grepcent / static financial knowledge base

PROCORE TECHNOLOGIES, INC. (PCOR) Risk Factors

Verbatim Item 1A Risk Factors from PROCORE TECHNOLOGIES, INC.'s latest 10-K. Filing date: 2026-02-24. Accession: 0001628280-26-011055.

This page reproduces the company's own Item 1A Risk Factors text from the linked SEC filing. It is filer text, not grepcent analysis, scoring, or investment advice.

Extracted from Item 1A Risk Factors to the first Item 1B/1C/2 boundary after HTML sanitization. Confidence: high. Source form: 10-K. Character span: 83051-245532.

Item 1A. Risk Factors.

Investing in our common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below, together with all of the other information contained in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes thereto, before making a decision to invest in our common stock. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that affect us. If any of such future risks or any of the following risks occur, our business, financial condition, results of operations, and prospects could be materially adversely affected. In that event, the price of our common stock could decline, and you could lose part or all of your investment.

Risks Related to Our Business and Industry

We have experienced rapid growth in prior periods, and such growth may not be indicative of our future performance. If we fail to properly manage future growth, our business, financial condition, results of operations, and prospects could be materially adversely affected.

We have experienced rapid growth in prior periods. Our revenue was $1.3 billion in 2025, $1.2 billion in 2024, and $1.0 billion in 2023. Our results of operations may fluctuate significantly, which could make our future results difficult to predict and could cause our results of operations to fall below expectations. You should not rely on the revenue growth of any prior period as an indication of our future performance. While our revenue has continued to increase, our revenue growth rate has declined and may continue to decline in the future as a result of a variety of factors, including our ability to effectively manage our growth and investments (including through our evolved GTM operating model), macroeconomic conditions, and the maturation of our business. Our overall revenue growth and results of operations depend on a number of factors, including many that are out of our control. These factors include our ability to do the following: attract new customers and retain and expand sales of subscriptions to our existing customers; increase sales to owners and specialty contractors, as well as monetize new stakeholders; develop new products and services, further improve our existing products, services, and platform, and evolve our App Marketplace with new offerings and purpose-built APIs; provide our customers and collaborators with support that meets their needs; invest financial and operational resources to support future growth in our customer, collaborator, and third-party relationships; expand our operations domestically and internationally; and retain and motivate existing personnel, and attract, integrate, and retain new personnel, particularly with respect to our sales and marketing and engineering and product development teams.

Our future growth also depends on changes in our customers’ IT budgets, the timing and success of new products and services introduced by us or our competitors, the pace of development of the construction management software industry, regulatory and macroeconomic conditions, and economic conditions and business practices within the construction industry, including construction spending in the public and private sectors. The overall sentiment in the construction industry continues to be uncertain, which presents challenges to our future growth. We expect this sentiment to continue at least for the short term as a result of macroeconomic factors.

If we are not able to maintain revenue growth or accurately forecast future growth, our business, financial condition, results of operations, and prospects could be materially adversely affected.

We have a history of losses and may not be able to achieve or sustain profitability in the future.

We have a history of losses, and we may not achieve or maintain profitability in the future. We incurred net losses of $100.8 million in 2025, $106.0 million in 2024, and $189.7 million in 2023. As of December 31, 2025, we had an accumulated deficit of $1.3 billion. We are not certain whether or when we will be able to achieve or sustain profitability in the future. We also expect our expenses to increase in future periods as we continue to invest in growth, which could negatively affect our future results of operations if our revenue does not correspondingly increase. In particular, we intend to continue to expend substantial financial and other resources on the following: expanding our sales and marketing and customer success teams to drive new subscriptions, increase the use of our products, services, and platform by existing customers, and support our international growth; developing our technology infrastructure, including systems architecture, scalability, availability, performance, and data security and privacy; investing in our engineering and product development teams and developing new products, services, and platform functionality; and pursuing strategic acquisition and investment opportunities.

These expenditures may not result in increased revenue or profitable growth. Any failure to increase our revenue as we invest in our business, or to manage our costs, could prevent us from achieving or maintaining profitability or positive cash flow. We may also incur significant losses in the future for a number of reasons, including the other risks described in this Annual Report on Form 10-K, and unforeseen expenses, difficulties, complications, delays, and other unknown events. If we are unable to successfully address these risks and challenges, our business, financial condition, results of operations, and prospects could be materially adversely affected.

Our business has been, and may continue to be, significantly impacted by changes in the economy, in spending across the construction industry, and in the size and growth of our addressable market.

Our business has been, and may continue to be, affected by changes in the economy, especially those affecting the construction industry. The overall sentiment in the construction industry continues to be uncertain, which presents challenges to our future growth. We expect this sentiment to continue at least for the short term as a result of macroeconomic factors. If the construction industry experiences a decrease in overall construction volume, the amount our customers pay for our products could be reduced as we generally price our products based on a customer’s annual construction volume, which is the fixed aggregate dollar volume of construction work contracted to run on our platform annually. In times of unfavorable economic conditions, our revenue may decrease because customers may choose to purchase less construction software. Rising inflation may increase our vendor, employee, and facility costs, and further decrease demand for our products. Unfavorable or deteriorating market conditions, reductions in the rate of construction growth, reductions in government spending and funding of infrastructure or other construction projects, reduced demand for public projects, and any resulting effects on spending by our customers or prospective customers could also have an adverse impact on our business.

The construction industry is also cyclical and has experienced periods of economic expansion and contraction. Periods of economic contraction for the construction industry have been, and may continue to be, caused by a wide range of factors, including tightening of economic policies, financial and credit market fluctuations, tariffs on imported goods, weakening exchange rates, elevated inflation, interest rate increases and fluctuations, supply chain disruptions, labor shortages, commodity prices, and policies that reduce government spending. We cannot accurately predict the timing, strength, or duration of any economic slowdown, instability, or recovery, generally or within any particular industry, or how any such event may impact our business or the business of our customers. To the extent we do not effectively address these risks and challenges, our business, financial condition, results of operations, and prospects could be materially adversely affected.

Further, our addressable market size estimates and market growth forecasts for the construction industry are based on assumptions, estimates, and third-party data that may be inaccurate. The size of our total addressable market depends on a number of factors, including the economic factors mentioned above, digitization of the construction industry globally, customer demand among existing and new customers, construction volume, and overall IT spending, among many others. Even if our estimates and forecasts relating to the size and expected growth of our total addressable market are accurate, we may not be able to capture enough of that growth and our business may not grow in those markets at the rates we anticipate, if at all, which could materially adversely affect our business, financial condition, results of operations, and prospects.

The construction management software industry is evolving rapidly and may not develop in ways we expect. If we fail to respond adequately to changes in the industry, our business, financial condition, results of operations, and prospects could be materially adversely affected.

The construction management software industry is evolving rapidly. Widespread acceptance and use of construction management technology in general, and of our platform in particular, is critical to our future growth. While we believe that our construction management software addresses a significant market opportunity, demand for our products, services, and platform may develop more slowly than we expect. If that happens, our business, financial condition, results of operations, and prospects could be materially adversely affected.

Demand for construction management software in general, and for our products, services, and platform in particular, is affected by a number of factors, some of which are beyond our control. Some of these factors include: general awareness of construction management software; availability, functionality, and pricing and packaging of products and services that compete with ours; ease of adoption and use; the reliability, performance, or perceived performance of our products and platform, including interruptions to the use of our
products and platform; the development and awareness of our brand; and how we sell our products, services, and platform. Even though we use internal data to assess the likelihood of success of introducing new products, services, pricing, and packaging or changes to existing products, services, pricing, and packaging, we may incorrectly calculate such risks or assume undue risks with respect to such products, services, pricing, and packaging. Competitors may also develop and introduce new products or entirely new technologies to replace our existing products, including through the use of AI, which could make our platform and products obsolete or otherwise materially adversely affect our business, financial condition, results of operations, and prospects. If our investments in engineering and product development do not accurately anticipate user demand or if we fail to develop products, features, or capabilities in a manner that satisfies customer needs in a timely and cost-effective manner, we may fail to retain our existing customers or increase demand for our products, which could materially adversely affect our business, financial condition, results of operations, and prospects.

Furthermore, our ability to grow our customer base and retain and increase revenue from customers depends on our ability to enhance and improve our products, services, and platform in response to changes in the construction management software industry and customer demand. In response to such shifts, we may introduce changes to our existing products and services or introduce new products and services, which may require significant expenditures in research and development and customer support, which may harm our results of operations. While we have designed our existing products for easy adoption, our customers depend on our customer success teams to provide implementation, training, and support services, especially when it comes to new products and features. If we do not provide effective ongoing support, our ability to sell additional products to existing and prospective customers could be adversely affected.

Additionally, we may experience difficulties with software development, design, or marketing that could delay or prevent our development, introduction, or implementation of new products, features, or capabilities. We have in the past experienced delays in our internally planned release dates of new products, features, and capabilities, and there can be no assurance that new products, features, or capabilities will be released according to schedule. Any delays could result in adverse publicity, loss of revenue or market acceptance, or claims by customers brought against us, all of which could materially adversely affect our business, financial condition, results of operations, and prospects.

Our business depends on a strong brand, and if we are not able to maintain and enhance our brand, our ability to retain and expand our customer base, attract investors, and recruit and retain qualified personnel may be impaired, and our business, financial conditions, results of operations, and prospects could be materially adversely affected.

We believe that our brand identity and brand awareness are critical to our sales and marketing efforts. We also believe that maintaining and enhancing our brand is critical to retaining and expanding our customer base, attracting investors, and recruiting and retaining qualified personnel, and, in particular, conveying to customers and collaborators that our platform offers capabilities that address the needs of the construction ecosystem throughout the project lifecycle. We anticipate that, as our market becomes increasingly competitive, maintaining and enhancing our brand may become increasingly difficult and expensive. If we experience difficulties with software development, customer service, or professional services that negatively impact new or existing products, we may experience negative publicity or lose market acceptance.

Any unfavorable publicity or negative perception of our products, services, or platform or the providers of construction management software generally, could adversely affect our reputation and our ability to attract and retain customers. If we fail to promote and maintain our brand, or if we incur increased expenses in this effort, our business, financial condition, results of operations, and prospects could be materially adversely affected.

Our ability to increase our customer base, expand existing customers’ use of our platform, and achieve broader market acceptance of our products, services, and platform will significantly depend on our ability to develop and expand our sales and marketing capabilities. Any failure to do so could materially adversely affect our business, financial condition, results of operations, and prospects.

Continuing and increasing sales of our products and services depends to a significant extent on our ability to expand our sales and marketing capabilities. It is difficult to predict customer demand, customer retention, and expansion rates, the size and growth rate of the market, the entry of competitive products and services, or the success of existing competitive products and services. Our sales and marketing efforts involve educating prospective customers about the uses and benefits of our products, services, and platform. We spend
substantial time and resources on our sales and marketing efforts without any assurance that our efforts will result in a sale. We expect that we will continue to need intensive sales and marketing efforts to educate prospective customers about the uses and benefits of our construction management software and services, and we may have difficulty convincing prospective customers of the value of adopting our products and services. We plan to continue expanding our sales force, both domestically and internationally. Identifying, recruiting, and training qualified sales representatives is time-consuming and resource-intensive, and they may not be fully trained and productive for a significant amount of time following their hiring, if ever. In addition, the cost to acquire customers is high due to these considerable sales and marketing efforts. Our business will be harmed if our efforts do not generate a corresponding increase in revenue. Even if we are successful in convincing prospective customers of the value of our products and services, they may decide not to purchase our products and services for a variety of reasons, some of which are out of our control. The failure of our efforts to secure sales after investing resources in a lengthy sales process could materially adversely affect our business, financial condition, results of operations, and prospects.

In July 2024, we began to evolve our GTM operating model, by, among other things, transitioning to a general manager model, in order to deepen customer relationships and improve our operating efficiency by building nimble, customer-focused teams under empowered general managers. If we fail to realize the full benefits of our evolved GTM operating model over the long term or otherwise fail to acquire new customers, retain existing customers, or expand existing customers’ use of our products, services, and platform, our business, financial condition, results of operations, and prospects could be materially adversely affected.

Our failure to successfully incorporate AI into our products, services, and platform, as well as our business operations, or our failure to comply with laws, regulations, contractual obligations, or other requirements that now or in the future could apply to our use of AI, could materially adversely affect our business, financial condition, results of operations, and prospects.

We are increasingly building or incorporating AI tools (including generative and agentic AI tools) into our products, services, and platform. We also deploy AI tools in our business operations. We have used, and may continue to use, third parties to provide and support these tools. Our use of AI may present significant risks, uncertainties, and challenges that could materially adversely affect our business, financial condition, results of operations, and prospects.

Developing, testing, selling, deploying, and adopting resource-intensive AI capabilities has increased and will likely continue to increase our operating costs. We have invested, and expect to continue to invest, significant resources to develop AI tools. We may also face greater competition from general purpose AI solutions that rely on generic large language models, generative AI, and general purpose AI agents to address a broad range of business needs. If the integration of AI tools into our products, services, and platform fails to operate as anticipated, or as well as competing offerings, or otherwise does not meet customer needs, or if we are unable to bring AI-related offerings to market as effectively or as quickly as our competitors, we may fail to recoup our investments in AI, our competitive position may be harmed, and our business and reputation may be adversely impacted.

AI models may create flawed, inaccurate, or incomplete outputs, some of which may appear to be correct. This may happen if the inputs that an AI model relied on were flawed, inaccurate, incomplete (including if a bad actor “poisons” an AI model with bad inputs or logic), or if the logic of the AI model is flawed (a so-called hallucination). We, our customers or partners, or other third parties may use or rely on such outputs to our or their detriment, or such outputs may lead to adverse outcomes, including delays and errors, any of which may negatively impact our ability to attract and retain customers and to expand the use of our products, services, and platform, and expose us to brand or reputational harm, competitive risk, and legal liability. Social or ethical concerns about the use of AI, such as the risk of AI models creating discriminatory outcomes using biased information, may also hinder the use and adoption of AI by our customers, partners, and employees. As we expand the use of AI in our own business operations, there is a risk that we will experience such outcomes, which would harm our business and reputation.

If we use any third-party AI technologies that misuse or fail to protect the data that we or our employees, customers, partners, or vendors input, then that data (including confidential, competitive, proprietary, customer, or personal data) could be leaked, disclosed, or revealed to others. Additionally, where an AI model ingests sensitive data without appropriate safeguards, and makes connections using such data, the AI model may produce outputs that reveal other sensitive data generated by the AI model that was not intended to be
revealed. Any such leak, disclosure, or revelation of data could harm our business, expose us to reputational harm and competitive risk, or result in legal or regulatory action against us. We could also experience an increased risk of litigation if any AI tools that we provide or use are alleged to produce outputs that infringe or violate third-party intellectual property rights.

The legal and regulatory landscape surrounding AI is rapidly evolving and uncertain. Several jurisdictions around the world, as well as several states and localities, have proposed, enacted, or are considering laws governing AI, including the European Union’s (“EU”) AI Act and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”) regulations on automated decision-making technology, and we expect that lawmakers and regulators will continue to maintain a heightened focus on AI and promulgate new legislation and regulations, which could impact our business and our actual or planned use of AI. Laws and regulations governing AI may apply in new, unpredictable ways, and differences in how jurisdictions choose to address issues related to AI may require us to navigate a complex web of different obligations. For example, the EU’s AI Act sets out a risk-based framework, subjecting certain AI technologies to numerous compliance obligations, including transparency, conformity, risk assessment, monitoring, and human oversight requirements. Under the EU’s AI Act, non-compliant companies may be subject to administrative fines of up to 35 million euros or 7% of such company’s total worldwide annual revenue for the preceding financial year, whichever is greater. We are subject to the EU’s AI Act. Depending on how the EU’s AI Act is implemented and interpreted, we may have to adapt our business practices, contractual arrangements, and current or planned products or services to comply with obligations imposed by the EU’s AI Act. Our use of AI technologies could also lead to regulatory investigations and consumer lawsuits. 

Certain privacy laws extend rights to consumers (such as the right to delete certain personal data) and regulate automated decision-making, which may complicate our use of AI, lead to regulatory fines or penalties, be incompatible with our use of AI, require us to change our business practices, retrain our AI, or prevent our use of AI. For example, the Federal Trade Commission has required other companies to turn over or disgorge valuable insights or trainings generated through the use of AI where they allege the company has violated privacy and consumer protection laws. Complying with applicable laws, rules, and regulations governing AI could increase our operating costs, require significant resources or technical modifications to our systems, change the way that we operate in certain jurisdictions, and impede our ability to offer AI in certain products or use AI in our business operations. Any of the above risks could materially adversely affect our business, financial condition, results of operations, and prospects.

Because we recognize revenue from subscriptions to access our products over the term of the subscription, downturns or upturns in new business will not be immediately reflected in our results of operations.

We generate substantially all of our revenue from subscriptions to access our products. We recognize revenue ratably over the term of the subscription, beginning on the date that access to our products is made available to the customer. Our subscriptions generally have annual or multi-year terms. As a result, the significant majority of our revenue is generated from subscriptions entered into during prior periods. Consequently, a decline in new or renewed subscriptions in any one quarter may not significantly reduce our revenue for that quarter, but could negatively affect our revenue in future periods. Accordingly, the effect of downturns or upturns in new sales and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. Our revenue recognition model also makes it difficult for us to rapidly increase our revenue through new subscriptions in any period.

Our ability to recognize revenue may also be affected by the length and unpredictability of the sales cycle for our products, especially with respect to larger enterprises, owners, and governmental entities. Such customers typically undertake a significant evaluation and negotiation process due to their leverage, size, organizational structure, and regulatory and approval requirements, all of which can lengthen our sales cycle. Further, certain macroeconomic conditions or uncertainty related to the macroeconomic environment may cause such customers to take corresponding actions to manage costs, which can increase the length of sales cycles, reduce budgets, cause slowdowns in customer consumption, or cause customers to reduce their spend with us at renewal by running less construction volume on our platform, reducing the number of products purchased, or cancelling their subscriptions entirely. We may spend substantial time, effort, and money on sales efforts for such customers without any assurance that our efforts will produce any sales or that these customers will deploy our platform widely enough across their business to justify our substantial upfront investment. As a result, we anticipate increased sales to large enterprises, owners, and governmental entities will lead to higher upfront sales costs and greater unpredictability, which could materially adversely affect our business, results of operations, financial condition, and prospects.

In addition, as required by the revenue recognition standard under Accounting Standards Codification Topic 606, Revenue from Contracts with Customers, we disclose the transaction price allocated to remaining performance obligations (“RPO”). It is possible that analysts and investors could misinterpret our disclosure or that the terms of our customer subscriptions or other circumstances could cause our methods for calculating this disclosure to differ significantly from others, which could lead to inaccurate or unfavorable forecasts by analysts and investors that could negatively impact our business and prospects.

We are continuing to expand our operations outside the U.S., where we may be subject to increased business, regulatory, and economic risks (including fluctuations in currency exchange rates) that could materially adversely affect our business, financial condition, results of operations, and prospects.

We had customers running projects in approximately 160 countries as of December 31, 2025, and 15% of our revenue in 2025 was generated from customers outside the U.S. We expect to continue to expand our international presence, which may include opening offices in new jurisdictions and providing our products, services, and platform in additional languages. Any new markets or countries into which we attempt to sell our products or services may not be receptive to our efforts. For example, we may not be able to further expand our operations in some countries if we are not able to adapt our products, services, and platform to fit the needs of prospective customers in those countries or if we are unable to satisfy certain government- and industry-specific laws or regulations. In addition, our international operations and expansion efforts require considerable management attention and the investment of significant resources, while subjecting us to new risks and increasing certain risks that we already face, including risks associated with:

• providing our products, services, and platform in different languages and customizing them to support local requirements;

• compliance by us and our partners with applicable international laws and regulations, including laws and regulations with respect to anti-corruption, competition, import and export controls, tariffs, trade barriers, economic sanctions, employment, construction, privacy, data protection and sovereignty, consumer protection, and unsolicited communications, and the risk of penalties and fines against us and individual members of management or employees if our practices are deemed to be out of compliance;

• recruiting and retaining talented and capable employees outside the U.S., including employees who speak multiple languages and come from a wide variety of different cultural backgrounds and customs, and managing an employee base in jurisdictions with differing employment regulations;

• operating in jurisdictions that do not protect intellectual property rights to the same extent as the U.S. and navigating the practical enforcement of such intellectual property rights outside of the U.S.;

• political and economic instability, including as a result of the Russia-Ukraine war and other international conflicts, and a shifting and uncertain geopolitical landscape;

• generally longer payment cycles and greater difficulty in collecting accounts receivable; and

• higher costs of doing business internationally, including increased accounting, tax, travel, infrastructure, and legal compliance costs, and costs associated with fluctuations in currency exchange rates.

Compliance with laws and regulations applicable to our global operations substantially increases our cost of doing business. We may be unable to keep current with changes in laws and regulations as they occur, and there can be no assurance that we, our employees, contractors, partners, and agents will be able to maintain compliance. Any violations could result in enforcement actions, fines, civil and criminal penalties, damages, injunctions, or reputational harm. If we are unable to maintain compliance or manage the complexity of our global operations successfully, we may need to relocate or cease operations in certain foreign jurisdictions, which could materially adversely affect our business, financial condition, results of operations, and prospects.

Additionally, as we continue to expand our international operations, we will become more exposed to the effects of fluctuations in currency exchange rates. Although the majority of our cash generated from sales is denominated in U.S. Dollars, a small amount is denominated in foreign currencies, and our expenses are generally denominated in the currencies of the jurisdictions in which we conduct our operations. Because we conduct business in currencies other than U.S. Dollars but report our results of operations in U.S. Dollars, we also face remeasurement exposure to fluctuations in currency exchange rates. Any of these risks could hinder our ability to predict our future results and earnings. In addition, we do not currently maintain a program to hedge exposures to non-U.S. Dollar currencies.

We operate in a competitive market, and we must continue to compete effectively.

The market for our products and services is highly competitive and rapidly changing. Certain features of our current platform compete with a wide variety of products, including aggregated construction management tools (some of which integrate with our platform), accounting software vendors, point solution vendors in various categories (many of which integrate with our platform and are available in our App Marketplace), and in-house specialized tools or processes built by or for existing or prospective customers.

With the introduction of new products, services, and technologies by competitors, including through the use of AI, and the emergence of new market entrants in the construction management software industry, we expect competition to continue and intensify. Other companies may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively. Many of our competitors have competitive advantages over us, such as better name recognition, longer operating histories, larger marketing budgets, existing or more established relationships, greater third-party integrations, access to larger customer bases, greater financial, technical, pricing, packaging, and marketing strategies, and other resources. Some of our competitors may make acquisitions or enter into strategic relationships with third parties to offer a broader range of products and services than we do; others may have more effective sales and marketing strategies or may deploy those strategies in ways that enable them to acquire customers at a lower cost than we can. These combinations may make it more difficult for us to effectively compete. Further, the challenges and costs of recruiting and retaining qualified candidates with AI experience may negatively affect our ability to effectively develop and leverage AI technologies. Our market and the technology landscape in general will also be impacted by the continued adoption of AI in ways that are currently unforeseeable and that could have significant benefits for our competitors. Additionally, as we introduce new products and services in the market, we may face new or different competitors who may similarly have competitive advantages over us. Such competitive pressures may erode our market share and may hinder or slow our expansion into new markets. We expect these competitive dynamics to continue as competitors attempt to strengthen or maintain their market positions.

Many factors affect our pricing and packaging strategies, which we revisit from time to time. For example, the quality of our products and services allows us to sell them at a premium as compared to some of our competitors. Certain competitors offer, or may in the future offer, lower-priced or free products or services that compete with our products or may bundle and offer a broader range of products or services. We may not be able to compete at such lower price points or with such product configurations. There can be no assurance that we will not be forced to engage in price-cutting initiatives or other discounts, or to increase our marketing and other expenses, in order to attract and retain customers in response to competitive pressures, any of which could materially adversely affect our business, financial condition, results of operations, and prospects.

Interruptions or performance issues associated with or otherwise impacting our products, services, and platform, including the interoperability of our platform across devices, operating systems, and third-party applications, could materially adversely affect our business, financial condition, results of operations, and prospects.

We have experienced, and may in the future experience, service interruptions and other performance issues. Our future growth depends in part on the ability of our existing and prospective customers to rely on access to our products, services, and platform.

Increasing numbers of users on our platform and increasing bandwidth requirements may degrade the performance of our products or platform due to capacity constraints and other internet infrastructure limitations. Frequent or persistent interruptions, including those from increased usage, could cause existing or prospective users to believe that our platform is unreliable, leading them to switch to competitors, which could materially adversely affect our business, financial condition, results of operations, and prospects.

Certain of our customer agreements contain specifications regarding the availability and performance of our platform. If we are unable to meet these service level commitments or if we suffer extended periods of poor performance, we may be contractually obligated to provide affected customers with service credits against existing subscriptions or, in certain cases, refunds. Any such performance issues could negatively impact our renewal rates and harm our ability to attract new customers.

One of the most important features of our platform is its broad interoperability with a range of devices, web browsers, operating systems, and integrations. Accessibility across this range is oftentimes out of our control, including as a result of reliance on third-party service providers or applications. Any third-party software-induced interruptions to our operations, such as software issues that affect our operating systems, could materially adversely affect our business, financial condition, results of operations, and prospects.

Integrations and products are constantly evolving, and we may not be able to modify our platform to assure its compatibility with such developments. In addition, some competitors may be able to disrupt the compatibility of our platform with their integrations, which some of our customers may rely upon. In other instances, the operability of our platform features relies on third-party service providers or partners that may be unable to accommodate our evolving service needs, choose to terminate or decline to renew agreements with us, or demand more favorable terms, among other things, any of which may cause service changes, interruptions, or delays for our customers. If our platform has operability or interoperability challenges with any of our integrations, customers may not adopt our platform, and our App Marketplace may not be useful to customers, which could materially adversely affect our business, financial condition, results of operations, and prospects.

Additionally, our products, services, and platform are inherently complex and may contain material defects or errors, particularly when new products or features are released. We have in the past found defects or errors in our products, services, and platform, and we may detect new defects or errors in the future. Any real or perceived failures or vulnerabilities in our products, services, or platform, or any real or perceived delay in resolving them, could result in negative publicity or lead to data security, access, retention, or performance issues. In addition, the costs incurred in correcting such defects or errors may be substantial. Any of these risks could materially adversely affect our business, financial condition, results of operations, and prospects.

We rely on third-party data centers, such as Amazon Web Services (“AWS”), to host and operate our platform, and any disruption of or interference with these resources may negatively affect our ability to maintain the performance and reliability of our platform, which could cause our business to suffer.

Our customers depend on the continuous availability of our platform, which relies in large part on third-party data centers. We currently host our platform and serve our customers primarily using AWS. Consequently, we may be subject to service disruptions as well as failures to provide adequate support for reasons that are outside of our control, including: the performance and availability of AWS and other third-party providers of cloud infrastructure services with the necessary speed, data capacity, and security for providing reliable services; decisions by AWS and other owners and operators of the data centers where our cloud infrastructure is deployed to terminate our subscriptions, discontinue services to us, shut down operations or facilities, increase prices, change service levels, limit bandwidth, declare bankruptcy, or prioritize the traffic of other parties; and cyberattacks, including denial of service attacks, targeted at us, our data centers, or the infrastructure of the internet.

The adverse effects of any service interruptions on our reputation, results of operations, and financial condition may be disproportionately heightened due to the nature of our business and the fact that our customers have a low tolerance for interruptions of any duration.

To meet the performance and other requirements of our customers, we intend to continue to make significant investments to increase capacity and to develop and implement new technologies in our cloud infrastructure operations. Any renegotiation or renewal of our agreement with AWS, or a new agreement with another provider of cloud-based services, may be on terms that are significantly less favorable to us than our current agreement. Additionally, these new technologies, which include databases, application and server optimizations, network strategies, and automation, are often advanced, complex, new, and untested, and we may not be successful in developing or implementing these technologies. It takes a significant amount of time to plan, develop, and test improvements to our technologies and cloud infrastructure, and we may not be able to accurately forecast demand or predict the results we will realize from such improvements. To the extent that we do not effectively scale our infrastructure to meet the needs of our growing customer base and maintain performance as our customers expand their use of our products, or if our cloud-based server costs were to increase, our business, financial condition, results of operations, and prospects could be materially adversely affected.

Sales to governmental entities, customers reliant on government funding, and other government contractors are subject to a number of additional challenges and risks.

We provide our products, services, and platform to federal, state, local, and non-U.S. governmental customers, which may occur through direct sales to governmental entities or through channel partners that may sell directly to governmental entities. We also provide our products, services, and platform to customers that may be reliant on funding derived from federal, state, local or non-U.S. governmental sources. We achieved U.S. Federal Risk and Authorization Management Program (“FedRAMP”) Moderate authorization for our Procore for Government solution in January 2026, which we believe will allow us to expand our ability to sell to U.S. federal government customers and contractors. Even with FedRAMP Moderate authorization of Procore for Government, selling to governmental entities, customers reliant on government funding, and other government contractors presents a number of unique challenges and risks, including the following:

•selling to governmental entities can be highly competitive, expensive, and time-consuming, often requiring significant upfront time and expense without any assurance that these efforts will generate a sale;

•governmental entities may have statutory, contractual, or other legal rights to terminate our contracts or contracts with channel partners for convenience or due to default;

•government certification or technical requirements for products and services may change, or we may be unable to achieve one or more government certifications, which may restrict our ability to sell into certain governmental entities until we have attained such certifications or technical requirements;

•contracts with governmental entities, customers reliant on government funding, and other government contractors, including channel partners in the government market, may contain terms that are less favorable than what we generally agree to in our standard commercial agreements, including terms that may be required by statute or regulation and/or may not be negotiable with the customer;

•non-compliance with terms or conditions of government contracts, or with representations or certifications made in connection with government contracts, can result in significantly more adverse consequences than we typically would expect in the commercial market, including, depending on the circumstances, criminal liability, liability under the civil False Claims Act, and/or suspension or debarment from doing business with governmental entities;

•governmental entities routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in governmental entities refusing to continue buying our products and services, a loss of revenue, fines, and/or civil or criminal liability;

•negative publicity related to our contracts with governmental entities or with channel partners who sell to governmental entities or any proceedings surrounding them may damage our business and affect our competitive position;

•demand and payment for our products from governmental entities or other customers may be adversely impacted by, among other things, government shutdowns, changes in administrations, fiscal policies, contracting policies or requirements, efforts by government to evaluate and reduce overall government spending, budgetary cycles, and funding authorizations; and

•in January 2025, the U.S. presidential administration began issuing Executive Orders identifying new government policies and directing U.S. federal agencies to evaluate their current actions, including certain spending, to ensure that such actions are consistent with new administration priorities. Some of those Executive Orders are the subject of pending litigation, and there remains significant uncertainty about the ways in which agencies will implement the new Executive Orders. Such implementation could negatively affect our current and future business with U.S. government customers.

There is a risk that the costs of achieving and maintaining FedRAMP authorization will not be offset, in full or at all, by increased sales of our products and services. Though our current revenue impact from contracts with governmental entities is not significant, to the extent that we become more reliant on contracts with governmental entities, customers reliant on government funding, and/or other government contractors in the future, our exposure to such risks and challenges could increase, which in turn could materially adversely impact our business, financial condition, results of operations, and prospects.

Risks Related to Our Employees and Culture

If we lose key management personnel or if we are unable to retain or hire qualified personnel, we may not be able to achieve our strategic objectives and our business, financial condition, results of operations, and prospects could be materially adversely affected.

Our future success is substantially dependent on our ability to attract, retain, and motivate our executive officers, other members of our management team and other key personnel throughout our organization. Our U.S. employees, including our executive officers, the members of our management team, and other key personnel, work for us on an “at-will” basis, which means they may terminate their employment with us at any time. As previously disclosed, effective November 10, 2025, Craig F. Courtemanche, Jr., our founder, and former President and Chief Executive Officer, resigned as President and Chief Executive Officer of the Company, and Dr. Ajei S. Gopal was appointed as President and Chief Executive Officer. If Dr. Gopal or one or more other members of our management team or other key personnel resign or otherwise cease to provide us with their services, our business, financial condition, results of operations, and prospects could be materially adversely affected.

Our continued success is also dependent on our ability to attract and retain other qualified personnel possessing a broad range of skills and expertise. There is significant competition for personnel with the skills and technical knowledge that we require. To continue to enhance our products, services, and platform, develop new products and services, and add new and innovative functionality, it will be critical for us to continue to grow our research and development teams. We have in the past hired, and may in the future hire, employees from competitors or other companies. Their former employers have in the past, and may in the future, assert that we or these employees have breached such employee’s legal obligations, resulting in a diversion of our time and resources. If we fail to meet our hiring needs, at all or on the timeframes we expect, or if we fail to successfully integrate our new hires, our efficiency and ability to meet our forecasts and our employee morale, productivity, and retention could all suffer. Any of these factors could materially adversely affect our business, financial condition, results of operations, and prospects.

If we cannot maintain our company culture as we grow, we could lose the innovation, teamwork, passion, and focus on execution that we believe contribute to our success.

We believe that our corporate culture fosters innovation, teamwork, passion, and focus on execution and has contributed to our success. As we grow, we may find it difficult to maintain our corporate culture. Further, recent leadership changes may create uncertainty or shifts in priorities that could make it more challenging to preserve our culture. In addition, many of our employees work remotely and there is no guarantee that we will be able to maintain our corporate culture when much of our team is dispersed. Any failure to preserve our culture could harm our future success, including our ability to recruit and retain qualified personnel, innovate and operate effectively, and execute on our business strategies. In the past we have carried out, and we may in the future carry out, reductions in our workforce to ensure that our resources are aligned to our business strategy. Such reductions in our workforce could negatively impact our reputation as an employer and harm our company culture. If we experience any of these risks, our ability to attract new employees and retain existing employees could be impaired, which could materially adversely affect our business, financial condition, results of operations, and prospects.

Risks Related to Our Regulatory and Legal Environment

We and the third parties with which we work are subject to stringent, changing, and potentially inconsistent laws, regulations, rules, policies, and obligations related to data privacy and security, both domestically and internationally. Our actual or perceived failure to comply with such obligations, or the failure or perceived failure of third parties with which we work to comply with such obligations, could lead to regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, loss of customers or sales, and other adverse consequences, any of which could materially adversely affect our business, financial condition, results of operations, and prospects.

In the ordinary course of business, we collect, receive, store, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, “process”) proprietary, confidential, and sensitive information and data, including personal data, intellectual property, trade secrets, and sensitive third-party and customer data (collectively, “sensitive information”). For example, our customers store sensitive information on our platform, such as building plans and other information related to government works or projects for regulated industries, such as banks and healthcare facilities. Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, internal and external privacy and security policies, contracts (including with our customers and other third parties), and other obligations relating to data privacy and security.

In the U.S., federal, state, and local governments have enacted, and may in the future enact, numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws).

Numerous U.S. states, including California, have enacted, and may in the future enact, comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices, affording residents with certain rights concerning their personal data, and stricter requirements for processing certain personal data. Such rights may include the right to access, correct, or delete personal data, and to opt out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. For example, the CCPA requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights. The CCPA provides for administrative fines and allows private litigants affected by certain data breaches to recover significant statutory damages. Moreover, under various privacy laws and other obligations, we may be required to obtain certain consents to process personal data. Our inability or failure to obtain such consents could result in adverse consequences, including class action litigation and mass arbitration demands. Additional data privacy and security laws have also been proposed at the federal, state, and local levels in recent years, which could complicate compliance efforts.

As we continue to expand globally, our obligations related to data protection will increase. Outside the U.S., an increasing number of laws, regulations, and industry standards apply to data privacy and security. For example, the EU’s General Data Protection Regulation (the “EU’s GDPR”) and the United Kingdom’s (“U.K.”) General Data Protection Regulation (the “U.K.’s GDPR”) impose strict requirements for processing personal data. Under the EU’s GDPR and the U.K.’s GDPR, government regulators may impose temporary or definitive bans on data processing, as well as fines of up to the greater of (1) 20 million euros or 17.5 million pounds sterling, respectively, or (2) 4% of annual revenue. The application of the EU’s GDPR alongside the U.K.’s GDPR exposes us to two parallel regimes, each of which potentially authorizes similar fines and other potentially divergent enforcement actions for certain violations. In addition, data subject or consumer protection organizations (which are authorized by law to represent data subjects’ interests) may initiate litigation to represent their interests. There are also stringent local data protection requirements in Germany and cloud-server initiatives in France which may impact our operations in these countries. Furthermore, as our business continues to expand and evolve, the EU’s GDPR, the U.K.’s GDPR, and similar data protection regulations may apply additional obligations on us to further secure personal data, provide further rights to data subjects, and require additional reporting to regulators.

In Canada, the Personal Information Protection and Electronic Documents Act and various provincial laws, as well as Canada’s Anti-Spam Legislation, applies to our operations. Similarly, Australia’s Privacy Act 1988, Singapore’s Personal Data Protection Act, the UAE’s Federal Data Protection Law No. 45 of 2021, and Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) (Law No. 13,709/2018), which also apply to our operations, impose compliance obligations and penalties that are comparable to those of the EU’s GDPR. In addition, India’s Digital Personal Data Protection Act and its implementing regulations, which provide for penalties of up to 2.5 billion Indian rupees for violations, may also apply to our operations.

We may also become subject to new laws that regulate non-personal data. For example, the EU’s Data Act imposes certain data and cloud service interoperability and switching obligations to enable users to switch between cloud service providers without undue delay or cost, as well as certain requirements concerning cross-border international transfers of, and governmental access to, non-personal data outside the European Economic Area (“EEA”). Depending on how this and similar laws are implemented and interpreted, we may have to adapt our business practices, contractual arrangements, products, and services to comply with such laws.

In the ordinary course of business, we transfer personal data from Europe and other jurisdictions to the U.S. or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the EEA and the U.K. have significantly restricted the transfer of personal data to the U.S. and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt or have already adopted similarly stringent data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and the U.K. to the U.S. in compliance with law, these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy these mechanisms to lawfully transfer personal data to the U.S.

If there is no lawful manner for us to transfer personal data from the EEA, the U.K., or other jurisdictions to the U.S., or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors, and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. For example, in May 2023, the Irish Data Protection Commission determined that a major social media company’s use of standard contractual clauses to transfer personal data from Europe to the U.S. was insufficient and levied a 1.2 billion euro fine against the company and prohibited it from transferring personal data to the U.S.

We are bound by contractual obligations and laws related to data privacy and security, and our efforts to comply with such obligations and laws may not be successful. For example, certain privacy laws, such as the EU’s GDPR, the U.K.’s GDPR, and the CCPA, require our customers to impose specific contractual restrictions on their service providers. We also publish privacy policies, marketing materials, white papers, and other statements, such as compliance with certain certifications, standards, or self-regulatory principles, concerning data privacy, security, and AI. Regulators in the U.S. are increasingly scrutinizing these statements, and if any of these policies, materials, or statements are found by our customers or regulators to be overly broad, deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences.

In addition, privacy advocates and industry groups have proposed, and may further propose, standards with which we are legally or contractually bound to comply. For example, we are subject to the Payment Card Industry Data Security Standard (the “PCI DSS”). The PCI DSS requires companies to adopt certain measures to ensure the security of cardholder information, including using and maintaining firewalls, adopting proper password protections for certain devices and software, and restricting data access. Noncompliance with the PCI DSS can result in penalties ranging from $5,000 to $100,000 per month by credit card companies, litigation, damage to our reputation, and loss of revenue. We also rely on vendors to process payment card data who may also be subject to the PCI DSS, and our business may be negatively impacted if our vendors are fined or suffer other consequences as a result of noncompliance with the PCI DSS.

Our obligations related to data privacy and security (and consumers’ data privacy and security expectations) are quickly changing in an increasingly stringent fashion. Although we endeavor to comply with all applicable data privacy and security obligations, we may at times fail, or be perceived to have failed, to do so.

Moreover, despite our efforts, our personnel or third parties with which we work, such as vendors or developers, may fail to comply with such obligations, which could negatively impact our business operations and compliance posture. For example, any failure by a third-party processor to comply with applicable law, regulations or contractual obligations could result in adverse consequences for us, including our ability to, or interruption in our ability to, operate our business and proceedings against us by governmental entities or others. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with data privacy and security obligations, we could face significant consequences, including government enforcement actions (e.g., investigations, audits, inspections, fines, and penalties), litigation (including class-related claims), additional reporting requirements and oversight, restrictions or bans on processing personal data, orders to destroy or not use personal data, the imprisonment of company officials, the inability to operate in certain jurisdictions, limited ability to develop or commercialize our products and services, loss of revenue or profits, loss of customers or sales (including a decline in customer subscription renewals), interruptions or stoppages in or modifications to our operations, negative publicity (including public statements against us by consumer advocacy groups or others), and reputational harm, any of which could materially adversely affect our business, financial condition, results of operations, and prospects.

If our IT systems or data, or those of third parties with which we work, are or were compromised, we could experience adverse consequences resulting from such compromise, including regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, loss of customers or sales, and other adverse consequences, any of which could materially adversely affect our business, financial condition, results of operations, and prospects.

In the ordinary course of our business, we, and the third parties with which we work, process substantial amounts of sensitive information.

Cyberattacks, malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of such sensitive information and IT systems, and those of the third parties on which we rely. Cloud-based platform providers of products and services have been targeted by such activities and are expected to continue to be targeted. The threats posed by such activities are prevalent and continue to grow, are increasingly difficult to detect, and come from a variety of sources, including traditional computer “hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation-states, and nation-state-supported actors. Further, our achievement of FedRAMP Moderate authorization for our Procore for Government solution, and heightened visibility as a provider of products and services to U.S. federal government customers and contractors, may increase the risk of threats from nation-state, and nation-state supported, and other threat actors.

We, the third parties with which we work, and our customers are subject to a variety of evolving threats, including social-engineering attacks (including through deep fakes, which may be increasingly difficult to identify as fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks (such as credential stuffing), credential harvesting, personnel misconduct or error, break-ins, ransomware attacks, supply chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other IT assets, adware, telecommunications failures, attacks enhanced or facilitated by AI, and other similar threats. Our products and services may also be subject to fraudulent usage and schemes, including from third parties accessing customer accounts or viewing data from our platform. In addition, remote work has become more common and has increased risks to our IT systems and data, as more of our employees utilize network connections, computers, and devices outside our premises or network, including working at home, while in transit, and in public locations.

Some actors, including, without limitation, organized criminal threat actors and nation-state-supported actors, now engage and are expected to continue to engage in cyberattacks for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we, the third parties with which we work, and our customers may be vulnerable to a heightened risk of these attacks, including retaliatory cyberattacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell, and maintain the availability of our products, services, and platform. For example, individuals from sanctioned jurisdictions such as North Korea have illicitly and fraudulently sought employment at U.S. companies to get access to those companies’ sensitive information. If we were found to have willfully or knowingly employed any such individuals, we could face criminal liability.

Ransomware attacks are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations, loss of sensitive information and income, reputational harm, and diversion of funds. While extortion payments have the potential to alleviate the negative impact of a ransomware attack, we may be unwilling or unable to make such payments for a variety of reasons.

We employ a shared responsibility model where our customers are responsible for using, configuring, and otherwise implementing security measures related to our products, services, and platform in a manner that meets applicable cybersecurity standards, complies with laws, and addresses their information security risk. As part of this model, we make certain security features available to our customers that can be implemented at our customers’ discretion, or identify security areas or measures for which our customers are responsible. For example, depending on the product implementation, our customers are responsible for adding and enforcing multi-factor authentication to access their accounts. In certain cases where our customers choose not to implement, or incorrectly implement, such features or measures, misuse our services, or otherwise experience their own vulnerabilities, policy violations, credential exposure or security incidents, even if we or our platform are not the cause of any customer security issue or incident that may result, our customer relationships, reputation, and operating results may be adversely impacted.

It may be difficult and/or costly to detect, investigate, mitigate, contain, and remediate a security incident. Our efforts to do so may not be successful. Actions taken by us, or the third parties with which we work, to detect, investigate, mitigate, contain, and remediate a security incident could result in outages, data losses, and disruptions of our business. Threat actors may also gain access to other networks and systems after a compromise of our networks and systems. For example, threat actors may use an initial compromise of one part of our environment to gain access to other parts of our environment, or leverage a compromise of our networks or systems to gain access to the networks or systems of third parties with whom we work, such as through phishing or supply chain attacks.

We rely upon third-party developers, service providers, and technologies to operate critical business systems to process sensitive information in a variety of contexts, including, without limitation, third-party providers of cloud-based infrastructure, encryption and authentication technology, employee email, and other functions. We may also rely on third-party developers, service providers, and technologies to provide other products or services to operate our business. Our ability to monitor these third parties’ information security practices is limited, and these third parties may not have adequate information security measures in place. We may also share or receive sensitive information with or from third parties. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages or we may be unable to recover such award. In addition, supply chain attacks have increased in frequency and severity, and we cannot guarantee that third parties and infrastructure in our supply chain or our third-party partners’ supply chains have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our IT systems (including our products, services, and platform) or the third-party IT systems that support us and our services.

While we have implemented security measures designed to help protect against security incidents, there can be no assurance that these measures are or will be effective. Although we take certain steps to detect, mitigate, and remediate various vulnerabilities in our IT systems (such as our hardware and/or software, including that of third parties with which we work, and those used to operate our products), doing so takes significant time and resources and we are not able to detect, and have not been able to remediate, all vulnerabilities in our IT systems (including those that operate our products and those that are used to provide our services).

Additionally, our business depends upon the appropriate and successful implementation of our services by our customers. If our customers fail to use our service according to our specifications, our customers may suffer a security incident on their own systems or other adverse consequences. Even if such an incident is unrelated to our security practices, it could result in our incurring significant economic and operational costs in investigating, remediating, and implementing additional measures to further protect our customers from their own vulnerabilities, as well as in reputational harm.

For several reasons, including the introduction of new vulnerabilities, resource constraints, competing business demands, dependence on third parties, and technological challenges, a large number of high unremediated vulnerabilities exist in our IT systems and will exist until our remediation efforts are completed. We have taken, and are taking, steps designed to mitigate these vulnerabilities in a prioritized manner based on our assessment of the risk posed by such vulnerabilities. Despite our efforts, there can be no assurance that these vulnerability mitigation measures will be effective. Moreover, we have experienced delays in developing and deploying remedial measures and patches designed to address any identified vulnerabilities. Vulnerabilities could be exploited and result in a security incident.

Any of the previously identified or similar threats could cause a security incident or other interruption. A security incident or other interruption could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our sensitive information or IT systems, or those of the third parties with which we work (including our customers). If we or third parties with which we work experience a security incident or are perceived to have experienced a security incident, which has previously occurred, we could experience significant consequences, including government enforcement actions (e.g., investigations, audits, inspections, fines, and penalties), litigation (including class-related claims), additional reporting requirements and oversight, restrictions or bans on processing sensitive information (including personal data and sensitive third-party and customer data), loss of revenue or profits, loss of customers or sales, interruptions or stoppages in or modifications to our operations (including availability of data), indemnification obligations, negative publicity, and reputational harm. Security incidents and attendant consequences may also cause customers to stop using our products, services, and platform (including by declining to renew their subscriptions), deter new customers from using our products, services, and platform, and negatively impact our ability to grow and operate our business.

In addition, business transactions, such as acquisitions or integrations, have exposed us to these same or additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, in the past, we have discovered security issues that were not found during due diligence of such acquired or integrated entities, and it has been, and may continue to be, difficult to integrate companies into our IT environment and security program.

Applicable data privacy and security obligations, including data breach laws and contractual obligations to various customers, may require us to notify relevant stakeholders, including affected individuals, customers, regulators, and investors, of security incidents. For example, SEC rules require disclosure on Form 8-K of the material aspects of the nature, scope, and timing of any material cybersecurity incident and the material impact or reasonably likely material impact of such incident. Determining whether a cybersecurity incident is notifiable or material may not be straightforward, and any such disclosures could be costly and could lead to negative publicity, loss of customer or partner confidence in the effectiveness of our security measures, diversion of management’s attention, governmental investigations, and the expenditure of significant capital and other resources to respond to or alleviate problems caused by the actual or perceived security breach.

Our contracts may not contain indemnification, limitations of liability, or other protective provisions. Even where they do, there can be no assurance that indemnification clauses, limitations of liability, or other protective provisions in our contracts are applicable, enforceable, or sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. We cannot be sure that our general liability insurance coverage and coverage for cyber liability or errors or omissions will be adequate or sufficient to protect us from, or to mitigate liabilities arising out of, our data privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could materially adversely affect our business, financial condition, results of operations, and prospects.

In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveal competitively sensitive details about our organization and could be used to undermine our competitive advantage. To the extent we do not effectively address these risks, our business, financial condition, results of operations, and prospects could be materially adversely affected.

Our business is subject to a wide range of laws and regulations, many of which are evolving, and our failure to comply with such laws and regulations could materially adversely affect our business, financial condition, results of operations, and prospects.

We are subject to a number of laws and regulations in the U.S. and internationally that apply generally to businesses, including laws and regulations governing the internet and the marketing, sale, and delivery of services over the internet. These laws and regulations, which continue to evolve, cover, among other things, taxation, tariffs, data protection and privacy, data security, data governance, AI, pricing, content, copyrights, distribution, mobile and other communications, advertising practices, electronic contracts, sales procedures, automatic subscription renewals, credit card processing procedures, consumer protection, consumer financial protection, payment regulation, payment processing and settlement services, domestic and cross-border money transmission, foreign currency exchange, anti-money laundering, fraud detection, economic and trade sanctions, the design and operation of websites, and the characteristics and quality of products that are offered online. We cannot guarantee that we have been or will in the future be fully compliant with such laws and regulations in every jurisdiction, as it is not entirely clear in every jurisdiction how existing laws and regulations governing such areas apply or will be enforced. Moreover, as the regulatory landscape continues to evolve, increasing regulation and enforcement efforts by federal, state, and foreign authorities, and the prospects for private litigation claims, become more likely. In addition, the adoption of new laws or regulations, or the imposition of other legal requirements, that adversely affect our ability to market or sell our products and services could harm our ability to offer, or customer demand for, our products and services, which could impact our revenue, impair our ability to expand our products and services, and make us more vulnerable to competition. 
Future regulations, or changes in laws and regulations or their existing interpretations or applications, could also require us to change our business practices and raise compliance costs or other costs of doing business. For example, on May 7, 2024, the Federal Communications Commission re-adopted “network neutrality” rules in the U.S. These rules could affect the services we and our customers use by restricting the offerings made by internet service providers or reducing their incentives to invest in their networks. On January 2, 2025, the U.S. Court of Appeals for the Sixth Circuit vacated the rules. A petition for rehearing of the decision filed by proponents of network neutrality was denied on March 11, 2025, and the time for seeking Supreme Court review of the decision has expired. In addition, after a federal court judge denied a request for an injunction against California’s state-specific network neutrality law, California began enforcing that law on March 25, 2021. Other states could begin to enforce existing laws or adopt new network neutrality requirements. Several other states have adopted similar rules, including Washington, Oregon, Colorado, New Jersey, and Vermont. Many of the laws and regulations to which we are subject are still evolving and being tested in courts and could be interpreted in ways that could harm our business. The application and interpretation of these laws and regulations often are uncertain, particularly in the new and rapidly evolving industry in which we operate. Because global laws and regulations have continued to develop and evolve rapidly, it is possible that we may not be, or may not have been, compliant with each such applicable law or regulation.

Additionally, various federal, state, and foreign labor laws govern our relationships with our employees and affect operating costs. These laws include employee classifications as exempt or non-exempt, minimum wage requirements, unemployment tax rates, workers’ compensation rates, overtime, family leave, workplace health and safety standards, payroll taxes, citizenship requirements, and other laws and regulations.

In certain instances, we rely on third-party service providers or partners to facilitate certain features of our platform or products that are subject to laws and regulations that may be complex, wide-ranging, and evolving, and whose compliance practices and licensure we are unable to control. If such third parties or partners are unable to effectively manage their compliance and licensure obligations in connection with the services they provide to us, or choose not to renew agreements with us because of the costs or burden of compliance with such obligations or for any other reason, our users may experience service changes, interruptions, or delays. Furthermore, we may be unable to find new service providers or partners, or may need to obtain replacement services on less favorable terms. For example, we rely on payment partners to facilitate payments through Procore Pay.

Any claim, lawsuit, proceeding, investigation, inquiry, or request under any of the foregoing could: result in reputational harm, criminal sanctions, consent decrees, and orders preventing us from offering certain features, functionalities, products, or services; limit our access to credit; result in a modification or suspension of our business practices; require us to develop non-infringing or otherwise altered products or technologies; prompt ancillary claims, lawsuits, proceedings, investigations, inquiries, or requests; consume financial and other resources which may otherwise be utilized for other purposes, such as advancing other products and services on our platform; cause a breach or cancellation of certain contracts; or result in a loss of customers, investors, or partners. Any of the foregoing, or any significant additional laws or regulations, or our failure to comply with any laws and regulations that now or in the future could apply to our business, could materially adversely affect our business, financial condition, results of operations, and prospects.

We may become involved in litigation and other disputes that could materially adversely affect our business, financial condition, results of operations, and prospects.

As we face increasing competition and gain a higher profile, we have become, and may in the future become, a party to litigation, claims, investigations, inquiries, proceedings, and other disputes related to, among other things, our intellectual property, commercial matters, business or employment practices, regulatory compliance (including securities law compliance), products, services, and platform. Declines in stock price, which we have experienced and may experience from time to time, can increase the risk of securities class action litigation. Such litigation can be costly and time-consuming, divert the attention of management and key personnel from our business operations, and dissuade prospective customers from subscribing to our products or services.

We have become, and may in the future become, party to legal proceedings and claims alleging infringement or misappropriation of intellectual property or violations of employment laws and workplace regulations, whether with or without merit. These matters have been, and could continue to be, time-consuming to defend, and have resulted, and could continue to result, in costly litigation and diversion of resources. Such legal proceedings are unpredictable, and we could receive an unfavorable outcome in pending or future proceedings. If any such proceedings are successful, or if we need to settle disputes on terms that are unfavorable to us, we could be required to change our products, business practices, employment policies, indemnify our customers or business partners, pay substantial settlement costs, back wages, regulatory fines, or refund fees. For example, in 2024, Oracle America, Inc. and certain of its affiliates filed a lawsuit against us, one of our affiliates, and an employee in federal court alleging that we had misappropriated certain trade secrets. We are not able to estimate the extent of the damages that we would incur if we were to receive an unfavorable outcome in this lawsuit.

We may be subject to injunctive relief or ongoing government oversight that restricts our ability to manage our workforce effectively, or be required to seek a license to continue practices found to be in violation of third-party rights, which may not be available to us on reasonable terms or at all, any of which could materially impact our business.

Additionally, during the course of any litigation or dispute, we may make announcements regarding the results of hearings and motions and other interim developments. If securities analysts and investors consider these announcements negative, our stock price may decline. Any of the above could increase our operating expenses, and materially adversely affect our business, financial condition, results of operations, and prospects.

Increased government scrutiny of the technology industry generally or our operations specifically could negatively affect our business.

The technology industry is subject to intense media, political, and regulatory scrutiny, which may expose us to government investigations, legal actions, and penalties. Various regulatory agencies, including competition, consumer protection, and privacy authorities, have active proceedings and investigations concerning technology companies, some of which have offerings, like app marketplaces and collaboration tools, that are similar to services and features we offer. If proceedings or investigations targeted at other companies result in determinations that certain practices are unlawful, we could be required to change our products and services or alter our business operations, which could harm our business. Legislators and regulators also have proposed new laws and regulations intended to restrain the activities of some technology companies. If such laws or regulations are enacted, they could adversely impact us, even if they are not intended to affect our company. The increased scrutiny of acquisitions in the technology industry also could affect our ability to enter into strategic transactions or to acquire other businesses. Compliance with new or modified laws and regulations could increase the cost of conducting business, limit opportunities to increase our revenues, or prevent us from offering products or services.

In addition, the introduction of new products and services, expansion of our activities in certain jurisdictions or with certain government customers, or other actions we may take may subject us to additional laws, rules, and regulations, or other government scrutiny. We may not always be able to accurately predict the scope or applicability of certain laws, rules, or regulations to our business, particularly as we expand into new areas of operations, such as Procore Pay, which could negatively affect our business and our ability to pursue future plans. Compliance with any such new laws and regulations will be costly, time consuming, and, as a global commercial organization, require expenditure of our limited resources to be in compliance with the various standards across the jurisdictions in which we operate. Failure to adequately meet these new and upcoming disclosure requirements may affect the manner and locations in which we choose to conduct our business and could adversely affect our operating results. In addition, any perceived or actual breach by us of applicable laws, rules, and regulations could have a significant impact on our reputation as a trusted brand and could cause us to lose customers in existing and emerging lines of business, prevent us from acquiring new customers, require us to expend significant resources to remedy issues caused by such breaches and to avert further breaches, and expose us to legal risk and potential liability.

Our liability for third-party content on our platform, such as content posted by customers and other users, currently is limited by Section 230 of the Communications Decency Act (the “CDA”). The U.S. Congress and federal agencies have proposed further changes or amendments to the CDA each year since 2019, including, among other things, proposals that would narrow CDA immunity, expand government enforcement power relating to content moderation concerns, or repeal the CDA altogether. In addition, some states have passed, and other states may adopt, laws intended to limit the protection afforded by Section 230 of the CDA. For example, laws passed by Florida and Texas related to Section 230 of the CDA are the subject of pending legal challenges. We expect that courts will continue to interpret the scope of Section 230 of the CDA in cases in which platforms seek to invoke its protections. Any changes to the protection afforded by Section 230 of the CDA could decrease or change our protections from liability for third-party content in the U.S. There are other cases pending before the judiciary that may result in changes to the protections Section 230 of the CDA affords to internet platforms. We could incur significant costs investigating and defending such claims and, if we are found liable, significant damages or license costs. We could also face fines or orders restricting or blocking our services in particular geographies as a result of content hosted on our services. If any of these events occur, we may incur significant costs or be required to make significant changes to our products, services, business practices, or operations and our business could be seriously harmed. We also could be harmed by government investigations, litigation, or changes in laws and regulations directed at our business partners or suppliers in the technology industry that have the effect of limiting our ability to do business with those entities. For example, the U.S. government recently has taken action against companies operating in China intended to limit their ability to do business in the U.S. or with U.S. companies.

We are currently subject to regulatory inquiries in the ordinary course of business, and may face additional inquiries in the future. Regulatory actions, even if unsuccessful, can be costly, distract us from our core business, and can lead to high defense costs, damage awards, injunctions, increased business costs, fines, or required changes to our business practices. These actions could also demand significant management attention and operational resources, harming our business.

Such government scrutiny of the technology industry, or the outcome of any investigation, inquiry, litigation, or changes to laws or regulations could materially adversely affect our business, financial conditions, results of operations, and prospects.

We are subject to governmental export and import controls that could impair our ability to compete in international markets and subject us to liability if we are not in compliance with applicable laws.

Our products, services, and platform are subject to various restrictions under U.S. export control and sanctions laws and regulations, including the U.S. Department of Commerce’s Export Administration Regulations, and various economic and trade sanctions regulations administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control. The U.S. export control laws and U.S. economic sanctions laws include restrictions or prohibitions on the sale or supply of certain products and services to embargoed or sanctioned countries, governments, persons, and entities, identified by the U.S., and also require authorization for the export of certain encryption items. Furthermore, U.S. export control laws and economic sanctions prohibit the shipment of certain cloud-based solutions to countries, governments, and persons targeted by U.S. sanctions. In addition, various countries regulate the import of certain encryption technology, including through import permitting and licensing requirements, and have enacted or could enact laws that could limit our ability to make available or implement our platform in those countries. While we have implemented certain procedures to facilitate compliance with applicable laws and regulations in connection with the collection of this information, we cannot assure you that these procedures have been effective or that we, or third parties, many of whom we do not control, have complied with all laws or regulations in this regard. Failure by our customers, employees, representatives, contractors, partners, agents, intermediaries, or other third parties to comply with applicable laws and regulations in the collection of this information also could have negative consequences to us, including reputational harm, government investigations, and penalties.

Although we take precautions to prevent our information collection practices from being in violation of such laws, our information collection practices may have been in the past, and could in the future be, in violation of such laws. If we or our employees, representatives, contractors, partners, agents, intermediaries, or other third parties fail to comply with these laws and regulations, we could be subject to civil or criminal penalties, including the possible loss of export privileges and fines and penalties. We may also be adversely affected through other penalties, reputational harm, loss of access to certain countries, or otherwise. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. While we are working to implement additional controls designed to prevent similar activity from occurring in the future, these controls may not be fully effective.

Changes in our platform, or changes in sanctions and import and export laws, may delay the introduction and sale of subscriptions to access our products or services internationally, prevent our customers with international operations from using our platform, or in some cases, prevent the access or use of our platform to and from certain countries, governments, persons, or entities altogether. Further, any change in export or import regulations, economic sanctions, or related laws, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons, or technologies targeted by such regulations could result in decreased use of our platform or in our decreased ability to export or sell subscriptions to use our platform to existing or prospective customers with international operations. Any decreased use of our platform or limitation on our ability to export or sell subscriptions to use our platform could materially adversely affect our business, financial condition, results of operations, and prospects.

We are also subject to the U.S. Foreign Corrupt Practices Act of 1977 (the “FCPA”), the U.K. Bribery Act 2010 (the “Bribery Act”), and other anti-corruption, sanctions, anti-bribery, anti-money laundering, and similar laws in the U.S. and other countries in which we conduct activities. Anti-corruption and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees, agents, intermediaries, and other third parties from promising, authorizing, making, or offering improper payments or other benefits to government officials and others in the private sector. We leverage, and may continue to leverage, third parties, including intermediaries, agents, and partners, to conduct our business in the U.S. and abroad and to sell subscriptions. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities, and we may be held liable for the corrupt or other illegal activities of these third-party partners and intermediaries, our employees, representatives, contractors, partners, agents, intermediaries, and other third parties, even if we do not explicitly authorize such activities. While we have policies and procedures to facilitate compliance with the FCPA, the Bribery Act, and other anti-corruption, sanctions, anti-bribery, anti-money laundering, and similar laws, we cannot assure you that they will be effective, or that all of our employees, representatives, contractors, partners, agents, intermediaries, or other third parties have taken, or will not take actions, in violation of our policies and procedures and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase.
Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage, and other consequences. Any investigations, actions, or sanctions could materially adversely affect our business, financial condition, results of operations, and prospects.

Certain of our services subject us to complex and evolving laws and regulations regarding the unauthorized practice of law (“UPL”).

UPL generally refers to a person or entity that is not licensed to practice law but that gives legal advice or advertises its services as the practice of law. As a result of our acquisition of Express Lien, Inc. (d/b/a Levelset) (“Levelset”) in November 2021, certain lien rights management services that we now offer involve activities that could represent an alternative to traditional legal services and, as a result, may potentially subject us to UPL allegations. Our lien rights management business model includes the provision of document-processing services in connection with the filing of mechanic’s liens. In the past, various aspects of Levelset’s lien rights management offering have been subject to claims of UPL. We currently face, and may in the future continue to face, similar claims, actions, or proceedings.

The laws and regulations that define UPL, and the governing bodies that enforce UPL rules, differ among the various jurisdictions in which we operate, and the scope of these laws and regulations is often vague, broad, and evolving. As a result, the application and interpretation of these laws and regulations can be uncertain and conflicting. For example, regulation of legal document processing, a component of our lien rights management offering, varies among the jurisdictions in which we conduct business. Compliance with these disparate laws and regulations may require us to structure our business and services differently in certain jurisdictions, which could lead to operating inefficiencies. Maintaining compliance with UPL rules across various jurisdictions may cause us to incur significant expenses and may require that we dedicate significant management time to dealing with UPL issues, which could divert management’s attention from other matters.

As we continue to support our lien rights management offering or expand into new jurisdictions, we may face increased scrutiny and risk of additional UPL claims, actions, or proceedings. Any failure or perceived failure by us to comply with applicable UPL laws and regulations may subject us to regulatory inquiries, actions, lawsuits, or proceedings. Levelset has incurred in the past, and we expect to incur in the future, costs associated with responding to, defending, resolving, and settling UPL claims, actions, and proceedings. We can give no assurance that we will prevail in any such matters on commercially reasonable terms or at all. Responding to, defending, and settling regulatory inquiries, action, lawsuits, and proceedings may be time-consuming and divert management and financial resources or have other adverse effects on our business. A negative outcome in any of these proceedings may result in claims, actions, changes to or discontinuance of some of our services, potential liabilities, and additional costs that could materially adversely affect our business, financial condition, results of operations, and prospects.

Our Procore Pay payment solution is subject to a number of laws and regulations applicable to payment solutions, and our failure to comply with such laws and regulations could interfere with the success of Procore Pay.

Various laws and regulations govern the payments industry throughout the U.S. Procore Pay, our payment solution, holds licenses, or is applying to hold licenses, to operate as a money transmitter (or its equivalent) in the states, as well as in the District of Columbia and certain territories, where such licenses are required. Licensed money transmitters are subject to numerous requirements, including restrictions on the investment of customer funds, reporting requirements, bond requirements, and inspection by state regulatory agencies. If we fail to comply with applicable laws or regulations required to maintain money transmitter licenses for Procore Pay, we could be subject to investigations and resulting liability, including governmental fines, restrictions on our business, or other sanctions, or be forced to cease doing business with residents of certain states or territories, forced to change our business practices, required to change our product functionality, or required to obtain additional licenses or regulatory approvals, which could impose additional costs and harm our business. There can be no assurance that we will be able to obtain money transmitter licenses in all jurisdictions in which we wish to operate. Even if we are able to do so, there could be substantial costs and potential product changes involved in maintaining such licenses, which could materially adversely affect our business, financial condition, results of operations, and prospects.

In 2025, Procore Pay began processing payments in markets where Procore Payment Services, Inc. ("Procore Payment Services") is licensed as a money transmitter. In markets where Procore Payment Services is not currently licensed as a money transmitter, Procore Pay relies on payment partners to process payments. Local regulators may use their authority over such partners to prohibit, restrict, or limit us from doing business in their respective jurisdictions. Our payment partners may be subject to extensive compliance obligations as well as enforcement actions, fines, and litigation if found to violate any legal or regulatory requirements that apply to
them. Our payment partners may choose not to renew their agreement with us for this or any other reason, or may seek to involve us in enforcement actions, fines, or litigation related to the services they provide. Any significant disruption in the services provided through Procore Pay could prevent transactions from being processed in a timely manner, or at all. If we or our payment partners experience delays or disruptions in services or other issues, including in networks or systems that result in the inability to process payment in a timely manner, or at all, we could become involved in enforcement actions, fines, or litigation.

Procore Pay is also subject to anti-money laundering (“AML”) laws and regulations. Although we have an AML program in place that is designed to help prevent Procore Pay from being used to facilitate money laundering, terrorist financing, and other illicit activities, or from doing business in countries or with persons and entities included on designated country or person lists promulgated by the U.S. Department of the Treasury’s Office of Foreign Assets Controls and equivalent authorities in other countries, there is no guarantee that our program will result in full compliance with applicable AML requirements, which can shift rapidly. Non-compliance with AML laws and regulations or economic and trade sanctions may subject us to significant fines, penalties, lawsuits, and enforcement actions, result in regulatory sanctions and additional compliance requirements, increase regulatory scrutiny of our business, restrict our operations, and damage our reputation and brands. Our compliance history may be considered by OFAC and other regulators as part of any potential future investigation of our sanctions regulation.

We maintain a fraud risk management policy and procedures to help manage fraud risk and minimize exposure to substantial losses, but the policy and procedures may not prevent all fraud or risk of loss. If these programs are not continuously monitored and improved, senders could potentially direct payments to the wrong recipients or bad actors within a customer’s organization could make fraudulent payments, which could harm our reputation and damage our brand, business, and operating results.

Risks Related to Our Intellectual Property

Our failure to protect our intellectual property rights and proprietary information could diminish our brand and other intangible assets and otherwise materially adversely affect our business, financial condition, results of operations, and prospects.

We primarily rely and expect to continue to rely on a combination of patent, copyright, trademark, and trade secret laws, as well as confidentiality procedures, licenses, and contractual restrictions, to establish and protect our intellectual property rights and proprietary information, all of which provide only limited protection. As of December 31, 2025, we had 107 issued patents in the U.S. and 90 pending patent applications in the U.S. Additionally, we had 13 issued patents in foreign countries, 28 pending patent applications in foreign countries, as well as 7 pending international patent applications that preserve our right to file additional foreign patent applications in the future. Our issued patents in the U.S. will expire between 2034 and 2046. We continually review our development efforts to assess the existence and patentability of new intellectual property.

We have devoted substantial resources to the development of our proprietary technologies and related processes. We make business decisions about when to seek patent protection for a particular technology and when to rely upon copyright or trade secret protection, and the approach we select may ultimately prove to be inadequate. Even when we seek patent protection, there is no assurance that the resulting patents will effectively protect every significant feature of our products, services, or platform. In addition, we believe that the protection of our trademark rights is an important factor in product recognition, protecting our brand, and maintaining goodwill. If we do not adequately protect our rights in our trademarks from infringement, misappropriation, and unauthorized use, any goodwill that we have developed in those trademarks could be lost or impaired, which could harm our brand and our business. In order to protect our proprietary technologies and processes, we rely in part on trade secret laws and confidentiality agreements with our employees, consultants, and third parties. These agreements may not effectively prevent disclosure of confidential information and may not provide an adequate remedy in the event of unauthorized disclosure of such information.

From time to time, we have been, and may continue to be, subject to claims of alleged infringement by us of the trademarks, copyrights, patents, and other intellectual property rights of third parties. Third parties may also knowingly or unknowingly infringe our proprietary rights. In any of these cases we may not be able to prevent infringement without incurring substantial expenses. Others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights, or develop similar technologies and processes. Additionally, pending and future patent, trademark, and copyright applications may not be approved,
and our issued patents may be contested, circumvented, found unenforceable, or invalidated. Further, laws in certain jurisdictions may afford little or no trade secret protection, and any changes in, or unexpected interpretations of, the intellectual property laws in any country in which we operate may compromise our ability to enforce our intellectual property rights. Costly and time-consuming litigation could be necessary to enforce and determine the scope of our intellectual property rights, protect our trade secrets, or determine the validity and scope of proprietary rights claimed by others. Any such litigation, regardless of outcome or merit, could result in substantial costs and diversion of management and technical resources, any of which could materially harm our business. If the protection of our proprietary rights is inadequate to prevent use or appropriation by third parties, the value of our products, services, platform, brand, and other intangible assets may be diminished, and competitors may be able to more effectively replicate our platform and its features. Any of these events could materially adversely affect our business, financial condition, results of operations, and prospects.

We license technology from third parties and our inability to maintain those licenses could materially adversely affect our business, financial condition, results of operations, and prospects.

We currently incorporate, and will in the future incorporate, technology that we license from third parties into our products, services, and platform. We cannot be certain that our licensors do not or will not infringe on the intellectual property rights of third parties or that our licensors have or will have sufficient rights to the licensed intellectual property in all jurisdictions where we may sell subscriptions to use our products, services, or platform. Some of our agreements with our licensors may be terminated by them for convenience or otherwise provide for a limited term. If we are unable to continue our license agreements or enter into new licenses on commercially reasonable terms, our ability to develop and sell subscriptions to use products or services containing that technology would be limited, and our business could be harmed. For example, if we are unable to license technology from third parties, such as technology that helps enable our products, services, or platform, we may be forced to acquire or develop alternative technology, which we may be unable to do in a commercially feasible manner or at all, which may require us to use alternative technology of lower quality or performance standards. This could limit or delay our ability to offer certain existing, new, or competitive products or services and may increase our costs. As a result, our business, financial condition, and results of operations could be materially adversely affected.

Our use of third-party open source software could negatively affect our ability to sell subscriptions to access our products and platform and subject us to possible litigation.

From time to time, companies that use third-party open source software have faced claims challenging the use of such open source software and compliance with the open source software license terms. Accordingly, we may be subject to lawsuits by parties claiming ownership of what we believe to be open source software or claiming non-compliance with the applicable open source licensing terms. Some open source software licenses require end-users, who distribute or make available across a network software and services that include open source software, to make publicly available or to license all or part of such software (which in some circumstances could include valuable proprietary code, such as modifications or derivative works created, based upon, incorporating, or using the open source software) under the terms of the particular open source license. While we employ practices designed to monitor our compliance with the licenses of third-party open source software and protect our valuable proprietary source code, we may inadvertently use third-party open source software in a manner that exposes us to claims of non-compliance with the terms of the applicable license, including claims of intellectual property rights infringement or for breach of contract. Furthermore, there exists today an increasing number of types of open source software licenses, almost none of which have been tested in courts of law to provide clarity on their proper legal interpretation. If we were to receive a claim of non-compliance with the terms of any of these open source licenses, we may be required to publicly release certain portions of our proprietary source code. We could also be required to expend substantial time and resources to re-engineer some or all of our software. Any of the foregoing could materially adversely affect our business, financial condition, results of operations, and prospects.

In addition, the use of third-party open source software typically exposes us to greater risks than the use of third-party commercial software because open source licensors generally do not provide warranties or controls on the functionality or origin of the software. Use of open source software may also present additional security risks because the public availability of such software may make it easier for hackers and other third parties to determine how to compromise our platform. Any of the foregoing could help competitors develop products and services that are similar to or better than ours and could materially adversely affect our business, financial condition, results of operations, and prospects.

Our customers’ and other users’ violations of our policies or other misuse of our platform to transmit unauthorized, offensive, or illegal messages, spam, phishing scams, and website links to harmful applications or for other fraudulent or illegal activity could damage our reputation, and we may face a risk of litigation and liability for illegal activities on our platform and unauthorized, inaccurate, or fraudulent information distributed via our platform.

Despite our ongoing and substantial efforts to limit such use, certain customers or other users may use our platform to transmit unauthorized, offensive, or illegal messages, calls, spam, phishing scams, and website links to harmful applications, reproduce and distribute copyrighted material or the trademarks of others without permission, and report inaccurate or fraudulent data or information. These actions are in violation of our policies. Our efforts to defeat spamming attacks, illegal robocalls, and other fraudulent activity will not prevent all such attacks and activity. Such use of our platform could damage our reputation and we could face claims for damages, regulatory enforcement, copyright or trademark infringement, defamation, negligence, or fraud. Moreover, our customers’ and other users’ promotion of their products and services through our platform might not comply with federal, state, and foreign laws. We rely on contractual representations made to us by our customers that their use of our platform will comply with our policies and applicable law. Although we retain the right to verify that customers and other users are abiding by our policies, our customers and other users are ultimately responsible for compliance with our policies, and we do not systematically audit our customers or other users to confirm compliance with our policies. Although Section 230 of the CDA currently limits liability for third-party content posted on internet platforms, we cannot predict whether that protection will remain in effect. See the risk factor titled “Increased government scrutiny of the technology industry generally or our operations specifically could negatively affect our business.”

Risks Related to Our Acquisitions

We may be unsuccessful in making, integrating, and maintaining acquisitions, joint ventures, and strategic investments, which could materially adversely affect our business, financial condition, results of operations, and prospects.

We expect to continue to evaluate and complete a wide array of potential strategic transactions, including acquisitions of businesses, joint ventures, new technologies, services, products, and other assets, and other strategic investments. Any of these transactions could be material to our business, financial condition, results of operations, and prospects. However, we may not be able to find suitable acquisition, joint venture, and strategic investment candidates, and we may not be able to complete transactions on favorable terms or at all. In addition, transactions may be subject to regulatory scrutiny and the law related to such regulatory scrutiny is evolving, which creates uncertainty.

Even if we are able to complete these transactions, we may incur substantial costs and may not be able to realize the anticipated benefits of such transactions in the time frame expected or at all. In particular, if we are unable to successfully operate as a combined business after the completion of such transactions to achieve shared growth opportunities or combine reporting or other processes within the expected time frame, such delay may materially and adversely affect the benefits that we expect to achieve as a result of any such acquisition. For example, in October 2023, we ceased originations under our materials financing program, which we assumed pursuant to the Levelset acquisition. Such transactions may not ultimately strengthen our competitive position or achieve our strategic goals, and may disrupt our ongoing business, increase our expenses, and otherwise present risks not contemplated at the time of the transaction. In addition, we may inherit commitments, risks, and liabilities of companies that we acquire that we are unable to successfully mitigate and that may be amplified by our existing business. Further, valuations supporting our acquisitions and strategic investments could change rapidly. Following any such transaction, we could determine that such valuations have experienced impairments or other-than-temporary declines in fair value which could materially adversely affect our business, financial condition, operating results, and prospects through the write-off of goodwill and other impairment charges.

To finance such transactions, we may have to pay cash, incur debt, or issue securities, including equity-based securities, each of which could affect our financial condition or the value of our capital stock. The sale of equity to finance any such transaction could result in dilution to our stockholders. If we incur debt in connection with such a transaction, it would result in increased fixed obligations and could also subject us to covenants or other restrictions that would impede our ability to flexibly operate our business. Any of these factors could materially adversely affect our ability to consummate a transaction, and our business, financial condition, results of operations, and prospects.

Risks Related to Tax Matters

We could be required to collect additional sales and use, value added, goods and services, business, gross receipts, and other indirect tax liabilities in various jurisdictions, which could materially adversely affect our business, financial condition, results of operations, and prospects.

We currently collect and remit applicable indirect taxes in jurisdictions where we, through our employees or economic activity, have a presence, or “nexus,” and where we have determined, based on applicable law, that sales of subscriptions to access our products, services, and platform are taxable. We do not currently collect and remit indirect taxes, including state and local excise, utility user, and ad valorem taxes, fees, and surcharges in jurisdictions where we believe we do not have sufficient nexus. There is uncertainty as to what constitutes sufficient nexus for a state or local jurisdiction to levy taxes, fees, and surcharges on sales made over the internet, and there is also uncertainty as to whether our characterization of our products, services, and platform as not taxable in certain jurisdictions will be accepted by state and local tax authorities.

Tax authorities may challenge our position that we do not have sufficient nexus in a taxing jurisdiction or that our products, services, and platform are not taxable in such jurisdiction and may decide to audit our business and operations with respect to indirect taxes, which could result in significant tax liabilities (including related penalties and interest) for us or our customers, which could materially adversely affect our business, financial condition, results of operations, and prospects.

The application of indirect taxes, such as sales and use, value added, goods and services, business, and gross receipts taxes, to businesses that transact online, such as ours, is a complex and evolving area. States and local jurisdictions in certain circumstances may levy sales and use taxes on sales of goods and services based on “economic nexus,” regardless of whether the seller has a physical presence in such jurisdiction. A number of states have begun requiring collection of sales and use taxes by online sellers. The details and effective dates of these collection requirements vary from state to state. As a result, it may be necessary for us to reevaluate whether our activities give rise to sales, use, and other indirect taxes as a result of any nexus in those states in which we are not currently registered to collect and remit taxes. Additionally, we may need to assess our potential tax collection and remittance obligations based on the requirements of existing or future economic nexus laws. There have been, and will continue to be, substantial ongoing costs associated with complying with the various indirect tax requirements in the numerous jurisdictions in which we conduct or may conduct business. If we are unsuccessful in collecting such taxes from our customers, we could be held liable for such obligations. The application of existing, or future indirect tax laws, whether in the U.S. or internationally, or the failure to collect and remit such taxes, could materially adversely affect our business, financial condition, results of operations, and prospects.

Our corporate structure and intercompany arrangements cause us to be subject to the tax laws of various jurisdictions, and we could be obligated to pay additional taxes, which could materially adversely affect our business, financial condition, results of operations, and prospects.

We are expanding our international operations and personnel to support our business internationally. We generally conduct our international operations through wholly-owned subsidiaries and are or may be required to report our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. Our intercompany relationships are subject to complex transfer pricing regulations administered by tax authorities in various jurisdictions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of such jurisdictions, including the U.S., to our international business activities, changes in tax rates, new or revised tax laws, or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions, which generally are required to be computed on an arm’s-length basis pursuant to intercompany arrangements, or may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations.

We are subject to federal, state, and local income, sales, and other taxes in the U.S. and income, withholding, transaction, and other taxes in numerous foreign jurisdictions. Evaluating our tax positions and our worldwide provision for taxes is complicated and requires the exercise of significant judgment. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination
is uncertain. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could differ materially from our historical tax provisions and accruals, which could have an adverse effect on our results of operations or cash flows in the period or periods for which a determination is made.

Our business could be materially adversely affected by changes to tax laws.

The tax regimes to which we are subject or under which we operate, including income and non-income taxes, are unsettled and may be subject to significant change. Changes in tax laws, regulations, or rulings, or changes in interpretations of existing laws and regulations, could materially adversely affect our business, financial condition, results of operations, and prospects. For example, the legislation commonly referred to as the One Big Beautiful Bill Act (the “OBBBA”) was recently signed into law, which, along with the Tax Cuts and Jobs Act (the “TCJA”), the Coronavirus Aid, Relief and Economic Security Act, and the Inflation Reduction Act (the “IRA”) resulted in significant changes to the taxation of business entities including, among other changes, the imposition of minimum taxes or surtaxes on certain types of income, changes to the taxation of income derived from international operations, changes in the deduction and amortization of research and development expenditures, and limitations on the deductibility of business interest. The IRA includes provisions that will impact the U.S. federal income taxation of certain corporations, including imposing a minimum tax on the book income of certain large corporations and a 1% excise tax on the value of certain corporate stock repurchases by publicly traded companies that would be imposed on the company repurchasing such stock. Regulatory or accounting guidance with respect to existing or future tax laws could materially affect our tax obligations and effective tax rate. It is uncertain if, and to what extent, various states will conform to current federal law or any newly enacted federal tax legislation.

In addition, many countries in Europe, as well as a number of other countries and organizations (including the Organization for Economic Cooperation and Development (the “OECD”) and the European Commission), have recently proposed, recommended, or (in the case of certain countries) enacted, or are in the process of enacting, changes to existing tax laws or new tax laws that could significantly increase our tax obligations in the countries where we do business or require us to change the manner in which we operate our business. In particular, the OECD is working on a two-pillar solution to address the tax challenges arising from the digitalization of the economy, commonly referred to as BEPS 2.0, which has made, and is expected to continue to make, significant changes to the international tax system, including by allocating taxing rights in respect of certain profits of multinational enterprises above a fixed profit margin to the jurisdictions within which they carry on business (subject to certain revenue threshold rules which we do not currently meet but may meet in the future), referred to as the Pillar One proposal, and imposing a minimum effective tax rate on certain multinational enterprises, referred to as the Pillar Two proposal. A number of countries within which we carry on our business have implemented, or are currently expected to implement, core elements of the Pillar Two proposal (with further provisions expected to be enacted in the future). Based on our current understanding of the minimum revenue thresholds contained in the Pillar Two rules, we came within their scope beginning in 2025, but do not expect them to have a material impact on us for fiscal year 2025. The OECD has issued, and continues to issue further, administrative guidance providing transition and safe harbor rules in relation to the implementation of the Pillar Two proposal and other rules. 
For example, on January 5, 2026, the OECD published details of a proposed “side-by-side” arrangement providing for, among other things, additional safe harbors for multinational groups headquartered in certain qualifying jurisdictions. We are monitoring developments and evaluating the potential impacts of the Pillar Two rules, including on our effective tax rates, and considering our eligibility to qualify for these safe harbor rules (including under the proposed “side-by-side” arrangement). Any of the foregoing could materially adversely affect our business, financial condition, results of operations, and prospects, and we may be required to incur additional material costs and expenditure to ensure compliance with any such rules in each of the relevant jurisdictions within which we carry on our business.

Our ability to use our net operating loss carryforwards (“NOL carryforwards”) and certain other tax attributes may be limited.

As of December 31, 2025, we had $913.9 million of U.S. federal and $660.9 million of state NOL carryforwards available to reduce taxable income that we may have in the future. It is possible that we will not generate taxable income sufficient to use certain of these NOL carryforwards. Under current law, our U.S. federal NOLs incurred in taxable years beginning after December 31, 2017 may be carried forward indefinitely, but the ability to utilize such federal NOL carryforwards to offset taxable income in a tax year is limited to 80% of the taxable income in such tax year. In addition, federal NOL carryforwards and certain tax credits may be subject to significant limitations under Section 382 and Section 383 of the Internal Revenue Code (the “IRC”), respectively. Under those sections of the IRC, if a corporation undergoes an “ownership change,” the corporation’s ability to use its pre-change NOL carryforwards and other pre-change tax attributes, such as research tax credits, to offset its post-change income or taxes may be limited. In general, an “ownership change” will occur if there is a cumulative change in our ownership by “5-percent shareholders” that exceeds 50 percentage points over a rolling three-year period. We have experienced ownership changes in the past, and may experience additional ownership changes in the future, as a result of shifts in our stock ownership, some of which may be outside of our control. Our ability to utilize our NOL carryforwards is conditioned upon generating future U.S. federal taxable income. Although we have generated U.S. federal taxable income in the past, we do not know whether we will continue to do so. Therefore, our NOL carryforwards generated prior to 2018 could expire unused. State NOL carryforwards and other state tax credits may be subject to similar limitations under state tax laws, and there may be periods during which the use of state NOL carryforwards is suspended or otherwise limited, which could accelerate or permanently increase state taxes owed. For example, California imposed limits on the usability of California state NOLs to offset taxable income in tax years beginning after 2023 and before 2027. If our ability to use our NOL carryforwards and tax credits is limited, or if our ability to utilize NOL carryforwards and certain tax credits is otherwise restricted by law, our business, financial condition, results of operations, and prospects could be materially adversely affected.

Risks Related to Capital Requirements, Our Marketable Securities Portfolio, and Liquidity

We may need to raise additional capital to grow our business, and such capital may not be available on terms acceptable to us, or at all, which could reduce our ability to compete and could materially adversely affect our business, financial condition, results of operations, and prospects.

We expect that our existing cash and cash equivalents will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months. To support our business and operations, we will need sufficient capital to continue to make significant investments, and we may need to raise additional capital through equity or debt financings to fund such efforts. However, many factors, including recent economic volatility and interest rate changes, could adversely impact our ability to access additional capital. If such financing is not available on terms acceptable to us or at all, we may be unable to fund our growth or develop new business at the rate desired and our operating results may suffer. Debt financing increases expenses, may contain covenants that restrict the operation of our business, and must be repaid regardless of operating results. Equity financing, or debt financing that is convertible into equity, could result in dilution to our existing stockholders and a decline in our stock price.

Our inability to obtain adequate capital resources, whether in the form of equity or debt, to fund our future growth may require us to delay, scale back, or eliminate some or all of our operations or the expansion of our business, which could materially adversely affect our business, financial condition, results of operations, and prospects.

Our marketable securities portfolio is subject to credit, liquidity, market, and interest rate risks that could cause its value to decline significantly and materially adversely affect our business, financial condition, results of operations, and prospects.

We maintain a portfolio of marketable securities through a professional investment advisor. The investments in our portfolio are subject to our corporate investment policy, which focuses on preserving principal, maintaining liquidity, avoiding inappropriate concentration and credit risk, and capturing a market rate of return in accordance with the investment guidelines in the corporate investment policy. These investments are subject to general credit, liquidity, market, and interest rate risks. In particular, the value of our portfolio may decline due to changes in interest rates, instability in the global financial markets that reduces the liquidity of securities in our portfolio, and other factors, including unexpected or unprecedented events such as health epidemics or pandemics. As a result, we may experience a significant decline in value or loss of liquidity of our investments, which could materially adversely affect our business, financial condition, results of operations, and prospects. We attempt to mitigate these risks through diversification of our investments and continuous monitoring of our portfolio’s overall risk profile, but the value of our investments may nevertheless decline. To the extent that we increase the amount of our security investments in the future, these risks could be exacerbated.

General Risks Related to Our Business and Investing in Our Common Stock

If we fail to maintain an effective system of disclosure controls and internal control over our financial reporting, including our acquired companies, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired and our business, financial condition, results of operations, and prospects could be materially adversely affected.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, and the rules and regulations of the applicable listing standards of the New York Stock Exchange. Our management and other personnel devote a substantial amount of time to compliance with these requirements. We expect that the requirements of these laws, rules, and regulations will continue to increase our IT, legal, accounting, and financial compliance costs, make some activities more complex, time-consuming, and costly, and place significant strain on our personnel, systems, and resources. We cannot predict or estimate the totality of additional costs we incur as a public company or the specific timing of such costs.

The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. Failure to maintain effective disclosure controls could cause us to be required to restate our financial statements for prior periods, result in material misstatements in our financial statements, and cause us to fail to timely meet our periodic reporting obligations, among other outcomes. In addition, we are required, pursuant to Section 404 of the Sarbanes-Oxley Act (“Section 404”) to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. In addition, our independent registered public accounting firm is required to attest to the effectiveness of our internal control over financial reporting. Our continuing compliance with Section 404 will require that we incur substantial expenses and expend significant management efforts. We may need to hire additional accounting and financial staff with appropriate public company experience and technical accounting knowledge and compile the system and process documentation necessary to perform the evaluation needed to comply with Section 404.

Our current disclosure controls and procedures and internal control over financial reporting, and any new controls that we develop, may become inadequate because of changes in conditions in our business, including our acquisitions. Changes in accounting principles or interpretations could also challenge our controls and require that we establish new business processes, systems, and controls to accommodate such changes. If our current and new systems, controls, or standards and any associated process changes do not give rise to the benefits that we expect or do not operate as intended, our financial reporting systems and processes, our ability to produce timely and accurate financial reports or disclosures, or the effectiveness of our internal control over financial reporting could be adversely affected. Moreover, our business may be harmed if we experience problems with any new systems or controls that result in delays in their implementation or increased costs to correct any post-implementation issues that may arise. Our ability to manage our operations and growth through, for example, the integration of recently acquired businesses, the adoption of new accounting principles and tax laws, and our back office systems that, for example, support our revenue recognition processes, will require us to further develop our controls and reporting systems and implement or amend new or existing controls and reporting systems in those areas where the implementation and integration is still ongoing. All of these changes to our financial systems and the implementation and integration of acquisitions create an increased risk of deficiencies in our disclosure controls and procedures or internal controls over financial reporting.

During the evaluation and testing process of our internal controls, if we identify one or more material weaknesses in our disclosure controls and procedures and internal control over financial reporting, we will be unable to certify that our internal control over financial reporting is effective. We cannot assure you that there will not be material weaknesses or significant deficiencies in our internal control over financial reporting in the future. Any failure to maintain effective disclosure controls and procedures or internal control over financial reporting could severely inhibit our ability to accurately report our financial condition or results of operations. If we are unable to conclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm determines that we have a material weakness in our internal control over financial reporting, we could lose investor confidence in the accuracy and completeness of our financial reports, the market price of our common stock could decline, and we could be subject to sanctions or investigations by the SEC or other regulatory authorities. Failure to remedy any material weaknesses or to maintain effective disclosure controls and internal control over financial reporting could adversely affect investor confidence in our company, causing a decline in our stock price, as well as restrict our future access to capital markets. Such failure could also materially adversely affect our business, financial condition, results of operations, and prospects.

Our business could be disrupted by macroeconomic factors, geopolitical events, or catastrophic occurrences.

Our platform and the infrastructure on which our platform relies are vulnerable to damage or interruption from macroeconomic factors and geopolitical events, including trends within the construction industry, inflation and responses by governments to address it, interest rate changes, tariffs and trade wars, bank failures, a shifting and uncertain geopolitical landscape, military conflicts or wars (such as the Russia-Ukraine war and other international conflicts), health epidemics or pandemics, and supply chain disruptions, or catastrophic occurrences, including earthquakes, floods, fires, other natural disasters, power loss, telecommunication failures, terrorist attacks, criminal acts, sabotage, and other intentional acts of vandalism and misconduct, or other similar events, each of which could materially adversely affect our business, financial condition, results of operations, and prospects, or the business of our customers, partners, vendors, or the economy as a whole. For example, our corporate headquarters are located near Santa Barbara, California, a region known for seismic activity and severe fires. We also have an office and a sizable workforce in Austin, Texas, which may experience extreme weather events. A catastrophic event in one of these areas or in areas in which our other offices or sizable parts of our workforce are located could materially adversely affect our business, financial condition, results of operations, and prospects. Further, the impact of changes to our climate could result in an increase in the frequency or severity of such events. Climate-related events have the potential to disrupt our business, our third-party suppliers, and the business of our customers, may cause us to experience higher attrition, losses, and additional costs to maintain and resume operations, and may subject us to increased regulations, reporting requirements, standards, or expectations regarding the environmental impacts of our business.

Although we maintain incident management and disaster response plans, in the event of a major disruption, we may be unable to continue our operations and may experience system interruptions and reputational harm. All of the aforementioned risks may be further increased if our disaster recovery plans prove to be inadequate.

We cannot guarantee that our stock repurchase program will enhance stockholder value, and any stock repurchases we make could increase the volatility of our common stock and diminish the cash reserves we have available to fund working capital and other projects, and any failure to repurchase our common stock after we have announced our intention to do so may negatively affect the price of our common stock.

On November 3, 2025, our board of directors (our “Board”) authorized a stock repurchase program to repurchase up to $300.0 million of our outstanding common stock. Our Board previously authorized a previous stock repurchase program on October 29, 2024, to repurchase up to $300.0 million of our outstanding common stock, which expired on October 29, 2025. We intend to opportunistically repurchase shares of our common stock from time to time through the open market (including via pre-set trading plans) or through other transactions in accordance with applicable securities laws, in each case, subject to market conditions, applicable legal requirements, and other relevant factors. The timing of stock repurchases and the actual number of shares repurchased will depend on a variety of factors, including price, general business and market conditions, and alternative investment opportunities, and will be subject to the discretion of management within its authorization. The stock repurchase program will be funded using our working capital. The stock repurchase program does not obligate us to acquire any particular number of shares of our common stock, or any shares at all. The stock repurchase program expires on November 3, 2026, and may be suspended or discontinued at any time at our discretion and without notice.

Although our stock repurchase program is intended to enhance long-term stockholder value, there is no assurance that it will do so because the market price of our common stock may increase above the levels at which we deem it prudent to repurchase shares, and short-term stock price fluctuations could reduce our ability to properly manage the program and the overall effectiveness of the program. The stock repurchase program could also affect the price of our common stock and increase volatility. The existence of our stock repurchase program could cause our stock price to be higher than it otherwise would be and could potentially reduce the market liquidity for our stock. Repurchasing our common stock reduces the amount of cash we have available to fund working capital, capital expenditures, strategic acquisitions or investments, other business opportunities, and other general corporate projects. We cannot guarantee that the stock repurchase program will be fully or partially consummated. Any failure to repurchase stock after we have announced our intention to do so may negatively impact our reputation, investor confidence in us, or our stock price. In addition, as part of the IRA, the U.S. implemented a 1% excise tax on the value of certain stock repurchases by publicly traded companies. This tax could increase the costs to us of any stock repurchases under the program. For these and other reasons, we may fail to realize the anticipated value of the stock repurchase program or enhance long-term stockholder value as a result of the stock repurchase program.

The market price of our common stock may be volatile, and you could lose all or part of your investment.

The market price of our common stock has in the past been volatile, and is likely to be volatile again in the future. In light of macroeconomic factors and geopolitical events, the stock market in general has experienced significant volatility in recent years, which has often been unrelated to the operating performance of particular companies. The market price for our common stock may also be influenced by the following factors: actual or anticipated changes or fluctuations in our results of operations; the financial projections we may provide to the public, any changes in these projections, or our failure to meet these projections; repurchases or expectations with respect to repurchases by us of our common stock; announcements by us or competitors of new products or new or terminated significant contracts, commercial relationships, or capital commitments; changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular; rumors and market speculation involving us and other companies in our industry; and actual or anticipated developments in our business, competitors’ businesses, or the competitive landscape generally. As a result of this volatility, you may not be able to sell your common stock at or above the price you paid for your shares. Additionally, the foregoing factors, along with other market and industry factors, may cause the market price and demand for our common stock to fluctuate substantially, regardless of our actual operating performance, which may limit or prevent investors from selling their shares at or above the price paid for the shares and may otherwise negatively affect the liquidity of our common stock.

If we experience excessive fraudulent activity or cannot meet evolving credit card association merchant standards, we could incur substantial costs and lose the right to accept credit cards for payment, which could cause our customer base to decline significantly and could materially adversely affect our business, financial condition, results of operations, and prospects.

Substantial losses due to fraud or our inability to accept credit card payments could cause our customer base to significantly decrease and would harm our business.

A significant portion of our customers authorize us to bill their credit card accounts directly for our products, and certain of our customers purchase from us directly and are required to keep their payment methods current for monthly billing purposes. Our customers provide us with credit card billing information online or over the phone, and we do not review the physical credit cards used in these transactions, which increases our risk of exposure to fraudulent activity. We have incurred charges, which we refer to as chargebacks, from credit card companies for claims that the customer did not authorize the credit card transaction for our products. We may be required to pay for unauthorized credit charges and expenses with no reimbursement from the customer. If the number of claims of unauthorized credit card transactions becomes excessive, we could be assessed substantial fines for excess chargebacks, and we could lose the right to accept credit cards for payment. Although we implement multiple fraud prevention and detection controls, we cannot assure you that these controls will be adequate to protect against fraud.

In addition, credit card issuers may change merchant standards, including data protection and documentation standards, required to utilize their services from time to time. If we fail to comply with such standards, the credit card associations could fine us or terminate their agreements with us, and we would be unable to accept credit cards as payment for our products.

Concentration of ownership of our common stock among our officers, directors, and principal stockholders may prevent new and other existing investors from influencing significant corporate decisions, including mergers, consolidations, or the sale of us or all or substantially all of our assets.

Our officers, directors, and stockholders who own more than 5% of our outstanding common stock, beneficially own, in the aggregate, a significant percentage of our outstanding common stock. Furthermore, one of our current directors is affiliated with one of our largest stockholders. As a result, such persons or their affiliates on our Board, if any, may have the ability to significantly influence matters submitted to our Board or stockholders for approval, including the appointment of our management, the election and removal of directors, and the approval of any significant transactions (including any merger, consolidation, or sale of all or substantially all of our assets), as well as our management and business affairs. This concentration of ownership may also have the effect of delaying, deferring, or preventing a change in control, impeding a merger, consolidation, takeover, or other business combination involving us, or discouraging a potential acquirer from making a tender offer or otherwise attempting to obtain control of our business, even if such a transaction would benefit other stockholders. In addition, it may result in the management of our company in ways with which other stockholders disagree. Further, this concentration of share ownership may adversely affect the trading price of our common stock because investors may perceive disadvantages in owning shares in a company with one or more significant stockholders.

Certain provisions in our organizational documents and under Delaware law could make an acquisition of our company more difficult, limit attempts by our stockholders to replace or remove members of our Board or current management, and adversely affect our stock price.

Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that could delay or prevent a change in control of our company. These provisions could also make it difficult for stockholders to elect directors that are not nominated by the current members of our Board or to take other corporate actions, including effecting changes in our management. These provisions include:

• a classified Board with three-year staggered terms, which could delay the ability of stockholders to change the membership of a majority of our Board;

• the denial of any right of our stockholders to remove members of our Board except for cause and, in addition to any other vote required by law, upon the approval of not less than two-thirds of the total voting power of all our outstanding voting stock then entitled to vote in the election of directors;

• the ability of our Board to issue shares of preferred stock and to determine the price and other terms of those shares, including preferences and voting rights, without stockholder approval, which could be used to significantly dilute the ownership of a hostile acquirer;

• the exclusive right of our Board to elect a director to fill a vacancy created by the expansion of our Board or the resignation, death, or removal of a director, which prevents stockholders from being able to fill vacancies on our Board;

• a prohibition on stockholder action by written consent, which forces stockholder action to be taken at an annual or special meeting of our stockholders;

• the requirement that a special meeting of stockholders may be called only by our Board acting pursuant to a resolution adopted by a majority of our Board, which could delay the ability of our stockholders to force consideration of a proposal or to take action, including the removal of directors;

• the requirement to obtain approval of two-thirds of the then-outstanding voting power of our capital stock in order to make certain amendments to our amended and restated certificate of incorporation; and

• advance notice procedures and disclosure requirements with which stockholders must comply to nominate candidates to our Board or to propose matters to be acted upon at a stockholders’ meeting, which may discourage or deter a potential acquirer from conducting a solicitation of proxies to elect the acquirer’s own slate of directors or otherwise attempting to obtain control of us.

These provisions may prohibit large stockholders, in particular those owning 15% or more of our outstanding voting stock, from merging or combining with us for a certain period of time.

Our amended and restated certificate of incorporation designates the Court of Chancery of the State of Delaware and, to the extent enforceable, the federal district courts of the U.S., as the exclusive forums for certain disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers, or employees.

Our amended and restated certificate of incorporation provides that the Court of Chancery of the State of Delaware is, unless we consent in writing to the selection of an alternative forum, the sole and exclusive forum for the following types of actions or proceedings under Delaware statutory or common law: (1) any derivative action or proceeding brought on our behalf, (2) any action asserting a claim of breach of a fiduciary duty or other wrongdoing by any of our directors, officers, employees, or agents to us or our stockholders, (3) any action asserting a claim against us arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation, or our amended and restated bylaws, (4) any action to interpret, apply, enforce, or determine the validity of our amended and restated certificate of incorporation or amended and restated bylaws, or (5) any action asserting a claim that is governed by the internal affairs doctrine (or, if the Court of Chancery does not have jurisdiction, the federal district court for the District of Delaware), in all cases subject to the court having jurisdiction over indispensable parties named as defendants. This provision would not apply to lawsuits brought to enforce a duty or liability created by the Securities Act, the Exchange Act, or any other claim for which the federal courts have exclusive jurisdiction.

In addition, to prevent having to litigate claims in multiple jurisdictions and the threat of inconsistent or contrary rulings by different courts, among other considerations, our amended and restated certificate of incorporation provides that the U.S. federal district courts will be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act. However, as Section 22 of the Securities Act creates concurrent jurisdiction for federal and state courts over all lawsuits brought to enforce any duty or liability created by the Securities Act, and an investor cannot waive compliance with the federal securities laws and the rules and regulations thereunder, there is uncertainty as to whether a court would enforce this provision. While the Delaware courts have determined that such choice of forum provisions are facially valid, a stockholder may nevertheless seek to bring a claim in a venue other than those designated in the exclusive forum provisions. In such an instance, we would expect to vigorously assert the validity and enforceability of the exclusive forum provisions of our amended and restated certificate of incorporation. This may require significant additional costs associated with resolving such action in other jurisdictions and there can be no assurance that the provisions will be enforced by a court in those other jurisdictions.

These exclusive forum provisions may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers, or other employees, which may discourage lawsuits against us and our directors, officers, and other employees. If a court were to find either exclusive forum provision in our amended and restated certificate of incorporation to be inapplicable or unenforceable in an action, we may incur further significant additional costs associated with resolving the dispute in other jurisdictions, all of which could seriously harm our business.
