Item 1A. Risk Factors.
In addition to the other information set forth in this Annual Report on Form 10-K, you should carefully consider the risks and uncertainties described below, which could materially adversely affect our business, operating results, financial condition, and cash flow.
Summary of Risk Factors
We are providing the following summary of the risk factors contained in this Annual Report on Form 10-K to enhance the readability and accessibility of our risk factor disclosures. We encourage you to carefully review the full risk factors immediately following this summary as well as the other information in this report, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our financial statements and related notes. The risks and uncertainties described in this Annual Report on Form 10-K may not be the only ones we face. If any of the risks actually occur, our business, operating results, financial condition, cash flows and prospects could be materially and adversely affected. These risks and uncertainties include, but are not limited to, the following:
• Our success and revenue growth depends on our ability to add, grow and retain super-scaled customers.
• We often have long sales cycles, which can result in significant time between initial contact with a potential customer and execution of a customer agreement, making it difficult to project when, if at all, we will generate revenue from those customers.
• We may experience fluctuations in our operating results, including during presidential and, to a lesser extent, midterm election years where we generally generate higher revenues, which could make our future operating results difficult to compare and predict.
• If we do not manage our growth effectively, the quality of our platform and solutions may suffer, and our business, operating results and financial condition may be adversely affected.
• Our industry is intensely competitive, and if we do not effectively compete against current and future competitors or fail to innovate and make the right investment decisions in our product offerings and platform, our business, operating results and financial condition could be harmed.
• Acquisitions or strategic investments could be difficult to identify and integrate (including the integration of our recent acquisition of Marigold’s Enterprise Business), divert the attention of management and disrupt our business, dilute stockholder value and adversely affect our business, operating results and financial condition.
• The technology industry is subject to increasing scrutiny that could result in U.S. federal or state government, or international regulatory actions that could negatively affect our business.
• Our business and the effectiveness of our platform depends on our ability to collect and use data online. New consumer tools, regulatory restrictions and potential changes to web browsers and mobile operating systems all threaten our ability to collect such data, which could harm our operating results and financial condition and adversely affect the demand for our products and solutions.
• Actual or perceived failures to comply with applicable data protection, privacy and security laws, regulations, standards and other requirements could adversely affect our business, results of operations and financial condition.
• Any unfavorable publicity or negative public perception of current data collection practices could result in additional regulations which may impact the effectiveness of our data cloud and platform.
• A significant inadvertent disclosure or breach of confidential and/or personal information we process, or a security breach of our or our customers’, suppliers’ or other partners’ IT Systems could be detrimental to our business, reputation, financial performance and results of operations.
• We depend on third-party data centers, systems and technologies to operate our business, the disruption of which could adversely affect our business, operating results and financial condition.
• If we fail to detect or prevent fraud or malware intrusion on our platform, devices, or systems, or into the systems or devices of our customers and their consumers, publishers could lose confidence in our platform, and we could face legal claims and regulatory investigations, any of which could adversely affect our business, operating results and financial condition.
• The standards that private entities and inbox service providers adopt in the future to regulate the use and delivery of email may interfere with the effectiveness of our platform and our ability to conduct business.
• Any actual or perceived failure to comply with evolving regulatory frameworks around the development and use of machine learning and AI technologies and our use of artificial intelligence technologies may expose us to technical, legal, and regulatory risks, which could adversely affect our business, results of operations, and financial condition.
• The incurrence of additional debt or the issuance of new debt or equity securities.
• Catastrophic events such as pandemics, hurricanes, wildfires, tornadoes, earthquakes, flooding, droughts and power outages, and business and operational interruption by man-made problems such as war, conflicts and acts of terrorism.
•We may issue additional equity or debt securities in the future in order to raise capital. Additional issuances of equity securities would dilute the investment of our current stockholders and could cause the market price of our Class A Common Stock to decline.
Risks Related to Our Business and Our Industry
Our success and revenue growth depends on our ability to add, grow and retain super-scaled customers.
Our success is dependent on regularly adding new customers, in particular new super-scaled customers, and increasing our existing customers’ usage of our platform in order to convert our customers into super-scaled customers. Many of our contracts and relationships with customers do not include automatic renewal or exclusive obligations requiring them to use our platform or maintain or increase their use of our platform. Our customers, in particular our super-scaled customers, typically have relationships with numerous providers and can use both our platform and those of our competitors without incurring significant costs or disruption. Our customers may also choose to decrease their overall marketing spend for any reason, including if they do not believe they are generating a sufficient return on their marketing spend. Further, we may not be successful at educating and training our new and existing customers on how to use our platform, in particular our advanced reporting tools, in order for them to benefit from it and generate revenues. Accordingly, we must continually work to win new super-scaled customers and educate and retain existing super-scaled customers, increase their usage of our platform and capture a larger share of their marketing spend.
In 2025, our top ten customers accounted for more than one-third of our total revenue, and one customer accounted for more than 10% of our total revenue. Occasionally, we enter into separate contracts and billing relationships with individual marketing agencies that are owned by the same holding company and account for them as separate customers. However, if a holding company of multiple marketing agencies chooses to exert control over the individual agencies in the future and terminate their relationship with us, it could result in a disproportionate loss of revenue.
A substantial portion of our revenue is derived from usage-based pricing, which is less stable than subscription-based pricing. If our customers, in particular our super-scaled customers, decide not to continue to use our platform or decrease their usage of our platform for any reason, or if we fail to attract new customers and turn them into super-scaled customers, our revenue could decline, which would materially and adversely harm our business, operating results and financial condition. We cannot assure that our super-scaled customers will continue to use and increase their spend on our platform or that we will be able to attract a sufficient number of new super-scaled customers to continue to grow our revenue. If customers representing a significant portion of our business decide to materially reduce their use of our platform or cease using our platform altogether, our revenue could be significantly reduced, which could have a material adverse effect on our business, operating results and financial condition. We may not be able to replace super-scaled customers who decrease or cease their usage of our platform with new super-scaled customers that will use our platform to the same extent.
We often have long sales cycles, which can result in significant time between initial contact with a potential customer and execution of a customer agreement, making it difficult to project when, if at all, we will obtain new customers and when we will generate revenue from those customers.
As part of our sales efforts, we invest considerable time and expense evaluating the specific organizational needs of our potential customers and educating these potential customers about the technical capabilities and value of our platforms and solutions. We may spend substantial time and resources prospecting for new business or responding to requests for proposals from potential customers, and these efforts may not result in us ultimately generating any revenue from a potential customer. It is possible that we will be unable to recover any of these expenses.
Our results of operations also depend on sales to enterprise customers, which make product purchasing decisions based in part or entirely on factors, or perceived factors, not directly related to the features of our platform, including, among others, a customer’s projections of business growth, uncertainty about economic conditions, capital budgets, anticipated cost savings from the implementation of our platform, potential preference for such customer’s internally-developed software solutions, perceptions about our business and platform, more favorable terms offered by potential competitors, and previous technology investments. As a result of these and other factors, there can be no assurance that we will be successful in making a sale to a potential customer. If our sales efforts to a potential customer do not result in sufficient revenue to justify our investments, our business, operating results and financial condition could be adversely affected.
We are subject to payment-related risks if customers dispute, do not pay their invoices, or decrease their amount of spend due to unforeseen downturns in their financial condition. Any decreases or significant delays in payments could have a material adverse effect on our business, operating results and financial condition. These risks may be heightened during economic downturns or customer impacts from such downturns, including supply chain disruptions or shortages.
We may become involved in disputes with our customers over the operation of our platform, the terms of our agreements or our billings for purchases made by them through our platform. In the past, certain customers have sought to slow their payments to us or been forced into filing for bankruptcy protection, resulting in delay or cancelation of their pending payments to us. In certain cases, customers have been unable to timely make payments, and we have suffered losses. Certain of our contracts with marketing agencies state that if their customer does not pay the agency, the agency is not liable to us, and we must seek payment solely from their customer, a type of arrangement called sequential liability. Contracting with these agencies, which in some cases have or may develop higher-risk credit profiles, may subject us to greater credit risk than if we were to contract directly with the customer.
If we are unable to collect customers’ fees on a timely basis or at all, we could incur write-offs for bad debt, which could have a material adverse effect on our business, operating results and financial condition for the periods in which the write-offs occur. In the future, bad debt may exceed reserves for such contingencies, and our bad debt exposure may increase over time. Even if we are not paid by our customers on time or at all, we may still be obligated to pay for the inventory we have purchased for our customers’ marketing campaigns, and consequently, our results of operations and financial condition would be adversely impacted.
We may experience fluctuations in our operating results, including during presidential and, to a lesser extent, midterm election years where we generally generate higher revenues, which could make our future operating results difficult to compare and predict. Consequently, we may not be able to meet our expectations or those of securities analysts and investors.
Our quarterly and annual operating results have fluctuated in the past, and we expect our future operating results to fluctuate due to a variety of factors, many of which are beyond our control. Our liquidity and revenue can fluctuate quarter to quarter as certain of our customers have seasonal marketing activity. Historically, marketing activity is higher in the fourth quarter of the calendar year to coincide with the holiday shopping season as compared to the first quarter. As a result, the subsequent first quarter tends to reflect lower activity levels and lower performance. Our revenues are also impacted by political cycles in which we generally generate higher revenues in congressional elections years, and particularly presidential election years and, to a lesser extent, midterm election years. In addition, the varying nature of our pricing mix between periods, customers and products may also make it more difficult for us to forecast our future operating results. Further, these factors may make it more difficult to make comparisons between prior, current and future periods. As a result, period-to-period comparisons of our operating results should not be relied upon as an indication of our future performance.
In addition, the following factors may cause our operating results to fluctuate:
• our usage-based pricing model makes it difficult to forecast revenues from our current customers and future prospects;
• changes in our pricing policies, the pricing policies of our competitors and the pricing or availability of data or other third-party services;
• the seasonal budgeting cycles and internal marketing budgeting and strategic purchasing priorities of our customers;
• the U.S. presidential and midterm election cycles potentially leading to higher revenue generation compared to non-election years;
• our ability to retain and attract top talent;
• our ability to anticipate or respond to changes in the competitive landscape, or improvements in the functionality of competing solutions that reduce or eliminate one or more of our competitive advantages;
• our ability to maintain and expand our relationships with data centers and strategic third-party technology vendors, who provide floor space, bandwidth, cooling and physical security services on which our platform operates;
• our ability to successfully expand our business internationally;
• the emergence of significant privacy, data protection, security or other threats, regulations or requirements applicable to our business and shifting views and behaviors of consumers concerning use of data and data privacy;
• general economic and market conditions, including as a result of changes in U.S. trade policies, such as new or increased tariffs and retaliatory responses from other countries, and the resulting impact on our customers’ businesses;
• extraordinary expenses, such as litigation or other dispute-related settlement payments; and
• future accounting pronouncements or changes in our accounting policies.
Any one of the factors referred to above or herein or the cumulative effect of any combination of factors referred to above or herein may result in our operating results that are below our expectations and the expectations of securities analysts and investors, or may result in significant fluctuations in our quarterly and annual operating results, including fluctuations in our key performance indicators (“KPIs”). This variability and unpredictability could result in our failure to meet our business plan or the expectations of securities analysts or investors for any period. In addition, a significant percentage of our operating expenses are fixed in nature in the short term and based on forecasted revenue trends. Accordingly, in the event of revenue shortfalls, we are generally unable to mitigate the negative impact on our results of operations in the short term.
If we do not manage our growth effectively, the quality of our platform and solutions may suffer, and our business, operating results and financial condition may be adversely affected.
The continued growth in our business may place demands on our infrastructure and our operational, managerial, administrative and financial resources. Our success will depend on the ability of our management to manage growth effectively. Among other things, this will require us at various times to:
• strategically invest in the development and enhancement of our platform and data center infrastructure;
• improve coordination among our engineering, product, operations and other support organizations;
• manage multiple relationships with various partners, customers and other third parties;
• manage international operations;
• develop our operating, administrative, legal, financial and accounting systems and controls; and
• recruit, hire, train and retain personnel, especially those possessing extensive engineering skills and experience in complex technologies and data sciences, of which there is limited supply and increasing demand.
If we do not manage our growth well, the efficacy and performance of our platform may suffer, which could harm our reputation, reduce demand for our platform and solutions and have an adverse effect on our business, operating results and financial condition.
Our industry is intensely competitive, and if we do not effectively compete against current and future competitors or fail to innovate and make the right investment decisions in our product offerings and platform, our business, operating results and financial condition could be harmed.
Our industry is intensely competitive. To sustain and grow our revenue, we must continuously respond to the different trends driving our industry. We generally have flexible master services agreements in place with our customers. Such agreements allow our customers to change the amount of spend through our platform or terminate our services with limited notice. As a result, the introduction of new entrants or technology that are superior to or that achieve greater market acceptance than our products and solutions could negatively impact our revenue. In such an event, we may experience a reduction in market share and may have to respond by reducing our prices, resulting in lower profit margins for us.
There has also been rapid evolution and consolidation in the marketing technology industry, and we expect this trend to continue. Larger companies typically have more assets to purchase emerging companies or technologies, which gives them a competitive edge. If we are not able to effectively compete with these consolidated companies, we may not be able to maintain our market share and may experience a reduction in our revenue.
Our industry is subject to rapid and frequent changes in technology, evolving customer needs and the frequent introduction of new and enhanced offerings by our competitors, making it intensely competitive. To sustain and grow our revenue, we must continuously respond to the different trends driving our industry. We must regularly make investment decisions regarding offerings and technology to maintain the technological competitiveness of our products and platform and meet customer demand and evolving industry standards. As we continue to grow and attract a broader customer base, we will have to invest more time and effort to maintain a certain level of performance in our products and platform.
The complexity and uncertainty regarding the development of new technologies and the extent and timing of market acceptance of innovative products and solutions create difficulties in maintaining this competitiveness. The success of any enhancement or new solution depends on many factors, including timely completion, adequate quality testing, appropriate introduction and market acceptance. If our competitors are able to orientate their product to meet the specific needs of a particular industry better than us, they may be able to amass market share faster than us and by consequence, reduce our current and future revenues.
Without the timely introduction of new products, solutions and enhancements, our offerings could become technologically or commercially obsolete over time, or we may be required to make unanticipated and costly changes to our platform or business model, in which case our revenue and operating results would suffer. New customer demands, superior competitive offerings or new industry standards could require us to make unanticipated and costly changes to our platform or business model. If we fail to enhance our current products and solutions or fail to develop new products to adapt to our rapidly changing industry or to evolving customers’ needs, demand for our platform could decrease, and our business, operating results and financial condition may be adversely affected.
Our use and reliance upon technology and development resources in India may expose us to unanticipated costs and liabilities, which could affect our ability to realize cost savings from our technology operations in India and other non-U.S. locations.
We conduct a significant amount of our technology and product development work in India and other global locations. We cannot ensure that our reliance upon development resources in India and other non-U.S. locations will enable us to achieve meaningful cost reductions or greater resource efficiency. Further, our operations in India involve significant risks, including:
• difficulty hiring and retaining engineering and management resources due to intense competition for such resources and resulting wage inflation;
• heightened exposure to changes in economic, security and political conditions, war, conflicts and acts of terrorism;
• different standards of protection for intellectual property rights and confidentiality protection;
• the effects of pandemics, epidemics or other health crises on general health and economic conditions; and
• fluctuations in currency exchange rates and tax compliance.
The enforcement of intellectual property rights and confidentiality protections in India may not be as effective as in the U.S. or other countries. Policing unauthorized use of proprietary technology is difficult and expensive, and we might need to resort to litigation to protect our trade secrets and confidential information. The experience and capabilities of Indian courts in handling intellectual property litigation vary, and outcomes are unpredictable. Further, such litigation may require significant management efforts and result in significant cash expenditures and could harm our business, operating results and financial condition. An adverse determination in any such litigation will impair our intellectual property rights and may harm our business, operating results and financial condition.
We expect to continue to rely on significant cost savings obtained by concentrating our technology and development and engineering work in India and other non-U.S. locations, but difficulties resulting from the factors noted above and other risks related to our operations in India or such other non-U.S. locations could increase our expenses and harm our competitive position. The historical rate of wage inflation has been higher in India than in the U.S. In addition, if the Rupee strengthens against the U.S. Dollar, our costs would increase. If the cost of technology and development work in India significantly increases or the labor environment in India changes unfavorably, our cost savings may be diminished. Any such developments could adversely affect our business, operating results and financial condition.
Our success depends on our ability to retain key members of our management team, and on our ability to hire, train, retain and motivate new employees.
Our success depends upon the continued service of members of our senior management team and other key employees. Our Co-Founder and Chief Executive Officer, David Steinberg, is critical to our overall management, as well as the continued development of our platform, relationships with our customers and vendors and our overall strategic direction. We do not maintain “key person” insurance for any member of our senior management team or any of our other key employees. Our senior management and key personnel are all employed on an at-will basis, which means that they could terminate their employment with us at any time, for any reason and without notice. In addition, some of our key employees may receive significant proceeds from sales of our Class A Common Stock, which may reduce their incentive to continue to work for us. As a result, we may be unable to retain them, which could make it difficult to operate our business, cause us to lose expertise or know-how and increase our recruitment and training costs.
Our success also depends on our ability to hire, train, retain and motivate new employees. We have incurred substantial stock-based compensation expense and will continue to incur stock-based compensation expense in future years as a result of our equity compensation plan under which we grant time-based and performance-based restricted stock awards. Competition for employees in our industry can be intense, and we compete for experienced personnel with many companies that have greater resources than we have. The market for engineering talent is particularly intense in New York, where we are headquartered, and in the San Francisco Bay Area, the EU and India, where we have offices. Our future growth will also depend in part on our ability to establish sales teams that effectively solve problems and efficiently execute our objectives. We will need to establish teams that are well versed in complex and varied systems of distribution across national, regional and international markets. We believe that there is significant competition for sales personnel with the sales skills and technical knowledge that we require. Our ability to achieve growth in revenue in the future will depend, in large part, on our success in recruiting, training and retaining sufficient numbers of sales personnel with relevant industry knowledge and strong selling skills.
We believe our corporate culture has been critical to our success, and we plan to continue to invest time and resources to continue building it. In particular, our human capital initiatives are a strategic imperative at Zeta. Although we have adopted policies to promote compliance with laws and regulations as well as to foster a respectful workplace for all employees, our employees may fail to abide by these policies, relevant laws and regulations, or any new laws or regulations or interpretations of existing legal requirements. In addition to damaging our reputation, actual or alleged misconduct could affect the confidence of our stockholders, regulators and other parties and could have a material adverse effect on our business, operating results and financial condition.
Acquisitions or strategic investments could be difficult to identify and integrate (including the integration of our recent acquisition of Marigold’s Enterprise Business), divert the attention of management and disrupt our business, dilute stockholder value and adversely affect our business, operating results and financial condition.
As part of our growth strategy, we have acquired and may continue to acquire or invest in other businesses, assets or technologies that are complementary to and fit within our strategic goals. Acquisitions are inherently risky and if they fail, they can result in costly remediating steps such as litigation and divesture. Any acquisition or investment may divert the attention of management and require us to use significant amounts of cash, issue dilutive equity securities or incur debt. The anticipated benefits of any acquisition (including our recent acquisition of Marigold’s Enterprise Business) or investment may not be realized, and we may be exposed to unknown risks, any of which could adversely affect our business, operating results and financial condition, including risks arising from:
• difficulties in integrating the operations, technologies, product or service offerings, administrative systems and personnel of Marigold’s Enterprise Business or any other acquired businesses, especially if those businesses operate outside of our core competency or geographies in which we currently operate;
• ineffectiveness or incompatibility of acquired technologies or solutions;
• potential loss of key employees of the acquired businesses;
• inability to maintain key business relationships and reputations of the acquired businesses;
• diversion of management attention from other business concerns;
• litigation arising from the acquisition or the activities of the acquired businesses, including claims from terminated employees, customers, former stockholders or other third parties and intellectual property disputes;
• assumption of contractual obligations that contain terms that are not beneficial to us, require us to license or waive intellectual property rights, or increase our risk of liability;
• complications in the integration of our recent acquisition of Marigold’s Enterprise Business or any other businesses we may acquire, or diminished prospects;
• failure to generate the expected financial results related to the recent acquisition of Marigold’s Enterprise Business or other future acquisitions on a timely manner or at all;
• weak, ineffective, or incomplete data privacy compliance strategies by the acquired company resulting in our inability to use acquired data assets;
• failure to accurately forecast the financial or other business impacts of an acquisition; and
• implementation or remediation of effective controls, procedures and policies for acquired businesses.
To fund acquisitions, we have in the past and may in the future pay cash, including in connection with the recent acquisition of Marigold’s Enterprise Business, which would diminish our cash reserves, or issue additional shares of our Class A Common Stock, which would dilute current stockholders’ holdings in our company. Borrowing to fund an acquisition would result in increased fixed obligations and could also subject us to covenants or other restrictions that could limit our ability to effectively run our business.
We may be adversely affected by the effects of inflation.
Inflation has the potential to adversely affect our liquidity, business, operating results and financial condition by increasing our overall cost structure, particularly if we are unable to achieve commensurate increases in the prices we charge our customers. The existence of inflation in the economy has resulted in, and may continue to result in, higher interest rates and capital costs, increased costs of labor, weakening exchange rates and other similar effects. As a result of inflation, we have experienced, and may continue to experience, cost increases. Measures to mitigate inflationary impacts may not be effective, or there could be a difference between the timing of when these beneficial actions impact our results of operations and when increased costs due to inflation are incurred.
Our international operations subject us to additional costs and risks and may not yield returns, and our continued international expansion may not be successful.
We have entered into several international markets and expect to enter into additional markets in the future. We expect to continue to expand our international operations, which may require significant management attention and financial resources and may place burdens on our management, administrative, operational, legal and financial infrastructure. The costs and risks inherent in conducting business internationally include:
• difficulty and costs associated with maintaining effective controls at foreign locations;
• adapting our platform and solutions to non-U.S. customer preferences and customs;
• difficulties in staffing and managing foreign operations;
• difficulties in enforcing our intellectual property rights;
• new and different sources of competition;
• regulatory and other delays and difficulties in setting up foreign operations;
• compliance with anti-bribery laws, such as the U.S. Foreign Corrupt Practices Act and the United Kingdom (“UK”) Anti-Bribery Act 2010, by us, our employees and our business partners;
• compliance with export and import control and economic sanctions, laws and regulations, such as those administered by the U.S. Office of Foreign Assets Control;
• compliance with foreign data privacy laws, such as the EU ePrivacy Directive (and its local implementations), the UK Privacy and Electronic Communications Regulation (“PECR”), EU and UK GDPR, and Brazil’s General Data Protection Law (“LGPD”), which could materially diminish our ability to collect data and/or the effectiveness of our platform;
• restrictions on the transfers of funds;
• currency exchange rate fluctuations and foreign exchange controls;
• economic and political instability in some countries;
• compliance with the laws of numerous taxing jurisdictions where we conduct business, potential double taxation of our international earnings, and potentially adverse tax consequences due to changes in applicable U.S. and foreign tax laws; and
• the complexity and potential adverse consequences of U.S. tax laws as they relate to our international operations.
As we continue to expand our business globally, our success will depend, in large part, on our ability to anticipate and effectively manage these risks. These factors and others could harm our ability to increase international revenues and, consequently, could adversely affect our business, operating results and financial condition. The expansion of our existing international operations and entry into additional international markets will require significant management attention and financial resources. Our failure to manage these risks successfully could adversely affect our business, operating results and financial condition.
Our business is subject to the risk of catastrophic events such as pandemics, hurricanes, wildfires, tornadoes, earthquakes, extreme weather events, flooding, droughts and power outages, and to business and operational interruption by man-made problems such as war, conflicts and terrorism.
Our business is vulnerable to damage or interruption from pandemics, hurricanes, wildfires, tornadoes, earthquakes, extreme weather events, flooding, droughts, power outages, telecommunications failures, terrorist attacks, acts of war, human errors, break-ins and similar events. A significant natural disaster could have a material adverse effect on our business, operating results, and financial condition, and our insurance coverage may be insufficient to compensate us for losses that we may incur. Climate change and other environmental and social pressures are expected to increase the frequency and intensity of certain such events, as well as contribute to chronic changes (such as changes to water levels and meteorological and hydrological patterns) that may result in similar risks. As we rely heavily on our data center facilities, computer and communications systems and the Internet to conduct our business and provide high-quality customer service, any disruptions of the foregoing could negatively impact our ability to run our business and either directly or indirectly disrupt publishers’ and partners’ businesses, which could have an adverse effect on our business, operating results, and financial condition.
Pandemics, such as the COVID-19 pandemic, which negatively impacted our business, operating results and financial condition, or other health crises could have a material negative impact on economic and market conditions around the world, which could have a significant negative impact on our and our customers, suppliers’ or other partners’ business, operating results, and financial condition. Further, actual or threatened war, terrorist activity, political unrest, civil strife, and other geopolitical uncertainty could have a similar effect on our and our customers, suppliers’ or other partners’ business, financial condition or growth strategy.
We are subject to various risks associated with environmental, social, and governance matters.
There is increased scrutiny from investors, customers, policymakers, and other stakeholder regarding companies management of climate change, human capital, and various other environmental, social, and governance (“ESG”) matters. We engage in various initiatives to manage such matters and address stakeholder expectations; however, such initiatives can be costly and may not have the desired effect. For example, many of our initiatives leverage methodologies, standards, and data that are complex and continue to evolve. As with other companies, our approach to such matters also evolves, and we cannot guarantee that our approach will align with the expectations or preferences of any particular stakeholder.
Moreover, various stakeholders have different, and at times conflicting, expectations. For example, while some policymakers (such as the State of California and the European Union) have adopted requirements for various disclosures or actions on ESG matters, policymakers in other jurisdictions have sought to constrain companies’ consideration of such matters in certain circumstances. Proponents and opponents of such matters are increasingly resorting to activism, including litigation, to advance their perspectives. Addressing stakeholder expectations or requirements entails costs, and any failure to successfully navigate such expectations, as well as evolving interpretations of any existing governmental laws or requirements, may result in reputational harm, issues attracting and retaining employees or customers, regulatory or investor engagement, or other adverse impacts to our business.
Risks Related to Data Collection and Security, Intellectual Property and Technology Industry Regulations
The technology industry is subject to increasing scrutiny that could result in U.S. government and/or international regulatory actions that could negatively affect our business.
We may face claims relating to the information or content that is made available through our platform. Though we contractually require our customers to represent that they will follow our policies with respect to all information or content they upload to our systems, we may be exposed to potential liability if our customers do not abide by such policies. In particular, the nature of our business may expose us to claims related to defamation, dissemination of misinformation or news hoaxes, discrimination, harassment, intellectual property right infringement, rights of publicity and privacy, personal injury torts, laws regulating hate speech or other types of content, and breach of contract, among others. The technology industry is subject to intense media, political and regulatory scrutiny, including on issues related to antitrust and AI, which exposes us to regulatory and government investigations, legal actions and penalties. For instance, various regulatory agencies, including competition and consumer protection authorities, have active proceedings and investigations concerning multiple technology companies on antitrust and other issues. If we become subject to such investigations, we could be liable for substantial fines and penalties, be required to change our products or alter our business operations, receive negative publicity, or be subject to civil litigation, all of which could harm our business. Lawmakers also have proposed new laws and regulations, and modifications to existing laws and regulations, that affect the activities of technology companies such as the recent efforts to eliminate or modify Section 230 of the Communications Decency Act. If such laws and regulations are enacted or modified, they could negatively impact us, even if they are not specifically intended to affect our company. In addition, the introduction of new products, expansion of our activities in certain jurisdictions, or other actions that we may take may subject us to additional laws, regulations and other scrutiny. The increased scrutiny of certain acquisitions in the technology industry also could affect our ability to enter into strategic transactions of our own or to acquire other businesses.
Compliance with new or modified laws and regulations could increase the cost of conducting our business, limit the opportunities to increase our revenues, or prevent us from offering certain products and services. While we have adopted policies and procedures designed to ensure compliance with applicable laws and regulations, there can be no assurance that our employees, contractors or agents will not violate such laws and regulations. If we are found to have violated laws and regulations, it could materially adversely affect our reputation, financial condition and operating results. We also could be harmed by government investigations, litigation, or changes in laws and regulations directed at our customers, business partners, or suppliers in the technology industry that would have the effect of limiting our ability to do business with those entities. There can be no assurance that our business will not be materially adversely affected, individually or in the aggregate, by the outcomes of such investigations, litigation or changes to laws and regulations in the future.
Our business and the effectiveness of our platform depends on our ability to collect and use online data. New tools used by consumers to limit data collection, regulatory restrictions and potential changes to web browsers and mobile operating systems affect our ability to collect such data, which could harm our operating results and financial condition.
We have one of the largest compilations of personal data relating to U.S. and international consumers in the world. The ability of our platform to deliver high quality solutions to our customers is based on our technology’s capability to derive relevant, actionable insights from the data that we ingest into our systems and our ability to execute marketing programs across digital channels such as email, social media, website and other touchpoints to engage consumers. The principal way that we collect individual data is directly from the consumers when they register or interact with our platform (such as the DISQUS commenting system and LiveIntent inbox advertising), or with partners’ services. We also use various tracking technologies, both proprietary and those provided through third-party suppliers in order to connect to individuals across marketing channels for the purpose of targeting consumers and delivering campaigns. The future of these and other digital data collection practices is evolving, with some prominent companies in the industry recently announcing that they will implement their own individual data collection tools and phase out others. This approach may or may not be compatible with our current operations in those channels and platforms. It is yet to be determined if there will be an industry-wide framework for targeting consumers in a digital environment. Furthermore, regulatory and legislative actions may influence which data collection tools are permitted in various jurisdictions and may further restrict our data collection efforts. Without this incremental data, we may not have sufficient insight into the consumer’s activity to provide some of our current tools, which may impact our capacity to execute our customers’ programs efficiently and effectively.
Consumers can, with increasing ease, implement technologies that limit our ability to collect and use data to track and deliver our solutions across different marketing channels and platforms. Various digital tracking tools may be deleted or blocked by consumers. Several internet browsers also allow consumers to modify their browser settings to block first-party cookies (placed directly by the publisher or website owner that the consumer intends to interact with), which are not affected by changes from web browsers and operating systems, or third-party cookies (placed by parties that do not have direct relationship with the consumer), which some browsers may block by default. Mobile devices using Android and iOS operating systems limit the ability of cookies, or similar technology, to track consumers while they are using applications other than their web browser on the device. Even if cookies and ad blockers do not ultimately have an adverse effect on our business, investor concerns about the utility and robustness of these tracking technologies could limit demand for our stock and cause its price to decline.
We also partner with third-party data suppliers and publishers. When we purchase or license from third-party data suppliers, we are dependent upon our ability to obtain such data on commercially reasonable terms and in compliance with applicable regulations. If a substantial number of data suppliers were to withdraw or withhold their data from us, or if we had to terminate our ties with data suppliers either due to commercial or regulatory reasons, our ability to provide products to our customers could be materially adversely impacted, which could result in decreased revenues and operating results. We cannot provide assurance that we will be successful in maintaining our relationships with these external data source providers or that we will be able to continue to obtain data from them on acceptable terms or at all. Furthermore, we cannot provide assurance that we will be able to obtain data from alternative sources if our current sources become unavailable.
Actual or perceived failures to comply with applicable data protection, privacy, security and technology laws, regulations, standards and other requirements could adversely affect our business, results of operations, and financial condition and the price of our Class A Common Stock.
The global data protection landscape is rapidly evolving, and we are or may become subject to numerous state, federal and foreign laws, requirements and regulations governing the collection, use, disclosure, retention, and security of personal information and the regulation of technology more broadly. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business. This evolution may create uncertainty in our business, affect our ability to operate in certain jurisdictions or to collect, store, transfer use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulations, our internal policies and procedures or our contracts governing our processing of personal information could result in negative publicity, regulatory and government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our operations, financial performance and business. For example, a short seller report published in November 2024 included claims around a perceived failure of our data collection practices to comply with potential changes to applicable laws, adversely impacting the price of our Class A Common Stock. See “Risks Related to Public Reporting Matters and an Investment in Our Class A Common Stock–Short sellers of our stock may be manipulative and may drive down the market price of our Class A Common Stock, harm our brand and reputation, and negatively impact our business, operating results and financial condition.”
In the U.S., numerous state laws impose standards relating to the privacy, security, transmission and breach reporting of personal information. Such laws and regulations are subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us, our customers and our strategic partners. For example, the CCPA requires in-scope businesses to, among other things: provide certain disclosures to California residents regarding the business’s collection, use, and disclosure of their personal information; receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt-out of certain disclosures of their personal information; and enter into specific contractual provisions with service providers that process California resident personal information on the business’s behalf. The CCPA also provides for civil penalties for violations, as well as a private right of action for certain data breaches suffered as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices, and this may lead to breach litigation. Similar state comprehensive data privacy laws are in effect and enforceable in other states and have been proposed in additional states, which creates a patchwork of overlapping but different state laws. Additionally, state regulators may exercise greater scrutiny regarding the collection and processing of personal information for purposes of online advertising, marketing, and analytics. These laws and their requirements could have a material adverse effect on our financial performance, and any liability from failure to comply with the requirements of these laws could adversely affect our financial condition. Beginning in 2026, the California Delete Act will require certain entities to delete data relating to California consumers at their request through a state-owned portal. The impacts of this law will not be fully known until late 2026, but it could potentially decrease our ability to reach California consumers.
In addition, the Federal Trade Commission (“FTC”) and many state Attorneys General continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination and security practices that appear to be unfair or deceptive. The FTC sees failure to take appropriate steps to keep consumers’ personal information secure as constituting unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company’s data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. The FTC has in recent years conducted enforcement actions against other companies that created new precedents that may require us to adjust our business practices. Future FTC enforcement actions against marketing companies could result in more material impacts to us.
Our communications with consumers are also subject to certain laws and regulations, including the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act, the Telephone Consumer Protection Act (the “TCPA”), and the Telemarketing Sales Rule and analogous state laws, that could expose us to significant damages awards, fines and other penalties that could materially impact our business. For example, the TCPA imposes various consumer consent requirements and other restrictions in connection with certain telemarketing activity and other communication with consumers by phone, fax or text message. As such, the actual or perceived improper calling of customer phones or sending of text messages may subject us to potential risks, including liabilities or claims relating to the TCPA. Further, the FTC and the Federal Communications Commission have been active in expanding regulatory and enforcement activities related to TCPA-covered practices. State laws have created additional requirements and penalties for violations relating to telemarketing and SMS marketing. Numerous class-action suits under federal and state laws have been filed against companies who conduct telemarketing and/or SMS texting programs, with many resulting in multi-million-dollar settlements to the plaintiffs. Any future such litigation against us could be costly and time-consuming to defend. In particular, the TCPA and related state laws impose significant restrictions on the ability to make telephone calls or send text messages to mobile telephone numbers without the prior consent of the person being contacted. The CAN-SPAM Act and the Telemarketing Sales Rule and analogous state laws also impose various restrictions on marketing conducted using email, telephone, fax or text message. Additional laws, regulations, and standards covering marketing, advertising, and other activities conducted by telephone, email, mobile devices, and the internet may be or become applicable to our business, such as the Communications Act, the Federal Wiretap Act, the Electronic Communications Privacy Act, and similar state consumer protection and communication privacy laws, such as California’s Invasion of Privacy Act. Litigation targeting standard commercial online marketing practices under such laws and other state or federal wiretapping, video privacy, or invasion of privacy statutes has proliferated since 2024, and is expected to continue through 2026. We or our clients have and may in the future have to defend or settle related lawsuits. As laws and regulations, including FTC enforcement, rapidly evolve to govern the use of these communications and marketing platforms, the failure by us, our employees or third parties acting at our direction to abide by applicable laws and regulations could adversely impact our business, financial condition and results of operations or subject us to fines or other penalties.
New requirements relating to automated, browser-based, or one-stop opt-out mechanisms (“OOMs”) such as the Global Privacy Control, the Delete Request and Opt-Out Platform (“DROP”) established under the California Delete Act, or other OOMs that will be established in the future may result in significantly larger numbers of consumers opting out of having their data used for marketing purposes versus historical averages. This could result in Zeta having less access to consumer data, impacting performance of our services or resulting in loss of business.
Our operations abroad may also be subject to increased scrutiny or attention from data protection authorities. For example, in Europe, we are subject to the European Union General Data Protection Regulation (the “EU GDPR”) and the United Kingdom’s General Data Protection Regulation and the Data Protection Act 2018 (the “UK GDPR”) (the EU GDPR and UK GDPR, together referred to as the “GDPR”), which impose strict requirements for processing the personal data of individuals within the EEA and the UK. Companies that must comply with the GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements and potential fines for noncompliance. Since we are subject to the supervision of relevant data protection authorities under both the EU GDPR and the UK GDPR, we could be fined under each of these regimes independently, in respect of the same breach. Penalties for certain breaches are up to €20 million / £17.5 million or 4% of the annual global revenues of the noncompliant company, whichever is greater.
Among other requirements, the GDPR also regulates transfers of personal data out of the EEA and/or the UK to third countries that have not been found to provide adequate protection to such personal data, including the U.S. In relation to such cross border transfers of personal data, we expect the existing legal complexity and uncertainty regarding international data transfers to continue and international transfers to the U.S. and other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results.
We are also subject to evolving EU and UK privacy laws on cookies, tracking technologies and e-marketing. The GDPR, ePrivacy Directive (and its local implementations) and PECR impose conditions on obtaining valid consent for cookies, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. Recent European court and regulator decisions are driving increased attention to cookies and tracking technologies as well as to standards for consent. If the trend of increasing enforcement by regulators of the strict approach to opt-in consent for all but essential use cases, as seen in recent guidance and decisions continues, this could lead to additional costs, require systems changes, limit the effectiveness of our marketing and personalization offerings, divert the attention of our technology personnel, adversely affect our margins, and subject us to additional liabilities. In light of the complex and evolving nature of EU, EU Member State and UK privacy laws on cookies and tracking technologies, there can be no assurances that we will be successful in our efforts to comply with such laws and violations of such laws could result in regulatory investigations, fines, orders to cease / change our use of such technologies, as well as civil claims including class actions, and reputational damage.
Increased scrutiny regarding the use of such technologies and the use of personal data for online advertising practices, together with adverse rulings on these issues, even if not directly against us, may have a direct impact on our ability to continue to collect and process personal data for the services that we provide and could adversely impact our business activities. Providers of major browsers could change, eliminate or restrict the usage of third-party cookies to track user behaviors, and allow users to limit the collection of certain data generally or from specified websites, which could impair our ability to collect user information, including personal data and usage information, that helps us provide more targeted advertising to our current and prospective consumers. The effectiveness of our platform relies in part on our ability to collect and use online data, so these changes could adversely affect our business.
In Canada, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and various provincial laws require that companies give detailed privacy notices to consumers, obtain consent to use personal information, with limited exceptions, allow individuals to access and correct their personal information, and report certain data breaches. Failure to comply with PIPEDA or other Canadian provincial privacy or data protection laws could result in significant fines and penalties or possible damage awards.
Our data-driven platform may also be subject to laws and evolving regulations regarding the provision of digital services as well as the use of AI and machine learning in such digital services, controlling for data bias, and antidiscrimination. For example, in addition to enforcing Section 5 of the FTC Act, the FTC enforces the Fair Credit Reporting Act, and the Equal Credit Opportunity Act. These laws prohibit unfair and deceptive practices, including use of biased algorithms in AI. In Europe, the EU Artificial Intelligence Act (the “EU AI Act”) establishes a comprehensive, risk-based governance framework for AI in the EU market, and the EU Digital Services Act (“DSA”) and the UK Digital Markets, Competition and Consumer Act 2024 (“DMCCA”) include, among other obligations, requirements related to digital services including content hosting requirements. The EU Network and Information Security 2 Directive (“NIS 2”) and its EU Member State implementations impose requirements on cloud computing services (including SaaS) providers, and the EU Data Act establishes requirements for providers of data processing services (including cloud and SaaS) into the EU, including requirements to facilitate customers switching to other providers/on-premise solutions and porting their data within certain timeframes (and affecting potential charges as well as mandatory contract terms), which may also impact revenue recognition practices. These laws and regulations may increase compliance costs, require changes to our processes, operations, and business practices which may adversely affect our ability to attract, retain and provide our services to customers, and may otherwise adversely affect our business, operations and financial condition including by exposing us to liability to monetary penalties and some private rights of action. In addition, if federal, state or international regulators were to determine that the type of data we collect, the process we use for collecting this data or how we use it unfairly discriminates against some groups of people, laws and regulations could be interpreted or implemented to prohibit or restrict our collection or use of this data. Additionally, existing and future laws, and evolving attitudes about privacy protection and technology regulation may impair our ability to collect, use, and maintain data points of sufficient type or quantity to develop and train our AI algorithms.
In the European Union, we are also indirectly subject to the requirements of the Digital and Operational Resilience Act (“DORA”) in the EU, as contractually imposed on us, by customers that are financial institutions directly subject to DORA. Consequently, we have an increased compliance burden in this regard, which may require additional resources and incur costs, and non-compliance may result in breach of contract claims and possible loss of business from certain DORA regulated customers.
Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another or other legal obligations with which we must comply. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in the imposition of significant civil and/or criminal penalties, damage in our reputation, private litigation, and restrictions on data processing.
Any unfavorable publicity or negative public perception of current data collection practices has in the past adversely impacted the price of our Class A Common Stock and could in the future harm our business, results of operations, financial condition and the price of our Class A Common Stock, including from additional regulations which may impact the effectiveness of our data cloud and platform.
The growth of the digital marketing industry has led to increased scrutiny from consumer groups, government agencies and news organizations. Negative publicity about the digital marketing industry as a whole or about an individual actor, regardless of the accuracy, could harm our business, results of operations and financial condition, and negatively affect the price of our Class A Common Stock. For example, in recent years, consumer advocates, mainstream media and elected officials have increasingly and publicly criticized the digital marketing industry for its collection, storage and use of data. Also, a short seller report published in November 2024 included claims about our data collection practices, adversely impacting the price of our Class A Common Stock. See “Risks Related to Public Reporting Matters and an Investment in Our Class A Common Stock–Short sellers of our stock may be manipulative and may drive down the market price of our Class A Common Stock, harm our brand and reputation, and negatively impact our business, operating results and financial condition.” Furthermore, government agencies have recently been, and may continue to be, more active in regulating and enforcing rules that relate to the collection, use, sharing and disclosure of data.
As we process transactions through our platform, we collect large amounts of data about consumers and advertisements that we place. We collect data on ad specifications (such as placement, size and format), pricing and auction activity (such as price floors, bid response behavior and clearing prices). Further, we collect data on consumers that does not directly identify the individual (although considered personal information under the CCPA and other U.S. laws, GDPR, and other laws), including browser, device location and characteristics, online browsing behavior, exposure to and interaction with advertisements, and inferential data about purchase intentions and preferences. Data providers also send us proprietary data, including data about consumers. We aggregate this data and analyze it in order to enhance our product, including the pricing, placement and scheduling of advertisements. Evolving regulatory standards could place restrictions on the collection, management, aggregation and use of the types of data we collect, which could result in a material increase in the cost of collecting or otherwise obtaining certain kinds of data and could limit the ways in which we may use or disclose data. In addition, regulations such as the GDPR permit data protection authorities to impose penalties for violations. Any new and unforeseen regulatory limitations on our operations could impair our ability to deliver effective solutions to our customers, which could adversely affect our business, operating results and financial condition.
An unauthorized or inadvertent disclosure or breach of confidential and/or personal information we process or control, or a security breach of our or our customers’, suppliers’, or other partners’ IT Systems could be detrimental to our business, reputation, financial performance and results of operations.
In addition to internal technology, including proprietary software, databases, and other intellectual property, we also rely on computer hardware purchased or leased from, software licensed from, content licensed from and services provided by a variety of third parties, which include databases, operating systems, virtualization software, tax requirement content and geolocation content and services (collectively, “IT Systems”). The nature of our business means that we process large databases of personal information, including maintaining and storing large databases of such information, not only on our own behalf, but also on our customers’ and others’ behalf. As a result, we face numerous and evolving cybersecurity risks that threaten the confidentiality, integrity and availability of our IT Systems, and personal and confidential information. Such risks include the misappropriation of data by diverse threat actors such as malicious insiders, state-sponsored organizations, opportunistic hackers or hacktivists or other unauthorized third parties, or other data breaches. Such parties could attempt to gain entry to our or our vendor’s IT Systems (including by gaining employment at Zeta) for the purpose of stealing data, including confidential information or personal information, or breaching our security systems or other IT Systems. In particular, we (and certain of our third-party providers), like other organizations, especially in the digital marketing industry and marketing technology industry, are routinely subject to attempts by such threat actors (e.g., cybersecurity threats, attempted data privacy breaches, or other incidents), which if successful, may result in either threatened or actual exposure leading to unauthorized access, disclosure and misuse of confidential information, personal information or other information regarding customers, suppliers, partners, vendors, employees, or our company and business. Cyberattacks are expected to accelerate on a global basis in frequency and magnitude as threat actors are becoming increasingly sophisticated in using techniques and tools, including AI, that circumvent security controls, evade detection and remove forensic evidence. As a result, we may be unable to detect, investigate, remediate or recover from future attacks or incidents, or to avoid a material adverse impact to our IT Systems or information.
Even where we have invested in security measures, a breach may be due to employee error, malfeasance, system errors or vulnerabilities, including vulnerabilities of our customers, vendors, suppliers, their products, or otherwise. Third parties may also attempt to fraudulently induce employees to disclose sensitive information or credentials that permit access to sensitive information through processes like social engineering or phishing. This includes disclosing data such as usernames, passwords or other information to gain access to our customers’ data or our data, including intellectual property and other confidential information. Employee-related risks are increased by remote and hybrid working arrangements at our company (and at third-party providers) which increase cybersecurity risks due to the challenges associated with managing remote computing assets and security vulnerabilities that are present in many non-corporate and home networks. Third parties and threat actors also may attempt to extort us through a ransomware or other similar form of attack by encrypting information IT Systems, rendering our IT Systems inoperable, or stealing intellectual property, confidential information, personal information, or other sensitive data, and demanding payment in return. Techniques used to obtain unauthorized access to, or sabotage IT Systems, change frequently, grow more complex over time, and often are not recognized until launched against a target. Additionally, any integration of AI in our or any third party’s operations, products or services is expected to pose new or unknown cybersecurity risks and challenges. Given the unpredictability of the timing, nature and scope of cybersecurity attacks and other security-related incidents, our technology may fail to adequately secure the data, including confidential information and personal information we maintain, and we cannot entirely eliminate the risk of improper or unauthorized access to or disclosure of such data, other security events that impact the integrity or availability of such data, or our IT Systems and operations and any data contained in such systems and operations. We may incur significant costs in protecting against or remediating such events, including cyber-attacks. Any security breach could result in operational disruptions that impair our ability to meet our customers’ requirements, which could result in decreased revenue. We carry insurance comparable to our industry. However, we cannot guarantee that our insurance coverage will be sufficient to cover all costs and liabilities incurred in relation to a security breach, or that applicable insurance will be available to us in the future on economically reasonable terms or at all.
Whether there is an actual or a perceived breach of our security, our reputation could suffer irreparable harm, causing our current and prospective customers to reject our products in the future, deterring data suppliers from supplying us data or customers from uploading their data on our platform, or changing customers’ behaviors and use of our technology. Further, we could be forced to expend significant resources in response to a security breach, including those expended in notifying individuals and providing mitigating solutions, repairing system damage, increasing cyber security protection costs by deploying additional personnel and protection technologies, and litigating and resolving legal claims (including class actions) or governmental inquiries and investigations, all of which could divert the attention of our management and key personnel away from our business operations.
We depend on third-party data centers, systems and technologies to operate our business, the disruption of which could adversely affect our business, operating results and financial condition.
Any damage to or failure of our IT Systems generally would prevent us from operating our business. We rely on data centers and third-party technology vendors in order to operate our business, and we host our company-owned infrastructure at third-party data centers. We are also dependent on third-party providers to provide industry standard protection against potential damages such as cyber intrusions, natural disasters, criminal acts and technical maintenance. In the event of damage or interruption to IT Systems, it is unlikely that we would be appropriately compensated for the reputational harm that such an interruption would create regardless of any damages we may recover from such third parties or any insurance policy in place. This would in turn reduce our revenue, subject us to liability and may cause us to lose customers, any of which could materially adversely affect our business.
Additionally, improving our platform’s infrastructure and expanding its capacity in anticipation of growth in new channels and formats, as well as implementing technological enhancements to our platform to improve its efficiency and cost-effectiveness are key components of our business strategy, and if our third-party data centers are unable to keep up with our growing needs for capacity, this could have an adverse effect on our business. Any changes in the service levels at our third-party data centers or any errors, service interruptions, defects, disruptions, or other performance problems could adversely affect our reputation, expose us to liability, cause us to lose customers, or otherwise adversely affect our business, operating results and financial condition. Any software and hardware errors, misconfigurations, bugs or defects in such IT Systems could result in errors or a failure of our solutions, which could harm our business. Additionally, we cannot ensure that these third-party leases or licenses, or support for such leased or licensed products and technologies, will continue to be available to us on commercially reasonable terms, if at all. We cannot be certain that our suppliers or licensors are not infringing the intellectual property rights of others or that our suppliers and licensors have sufficient rights to the technology in all jurisdictions in which we may operate. In the future, we might need to license other hardware, software, content or services to enhance our products and meet evolving customer requirements. Any inability to license or otherwise obtain such hardware or software could result in a reduction in functionality, or errors or failures of our products, until equivalent technology is either developed by us or, if available, is identified, obtained through purchase or license, and integrated into our solutions, any of which may reduce demand for our solutions and increase our expenses. In addition, third-party licenses may expose us to increased risks, including risks associated with the integration of new technology, the diversion of resources from the development of our own proprietary technology, and our inability to generate revenue from new technology sufficient to offset associated acquisition and maintenance costs, all of which may increase our expenses and harm our results of operations.
If we fail to detect or prevent fraud or malware intrusion on our platform, devices, or systems, or into the systems or devices of our customers and their consumers, publishers could lose confidence in our platform, and we could face legal claims and regulatory investigations, any of which could adversely affect our business, operating results and financial condition.
We may be the target of fraudulent or malicious activities undertaken by persons seeking to use our platform for improper purposes. For example, someone may attempt to divert or artificially inflate customer purchases through our platform or attempt to disrupt or divert the operation of the systems and devices of our publishers and their consumers in order to misappropriate information, generate fraudulent billings or stage cyberattacks, or other unauthorized or illicit purposes. Those activities could also introduce malware through our platform in order to commandeer or gain access to confidential information or personal information. We use third-party tools and proprietary technology to identify non-human traffic and malware, and we may reduce or terminate relationships with customers that we find to be engaging in such activities. However, there can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. Perpetrators of fraudulent impressions and malware frequently change their tactics and may become more sophisticated over time, requiring both us and third parties to improve processes for assessing the quality of publisher inventory and controlling fraudulent activity. In the meantime, new or changing data privacy laws (in particular outside the EU, UK and the U.S.) could potentially interfere with the data collection required in order to detect fraud. If we fail to detect or prevent fraudulent or malicious activity of this sort, our reputation could be damaged, customers may contest payment, demand refunds or fail to give us future business, or we could face legal claims or investigations from customers or regulators. Even if we are not directly involved in fraud or malicious activity, any sustained failures of others in our industry to adequately detect and prevent fraud could generate the perception that digital marketing is unsafe and lead our customers to avoid digital marketing products like ours.
The standards that private entities and inbox service providers adopt in the future to regulate the use and delivery of email may interfere with the effectiveness of our platform and our ability to conduct business.
Our business is dependent on email services for promoting our customers’ brands, products and services. Other private entities often advocate standards of conduct or practices that significantly exceed current legal requirements and classify certain solicitations that comply with current legal requirements as impermissible “spam.” Some of these entities maintain “blacklists” of companies and individuals, and the websites, inbox service providers and IP addresses associated with those entities or individuals that do not adhere to those standards of conduct or practices for commercial solicitations that the blacklisting entity believes are appropriate. If a company’s IP addresses are listed by a blacklisting entity, emails sent from those addresses may be blocked if they are sent to any internet domain or internet address that subscribes to the blacklisting entity’s service or uses its blacklist.
From time to time, some of our IP addresses have become, and we expect will continue to be, listed with one or more blacklisting entities due to the messaging practices of our customers and other users. We may be at an increased risk of having our IP addresses blacklisted due to our scale and volume of emails processed, compared to our smaller competitors. While the overall percentage of such email solicitations that our individual customers send may be at or below reasonable standards, the total aggregate number of all emails that we process on behalf of our customers may trigger increased scrutiny from these blacklisting entities. There can be no guarantee that we will be able to successfully remove ourselves from those lists. Because we fulfill email delivery on behalf of our customers, blacklisting of this type could undermine the effectiveness of our customers’ transactional email, email marketing programs and other email communications, all of which could have a material negative impact on our business, financial condition and results of operations.
Inbox service providers can also block emails from reaching their users. While we continually improve our own technology and work closely with inbox service providers to maintain our deliverability rates, the implementation of new or more restrictive policies by inbox service providers may make it more difficult to deliver our customers’ emails, particularly if we are not given adequate notice of a change in policy or struggle to update our platform to comply with the changed policy in a reasonable amount of time. In addition, some inbox service providers categorize as “promotional” emails that originate from email service providers and, as a result, direct them to an alternate or “tabbed” section of the recipient’s inbox. If inbox service providers materially limit or halt the delivery of our customers’ emails, or if we fail to deliver our customers’ emails in a manner compatible with inbox service providers’ email handling or authentication technologies or other policies, or if the open rates of our customers’ emails are negatively impacted by the actions of inbox service providers to categorize emails, then customers may question the effectiveness of our platform and cancel their accounts.
Additionally, changes in the laws or regulations that limit our ability to send such communications or impose additional requirements upon us in connection with sending such communications would also materially adversely impact our business. For example, Canada’s Anti-Spam Legislation (“CASL”) prohibits email marketing without the recipient’s consent, with limited exceptions. In addition, electronic marketing and privacy requirements in the EU and UK are highly restrictive and differ greatly from those currently in force in the U.S., which could cause fewer individuals in the EU and UK to subscribe to our marketing messages and drive up our costs and risk of regulatory oversight and fines if we are found to be non-compliant. These restrictions could prevent us from obtaining enough data to produce effective marketing results for our customers in these markets. Our use of email and other messaging services to send communications to consumers may also result in legal claims against us, for which we may incur increased expenses, and if successful might result in fines and orders with costly reporting and compliance obligations or might limit or prohibit our ability to send emails or other messages. We also rely on social networking messaging services to send communications and to encourage consumers to send communications. Changes to the terms of these social networking services to limit promotional communications, any restrictions that would limit our ability or our customers’ ability to send communications through their services, disruptions or downtime experienced by these social networking services or decline in the use of or engagement with social networking services by our customers’ end consumers could materially and adversely affect our business, financial condition and operating results.
Failure to comply with industry self-regulation could adversely affect our business, operating results and financial condition.
In addition to complying with government regulations, we participate in trade associations and industry self-regulatory groups that promote best practices or codes of conduct addressing data privacy. We also have agreed to follow certain practices as contractual obligations to customers (e.g. marketing agencies). We are a member of the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising in the U.S., as well as the Digital Advertising Alliance of Canada (“DAAC”) in Canada and the European Interactive Digital Advertising Alliance (“EDAA”) in Europe. Under the rules of these bodies, in addition to other compliance obligations, we are required to participate in the AdChoices program (and other similar programs), which provides consumers a single online interface to obtain information about and manage data collection by online third parties such as us. These bodies investigate non-compliance and report significant instances of non-compliance to regulatory authorities such as the FTC or data protection authorities in Europe. As new legislation comes into effect, self-regulatory programs may change their requirements based on such legislation, which adds complexity and costs for companies to maintain compliance. If we fail to keep up with or to properly implement such changes, we could become subject to regulatory investigations, fines and legally-mandated corrective actions.
Our intellectual property rights may be difficult to enforce and protect, which could enable others to copy or use aspects of our technology without compensating us, thereby eroding our competitive advantage and having an adverse effect on our business, operating results and financial condition.
Our success depends, in part, on our ability to protect the confidentiality of, and intellectual property rights in, our proprietary methods, technologies, and content that we develop or otherwise acquire, so that we can prevent others from using them. If we fail to protect such intellectual property rights adequately, or are otherwise required to disclose our proprietary methods, technologies and/or content, our competitors may gain access and our business might be adversely affected.
Policing unauthorized use of our technology is difficult and costly. In addition, the laws of some foreign countries may not be as protective of intellectual property rights as those of the U.S., and mechanisms for enforcement of our proprietary rights in such countries may be inadequate. If we are unable to protect our proprietary rights (including in particular, the proprietary aspects of our platform) we may find ourselves at a competitive disadvantage to others who have not incurred the same level of expense, time and effort to create, protect and enforce their intellectual property.
We rely upon a combination of trade secrets, third-party confidentiality and non-disclosure agreements, additional contractual protections including those in agreements with business partners and customers, and trademark, copyright, patent and other intellectual property laws to establish and protect our proprietary technology and intellectual property rights. Establishing, maintaining and enforcing intellectual property rights can be difficult, time consuming, and expensive and despite our efforts to establish and maintain our intellectual property, the applicable laws may provide only a limited scope of protection. It may be possible for unauthorized third parties to copy or reverse engineer aspects of our technology or otherwise obtain and use information that we regard as proprietary, or to develop technologies similar or superior to our technology or design around our proprietary rights, despite the steps we have taken to protect our proprietary rights. Our trade secrets, know-how and other proprietary information may be stolen, used in an unauthorized manner, or compromised through an intrusion by private parties or foreign actors into our computer systems. In addition, theft or misuse of our proprietary information could still occur by employees or contractors who have access to our technology despite the agreements we have in place with such employees and contractors that restrict the use and disclosure of our information and technology and although we enter into non-disclosure agreements with our customers, consultants, suppliers and other parties with whom we have strategic relationships and business alliances and enter into intellectual property assignment agreements with our consultants and suppliers, no assurance can be given that these agreements will not be breached.
While we have issued patents and have patent applications pending, we may be unable to obtain patent protection for the technology covered in our patent applications or such patent protection may not be obtained quickly enough to meet our business needs. Furthermore, the patent prosecution process is expensive, time-consuming and complex, and we may not be able to prepare, file, prosecute, maintain and enforce all necessary or desirable patent applications at a reasonable cost or in a timely manner. The scope of patent protection also can be reinterpreted after issuance and issued patents may be invalidated. Even if our patent applications do issue as patents, they may not issue in a form that is sufficiently broad to protect our technology, prevent competitors or other third parties from competing with us or otherwise provide us with any competitive advantage.
We may be subject to intellectual property rights claims by third parties, which are costly to defend, could require us to pay significant damages and could limit our ability to use our technology or intellectual property.
We operate in an industry with an extensive history of intellectual property litigation. There is a risk that our business, platform and solutions may infringe or be alleged to infringe the trademarks, copyrights, patents and other intellectual property rights of third parties, including patents held by our competitors or by non-practicing entities. We may also face allegations that our employees have misappropriated or divulged the trade secrets or other confidential information of their former employers or other third parties. Regardless of whether any of these claims have any merit, evaluating and defending these claims, including potentially challenging or attempting to invalidate the other party’s patents, is costly, time consuming, and diverts management attention and financial resources. Results of these litigation matters are difficult to predict, and we may not be successful in defending ourselves in such matters. If our defense is unsuccessful, or we are not successful in challenging or invalidating the patents of the third party claiming infringement, we may be required to stop offering some features, purchase licenses, which may not be available on favorable terms or at all, or modify our technology or our platform while we develop non-infringing substitutes, or incur significant settlement costs. Additionally, we may be obligated to indemnify our customers or inventory and data suppliers in connection with any such litigation. Any of these events could have an adverse effect on our business, operating results and financial condition.
Our failure to meet content and inventory standards and provide products that our customers and third-party suppliers trust, could harm our brand and reputation and negatively impact our business, operating results and financial condition.
We do not provide or control either the content of the advertisements we serve or that of the websites providing the inventory. Our customers provide the content and third-party suppliers provide the inventory. Both marketers and third-party suppliers are concerned about being associated with content they consider inappropriate, competitive or inconsistent with their brands, or illegal and they are hesitant to spend money without guaranteed brand security. Additionally, our customers may seek to display marketing campaigns in jurisdictions that do not permit such campaigns. Our customers and third-party suppliers will often include provisions in their contracts that restrict the type of content that can be run in marketing campaigns. Inadvertently, we may serve such restricted ad content, or the advertisements we serve may contain malware, which could harm our or our customers’ brand and reputation, harm our relationships with our inventory suppliers and negatively impact our business, financial condition and operating results. Accordingly, a part of our business strategy is our ability to convince our customers that their brand and image are safe within our ecosystem. While we have established rules and guidance on how our platform is to be used, including prohibiting the display of content that is illegal, and we also utilize third-party software that looks for malware in all of our marketing campaigns, we cannot guarantee that we will be able to capture all violating media before it is posted. It is therefore possible that our customers may run a campaign that does not conform to our standards. If this were to happen, we may be liable to the customer for damages and incur costs associated with remediating the issue. Further, if this were to happen it could harm our and/or our customers’ brand and reputation, and negatively impact our business, financial condition and operating results.
Additionally, marketing may result in litigation relating to copyright or trademark infringement, public performance royalties or other claims based on the nature and content of advertising that is distributed through our platform. Though we contractually require our customers to represent to us that they have the rights necessary to serve advertisements through our platform, we do not independently review or verify whether we are permitted to deliver, such advertisements. If any of our customers’ representations turn out to be inaccurate, we may be exposed to potential liability and our reputation may be damaged. While our customers are typically obligated to indemnify us, such indemnification may not fully cover us, or we may not be able to collect the amounts owed to us. In addition to settlement costs, we may be responsible for our own litigation costs, which can be extensive.
Our platform relies on third-party open source software components. Failure to comply with the terms of the underlying open source software licenses could expose us to liabilities, and the combination of open source software with code that we develop could compromise the proprietary nature of our platform.
Our platform utilizes software licensed to us by third-party authors under “open source” licenses, and we expect to continue to utilize open source software in the future. The use of open source software may entail greater risks than the use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. To the extent that our platform depends upon the successful operation of the open source software we use, any undetected errors or defects in this open source software could prevent the deployment or impair the functionality of our platform, delay new solution introductions, result in a failure of our platform and harm our reputation. For example, undetected errors or defects in open source software could render it vulnerable to breaches or security attacks, and, in conjunction, make our systems more vulnerable to data breaches.
Furthermore, some open source licenses require that proprietary source code combined with, linked to or distributed with such open source software be released to the public, and may also prohibit charging fees for the use of the software. If we combine, link or distribute our proprietary software with open source software in a specific manner, we could, under some open source licenses, be required to release the source code of our proprietary software to the public. This could also preclude us from charging license fees. This would allow our competitors to create similar solutions with lower development effort and time and ultimately put us at a competitive disadvantage.
We may use and modify certain third party generative AI models that may be made available under an open source license. In certain cases, we may train our models for our generative AI Technologies on datasets that may be open source, and we may not be certain that some licensors of certain open source datasets had sufficient rights in the underlying data to be able to make them available under an open source license. Use of such open-source generative AI technologies or datasets could introduce inaccuracies or vulnerabilities that we may be unable to anticipate, detect, or control. If the licensor for such open-source generative AI technologies developed their models by training on data that was inaccurate, biased or for which it did not have the appropriate rights, we could be subject to claims or lawsuits, including for infringement of third-party intellectual property. Sophisticated attackers may exploit vulnerabilities in open-source generative AI technologies to obtain access to our sensitive data or alter the outputs or results. In addition, any usage of open-source generative AI technologies may, under some open source licenses, require us to license our data or intellectual property to third parties and limit our ability to protect our intellectual property rights or proprietary data.
Risks Related to the Use and Development of Artificial Intelligence
We leverage new technologies and platforms to improve business effectiveness, including the use of AI technologies.
We use AI, machine learning, and automated decision-making technologies, including proprietary AI and machine learning algorithms and models (collectively, “AI Technologies”), throughout our business, and are making significant investments in this area. For example, we use AI Technologies for internal business cases and also to develop and provide certain products, including as described in the section titled “Business—AI-Native Infrastructure at Enterprise Scale.”
We expect that increased investment will be required in the future to continuously improve our use of AI Technologies. As with many technological innovations, there are significant risks involved in developing, maintaining and deploying these technologies and there can be no assurance that the usage of our investments in such technologies will always enhance our products or services or be beneficial to our business, including our efficiency or profitability.
In particular, if the models underlying our AI Technologies are incorrectly designed or implemented; trained or reliant on incomplete, inadequate, inaccurate, biased or otherwise poor quality data, or on data to which we do not have sufficient rights or in relation to which we or the providers of such data have not implemented sufficient legal compliance measures; used without sufficient oversight and governance to ensure their responsible use; or adversely impacted by unforeseen defects, technical challenges, cybersecurity threats or material performance issues, the performance of our products, services and business, as well as our reputation and the reputations of our customers, could suffer, or we could incur liability resulting from the violation of laws or contracts to which we are a party or civil claims.
With respect to our products or services that incorporate AI Technologies, the market for such products and services is rapidly evolving, and important assumptions about the characteristics of targeted markets, pricing, sales cycles, cost, performance, and perceived value associated with our services or products may be inaccurate. We cannot be sure that the market will continue to grow or that it will grow in ways we anticipate. In addition, market acceptance of products and services that incorporate AI Technologies is uncertain. Our failure to successfully develop and commercialize our products or services involving AI Technologies could depress the market price of our stock and impair our ability to raise capital, expand our business, provide, improve and diversify our product offerings, continue our operations and efficiently manage our operating expenses, and respond effectively to competitive developments.
In addition to our proprietary AI Technologies, we use AI Technologies licensed from third parties in our technologies, including under our partnership with OpenAI, and our ability to continue to use such technologies at the scale we need may be dependent on access to specific third-party software and infrastructure. We cannot control the availability or pricing of such third-party AI Technologies, especially in a highly competitive environment, and we may be unable to negotiate favorable economic terms with the applicable providers. If any such third-party AI Technologies become incompatible with our solutions or unavailable for use, or if the providers of such models unfavorably change the terms on which their AI Technologies are offered or terminate their relationship with us, our solutions may become less appealing to our customers, and our business will be harmed. In addition, to the extent any third-party AI Technologies are used as a hosted service, any disruption, outage, or loss of information through such hosted services could disrupt our operations or solutions, damage our reputation, cause a loss of confidence in our solutions, or result in legal claims or proceedings for which we may be unable to recover damages from the affected provider.
Any actual or perceived failure to comply with evolving regulatory frameworks around the development and use of AI could adversely affect our business, results of operations, and financial condition.
The AI regulatory landscape is rapidly evolving, and we are or may become subject to numerous state, federal and foreign laws, requirements and regulations governing the use of AI. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business.
In the United States and internationally, AI is the subject of evolving review by various governmental and regulatory agencies, including the SEC and the FTC and amongst the states, and changes in laws, rules, directives and regulations governing the use of AI may adversely affect the ability of our business to use or rely on AI. For example, Congress has yet to enact meaningful AI legislation. Instead, federal policy on AI has been shaped by a series of executive orders that have shifted priorities and requirements substantially depending on the administration in power. Further, in October 2023, President Biden issued an executive order on the Safe, Secure and Trustworthy Development and Use of AI, which emphasized AI safety and security and addressed topics such as civil rights, privacy, consumer protection, and accountable federal use of AI. In January and July 2025, President Trump issued three executive orders on AI, one of which repealed President Biden’s 2023 Executive Order, shifting the focus towards removing regulatory barriers to the adoption of AI Technologies and accelerating AI deployment. In the absence of federal AI legislation, states have filled the void by enacting laws regulating different aspects of AI Technologies. For example, California has enacted laws and regulations related to AI safety protocols, reporting and transparency, among other AI-related topics. In addition, Colorado’s Artificial Intelligence Act will require developers and deployers of “high-risk” AI systems to implement certain safeguards against algorithmic discrimination (among other requirements), and the Texas Responsible Artificial Intelligence Governance Act prohibits the development and deployment of AI systems for certain purposes while establishing a regulatory sandbox. Numerous other states have enacted, passed, or are considering AI-focused legislation, creating a patchwork of regulations and a complex compliance challenge. However, the durability of these laws and the potential of additional state-level legislative activity faces uncertainty following President Trump’s December 2025 Executive Order “Ensuring a National Policy Framework for Artificial Intelligence.” This Executive Order establishes a federal policy favoring a uniform national AI regulatory framework designed to promote innovation and U.S. global competitiveness. The order directs federal agencies to identify, challenge, and potentially pre-empt state and local AI laws that are viewed as inconsistent with or burdensome to this national approach. It remains to be seen how agencies will effectuate this directive, and how states will approach AI legislation moving forward.
In Europe, the EU Artificial Intelligence Act (“EU AI Act”), entered into force establishing a comprehensive, risk-based governance framework for AI in the EU market. The majority of the substantive requirements will apply from August 2, 2026. The EU AI Act applies to companies that develop, use and/or provide AI in the EU and – dependent on the AI use case – includes requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security, accuracy, general purpose AI and foundation models, and proposes fines for breach of up to 7% of worldwide annual turnover. In addition, the revised EU Product Liability Directive came into force in December 2024, to be implemented into EU member state national law by December 2026. This Directive extends the EU’s existing strict product liability regime to AI and AI-enabled products, and facilitates civil claims in respect of harm caused by AI. Once fully applicable, the EU AI Act and the EU Product Liability Directive will have a material impact on the way AI is regulated in the EU, and together with developing guidance and/or decisions in this area, likely to affect our use of AI and our ability to provide and to improve our services, require additional compliance measures and changes to our operations and processes, result in increased compliance costs and potential increases in civil claims against us, and could adversely affect our business, operations and financial condition.
It is possible that further new laws and regulations will be adopted in the United States and in other non-U.S. jurisdictions, or that existing laws and regulations, including competition and antitrust laws, may be interpreted in ways that would limit our ability to use AI for our business, or require us to change the way we use AI in a manner that negatively affects the performance of our products, services, and business and the way in which we use AI. We may need to expend resources to adjust our products or services in certain jurisdictions if the laws, regulations, or decisions are not consistent across jurisdictions. Further, the cost to comply with such laws, regulations, or decisions and/or guidance interpreting existing laws, could be significant and would increase our operating expenses (such as by imposing additional reporting obligations regarding our use of AI). Such an increase in operating expenses, as well as any actual or perceived failure to comply with such laws and regulations, could adversely affect our business, financial condition and results of operations.
Risks Related to Our Indebtedness, Liquidity and Financial Position
Interest rate fluctuations may affect our results of operations and financial condition.
Because a substantial portion of our debt is variable-rate debt, fluctuations in interest rates could have a material effect on our business. We incur higher interest costs if interest rates increase. Interest rates were at historic lows during 2020 and 2021, when the United States Federal Reserve took several steps to protect the economy from the impact of the COVID-19 pandemic, including reducing interest rates to new historic lows. In 2022 and 2023, the United States Federal Reserve raised interest rates significantly in an effort to combat inflation. Beginning in September 2024, the Federal Reserve began reducing interest rates, though rates remain elevated compared to pre-2022 levels. Interest rates may fluctuate in the future depending on economic conditions, inflation, and Federal Reserve policy, and any increase in interest rates could have a material adverse impact on our financial condition and the levels of cash we maintain for working capital.
We may need additional capital in the future to meet our financial obligations and to pursue our business objectives. Additional capital may not be available on favorable terms, or at all, which could compromise our ability to meet our financial obligations and grow our business.
We may need to raise additional capital to fund operations in the future or to finance acquisitions or other business objectives. Such additional capital may not be available on favorable terms or at all. Lack of sufficient capital resources could significantly limit our ability to meet our financial obligations or to take advantage of business and strategic opportunities. Any additional capital raised through the sale of equity or convertible debt securities would dilute stock ownership, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our Class A Common Stock. Any debt financing we secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, we may be required to delay, reduce the scope of, or eliminate material parts of our business strategy, including potential additional acquisitions or development of new technologies and geographic expansion.
Our loan agreement contains operating and financial covenants that may restrict our business and financing activities.
As of the date hereof, we have $200.0 million outstanding under our loan and security agreement (“Senior Secured Credit Facility”) with Bank of America, N.A., dated August 30, 2024. Borrowings under this agreement are secured by substantially all of our assets. For more information on our outstanding long-term borrowings, see “Note 11. Credit Facilities” to our consolidated financial statements. This Senior Secured Credit Facility also restricts our ability, without the lender’s written consent, to, among other things:
• dispose of or sell our assets;
• make material changes in our business or management;
• consolidate or merge with other entities;
• incur additional indebtedness;
• create liens on our assets;
• pay dividends;
• make investments;
• enter into transactions with affiliates; and
• pay off or redeem subordinated indebtedness.
In addition, our Senior Secured Credit Facility contains customary minimum quarterly financial maintenance covenants.
The operating and financial restrictions and covenants in the Senior Secured Credit Facility, as well as any future financing arrangements that we may enter into, may restrict our ability to finance our operations, engage in, expand, or otherwise pursue our business activities and strategies. Our ability to comply with these or other covenants may be affected by events beyond our control, and future breaches of these or other covenants could result in a default under the Senior Secured Credit Facility. If not waived, future defaults could cause all of the outstanding indebtedness under the Senior Secured Credit Facility to become immediately due and payable, and our access to further credit under the Senior Secured Credit Facility may terminate. If we do not have or are unable to generate sufficient cash to repay our debt obligations when they become due and payable, either upon maturity or in the event of a default, we would be required to obtain additional debt or equity financing, which may not be available on favorable terms, or at all, which may negatively impact our ability to operate and continue our business as a going concern.
Risks Related to Certain Tax Matters
Our tax liabilities may be greater than anticipated.
The U.S. and non-U.S. tax laws applicable to our business activities are subject to interpretation and are changing. We are subject to audit by the Internal Revenue Service and by taxing authorities of the state, local and foreign jurisdictions in which we operate. Our tax obligations are based in part on our corporate operating structure, including the manner in which we develop, value, use and hold our intellectual property, the jurisdictions in which we operate, how tax authorities assess revenue-based taxes such as sales and use taxes, the scope of our international operations, and the value we ascribe to our intercompany transactions. Taxing authorities may challenge our tax positions and methodologies for valuing developed technology or intercompany arrangements, regarding the collection of sales and use taxes, and determining the jurisdictions in which we are subject to taxes, any of which could expose us to additional taxes. Any adverse outcomes of such challenges to our tax positions could result in additional taxes for prior periods, interest and penalties, as well as higher future taxes.
Additionally, our future effective tax rates could be adversely affected by changes in tax laws (including tax treaties) or their interpretation. For example, the Inflation Reduction Act, passed on August 16, 2022, included a 15% corporate minimum tax applicable to tax years beginning after December 31, 2022 and a 1% excise tax on certain stock repurchases by U.S. corporations. We do not believe the corporate minimum tax will materially impact our effective tax rate or tax liability. The 1% excise tax is imposed on the repurchasing corporation itself, not its stockholders from which shares are repurchased. The amount of the excise tax is generally 1% of the fair market value of the shares repurchased at the time of the repurchase, subject to certain exceptions and netting rules. Further, on July 4, 2025, H.R. 1, the “One Big Beautiful Bill Act” (the “OBBBA”), was signed into law in the United States, which includes revisions to key business tax provisions such as the expansion of rules related to deductibility of executive compensation, the reinstatement of bonus depreciation deductions for qualified property, the restoration of EBITDA-based business interest expense limitation and the implementation of changes relating to the computation of certain taxes in respect of non-US activities. We are currently assessing the impact of the OBBBA on us.
Furthermore, over 140 member jurisdictions of the G20/Organization for Economic Co-operation and Development (“OECD”) have agreed to participate in an accord commonly referred to as “Pillar Two” to set a minimum global corporate tax rate of 15%. Although many member jurisdictions have advanced Pillar Two by enacting legislation and issuing additional guidance in connection with the implementation of Pillar Two, this initiative remains under negotiation and continues to evolve. For example, in response to concerns raised by the United States, the OECD recently released a “side-by-side” framework under which certain U.S.-parented multinational enterprises may be exempt from Pillar Two. However, the precise contours of this side-by-side arrangement, as well as the details about its implementation by specific jurisdictions, are uncertain, and it is unclear what impact, if any, adoption of Pillar Two guidelines (including the side-by-side framework) and their implementations may have on taxes applicable to us. We are continuing to evaluate Pillar Two and the side-by-side framework and to assess their potential impact on future periods.
We are currently unable to fully predict the ultimate impact of the Inflation Reduction Act, the OBBBA, and OECD requirements on our business, results of operations and financial condition. We cannot predict whether any governmental body or intergovernmental organization will enact new tax legislation, issue new regulations or guidance, or pursue other international initiatives, nor can we predict what effect such legislation, regulations, guidance, or international initiatives might have. Moreover, the determination of our provision for income taxes and other tax liabilities requires significant estimates and judgment by management, and the tax treatment of certain transactions is uncertain. Any changes, ambiguity, or uncertainty in taxing jurisdictions’ administrative interpretations, decisions, policies and positions, including the position of taxing authorities with respect to revenue generated by reference to certain digital services, could also materially impact our income tax liabilities. Although we believe we will make reasonable estimates and judgments, the ultimate outcome of any particular issue may differ from the amounts previously recorded in our financial statements and any such occurrence could adversely affect our business, results of operations and financial condition.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
We have incurred substantial net operating losses (“NOLs”) during our history. Under the rules of Sections 382 and 383 of the Internal Revenue Code of 1986, as amended, if a corporation undergoes an “ownership change,” generally defined as a greater than 50 percentage point change (by value) in its equity ownership over a rolling three-year period, the corporation’s ability to use its pre-change NOLs and other pre-change tax attributes to offset its post-change taxable income may be limited. The applicable rules generally focus on changes in ownership among stockholders considered by the rules as owning, directly or indirectly, 5% or more of the stock of a corporation, as well as changes in ownership arising from new issuances of stock by the corporation. We may experience ownership changes in the future as a result of future changes in our stock ownership, some of which changes may be outside our control. Similar provisions of state tax law may also apply to our state NOLs. As a result, if we earn net taxable income, our ability to use our pre-change NOL carryforwards to offset post-change taxable income may be subject to limitations. For these reasons, we may not be able to utilize a material portion of our NOLs and other tax attributes, which could adversely affect our future cash flows.
Risks Related to Public Reporting Matters and an Investment in Our Class A Common Stock
We may issue additional equity or debt securities in the future in order to raise capital. Additional issuances of equity securities would dilute the investment of our current stockholders and could cause the market price of our Class A Common Stock to decline, and we may also expend substantial funds to satisfy a portion of our tax withholding and remittance obligations that arise upon the vesting and/or settlement of certain of our restricted stock awards, which may have an adverse effect on our financial condition and results of operations.
Issuing additional equity securities to finance future developments and acquisitions instead of incurring additional debt would dilute the interests of our existing stockholders. Further, sales of a substantial number of shares of our Class A Common Stock, particularly sales by our directors, executive officers and significant stockholders, or the perception that these sales might occur, could depress the market price of our Class A Common Stock and impair our ability to raise additional capital through the sale of equity. Our directors, executive officers, employees and, in certain instances, other service providers, hold outstanding options, time-based and performance-based restricted stock unit awards and restricted stock under our equity incentive plans. Those shares covered by these awards and the shares reserved for future issuance under our equity incentive plans are and will become eligible for sale in the public market, subject to certain legal and contractual limitations. We cannot be certain whether and how many restricted stock units will satisfy their performance-based vesting conditions. Further, certain holders of our common stock have rights, subject to certain conditions, to require us to file registration statements covering their shares or to include their shares in registration statements that we may file for ourselves or our stockholders. We are unable to predict the effect that such sales related to the foregoing may have on the prevailing market price of our Class A Common Stock.
In addition, on August 3, 2022, the Company’s board of directors authorized withholding shares as an alternative to market sales by executives to satisfy tax withholding requirements upon vesting of restricted stock awards (“RSAs”). As such, beginning in the third quarter of 2022, we have used and may continue to use corporate cash to make required tax payments associated with the vesting of certain executive RSAs and withhold a corresponding number of shares from such executives. We anticipate that if we continue to utilize the withholding alternative, we will spend substantial funds to satisfy tax withholding and remittance obligations when we settle executive RSAs, which may have an adverse effect on our financial condition and results of operations.
We cannot guarantee that our share repurchase program will be fully consummated or that it will enhance long-term stockholder value. Share repurchases could also increase the volatility of the trading price of our Class A Common Stock and could diminish our cash reserves.
In November 2024, our Board of Directors authorized a stock repurchase and withholding program (the “2024 SRP”) of up to $100.0 million in the aggregate for repurchases of the Company’s outstanding shares of Class A Common Stock through December 31, 2026. In July 2025, the Company’s Board of Directors authorized a new stock repurchase and withholding program (the “2025 SRP”) of up to $200.0 million in the aggregate for repurchase of the Company’s outstanding Class A Common Stock through December 31, 2027. The 2025 SRP supplements the 2024 SRP. Although our board of directors has authorized these repurchase programs, the programs do not obligate us to repurchase any specific dollar amount or to acquire any specific number of shares. The actual timing and amount of repurchases remain subject to a variety of factors, including our stock price, trading volume, market conditions and other general business considerations. In addition, the terms of our Senior Secured Credit Facility impose limitations on our ability to repurchase shares. The share repurchase programs may be modified, suspended, or terminated at any time, and we cannot guarantee that the programs will be fully consummated or will enhance long-term stockholder value. The programs could affect the trading price of our stock and increase volatility, and any announcement of a termination of these programs may result in a decrease in the trading price of our stock. In addition, these programs could diminish our cash and cash equivalents and marketable securities.
Short sellers of our stock may be manipulative and may drive down the market price of our Class A Common Stock, harm our brand and reputation, and negatively impact our business, operating results and financial condition.
Short selling is the practice of selling securities that the seller does not own, but rather has borrowed or intends to borrow from a third party with the intention of buying identical securities at a later date to return to the lender. A short seller hopes to profit from a decline in the value of the securities between the sale of the borrowed securities and the purchase of the replacement shares, as the short seller expects to pay less in that purchase than it received in the sale. It is therefore in the short seller’s interest for the price of the stock to decline, and some short sellers publish, or arrange for the publication of, opinions or characterizations regarding the relevant issuer, often involving misrepresentations of the issuer’s business prospects and similar matters calculated to create negative market momentum, which may permit them to obtain profits for themselves as a result of selling the stock short.
In November 2024, a short seller issued a short report regarding Zeta, resulting in a decrease in the price of our Class A Common Stock on the day the short report was issued. Subsequently, numerous lawsuits were filed against us, against which we are vigorously defending ourselves. We believe the claims made in the report are without merit. Regardless of the merit of such claims, defending against them could cost us a significant amount of time and money, result in negative publicity, and/or adversely affect the price of our Class A Common Stock. In addition, if any claims or proceedings are decided against us or we pay a settlement, our financial condition and results of operations could be adversely affected. For additional information, see Item 3 of this Annual Report on Form 10-K.
In addition, we may be the subject of additional concerted efforts by short sellers to spread negative information in order to gain a market advantage. In addition, the publication of misinformation may also result in the loss of customers or in further lawsuits, the uncertainty and expense of which could harm our brand and reputation and negatively impact our business, operating results and financial condition. There are no assurances that we will not face further short sellers’ efforts or similar tactics in the future, and the market price of our Class A Common Stock may decline as a result of their actions.
The nature of our business requires the application of accounting guidance that requires management to make estimates and assumptions. Reported results under GAAP may vary from key metrics used to measure our business. Additionally, changes in accounting guidance may cause us to experience greater volatility in our quarterly and annual results.
We prepare our consolidated financial statements to conform to United States Generally Accepted Accounting Principles (“GAAP”). These accounting principles are subject to interpretation by the SEC, Financial Accounting Standards Board (“FASB”), and various bodies formed to interpret and create accounting rules and regulations. Accounting standards, such as ASC 606—Revenue from Contracts with Customers or ASC 842—Leases, or the guidance relating to interpretation and adoption of standards could have a significant effect on our financial results and could affect our business. Additionally, the FASB and the SEC are focused on the integrity of financial reporting, and our accounting policies are subject to scrutiny by regulators and the public.
We cannot predict the impact of future changes to accounting principles or our related accounting policies on our financial statements going forward. In addition, were we to change our accounting estimates, including those related to the timing of revenue recognition and those used to allocate revenue between various performance obligations, our reported revenue and results of operations could be significantly impacted. If we are unsuccessful in adapting to the requirements of any new standard, then we may experience greater volatility in our quarterly and annual results, which may cause our stock price to decline.
In addition, GAAP requires management to make estimates and assumptions that affect the amounts reported in the consolidated financial statements. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances. Such estimates and assumptions are, by their nature, subject to substantial risks and uncertainties and factors may arise over time that lead us to change our methods, estimates, and judgments. Changes in those methods, estimates, and judgments could significantly affect our results of operations.
If we fail to maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
Ensuring that we have adequate internal financial and accounting controls and procedures in place to produce accurate financial statements on a timely basis is a costly and time-consuming effort that needs to be re-evaluated frequently. The rapid growth of our operations in recent years and our initial public offering in 2021 created a need for additional resources within the accounting and finance functions due to the increasing need to produce timely financial information and to ensure the level of segregation of duties customary for a U.S. public company. We continue to reassess the sufficiency of finance personnel in response to these increasing demands and expectations.
Our management is responsible for establishing and maintaining adequate internal control over financial reporting to provide reasonable assurance regarding the reliability of our financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. Our management does not expect that our internal control over financial reporting will prevent or detect all errors and all fraud. A control system, no matter how well designed and operated, can provide only reasonable, not absolute, assurance that the control system’s objectives will be met. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that misstatements due to error or fraud will not occur or that all control issues and instances of fraud, if any, within our company will have been detected.
We may experience material weaknesses in our internal control over financial reporting in the future. Our failure to remediate these material weaknesses and maintain effective internal control over financial reporting could result in material misstatements in our financial statements, the inability to timely report our financial condition or results of operations, investors losing confidence in our reported financial information and our stock price being adversely affected.
We are a “controlled company” within the meaning of the NYSE rules and, as a result, expect to qualify for, and may rely on, exemptions from certain corporate governance requirements.
As of December 31, 2025, our Co-Founder and Chief Executive Officer, David Steinberg, beneficially owns a majority of the combined voting power of all classes of our outstanding voting stock. As a result, we continue to be a controlled company within the meaning of the applicable stock exchange corporate governance standards. Under the NYSE rules, a company of which more than 50% of the voting power is held by another person or group of persons acting together is a controlled company and may elect not to comply with certain corporate governance requirements, including the requirements that:
• a majority of the board of directors consist of independent directors as defined under the rules of the NYSE;
• the nominating and governance committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities; and
• the compensation committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities.
These requirements will not apply to us as long as we remain a controlled company. We have not elected to take advantage of the exemption from these requirements, but may elect to do so in the future so long as we remain a “controlled company.” If we choose to rely on these exemptions, you may not have the same protections afforded to stockholders of companies that are subject to all of the corporate governance requirements of the NYSE.
The dual class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our initial public offering, including our Co-Founder and Chief Executive Officer and his affiliates. This will limit or preclude your ability to influence corporate matters, including the election of directors, amendments to our organizational documents and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval.
Our Class B Common Stock is entitled to ten votes per share, and our Class A Common Stock is entitled to one vote per share. The dual class structure of our common stock has the effect of concentrating voting control with our Co-Founder and Chief Executive Officer and his affiliates, which will limit your ability to influence the outcome of matters submitted to our stockholders for approval, including the election of our directors and the approval of any change in control transaction.
As of December 31, 2025, our Co-Founder and Chief Executive Officer, David Steinberg, and his affiliates held, in aggregate 52.1% of the voting power of our outstanding capital stock. As a result, these stockholders, acting together, will have control over most matters that require approval by our stockholders, including the election of directors and approval of significant corporate transactions. They may also have interests that differ from yours and may vote in a way with which you disagree and which may be adverse to your interests. Corporate action might be taken even if other stockholders oppose them. This concentration of ownership may have the effect of delaying, preventing or deterring a change of control or other liquidity event of our company, could deprive our stockholders of an opportunity to receive a premium for their shares of Class A Common Stock as part of a sale or other liquidity event and might ultimately affect the market price of our Class A Common Stock.
Anti-takeover provisions contained in our charter documents and Delaware law could prevent a takeover that stockholders consider favorable and could also reduce the market price of our stock.
Our amended and restated certificate of incorporation contains provisions that could delay or prevent a change in control of our company. These provisions could also make it more difficult for stockholders to elect directors and take other corporate actions. These provisions do the following:
• permit our board of directors to issue up to 200,000,000 shares of preferred stock, with any rights, preferences and privileges as they may designate;
• provide that the authorized number of directors may be changed only by resolution of our board of directors;
• provide that our board of directors will be classified into three classes of directors;
• limit the ability of stockholders to remove directors to permit removals only “for cause” once Class B Common Stock ceases to hold more than 50% of all our outstanding common stock;
• provide that all vacancies, except as otherwise required by law, be filled by the affirmative vote of a majority of directors then in office, even if less than a quorum;
• prohibit stockholder action by written consent, subject to the terms of any series of preferred stock, if the holders of shares of Class B Common Stock no longer hold at least a majority of the voting power of the outstanding shares of our common stock;
• require advance notice for nominations of directors by stockholders and for stockholders to include matters to be considered at our annual meetings;
• provide certain limitations on convening special stockholder meetings;
• so long as any shares of Class B Common Stock remain outstanding, require the prior affirmative vote of the holders of a majority of the outstanding shares of Class B Common Stock, voting as a separate class to consummate a Change of Control Transaction (as defined in our amended and restated certificate of incorporation);
• provide that the restrictions set forth in Section 203 of the Delaware General Corporation Law (“DGCL”) shall be applicable to us in the event that no holder of Class B Common Stock owns shares of our capital stock representing at least fifteen percent of the voting power of all the then outstanding shares of our capital stock; and
• not provide for cumulative voting rights in election of directors.
These and other provisions in our amended and restated certificate of incorporation and under Delaware law could discourage potential takeover attempts, reduce the price investors might be willing to pay in the future for shares of our Class A Common Stock and result in the market price of our Class A Common Stock being lower than it would be without these provisions.
Our amended and restated certificate of incorporation provides, subject to certain exceptions, that (i) the Court of Chancery of the State of Delaware is the sole and exclusive forum for certain stockholder litigation matters and (ii) the federal district courts of the United States of America are the exclusive forum for the resolution of any complaint asserting a cause of action under the Securities Act, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, employees or stockholders.
Our amended and restated certificate of incorporation provides that the Court of Chancery of the State of Delaware is, to the fullest extent permitted by law, the sole and exclusive forum for certain actions, including derivative actions, fiduciary duty claims, claims arising under the DGCL or our organizational documents, and claims governed by the internal-affairs doctrine. In addition, our amended and restated certificate of incorporation provides that, unless we consent in writing to the selection of an alternative forum, the federal district courts of the United States will be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act. These exclusive forum provisions do not apply to claims arising under the Exchange Act, which must be brought in federal court.
These provisions may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable, which may discourage lawsuits against us and our directors, officers, and other employees. It is possible that a court could find these provisions inapplicable or unenforceable, in which case we may incur additional costs associated with resolving disputes in other jurisdictions. Our stockholders will not be deemed to have waived our compliance with the federal securities laws and the regulations promulgated thereunder.
Item 1B. Unresolved Staff Comments.
None.
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
We design and assess our program based on multiple cybersecurity frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and ISO 27001. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF, ISO 27001 and other frameworks as guides to help us identify, assess, and manage cybersecurity risks relevant to our business. Our program is assessed by third-party security auditors on a yearly basis through our SOC II Type 2 and SOX audit processes.
Our cybersecurity risk management program is integrated into our overall risk management program, and shares common methodologies, reporting channels and governance processes that apply across the risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our cybersecurity risk management program include but are not limited to the following:
•risk assessments designed to help identify material risks from cybersecurity threats to our critical systems and, information;
•a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
•the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
•the use of external service providers, where appropriate, to monitor our cybersecurity posture on a 24/7 basis in a co-managed Security Operations Center (SOC);
•the design and deployment of a Defense-In-Depth layered technical security implementation leveraging best-of-breed components;
•cybersecurity awareness training of our employees, including incident response personnel and senior management;
•a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
•a third-party risk management process for key service providers, based on our assessment of their criticality to our operations and respective risk profile.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors – An unauthorized or significant inadvertent disclosure or breach of confidential and/or personal information we process or control, or a security breach of our or our customers’, suppliers’, or other partners’ IT Systems could be detrimental to our business, reputation, financial performance and results of operations.”
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (Committee) the oversight of cybersecurity risks, including management’s implementation of our cybersecurity risk management program.
The Committee receives regular reports from management on our cybersecurity risks. In addition, management updates the Committee, where it deems appropriate, regarding any cybersecurity incidents it considers to be significant or potentially significant.
The Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives periodic briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from our Chief Information Officer (CIO), internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies.
Our management team, including our CIO, Chief Information Security Office (CISO) and General Counsel, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CIO (to whom the CISO reports) regularly attends meetings of the Committee. Our management team’s experience includes decades of experience working in information security, advanced education, and information security certifications. Kurt Baumgarten, CISO, has a long history of successfully leading Information Security Programs across a diverse array of organizations such as Linedata SA, Indigo Ag, and Matterport. Kurt has multiple security certifications, such as CISA, CRISC, CDPSE, CGEIT, and has earned a master’s degree in information security from Norwich University as well as an MBA with a concentration in e-commerce. Dr. Jeffry Nimeroff, CIO, has a 25-year history of building technology groups and integrating Information Security programs at organizations ranging from startups like Hotsocket and Pet360 to established companies at various points in their lifecycle like CDnow, and Bertelsmann Music Group. Dr. Nimeroff has a PhD in Computer Science from the University of Pennsylvania.
Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.
Item 2. Properties.
Our corporate headquarters is located in New York City, New York. It consists of approximately 46,000 square feet under a lease agreement that expires in June 2027. We have several offices in the U.S. and have operations in the UK, the EU, India, Australia and New Zealand as well as other locations. Our New York office focuses on our go-to-market strategy, customer success, shared services and infrastructure. Our San Francisco office serves as our innovation hub. The European, Australia and New Zealand offices focus on go-to-market and customer success. The India offices concentrate on innovation, infrastructure and shared services.
All our offices are leased, and we do not own any real property. We believe that our current facilities are sufficient to meet our present needs. As we grow, we expect that suitable additional space will be available to either expand existing offices or open new office locations.
Item 3. Legal Proceedings.
From time to time, we are involved in various legal proceedings arising from the normal course of business activities. We are not currently a party to any litigation the outcome of which, we believe, if determined adversely to us, would individually or taken together have a material adverse effect on our business, operating results, cash flows, or financial condition. Defending any such proceedings is costly and can impose a significant burden on management and employees. The results of any current or future litigation cannot be predicted with certainty, and regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources, and other factors.
On November 22, 2024, a purported stockholder of the Company filed a putative class action lawsuit in the U.S. District Court for the Southern District of New York against the Company and the Company’s Chief Executive Officer, David A. Steinberg, and the Company’s Chief Financial Officer, Christopher Greiner, which is captioned In re Zeta Global Holdings Corporation Securities Litigation. On February 26, 2025, the Court appointed putative stockholders Amir Konigsberg and the Allegheny County Employees’ Retirement System as co-lead plaintiffs. The co-lead plaintiffs filed an Amended Class Action Complaint on May 12, 2025, which also named other officers of the Company. The Amended Complaint alleges, based in part on the report from Culper Research, that the defendants made false and misleading statements and omissions about the Company’s business, operations, and prospects between February 27, 2024 and March 10, 2025. We are vigorously defending ourselves against this lawsuit, and we believe the claims made in the report are without merit. The lawsuit seeks, among other things, damages in connection with the Company’s allegedly artificially inflated stock price between February 27, 2024 and March 10, 2025 as a result of those allegedly false and misleading statements and omissions, as well as interest, attorneys’ fees, and costs. The Company and the individual defendants moved to dismiss the Amended Complaint on July 11, 2025; briefing on that motion was completed on September 9, 2025. Discovery is stayed while the parties are awaiting a decision on the motion to dismiss. This matter is still in the early stages of the legal process, and as a result, the Company is not able to estimate a range of possible loss.
On December 11, 2024 and December 23, 2024, purported stockholders of the Company filed shareholder derivative complaints in the U.S. District Court for the Southern District of New York purportedly on the Company’s behalf against members of the Company’s board of directors and the Company as a nominal defendant, which have been consolidated into a single lawsuit captioned In re Zeta Global Holdings Corp. Stockholder Derivative Litigation, based on the same underlying allegations as in the securities class action described above. The complaints allege (i) violations of Section 14(a) of the Securities Exchange Act of 1934, (ii) breach of fiduciary duty, (iii) unjust enrichment, (iv) abuse of control, (v) gross mismanagement, (vi) waste of corporate assets, (vii) contribution under Section 10(b) and 21D of the Securities Exchange Act of 1934, and (viii) aiding and abetting. On March 4, 2025, the Court stayed the litigation through the resolution of the motion to dismiss in the securities class action. We intend to vigorously defend ourselves against this lawsuit, and we believe the claims made in the report are without merit. The Company’s board members are each party to an indemnification agreement with the Company that may require the Company to reimburse the board members for certain expenses and other costs related to this lawsuit. This matter is at the very early stages of the legal process, and as a result, the Company is not able to estimate a range of possible loss.
For a description of our legal proceedings, see “Note 12. Commitments and Contingencies” to our audited consolidated financial statements in the “Financial Statements and Supplementary Data” section of this Annual Report on Form 10-K.
Item 4. Mine Safety Disclosures.
Not applicable.
