false 2019 FY 0001627857 --12-31 Large Accelerated Filer 0.005 0.005 2024-03-31 P4Y P5Y P5Y P15Y P8Y10M24D P17Y P1Y6M P4Y9M18D P6Y3M P6Y3M P6Y3M P5M1D 0.388 0.400 0.409 0.409 0.460 0.460 0.490 0.490 0.0139 0.0263 0.0196 0.0196 0.0259 0.0297 0.0218 0.0218 P5Y6M P6Y3M14D 0.398 0.40 0.481 0.46 0.0162 0.0200 0.0244 0.0256 P6M P6M P8Y10M24D P8Y9M18D P8Y9M18D P7Y10M24D P8Y9M18D P8Y P8Y P7Y4M24D P8Y P7Y8M12D P7Y8M12D P6Y4M24D P8Y10M24D P8Y6M P0Y P0Y P9Y10M24D P9Y10M24D P9Y10M24D P1Y9M18D P1Y9M18D P1Y9M18D P1Y7M6D P1Y7M6D 0001627857 2019-01-01 2019-12-31 xbrli:shares 0001627857 2020-02-17 iso4217:USD 0001627857 2019-06-28 0001627857 2019-12-31 0001627857 2018-12-31 iso4217:USD xbrli:shares 0001627857 us-gaap:LicenseMember 2019-01-01 2019-12-31 0001627857 us-gaap:LicenseMember 2018-01-01 2018-12-31 0001627857 us-gaap:LicenseMember 2017-01-01 2017-12-31 0001627857 us-gaap:MaintenanceMember 2019-01-01 2019-12-31 0001627857 us-gaap:MaintenanceMember 2018-01-01 2018-12-31 0001627857 us-gaap:MaintenanceMember 2017-01-01 2017-12-31 0001627857 us-gaap:TechnologyServiceMember 2019-01-01 2019-12-31 0001627857 us-gaap:TechnologyServiceMember 2018-01-01 2018-12-31 0001627857 us-gaap:TechnologyServiceMember 2017-01-01 2017-12-31 0001627857 2018-01-01 2018-12-31 0001627857 2017-01-01 2017-12-31 0001627857 us-gaap:RedeemableConvertiblePreferredStockMember 2016-12-31 0001627857 us-gaap:CommonStockMember 2016-12-31 0001627857 us-gaap:AdditionalPaidInCapitalMember 2016-12-31 0001627857 us-gaap:RetainedEarningsMember 2016-12-31 0001627857 2016-12-31 0001627857 us-gaap:CommonStockMember 2017-01-01 2017-12-31 0001627857 us-gaap:AdditionalPaidInCapitalMember 2017-01-01 2017-12-31 0001627857 us-gaap:RedeemableConvertiblePreferredStockMember 2017-01-01 2017-12-31 0001627857 us-gaap:TreasuryStockMember 2017-01-01 2017-12-31 0001627857 us-gaap:RetainedEarningsMember 2017-01-01 2017-12-31 0001627857 us-gaap:CommonStockMember 2017-12-31 0001627857 us-gaap:AdditionalPaidInCapitalMember 2017-12-31 0001627857 us-gaap:RetainedEarningsMember 2017-12-31 0001627857 2017-12-31 0001627857 us-gaap:AccountingStandardsUpdate201409Member us-gaap:RetainedEarningsMember 2018-12-31 0001627857 us-gaap:AccountingStandardsUpdate201409Member 2018-12-31 0001627857 us-gaap:CommonStockMember 2018-01-01 2018-12-31 0001627857 us-gaap:AdditionalPaidInCapitalMember 2018-01-01 2018-12-31 0001627857 us-gaap:RetainedEarningsMember 2018-01-01 2018-12-31 0001627857 us-gaap:CommonStockMember 2018-12-31 0001627857 us-gaap:AdditionalPaidInCapitalMember 2018-12-31 0001627857 us-gaap:RetainedEarningsMember 2018-12-31 0001627857 us-gaap:CommonStockMember 2019-01-01 2019-12-31 0001627857 us-gaap:AdditionalPaidInCapitalMember 2019-01-01 2019-12-31 0001627857 us-gaap:RetainedEarningsMember 2019-01-01 2019-12-31 0001627857 us-gaap:CommonStockMember 2019-12-31 0001627857 us-gaap:AdditionalPaidInCapitalMember 2019-12-31 0001627857 us-gaap:RetainedEarningsMember 2019-12-31 0001627857 us-gaap:ConvertibleDebtMember 2019-01-01 2019-12-31 0001627857 sail:OrkusMember 2019-01-01 2019-12-31 0001627857 sail:OverwatchIDMember 2019-01-01 2019-12-31 0001627857 sail:TimeBasedMember 2019-01-01 2019-12-31 0001627857 us-gaap:PerformanceSharesMember 2019-01-01 2019-12-31 sail:Segment 0001627857 us-gaap:FinancialStandbyLetterOfCreditMember 2019-12-31 xbrli:pure 0001627857 us-gaap:CreditConcentrationRiskMember us-gaap:AccountsReceivableMember 2018-01-01 2018-12-31 0001627857 us-gaap:CreditConcentrationRiskMember us-gaap:SalesRevenueNetMember 2019-01-01 2019-12-31 0001627857 us-gaap:CreditConcentrationRiskMember us-gaap:SalesRevenueNetMember 2018-01-01 2018-12-31 0001627857 us-gaap:CreditConcentrationRiskMember us-gaap:SalesRevenueNetMember 2017-01-01 2017-12-31 0001627857 us-gaap:CreditConcentrationRiskMember us-gaap:NetAssetsGeographicAreaMember 2019-01-01 2019-12-31 0001627857 us-gaap:CreditConcentrationRiskMember us-gaap:NetAssetsGeographicAreaMember 2018-01-01 2018-12-31 0001627857 us-gaap:CreditConcentrationRiskMember us-gaap:NetAssetsGeographicAreaMember 2017-01-01 2017-12-31 0001627857 srt:MinimumMember 2019-01-01 2019-12-31 0001627857 srt:MaximumMember 2019-01-01 2019-12-31 0001627857 us-gaap:PropertyPlantAndEquipmentMember 2019-01-01 2019-12-31 0001627857 us-gaap:PropertyPlantAndEquipmentMember 2018-01-01 2018-12-31 0001627857 us-gaap:PropertyPlantAndEquipmentMember 2017-01-01 2017-12-31 0001627857 srt:MinimumMember us-gaap:EmployeeStockMember 2019-12-31 0001627857 srt:MaximumMember us-gaap:EmployeeStockMember 2019-12-31 0001627857 us-gaap:EmployeeStockMember 2019-01-01 2019-12-31 0001627857 us-gaap:AccountingStandardsUpdate201602Member 2019-01-01 2019-01-01 0001627857 us-gaap:TransferredAtPointInTimeMember us-gaap:LicenseMember 2019-01-01 2019-12-31 0001627857 us-gaap:TransferredAtPointInTimeMember us-gaap:LicenseMember 2018-01-01 2018-12-31 0001627857 us-gaap:TransferredOverTimeMember us-gaap:MaintenanceMember 2019-01-01 2019-12-31 0001627857 us-gaap:TransferredOverTimeMember us-gaap:TechnologyServiceMember 2019-01-01 2019-12-31 0001627857 us-gaap:TransferredOverTimeMember us-gaap:MaintenanceMember 2018-01-01 2018-12-31 0001627857 us-gaap:TransferredOverTimeMember us-gaap:TechnologyServiceMember 2018-01-01 2018-12-31 0001627857 2020-01-01 2019-12-31 0001627857 us-gaap:FairValueMeasurementsRecurringMember 2018-12-31 0001627857 us-gaap:MoneyMarketFundsMember us-gaap:FairValueInputsLevel1Member 2019-12-31 0001627857 us-gaap:MoneyMarketFundsMember 2019-12-31 0001627857 us-gaap:FairValueInputsLevel1Member 2019-12-31 0001627857 sail:OrkusMember 2019-10-15 2019-10-15 0001627857 sail:OrkusMember 2019-10-15 0001627857 sail:OrkusMember us-gaap:OtherCurrentLiabilitiesMember 2019-12-31 0001627857 sail:OrkusMember us-gaap:OtherNoncurrentLiabilitiesMember 2019-12-31 0001627857 us-gaap:DevelopedTechnologyRightsMember sail:OrkusMember 2019-10-15 0001627857 us-gaap:DevelopedTechnologyRightsMember sail:OrkusMember 2019-10-15 2019-10-15 0001627857 sail:OverwatchIDMember 2019-10-15 2019-10-15 0001627857 sail:OverwatchIDMember 2019-10-15 0001627857 sail:OverwatchIDMember us-gaap:OtherCurrentLiabilitiesMember 2019-12-31 0001627857 sail:OverwatchIDMember us-gaap:OtherNoncurrentLiabilitiesMember 2019-12-31 0001627857 us-gaap:DevelopedTechnologyRightsMember sail:OverwatchIDMember 2019-10-15 0001627857 us-gaap:DevelopedTechnologyRightsMember sail:OverwatchIDMember 2019-10-15 2019-10-15 0001627857 us-gaap:CustomerListsMember 2019-01-01 2019-12-31 0001627857 us-gaap:DevelopedTechnologyRightsMember 2019-01-01 2019-12-31 0001627857 us-gaap:TrademarksAndTradeNamesMember 2019-01-01 2019-12-31 0001627857 us-gaap:OrderOrProductionBacklogMember 2018-01-01 2018-12-31 0001627857 us-gaap:OtherIntangibleAssetsMember 2019-01-01 2019-12-31 0001627857 us-gaap:CustomerListsMember 2019-12-31 0001627857 us-gaap:CustomerListsMember 2018-12-31 0001627857 us-gaap:DevelopedTechnologyRightsMember 2019-12-31 0001627857 us-gaap:DevelopedTechnologyRightsMember 2018-12-31 0001627857 us-gaap:TrademarksAndTradeNamesMember 2019-12-31 0001627857 us-gaap:TrademarksAndTradeNamesMember 2018-12-31 0001627857 us-gaap:OrderOrProductionBacklogMember 2018-12-31 0001627857 us-gaap:OtherIntangibleAssetsMember 2019-12-31 0001627857 us-gaap:OtherIntangibleAssetsMember 2018-12-31 0001627857 us-gaap:PatentedTechnologyMember 2018-12-01 2018-12-31 0001627857 us-gaap:ResearchAndDevelopmentExpenseMember 2019-01-01 2019-12-31 0001627857 us-gaap:ResearchAndDevelopmentExpenseMember 2018-01-01 2018-12-31 0001627857 us-gaap:ResearchAndDevelopmentExpenseMember 2017-01-01 2017-12-31 0001627857 us-gaap:SellingAndMarketingExpenseMember 2019-01-01 2019-12-31 0001627857 us-gaap:SellingAndMarketingExpenseMember 2018-01-01 2018-12-31 0001627857 us-gaap:SellingAndMarketingExpenseMember 2017-01-01 2017-12-31 0001627857 srt:MinimumMember 2019-12-31 0001627857 srt:MaximumMember 2019-12-31 0001627857 sail:TermLoanMember sail:PriorCreditAgreementMember 2016-08-31 0001627857 us-gaap:RevolvingCreditFacilityMember sail:PriorCreditAgreementMember 2016-08-31 0001627857 us-gaap:LondonInterbankOfferedRateLIBORMember sail:PriorCreditAgreementMember 2016-08-01 2016-08-31 0001627857 sail:TermLoanMember sail:PriorCreditAgreementMember 2019-01-01 2019-12-31 0001627857 sail:PriorCreditAgreementMember 2019-01-01 2019-12-31 0001627857 sail:TermLoanMember sail:PriorCreditAgreementMember 2017-01-01 2017-12-31 0001627857 sail:PriorCreditAgreementMember 2017-01-01 2017-12-31 0001627857 sail:TermLoanMember sail:PriorCreditAgreementMember 2018-01-01 2018-12-31 0001627857 sail:PriorCreditAgreementMember 2018-01-01 2018-12-31 0001627857 sail:PriorCreditAgreementMember 2017-12-31 0001627857 sail:PriorCreditAgreementMember sail:ModifiedPriorCreditAgreementMember 2017-12-31 0001627857 us-gaap:StandbyLettersOfCreditMember sail:PriorCreditAgreementMember 2017-10-05 0001627857 us-gaap:LetterOfCreditMember sail:PriorCreditAgreementMember 2018-12-31 0001627857 us-gaap:LetterOfCreditMember sail:NewCreditAgreementMember 2019-03-11 0001627857 us-gaap:LetterOfCreditMember sail:NewCreditAgreementMember 2019-12-31 0001627857 srt:MaximumMember sail:NewCreditAgreementMember 2019-12-31 0001627857 us-gaap:FederalFundsEffectiveSwapRateMember sail:NewCreditAgreementMember 2019-03-10 2019-03-11 0001627857 sail:NewCreditAgreementMember 2019-01-01 2019-12-31 0001627857 us-gaap:LondonInterbankOfferedRateLIBORMember sail:NewCreditAgreementMember 2019-03-10 2019-03-11 0001627857 sail:NewCreditAgreementMember srt:MinimumMember 2019-03-10 2019-03-11 0001627857 sail:NewCreditAgreementMember srt:MaximumMember 2019-03-10 2019-03-11 0001627857 us-gaap:LondonInterbankOfferedRateLIBORMember sail:NewCreditAgreementMember srt:MinimumMember 2019-03-10 2019-03-11 0001627857 us-gaap:LondonInterbankOfferedRateLIBORMember sail:NewCreditAgreementMember srt:MaximumMember 2019-03-10 2019-03-11 0001627857 us-gaap:RevolvingCreditFacilityMember sail:NewCreditAgreementMember 2019-12-31 0001627857 sail:NewCreditAgreementMember 2019-12-31 0001627857 sail:ConvertibleSeniorNotesDueTwoThousandTwentyFourMember 2019-09-30 0001627857 sail:ConvertibleSeniorNotesDueTwoThousandTwentyFourMember 2019-09-01 2019-09-30 0001627857 sail:ConvertibleSeniorNotesDueTwoThousandTwentyFourMember 2019-01-01 2019-12-31 0001627857 sail:ConvertibleSeniorNotesDueTwoThousandTwentyFourMember 2019-12-31 sail:Day 0001627857 sail:ConvertibleSeniorNotesDueTwoThousandTwentyFourMember us-gaap:CommonStockMember 2019-09-01 2019-09-30 0001627857 sail:ConvertibleSeniorNotesDueTwoThousandTwentyFourMember us-gaap:CommonStockMember 2019-09-30 0001627857 sail:LiabilityComponentMember sail:ConvertibleSeniorNotesDueTwoThousandTwentyFourMember 2019-09-30 0001627857 sail:EquityComponentMember sail:ConvertibleSeniorNotesDueTwoThousandTwentyFourMember 2019-09-30 0001627857 sail:CappedCallTransactionsMember 2019-09-30 0001627857 sail:CappedCallTransactionsMember 2019-09-01 2019-09-30 0001627857 sail:NonExecutiveEmployeesMember 2016-01-01 2016-12-31 0001627857 sail:NonExecutiveEmployeesMember 2018-01-01 2018-12-31 0001627857 sail:NonExecutiveEmployeesMember 2019-01-01 2019-12-31 0001627857 us-gaap:GeneralAndAdministrativeExpenseMember 2017-01-01 2017-12-31 0001627857 srt:AffiliatedEntityMember 2017-01-01 2017-12-31 0001627857 2017-11-30 0001627857 2017-10-31 2017-10-31 0001627857 2017-06-27 2017-06-27 0001627857 us-gaap:RedeemableConvertiblePreferredStockMember 2017-06-27 2017-06-27 0001627857 us-gaap:IPOMember us-gaap:RedeemableConvertiblePreferredStockMember 2017-11-16 0001627857 us-gaap:IPOMember us-gaap:RedeemableConvertiblePreferredStockMember 2017-11-16 2017-11-16 0001627857 us-gaap:IPOMember us-gaap:CommonStockMember 2017-11-17 2017-11-17 0001627857 us-gaap:TreasuryStockMember 2017-12-31 0001627857 sail:IncentiveStockOptionsAndNonqualifiedStockOptionsMember 2019-12-31 0001627857 us-gaap:RestrictedStockMember 2019-12-31 0001627857 sail:TwentyFifteenStockIncentivePlanMember 2019-12-31 0001627857 sail:IncentiveStockOptionsAndNonqualifiedStockOptionsMember srt:MaximumMember 2019-01-01 2019-12-31 0001627857 sail:IncentiveStockOptionsAndNonqualifiedStockOptionsMember 2019-01-01 2019-12-31 0001627857 sail:TwentyFifteenStockOptionAndGrantPlanMember 2019-12-31 0001627857 sail:TwentySeventeenLongTermIncentivePlanMember 2019-12-31 0001627857 sail:TwentySeventeenLongTermIncentivePlanMember 2019-01-01 2019-12-31 0001627857 sail:TimeBasedMember us-gaap:EmployeeStockOptionMember 2019-01-01 2019-12-31 0001627857 sail:TimeBasedMember us-gaap:EmployeeStockOptionMember 2018-01-01 2018-12-31 0001627857 sail:TimeBasedMember us-gaap:EmployeeStockOptionMember 2017-01-01 2017-12-31 0001627857 us-gaap:PerformanceSharesMember us-gaap:EmployeeStockOptionMember 2017-01-01 2017-12-31 0001627857 us-gaap:PerformanceSharesMember us-gaap:EmployeeStockOptionMember srt:MinimumMember 2017-01-01 2017-12-31 0001627857 us-gaap:PerformanceSharesMember us-gaap:EmployeeStockOptionMember srt:MaximumMember 2017-01-01 2017-12-31 0001627857 sail:TimeBasedMember us-gaap:EmployeeStockMember 2019-01-01 2019-12-31 0001627857 sail:TimeBasedMember us-gaap:EmployeeStockMember 2018-01-01 2018-12-31 0001627857 sail:TimeBasedMember us-gaap:EmployeeStockMember srt:MinimumMember 2019-01-01 2019-12-31 0001627857 sail:TimeBasedMember us-gaap:EmployeeStockMember srt:MaximumMember 2019-01-01 2019-12-31 0001627857 sail:TimeBasedMember 2016-12-31 0001627857 sail:TimeBasedMember 2017-01-01 2017-12-31 0001627857 sail:TimeBasedMember 2017-12-31 0001627857 sail:TimeBasedMember 2018-01-01 2018-12-31 0001627857 sail:TimeBasedMember 2018-12-31 0001627857 sail:TimeBasedMember 2019-12-31 0001627857 sail:TimeBasedMember 2016-01-01 2016-12-31 0001627857 us-gaap:PerformanceSharesMember 2016-12-31 0001627857 us-gaap:PerformanceSharesMember 2017-01-01 2017-12-31 0001627857 us-gaap:PerformanceSharesMember 2016-01-01 2016-12-31 0001627857 sail:IncentiveUnitPlanMember srt:ExecutiveOfficerMember us-gaap:ShareBasedCompensationAwardTrancheOneMember 2019-01-01 2019-12-31 0001627857 sail:IncentiveUnitPlanMember srt:ExecutiveOfficerMember us-gaap:ShareBasedCompensationAwardTrancheTwoMember 2019-01-01 2019-12-31 0001627857 sail:IncentiveUnitPlanMember srt:ExecutiveOfficerMember sail:FirstAnniversaryDateOfGrantMember 2019-01-01 2019-12-31 0001627857 sail:IncentiveUnitPlanMember 2017-01-01 2017-12-31 0001627857 sail:IncentiveUnitPlanMember 2019-01-01 2019-12-31 0001627857 sail:IncentiveUnitPlanMember 2018-01-01 2018-12-31 0001627857 sail:IncentiveUnitPlanMember 2018-12-31 0001627857 sail:IncentiveUnitPlanMember 2017-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2016-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2017-01-01 2017-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2017-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2018-01-01 2018-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2018-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2019-01-01 2019-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2019-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember sail:KeyExecutivesMember 2019-01-01 2019-12-31 0001627857 us-gaap:EmployeeStockMember 2019-12-31 0001627857 us-gaap:EmployeeStockMember 2018-01-01 2018-12-31 0001627857 us-gaap:EmployeeStockOptionMember 2019-01-01 2019-12-31 0001627857 us-gaap:EmployeeStockOptionMember 2018-01-01 2018-12-31 0001627857 us-gaap:EmployeeStockOptionMember 2017-01-01 2017-12-31 0001627857 us-gaap:RestrictedStockMember 2019-01-01 2019-12-31 0001627857 us-gaap:RestrictedStockMember 2018-01-01 2018-12-31 0001627857 us-gaap:RestrictedStockMember 2017-01-01 2017-12-31 0001627857 us-gaap:GeneralAndAdministrativeExpenseMember 2019-01-01 2019-12-31 0001627857 us-gaap:GeneralAndAdministrativeExpenseMember 2018-01-01 2018-12-31 0001627857 us-gaap:ComputerEquipmentMember 2019-12-31 0001627857 us-gaap:ComputerEquipmentMember 2018-12-31 0001627857 us-gaap:ConstructionInProgressMember 2018-12-31 0001627857 us-gaap:FurnitureAndFixturesMember 2019-12-31 0001627857 us-gaap:FurnitureAndFixturesMember 2018-12-31 0001627857 us-gaap:LeaseholdImprovementsMember 2019-12-31 0001627857 us-gaap:LeaseholdImprovementsMember 2018-12-31 0001627857 us-gaap:OtherCapitalizedPropertyPlantAndEquipmentMember 2019-12-31 0001627857 us-gaap:OtherCapitalizedPropertyPlantAndEquipmentMember 2018-12-31 0001627857 srt:MaximumMember 2017-01-01 2017-12-31 0001627857 us-gaap:CalculatedUnderRevenueGuidanceInEffectBeforeTopic606Member 2017-01-01 2017-12-31 0001627857 us-gaap:ForeignCountryMember 2019-12-31 0001627857 us-gaap:ForeignCountryMember 2018-12-31 0001627857 us-gaap:DomesticCountryMember 2019-12-31 0001627857 us-gaap:DomesticCountryMember 2018-12-31 0001627857 us-gaap:DomesticCountryMember 2019-01-01 2019-12-31 0001627857 sail:ForeignCountryAndStateAndLocalJurisdictionMember 2019-01-01 2019-12-31 0001627857 us-gaap:EmployeeStockOptionMember 2019-01-01 2019-12-31 0001627857 us-gaap:EmployeeStockOptionMember 2018-01-01 2018-12-31 0001627857 us-gaap:EmployeeStockOptionMember 2017-01-01 2017-12-31 0001627857 sail:NonVestedIncentiveUnitsMember 2017-01-01 2017-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2019-01-01 2019-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2018-01-01 2018-12-31 0001627857 us-gaap:RestrictedStockUnitsRSUMember 2017-01-01 2017-12-31 0001627857 country:US 2019-01-01 2019-12-31 0001627857 country:US 2018-01-01 2018-12-31 0001627857 country:US us-gaap:CalculatedUnderRevenueGuidanceInEffectBeforeTopic606Member 2017-01-01 2017-12-31 0001627857 us-gaap:EMEAMember 2019-01-01 2019-12-31 0001627857 us-gaap:EMEAMember 2018-01-01 2018-12-31 0001627857 us-gaap:EMEAMember us-gaap:CalculatedUnderRevenueGuidanceInEffectBeforeTopic606Member 2017-01-01 2017-12-31 0001627857 sail:RestOfTheWorldMember 2019-01-01 2019-12-31 0001627857 sail:RestOfTheWorldMember 2018-01-01 2018-12-31 0001627857 sail:RestOfTheWorldMember us-gaap:CalculatedUnderRevenueGuidanceInEffectBeforeTopic606Member 2017-01-01 2017-12-31

Table of Contents

 

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

 

FORM 10-K

 

(Mark One)

 

ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

 

For the fiscal year ended December 31, 2019

 

OR

 

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

 

FOR THE TRANSITION PERIOD FROM                      TO

Commission File Number 001-38297

 

SailPoint Technologies Holdings, Inc.

(Exact name of Registrant as specified in its Charter)

 

 

Delaware

 

47-1628077

(State or other jurisdiction of

incorporation or organization)

 

(I.R.S. Employer

Identification No.)

 

 

 

11120 Four Points Drive, Suite 100,

Austin, TX

 

78726

(Address of principal executive offices)

 

(Zip Code)

Registrant’s telephone number, including area code: (512346-2000

 

Securities registered pursuant to Section 12(b) of the Act:

Title of each class

 

Trading

Symbol(s)

 

Name of each exchange on which registered

Common stock, par value $0.0001 per share

 

SAIL

 

New York Stock Exchange

Securities registered pursuant to Section 12(g) of the Act:  None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes     No  

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Act. Yes     No 

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes    No 

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the Registrant was required to submit such files). Yes     No 

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or emerging growth company. See the definition of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.

 

Large accelerated filer

  

Accelerated filer

 

 

 

 

 

Non-accelerated filer

 

  

Smaller reporting company

 

 

 

 

 

Emerging growth company

 

 

 

 

 

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.  

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes     No 

On June 28, 2019, the last business day of the Registrant’s most recently completed second fiscal quarter, the aggregate market value of the common stock, par value $0.0001 per share, held by non-affiliates of the Registrant was approximately $1.7 billion, based upon the closing price on the New York Stock Exchange on such date.

The registrant had 89,736,026 shares of common stock outstanding as of February 17, 2020.

DOCUMENTS INCORPORATED BY REFERENCE

Portions of the Registrant’s definitive proxy statement for its 2020 Annual Meeting of Stockholders (the “Proxy Statement”), to be filed within 120 days of the Registrant’s fiscal year ended December 31, 2019, are incorporated by reference in Part III of this Annual Report on Form 10-K (this “Form 10-K”). Except with respect to information specifically incorporated by reference in this Form 10-K, the Proxy Statement is not deemed to be filed as part of this Form 10-K.

 

 

 

 


Table of Contents

Table of Contents

 

 

 

Page

PART I

 

Item 1.

Business

2

Item 1A.

Risk Factors

12

Item 1B.

Unresolved Staff Comments

37

Item 2.

Properties

37

Item 3.

Legal Proceedings

37

Item 4.

Mine Safety Disclosures

37

 

 

 

PART II

 

Item 5.

Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

38

Item 6.

Selected Financial Data

40

Item 7.

Management’s Discussion and Analysis of Financial Condition and Results of Operations

42

Item 7A.

Quantitative and Qualitative Disclosures About Market Risk

60

Item 8.

Financial Statements and Supplementary Data

62

Item 9.

Changes in and Disagreements with Accountants on Accounting and Financial Disclosure

104

Item 9A.

Controls and Procedures

104

Item 9B.

Other Information

105

 

 

 

PART III

 

Item 10.

Directors, Executive Officers and Corporate Governance

106

Item 11.

Executive Compensation

106

Item 12.

Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters

106

Item 13.

Certain Relationships and Related Transactions, and Director Independence

106

Item 14.

Principal Accounting Fees and Services

106

 

 

 

PART IV

 

Item 15.

Exhibits, Financial Statement Schedules

107

Item 16.

Form 10-K Summary

112

 

Signatures

113

 

 

 

i


Table of Contents

 

SPECIAL NOTE ABOUT FORWARD-LOOKING STATEMENTS

This Annual Report on Form 10-K contains forward-looking statements within the meaning of the federal securities laws, which statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance. All statements of historical fact included in this Annual Report on Form 10-K regarding our strategy, future operations, financial position, estimated revenues and losses, projected costs, prospects, plans and objectives of management are forward-looking statements. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “potential” or “continue” or the negative of these words or other similar terms or expressions.

You should not rely upon forward-looking statements as predictions of future events or place undue reliance thereon. We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections, in light of currently available information, about future events and trends that we believe may affect our business, financial condition, results of operations and prospects. The outcome of the events described in these forward-looking statements is subject to risks, uncertainties and other factors described in the section titled “Risk Factors” and elsewhere in this Annual Report on Form 10-K. Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this Annual Report on Form 10-K. We cannot assure you that the results, events and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.

The forward-looking statements made in this Annual Report on Form 10-K relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this Annual Report on Form 10-K to reflect events or circumstances after the date of this Annual Report on Form 10-K or to reflect new information or the occurrence of unanticipated events, except as required by law. Our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures or investments we may make.

 

1


Table of Contents

 

PART I

ITEM 1. BUSINESS

Our Vision

Our fundamental belief is that identity is power. Our mission is to enable enterprises to grow and innovate, securely and efficiently. To do so, we have created our open identity platform that empowers users and governs their access to applications and data across complex, hybrid information technology (“IT”) environments.

Overview

SailPoint Technologies Holdings, Inc. (“SailPoint,” “the Company” or “we”) is the leading provider of enterprise identity governance solutions. Our team of visionary industry veterans launched SailPoint to empower our customers to efficiently and securely govern the digital identities of employees, contractors, business partners, software bots and other human and non-human users, and manage their constantly changing access rights to enterprise applications and data. Our SailPoint Predictive Identity platform provides organizations with critical visibility into who currently has access to which resources, who should have access to those resources, and how that access is being used. We offer both software and software as a service (“SaaS”) solutions, which provide organizations with the intelligence required to empower users and govern their access to systems, applications and data across hybrid IT environments, spanning on-premises, cloud and mobile applications and file storage platforms. We help customers enable their businesses with more agile and innovative IT, streamline delivery of access to their businesses, enhance their security posture and better meet compliance and regulatory requirements. Our customers include many of the world’s largest and most complex organizations, including commercial enterprises, financial institutions and governments.

Organizations globally are investing in technologies such as cloud computing and mobility to improve employee productivity, business agility and competitiveness. Today, enterprise environments are more open and interconnected with their business partners, contractors, vendors and customers. Business users have driven a dramatic increase in the number of applications and amount of data that organizations need to manage, much of which sits beyond the traditional network perimeter. Because of these trends, the attack surface is expanding while well-funded cyber attackers have significantly increased the frequency and sophistication of their attacks. As a result, IT professionals need to manage and secure increasingly complex hybrid IT environments within these extended enterprises.

Attackers frequently target the identity vector as it allows them to leverage user identities to gain access to high-value systems and data while concealing their activity and movements within an organization’s IT infrastructure. The consequences of a data breach can be extremely damaging, with organizations facing significant costs to remediate the breach and repair brand and reputational damage. In addition, governments and regulatory bodies have increased efforts to protect users and their data with a new wave of regulatory and compliance measures that are further burdening organizations and levying severe penalties for non-compliance. As a result of these trends, enterprises are struggling to efficiently manage and secure their digital identities.

We believe that our SailPoint Predictive Identity platform is a critical, foundational layer of a modern cyber security strategy. Its open architecture allows it to complement and build upon traditional perimeter- and endpoint-centric security solutions, which on their own are increasingly insufficient to secure organizations, and their applications and data. We deliver a user-centric security platform that combines identity and data governance solutions to form a holistic view of the enterprise. In combination with our technology partners, we create identity awareness throughout our customers’ environments by providing valuable insights into, and incorporating information from, a broad range of enterprise software and security solutions. Our governance platform provides a system of record for digital identities across our customers’ IT environments while allowing them to remain agile and competitive. Our adaptable solutions integrate seamlessly into existing technology stacks, allowing organizations to maximize the value of their technology investments. Our professionals work closely with customers throughout the implementation lifecycle, from documentation to development to integration.

Our solutions address the complex needs of global enterprises and mid-market organizations. Our go-to-market strategy consists of both direct sales and indirect sales through resellers, such as Optiv, and system integrators. Our mature system integrator channel includes global consultants such as Accenture, Deloitte, Ernst & Young (“EY”), KPMG and PricewaterhouseCoopers (“PwC”), all of whom have dedicated SailPoint practices, with some dating back more than nine years. As of December 31, 2019, 1,469 customers across a wide variety of industries were using our products to enable and secure digital identities across the globe.

 

2


Table of Contents

 

Our Growth Strategy

Key investments we are making to drive growth include:

 

Driving new customer growth within existing geographic markets. Based on data from S&P Global Market Intelligence, we believe we have penetrated approximately 2% of over 65,000 companies in the countries where we have customers today. As a result, there is a significant opportunity to expand our footprint through both new, greenfield installations and displacement of competitive legacy solutions. We plan to expand our customer base in these countries by continuing to grow our sales organization, expand and leverage our channel partnerships and enhance our marketing efforts.

 

Further penetrating our existing customer base. Our customer base of 1,469, as of December 31, 2019, provides a significant opportunity to drive incremental sales. Our customers have the flexibility to start with a single use case or project and expand over time. As they realize the value of their investment, new use cases and deployments are identified, allowing us to sell more products to existing customers and to expand the number and types of identities, including non-human and machine identities, and governed systems we cover within their organizations. This is especially true when it comes to our new and expanded SaaS offerings, including artificial intelligence (“AI”) and cloud governance. We believe strong customer satisfaction is fundamental to our ability to expand our customer relationships.

 

Continuing to invest in our platform. Innovation is a core part of our culture. We believe we have established a reputation as a technology leader and innovator in identity governance. Over the past year, we launched new solutions and acquired Orkus and Overwatch.ID to further our SailPoint Predictive Identity vision. We plan to launch three new SaaS offerings in the first half of 2020. The first offering will help customers simplify and accelerate how they model access using our AI and machine learning (“ML”) platform. The next two offerings are focused on helping customers govern access to cloud platforms and workload and are built on technology acquired as part of the Orkus and Overwatch.ID acquisitions. We intend to continue investing, particularly in our SaaS offerings, to extend our position as the leader in identity governance by developing or acquiring new products and technologies.

 

Leveraging and expanding our network of partners. Our partnerships with global system integrators, such as Accenture, Deloitte, EY, KPMG and PwC, and resellers, such as Optiv, have helped us extend our reach and serve our customers more effectively. We see a significant opportunity to offer comprehensive solutions to customers by collaborating with adjacent technology vendors. We intend to continue to invest in our partnership network as their influence on our sales is vital to the success of our business.

 

Expanding market and product investment across existing vertical markets. We believe there is significant opportunity to further penetrate our target vertical markets by continuing to provide vertical-specific identity solutions and focusing our marketing efforts to address the use cases of those customers. With this approach, we believe we will be better able to address opportunities in key industries, such as financial services, healthcare, and federal, state and local government.

 

Continuing to expand our global presence. We believe there is significant opportunity to grow our business internationally. Enterprises around the world are facing similar operational, security and compliance challenges, driving the need for identity governance. We have personnel in 18 countries and customers based in 54 countries as of December 31, 2019 and we generated 29% of our revenue outside of the United States in 2019. We plan to leverage our existing strong relationships with global system integrators and channel partners to grow our presence in Europe, Asia Pacific and other international markets.

Product, Subscription, and Support Offerings

We deliver an integrated set of solutions to address identity governance challenges for medium and large enterprises. This set of solutions supports all aspects of identity governance, including provisioning, access request, compliance controls, password management and identity analytics for data stored in applications and files.

Our solutions deliver governance across the hybrid enterprise, extending from the mainframe to the cloud. We provide over 100 out-of-the-box connectors to enterprise applications such as SAP and Workday, which automate the collection, analysis and provisioning of identity data. We also provide governance over infrastructure components such as operating systems, directories, and databases and over vertical solutions, such as Epic, in the healthcare provider market. SailPoint Predictive Identity embeds AI and ML into our open identity platform to deliver actionable insights and recommendations to reduce risk, accelerate deployment and simplify administration.

3


Table of Contents

 

Our solutions are built on our open identity platform, which enables connectivity to a variety of security and operational IT applications such as IT service management solutions (e.g., BMC Remedy and ServiceNow), privileged access management (“PAM”) (e.g., CyberArk and BeyondTrust), enterprise mobility management (EMM) and security information and event management (SIEM). Our open identity platform extends the reach of our identity governance processes and enables effective identity governance controls across customer environments.

IdentityIQ

IdentityIQ is our on-premises identity governance solution, which can be deployed in customer’s data center or hosted in the public cloud. It provides large, complex enterprise customers a unified and highly configurable identity governance solution that consistently applies business and security policies as well as role and risk models across applications and data on-premises or hosted in the cloud. IdentityIQ enables organizations to:

 

Empower users to request and gain access to enterprise applications and data;

 

Automate provisioning across the user lifecycle, from on-boarding, to transfers and promotions to off-boarding by simplifying processes for creating, modifying and revoking access;

 

Enable business users to reset their passwords via self-service tools without the need for IT involvement;

 

Provide on-demand visibility to IT, business and risk managers into “who has access to what resources” to help make business decisions, improve security and meet audit requirements;

 

Improve security and eliminate common weak points associated with data breaches, including weak passwords, orphaned accounts, entitlement creep and separation-of-duties policy violations; and

 

Manage compliance using automated access certifications and policy management.

We package and price IdentityIQ into Core Modules and Advanced Integration Modules. All customers leverage the IdentityIQ Governance Platform, which provides the base features of the solution, including the identity warehouse, workflow engine and governance models. The four Core Modules include:

 

Lifecycle Manager: This module provides a business-oriented solution that delivers access securely and cost effectively. The self-service access request capabilities feature an intuitive user interface that empowers business users to take an active role in managing changes to their access while greatly reducing the burden on IT organizations. Automated provisioning manages the business processes of granting, modifying and revoking access throughout a user’s lifecycle with an organization, whether that user is an employee, contractor or business partner. Changes to user access can be automatically provisioned via a large library of direct connectors for applications such as Workday and SAP or synchronized with IT service management solutions such as ServiceNow.

 

Compliance Manager: This module enables the business to improve compliance and audit performance while lowering costs. It provides business user friendly access certifications and automated policy management controls (e.g., separation-of-duty violation reporting) that are designed to simplify and streamline audit processes across all applications and data. Built-in audit reporting and analytics give IT, business and audit teams visibility into, and management over, all compliance activities in the organization.

 

File Access Manager: This module, a rebranded and repackaged version of the SecurityIQ product line, secures access to the growing amount of data stored in file servers, collaboration portals, mailboxes and cloud storage systems. The change was made to align the positioning and packaging of solutions with how our customers are purchasing and deploying a comprehensive identity governance strategy. It helps organizations identify where sensitive data resides, who has access to it, and how they are using it and then puts effective controls in place to secure it. File Access Manager is designed to interoperate with the Compliance Manager and Lifecycle Manager modules to provide comprehensive visibility and governance over user access to all data. By augmenting identity data from structured systems with data from unstructured data targets, organizations can more quickly identify and mitigate risks, spot compliance issues and make the right decisions when granting or revoking access to sensitive data.

 

Password Manager: This module delivers a simple-to-use solution for managing user passwords to reduce operational costs and boost productivity. End users are empowered with a self-service interface for updating or resetting their password without having to contact the help desk. Configurable strong password policies enforce consistent security controls across on-premises and cloud applications. Password Manager has the capability to synchronize password changes across multiple applications, so they always remain consistent.

The Advanced Integration Modules provide connectivity to target application platforms such as SAP, mainframes, Amazon Web Services (“AWS”) and file storage systems.

4


Table of Contents

 

IdentityNow

IdentityNow is our cloud-based, multi-tenant identity governance platform, which is delivered as a SaaS subscription offering. IdentityNow provides customers with a set of fully integrated services for compliance, provisioning and password management for applications and data hosted on-premises or in the cloud. IdentityNow meets the most stringent identity governance requirements and provides enterprise-grade services that meet scalability, performance, availability and security demands. IdentityNow covers the same breadth of functionality as IdentityIQ, but additionally enables organizations to:

 

Automate identity governance processes in one unified solution delivered from the cloud;

 

Accelerate deployment with built-in best practice policies, options and default settings; and

 

Eliminate the need to buy, deploy and maintain hardware and software to run an identity governance solution.

We package and price IdentityNow into a Cloud Platform and Governance Services with unique functionality as outlined below:

 

Cloud Platform: IdentityNow provides foundational components for identity governance in the cloud, including production and sandbox instances and the IdentityNow Cloud Gateway virtual appliance, which leverages our patented method for integrating with on-premises applications and data. IdentityNow also includes a large catalog of pre-built connectors and application profiles to on-premises and cloud applications, leveraging the intellectual property developed for IdentityIQ.

 

User Provisioning: This module enables business users to be productive from day one. With IdentityNow user provisioning, organizations can streamline the on-boarding and off-boarding process with best practice configurations and workflows, enabling IT to immediately grant employees access to the applications and data they need to do their jobs.

 

Access Request: This module empowers the entire enterprise with a robust self-service solution for requesting and approving access to applications and data. Automating the access request process quickly delivers business users the access they need to do their jobs.

 

Access Certifications: This module automates the process of reviewing user access privileges across the organization. Using IdentityNow, organizations can quickly plan, schedule and execute certification campaigns to ensure the right users have the appropriate access to corporate resources.

 

Separation-of-Duties: This module simplifies and speeds the process of investigating access, quickly uncovering any access-related conflicts of interest for review and mitigation. It also automates the creation of policies that ensure continuous compliance with internal and external audit requirements.

 

Password Management: This module offers business users an intuitive, self-service experience for managing and resetting passwords from any device and from anywhere. This service enforces consistent and secure password policies for all users across all systems from the cloud to the data center.

IdentityAI

IdentityAI, our multi-tenant advanced AI and ML SaaS subscription offering, delivers on part of the SailPoint Predictive Identity vision by infusing intelligent insights and recommendations into our IdentityNow and IdentityIQ solutions to help organizations detect areas of high risk, including potential threats, before they turn into security breaches. IdentityAI consolidates identity data from IdentityNow and IdentityIQ, including account and entitlement assignments, with real-time activity in its big data platform. It then applies ML technologies to identify suspicious or anomalous behaviors. As a result, we believe customers will gain a much deeper understanding of the risk associated with user access, allowing them to focus their governance controls to reduce that risk. We are continuing development of IdentityAI to enable organizations to:

 

Scan massive amounts of identity data to identify risks without having to rely on a team of security experts;

 

Detect and alert on anomalous behaviors and potential threats using artificial intelligence technology;

 

Classify behavioral threats and focus controls on high-risk scenarios and conditions; and

 

Improve operational efficiency of the IT organization and business productivity by automating identity governance activities for routine and low-risk access.

We are continuing to develop IdentityAI to provide the following core capabilities:

 

Audit: IdentityAI tracks user access over time to determine historical patterns for individual digital identities. This allows for the system to quickly identify abnormal user access or activity patterns.

 

Peer Group Analysis: IdentityAI dynamically builds peer groups based on user attributes and access patterns. Peer group analysis is then used to identify outliers which may pose additional risk due to out-of-band or exceptional access privileges.

5


Table of Contents

 

 

Behavioral Analysis: IdentityAI monitors user behaviors, including access requests and approvals and application access events, at individual and peer group levels to baseline normal patterns and alert when anomalies are detected.

 

Risk Assessment: IdentityAI leverages ML algorithms to create a dynamic risk model that automatically evolves as data changes. Real-time risk analysis is used to identify potential threats and tune identity controls to focus on high-risk users and events while deprioritizing low-risk activities.

Technology

Our comprehensive, enterprise-grade identity governance platform is the result of both years of investment and the expertise of the Company’s management and technical teams. Taking the lessons learned from our experiences with prior generation identity solutions, our engineers and architects designed a modern identity platform with internet scale, comprehensive hybrid environment coverage, and openness to optimize customers’ existing technology investments.

Identity Cube Technology

Our Identity Cube technology establishes the 360-degree control essential to govern and secure digital identities in today’s complex IT environments. Our extensive data modeling capabilities allow us to understand how each identity relates to the full IT environment, whether on-premises or in the cloud. SailPoint’s account correlation and orphan account management capabilities allow IT security professionals and business managers to track and monitor the accounts that are most frequently under attack.

Identity Cubes track all relevant information about an identity and its relationships to applications and data. They create the “identity context” which is key to an identity-aware infrastructure in which identity information is shared across the extended enterprise. With identity context, operational and security systems can make informed decisions about access and perform key remediation and change requests on our open identity platform via our standardized application program interfaces (“APIs”) and software development kits (“SDKs”).

Model-Based Governance

Our model-based governance engine sits at the center of our platform and provides a comprehensive understanding of both the current state of who currently has access to what as well as the desired state of who should have access to what. The governance engine is responsible for managing the ongoing process of aligning these two states.

Governance and control models are used to drive our policy-based reconciliation service and to define how reconciliation and provisioning fulfillment actions are executed. These models are designed with graphical tools, enabling IT and business users to own and define the reconciliation and fine-grained access provisioning fulfillment processes for applications and data.

Dynamic Discovery Engine

The Dynamic Discovery Engine provides instant visibility to all applications and users across an organization and its IT systems. It works by enabling users to use natural language search to quickly find access-related information or identify potential risks in their environments. Searches can be saved for future use or quickly turned into automated governance policies for use in provisioning, access request, certification, and password management processes. In addition, an API framework is provided to enable machine queries of filtered identity data from external systems.

Provisioning Broker

Our provisioning broker provides separation between identity processes at the business level (e.g., requesting access to an application) and the actual fulfillment of that request on the target system. The provisioning broker is a specialized business process workflow execution engine that manages long-running provisioning tasks and provides tracking, monitoring and statistics for the end-to-end fulfillment process.

6


Table of Contents

 

The decoupling capability of the provisioning broker maximizes our customers’ flexibility and allows for the reuse of their existing IT investments. For example, if access to an application can only be provided manually through the opening of a help desk ticket, the provisioning broker will send that request to the help desk and report back on the status of that request. Likewise, if a customer utilizes a legacy provisioning system, the provisioning broker can pass off a request to that legacy system for fulfillment. In addition, the provisioning broker provides us with a unique migration strategy for customers moving from a legacy system to our identity governance solutions.

Enterprise-Grade Cloud Gateway

To manage on-premises infrastructure, applications and data from the cloud, we employ a Cloud Gateway Server (“CGS”), delivered as a virtual machine behind the customer’s firewall, which ensures that all SailPoint communications are highly secure. Our CGS technology is a high availability, secure, self-managed container that allows for controlled and automated updates of our connector infrastructure while ensuring the integrity of individual on-premises and cloud connections.

Our CGS also provides an innovative and patented approach to protecting our customer’s credentials. Our “zero-knowledge encryption” technology allows us to store all of a customer’s passwords and security credentials inside the CGS behind their firewall. As a result, we protect the confidentiality of our customers’ system and end-user credentials, even if our cloud service provider were to be breached.

Data Ownership Assessment and Election

Verifying the business end-user who is the logical owner of information is a key challenge in managing growing volumes of unstructured data in the enterprise. Our novel approach, supported by a recently granted patent, determines the rightful owner of files, so they can be integrated into governance control processes, such as access certifications and access approvals. Our solution leverages profile data to determine logical owners of information based on identity attributes and usage data. Once a set of logical owners is identified, we use a crowd-sourcing approach to allow other users familiar with the data to vote on the rightful owner of the file or file storage location. This enables organizations to efficiently identify and designate specific owners for sensitive information stored in files and incorporate them into identity governance processes.

Connectivity for the Hybrid IT Environment

Our extensive library of over 100 proprietary connectors provides interfaces to on-premises and cloud applications. These connectors are the means by which we provide governance over target systems. We support granular management of a wide range of systems, from mainframe security managers, including CA ACF2 and Top Secret, IBM and RACF, to traditional enterprise applications, including Oracle E-Business Suite and SAP, and pure SaaS business applications, such as Microsoft Office365, Salesforce and ServiceNow. Generally, the same connectors are used for both our on-premises and cloud-based products. This allows both solutions to leverage fully the over 400-man years we have invested in developing these connectors.

Open and Extensible Identity Platform

Our open identity platform is the result of over a decade of investment. Recognizing identity governance is at the center of critical enterprise business and IT processes, we developed a comprehensive set of services that go beyond simple APIs. In addition to our comprehensive API strategy, we deliver SDKs and plug-in frameworks which allow our partners and customers to create their own integrations and extensions to our core product capabilities. For example, we leverage our open identity platform to integrate with third-party user provisioning solutions, such as IBM Security Identity Manager and Oracle Identity Manager, and service desk solutions, such as BMC Remedy and ServiceNow, to implement account change requests. This enables SailPoint to govern access and provide identity context to downstream processes managed by these solutions. Another important open identity platform integration model is with PAM solutions. SailPoint provides a framework that enables organizations to use the same governance controls to oversee both privileged and standard account access. We also collect activity and other information from third-party solutions to improve risk analytics and identity governance processes in our products, specifically in IdentityAI.

Our APIs and SDKs are compliant with System for Cross-domain Identity Management (“SCIM”) and both provide standards-based bi-directional runtime access to our identity context model. Many such integrations and extensions have already been built by partners and certified for commercialization on our open identity platform.

 

7


Table of Contents

 

Seasonality

 

We generally experience seasonal fluctuations in demand for our products and services. Our quarterly sales are impacted by industry buying patterns. As a result, our sales have generally been highest in the fourth quarter of a calendar year and lowest in the first quarter.

Customers

As of December 31, 2019, we have 1,469 customers based in 54 countries. In the year ended December 31, 2019, we generated 29% of our revenue outside of the United States. No single customer represented more than 10% of our revenue for the year ended December 31, 2019.

Sales and Marketing

Sales

We sell our platform through our direct sales organization, which is comprised of field and inside sales personnel, as well as through channel partners. Our sales strategy often reflects a “land-and-expand” business model, in which our initial deployment with a new customer typically addresses a limited number of use cases within a single business unit. Such initial deployments frequently expand across departments, divisions and geographies through a need for additional users, increased usage or extended functionality. As we expand our portfolio of offerings within our platform, we execute a growing number of “solution” deals that include two to three of our products in the initial transaction.

Our sales force is structured by geography, customer size, status (customer or prospect) and industry. Our global sales organization is comprised of quota-carrying sales representatives supported by sales development representatives, sales engineers, partner managers, product and technical specialists and solution architects.

Partners constitute an essential part of our selling model. We have established a model designed to create zero conflict, and typically include our partners in all of our training and enablement efforts. As a result, our indirect sales model, executed through our global and regional system integrators, technology partners and value-added resellers, is a key factor in our overall success.

Marketing

Our marketing strategy is focused on building a strong brand through differentiated messaging and thought leadership, educating the market on the importance of identity, communicating our product advantages and generating pipeline for our sales force. Our data-driven approach to marketing is tightly aligned to our sales and channel strategy and provides agility to leverage market opportunities in a targeted and timely fashion. Our awareness efforts focus on branding, digital and content marketing, public and analyst relations and social media, including blogs and bylines. Educational and pipeline maturation programs include global email campaigns and webinars, security events and customers round tables. Pipeline generation and maturation efforts focus on local events in our three major geographies: (i) Americas, (ii) Europe, the Middle East and Africa (“EMEA”) and (iii) Asia-Pacific (“APAC”). Audiences for such events are typically IT and security professionals, including Chief Information Officers (“CIOs”) and Chief Information Security Officers (“CISOs”). We host geographic annual user conferences that bring together customers, prospects and our partners to learn about our platform as well as network and share best practices with each other. Our user conferences demonstrate our strong commitment to enabling our customers to succeed, while also serving as an opportunity to create pipeline for new sales to prospective customers and additional sales to existing customers.

Professional Services and Maintenance and Customer Support

Professional Services

We are primarily focused on ensuring that our professional services partners, who perform a majority of the implementations for our customers, are able to implement our solutions successfully. We provide “expert services” to partners and customers, including deployment best practices, architecture and code reviews, real time technical training, and complex implementation assistance. We also lead direct implementations when requested by a customer. We believe our investment in professional services, as well as the investment our partners are making to grow their SailPoint professional services practices, will drive increased adoption of our platform.

8


Table of Contents

 

Maintenance and Customer Support

Our customers receive one year of software maintenance as part of their initial purchase of our on-premises offerings and may renew their maintenance agreement following the initial period. Our cloud-based offerings include customer support. For our on-premises offerings, our maintenance provides customers with the right to receive major releases of their purchased solutions, maintenance releases and patches and access to our technical support services during the term of the agreement. We provide customers of our cloud-based offerings with technical support services and all aspects of infrastructure support. We maintain a customer support organization, which includes experienced, trained engineers, that offers multiple service levels for our customers based on their needs. These customers receive contractual response times, telephonic support and access to online support portals. Our highest levels of support provide 24x7x365 support for critical issues. Our customer support organization has global capabilities, a deep expertise in our solutions and, through select support partners, is able to deliver support in multiple languages.

Customer Success Management

Our customer success strategy centers around our investment in, and ownership of, the post-sale experience for our customers. Every customer has an assigned dedicated Customer Success Manager (“CSM”), who is responsible for ensuring that return on investment and business results, committed during the sales cycle, are achieved. Through proactive and regular engagements, the CSM makes sure every customer is satisfied and is using their SailPoint products or services optimally. When necessary, the CSM coordinates cross-departmental resources to remove any barrier to success. In addition, our customer success team utilizes customer data to identify and present any cross-sell or upsell solutions aligned to a customer’s business objectives, thereby contributing to revenue expansion and increased product penetration. By proactively managing customer relationships, our CSM team nurtures client advocates, who become a powerful asset in closing new business.

Partnerships and Strategic Relationships

As a core part of our strategy, we have cultivated strong relationships with partners to help us increase our reach and influence, while providing a broader distribution of our software platform. We have developed a large partner network consisting of technology partners, system integrators, a growing network of value-added resellers and our alliance partners (Accenture, Deloitte, EY, KPMG and PwC). In 2019, approximately 90% of our new customer transactions involved our partners. We believe that our extensive partnership network enables us to provide the most complete identity governance solution to our customers.

Technology Partners

We have partnered with industry leaders across a spectrum of technologies that enable organizations to integrate their entire security, mobility, cloud, and applications infrastructure into our platform so that breaches can be better identified, mitigated and contained, and operations can be streamlined. We believe that solutions from companies such as AWS, CyberArk, Microsoft, SAP, ServiceNow and Workday that are plugged into our open identity platform through APIs provide our customers value-added capabilities to build an identity-aware enterprise.

The SailPoint Identity+ Alliance is a technology partnering network that leverages familiar standards and methods—like SQL, SCIM and Representational State Transfer (“REST”)—that make it easy to share identity context and configure identity-specific policies across disparate systems. For example, when PAM systems are integrated with our solutions, enterprises can conduct regular audits of privileged users and automatically remediate any policy violations. Program offerings include access to SailPoint SDKs and APIs, developer support, and cloud-based certification services. The Identity+ Alliance comprises over 60 technology and implementation partners and has produced over 40 certified integrations.

Value-Added Resellers

Value-added resellers bring product expertise and implementation best practices to our customers globally. They provide vertical expertise and technical advice in addition to reselling or bundling our software. Many of our reseller partners have been trained to demonstrate and promote our identity platform. Our reseller channel ranges from large companies, like Optiv, to regional resellers in our markets and territories. Our reseller program is designed to scale growth, help generate new opportunities, optimize customer experience and increase profitability as well as sales efficiency.

9


Table of Contents

 

System Integrators

We partner with many large and global system integrators. We have partnerships with global advisory firms such as Deloitte, EY, KPMG, and PwC, with global system integrators such as Accenture and DXC Technologies, and with many regional system integrators in all three of our geographies. The focus of our system integrators program is to deliver pipeline growth and bookings, to help partners drive self-sufficiency and to foster transparency and collaboration through shared assets and resources. We have implemented joint business controls and metrics that provide a platform for discussion and partnership development and help us optimize our program and unified value proposition.

Research and Development

Innovation is one of our core values, and it is at the heart of how we think and do business. We believe ongoing and timely development of new products and features is imperative to maintaining our competitive position. We continue to invest in both our cloud and on-premises solutions. Additionally, we will be opportunistic in leveraging technology acquisitions similar to our acquisition of Orkus and Overwatch.ID to accelerate research and development activities. As of December 31, 2019, our research and development team had 326 employees.

As part of our relentless drive toward innovation and technical market leadership, we created SailPoint Labs in 2011. SailPoint Labs is a dedicated, stand-alone technology investigation and engineering group that focuses on finding and evaluating new technologies and approaches that will accelerate SailPoint’s vision in the market.

Competition

We operate in a highly competitive market characterized by constant change and innovation. Our competitors include large enterprise software vendors that offer identity solutions within their product portfolios, pure play identity vendors (including new market entrants) and vendors with whom we have not traditionally competed but may either introduce new products or incorporated features into existing products that compete with our solutions.

We believe the principal competitive factors in our market include:

 

Reliability and effectiveness in implementing identity governance policies;

 

Comprehensiveness of visibility provided by implemented identity governance policies;

 

Flexibility to deploy identity governance and administration as a software-based solution on-premises or in the cloud or as a SaaS solution;

 

Adherence to government and industry regulations and standards;

 

Comprehensiveness and interoperability of the solution with other IT and security applications;

 

Security, scalability and performance;

 

Ability to innovate and respond to customer needs rapidly;

 

Quality and responsiveness of support organizations;

 

Total cost of ownership;

 

Ease of use; and

 

Customer experience.

Some of our competitors have significantly greater financial, technical, and sales and marketing resources, as well as greater name recognition, in some cases within particular geographic regions, and more extensive geographic presence than we do. However, we believe we compete favorably with our competitors on the basis of all the factors above.

Intellectual Property

Our success depends in part on our ability to protect our intellectual property. We rely on copyrights and trade secret laws, confidentiality procedures, employment proprietary information and inventions assignment agreements, trademarks and patents to protect our intellectual property rights. We also license software from third parties for integration into our product solutions, including open source software and other software available on commercially reasonable terms.

We control access to and use of our product solutions and other confidential information through the use of internal and external controls, including contractual protections with employees, contractors, customers and partners, and our software is protected by U.S. and international copyright and trade secret laws. Despite our efforts to protect our trade secrets and proprietary rights through intellectual property rights, licenses and confidentiality agreements, unauthorized parties may still copy or otherwise obtain and use our software and technology.

10


Table of Contents

 

We have 29 issued patents and 16 patent applications pending in the United States relating to certain aspects of our technology. Additionally, we have three issued patents and two patent applications pending internationally. The expiration dates of our issued patents range from 2024 to 2039. We cannot assure you whether any of our patent applications will result in the issuance of a patent or whether the examination process will require us to narrow our claims. Any of our existing patents and any that may issue may be contested, circumvented, found unenforceable or invalidated, and we may not be able to prevent third parties from infringing them. In addition, we have international operations and intend to continue to expand these operations, and effective patent, copyright, trademark and trade secret protection may not be available or may be limited in foreign countries.

Employees

As of December 31, 2019, we had a total of 1,168 employees, including 326 involved in research and development activities, 420 in our sales and marketing organization, and 275 in professional services and customer support. As of December 31, 2019, approximately 33% of our employees were located outside of the United States. We consider our employee relations to be good.

Corporate Information

SailPoint Technologies Holdings, Inc. was incorporated in the state of Delaware on August 8, 2014, in preparation for the purchase of SailPoint Technologies, Inc. The purchase occurred on September 8, 2014 and our certificate of incorporation was amended and restated as of such date. SailPoint Technologies, Inc. was formed July 14, 2004 as a Delaware corporation.

Our principal executive offices are located at 11120 Four Points Drive, Suite 100, Austin, Texas 78726, and our telephone number at that address is (512) 346-2000. Our website address is www.sailpoint.com. Information contained on, or that can be accessed through, our website does not constitute part of this Annual Report on Form 10-K, and inclusions of our website address in this Annual Report on Form 10-K are inactive textual references only.

The SailPoint design logo and our other registered or common law trademarks, service marks or trade names appearing in this Annual Report on Form 10-K are the property of SailPoint Technologies, Inc., our wholly-owned subsidiary. Other trademarks and trade names referred to in this Annual Report on Form 10-K are the property of their respective owners.

Available Information

Our website is located at https://www.sailpoint.com, and our investor relations website is located at https://investors.sailpoint.com. The information posted on our website is not incorporated into this Annual Report on Form 10-K. Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to reports filed or furnished pursuant to Sections 13(a) and 15(d) of the Securities Exchange Act of 1934 (the “Exchange Act”) are available free of charge on our investor relations website as soon as reasonably practicable after we electronically file such material with, or furnish it to, the Securities and Exchange Commission (“SEC”). You may also access all of our public filings through the SEC’s website at https://www.sec.gov.

Investors and other interested parties should note that we use our media and investor relations website and our social media channels to publish important information about us, including information that may be deemed material to investors. We encourage investors and other interested parties to review the information we may publish through our media and investor relations website and the social media channels listed on our media and investor relations website, in addition to our SEC filings, press releases, conference calls and webcasts.

11


Table of Contents

 

ITEM 1A. RISK FACTORS

The nature of the business activities conducted by the Company subjects it to certain hazards and risks. The following is a summary of some of the material risks relating to the Company’s business activities. Other risks are described in Part I, Item 1. “Business—Competition” and Part II, Item 7A. “Quantitative and Qualitative Disclosures About Market Risk.” These risks are not the only risks facing the Company. The Company’s business could also be affected by additional risks and uncertainties not currently known to the Company or that it currently deems to be immaterial. If any of these risks actually occurs, it could materially harm the Company’s business, financial condition or results of operations and impair the Company’s ability to implement business plans. In that case, the market price of the Company’s common stock could decline.

Risks Related to Our Business and Industry

Since our inception, except for the year ended December 31, 2018, we have incurred net losses and we may not be able to generate sufficient revenue to achieve and sustain profitability.

Since our inception, except for the year ended December 31, 2018, we have incurred net losses, including net loss of $8.5 million for the year ended December 31, 2019. We cannot assure you that we will achieve profitability in the future or that we will be able to sustain profitability. We expect our operating expenses to increase significantly as we continue to expand our sales and marketing efforts, continue to invest in research and development, particularly for our cloud-based solutions, and expand our operations in existing and new geographies and vertical markets. While our revenue has grown in recent years, if our revenue declines or fails to grow at a rate faster than increases in our operating expenses, we will not be able to maintain profitability in future years. In particular, as discussed in the risk factor above, our revenues may be materially and adversely affected during any period of significant shifts to subscription-based arrangements, and as a result, we may again generate losses.

We have experienced rapid growth in recent periods, and our recent growth rates may not be indicative of our future growth.

We have experienced rapid growth in recent years. Our revenue grew from $186.1 million to $288.5 million from the year ended December 31, 2017 to the year ended December 31, 2019. In future periods, we may not be able to sustain revenue growth consistent with recent history, or at all. We believe our revenue growth depends on a number of factors, including, but not limited to:

 

our ability to attract new customers and retain and increase sales to existing customers;

 

our ability to, and the ability of our channel partners to, successfully deploy and implement our solutions, increase our existing customers’ use of our solutions and provide our customers with excellent customer support;

 

our ability to develop our existing solutions and introduce new solutions;

 

our ability to hire substantial numbers of new sales and marketing, research and development and general and administrative personnel, and expand our global operations; and

 

our ability to increase the number of our technology partners.

If we are unable to achieve any of these requirements, our revenue growth will be adversely affected. In addition, as discussed above, our revenue growth may be materially and adversely affected during any period of significant shifts to subscription-based arrangements.

Our future revenues and operating results will be harmed if we are unable to acquire new customers, if our customers do not renew their arrangements with us, or if we are unable to expand sales to our existing customers or develop new solutions that achieve market acceptance.

To continue to grow our business, it is important that we continue to acquire new customers to purchase and use our solutions. Our success in adding new customers depends on numerous factors, including our ability to (i) offer a compelling identity governance platform and solutions, (ii) execute an effective sales and marketing strategy, (iii) attract, effectively train and retain new sales, marketing, professional services and support personnel in the markets we pursue, (iv) develop or expand relationships with channel partners, including systems integrators, resellers and technology partners, (v) expand into new geographies and vertical markets, (vi) deploy our platform and solutions for new customers and (vii) provide quality customer support once deployed. Further, our marketing efforts depend, in part, on attendance by our prospective customers at in-person meetings and events, which attendance could be adversely affected by public health issues, including outbreaks of contagious diseases or illnesses, such as the coronavirus.

12


Table of Contents

 

It is important to our continued growth that our customers renew their arrangements when existing contract terms expire. Our customers have no obligation to renew their maintenance, SaaS and/or term-license agreements, and our customers may decide not to renew these agreements with a similar contract period, at the same prices and terms or with the same or a greater number of identities. Although our customer retention rate has historically been strong, some of our customers have elected not to renew their agreements with us, and it is difficult to accurately predict long-term customer retention and expansion rates. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our solutions, our customer support and professional services, our prices and pricing plans, the competitiveness of other software products and services, reductions in our customers’ spending levels, user adoption of our solutions, deployment success, utilization rates by our customers, new product releases and changes to our product offerings. If our customers do not renew their maintenance, SaaS and/or term-license agreements, or renew on less favorable terms, our business, financial condition and operating results may be adversely affected.

Our ability to increase revenue also depends in part on our ability to increase the number of identities governed with our solutions and sell more modules and solutions to our existing and new customers. Our ability to increase sales to existing customers depends on several factors, including their experience with implementing and using our platform and the existing solutions they have implemented, their ability to integrate our solutions with existing technologies, and our pricing model.

If our new solutions do not achieve adequate acceptance in the market, our competitive position could be impaired, and our potential to generate new revenue or to retain existing revenue could be diminished. The adverse effect on our financial results may be particularly acute because of the significant research, development, marketing, sales and other expenses we will have incurred in connection with the new solutions, and our ability to introduce compelling new solutions that address the requirements of our customers in light of the dynamic identity governance market in which we operate.

If we are unable to successfully acquire new customers, retain our existing customers, expand sales to existing customers or introduce new solutions, our business, financial condition and operating results could be adversely affected.

A shift in our business from selling licenses to selling subscriptions could materially and adversely affect our financial condition, operating results and liquidity, and our business, financial condition, operating results and prospects could be materially and adversely affected if we fail to successfully manage this shift.

We believe enterprises are increasingly embracing the cloud to house their critical security infrastructure. As a result, a growing number of enterprises are changing their approach to identity governance and now prefer SaaS in place of purchasing software via a license and independently operating their identity infrastructure. Our current product strategy reflects our belief in this industry shift. As we make this transition and sell subscription-based arrangements, our license revenue will be negatively impacted and to a lesser extent our subscription revenue could be positively impacted.

We believe that continued growth of subscription revenue as a percentage of total revenue will lead to a more predictable revenue model and increase our visibility to future period total revenues. However, in a subscription-based arrangement with a customer, we typically:

 

recognize revenue (i) ratably over the term of the applicable agreement if the software is delivered as a service, whereas we typically recognize revenue from perpetual licenses upfront upon delivering the applicable license, or (ii) upfront if the software is purchased on a subscription-based license (for example, a term license) and deployed on the customer’s premises, but for an amount less than we would charge for a perpetual license; meaning in each case that for a given customer, we will initially recognize less revenue if our software is delivered via a subscription-based arrangement rather than as a perpetual license; and

 

invoice the customer for subscription fees annually, and at an amount less than we would charge initially for a perpetual license, meaning that for a given customer, initially our billings and our cash flows will decrease.

As a result, during any period of significant shifts to subscription-based arrangements, our revenue and cash flows, financial condition, operating results and liquidity may be materially and adversely affected in such period. Additionally, if a greater percentage of our customers purchase our solutions through subscription-based arrangements than we expect in any period, our revenue and earnings will likely fall below expectations for that period and our cash flows may be lower than expected. Furthermore, our business, financial condition, operating results and prospects could be materially and adversely affected if we fail to successfully manage this industry shift, which depends upon our ability to, among other things, properly price our subscription-based arrangements, deliver

13


Table of Contents

 

software as a service, retain our customers, and further develop or acquire related technologies and infrastructure. If the industry shift occurs differently than we anticipate, our business, financial condition, operating results and prospects could be materially and adversely affected.

Breaches in our security, cyber-attacks or other cyber-risks could expose us to significant liabilities and cause our business and reputation to suffer.

Our operations involve transmission and processing of our customers' and their employees’ confidential, proprietary and sensitive information including, in some cases, personally identifiable information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. Despite our security measures, our information technology and infrastructure may be vulnerable to security risks, including but not limited to, unauthorized access to use or disclosure of customer data, theft of proprietary information, employee error or misconduct, denial of service attacks, loss or corruption of customer data, and computer hacking attacks or other cyber-attacks subsequently originated from our infrastructure. Such events could expose us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses and other liabilities. Because techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not recognized until successfully launched against a target, we may be unable to anticipate these techniques or to reasonably implement adequate preventative measures. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures could be harmed, our brand and reputation could be impacted, we could lose potential sales and existing customers, our ability to operate our business could be impaired, and we may incur significant liabilities. Moreover, failure to maintain effective internal accounting controls related to data security breaches and cybersecurity in general could impact our ability to produce timely and accurate financial statements and could subject us to regulatory scrutiny.

Interruptions with the delivery of our SaaS solutions, or third-party cloud-based systems that we use in our operations, may adversely affect our business, operating results and financial condition.

Our continued growth depends in part on the ability of our existing customers and new customers to access our platform and solutions, particularly our cloud-based deployments, at any time and within an acceptable amount of time. In addition, our ability to access certain third-party SaaS solutions is important to our operations and the delivery of our customer support and professional services, including our online training for customers, professional services partners and channel partners. We have experienced, and may in the future experience, service disruptions, outages and other performance problems both in the delivery of our SaaS solutions and in third-party SaaS solutions we use due to a variety of factors, including infrastructure changes, malicious actors, human or software errors or capacity constraints. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. It may become increasingly difficult to maintain and improve the performance of our SaaS solutions as they become more complex. If our SaaS solutions are unavailable or if our customers are unable to access features of our SaaS solutions within a reasonable amount of time or at all, our business would be negatively affected. In addition, if any of the third-party SaaS solutions that we use were to experience a significant or prolonged outage or security breach, our business could be adversely affected.

We host our SaaS solutions using AWS data centers, a provider of cloud infrastructure services. All of our SaaS solutions reside on hardware owned or leased and operated by us in these locations. Our SaaS operations depend on protecting the virtual cloud infrastructure hosted in AWS by maintaining its configuration, architecture, features and interconnection specifications, as well as the information stored in these virtual data centers and which third-party internet service providers transmit. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake or other natural disasters, cyber-attacks, terrorist or other attacks, public health issues or other similar events beyond our control could negatively affect our SaaS platform. A prolonged AWS service disruption affecting our SaaS platform for any of the foregoing reasons would negatively impact our ability to serve our customers and could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers or otherwise harm our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the AWS services we use. In addition, AWS may terminate the agreement by providing 30 days’ prior written notice and may, in some cases, terminate the agreement immediately for cause upon notice. In the event that our AWS service agreements are terminated, or there is a lapse of service, elimination of AWS services or features that we utilize, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform as well as significant delays and additional expense in arranging or creating new facilities and services and/or re-architecting our SaaS solutions for deployment on a different cloud infrastructure service provider, which may adversely affect our business, operating results and financial condition.

14


Table of Contents

 

We face intense competition in our market, both from larger, well established companies and from emerging companies, and we may lack sufficient financial and other resources to maintain and improve our competitive position.

The market for identity and data governance solutions is intensely competitive and is characterized by constant change and innovation. We face competition from large enterprise software vendors that offer identity solutions within their product portfolios, pure play identity vendors (including new market entrants) and vendor with whom we have not traditionally completed but may either introduce new products or incorporate features into existing products that compete with our solutions. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages such as:

 

greater name recognition and longer operating histories;

 

more comprehensive and varied products and services;

 

broader product offerings and market focus;

 

greater resources to develop technologies or make acquisitions;

 

more expansive intellectual property portfolios;

 

broader distribution and established relationships with distribution partners and customers;

 

greater customer support resources; and

 

substantially greater financial, technical and other resources.

Given their larger size, greater resources and existing customer relationships, our competitors may be able to compete and respond more effectively than we can to new or changing opportunities, technologies, standards or customer requirements. Our competitors may also seek to extend or supplement their existing offerings to provide identity and data governance solutions that more closely compete with our offerings. Potential customers may also prefer to purchase, or incrementally add solutions, from their existing suppliers rather than a new or additional supplier regardless of product performance or features.

In addition, with the recent increase in large merger and acquisition transactions in the technology industry, particularly transactions involving cloud-based technologies, there is a greater likelihood that we will compete with other large technology companies in the future. Some of our competitors have made acquisitions or entered into strategic relationships to offer a more comprehensive product than they individually had offered. Companies and alliances resulting from these possible consolidations and partnerships may create more compelling product offerings and be able to offer more attractive pricing, making it more difficult for us to compete effectively. In addition, continued industry consolidation may adversely impact customers’ perceptions of the viability of small and medium-sized technology companies and consequently their willingness to purchase from those companies.

New start-up companies that innovate and competitors that are making significant investments in research and development may invent similar or superior products and technologies that compete with our products, and our business could be materially and adversely affected if such technologies or products are widely adopted. Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering by our competitors or continuing market consolidation. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margins, increased net losses, and loss of market share. Any failure to meet and address these factors could adversely affect our business, financial condition and operating results.

Our sales cycle is long and unpredictable, and our sales efforts require considerable time and expense.

The timing of our sales and related revenue recognition is difficult to predict because of the length and unpredictability of the sales cycle for our platform before a sale. We and our channel partners are often required to spend significant time and resources to better educate and familiarize potential customers with the value proposition of our platform and solutions. Customers often view the purchase of our solutions as a strategic decision and significant investment and, as a result, frequently require considerable time to evaluate, test and qualify our platform and solutions prior to purchasing our solutions. During the sales cycle, we expend significant time and money on sales and marketing and contract negotiation activities, which may not result in a sale. Additional factors that may influence the length and variability of our sales cycle include:

 

the discretionary nature of purchasing and budget cycles and decisions;

 

lengthy purchasing approval processes;

 

the evaluation of competing products during the purchasing process;

15


Table of Contents

 

 

time, complexity and expense involved in replacing existing solutions;

 

announcements or planned introductions of new products features or functionality by our competitors or of new solutions or modules by us;

 

the practice of large enterprises often driving their purchasing cycles based on internal factors rather than marketing cycles; and

 

evolving functionality demands.

If our efforts in pursuing sales and customers are unsuccessful, or if our sales cycles lengthen, our revenue could be lower than expected, which would have an adverse effect on our business, operating results and financial condition.

We recognize some of our revenue ratably over the term of our agreements with customers and, as a result, downturns or upturns in sales may not be immediately reflected in our operating results.

We recognize revenue from our subscription offerings, including IdentityNow, ratably over the terms of our agreements with customers, which generally occurs over a three-year period. As a result, a portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our products and potential changes in our rate of renewals may not be fully reflected in our operating results until future periods. Our model also makes it difficult for us to rapidly increase our subscription revenue through additional sales in any period, as revenue from new customers generally will be recognized over the term of the applicable agreement.

We expect to continue to invest in research and development, sales and marketing, and general and administrative functions and other areas to grow our subscription-related business. These subscription-related costs are generally expensed as incurred (with the exception of sales commissions), as compared to the corresponding revenue, substantially all of which is recognized ratably in future periods. We are likely to recognize the costs associated with these investments earlier than some of the anticipated benefits and the return on these investments may develop more slowly, or may be lower, than we expect, which could adversely affect our operating results.

Our quarterly results fluctuate significantly and may not fully reflect the underlying performance of our business.

We believe our quarterly revenue and operating results may vary significantly in the future. As a result, you should not rely on the results of any one quarter as an indication of future performance and period-to-period comparisons of our revenue and operating results may not be meaningful and, as a result, may not fully reflect the underlying performance of our business.

Our quarterly operating results may fluctuate as a result of a variety of factors, including, but not limited to, those listed below, many of which are outside of our control:

 

the loss or deterioration of our channel partner and other relationships influencing our sales execution;

 

the mix of revenue and associated costs attributable to licenses, subscription and professional services, which may impact our gross margins and operating income;

 

the mix of revenue attributable to larger transactions as opposed to smaller transactions and the associated volatility and timing of our transactions;

 

the growth in the market for our products;

 

our ability to attract new customers and retain and increase sales to existing customers;

 

changes in customers’ budgets and in the timing of their purchasing decisions, including seasonal buying patterns for IT spending;

 

the timing and success of new product introductions by our competitors and by us;

 

changes in our pricing policies or those of our competitors;

 

significant security breaches of, technical difficulties with, or interruptions to, the delivery and use of our platform;

 

changes in the legislative or regulatory environment;

 

foreign exchange gains and losses related to expenses and sales denominated in currencies other than the U.S. dollar or the function currencies of our subsidiaries;

 

increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;

 

costs related to the acquisition of businesses, talent, technologies or intellectual property, including potentially significant amortization costs and possible write-downs;

 

our ability to control costs, including our operating expenses;

16


Table of Contents

 

 

the collectability of receivables from customers and channel partners, which may be hindered or delayed if these customers or channel partners experience financial distress;

 

economic conditions specifically affecting industries in which our customers participate;

 

natural disasters, public health issues or other catastrophic events; and

 

litigation-related costs, settlements or adverse litigation judgments.

If we are unable to maintain successful relationships with our channel partners, our ability to market, sell and distribute our solutions will be limited and our business, financial condition and operating results could be adversely affected.

We derive a significant portion of our revenue from sales influenced or made through our channel partner network and expect these sales to continue to grow for the foreseeable future. Our channel partners provide implementation and other services to our customers in exchange for fees paid by those customers. We may not achieve anticipated revenue growth from our channel partners if we are unable to retain our existing channel partners and expand their sales or add additional motivated channel partners.

Our arrangements with our channel partners are generally non-exclusive, meaning they may offer customers the products of several different companies, including products that compete with our platform and solutions. If our channel partners do not effectively market and sell our solutions, choose to use greater efforts to market and sell our competitors’ products or services, or fail to meet the needs of our customers, our ability to grow our business and sell our solutions may be adversely affected. Our channel partners may cease marketing our products with limited or no notice and with little or no penalty. In addition, certain of our channel partners are subject to independence requirements that may prevent them from providing services to us or cooperating with us in our go-to-market efforts if they also provide services for entities where members of our board of directors or executive officers serve on such entities’ board of directors or similar governing body. If one or more of our channel partners determines that it is unable to both provide services to us or cooperate with us in our go-to-market efforts and also provide services to another entity, those channel partners may cease marketing our products or otherwise cease providing services to us or cooperating with us in our go-to-market efforts.

We also collaborate with adjacent technology vendors to offer comprehensive solutions to our customers. If we do not effectively collaborate with them, or if they elect to terminate their relationship with us or develop and market solutions that compete with our solutions, our growth may be adversely affected.

Our ability to generate revenue in the future will depend in part on our success in maintaining effective working relationships with our channel partners, in expanding our indirect sales channel, in training our channel partners to independently sell and/or deploy our solutions and in continuing to integrate our solutions with the products and services offered by our technology partners. If we are unable to maintain our relationships with these channel partners, our business, financial condition and operating results could be adversely affected.

We anticipate that our operations will continue to increase in complexity as we grow, which will add additional challenges to the management of our business in the future.

Our business has experienced significant growth and is becoming increasingly complex. We increased the number of our employees from 806 at December 31, 2017 to 1,168 at December 31, 2019. We have also experienced growth in the number of customers of our solutions from 933 at December 31, 2017 to 1,469 at December 31, 2019. At December 31, 2019, we had personnel in 18 countries, and we expect to expand into additional countries in the future. We expect this growth to continue and for our operations to become increasingly complex. To effectively manage this growth, we have made and plan to continue to make substantial investments to improve our operational, financial and management controls as well as our reporting systems and procedures. Our success will depend in part on our ability to manage this complexity effectively without undermining our corporate culture, which we believe has been central to our success. If we are unable to manage this complexity, our business, operations, operating results and financial condition may suffer.

17


Table of Contents

 

As our customer base continues to grow, we likely will need to expand our professional services and other personnel, and maintain and enhance our existing partner network, to provide a high level of customer service. We also will need to effectively manage our direct and indirect sales processes as the number and type of our sales personnel and partner network continues to grow and become more complex and as we continue to expand into new geographies and vertical markets. This complexity is further driven by the various ways in which we sell our solutions, including on a per identity and per module basis through perpetual licenses and SaaS. If we do not effectively manage the increasing complexity of our business and operations, the quality of our solutions and customer service could suffer, and we may not be able to adequately address competitive challenges. These factors could impair our ability, and our channel partners’ ability, to attract new customers, retain existing customers, expand our customers’ use of existing solutions and adoption of more of our solutions and continue to provide high levels of customer service, all of which would adversely affect our reputation, overall business, operations, operating results and financial condition.

Real or perceived errors, failures, or disruptions, including those caused by cyber-attacks, in our platform and solutions could adversely affect our customers’ satisfaction with our solutions and/or our industry reputation and business could be harmed.

Our platform and solutions are very complex and have contained and may contain undetected defects, vulnerabilities or errors, especially when solutions are first introduced or enhanced. Our platform and solutions are often used in connection with large-scale computing environments with different operating systems, system management software, equipment and networking configurations, which may cause errors or failures of products, or other aspects of the computing environment into which our products are deployed. If our platform and solutions are not implemented or used correctly or as intended, inadequate performance and disruption in service may result. In addition, deployment of our platform and solutions into complicated, large-scale computing environments may expose errors, failures or vulnerabilities in our products. Any such errors, failures, or vulnerabilities may not be found until after they are deployed to our customers. We have experienced from time to time errors, failures and bugs in our platform that have resulted in customer downtime. While we were able to remediate these situations, we cannot assure you that we will be able to mitigate future errors, failures, vulnerabilities or bugs in a quick or cost-effective manner.

We have in the past experienced, and may in the future experience, performance issues due to a variety of factors, including infrastructure changes, human or software errors, website or third-party hosting disruptions or capacity constraints due to a number of potential causes including technical failures, cyber-attacks, security incidents, natural disasters or fraud. If our products or solutions or corporate security is compromised, our website, professional services, customer support or SaaS solutions are unavailable, our business could be negatively affected. Moreover, if our security measures, products or services are subject to cyber-attacks that degrade or deny the ability of users to access our website or other products or services, our products or services may be perceived as insecure, and we may incur significant legal and financial exposure. In particular, our cloud-based products may be especially vulnerable to interruptions, performance problems or cyber-attacks. We continue to invest in the personnel, infrastructure and third-party best practice software solutions and services necessary to mitigate these risks. However, if we are unable to attract and retain personnel with the necessary cybersecurity expertise, or fail to implement sufficient safeguarding measures, we may not be able to prevent, detect, and mitigate potentially disruptive events which could occur in the future. In some instances, we may not be able to identify the cause or causes of these events within an acceptable period of time. Our cloud-based products are hosted at third-party data centers that are not under our direct control. If these data centers were to be damaged or suffer disruption, our ability to provide products and services to our customers could be impaired and our reputation could be harmed and we may face legal action over the disruption or exposure and/or loss of data, as well as incur additional compliance and information security costs in order to mitigate future disruptions.

If we or our partners or one or more customers were to suffer a highly publicized breach, even if our platform and solutions perform effectively, such a breach could cause our customers or potential customers to lose trust in our identity governance platform in general, which could cause us to suffer reputational harm, lose existing commercial relationships and customers or deter them from purchasing additional solutions and prevent new customers from purchasing our solutions.

18


Table of Contents

 

Since our customers use our platform and solutions for important aspects of their security environment and operational business, any real or perceived errors, failures or vulnerabilities in our products, or disruptions in service or other performance problems, could hurt our reputation and may damage our customers’ businesses. Furthermore, defects, errors, vulnerabilities or failures in our platform or solutions may require us to implement design changes or software updates. Any defects, vulnerabilities or errors in our platform or solutions, or the perception of such defects, vulnerabilities or errors, could result in:

 

expenditure of significant financial and product development resources in efforts to analyze, correct, eliminate or work around errors or defects;

 

loss of existing or potential customers or channel partners;

 

delayed or lost revenue;

 

delay or failure to attain market acceptance;

 

delay in the development or release of new solutions or services;

 

negative publicity, which will harm our reputation;

 

an increase in collection cycles for accounts receivable or the expense and risk of litigation; and

 

harm to our operating results.

Although we have contractual protections, such as warranty disclaimers and limitation of liability provisions, in our standard terms and conditions of sale, they may not fully or effectively protect us from claims by customers, commercial relationships or other third parties. Any insurance coverage we may have may not adequately cover all claims asserted against us or cover only a portion of such claims. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation and the diverting of management’s time and other resources.

If we fail to adapt and respond effectively to rapidly changing technology, evolving industry standards, changing regulations and changing customer needs, requirements or preferences, our platform and solutions may become less competitive.

The market in which we compete is relatively new and subject to rapid technological change, evolving industry standards and changing regulations, as well as changing customer needs, requirements and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis. In addition, as our customers’ technologies and business plans grow more complex, we expect them to face new and increasing challenges. Our customers require that our solution effectively identifies and responds to these challenges without disrupting the performance of our customers’ IT systems. As a result, we must continually modify and improve our products in response to changes in our customers’ IT infrastructures.

We may be unable to anticipate future market needs and opportunities or be unable to develop enhancements to our platform or existing solutions or new solutions to meet such needs or opportunities in a timely manner, if at all. Even if we are able to anticipate, develop and commercially introduce enhancements to our platform and existing solutions and new solutions, those enhancements and new solutions may not achieve widespread market acceptance. Our enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:

 

delays in releasing platform or solutions enhancements or new solutions;

 

inability to interoperate effectively with existing or newly introduced technologies, systems or applications of our existing and prospective customers;

 

defects, errors or failures in our platform or solutions;

 

negative publicity about the performance or effectiveness of our platform or solutions;

 

introduction or anticipated introduction of competing products by our competitors;

 

installation, configuration or usage errors by our customers or partners; and

 

changing of regulatory requirements related to security.

If we were unable to enhance our platform or existing solutions or develop new solutions that keep pace with rapid technological and industry change, our business, operating results and financial condition could be adversely affected. If new technologies emerge that are able to deliver competitive products and services at lower prices, more efficiently, more conveniently or more securely, such technologies could adversely impact our ability to compete effectively.

19


Table of Contents

 

Our failure to achieve and maintain an effective system of disclosure controls and internal control over financial reporting could adversely affect our financial position and lower our stock price.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), and the rules and regulations of the applicable listing standards of the New York Stock Exchange (the “NYSE”). The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended, and anticipate that we will continue to expend, significant resources, including accounting-related costs and significant management oversight.

Our internal resources and personnel may be insufficient to avoid accounting errors and there can be no assurance that we will not have material weaknesses in our internal control over financial reporting. For example, we reported material weaknesses as of December 31, 2018 in our Annual Report on Form 10-K. We have since fully remediated the reported material weaknesses, but we cannot assure you that our efforts to identify and prevent additional material weaknesses in the future will be successful. Any failure to maintain effective controls or any difficulties encountered implementing required new or improved controls could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements. Any failure to implement and maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports that are filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NYSE.

Any actual or perceived failure by us to comply with our privacy policy or legal or regulatory requirements in one or multiple jurisdictions could result in proceedings, actions or penalties against us.

Our customers’ storage and use of data concerning, among others, their employees, contractors, customers and partners is essential to their use of our platform and solutions. We have implemented various features intended to enable our customers to better comply with applicable privacy and security requirements in their collection and use of data, but these features do not ensure their compliance and may not be effective against all potential privacy and data security concerns.

A wide variety of domestic and foreign laws and regulations apply to the collection, use, retention, protection, disclosure, transfer, disposal and other processing of personal data. These data protection and privacy-related laws and regulations are evolving and may result in regulatory and public scrutiny and escalating levels of enforcement and sanctions. Our failure to comply with applicable laws and regulations, or to protect any personal data, could result in enforcement action against us, including fines, claims for damages by customers and other affected individuals, damage to our reputation and loss of goodwill (both in relation to existing customers and prospective customers), any of which could adversely affect our business, operating results, financial performance and prospects.

Domestically, California enacted the California Consumer Privacy Act (the “CCPA”) which took effect on January 1, 2020, imposing an additional regulatory burden on our company and providing for both civil penalties as well as a private right of action for data breaches.

In jurisdictions outside of the United States, we may face heightened data protection and privacy requirements. In the EU, for example, the European General Data Protection Regulation (“GDPR”) regulates the collection, use and disclosure of personal data that is subject to GDPR (“Personal Data”), including the transfer of such Personal Data to third countries, such as the United States. Due to ongoing legal challenges regarding the methods for transferring Personal Data to third countries, we face uncertainty as to whether our efforts to comply with such transfer restrictions are adequate and, as a result, we and our customers may be at risk of enforcement actions taken by EU data protection authorities until such point in time that we may be able to ensure that all transfers of Personal Data to us in the United States from the EU are conducted in compliance with all applicable regulatory obligations, the guidance of data protection authorities and evolving best practices. The GDPR also imposes significant penalties for non-compliance and may continue to cause our company to incur increased compliance costs. The CCPA and the GDPR are subject to differing interpretations and may cause us to incur substantial compliance costs and/or to make significant changes in our business operations, all of which may adversely affect our revenues and our business overall.

20


Table of Contents

 

In addition, we are subject to certain contractual obligations and privacy policies and practices regarding the collection, use, storage, transfer, disclosure, disposal or processing of personal data. Even the perception of a failure by us to comply with such contractual obligations and/or privacy policies and practices or other privacy concerns, whether or not valid, may harm our reputation, inhibit adoption of our solutions by current and future customers or adversely impact our ability to attract and retain workforce talent.

Loss, retention or misuse of certain information and alleged violations of laws and regulations relating to privacy and data security, and any relevant claims, may expose us to potential liability and may require us to expend significant resources on data security and in responding to and defending such allegations and claims. In addition, future laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations could impair our customers’ ability to collect, use or disclose data relating to individuals, which could decrease demand for our platform and solutions, increase our costs and impair our ability to maintain and grow our customer base and increase our revenue.

Around the world, there are numerous lawsuits in process against various technology companies that process personal data. If those lawsuits are successful, it could increase the likelihood that our company may be exposed to liability for our own policies and practices concerning the processing of personal data and could hurt our business. Furthermore, the costs of compliance with, and other burdens imposed by laws, regulations and policies concerning privacy and data security that are applicable to the businesses of our customers may limit the use and adoption of our platform or solutions and reduce overall demand for them. Privacy concerns, whether or not valid, may inhibit market adoption of our platform. Additionally, concerns about security or privacy may result in the adoption of new legislation that restricts the implementation of technologies like ours or requires us to make modifications to our platform, which could significantly limit the adoption and deployment of our technologies or result in significant expense to modify our platform.

We publicly post our privacy policies and practices concerning our processing, use and disclosure of the personally identifiable information provided to us by our website visitors. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive or misrepresentative of our actual policies and practices or if our practices are found to be unfair.

Evolving and changing definitions of what constitutes “Personal Information” and “Personal Data” within the EU, the United States and elsewhere, especially relating to classification of IP addresses, machine or device identification numbers, location data and other information, may limit or inhibit our ability to operate or expand our business, including limiting technology alliance relationships that may involve the sharing of data.

Forecasting our estimated annual effective tax rate for financial accounting purposes is complex and subject to uncertainty, and there may be material differences between our forecasted and actual tax rates.

Forecasts of our income tax position and effective tax rate for financial accounting purposes are complex and subject to uncertainty because our income tax position for each year combines the effects of a mix of profits earned and losses incurred by us in various tax jurisdictions with a broad range of income tax rates, as well as changes in the valuation of deferred tax assets and liabilities, the impact of various accounting rules and changes to these rules and tax laws, the results of examinations by various tax authorities, and the impact of any acquisition, business combination or other reorganization or financing transaction. To forecast our tax rate, we estimate our pre-tax profits and losses by jurisdiction and forecast our tax expense by jurisdiction. If the mix of profits and losses, our ability to use tax credits, or effective tax rates by jurisdiction is different than those estimated, our actual tax rate could be materially different than forecasted, which could have a material impact on our results of business, financial condition and results of operations.

Comprehensive U.S. federal tax reform legislation could adversely affect our business and financial condition.

On December 22, 2017, U.S. Federal tax reform was enacted with the signing of the Tax Cuts and Jobs Act, (the “TCJA”). Notable provisions of the TCJA include significant changes to corporate taxation, including reduction of the corporate tax rate from a top marginal rate of 35% to a flat rate of 21%, limitation of the tax deduction for interest expense to 30% of adjusted earnings (except for certain small businesses), limitation of the deduction for net operating losses to 80% of current year taxable income and elimination of net operating loss carrybacks, one time taxation of offshore earnings at reduced rates regardless of whether they are repatriated, elimination of U.S. tax on foreign earnings (subject to certain important exceptions), immediate deductions for certain new investments instead of deductions for depreciation expense over time, and modification or repeal many business deductions and credits. 

 

21


Table of Contents

 

The U.S. Department of Treasury has broad authority to issue regulations and interpretative guidance that may significantly impact how we will apply the law and impact our results of operations in the period issued. As additional regulatory guidance is issued by the applicable taxing authorities, as accounting treatment is clarified, as we perform additional analysis on the application of the law, and as we refine estimates in calculating the effect, our final analysis, which will be recorded in the period completed, may be different from our current provisional amounts, which could materially affect our tax obligations and effective tax rate.

We may acquire or invest in companies, which may divert our management’s attention and result in additional dilution to our stockholders. We may be unable to integrate acquired businesses and technologies successfully or achieve the expected benefits of such acquisitions, and acquisitions, particularly of development stage companies, may adversely affect our operating results and liquidity as well as our ability to meet expectations.

Our success will depend, in part, on our ability to expand our solutions and services and grow our business in response to changing technologies, customer demands and competitive pressures. In some circumstances, we may choose to do so through the acquisition of, or investment in, new or complementary businesses and technologies rather than through internal development. As a function of the industry in which we operate, we may acquire development stage companies that are not yet profitable, and that require continued investment, which could adversely affect our results of operations and liquidity as well as our ability to meet expectations, particularly if they were formulated prior to such acquisitions. Development stage companies generally involve a higher degree of risk and have not been proven, require additional capital to develop, and typically do not generate enough revenue to offset increased expenses associated therewith.

The identification of suitable acquisition or investment candidates can be difficult, time-consuming and costly, and we may not be able to successfully complete identified acquisitions or investments. The risks we face in connection with acquisitions and/or investments include:

 

an acquisition may negatively affect our operating results because it may require us to incur charges or assume substantial debt or other liabilities, may cause adverse tax consequences or unfavorable accounting treatment, may expose us to claims and disputes by stockholders and third parties, including intellectual property claims and disputes, or may not generate sufficient financial return to offset additional costs and expenses related to the acquisition;

 

we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel or operations of any company that we acquire;

 

an acquisition or investment may disrupt our ongoing business, divert resources, increase our expenses and distract our management;

 

an acquisition may result in a delay or reduction of customer purchases for both us and the company acquired due to customer uncertainty about continuity and effectiveness of service from either company;

 

we may encounter difficulties in, or may be unable to, successfully sell any acquired products or effectively integrate them into or with our existing solutions;

 

our use of cash to pay for acquisitions or investments would limit other potential uses for our cash;

 

if we incur debt to fund any acquisitions or investments, such debt may subject us to material restrictions on our ability to conduct our business; and

 

if we issue a significant amount of equity securities in connection with future acquisitions, existing stockholders may be diluted and earnings per share may decrease.

The occurrence of any of these risks could prevent us from realizing the anticipated benefits of an acquisition and could adversely affect our business, operating results and financial condition.

Any failure to maintain high-quality customer satisfaction may adversely affect our relationships with our customers, including customer renewals, which could adversely affect our business.

We typically bundle customer support with arrangements for our solutions. In deploying and using our platform and solutions, our customers typically require the assistance of our support teams to resolve complex technical and operational issues. We may be unable to modify the nature, scope and delivery of our customer support to compete with changes in product support services provided by our competitors. Increased customer demand for support, without corresponding revenue, could increase costs and adversely affect our operating results. We may also be unable to respond quickly enough to accommodate short-term increases in customer demand for support. Our sales are highly dependent on our reputation and on positive recommendations from our existing customers. Customer satisfaction will become even more important as our customers increasingly shift to subscription-based arrangements. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality product support, could adversely affect our reputation and our ability to sell our solutions to existing and new customers.

22


Table of Contents

 

If we are not able to maintain and enhance our brand or reputation as an industry leader and innovator, our business and operating results may be adversely affected.

We believe that maintaining and enhancing our reputation as a leader and innovator in the market for identity and data governance solutions is critical to our relationship with our existing customers and commercial relationships and our ability to attract new customers and commercial relationships. The successful promotion of our brand attributes will depend on a number of factors, including our marketing efforts, our ability to continue to develop high-quality features and solutions for our platform and our ability to successfully differentiate our platform and solutions from competitive products and services. Our brand promotion activities may not be successful or yield increased revenue. In addition, independent industry analysts often provide reports of our platform and solutions, as well as products and services of our competitors, and perception of our platform and solutions in the marketplace may be significantly influenced by these reports. If these reports are negative, or less positive as compared to those of our competitors’ products and services, our reputation may be adversely affected. Additionally, the performance of our channel partners may affect our brand and reputation if customers do not have a positive experience with our solutions as implemented by our channel partners or with the implementation generally. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new geographies and vertical markets, and as more sales are generated through our channel partners. To the extent that these activities yield increased revenue, this revenue may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand and reputation, our business and operating results may be adversely affected.

If our platform and solutions do not effectively interoperate with our customers’ existing or future IT infrastructures, installations could be delayed or cancelled, which would harm our business.

Our success depends on the interoperability of our platform and solutions with third-party operating systems, applications, data and devices that we have not developed and do not control. Any changes in such operating systems, applications, data or devices that degrade the functionality of our platform or solutions or give preferential treatment to competitive software could adversely affect the adoption and usage of our platform. We may not be successful in adapting our platform or solutions to operate effectively with these applications, data or devices. If it is difficult for our customers to access and use our platform or solutions, or if our platform or solutions cannot connect a broadening range of applications, data and devices, then our customer growth and retention may be harmed, and our business and operating results could be adversely affected.

Our success depends on the experience and expertise of our senior management team and key employees. If we are unable to hire, retain, train and motivate our personnel, our business, operating results and prospects may be harmed.

Our success has depended, and continues to depend, on the efforts and talents of our senior management team and key employees, including our engineers, product managers, sales and marketing personnel and professional services personnel. Our future success will also depend upon our continued ability to identify, hire and retain additional skilled and highly qualified personnel, which will require significant time, expense and attention.

Our officers and key employees are employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of one or more members of our senior management team, particularly if closely grouped, could adversely affect our ability to execute our business plan and thus, our business, operating results and prospects. We do not maintain key man insurance on any of our officers or key employees, and we may not be able to find adequate replacements. If we fail to identify, recruit and integrate strategic hires, our business, operating results and financial condition could be adversely affected.

We have from time to time experienced, and we expect to continue to experience, difficulty in hiring, and may in the future have difficulty retaining, employees with appropriate qualifications and many of the companies with which we compete for experienced personnel have greater resources than we have. In addition to hiring new employees, we must continue to focus on training, motivating and retaining our best employees, but they may terminate their employment relationship with us at any time. Competition for highly skilled personnel is intense, and we may need to invest significant amounts of cash and equity to attract and retain new employees, and we may never realize returns on these investments.

Competition for well-qualified employees in all aspects of our business, including sales personnel, professional services personnel and software engineers, is intense. Our primary recruiting competition are well-known, high-paying firms. Our continued ability to compete effectively depends on our ability to attract new employees and to retain and motivate existing employees. If we do not succeed in attracting well-qualified employees or retaining and motivating existing employees, our business would be adversely affected.

23


Table of Contents

 

Our corporate culture has contributed to our success, and if we cannot maintain this culture as we grow, we could lose the innovation, creativity and teamwork fostered by our culture, which could adversely affect our business.

We believe that our culture has been and will continue to be a key contributor to our success. From January 1, 2017 to December 31, 2019, we have increased the size of our workforce by 346 employees domestically and 165 employees internationally, and we expect to continue to hire aggressively as we expand. In addition, we plan to continue to expand our international operations, which may affect our culture as we seek to find, hire and integrate additional international employees while maintaining our corporate culture. If we do not continue to maintain our corporate culture as we grow, we may be unable to continue to foster the innovation, integrity, and collaboration we believe we need to support our growth. Our substantial anticipated headcount growth, and international expansion may result in a change to our corporate culture, which could adversely affect our business.

Because our long-term success depends, in part, on our ability to expand the sales and marketing of our platform and solutions to customers located outside of the United States, and we perform a significant portion of our development outside of the United States, our business will be susceptible to risks associated with international operations.

At December 31, 2019, we had sales and marketing and product development personnel outside the United States in Australia, Belgium, Canada, France, Germany, Hong Kong, India, Israel, Italy, Japan, the Netherlands, Norway, Singapore, Sweden, Switzerland, Taiwan, and the United Kingdom, and we intend to expand our international sales and marketing operations.

Conducting international operations subjects us to risks that we do not generally face in the United States. These risks include:

 

encountering existing and new competitors with stronger brand recognition in the new markets;

 

challenges developing, marketing, selling and implementing our platform and solutions caused by language, cultural and ethical differences and the competitive environment;

 

heightened risks of unethical, unfair or corrupt business practices, actual or claimed, in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;

 

political instability, war, armed conflict or terrorist activities;

 

public health issues, including outbreaks of contagious diseases or illnesses;

 

currency fluctuations;

 

the risks of currency hedging activities to limit the impact of exchange rate fluctuations, should we engage in such activities in the future;

 

difficulties in managing systems integrators and technology providers;

 

laws imposing heightened restrictions on data usage and increased penalties for failure to comply with applicable laws, particularly in the European Union (“EU”);

 

risks associated with trade restrictions and foreign import requirements, including the importation, certification and localization of our solutions required in foreign countries, as well as changes in trade, tariffs, restrictions or requirements;

 

potentially different pricing environments, longer sales cycles and longer accounts receivable payment cycles and collections issues;

 

management communication and integration problems resulting from cultural differences and geographic dispersion;

 

increased turnover of international personnel as compared to our domestic operations;

 

potentially adverse tax consequences, including multiple and possibly overlapping tax structures, the complexities of foreign value added tax systems, restrictions on the repatriation of earnings and changes in tax rates;

 

greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;

 

the uncertainty and limitation of protection for intellectual property rights in some countries;

 

increased financial accounting and reporting burdens and complexities; and

 

lack of familiarity with local laws, customs and practices, and laws and business practices favoring local competitors or commercial parties.

The occurrence of any one of these risks could harm our international business and, consequently, our operating results. Additionally, operating in international markets requires significant management attention and financial resources. We cannot be certain that the investment and additional resources required to operate in other countries will produce desired levels of revenue or net income.

 

24


Table of Contents

 

In addition, general worldwide economic conditions could experience significant downturns and instability, including as a result of changes in global trade policies, such as how the United Kingdom's vote to exit the EU, commonly referred to as "Brexit," develops in the United Kingdom, trade disputes and increased tariffs between the United States and China, or other political or economic developments. For example, Brexit has created substantial economic and political uncertainty, the impact of which depends on the terms of the United Kingdom’s withdrawal from the EU. This uncertainty may cause some of our customers or potential customers to curtail spending and may ultimately result in new regulatory and cost challenges to our United Kingdom and global operations. These conditions make it extremely difficult for our customers and us to forecast and plan future business activities accurately, and they could cause our customers to reevaluate their decisions to purchase our products, which could delay and lengthen our sales cycles or result in cancellations of planned purchases. Furthermore, during challenging economic times and/or during times of rising interest rates, our customers may tighten their budgets and face issues in gaining timely access to sufficient and/or affordable credit, which could result in an impairment of their ability to make timely payments to us. In turn, we may be required to increase our allowance for doubtful accounts, which would adversely affect our financial results.

Adverse economic conditions may negatively impact our business.

Our business depends on the overall demand for information technology and on the economic health of our current and prospective customers. Any significant weakening of the economy in the United States or of the global economy, more limited availability of credit, a reduction in business confidence and activity, decreased government spending, economic uncertainty and other difficulties may affect one or more of the sectors or countries in which we sell our solutions. Global economic and political uncertainty may cause some of our customers or potential customers to curtail spending generally or IT and identity and data governance spending specifically and may ultimately result in new regulatory and cost challenges to our international operations. In addition, a strong dollar could reduce demand for our products in countries with relatively weaker currencies. These adverse conditions could result in reductions in sales of our solutions, longer sales cycles, slower adoption of new technologies and increased price competition. Any of these events could have an adverse effect on our business, operating results and financial position.

Forecasts of our market and market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, there can be no assurance that our business will grow at similar rates, or at all.

Growth forecasts relating to our market opportunity and the expected growth in that market are subject to significant uncertainty and are based on assumptions and estimates which may prove to be inaccurate. Even if this market meets our size estimate and experiences the forecasted growth, we may not grow our business at a similar rate, or at all. Our growth is subject to many factors, including our success in implementing our business strategy, which is subject to many risks and uncertainties. Accordingly, our forecasts of market growth should not be taken as indicative of our future growth.

If we fail to meet contractual commitments related to response time, service level commitments or quality of professional services, we could be obligated to provide credits for future service, or face contract termination, which could adversely affect our business, operating results and financial condition.

Depending on the products purchased, our customer agreements contain service level agreements, under which we guarantee specified availability of our platform and solutions. If we are unable to meet the stated service level commitments to our customers or suffer extended periods of unavailability of our SaaS platform or solutions, we may be contractually obligated to provide affected customers with service credits or customers could elect to terminate and receive refunds for prepaid amounts. In addition, if the quality of our professional services does not meet contractual requirements, we may be required to re-perform the services at our expense or refund amounts paid for the services. Any failure to meet these contractual commitments could adversely affect our revenue, operating results and financial condition and any failure to meet service level commitments or extended service outages of our SaaS solutions could adversely affect our business and reputation as customers may elect not to renew and we could lose future sales.

25


Table of Contents

 

Our business depends, in part, on sales to the public sector, and significant changes in the contracting or fiscal policies of the public sector could have an adverse effect on our business.

We derive a portion of our revenue from sales of our solutions to federal, state, local and foreign governments, and we believe that the success and growth of our business will continue to depend in part on our successful procurement of government contracts. Factors that could impede our ability to maintain or increase the amount of revenue derived from government contracts include:

 

changes in fiscal or contracting policies;

 

decreases in available government funding;

 

changes in government programs or applicable requirements;

 

the adoption of new laws or regulations or changes to existing laws or regulations; and

 

potential delays or changes in the government appropriations or other funding authorization processes.

The occurrence of any of the foregoing could cause governments and governmental agencies to delay or refrain from purchasing our solutions or otherwise have an adverse effect on our business, operating results and financial condition.

We use third-party licensed software in or with our solutions, and the inability to maintain these licenses or issues with the software we license could result in increased costs or reduced service levels, which would adversely affect our business.

Our solutions include software or other intellectual property licensed from third parties, and we otherwise use software and other intellectual property licensed from third parties in our business. We anticipate that we will continue to rely on such third-party software and intellectual property in the future. This exposes us to risks over which we may have little or no control. The third-party software we currently license may not always be available, and we may not have access to alternative third-party software on commercially reasonable terms. In addition, a third party may assert that we or our customers are in breach of the terms of a license, which could, among other things, give such third party the right to terminate a license or seek damages from us, or both. Our inability to obtain or maintain certain licenses or other rights or to obtain or maintain such licenses or rights on favorable terms, or the need to engage in litigation regarding these matters, could result in delays in releases of new solutions, and could otherwise disrupt our business, until equivalent technology can be identified, licensed or developed, if at all. Also, to the extent that our platform and solutions depend upon the successful operation of third-party software in conjunction with our software, any undetected errors or defects in such third-party software could prevent the deployment or impair the functionality of our platform, delay new feature introductions, result in a failure of our platform and injure our reputation.

Our failure to raise additional capital or generate cash flows necessary to expand our operations and invest in new technologies in the future could reduce our ability to compete successfully and harm our operating results.

We may need to raise additional funds, and we may not be able to obtain additional debt or equity financing on favorable terms, if at all. If we raise additional equity financing, our security holders may experience significant dilution of their ownership interests. If we engage in debt financing, we may be required to accept terms that restrict our ability to incur additional indebtedness, force us to maintain specified liquidity or other ratios or restrict our ability to pay dividends or make acquisitions. If we need additional capital and cannot raise it on acceptable terms, or at all, we may not be able to, among other things:

 

develop and enhance our products;

 

continue to expand our product development, sales and marketing organizations;

 

hire, train and retain employees;

 

respond to competitive pressures or unanticipated working capital requirements; or

 

pursue acquisition opportunities.

Our credit agreement contains restrictions that impact our business and could expose us to risks that could adversely affect our liquidity and financial condition.

Our credit agreement contains various covenants that, among other things, limit our and certain of our subsidiaries’ abilities to:

 

incur additional indebtedness or guarantee indebtedness of others;

 

create additional liens on our assets;

 

merge, consolidate or dissolve;

 

make loans or investments, including acquisitions;

26


Table of Contents

 

 

sell assets;

 

engage in sale and leaseback transactions;

 

pay dividends and make other distributions on our capital stock, and redeem and repurchase our capital stock; or

 

enter into transactions with affiliates.

Our credit agreement also contains numerous affirmative covenants and a financial covenant. Any additional debt that we incur in the future could subject us to similar or additional covenants.

We have historically relied on the availability of some amount of debt financing. If we experience a decline in cash flow due to any of the factors described in this “Risk Factors” section or otherwise, we could have difficulty paying interest and principal amounts due on our indebtedness and meeting the financial covenant set forth in our credit agreement. If we are unable to generate sufficient cash flow or otherwise to obtain the funds necessary to make required payments under our credit agreement, or if we fail to comply with the various requirements of our indebtedness, we could default under our credit agreement. Any such default that is not cured or waived could result in an acceleration of indebtedness then outstanding under our credit agreement, an increase in the applicable interest rates under our credit agreement, and require our subsidiaries that have guaranteed our borrowings under our credit agreement to pay the obligations in full, and would permit the lenders to exercise remedies with respect to all of the collateral that is securing our borrowings under the credit agreement, including substantially all of our and our subsidiary guarantors’ assets. Thus, any such default could have a material adverse effect on our liquidity and financial condition.

If we fail to adequately protect our proprietary rights, our competitive position could be impaired, and we may lose valuable assets, generate reduced revenue and incur costly litigation to protect our rights.

We rely on copyrights, trade secret laws, confidentiality procedures, employment proprietary information and inventions assignment agreements, trademarks and patents to protect our intellectual property rights. However, the steps we take to protect our intellectual property may not be adequate. To protect our trade secrets and proprietary information, we rely in significant part on confidentiality arrangements with our employees, licensees, independent contractors, advisers, channel partners, resellers and customers. These arrangements may not be effective to prevent disclosure of confidential information, including trade secrets, and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. In addition, if others independently discover trade secrets and proprietary information, we would not be able to assert trade secret rights against such parties. To protect our intellectual property, we may be required to spend significant resources to obtain, monitor and enforce such rights. Litigation brought to enforce our intellectual property could be costly, time-consuming and distracting to management and could be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property, which may result in the impairment or loss of portions of our intellectual property. The laws of some foreign countries do not protect our intellectual property to the same extent as the laws of the United States, and effective intellectual property protection and mechanisms may not be available in those jurisdictions. We may need to expend additional resources to defend our intellectual property in these countries, and our inability to do so could impair our business or adversely affect our international expansion. Even if we are able to secure intellectual property, there can be no assurances that such rights will provide us with competitive advantages or distinguish our platform or solutions and services from those of our competitors or that our competitors will not independently develop similar technology.

We may be subject to intellectual property rights claims by third parties, which may be costly to defend, could require us to pay significant damages and could limit our ability to use certain technologies.

Companies in the software and technology industries, including some of our current and potential competitors, own large numbers of patents, copyrights, trademarks and trade secrets and frequently enter into litigation based on allegations of infringement, misappropriation or other violations of intellectual property rights. We have in the past and may in the future be subject to notices that claim we have infringed, misappropriated or misused the intellectual property of our competitors or other third parties, including patent holding companies whose sole business is to assert such claims. To the extent we increase our visibility in the market, we face a higher risk of being the subject of intellectual property claims. Additionally, we do not have a significant patent portfolio, which could prevent us from deterring patent infringement claims through our own patent portfolio, and our competitors and others may now or in the future have significantly larger and more mature patent portfolios than we do.

27


Table of Contents

 

Any intellectual property claims, with or without merit, could be time-consuming and expensive and could divert our management’s attention and other resources. These claims could also subject us to significant liability for damages, potentially including treble damages if we are found to have willfully infringed patents or copyrights. These claims could also result in our having to stop using technology found to be in violation of a third party’s rights. We might be required to seek a license for the intellectual property, which may not be available on reasonable terms or at all. Even if a license is available, we could be required to pay significant royalties, which would increase our operating expenses. As a result, we may be required to develop alternative non-infringing technology, which could require significant effort and expense. If we cannot license or develop technology for any aspect of our business that may ultimately be determined to infringe on or misappropriate the intellectual property rights of another party, we could be forced to limit or stop sales of licenses to our platform and solutions and may be unable to compete effectively. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property pursuant to our agreements with our channel partners or customers. Any of these results would adversely affect our business, operating results and financial condition.

Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.

Our agreements with customers and other third parties may include indemnification provisions under which we agree to indemnify them or otherwise be liable for losses suffered or incurred as a result of claims of intellectual property infringement or misappropriation, damages caused by us to property or persons, or other liabilities relating to or arising from our platform, solutions, services or other contractual obligations. Some of these indemnity agreements provide for uncapped liability for which we would be responsible, and some indemnity provisions survive termination or expiration of the applicable agreement.

From time to time, customers also require us to indemnify or otherwise be liable to them for breach of confidentiality, violation of applicable law or failure to implement adequate security measures with respect to their data stored, transmitted or accessed using our platform. Although we normally seek contractual limitations to our liability with respect to the foregoing obligations, the existence of such a dispute may have adverse effects on our customer relationship and reputation and even if we contractually limit our liability with respect to such obligations, we may still incur substantial liability related to them. Any assertions by a third party, whether or not successful, with respect to any of these indemnification obligations could subject us to costly and time-consuming litigation, expensive remediation and licenses, divert management attention and financial resources, harm our relationship with that customer and other current and prospective customers, reduce demand for our platform and solutions, and harm our brand, business, operating results and financial condition. Any dispute with a customer with respect to such obligations could have adverse effects on our relationship with that customer and other existing customers and new customers and adversely affect our business and operating results.

We may be subject to damages resulting from claims that our employees or contractors have wrongfully used or disclosed alleged trade secrets of their former employers or other parties.

We could in the future be subject to claims that we, our employees or our contractors have inadvertently or otherwise used or disclosed trade secrets or other proprietary information of our competitors or other parties. Litigation may be necessary to defend against these claims. If we fail in defending against such claims, a court could order us to pay substantial damages and prohibit us from using technologies or features that are essential to our solutions, if such technologies or features are found to incorporate or be derived from the trade secrets or other proprietary information of these parties. In addition, we may lose valuable intellectual property rights or personnel. A loss of key personnel or their work product could hamper or prevent our ability to develop, market and support potential solutions or enhancements, which could severely harm our business. Even if we are successful in defending against these claims, such litigation could result in substantial costs and be a distraction to management.

Our use of “open source” software could negatively affect our ability to sell our solutions and subject us to possible litigation.

Some aspects of our platform and solutions are built using open source software, and we intend to continue to use open source software in the future. From time to time, we contribute software source code to open source projects under open source licenses or release internal software projects under open source software licenses and anticipate doing so in the future. The terms of certain open source licenses to which we are subject have not been interpreted by U.S. or foreign courts, and there is a risk that open source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to monetize our products. Additionally, we may from time to time face claims from third parties claiming ownership of, or demanding release of, the open source software or derivative works that we developed using such software, which could include our proprietary source code, or otherwise seeking to enforce the terms of the applicable open source software license. These claims could result in litigation and could require us to make our software source code freely available, purchase a costly license or cease

28


Table of Contents

 

offering the implicated services unless and until we can re-engineer them to avoid infringement or violation. This re-engineering process could require significant additional research and development resources, and we may not be able to complete it successfully. In addition to risks related to license requirements, use of certain open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of software and, thus, may contain security vulnerabilities or broken code. Additionally, because any software source code we contribute to open source projects is publicly available, our ability to protect our intellectual property rights with respect to such software source code may be limited or lost entirely, and we may be unable to prevent our competitors or others from using such contributed software source code. Any of these risks could be difficult to eliminate or manage, and if not addressed, could have a negative effect on our business, operating results and financial condition.

We may be required to defer or adjust recognition of some of our license revenue, which may harm our operating results in any given period.

We may be required to defer or adjust recognition of license revenue for a significant period of time after entering into an agreement due to a variety of factors, including, among other things, whether:

 

the transaction involves products or features that are under development;

 

the transaction involves extended payment terms; or

 

the transaction involves acceptance criteria.

Although we strive to enter into agreements that meet the criteria under accounting principles generally accepted in the United States of America (“GAAP”) for current revenue recognition on delivered performance obligations, our agreements are often subject to negotiation and revision based on the demands of our customers. The final terms of our agreements sometimes result in deferred revenue recognition well after the time of delivery, which may adversely affect our financial results in any given period.

Furthermore, the presentation of our financial results requires us to make estimates and assumptions that may affect revenue recognition, including determination of stand-alone selling price. In some instances, we could reasonably use different estimates and assumptions, and changes in estimates are likely to occur from period to period. Accordingly, actual results could differ significantly from our estimates.

If our estimates or judgments relating to our critical accounting policies prove to be incorrect, our operating results could be adversely affected.

The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to revenue recognition, capitalized internal-use software costs, income taxes, other non-income taxes, business combinations and valuation of goodwill and purchased intangible assets and stock-based compensation. Our operating results may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations of securities analysts and investors, resulting in a decline in the trading price of our common stock.

Changes in existing financial accounting standards or practices, or taxation rules or practices, may harm our operating results.

Changes in existing accounting or taxation rules or practices, new accounting pronouncements or taxation rules, or varying interpretations of current accounting pronouncements or taxation practice could harm our operating results or the manner in which we conduct our business. Further, such changes could potentially affect our reporting of transactions completed before such changes are effective.

GAAP is subject to interpretation by the Financial Accounting Standards Board (“FASB”), the SEC and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results and could affect the reporting of transactions completed before the announcement of a change.

 

 

29


Table of Contents

 

Our business may be subject to additional obligations to collect and remit sales tax, value-added and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, foreign or other authorities to collect additional or past sales tax could adversely affect our business.

States and some local taxing jurisdictions have differing rules and regulations governing sales and use taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our platform in various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as state tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We could also be subject to audits in states and international jurisdictions for which we have not accrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes on our services in jurisdictions where we have not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our products or otherwise adversely affect our business, operating results and financial condition.

We file sales tax returns in certain states within the United States as required by law and certain customer contracts for a portion of the products that we provide. We do not collect sales or other similar taxes in other states and many of such states do not apply sales or similar taxes to the vast majority of the products that we provide. However, one or more states or foreign authorities could seek to impose additional sales, use or other tax collection and record-keeping obligations on us or may determine that such taxes should have, but have not been, paid by us. Liability for past taxes may also include substantial interest and penalty charges. Any successful action by state, foreign or other authorities to compel us to collect and remit sales tax, use tax or other taxes, either retroactively, prospectively or both, could adversely affect our business, operating results and financial condition.

If our products fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and operating results could be materially and adversely affected.

We believe we generate a portion of our revenues from our products and services because our customers use our products and services as part of their efforts to achieve and maintain compliance with certain government regulations and industry standards, and we expect that will continue for the foreseeable future. Examples of industry standards and government regulations include the Payment Card Industry Data Security Standard (“PCI-DSS”); the Federal Information Security Management Act (“FISMA”) and associated National Institute for Standards and Testing (“NIST”) Network Security Standards; the Sarbanes-Oxley Act; Title 21 of the U.S. Code of Federal Regulations, which governs food and drugs industries; the North American Electric Reliability Corporation Critical Infrastructure Protection Plan (“NERC-CIP”); the GDPR; the German Federal Financial Supervisory Authority (“BaFin”) Minimum Requirements for Risk Management; and the Monetary Authority of Singapore’s Technology Risk Management Notices. These industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses. In addition, governments may also adopt new laws or regulations, or make changes to existing laws or regulations, that could affect whether our customers believe our solution assists them in maintaining compliance with such laws or regulations. If our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our products and could switch to products offered by our competitors. In addition, if government regulations and industry standards related to IT security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their businesses, and our customers may be less willing to purchase our products and services. In either case, our sales and financial results would suffer.

We are subject to governmental export controls and economic sanctions laws that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.

Our business activities are subject to various restrictions under U.S. export controls and trade and economic sanctions laws, including the U.S. Commerce Department’s Export Administration Regulations and economic and trade sanctions regulations maintained by the U.S. Treasury Department’s Office of Foreign Assets Control. The U.S. export control laws and U.S. economic sanctions laws include prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries, governments, persons and entities and also require authorization for the export of encryption items. We are also subject to Israeli export controls on encryption technology for SecurityIQ (now IdentityIQ File Access Manager). If the applicable U.S. or Israeli requirements regarding export of encryption technology were to change or if we change the encryption means in our products, we may need to satisfy additional requirements in the United States or Israel. There can be no assurance that we will be able to satisfy any additional requirements under these circumstances in either the United States or Israel.

30


Table of Contents

 

In addition, various countries regulate the import of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our services or could limit our customers’ ability to implement our services in those countries. Although we take precautions to prevent our products from being provided in violation of such laws, our products may have been in the past, and could in the future be, provided inadvertently in violation of such laws, despite the precautions we take. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and monetary penalties. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. Although we take precautions to prevent transactions with U.S. sanction targets, we could inadvertently provide our products to persons prohibited by U.S. sanctions. This could result in negative consequences to us, including government investigations, penalties and harm to our reputation.

Our corporate structure and intercompany arrangements are subject to the tax laws of various jurisdictions, and we could be obligated to pay additional taxes, which would harm our operating results.

Based on our current corporate structure, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents. In addition, the authorities in these jurisdictions could challenge our methodologies for valuing developed technology or intercompany arrangements, including our transfer pricing. The relevant taxing authorities may determine that the manner in which we operate our business does not achieve the intended tax consequences. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest and penalties. Such authorities could claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries. Any increase in the amount of taxes we pay or that are imposed on us could increase our worldwide effective tax rate and adversely affect our business and operating results.

Our ability to use net operating losses and other tax attributes to offset future taxable income may be subject to certain limitations.

In general, under Sections 382 and 383 of the Internal Revenue Code of 1986, as amended (the “Internal Revenue Code”), a corporation that undergoes an “ownership change” is subject to an annual limitation on its ability to utilize its pre-change net operating losses (“NOLs”), tax credits or other tax attributes, to offset future taxable income or taxes. For these purposes, an ownership change generally occurs where the aggregate stock ownership of one or more stockholders or groups of stockholders who own at least 5% of a corporation’s stock increases its ownership by more than 50 percentage points over its lowest ownership percentage within a specified testing period. Based on the results of the Company’s Section 382 studies, we believe the annual limitation will not result in the expiration of any NOLs, tax credits or other tax attributes prior to utilization. However, future changes in our stock ownership, many of which are outside of our control, could result in another “ownership change” and subsequently could substantially impair our ability to utilize any NOLs, tax credits or other tax attributes.

We function as a HIPAA “business associate” for certain of our customers and, as such, are subject to strict privacy and data security requirements. If we fail to comply with any of these requirements, we could be subject to significant liability, all of which can adversely affect our business as well as our ability to attract and retain new customers.

The Health Insurance Portability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their respective implementing regulations (“HIPAA”), imposes specified requirements relating to the privacy, security and transmission of individually identifiable health information. Among other things, HITECH makes HIPAA’s security standards directly applicable to “business associates.” We function as a business associate for certain of our customers that are HIPAA covered entities and service providers and, in that context, we are regulated as a business associate for the purposes of HIPAA. If we are unable to comply with our obligations as a HIPAA business associate, we could face substantial civil and even criminal liability. Modifying the already stringent penalty structure that was present under HIPAA prior to HITECH, HITECH created four new tiers of civil monetary penalties and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorneys’ fees and costs associated with pursuing federal civil actions. In addition, many state laws govern the privacy and security of health information in certain circumstances, many of which differ from HIPAA and each other in significant ways and may not have the same effect.

31


Table of Contents

 

The HIPAA covered entities and service providers to which we provide services require us to enter into HIPAA-compliant business associate agreements with them. These agreements impose stringent data security obligations on us. If we are unable to meet the requirements of any of these business associate agreements, we could face contractual liability under the applicable business associate agreement as well as possible civil and criminal liability under HIPAA, all of which can have an adverse impact on our business and generate negative publicity, which, in turn, can have an adverse impact on our ability to attract and retain new customers.

Failure to comply with anti-bribery, anti-corruption, and anti-money laundering laws could subject us to penalties and other adverse consequences.

We are subject to the Foreign Corrupt Practices Act (“FCPA”), the U.K. Bribery Act and other anti-corruption, anti-bribery and anti-money laundering laws in various jurisdictions both domestic and abroad. The FCPA prohibits any U.S. individual or business from paying, offering, authorizing payment or offering of anything of value, directly or indirectly, to any foreign official, political party or candidate for the purpose of influencing any act or decision of the foreign entity in order to assist the individual or business in obtaining or retaining business. The U.K. Bribery Act is similar but even broader in scope in that it prohibits bribery of private (non-government) persons as well. The FCPA also obligates companies whose securities are listed in the United States to comply with certain accounting provisions requiring the company to maintain books and records that accurately and fairly reflect all transactions of the corporation, including international subsidiaries, and to devise and maintain an adequate system of internal accounting controls for international operations. Our sales model presents some risk under these laws. We leverage third parties, including channel partners, to sell our solutions and conduct our business abroad. We and our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies, state-owned or affiliated entities and non-governmental commercial entities, and may be held liable for the corrupt or other illegal activities of these third-party intermediaries, our employees, representatives, contractors, channel partners and agents, even if we do not explicitly authorize such activities. While we have policies and procedure to address compliance with these laws, we cannot assure you that all of our employees and agents will not take actions in violation of our policies and applicable law, for which we may be ultimately held responsible. Noncompliance with these laws could subject us to investigations, sanctions, settlements, prosecution, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, adverse media coverage and other consequences. Any investigations, actions or sanctions could adversely affect our business, operating results and financial condition.

Risks Related to Ownership of Our Common Stock

The requirements of being a public company, including compliance with the reporting requirements of the Exchange Act, and the requirements of the Sarbanes-Oxley Act and the NYSE, may strain our resources, increase our costs and distract management, and we may be unable to comply with these requirements in a timely or cost-effective manner.

We are subject to certain laws, regulations and requirements, including compliance with reporting requirements of the Exchange Act and the requirements of the Sarbanes-Oxley Act and the NYSE. For example, we have a comprehensive compliance function, internal governance policies, such as those relating to insider trading, and frequently involve and retain outside counsel and accountants to enhance our compliance efforts. Additionally, we must comply with Section 404 of the Sarbanes-Oxley Act, including having our independent registered public accounting firm attest to the effectiveness of our internal controls. Our independent registered public accounting firm may issue a report attesting to the effectiveness of our internal controls that is adverse in the event it is not satisfied with the level at which our controls are documented, designed, operated or reviewed. Compliance with these requirements may strain our resources, increase our costs and distract management, and we may be unable to comply with these requirements in a timely or cost-effective manner.

 

Furthermore, being subject to these rules and regulations makes it more expensive for us to obtain director and officer liability insurance as compared to when we were a private company, and we may be required to accept reduced policy limits and coverage or incur substantially higher costs to obtain the same or similar coverage. As a result, it may be more difficult for us, as a public company, to attract and retain qualified individuals to serve on our board of directors or as executive officers.

32


Table of Contents

 

The trading price of our common stock could be volatile, which could cause the value of your investment to decline.

Our initial public offering occurred in November 2017. Therefore, there has only been a public market for our common stock for a short period of time. Although our common stock is listed on the NYSE, an active trading market for our common stock may not develop or, if developed, be sustained. Technology stocks have historically experienced high levels of volatility. Since shares of our common stock were sold in our initial public offering in November 2017 at a price of $12.00 per share, our stock price has fluctuated significantly. The trading price of our common stock may fluctuate substantially in response to numerous factors, many of which are beyond our control, including the factors listed below and other factors described in this “Risk Factors” section:

 

announcements of new products or technologies, commercial relationships, acquisitions or other events by us or our competitors;

 

changes in how customers perceive the benefits of our platform;

 

shifts in the mix of revenue attributable to perpetual licenses and to SaaS subscriptions from quarter to quarter;

 

departures of key personnel;

 

price and volume fluctuations in the overall stock market from time to time;

 

fluctuations in the trading volume of our shares or the size of our public float;

 

sales of large blocks of our common stock;

 

actual or anticipated changes or fluctuations in our operating results;

 

whether our operating results meet the expectations of securities analysts or investors;

 

changes in actual or future expectations of investors or securities analysts;

 

litigation involving us, our industry or both;

 

regulatory developments in the United States, foreign countries or both;

 

general economic conditions and trends;

 

major catastrophic events in our domestic and foreign markets;

 

cyber-attacks or incidents; and

 

“flash crashes,” “freeze flashes” or other glitches that disrupt trading on the securities exchange on which we are listed.

In addition, if the market for technology stocks or the stock market in general experiences a loss of investor confidence, the trading price of our common stock could decline for reasons unrelated to our business, operating results or financial condition. The trading price of our common stock might also decline in reaction to events that affect other companies in our industry even if these events do not directly affect us.

In the past, following periods of volatility in the trading price of a company’s securities, securities class action litigation has often been brought against that company. If our stock price is volatile, we may become the target of securities litigation. Securities litigation could result in substantial costs and divert our management’s attention and resources from our business. This could have an adverse effect on our business, operating results and financial condition.

If securities analysts or industry analysts were to downgrade our stock, publish negative research or reports or fail to publish reports about our business, our competitive position could suffer, and our stock price and trading volume could decline.

The trading market for our common stock, to some extent, depends on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If one or more of the analysts who cover us should downgrade our stock or publish negative research or reports, cease coverage of our company or fail to regularly publish reports about our business, our competitive position could suffer, and our stock price and trading volume could decline.

Our issuance of additional capital stock in connection with financings, acquisitions, investments, our stock incentive plans or otherwise will dilute all other stockholders.

We may issue additional capital stock in the future that will result in dilution to all other stockholders. We may also raise capital through equity financings in the future. As part of our business strategy, we may acquire or make investments in complementary companies, products or technologies and issue equity securities to pay for any such acquisition or investment. Any such issuances of additional capital stock may cause stockholders to experience significant dilution of their ownership interests and the per share value of our common stock to decline.

33


Table of Contents

 

Our charter and bylaws contain anti-takeover provisions that could delay or discourage takeover attempts that stockholders may consider favorable.

Our charter and bylaws contain provisions that could delay or prevent a change in control of our company. These provisions could also make it difficult for stockholders to elect directors who are not nominated by the current members of our board of directors or take other corporate actions, including effecting changes in our management. These provisions include:

 

a classified board of directors with three-year staggered terms, which could delay the ability of stockholders to change the membership of a majority of our board of directors;

 

removal of directors only for cause;

 

the ability of our board of directors to issue shares of preferred stock and to determine the price and other terms of those shares, including preferences and voting rights, without stockholder approval, which could be used to significantly dilute the ownership of a hostile acquirer;

 

allowing only our directors to fill vacancies on our board of directors;

 

a prohibition on stockholder action by written consent, which forces stockholder action to be taken at an annual or special meeting of our stockholders;

 

the requirement that a special meeting of stockholders may be called only by or at the direction of our board of directors, which could delay the ability of our stockholders to force consideration of a proposal or to take action, including the removal of directors;

 

the requirement for the affirmative vote of holders of at least 66 2/3% of the voting power of all of the then outstanding shares of the voting stock, voting together as a single class, to amend the provisions of our charter relating to the management of our business (including our classified board structure) or certain provisions of our bylaws, which may inhibit the ability of an acquirer to effect such amendments to facilitate an unsolicited takeover attempt;

 

the ability of our board of directors to amend the bylaws, which may allow our board of directors to take additional actions to prevent an unsolicited takeover and inhibit the ability of an acquirer to amend the bylaws to facilitate an unsolicited takeover attempt;

 

advance notice procedures with which stockholders must comply to nominate candidates to our board of directors or to propose matters to be acted upon at a stockholders’ meeting, which may discourage or deter a potential acquirer from conducting a solicitation of proxies to elect the acquirer’s own slate of directors or otherwise attempting to obtain control of us; and

 

a prohibition of cumulative voting in the election of our board of directors, which would otherwise allow less than a majority of stockholders to elect director candidates.

Our charter also contains a provision that provides us with protections similar to Section 203 of the Delaware General Corporation Law (“DGCL”), and prevents us from engaging in a business combination, such as a merger, with an interested stockholder (i.e., a person or group who acquires at least 15% of our voting stock) for a period of three years from the date such person became an interested stockholder, unless (with certain exceptions) the business combination or the transaction in which the person became an interested stockholder is approved in a prescribed manner.

We may issue preferred stock whose terms could adversely affect the voting power or value of our common stock.

Our charter authorizes us to issue, without the approval of our stockholders, one or more classes or series of preferred stock having such designations, preferences, limitations and relative rights, including preferences over our common stock respecting dividends and distributions, as our board of directors may determine. The terms of one or more classes or series of preferred stock could adversely impact the voting power or value of our common stock. For example, we might grant holders of preferred stock the right to elect some number of our directors in all events or on the happening of specified events or the right to veto specified transactions. Similarly, the repurchase or redemption rights or liquidation preferences we might assign to holders of preferred stock could affect the residual value of our common stock.

34


Table of Contents

 

Our charter designates the Court of Chancery of the State of Delaware as the sole and exclusive forum for certain types of actions and proceedings that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, employees or agents.

Our charter provides that, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware will, to the fullest extent permitted by applicable law, be the sole and exclusive forum for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers, employees or agents to us or our stockholders, (iii) any action asserting a claim arising pursuant to any provision of the DGCL, our charter or bylaws, or (iv) any action asserting a claim against us that is governed by the internal affairs doctrine, in each such case subject to such Court of Chancery of the State of Delaware having personal jurisdiction over the indispensable parties named as defendants therein. Any person or entity purchasing or otherwise acquiring any interest in shares of our capital stock will be deemed to have notice of, and consented to, the provisions of our charter described in the preceding sentence. This choice of forum provision may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers, employees or agents, which may discourage such lawsuits against us and such persons. Alternatively, if a court were to find these provisions of our charter inapplicable to, or unenforceable in respect of, one or more of the specified types of actions or proceedings, we may incur additional costs associated with resolving such matters in other jurisdictions, which could adversely affect our business, financial condition or operating results.

The enforceability of similar exclusive forum provisions in other companies’ charters has been challenged in legal proceedings, and it is possible that, in connection with one or more actions or proceedings described above, a court could rule that this provision in our charter is inapplicable or unenforceable. For example, the choice of forum provisions summarized above are not intended to, and would not, apply to suits brought to enforce any liability or duty created by the Securities Exchange Act of 1934, as amended (the “Exchange Act”), or other claim for which the federal courts have exclusive jurisdiction. Additionally, there is uncertainty as to whether our choice of forum provisions would be enforceable with respect to suits brought to enforce any liability or duty created by the Securities Act of 1933, as amended (the “Securities Act”), or other claims for which the federal courts have concurrent jurisdiction, and in any event stockholders will not be deemed to have waived the Company’s compliance with federal securities laws and rules and regulations thereunder.

Risks Related to the Notes

Servicing our future debt may require a significant amount of cash, and we may not have sufficient cash flow from our business to do so.

Our ability to make scheduled payments of the principal of, to pay interest on or to refinance our indebtedness, including our $400.0 million aggregate principal amount of 0.125% convertible senior notes due 2024 (the “Notes”) and any future borrowings under the Credit Agreement, depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Our business may not continue to generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional equity capital on terms that may be onerous or highly dilutive. Our ability to refinance our indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms. In addition, our credit facility and any of our future debt agreements may contain restrictive covenants that prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default, which, if not cured or waived, could result in the acceleration of our debt.

In addition, holders of the Notes have the right to require us to repurchase their Notes upon the occurrence of a fundamental change (as defined in the indenture governing the Notes) at a repurchase price equal to 100% of the principal amount of the Notes to be repurchased, plus accrued and unpaid interest, if any. In such event, we may not have enough available cash or be able to obtain financing at the time to make repurchases of the Notes surrendered therefor. In addition, our ability to repurchase the Notes may be limited by our existing Credit Agreement or agreements governing our future indebtedness. Our failure to repurchase the Notes at a time when the repurchase is required by the indenture governing the Notes would constitute a default under such indenture. A default under the indenture or the fundamental change itself could also lead to a default under agreements governing our existing credit facility or future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Notes.

35


Table of Contents

 

In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could:

 

make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry and competitive conditions and adverse changes in government regulation;

 

limit our flexibility in planning for, or reacting to, changes in our business and our industry;

 

place us at a disadvantage compared to our competitors who have less debt;

 

limit our ability to borrow additional amounts to fund acquisitions, for working capital and for other general corporate purposes; and

 

make an acquisition of our company less attractive or more difficult.

Any of these factors could harm our business, financial condition and operating results. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.

The conditional conversion feature of the Notes, if triggered, may adversely affect our financial condition and operating results.

In the event the conditional conversion feature of the Notes is triggered, holders of the Notes will be entitled to convert the Notes at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. In addition, even if holders do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital.

The Capped Call Transactions relating to the Notes may affect the value of our common stock.

Our Notes may become in the future convertible at the option of their holders under certain circumstances. The conversion of some or all of the Notes would dilute the ownership interests of existing stockholders to the extent we satisfy our conversion obligation by delivering shares of our common stock upon any conversion of such Notes. If holders of the Notes elect to convert their Notes, we may settle our conversion obligation by delivering to them a significant number of shares of our common stock, which would cause dilution to our existing stockholders.

In connection with the pricing of the Notes, we entered into privately negotiated capped call transactions (“Capped Call Transactions”) with the option counterparties. The Capped Call Transactions will generally reduce the potential dilution to our common stock upon any conversion of the Notes and/or offset any potential cash payments we are required to make in excess of the principal amount of converted Notes, as the case may be, with such reduction and/or offset subject to a cap.

In connection with establishing their initial hedges of the Capped Call Transactions, the option counterparties or their respective affiliates have purchased shares of our common stock and/or enter into various derivative transactions with respect to our common stock, including with certain investors in the Notes. Such activity could increase (or reduce the size of any decrease in) the market price of our common stock. In addition, we expect that the option counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes (and are likely to do so during any observation period related to a conversion of the Notes). This activity could also cause or avoid an increase or a decrease in the market price of our common stock. Also, if any such Capped Call Transactions fail to become effective, whether or not the offering of the Notes is completed, the option counterparties or their respective affiliates may unwind their hedge positions with respect to our common stock, which could adversely affect the value of our common stock.

We do not make any representation or prediction as to the direction or magnitude of any potential effect that the transactions described above may have on the price of our common stock. In addition, we do not make any representation that the option counterparties will engage in these transactions or that these transactions, once commenced, will not be discontinued without notice.

36


Table of Contents

 

The accounting method for convertible debt securities that may be settled in cash, such as the Notes, could have a material effect on our reported financial results.

In May 2008, the FASB issued FASB Staff Position No. APB 14-1, Accounting for Convertible Debt Instruments That May Be Settled in Cash Upon Conversion (Including Partial Cash Settlement), which has subsequently been codified as Accounting Standards Codification 470-20, Debt with Conversion and Other Options (“ASC 470-20”). Under ASC 470-20, an entity must separately account for the liability and equity components of the convertible debt instruments (such as the Notes) that may be settled entirely or partially in cash upon conversion in a manner that reflects the issuer’s economic interest cost. The effect of ASC 470-20 on the accounting for the Notes is that the equity component is required to be included in the additional paid in capital section of stockholders’ equity on our consolidated balance sheet at issuance, and the value of the equity component would be treated as original issue discount for purposes of accounting for the debt component of the Notes. As a result, we will be required to record a greater amount of non-cash interest expense in current periods presented as a result of the amortization of the discounted carrying value of the Notes to their face amount over the term of the Notes. We will report larger net losses or lower net income in our financial results because ASC 470-20 will require interest to include both the current period’s amortization of the debt discount and the instrument’s non-convertible coupon interest rate, which could adversely affect our reported or future financial results, the trading price of our common stock and the trading price of the Notes.

In addition, under certain circumstances, convertible debt instruments (such as the Notes) that may be settled entirely or partly in cash are currently accounted for utilizing the treasury stock method, the effect of which is that the shares issuable upon conversion of such Notes are not included in the calculation of diluted earnings per share except to the extent that the conversion value of such Notes exceeds their principal amount. Under the treasury stock method, for diluted earnings per share purposes, the transaction is accounted for as if the number of shares of common stock that would be necessary to settle such excess, if we elected to settle such excess in shares, are issued. We cannot be sure that the accounting standards in the future will continue to permit the use of the treasury stock method. For example, the Financial Accounting Standards Board recently published an exposure draft proposing to amend these accounting standards to eliminate the treasury stock method for convertible instruments and instead require application of the “if-converted” method. Under that method, if it is adopted, diluted earnings per share would generally be calculated assuming that all the Notes were converted solely into shares of our common stock at the beginning of the reporting period, unless the result would be anti-dilutive. If we are unable or otherwise elect not to use the treasury stock method in accounting for the shares issuable upon conversion of the Notes, then our diluted earnings per share would be adversely affected.

Item 1B. Unresolved Staff Comments.

None.

Item 2. Properties.

Our corporate headquarters in Austin, Texas consists of 164,818 square feet of space under a lease that expires in April 2029. Our prior corporate headquarters occupied 44,633 square feet in Austin, Texas under a lease that expired in the first quarter of 2019, which coincided with the commencement of the lease for our current corporate headquarters. In addition to our headquarters, we have additional office space in Pune, India, Tel Aviv, Israel, London, United Kingdom, Denver, Colorado and San Jose, California.

We lease all of our facilities. We believe that our facilities are adequate for our current needs and anticipate that suitable additional space will be readily available to accommodate any foreseeable expansion of our operations.

For more information about our lease commitments, see also Note 7 “Commitments and Contingencies” of the notes to our consolidated financial statements, included elsewhere in this Annual Report on Form 10-K.

We are not currently a party to, nor is our property currently subject to, any material legal proceedings other than ordinary routine litigation incidental to the business. We are not aware of any inquiries or investigations into our business.

Item 4. Mine Safety Disclosures.

None.

 

 

37


Table of Contents

 

PART II

Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities.

Market Information

Our common stock is listed and traded on the NYSE under the symbol “SAIL.”

Holders of Record

As of February 17, 2020, there were 28 holders of record of our common stock including the Cede & Co, a nominee for The Depository Trust Company, or DTC, which holds shares of our common stock on behalf of an indeterminate number of beneficial owners. All of the shares of common stock held by brokerage firms, banks and other financial institutions as nominees for beneficial owners are deposited into participant accounts at DTC and are considered to be held of record by Cede & Co. as one stockholder. Because many of our shares of common stock are held by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of beneficial stockholders represented by these record holders.

Dividend Policy

We have never declared or paid any cash dividends on our common stock. We currently intend to retain all of our earnings to finance the growth and development of our business. Any further determination to pay dividends on our common stock will be at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors considers relevant. In addition, our credit agreement places restrictions on our ability to pay cash dividends.

Stock Performance Graph

The following is not “soliciting material,” shall not be deemed “filed” for purposes of Section 18 of the Exchange Act or incorporated by reference into any of our other filings under the Exchange Act or the Securities Act of 1933, as amended (the “Securities Act”), except to the extent we specifically incorporate it by reference into such filing.

38


Table of Contents

 

The graph assumes that $100 was invested (i) in the Company’s common stock on November 17, 2017 (the date on which initial trading in the Company’s common stock commenced), and (ii) on October 31, 2017, in the NYSE Composite Index and the S&P 600 Information Technology Index, and in each case, that all dividends were reinvested. The stock price performance on the following graph is required by the SEC and is not necessarily intended to forecast or be indicative of future stock price performance.

 

Company/Index

 

11/17/2017

 

 

12/31/2017

 

 

3/31/2018

 

 

6/30/2018

 

 

9/30/2018

 

 

12/31/2018

 

 

3/31/2019

 

 

6/30/2019

 

 

9/30/2019

 

 

12/31/2019

 

SAIL

 

$

100.00

 

 

$

111.54

 

 

$

159.15

 

 

$

188.77

 

 

$

261.69

 

 

$

180.69

 

 

$

220.92

 

 

$

154.15

 

 

$

143.77

 

 

$

181.54

 

NYSE Composite

 

$

100.00

 

 

$

104.23

 

 

$

101.92

 

 

$

103.08

 

 

$

108.50

 

 

$

94.91

 

 

$

106.64

 

 

$

110.37

 

 

$

110.69

 

 

$

119.11

 

S&P 600 IT Index

 

$

100.00

 

 

$

94.34

 

 

$

94.08

 

 

$

98.33

 

 

$

102.06

 

 

$

82.25

 

 

$

96.88

 

 

$

98.94

 

 

$

100.71

 

 

$

112.39

 

 

Recent Sales of Unregistered Securities

None.

 

Purchase of Equity Securities by the Issuer and Affiliated Purchasers

None.

39


Table of Contents

 

Use of Proceeds from Initial Public Offering of Common Stock

On November 16, 2017, the Registration Statement on Form S-1 (File No. 333-221036) relating to our initial public offering was declared effective by the SEC and we priced our initial public offering. Pursuant to the Registration Statement, we registered an aggregate of 23,000,000 shares of our common stock, of which 15,800,000 shares were sold by us and 7,200,000 shares were sold by certain selling stockholders named therein at a price to the public of $12.00 per share (for an aggregate offering price of $276.0 million). We received net proceeds of approximately $172.0 million, after deducting underwriting discounts and commissions of approximately $13.3 million and offering-related expenses of $4.4 million. No payments were made to our directors or officers or their associates, holders of 10% or more of any class of our equity securities or any affiliates. Morgan Stanley & Co. LLC, Citigroup Global Markets Inc., Jefferies LLC and RBC Capital Markets, LLC acted as book-running managers and KeyBanc Capital Markets Inc., Canaccord Genuity Inc. and Oppenheimer & Co. Inc. acted as co-managers (collectively, the “Underwriters”) for our initial public offering.

Our initial public offering closed in November 2017. There has been no material change in the planned use of proceeds from our initial public offering as described in our final prospectus dated November 16, 2017 and filed with the SEC on November 17, 2017 pursuant to Rule 424(b) of the Securities Act. As of December 31, 2019, we have used $160.0 million of the proceeds from our initial public offering to repay borrowings under our term loan facility and approximately $1.8 million of such proceeds to pay a related prepayment premium. As of December 31, 2019, the remaining net proceeds are held in cash and have not been deployed.

Item 6. Selected Financial Data

 

The following selected consolidated financial data as of December 31, 2019 and 2018 and for the years ended December 31, 2019, 2018 and 2017 has been derived from, and should be read in conjunction with, the audited consolidated financial statements and the notes to our consolidated financial statements and Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations”, which is included elsewhere in this Annual Report on Form 10-K. Historical financial information as of December 31, 2017, 2016 and 2015 and for the years ended December 31, 2016 and 2015 is derived from our audited consolidated financial statements not included in this Annual Report on Form 10-K. Our selected consolidated financial data may not be indicative of our future financial condition or results of operations.

Consolidated Statements of Operations Data:

 

 

 

Year Ended December 31,

 

 

 

2019

 

 

2018

 

 

2017 (1)

 

 

2016 (1)

 

 

2015 (1)

 

 

 

(In thousands, except per share data)

 

Total revenue

 

$

288,515

 

 

$

248,920

 

 

$

186,056

 

 

$

132,412

 

 

$

95,356

 

Gross profit

 

$

223,040

 

 

$

194,250

 

 

$

141,466

 

 

$

95,374

 

 

$

66,097

 

Income (loss) from operations

 

$

(9,433

)

 

$

10,913

 

 

$

9,943

 

 

$

2,729

 

 

$

(8,173

)

Net income (loss)

 

$

(8,500

)

 

$

3,670

 

 

$

(7,592

)

 

$

(3,173

)

 

$

(10,807

)

Net income (loss) per share

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Basic

 

$

(0.10

)

 

$

0.04

 

 

$

(0.55

)

 

$

(0.58

)

 

$

(0.74

)

Diluted

 

$

(0.10

)

 

$

0.04

 

 

$

(0.55

)

 

$

(0.58

)

 

$

(0.74

)

Weighted average shares outstanding

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Basic

 

 

88,907

 

 

 

86,495

 

 

 

52,340

 

 

 

45,933

 

 

 

43,929

 

Diluted

 

 

88,907

 

 

 

90,003

 

 

 

52,340

 

 

 

45,933

 

 

 

43,929

 

 

(1)

The comparative information for years prior to 2018 has not been adjusted to reflect the adoption of the revised revenue recognition standard and is reported in accordance with Accounting Standards Codification 605 (“ASC 605”). See Note 3 “Revenue Recognition” of our Annual Report on Form 10-K for the year ended December 31, 2018, which was filed with the SEC on March 18, 2019 (the “2018 Annual Report”) for additional information related to our adoption of the revised revenue recognition standard (ASC 606).

40


Table of Contents

 

Consolidated Balance Sheets Data:

 

 

 

As of December 31,

 

 

 

2019

 

 

2018

 

 

2017 (1)

 

 

2016 (1)

 

 

2015 (1)

 

 

 

(In thousands)

 

Cash and cash equivalents

 

$

443,795

 

 

$

70,964

 

 

$

116,049

 

 

$

18,214

 

 

$

14,896

 

Working capital (2)

 

$

538,986

 

 

$

172,045

 

 

$

172,492

 

 

$

60,047

 

 

$

27,982

 

Total assets

 

$

990,078

 

 

$

534,434

 

 

$

506,433

 

 

$

387,410

 

 

$

371,504

 

Deferred revenue, current and non-current

 

$

152,033

 

 

$

114,301

 

 

$

83,125

 

 

$

55,104

 

 

$

34,888

 

Convertible senior notes, net

 

$

309,051

 

 

$

 

 

$

 

 

$

 

 

$

 

Long-term debt

 

$

 

 

$

 

 

$

68,329

 

 

$

107,344

 

 

$

99,770

 

Operating lease liabilities, current and non-current (3)

 

$

41,986

 

 

$

 

 

$

 

 

$

 

 

$

 

Total liabilities

 

$

555,951

 

 

$

156,741

 

 

$

178,036

 

 

$

177,307

 

 

$

160,465

 

Redeemable convertible preferred stock

 

$

 

 

$

 

 

$

 

 

$

223,987

 

 

$

222,898

 

Total stockholders' equity (deficit)

 

$

434,127

 

 

$

377,693

 

 

$

328,397

 

 

$

(13,884

)

 

$

(11,859

)

 

(1)

The comparative information for years prior to 2018 has not been adjusted to reflect the adoption of the revised revenue recognition standard and is reported in accordance with ASC 605. See Note 3 “Revenue Recognition” of our 2018 Annual Report for additional information related to our adoption of the revised revenue recognition standard (ASC 606).

(2)

We define working capital as current assets less current liabilities, excluding deferred revenue.

(3)

The comparative information for years prior to 2019 has not been adjusted to reflect the adoption of ASC 842 as we adopted the standard using the modified retrospective transition method. For additional information see Note 7 “Commitments and Contingencies” of our accompanying notes to our consolidated financial statements included in Part II, Item 8. of this Annual Report on Form 10-K for further discussion.

41


Table of Contents

 

Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations

You should read the following discussion and analysis of our financial condition and results of operations together with the section titled “Selected Financial Data” and the consolidated financial statements and related notes that are included elsewhere in this Annual Report on Form 10-K. This discussion contains forward-looking statements that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including, but not limited to, those set forth in the section titled “Risk Factors” and in other parts of this Annual Report on Form 10-K. Our historical results are not necessarily indicative of the results that may be expected for any period in the future, and our interim results are not necessarily indicative of the results we expect for the full fiscal year or any other period.

The Company has elected to omit a discussion and analysis of the financial condition and results of operations of certain 2017 items and year-to-year comparisons between 2018 and 2017. Such discussion and analysis can be found in “Management’s Discussion and Analysis of Financial Condition and Results of Operations” in Part II, Item 7 of the Company’s Annual Report on Form 10-K for the year ended December 31, 2018, which was filed with the SEC on March 18, 2019 and is incorporated by reference herein.

Overview

SailPoint is the leading provider of enterprise identity governance solutions. Our SailPoint Predictive Identity platform provides organizations with critical visibility into who currently has access to which resources, who should have access to those resources, and how that access is being used.

We offer both software and software as a service (“SaaS”) solutions, which empower our customers to efficiently and securely govern the digital identities of employees, contractors, business partners, software bots and other human and non-human users, and manage their constantly changing access rights to enterprise applications and data across hybrid IT environments, spanning on-premises, cloud and mobile applications and file storage platforms. We help customers enable their businesses with more agile and innovative IT, streamline delivery of access to their businesses, enhance their security posture and better meet compliance and regulatory requirements. Our customers include many of the world’s largest and most complex organizations, including commercial enterprises, financial institutions and governments.

We believe that our SailPoint Predictive Identity platform is a critical, foundational layer of a modern cyber security strategy. Its open architecture allows it to complement and build upon traditional perimeter- and endpoint-centric security solutions, which on their own are increasingly insufficient to secure organizations, and their applications and data.

We were founded by visionary industry veterans to develop a new category of identity management solutions and address emerging identity governance challenges. Since our inception, we have focused on driving innovation in the identity market, with our key milestones including:

 

in 2007, we pioneered identity governance through our release of IdentityIQ, our on-premises identity governance solution;

 

in 2010, we revolutionized provisioning by integrating it with IdentityIQ into a single solution;

 

in 2013, we introduced our SaaS identity governance offering, IdentityNow;

 

in 2015, we extended identity governance by adding our identity governance for data stored in files solution, SecurityIQ (now referred as the File Access Manager module within IdentityIQ), which manages user access to unstructured data, a rapidly growing area of risk; and

 

in 2017, we further extended identity governance with the introduction of our advanced identity analytics offering, IdentityAI, which is designed to use machine learning technologies to enable rapid detection of security threats before they turn into security breaches.

Our solutions address the complex needs of global enterprises and mid-market organizations. As of December 31, 2019, 1,469 customers across a wide variety of industries were using our products to enable and secure digital identities across the globe. No single customer represented more than 10% of our revenue for the year ended December 31, 2019 or 2018.

For the years ended December 31, 2019 and 2018, our revenue was $288.5 million and $248.9 million, respectively. For the year ended December 31, 2019, we had a net loss of $8.5 million compared to net income of $3.7 million for the year ended December 31, 2018. For the years ended December 31, 2019 and 2018, our net cash provided by operations was $50.1 million and $37.5 million, respectively.

42


Table of Contents

 

Our success is principally dependent on our ability to deliver compelling solutions to attract new customers and retain existing customers. Delivering these solutions is challenging because our customers have large, complex IT environments, often rely on both legacy and innovative technologies, and deploy different business models, including on-premises and cloud models. Rising security threats and evolving regulations and compliance standards for cyber security, data protection, privacy and internal IT controls create new opportunities for our industry and require us to adapt our solutions to be successful. Maintaining our historical growth rates is also challenging because our growth strategy depends in part on our ability to expand our global presence, increase the number of companies we can address with our current solutions, and invest in new vertical markets, while competing against much larger companies with more recognizable brands and financial resources. Although we seek to grow rapidly, we also focus on managing our net cash from operations while continuing to invest in our platform and to deliver innovative solutions to our customers. 

We believe enterprises are increasingly embracing the cloud to house their critical security infrastructure. As a result, a growing number of enterprises are changing their approach to identity governance and now prefer SaaS in place of purchasing software via a license and independently operating their identity infrastructure. This industry shift aligns well with our current product strategy. Our product strategy is to (1) accelerate innovation within our core identity governance SaaS offerings, (2) deliver continued innovation as we execute against our vision for SailPoint Predictive Identity, and (3) ensure that as we deliver these new innovations, they work in concert with our on-premises offerings in addition to our SaaS offerings. We believe that continued growth of subscription revenue, which includes revenue from our SaaS offerings, as a percentage of total revenue will lead to a more predictable revenue model and increase our visibility to future period total revenues. Nevertheless, our gross margins vary depending on the type of solution we sell. As a result, a shift in the sales mix of our solutions could affect our performance relative to historical results.

Our Business Model

We deliver an integrated set of solutions that supports all aspects of identity governance, including provisioning, access request, compliance controls, password management and identity governance for data stored in files. Our most recent innovation, the SailPoint Predictive Identity platform, embeds advanced artificial intelligence (“AI”) and machine learning (“ML”) into our open identity platform to deliver actionable insights and recommendations to reduce risk, accelerate deployment and simplify administration. Our solutions are built on our open identity platform, which enables connectivity to a variety of security and operational IT applications. Our open identity platform extends the reach of our identity governance processes and enable effective identity governance controls across customer environments.

Our set of solutions currently consists of (i) IdentityIQ, our on-premises identity governance solution, which can be deployed in customer’s data center or hosted in the public cloud, (ii) IdentityNow, our cloud-based, multi-tenant identity governance platform, which is delivered as a SaaS subscription offering and (iii) IdentityAI, our multi-tenant advanced AI and ML SaaS offering that infuses intelligent insights and recommendations into our IdentityIQ and IdentityNow solutions to help organizations detect areas of high risk, including potential threats, before they turn into security breaches. See Part I, Item 1. “Business—Product, Subscription, and Support Offerings” for more information regarding our solutions.

For our IdentityIQ solutions, our customers typically purchase a perpetual software license, which includes one year of maintenance. Our maintenance provides software maintenance as well as access to our technical support services during the maintenance term. After the initial maintenance period, customers with perpetual licenses may renew their maintenance agreement for an additional fee. For our SaaS offerings, IdentityNow and IdentityAI, for a subscription fee, we offer customers access to these solutions and infrastructure support for the duration of their subscription agreement. Our standard subscription agreement for our SaaS offerings has a duration of three years.

Pricing for each of our solutions is dependent on the number of digital identities of employees, contractors, business partners, software bots and other human and non-human users that the customer is entitled to govern with the solution. We also package and price our IdentityIQ, IdentityNow and IdentityAI solutions into modules. Each module has unique functionalities, and our customers are able to purchase one or more modules, depending on their needs. We also offer advanced integration modules for key applications and systems which can be purchased in addition to our base solution modules. They are also priced based on the total number of identities. Thus, our revenue from any customer is generally determined by the number of identities that the customer is entitled to govern as well as the number of modules (for our IdentityIQ and IdentityNow solutions) purchased by the customer.

43


Table of Contents

 

Our go-to-market strategy consists of both direct sales and indirect sales through our partner network consisting of technology partners, system integrators, a growing network of value-added resellers and our alliance partners. We work closely with systems integrators, many of whom have dedicated SailPoint practices (including Accenture, Deloitte, EY, KPMG, and PwC), with some dating back more than nine years, and resellers (including value-added resellers such as Optiv) to scale growth, help generate new opportunities, optimize customer experience and increase profitability as well as sales efficiency. We frequently cooperate with systems integrators to make joint sales proposals to address our mutual customers’ requirements. We do not have any material payment obligations to systems integrators, resellers or our technology partners; nor do they have any material payment obligations to us, except that resellers typically purchase solutions directly from us and resell to customers. See Part I, Item 1. “Business—Partnerships and Strategic Relationships” for more information regarding our partnership network.

In addition to our solutions, we offer professional services to our customers and partners to configure and optimize the use of our solutions as well as training services related to the configuration and operation of our platform. Most of our professional services activity is in support of our partners, who perform a significant majority of all initial and follow-on implementation work for our customers. Most of our consulting services are priced on a time-and-materials basis; our training services are provided through multiple pricing models, including on a per-person basis (for courses provided at our headquarters and on-site at our customers’ offices) and a flat-rate basis (for our e-learning course).

We devote significant resources to acquire new customers, in both existing and new markets, in order to grow our customer base. In addition, we focus on three distinct opportunities to increase sales to existing customers: (i) expand the number of digital identities; (ii) up-sell additional modules or target storage systems, as applicable, within a single solution; and (iii) cross-sell additional solutions.

As part of our product strategy for the SailPoint Predictive Identity platform, we acquired Orkus, Inc. (“Orkus”) and Overwatch.ID, Inc. (“Overwatch.ID”). Orkus is engaged in the development and license of software products to assist customers in monitoring and controlling access and authorization across hybrid cloud assets. Overwatch.ID is engaged in the development and license of software products focused on access controls security for cloud applications, cloud computing, hybrid IT environments, and on-premises infrastructure. See Note 5 “Business Combinations” in our notes to our consolidated financial statements included in this Annual Report for more information.

Key Factors Affecting Our Performance

Our historical financial performance has been, and we expect our financial performance in the future to be, driven by our ability to:

 

Add New Customers Within Existing Markets. Based on data from S&P Global Market Intelligence, we believe that we have penetrated approximately 2% of over 65,000 companies in the countries where we have customers today. As a result, there is significant opportunity to expand our footprint in our existing markets through new, greenfield installations and displacement of our competitors’ legacy solutions. We plan to grow our sales organization, expand and leverage our channel partners and enhance our marketing efforts.

 

Generate Additional Sales to Existing Customers. We believe that our existing customer base provides us with a significant opportunity to drive incremental sales. In most cases, our customers initially purchase a subset of the modules or offerings we provide based on their immediate need. We focus on generating more revenue from the modules that our customers have already purchased from us as our customers grow the number of identities our solutions manage and govern and as our customers deploy our solutions across other business units or geographies within their organizations. This is especially true when it comes to our new and expanded SaaS offerings, including AI and cloud governance. Over time, we also identify up-selling and cross-selling opportunities and seek to sell additional modules and offerings to our existing customers.

44


Table of Contents

 

 

Retain Customers. We believe that our ability to retain our customers is an important component of our growth strategy and reflects the long-term value of our customer relationships. For example, when we add a new customer, we generate new license revenue. If the customer renews, we generate incremental maintenance revenue. As we add new IdentityIQ customers, our high renewal rates result in maintenance revenue. Our key strategies to maintain our high renewal rates include focusing on the quality and reliability of our solutions, customer service and support to ensure our customers receive value from our solutions, providing consistent software upgrades and having dedicated customer success teams.

 

Expand into New Markets. We expect to continue to invest significantly in sales, marketing and customer service, as well as our indirect channel partner network, to expand into new geographies and vertical markets. We believe that our market opportunity is large and growing and that the global cyber security market represents a significant growth opportunity for us. In 2019, we generated only 29% of our revenue outside of the United States. We plan to leverage our existing strong relationships with global system integrators and channel partners to grow our presence in Europe, Asia Pacific and other international markets.

Key Business Metrics

In addition to our GAAP financial information such as revenue and net income discussed above, we monitor the following key metrics to help us measure and evaluate the effectiveness of our operations:

 

 

 

Year Ended December 31,

 

 

2019

 

 

2018

 

 

2017 (1)