intellectual property rights and proprietary information could diminish our brand and other intangible assets.
We rely and expect to continue to rely on a combination of patent, patent licenses, trade secret, domain name protection, trademarks, copyrights, and confidentiality and license agreements with our employees, consultants, and third parties in order to protect our intellectual property and proprietary rights. As of December 31, 2020, we had 150 issued patents and 80 pending patent applications in the United States and abroad. However, third parties may knowingly or unknowingly infringe our proprietary rights. Third parties may challenge our proprietary rights, pending and future patent, trademark, and copyright applications may not be approved, and we may not be able to prevent infringement without incurring substantial expense. We have also devoted substantial resources to the development of our proprietary technologies and related processes, and we provide access to these technologies and processes to certain of our vendors and partners, including Baidu and JD Cloud & AI with respect to the facilities included within our network in China. We must protect this proprietary information in order to realize commercial benefit from our investment.
In order to protect our proprietary technologies and processes, we rely in part on trade secret laws and confidentiality agreements with our employees, consultants, and third parties. These agreements may not effectively prevent disclosure of confidential information and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. In addition, others may independently discover our trade secrets or develop similar technologies and processes, in which case we would not be able to assert trade secret rights against them. Laws in certain jurisdictions may afford little or no trade secret protection, and any changes in, or unexpected interpretations of, the intellectual property laws in any country in which we operate may compromise our ability to enforce our intellectual property rights. We may not be effective in policing unauthorized use of our intellectual property rights, and even if we do detect violations, costly and time-consuming litigation could be necessary to enforce and determine the scope of our proprietary rights, and any such litigation could be unsuccessful, lead to the invalidation of our proprietary rights, or lead to counterclaims by other parties against us. If the protection of our
51

proprietary rights is inadequate to prevent use or appropriation by third parties, the value of our network and products, brand, and other intangible assets may be diminished and competitors may be able to more effectively replicate our network and products and their features. Any of these events could materially and adversely affect our business, results of operations, and financial condition.
We depend and rely upon software and technologies licensed from third parties to operate our business, and interruptions or the unavailability of these technologies may adversely affect our products, network, business, and results of operations.
We rely on software, services, and other technology from third parties that we incorporate into, or integrate with, our network and products. We also rely on software, services, and other technology from third parties in order to operate critical functions of our business, including enterprise resource planning and customer relationship management services. If the software, services, or other technology we rely on become unavailable due to extended outages, the third-party provider disabling our access, expiration or termination of licenses, or because they are otherwise no longer available on commercially reasonable terms, our expenses could increase, and our ability to operate our network, provide our products, and our results of operations could be impaired until equivalent software, technology, or services are obtained or replacements are developed, all of which could adversely affect our business.
If we are unable to license necessary technology from third parties now or in the future, we may be forced to acquire or develop alternative technology, which we may be unable to do in a commercially feasible manner or at all, and we may be required to use alternative technology of lower quality or performance. This could limit and delay our ability to offer new or competitive products and increase our costs of production. As a result, our business and results of operations could be significantly harmed.
We cannot be certain that those from whom we license software and other technology are not infringing the intellectual property rights of third parties or have sufficient rights to the licensed intellectual property in all jurisdictions in which we may sell our products. Accordingly, our use of this intellectual property may expose us to third-party claims of infringement. In addition, many licenses are non-exclusive and may not prevent our competitors from licensing the same technology on equivalent or more favorable terms.
Some of our technology incorporates “open source” software, we license some of our software through open source projects and we voluntarily make available some of our software on an open source basis, which could negatively affect our ability to sell our products, subject us to possible litigation, and be used by other companies to compete against us.
Our network and products incorporate software licensed under open source licenses, including open source software included in software we receive from third-party commercial software vendors. Use of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide support, updates, or warranties, or other contractual protections regarding infringement claims or the quality of the software. In addition, the wide availability of source code incorporated in our products could allow hostile parties to more easily identify security vulnerabilities in our network and products. The terms of some open source licenses may provide that under certain conditions we could be required to release the source code of our proprietary software, and to make our proprietary software available under open source licenses, including authorizing further modification and redistribution. In the event that certain portions of our proprietary software are determined to be subject to such requirements by an open source license, we could be required to publicly release the affected portions of our source code, re-engineer all or a portion of our network or applicable products, or otherwise be limited in the licensing of our products, each of which provide an advantage to our competitors or other entrants to the market, create security vulnerabilities in our products, and could reduce or eliminate the value of our products. Because the terms of open source licenses are novel and have not been widely interpreted by courts, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software or by third parties seeking to enforce the terms of open source licenses against us in a manner we do not anticipate. In addition, we voluntarily make available certain portions of our software on an open source basis to the public and such software could then be used by other companies to compete against us.
Any unanticipated disclosure of, or litigation regarding, our source code and any open source software incorporated into our source code could result in adverse judgments and liabilities, require us to reengineer all or a portion of our network and products, limit the marketing of our products, provide an advantage to our competitors or other entrants to the market, create new security vulnerabilities or highlight existing security vulnerabilities in our network and
52

products, and reduce or eliminate the value of our network and products. We cannot assure you that our processes for controlling our use of open source software in our network and products will be effective.
Risks Related to Ownership of Our Class A Common Stock
The trading price of our Class A common stock may be volatile, and you could lose all or part of your investment.
Prior to our initial public offering (IPO), there was no public market for shares of our Class A common stock. The trading price of our Class A common stock is likely to be volatile and could be subject to fluctuations in response to various factors, some of which are beyond our control. These fluctuations could cause you to lose all or part of your investment in our Class A common stock. Factors that could cause fluctuations in the trading price of our Class A common stock include:
price and volume fluctuations in the overall stock market from time to time;
volatility in the trading prices and trading volumes of technology stocks;
changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
sales of shares of our Class A common stock and Class B common stock by us or our stockholders;
issuance of shares of our Class A common stock, whether in connection with an acquisition or upon conversion of some or all of our outstanding 0.75% Convertible Senior Notes due May 2025 (the Notes);
failure of securities analysts to maintain coverage of us, changes in financial estimates by securities analysts who follow our company, or our failure to meet these estimates or the expectations of investors;
the financial projections we may provide to the public, any changes in those projections, or our failure to meet those projections;
announcements by us or our competitors of new products, features, or services;
the public’s reaction to our press releases, other public announcements, and filings with the SEC;
rumors and market speculation involving us or other companies in our industry;
actual or anticipated changes in our results of operations or fluctuations in our results of operations;
actual or anticipated developments in our business, our competitors’ businesses or the competitive landscape generally;
investments we may make in equity that is, or may become, publicly held, and volatility we may experience due to changes in the market prices of such equity investments;
litigation involving us, our industry, or both, or investigations by regulators into our operations or those of our competitors;
developments or disputes concerning our intellectual property or other proprietary rights;
actual or perceived data security breaches or other data security incidents;
announced or completed acquisitions of businesses, products, services, or technologies by us or our competitors;
new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
changes in accounting standards, policies, guidelines, interpretations, or principles;
any significant change in our management; and
general economic conditions and slow or negative growth of our markets, including due to the impact of the ongoing COVID-19 pandemic.
In addition, in the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action litigation has often been instituted against these companies. This litigation, if instituted against us, could result in substantial costs and a diversion of our management’s attention and resources.
53

The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our initial public offering, and it may depress the trading price of our Class A common stock.
Our Class B common stock has 10 votes per share and our Class A common stock has one vote per share. As of December 31, 2020, our directors, executive officers, and holders of more than 5% of our common stock, and their respective affiliates, held in the aggregate 79.0% of the voting power of our capital stock, with our co-founders together holding approximately 53.8% of the voting power of our capital stock. Because of the ten-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively continue to control a majority of the combined voting power of our common stock and therefore are able to control all matters submitted to our stockholders for approval. This concentrated control will limit or preclude the ability of holders of Class A common stock to influence corporate matters for the foreseeable future, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of shares of Class B common stock and the cessation of employment by holders of our Class B common stock generally result in those shares converting to Class A common stock, subject to limited exceptions, such as certain transfers effected for estate planning purposes and transfers between related entities. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those individual holders of Class B common stock who retain their shares in the long-term.
In July 2017, FTSE Russell and Standard & Poor’s announced that they would cease to include most newly public companies utilizing dual or multi-class capital structures in their indices. Affected indices include the Russell 1000, Russell 2000, and Russell 3000 and the S&P 500, S&P MidCap 400, and S&P SmallCap 600, which S&P indices together make up the S&P Composite 1500. Under the announced policies, our multi-class capital structure in some cases may make us ineligible for inclusion in some or all of these indices, and as a result, mutual funds, exchange-traded funds, and other investment vehicles that attempt to passively track these indices may not invest in our stock if we are not included. It is unclear what effect, if any, these policies have on the valuations of publicly traded companies excluded from the indices, but it is possible that they may depress these valuations compared to those of other similar companies that are included.
Substantial future sales could depress the market price of our Class A common stock.
The market price of our Class A common stock could decline as a result of sales of a large number of shares of such stock, and the perception that these sales could occur may also depress the market price of our Class A common stock.
Under our investors’ rights agreement, certain stockholders can require us to register shares owned by them for public sale in the United States. In addition, we file registration statements to register shares reserved for future issuance under our equity compensation plans. As a result, subject to the satisfaction of applicable exercise periods, the shares issued upon exercise of outstanding stock options or upon settlement of outstanding RSU awards are available for immediate resale in the United States in the open market.
Sales of our shares may make it more difficult for us to sell equity securities in the future at a time and at a price that we deem appropriate. These sales also could cause the trading price of our Class A common stock to fall and make it more difficult for you to sell shares of our Class A common stock.
We have broad discretion over the use of the net proceeds from our financing activities, and we may not use them effectively.
We cannot specify with any certainty the particular uses of the net proceeds that we received from our financing activities, including from our IPO and the issuance of the Notes, and our management has broad discretion in the application of the net proceeds. The failure by our management to apply these proceeds effectively could adversely affect our business, results of operations, and financial condition. Pending their use, we may invest our proceeds in a manner that does not produce income or that loses value. Our investments may not yield a favorable return to our investors and may negatively impact the price of our Class A common stock.
54

Delaware law and provisions in our amended and restated certificate of incorporation and amended and restated bylaws could make a merger, tender offer, or proxy contest difficult, thereby depressing the market price of our Class A common stock.
Our status as a Delaware corporation and the anti-takeover provisions of the Delaware General Corporation Law may discourage, delay, or prevent a change in control by prohibiting us from engaging in a business combination with an interested stockholder for a period of three years after the person becomes an interested stockholder, even if a change of control would be beneficial to our existing stockholders. In addition, our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may make the acquisition of our company more difficult, including the following:
our dual class common stock structure, which provides Mr. Prince and Ms. Zatlyn with the ability to significantly influence the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the shares of our outstanding Class A common stock and Class B common stock;
our Board of Directors is classified into three classes of directors with staggered three-year terms and directors are only able to be removed from office for cause;
vacancies on our Board of Directors will be able to be filled only by our Board of Directors and not by stockholders;
only the Chair of our Board of Directors, our Chief Executive Officer, or a majority of our entire Board of Directors are authorized to call a special meeting of stockholders;
certain litigation against us can only be brought in Delaware;
our amended and restated certificate of incorporation authorizes undesignated preferred stock, the terms of which may be established and shares of which may be issued, without the approval of the holders of Class A common stock;
advance notice procedures apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders;
our stockholders will only be able to take action at a meeting of stockholders and not by written consent; and
any amendment of the above anti-takeover provisions in our amended and restated certificate of incorporation or amended and restated bylaws will require the approval of two-thirds of the combined vote of our then-outstanding shares of Class A common stock and Class B common stock.
These anti-takeover defenses could discourage, delay, or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors of their choosing and to cause us to take other corporate actions they desire, any of which, under certain circumstances, could limit the opportunity for our stockholders to receive a premium for their shares of our capital stock, and could also affect the price that some investors are willing to pay for our Class A common stock.
Our amended and restated bylaws provide that the Court of Chancery of the State of Delaware and the federal district courts of the United States will be the exclusive forums for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers or employees.
Our amended and restated bylaws provide that the Court of Chancery of the State of Delaware is the exclusive forum for the following types of actions or proceedings under Delaware statutory or common law: (i) any derivative action or proceeding brought on our behalf; (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers, or other employees to us or our stockholders; (iii) any action arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws; or (iv) any other action asserting a claim that is governed by the internal affairs doctrine shall be the Court of Chancery of the State of Delaware (or, if the Court of Chancery does not have jurisdiction, the federal district court for the District of Delaware), in all cases subject to the court having jurisdiction over indispensable parties named as defendants. Our amended and restated bylaws further provide that the U.S. federal district courts will be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act.
55

Any person or entity purchasing or otherwise acquiring any interest in any of our securities shall be deemed to have notice of and consented to this provision. These exclusive-forum provisions may limit a stockholder’s ability to bring a claim in a judicial forum of its choosing for disputes with us or our directors, officers, or other employees, which may discourage lawsuits against us and our directors, officers, and other employees. If a court were to find the exclusive-forum provision in our amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could harm our results of operations.
Our Class A common stock market price and trading volume could decline if equity or industry analysts do not publish research or publish inaccurate or unfavorable research about our business.
The trading market for our Class A common stock depends in part on the research and reports that equity or industry analysts publish about us or our business. The analysts’ estimates are based upon their own opinions and are often different from our estimates or expectations. If one or more of the analysts who cover us downgrade our Class A common stock or publish inaccurate or unfavorable research about our business, the price of our securities would likely decline. If few securities analysts commence coverage of us, or if one or more of these analysts cease coverage of us or fail to publish reports on us regularly, demand for our securities could decrease, which might cause the price and trading volume of our Class A common stock to decline.
An active trading market for our Class A common stock may not be sustained.
Our Class A common stock is listed on the NYSE under the symbol “NET.” However, we cannot assure you of the likelihood that an active trading market for our Class A common stock will be maintained, the liquidity of any trading market, your ability to sell your shares of our Class A common stock when desired, or the prices that you may obtain for your shares.
We do not intend to pay dividends for the foreseeable future.
We have never declared nor paid cash dividends on our capital stock. We currently intend to retain any future earnings to finance the operation and expansion of our business, and we do not expect to declare or pay any dividends in the foreseeable future. As a result, stockholders must rely on sales of their Class A common stock after price appreciation as the only way to realize any future gains on their investment.
Risks Related to our Outstanding Convertible Senior Notes
Servicing our future debt, including the Notes, may require a significant amount of cash, and we may not have sufficient cash flow from our business to pay our indebtedness.

In May 2020, we issued $575.0 million in aggregate principal amount of the Notes. The Notes are senior unsecured obligations of the Company and will mature on May 15, 2025, unless earlier redeemed, repurchased, or converted, and are governed by the terms of the Indenture dated May 15, 2020 (the Indenture). The interest rate is fixed at 0.75% per annum and is payable semi-annually in arrears on May 15 and November 15 of each year, beginning on November 15, 2020. Our ability to make scheduled payments of the principal of, to pay interest on or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt, or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Our ability to refinance any future indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, any of our future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt.
In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could:
make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry, and competitive conditions and adverse changes in government regulation;
56

limit our flexibility in planning for, or reacting to, changes in our business and our industry;
place us at a disadvantage compared to our competitors who have less debt;
limit our ability to borrow additional amounts to fund acquisitions, for working capital, and for other general corporate purposes; and
make an acquisition of our company less attractive or more difficult.
Any of these factors could harm our business, results of operations, and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.
We may not have the ability to raise the funds necessary for cash settlement upon conversion of the Notes or to repurchase the Notes for cash upon a fundamental change, and our future debt may contain limitations on our ability to pay cash upon conversion of the Notes or to repurchase the Notes.
Holders of the Notes have the right to require us to repurchase their Notes upon the occurrence of a fundamental change at a fundamental change (which is defined in the Indenture for the Notes to include events such as a change of control) repurchase price equal to 100% of the principal amount of the Notes to be repurchased, plus accrued and unpaid interest, if any, to, but excluding, the fundamental change repurchase date. In addition, upon conversion of the Notes, unless we elect to deliver solely shares of our Class A common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the Notes being converted. However, we may not have enough available cash or be able to obtain financing at the time we are required to make repurchases of Notes surrendered therefor or Notes being converted. In addition, our ability to repurchase the Notes or to pay cash upon conversions of the Notes may be limited by law, by regulatory authority or by agreements governing our future indebtedness. Our failure to repurchase the Notes at a time when the repurchase is required by the Indenture governing the Notes or to pay any cash payable on future conversions of the Notes as required by such Indenture would constitute a default under the Indenture. A default under the Indenture or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Notes or make cash payments upon conversions thereof. Any failure by us to repay the indebtedness and repurchase the Notes or make cash payments upon conversions thereof, in each case, when required to do so pursuant to the terms of the Indenture could harm our business, results of operations, and financial condition.
The conditional conversion feature of the Notes, if triggered, may adversely affect our financial condition and operating results.
In the event the conditional conversion feature of the Notes is triggered, holders of the Notes will be entitled to convert the Notes at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our Class A common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. In addition, even if holders do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital.
Transactions relating to the Notes may affect the value of our Class A common stock.
The conversion of some or all of the Notes would dilute the ownership interests of our existing stockholders to the extent we satisfy our conversion obligation by delivering shares of our Class A common stock upon any conversion of such Notes. The Notes may become in the future convertible at the option of their holders under certain circumstances. If holders of the Notes elect to convert their Notes, we may settle our conversion obligation by delivering to them a significant number of shares of our Class A common stock, which would cause dilution to our existing stockholders.
In connection with the pricing of the Notes, we entered into privately negotiated capped call transactions with the option counterparties. The capped call transactions are expected generally to reduce the potential dilution upon
57

conversion of the Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted Notes, as the case may be, with such reduction and/or offset subject to a cap.
In connection with establishing their initial hedges of the capped call transactions, the option counterparties or their respective affiliates entered into various derivative transactions with respect to our Class A common stock and/or purchased shares of our Class A common stock concurrently with or shortly after the pricing of the Notes. From time to time, the option counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our Class A common stock and/or purchasing or selling our Class A common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes (and are likely to do so following any conversion, repurchase, or redemption of the Notes, to the extent we exercise the relevant election under the capped call transactions). This activity could also cause a decrease and/or increased volatility in the market price of our Class A common stock.
We are subject to counterparty risk with respect to the capped call transactions.
The option counterparties are financial institutions, and we will be subject to the risk that any or all of them might default under the capped call transactions. Our exposure to the credit risk of the option counterparties will not be secured by any collateral. Past global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at that time under the capped call transactions with such option counterparty. Our exposure will depend on many factors but, generally, an increase in our exposure will be correlated to an increase in the market price and in the volatility of our Class A common stock. In addition, upon a default by an option counterparty, we may suffer adverse tax consequences and more dilution than we currently anticipate with respect to our Class A common stock. We can provide no assurance as to the financial stability or viability of the option counterparties.

General Risk Factors
If we fail to maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
We are subject to the reporting requirements of the Securities Exchange Act of 1934, as amended (the Exchange Act), the Sarbanes-Oxley Act of 2002 (the Sarbanes-Oxley Act), and the rules and regulations of the applicable listing standards of the New York Stock Exchange (the NYSE). We expect that the requirements of these rules and regulations will continue to increase our legal, accounting, and financial compliance costs, make some activities more difficult, time-consuming, and costly, and place significant strain on our personnel, systems, and resources.
The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are continuing to develop and refine our disclosure controls and other procedures that are designed to ensure that information required to be disclosed by us in the reports that we file with the SEC is recorded, processed, summarized, and reported within the time periods specified in SEC rules and forms and that information required to be disclosed in reports under the Exchange Act is accumulated and communicated to our principal executive and financial officers. We are also continuing to improve our internal control over financial reporting. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended, and anticipate that we will continue to expend, significant resources, including accounting-related costs, and significant management oversight.
Our current controls and any new controls that we develop may become inadequate because of changes in conditions in our business. Further, weaknesses in our disclosure controls and internal control over financial reporting may be discovered in the future. Any failure to develop or maintain effective controls or any difficulties encountered in their implementation or improvement could harm our results of operations or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we will eventually be required to
58

include in our periodic reports that will be filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our Class A common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NYSE. We will be required to provide an annual management report on the effectiveness of our internal control over financial reporting commencing with our second annual report on Form 10-K.
In the period ended December 31, 2017, we identified one material weakness in our internal control over financial reporting related to our lack of a formal process over stock administration and lack of adequate controls to ensure that all stock issuances and stock-based compensation transactions were completely and accurately documented, executed, and properly reflected in our consolidated financial statements and our capitalization table. Although the material weakness was remediated as of December 31, 2018, there can be no assurance that we will maintain internal control over financial reporting sufficient to enable us to identify or avoid material weaknesses in the future.
Our independent registered public accounting firm is not required to formally attest to the effectiveness of our internal control over financial reporting until after we are no longer an “emerging growth company” as defined in the JOBS Act. At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our internal control over financial reporting is documented, designed, or operating. Any failure to maintain effective disclosure controls and internal control over financial reporting could materially and adversely affect our business, results of operations, and financial condition and could cause a decline in the trading price of our Class A common stock.
Our business is subject to the risks of catastrophic events.
The occurrence of any catastrophic event, including an earthquake, fire, flood, tsunami, or other weather event, power loss, telecommunications failure, software or hardware malfunctions, epidemic or pandemic diseases (such as the ongoing COVID-19 pandemic), cyber-attack, war, or terrorist attack, could result in lengthy interruptions in our service. Our corporate headquarters is located in the San Francisco Bay Area and one of our core co-location facilities is located in the U.S. Pacific Northwest, both regions known for seismic activity, and we also have a second core co-location facility in Luxembourg. Our insurance coverage may not compensate us for losses that may occur in the event of an earthquake or other significant natural disaster. In addition, acts of terrorism could cause disruptions to the Internet or the economy as a whole. Even with our disaster recovery arrangements, our service could be interrupted. If our systems were to fail or be negatively impacted as a result of a natural disaster or other event, our ability to deliver products to our customers would be impaired or we could lose critical data.
Our partners, suppliers, and customers are also subject to the risk of catastrophic events. In those events, our ability to deliver our products in a timely manner, as well as the demand for our products, may be divided on account of factors outside our control.
The requirements of being a public company may strain our resources, divert management’s attention, and affect our ability to attract and retain executive management and qualified board members.
We are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the listing requirements of the NYSE, and other applicable securities rules and regulations. Compliance with these rules and regulations increases our legal and financial compliance costs, makes some activities more difficult, time-consuming, or costly, and increases demand on our systems and resources. The Exchange Act requires, among other things, that we file annual, quarterly, and current reports with respect to our business and results of operations. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and, if required, improve our disclosure controls and procedures and internal control over financial reporting to meet this standard, significant resources and management oversight is required. We are required to disclose changes made in our internal control and procedures on a quarterly basis and we will be required to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting. As a result of the complexity involved in complying with the rules and regulations applicable to public companies, our management’s attention may be diverted from other business concerns, which could adversely affect our business and results of operations. Although we have already hired additional employees and have engaged outside consultants to assist us in complying with these requirements, we may need to hire more employees in the future or engage additional outside consultants, which will increase our operating expenses.
59

In addition, changing laws, regulations, and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs, and making some activities more time consuming. These laws, regulations, and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We intend to invest substantial resources to comply with evolving laws, regulations, and standards, and this investment may result in increased general and administrative expenses and a diversion of management’s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations, and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to their application and practice, regulatory authorities may initiate legal proceedings against us and our business may be adversely affected.
Failure to comply with the aforementioned rules and regulations may make it more expensive for us to maintain director and officer liability insurance, and in the future we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors could also make it more difficult for us to attract and retain qualified members of our Board of Directors, particularly to serve on our audit committee and compensation committee, and qualified executive officers.
As a result of disclosure of information in our filings with the SEC, our business and financial condition are visible, which we believe may result in threatened or actual litigation, including by competitors and other third parties. If such claims are successful, our business and results of operations could be adversely affected, and even if the claims do not result in litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and adversely affect our business and results of operations.
Item 1B. Unresolved Staff Comments
None.

Item 2. Properties
Our corporate headquarters is located in San Francisco, California, where we lease approximately 81,000 square feet. Of the total leased space in San Francisco, approximately 66,000 square feet is concentrated in our adjoining buildings located at 101 Townsend Street and 111 Townsend Street pursuant to lease agreements expiring in October 2022. In addition, we lease approximately 15,000 square feet at 634 Second Street pursuant to a lease agreement expiring in December 2027.

We also maintain offices around the world including Austin, Texas; London, United Kingdom; Lisbon, Portugal; and Singapore to support our global team.

We lease all of our facilities and do not own any real property.
We believe that our facilities are suitable to meet our current needs. We intend to expand our facilities or add new facilities as we add employees and enter new geographic markets, and we believe that suitable additional or alternative space will be available as needed to accommodate any such growth.

Item 3. Legal Proceedings
From time to time we are subject to legal proceedings and claims arising in the ordinary course of business. We are not presently a party to any legal proceeding that we believe is likely to have a material impact on our business, results of operations, or financial condition.
Future litigation may be necessary, among other things, to defend ourselves or our customers by determining the scope, enforceability, and validity of third-party proprietary rights or to establish our proprietary rights. The results of any litigation cannot be predicted with certainty, particularly in the areas of unsettled and evolving law in which we
60

operate, and an unfavorable resolution in any legal proceedings could materially affect our future business, results of operations, or financial condition. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources, and other factors. For additional information, see "Risk Factors - Activities of our paying and free customers or the content of their websites and other Internet properties could subject us to liability" and "We are currently, and may be in the future, party to intellectual property rights claims and other litigation matters that, if resolved adversely, could have a material impact on our business, results of operations, or financial condition" and Note 8 to the consolidated financial statements included in this Annual Report on Form 10-K.

Item 4. Mine Safety Disclosures
Not applicable.
61

PART II

Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Market Information for Our Class A Common Stock
Our Class A common stock has been listed on the New York Stock Exchange (NYSE) under the symbol "NET" since September 13, 2019. Prior to that date, there was no public trading market for our Class A common stock. There is no public trading market for our Class B common stock.
Holders of Record
As of February 12, 2021, we had 441 holders of record of our Class A and Class B common stock. The actual number of stockholders is greater than this number of record holders and includes stockholders who are beneficial owners but whose shares are held in street name by brokers and other nominees.
Dividend Policy
We have never declared nor paid any cash dividends on our capital stock. We currently intend to retain any future earnings and do not expect to pay any dividends in the foreseeable future. Any future determination to declare cash dividends will be made at the discretion of our Board of Directors, subject to applicable laws, and will depend on a number of factors, including our financial condition, results of operations, capital requirements, contractual restrictions, general business conditions, and other factors that our Board of Directors may deem relevant.
Securities Authorized for Issuance Under Equity Compensation Plans
The information required by this item with respect to our equity compensation plans is incorporated by reference to our Proxy Statement for the 2021 Annual Meeting of Stockholders to be filed with the Securities and Exchange Commission within 120 days of the fiscal year ended December 31, 2020.
Stock Performance Graph
This performance graph shall not be deemed “soliciting material” or to be “filed” with the Securities and Exchange Commission, or the SEC, for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or the Exchange Act, or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act of 1933, as amended, or the Securities Act.
The following graph compares (i) the cumulative total stockholder return on our Class A common stock from September 13, 2019 (the date our Class A common stock commenced trading on the NYSE) through December 31, 2020 with (ii) the cumulative total return of the Standard & Poor's 500 Index and Standard & Poor's Information Technology Index over the same period, assuming the investment of $100 in our Class A common stock and in each index on September 13, 2019 and the reinvestment of dividends. The graph uses the closing market price on September 13, 2019 of $18.00 per share as the initial value of our common stock. The comparisons are based on historical data and are not indicative of, nor intended to forecast, future performance of our Class A common stock.


62

cloud-20201231_g1.jpg

Company/IndexBase Period
9/13/2019
9/30/201912/31/201903/31/202006/30/202009/30/202012/31/2020
Cloudflare$100.00 $103.17 $94.78 $130.44 $199.72 $228.11 $422.17 
S&P 500 Index100.00 98.98 107.43 85.94 103.09 111.82 124.89 
S&P 500 Information Technology Index100.00 99.44 113.36 99.51 129.47 144.56 161.21 

Unregistered Sales of Equity Securities
None.
Issuer Purchases of Equity Securities    
None.
Item 6. Selected Financial and Other Data
The following selected consolidated financial and other data should be read in conjunction with the section titled "Management's Discussion and Analysis of Financial Condition and Results of Operations" and the consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K. The selected consolidated statements of operations data presented below for the years ended December 31, 2020, 2019, and 2018 and the consolidated balance sheet data as of December 31, 2020 and 2019, are derived from our audited consolidated financial statements that are included elsewhere in this Annual Report on Form 10-K. The selected consolidated statements of operations data presented below for the years ended December 31, 2017 and 2016 and the consolidated balance sheet data as of December 31, 2017, are derived from our audited consolidated financial statements that are not included in this Annual Report on Form 10-K. Our historical results are not necessarily indicative of our future results. The selected consolidated financial data in this section are not intended to replace the consolidated financial statements and are qualified in their entirety by the consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K.

63


Year Ended December 31,
20202019201820172016
(in thousands, except per share data)
Consolidated Statements of Operations Data:
Revenue$431,059 $287,022 $192,674 $134,915 $84,791 
Cost of revenue(1)
101,055 63,423 43,537 28,788 23,962 
Gross profit
330,004 223,599 149,137 106,127 60,829 
Operating expenses:
Sales and marketing(1)
217,875 159,298 94,394 61,899 40,122 
Research and development(1)
127,144 90,669 54,463 33,650 23,663 
General and administrative(1)
91,753 81,578 85,179 20,308 14,073 
Total operating expenses436,772 331,545 234,036 115,857 77,858 
Loss from operations(106,768)(107,946)(84,899)(9,730)(17,029)
Non-operating income (expense):
Interest income
6,588 5,787 1,895 762 626 
Interest expense
(24,964)(1,112)(992)(862)(654)
Other income (expense), net
171 (1,442)(2,091)115 (208)
Total non-operating income (expense), net(18,205)3,233 (1,188)15 (236)
Loss before income taxes(124,973)(104,713)(86,087)(9,715)(17,265)
Provision for (benefit from) income taxes(5,603)1,115 1,077 1,033 69 
Net loss$(119,370)$(105,828)$(87,164)$(10,748)$(17,334)
Net loss per share attributable to common stockholders, basic and diluted(2)
$(0.40)$(0.72)$(1.08)$(0.14)$(0.23)
Weighted-average shares used in computing net loss per share attributable to common stockholders, basic and diluted(2)
299,774 146,306 80,981 77,147 75,721 
_______________
(1)Includes stock-based compensation expense as follows:
(2)Refer to Note 12 to our consolidated financial statements included elsewhere in this Annual Report on Form 10-K for an explanation of the method used to calculate our basic and diluted net loss per share attributable to common stockholders and the weighted-average number of shares used in the computation of per share amounts.

Year Ended December 31,
20202019201820172016
(in thousands)
Cost of revenue$1,225 $716 $119 $47 $64 
Sales and marketing16,019 8,709 979 488 381 
Research and development26,090 13,037 1,532 969 1,043 
General and administrative13,000 14,165 24,717 1,251 4,212 
Total stock-based compensation expense$56,334 $36,627 $27,347 $2,755 5,700 





64

December 31,
2020201920182017
(in thousands)
Consolidated Balance Sheet Data
Cash, cash equivalents, and available-for-sale securities$1,032,096 $636,948 $160,657 $73,407 
Working capital(1)
$988,577 $605,989 $135,358 $64,861 
Property and equipment, net$123,688 $101,466 $73,210 $51,423 
Total assets$1,380,651 $830,824 $298,380 $163,143 
Deferred revenue, current and noncurrent$56,836 $31,647 $17,037 $12,134 
Redeemable convertible preferred stock$— $— $331,521 $181,546 
Accumulated deficit$(420,520)$(301,706)$(195,878)$(108,714)
Total stockholders’ (deficit) equity$816,940 $725,828 $(113,505)$(59,834)
_______________
(1)Working capital is defined as current assets less current liabilities.

65

Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion contains forward-looking statements that are based upon current plans, expectations, and beliefs that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including the impact of the COVID-19 pandemic and those other factors discussed in the section titled “Risk Factors” and in other parts of this Annual Report on Form 10-K. Our fiscal year end is December 31.
Overview
Cloudflare’s mission is to help build a better Internet. We have built a global network that delivers a broad range of services to businesses of all sizes and in all geographies—making them more secure, enhancing the performance of their business-critical applications, and eliminating the cost and complexity of managing individual network hardware. Our network serves as a scalable, easy-to-use, unified control plane to deliver security, performance, and reliability across their on-premise, hybrid, cloud, and software-as-a-service (SaaS) applications.
Our Business Model
Our business model benefits from our ability to serve the needs of all customers ranging from individual developers to the largest enterprises, in a cost-effective manner. Our products are easy to deploy and allow for rapid and efficient onboarding of new customers and expansion of our relationships with customers over time. Given the large customer base we have and the immense amount of Internet traffic that we manage, we are able to negotiate mutually beneficial agreements with Internet Service Providers (ISPs) that allow us to place our equipment directly in their data centers, which drives down our bandwidth and co-location expenses. This symbiotic relationship that we have with ISPs and the efficiency of our serverless network architecture allows us to introduce new products on our network at low marginal cost.
We generate revenue primarily from sales to our customers of subscriptions to access our network and products. We offer a variety of plans to our free and paying customers depending on their required features and functionality.
Pay-as-you-go customers. For our pay-as-you-go customers, we offer Pro and Business subscription plans through our website per registered domain, and it is common for customers to purchase subscriptions to cover multiple Internet properties (e.g., domains, websites, application programming interfaces (APIs), and mobile applications). Our Pro plan provides basic functionality to improve the security, performance, and reliability of applications, such as enhanced web application firewall and image and mobile optimization. Our Business plan includes additional functionality often required by larger organizations, including service level agreements of up to 100% uptime, dynamic content acceleration, and enhanced customer support. Our implementation period for pay-as-you-go customers is extremely short with most customers implementing our services within a matter of minutes. While our Pro and Business plans offer significant value to customers, customers can subscribe to add-on products and network functionality we offer to meet their more advanced needs. Our pay-as-you-go customers typically pay with a credit card on a monthly basis.
Contracted customers. Our contracted customers, which consist of customers that enter into contracts for our Enterprise subscription plan, have contracts that range from one to three years and are typically billed on a monthly basis. Our contracted customer sales cycle typically lasts less than one quarter. Our agreements with contracted customers are tailored and priced to meet their varying needs and requirements. Enterprise subscription plan agreements for our contracted customers generally include a base subscription and a smaller portion based on usage.
Key elements of our business model include:
Free customer base. Free customers are an important part of our business. These customers, like our pay-as-you-go customers, sign up for our service through our website and are typically individual developers, early stage startups, hobbyists, and other users. Our free customers create scale, serve as efficient brand marketing, and help us attract developers, customers, and potential employees. These free customers expose us to diverse traffic, threats, and problems, often allowing us to see potential security, performance, and reliability issues at the earliest stage. This knowledge allows us to improve our products
66

and deliver more effective solutions to our paying customers. In addition, the added scale and diversity of this traffic makes us valuable to a diverse set of global ISPs, improving the breadth and economic terms of our interconnections, bandwidth costs, and co-location expenses. Finally, the enthusiastic engagement of our free customer base represents a "virtual quality assurance" function that allows us to maintain a high rate of product innovation, while ensuring our products are extensively tested in real world environments before they are deployed to our paying customers.
Significant investment in ongoing product development. We invest significantly in research and development. Our focus on research and development allows us to continually enhance the capabilities and functionality of our global network with new products that are innovative and powerful and can be quickly adopted by our customers and helps us grow our free and paying customer base, which allows us to serve a greater portion of the world's Internet traffic. That in turn provides us with greater knowledge and insight into the challenges that Internet users face every day.
Investments in our network for growth. We believe that the size, sophistication, and distributed nature of our network provide us with a significant competitive advantage. We intend to continue to make substantial investments in network infrastructure to support the growth of our business. As we invest in our network, we believe the service that we can provide our customers and the insight and knowledge that we can gain will continue to grow.
Efficient go-to-market model. We have built an efficient go-to market model that reflects the flexibility and ease of use our products offers to our customers around the world. This has enabled us to acquire new customers as well as to expand within our existing customer base in a rapid, cost-effective manner. In particular, we have invested heavily in our contracted customer sales efforts.
New customer acquisition. We believe that any person or business that relies on the Internet to deliver products, services, or content can be a Cloudflare customer. As such, we are focused on driving an increased number of customers on our infrastructure platform to support our long-term growth. Through our pay-as-you-go offering, a customer can subscribe to one of our many plans and begin using our network within minutes, with minimal technical skill and no professional services. This has allowed us to acquire a large portion of paying customers very rapidly and at significantly lower customer acquisition costs. Additionally, we continue to invest to build our direct sales force and improve the sophistication of our sales operations.
Expansion of our existing customers. We believe that our network enables a large opportunity for growth within our existing customer base given the breadth of products we offer on our infrastructure platform. Our relationships with customers often start with servicing a portion of their overall network needs and expand over time as they realize the significant value we deliver. Once a customer has adopted one product on our network it can easily add additional products with a single click. As we add more products and functionality to our network, we see opportunities to drive upsell as customers seek to consolidate onto one infrastructure platform to meet all of their security, performance, and reliability network requirements.
International reach. Our global network, with a presence in more than 200 cities and over 100 countries worldwide, has helped to foster our strong international growth. International markets represented 49%, 50% and 52% of our revenue in the years ended December 31, 2020, 2019, and 2018, respectively, and we intend to continue to invest in our international growth as a strategy to expand our customer base around the world.
Initial Public Offering
In September 2019, the Company completed an initial public offering (IPO) in which it issued and sold Class A common stock for net proceeds of $565.0 million, after deducting underwriting discounts and commissions and offering costs. Upon completion of the IPO, all of our outstanding redeemable convertible preferred stock was automatically converted into Class A common stock and Class B common stock. In addition, all of the outstanding warrants to purchase shares of our redeemable convertible preferred stock were automatically converted into outstanding warrants to purchase shares of Class B common stock, and all shares of Class B common stock held by former employees were automatically converted into Class A common stock.
Opportunities, Challenges, and Risks
67

We believe that the growth of our business and our future success are dependent upon many factors, including growing our customer base, expanding our relationships with existing paying customers, developing and successfully launching new products, expanding into additional market segments, expanding our base of free customers, and developing and maintaining favorable peering and co-location relationships. Each of these factors presents significant opportunities for us, but also poses material challenges and risks that we must successfully address in order to grow our business and improve our operating results. We expect that addressing these challenges and risks will increase our operating expenses significantly over the next several years. The timing of our future profitability, if we achieve profitability at all, will depend upon many variables, including the success of our growth strategies and the timing and size of investments and expenditures that we choose to undertake, as well as market growth and other factors that are not within our control. In addition, we must comply with complex, uncertain, and evolving laws, rules, and regulatory requirements across federal, state, and international jurisdictions. If we fail to successfully address these challenges, risks, and variables, our business, operating results, financial condition, and prospects may be adversely affected.
COVID-19 Update

In early March 2020, COVID-19, a disease caused by a novel strain of the coronavirus, was characterized as a pandemic by the World Health Organization. Since December 2019, COVID-19 has spread rapidly, with nearly all countries and territories worldwide having confirmed cases of COVID-19, and a high concentration of cases in the United States and many other countries in which we and our customers, vendors, and partners operate. In addition, in early 2021, new potentially more contagious variants of the virus have emerged. The rapid spread of the virus and the new variants has resulted in authorities around the world periodically implementing and relaxing numerous measures to contain the virus, such as travel restrictions and bans, quarantines, shelter-in-place orders, and mandated business closures. The COVID-19 pandemic and these containment measures that have been in effect from time to time in various countries and territories have had, and are expected to continue to have, a substantial negative impact on businesses around the world and on global, regional, and national economies. Although vaccines for COVID-19 have been developed and are being administered in the United States and other countries, the timing of administering these vaccines in countries around the world, and the long-term efficacy of these vaccines, remain uncertain.

We are closely monitoring the impact of the ongoing COVID-19 pandemic on all aspects of our business. While we believe the COVID-19 pandemic has had certain impacts on our business that we discuss in further detail below, we do not believe there has been, nor are we currently anticipating, a material adverse impact from the effects of the ongoing COVID-19 pandemic on our business and operations, results of operations, financial condition, and cash flows. However, the progression of the pandemic is uncertain, rapidly changing, and hard to predict. For example, after the initial spread of the pandemic during the spring of 2020, many countries began loosening containment measures in the summer, but the rapid escalation of infection rates, as well as the discovery of new variants of the virus, in North America, Europe, South Africa, and other regions during the fall and winter of 2020 and early 2021, has led, and is expected to continue to lead, to an increase in containment measures in certain of those countries and territories. As a result, the broader implications of the COVID-19 pandemic on our business and operations and our financial results continue to be uncertain. The duration and severity of the economic downturn from the ongoing COVID-19 pandemic may negatively impact our business and operations, results of operations, financial condition, and cash flows.

To date, the COVID-19 pandemic has impacted our employees, our network, and our customers in a number of ways, and this impact could worsen if and to the extent the pandemic continues or becomes more severe.

Our Employees. Our top priority during the COVID-19 pandemic is protecting the health and safety of our employees around the world. As the COVID-19 pandemic expanded globally during the spring of 2020, we activated our business continuity plan and transitioned our employees to a fully remote working environment in nearly all of our locations around the world and restricted almost all business travel. More recently, we have reopened, to a limited extent, most of our offices so that those of our employees who have difficult or challenging remote work circumstances are able to work from one of our offices located in jurisdictions that permit returns to offices and where we believe such a return to office can occur safely. Throughout the pandemic, our goal has been to ensure that our employees feel safe and secure, while having the flexibility and resources necessary to perform their jobs effectively. These efforts have included providing additional equipment to employees for working remotely and providing various benefits to promote our employees’ physical and mental well-being. We believe our employees have been able to remain productive during the COVID-19 pandemic and that our operations have not been materially impacted by our employees primarily working on a remote basis, but the continuation of the pandemic will place strains
68

on our employees. As the progression of the pandemic continues, we will continue to monitor and follow guidance from authorities and health officials in the locations where we operate and modify our working environments around the world appropriately. To the extent current or future measures we implement result in decreased productivity, harm our company culture, or otherwise negatively affect our business, our financial condition, and operating results could be materially and adversely affected.

We are continuing our efforts to increase our workforce to support the ongoing growth in our business, which currently is occurring through a virtual hiring and onboarding process. To date, we have not experienced difficulties in continuing to expand our workforce, but depending on the length and severity of the COVID-19 pandemic and its effect on our business, we may determine to slow our hiring. Any delays in expanding our workforce may result in key positions remaining unfilled, which could negatively impact our business, financial condition, or operating results.

Our Network. The change in everyday behavior caused by the COVID-19 pandemic during the year ended December 31, 2020 has resulted in an increased reliance on the Internet, increased Internet traffic, and a geographic migration of Internet traffic from office-focused areas (like city centers and business parks) to more residential areas (like suburbs and outlying towns). We believe that traffic on the Internet, and on our network that we use to provide our products to our customers around the world, will remain elevated while the isolation mandates across the globe remain in place or where significantly greater numbers of workers continue to work remotely than was the case prior to the pandemic. Nevertheless, there is uncertainty about the impact on Internet traffic levels and work locations as the isolation mandates are periodically lifted and as more workers begin to return to working in office environments instead of remotely.

Our business is dependent on our network providing our customers with secure, performant, and reliable network services every minute of every day. The pandemic has resulted not only in greatly increased traffic and strain on our network, but also adverse impacts on our ability to provision our network co-location facilities, including delays in our ability to obtain servers and other hardware and to ship and install such hardware at our network facilities. While we have been able to lessen these adverse impacts to date through our planning processes and use of alternative vendors, our ability to continue to provision our existing network facilities and expand into new network facilities may become more difficult and more expensive the longer the COVID-19 pandemic continues to negatively impact the vendors for our network hardware, which in turn could adversely impact our business and operations and results of operations.

Our Customers. The COVID-19 pandemic and the measures taken by governments around the world to contain the spread of COVID-19 are materially and adversely impacting many of our current and potential customers, and this impact could negatively impact our business and operations, results of operations, financial condition, and cash flows. During the first quarter of 2020, we experienced an increase in the sales cycle for our products with many customers. While we believe this increase could be a result of a number of factors, it is possible that the pandemic has contributed to the increase. Since the pandemic began, we also initially experienced an increase in the proportion of our pipeline of prospective future customers that was lost, as well as an increase during the year ended December 31, 2020 of new and existing customers requesting concessions in terms of payment amounts and/or timing and earlier or additional termination rights than was the case prior to the pandemic. Depending on the future progression of the pandemic, we also may experience future slowing in our collections of outstanding accounts receivables from some of our customers. We expect these trends and risks to continue while the COVID-19 pandemic persists and they could intensify as the pandemic continues and the financial condition of some of our current and potential customers deteriorates. While we have sought to ameliorate these negative sales impacts through focusing on additional upselling opportunities with existing customers, concentrating our sales efforts on industries that are more insulated from the impact of the ongoing COVID-19 pandemic, and shifting our marketing strategy to better identify sales opportunities in the current environment, there can be no assurance that these efforts will be successful.

For further discussion of the challenges and risks we confront related to the COVID-19 pandemic and otherwise, please refer to Part I, Item 1A “Risk Factors” of this Annual Report on Form 10-K, including the risk factor titled “The effects of the ongoing COVID-19 pandemic have materially affected how we and our customers, vendors, and partners are operating our businesses, and the duration and extent to which this will negatively impact our future business and operations, results of operations, financial condition and cash flows remain uncertain.
69

Non-GAAP Financial Measures and Key Business Metrics
We review a number of financial and operating metrics, including the following non-GAAP financial measures and key metrics to evaluate our business, measure our performance, identify trends affecting our business, formulate business plans, and make strategic decisions.
Year Ended December 31,
202020192018
(dollars in thousands)
Gross profit
$330,004 $223,599 $149,137 
Gross margin
77 %78 %77 %
Loss from operations
$(106,768)$(107,946)$(84,899)
Non-GAAP loss from operations
$(33,892)$(71,194)$(57,035)
Operating margin
(25)%(38)%(44)%
Non-GAAP operating margin
(8)%(25)%(30)%
Net cash used in operating activities
$(17,129)$(38,917)$(43,281)
Net cash used in investing activities
$(515,273)$(417,641)$(120,795)
Net cash provided by financing activities
$504,912 $570,768 $168,621 
Free cash flow
$(92,091)$(96,196)$(78,120)
Net cash used in operating activities (as a percentage of revenue)
(4)%(14)%(22)%
Free cash flow margin
(21)%(34)%(40)%
Paying customers
111,183 84,154 72,823 
Paying customers (> $100,000 Annualized Revenue)
828 526 294 

The following table summarizes the revenue by region based on the billing address of customers who have contracted to use the Company’s global network:
Year Ended December 31,
202020192018
(in thousands)
AmountPercentage
of Revenue
AmountPercentage
of Revenue
AmountPercentage
of Revenue
United States$218,191 51 %$144,575 50 %$92,652 48 %
Europe, Middle East, and Africa
109,274 25 %68,418 24 %48,438 25 %
Asia Pacific76,177 18 %55,131 19 %38,851 20 %
Other27,417 %18,898 %12,733 %
Total$431,059 100 %$287,022 100 %$192,674 100 %

Non-GAAP Financial Measures
In addition to our results determined in accordance with generally accepted accounting principles in the United States (U.S. GAAP), we believe the following non-GAAP measures are useful in evaluating our operating performance. We use the following non-GAAP financial information to evaluate our ongoing operations and for internal planning and forecasting purposes. We believe that non-GAAP financial information, when taken collectively, may be helpful to investors because it provides consistency and comparability with past financial performance. However, non-GAAP financial information is presented for supplemental informational purposes only, has limitations as an analytical tool and should not be considered in isolation or as a substitute for financial information presented in accordance with U.S. GAAP. In particular, free cash flow is not a substitute for cash provided by (used in) operating activities. Additionally, the utility of free cash flow as a measure of our liquidity is
70

further limited as it does not represent the total increase or decrease in our cash balance for a given period. In addition, other companies, including companies in our industry, may calculate similarly-titled non-GAAP measures differently or may use other measures to evaluate their performance, all of which could reduce the usefulness of our non-GAAP financial measures as tools for comparison. A reconciliation is provided below for each non-GAAP financial measure to the most directly comparable financial measure stated in accordance with U.S. GAAP. Investors are encouraged to review the related U.S. GAAP financial measures and the reconciliation of these non-GAAP financial measures to their most directly comparable U.S. GAAP financial measures, and not to rely on any single financial measure to evaluate our business.
Non-GAAP Loss from Operations and Non-GAAP Operating Margin
We define non-GAAP loss from operations and non-GAAP operating margin as U.S. GAAP loss from operations and U.S. GAAP operating margin, respectively, excluding stock-based compensation expense and its related employer payroll taxes, amortization of acquired intangible assets, and acquisition-related and other expenses. We exclude stock-based compensation expense which is a non-cash expense, from certain of our non-GAAP financial measures because we believe that excluding this item provides meaningful supplemental information regarding operational performance. We exclude employer payroll tax expenses related to stock-based compensation, which is a cash expense, from certain of our non-GAAP financial measures, because such expenses are dependent upon the price of our common stock and other factors that are beyond our control and do not correlate to the operation of our business. We exclude amortization of acquired intangible assets, which is a non-cash expense, related to business combinations from certain of our non-GAAP financial measures because such expenses are related to business combinations and have no direct correlation to the operation of our business. We exclude acquisition-related and other expenses from certain of our non-GAAP financial measures because such expenses are related to business combinations and have no direct correlation to the operation of our business. Acquisition-related and other expenses can be cash or non-cash expenses incurred in connection with the acquisition, and include third-party transaction costs and compensation expense for key acquired personnel.
Year Ended December 31,
202020192018
(dollars in thousands)
Loss from operations$(106,768)$(107,946)$(84,899)
Add:
Stock-based compensation expense and related employer payroll taxes
63,516 36,627 27,347 
Amortization of acquired intangible assets3,081 125 517 
Acquisition-related and other expenses$6,279 $— $— 
Non-GAAP loss from operations
$(33,892)$(71,194)$(57,035)
Operating margin(25)%(38)%(44)%
Non-GAAP operating margin (non-GAAP loss from operations as a percentage of revenue)
(8)%(25)%(30)%
Free Cash Flow and Free Cash Flow Margin
Free cash flow is a non-GAAP financial measure that we calculate as net cash provided by (used in) operating activities less cash used for purchases of property and equipment and capitalized internal-use software. Free cash flow margin is calculated as free cash flow divided by revenue. We believe that free cash flow and free cash flow margin are useful indicators of liquidity that provide information to management and investors about the amount of cash generated from our operations that, after the investments in property and equipment and capitalized internal-use software, can be used for strategic initiatives, including investing in our business, and strengthening our financial position. We believe that historical and future trends in free cash flow and free cash flow margin, even if negative, provide useful information about the amount of cash generated (or consumed) by our operating activities that is available (or not available) to be used for strategic initiatives. For example, if free cash flow is negative, we may need to access cash reserves or other sources of capital to invest in strategic initiatives. One limitation of free cash flow and free cash flow margin is that they do not reflect our future contractual commitments. Additionally, free cash flow does not represent the total increase or decrease in our cash balance for a given period.

71

Year Ended December 31,
202020192018
(dollars in thousands)
Net cash used in operating activities
$(17,129)$(38,917)$(43,281)
Less: Purchases of property and equipment
(56,375)(43,289)(25,466)
Less: Capitalized internal-use software
(18,587)(13,990)(9,373)
Free cash flow
$(92,091)$(96,196)$(78,120)
Net cash used in investing activities
$(515,273)$(417,641)$(120,795)
Net cash provided by financing activities
$504,912 $570,768 $168,621 
Net cash used in operating activities (as a percentage of revenue)
(4)%(14)%(22)%
Less: Purchases of property and equipment (as a percentage of revenue)
(13)%(15)%(13)%
Less: Capitalized internal-use software (as a percentage of revenue)
(4)%(5)%(5)%
Free cash flow margin
(21)%(34)%(40)%
Key Business Metrics
In addition to our results determined in accordance with U.S. GAAP and the non-GAAP measures discussed above, we also review the key business metrics discussed below to assist us in evaluating our business, measuring performance, identifying trends, formulating business plans, and making strategic decisions. There are a number of limitations associated with the use of key business metrics as analytical tools, however, and we do not rely upon any single key business metric to evaluate our business. In addition, other companies, including companies in our industry, may calculate similarly-titled business metrics differently or may use other measures to evaluate their performance, all of which could reduce the usefulness of these business metrics as tools for comparison to such companies.
Beginning with the quarter ended March 31, 2020, we transitioned the method for calculating our key business metrics from a billings-based methodology to a revenue-based methodology. We believe the change in methodology to GAAP-based metrics provides improved disclosures for our investors by better aligning our key business metrics with GAAP and our financial statements and will provide a better representation of these important components of our operating model and business performance as we continue to grow our business.
Paying Customers
We believe our ability to grow the number of paying customers on our network provides a key indicator of growth of our business and our future business opportunities. We define a paying customer at the end of the quarter as a person or entity who has generated revenue during such quarter, excluding (i) customers that were not acquired through ordinary sales channels, (ii) customers using only our registrar product, and (iii) customers using our consumer applications, such as 1.1.1.1 and Warp, which agreements and customers together represent an insignificant amount of our revenue. An entity is defined as a company, a government institution, a non-profit organization, or a distinct business unit of a large company that has an active contract with us or one of our partners. The number of paying customers was 111,183, 84,154, and 72,823 for the three months ended December 31, 2020, 2019, and 2018, respectively.
Paying Customers (> $100,000 Annualized Revenue)
While we continue to grow customers across all sizes, over time, our large customers have contributed an increasing share of our revenue. We view the number of customers with Annualized Revenue greater than $100,000 as indicative of our penetration within large enterprise accounts. To measure Annualized Revenue at the end of a quarter, we take the sum of revenue for each customer in the quarter and multiply that amount by four. For example, if we signed a new customer that generated $1,800 of revenue in a quarter, that customer would account for $7,200 of Annualized Revenue for that year. Our Annualized Revenue calculation excludes (i) agreements that were not entered into through our ordinary sales channels, (ii) revenue generated from customers using only our registrar product, and (iii) customers using our consumer applications, such as 1.1.1.1 and Warp, which agreements and customers together represent an insignificant amount of our revenue. Our Annualized Revenue metric also includes any usage charges by a customer during a period, which represents a small portion of our total revenue
72

and may not be recurring. As a result, Annualized Revenue may be higher than actual revenue over the course of the year. The number of paying customers with Annualized Revenue greater than $100,000 was 828, 526, and 294 for the three months ended December 31, 2020, 2019, and 2018, respectively. We believe this trend will continue as customers increasingly adopt cloud technology and we are able to compete with an increasing share of our customers’ legacy hardware solutions by adding new capabilities to our global network.
Dollar-Based Net Retention Rate
Our ability to maintain long-term revenue growth and achieve profitability is dependent on our ability to retain and grow revenue generated from our existing paying customers. We believe that we will achieve these objectives by continuing to focus on customer loyalty and adding additional products and functionality to our network. Our dollar-based net retention rate is a key way we measure our performance in these areas. Dollar-based net retention measures our ability to retain and expand recurring revenue from existing customers. To calculate dollar-based net retention for a quarter, we compare the Annualized Revenue from paying customers four quarters prior to the Annualized Revenue from the same set of customers in the most recent quarter. Our dollar-based net retention includes expansion and is net of contraction and attrition, but excludes Annualized Revenue from new customers in the current period. Our dollar-based net retention excludes the benefit of free customers that upgrade to a paid subscription between the prior and current periods, even though this is an important source of incremental growth. We believe this provides a more meaningful representation of our ability to add incremental business from existing paying customers as they renew and expand their contracts. Our dollar-based net retention rates for the three months ended December 31, 2020, 2019, and 2018 were 119% for each of these periods.

Components of Our Results of Operations
Revenue
We generate revenue primarily from sales to our customers of subscriptions to access our network and products, together with related support services. Arrangements with customers generally do not provide the customer with the right to take possession at any time of our software operating our global network. Instead, customers are granted continuous access to our network and products over the contractual period. A time-elapsed output method is used to measure progress because we transfer control evenly over the contractual period. Accordingly, the fixed consideration related to subscription and support revenue is generally recognized on a straight-line basis over the contract term beginning on the date that the service is made available to the customer. Usage-based consideration is primarily related to fees charged for our customer’s use of excess bandwidth when accessing our network in a given period and is recognized as revenue in the period in which the usage occurs.
The typical subscription and support term for our contracted customers is one year and subscription and support term lengths range from one to three years. Most of our contracts with contracted customers are non-cancelable over the contractual term. Customers typically have the right to terminate their contracts for cause if we fail to perform in accordance with the contractual terms. For our pay-as-you-go customers, subscription and support terms are typically monthly.
Cost of Revenue
Cost of revenue consists primarily of expenses that are directly related to providing our service to our paying customers. These expenses include expenses related to operating in co-location facilities, network and bandwidth costs, depreciation of our equipment located in co-location facilities, certificate authority services costs for paying customers, related overhead costs, the amortization of our capitalized internal-use software, and the amortization of acquired developed technologies. Cost of revenue also includes employee-related costs, including salaries, bonuses, benefits, and stock-based compensation for employees whose primary responsibilities relate to supporting our paying customers. Other costs included in cost of revenue include credit card fees related to processing customer transactions and allocated overhead costs.
As our customers expand and increase the use of our global network and products driven by additional applications and connected devices, we expect that our cost of revenue will increase due to higher network and bandwidth costs and expenses related to operating in additional co-location facilities. However, we expect to continue to benefit from economies of scale as our customers increase the use of our global network and products. We intend to continue to
73

invest additional resources in our global network and products and our customer support organizations as we grow our business. The level and timing of investment in these areas could affect our cost of revenue in the future.
Gross Profit and Gross Margin
Gross profit is revenue less cost of revenue and gross margin is gross profit as a percentage of revenue. Our gross profit and gross margin have and are expected to continue to fluctuate from period to period due to the timing of acquisition of new customers and our renewals with existing customers, expenses related to operating in co-location facilities and network and bandwidth costs to operate and expand our global network, and amortization of costs associated with capitalized internal-use software. We expect our gross profit to increase in absolute dollars and our gross margin to remain consistent over the long term, although our gross margin could fluctuate from period to period depending on the interplay of all of these factors.
Operating Expenses
Sales and Marketing
Sales and marketing expenses consist primarily of employee-related costs, including salaries, benefits, and stock-based compensation expense, sales commissions that are recognized as expenses over the period of benefit, marketing programs, certificate authority services costs for free customers, travel-related expenses, bandwidth and co-location costs for free customers, and allocated overhead costs. Sales commissions earned by our sales force and the associated payroll taxes that are direct and incremental to the acquisition of channel partner and direct customer contracts are deferred and amortized over an estimated period of benefit of three years for the initial acquisition of a contract and over the contractual term of the renewals for renewal contracts. We plan to continue to invest in sales and marketing to grow our customer base and increase our brand awareness, including marketing efforts to continue to drive our pay-as-you-go business model. As a result, we expect our sales and marketing expenses to increase in absolute dollars for the foreseeable future. However, we expect our sales and marketing expenses to decrease as a percentage of our revenue over the long term, although our sales and marketing expenses may fluctuate as a percentage of our revenue from period to period due to the timing and extent of these expenses.
Research and Development
Research and development costs consist primarily of employee-related costs, including salaries, benefits, and stock-based compensation expense, consulting costs, depreciation of equipment used in research and development, and allocated overhead costs. Research and development costs support our efforts to add new features to our existing offerings and to ensure the security, performance, and reliability of our global network. We expect our research and development expenses to increase in absolute dollars for the foreseeable future as we continue to invest in research and development efforts to enhance the functionality of our global network and products. However, we expect our research and development expenses to decrease as a percentage of our revenue over the long term, although our research and development expenses may fluctuate as a percentage of our revenue from period to period due to the timing and extent of these expenses.
General and Administrative
General and administrative expenses consist primarily of employee-related costs, including salaries, benefits, and stock-based compensation expense for our finance, legal, human resources, and other administrative personnel, professional fees for external legal services, accounting, and other consulting services, bad debt expense, and allocated overhead costs. We expect our general and administrative expenses to continue to increase in absolute dollars for the foreseeable future to support our growth as well as due to additional costs associated with legal, accounting, compliance, insurance, investor relations, and other costs as a result of operating as a public company. However, we expect our general and administrative expenses to decrease as a percentage of our revenue over the long term, although our general and administrative expenses may fluctuate as a percentage of our revenue from period to period due to the timing and extent of these expenses.
Non-Operating Income (Expense)
74

Interest Income
Interest income consists primarily of interest earned on our cash, cash equivalents, and our investment holdings.
Interest Expense
Interest expense consists primarily of contractual interest expense and amortization of the discount and debt issuance costs on our $575.0 million aggregate principal amount of 0.75% Convertible Senior Notes due May 2025 (the Notes) that were issued in May 2020. Previously, interest expense consisted primarily of interest related to our built-to-suit lease financing obligation and interest on our notes payable.
Other Income (Expense), Net
Other income (expense), net consists primarily of gain on sale of property and equipment and foreign currency transaction gains and losses. The year ended December 31, 2019 also included expenses resulting from the revaluation of our redeemable convertible preferred stock warrant liability and its conversion upon the IPO.
Provision for (Benefit from) Income Taxes
Provision for (benefit from) income taxes consists primarily of income taxes in certain foreign jurisdictions in which we conduct business, as well as state income taxes in the United States. We maintain a full valuation allowance on our federal and state deferred tax assets as we have concluded that it is more likely than not that the deferred tax assets will not be realized.

Results of Operations
The following tables set forth our consolidated results of operations for the periods presented in dollars and as a percentage of our revenue for those periods:

Year Ended December 31,
202020192018
(in thousands)
Revenue$431,059 $287,022 $192,674 
Cost of revenue(1)
101,055 63,423 43,537 
Gross profit330,004 223,599 149,137 
Operating expenses:
Sales and marketing(1)
217,875 159,298 94,394 
Research and development(1)
127,144 90,669 54,463 
General and administrative(1)
91,753 81,578 85,179 
Total operating expenses436,772 331,545 234,036 
Loss from operations(106,768)(107,946)(84,899)
Non-operating income (expense):
Interest income6,588 5,787 1,895 
Interest expense(24,964)(1,112)(992)
Other income (expense), net171 (1,442)(2,091)
Total non-operating income (expense), net(18,205)3,233 (1,188)
Loss before income taxes(124,973)(104,713)(86,087)
Provision for (benefit from) income taxes(5,603)1,115 1,077 
Net loss$(119,370)$(105,828)$(87,164)
_______________
(1)Includes stock-based compensation expense as follows:

75

Year Ended December 31,
202020192018
(in thousands)
Cost of revenue$1,225 $716 $119 
Sales and marketing16,019 8,709 979 
Research and development26,090 13,037 1,532 
General and administrative13,000 14,165 24,717 
Total stock-based compensation expense$56,334 $36,627 $27,347 


Year Ended December 31,
202020192018
Percentage of Revenue Data:
Revenue
100 %100 %100 %
Cost of revenue23 22 23 
Gross margin
77 78 77 
Operating expenses:
Sales and marketing51 56 49 
Research and development30 32 28 
General and administrative21 28 44 
Total operating expenses
102 116 121 
Loss from operations
(25)(38)(44)
Non-operating income (expense):
Interest income
Interest expense(6)— (1)
Other income (expense), net— (1)(1)
Total non-operating income (expense), net
(4)(1)
Loss before income taxes