10-K 1 sail-10k_20171231.htm 10-K sail-10k_20171231.htm

 

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

 

FORM 10-K

 

(Mark One)

ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

For the fiscal year ended December 31, 2017

OR

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE TRANSITION PERIOD FROM                      TO                     

Commission File Number 001-38297

 

SailPoint Technologies Holdings, Inc.

(Exact name of Registrant as specified in its Charter)

 

 

Delaware

47-1628077

(State or other jurisdiction of

incorporation or organization)

(I.R.S. Employer
Identification No.)

 

 

11305 Four Points Drive, Building 2, Suite 100,

Austin, TX 78726

78726

(Address of principal executive offices)

(Zip Code)

Registrant’s telephone number, including area code: (512) 346-2000

 

Securities registered pursuant to Section 12(b) of the Act:

 

Title of each class

 

Name of each exchange on which registered

Common stock, par value $0.0001 per share

 

New York Stock Exchange

Securities registered pursuant to Section 12(g) of the Act:  None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes      No  

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Act. Yes      No  

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes     No  

Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Website, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the Registrant was required to submit and post such files). Yes      No  

Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K (§229.405 of this chapter) is not contained herein, and will not be contained, to the best of registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K.  

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or emerging growth company. See the definition of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.

Large accelerated filer

 

  

Accelerated filer

 

 

 

 

 

Non-accelerated filer

 

 (Do not check if a smaller reporting company)

  

Smaller reporting company

 

 

 

 

 

 

 

 

Emerging growth company

 

 

 

 

 

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.  

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes      No  

As of June 30, 2017, the last business day of the registrant’s most recently completed second fiscal quarter, the registrant’s equity was not listed on a domestic exchange or over-the-counter market.  The registrant’s common stock began trading on the New York Stock Exchange on November 17, 2017.

The registrant had 87,205,120 shares of common stock outstanding as of March 15, 2018.

 

 

 

 


Table of Contents

 

 

 

Page

PART I

 

Item 1.

Business

3

Item 1A.

Risk Factors

15

Item 1B.

Unresolved Staff Comments

44

Item 2.

Properties

44

Item 3.

Legal Proceedings

44

Item 4.

Mine Safety Disclosures

44

 

 

 

PART II

 

Item 5.

Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

45

Item 6.

Selected Financial Data

48

Item 7.

Management’s Discussion and Analysis of Financial Condition and Results of Operations

50

Item 7A.

Quantitative and Qualitative Disclosures About Market Risk

75

Item 8.

Financial Statements and Supplementary Data

77

Item 9.

Changes in and Disagreements with Accountants on Accounting and Financial Disclosure

112

Item 9A.

Controls and Procedures

112

Item 9B.

Other Information

113

 

 

 

PART III

 

Item 10.

Directors, Executive Officers and Corporate Governance

114

Item 11.

Executive Compensation

119

Item 12.

Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters

126

Item 13.

Certain Relationships and Related Transactions, and Director Independence

133

Item 14.

Principal Accounting Fees and Services

136

 

 

 

PART IV

 

Item 15.

Exhibits, Financial Statement Schedules

137

Item 16.

Form 10-K Summary

141

 

Signatures

142

 

 

 

i


 

SPECIAL NOTE ABOUT FORWARD-LOOKING STATEMENTS

This Annual Report on Form 10-K contains forward-looking statements within the meaning of the federal securities laws, which statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance. All statements of historical fact included in this Annual Report on Form 10-K regarding our strategy, future operations, financial position, estimated revenues and losses, projected costs, prospects, plans and objectives of management are forward-looking statements. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “potential” or “continue” or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans or intentions. When considering forward-looking statements, you should keep in mind the risk factors and other cautionary statements described in the section titled “Risk Factors” and elsewhere in this Annual Report on Form 10-K. These forward-looking statements are based on management’s current beliefs, based on currently available information, as to the outcome and timing of future events. Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:

 

 

our ability to attract and retain customers, including larger organizations;

 

our ability to deepen our relationships with existing customers

 

our expectations regarding our customer growth rate

 

our business plan and beliefs and objectives for future operations;

 

trends associated with our industry and potential market;

 

benefits associated with use of our platform and services;

 

our ability to develop or acquire new solutions, improve our platform and solutions and increase the value of our platform and solutions;

 

our ability to compete successfully against current and future competitors;

 

our ability to further develop strategic relationships;

 

our ability to achieve positive returns on investments;

 

our ability to acquire complementary businesses, products or technology;

 

our plans to further invest in and grow our business, and our ability to effectively manage our growth and associated investments;

 

our ability to timely and effectively scale and adapt our existing technology;

 

our ability to increase our revenue, our revenue growth rate and gross margin;

 

our ability to generate sufficient revenue to achieve and sustain profitability;

 

our future financial performance, including trends in revenue, cost of revenue, operating expenses, other income and expenses, income taxes, billings and customers;

 

the sufficiency of our cash and cash equivalents and cash generated from operations to meet our working capital and capital expenditure requirements;

 

our ability to raise capital and the loans of those financings;

 

our ability to attract, train and retain qualified employees and key personnel;

 

our ability to maintain and benefit from our corporate culture;

 

our ability to successfully identify, acquire and integrate companies and assets;

 

our ability to successfully enter new markets and manage our international expansion; and

 

our ability to maintain, protect and enhance our intellectual property and not infringe upon others’ intellectual property.

 

1


 

We caution you that the foregoing list may not contain all of the forward-looking statements made in this Annual Report on Form 10-K.

 

You should not rely upon forward-looking statements as predictions of future events. We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations and prospects. The outcome of the events described in these forward-looking statements is subject to risks, uncertainties and other factors described in the section titled “Risk Factors” and elsewhere in this Annual Report on Form 10-K. Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this Annual Report on Form 10-K. We cannot assure you that the results, events and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.

 

The forward-looking statements made in this Annual Report on Form 10-K relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this Annual Report on Form 10-K to reflect events or circumstances after the date of this Annual Report on Form 10-K or to reflect new information or the occurrence of unanticipated events, except as required by law. We may not actually achieve the plans, intentions or expectations disclosed in our forward-looking statements and you should not place undue reliance on our forward-looking statements. Our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures or investments we may make.

 

2


 

PART I

ITEM 1. BUSINESS

Our Vision

Our fundamental belief is that identity is power. Our mission is to enable enterprises to grow and innovate, securely and efficiently. To do so, we have created our open identity platform that empowers users and governs their access to applications and data across complex, hybrid IT environments.

Overview

SailPoint is the leading provider of enterprise identity governance solutions. Our team of visionary industry veterans launched SailPoint to empower our customers to efficiently and securely govern the digital identities of employees, contractors, business partners and other users, and manage their constantly changing access rights to enterprise applications and data. Our open identity platform provides organizations with critical visibility into who currently has access to which resources, who should have access to those resources, and how that access is being used. We offer both on-premises software and cloud-based solutions, which provide organizations with the intelligence required to empower users and govern their access to applications and data across hybrid IT environments, whether comprised of on-premises, cloud or mobile applications. We help customers enable their businesses with more agile and innovative IT, enhance their security posture and better meet compliance and regulatory requirements. Our customers include many of the world’s largest and most complex organizations, including commercial enterprises, educational institutions and governments.

Organizations globally are investing in technologies such as cloud computing and mobility to improve employee productivity, business agility and competitiveness. Today, enterprise environments are more open and interconnected with their business partners, contractors, vendors and customers. Business users have driven a dramatic increase in the number of applications and data that organizations need to manage, much of which sits beyond the traditional network perimeter. Because of these trends, the attack surface is expanding while well-funded cyber attackers have significantly increased the frequency and sophistication of their attacks. As a result, IT professionals need to manage and secure increasingly complex hybrid IT environments within these extended enterprises.

Attackers frequently target the identity vector as it allows them to leverage user identities to gain access to high-value systems and data while concealing their activity and movements within an organization’s IT infrastructure. The consequences of a data breach can be extremely damaging, with organizations facing significant costs to remediate the breach and repair brand and reputational damage. In addition, governments and regulatory bodies have increased efforts to protect users and their data with a new wave of regulatory and compliance measures that are further burdening organizations and levying severe penalties for non-compliance. As a result of these trends, enterprises are struggling to efficiently manage and secure their digital identities.

We believe that our open identity platform is a critical, foundational layer of a modern cyber security strategy that complements and builds upon traditional perimeter- and endpoint-centric security solutions, which on their own are increasingly insufficient to secure organizations, and their applications and data. We deliver a user-centric security platform that combines identity and data governance solutions to form a holistic view of the enterprise. In combination with our technology partners, we create identity awareness throughout our customers’ environments by providing valuable insights into, and incorporating information from, a broad range of enterprise software and security solutions. Our governance platform provides a system of record for digital identities across our customers’ IT environments while allowing them to remain agile and competitive. Our adaptable solutions integrate seamlessly into existing technology stacks, allowing organizations to maximize the value of their technology investments. Our professionals work closely with customers throughout the implementation lifecycle, from documentation to development to integration.

3


 

Our solutions address the complex needs of global enterprises and mid-market organizations. Our go-to-market strategy consists of both direct sales and indirect sales through resellers, such as Optiv, and system integrators. Our mature system integrator channel includes global consultants such as Accenture, Deloitte, KPMG and PwC, all of whom have dedicated SailPoint practices, with some dating back more than 7 years. As of December 31, 2017, 933 customers across a wide variety of industries were using our products to enable and secure digital identities across the globe.

Our Growth Strategy

Key investments we are making to drive growth include:

 

Driving new customer growth within existing geographic markets. Based on data from S&P Global Market Intelligence, we believe we have penetrated less than 2% of the approximately 65,000 companies in the countries where we have customers today. As a result, there is a significant opportunity to expand our footprint through both new, greenfield installations and displacement of competitive legacy solutions. We plan to expand our customer base in these countries by continuing to grow our sales organization, expand and leverage our channel partnerships and enhance our marketing efforts.

 

Continuing to expand our global presence. We believe there is a significant opportunity to grow our business internationally. Enterprises around the world are facing similar operational, security and compliance challenges, driving the need for identity governance. Although we have personnel in 24 countries and customers in 39 countries as of December 31, 2017, we generated only 28% of our revenue outside of the United States in 2017.  We plan to leverage our existing strong relationships with global system integrators and channel partners to grow our presence in Europe, Asia Pacific and other international markets.

 

Further penetrating our existing customer base. Our customer base of 933, as of December 31, 2017, provides a significant opportunity to drive incremental sales. Our customers have the flexibility to start with a single use case or project and expand over time. As they realize the value of their investment, new use cases and deployments are identified, allowing us to sell more products to existing customers and to expand the number of identities we cover within their organizations. We believe strong customer satisfaction is fundamental to our ability to expand our customer relationships. To support this endeavor, we have a dedicated team that is focused on customer success and has been instrumental in further penetrating our existing customer base.

 

Expanding market and product investment across new and existing vertical markets. We believe there is significant opportunity to further penetrate our target vertical markets by providing vertical-specific identity solutions and focusing our marketing efforts to address the use cases of those customers. With this approach, we believe we will be better able to address opportunities in key industries, such as financial services, healthcare and federal, state and local government.

 

Leveraging and expanding our network of partners. Our partnerships with global system integrators, such as Accenture, Deloitte, KPMG and PwC, and resellers, such as Optiv, have helped us extend our reach and serve our customers more effectively. We see a significant opportunity to offer comprehensive solutions to customers by collaborating with adjacent technology vendors. For example, we collaborate with leading access management vendors by adding our identity governance capabilities to their access management services. We intend to continue to invest in our partnership network as their influence on our sales is vital to the success of our business.

 

Continuing to invest in our platform. Innovation is a core part of our culture. We believe we have established a reputation as a technology leader and innovator in identity governance. In 2017, we released IdentityAI, an innovative identity analytics solution that provides customers with the real-time visibility they need to understand the risk associated with user access and detect anomalous behavior. As we have done in the past, we intend to continue investing to extend our position as the leader in identity governance by developing or acquiring new products and technologies.

4


 

Product, Subscription, and Support Offerings

We deliver an integrated set of products to address identity governance challenges for medium and large enterprises. This set of products supports all aspects of identity governance including provisioning, access request, compliance controls, password management, identity governance for data stored in files and identity analytics.

Our products deliver governance across the hybrid enterprise, extending from the mainframe to the cloud. We provide over 100 out-of-the-box connectors to enterprise applications such as SAP and Workday, which automate the collection and provisioning of identity data. We also provide governance over infrastructure components such as operating systems, directories, and databases and over vertical solutions such as Epic in the healthcare provider market.

Our solutions are built on our open identity platform which enables connectivity to a variety of security and operational IT applications such as access management (e.g., Microsoft, Okta and VMware), IT service management solutions (e.g., BMC Remedy and ServiceNow), privileged access management (e.g., CyberArk), enterprise mobility management (EMM), security information and event management (SIEM) and data loss prevention (DLP) solutions. Our open identity platform extends the reach of our identity governance processes across customer environments and collects additional information to improve the application of identity governance controls.

IdentityIQ

IdentityIQ is our on-premises identity governance solution. It provides large, complex enterprise customers a unified and highly configurable identity governance solution that consistently applies business and security policies as well as role and risk models across applications and data on-premises or hosted in the cloud. IdentityIQ enables organizations to:

 

Empower users to request and gain access to enterprise applications and data;

 

Automate provisioning across the user lifecycle, from on-boarding, to transfers and promotions to off-boarding by simplifying processes for creating, modifying and revoking access;

 

Enable business users to reset their passwords via self-service tools without the need for IT involvement;

 

Provide on-demand visibility to IT, business and risk managers into “who has access to what resources” to help make business decisions, improve security and meet audit requirements;

 

Improve security and eliminate common weak points associated with data breaches, including weak passwords, orphaned accounts, entitlement creep and segregation-of-duties policy violations; and

 

Manage compliance using automated access certifications and policy management.

We package and price IdentityIQ into modules with unique functionality, including:

 

Lifecycle Manager: This module provides a business-oriented solution that delivers access securely and cost effectively. The self-service access request capabilities feature an intuitive user interface that empowers business users to take an active role in managing changes to their access while greatly reducing the burden on IT organizations. Automated provisioning manages the business processes of granting, modifying and revoking access throughout a user’s lifecycle with an organization, whether that user is an employee, contractor or business partner. Changes to user access can be automatically provisioned via a large library of direct connectors for applications such as Workday and SAP or synchronized with IT service management solutions such as ServiceNow.

 

Compliance Manager: This module enables the business to improve compliance and audit performance while lowering costs. It provides business user friendly access certifications and automated policy management controls (e.g., segregation of duty violation reporting) that are designed to simplify and streamline audit processes across all applications and data. Built-in audit reporting and analytics give IT, business and audit teams visibility into, and management over, all compliance activities in the organization.

5


 

 

Password Manager: This module delivers a simple-to-use solution for managing user passwords to reduce operational costs and boost productivity. End users are empowered with a self-service interface for updating or resetting their password without having to contact the help desk. Configurable strong password policies enforce consistent security controls across on-premises and cloud applications. Password Manager has the capability to synchronize password changes across multiple applications so they remain consistent at all times.

IdentityNow

IdentityNow is our cloud-based, multi-tenant identity governance suite, which is delivered as a subscription service. IdentityNow provides customers with a set of fully-integrated services for compliance, provisioning and password management for applications and data hosted on-premises or in the cloud. IdentityNow meets the most stringent identity governance requirements and provides enterprise-grade services that meet scalability, performance, availability and security demands. IdentityNow provides the same benefits as IdentityIQ, but additionally enables organizations to:

 

Automate identity governance processes in one unified solution delivered from the cloud;

 

Accelerate deployment with built-in best practice policies, options and default settings; and

 

Eliminate the need to buy, deploy and maintain hardware and software to run an identity governance solution.

We package and price IdentityNow into services with unique functionality, including:

 

Cloud Platform: IdentityNow provides foundational components for identity governance in the cloud, including production and sandbox instances and the IdentityNow Cloud Gateway virtual appliance, which leverages our patented method for integrating with on-premises applications and data. IdentityNow also includes a large catalog of pre-built connectors and application profiles to on-premises and cloud applications, leveraging the intellectual property developed for IdentityIQ.

 

User Provisioning: This module enables business users to be productive from day one. With IdentityNow user provisioning, organizations can streamline the on-boarding and off-boarding process with best practice configurations and workflows, enabling IT to immediately grant employees access to the applications and data they need to do their jobs.

 

Access Request: This module empowers the entire enterprise with a robust self-service solution for requesting and approving access to applications and data. Automating the access request process quickly delivers business users the access they need to do their jobs.

 

Access Certifications: This module automates the process of reviewing user access privileges across the organization. Using IdentityNow, organizations can quickly plan, schedule and execute certification campaigns to ensure the right users have the appropriate access to corporate resources.

 

Password Management: This module offers business users an intuitive, self-service experience for managing and resetting passwords from any device and from anywhere. This service enforces consistent and secure password policies for all users across all systems from the cloud to the data center.

6


 

SecurityIQ

Our on-premises identity governance for files solution, SecurityIQ, secures access to the growing amount of data stored in file servers, collaboration portals, mailboxes and cloud storage systems. SecurityIQ helps organizations identify where sensitive data resides, who has access to it, and how they are using it—and then puts effective controls in place to secure it. Today, SecurityIQ is designed to interoperate with IdentityIQ to provide comprehensive visibility and governance over user access to unstructured data. By augmenting identity data from structured systems with data from unstructured data targets, organizations can more quickly identify and mitigate risks, spot compliance issues and make the right decisions when granting or revoking access to sensitive data. SecurityIQ enables organizations to:

 

Improve IT staff productivity by empowering the business to govern user access to unstructured data;

 

Unify identity governance for structured and unstructured data processes and policies;

 

Mitigate risk of inappropriate access to data stored in files whether on-premises or in the cloud;

 

Improve audit performance through automation of manual compliance activities such as access certifications; and

 

Decrease operational costs by optimizing storage resources.

We package and price SecurityIQ by target storage systems, which include file shares, SharePoint, Exchange, Active Directory and cloud storage solutions (e.g., Box). The following core capabilities are provided across all storage systems:

 

Data Discovery and Classification: SecurityIQ allows businesses to rapidly find and classify sensitive unstructured data stored in files located on-premises and in cloud file shares. Once identified, SecurityIQ collects and analyzes user permissions that grant access to each file and proactively flags issues for resolution. In addition, SecurityIQ provides visibility to when users access sensitive data, creating a 360-degree view of who has access and how that access is being used.

 

Policy Controls: SecurityIQ enables organizations to implement automated policy controls over user access to unstructured data. Through policy enforcement, SecurityIQ governs who gets access to what documents and file shares. Intuitive and actionable dashboards help data owners track and eliminate identified risk exposures and manage all data access requests.

 

Risk Remediation: SecurityIQ provides comprehensive options for remediating risks and optimizing file storage. The policy-based remediation model flags questionable user behavior and immediately alerts unstructured data owners to take action.

 

Compliance Automation: SecurityIQ streamlines compliance processes associated with privacy and data protection. The access certification capability allows organizations to review and approve ongoing user access to unstructured data, regardless of where it is stored. Interactive reports make it easy for compliance and audit teams to meet regulatory requirements, such as GDPR and HIPAA.

IdentityAI

To help organizations detect potential threats before they turn into security breaches, we released in 2017 a new identity analytics solution, IdentityAI. Using machine learning technologies, IdentityAI analyzes identity data, such as account and entitlement assignments, combined with real-time activity information, to identify suspicious or anomalous behaviors. As a result, customers will gain a much deeper understanding of the risk associated with user access, allowing them to focus their governance controls to reduce that risk. We are continuing development of IdentityAI to enable organizations to:

 

Improve operational efficiency of the IT organization and business productivity by automating identity governance activities for routine and low-risk access;

 

Detect and alert on anomalous behaviors and potential threats using artificial intelligence technology;

7


 

 

Scan massive amounts of identity data to identify risks without having to rely on a team of security experts; and

 

Classify behavioral threats and focus controls on high-risk scenarios and conditions.

We are continuing to develop IdentityAI to provide the following core capabilities:

 

Audit: IdentityAI tracks user access over time to determine historical patterns for individual digital identities. This allows for the system to quickly identify abnormal user access or activity patterns.

 

Peer Group Analysis: IdentityAI dynamically builds peer groups based on user attributes and access patterns. Peer group analysis is then used to identify outliers which may pose additional risk due to out-of-band or exceptional access privileges.

 

Behavioral Analysis: IdentityAI monitors user behaviors, including access requests and approvals and application access events, at individual and peer group levels to baseline normal patterns and alert when anomalies are detected.

 

Risk Assessment: IdentityAI leverages machine learning algorithms to create a dynamic risk model that automatically evolves as data changes. Risk scores are used to identify potential threats and tune identity controls to focus on high-risk users and events while deprioritizing low-risk activities.

Technology

Our comprehensive, enterprise-grade identity governance platform is the result of both years of investment and the expertise of the company’s management and technical teams. Taking the lessons learned from our experiences with prior generation identity solutions, our engineers and architects designed a modern identity platform with internet scale, comprehensive hybrid environment coverage, and openness to optimize customers’ existing technology investments.

Identity Cube Technology

Our Identity Cube technology establishes the 360-degree control essential to govern and secure digital identities in today’s complex IT environments. Our extensive data modeling capabilities allow us to understand how each identity relates to the full IT environment, whether on-premises or in the cloud. SailPoint’s account correlation and orphan account management capabilities allow IT security professionals and business managers to track and monitor the accounts that are most frequently under attack.

Identity Cubes track all relevant information about an identity and its relationships to applications and data. They create the “identity context” which is key to an identity-aware infrastructure in which identity information is shared across the extended enterprise. With identity context, operational and security systems can make informed decisions about access and perform key remediation and change requests on our open identity platform via our standardized APIs and SDKs.

Model-Based Governance

Our model-based governance engine sits at the center of our platform and provides a comprehensive understanding of both the current state of who currently has access to what as well as the desired state of who should have access to what. The governance engine is responsible for managing the ongoing process of aligning these two states.

Governance and control models are used to drive our policy-based reconciliation service and to define how reconciliation and provisioning fulfillment actions are executed. These models are designed with graphical tools, enabling IT and business users to own and define the reconciliation and fine-grained access provisioning fulfillment processes for applications and data.

8


 

Provisioning Broker

Our provisioning broker provides separation between identity processes at the business level (e.g., requesting access to an application) and the actual fulfillment of that request on the target system. The provisioning broker is a specialized business process workflow execution engine that manages long-running provisioning tasks and provides tracking, monitoring and statistics for the end-to-end fulfillment process.

The decoupling capability of the provisioning broker maximizes our customers’ flexibility and allows for the reuse of their existing IT investments. For example, if access to an application can only be provided manually through the opening of a help desk ticket, the provisioning broker will send that request to the help desk and report back on the status of that request. Likewise, if a customer utilizes a legacy provisioning system, the provisioning broker can pass off a request to that legacy system for fulfillment. In addition, the provisioning broker provides us with a unique migration strategy for customers moving from a legacy system to our identity governance solutions.

Enterprise-Grade Cloud Gateway

To manage on-premises infrastructure, applications and data from the cloud, we employ a Cloud Gateway Server (“CGS”), delivered as virtual machine behind the customer’s firewall, which ensures that all SailPoint communications are highly secure. Our CGS technology is a high availability, secure, self-managed container that allows for controlled and automated updates of our connector infrastructure while ensuring the integrity of individual on-premises and cloud connections.

Our CGS also provides an innovative and patented approach to protecting our customer’s credentials. Our “zero-knowledge encryption” technology allows us to store all of a customer’s passwords and security credentials inside the CGS behind their firewall. As a result, we protect the confidentiality of our customers’ system and end-user credentials, even if our cloud service provider were to be breached.

Data Ownership Assessment and Election

Verifying the business end-user who is the logical owner of information is a key challenge in managing growing volumes of unstructured data in the enterprise. We have developed a patent-pending approach to determine the rightful owner of files so they can be integrated into governance control processes, such as access certifications and access approvals. Our solution leverages profile data to determine logical owners of information based on identity attributes and usage data. Once a set of logical owners is identified, we use a crowd-sourcing approach to allow other users familiar with the data to vote on the rightful owner of the file or file storage location. This enables organizations to efficiently identify and designate specific owners for sensitive information stored in files and incorporate them into identity governance processes.

Connectivity for the Hybrid IT Environment

Our extensive library of over 100 proprietary connectors provides interfaces to on-premises and cloud applications. These connectors are the means by which we provide governance over target systems. We support granular management of a wide range of systems, from mainframe security managers, including CA ACF2 and Top Secret, IBM and RACF, to traditional enterprise applications, including Oracle E-Business Suite and SAP, and pure SaaS business applications, such as Microsoft Office365, Salesforce and ServiceNow. The same connectors are used for both our on-premises and cloud-based products. This allows both solutions to leverage fully the over 400-man years we have invested in developing these connectors.

Open and Extensible Identity Platform

Our open identity platform is the result of over a decade of investment. Recognizing identity governance is at the center of critical enterprise business and IT processes, we developed a comprehensive set of services that go beyond simple APIs. In addition to our comprehensive API strategy, we deliver SDKs and plug-in frameworks which allow our partners and customers to create their own integrations and extensions to our core product capabilities. For example, we leverage our open identity platform to integrate with third-party user provisioning solutions, such as IBM Security Identity Manager and Oracle Identity Manager, and service desk solutions, such as BMC Remedy and ServiceNow, to implement account change requests. This enables SailPoint to govern access and provide identity context to downstream processes managed by these solutions. We also collect activity and other information from third-party solutions to improve risk analytics and identity governance processes in our products.

9


 

Our APIs and SDKs are compliant with System for Cross-domain Identity Management (“SCIM”) and both provide standards-based bi-directional runtime access to our identity context model. Many such integrations and extensions have already been built by partners and certified for commercialization on our open identity platform.

Customers

We have 933 customers in 39 countries, as of December 31, 2017. In the years ended December 31, 2017, 2016, and 2015, we generated 28%, 30% and 33%, respectively, of our revenue outside of the United States. No single customer represented more than 10% of our revenue for the years ended December 31, 2017, 2016 or 2015.

Sales and Marketing

Sales

We sell our platform through our direct sales organization, which is comprised of field and inside sales personnel, as well as through channel partners. Our sales strategy relies on a “land-and-expand” business model, in which our initial deployment with a new customer typically addresses a limited number of use cases within a single business unit. Such initial deployments frequently expand across departments, divisions and geographies through a need for additional users, increased usage or extended functionality. As we expand our portfolio of solutions within our platform, we execute a growing number of “combination” deals that include two to three of our products in the initial transaction.

Our sales force is structured by geography, customer size, status (customer or prospect) and industry. By focusing some of our sales representatives on the specific needs of vertical industries, we have been able to drive significant results and establish ourselves as the identity governance leader for that industry. Our global sales organization is comprised of quota-carrying sales representatives supported by market development representatives, sales engineers, partner managers, product and technical specialists and architects.

Partners constitute an essential part of our selling model. We have established a model designed to create zero conflict, and typically include our partners in all of our training and enablement efforts, including our semiannual sales kick-off events. As a result, our indirect sales model, executed through our global and regional system integrators, technology partners and value-added resellers, is a key factor in our overall success.

Marketing

Our marketing strategy is focused on building a strong brand through differentiated messaging and thought leadership, educating the market on the importance of identity, communicating our product advantages and generating pipeline for our sales force. Our data-driven approach to marketing is tightly aligned to our sales and channel strategy and provides agility to leverage market opportunities as they arise. Our awareness efforts focus on branding, content marketing, public and analyst relations and social media, including blogs and bylines. Educational and pipeline maturation programs include global email campaigns and webinars, security events and customers round tables. Pipeline generation and maturation efforts focus on local events in our three major geographies: (i) Americas, (ii) Europe, the Middle East and Africa (EMEA) and (iii) Asia-Pacific (APAC). Audiences for such events are typically IT and security professionals, including CIOs and CISOs. We host an annual user conference that brings together customers, prospects and our partners to learn about our platform as well as network and share best practices with each other. Our user conferences demonstrate our strong commitment to enabling our customers to succeed, while also serving as an opportunity to create pipeline for new sales to prospective customers and additional sales to existing customers.

10


 

Professional Services and Maintenance and Customer Support

Professional Services

We are primarily focused on ensuring that our professional services partners, who perform a majority of the implementations for our customers, are able to implement our solutions successfully. We provide “expert services” to partners and customers, including deployment best practices, architecture and code reviews, real time technical training, and complex implementation assistance. We provide instructor-led courses, self-paced e-learning and on-site training. We expect the use of SailPoint University, our e-learning service introduced in 2016, to grow at an accelerated pace in the coming years, making it more accessible for customers and partners to get trained on our products. We also lead direct implementations when requested by a customer. We believe our investment in professional services, as well as the investment our partners are making to grow their SailPoint professional services practices, will drive increased adoption of our platform.

Maintenance and Customer Support

Our customers receive one year of software maintenance as part of their initial purchase of our on-premises solutions, and may renew their maintenance agreement following the initial period. Our cloud-based solutions include customer support. For our on-premises solutions, our maintenance provides customers with the right to receive major releases of their purchased solutions, maintenance releases and patches and access to our technical support services during the term of the agreement. We provide our cloud-based solutions customers with technical support services and all aspects of infrastructure support. We maintain a customer support organization, which includes experienced, trained engineers, that offers multiple service levels for our customers based on their needs. These customers receive contractual response times, telephonic support and access to online support portals. Our highest levels of support provide 24x7x365 support for critical issues. Our customer support organization has global capabilities, a deep expertise in our solutions and, through select support partners, is able to deliver support in multiple languages.

Customer Success Management

Our customer success strategy centers around our investment in, and ownership of, the post-sale experience for our customers. Every customer has a dedicated Customer Success Manager (“CSM”), who is responsible for ensuring that return on investment and business results, committed during the sales cycle, are achieved. Through proactive and regular engagements, the CSM makes sure every customer is satisfied and is using their SailPoint products or services optimally. When necessary, the CSM coordinates cross-departmental resources to remove any barrier to success. In addition, our customer success team utilizes customer data to identify and present any cross-sell or upsell solutions aligned to a customer’s business objectives, thereby contributing to revenue expansion and increased product penetration. By proactively managing customer relationships, our CSM team nurtures client advocates, who become a powerful asset in closing new business.

Partnerships and Strategic Relationships

As a core part of our strategy, we have cultivated strong relationships with partners to help us increase our reach and influence, while providing a broader distribution of our software platform. We have developed a large partner network consisting of technology partners, system integrators, a growing network of value-added resellers and our G4 Alliance partners (Accenture, Deloitte, KPMG and PwC). In fact, over 80% of our new customer transactions involved our partners. We believe that our extensive partnership network enables us to provide the most complete identity governance solution to our customers.

Technology Partners

We have partnered with industry leaders across a spectrum of technologies that enable organizations to integrate their entire security and operational infrastructure into our platform so that breaches can be better identified, mitigated and contained, and operations can be streamlined. We believe that solutions from companies such as CyberArk, Informatica, Microsoft, MobileIron, ServiceNow and VMware that are plugged into our open identity platform through APIs provide our customers value-added capabilities to build an identity-aware enterprise.

11


 

Value-Added Resellers

Value-added resellers bring product expertise and implementation best practices to our customers globally. They provide vertical expertise and technical advice in addition to reselling or bundling our software. All of our reseller partners have been trained to demonstrate and promote our identity platform. Our reseller channel ranges from large companies, like Optiv, to regional resellers in our markets and territories. Our reseller program is designed to scale growth, help generate new opportunities, optimize customer experience and increase profitability as well as sales efficiency.

System Integrators

We partner with many large and global system integrators. We have partnerships with global advisory firms such as Deloitte, KPMG and PwC, with global system integrators such as Accenture, Infosys and Tata, and with many regional system integrators in all three of our geographies. The focus of our system integrators program is to deliver pipeline growth and bookings, to help partners drive self-sufficiency and to foster transparency and collaboration through shared assets and resources. We have implemented joint business controls and metrics that provide a platform for discussion and partnership development and help us optimize our program and unified value proposition.

Identity+ Alliance

The SailPoint Identity+ Alliance is a technology partnering network that leverages familiar standards and methods—like SQL, SCIM and Representational State Transfer (REST)—that make it easy to share identity context and configure identity-specific policies across disparate systems. For example, when Privileged Account Management (PAM) systems are integrated with our solutions, enterprises can conduct regular audits of privileged users and automatically remediate any policy violations. Program offerings include access to SailPoint SDKs and APIs, developer support, and cloud-based certification services. After two years, the Identity+ Alliance comprises over thirty technology and implementation partners and has produced over ten certified solutions.

Research and Development

Innovation is one of our core values, and it is at the heart of how we think and do business. We believe ongoing and timely development of new products and features is imperative to maintaining our competitive position. We continue to invest in both our cloud and on-premises solutions across our global innovation centers in Austin, Texas, Pune, India and Tel Aviv, Israel. Additionally, we have made significant investment in our connectors business, which is a key enabler to our open identity platform. As of December 31, 2017, our research and development team had 244 employees. For the years ended December 31, 2017, 2016 and 2015, our research and development expenses totaled approximately $33.3 million, $24.4 million and $20.0 million, respectively.

As part of our relentless drive toward innovation and technical market leadership, we created SailPoint Labs in 2011. SailPoint Labs is a dedicated, stand-alone technology investigation and engineering group that sits outside of the company’s core product development and delivery teams. The Labs team has two specific charters: Labs Research, which is focused on forward-looking technology prototyping, and targets mid-to-long term product enhancements and new service offerings; and Labs Runtime, which is focused on performance and scalability testing and ensuring that we deliver the best possible solutions. Examples of Labs Research prototypes that went into production are our plugin framework, our AD password recovery technology and our recent Privileged Account Management Integration module. In addition, the Labs Research team co-authored the SCIM open standard, which provides for an automated exchange of user identity information between identity domains, or IT systems. The Labs Runtime team is responsible for developing and continually advancing the performance and scalability of our products and solutions by establishing benchmarks and best practices for high-performance and extreme scalability scenarios.

12


 

Competition

We operate in a highly competitive market characterized by constant change and innovation. Our competitors include large enterprise software vendors such as CA Technologies, IBM and Oracle; pure-play data access governance vendors such as Varonis; and companies of varying sizes that offer less-comprehensive solutions, which compete with individual features of our platform. We believe the principal competitive factors in our market include:

 

Reliability and effectiveness in implementing identity governance policies;

 

Comprehensiveness of visibility provided by implemented identity governance policies;

 

Ability to deploy in hybrid IT environment;

 

Adherence to government and industry regulations and standards;

 

Comprehensiveness and interoperability of the solution with other IT and security applications;

 

Scalability and performance;

 

Ability to innovate and respond to customer needs rapidly;

 

Quality and responsiveness of support organizations;

 

Total cost of ownership;

 

Ease of use; and

 

Customer experience.

Some of our competitors have significantly greater financial, technical, and sales and marketing resources, as well as greater name recognition and more extensive geographic presence than we do. However, we believe we compete favorably with our competitors on the basis of all the factors above.

Intellectual Property

Our success depends in part on our ability to protect our intellectual property. We rely on copyrights and trade secret laws, confidentiality procedures, employment proprietary information and inventions assignment agreements, trademarks and patents to protect our intellectual property rights. We also license software from third parties for integration into our product solutions, including open source software and other software available on commercially reasonable terms.

We control access to and use of our product solutions and other confidential information through the use of internal and external controls, including contractual protections with employees, contractors, customers and partners, and our software is protected by U.S. and international copyright and trade secret laws. Despite our efforts to protect our trade secrets and proprietary rights through intellectual property rights, licenses and confidentiality agreements, unauthorized parties may still copy or otherwise obtain and use our software and technology.

We have three issued patents and three patent applications pending in the United States relating to certain aspects of our technology. Our issued patents expire in 2034 and 2036. We cannot assure you whether any of our patent applications will result in the issuance of a patent or whether the examination process will require us to narrow our claims. Any of our existing patents and any that may issue may be contested, circumvented, found unenforceable or invalidated, and we may not be able to prevent third parties from infringing them. In addition, we have international operations and intend to continue to expand these operations, and effective patent, copyright, trademark and trade secret protection may not be available or may be limited in foreign countries.

Legal Proceedings

We are not currently a party to any material legal proceedings. We are not aware of any inquiries or investigations into our business.

13


 

Employees

As of December 31, 2017, we had a total of 806 employees, including 244 involved in research and development activities, 264 in our sales and marketing organization, and 211 in professional services and customer support. 33% of these employees are located outside of the United States. We consider our employee relations to be good and we have not experienced employee litigation or a work stoppage.

Segments and Geographic Areas

We operate as one operating segment. Our chief operating decision maker is our chief executive officer, who reviews financial information presented on a consolidated basis for purposes of making operating decisions, assessing financial performance and allocating resources. Because we operate as one operating segment, all required financial segment information can be found in the consolidated financial statements.

Please see Note 16 of our accompanying Notes to Consolidated Financial Statements included in Part II, Item 8 of this Annual Report on Form 10-K for financial information by geographic area.

Corporate Information

SailPoint Technologies Holdings, Inc. was incorporated in the state of Delaware on August 8, 2014, in preparation for the purchase of SailPoint Technologies, Inc. The purchase occurred on September 8, 2014 and our certificate of incorporation was amended and restated as of such date. SailPoint Technologies, Inc. was formed July 14, 2004 as a Delaware corporation

Our principal executive offices are located at 11305 Four Points Drive, Building 2, Suite 100, Austin, Texas 78726, and our telephone number at that address is (512) 346-2000. Our website address is www.sailpoint.com. Information contained on, or that can be accessed through, our website does not constitute part of this Annual Report on Form 10-K, and inclusions of our website address in this Annual Report on Form 10-K are inactive textual references only.

The SailPoint design logo and our other registered or common law trademarks, service marks or trade names appearing in this Annual Report on Form 10-K are the property of SailPoint Technologies, Inc., our wholly owned subsidiary. Other trademarks and trade names referred to in this Annual Report on Form 10-K are the property of their respective owners.

Available Information

Our website is located at www.sailpoint.com, and our investor relations website is located at https://investors.sailpoint.com. The information posted on our website is not incorporated into this Annual Report on Form 10-K. Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to reports filed or furnished pursuant to Sections 13(a) and 15(d) of the Securities Exchange Act of 1934 (the “Exchange Act”) are available free of charge on our investor relations website as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC. You may also access all of our public filings through the SEC’s website at www.sec.gov. Further, a copy of this Annual Report on Form 10-K is located at the SEC’s Public Reference Room at 100 F Street, NE, Washington, D.C. 20549. Information on the operation of the Public Reference Room can be obtained by calling the SEC at 1-800-SEC-0330.

Investors and other interested parties should note that we use our media and investor relations website and our social media channels to publish important information about us, including information that may be deemed material to investors. We encourage investors and other interested parties to review the information we may publish through our media and investor relations website and the social media channels listed on our media and investor relations website, in addition to our SEC filings, press releases, conference calls and webcasts.

14


 

ITEM 1A. RISK FACTORS

The nature of the business activities conducted by the Company subjects it to certain hazards and risks. The following is a summary of some of the material risks relating to the Company’s business activities. Other risks are described in “Part I. Item 1. Business—Competition and Markets” and “Part II. Item 7A. Quantitative and Qualitative Disclosures About Market Risk.” These risks are not the only risks facing the Company. The Company’s business could also be affected by additional risks and uncertainties not currently known to the Company or that it currently deems to be immaterial. If any of these risks actually occurs, it could materially harm the Company’s business, financial condition or results of operations and impair the Company’s ability to implement business plans. In that case, the market price of the Company’s common stock could decline.

Risks Related to Our Business and Industry

We have a history of losses, and we may not be able to generate sufficient revenue to achieve and sustain profitability.

We have incurred net losses in each year since our inception, including net losses of $7.6 million, $3.2 million and $10.8 million for the years ended December 31, 2017, 2016 and 2015, respectively. We expect our operating expenses to increase significantly as we continue to expand our sales and marketing efforts, continue to invest in research and development, and expand our operations in existing and new geographies and vertical markets. We also expect to continue to devote significant research and development resources to our on-premises solutions; if our customers and potential customers shift their IT infrastructures to the cloud faster than we anticipate, we may not realize our expected return from the costs we incur. While our revenue has grown in recent years, if our revenue declines or fails to grow at a rate faster than these increases in our operating expenses, we will not be able to achieve and maintain profitability in future periods. As a result, we may continue to generate losses. We cannot assure you that we will achieve profitability in the future or that, if we do become profitable, we will be able to sustain profitability.

We have experienced rapid growth in recent periods, and our recent growth rates may not be indicative of our future growth.

We have experienced rapid growth in recent years. From the year ended December 31, 2012 to the year ended December 31, 2017, we grew our business at a revenue compound annual growth rate of over 36%, and our revenue grew from $95.4 million to $186.1 million from the year ended December 31, 2015 to the year ended December 31, 2017. In future periods, we may not be able to sustain revenue growth consistent with recent history, or at all. We believe our revenue growth depends on a number of factors, including, but not limited to:

 

our ability to attract new customers and retain and increase sales to existing customers;

 

our ability to, and the ability of our channel partners to, successfully deploy and implement our solutions, increase our existing customers’ use of our solutions and provide our customers with excellent customer support;

 

our ability to increase the number of our technology partners;

 

our ability to develop our existing solutions and introduce new solutions; and

 

our ability to hire substantial numbers of new sales and marketing, research and development and general and administrative personnel, and expand our global operations.

If we are unable to achieve any of these requirements, our revenue growth will be adversely affected.

15


 

Our future revenues and operating results will be harmed if we are unable to acquire new customers, if our customers do not renew their arrangements with us, or if we are unable to expand sales to our existing customers or develop new solutions that achieve market acceptance.

To continue to grow our business, it is important that we continue to acquire new customers to purchase and use our solutions. Our success in adding new customers depends on numerous factors, including our ability to (i) offer a compelling identity governance platform and solutions, (ii) execute our sales and marketing strategy, (iii) attract, effectively train and retain new sales, marketing, professional services and support personnel in the markets we pursue, (iv) develop or expand relationships with technology partners, systems integrators, resellers and other channel partners, (v) expand into new geographies and vertical markets, (vi) deploy our platform and solutions for new customers and (vii) provide quality customer support once deployed.

It is important to our continued growth that our customers renew their arrangements when existing contract terms expire. Our customers have no obligation to renew their maintenance, SaaS and/or term-license agreements, and our customers may decide not to renew these agreements with a similar contract period, at the same prices and terms or with the same or a greater number of identities. Although our customer retention rate has historically been strong, some of our customers have elected not to renew their agreements with us, and it is difficult to accurately predict long-term customer retention and expansion rates. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our solutions, our customer support and professional services, our prices and pricing plans, the competitiveness of other software products and services, reductions in our customers’ spending levels, user adoption of our solutions, deployment success, utilization rates by our customers, new product releases and changes to our product offerings. If our customers do not renew their maintenance, SaaS and/or term-license agreements, or renew on less favorable terms, our business, financial condition and operating results may be adversely affected.

Our ability to increase revenue also depends in part on our ability to increase the number of identities governed with our solutions and sell more modules and solutions to our existing and new customers. Our ability to increase sales to existing customers depends on several factors, including their experience with implementing and using our platform and the existing solutions they have implemented, their ability to integrate our solutions with existing technologies, and our pricing model.

If our new solutions do not achieve adequate acceptance in the market, our competitive position could be impaired, and our potential to generate new revenue or to retain existing revenue could be diminished. The adverse effect on our financial results may be particularly acute because of the significant research, development, marketing, sales and other expenses we will have incurred in connection with the new solutions, and our ability to introduce compelling new solutions that address the requirements of our customers in light of the dynamic identity governance market in which we operate.

If we are unable to successfully acquire new customers, retain our existing customers, expand sales to existing customers or introduce new solutions, our business, financial condition and operating results could be adversely affected.

If we are unable to maintain successful relationships with our channel partners, our ability to market, sell and distribute our solutions will be limited and our business, financial condition and operating results could be adversely affected.

We derive a significant portion of our revenue from sales influenced or made through our channel partner network and expect these sales to continue to grow for the foreseeable future. Our channel partners provide implementation and other services to our customers in exchange for fees paid by those customers. We may not achieve anticipated revenue growth from our channel partners if we are unable to retain our existing channel partners and expand their sales or add additional motivated channel partners.

16


 

Our arrangements with our channel partners are generally non-exclusive, meaning they may offer customers the products of several different companies, including products that compete with our platform and solutions. If our channel partners do not effectively market and sell our solutions, choose to use greater efforts to market and sell our competitors’ products or services, or fail to meet the needs of our customers, our ability to grow our business and sell our solutions may be adversely affected. Our channel partners may cease marketing our products with limited or no notice and with little or no penalty. In addition, certain of our channel partners are subject to independence requirements that may prevent them from providing services to us or cooperating with us in our go-to-market efforts if they also provide services for affiliates of our controlling stockholder. Thoma Bravo, LLC (“Thoma Bravo”), the ultimate general partner of our controlling stockholders, Thoma Bravo Fund XI, L.P., Thoma Bravo Fund XI-A, L.P. and Thoma Bravo Executive Fund XI, L.P. (together, the “Thoma Bravo Funds”),  is a leading private equity investment firm that holds control investments in over 20 businesses, some of which engage certain of our channel partners to provide services, and it intends to continue making control investments in the future. If one or more of our channel partners determines that it is unable to both provide services to us or cooperate with us in our go-to-market efforts and also provide services to affiliates of our controlling stockholder, those channel partners may cease marketing our products or otherwise cease providing services to us or cooperating with us in our go-to-market efforts.

We also collaborate with adjacent technology vendors to offer comprehensive solutions to our customers. If we do not effectively collaborate with them, or if they elect to terminate their relationship with us or develop and market solutions that compete with our solutions, our growth may be adversely affected.

Our ability to generate revenue in the future will depend in part on our success in maintaining effective working relationships with our channel partners, in expanding our indirect sales channel, in training our channel partners to independently sell and/or deploy our solutions and in continuing to integrate our solutions with the products and services offered by our technology partners. If we are unable to maintain our relationships with these channel partners, our business, financial condition and operating results could be adversely affected.

Our quarterly results fluctuate significantly and may not fully reflect the underlying performance of our business.

We believe our quarterly revenue and operating results may vary significantly in the future. As a result, you should not rely on the results of any one quarter as an indication of future performance and period-to-period comparisons of our revenue and operating results may not be meaningful and, as a result, may not fully reflect the underlying performance of our business.

Our quarterly operating results may fluctuate as a result of a variety of factors, including, but not limited to, those listed below, many of which are outside of our control:

 

the loss or deterioration of our channel partner and other relationships influencing our sales execution;

 

the mix of revenue and associated costs attributable to licenses, subscription and professional services, which may impact our gross margins and operating income;

 

the mix of revenue attributable to larger transactions as opposed to smaller transactions and the associated volatility and timing of our transactions;

 

the growth in the market for our products;

 

our ability to attract new customers and retain and increase sales to existing customers;

 

changes in customers’ budgets and in the timing of their purchasing decisions, including seasonal buying patterns for IT spending;

 

the timing and success of new product introductions by our competitors and by us;

 

changes in our pricing policies or those of our competitors;

 

significant security breaches of, technical difficulties with, or interruptions to, the delivery and use of our platform;  

17


 

 

changes in the legislative or regulatory environment;

 

foreign exchange gains and losses related to expenses and sales denominated in currencies other than the U.S. dollar or the function currencies of our subsidiaries;

 

increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;

 

costs related to the acquisition of businesses, talent, technologies or intellectual property, including potentially significant amortization costs and possible write-downs;

 

our ability to control costs, including our operating expenses;

 

the collectability of receivables from customers and channel partners, which may be hindered or delayed if these customers or channel partners experience financial distress;

 

economic conditions specifically affecting industries in which our customers participate;

 

natural disasters or other catastrophic events; and

 

litigation-related costs, settlements or adverse litigation judgments.

Our sales cycle is long and unpredictable, and our sales efforts require considerable time and expense.

The timing of our sales and related revenue recognition is difficult to predict because of the length and unpredictability of the sales cycle for our platform before a sale. We and our channel partners are often required to spend significant time and resources to better educate and familiarize potential customers with the value proposition of our platform and solutions. Customers often view the purchase of our solutions as a strategic decision and significant investment and, as a result, frequently require considerable time to evaluate, test and qualify our platform and solutions prior to purchasing our solutions. During the sales cycle, we expend significant time and money on sales and marketing and contract negotiation activities, which may not result in a sale. Additional factors that may influence the length and variability of our sales cycle include:

 

the discretionary nature of purchasing and budget cycles and decisions;

 

lengthy purchasing approval processes;

 

the evaluation of competing products during the purchasing process;

 

time, complexity and expense involved in replacing existing solutions;

 

announcements or planned introductions of new products, features or functionality by our competitors or of new solutions or modules by us; and

 

evolving functionality demands.

If our efforts in pursuing sales and customers are unsuccessful, or if our sales cycles lengthen, our revenue could be lower than expected, which would have an adverse effect on our business, operating results and financial condition.

We recognize some of our revenue ratably over the term of our agreements with customers and, as a result, downturns or upturns in sales may not be immediately reflected in our operating results.

We recognize revenue from our IdentityNow subscription offering ratably over the terms of our agreements with customers, which generally occurs over a three-year period. As a result, a portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our products and potential changes in our rate of renewals may not be fully reflected in our operating results until future periods. Our model also makes it difficult for us to rapidly increase our subscription revenue through additional sales in any period, as revenue from new customers generally will be recognized over the term of the applicable agreement.

18


 

We also intend to increase our investment in research and development, sales and marketing, and general and administrative functions and other areas to grow our subscription-related business. These subscription-related costs are generally expensed as incurred (with the exception of sales commissions), as compared to the corresponding revenue, substantially all of which is recognized ratably in future periods. We are likely to recognize the costs associated with these increased investments earlier than some of the anticipated benefits and the return on these investments may develop more slowly, or may be lower, than we expect, which could adversely affect our operating results.

We face intense competition in our market, especially from larger, well established companies, and we may lack sufficient financial and other resources to maintain and improve our competitive position.

The market for identity and data governance solutions is intensely competitive and is characterized by constant change and innovation. We face competition from both traditional, larger software vendors offering enterprise-wide software frameworks and services and smaller companies offering point solutions for specific identity and data governance issues. We also compete with IT equipment vendors and systems management solution providers whose products and services address identity and data governance requirements. Our principal competitors vary depending on the product we offer and include CA Technologies, IBM, Oracle and Varonis and several smaller vendors. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages such as:

 

greater name recognition and longer operating histories;

 

more comprehensive and varied products and services;

 

broader product offerings and market focus;

 

greater resources to develop technologies or make acquisitions;

 

more expansive intellectual property portfolios;

 

broader distribution and established relationships with distribution partners and customers;

 

greater customer support resources; and

 

substantially greater financial, technical and other resources.

Given their larger size, greater resources and existing customer relationships, our competitors may be able to compete and respond more effectively than we can to new or changing opportunities, technologies, standards or customer requirements. Our competitors may also seek to extend or supplement their existing offerings to provide identity and data governance solutions that more closely compete with our offerings. Potential customers may also prefer to purchase, or incrementally add solutions, from their existing suppliers rather than a new or additional supplier regardless of product performance or features.

In addition, with the recent increase in large merger and acquisition transactions in the technology industry, particularly transactions involving cloud-based technologies, there is a greater likelihood that we will compete with other large technology companies in the future. Some of our competitors have made acquisitions or entered into strategic relationships to offer a more comprehensive product than they individually had offered. Companies and alliances resulting from these possible consolidations and partnerships may create more compelling product offerings and be able to offer more attractive pricing, making it more difficult for us to compete effectively. In addition, continued industry consolidation may adversely impact customers’ perceptions of the viability of small and medium-sized technology companies and consequently their willingness to purchase from those companies.

New start-up companies that innovate and large competitors that are making significant investments in research and development may invent similar or superior products and technologies that compete with our products, and our business could be materially and adversely affected if such technologies or products are widely adopted. Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering by our competitors or continuing market consolidation. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margins, increased net losses, and loss of market share. Any failure to meet and address these factors could adversely affect our business, financial condition and operating results.

19


 

We anticipate that our operations will continue to increase in complexity as we grow, which will add additional challenges to the management of our business in the future.

Our business has experienced significant growth and is becoming increasingly complex. We increased the number of our employees from 514 at December 31, 2015 to 806 at December 31, 2017. We have also experienced growth in the number of customers of our solutions from 520 at December 31, 2015 to 933 at December 31, 2017. At December 31, 2017, we had personnel in 24 countries, and we expect to expand into additional countries in the future. We expect this growth to continue and for our operations to become increasingly complex. To effectively manage this growth, we have made and continue to make substantial investments to improve our operational, financial and management controls as well as our reporting systems and procedures. Our success will depend in part on our ability to manage this complexity effectively without undermining our corporate culture, which we believe has been central to our success. If we are unable to manage this complexity, our business, operations, operating results and financial condition may suffer.

As our customer base continues to grow, we will need to expand our professional services and other personnel, and maintain and enhance our existing partner network, to provide a high level of customer service. We also will need to effectively manage our direct and indirect sales processes as the number and type of our sales personnel and partner network continues to grow and become more complex and as we continue to expand into new geographies and vertical markets. This complexity is further driven by the various ways in which we sell our solutions, including on a per identity and per module basis through perpetual licenses and SaaS. If we do not effectively manage the increasing complexity of our business and operations, the quality of our solutions and customer service could suffer, and we may not be able to adequately address competitive challenges. These factors could impair our ability, and our channel partners’ ability, to attract new customers, retain existing customers, expand our customers’ use of existing solutions and adoption of more of our solutions and continue to provide high levels of customer service, all of which would adversely affect our reputation, overall business, operations, operating results and financial condition.

Interruptions with the delivery of our SaaS solutions, or third-party cloud-based systems that we use in our operations, may adversely affect our business, operating results and financial condition.

Our continued growth depends in part on the ability of our existing customers and new customers to access our platform and solutions, particularly our cloud-based deployments, at any time and within an acceptable amount of time. In addition, our ability to access certain third-party SaaS solutions is important to our operations and the delivery of our customer support and professional services, including our online training for customers, professional services partners and channel partners. We have experienced, and may in the future experience, service disruptions, outages and other performance problems both in the delivery of our SaaS solutions and in third-party SaaS solutions we use due to a variety of factors, including infrastructure changes, malicious actors, human or software errors or capacity constraints. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. It may become increasingly difficult to maintain and improve the performance of our SaaS solutions as they become more complex. If our SaaS solutions are unavailable or if our customers are unable to access features of our SaaS solutions within a reasonable amount of time or at all, our business would be negatively affected. In addition, if any of the third-party SaaS solutions that we use were to experience a significant or prolonged outage or security breach, our business could be adversely affected.

We host our SaaS solutions using Amazon Web Services (“AWS”) data centers, a provider of cloud infrastructure services. All of our SaaS solutions reside on hardware owned or leased and operated by us in these locations. Our SaaS operations depend on protecting the virtual cloud infrastructure hosted in AWS by maintaining its configuration, architecture, features and interconnection specifications, as well as the information stored in these virtual data centers and which third-party internet service providers transmit. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake or other natural disasters, cyber-attacks, terrorist or other attacks, and other similar events beyond our control could negatively affect our SaaS platform. A prolonged AWS service disruption affecting our SaaS platform for any of the foregoing reasons would negatively impact our ability to serve our customers and could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers or otherwise harm our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the AWS services we use. In addition, AWS may

20


 

terminate the agreement by providing 30 days’ prior written notice and may, in some cases, terminate the agreement immediately for cause upon notice. In the event that our AWS service agreements are terminated, or there is a lapse of service, elimination of AWS services or features that we utilize, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform as well as significant delays and additional expense in arranging or creating new facilities and services and/or re-architecting our SaaS solutions for deployment on a different cloud infrastructure service provider, which may adversely affect our business, operating results and financial condition.

If we fail to adapt and respond effectively to rapidly changing technology, evolving industry standards, changing regulations and changing customer needs, requirements or preferences, our platform and solutions may become less competitive.

The market in which we compete is relatively new and subject to rapid technological change, evolving industry standards and changing regulations, as well as changing customer needs, requirements and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis. In addition, as our customers’ technologies and business plans grow more complex, we expect them to face new and increasing challenges. Our customers require that our solution effectively identifies and responds to these challenges without disrupting the performance of our customers’ IT systems. As a result, we must continually modify and improve our products in response to changes in our customers’ IT infrastructures.

We may be unable to anticipate future market needs and opportunities or be able to develop enhancements to our platform or existing solutions or new solutions to meet such needs or opportunities in a timely manner, if at all. Even if we are able to anticipate, develop and commercially introduce enhancements to our platform and existing solutions and new solutions, those enhancements and new solutions may not achieve widespread market acceptance. Our enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:

 

delays in releasing platform or solutions enhancements or new solutions;

 

inability to interoperate effectively with existing or newly introduced technologies, systems or applications of our existing and prospective customers;

 

defects, errors or failures in our platform or solutions;

 

negative publicity about the performance or effectiveness of our platform or solutions;

 

introduction or anticipated introduction of competing products by our competitors;

 

installation, configuration or usage errors by our customers or partners; and

 

changing of regulatory requirements related to security.

If we were unable to enhance our platform or existing solutions or develop new solutions that keep pace with rapid technological and industry change, our business, operating results and financial condition could be adversely affected. If new technologies emerge that are able to deliver competitive products and services at lower prices, more efficiently, more conveniently or more securely, such technologies could adversely impact our ability to compete effectively.

Our failure to achieve and maintain an effective system of disclosure controls and internal control over financial reporting could adversely affect our financial position and lower our stock price.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), and the rules and regulations of the applicable listing standards of the New York Stock Exchange (the “NYSE”). The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended, and anticipate that we will continue to expend, significant resources, including accounting-related costs and significant management oversight. In connection with the audit of our consolidated financial statements for the year ended December 31, 2015, our independent registered public accountants identified a material weakness related to insufficient documentation evidencing the revenue recognition decisions that we made when allocating revenue to specific customer agreements, which we remediated by December 31, 2016.

21


 

In finalizing our financial statements for our initial public offering, our independent registered public accounting firm identified a material weakness in our internal control over financial reporting related to our accounting for certain complex, non-routine transactions affecting our presentation of amortization expense related to acquisitions, equity transactions and related disclosure and earnings per share calculations. We are taking measures to remediate the material weakness, including establishing more robust accounting policies and procedures, reviews on the adoption of new accounting positions and financial statement disclosures, and selection and engagement of consultants to assist us in determining positions and evaluating new accounting policies. We have not yet remediated this material weakness as of December 31, 2017 and we cannot assure you that these measures and any further measures that we implement will be sufficient to remediate our existing material weakness or to identify or prevent additional material weaknesses.

Our internal resources and personnel may in the future be insufficient to avoid accounting errors and there can be no assurance that we will not have additional material weaknesses in the future. Any failure to develop or maintain effective controls or any difficulties encountered implementing required new or improved controls could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we will eventually be required to include in our periodic reports that will be filed with the Securities and Exchange Commission (the “SEC”). Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NYSE. As a public company, we are required to comply with the SEC rules that implement Section 404 of the Sarbanes-Oxley Act and are therefore required to make a formal assessment of the effectiveness of our internal control over financial reporting for that purpose, but we are not required to provide an annual management report on the effectiveness of our internal control over financial reporting until our second annual report on Form 10-K.  

Our independent registered public accounting firm is not required to formally attest to the effectiveness of our internal control over financial reporting until after we are no longer an emerging growth company as defined in the JOBS Act. At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our internal control over financial reporting is documented, designed or operating. Any failure to maintain effective disclosure controls and internal control over financial reporting could have an adverse effect on our business and operating results and could cause a decline in the price of our common stock.

 

Forecasting our estimated annual effective tax rate for financial accounting purposes is complex and subject to uncertainty, and there may be material differences between our forecasted and actual tax rates.

 

Forecasts of our income tax position and effective tax rate for financial accounting purposes are complex and subject to uncertainty because our income tax position for each year combines the effects of a mix of profits earned and losses incurred by us in various tax jurisdictions with a broad range of income tax rates, as well as changes in the valuation of deferred tax assets and liabilities, the impact of various accounting rules and changes to these rules and tax laws, the results of examinations by various tax authorities, and the impact of any acquisition, business combination or other reorganization or financing transaction. To forecast our tax rate, we estimate our pre-tax profits and losses by jurisdiction and forecast our tax expense by jurisdiction. If the mix of profits and losses, our ability to use tax credits, or effective tax rates by jurisdiction is different than those estimated, our actual tax rate could be materially different than forecasted, which could have a material impact on our results of business, financial condition and results of operations.

 

22


 

On December 22, 2017, U.S. Federal tax reform was enacted with the signing of the Tax Cuts and Jobs Act, or the TCJA. Notable provisions of the TCJA include significant changes to corporate taxation, including reduction of the corporate tax rate from a top marginal rate of 35% to a flat rate of 21%, limitation of the tax deduction for interest expense to 30% of adjusted earnings (except for certain small businesses), limitation of the deduction for net operating losses to 80% of current year taxable income and elimination of net operating loss carrybacks, one time taxation of offshore earnings at reduced rates regardless of whether they are repatriated, elimination of U.S. tax on foreign earnings (subject to certain important exceptions), immediate deductions for certain new investments instead of deductions for depreciation expense over time, and modifying or repealing many business deductions and credits. 

 

The U.S. Department of Treasury has broad authority to issue regulations and interpretative guidance that may significantly impact how we will apply the law and impact our results of operations in the period issued. As additional regulatory guidance is issued by the applicable taxing authorities, as accounting treatment is clarified, as we perform additional analysis on the application of the law, and as we refine estimates in calculating the effect, our final analysis, which will be recorded in the period completed, may be different from our current provisional amounts, which could materially affect our tax obligations and effective tax rate.

If we are not able to maintain and enhance our brand or reputation as an industry leader and innovator, our business and operating results may be adversely affected.

We believe that maintaining and enhancing our reputation as a leader and innovator in the market for identity and data governance solutions is critical to our relationship with our existing customers and commercial relationships and our ability to attract new customers and commercial relationships. The successful promotion of our brand attributes will depend on a number of factors, including our marketing efforts, our ability to continue to develop high-quality features and solutions for our platform and our ability to successfully differentiate our platform and solutions from competitive products and services. Our brand promotion activities may not be successful or yield increased revenue. In addition, independent industry analysts often provide reports of our platform and solutions, as well as products and services of our competitors, and perception of our platform and solutions in the marketplace may be significantly influenced by these reports. If these reports are negative, or less positive as compared to those of our competitors’ products and services, our reputation may be adversely affected. Additionally, the performance of our channel partners may affect our brand and reputation if customers do not have a positive experience with our solutions as implemented by our channel partners or with the implementation generally. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new geographies and vertical markets, and as more sales are generated through our channel partners. To the extent that these activities yield increased revenue, this revenue may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand and reputation, our business and operating results may be adversely affected.

Real or perceived errors, failures, or disruptions in our platform and solutions could adversely affect our customers’ satisfaction with our solutions and/or our industry reputation and business could be harmed.

Our platform and solutions are very complex and have contained and may contain undetected defects or errors, especially when solutions are first introduced or enhanced. Our platform and solutions are often used in connection with large-scale computing environments with different operating systems, system management software, equipment and networking configurations, which may cause errors or failures of products, or other aspects of the computing environment into which our products are deployed. If our platform and solutions are not implemented or used correctly or as intended, inadequate performance and disruption in service may result. In addition, deployment of our platform and solutions into complicated, large-scale computing environments may expose errors, failures or vulnerabilities in our products. Any such errors, failures, or vulnerabilities may not be found until after they are deployed to our customers. We have experienced from time to time errors, failures and bugs in our platform that have resulted in customer downtime. While we were able to remedy these situations, we cannot assure you that we will be able to mitigate future errors, failures or bugs in a quick or cost-effective manner.

23


 

If we or our channel partners or one or more customers were to suffer a highly publicized breach, even if our platform and solutions perform effectively, such a breach could cause us to suffer reputational harm, lose existing commercial relationships and customers or deter them from purchasing additional solutions and prevent new customers from purchasing our solutions.

Since our customers use our platform and solutions for important aspects of their business, any real or perceived errors, failures or vulnerabilities in our products, or disruptions in service or other performance problems, could hurt our reputation and may damage our customers’ businesses. Furthermore, defects, errors or failures in our platform or solutions may require us to implement design changes or software updates. Any defects or errors in our platform or solutions, or the perception of such defects or errors, could result in:

 

expenditure of significant financial and product development resources in efforts to analyze, correct, eliminate or work around errors or defects;

 

loss of existing or potential customers or channel partners;

 

delayed or lost revenue;

 

delay or failure to attain market acceptance;

 

delay in the development or release of new solutions or services;

 

negative publicity, which will harm our reputation;

 

an increase in collection cycles for accounts receivable or the expense and risk of litigation; and

 

harm to our operating results.

Although we have contractual protections, such as warranty disclaimers and limitation of liability provisions, in our standard terms and conditions of sale, they may not fully or effectively protect us from claims by customers, commercial relationships or other third parties. Any insurance coverage we may have may not adequately cover all claims asserted against us or cover only a portion of such claims. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation and divert management’s time and other resources.

If our platform and solutions do not effectively interoperate with our customers’ existing or future IT infrastructures, installations could be delayed or cancelled, which would harm our business.

Our success depends on the interoperability of our platform and solutions with third-party operating systems, applications, data and devices that we have not developed and do not control. Any changes in such operating systems, applications, data or devices that degrade the functionality of our platform or solutions or give preferential treatment to competitive software could adversely affect the adoption and usage of our platform. We may not be successful in adapting our platform or solutions to operate effectively with these applications, data or devices. If it is difficult for our customers to access and use our platform or solutions, or if our platform or solutions cannot connect a broadening range of applications, data and devices, then our customer growth and retention may be harmed, and our business and operating results could be adversely affected.

Our success depends on the experience and expertise of our senior management team and key employees. If we are unable to hire, retain, train and motivate our personnel, our business, operating results and prospects may be harmed.

Our success has depended, and continues to depend, on the efforts and talents of our senior management team and key employees, including our engineers, product managers, sales and marketing personnel and professional services personnel. Our future success will also depend upon our continued ability to identify, hire and retain additional skilled and highly qualified personnel, which will require significant time, expense and attention.

Our officers and key employees are employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of one or more members of our senior management team, particularly if closely grouped, could adversely affect our ability to execute our business plan and thus, our business, operating results and prospects. We do not maintain key man insurance on any of our officers or key employees, and we may not be able to find adequate replacements. If we fail to identify, recruit and integrate strategic hires, our business, operating results and financial condition could be adversely affected.

24


 

We have from time to time experienced, and we expect to continue to experience, difficulty in hiring, and may in the future have difficulty retaining, employees with appropriate qualifications and many of the companies with which we compete for experienced personnel have greater resources than we have. In addition to hiring new employees, we must continue to focus on training, motivating and retaining our best employees, substantially all of whom are at-will employees, which means they may terminate their employment relationship with us at any time. Many of our employees may be able to receive significant proceeds from sales of our common stock in the public markets, which may reduce their motivation to continue to work for us. Conversely, employees may be more likely to leave us if the exercise prices of the stock options that they hold are significantly above the market price of our common stock. Competition for highly skilled personnel is intense, and we may need to invest significant amounts of cash and equity to attract and retain new employees, and we may never realize returns on these investments.

Competition for well-qualified employees in all aspects of our business, including sales personnel, professional services personnel and software engineers, is intense. Our primary recruiting competition are well-known, high-paying firms. Our continued ability to compete effectively depends on our ability to attract new employees and to retain and motivate existing employees. If we do not succeed in attracting well-qualified employees or retaining and motivating existing employees, our business would be adversely affected.

Our corporate culture has contributed to our success, and if we cannot maintain this culture as we grow, we could lose the innovation, creativity and teamwork fostered by our culture, which could adversely affect our business.

We believe that our culture has been and will continue to be a key contributor to our success. From January 1, 2016 to December 31, 2017, we have increased the size of our workforce by 211 employees domestically and 81 employees internationally, and we expect to continue to hire aggressively as we expand. In addition, we plan to continue to expand our international operations, which may affect our culture as we seek to find, hire and integrate additional international employees while maintaining our corporate culture. If we do not continue to maintain our corporate culture as we grow, we may be unable to continue to foster the innovation, integrity, and collaboration we believe we need to support our growth. Our substantial anticipated headcount growth, international expansion and our transition from a private company to a public company may result in a change to our corporate culture, which could adversely affect our business.

Because our long-term success depends, in part, on our ability to expand the sales and marketing of our platform and solutions to customers located outside of the United States, and we perform a significant portion of our development outside of the United States, our business will be susceptible to risks associated with international operations.

At December 31, 2017, we had sales and marketing and product development personnel outside the United States in Australia, Canada, Denmark, France, Germany, Hong Kong, India, Israel, Italy, the Netherlands, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, the United Arab Emirates and the United Kingdom, and we intend to expand our international sales and marketing operations.

Conducting international operations subjects us to risks that we do not generally face in the United States. These risks include:

 

encountering existing and new competitors with stronger brand recognition in the new markets;

 

challenges developing, marketing, selling and implementing our platform and solutions caused by language, cultural and ethical differences and the competitive environment;

 

heightened risks of unethical, unfair or corrupt business practices, actual or claimed, in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;

 

political instability, war, armed conflict or terrorist activities;

 

currency fluctuations;

25


 

 

the risks of currency hedging activities to limit the impact of exchange rate fluctuations, should we engage in such activities in the future;

 

difficulties in managing systems integrators and technology providers;

 

laws imposing heightened restrictions on data usage and increased penalties for failure to comply with applicable laws, particularly in the European Union (“EU”);

 

risks associated with trade restrictions and foreign import requirements, including the importation, certification and localization of our solutions required in foreign countries, as well as changes in trade, tariffs, restrictions or requirements;

 

potentially different pricing environments, longer sales cycles and longer accounts receivable payment cycles and collections issues;

 

management communication and integration problems resulting from cultural differences and geographic dispersion;

 

increased turnover of international personnel as compared to our domestic operations;

 

potentially adverse tax consequences, including multiple and possibly overlapping tax structures, the complexities of foreign value added tax systems, restrictions on the repatriation of earnings and changes in tax rates;

 

greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;

 

the uncertainty and limitation of protection for intellectual property rights in some countries;

 

increased financial accounting and reporting burdens and complexities; and

 

lack of familiarity with local laws, customs and practices, and laws and business practices favoring local competitors or commercial parties.

The occurrence of any one of these risks could harm our international business and, consequently, our operating results. Additionally, operating in international markets requires significant management attention and financial resources. We cannot be certain that the investment and additional resources required to operate in other countries will produce desired levels of revenue or net income.

Adverse economic conditions may negatively impact our business.

Our business depends on the overall demand for information technology and on the economic health of our current and prospective customers. Any significant weakening of the economy in the United States or Europe and of the global economy, more limited availability of credit, a reduction in business confidence and activity, decreased government spending, economic uncertainty and other difficulties may affect one or more of the sectors or countries in which we sell our solutions. Global economic and political uncertainty may cause some of our customers or potential customers to curtail spending generally or IT and identity and data governance spending specifically and may ultimately result in new regulatory and cost challenges to our international operations. In addition, a strong dollar could reduce demand for our products in countries with relatively weaker currencies. These adverse conditions could result in reductions in sales of our solutions, longer sales cycles, slower adoption of new technologies and increased price competition. Any of these events could have an adverse effect on our business, operating results and financial position.

Forecasts of our market and market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, there can be no assurance that our business will grow at similar rates, or at all.

Growth forecasts included in this 10-K relating to our market opportunity and the expected growth in that market are subject to significant uncertainty and are based on assumptions and estimates which may prove to be inaccurate. Even if this market meets our size estimate and experiences the forecasted growth, we may not grow our business at a similar rate, or at all. Our growth is subject to many factors, including our success in implementing our business strategy, which is subject to many risks and uncertainties. Accordingly, the forecasts of market growth included in this 10-K should not be taken as indicative of our future growth.

26


 

Any failure to offer high-quality customer support may adversely affect our relationships with our customers and our financial results.

We typically bundle customer support with arrangements for our solutions. In deploying and using our platform and solutions, our customers typically require the assistance of our support teams to resolve complex technical and operational issues. We may be unable to modify the nature, scope and delivery of our customer support to compete with changes in product support services provided by our competitors. Increased customer demand for support, without corresponding revenue, could increase costs and adversely affect our operating results. We may also be unable to respond quickly enough to accommodate short-term increases in customer demand for support. Our sales are highly dependent on our reputation and on positive recommendations from our existing customers. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality product support, could adversely affect our reputation, and our ability to sell our solutions to existing and new customers.

If we fail to meet contractual commitments related to response time, service level commitments or quality of professional services, we could be obligated to provide credits for future service, or face contract termination, which could adversely affect our business, operating results and financial condition.

Depending on the products purchased, our customer agreements contain service level agreements, under which we guarantee specified availability of our platform and solutions. If we are unable to meet the stated service level commitments to our customers or suffer extended periods of unavailability of our SaaS platform or solutions, we may be contractually obligated to provide affected customers with service credits or customers could elect to terminate and receive refunds for prepaid amounts. In addition, if the quality of our professional services do not meet contractual requirements, we may be required to re-perform the services at our expense or refund amounts paid for the services. Any failure to meet these contractual commitments could adversely affect our revenue, operating results and financial condition and any failure to meet service level commitments or extended service outages of our SaaS solutions could adversely affect our business and reputation as customers may elect not to renew and we could lose future sales.

Our business depends, in part, on sales to the public sector, and significant changes in the contracting or fiscal policies of the public sector could have an adverse effect on our business.

We derive a portion of our revenue from sales of our solutions to federal, state, local and foreign governments, and we believe that the success and growth of our business will continue to depend in part on our successful procurement of government contracts. Factors that could impede our ability to maintain or increase the amount of revenue derived from government contracts include:

 

changes in fiscal or contracting policies;

 

decreases in available government funding;

 

changes in government programs or applicable requirements;

 

the adoption of new laws or regulations or changes to existing laws or regulations; and

 

potential delays or changes in the government appropriations or other funding authorization processes.

The occurrence of any of the foregoing could cause governments and governmental agencies to delay or refrain from purchasing our solutions or otherwise have an adverse effect on our business, operating results and financial condition.

Any actual or perceived failure by us to comply with our privacy policy or legal or regulatory requirements in one or multiple jurisdictions could result in proceedings, actions or penalties against us.

Our customers’ storage and use of data concerning, among others, their employees, contractors, customers and partners is essential to their use of our platform and solutions. We have implemented various features intended to enable our customers to better comply with applicable privacy and security requirements in their collection and use of data, but these features do not ensure their compliance and may not be effective against all potential privacy and data security concerns.

27


 

A wide variety of domestic and foreign laws and regulations apply to the collection, use, retention, protection, disclosure, transfer, disposal and other processing of personal data. These data protection and privacy-related laws and regulations are evolving and may result in regulatory and public scrutiny and escalating levels of enforcement and sanctions. Our failure to comply with applicable laws and regulations, or to protect any personal data, could result in enforcement action against us, including fines, claims for damages by customers and other affected individuals, damage to our reputation and loss of goodwill (both in relation to existing customers and prospective customers), any of which could adversely affect our business, operating results, financial performance and prospects.

Evolving and changing definitions of personal data and personal information within the EU, the United States and elsewhere may limit or inhibit our ability to operate or expand our business.

In jurisdictions outside of the United States, we may face data protection and privacy requirements that are more stringent than those in place in the United States. In the EU, for example, Directive 95/46/EC (the “Directive”) has required EU member states to implement data protection laws to meet the strict privacy requirements of the Directive. Among other requirements, the Directive regulates transfers of personal data that is subject to the Directive (“Personal Data”) to third countries, such as the United States, that have not been found to provide adequate protection to such Personal Data. The safe harbor framework previously relied on to ensure compliance with the Directive is no longer deemed to be a valid method of compliance with requirements set forth in the Directive, and so we face uncertainty as to whether our efforts to comply with our obligations under European privacy laws are sufficient. We and our customers are at risk of enforcement actions taken by certain EU data protection authorities until such point in time that we may be able to ensure that all transfers of Personal Data to us in the United States from the EU are conducted in compliance with all applicable regulatory obligations, the guidance of data protection authorities and evolving best practices. The Directive will be replaced in time with the European General Data Protection Regulation (“GDPR”), which will enter into force on May 25, 2018, and which may impose additional obligations, costs and risk upon our business. The GDPR may increase substantially the penalties to which we could be subject in the event of any non-compliance. In addition, we may incur substantial expense in complying with the new obligations to be imposed by the GDPR and we may be required to make significant changes in our business operations, all of which may adversely affect our revenues and our business overall.

In addition, we are subject to certain contractual obligations and privacy policies and practices regarding the collection, use, storage, transfer, disclosure, disposal or processing of personal data. Even the perception of a failure by us to comply with such contractual obligations and/or privacy policies and practices or other privacy concerns, whether or not valid, may harm our reputation, inhibit adoption of our solutions by current and future customers or adversely impact our ability to attract and retain workforce talent.

Loss, retention or misuse of certain information and alleged violations of laws and regulations relating to privacy and data security, and any relevant claims, may expose us to potential liability and may require us to expend significant resources on data security and in responding to and defending such allegations and claims. In addition, future laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations could impair our customers’ ability to collect, use or disclose data relating to individuals, which could decrease demand for our platform and solutions, increase our costs and impair our ability to maintain and grow our customer base and increase our revenue.

Around the world, there are numerous lawsuits in process against various technology companies that process personal data. If those lawsuits are successful, it could increase the likelihood that our company may be exposed to liability for our own policies and practices concerning the processing of personal data and could hurt our business. Furthermore, the costs of compliance with, and other burdens imposed by laws, regulations and policies concerning privacy and data security that are applicable to the businesses of our customers may limit the use and adoption of our platform or solutions and reduce overall demand for them. Privacy concerns, whether or not valid, may inhibit market adoption of our platform. Additionally, concerns about security or privacy may result in the adoption of new legislation that restricts the implementation of technologies like ours or requires us to make modifications to our platform, which could significantly limit the adoption and deployment of our technologies or result in significant expense to modify our platform.

28


 

We publicly post our privacy policies and practices concerning our processing, use and disclosure of the personally identifiable information provided to us by our website visitors. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive or misrepresentative of our actual policies and practices or if our practices are found to be unfair.

Evolving and changing definitions of what constitutes “Personal Information” and “Personal Data” within the EU, the United States and elsewhere, especially relating to classification of IP addresses, machine or device identification numbers, location data and other information, may limit or inhibit our ability to operate or expand our business, including limiting technology alliance relationships that may involve the sharing of data.

We use third-party licensed software in or with our solutions, and the inability to maintain these licenses or issues with the software we license could result in increased costs or reduced service levels, which would adversely affect our business.

Our solutions include software or other intellectual property licensed from third parties, and we otherwise use software and other intellectual property licensed from third parties in our business. We anticipate that we will continue to rely on such third-party software and intellectual property in the future. This exposes us to risks over which we may have little or no control. The third-party software we currently license may not always be available, and we may not have access to alternative third-party software on commercially reasonable terms. In addition, a third party may assert that we or our customers are in breach of the terms of a license, which could, among other things, give such third party the right to terminate a license or seek damages from us, or both. Our inability to obtain or maintain certain licenses or other rights or to obtain or maintain such licenses or rights on favorable terms, or the need to engage in litigation regarding these matters, could result in delays in releases of new solutions, and could otherwise disrupt our business, until equivalent technology can be identified, licensed or developed, if at all. Also, to the extent that our platform and solutions depend upon the successful operation of third-party software in conjunction with our software, any undetected errors or defects in such third-party software could prevent the deployment or impair the functionality of our platform, delay new feature introductions, result in a failure of our platform and injure our reputation.

Our failure to raise additional capital or generate cash flows necessary to expand our operations and invest in new technologies in the future could reduce our ability to compete successfully and harm our operating results.

We may need to raise additional funds, and we may not be able to obtain additional debt or equity financing on favorable terms, if at all. If we raise additional equity financing, our security holders may experience significant dilution of their ownership interests. If we engage in debt financing, we may be required to accept terms that restrict our ability to incur additional indebtedness, force us to maintain specified liquidity or other ratios or restrict our ability to pay dividends or make acquisitions. If we need additional capital and cannot raise it on acceptable terms, or at all, we may not be able to, among other things:

 

develop and enhance our products;

 

continue to expand our product development, sales and marketing organizations;

 

hire, train and retain employees;

 

respond to competitive pressures or unanticipated working capital requirements; or

 

pursue acquisition opportunities.

29


 

Our debt obligations contain restrictions that impact our business and expose us to risks that could adversely affect our liquidity and financial condition.

At December 31, 2017, the balance outstanding under our term loan facility was $70.0 million, and we had a $7.5 million revolving credit facility (under which we had no outstanding borrowings and $6.1 million outstanding under a letter of credit sub-facility). Our interest expense during the years ended December 31, 2017, 2016 and 2015 was approximately $14.8 million, $7.3 million and $3.9 million, respectively, which includes non-cash amortization of loan origination fees and costs of modifying our credit facility as well as $1.4 million in cash charges for an early prepayment penalty in 2017.

The credit agreement governing our credit facility contains various covenants that are operative so long as our credit facility remain outstanding. The covenants, among other things, limit our and certain of our subsidiaries’ abilities to:

 

incur additional indebtedness or guarantee indebtedness of others;

 

create additional liens on our assets;

 

pay dividends and make other distributions on our capital stock, and redeem and repurchase our capital stock;

 

make investments, including acquisitions;

 

make capital expenditures;

 

enter into mergers or consolidations or sell assets;

 

sell our subsidiaries;

 

engage in sale and leaseback transactions; or

 

enter into transactions with affiliates.

Our credit facility also contains numerous affirmative covenants, including financial covenants. Even if our credit facility is terminated, any additional debt that we incur in the future could subject us to similar or additional covenants.

If we experience a decline in cash flow due to any of the factors described in this “Risk Factors” section or otherwise, we could have difficulty paying interest and principal amounts due on our indebtedness and meeting the financial covenants set forth in our credit facility. If we are unable to generate sufficient cash flow or otherwise to obtain the funds necessary to make required payments under our credit facility, or if we fail to comply with the various requirements of our indebtedness, we could default under our credit facility. Any such default that is not cured or waived could result in an acceleration of indebtedness then outstanding under our credit facility, an increase in the applicable interest rates under our credit facility, and a requirement that our subsidiaries that have guaranteed our credit facility pay the obligations in full, and would permit the lenders to exercise remedies with respect to all of the collateral that is securing our credit facility, including substantially all of our and our subsidiary guarantors’ assets. Thus, any such default could have a material adverse effect on our liquidity and financial condition.

30


 

We may acquire or invest in companies, which may divert our management’s attention and result in additional dilution to our stockholders. We may be unable to integrate acquired businesses and technologies successfully or achieve the expected benefits of such acquisitions.

Our success will depend, in part, on our ability to expand our solutions and services and grow our business in response to changing technologies, customer demands and competitive pressures. In some circumstances, we may choose to do so through the acquisition of, or investment in, new or complementary businesses and technologies rather than through internal development. The identification of suitable acquisition or investment candidates can be difficult, time-consuming and costly, and we may not be able to successfully complete identified acquisitions or investments. The risks we face in connection with acquisitions and/or investments include:

 

an acquisition may negatively affect our operating results because it may require us to incur charges or assume substantial debt or other liabilities, may cause adverse tax consequences or unfavorable accounting treatment, may expose us to claims and disputes by stockholders and third parties, including intellectual property claims and disputes, or may not generate sufficient financial return to offset additional costs and expenses related to the acquisition;

 

we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel or operations of any company that we acquire;

 

an acquisition or investment may disrupt our ongoing business, divert resources, increase our expenses and distract our management;

 

an acquisition may result in a delay or reduction of customer purchases for both us and the company acquired due to customer uncertainty about continuity and effectiveness of service from either company;

 

we may encounter difficulties in, or may be unable to, successfully sell any acquired products or effectively integrate them into or with our existing solutions;

 

our use of cash to pay for acquisitions or investments would limit other potential uses for our cash;

 

if we incur debt to fund any acquisitions or investments, such debt may subject us to material restrictions on our ability to conduct our business; and

 

if we issue a significant amount of equity securities in connection with future acquisitions, existing stockholders may be diluted and earnings per share may decrease.

The occurrence of any of these risks could adversely affect our business, operating results and financial condition.

If we fail to adequately protect our proprietary rights, our competitive position could be impaired, and we may lose valuable assets, generate reduced revenue and incur costly litigation to protect our rights.

We rely on copyrights and trade secret laws, confidentiality procedures, employment proprietary information and inventions assignment agreements, trademarks and patents to protect our intellectual property rights. However, the steps we take to protect our intellectual property may not be adequate. To protect our trade secrets and proprietary information, we rely in significant part on confidentiality arrangements with our employees, licensees, independent contractors, advisers, channel partners, resellers and customers. These arrangements may not be effective to prevent disclosure of confidential information, including trade secrets, and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. In addition, if others independently discover trade secrets and proprietary information, we would not be able to assert trade secret rights against such parties. To protect our intellectual property, we may be required to spend significant resources to obtain, monitor and enforce such rights. Litigation brought to enforce our intellectual property could be costly, time-consuming and distracting to management and could be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property, which may result in the impairment or loss of portions of our intellectual property. The laws of some foreign countries do not protect our intellectual property to the same extent as the laws of the United States, and effective intellectual property protection and mechanisms may not be available in those jurisdictions. We may need to expend additional resources to defend our intellectual property in these countries, and our inability to do so could impair our business or adversely affect our international expansion. Even if we are able to secure intellectual property, there can be no assurances that such rights will provide us with competitive advantages or distinguish our platform or solutions and services from those of our competitors or that our competitors will not independently develop similar technology.

31


 

We may be subject to intellectual property rights claims by third parties, which may be costly to defend, could require us to pay significant damages and could limit our ability to use certain technologies.

Companies in the software and technology industries, including some of our current and potential competitors, own large numbers of patents, copyrights, trademarks and trade secrets and frequently enter into litigation based on allegations of infringement, misappropriation or other violations of intellectual property rights. We have in the past and may in the future be subject to notices that claim we have infringed, misappropriated or misused the intellectual property of our competitors or other third parties, including patent holding companies whose sole business is to assert such claims. To the extent we increase our visibility in the market, we face a higher risk of being the subject of intellectual property claims. Additionally, we do not have a significant patent portfolio, which could prevent us from deterring patent infringement claims through our own patent portfolio, and our competitors and others may now or in the future have significantly larger and more mature patent portfolios than we do.

Any intellectual property claims, with or without merit, could be time-consuming and expensive and could divert our management’s attention and other resources. These claims could also subject us to significant liability for damages, potentially including treble damages if we are found to have willfully infringed patents or copyrights. These claims could also result in our having to stop using technology found to be in violation of a third party’s rights. We might be required to seek a license for the intellectual property, which may not be available on reasonable terms or at all. Even if a license is available, we could be required to pay significant royalties, which would increase our operating expenses. As a result, we may be required to develop alternative non-infringing technology, which could require significant effort and expense. If we cannot license or develop technology for any aspect of our business that may ultimately be determined to infringe on or misappropriate the intellectual property rights of another party, we could be forced to limit or stop sales of licenses to our platform and solutions and may be unable to compete effectively. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property pursuant to our agreements with our channel partners or customers. Any of these results would adversely affect our business, operating results and financial condition.

Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.

Our agreements with customers and other third parties may include indemnification provisions under which we agree to indemnify them or otherwise be liable for losses suffered or incurred as a result of claims of intellectual property infringement or misappropriation, damages caused by us to property or persons, or other liabilities relating to or arising from our platform, solutions, services or other contractual obligations. Some of these indemnity agreements provide for uncapped liability for which we would be responsible, and some indemnity provisions survive termination or expiration of the applicable agreement.

From time to time, customers also require us to indemnify or otherwise be liable to them for breach of confidentiality, violation of applicable law or failure to implement adequate security measures with respect to their data stored, transmitted or accessed using our platform. Although we normally seek contractual limitations to our liability with respect to the foregoing obligations, the existence of such a dispute may have adverse effects on our customer relationship and reputation and even if we contractually limit our liability with respect to such obligations, we may still incur substantial liability related to them. Any assertions by a third party, whether or not successful, with respect to any of these indemnification obligations could subject us to costly and time-consuming litigation, expensive remediation and licenses, divert management attention and financial resources, harm our relationship with that customer and other current and prospective customers, reduce demand for our platform and solutions, and harm our brand, business, operating results and financial condition. Any dispute with a customer with respect to such obligations could have adverse effects on our relationship with that customer and other existing customers and new customers and adversely affect our business and operating results.

32


 

We may be subject to damages resulting from claims that our employees or contractors have wrongfully used or disclosed alleged trade secrets of their former employers or other parties.

We could in the future be subject to claims that we, our employees or our contractors have inadvertently or otherwise used or disclosed trade secrets or other proprietary information of our competitors or other parties. Litigation may be necessary to defend against these claims. If we fail in defending against such claims, a court could order us to pay substantial damages and prohibit us from using technologies or features that are essential to our solutions, if such technologies or features are found to incorporate or be derived from the trade secrets or other proprietary information of these parties. In addition, we may lose valuable intellectual property rights or personnel. A loss of key personnel or their work product could hamper or prevent our ability to develop, market and support potential solutions or enhancements, which could severely harm our business. Even if we are successful in defending against these claims, such litigation could result in substantial costs and be a distraction to management.

Our use of “open source” software could negatively affect our ability to sell our solutions and subject us to possible litigation.

Some aspects of our platform and solutions are built using open source software, and we intend to continue to use open source software in the future. From time to time, we contribute software source code to open source projects under open source licenses or release internal software projects under open source software licenses, and anticipate doing so in the future. The terms of certain open source licenses to which we are subject have not been interpreted by U.S. or foreign courts, and there is a risk that open source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to monetize our products. Additionally, we may from time to time face claims from third parties claiming ownership of, or demanding release of, the open source software or derivative works that we developed using such software, which could include our proprietary source code, or otherwise seeking to enforce the terms of the applicable open source software license. These claims could result in litigation and could require us to make our software source code freely available, purchase a costly license or cease offering the implicated services unless and until we can re-engineer them to avoid infringement or violation. This re-engineering process could require significant additional research and development resources, and we may not be able to complete it successfully. In addition to risks related to license requirements, use of certain open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of software and, thus, may contain security vulnerabilities or broken code. Additionally, because any software source code we contribute to open source projects is publicly available, our ability to protect our intellectual property rights with respect to such software source code may be limited or lost entirely, and we may be unable to prevent our competitors or others from using such contributed software source code. Any of these risks could be difficult to eliminate or manage, and if not addressed, could have a negative effect on our business, operating results and financial condition.  

We may be required to defer recognition of some of our license revenue, which may harm our operating results in any given period.

We may be required to defer recognition of license revenue for a significant period of time after entering into an agreement due to a variety of factors, including, among other things, whether:

 

the transaction involves products or features that are under development;

 

the transaction involves extended payment terms; or

 

the transaction involves acceptance criteria.

Although we strive to enter into agreements that meet the criteria under GAAP for current revenue recognition on delivered elements, our agreements are often subject to negotiation and revision based on the demands of our customers. The final terms of our agreements sometimes result in deferred revenue recognition well after the time of delivery, which may adversely affect our financial results in any given period.

33


 

Furthermore, the presentation of our financial results requires us to make estimates and assumptions that may affect revenue recognition. In some instances, we could reasonably use different estimates and assumptions, and changes in estimates are likely to occur from period to period. Accordingly, actual results could differ significantly from our estimates.

If our estimates or judgments relating to our critical accounting policies prove to be incorrect, our operating results could be adversely affected.

The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations. The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to revenue recognition, capitalized internal-use software costs, income taxes, other non-income taxes, business combinations and valuation of goodwill and purchased intangible assets and stock-based compensation. Our operating results may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations of securities analysts and investors, resulting in a decline in the trading price of our common stock.

Changes in existing financial accounting standards or practices, or taxation rules or practices, may harm our operating results.

Changes in existing accounting or taxation rules or practices, new accounting pronouncements or taxation rules, or varying interpretations of current accounting pronouncements or taxation practice could harm our operating results or the manner in which we conduct our business. Further, such changes could potentially affect our reporting of transactions completed before such changes are effective.

GAAP is subject to interpretation by the Financial Accounting Standards Board (“FASB”), the SEC and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results and could affect the reporting of transactions completed before the announcement of a change.

For example, in May 2014 the FASB issued ASU No. 2014-09, Revenue from Contracts with Customers (“Topic 606”), for which certain elements may impact our accounting for revenue and costs incurred to acquire contracts. We will be required to implement this guidance for our annual reporting period beginning after December 15, 2018, unless we are no longer an emerging growth company on December 31, 2018. Application of Topic 606 may significantly impact the amount and timing of revenue recognition, such as recognizing revenue from existing contracts in periods other than when historically reported under existing GAAP or the revenue recognized under existing GAAP could be eliminated as part of the effect of adoption. Further, adoption of Topic 606 could result in changes to the periods when revenue is recognized in the future compared with management’s current expectations under existing GAAP. In addition, Topic 606 may significantly change the timing of when expense recognition will occur related to costs to obtain and fulfill customer contracts. While the adoption of Topic 606 does not change the cash flows received from our contracts with customers, the adoption of Topic 606 could have a material adverse effect on our financial position or results of operations.

34


 

Our business may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, foreign or other authorities to collect additional or past sales tax could adversely affect our business.

States and some local taxing jurisdictions have differing rules and regulations governing sales and use taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our platform in various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as state tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We could also be subject to audits in states and international jurisdictions for which we have not accrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes on our services in jurisdictions where we have not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our products or otherwise adversely affect our business, operating results and financial condition.

We file sales tax returns in certain states within the United States as required by law and certain customer contracts for a portion of the products that we provide. We do not collect sales or other similar taxes in other states and many of such states do not apply sales or similar taxes to the vast majority of the products that we provide. However, one or more states or foreign authorities could seek to impose additional sales, use or other tax collection and record-keeping obligations on us or may determine that such taxes should have, but have not been, paid by us. Liability for past taxes may also include substantial interest and penalty charges. Any successful action by state, foreign or other authorities to compel us to collect and remit sales tax, use tax or other taxes, either retroactively, prospectively or both, could adversely affect our business, operating results and financial condition.

If our products fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and operating results could be materially and adversely affected.

We believe we generate a portion of our revenues from our products and services because our customers use our products and services as part of their efforts to achieve and maintain compliance with certain government regulations and industry standards, and we expect that will continue for the foreseeable future. Examples of industry standards and government regulations include the Payment Card Industry Data Security Standard (“PCI-DSS”); the Federal Information Security Management Act (“FISMA”) and associated National Institute for Standards and Testing (“NIST”) Network Security Standards; the Sarbanes-Oxley Act; Title 21 of the U.S. Code of Federal Regulations, which governs food and drugs industries; the North American Electric Reliability Corporation Critical Infrastructure Protection Plan (“NERC-CIP”); the proposed European General Data Protection Regulation; the German Federal Financial Supervisory Authority (“BaFin”) Minimum Requirements for Risk Management; and the Monetary Authority of Singapore’s Technology Risk Management Notices. These industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses. In addition, governments may also adopt new laws or regulations, or make changes to existing laws or regulations, that could affect whether our customers believe our solution assists them in maintaining compliance with such laws or regulations. If our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our products and could switch to products offered by our competitors. In addition, if government regulations and industry standards related to IT security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their businesses, and our customers may be less willing to purchase our products and services. In either case, our sales and financial results would suffer.

35


 

Failure to comply with anti-bribery, anti-corruption, and anti-money laundering laws could subject us to penalties and other adverse consequences.

We are subject to the Foreign Corrupt Practices Act (“FCPA”), the U.K. Bribery Act and other anti-corruption, anti-bribery and anti-money laundering laws in various jurisdictions both domestic and abroad. The FCPA prohibits any U.S. individual or business from paying, offering, authorizing payment or offering of anything of value, directly or indirectly, to any foreign official, political party or candidate for the purpose of influencing any act or decision of the foreign entity in order to assist the individual or business in obtaining or retaining business. The U.K. Bribery Act is similar but even broader in scope in that it prohibits bribery of private (non-government) persons as well. The FCPA also obligates companies whose securities are listed in the United States to comply with certain accounting provisions requiring the company to maintain books and records that accurately and fairly reflect all transactions of the corporation, including international subsidiaries, and to devise and maintain an adequate system of internal accounting controls for international operations. Our sales model presents some risk under these laws. We leverage third parties, including channel partners, to sell our solutions and conduct our business abroad. We and our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies, state-owned or affiliated entities and non-governmental commercial entities, and may be held liable for the corrupt or other illegal activities of these third-party intermediaries, our employees, representatives, contractors, channel partners and agents, even if we do not explicitly authorize such activities. While we have policies and procedure to address compliance with these laws, we cannot assure you that all of our employees and agents will not take actions in violation of our policies and applicable law, for which we may be ultimately held responsible. Noncompliance with these laws could subject us to investigations, sanctions, settlements, prosecution, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, adverse media coverage and other consequences. Any investigations, actions or sanctions could adversely affect our business, operating results and financial condition.

We are subject to governmental export controls and economic sanctions laws that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.

Our business activities are subject to various restrictions under U.S. export controls and trade and economic sanctions laws, including the U.S. Commerce Department’s Export Administration Regulations and economic and trade sanctions regulations maintained by the U.S. Treasury Department’s Office of Foreign Assets Control. The U.S. export control laws and U.S. economic sanctions laws include prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries, governments, persons and entities and also require authorization for the export of encryption items. We are also subject to Israeli export controls on encryption technology for SecurityIQ. If the applicable U.S. or Israeli requirements regarding export of encryption technology were to change or if we change the encryption means in our products, we may need to satisfy additional requirements in the United States or Israel. There can be no assurance that we will be able to satisfy any additional requirements under these circumstances in either the United States or Israel.

In addition, various countries regulate the import of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our services or could limit our customers’ ability to implement our services in those countries. Although we take precautions to prevent our products from being provided in violation of such laws, our products may have been in the past, and could in the future be, provided inadvertently in violation of such laws, despite the precautions we take. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and monetary penalties. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. Although we take precautions to prevent transactions with U.S. sanction targets, we could inadvertently provide our products to persons prohibited by U.S. sanctions. This could result in negative consequences to us, including government investigations, penalties and harm to our reputation.

36


 

Our corporate structure and intercompany arrangements are subject to the tax laws of various jurisdictions, and we could be obligated to pay additional taxes, which would harm our operating results.

Based on our current corporate structure, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents. In addition, the authorities in these jurisdictions could challenge our methodologies for valuing developed technology or intercompany arrangements, including our transfer pricing. The relevant taxing authorities may determine that the manner in which we operate our business does not achieve the intended tax consequences. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest and penalties. Such authorities could claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries. Any increase in the amount of taxes we pay or that are imposed on us could increase our worldwide effective tax rate and adversely affect our business and operating results.

Our ability to use net operating losses and other tax attributes to offset future taxable income may be subject to certain limitations.

In general, under Sections 382 and 383 of the Internal Revenue Code of 1986, as amended (the “Internal Revenue Code”), a corporation that undergoes an “ownership change” is subject to limitations on its ability to utilize its pre-change net operating losses (“NOLs”), tax credits or other tax attributes, to offset future taxable income or taxes. For these purposes, an ownership change generally occurs where the aggregate stock ownership of one or more stockholders or groups of stockholders who owns at least 5% of a corporation’s stock increases its ownership by more than 50 percentage points over its lowest ownership percentage within a specified testing period. Our existing NOLs may be subject to substantial limitations arising from previous ownership changes, and if we undergo an ownership change in the future, our ability to utilize NOLs could be further limited by Sections 382 and 383 of the Internal Revenue Code. In addition, future changes in our stock ownership, many of which are outside of our control, could result in an ownership change under Sections 382 and 383 of the Internal Revenue Code. Our NOLs may also be impaired under state law. Accordingly, we may not be able to utilize a material portion of our NOLs. Furthermore, our ability to utilize our NOLs is conditioned upon our attaining profitability and generating U. S. federal and state taxable income.

We function as a HIPAA “business associate” for certain of our customers and, as such, are subject to strict privacy and data security requirements. If we fail to comply with any of these requirements, we could be subject to significant liability, all of which can adversely affect our business as well as our ability to attract and retain new customers.

The Health Insurance Portability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their respective implementing regulations (“HIPAA”), imposes specified requirements relating to the privacy, security and transmission of individually identifiable health information. Among other things, HITECH makes HIPAA’s security standards directly applicable to “business associates.” We function as a business associate for certain of our customers that are HIPAA covered entities and service providers and, in that context we are regulated as a business associate for the purposes of HIPAA. If we are unable to comply with our obligations as a HIPAA business associate, we could face substantial civil and even criminal liability. Modifying the already stringent penalty structure that was present under HIPAA prior to HITECH, HITECH created four new tiers of civil monetary penalties and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorneys’ fees and costs associated with pursuing federal civil actions. In addition, many state laws govern the privacy and security of health information in certain circumstances, many of which differ from HIPAA and each other in significant ways and may not have the same effect.

The HIPAA covered entities and service providers to which we provide services require us to enter into HIPAA-compliant business associate agreements with them. These agreements impose stringent data security obligations on us. If we are unable to meet the requirements of any of these business associate agreements, we could face contractual liability under the applicable business associate agreement as well as possible civil and criminal liability under HIPAA, all of which can have an adverse impact on our business and generate negative publicity, which, in turn, can have an adverse impact on our ability to attract and retain new customers.

37


 

Risks Related to Ownership of Our Common Stock

The requirements of being a public company, including compliance with the reporting requirements of the Exchange Act, and the requirements of the Sarbanes-Oxley Act and the NYSE, may strain our resources, increase our costs and distract management, and we may be unable to comply with these requirements in a timely or cost-effective manner.

As a public company, we are subject to laws, regulations and requirements with which we were not required to comply as a private company, including compliance with reporting requirements of the Exchange Act and the requirements of the Sarbanes-Oxley Act and the NYSE. As a newly public company, complying with these statutes, regulations and requirements occupies a significant amount of time of our board of directors and management and has significantly increased our costs and expenses as compared to when we were a private company. For example, as a newly public company, we have had to institute a more comprehensive compliance function, establish new internal policies, such as those relating to insider trading, and involve and retain to a greater degree outside counsel and accountants. In addition, being a public company subject to these rules and regulations has made it more expensive for us to obtain director and officer liability insurance, and we may be required to accept reduced policy limits and coverage or incur substantially higher costs to obtain the same or similar coverage. As a result, it may be more difficult for us to attract and retain qualified individuals to serve on our board of directors or as executive officers as compared to when we were a private company.  

Furthermore, while we generally must comply with Section 404 of the Sarbanes-Oxley Act for our fiscal year ending December 31, 2018, we are not required to have our independent registered public accounting firm attest to the effectiveness of our internal controls until our first annual report subsequent to our ceasing to be an emerging growth company. Accordingly, we may not be required to have our independent registered public accounting firm attest to the effectiveness of our internal controls until as late as our annual report for the fiscal year ending December 31, 2022. Once it is required to do so, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed, operated or reviewed. Compliance with these requirements may strain our resources, increase our costs and distract management, and we may be unable to comply with these requirements in a timely or cost-effective manner.

The trading price of our common stock could be volatile, which could cause the value of your investment to decline.

Our initial public offering occurred in November 2017.  Therefore, there has only been a public market for our common stock for a short period of time.  Although our common stock is listed on the NYSE, an active trading market for our common stock may not develop or, if developed, be sustained.  Technology stocks have historically experienced high levels of volatility. The trading price of our common stock may fluctuate substantially. Since shares of our common stock were sold in our initial public offering in November 2017 at a price of $12.00 per share, our stock price has fluctuated significantly. Factors that could cause fluctuations in the trading price of our common stock include the following:

 

announcements of new products or technologies, commercial relationships, acquisitions or other events by us or our competitors;

 

changes in how customers perceive the benefits of our platform;

 

shifts in the mix of revenue attributable to perpetual licenses and to SaaS subscriptions from quarter to quarter;

 

departures of key personnel;

 

price and volume fluctuations in the overall stock market from time to time;

 

fluctuations in the trading volume of our shares or the size of our public float;

 

sales of large blocks of our common stock;

 

actual or anticipated changes or fluctuations in our operating results;

 

whether our operating results meet the expectations of securities analysts or investors;

38


 

 

changes in actual or future expectations of investors or securities analysts;

 

litigation involving us, our industry or both;

 

regulatory developments in the United States, foreign countries or both;

 

general economic conditions and trends;

 

major catastrophic events in our domestic and foreign markets; and

 

“flash crashes,” “freeze flashes” or other glitches that disrupt trading on the securities exchange on which we are listed.

In addition, if the market for technology stocks or the stock market in general experiences a loss of investor confidence, the trading price of our common stock could decline for reasons unrelated to our business, operating results or financial condition. The trading price of our common stock might also decline in reaction to events that affect other companies in our industry even if these events do not directly affect us. In the past, following periods of volatility in the trading price of a company’s securities, securities class action litigation has often been brought against that company. If our stock price is volatile, we may become the target of securities litigation. Securities litigation could result in substantial costs and divert our management’s attention and resources from our business. This could have an adverse effect on our business, operating results and financial condition.

In the past, following periods of volatility in the trading price of a company’s securities, securities class action litigation has often been brought against that company. If our stock price is volatile, we may become the target of securities litigation. Securities litigation could result in substantial costs and divert our management’s attention and resources from our business. This could have an adverse effect on our business, operating results and financial condition.

An active public trading market may not continue to develop or be sustained.

Prior to the completion of our initial public offering in November 2017, no public market for our common stock existed. An active public trading market for our common stock may not continue to develop or be sustained. The lack of an active market may impair your ability to sell your shares of our common stock at the time you wish to sell them or at a price that you consider reasonable. The lack of an active market may also reduce the fair value of your shares. An inactive market may also impair our ability to raise capital to continue to fund operations by selling shares and may impair our ability to acquire other companies or technologies by using our shares as consideration.

If securities analysts or industry analysts were to downgrade our stock, publish negative research or reports or fail to publish reports about our business, our competitive position could suffer, and our stock price and trading volume could decline.

The trading market for our common stock, to some extent, depends on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If one or more of the analysts who cover us should downgrade our stock or publish negative research or reports, cease coverage of our company or fail to regularly publish reports about our business, our competitive position could suffer, and our stock price and trading volume could decline.

Sales of substantial amounts of our common stock in the public markets, or the perception that such sales could occur, could reduce the market price of our common stock.

Sales of a substantial number of shares of our common stock in the public market, or the perception that such sales could occur, could adversely affect the market price of our common stock. We are unable to predict the effect that such sales may have on the prevailing market price of our common stock.

39


 

As of March 15, 2018, we have outstanding 87,205,120 shares of common stock. Of these shares, the 23,000,000 shares of common stock sold in our initial public offering are freely tradable. In addition, 63,600,396 shares of our common stock will be eligible for sale in the public market on May 16, 2018 following the expiration of the 180-day lock-up period in connection with our initial public offering, subject to volume, manner of sale and other limitations of Rule 144, as applicable. Morgan Stanley & Co. LLC and Citigroup Global Markets Inc. may, in their sole discretion, permit our stockholders who are subject to these lock-up agreements to sell shares prior to the expiration of the lock- up agreements. Sales of a substantial number of such shares upon expiration of, or the perception that such sales may occur, or early release of the shares subject to, the lock-up agreements, could cause our stock price to fall.

In addition, as of March 15, 2018, there were 3,766,294 shares of common stock subject to outstanding options and 1,245,826 shares of common stock to be issued upon the vesting of outstanding restricted stock units. We have registered all of the shares of common stock issuable upon the exercise of outstanding options, upon the vesting of outstanding restricted stock units and upon exercise of settlement of any options or other equity incentives we may grant in the future, for public resale under the Securities Act of 1933, as amended (the “Securities Act”). Accordingly, these shares may be freely sold in the public market upon issuance as permitted by any applicable vesting requirements, subject to the lock-up agreements described above and compliance with applicable securities laws. Furthermore, holders of 70,115,454 shares of our common stock have certain rights with respect to the registration of such shares (and any additional shares acquired by such holders in the future) under the Securities Act.

Our issuance of additional capital stock in connection with financings, acquisitions, investments, our stock incentive plans or otherwise will dilute all other stockholders.

We may issue additional capital stock in the future that will result in dilution to all other stockholders. We may also raise capital through equity financings in the future. As part of our business strategy, we may acquire or make investments in complementary companies, products or technologies and issue equity securities to pay for any such acquisition or investment. Any such issuances of additional capital stock may cause stockholders to experience significant dilution of their ownership interests and the per share value of our common stock to decline.

Our charter and bylaws contain anti-takeover provisions that could delay or discourage takeover attempts that stockholders may consider favorable.

Our charter and bylaws contain provisions that could delay or prevent a change in control of our company. These provisions could also make it difficult for stockholders to elect directors who are not nominated by the current members of our board of directors or take other corporate actions, including effecting changes in our management. These provisions include:

 

a classified board of directors with three-year staggered terms, which could delay the ability of stockholders to change the membership of a majority of our board of directors;

 

after Thoma Bravo ceases to beneficially own at least 30% of the outstanding shares of our common stock, removal of directors only for cause;

 

the ability of our board of directors to issue shares of preferred stock and to determine the price and other terms of those shares, including preferences and voting rights, without stockholder approval, which could be used to significantly dilute the ownership of a hostile acquirer;

 

allowing Thoma Bravo to fill vacancy on our board of directors for so long as affiliates of Thoma Bravo own 30% or more of our outstanding shares of common stock and thereafter, allowing only our board of directors, which prevents stockholders from being able to fill vacancies on our board of directors;

 

after we cease to be a controlled company, a prohibition on stockholder action by written consent, which forces stockholder action to be taken at an annual or special meeting of our stockholders;

40


 

 

after we cease to be a controlled company, the requirement that a special meeting of stockholders may be called only by or at the direction of our board of directors, which could delay the ability of our stockholders to force consideration of a proposal or to take action, including the removal of directors;

 

after we cease to be a controlled company, the requirement for the affirmative vote of holders of at least 66 2/3% of the voting power of all of the then outstanding shares of the voting stock, voting together as a single class, to amend the provisions of our charter relating to the management of our business (including our classified board structure) or certain provisions of our bylaws, which may inhibit the ability of an acquirer to effect such amendments to facilitate an unsolicited takeover attempt;

 

the ability of our board of directors to amend the bylaws, which may allow our board of directors to take additional actions to prevent an unsolicited takeover and inhibit the ability of an acquirer to amend the bylaws to facilitate an unsolicited takeover attempt;

 

advance notice procedures with which stockholders must comply to nominate candidates to our board of directors or to propose matters to be acted upon at a stockholders’ meeting, which may discourage or deter a potential acquirer from conducting a solicitation of proxies to elect the acquirer’s own slate of directors or otherwise attempting to obtain control of us; and

 

a prohibition of cumulative voting in the election of our board of directors, which would otherwise allow less than a majority of stockholders to elect director candidates.

Our charter also contains a provision that provides us with protections similar to Section 203 of the Delaware General Corporation Law (“DGCL”), and prevents us from engaging in a business combination, such as a merger, with an interested stockholder (i.e., a person or group who acquires at least 15% of our voting stock) for a period of three years from the date such person became an interested stockholder, unless (with certain exceptions) the business combination or the transaction in which the person became an interested stockholder is approved in a prescribed manner. However, our charter also provides that Thoma Bravo, including the Thoma Bravo Funds, and any persons to whom any Thoma Bravo Fund sells its common stock will be deemed not to be interested stockholders.

Thoma Bravo has a controlling influence over matters requiring stockholder approval, which could delay or prevent a change of control.

Thoma Bravo, as the ultimate general partner of the Thoma Bravo Funds, beneficially owns in the aggregate 57.7% of our common stock as of March 15, 2018 (which shares are held directly by the Thoma Bravo Funds or their affiliates). As a result, Thoma Bravo could exert significant influence over our operations and business strategy and would have sufficient voting power to effectively control the outcome of matters requiring stockholder approval. These matters may include:

 

the composition of our board of directors, which has the authority to direct our business and to appoint and remove our officers;

 

approving or rejecting a merger, consolidation or other business combination;

 

raising future capital; and

 

amending our charter and bylaws, which govern the rights attached to our common stock.

41


 

Additionally, for so long as Thoma Bravo beneficially owns at least (i) 30% of our outstanding shares of common stock, Thoma Bravo will have the right to designate the chairman of our board of directors and of each committee of our board of directors as well as nominate a majority of our board of directors (provided that, at such time as we cease to be a “controlled company” under the NYSE corporate governance standards, the majority of our board of directors will be “independent” directors, as defined under the rules of the NYSE, and provided further, that, the membership of each committee of our board of directors will comply with the applicable rules of the NYSE); (ii) 20% (but less than 30%) of our outstanding shares of common stock, Thoma Bravo will have the right to nominate a number of directors to our board of directors equal to the lowest whole number that is greater than 30% of the total number of directors (but in no event fewer than two directors); (iii) 10% (but less than 20%) of our outstanding shares of common stock, Thoma Bravo will have the right to nominate a number of directors to our board of directors equal to the lowest whole number that is greater than 20% of the total number of directors (but in no event fewer than one director); and (iv) at least 5% (but less than 10%) of our outstanding shares of common stock, Thoma Bravo will have the right to nominate one director to our board of directors. For so long as Thoma Bravo beneficially owns at least 30% of our outstanding shares of common stock, the directors nominated by Thoma Bravo are expected to constitute a majority of each committee of our board of directors, other than the audit committee.

This concentration of ownership of our common stock could delay or prevent proxy contests, mergers, tender offers, open-market purchase programs or other purchases of our common stock that might otherwise result in the opportunity to realize a premium over the then-prevailing market price of our common stock. This concentration of ownership may also adversely affect our share price.

Thoma Bravo may pursue corporate opportunities independent of us that could present conflicts with our and our stockholders’ interests.

Thoma Bravo is in the business of making or advising on investments in companies and holds (and may from time to time in the future acquire) interests in or provides advice to businesses that directly or indirectly compete with certain portions of our business or are suppliers or customers of ours. Thoma Bravo may also pursue acquisitions that may be complementary to our business and, as a result, those acquisition opportunities may not be available to us.

Our charter provides that no officer or director of the Company who is also an officer, director, employee, managing director or other affiliate of Thoma Bravo will be liable to us or our stockholders for breach of any fiduciary duty by reason of the fact that any such individual pursues or acquires a corporate opportunity for its own account or the account of an affiliate, as applicable, instead of us, directs a corporate opportunity to any other person, instead of us or does not communicate information regarding a corporate opportunity to us.

We may issue preferred stock whose terms could adversely affect the voting power or value of our common stock.

Our charter authorizes us to issue, without the approval of our stockholders, one or more classes or series of preferred stock having such designations, preferences, limitations and relative rights, including preferences over our common stock respecting dividends and distributions, as our board of directors may determine. The terms of one or more classes or series of preferred stock could adversely impact the voting power or value of our common stock. For example, we might grant holders of preferred stock the right to elect some number of our directors in all events or on the happening of specified events or the right to veto specified transactions. Similarly, the repurchase or redemption rights or liquidation preferences we might assign to holders of preferred stock could affect the residual value of our common stock.

42


 

Our charter designates the Court of Chancery of the State of Delaware as the sole and exclusive forum for certain types of actions and proceedings that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, employees or agents.

Our charter provides that, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware will, to the fullest extent permitted by applicable law, be the sole and exclusive forum for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers, employees or agents to us or our stockholders, (iii) any action asserting a claim arising pursuant to any provision of the DGCL, our charter or bylaws, or (iv) any action asserting a claim against us that is governed by the internal affairs doctrine, in each such case subject to such Court of Chancery of the State of Delaware having personal jurisdiction over the indispensable parties named as defendants therein. Any person or entity purchasing or otherwise acquiring any interest in shares of our capital stock will be deemed to have notice of, and consented to, the provisions of our charter described in the preceding sentence. This choice of forum provision may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers, employees or agents, which may discourage such lawsuits against us and such persons. Alternatively, if a court were to find these provisions of our charter inapplicable to, or unenforceable in respect of, one or more of the specified types of actions or proceedings, we may incur additional costs associated with resolving such matters in other jurisdictions, which could adversely affect our business, financial condition or operating results.

For as long as we are an emerging growth company, we will not be required to comply with certain requirements that apply to other public companies.

We are an emerging growth company, as defined in the JOBS Act. For as long as we are an emerging growth company, which may be up to five full fiscal years, unlike other public companies, we are not required to, among other things: (i) provide an auditor’s attestation report on management’s assessment of the effectiveness of our system of internal control over financial reporting pursuant to Section 404(b) of the Sarbanes-Oxley Act; (ii) comply with any new requirements adopted by the Public Company Accounting Oversight Board requiring mandatory audit firm rotation or a supplement to the auditor’s report in which the auditor would be required to provide additional information about the audit and the financial statements of the issuer; (iii) provide certain disclosures regarding executive compensation required of larger public companies; or (iv) hold nonbinding advisory votes on executive compensation and any golden parachute payments not previously approved. In addition, the JOBS Act provides that an emerging growth company can take advantage of the extended transition period provided in Section 7(a)(2)(B) of the Securities Act for adopting new or revised financial accounting standards. We have elected take advantage of the longer phase-in periods for the adoption of new or revised financial accounting standards permitted under the JOBS Act until we are no longer an emerging growth company. If we were to subsequently elect instead to comply with these public company effective dates, such election would be irrevocable pursuant to the JOBS Act.

We will remain an emerging growth company for up to five years after our initial public offering, although we will lose that status sooner if we have more than $1.07 billion of revenues in a fiscal year, have more than $700.0 million in market value of our common stock held by non-affiliates, or issue more than $1.0 billion of non-convertible debt over a three-year period.

To the extent that we rely on any of the exemptions available to emerging growth companies, you will receive less information about our executive compensation and internal control over financial reporting than issuers that are not emerging growth companies. We cannot predict if investors will find our common stock less attractive because we will rely on these exemptions. If some investors find our common stock to be less attractive as a result, there may be a less active trading market for our common stock and our stock price may be more volatile.

When we lose our emerging growth company status or if we elect to no longer take advantage of the longer phase-in periods for the adoption of new or revised financial accounting standards permitted under the JOBS Act, the emerging growth company exemptions will cease to apply and we expect we will incur additional expenses and devote increased management effort toward ensuring compliance with the non-emerging growth company requirements. We cannot predict or estimate the amount of these expenses, which may be substantial.

43


 

We are controlled company within the meaning of the NYSE rules and, as a result, qualify for and rely on exemptions from certain corporate governance requirements.

Thoma Bravo beneficially owns, on a combined basis, a majority of the combined voting power of all classes of our outstanding voting stock. As a result, we are a controlled company within the meaning of the NYSE corporate governance standards. Under the NYSE rules, a company of which more than 50% of the voting power is held by another person or group of persons acting together is a controlled company and may elect not to comply with certain NYSE corporate governance requirements, including the requirements that:

 

a majority of the board of directors consist of independent directors as defined under the rules of the NYSE;

 

the nominating and governance committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities; and

 

the compensation committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities.

These requirements will not apply to us as long as we remain a controlled company. We currently utilize some or all of these exemptions. Accordingly, our investors may not have the same protections afforded to stockholders of companies that are subject to all of the corporate governance requirements of the NYSE. See the section titled “Management—Status as a Controlled Company” below.

Item 1B. Unresolved Staff Comments.

None.

Item 2. Properties.

We have a lease for a new 164,818 square-feet corporate headquarters in Austin, Texas that is currently under construction.  We anticipate that the lease’s term will commence during the second fiscal quarter of 2019 (but may commence earlier or later, depending on the date the construction thereof is substantially completed or when we first conduct business therein), and it expires approximately 10 years from such commencement date. Our current corporate headquarters occupy 44,633 square feet in Austin, Texas under a lease that expires 20 business days after the commencement date for the lease for our new corporate headquarters. In addition to our headquarters, we have additional office space in Austin, Texas, and office space in Pune, India and Tel Aviv, Israel. Consistent with our growth, we currently plan to consolidate our Austin offices in 2019.

We lease all of our facilities. We believe that our facilities are adequate for our current needs and anticipate that suitable additional space will be readily available to accommodate any foreseeable expansion of our operations.

Item 3. Legal Proceedings.

We are not currently a party to, nor is our property currently subject to,  any material legal proceedings. We are not aware of any inquiries or investigations into our business.

Item 4. Mine Safety Disclosures.

None

44


 

PART II

Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities.

Market Information

Our common stock is listed and traded on the NYSE under the symbol “SAIL.” Initial trading of our common stock commenced on November 17, 2017.  Accordingly, no market for our common stock existed prior to that date. The table below sets forth, for the period indicated, the high and low sales prices per share of our common stock since November 17, 2017 as regularly quoted on the NYSE.

 

Year ended December 31, 2017

 

 

High

 

 

Low

Fourth Quarter (from November 17, 2017)

 

$

16.36

 

$

12.82

 

On March 15, 2018, the closing sale price of our common stock on the NYSE was $21.60 per share.

 

Holders of Record

On March 15, 2018, there were 288 holders of record of our common stock. Because many of our shares of common stock are held by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of beneficial stockholders represented by these record holders.

Dividend Policy

We have never declared or paid any cash dividends on our common stock. We currently intend to retain all our earnings for the repayment of our outstanding debt and to finance the growth and development of our business. Any further determination to pay dividends on our common stock will be at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors considers relevant.  In addition, our credit facility places restrictions on our ability to pay cash dividends.

Stock Performance Graph

The following is not “soliciting material,” shall not be deemed “filed” for purposes of Section 18 of the Exchange Act or incorporated by reference into any of our other filings under the Exchange Act or the Securities Act, except to the extent we specifically incorporate it by reference into such filing.

The graph assumes that $100 was invested on November 17, 2017 in the Company’s common stock, in the NYSE composite index and the S&P 600 information technology index, and that all dividends were reinvested. The stock price performance on the following graph are required by the SEC and are not necessarily intended to forecast or be indicative of future stock price performance.

45


 

The closing price of our common stock on December 29, 2017, the last trading day of our 2017 fiscal year, was $14.50 per share.

The closing price of our common stock on December 31, 2017, the last day of our 2017 fiscal year, was $14.50 per share.

 

Company /Index

 

11/17/17

 

11/30/17

 

12/31/17

SAIL

 

$

100.00

 

$

113.07

 

$

111.53

NYSE Composite

 

$

100.00

 

$

102.60

 

$

104.24

S&P 600 IT

 

$

100.00

 

$

97.30

 

$

94.94

 

Recent Sale of Unregistered Securities

Between January 1, 2017 and November 20, 2017, we had the following sales of unregistered securities: (i) grants to certain of our employees, consultants and other service providers of options to purchase an aggregate of 1,765,420 shares of common stock at exercise prices ranging from $3.17 to $ 12.00 per share, (ii) grants to certain of our employees, consultants and other service providers of restricted stock awards for an aggregate of 897,284 shares of common stock, and (iii) issuances to certain of our employees, consultants and other service providers of an aggregate of 160,740 shares of common stock upon the exercise of options at exercise prices ranging from $1.07 to $ 2.46 per share, for a weighted-average exercise price of $ 2.23.

None of the foregoing transactions involved any underwriters, underwriting discounts or commissions, or any public offering. We believe the offers, sales and issuances of the above securities were exempt from registration under the Securities Act by virtue of Section 4(a)(2) of the Securities Act (or Regulation D or Regulation S promulgated thereunder) because the issuance of securities to the recipients did not involve a public offering, or in reliance on Rule 701 because the transactions were pursuant to compensatory benefit plans or contracts relating to compensation as provided under such rule. The recipients of the securities in each of these transactions represented their intentions to acquire the securities for investment only and not with a view to or for sale in connection with any distribution thereof, and appropriate legends were placed upon the stock certificates issued in these transactions. All recipients had adequate access, through their relationships with us, to information about us. The sales of these securities were made without any general solicitation or advertising.

46


 

Use of Proceeds from Initial Public Offering of Common stock

On November 16, 2017, the Registration Statement on Form S-1 (File No. 333-221036) relating to our initial public offering was declared effective by the SEC and we priced our initial public offering. Pursuant to the Registration Statement, we registered an aggregate of 23,000,000 shares of our common stock, of which 15,800,000 shares were sold by us and 7,200,000 shares were sold by certain selling stockholders named therein at a price to the public of $12.00 per share (for an aggregate offering price of $276.0 million). We received net proceeds of approximately $172.0 million, after deducting underwriting discounts and commissions of approximately $13.3 million and offering-related expenses of $4.4 million. No payments were made to our directors or officers or their associates, holders of 10% or more of any class of our equity securities or any affiliates. Morgan Stanley & Co. LLC, Citigroup Global Markets Inc., Jefferies LLC and RBC Capital Markets, LLC acted as book-running managers and KeyBanc Capital Markets Inc., Canaccord Genuity Inc. and Oppenheimer & Co. Inc. acted as co-managers (collectively, the “Underwriters”) for our initial public offering.

Our initial public offering closed in November 2017. There has been no material change in the planned use of proceeds from our initial public offering as described in our final prospectus dated November 16, 2017 and filed with the SEC on November 17, 2017 pursuant to Rule 424(b) of the Securities Act.  As of December 31, 2017, we have used $90.0 million of the proceeds from our initial public offering to repay borrowings under our term loan facility and approximately $1.4 million of such proceeds to pay a related prepayment premium. As of December 31, 2017, all of the remaining net proceeds are held in cash and have not been deployed.

 

 

47


 

Item 6: Selected Financial Data

 

The following selected historical financial data has been derived from, and should be read in conjunction with, the audited Consolidated Financial Statements and the Notes to Consolidated Financial Statements and “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations” included elsewhere in this

Annual Report on Form 10-K. Our selected consolidated financial data may not be indicative of our future financial condition or results of operations (in thousands, except per share amounts).

 

Consolidated Statements of Operations Data:

 

 

 

Year Ended December 31,

 

 

 

2017

 

 

2016

 

 

2015

 

 

 

(In thousands, except share and per share data)

 

Revenue:

 

 

 

 

 

 

 

 

 

 

 

 

Licenses

 

$

79,209

 

 

$

54,395

 

 

$

44,124

 

Subscription

 

 

71,007

 

 

 

49,364

 

 

 

29,930

 

Services and other

 

 

35,840

 

 

 

28,653

 

 

 

21,302

 

Total revenue

 

 

186,056

 

 

 

132,412

 

 

 

95,356

 

Cost of revenue:

 

 

 

 

 

 

 

 

 

 

 

 

Licenses

 

 

4,561

 

 

 

4,278

 

 

 

4,293

 

Subscription (1)

 

 

16,406

 

 

 

13,051

 

 

 

9,815

 

Services and other (1)

 

 

23,623

 

 

 

19,709

 

 

 

15,151

 

Total cost of revenue

 

 

44,590

 

 

 

37,038

 

 

 

29,259

 

Gross profit

 

 

141,466

 

 

 

95,374

 

 

 

66,097

 

Operating expenses:

 

 

 

 

 

 

 

 

 

 

 

 

Research and development (1)

 

 

33,331

 

 

 

24,358

 

 

 

19,965

 

General and administrative (1)

 

 

17,678

 

 

 

9,680

 

 

 

7,474

 

Sales and marketing (1)

 

 

80,514

 

 

 

58,607

 

 

 

46,831

 

Total operating expenses

 

 

131,523

 

 

 

92,645

 

 

 

74,270

 

Income (loss) from operations

 

 

9,943

 

 

 

2,729

 

 

 

(8,173

)

Other expense, net:

 

 

 

 

 

 

 

 

 

 

 

 

Interest expense, net

 

 

(14,783

)

 

 

(7,277

)

 

 

(3,883

)

Other, net

 

 

(459

)

 

 

(610

)

 

 

(1,365

)

Total other expense, net

 

 

(15,242

)

 

 

(7,887

)

 

 

(5,248

)

Loss before income taxes

 

 

(5,299

)

 

 

(5,158

)

 

 

(13,421

)

Income tax (expense) benefit

 

 

(2,293

)

 

 

1,985

 

 

 

2,614

 

Net loss

 

$

(7,592

)

 

$

(3,173

)

 

$

(10,807

)

Net loss available to common shareholders

 

$

(28,721

)

 

$

(26,791

)

 

$

(32,404

)

Net loss per share

 

 

 

 

 

 

 

 

 

 

 

 

Basic:

 

$

(0.55

)

 

$

(0.58

)

 

$

(0.74

)

Diluted:

 

$

(0.55

)

 

$

(0.58

)

 

$

(0.74

)

Weighted-average shares of common stock used in

   computing net loss per share attributable to

   common stockholders

 

 

 

 

 

 

 

 

 

 

 

 

Basic:

 

 

52,339,804

 

 

 

45,933,218

 

 

 

43,929,159

 

Diluted:

 

 

52,339,804

 

 

 

45,933,218

 

 

 

43,929,159

 

 

 

48


 

(1)

Includes stock-based compensation expense as follows:

 

 

 

Year Ended December 31,

 

 

 

2017

 

 

2016

 

 

2015

 

 

 

(In thousands)

 

Cost of revenue - subscription

 

$

133

 

 

$

34

 

 

$

12

 

Cost of revenue - services and other

 

 

458

 

 

 

63

 

 

 

20

 

Research and development

 

 

658

 

 

 

118

 

 

 

62

 

General and administrative

 

 

2,062

 

 

 

96

 

 

 

28

 

Sales and marketing

 

 

1,203

 

 

 

257

 

 

 

124

 

Total stock-based compensation

 

$

4,514

 

 

$

568

 

 

$

246

 

Consolidated Balance Sheet data:

 

 

 

As of December 31,

 

 

 

2017

 

 

2016

 

 

2015

 

 

 

(In thousands)

 

Cash and cash equivalents

 

$

116,049

 

 

$

18,214

 

 

$

14,896

 

Working capital, excluding deferred revenue (1)

 

$

172,492

 

 

$

60,047

 

 

$

27,982

 

Total assets

 

$

506,433

 

 

$

387,410

 

 

$

371,504

 

Deferred revenue, current and non-current portion

 

$

83,125

 

 

$

55,104

 

 

$

34,888

 

Long-term debt

 

$

68,329

 

 

$

107,344

 

 

$

99,770

 

Total liabilities

 

$

178,036

 

 

$

177,307

 

 

$

160,465

 

Redeemable convertible preferred stock

 

$

 

 

$

223,987

 

 

$

222,898

 

Total stockholders' equity (deficit)

 

$

328,397

 

 

$

(13,884

)

 

$

(11,859

)

 

(1)

We define working capital as current assets less current liabilities, excluding deferred revenue.

 

49


 

Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations.

You should read the following discussion and analysis of our financial condition and results of operations together with the section titled “Selected Consolidated Financial and Other Data” and the consolidated financial statements and related notes that are included elsewhere in this Annual Report on Form 10-K. This discussion contains forward-looking statements that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including, but not limited to, those set forth in the section titled “Risk Factors” and in other parts of this Annual Report on Form 10-K. Our historical results are not necessarily indicative of the results that may be expected for any period in the future, and our interim results are not necessarily indicative of the results we expect for the full fiscal year or any other period.

Overview

SailPoint is the leading provider of enterprise identity governance solutions. Our open identity platform provides organizations with critical visibility into who currently has access to which resources, who should have access to those resources, and how that access is being used.

We offer both on-premises software and cloud-based solutions, which empower our customers to efficiently and securely govern the digital identities of employees, contractors, business partners and other users, and manage their constantly changing access rights to enterprise applications and data across hybrid IT environments, whether comprised of on-premises, cloud or mobile applications. We help customers enable their businesses with more agile and innovative IT, enhance their security posture and better meet compliance and regulatory requirements. We believe that our open identity platform is a critical, foundational layer of a modern cyber security strategy that complements and builds upon traditional perimeter- and endpoint-centric security solutions, which on their own are increasingly insufficient to secure organizations, and their applications and data. Our customers include many of the world’s largest and most complex organizations, including commercial enterprises, educational institutions and governments.

We were founded by identity industry veterans to develop a new category of identity management solutions and address emerging identity governance challenges. Since our inception, we have focused on driving innovation in the identity market, with our key milestones including:

 

in 2007, we pioneered identity governance through our release of IdentityIQ, our on-premises identity governance solution;

 

in 2010, we revolutionized provisioning by integrating it with IdentityIQ into a single solution;

 

in 2013, we introduced our cloud-based identity governance solution, IdentityNow;

 

in 2015, we extended identity governance by adding our identity governance for data stored in files solution, SecurityIQ, which manages user access to unstructured data, a rapidly growing area of risk; and

 

in 2017, we further extended identity governance with the introduction of our advanced identity analytics solution, IdentityAI, which is designed to use machine learning technologies to enable rapid detection of security threats before they turn into security breaches.

Our solutions address the complex needs of global enterprises and mid-market organizations. As of December 31, 2017, 933 customers across a wide variety of industries were using our products to enable and secure digital identities across the globe. No single customer represented more than 10% of our revenue for the years ended December 31, 2017, 2016 or 2015.

Our revenue grew at a compound annual growth rate of approximately 36% from the year ended December 31, 2012 to the year ended December 31, 2017. For the years ended December 31, 2017, 2016 and 2015, our revenue was $186.1 million, $132.4 million, and $95.4 million, respectively. During such periods, purchase accounting adjustments related to the Acquisition reduced our revenue by $0.1 million, $1.4 million and $5.6 million, respectively. For the years ended December 31, 2017, 2016 and 2015, our net loss was $7.6 million, $3.2 million, and $10.8 million, respectively. For the years ended December 31, 2017, 2016 and 2015, our net cash provided by operations was $21.9 million, $6.5 million, and $3.6 million, respectively.

50


 

Our success is principally dependent on our ability to deliver compelling solutions to attract new customers and retain existing customers. Delivering these solutions is challenging because our customers have large, complex IT environments, often rely on both legacy and innovative technologies, and deploy different business models, including on premise and cloud solutions. Rising security threats and evolving regulations and compliance standards for cyber security, data protection, privacy and internal IT controls create new opportunities for our industry and require us to adapt our solutions to be successful. Our ability to continue to maintain our historical growth rates is also challenging because our growth strategy depends in part on our ability to expand our global presence and invest in new vertical markets, while competing against much larger companies with more recognizable brands and financial resources. Although we seek to grow rapidly, we also focus on delivering positive net cash from operations while continuing to invest in our platform and to deliver innovative solutions to our customers. Additionally, our gross margins vary depending on the type of solution we sell, and a shift in the mix of our solutions could affect our performance relative to historical results.

Our Business Model

We deliver an integrated set of solutions that supports all aspects of identity governance, including provisioning, access request, compliance controls, password management and identity governance for data stored in files. Our solutions are built on an open identity platform, which offers connectivity to a variety of security and operational IT applications, extending the reach of our identity governance processes and enabling effective identity governance controls across customer environments.

Our set of solutions currently consists of (i) IdentityIQ, our on-premises identity governance solution, (ii) IdentityNow, our cloud-based, multi-tenant governance suite, which is delivered as a subscription service, and (iii) SecurityIQ, our on-premises identity governance for files solution that secures access to data stored in file servers, collaboration portals, mailboxes and cloud storage systems, and (iv) IdentityAI, our cloud-based advanced identity analytics solution. See in Part I – Item 1, the section titled “Business—Products” for more information regarding our solutions.

For our IdentityIQ and SecurityIQ solutions, our customers typically purchase a perpetual software license, which includes one year of maintenance. Our maintenance provides software maintenance as well as access to our technical support services during the maintenance term. After the initial maintenance period, customers with perpetual licenses may renew their maintenance agreement for an additional fee. For our cloud-based solutions, IdentityNow and IdentityAI, for a subscription fee, we offer customers access to this solution and infrastructure support for the duration of their subscription agreement. Our standard subscription agreement for our IdentityNow solution has a duration of three years.

Pricing for each of our solutions is dependent on the number of digital identities of employees, contractors, business partners and other users that the customer is entitled to govern with the solution. We also package and price our IdentityIQ and IdentityNow solutions into modules. Each module has unique functionalities, and our IdentityIQ and IdentityNow customers are able to purchase one or more modules, depending on their needs. We package and price SecurityIQ, our identity governance for files solution, by target storage systems. Thus, our revenue from any customer is generally determined by the number of identities that the customer is entitled to govern as well as the number of modules (for our IdentityIQ and IdentityNow solutions) or target storage systems (for our SecurityIQ solution) purchased by the customer.

Our go-to-market strategy consists of both direct sales and indirect sales through our partnership network of systems integrators, value-added resellers and adjacent technology vendors. We work closely with systems integrators, many of whom have dedicated SailPoint practices (including Accenture, Deloitte, KPMG and PwC), with some dating back more than seven years, and resellers (including value-added resellers such as Optiv) to identify potential sales opportunities and help us increase our reach, and we frequently cooperate with systems integrators to make joint sales proposals to address our mutual customers’ requirements. We also collaborate with leading access management vendors by adding our identity governance capabilities to their access management services (e.g., Microsoft, Okta and VMware). We do not have any material payment obligations to systems integrators, resellers or our technology partners; nor do they have any material payment obligations to us, except that resellers typically purchase solutions directly from us and resell to customers. See the section titled “Business—Partnerships and Strategic Relationships” for more information regarding our partnership network.

51


 

In addition to our solutions, we offer professional services to our customers and partners to configure and optimize the use of our solutions as well as training services related to the configuration and operation of our platform. Most of our professional services activity is in support of our partners, who perform a significant majority of all initial and follow-on implementation work for our customers. Most of our consulting services are priced on a time and materials basis; our training services are provided through multiple pricing models, including on a per-person basis (for courses provided at our headquarters and on-site at our customers’ offices) and a flat-rate basis (for our e-learning course).

We devote significant resources to acquire new customers, in both existing and new markets, in order to grow our customer base. In addition, we focus on three distinct opportunities to increase sales to existing customers: (i) expand the number of digital identities; (ii) up-sell additional modules or target storage systems, as applicable, within a single solution; and (iii) cross-sell additional solutions.

Key Factors Affecting Our Performance

Our historical financial performance has been, and we expect our financial performance in the future to be, driven by our ability to:

 

Add New Customers Within Existing Markets. Based on data from S&P Global Market Intelligence, we believe that we have penetrated less than 2% of the approximately 65,000 companies in the countries where we have customers today and that as a result, there is significant opportunity to expand our footprint in our existing markets through new, greenfield installations and displacement of our competitors’ legacy solutions. To do so, we plan to grow our sales organization, increase and leverage our indirect channel partners and enhance our marketing efforts.

 

Generate Additional Sales to Existing Customers. We believe that our existing customer base provides us with a significant opportunity to drive incremental sales. In most cases, our customers initially purchase a subset of the modules or solutions we offer based on their immediate need. We focus on generating more revenue from the modules that our customers have already purchased from us as our customers grow the number of identities our solutions manage and govern and as our customers deploy our solutions across other business units or geographies within their organizations. Over time, we also identify up-selling and cross-selling opportunities and seek to sell additional modules and solutions to our existing customers.

 

Retain Customers. We believe that our ability to retain our customers is an important component of our growth strategy and reflects the long-term value of our customer relationships. For example, when we add a new customer, we generate new license revenue. If the customer renews, we generate incremental maintenance revenue. As we add new IdentityIQ customers, our high renewal rates result in incremental maintenance revenue. Our key strategies to maintain our high renewal rates include focusing on the quality and reliability of our solutions, customer service and support to ensure our customers receive value from our solutions, providing consistent software upgrades and having dedicated customer success teams.

 

Expand into New Markets. We expect to continue to invest significantly in sales, marketing and customer service, as well as our indirect channel partner network, to expand into new geographies and vertical markets. We believe that our market opportunity is large and growing and that the global cyber security market represents a significant growth opportunity for us. In 2017, we generated only 28% of our revenue outside of the United States.

 

52


 

Key Business Metrics

In addition to our GAAP financial information, we monitor the following key metrics to help us measure and evaluate the effectiveness of our operations:

 

 

 

Year Ended December 31,

 

 

 

2017

 

 

2016

 

 

2015

 

Number of customers

 

 

933

 

 

 

695

 

 

 

520

 

Subscription revenue as a percentage of total revenue

 

 

38

%

 

 

37

%

 

 

32

%

Adjusted EBITDA (in thousands)

 

$

25,501

 

 

$

15,135

 

 

$

7,464

 

 

 

Number of Customers. We believe that the size of our customer base is an indicator of our market penetration and that our net customer additions are an indicator of the growth of our business and our future revenue opportunity. We define a customer as a distinct entity, division or business unit of an organization that receives support or has the right to use our cloud-based solutions as of the specified measurement date.

 

Subscription Revenue as a Percentage of Total Revenue. Subscription revenue is a portion of our total revenue and is derived from (i) IdentityNow, our cloud-based solution where customers enter into SaaS subscription agreements with us, and (ii) IdentityIQ and SecurityIQ maintenance and support agreements, but not licenses. As we generally sell our solutions on a per-identity basis, our subscription revenue for any customer is primarily determined by the number of identities that the customer is entitled to govern as part of a SaaS subscription, and the ongoing price paid per-identity under a maintenance and support agreement or SaaS subscription. Thus, we consider our subscription revenue to be the recurring portion of our revenue base and believe that its continued growth as a percentage of total revenue will lead to a more predictable revenue model and increase our visibility to future period total revenues. Because we recognize our subscription revenue ratably over the duration of those agreements, a portion of the revenue we recognize each period is derived from agreements we entered into in prior periods. In contrast, we typically recognize license revenue upon entering into the applicable license, the timing of which is less predictable and may cause significant fluctuations in our quarterly financial results.

 

Adjusted EBITDA. We believe that adjusted EBITDA is a measure widely used by securities analysts and investors to evaluate the financial performance of our company and other companies. We believe that adjusted EBITDA is an important measure for evaluating our performance because it facilitates comparisons of our core operating results from period to period by removing the impact of our capital structure (net interest income or expense from our outstanding debt), asset base (depreciation and amortization), tax consequences, purchase accounting adjustments, acquisition and sponsor related costs and stock-based compensation. In addition, we base certain of our forward-looking estimates and budgets on adjusted EBITDA. See the section titled “Non-GAAP Financial Measures” for more information regarding adjusted EBITDA, including the limitations of using adjusted EBITDA as a financial measure, and for a reconciliation of adjusted EBITDA to net loss, the most directly comparable financial measure calculated in accordance with GAAP.

Non-GAAP Financial Measures

In addition to our financial information presented in accordance with GAAP, we use certain non-GAAP financial measures to clarify and enhance our understanding of past performance and future prospects. Generally, a non-GAAP financial measure is a numerical measure of a company’s operating performance, financial position or cash flow that includes or excludes amounts that are included or excluded from the most directly comparable measure calculated and presented in accordance with GAAP. As discussed below, we monitor the non-GAAP financial measures described below, and we believe they are helpful to investors.

53


 

Our non-GAAP financial measures may not provide information that is directly comparable to that provided by other companies in our industry because they may calculate non-GAAP financial results differently. In addition, there are limitations in using non-GAAP financial measures because they are not prepared in accordance with GAAP and exclude expenses that may have a material impact on our reported financial results. In particular, interest expense, which is excluded from adjusted EBITDA has been and will continue to be a significant recurring expense in our business for the foreseeable future. The presentation of non-GAAP financial information is not meant to be considered in isolation or as a substitute for the directly comparable financial measures prepared in accordance with GAAP. We urge you to review the reconciliations of our non-GAAP financial measures to the comparable GAAP financial measures included below, and not to rely on any single financial measure to evaluate our business.

We exclude stock-based compensation expense because it is non-cash in nature and excluding this expense provides meaningful supplemental information regarding our operational performance and allows investors the ability to make more meaningful comparisons between our operating results and those of other companies. We also exclude amortization of acquired intangible assets, acquisition-related costs, the partial release of the valuation allowance due to acquisition, facility exit costs, and make adjustments related to a financing lease obligation from our non-GAAP financial measures because these are considered by management to be outside of our core operating results. Accordingly, we believe that excluding these expenses provides investors and management with greater visibility to the underlying performance of our business operations and may also facilitate comparison with the results of other companies in our industry.

Adjusted EBITDA

Adjusted EBITDA is a non-GAAP financial measure that we calculate as net income (loss) adjusted to exclude income taxes, interest expense, net, depreciation and amortization, purchase accounting adjustments, acquisition and sponsor related costs and stock-based compensation expense.

We believe that adjusted EBITDA is a measure widely used by securities analysts and investors to evaluate the financial performance of our company and other companies. We believe that adjusted EBITDA is an important measure for evaluating our performance because it facilitates comparisons of our core operating results from period to period by removing the impact of our capital structure (net interest income or expense from our outstanding debt), asset base (depreciation and amortization), tax consequences, purchase accounting adjustments, acquisition and sponsor related costs and stock-based compensation. In addition, we base certain of our forward-looking estimates and budgets on adjusted EBITDA.

 

The following table reflects the reconciliation of GAAP to non-GAAP financial measures for the years ended December 31, 2017, 2016 and 2015:

 

 

 

Year Ended December 31,

 

 

 

2017

 

 

2016

 

 

2015

 

 

 

(In thousands)

 

Net loss

 

$

(7,592

)

 

$

(3,173

)

 

 

(10,807

)

Stock-based compensation

 

 

4,514

 

 

 

568

 

 

 

246

 

Amortization

 

 

8,841

 

 

 

9,092

 

 

 

9,099

 

Depreciation

 

 

1,379

 

 

 

890

 

 

 

521

 

Purchase price accounting adjustment (1)

 

 

141

 

 

 

1,373

 

 

 

5,618

 

Acquisition and sponsor related costs

 

 

1,142

 

 

 

1,093

 

 

 

1,518

 

Interest expense

 

 

14,783

 

 

 

7,277

 

 

 

3,883

 

Income tax expense (benefit)

 

 

2,293

 

 

 

(1,985

)

 

 

(2,614

)

Adjusted EBITDA

 

$

25,501

 

 

$

15,135

 

 

$

7,464

 

54


 

The following table reflects the reconciliation of GAAP to Non-GAAP Financial Measures for our unaudited quarterly consolidated statements of operations data for each of the quarters indicated:

 

 

 

Three Months Ended

 

 

 

12/31/2017

 

 

9/30/2017

 

 

6/30/2017

 

 

3/31/2017

 

 

12/31/2016

 

 

9/30/2016

 

 

6/30/2016

 

 

3/31/2016

 

 

 

(In thousands)

 

Net income (loss)

 

$

5,382

 

 

$

(6,387

)

 

$

(4,304

)

 

$

(2,283

)

 

$

3,306

 

 

$

(2,247

)

 

$

(2,118

)

 

$

(2,114

)

Stock-based compensation

 

 

3,970

 

 

 

201

 

 

 

185

 

 

 

158

 

 

 

238

 

 

 

116

 

 

 

109

 

 

 

105

 

Amortization

 

 

2,206

 

 

 

2,207

 

 

 

2,207

 

 

 

2,211

 

 

 

2,229

 

 

 

2,130

 

 

 

2,258

 

 

 

2,475

 

Depreciation

 

 

444

 

 

 

385

 

 

 

295

 

 

 

265

 

 

 

243

 

 

 

227

 

 

 

213

 

 

 

207

 

Purchase price accounting adjustment (1)

 

 

15

 

 

 

16

 

 

 

55