MITEK SYSTEMS INC (MITK) Risk Factors

ITEM  1A.    RISK FACTORS.

Risk Factor Summary

Below is a summary of the principal factors that make an investment in our common stock speculative or risky. This summary does not address all of the risks that we face. Additional discussion of the risks summarized in this risk factor summary, and other risks that we face, can be found below and should be carefully considered, together with other information in this Annual Report on Form 10-K and our other filings with the Securities and Exchange Commission before making investment decisions regarding our common stock.

Risks Associated With Our Business and Operations

•We currently derive substantially all of our revenue from a few types of technologies. If these technologies and the related products do not achieve or continue to achieve market acceptance, our business, financial condition, and results of operations would be adversely affected.

•Our solutions depend on compatibility with third-party mobile operating systems and hardware. Changes in such systems could disrupt our business.

•We cannot predict the impact that the decline of the use of checks, changes in consumer behavior facilitated by advances in technologies, and the development of check alternatives, or the plateau of the penetration of active mobile banking users may have on our business.

•Claims that our products infringe upon the rights, or have otherwise utilized proprietary information, of third parties may give rise to costly litigation against us or our customers who we may be obligated to indemnify, and we could be prevented from selling those products, required to pay damages, and obligated to defend against litigation or indemnify our customers.

•If the patents we own or license, or our other intellectual property rights, do not adequately protect our technologies, brands or other intellectual property, we may lose market share to our competitors and be unable to operate our business profitably.

•We face competition from several companies that may have greater resources than we do, which could result in price reductions, reduced margins, or loss of market share.

•We must continue to engage in extensive research and development in order to remain competitive.

•Defects or malfunctions in our products could hurt our reputation, sales and profitability.

•Our lengthy sales cycles and the difficulty in predicting timing of sales or delays may impair our operating results.

•Our historical order flow patterns, which we expect to continue, have caused forecasting difficulties for us. If we do not meet our forecasts or analysts’ forecasts for us, the price of our common stock may decline.

•Entry into new lines of business, and our offering of new products and services may result in exposure to new risks.

•Adverse economic conditions or reduced spending on information technology solutions may adversely impact our revenue and profitability.

•We may be exposed to tariff policy changes that could negatively impact our financial results.

•We may need to raise additional capital to fund continuing operations and an inability to raise the necessary capital or the inability to do so on acceptable terms could threaten the success of our business.

•Our annual and quarterly results have fluctuated greatly in the past and will likely continue to do so, which may cause substantial fluctuations in our common stock price.

•Due to our operations in non-U.S. markets, we are subject to certain risks that could adversely affect our business, results of operations or financial condition.

•Our international operations may increase our exposure to potential liability under anti-corruption, trade protection, tax, and other laws and regulations.

•Fluctuations in foreign currency exchange and interest rates could adversely affect our results of operations.

•An “ownership change” could limit our ability to utilize our net operating loss and tax credit carryforwards, which could result in our payment of income taxes earlier than if we were able to fully utilize our net operating loss and tax credit carryforwards.

•Our cash and cash equivalents could be adversely affected if the financial institutions at which we hold our cash and cash equivalents fail.

•Our business could be adversely affected in the event we default under our debt agreements.

6

•Our revenues are dependent on our ability to maintain and expand existing customer relationships and our ability to attract new customers.

•The loss of one or more of our key customers could slow our revenue growth or cause our revenues to decline.

•We may incur goodwill and intangible asset impairment charges that adversely affect our operating results.

Risks Related to Privacy, Artificial Intelligence, and Cybersecurity

•Evolving domestic and international data privacy and AI laws and regulations may restrict our ability, and that of our customers, to solicit, collect, process, transfer, disclose and use personal information or may increase the costs of doing so, which could harm our business.

•Our ability to adopt and deploy AI and other new technologies may impact demand for our products and services and impact our internal operations.

•Fraudsters’ use of generative AI could create new attack vectors that we may be unable to effectively detect or prevent.

•Recent and proposed laws regarding the use of facial recognition technology and the processing of biometric data could increase compliance costs or otherwise make it harder for us to conduct our business, require us to change our business practices, lead to regulatory investigations or actions, and have a material adverse effect on demand for certain of our products.

•Our business and operations are subject to a variety of regulatory requirements in the countries in which we operate or in which we offer our solutions, including, among other things, with respect to AI and ML technologies that may be difficult and expensive to comply with and that could negatively impact our business.

•Security breaches or cyberattacks could expose us to significant liability, cause our business and reputation to suffer and harm our competitive position.

Risks Related to Investing in Our Common Stock

•A potential proxy contest for the election of directors at our annual meeting could result in potential operational disruption, divert our resources, and could potentially result in adverse consequences under certain of our agreements.

•Our third amended and restated bylaws provide that a state or federal court located within in the State of Delaware will be the sole and exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers or employees.

•We may not be able to maintain our listing on The Nasdaq Stock Market LLC (“Nasdaq”), or trading on the Nasdaq Capital Market may otherwise be halted or suspended, which may negatively impact the price of our common stock. If our common stock is delisted from Nasdaq, our business, financial condition, results of operations and share price could be adversely affected, and the liquidity of our common stock could be impaired.

Risks Related to Regulation and Compliance

•Although we have concluded that previously identified material weaknesses in our internal control over financial reporting have been remediated, if such remediation was not effective, or if we identify additional material weaknesses in internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable laws and regulations could be impaired.

General Risk Factors

•If we are unable to retain and recruit qualified personnel, or if any of our key executives or key employees discontinues his or her employment with us, it may have a material adverse effect on our business.

•Legislation and governmental regulations enacted in the U.S. and other countries that apply to us or to our customers may require us to change our current products and services and/or result in additional expenses, which could adversely affect our business and results of operations.

•Natural disasters or other catastrophic events may disrupt our business.

Risk Factors

The following risk factors and other information included in this Form 10-K should be carefully considered. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties not presently known to us or that we presently deem less significant may also impair our business operations. If any of the following risks actually occur, our business, financial condition, results of operations, cash flows, projected results, and future prospects could be materially and adversely

7

affected. In these circumstances, the market price of our common stock could decline, and an investor could lose all or part of their investment or interest.

Risks Associated With Our Business and Operations

We currently derive substantially all of our revenue from a few types of technologies. If these technologies and the related products do not achieve or continue to achieve market acceptance, our business, financial condition, and results of operations would be adversely affected.

We currently derive substantially all of our revenue from license sales and services provided with our software products to customers incorporating our intelligent mobile imaging technology and software products. If we are unable to achieve or continue to achieve market acceptance of our core technologies or products incorporating such technologies, we will not generate significant revenue growth from the sale of our products.

Additionally, factors adversely affecting the pricing of or demand for our products and services, such as competition from other products or technologies, any decline in the demand for mobile image processing, negative publicity, or obsolescence of the software environments in which our products operate could adversely affect our business, financial condition, and results of operations.

Our solutions depend on compatibility with third-party mobile operating systems and hardware. Changes in such systems could disrupt our business.

We rely on the interoperability of our solutions with mobile operating systems such as iOS and Android. If these platform providers alter their operating systems, terms of service, or APIs—particularly regarding camera access, privacy permissions, or biometric data handling—we may be unable to maintain the functionality of our products, or we may be forced to incur significant R&D costs to adapt our software, which could result in a loss of customers.

We cannot predict the impact that the decline of the use of checks, changes in consumer behavior facilitated by advances in technologies, and the development of check alternatives, or the plateau of the penetration of active mobile banking users may have on our business.

The use of checks has declined in recent years as a result of advances in technologies that have enabled the development of check alternatives like Zelle and Venmo, which have caused certain changes in consumer behavior. Though we are developing and offering new technologies, many of our current product offerings center around solutions involving the use of checks by banking customers. As check alternatives become more widely accepted by consumers, the use of checks could continue to decline, which could have a negative effect on our business. In addition, as the mobile banking market matures, the growth of active mobile banking users is slowing, which may negatively impact our ability to grow our business, which therefore could adversely affect our financial condition and results of operations.

Claims that our products infringe upon the rights, or have otherwise utilized proprietary information, of third parties may give rise to costly litigation against us or our customers who we may be obligated to indemnify, and we could be prevented from selling those products, required to pay damages, and obligated to defend against litigation or indemnify our customers.

In the past, third parties have brought claims against us and against our customers who use our products asserting that certain technologies incorporated into our products infringe on their intellectual property rights. Although we have resolved past claims against us that we have infringed on third-party patents, there can be no assurance that we will not receive additional claims against us asserting that our products infringe on the intellectual property rights of third parties or that our products otherwise utilize such third parties’ proprietary information.

Since 2018, United Services Automobile Association (“USAA”) has filed suit against various parties alleging patent infringement concerning USAA-owned patents related to mobile deposits, including Wells Fargo Bank, N.A. (“Wells Fargo”) and PNC Bank. While these lawsuits do not name the Company as a defendant, given (among other factors) the Company’s prior history of litigation with USAA and the continued use of the Company’s products by its customers, on November 1, 2019, the Company filed a complaint in the U.S. District Court for the Northern District of California seeking declaratory judgment that its products do not infringe certain patents held by USAA (collectively, the “Subject Patents”), which USAA sought to dismiss for lack of standing. Following various appeals and transfers, on June 12, 2025, the U.S. Court of Appeals for the Federal Circuit affirmed the dismissal of the action for lack of standing, but did not address the merits of the case. The Company chose not to appeal this decision. The Company continues to believe that its products do not infringe the Subject Patents and will vigorously defend the right of its end-users to use its technology.

On January 28, 2025, USAA filed another patent infringement lawsuit against Regions Financial Corporation and Regions Bank (“Regions”) in the Eastern District of Texas. The lawsuit alleges infringement of U.S. Patent Nos. 11,023,719, 11,682,222, 12,159,310 (“the ’310 Patent”), and 12,211,095 (“the ’095 Patent”). The ’310 Patent and the ’095 Patent are related to two of the Subject Patents. The Company was not named as a defendant or mentioned in connection with any alleged infringement in the complaint. On March 13, 2025, Digital First Holdings d/b/a Candescent, the successor-in-interest of the digital banking business of NCR Voyix Corporation, sent the Company an indemnification demand relating to the lawsuit.

8

Furthermore, we may initiate other claims or litigation against parties for infringement of our intellectual property rights or to establish the validity of our intellectual property rights. Litigation, either as plaintiff or defendant, could result in significant expense to us, whether or not such litigation is resolved in our favor. Even if we were to prevail, any litigation could be costly and time-consuming and would divert the attention of our management and key personnel from our business operations.

If the patents we own or license, or our other intellectual property rights, do not adequately protect our technologies, brands or other intellectual property, we may lose market share to our competitors and be unable to operate our business profitably.

Our success depends significantly on our ability to protect our rights to the technologies used in our products, including Mobile Deposit®. We rely on trademark, trade secret, copyright, and patent law, as well as a combination of non-disclosure, confidentiality, and other contractual arrangements to protect our technology and rights in and to our intellectual property. However, these legal protections afford limited protection and may not adequately protect our rights or permit us to gain or maintain any competitive advantage.

In addition, we cannot be assured that any of our pending patent applications will result in the issuance of a patent. The Patent and Trademark Office (“PTO”) may deny or require significant narrowing of claims in our pending patent applications, and patents issued as a result of the pending patent applications, if any, may not provide us with significant commercial protection or may not be issued in a form that is advantageous to us. We could also incur substantial costs in proceedings before the PTO. Our issued and licensed patents and those that may be issued or licensed in the future may expire or may be challenged, invalidated, or circumvented, which could limit our ability to stop competitors from marketing technologies related to ours. Additionally, upon expiration of our issued or licensed patents, we may lose some of our rights to exclude others from making, using, selling or importing products using the technology based on the expired patents.

We also must rely on contractual provisions with the third parties that license technology to us and that obligate these third parties to protect our rights in the technology licensed to us. There is no guarantee that these third parties would be successful in attempting to protect our rights in any such licensed technology. There is no assurance that competitors will not be able to design around our patents or other intellectual property or any intellectual property or technology licensed to us.

We also rely on unpatented proprietary technology. We cannot assert that we can meaningfully protect all our rights in our unpatented proprietary technology or that others will not independently develop substantially equivalent proprietary technology or otherwise gain access to our unpatented proprietary technology. We seek to protect our know-how and other unpatented proprietary technology with confidentiality agreements and intellectual property assignment agreements with our employees, consultants, partners, and customers. However, such agreements may not be enforceable or may not provide meaningful protection for our proprietary information in the event of unauthorized use or disclosure or other breaches of the agreements or in the event that our competitors discover or independently develop similar or identical designs or other proprietary information.

In addition, we rely on the use of registered and unregistered common law trademarks with respect to the brand names of some of our products. Common law trademarks provide less protection than registered trademarks. Loss of rights in or infringement of our trademarks could adversely affect our business, financial condition, and results of operations.

Furthermore, the laws of foreign countries may not protect our intellectual property rights to the same extent as the laws of the U.S. If we cannot adequately protect our intellectual property rights in these foreign countries, our competitors may be able to compete more effectively against us, which could adversely affect our competitive position, as well as our business, financial condition, and results of operations.

We face competition from several companies that may have greater resources than we do, which could result in price reductions, reduced margins, or loss of market share.

We compete against numerous companies in the mobile imaging software market. Competition in this market may increase as a result of a number of factors, such as the entrance of new or larger competitors or alternative technologies. These competitors may have greater financial, technical, marketing and public relations resources, larger client bases, and greater brand or name recognition. These competitors could, among other things:

•announce new products or technologies that have the potential to replace our existing product offerings;

•force us to charge lower prices; or

•adversely affect our relationships with current clients.

We may be unable to compete successfully against our current and potential competitors and if we lose business to our competitors or are forced to lower our prices, our revenue, operating margins, and market share could decline. If our competitors offer deep discounts on certain products or services in an effort to recapture or gain market share or to sell other products or services, we may need to lower prices or offer other favorable terms in order to compete successfully. For these and other reasons, in the future we may choose to make changes to our pricing practices. Such changes could materially and adversely affect our margins, and our revenues may be negatively affected if our competitors are able to recapture or gain market share.

We must continue to engage in extensive research and development in order to remain competitive.

9

Our ability to compete effectively depends upon our ability to meet changing market conditions and develop enhancements to our products on a timely basis in order to maintain our competitive advantage. The markets for products incorporating mobile imaging and voice software technology and products are characterized by rapid advancements in technology and changes in user preferences. Our continued growth will ultimately depend upon our ability to develop additional technologies, enhance our existing applications to meet customers’ changing needs, and attract strategic alliances for related or separate products. When we develop a new offering or an enhanced version of an existing offering, we typically incur expenses and expend resources upfront to market, promote and sell the new offering. Therefore, when we develop or acquire new or enhanced offerings, their introduction must achieve high levels of market acceptance in order to justify the amount of our investment in developing and bringing them to market. There can be no assurance that we will be successful in developing and marketing product enhancements and additional technologies, that we will not experience difficulties that could delay or prevent the successful development, introduction and marketing of these products, or that our new products and product enhancements will adequately meet the requirements of the marketplace, will be of acceptable quality, or will achieve market acceptance.

Defects or malfunctions in our products could hurt our reputation, sales and profitability.

Our business and the level of customer acceptance of our products depend upon the continuous, effective, and reliable operation of our products. Our products are extremely complex and are continually being modified and improved, and as such may contain undetected defects or errors when first introduced or as new versions are released. To the extent that defects or errors cause our products to malfunction and our customers’ use of our products is interrupted, our reputation could suffer and our revenue could decline or be delayed while such defects are remedied. We may also be subject to liability for the defects and malfunctions of third-party technology partners and others with whom our products and services are integrated. In addition, our products are typically intended for use in applications that are critical to a customer’s business. As a result, we believe that our customers and potential customers have a greater sensitivity to product defects than the market for software products in general. There can be no assurance that, despite our testing, errors will not be found in new products or releases after commencement of commercial shipments, resulting in loss of revenues or delay in market acceptance, diversion of development resources, damage to our reputation, adverse litigation, or increased service and warranty costs, any of which would have a material adverse effect upon our business, operating results, and financial condition.

Our lengthy sales cycles and the difficulty in predicting timing of sales or delays may impair our operating results.

The long sales cycle and the implementation cycles for our software and services may cause operating results to vary significantly from period to period. The sales cycle for our products can be six months or more and varies substantially from customer to customer. Because we sell complex and deeply integrated solutions, the sale of our software and services may require a significant commitment of capital and other resources and it can take many months of customer education to secure sales and implement our product. Since our potential customers may evaluate our products before, if ever, executing definitive agreements, we may incur substantial expenses and spend significant management and legal effort in connection with a potential customer.

Our historical order flow patterns, which we expect to continue, have caused forecasting difficulties for us. If we do not meet our forecasts or analysts’ forecasts for us, the price of our common stock may decline.

Historically, a significant portion of our sales have resulted from orders during the last few weeks of the quarter from orders received in the final month of the applicable quarter. We do, however, base our expense levels, in significant part, on our expectations of future revenue. As a result, we expect our expense levels to be relatively fixed in the short term. Any concentration of sales at the end of the quarter may limit our ability to plan or adjust operating expenses. Therefore, if anticipated orders in any quarter do not occur or are delayed, expenditure levels could be disproportionately high as a percentage of sales, and our operating results for that quarter would be adversely affected. As a result, we believe that period-to-period comparisons of our results of operations are not and will not necessarily be meaningful, and an investor should not rely upon them as an indication of future performance. If our operating results for a quarter are below the expectations of public market analysts and investors, it could have a material adverse effect on the price of our common stock.

Entry into new lines of business, and our offering of new products and services may result in exposure to new risks.

New lines of business, products, or services could have a significant impact on the effectiveness of our system of internal controls and could reduce our revenues and potentially generate losses. New products and services, or entrance into new markets, may require substantial time, resources and capital, and profitability targets may not be achieved. Entry into new markets entails inherent risks associated with our inexperience, which may result in costly decisions that could harm our profit and operating results. There are material inherent risks and uncertainties associated with offering new products, and services, especially when new markets are not fully developed or when the laws and regulations regarding a new product are not mature. Factors outside of our control, such as developing laws and regulations, regulatory orders, competitive product offerings and changes in commercial and consumer demand for products or services may also materially impact the successful implementation of new products or services. Failure to manage these risks, or failure of any product or service offerings to be successful and profitable, could have a material adverse effect on our financial condition and results of operations.

10

Adverse economic conditions or reduced spending on information technology solutions may adversely impact our revenue and profitability.

Unpredictable and unstable changes in macroeconomic conditions both domestically and internationally, including a recession, inflation, changes in interest rates, changes to government policies, or other adverse market changes, may adversely affect our general business strategy. Any general weakening of, and related declining corporate confidence in, the global economy or the curtailment in corporate spending could cause current or potential customers to reduce or eliminate their information technology budgets and spending, which could cause customers to delay, decrease or cancel purchases of our products and services; cause customers not to pay us; or to delay payment for previously purchased products and services. In particular an economic downturn affecting small and medium sized businesses could significantly affect our business as many of our existing and target customers are in the small and medium sized business sector and these businesses are more likely to be significantly affected by economic downturns than larger, more established businesses. Additionally, these customers often have limited discretionary funds, which they may choose to spend on items other than our products and services, causing our revenue to decline.

We may be exposed to tariff policy changes that could negatively impact our financial results.

The current global trade environment is characterized by uncertainty and evolving tariff policies. Further imposition of increased tariffs, trade restrictions, or trade disputes between major economies could lead to broader economic instability, decreased global customer demand, and increased volatility in currency exchange rates. Higher prices for goods due to tariffs may reduce consumer spending, which could lead to decreased demand for our customers’ products, which may ultimately affect our revenue and profitability. These factors could negatively impact our business, financial condition, and results of operations.

We may need to raise additional capital to fund continuing operations and an inability to raise the necessary capital or the inability to do so on acceptable terms could threaten the success of our business.

We currently anticipate that our available capital resources and operating cash flows will be sufficient to meet our expected working capital and capital expenditure requirements for at least the next 12 months and the foreseeable future. However, such resources may not be sufficient to fund the long-term growth of our business. If we determine that it is necessary to raise additional funds, we may choose to do so through public or private equity or debt financings, a bank line of credit, strategic collaborations, licensing, or other arrangements. We cannot be sure that any additional funding, if needed, will be available on terms favorable to us, if at all. Furthermore, any additional equity or equity-related financing may be dilutive to our stockholders, new equity securities may have rights, preferences or privileges senior to those of existing holders of our shares of common stock, and debt or equity financing, if available, may subject us to restrictive covenants and significant interest costs. If we obtain funding through a strategic collaboration or licensing arrangement, we may be required to relinquish our rights to certain of our technologies, products or marketing territories. If we are unable to obtain the financing necessary to support our operations, we may be required to defer, reduce or eliminate certain planned expenditures or significantly curtail our operations.

Our annual and quarterly results have fluctuated greatly in the past and will likely continue to do so, which may cause substantial fluctuations in our common stock price.

Our annual and quarterly operating results have in the past, and may in the future, fluctuate significantly depending on factors including the timing of customer projects and purchase orders, new product announcements and releases by us and other companies, gain or loss of significant customers, price discounting of our products, the timing of expenditures, customer product delivery requirements, the availability and cost of components or labor, and economic conditions, both generally and in the information technology market. Revenues related to our licenses for mobile imaging software products are required to be recognized upon satisfaction of all applicable revenue recognition criteria. The recognition of future revenues from these licenses is dependent on a number of factors, including, but not limited to, the terms of our license agreements, the timing of implementation of our products by our channel partners and customers and the timing of any re-orders of additional licenses and/or license renewals by our channel partners and customers. Any unfavorable change in these or other factors could have a material adverse effect on our operating results for a particular quarter or year, which may cause downward pressure on our common stock price.

Historically, sales of licenses to our channel partners have comprised a significant part of our revenue. This is primarily attributable to the timing of the purchase or renewal of licenses and does not represent a dependence on any single channel partner. The loss of a channel partner relationship could adversely affect our operations which we would attempt to mitigate through the assignment of such business to another channel partner or through our own licensing of our products to the end-users that had purchased products from the channel partner we lost. However, in that case, we or another channel partner must establish a relationship with the end-users, which could take time to develop, if it develops at all.

We expect quarterly and annual fluctuations to continue for the foreseeable future. These fluctuations may result in volatility in our results of operations, have an adverse effect on the market price of our common stock, or both.

Due to our operations in non-U.S. markets, we are subject to certain risks that could adversely affect our business, results of operations or financial condition.

We generate revenue in markets outside of the U.S. The risks inherent in global operations include:

11

•lack of familiarity with, and unexpected changes in, foreign laws and legal standards, including employment laws, AI, and privacy laws, which may vary widely across the countries in which we sell our products;

•increased expense to comply with U.S. laws that apply to foreign corporations, including the Foreign Corrupt Practices Act (the “FCPA”);

•compliance with, and potentially adverse tax consequences of foreign tax regimes;

•fluctuations in currency exchange rates, currency exchange controls, price controls, and limitations on repatriation of earnings;

•local economic conditions;

•increased expense related to localization of products and development of foreign language marketing and sales materials;

•longer accounts receivable payment cycles and difficulty in collecting accounts receivable in foreign countries;

•increased financial accounting and reporting burdens and complexities;

•restrictive employment regulations;

•difficulties and increased expense in implementing corporate policies and controls;

•international intellectual property laws, which may be more restrictive or may offer lower levels of protection than U.S. law;

•compliance with differing and changing local laws and regulations in multiple domestic and international jurisdictions, including AI and data privacy laws, as well as compliance with U.S. laws and regulations where applicable in these jurisdictions; and

•limitations on our ability to enforce legal rights and remedies.

If we are unable to successfully manage these and other risks associated with managing and expanding our international business, the risks could have a material adverse effect on our business, results of operations, or financial condition. Further, operating in international markets requires significant management attention and financial resources. Due to the additional uncertainties and risks of doing business in foreign jurisdictions, international acquisitions tend to entail risks and require additional oversight and management attention that are typically not attendant to acquisitions made within the U.S. We cannot be certain that the investment and additional resources required to establish, acquire or integrate operations in other countries will produce desired levels of revenue or profitability.

Our international operations may increase our exposure to potential liability under anti-corruption, trade protection, tax, and other laws and regulations.

The FCPA and other anti-corruption laws and regulations (“Anti-Corruption Laws”) prohibit corrupt payments by our employees, vendors, or agents. From time to time, we may receive inquiries from authorities in the U.S. and elsewhere about our business activities outside of the U.S. and our compliance with Anti-Corruption Laws. While we have implemented policies, training, and internal controls designed to reduce the risk of corrupt payments, our employees, vendors, or agents may violate our policies. Our acquisitions of ID R&D, and HooYu may significantly increase our exposure to potential liability under Anti-Corruption Laws. ID R&D, and HooYu were not historically subject to the FCPA, the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”), or other laws, to which we are subject, and we may become subject to liability if in the past, ID R&D’s, and HooYu’s operations did not comply with such laws.

Our failure to comply with Anti-Corruption Laws could result in significant fines and penalties, criminal sanctions against us, our officers or our employees, prohibitions on the conduct of our business, and damage to our reputation. Operations outside of the U.S. may be affected by changes in trade protection laws, policies and measures, and other regulatory requirements affecting trade and investment.

The transfer of personal data from the European Union (“EU”) to the U.S. has become a significant area of potential operational and compliance risk. In 2023, the Data Privacy Framework was introduced as a new mechanism for companies to transfer data from EU member states, the United Kingdom, or Switzerland to the U.S after its predecessor, the Data Privacy Shield, was invalidated. We currently participate in the EU‑U.S. Data Privacy Framework and its UK Extension and Swiss‑U.S. Data Privacy Framework. The EU, the United Kingdom, and Switzerland also allow the use of Standard Contractual Clauses (SCCs), but some decisions have indicated that compliance with these transfer frameworks requires significant effort for companies to review and revise their procedures and current EU-U.S. data transfer agreements. NOYB, or the European Center for Digital Rights, and its founder Max Schrems, the parties responsible for initiating actions to invalidate the previous frameworks, have indicated it will bring similar challenges against the Data Privacy Framework. Because of the legal challenges presented by these court and data protection authority decisions, there is continuing uncertainty regarding the legal basis for data transfers to the U.S., which could require us to implement additional measures, limit or suspend certain transfers, or, in some cases, cease such transfers. The complex nature and evolving laws related to

12

EU-, UK-, and Switzerland-to-U.S. data transfers could cause operational interruptions, liabilities, and reputational harm. These and other requirements could increase the cost of compliance for us and our customers, restrict our and our customers’ ability to store and process data, negatively impact our ability to offer our solutions in certain locations and limit our customers’ ability to deploy our solutions globally. These consequences may be more significant in countries with legislation that requires data to remain localized “in country,” as this could require us or our customers to establish data storage in other jurisdictions or apply local operational processes that are difficult and costly to integrate with global processes.

If we fail to comply with such laws and regulations, we may be subject to significant fines, penalties or liabilities for noncompliance, thereby harming our business. For example, in 2016, the EU adopted the General Data Protection Regulation (“GDPR”), which establishes comprehensive requirements regarding the handling of personal data and which became effective in May 2018. Non-compliance with the GDPR may result in monetary penalties of up to the greater of €20 million or 4% of worldwide annual revenue, and materially similar penalties may apply under the UK GDPR.

Due to our international operations, we are subject to certain foreign tax regulations. Such regulations may not be clear, not consistently applied, and be subject to sudden change, particularly with regard to international transfer pricing. Our earnings could be reduced by the uncertain and changing nature of such tax regulations.

Fluctuations in foreign currency exchange and interest rates could adversely affect our results of operations.

Our business is generally conducted in U.S. dollars. However, we earn revenues, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenues and expenses into U.S. dollars at the average exchange rate during each reporting period, as well as assets and liabilities into U.S. dollars at exchange rates in effect at the end of each reporting period. The costs of operating in The United Kingdom, France, the Netherlands, Spain and other European markets are subject to the effects of exchange fluctuations of the Euro and British pound sterling against the U.S. dollar. Therefore, increases or decreases in the value of the U.S. dollar against other major currencies will affect our net revenues, net income (loss), and the value of balance sheet items denoted in foreign currencies, and can adversely affect our operating results.

An “ownership change” could limit our ability to utilize our net operating loss and tax credit carryforwards, which could result in our payment of income taxes earlier than if we were able to fully utilize our net operating loss and tax credit carryforwards.

Federal and state tax laws impose restrictions on the utilization of net operating loss (“NOL”) and tax credit carryforwards in the event of an “ownership change” as defined by Section 382 of the Internal Revenue Code of 1986, as amended (“Section 382”). Generally, an “ownership change” occurs if the percentage of the value of the stock that is owned by one or more direct or indirect “five percent shareholders” increases by more than 50% over their lowest ownership percentage at any time during an applicable testing period (typically, three years). Under Section 382, if a corporation undergoes an “ownership change,” such corporation’s ability to use its pre-change NOL and tax credit carryforwards and other pre-change tax attributes to offset its post-change income may be limited. While no “ownership change” has resulted in annual limitations, future changes in our stock ownership, which may be outside of our control, may trigger an “ownership change.” In addition, future equity offerings or acquisitions that have equity as a component of the consideration could result in an “ownership change.” If an “ownership change” occurs in the future, utilization of our NOL and tax credit carryforwards or other tax attributes may be limited, which could potentially result in increased future tax liability to us.

Our cash and cash equivalents could be adversely affected if the financial institutions at which we hold our cash and cash equivalents fail.

Our cash and cash equivalents that we use to satisfy our working capital and operating expense needs are held in accounts at various financial institutions. The balance held in deposit accounts often exceeds the Federal Deposit Insurance Corporation (“FDIC”) deposit insurance limit or similar government deposit insurance schemes. Our cash and cash equivalents could be adversely impacted, including the loss of uninsured deposits and other uninsured financial assets, if one or more of the financial institutions in which we hold our cash or cash equivalents fails or is subject to other adverse conditions in the financial or credit markets.

We maintain a significant amount our cash and cash equivalents in Silicon Valley Bank, a division of First Citizens Bank (“SVB”), and our deposits at this institution exceeds insured limits. In March 2023, SVB failed and the FDIC took control of SVB. The Federal Reserve subsequently announced that account holders would be made whole and we were able to access all of our cash held at SVB. There is no guarantee that the Federal Reserve Board, the U.S. Treasury Department and the FDIC will provide access to uninsured funds in the future in the event of the closure of any other banks or financial institutions in a timely fashion or at all. Any inability to access or delay in accessing these funds could adversely affect our business, financial position, and liquidity.

If we do not effectively diversify our bank deposits and investment portfolio, the value and liquidity of our investments may fluctuate substantially which could affect our access to capital and results of operations in a material way. Furthermore, our access to our cash and cash equivalents in amounts adequate to finance our operations could be significantly impaired if the financial institutions with which we have arrangements directly face liquidity constraints or failures. Investor concerns regarding the U.S. or international financial systems could result in less favorable commercial financing terms, including higher interest rates or costs and tighter financial and operating covenants, or systemic limitations on access to credit and liquidity sources, thereby making it more

13

difficult for us to acquire financing on acceptable terms or at all. Any material decline in available funding or our ability to access our cash and cash equivalents could adversely impact our results of operations and liquidity.

Our business could be adversely affected in the event we default under our debt agreements.

In the event we default on any debt agreement, including those related to our convertible notes due 2026, our business, ability to make distributions, financial condition, results of operations and cash flows could be adversely affected. If we were unable to obtain a waiver of a default from the lenders or holders of that indebtedness, as applicable, those lenders or holders could accelerate repayment under that indebtedness. An acceleration could have a material adverse impact on our business, financial condition and results of operations.

Our ability to meet our payment obligations under our debt instruments depends on our ability to generate significant cash flows in the future. This, to some extent, is subject to market, economic, financial, competitive, legislative, and regulatory factors as well as other factors that are beyond our control. There can be no assurance that our business will generate cash flow from operations, or that additional capital will be available to us, in amounts sufficient to enable us to meet our debt payment obligations and to fund other liquidity needs.

Our revenues are dependent on our ability to maintain and expand existing customer relationships and our ability to attract new customers.

The continued growth of our revenues is dependent in part on our ability to expand the use of our solutions by existing customers and attract new customers. If we are unable to expand our customers’ use of our solutions, sell additional solutions to our customers, maintain our renewal rates for maintenance and subscription agreements and expand our customer base, our revenues may decline or fail to increase at historical growth rates, which could adversely affect our business and operating results. In addition, if we experience customer dissatisfaction with customers in the future, we may find it more difficult to increase use of our solutions within our existing customer base and it may be more difficult to attract new customers, or we may be required to grant credits or refunds, any of which could negatively impact our operating results and materially harm our business.

The loss of one or more of our key customers could slow our revenue growth or cause our revenues to decline.

A substantial portion of our total revenues in any given period may come from a relatively small number of customers. For the twelve months ended September 30, 2025, the Company derived revenue of $26.9 million from one customer, with such customer accounting for 15% of the Company’s total revenue. For the twelve months ended September 30, 2024, the Company derived revenue of $29.6 million from the same single customer, with such customer accounting for 17% of the Company's total revenue. For the twelve months ended September 30, 2023, the Company derived revenue of $27.7 million from the same single customer, with such customer accounting for 16% of the Company’s total revenue. We expect that we will continue to depend upon a relatively small number of customers for a significant portion of our total revenues for the foreseeable future. The loss of any of our significant customers or groups of customers for any reason, or a change of relationship with any of our key customers may cause a significant decrease in our total revenues. Additionally, mergers or consolidations among our customers could reduce the number of our customers and could adversely affect our revenues and sales. In particular, if our customers are acquired by entities that are not also our customers, that do not use our solutions or that have more favorable contract terms and choose to discontinue, reduce or change the terms of their use of our solutions, our business and operating results could be materially and adversely affected.

We may incur goodwill and intangible asset impairment charges that adversely affect our operating results.

As of September 30, 2025, we had $133.5 million of goodwill and $39.8 million of intangible assets, net, on our Consolidated Balance Sheet. We review our indefinite-lived intangible assets, including goodwill, for impairment on at least an annual basis or more frequently if an event or events indicate the potential for impairment. We assess as needed whether there have been impairments in our intangible assets. We make assumptions and estimates in our assessments that can be complex and subjective. In our assumptions and estimates we consider whether negative factors exist such as deteriorating economic conditions, disruptions to our business, inability to effectively integrate acquired businesses, intensified competition, market capitalization declines, or significant changes in use of the intangible assets. To the extent that such factors or other negative factors emerge, we may record non-cash impairment charges in the future that could negatively impact our financial condition and results of operations.

Risks Related to Privacy, Artificial Intelligence, and Cybersecurity

Evolving domestic and international data privacy and AI laws and regulations may restrict our ability, and that of our customers, to solicit, collect, process, transfer, disclose and use personal information or may increase the costs of doing so, which could harm our business.

Federal, state and foreign governments and supervising authorities have enacted, and may in the future enact, laws and regulations concerning the solicitation, collection, processing, disclosure, transfer and use of personal information. Such laws and regulations require or may in the future require us or our customers to implement additional and revise existing privacy and security policies and practices; permit individuals to access, correct or delete personal information stored or maintained by us or our customers; inform individuals of security breaches that affect their personal information; and, in some cases, obtain consent to use certain

14

personal information for certain purposes. Many of these laws also impose data minimization, purpose‑limitation, and security obligations; restrict certain types of automated decision‑making and profiling; and require data protection impact assessments, vendor diligence, and contractual controls. Other proposed laws and regulations could, if enacted, impose additional requirements and prohibit the use of specific technologies, such as those that track individuals' activities on web pages or record when individuals click on a link contained in an email message and systems reliant on such technologies. In addition, restrictions on cross‑border transfers of personal data (including requirements for standard contractual clauses, transfer impact assessments, or participation in certification mechanisms) may limit how we provide services across jurisdictions and increase compliance costs. Such laws and regulations could restrict our and our customers' ability to collect and use web browsing data and personal information, which may reduce our customers' demand for our solutions. The laws in this area are complex and developing rapidly. Non‑compliance can result in investigations, orders, suspension of processing, or significant administrative fines, as well as private litigation where available.

In the United States, many states have adopted legislation that regulates how businesses operate online, including measures relating to privacy, data security and data breaches. Laws in all states require businesses to provide notice to customers whose personal information has been disclosed as a result of a data breach. The laws are not identical, and compliance in the event of a widespread data breach is costly, as we must ensure our compliance with each individual state law. Further, states have continued adopting new laws or amending existing laws, requiring attention to frequently changing regulatory requirements. For example, California enacted the California Consumer Privacy Act (the “CCPA”) on June 28, 2018, which went into effect on January 1, 2020. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used by requiring covered companies to provide new disclosures to California consumers (as that term is broadly defined) and provides such consumers new ways to opt-out of certain sales of personal information. California regulations also require recognition of certain browser‑ or device‑based opt‑out signals (such as Global Privacy Control) and impose specific obligations for targeted advertising and “sharing” of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. The CCPA may increase our compliance costs and potential liability. The California Privacy Rights Act (the “CPRA”) revised and expanded the CCPA, adding additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It also created a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The CPRA was in full effect as of January 1, 2023. Similar laws passed in Virginia, Colorado, Connecticut, and Utah took effect in 2023. Additionally, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island have adopted privacy laws, which take effect at different dates through 2026. Many of these state laws include requirements regarding data protection assessments, processing of sensitive data, consumer appeals of automated decision‑making, universal opt‑out mechanisms, and restrictions on targeted advertising and profiling that may require us to modify products and operational practices. Additional U.S. states have enacted, or are considering, similar data privacy laws. We cannot fully predict the impact of these state laws on our business or operations, but it may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply. We expect that new legislation proposed or enacted in various other states will continue to shape the data privacy environment nationally. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to confidential, sensitive and personal information than federal, international or other state laws, and such laws may differ from each other, which may complicate compliance efforts. In addition to the growing number of state-level privacy laws, the U.S. Congress has been actively considering a federal privacy law for some time which, if passed, would likely create a comprehensive national framework for data protection and privacy. This law could supersede many state privacy laws and establish uniform privacy protections across the country, addressing issues such as data security, AI governance and consumer rights. The final form, timeline, and effective date of a potential U.S. federal privacy law is uncertain at this time. We may need to build new processes to honor federal requirements that differ from, or preempt, state obligations.

Outside the United States, comprehensive data protection frameworks such as the European Union’s General Data Protection Regulation (GDPR) and the United Kingdom’s data protection laws impose stringent requirements on processing personal data, including legal bases for processing, transparency, data subject rights, security, vendor management, record‑keeping, and breach notification, and authorize substantial administrative fines. Rules governing international data transfers continue to evolve and may require additional contractual, technical, and organizational safeguards.

Changing industry standards and industry self-regulation regarding the collection, use and disclosure of data may have similar effects. Existing and future privacy and data protection laws and increasing sensitivity of consumers to unauthorized disclosures and use of personal information may also negatively affect the public's perception of our customers' sales practices. If our solutions are perceived to cause, or are otherwise unfavorably associated with, insecurity of personal information, whether or not illegal, we or our customers may be subject to public criticism. Public concerns regarding data collection, privacy and security may also cause some consumers to be less likely to visit our customers' websites or otherwise interact with our customers, which could limit the demand for our solutions and inhibit the growth of our business. Any failure on our part to comply with applicable privacy and data protection laws, regulations, policies and standards or any inability to adequately address privacy or security concerns associated with our solutions, even if unfounded, could subject us to liability, damage our reputation, impair our sales and harm our business. Furthermore, the costs to our customers of compliance with, and other burdens imposed by, such laws, regulations, policies and

15

standards may limit adoption of and demand for our solutions. In addition, changes by major platforms and browsers including restrictions on third‑party cookies, mobile advertising identifiers, and tracking technologies, as well as evolving email and anti‑spam rules may reduce the effectiveness of certain features or require product changes, engineering workarounds, and increased costs.

Our ability to adopt and deploy AI and other new technologies may impact demand for our products and services and impact our internal operations.

Our ability to timely and accurately implement AI and other emerging technologies in our products and in our internal operations is critical to our competitiveness. Failure to do so could materially and adversely affect our business, results of operations, financial condition, and prospects, and could also result in reputational harm or liability.

We currently incorporate AI into certain offerings and continue to develop these capabilities. AI may present risks, uncertainties, and potential unintended consequences, including bias, inaccuracy, data privacy or security issues, and other ethical, legal, or societal impacts. Ineffective development, deployment, or oversight—whether by us or third parties on which we rely—could impair customer trust, cause harm to individuals or society, or subject us to competitive harm, regulatory scrutiny, litigation, and reputational damage.

If we do not successfully adopt or integrate new technologies, including generative AI, our offerings may become unreliable or uncompetitive. Competitors may develop or commercialize AI-enabled technologies more quickly or effectively than we do. In addition, use of AI to support our internal operations carries risks, such as unauthorized transmission of sensitive information, flawed outputs due to inaccurate data, and operational vulnerabilities that may affect customers, partners, or suppliers. Because AI and other emerging technologies are complex and developing quickly, we cannot predict all related risks, which could materially and adversely affect our business.

Fraudsters’ use of generative AI could create new attack vectors that we may be unable to effectively detect or prevent.

Fraudsters are increasingly using generative AI to create more sophisticated, scalable, and difficult-to-detect fraud schemes. As these tools evolve, they may enable new attack vectors that circumvent or degrade the effectiveness of our products and services. We may be unable to timely identify, anticipate, or defend against AI-driven fraud techniques, or to update our solutions quickly enough to maintain their effectiveness. If our products fail to adequately detect or prevent such emerging threats, customers may lose confidence in our offerings, reduce their usage, or seek alternative solutions, which could materially and adversely affect demand for our products, our competitive position, and our business, results of operations, and financial condition.

Recent and proposed laws regarding the use of facial recognition technology and the processing of biometric data could increase compliance costs or otherwise make it harder for us to conduct our business, require us to change our business practices, lead to regulatory investigations or actions, and have a material adverse effect on demand for certain of our products.

Some of our solutions require the storage and transmission of proprietary and confidential information of our clients and their employees, including biometric data. “In limited cases, we may host and retain biometric templates or identifiers as instructed by our customers, and our ability to meet applicable retention, destruction, and security requirements depends on our customers’ configurations and instructions; any failure to adhere to required retention schedules or provide timely destruction upon request could increase our legal and operational risks.” Several jurisdictions have imposed legal and compliance requirements on biometric data that are more stringent than requirements on other classifications of personal data. For example, under GDPR, biometric data is considered “sensitive data” which requires special attention and technical and organizational measures to protect the biometric data against breaches of confidentiality, integrity, and availability. The processing of biometric data for such purposes is prohibited unless one of a very limited and specific set of conditions is satisfied (such as explicit consent of the data subject). Effective compliance in this area (including in the context of use of certain of our products) can be highly challenging, and we are reliant on our customers to ensure that such a condition is satisfied when they use our products to identify someone. In certain deployments, our customers act as controllers of biometric data and are responsible for providing notices, obtaining any required consents, and defining retention and deletion schedules; we may act as a processor and are dependent on our customers’ instructions to enable compliance. We may be unable to provide certain of our products in certain jurisdictions, in particular in Europe where provision of such technologies in compliance with the GDPR is highly challenging. If we or our customers fail to obtain valid consent or satisfy another lawful basis, or fail to meet requirements relating to purpose limitation, data minimization, retention, security, or cross‑border transfers, we could face investigations, enforcement actions, private claims where available, and substantial penalties.

Similarly, in the United States, the Illinois Biometric Information Privacy Act (“BIPA”) regulates the collection, use, safeguarding, and storage of biometric identifiers and information, requires informed consent before collection, imposes fines for non-compliance, and grants residents a private right of action over improper collection and mishandling of biometric data. BIPA provides for substantial penalties and statutory damages and has generated significant class action activity; the cost of litigating and settling any claims that we have violated the BIPA or similar laws could be significant. Several other states have passed or are considering passing similar laws, such as the Texas Collection and Use of Biometric Information (“CUBI”) Act and the Washington Biometric Data Act. Similarly, Québec's Act respecting the protection of personal data in the private sector (“Law 25” formerly known as “Bill 64”) introduces substantial changes to the privacy landscape in Quebec, enhancing protection for personal data and introducing new obligations for transparency and accountability in data processing activities, including those involving biometric data. In addition,

16

comprehensive state privacy laws in several U.S. jurisdictions impose obligations related to sensitive data, impact assessments, automated decision‑making, and consumer rights (such as access, deletion, and opt‑out rights) that can apply to biometric data and may require changes to our products and practices, additional contractual commitments with customers and vendors, and increased compliance costs. Evolving judicial interpretations and legislative amendments (including changes affecting the accrual of claims, available defenses, or the calculation of statutory damages) may increase or, in some cases, mitigate our exposure, but the overall legal risk environment for biometric technologies remains significant and uncertain.

Our business and operations are subject to a variety of regulatory requirements in the countries in which we operate or in which we offer our solutions, including, among other things, with respect to AI and ML technologies that may be difficult and expensive to comply with and that could negatively impact our business.

AI, automated decision making, and ML technologies are increasingly subject to regulatory scrutiny and oversight, for example, under the comprehensive legal framework governing the use of AI adopted by the European Parliament in the European Union (the “EU AI Act”). The EU AI Act imposes onerous obligations related to the development, deployment and use of AI/ML-related systems. The EU AI Act classifies certain AI systems as prohibited, imposes transparency requirements on other systems, and designates a broad set of applications as ‘high‑risk’ subject to numerous compliance obligations, including governance, transparency, conformity assessment, quality management, technical documentation, risk management, post‑market monitoring, incident reporting, and human oversight requirements. In particular, the EU AI Act is likely to designate certain AI technologies, including technologies used in an employment-related context (such as in relation to recruitment, placement of targeted job advertisements, and decision-making concerning promotion, termination and task allocation), as ‘high risk’ and subject to numerous onerous compliance obligations, including various transparency, conformity and risk assessment, monitoring and human oversight requirements. As our products and services develop, they may fall within one or more of these categories. Under the EU AI Act, non-compliant companies may be subject to administrative fines of up to 35 million Euros or 7% of a company’s total worldwide annual turnover for the preceding financial year, whichever is the higher. The EU AI Act has a phased implementation process over several years, with certain obligations taking effect earlier than others, and compliance timelines may accelerate if our products are used in contexts deemed high‑risk. The EU AI Act is likely to be fully effective by Spring 2026. Moreover, in the United Kingdom, the government has confirmed its position that existing regulators are to implement certain specific principles (safety, security and robustness; transparency and explainability; fairness; accountability and governance; contestability and redress), within those regulators’ existing remits, to guide and inform the responsible development and use of AI/ML within their relevant sectors / competences. Additionally, several United States jurisdictions have enacted measures related to the use of AI in products and services for their potentially discriminatory effects. For example, New York City passed a law to regulate the use of automated employment decision tools by employers and employment agencies. Other U.S. jurisdictions have adopted or are considering rules addressing profiling, automated decision‑making, audits or impact assessments, and transparency obligations. Certain of these laws may be materially unfavorable to our interests and/or inconsistent with our existing operations, policies, practices or plans (or may be interpreted as such). We expect other jurisdictions will adopt similar laws. If any of our offerings are used in employment‑related, credit, housing, insurance, access control, biometric identification, or other contexts that could be categorized as high‑risk, our compliance burden and associated costs could increase materially.

Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal data) and regulate automated decision making, which may be incompatible with our use of AI (including generative AI) and ML technologies in our products and services. These obligations may make it harder for us to conduct our business using AI/ML, lead to regulatory fines or penalties, require us to change our business practices, retrain our AI/ML, or prevent or limit our use of AI/ML. For example, the FTC has required other companies to turn over (or disgorge) valuable insights or trainings generated through the use of AI/ML where they allege the company has violated privacy and consumer protection laws. If we cannot use AI/ML or that use is restricted, our business may be less efficient, or we may be at a competitive disadvantage. We may also be required to provide new disclosures, offer opt‑out rights, conduct impact assessments, or implement additional human review, which could reduce model performance, increase latency, or diminish product functionality. Some of our offerings are used in contexts that may be deemed ‘high‑risk’ under the EU AI Act, which would subject us and our customers to additional governance, documentation, testing, conformity assessment, and post‑market monitoring obligations, and could require material changes to our development and deployment processes.

Moreover, AI/ML models may create flawed, incomplete, or inaccurate outputs, some of which may appear correct. This may happen if the inputs that the model relied on were inaccurate, incomplete or flawed (including if a bad actor “poisons” the AI/ML with bad inputs or logic), or if the logic of the AI/ML is flawed (a so-called “hallucination”). We may use AI/ML outputs to make certain decisions. Due to these potential inaccuracies or flaws, the model could be biased and could lead us to make decisions that could bias certain individuals (or classes of individuals), and adversely impact their rights, employment, and ability to obtain certain pricing, products, services, or benefits. If outputs are later deemed unfair, discriminatory, or otherwise unlawful by regulators or courts, we could be required to modify, suspend, or withdraw affected features, provide remediation, or face enforcement actions or private litigation.

Furthermore, any sensitive information (including confidential, competitive, proprietary, or personal data) that we input into a third-party generative AI/ML platform could be leaked or disclosed to others, including if sensitive information is used to train the third party’s AI/ML model. Additionally, where such a model ingests personal data and makes connections using such data, those

17

technologies may reveal other personal or sensitive information generated by the model. Use of third‑party models may also trigger additional contractual obligations, intellectual property risks, and export control considerations.

Given that AI, automated decision making and ML technologies are core to our business, any increased regulation over these technologies, including the EU AI Act, could make it harder for us to conduct our business, significantly complicate our compliance efforts, increase legal risk and compliance costs for us, the third parties upon whom we rely, and our customers, increase our cost of doing business, impede or prevent our growth plans (including into Europe), require us to change our business operations at significant cost (such as retaining or rebuilding our AI/ML models), and reduce demand for our products. We may also need to implement new governance frameworks, allocate additional engineering and compliance resources, engage third‑party auditors or notified bodies, and limit or deprecate certain features to meet evolving requirements.

While we endeavor to implement policies, procedures, and systems designed to achieve compliance with these regulatory requirements, we cannot assure you that these policies, procedures, or systems will be adequate or that we or our personnel will not violate these policies and procedures or applicable laws and regulations. Violations of these laws or regulations may harm our reputation and deter government agencies and other existing or potential customers or partners from purchasing our solutions. Furthermore, non-compliance with applicable laws or regulations could result in fines, damages, criminal sanctions against us, our officers, or our employees, restrictions on the conduct of our business, and damage to our reputation. Even alleged non‑compliance can result in costly investigations, audits, delayed sales cycles, contract terminations, and diversion of management time.

Security breaches or cyberattacks could expose us to significant liability, cause our business and reputation to suffer and harm our competitive position.

We rely on information technology networks and systems, some of which are owned and operated by third parties, to collect, process, transmit, and store electronic information on behalf of our customers. We also depend on our information technology infrastructure for a variety of functions, including worldwide financial reporting, procurement, invoicing, and email communications. These systems are susceptible to outages due to hacking and cyberattacks. They are also vulnerable to human error, power loss, natural disasters, hardware or software defects, and other business continuity risks.

We have implemented security measures and controls intended to protect our information technology infrastructure, data centers and other systems and data against cyber-attacks. Despite our implementation of security measures and controls, our systems and those of third parties upon whom we rely are vulnerable to attack from numerous threat actors, including sophisticated nation-state and nation-state-supported actors. Threat actors have and may in the future be able to compromise our security measures or otherwise exploit vulnerabilities in our systems, including vulnerabilities that may have been introduced through the actions of our employees or contractors or defects in the design or manufacture of our products and systems or the products and systems that we procure from third parties. Our systems, and those of our third-party providers, have and could in the future become subject to cyberattacks, including using computer viruses, credential harvesting, dedicated denial of services attacks, malware, social engineering, and other means for obtaining unauthorized access to, or disrupting the operation of, our systems and those of our third-party providers. Exploits of third‑party or open‑source software components, zero‑day vulnerabilities, compromise of our software build pipeline or update mechanisms, and attacks on managed service providers or cloud infrastructure could also impact our systems or our customers.

In addition, threat actors are also increasingly using tools and techniques that circumvent controls, evade detection, and remove forensic evidence, which means that we and others may be unable to anticipate, detect, deflect, contain or recover from cyberattacks in a timely or effective manner. As AI capabilities improve and are increasingly adopted, we may see cyberattacks created through AI. These attacks could be crafted with an AI tool to directly attack IT systems with increased speed and/or efficiency than a human threat actor or create more effective phishing emails. Our network and storage applications, as well as those of our customers, business partners, and third-party providers, may be subject to unauthorized access by hackers or breached due to operator error, malfeasance or other system disruptions. Ransomware, data exfiltration, business email compromise, account takeover, and supply‑chain attacks can lead to business interruption, corruption or loss of data (including backups), and operational disruptions.

The number and scale of cyberattacks have continued to increase and the methods and techniques used by threat actors, including sophisticated “supply-chain” attacks, continue to evolve at a rapid pace. As a result, we may be unable to identify current attacks, anticipate future attacks or implement adequate security measures. We may also experience security breaches that may remain undetected for an extended period and, therefore, have a greater impact on our systems, our products, the proprietary data contained therein, our customers and ultimately, our business. Cyberattacks on our systems and “supply-chain” attacks on systems of third parties upon whom we rely, and any related operational disruptions, unauthorized access, or misappropriation of information (including personally identifiable information or personal data), could create costly litigation, significant financial liability, and a loss of confidence in our ability to serve customers and cause current or potential customers to choose another provider, all of which could have a material adverse effect on our business, financial condition, reputation, and results of operations. Such events could also trigger notification obligations to regulators, individuals, and counterparties; result in contractual claims, indemnity obligations, or liquidated damages; lead to regulatory inquiries, investigations, fines, or orders; and require us to incur significant costs for incident response, remediation, recovery, enhancements to our cybersecurity program, and credit monitoring or other remedies. Our cybersecurity insurance may be insufficient to cover all losses, may not cover certain types of claims, and may become more expensive or difficult to obtain.

18

Risks Related to Investing in Our Common Stock

A potential proxy contest for the election of directors at our annual meeting could result in potential operational disruption, divert our resources, and could potentially result in adverse consequences under certain of our agreements.

Our investors may launch a proxy contest to nominate director candidates for election to the Board at our annual meeting of stockholders. A proxy contest would require us to incur significant legal fees and proxy solicitation expenses and could result in potential operational disruption, including that the investor-nominated directors (if elected) may have a business agenda for our company that is different than the strategic and operational plans of the existing Board, which agenda may adversely affect our stockholders. Further, any perceived uncertainties as to our future direction and control could result in the loss of potential business opportunities and may make it more difficult to attract and retain qualified personnel and business partners, any of which could adversely affect our business and operating results and create increased volatility in our stock price.

Further, a change in a majority of the Board may, under certain circumstances, result in a change of control under certain employment agreements we have with our executive management and our equity plans and award agreements, and any equity based awards issued thereunder. Pursuant to the agreements and awards, certain payments and vesting provisions may be triggered following a change of control, conditioned upon a qualifying termination that occurs within 12 months of any such change of control.

Our third amended and restated bylaws provide that a state or federal court located within in the State of Delaware will be the sole and exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers or employees.

Our third amended and restated bylaws provide that, unless we consent to an alternative forum, a state or federal court located within the state of Delaware will be the sole and exclusive forum for: (a) any derivative action or proceeding brought on our behalf; (b) any action asserting a claim of breach of a fiduciary duty owed by any director, officer or other employee to us or our stockholders, (c) any action asserting a claim arising pursuant to any provision of the Delaware General Corporation Law, or (d) any action asserting a claim governed by the internal affairs doctrine. Our Bylaws also provide that any person or entity purchasing or otherwise acquiring any interest in shares of our capital stock will be deemed to have notice of and consented to this choice of forum provision. The foregoing choice of forum provision is not intended to apply to any actions brought under the Securities Act or the Exchange Act. Section 27 of the Exchange Act creates exclusive federal jurisdiction over all suits brought to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder. As a result, the exclusive forum provision will not apply to suits brought to enforce any duty or liability created by the Exchange Act or any other claim for which the federal courts have exclusive jurisdiction. However, our Bylaws do not relieve us of our duties to comply with federal securities laws and the rules and regulations thereunder, and our stockholders will not be deemed to have waived our compliance with these laws, rules and regulations.

This choice of forum provision in our Bylaws may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers or other employees, which may discourage such lawsuits against us and our directors, officers and other employees. In addition, stockholders who do bring a claim in the state or federal courts in the State of Delaware could face additional litigation costs in pursuing any such claim, particularly if they do not reside in or near Delaware. Furthermore, the enforceability of similar choice of forum provisions in other companies’ governing documents has been challenged in legal proceedings, and it is possible that a court could find these types of provisions to be inapplicable or unenforceable. If a court were to find the choice of forum provision in our Bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could adversely affect our business and financial condition.

We may not be able to maintain our listing on The Nasdaq Stock Market LLC (“Nasdaq”), or trading on the Nasdaq Capital Market may otherwise be halted or suspended, which may negatively impact the price of our common stock. If our common stock is delisted from Nasdaq, our business, financial condition, results of operations and share price could be adversely affected, and the liquidity of our common stock could be impaired.

We have in the past and may in the future fail to comply with the Nasdaq listing requirements, including the continued listing requirement to timely file all required periodic financial reports with the SEC. For example, on August 11, 2022, we were notified by Nasdaq that we were not in compliance with Nasdaq Listing Rule 5250(c)(1), which requires that a listed company timely file all required periodic financial reports with the SEC as a result of our failure to file our Quarterly Report on Form 10-Q for the period ended June 30, 2022. We received similar deficiency letters from Nasdaq in calendar year 2023 and 2024 as the Company was responding to various accounting matters, as previously disclosed. If our common stock ceases to be listed for trading on Nasdaq for any reason, it may harm our stock price, increase the volatility of our stock price, decrease the level of trading activity and make it more difficult for investors to buy or sell shares of our common stock. Our failure to maintain listing on Nasdaq may constitute an event of default under our outstanding indebtedness, including our convertible notes due 2026, and any future indebtedness, which would accelerate the maturity date of such debt or trigger other obligations. In addition, certain institutional investors that are not permitted to own securities of non-listed companies may be required to sell their shares adversely affecting the market price of our common stock. If we are not listed on Nasdaq, we will be limited in our ability to raise additional capital we may need.

19

While we have regained compliance with Nasdaq, if our common stock ceases to be listed for trading on Nasdaq, we expect that our common stock would be traded on the over-the-counter market, and that the value and liquidity of our stockholders’ investments would be materially impacted.

Risks Related to Regulation and Compliance

Although we have concluded that previously identified material weaknesses in our internal control over financial reporting have been remediated, if such remediation was not effective, or if we identify additional material weaknesses in internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable laws and regulations could be impaired.

As previously disclosed in our Annual Report on Form 10-K for the fiscal year ended September 30, 2024, we identified material weaknesses in our internal control over financial reporting. A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. We implemented remediation measures to address these material weaknesses, which we believe have resolved these previously-identified material weaknesses as of September 30, 2025. However, the policies, procedures, and controls implemented as part of the remediation plan may fail to have remediated these material weaknesses or we may fail to otherwise maintain effective controls over financial reporting in the future. See Part II, Item 9A “Controls and Procedures” for additional information about these previously-identified material weaknesses and our remediation efforts.

If we are unable to further implement and maintain effective internal control over financial reporting or disclosure controls and procedures, our ability to record, process and report financial information accurately, and to prepare financial statements within required time periods could be adversely affected, which could subject us to litigation or investigations requiring management resources and payment of legal and other expenses, negatively affect investor confidence in our financial statements and adversely impact our stock price. If we are unable to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an unqualified opinion as to the effectiveness of our internal control over financial reporting, investors may lose confidence in the accuracy and completeness of our financial reports, the market price of our common stock could be adversely affected and we could become subject to litigation or investigations by the stock exchange on which our securities are listed, the SEC or other regulatory authorities, which could require additional financial and management resources. Any failure to develop or maintain effective controls or any difficulties encountered in their implementation or improvement could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods.

Any failure to implement and maintain effective internal control over financial reporting could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports that are filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on Nasdaq.

General Risk Factors

If we are unable to retain and recruit qualified personnel, or if any of our key executives or key employees discontinues his or her employment with us, it may have a material adverse effect on our business.

We are highly dependent on the key members of our management team and other key technical personnel. If we were to lose the services of one or more of our key personnel, or if we fail to attract and retain additional qualified personnel, it could materially and adversely affect our business. Furthermore, recruiting and retaining qualified highly skilled engineers involved in the ongoing development required to refine our technologies and introduce future products is critical to our success. We may be unable to attract, assimilate, and retain qualified personnel on acceptable terms given the competition within the high technology industry. We do not have any employment agreements providing for a specific term of employment with any member of our senior management. We do not maintain “key man” insurance policies on any of our officers or employees. We have granted and plan to grant restricted stock units or other forms of equity awards as a method of attracting and retaining employees, motivating performance and aligning the interests of employees with those of our stockholders. As of September 30, 2025, we had 2,804,358 shares of common stock available for issuance pursuant to future grants of equity awards under our existing equity compensation plans, which may limit our ability to provide equity incentive awards to existing and future employees. If we are unable to adopt, implement and maintain equity compensation arrangements that provide sufficient incentives, we may be unable to retain our existing employees and attract additional qualified candidates. If we are unable to retain our existing employees, including qualified technical personnel, and attract additional qualified candidates, our business and results of operations could be adversely affected.

20

Legislation and governmental regulations enacted in the U.S. and other countries that apply to us or to our customers may require us to change our current products and services and/or result in additional expenses, which could adversely affect our business and results of operations.

Legislation and governmental regulations including changes in legislation and governmental regulations impacting financial institutions, insurance companies, and mobile device companies, affect how our business is conducted. Globally, legislation and governmental regulations also influence our current and prospective customers’ activities, as well as their expectations and needs in relation to our products and services. Compliance with these laws and regulations may be onerous and expensive, and may be inconsistent from jurisdiction to jurisdiction, further increasing the cost of compliance. Any such increase in costs as a result of changes in these laws and regulations or in their interpretation could individually or in the aggregate make our products and services less attractive to our customers, delay the introduction of new products in one or more regions, cause us to change or limit our business practices or affect our financial condition and operating results.

Natural disasters or other catastrophic events may disrupt our business.

Our business operations are subject to interruption by natural disasters and other catastrophic events, such as fire, floods, earthquakes, climate change, power loss, telecommunications failure, cyberattack, war or terrorist attack, or epidemic or pandemic. To the extent such events impact our facilities or off-premises infrastructure, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our software development, lengthy interruptions in our services, breaches of data security and loss of critical data, all of which could have an adverse effect on our future operating results.