SailPoint (SAIL) lifts revenue to $1.1B with AI-driven identity security platform
Filing Impact
Filing Sentiment
Form Type
10-K
Rhea-AI Filing Summary
SailPoint, Inc. reports strong expansion as a provider of adaptive identity security for large, complex organizations. Revenue grew from $699.6 million to $1.1 billion between the fiscal years ended January 31, 2024 and January 31, 2026, driven by its SaaS‑based SailPoint Platform and IdentityIQ offerings.
The company serves approximately 3,235 customers in more than 65 countries and generated 35% of revenue outside the United States in the year ended January 31, 2026. Its solutions govern human, machine, and AI agent identities using AI‑driven analytics, lifecycle management, and compliance tools built on a unified, multi‑tenant cloud architecture.
SailPoint emphasizes innovation, investing about $223.0 million in research and development in the year ended January 31, 2026, and relies heavily on a broad ecosystem of system integrators, resellers, and MSPs for over 90% of new customer transactions. Principal risks include intense competition, reliance on partner channels, rapid market and AI technology evolution, cybersecurity threats, and concentrated control by Thoma Bravo.
Positive
- None.
Negative
- None.
Table of Contents
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
________________________________________________________________
FORM 10-K
________________________________________________________________
(Mark One)
| ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 | |||||
For the fiscal year ended January 31 , 2026
or
| TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 | |||||
For the transition period from to
Commission file number 001-42522
________________________________________________________________
(Exact name of registrant as specified in its charter)
________________________________________________________________
(State or other jurisdiction of
incorporation or organization)
(Address of principal executive offices)
(I.R.S. Employer
Identification No.)
(Zip Code)
Registrant’s telephone number, including area code: (512 ) 346-2000
________________________________________________________________
Securities registered pursuant to Section 12(b) of the Act:
| Title of each class | Trading Symbol(s) | Name of each exchange on which registered | ||||||||||||
Securities registered pursuant to Section 12(g) of the Act: None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ¨ No x
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes ¨ No x
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes x No ¨
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes x No ¨
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
| Large accelerated filer | ☐ | Accelerated filer | ☐ | ||||||||
x | Smaller reporting company | ||||||||||
Emerging growth company | |||||||||||
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ¨
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. x
If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements. ¨
Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant's executive officers during the relevant recovery period pursuant to §240.10D-1(b). ¨
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act). Yes ☐ No x
The aggregate market value of the stock of the registrant as of July 31, 2025 (based on a closing price of $22.34 per share) held by non-affiliates was approximately $1.5 billion.
The registrant had 563,803,428 shares of common stock outstanding as of March 13, 2026.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant's definitive Proxy Statement relating to the 2026 Annual Meeting of Stockholders are incorporated herein by reference in Part III of this Annual Report on Form 10-K to the extent stated herein. Such Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year ended January 31, 2026.
Table of Contents
SailPoint, Inc.
Annual Report on Form 10-K
Table of Contents
| Page | ||||||||
| Special Note About Forward-Looking Statements | 1 | |||||||
| Summary of Principal Risk Factors | 2 | |||||||
PART I | ||||||||
| Item 1. | Business | 3 | ||||||
| Item 1A. | Risk Factors | 17 | ||||||
| Item 1B. | Unresolved Staff Comments | 50 | ||||||
Item 1C. | Cybersecurity | 50 | ||||||
| Item 2. | Properties | 51 | ||||||
| Item 3. | Legal Proceedings | 51 | ||||||
| Item 4. | Mine Safety Disclosures | 52 | ||||||
PART II | ||||||||
| Item 5. | Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities | 53 | ||||||
| Item 6. | [Reserved] | 55 | ||||||
| Item 7. | Management’s Discussion and Analysis of Financial Condition and Results of Operations | 55 | ||||||
| Item 7A. | Quantitative and Qualitative Disclosures About Market Risk | 74 | ||||||
| Item 8. | Financial Statements and Supplementary Data | 76 | ||||||
| Item 9. | Changes in and Disagreements with Accountants on Accounting and Financial Disclosure | 113 | ||||||
| Item 9A. | Controls and Procedures | 113 | ||||||
| Item 9B. | Other Information | 113 | ||||||
| Item 9C. | Disclosure Regarding Foreign Jurisdictions that Prevent Inspections | 114 | ||||||
PART III | ||||||||
| Item 10. | Directors, Executive Officers and Corporate Governance | 115 | ||||||
| Item 11. | Executive Compensation | 115 | ||||||
| Item 12. | Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters | 115 | ||||||
| Item 13. | Certain Relationships and Related Transactions, and Director Independence | 115 | ||||||
| Item 14. | Principal Accountant Fees and Services | 115 | ||||||
PART IV | ||||||||
| Item 15. | Exhibits and Financial Statement Schedules | 116 | ||||||
| Item 16. | Form 10-K Summary | 118 | ||||||
Signatures | 119 | |||||||
i
Table of Contents
SPECIAL NOTE ABOUT FORWARD-LOOKING STATEMENTS
This Annual Report on Form 10-K (this “Annual Report”) contains forward-looking statements within the meaning of, and we intend such forward-looking statements to be covered by, the safe harbor provisions of the Private Securities Litigation Reform Act of 1995. You can identify forward-looking statements by the fact that they do not relate strictly to historical or current facts, and these statements may include words such as “anticipate,” “estimate,” “expect,” “project,” “plan,” “intend,” “believe,” “may,” “will,” “should,” “can have,” “likely,” and other words and terms of similar meaning. For example, all statements we make relating to our estimated and projected costs, expenditures, cash flows, growth rates, and financial results or our plans and objectives for future operations, growth initiatives, or strategies are forward-looking statements.
Because forward-looking statements relate to the future, they involve substantial risks and uncertainties, and you should not rely upon forward-looking statements as predictions of future events or place undue reliance thereon. We derive many of our forward-looking statements from our operating budgets and forecasts, which are based on many detailed assumptions. While we believe that our assumptions are reasonable, we caution that it is very difficult to predict the impact of known factors, and it is impossible for us to anticipate all factors that could affect our actual results. Important factors that could cause actual results to differ materially from our expectations include the following:
•our ability to sustain historical growth rates;
•our ability to attract and retain customers and to deepen our relationships with existing customers;
•the growth in the market for identity security solutions;
•our ability to maintain successful relationships with our channel partners;
•the length and unpredictable nature of our sales cycle;
•our ability to compete successfully against current and future competitors;
•the increasing complexity of our operations;
•our ability to maintain and enhance our brand or reputation as an industry leader and innovator;
•unfavorable conditions in our industry or the global economy;
•our estimated market opportunity and forecasts of our market and market growth may prove to be inaccurate;
•our ability to hire, retain, train, and motivate our personnel and our ability to maintain our corporate culture;
•our ability to successfully introduce, use, and integrate artificial intelligence ("AI") with our solutions;
•breaches in our security, cyber attacks, or other cyber risks;
•interruptions, outages, or other disruptions affecting the delivery of our software as a service ("SaaS") solution or any of the third-party cloud-based systems that we use in our operations;
•our ability to adapt and respond to rapidly changing technology, industry standards, regulations, or customer needs, requirements, or preferences;
•real or perceived errors, failures, or disruptions in our platform or solutions;
•the ability of our platform and solutions to effectively interoperate with our customers’ existing or future information technology ("IT") infrastructures;
•our ability to comply with our privacy policy or related legal or regulatory requirements;
•the impact of various tax laws and regulations, including our failure to comply therewith; and
•other factors disclosed in the section titled “Risk Factors” and elsewhere in this Annual Report.
Any forward-looking statements made by us are based only on information available to us as of the date on which such statements are made and speaks only as of such date. We undertake no obligation to update any forward-looking statements made in this Annual Report to reflect events or circumstances after such date or to reflect new information or the occurrence of unanticipated events, except as required by law. Our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures or investments we may make.
All written and oral forward-looking statements attributable to us, or persons acting on our behalf, are expressly qualified in their entirety by these cautionary statements as well as other cautionary statements that are made from time to time in our other filings with the Securities and Exchange Commission (the “SEC”) and other public communications.
1
Table of Contents
SUMMARY OF PRINCIPAL RISK FACTORS
The following is a summary of the principal risk factors that could materially adversely affect our business, financial condition, and results of operations and, consequently, make an investment in us risky:
•We have experienced rapid growth in recent periods, and our recent growth rates may not be indicative of our future growth.
•Our future revenues and operating results will be harmed if we are unable to acquire new customers, if our customers do not renew their arrangements with us, if we are unable to expand sales to our existing customers, or if we are unable to develop new solutions that achieve market acceptance.
•If the market for identity security solutions does not grow, our ability to grow our business and our results of operations may be adversely affected.
•If we are unable to maintain successful relationships with our channel partners, our ability to market, sell, distribute, and implement our solutions will be limited, and our business, financial condition, and operating results would be adversely affected.
•Our quarterly results fluctuate significantly and may not fully reflect the underlying performance of our business.
•Our sales cycle is long and unpredictable, and our sales efforts require considerable time and expense.
•We face intense competition in our market, both from larger, well-established companies and from emerging companies and technologies, and we may lack sufficient financial and other resources to maintain and improve our competitive position.
•We anticipate that our operations will continue to increase in complexity as we grow, which will add additional challenges to the management of our business in the future.
•If we are not able to maintain and enhance our brand or reputation as an industry leader and innovator, our business and operating results may be adversely affected.
•Our success depends on the experience and expertise of our senior management team and key employees. If we are unable to hire, retain, train, and motivate our personnel, or to maintain our corporate culture, our business, operating results, and prospects may be harmed.
•Our introduction and use of AI, and the integration of AI with our solutions, may not be successful and may present business, compliance, and reputational challenges, which could lead to operational or reputational damage, competitive harm, legal and regulatory risk, and additional costs, any of which could adversely affect our business, financial condition, and results of operations.
•Our ability to introduce new identity security solutions and features is dependent on adequate research and development resources and our ability to successfully complete acquisitions. If we do not adequately fund our research and development efforts or complete acquisitions successfully, we may not be able to compete effectively, and our business and results of operations may be harmed.
•Cyber attacks or other cybersecurity breaches, incidents, or disruptions with respect to our networks, systems, or applications, including unauthorized access to, or disclosure or other processing of, our proprietary, confidential, or sensitive information, including personal information, could disrupt our operations, compromise sensitive information related to our business or personal information processed by us or on our behalf, and expose us to liability, which could harm our reputation and adversely affect our business, financial condition, and results of operations, and as we grow, we may become a more attractive target for cyber attacks.
•Interruptions, outages, or other disruptions affecting the delivery of our SaaS solution, or any of the third-party cloud-based systems that we use in our operations, may adversely affect our business, operating results, and financial condition.
•Real or perceived errors, failures or disruptions in our platform and solutions could adversely affect our customers’ satisfaction with our solutions and/or our industry reputation and business could be harmed.
•Thoma Bravo (as defined below) controls us, and its interests may conflict with ours or yours in the future.
We describe these and other material risks relating to an investment in us in greater detail under Part I, Item 1A, “Risk Factors.”
2
Table of Contents
PART I
ITEM 1. BUSINESS
Overview
SailPoint, Inc. (together with its consolidated subsidiaries, as appropriate, “SailPoint,” the “Company,” “our,” or “we”) delivers solutions to enable adaptive identity security for the enterprise. We do this via the SailPoint Platform that unifies identity data across systems and identity types, including employee identities, non-employee identities, machine identities, and AI agents for real-time governance. Our SaaS and customer-hosted offerings leverage intelligent analytics to provide organizations with critical visibility into which identities currently have access to which resources, which identities should have access to those resources, and how that access is being used. Our solutions enable organizations to establish, control, and automate policies that help them define and maintain a robust security posture and achieve regulatory compliance. Powered by AI, our solutions enable organizations to overcome the scale and complexity of managing identities in real-time across dynamic, complex IT environments.
The evolving threat landscape requires a more adaptive, context-aware identity security approach than ever before. The number of cyber attacks continues to increase at an accelerating rate, fueled in part by the adoption of AI by threat actors. This has lowered the barrier for sophisticated attacks and enabled threat actors to scale their efforts with unprecedented efficiency. The consequences are significant, and the attack surface has expanded dramatically with the rapid growth of non-human identities in recent years, which now vastly outnumber human identities. Every AI agent and automated process requires an identity to access data and systems, creating thousands of new potential targets for attackers that often operate outside of traditional security processes. These compromised identities, both human and non-human, enable attackers to access sensitive applications and data, presenting a significant and growing risk to organizations.
A fundamental shift, driven by the proliferation of AI, is reshaping the IT environment and expanding the complexity of digital identities organizations must manage. This complexity arises from the convergence of three dimensions: the identities themselves, the systems and data they access, and the risk level of that access. Identities have expanded beyond human users to include a rapidly growing number of non-human identities like AI agents and machines. These identities require access to sensitive data distributed across complex multi-cloud environments, and how they access these resources has become increasingly dynamic. This new reality makes traditional, static security insufficient. Instead, an adaptive security layer is needed that understands the context between every identity, data asset, and access attempt. These challenges, compounded by a widening cybersecurity skills gap and increasing regulatory pressures, create a clear demand for more effective identity security solutions.
We believe that providing this adaptive layer of identity security is fundamental to securing the modern enterprise. We pioneered the market for enterprise identity governance and have evolved our solutions to address these complex, converging dimensions of enterprise security. The SailPoint Platform is designed to deliver deep, rich, and real-time identity context, enabling organizations to effectively secure their business and data.
During our 20-year history, we have continuously evolved our offerings to address the most pressing challenges in identity security. We offer multiple identity solutions to meet the diverse needs of our customers across a full range of deployment options. The SailPoint Identity Security Cloud is built on our unified platform and enables organizations to consume our identity solution as a SaaS offering. It delivers the critical elements needed to build, maintain, and scale a strong enterprise-class identity security environment. IdentityIQ is our customer-hosted identity security solution and meets the needs of organizations that are not able or ready to implement a SaaS solution.
Together, our solutions address nearly all types of enterprise identities, including both human and non-human identities and their access to many types of enterprise resources, spanning data and applications. This enables smarter access decisions, improves business processes, and delivers a deeper understanding of identity and access across the enterprise.
Our solutions are underpinned by several key differentiators:
•The foundation: Deep identity context
3
Table of Contents
We map the complex relationships between different types of identities, including humans, machines, and AI agents and the applications, entitlements, and sensitive data they can access. This creates a single source of truth for identity, which we believe is the essential bedrock for building an effective security strategy.
•The intelligence layer: AI-driven governance
SailPoint enriches this foundational data with a powerful layer of artificial intelligence and decades of governance expertise. This transforms raw data into actionable security insights. Key capabilities include providing AI-driven recommendations to automate and improve access decisions.
•The outcome: Real-time & adaptive identity security
Building on the foundational context and AI-driven intelligence, SailPoint's vision is to deliver the next generation of identity security that not only manages identity but actively and autonomously defends the enterprise in real-time through advanced capabilities like securing modern AI and machine identities and integrating identity information directly with security operations.
Our customers include many of the world’s largest and most complex organizations, including large enterprises across all major verticals and governments. Our go-to-market approach consists primarily of tailored customer engagement strategies by market segment, which we believe is critical to ensuring successful implementation and ongoing customer success. Most new customers purchase one of our SaaS suites. We focus on expanding our customer relationships over time with significant up-selling and cross-selling opportunities, including suite upgrades and additional products.
Our Growth Strategy
Drive New Customer Growth
We believe we have a significant opportunity to accelerate the growth of our customer base as countless organizations still use a combination of legacy solutions and home-grown tools. We estimate that over 60% of organizations in our target market still have a fragmented identity experience or use a mostly manual process based on our internal research. To continue to grow our customer base, we intend to enhance our marketing efforts, increase our sales capacity and productivity, and expand and further leverage our use of channel partners.
Expand Existing Customer Relationships
Our customer base of approximately 3,235 organizations, as of January 31, 2026, provides significant expansion opportunities. The evolving threat landscape, increasing complexity of the IT environment, and number and scope of identities require a more comprehensive identity security approach than ever before. As our customers adopt new technologies such as AI, continue to add non-employee and machine identities, and implement more comprehensive identity security strategies, we see a substantial opportunity to increase our relationships with existing customers through the increased adoption of our solutions. We have invested in enhancing our solutions by organically and inorganically adding new capabilities, including securing and managing agents and machines, identity graphs for context, data access governance, and application onboarding and management.
Continue to Leverage and Expand Network of Partners and Alliances
Our go-to-market partners and alliances help us extend our reach, serve our customers more effectively, and expand our addressable market. We see a significant opportunity to increase the number of customers we can serve through our systems integrator and managed service provider ("MSP") partnerships. Additionally, our technology alliance partners help us extend our reach throughout a customer’s IT environment with integrations with products like Amazon Web Services ("AWS"), Proofpoint, SAP, and ServiceNow.
Expand our Global Footprint
Today, we offer our solutions in more than 65 countries. During the fiscal years ended January 31, 2026 and 2025, we generated 35% and 32%, respectively, of our revenue from outside of the United States. We believe there is a significant opportunity to deepen our existing global footprint and drive incremental sales and new client acquisitions in new territories by leveraging our existing relationships with global system integration and channel partners.
4
Table of Contents
Continue to Innovate and Expand Our Portfolio
As a recognized leader and innovator in identity security, we actively work to define the future of the market and deliver the next generation of identity security. We have strategically expanded our pioneering portfolio with the recent launch of innovative capabilities: agent identity security, observability and insights, and universal privilege features. Our commitment to innovation is further demonstrated by our significant investment in AI. This dual-pronged strategy enhances our own solutions with intelligent capabilities while simultaneously empowering our customers to adopt and secure their own AI initiatives with confidence.
Our Products
Identity Security Cloud
Identity Security Cloud is our cloud-based identity security solution, which allows organizations to centrally discover, manage, and secure all enterprise identity types, and the data and cloud infrastructure associated with them. This offering is built on the SailPoint Platform, our unified, extensible, multi-tenant SaaS platform. SailPoint Atlas is the intelligent foundation of the SailPoint Platform, engineered to unify identity, data, and security intelligence for comprehensive identity security. It provides the core services that connect every identity, entitlement, and risk signal across the enterprise. It powers Identity Security Cloud and its advanced capabilities by bringing together AI, automation, and a scalable architecture to centrally discover, manage, and secure all identity types across enterprise applications, data, and infrastructure.
The SailPoint Platform enables Identity Security Cloud to unify several capabilities into a single pane of glass and is extensible to allow for the development of new capabilities and modules over time. Throughout our SaaS transformation, we were intentional in taking a longer and more expensive path, decomposing logic that held key intellectual property and rebuilding those same components in a new scalable micro-services-based architecture, to ensure our ability to maximize customer value into the future.
The platform is designed to utilize AI to enable rapid development and easy integration into new capabilities, acquired technologies, and customer environments. After our significant investment, we have developed our Identity Security Cloud solution to meet the most stringent identity governance requirements and provide enterprise-grade service that meets our customers scalability, performance, availability, and security demands.
Our Identity Security Cloud features a set of fully integrated capabilities, including:
•Lifecycle Management: Automates the entire identity journey, from day one and beyond. We streamline access with Automated Provisioning based on user lifecycle events and roles, while our self-service portal allows users to request access with configurable approvals. To drive smarter, faster decisions, our platform provides AI-powered Access Recommendations based on peer group analysis and leverages generative AI to generate clear, easy-to-understand descriptions for technical entitlements. With our offerings, business users can actively change user access through automatic provisioning via a large library of direct connectors for thousands of applications such as Workday and SAP or synchronization with IT service management solutions such as ServiceNow.
•Compliance Management: Supports the improvement of compliance and audit performance while lowering costs related to compliance professionals and regulatory expenses. It provides user friendly access certifications and automated policy management controls, such as segregation of duty violation reporting, that are designed to simplify and streamline audit processes across all applications and data. With built-in audit reporting and analytics, IT, business, and audit teams now have critical visibility into, and management over, all compliance activities in the organization.
•Access Modeling: Enables customers to quickly create and implement enterprise roles to support a least privilege model, providing a smarter way to build, maintain, and optimize roles with continual adjustment of access across the organization. Through core features such as common access roles, role discovery and insights, and peer group analysis, our AI-based capability allows organizations to grant access on a strictly as-needed basis, developing effective access models that support appropriate business user access without compromising security.
•Analytics: Leverages AI to turn vast quantities of data including attributes, roles, and history into actionable insights to make better decisions faster, spot risky access sooner, and improve overall business security. In addition to tracking, reporting, and gauging the value of an organization’s identity security program, this capability provides an audit trail
5
Table of Contents
and complete visibility into access changes and historical information on entitlements, roles, and governance. With our analytics offering, customers can view activity data at the application level, compare usage with peers, and discover identities with access anomalies.
•Harbor Pilot suite of AI agents: Streamlines identity security operations by translating natural language into powerful actions. The Admin Search Agent enables administrators to ask complex questions and receive real-time insights about security risks and compliance within their environment. Similarly, the Documentation Agent allows any user to find precise answers instantly from a vast repository of documentation and policies. To accelerate automation, the Workflows Agent leverages simple prompts to expertly build sophisticated workflows, which administrators can then review and implement with ease.
In addition to the core integrated capabilities, organizations can extend the value of our Identity Security Cloud with additional products, including:
•SailPoint Agent Identity Security: Delivers comprehensive governance, compliance, and security outcomes for AI agents, enabling organizations to aggregate and discover identities from various platforms, assign ownership, and certify and govern those identities within a single platform. SailPoint Agent Identity Security (“AIS”) is designed to govern the new AI workforce from the ground up. With AIS, customers can gain the confidence to innovate, knowing that every identity, whether human, machine, or AI, is secured under one comprehensive identity platform.
•Machine Identity Security ("MIS"): Enables organizations to achieve governance, compliance, and security outcomes for machine accounts. With MIS, organizations can discover, classify, assign, certify, and oversee ownership of service accounts, bots, and other machine accounts with minimal configuration adjustments and without extensive manual processes. MIS consolidates the securing of machine accounts to allow for full lifecycle coverage and reduces the risk of orphaned or unmanaged accounts. With an intuitive interface, MIS can assign human owners, periodically and consistently review configuration, and enhance compliance across the IT infrastructure while safeguarding critical systems.
•SailPoint Observability & Insights: Enables enterprises to move from raw data to contextual insight, providing clarity into access relationships across the business. With advanced visualization, enriched metadata, and powerful analysis features, organizations can confidently govern identity access, reduce exposure, and respond faster to threats. SailPoint Observability & Insights delivers a continuous, interactive view of identities, entitlements, and access relationships. It helps organizations improve identity hygiene, spot risky access paths, and strengthen governance through graph visualization and contextual metadata. It bridges the gap between identity and security teams by providing clarity into who has access to what and how.
•SailPoint Accelerated Application Management: An intelligent, scalable solution for application governance that gives enterprises immediate visibility into application landscapes and reduces reliance on application owners and IT teams without long implementation cycles.
•Non-Employee Risk Management: Enables organizations to streamline the administration of non-employee identity lifecycles to enhance third-party security and data integrity and support regulatory compliance. Our Non-Employee Risk Management offering implements comprehensive risk-based identity access for all third-party non-employee identities, including contractors, partners, and vendors. SailPoint Non-Employee Risk Management extends advanced identity security controls to provide visibility and security into the complex and dynamic lifecycles of non-employee identities. The module features flexible workflows and customizable forms to streamline process and enable seamless collaboration between internal and external parties.
•Data Access Security: Secures access to the growing amount of unstructured data stored in cloud storage systems to empower organizations to discover, govern, and secure crucial unstructured data and protect it from critical security risks. Designed as an integrated SaaS solution with Identity Security Cloud, our Data Access Security offering delivers enhanced intelligence on critical data to improve data security posture, reduce risk, and streamline compliance efforts. With this offering, security teams are able to proactively uncover and remediate hidden data risks with automated data discovery and classification, built-in governance workflows, and out-of-the-box governance policies, increasing their productivity and radically improving their visibility into pivotal organization data.
•Password Management: Provides business users an intuitive, self-service experience for managing and resetting passwords from any device and from anywhere, reducing the reliance on IT and security staff, and enforcing greater
6
Table of Contents
password security. Our Password Management offering enforces consistent and secure password policies for all users across all systems from the cloud to the data center by detecting password changes initiated outside of the Identity Security Cloud and synchronizing them to maintain a stronger organization-wide password security posture. Offering a self-service model, business users are able to reset, change, or recover passwords, allowing them to stay connected and productive while enhancing the security of the broader organization.
•Access Risk Management: Enables organizations to eliminate fraud, optimize compliance processes, and ensure audit readiness by unifying identity security controls and Separation of Duties monitoring across enterprise resource planning ("ERP") and other apps in the business ecosystem. Our offering effectively centralizes access risk governance by providing seamless GRC integration and extensive enterprise visibility to forecast and prevent Separation of Duties violations across an organization’s ERP systems such as SAP. With Access Risk Management, organizations can automate access reviews, document risk mitigation controls, oversee emergency access, conduct proactive risk simulations, and effortlessly maintain compliance to reduce audit deficiencies and breaches.
•Cloud Infrastructure Entitlement Management ("CIEM"): Empowers organizations to extend identity security to their cloud infrastructure, including AWS, Google Cloud Platform, and Microsoft Azure, to ensure compliance and security throughout their entire technology ecosystem. CIEM enables customers to discover, manage, govern, and remediate enterprise cloud infrastructure access with a single approach, gaining deeper understanding of their cloud resources and better visibility into their business user’s cloud privileges. Leveraging AI, CIEM enables cloud resource entitlement permissioning, not only on an access level, but on an action level, determining a business users' ability to read, write, and administrate cloud data.
•Privileged Task Automation: Enables organizations to automate and delegate the execution of repeatable privileged tasks. Privileged task automation (“PTA”) allows users to execute common privileged tasks without sharing privileged credentials or the need for a privileged session by providing a centralized repository, low-code automation, and out-of-the-box templates for privileged task workflows. With PTA, organizations can reduce their reliance on advanced privileged access capabilities and empower general IT staff to provide better service, accelerate adoption, and improve productivity.
•SailPoint Application Onboarding: A capability for Identity Security Cloud that uses AI-driven recommendations to quickly apply core identity security functionality to enterprise applications.
IdentityIQ
IdentityIQ is our customer-hosted identity security solution providing large, complex customers, who are highly interested in data localization in territories where we do not host our cloud software, a unified and highly configurable identity security solution. While many organizations have migrated to a cloud hosted solution for the majority of their enterprise software needs, we recognize there is a limited set of customers who remain in need of a self-hosted solution and maintain our IdentityIQ solution to continue to provide service for those customers. IdentityIQ consistently applies business and security policies as well as role and risk models across applications and data on premises or hosted in the cloud. IdentityIQ allows organizations to empower users to request and gain access to enterprise applications and data while managing compliance using automated access certifications and policy management.
Similar to our Identity Security Cloud offering, we package and price IdentityIQ into capabilities with unique functionality, including:
•Lifecycle Manager
•Compliance Manager
•Connectors and Integrations: Provides organizations with the ability to connect to applications, mainframes, cloud infrastructure, and data sources from across a hybrid IT environment to centrally manage and control access, enforce consistent policies, and understand risks. Connectivity to additional mission-critical software and systems provides essential visibility into an organizations entire IT ecosystem and provides our IdentityIQ customers with the integrated functionality necessary to effectively address the vast number of applications incorporated into the modern enterprise stack.
7
Table of Contents
In addition to the core IdentityIQ capabilities, organizations can extend the value of the solutions with additional products, including:
•File Access Manager: Secures access to the growing amount of data stored in file servers, collaboration portals, mailboxes, and cloud storage systems to equip organizations with the ability to quickly identify and mitigate compliance and data risks. File Access Manager helps organizations identify where sensitive data resides, who has access to it, and how they are using it—and then puts effective controls in place to secure it. By augmenting identity data from structured systems with data from unstructured data targets, organizations can more quickly identify and mitigate risks, spot compliance issues, and make the right decisions when granting or revoking access to sensitive data. Packaged and priced by target storage system, our File Access Manager product provides core capabilities such as data discovery and classification, policy controls, risk remediation, and compliance automation.
•SailPoint AI: Proactively provides visibility at speed and scale to determine access needs and potential security breaches associated with risky access policy to optimize security management. Our SailPoint AI capability is built to provide our IdentityIQ customers with additional AI features, such as recommendations and role discovery, by leveraging elements of our platform to streamline management.
Technology
Our organization has invested significant time and effort to remain a pioneer in innovation, continually emphasizing sophisticated and differentiated solutions to provide the best outcome for our customers. Our team has been highly intentional in our approach in addressing customer needs and have leveraged our extensive knowledge in advanced technology to address these in a differentiated and optimized manner. As the regulatory conditions evolve, and the threat environment introduces new demands and requirements, we view our technology as fundamental to the competitive advantage we hold in the market and our ability to maintain this moat in the future.
The SailPoint Platform
SailPoint delivers a security platform engineered to unify identity, data, and security intelligence in real time. This integrated context is what enables adaptive identity with the ability to continuously adjust access and security decisions in response to threat signals, context, and business dynamics.
At its core, our vision for the SailPoint Platform embodies six design principles that we believe define modern identity security:
•Identity-first, data-first: Every access decision is informed by integrated identity and data context.
•Unified Context: A single platform where human and digital identities, policies, and data all interconnect through one data model and one graph as needed.
•AI as a Core Fabric: Machine learning drives entitlement classification, privilege definition, and informed decision making.
•Just-in-time and real-time: Access is dynamic, as needed, and risk-aware, shifting away from static, standing privilege.
•Security In-Line: Identity context flows directly into the security operations center for proactive detection and rapid response.
•Robust extensibility: SailPoint’s robust extensibility layer uses event triggers, APIs, and shared signals to automate access decisions, enforce policy, detect issues early, and reduce identity risk across systems.
SailPoint Atlas is the intelligent foundation of the SailPoint Platform, engineered to unify identity, data, and security intelligence for comprehensive identity security. It provides the core services that connect every identity, entitlement, and risk signal across the enterprise. It powers Identity Security Cloud and its advanced capabilities, enabling organizations to establish a robust and automated identity security posture.
By leveraging a unified data model, advanced AI services, and a powerful policy engine, Atlas provides the identity context necessary to move from static controls to dynamic, adaptive governance. It fortifies enterprises by strengthening access
8
Table of Contents
controls with unique insights and simplifying governance, ensuring security, efficiency, and adaptability in a dynamic digital landscape. Common services include:
•Connectivity: Connect the entire ecosystem with tens of thousands of integrations that extend identity context across hybrid environments, enabling centralized visibility, management, and control of access.
•Extensibility: Extends identity security across the ecosystem with SailPoint’s extensible framework—connecting HR, ITSM, IaaS, and SIEM systems through APIs and event triggers to automate workflows, enhance visibility, and strengthen the security posture.
•Data Model: Creates a connected data fabric that normalizes identity, entitlement, and risk data. This establishes a single source of truth for identity context, eliminating silos and powering AI-driven insights.
•AI Services: Embeds AI and machine learning to analyze patterns, provide entitlement descriptions, detect anomalies, and drive intelligent access recommendations, continuously improving governance accuracy.
•Workflow Infrastructure: Automates complex identity lifecycle processes, from onboarding to offboarding, through no-code, configurable workflows and adaptive, multi-step approvals.
•Security Infrastructure: Enables dynamic, real-time coordination between identity and security ecosystems. By integrating with SIEM, SOAR, and other security tools, it facilitates automated, identity-centric threat response actions.
•Privilege Infrastructure: Enables discovery and real-time control of privilege across all identities.
•Policy Engine: Enables consistent, dynamic enforcement of intuitively defined rules and conditions in real time across a wide variety of features including SoD, access request and approval, certifications, non-employee risk management, and privilege access including just-in-time access.
•Insights and Reporting: Turns identity data into actionable insights to make better decisions faster, spot risky access sooner, & maintain an optimized access model for better security.
Unified Data Model
The Identity Cube is a key element of our data layer, providing a 360-degree view on every identity. The Identity Cube provides a complete view of each identity, including attributes, entitlements, access rights, and risk scores. It is extensible by the customer to include data attributes that are relevant specifically to their organizations.
In an on-premise deployment scenario, the Identity Cube is a part of every IdentityIQ installation. As user data and other attributes are aggregated from enterprise HR systems, directories, and the like, the Identity Cube is populated. From there, core life cycle functions such as provisioning new accounts for users can be accomplished. The Identity Cube is an integral part of the product, not an add-on or optional module.
In a customer-hosted deployment scenario, the Identity Cube is also a part of every implementation and functions in the same way. The difference is architectural, with the Identity Security Cloud version of the Identity Cube being optimized for a multi-tenant, cloud native architecture. In addition, in the SaaS deployment scenario, there are additional data facilities available that, when combined with the Identity Cube, represent our unified data model.
In both scenarios, the Identity Cube utilizes insights of the complex dependencies between identities, applications, data, and activities to create specialized data models that understand the effective access of an identity, patterns, and the potential risk level, whether in the cloud or customer-hosted. The connective, scalable, configurable, and automated nature of our Identity Security Cloud and IdentityIQ solutions allows us to secure identities for the most complex global organizations across all industries with AI-based security tools that provide comprehensive, scalable, and fast identity security to solve the needs of modern organizations.
The operational data derived from the data layer is organized into structured tables that represent real-world entities and their relationships. SailPoint’s account correlation, orphan account management, and risk scoring capabilities allow security professionals and business managers to track who has access to what and how often they use it and to rectify risky or dated
9
Table of Contents
access. With the help of Identity Cube’s context and the data layer, operational and security systems can make informed decisions about access and perform key remediation and change requests on our identity platform via our standardized application program interfaces and software development kits.
Both our Identity Security Cloud and IdentityIQ offering leverage highly advanced technology, AI, and ML to maximize the value received by our customers and streamline their operations to provide a stronger identity security posture. We at SailPoint recognize the critical opportunity AI represents to the most scaled and complex enterprise organizations and are committed to partnering with our customers to continue to provide solutions incorporating these advanced technologies to improve identity security at enterprise scale. Our AI based solutions process petabytes of data daily and are scalable, adaptable, and cost-efficient and provide customers with enhanced detection, improved accuracy and efficiency, and an enhanced user experience that enable them to make better decisions faster. Our innovation and experience in this space is demonstrated not only by recently developed products, but by a track record of successful AI-based offerings brought to market over the course of the last several years. Four major areas of capabilities form our AI layer as well as several distinct AI-based applications:
•Recommendations: Our intelligent AI-based recommendations streamline account creation, access requests based on user roles and organizational policies, and access certifications. This functionality helps both requestors and approvers make better decisions and ensures access rights are regularly reviewed and validated, significantly reducing organizational risk.
•Discovery: Our discovery capabilities automatically identifies and creates roles based on the actual access patterns of users, simplifying role creation and identifies access patterns to highlight potential security risks or misconfigurations. Launched in 2020, our Access Modeling offering based on the discovery engine significantly reduces the time required to build an organization’s access model, and just as importantly, keep it up to date through role and peer group discovery, low similarity outlier analysis, and common access creation.
•Assistant: Our assistive technologies drive user engagement and seamless experiences with large language models. In 2023, we launched our generative AI entitlement descriptions, which address one of identity security’s pain points by automatically generating descriptions of application entitlements. Given the significant additional workload associated with description creation, many entitlements across the modern organization remain without a description, increasing the difficulty in determining the validity and necessity of requests or approvals.
•Automation: Our automation capabilities streamline the onboarding of new applications by provisioning access and managing compliance related activities. This functionality significantly reduces the amount of time required to onboard the “long tail” of applications onto the Identity platform, accelerating ROI, decreasing time to value for customers, and improving security posture at the same time.
Our AI layer utilizes a combination of open-source models that have been customized for our use cases, proprietary models, and third-party models hosted by third-party subprocessors. To mitigate potential risks of inaccuracy and algorithmic hallucinations resulting from our use of AI, we employ our ML platform to evaluate trained models against benchmark and real customer data prior to deployment and to monitor model predictions. We also incorporate human-in-the-loop into our processes, including with entitlement descriptions, to detect incorrect predictions and improve the model.
Extensibility and Low-Code/No-Code Automation
Our solutions provide flexible low-code workflows and no-code forms to extend our products. Customers have used our interactive drag-and-drop workflows to create processes that are executed millions of times a month to meet the unique needs of their business processes. For customers who need deeper customization, or bespoke integrations with other enterprise systems, our offerings provide a robust set of application programming interfaces ("APIs") and software development kits (“SDKs”), supported by a vibrant developer community and Developer Relations team. Customers can browse community-contributed extensions and add them to their existing solution.
Connector Library and Ecosystem
Our solutions offer connectivity to over 1,200 applications through their extensive connector library. In addition, customers have used this same library to connect to over 25,000 custom applications. Our solutions leverage AI technology to automatically map application data models to the SailPoint Identity Cube, dramatically reducing the “long tail” of application integration efforts that typically hinder identity deployments.
10
Table of Contents
Multitenant SaaS Architecture
Our microservices-based SaaS model, coupled with our low-code/no-code capabilities and our abstracted SDKs means that customers can customize the Identity Security Cloud while always running the latest code—without the need to test new versions or re-implement changes. Competitors who have deployed single-tenant models still require customers to schedule upgrade windows and delay code pushes, which drives total cost of ownership.
Customers
We have a diverse global customer base with approximately 3,235 organizations in more than 65 countries as of January 31, 2026. Our customers include leading organizations in a diverse set of industries including financial services, media, energy and utilities, technology, life sciences, and healthcare, as well as government agencies and public universities and represent 53% of the Fortune 500 and 29% of the Forbes Global 2000.
Our business is not dependent on any particular customer, and no customer accounted for more than 10% of our revenues for the year ended January 31, 2026, 2025, and 2024.
Research and Development
Innovation is one of our core values, and it is at the heart of how we think and do business. We believe ongoing and timely development of new products and features is imperative to maintaining our competitive position. We have taken a global approach to building a robust research and development team, with engineers and team members located in the United States as well as internationally across India, Mexico, Israel, the United Kingdom, and Canada. Along with our global approach, we also staff our research and development team with both experienced industry engineers and the next generation of talent well versed in advanced technology and AI development. As of the year ended January 31, 2026, 2025, and 2024, our research and development expenses totaled approximately $223.0 million, $169.7 million, and $180.8 million, respectively. Additionally, we have been, and will continue to be, deliberate and programmatic in leveraging technology acquisitions.
Sales and Marketing
Sales
We sell our solutions primarily through our direct sales organization, which is comprised of field and digital sales personnel, as well as through channel partners. Our sales force is structured by geography, customer size, status (customer or prospect), and industry verticals including healthcare, public sector, and government. Each segment is managed by specialized teams equipped with tailored strategies to meet unique customer needs. The sales team focuses on complex, high-value deals, often involving multi-layered decision-making processes. We service the market through a global sales force, utilizing both direct and indirect selling motions to maximize reach and effectiveness. Our direct sales teams engage with customers to deliver comprehensive identity security solutions, while our channel partners expand our market presence and provide additional value through localized expertise and support. Multiple routes to market enable us to effectively penetrate diverse markets and address varying customer needs.
Our market segmentation strategy is designed to align our selling capacity with the highest-value market opportunities. We focus on targeting segments that align with our ideal customer profiles, allowing us to deploy resources efficiently and effectively. This strategic alignment ensures that we concentrate our efforts on opportunities where our solutions provide the greatest impact, enhancing both customer satisfaction and our sales efficiency.
As part of our selling engagements, we employ a consultative, playbook-based selling approach that emphasizes understanding the unique value our solutions bring to each customer. Our sales process includes developing thorough business cases and proofs of value, providing customers with a clear and prescriptive path to successful implementation. This method is supported by overlay resources, including technical specialists and forward deployed engineers who assist in the sales process, ensuring that our solutions are presented with the necessary technical depth and clarity.
Identity security is regarded as essential business infrastructure and critical for securing complex identity environments. Customers initially invest in SailPoint to address their most pressing identity security use cases and expand their deployment over time to cover additional identity populations and use cases. This approach ensures that our solutions are integral to customers’ security strategies, fostering long-term relationships and continuous growth.
11
Table of Contents
Partners constitute an essential part of our selling model. We have established a model designed to create zero conflict, and typically include our partners in all of our training and enablement efforts. As a result, our indirect sales model, executed through our global and regional system integrators, technology partners, MSPs, and value-added resellers, is a key factor in our overall success.
This integrated approach highlights our commitment to understanding and addressing the specific needs of our customers, delivering high-value identity security solutions, and continuously expanding our market presence through both direct and indirect channels.
Marketing
Our marketing charter is to be an AI-first, data-driven, and customer-obsessed team that relentlessly accelerates our growth and innovation. Our strategy is focused on the following core areas: driving strong global brand awareness and differentiation for us, leveraging digital and AI marketing tools to engage potential buyers and create a strong and targeted pipeline for our sales force, and helping our customers accelerate their adoption and success as their trusted partner. Our data-driven digital approach to marketing is tightly aligned to the needs of our addressable market and provides agility to leverage market opportunities in a targeted and timely fashion.
Our marketing engine starts with developing a unique value proposition and differentiated messaging for our solutions to drive broad awareness, followed by activating demand and creating pipeline, all the way to accelerating adoption and time-to-value for our customers and driving renewals and advocacy:
•Our awareness and educational efforts focus on brand campaigns, digital and content marketing, public and analyst relations, social media engagement and influencer relations, and thought leadership such as our annual Horizons of Identity Security Report, market research, blogs, and bylines.
•Our pipeline generation and maturation efforts focus on efficiently engaging targeted accounts and maturing them through their buyer’s journey. Our programs include digital campaigns and webinars, Account Based Marketing (ABM), virtual/physical events such as Navigate and other conferences, and executive roundtables. We also work closely with our key partners to develop joint solutions, run joint go-to-market motions, and extend the reach to a broader spectrum of the targeted accounts and audience that our partners may have strong relationships with.
•Our customer engagement efforts include customer onboarding and education communications, customer reference development, executive advisory boards, and community development and engagement.
Our marketing programs are executed with a combination of centralized global initiatives and regional specific programs tailored to three major geographies: (i) the Americas, (ii) EMEA, and (iii) Asia-Pacific (“APAC”). Our typical audience includes IT and security professionals, including Chief Information Officers, Chief Information Security Officers ("CISOs"), and key identity decision makers, and has recently expanded to include key lines of business decision makers in finance, legal, HR, and accounting as identity security has become a greater strategic imperative. With the expansion of digital identities for agents and machines, we are also targeting new personas such as application owners and data and AI leaders.
Every year we host our flagship user conference, Navigate, followed by a global conference roadshow to demonstrate our strong commitment to enabling our global customers to succeed, while also serving as an opportunity to create pipeline for new sales to prospective customers and additional sales to existing customers. In an effort to extend our thought leadership in the space, we also participate in several industry events, including RSA and Black Hat.
Professional Services and Customer Support
Professional Services
We are focused on ensuring that our professional services partners, who perform most of the implementations for our customers, can implement our solutions successfully by developing and creating best practices. We provide “expert services” to partners and customers for complex implementation assistance. In certain cases, we lead direct customer implementations. We believe that our investment in professional services and in our partners drives increased adoption of our solutions.
Customer Success Management
12
Table of Contents
Our customer success strategy centers around our investment in, and ownership of, the post-sale experience for our customers. Every customer and MSP has access to our team of Customer Success Managers (“CSMs”), whose goal is to help customers, and the partners that support them, achieve their desired return on investment and business results. Through proactive and regular engagements, the CSM team endeavors to keep every customer satisfied and help them use their SailPoint products or services optimally. When necessary, the CSM coordinates cross-departmental resources to remove any barrier to success. In addition, our customer success team utilizes customer data to identify and present any cross-sell or up-sell solutions aligned to a customer’s business objectives, thereby contributing to revenue expansion and increased product penetration. By proactively managing customer relationships, our CSM team nurtures client advocates, who become a powerful asset in closing new business.
Customer Support
Our customer support organization includes experienced, trained engineers who provide 24x7x365 support for critical issues. Customers receive contractual response times, telephonic support, and access to online support portals. Our customer support organization has global capabilities, a deep expertise in our solutions, and, through select support partners, is able to deliver support in multiple languages.
Alliances and Strategic Relationships
As a core part of our strategy, we have cultivated strong relationships with partners to help us increase our reach. We have developed a large partner network consisting of technology partners, system integrators, value-added resellers, and MSPs. In the year ended January 31, 2026, greater than 90% of our new customer transactions involved our partner network. We believe that our extensive partnership network enables us to provide the most complete identity security solution to our customers.
Technology Partners
The SailPoint Technology Alliance Program is a technology partnering network that leverages familiar standards and methods that make it easy to share identity context and configure identity-specific policies across disparate systems. Program offerings include access to SailPoint SDKs and APIs, developer support, and cloud-based certification services. The program comprises over 130 technology and implementation partners.
We have partnered with industry leaders across a spectrum of technologies that enable organizations to integrate their entire security, mobility, cloud, and applications infrastructure into our platform so that breaches can be better identified, mitigated, and contained and operations can be streamlined. Solutions from companies such as AWS, Palo Alto Networks (CyberArk), Proofpoint, SAP, and ServiceNow that are plugged into our open identity platform through APIs provide our customers value-added capabilities to build an identity-aware enterprise.
System Integrators
We partner with many large and global system integrators including Accenture, Capgemini, Deloitte, KPMG, and PwC, as well as many regional system integrators. The focus of our system integrators program is to deliver pipeline growth and bookings, to help partners drive self-sufficiency, and to foster transparency and collaboration through shared assets and resources. We have implemented joint business controls and metrics that provide a platform for discussion and partnership development and help us optimize our program and unified value proposition.
Value-Added Resellers
Value-added resellers, such as CDW, GuidePoint, NetBR, Optiv, and Softcat, bring product expertise and implementation best practices to our customers globally. They provide vertical expertise and technical advice in addition to reselling or bundling our software. Many of our reseller partners have been trained to demonstrate and promote our identity platform. Our reseller channel ranges from large companies to regional resellers in our markets and territories. Our reseller program is designed to scale growth, help generate new opportunities, optimize customer experience, and increase profitability as well as sales efficiency.
Managed Security Service Providers
13
Table of Contents
We partner with a growing number of MSPs, including Accenture, Simeio, Kommando, and MajorKey, to expand the reach of our direct sales organization. Our MSP channel augments our reach in market segments and territories. Our MSP partners offer our solutions, both packaged with a managed service and without. While this channel represents a small portion of our new annual recurring revenue ("ARR") today, we believe continuing to build out this channel will be a driver of growth.
Employees, Culture, and Values
Our core values are more than words on our website. They are a constant reminder that what we do for our customers is important, but how we do things is also critical. We call that doing things “the SailPoint way.”
We strive to incorporate our “Four I” core values throughout the entire employee life cycle:
•Innovation: We develop creative solutions to real customer challenges;
•Integrity: We deliver on the commitments we make;
•Impact: We measure and reward results, not activity; and
•Individuals: We value every person.
As an organization that continues to rapidly grow and evolve, we look for feedback from our crew to stay on course. Our annual “Crew’s Views” global employee engagement survey gives us the data we need to focus on areas where we can make the most impact. Over each of the last four years that we conducted the survey, employee participation exceeded 80% and overall team member satisfaction exceeded 82%. Externally, we’ve been recognized as an employer of choice for parents and millennials. Since November 2021, we’ve been a certified “Great Place to Work,” and we’ve been listed as a Best Workplace in Texas six years in a row. We’ve also been noted as a Best Workplace in Technology the past three years and have been featured on several other “Best Places to Work” lists, including Fortune, Built In, and Glassdoor.
As we work to execute our growth strategy, we continue to invest in human capital resources that will sustain and fuel that growth. As of January 31, 2026, we had a total of 3,229 employees. While most organizations post-pandemic have reverted to requiring mandatory days in-office, we recognize that there’s no perfect one-size fits all solution. We have realized many benefits in allowing crew to continue working remotely, so we seek to provide them with flexibility and empower team leaders to get their crew members together when it makes sense. This approach supports crew wellbeing and reflects our commitment to providing an environment for all our team members to succeed and thrive.
Our training and development efforts, built around our core values, are another key part of our human capital strategy. Our leaders go through specific training to ensure they are leading their teams with our values at the forefront of the decisions they make. Our annual performance review process allows team members to engage in meaningful discussions with their managers about their performance and development goals, and we also conduct pay equity reviews during our merit planning process. Additionally, our managers assess the growth potential of each team member through a standardized evaluation process, which provides actionable outputs to help develop and retain our high-potential employees. Through these and other training efforts, we support the development of our crew members in a way that promotes our growth and innovation.
Our philanthropy committee comes up with innovative opportunities for crew to give back to the communities in which we work. For more than seven years, we have run an annual “Sailanthropitch” program, where charities deliver a Shark-Tank-style presentation about their organization. Crew members cast their votes for the organizations they connect to the most, and each organization walks away with a financial donation tied to the percentage of votes they received. Our SailPoint Cares program, which started as an opportunity to bring cross-functional crew together in different regions, has grown significantly in recent years, providing opportunities for teams to get together and donate their time and resources to support good causes across three core pillars: STEM & tech, crew engagement, and education. We also forge partnerships to increase our impact—whether through Path Forward, which supports caregivers who are returning to the workforce, SkillBridge, which connects returning service members to job training opportunities, or Code2College, which enables students who might not normally have access or exposure to exploring a career in STEM to gain hands-on experience in a paid internship.
While we always seek the best talent to join SailPoint, we are also committed to growing talent. Our Sail-U program brings early career talent to our organization, where we provide them with the environment to learn and grow via structured training opportunities, engagement with leaders across the organization, and peer networking. We also offer a wealth of on-demand resources via our company intranet, The Dock, to support growth and development and drive performance.
14
Table of Contents
Offering a competitive compensation and benefits package is another critical part of our effort to attract and retain top talent. In addition to competitive base salaries, we offer team members comprehensive health, welfare, income protection and long-term savings benefits, incentive equity compensation, and incentive cash plans for eligible team members. Total compensation is designed to align with SailPoint’s business objectives and financial goals, and pay is differentiated for individuals based on relevant experience, impact, relative internal value and company performance. Variable compensation delivers pay aligned with company and individual performance, with more pay at risk at more senior levels. Leadership regularly discusses compensation and benefits strategies with the compensation and nominating committee of our board of directors (our "Board").
Competition
We operate in a highly competitive market characterized by constant change and innovation. Our competitors include large public companies, such as IBM, Microsoft, and Oracle that offer identity solutions within their product portfolios, and identity centric solution providers, including Palo Alto Networks (CyberArk), Okta, and One Identity. There are also a number of smaller scale, regional, or specialist identity security solution providers that we compete with in certain situations, in addition to emerging technologies that leverage AI and agentic AI in an effort to compete in this market. We believe the principal competitive factors in our market include:
•Comprehensiveness of visibility to which identities have access to what across the IT environment;
•Reliability and effectiveness in defining and implementing identity security policies;
•Flexibility to deploy identity security and administration as a SaaS or customer-hosted solution;
•Adherence to government and industry regulations and standards;
•Comprehensiveness and interoperability of the solution with other IT and security solutions;
•Enterprise security, scalability, and performance;
•Ability to innovate, including the ability to leverage AI, and respond to customer needs rapidly;
•Quality and responsiveness of support organizations;
•Total cost of ownership;
•Ease of use; and
•Customer experience.
Some of our competitors have significantly greater financial, technical, and sales and marketing resources, as well as greater name recognition, in some cases within particular geographic regions, and more extensive geographic presence than we do. See Part I, Item 1A, “Risk Factors—Risks Related to Our Business and Industry—We face intense competition in our market, both from larger, well-established companies and from emerging companies and technologies, and we may lack sufficient financial and other resources to maintain and improve our competitive position.” However, we believe we compete favorably with our competitors based on all the factors above.
Intellectual Property
Our success depends in part on our ability to protect our intellectual property. We rely on copyrights and trade secret laws, confidentiality procedures, employment proprietary information, and inventions assignment agreements, trademarks, and to protect our intellectual property rights. We also license software from third parties for integration into our solutions, including open source software and other software available on commercially reasonable terms.
We control access to and use of our solutions and other confidential information through the use of internal and external controls, including contractual protections with employees, contractors, customers, and partners, and our software is protected by U.S. and international copyright and trade secret laws. As of January 31, 2026, we had 80 issued patents and 22 patent applications pending in the United States and no issued patents or patent applications pending internationally, in each
15
Table of Contents
case relating to certain aspects of our technology. Also as of January 31, 2026, the expiration dates of our issued patents ranged from 2026 to 2044. See Part I, Item 1A, “Risk Factors—Risks Related to Our Technology and Our Intellectual Property Rights—If we fail to obtain, maintain, protect, defend, or adequately enforce our intellectual property or proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate reduced revenue, and incur costly litigation to protect our rights” for information regarding potential risks associated with our intellectual property and our ability to protect it.
Legal Proceedings
We are not currently a party to, nor is our property currently subject to, any material legal proceedings other than ordinary routine litigation incidental to the business, and we are not aware of any such proceedings contemplated by governmental authorities.
Facilities
Our corporate headquarters in Austin, Texas, consists of approximately 165,000 square feet of space under a lease that expires in April 2029. We also have additional office space under traditional leases in Pune, India; Tel Aviv, Israel; and London, United Kingdom and under coworking arrangements in various locations in North and South America, Europe, and Asia.
We believe that our facilities are adequate for our current needs and anticipate that suitable additional space will be readily available to accommodate any foreseeable expansion of our operations.
Government Regulations
We are subject to a wide variety of laws, rules, and regulations in the United States and abroad that involve matters central to our business, including those relating to data privacy and security. Many of these laws, rules, and regulations are continually evolving, and we expect that we will continue to become subject to new laws, rules, regulations, industry standards, contractual requirements, and other obligations in the United States, the European Union ("EU"), the United Kingdom (the "UK"), and other jurisdictions. A failure to comply with them could result in civil and criminal liabilities and enforcement actions, which could include fines, as well as claims for damages by customers and other affected individuals, damage to our reputation, and loss of goodwill (both in relation to existing customers and prospective customers), any of which could adversely affect our business, operating results, financial performance, and prospects. See Part I, Item 1A, “Risk Factors—Risks Related to Laws and Regulations” for a discussion of our regulatory risks.
Compliance and Certifications
We are committed to protecting critical business information belonging to SailPoint and the customers and partners we serve. In support of this commitment, we adhere to and maintain a number of security and privacy related certifications, attestations, and governance frameworks, which include the following:
•Information Security Management System (ISMS) in alignment with ISO/IEC 27001;
•Privacy Management System (PIMS) in accordance with ISO/IEC 27701;
•Controls defined in ISO/IEC 27017:2015 for cloud service security and ISO/IEC 27018:2019;
•Certification with the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework;
•Product assessments that include SOC 1 Type 2 reports and SOC 2 Type 2 reports;
•C5 (Cloud Computing Compliance Criteria Catalogue) Type 2 report;
•TISAX® (Trusted Information Security Assessment Exchange) Assessment Level AL3 and Assessment Level AL2.5;
•CSA STAR Level 2 certification under the Cloud Security Alliance’s Security, Trust, Assurance, and Risk (STAR) program;
•Assessment under Australia’s Information Security Registered Assessors Program (IRAP) at a PROTECTED level;
16
Table of Contents
•U.S. FedRAMP® (Federal Risk and Authorization Management Program) Moderate ATO (Authority to Operate) for our SaaS-based solution, Identity Security Cloud;
•GovRAMP™ (Government Risk and Authorization Management Program) authorization; and
•Common Criteria (CC) certification.
Collectively, these certifications, attestations, and governance frameworks demonstrate our continued investment in maintaining robust security controls, meeting evolving regulatory expectations, and strengthening the trust placed in us by customers, partners, and investors.
Corporate Information
Our principal executive offices are located at 11120 Four Points Drive, Suite 100, Austin, Texas 78726, and our telephone number at that address is (512) 346-2000. Our website address is www.sailpoint.com. Information contained on, or that can be accessed through, our website does not constitute part of this Annual Report and inclusions of our website address in this Annual Report are inactive textual references only.
The SailPoint design logo and our other registered or common law trademarks, service marks, or trade names appearing in this Annual Report are the property of SailPoint Technologies, Inc., our wholly-owned subsidiary. Other trademarks and trade names referred to in this Annual Report are the property of their respective owners.
Available Information
Our website is located at https://www.sailpoint.com, and our investor relations website is located at https://investors.sailpoint.com. The information posted on our website is not incorporated into this Annual Report. Our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and amendments to reports filed or furnished pursuant to Sections 13(a) and 15(d) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), are available free of charge on our investor relations website as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC. You may also access all of our public filings through the SEC’s website at https://www.sec.gov.
Investors and other interested parties should note that we use our media and investor relations website and our social media channels to publish important information about us, including information that may be deemed material to investors. We encourage investors and other interested parties to review the information we may publish through our media and investor relations website and the social media channels listed on our media and investor relations website, in addition to our SEC filings, press releases, conference calls, and webcasts.
ITEM 1A. RISK FACTORS
The nature of the business activities conducted by the Company subjects it to certain hazards and risks. A description of some of the material risk factors that make an investment in the Company speculative or risky is set forth below. Such description reflects the Company's beliefs and opinions as to factors that could materially harm the Company's business, financial condition, or results of operations and impair the Company's ability to implement business plans. References to past events are provided by way of example only and are not intended to be a complete listing or a representation as to whether or not such factors have occurred in the past or their likelihood of occurring in the future. In addition, other risks are described in Part I, Item 1. “Business—Competition,” Part II, Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations.—Liquidity and Capital Resources” and Part II, Item 7A. “Quantitative and Qualitative Disclosures About Market Risk.” These risks and those described below are not the only risks facing the Company. The Company’s business could also be affected by additional risks and uncertainties not currently known to the Company or that it currently deems to be immaterial.
Risks Related to Our Business and Industry
We have experienced rapid growth in recent periods, and our recent growth rates may not be indicative of our future growth.
We have experienced rapid growth in recent years. Our revenue grew from $699.6 million to $1.1 billion from the fiscal year ended January 31, 2024 to the fiscal year ended January 31, 2026. Our revenue growth may not continue at a level
17
Table of Contents
consistent with historical performance. We believe our revenue growth depends on a number of factors, including, but not limited to:
•our ability to attract new customers and retain and increase sales to existing customers;
•our ability to, and the ability of our channel partners to, successfully deploy and implement our solutions, increase our existing customers’ use of our solutions, and provide our customers with excellent customer support;
•our ability to hire and retain substantial numbers of marketing, research and development, and general and administrative personnel and expand our global operations;
•our ability to develop our existing solutions and introduce new solutions; and
•our ability to increase the number of our partners.
If we are unable to achieve any of these requirements, our revenue growth will be adversely affected.
Our future revenues and operating results will be harmed if we are unable to acquire new customers, if our customers do not renew their arrangements with us, if we are unable to expand sales to our existing customers, or if we are unable to develop new solutions that achieve market acceptance.
To continue to grow our business, it is important that we continue to acquire new customers to purchase and use our solutions. Our success in adding new customers depends on numerous factors, including our ability to (i) offer a compelling identity security platform and solutions, (ii) execute an effective sales and marketing strategy, (iii) attract, effectively train, and retain new sales, marketing, professional services, and support personnel in the markets we pursue, (iv) develop or expand relationships with channel partners, including system integrators, value-added resellers, technology partners, and MSPs, (v) expand into new geographies and vertical markets, (vi) deploy our platform and solutions for new customers, and (vii) provide quality customer support once deployed.
It is important to our continued growth that our customers renew their arrangements when existing contract terms expire. For Identity Security Cloud, our SaaS-based cloud solution, and IdentityIQ, our customer-hosted solution, our customers typically enter into three-year contracts with annual billing upfront. Our customers have no obligation to renew their maintenance and term subscriptions, and our customers may decide not to renew these agreements with a similar contract period, at the same prices and terms, or with the same or a greater number of identities. Our customer retention and expansion are difficult to accurately predict and may decline or fluctuate as a result of a number of factors. Our ability to increase revenue depends in large part on our ability to expand our customer relationships over time through up-selling and cross-selling opportunities including suite upgrades and additional products. Our ability to increase sales to existing customers depends on several factors, including their experience with implementing and using our solutions and the existing products they have implemented, their ability to integrate our solutions with existing technologies, and our pricing model.
If we are unable to successfully acquire new customers, retain our existing customers, expand sales to existing customers, or introduce new solutions, our business, financial condition, and operating results would be adversely affected. The adverse effect on our financial results may be particularly acute because of the significant research, development, marketing, sales, and other expenses we will have incurred in connection with the new solutions.
If our new solutions do not achieve adequate acceptance in the market, our competitive position could be impaired and our potential to generate new revenue or to retain existing revenue could be diminished. The adverse effect on our financial results may be particularly acute because of the significant research, development, marketing, sales, and other expenses we will have incurred in connection with the new solutions, and we may not have the ability to introduce compelling new solutions that address the requirements of our customers in light of the dynamic identity security market in which we operate.
Additionally, if the incidence of cyber attacks were to decline, or enterprises or governments perceive that the general level of cyber attacks has declined, our ability to attract new customers could be adversely affected. We may face additional difficulties in attracting organizations that use legacy products to purchase our solutions if they believe that these legacy products are more cost-effective or provide a level of security that is sufficient to meet their needs. Furthermore, the use of our solutions to manage identities and access is relatively new, and if we are unable to convince organizations of the benefits of our solutions, then we may be unable to acquire new customers or keep existing customers.
If the market for identity security solutions does not grow, our ability to grow our business and our results of operations may be adversely affected.
18
Table of Contents
We believe our future success will depend in large part on the growth, if any, in the market for identity security solutions. The market for identity security solutions, including our platform and identity security solutions, is rapidly evolving. Rapid advancement in AI technologies and capabilities further add to this state of evolution. As such, it is difficult to predict this market’s potential growth, if any, customer adoption and retention rates, customer demand for identity security platforms, or the success of competitive products. Any expansion in this market depends on a number of factors, including the cost, performance, and perceived value associated with our platform and identity security solutions and similar solutions of our competitors, including preference to manage security with existing infrastructure security tools alone, rather than investing in a platform-based identity security solution. The markets for some of our solutions are new, unproven, and evolving, and our future success depends on growth and expansion of these markets. If our platform and identity security solutions do not achieve widespread adoption or there is a reduction in demand for our platform and identity security solutions due to a lack of customer acceptance, technological challenges, competing products or solutions, privacy concerns, decreases in corporate spending, weakening economic conditions or otherwise, it could result in early terminations, reduced customer retention rates, or decreased revenue, any of which would adversely affect our business, financial condition, and results of operations.
If we are unable to maintain successful relationships with our channel partners, our ability to market, sell, distribute, and implement our solutions will be limited, and our business, financial condition, and operating results would be adversely affected.
We derive a significant portion of our revenue from sales influenced by, or made through, our channel partner network and expect these sales to continue to grow for the foreseeable future. Our channel partners provide implementation and other services to our customers in exchange for fees paid by those customers. We may not achieve anticipated revenue growth from our channel partners if we are unable to retain our existing channel partners and expand their sales or add additional motivated channel partners.
Our arrangements with our channel partners are generally non-exclusive, meaning they may offer customers the products of several different companies, including products that compete with our solutions and products. If our channel partners do not effectively market and sell our solutions, choose to use greater efforts to market and sell our competitors’ products or services, fail to meet the needs of our customers, or cease marketing our solutions or providing services to us, our ability to grow our business and sell our solutions may be adversely affected. Our channel partners may cease marketing our solutions with limited or no notice and with little or no penalty. In addition, certain of our channel partners are subject to independence requirements that have in the past or may in the future prevent them from providing services to us or cooperating with us in our go-to-market efforts if they also provide services for affiliates of our controlling stockholder, Thoma Bravo. If one or more of our channel partners determines that it is unable to both provide services to us or cooperate with us in our go-to-market efforts and also provide services to affiliates of our controlling stockholder, those channel partners may cease marketing our solutions or otherwise cease providing services to us or cooperating with us in our go-to-market efforts.
We also collaborate with adjacent technology vendors to offer comprehensive solutions to our customers. If we do not effectively collaborate with them, or if they elect to terminate their relationships with us or develop and market solutions that compete with our solutions, our growth would be adversely affected.
Our quarterly results fluctuate significantly and may not fully reflect the underlying performance of our business.
Our quarterly revenue and operating results tend to fluctuate from period-to-period, and we believe that our quarterly results may vary significantly in the future. Consequently, you should not rely on the results of any one quarter as an indication of future performance. Period-to-period comparisons of our revenue and operating results may not be meaningful and, as a result, may not fully reflect the underlying performance of our business.
Our quarterly operating results may fluctuate as a result of a variety of factors, including, but not limited to, those listed below, many of which are outside of our control:
•the mix of revenue and associated costs attributable to subscription and professional services, which may impact our gross margins and operating income;
•the mix of revenue attributable to larger transactions as opposed to smaller transactions and the associated volatility and timing of our transactions;
•the mix of SaaS subscriptions compared to term subscriptions, which affects how we recognize revenue and may result in a decrease in gross margins as well as impact the results of our operations;
19
Table of Contents
•the loss or deterioration of our channel partner and other relationships influencing our sales execution;
•the growth in the market for our solutions;
•our ability to attract new customers and retain and increase sales to existing customers;
•changes in customers’ budgets and in the timing of their purchasing decisions, including seasonal buying patterns for IT spending;
•the timing and success of new product introductions by our competitors and by us;
•changes in our pricing policies or those of our competitors;
•significant security breaches of, technical difficulties with, or interruptions to the delivery and use of our platform;
•changes in the legislative or regulatory environment;
•foreign exchange gains and losses related to expenses and sales (including operating metrics such as ARR) denominated in currencies other than the U.S. dollar or the functional currencies of our subsidiaries;
•increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;
•costs related to the acquisition of businesses, talent, technologies, or intellectual property, including potentially significant amortization costs and possible write-downs;
•our ability to control costs, including our operating expenses;
•the collectability of receivables from customers and channel partners, which may be hindered or delayed if these customers or channel partners experience financial distress;
•economic conditions specifically affecting industries in which our customers participate;
•natural disasters or other catastrophic events; and
•litigation-related costs, settlements, or adverse litigation judgments.
Our sales cycle is long and unpredictable, and our sales efforts require considerable time and expense.
The length and unpredictability of the sales cycle for our offerings makes it difficult to identify a regular cadence to our sales and the related revenue recognition. We and our channel partners are often required to spend significant time and resources to better educate and familiarize potential customers with the value proposition of our platform and solutions. Customers often view the purchase of our solutions as a strategic decision and significant investment and, as a result, frequently require considerable time to evaluate, test, and qualify our platform and solutions prior to purchasing our solutions. During the sales cycle, we expend significant time and money on sales and marketing and contract negotiation activities, which ultimately may not result in a sale. Additional factors that may influence the length and variability of our sales cycle include:
•the discretionary nature of purchasing and budget cycles and decisions;
•lengthy purchasing approval processes;
•the evaluation of competing products during the purchasing process;
•time, complexity, and expense involved in replacing existing solutions;
•announcements or planned introductions of new products, features, or functionality by our competitors or of new solutions or modules by us;
20
Table of Contents
•the practice of large enterprises often driving their purchasing cycles based on internal factors rather than marketing cycles; and
•evolving functionality demands.
If our efforts in pursuing sales and customers are unsuccessful, or if our sales cycles lengthen, our revenue could be lower than expected, which would have an adverse effect on our business, operating results, and financial condition.
We recognize most of our revenue ratably over the term of our agreements with customers and, as a result, downturns or upturns in sales may not be immediately reflected in our operating results.
In recent years, we have transitioned our business to a subscription model. As we continue this shift, our business, financial condition, operating results, and prospects could be materially and adversely affected if we fail to successfully manage such shift, which depends upon our ability to, among other things, properly price our subscription-based arrangements, deliver SaaS, retain our customers, and further develop or acquire related technologies and infrastructure.
We recognize most of our revenue ratably over the terms of our agreements with customers. As a result, a portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new subscription sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our solutions and potential changes in our rate of renewals may not be fully reflected in our operating results until future periods.
We expect to continue to invest in research and development, sales and marketing, general and administrative functions, and other areas to grow our business. Such costs are generally expensed as incurred (with the exception of sales commissions and certain research and development costs), as compared to the corresponding revenue, substantially all of which is recognized ratably in future periods. We are likely to recognize the costs associated with these investments earlier than some of the anticipated benefits, and the return on these investments may develop more slowly, or may be lower, than we expect, which could adversely affect our operating results.
We expect our revenue mix and certain business factors to impact the amount of revenue recognized period to period, which could make period-to-period revenue comparisons not meaningful and difficult to predict.
Our subscription revenue includes revenue from sales of SaaS subscriptions, which is recognized ratably over the contract period, and revenue from sales of term subscriptions, a majority of which is recognized upfront when we transfer control of the license to the customer. Due to the proportion of our contracts trending from term subscriptions and maintenance to SaaS subscriptions, our revenue may fluctuate and period-to-period revenue comparisons may not be meaningful, and our past results may not be indicative of future performance. We cannot be certain how long these factors may persist. These factors make it challenging to forecast our revenue as the mix of solutions and services, as well as the size of contracts, are difficult to predict.
We face intense competition in our market, both from larger, well-established companies and from emerging companies and technologies, and we may lack sufficient financial and other resources to maintain and improve our competitive position.
The market for identity security solutions is intensely competitive and is characterized by constant change and innovation. We face competition from large, well-known enterprise software vendors that offer identity solutions within their product portfolios, pure play identity vendors (including new market entrants), vendors with whom we have not traditionally competed but who may either introduce new products or incorporate features into existing products that compete with our solutions, and various offerings utilizing AI and agentic AI. For example, our competitors include large public companies, such as IBM, Microsoft, and Oracle that offer identity solutions within their product portfolios, and identity centric solution providers, including Palo Alto Networks (CyberArk), Okta, and One Identity.
Many of our competitors are larger, have greater resources and existing customer relationships, and may be able to compete and respond more effectively than we can to new or changing opportunities, technologies, standards, or customer requirements. Our competitors may also seek to extend or supplement their existing offerings to provide identity security solutions that more closely compete with our offerings. Potential customers may also prefer to purchase, or incrementally add solutions, from their existing suppliers rather than a new or additional supplier regardless of product performance or features.
21
Table of Contents
In addition, merger and acquisition transactions in the technology industry continue to occur, particularly transactions involving cloud-based technologies. Accordingly, there is a greater likelihood that we will compete with other large technology companies in the future. Some of our competitors have made acquisitions or entered into strategic relationships to offer a more comprehensive product than they individually had offered. Companies and alliances resulting from these possible consolidations and partnerships may create more compelling product offerings and be able to offer more attractive pricing, making it more difficult for us to compete effectively. In addition, continued industry consolidation may adversely impact customers’ perceptions of the viability of small and medium-sized technology companies and consequently their willingness to purchase from those companies.
New start-up companies that innovate and competitors that are making significant investments in research and development may invent similar or superior products and technologies that compete with our solutions, including technologies that heavily utilize AI and agentic AI, and our business could be materially and adversely affected if such technologies or products are widely adopted. Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering by our competitors, or continuing market consolidation. The development process for competitive offerings that leverage AI and agentic AI technologies in particular may be more condensed than ours, accelerating the time that it takes for such offerings to become available in the market to compete with existing offerings. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue, and gross margins, increased net losses, and loss of market share. Any failure to meet and address these factors would adversely affect our business, financial condition, and operating results.
We anticipate that our operations will continue to increase in complexity as we grow, which will add additional challenges to the management of our business in the future.
Our business has experienced significant growth and is becoming increasingly complex. We increased the number of our employees from 2,379 at January 31, 2024 to 3,229 at January 31, 2026 and the number of countries in which we have employees from 22 at January 31, 2024 to 24 at January 31, 2026. We have also experienced growth in the number of our customers from over 2,760 at January 31, 2024 to approximately 3,235 at January 31, 2026. We expect this growth to continue and for our operations to become increasingly complex. To effectively manage this growth, we have made, and plan to continue to make, substantial investments to improve our operational, financial, and management controls, as well as our reporting systems and procedures. Our success will depend in part on our ability to manage this complexity effectively without undermining our corporate culture, which we believe has been central to our success. If we are unable to manage this complexity, our business, operations, operating results, and financial condition may suffer.
As our customer base continues to grow, we likely will need to expand our professional services and other personnel, and maintain and enhance our existing partner network, to provide a high level of customer service. We also will need to effectively manage our direct and indirect sales processes as the number and type of our sales personnel and partner network continues to grow and become more complex and as we continue to expand into new geographies and vertical markets. This complexity is further driven by the various ways in which we sell our solutions, including on a per identity and per module basis through SaaS and other subscription offerings. If we do not effectively manage the increasing complexity of our business and operations, the quality of our solutions and customer service could suffer, and we may not be able to adequately address competitive challenges. These factors could impair our ability, and our channel partners’ ability, to attract new customers, retain existing customers, expand our customers’ use of existing solutions and adoption of more of our products, and continue to provide high levels of customer service, all of which would adversely affect our reputation, overall business, operations, operating results, and financial condition.
Seasonality may cause fluctuations in our sales, results of operations, and remaining performance obligations.
Historically, we have experienced seasonality in remaining performance obligations (“RPO”) and customer sales, as we typically sell a higher percentage of our solutions to new customers and renewal subscriptions with existing customers in the fourth quarter of our fiscal year. We believe that this results from the procurement, budgeting, and deployment cycles of many of our customers, particularly our enterprise customers. We expect that this seasonality will continue to affect our sales, RPO, and results of operations in the future and might become more pronounced as we continue to target larger enterprise customers.
Our failure to achieve and maintain an effective system of disclosure controls and internal control over financial reporting could adversely affect our financial position and lower our stock price.
22
Table of Contents
As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), and the rules and regulations of the applicable listing standards of the Nasdaq Global Select Market (“Nasdaq"). The requirements of these rules and regulations have increased our legal, accounting, and financial compliance costs, could make some activities more difficult, time-consuming, and costly, and could place significant strain on our personnel, systems, and resources. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended, and anticipate that we will continue to expend, significant resources, including accounting- and technology-related costs and significant management oversight.
Our internal resources and personnel may in the future be insufficient to avoid accounting errors, and there can be no assurance that we will not have material weaknesses in the future. Any failure to develop or maintain effective controls or any difficulties encountered implementing required new or improved controls could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we will eventually be required to include in our periodic reports that will be filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on Nasdaq.
Any failure to maintain effective disclosure controls and internal control over financial reporting could have an adverse effect on our business and operating results and could cause a decline in the price of our common stock.
If we are not able to maintain and enhance our brand or reputation as an industry leader and innovator, our business and operating results may be adversely affected.
We believe that maintaining and enhancing our reputation as a leader and innovator in the market for identity security solutions is critical to our relationship with our existing customers and our ability to attract new customers. The successful promotion of our brand attributes will depend on a number of factors, including our marketing efforts, our ability to continue to develop high-quality solutions, and our ability to successfully differentiate our platform and solutions from competitive products and services across a rapidly evolving market landscape, including changing buyer preferences, new technologies, and shifting channels through which customers discover and evaluate solutions. As our platform, product portfolio, and target markets continue to expand, we may face increased challenges in maintaining clear, consistent, and effective messaging regarding our value proposition, differentiation, and brand positioning. Our brand promotion activities may not be successful or yield increased revenue. Changes in digital marketing ecosystems, search engine algorithms, social media platforms, and AI-driven discovery tools or answer engines may also reduce the visibility, reach, or effectiveness of our content and brand messaging, which could adversely affect our ability to generate awareness, demand, and customer trust.
In addition, independent industry analysts often provide reports on our solutions, as well as those of our competitors, and perception of our solutions in the marketplace may be significantly influenced by these reports. If these reports are negative, or less positive as compared to those of our competitors, our reputation may be adversely affected. Our reputation may also be harmed by negative publicity, unfavorable social media commentary, misinformation, or other third-party statements, whether or not accurate, which can spread rapidly and be difficult to counteract. Additionally, the performance of our channel partners may affect our brand and reputation if customers do not have a positive experience with our solutions as implemented by our channel partners or with the implementation generally. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new geographies and vertical markets, and as more sales are generated through our channel partners. To the extent that these activities yield increased revenue, this revenue may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand and reputation, our business and operating results may be adversely affected.
Sales to enterprise customers involve risks that may not be present or that are present to a lesser extent with respect to sales to smaller organizations.
We target our sales to enterprise customers and large organizations, which involves risks that may not be present or that are present to a lesser extent with sales to smaller customers, including the commercial customer segment. These risks include longer sales cycles and negotiations, more complex customer requirements (including audit and other requirements driven by such customers’ regulatory and industry contexts), substantial upfront sales costs, and less predictability in
23
Table of Contents
completing some of our sales. For example, enterprise customers may require considerable time to evaluate and test our platform and solutions and those of our competitors prior to making a purchase decision and placing an order or may need specialized security features to meet regulatory requirements. A number of factors influence the length and variability of our sales cycle, including the need to educate potential customers about the uses and benefits of our platform and solutions, the discretionary nature of purchasing and budget cycles, the macroeconomic uncertainty and challenges and resulting increased technology spending scrutiny, and the competitive nature of evaluation and purchasing approval processes. Since the processes for deployment, configuration, and management of our platform and solutions are complex, we are also often required to invest significant time and other resources to train and familiarize potential customers with our platform and solutions. Customers may engage in extensive evaluation, testing, and quality assurance work before making a purchase commitment, which increases our upfront investment in sales, marketing, and deployment efforts, with no guarantee that these customers will make a purchase or increase the scope of their subscriptions. In certain circumstances, an enterprise customer’s decision to use our platform and solutions may be an organization-wide decision, and therefore, these types of sales require us to provide greater levels of education regarding the use and benefits of our platform and solutions. As a result, the length of our sales cycle, from identification of the opportunity to deal closure, has varied, and may continue to vary, significantly from customer to customer, with sales to large enterprises and organizations typically taking longer to complete. Moreover, large enterprise customers often begin to deploy our platform and solutions on a limited basis but nevertheless demand configuration, integration services, and pricing negotiations, which increase our upfront investment in the sales effort with no guarantee that these customers will deploy our identity security solutions widely enough across their organization to justify our substantial upfront investment.
Given these factors, it is difficult to predict whether and when a sale will be completed and when revenue from a sale will be recognized due to the variety of ways in which customers may purchase our platform and solutions. This may result in lower than expected revenue in any given period, which would have an adverse effect on our business, financial condition, and results of operations.
Because our long-term success depends, in part, on our ability to expand the sales and marketing of our solutions to customers located outside of the United States, and we perform a significant portion of our development outside of the United States, our business will be susceptible to risks associated with international operations.
At January 31, 2026, we had customers in over 65 countries and employees in 24 countries, and we intend to continue expanding our international sales and marketing operations.
Conducting international operations subjects us to risks that we do not generally face in the United States. These risks include:
•encountering existing and new competitors with stronger brand recognition in the new markets;
•challenges developing, marketing, selling, and implementing our platform and solutions caused by language, cultural, and ethical differences, and the competitive environment;
•heightened risks of unethical, unfair, or corrupt business practices, actual or claimed, in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;
•global and domestic political instability, economic sanctions, terrorist activities, or international conflicts, including the conflicts in the Middle East (e.g., in Iran, Israel, and the surrounding areas) and between Russia and Ukraine, for example, which have in the past and may in the future impact the operations of our business or the businesses of our customers;
•currency fluctuations;
•the risks of currency hedging activities to limit the impact of exchange rate fluctuations, should we engage in such activities in the future;
•difficulties in managing systems integrators and technology providers;
•laws imposing heightened restrictions on data usage and increased penalties for failure to comply with applicable laws, particularly in the EU;
24
Table of Contents
•risks associated with trade restrictions and foreign import requirements, including the importation, certification, and localization of our solutions required in foreign countries, as well as changes in trade, tariffs, restrictions, or requirements;
•potentially different pricing environments, longer sales cycles, and longer accounts receivable payment cycles and collections issues;
•management communication and integration problems resulting from cultural differences and geographic dispersion;
•increased turnover of international personnel as compared to our domestic operations;
•potentially adverse tax consequences, including multiple and possibly overlapping tax structures, the complexities of foreign value added tax systems, restrictions on the repatriation of earnings, and changes in tax rates;
•greater difficulty in enforcing contracts, accounts receivable collection, and longer collection periods;
•the uncertainty and limitation of protection for intellectual property rights in some countries;
•increased financial accounting and reporting burdens and complexities; and
•lack of familiarity with local laws, customs, and practices, and laws and business practices favoring local competitors or commercial parties.
The occurrence of any one of these risks could harm our international business and, consequently, our operating results. Additionally, operating in international markets requires significant management attention and financial resources. We cannot be certain that the investment and additional resources required to operate in other countries will produce desired levels of revenue or net income.
Unfavorable conditions in our industry or the global economy, including those caused by the ongoing conflicts around the world, or reductions in technology spending, could limit our ability to grow our business and negatively affect our results of operations.
Global business activities face widespread macroeconomic uncertainties, and our results of operations may vary based on the impact of changes in our industry or the global economy on us or our customers and potential customers. Negative conditions in the general economy in the United States, Europe, or Asia and in the global economy, including conditions resulting from changes in gross domestic product growth, financial and credit market fluctuations, inflation and efforts to control further inflation, rising interest rates, bank failures, international trade relations, political turmoil (such as the conflicts in the Middle East (e.g., in Iran, Israel, and the surrounding areas) and between Russia and Ukraine, for example), potential U.S. federal government shutdowns, natural catastrophes, warfare, and terrorist attacks could cause a decrease in business investments by existing or potential customers, including spending on technology, and negatively affect the growth of our business. As an example, in the United States, capital markets have experienced and continue to experience volatility and disruption. Furthermore, inflation rates in the United States have recently increased to levels not seen in decades. Global economic and global and domestic political uncertainty may cause some of our customers or potential customers to curtail spending generally, or IT and identity security spending specifically, and may ultimately result in new regulatory and cost challenges to our international operations.
In addition to the foregoing, adverse developments that affect financial institutions, transactional counterparties, or other third parties, such as bank failures or concerns or speculation about any similar events or risks, could lead to market-wide liquidity problems, which in turn may cause third parties, including our customers, to become unable to meet their obligations under various types of financial arrangements as well as general disruptions or instability in the financial markets. Such economic volatility could adversely affect our business, financial condition, results of operations, and cash flows, and future market disruptions could negatively impact us. In particular, we have in the past experienced longer sales cycles and related negotiations for prospective customers and existing customer expansions, reduced contract sizes, or generally increased scrutiny on technology spending and budgets from existing and potential customers, due in part to the effects of macroeconomic uncertainty. These customer dynamics may again occur in the future, and to the extent there is a sustained general economic downturn, a recession, or another situation where technology budgets grow at a slower rate or contract, these customer dynamics may be exacerbated.
25
Table of Contents
We have employees and contractors in locations throughout the Middle East, Europe, and Asia, including in Israel. If the global effect of the ongoing conflict in Israel and the surrounding area or the ongoing conflict between Russia and Ukraine escalates or expands, our ability to conduct business in these regions could be adversely impacted, potentially resulting in delays to product development, sales and marketing, and other key business functions. Additionally, as a result of geopolitical conflicts, including in Russia and Iran, we may face a heightened risk of state-sponsored cyber attacks in the near term. Our competitors, many of whom are larger and have greater financial resources than we do, may respond to challenging market conditions by lowering prices in an attempt to attract our customers, which may require us to respond in kind and may negatively impact our existing customer relationships and new customer acquisition strategy. In addition, the increased pace of consolidation in certain industries may result in reduced overall spending on our identity security solutions. We cannot predict the timing, strength, or duration of any economic slowdown, instability, or recovery, generally or within any particular industry.
Any failure to offer high-quality customer support may adversely affect our relationships with our customers and our financial results.
We typically bundle customer support with arrangements for our solutions. In deploying and using our platform and solutions, our customers typically require the assistance of our support teams to resolve complex technical and operational issues. We may be unable to modify the nature, scope, and delivery of our customer support to compete with changes in product support services provided by our competitors. Increased customer demand for support, without corresponding revenue, could increase costs and adversely affect our operating results. We may also be unable to respond quickly enough to accommodate short-term increases in customer demand for support. Our sales are highly dependent on our reputation and on positive recommendations from our existing customers. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality product support, could adversely affect our reputation and our ability to sell our solutions to existing and new customers.
If we fail to meet contractual commitments related to response time, service level commitments, or quality of professional services, we could be obligated to provide credits for future service or face contract termination, which could adversely affect our business, operating results, and financial condition.
Depending on the solutions purchased, our customer agreements contain service level agreements, under which we guarantee specified availability of our platform and solutions. If we are unable to meet the stated service level commitments to our customers or suffer extended periods of unavailability of our SaaS solution or other subscription offerings, we may be contractually obligated to provide affected customers with service credits or customers could elect to terminate and receive refunds for prepaid amounts. In addition, if the quality of our professional services does not meet contractual requirements, we may be required to re-perform the services at our expense or refund amounts paid for the services. Any failure to meet these contractual commitments could adversely affect our revenue, operating results, and financial condition, and any failure to meet service level commitments or extended service outages of our SaaS solution or other subscription offerings could adversely affect our business and reputation as customers may elect not to renew and we could lose future sales.
Our business depends, in part, on sales to the public sector, which are subject to a number of challenges and risks, and significant changes in the contracting or fiscal policies of the public sector could have an adverse effect on our business.
We derived approximately 12% to 13% of our revenue from sales of our solutions to federal, state, local, and foreign governments and public universities in each of the last three fiscal years, and we believe that the success and growth of our business will continue to depend in part on our successful procurement of government and other public sector contracts. Factors that could impede our ability to maintain or increase the amount of revenue derived from the public sector include:
•changes in fiscal or contracting policies;
•decreases in available government funding;
•changes in government programs or applicable requirements;
•the adoption of new laws or regulations or changes to existing laws or regulations; and
•potential delays or changes in the government appropriations or other funding authorization processes.
26
Table of Contents
The occurrence of any of the foregoing could cause governments, governmental agencies, and others in the public sector to delay or refrain from purchasing our solutions or otherwise have an adverse effect on our business, operating results, and financial condition.
Additionally, the sale of our solutions to the public sector is tied to budget cycles, and there are government requirements and authorizations that we may be required to meet. Further, we may be subject to audits and investigations relating to the contracts we enter into with the public sector, and violations could result in penalties and sanctions, including contract termination, refunding or forfeiting payments, fines and suspension, or debarment from future public sector business. Selling to these entities can be highly competitive, expensive, and time consuming, often requiring significant upfront time and expense. Public sector entities often require contract terms that differ from our standard arrangements and impose additional compliance requirements, require increased attention to pricing practices, or are otherwise time consuming and expensive to satisfy. For example, some of our government entity customers contract with us on the basis of our authorization under FedRAMP, which has in the past and may in the future require us to undertake additional actions and expense to ensure compliance. Public sector entities may also have statutory, contractual, or other legal rights to terminate contracts with our partners for convenience, for lack of funding, or due to a default, and any such termination may adversely impact our future results of operations. If we represent that we meet certain standards, authorizations (such as FedRAMP), or requirements and do not meet them, or if such authorizations are suspended or revoked, we could be subject to increased liability from our customers, investigation by regulators, or termination rights. Even if we do meet them, the additional costs associated with providing our service to public sector entities could harm our margins. Moreover, changes in underlying regulatory requirements could be an impediment to our ability to efficiently provide our service to public sector customers and to grow or maintain our customer base. Any of these risks related to contracting with public sector entities could adversely impact our future sales and results of operations or make them more difficult to predict.
Our failure to raise additional capital or generate cash flows necessary to expand our operations and invest in new technologies in the future could reduce our ability to compete successfully and harm our operating results.
We may need to raise additional funds, and we may not be able to obtain additional debt or equity financing on favorable terms, if at all. If we raise additional equity financing, our security holders may experience significant dilution of their ownership interests. If we engage in debt financing, we may be required to accept terms that restrict our ability to incur additional indebtedness, force us to maintain specified liquidity or other ratios, or restrict our ability to pay dividends or make acquisitions. If we need additional capital and cannot raise it on acceptable terms, or at all, we may not be able to, among other things:
•develop and enhance our solutions;
•continue to expand our product development, sales, and marketing organizations;
•hire, train, and retain employees;
•respond to competitive pressures or unanticipated working capital requirements; or
•pursue acquisition opportunities.
We may acquire or invest in companies, which may divert our management’s attention and result in additional dilution to our stockholders. We may be unable to integrate acquired businesses and technologies successfully or achieve the expected benefits of such acquisitions, and acquisitions, particularly of development stage companies, may adversely affect our operating results and liquidity as well as our ability to meet expectations.
Our success will depend, in part, on our ability to expand our solutions and grow our business in response to changing technologies, customer demands, and competitive pressures. As we have in the past, we may in the future choose to do so through the acquisition of, or investment in, new or complementary businesses and technologies rather than through internal development. As a function of the industry in which we operate, we may acquire development stage companies that are not yet profitable, and that require continued investment, which could adversely affect our results of operations and liquidity as well as our ability to meet expectations, particularly if they were formulated prior to such acquisitions. Development stage companies generally involve a higher degree of risk and have not been proven, require additional capital to develop, and typically do not generate enough revenue to offset increased expenses associated therewith.
27
Table of Contents
The identification of suitable acquisition or investment candidates can be difficult, time-consuming, and costly, and we may not be able to successfully complete identified acquisitions or investments. The risks we face in connection with acquisitions and/or investments include:
•an acquisition may negatively affect our operating results because it may require us to incur charges or assume substantial debt or other liabilities, may cause adverse tax consequences or unfavorable accounting treatment, may expose us to claims and disputes by stockholders and third parties, including intellectual property claims and disputes, or may not generate sufficient financial return to offset additional costs and expenses related to the acquisition;
•we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel, or operations of any company that we acquire;
•an acquisition or investment may disrupt our ongoing business, divert resources, increase our expenses, and distract our management;
•an acquisition may result in a delay or reduction of customer purchases for both us and the company acquired due to customer uncertainty about continuity and effectiveness of service from either company;
•we may encounter difficulties in, or may be unable to, successfully sell any acquired products or effectively integrate them into or with our existing solutions;
•our use of cash to pay for acquisitions or investments would limit other potential uses for our cash;
•if we incur debt to fund any acquisitions or investments, such debt may subject us to material restrictions on our ability to conduct our business; and
•if we issue a significant amount of equity securities in connection with future acquisitions, existing stockholders may be diluted and earnings per share may decrease.
The occurrence of any of these risks could adversely affect our business, operating results, and financial condition.
If our estimates or judgments relating to our critical accounting policies prove to be incorrect, our operating results could be adversely affected.
The preparation of financial statements in conformity with U.S. generally accepted accounting principles (“GAAP") requires management to make estimates and assumptions that affect the amounts reported in our consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in Part II, Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities, and equity and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to the fair value allocation of multiple performance obligations in revenue recognition, the expected period of benefit of contract acquisition costs, the assumptions underlying the fair value used for equity-based compensation expense for awards prior to our IPO, and estimated useful lives and impairment of intangible assets and goodwill arising from business combinations and the assumptions underlying the fair value used for the redemption value of the redeemable convertible units issued prior to our IPO. Our operating results may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations of securities analysts and investors, resulting in a decline in the trading price of our common stock.
Changes in existing financial accounting standards or practices, or taxation rules or practices, may harm our operating results.
Changes in existing accounting or taxation rules or practices, new accounting pronouncements or taxation rules, or varying interpretations of current accounting pronouncements or taxation practice could harm our operating results or the manner in which we conduct our business. Further, such changes could potentially affect our reporting of transactions completed before such changes are effective.
GAAP is subject to interpretation by the Financial Accounting Standards Board (“FASB”), the SEC, and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations
28
Table of Contents
could have a significant effect on our reported financial results and could affect the reporting of transactions completed before the announcement of a change. Adoption of such new standards and any difficulties in implementation of changes in accounting principles, including the ability to modify our accounting systems, could cause us to fail to meet our financial reporting obligations, which could result in regulatory discipline and harm investors’ confidence in us.
We track certain business and operational metrics, which are subject to inherent challenges in measurement, and real or perceived inaccuracies in such metrics may harm our reputation and materially adversely affect our stock price, business, results of operations, and financial condition.
We track certain business and operational metrics, including metrics such as ARR, SaaS ARR, and dollar-based net retention rate, which may differ from estimates or similar metrics published by third parties due to differences in sources, methodologies, or the assumptions on which we rely. Our internal systems and tools are subject to a number of limitations, and our methodologies for tracking these metrics may change over time, which could result in unexpected changes to our metrics, including the metrics we publicly disclose. If the internal systems and tools we use to track these metrics undercount or overcount performance or contain algorithmic or other technical errors, the data we report may not be accurate.
If our solutions fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and operating results could be materially and adversely affected.
We believe we generate a portion of our revenues from our solutions because our customers use our solutions as part of their efforts to achieve and maintain compliance with certain government regulations and industry standards, and we expect that will continue for the foreseeable future. Examples of industry standards and government regulations include the Federal Information Security Management Act (FISMA) and associated National Institute for Standards and Testing ("NIST") Network Security Standards; the Sarbanes-Oxley Act; the Payment Card Industry Data Security Standard (PCI-DSS); Title 21 of the U.S. Code of Federal Regulations, which governs food and drug industries; the North American Electric Reliability Corporation Critical Infrastructure Protection Plan (NERC-CIP); the GDPR; the German Federal Financial Supervisory Authority (BaFin) Minimum Requirements for Risk Management; and the Monetary Authority of Singapore’s Technology Risk Management Notices. These industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses. In addition, governments may also adopt new laws or regulations, or make changes to existing laws or regulations, that could affect whether our customers believe our solution assists them in maintaining compliance with such laws or regulations. If our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our solutions and could switch to those offered by our competitors. In addition, if government regulations and industry standards related to IT security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their businesses, and our customers may be less willing to purchase our solutions. In either case, our sales and financial results would suffer.
Our success depends on the experience and expertise of our senior management team and key employees. If we are unable to hire, retain, train, and motivate our personnel, or to maintain our corporate culture, our business, operating results, and prospects may be harmed.
Our success has depended, and continues to depend, on the efforts and talents of our senior management team and key employees, including our Chief Executive Officer, leadership team, engineers, product managers, sales and marketing personnel, and professional services personnel. Our future success will also depend upon our continued ability to identify, hire, and retain additional skilled and highly qualified personnel, which will require significant time, expense, and attention.
The majority of our employees, including all of our officers and key employees, are employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of one or more members of our senior management team, particularly if closely grouped, could adversely affect our ability to execute our business plan and thus, our business, operating results, and prospects. We do not maintain key person insurance on any of our officers or key employees, and we may not be able to find adequate replacements.
Competition for well-qualified employees in all aspects of our business, including sales, professional services, and software engineering, is intense. We have from time to time experienced, and may in the future have, difficulty hiring and retaining employees with appropriate qualifications, and many of the companies with which we compete for experienced personnel have greater resources than we have. We may need to invest significant amounts of cash and equity to attract and retain new employees, and we may never realize returns on these investments.
29
Table of Contents
We believe that our corporate culture has been and will continue to be a key contributor to our success. The size of our workforce has grown significantly in recent years, and we expect headcount growth to continue for the foreseeable future. If we are not able to maintain our corporate culture as we grow, we may be unable to continue to foster the innovation, integrity, and collaboration we believe we need to support our growth, which could adversely affect our business.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our results of operations.
Our platform and solutions are billed in multiple currencies, and therefore, a portion of our revenue (and, consequently, ARR) is subject to foreign currency risk. A strengthening of the U.S. dollar could increase the real cost of our platform and solutions to our customers outside of the United States, which could also adversely affect our results of operations. In addition, an increasing portion of our operating expenses are incurred outside the United States. These operating expenses are denominated in foreign currencies and are subject to fluctuations due to changes in foreign currency exchange rates. While we do not currently hedge against the risks associated with currency fluctuations, if our foreign currency risk increases in the future and we are not able to successfully hedge against the risks associated with currency fluctuations, our results of operations would be adversely affected.
Our business could be disrupted by catastrophic events.
Occurrence of any catastrophic event, including earthquake, fire, flood, tsunami, or other weather event, power loss, telecommunications failure, software or commodity appliance malfunction, cyber attack, war, military action, terrorist attack, explosion, or pandemic could impact our business. Our insurance coverage may not compensate us for losses that may occur in the event of a significant natural disaster. Additionally, we rely on third-party systems and enterprise applications, technology systems, and our website for our development, marketing, operational support, hosted services, and sales activities. In the event of a catastrophic event, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our product development, lengthy interruptions in our identity security solutions, and breaches of data security, all of which could have an adverse effect on our results of operations. If we are unable to develop adequate plans to ensure that our business functions continue to operate during and after a disaster and to execute successfully on those plans in the event of a disaster or emergency, our business would be harmed.
Risks Related to Our Technology and Our Intellectual Property Rights
Our introduction and use of AI, and the integration of AI with our solutions, may not be successful and may present business, compliance, and reputational challenges, which could lead to operational or reputational damage, competitive harm, legal and regulatory risk, and additional costs, any of which could adversely affect our business, financial condition, and results of operations.
We have incorporated, and expect to continue to incorporate, AI in our solutions, and this incorporation of AI in our business and operations may become more significant over time. The use of generative AI, a relatively new and emerging technology in the early stages of commercial use, exposes us to additional risks, such as potential damage to our reputation, competitive position, and business, legal and regulatory risks, and additional costs. For example, generative AI has been known to produce false or “hallucinatory” inferences or output, and certain generative AI uses ML and predictive analytics, which can create inaccurate, incomplete, or misleading content, unintended biases, and other discriminatory or unexpected results, errors, or inadequacies, any of which may not be easily detectable by us or any of our related service providers. Accordingly, while AI systems may help provide more tailored or personalized user experiences, if the content, analyses, or recommendations that AI systems assist in producing in our solutions are, or are perceived to be, deficient, inaccurate, biased, unethical, or otherwise flawed, our reputation, competitive position, and business may be materially and adversely affected. In addition, new laws and regulations, or the interpretation of existing laws and regulations, in any of the jurisdictions we operate in may affect the use of our AI systems and our use of third-party AI tools and solutions and may expose us to government enforcement or civil suits.
As the legal and regulatory framework encompassing AI matures, it may result in increases in our operational and development expenses that impact our ability to earn revenue from or utilize any AI systems. Any of the foregoing and any similar issues, whether actual or perceived, could negatively impact our users’ experience and diminish the perceived quality and value of our offerings. This in turn could damage our brand, reputation, competitive position, and business. Additionally, if any of our employees, contractors, consultants, vendors, or service providers use any third-party AI-powered tools or solutions in connection with our business or the services they provide to us, it may lead to the inadvertent disclosure or incorporation of our confidential information into publicly available training sets, which may impact our ability to realize the benefit of, or adequately maintain, protect, and enforce our intellectual property or confidential information, harming our competitive position and business. Our ability to mitigate risks associated with disclosure of our confidential information, including in
30
Table of Contents
connection with AI systems, will depend on our implementation, maintenance, monitoring, and enforcement of appropriate technical and administrative safeguards, policies, and procedures governing the use of AI in our business.
Additionally, any output created by us using AI tools may not be subject to copyright protection, which may adversely affect our intellectual property rights in, or ability to commercialize or use, any such content. In the United States, a number of civil lawsuits have been initiated related to the foregoing and other concerns, any one of which may, among other things, require us to limit the ways in which our AI systems are trained and may affect our ability to develop our AI-powered solutions. For example, the output produced by AI tools may include information subject to certain privacy or right of publicity laws or constitute an unauthorized derivative work of the copyrighted material used in training the underlying AI model, any of which could also create a risk of liability for us, or adversely affect our business or operations. AI-related lawsuits to date have generally focused on AI service providers, which may increase our risks of liability. In addition, the use of AI has resulted in, and may in the future result in, cybersecurity breaches, incidents, or disruptions that implicate the personal information of clients of AI systems. To the extent that we do not have sufficient rights to use the data or other material or content used in or produced by the AI tools used in our business, or if we experience cybersecurity incidents in connection with our use of AI, it could adversely affect our reputation and expose us to legal liability or regulatory risk, including with respect to third-party intellectual property, privacy, data protection and cybersecurity, publicity, contractual, or other rights. Further, our competitors or other third parties may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively.
As the utilization of AI becomes more prevalent, we anticipate that it will continue to present new or unanticipated ethical, reputational, technical, operational, legal, competitive, and regulatory issues, among others. We expect that our incorporation of AI in our business will require additional resources, including the incurrence of additional costs, to develop and maintain our solutions and features to minimize potentially harmful or unintended consequences, to comply with applicable and emerging laws and regulations, to maintain or extend our competitive position and to address any ethical, reputational, technical, operational, legal, competitive, or regulatory issues which may arise as a result of any of the foregoing. As a result, the challenges presented with our use of AI could adversely affect our business, financial condition, and results of operations.
Our ability to introduce new identity security solutions and features is dependent on adequate research and development resources and our ability to successfully complete acquisitions. If we do not adequately fund our research and development efforts or complete acquisitions successfully, we may not be able to compete effectively, and our business and results of operations may be harmed.
To remain competitive, we must continue to offer new data security solutions and enhancements to our platform and existing solutions. This is particularly true as we further expand and diversify our capabilities. Maintaining adequate research and development resources, such as the appropriate personnel and development technology, to meet the demands of the market is essential. If we elect not to or are unable to develop solutions internally due to certain constraints, such as high employee turnover, lack of management ability, or a lack of other research and development resources, we may choose to expand into a certain market or strategy via an acquisition for which we could potentially pay too much or fail to successfully integrate into our operations. We may acquire or invest in companies, which may divert our management’s attention and result in additional dilution to our stockholders. For additional information about the risks we face in connection with acquisitions, see “—Risks Related to Our Business and Industry—We may acquire or invest in companies, which may divert our management’s attention and result in additional dilution to our stockholders. We may be unable to integrate acquired businesses and technologies successfully or achieve the expected benefits of such acquisitions, and acquisitions, particularly of development stage companies, may adversely affect our operating results and liquidity as well as our ability to meet expectations.” Further, many of our competitors expend a considerably greater amount of funds on their respective research and development programs, and those that do not may be acquired by larger companies that would allocate greater resources to our competitors’ research and development programs. Our failure to maintain adequate research and development resources or to compete effectively with the research and development programs of our competitors would give an advantage to such competitors, and our business, financial condition, and results of operations could be adversely affected. Moreover, there is no assurance that our research and development or acquisition efforts will successfully anticipate market needs and result in significant new marketable solutions or enhancements to our solutions, design improvements, cost savings, revenues, or other expected benefits. If we are unable to generate an adequate return on such investments, we may not be able to compete effectively, and our business and results of operations may be adversely affected.
Cyber attacks or other cybersecurity breaches, incidents, or disruptions with respect to our networks, systems, or applications, including unauthorized access to, or disclosure or other processing of, our proprietary, confidential, or sensitive information, including personal information, could disrupt our operations, compromise sensitive information related to our business or personal information processed by us or on our behalf, and expose us to liability, which could
31
Table of Contents
harm our reputation and adversely affect our business, financial condition, and results of operations, and as we grow, we may become a more attractive target for cyber attacks.
Our solutions analyze and otherwise process proprietary and confidential information, including personal information. Increasingly, companies in our industry are subject to a wide variety of attacks on their networks and systems. As a well-known provider of identity security solutions, we pose an attractive target for such attacks, and as our footprint grows larger, we may become an even more attractive target for cyber attacks. We have previously experienced, and may in the future experience, various attempts to access or disrupt our networks, systems, and applications. We face threats from a variety of sources, including sophisticated nation-state and nation-state supported actors, cyber criminals, terrorists, and politically motivated groups or individuals that pose risks to our internal networks, our platform, our third-party service providers, and our customers’ systems and the proprietary, confidential, or sensitive information, including personal information processed by us or on our behalf. We may face a heightened risk of state-sponsored cyber attacks in the near term as a result of geopolitical conflicts, including in Russia and Iran.
The nature of the attacks perpetrated against us may include theft of sensitive information, exploitation of our solutions as part of a supply chain attack against our customers, manipulation of data, ransomware, or others. Any of these attacks, if successful, can lead to significant interruptions in our operations, loss of sensitive data and income, reputational harm, and diversion of funds. In the case of ransomware, extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. We do expend and may be required to expend significantly more capital and financial resources in the future to protect against any such threats or to alleviate problems caused by breaches in security.
Moreover, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be increasingly difficult to integrate companies into our IT environment and security program successfully, or at all.
Despite significant efforts to create security barriers to safeguard against such threats, it is impossible for us to entirely mitigate these risks. Despite our security measures, our and our third-party service providers’ IT and infrastructure may be vulnerable to security risks, including unauthorized access to, use, or disclosure of customer data, theft of proprietary information, employee error or misconduct, denial of service attacks, loss or corruption of customer data, and computer hacking attacks or other cyber attacks subsequently originated from our infrastructure. The security measures we have integrated into our internal networks and platform, which are designed to detect unauthorized activity, protect our proprietary, confidential, or sensitive information, including personal information, prevent data loss and prevent or minimize security breaches, incidents, or disruptions, may not function as expected or may not be sufficient to protect our internal networks and platform against certain attacks. In addition, techniques used to sabotage or obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently, generally are not recognized until launched against a target, and may be difficult to discover for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. For example, threat actors may leverage emerging AI technologies to develop new hacking tools and attack vectors, exploit vulnerabilities, obscure their activities, and increase the difficulty of threat attribution and remediation. Such cyber attacks and other cybersecurity breaches, incidents, or disruptions may continue to evolve in frequency and sophistication, and as a result, we may be unable to anticipate these techniques or reasonably implement adequate preventative measures to prevent an electronic intrusion into our networks.
If an actual or perceived breach of our or our third-party service providers’ security occurs, whether as result of third-party action, employee error, malfeasance, or otherwise, the market perception of the effectiveness of our security measures could be harmed, our brand and reputation could be impacted, we could lose potential sales and existing customers, our ability to operate our business could be impaired, we could be subject to litigation, government enforcement actions, additional reporting requirements, and restrictions on data processing, and we may incur significant liabilities. Some of our contracts may not contain limitations of liability, and even where they do, there can be no assurance that any such limitations of liability are sufficient to protect us from liabilities, damages, or claims related to any such breaches. Additionally, while our insurance policies include liability coverage for certain breaches, subject to retention amounts that could be substantial, we cannot be sure that our insurance coverage will be sufficient to protect us from liabilities, damages, or claims related to any such breaches, that such coverage will continue to be available on commercially reasonable terms or at all or that such coverage will pay future claims. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or larger deductibles, could adversely affect our
32
Table of Contents
business, financial condition, and results of operations. Moreover, failure to maintain effective internal accounting controls related to identity security breaches and cybersecurity in general could impact our ability to produce timely and accurate financial statements and could subject us to regulatory scrutiny and/or government enforcement actions. Further, our solutions may be perceived as less desirable, which could negatively affect our business and damage our reputation. Our ability to retain existing customers, expand solutions, and use case penetration with existing customers and acquire new customers is dependent upon our reputation as a trusted intelligent security provider. The importance of our reputation in retaining existing business and acquiring new business is heightened by our focus on enterprise customers. In addition, we have a number of customers that operate in highly-regulated industries where our customers’ data is particularly sensitive, such as financial services and healthcare. A network or security breach could damage our relationships with customers, result in the loss of customers across one or more use case or solution, and make it more challenging to acquire new customers, and such damage would likely be heightened in the event a network or security breach occurred in the highly-regulated industries we serve. Because techniques used to obtain unauthorized access to, or sabotage, systems change frequently and may not be recognized until launched against a target, we and our customers may be unable to anticipate these techniques or implement adequate preventive measures.
Our operations involve analyzing and processing our customers’ and other third parties’ confidential and proprietary information, including, in some cases, personally identifiable information. We have legal and contractual obligations to protect the confidentiality and appropriate use of such information, including customer data. As a result, security incidents impacting our platform or the systems of our third-party service providers could result in a risk of loss or unauthorized access to or disclosure of the information we process on behalf of our customers. This, in turn, could require notification under applicable data privacy regulations and could lead to litigation, governmental audits and investigations, and possible liability, damage our relationships with our existing customers, trigger indemnification and other contractual obligations, cause us to incur investigation, mitigation, and remediation expenses, and have a negative impact on our ability to attract and retain new customers. Furthermore, any such incident, including a breach of our customers’ systems, could compromise our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our or our customers’ networks, and the information stored on our or our customers’ systems could be accessed or disclosed without authorization, altered, lost, or stolen, which could subject us to liability and cause us financial harm. An actual or perceived breach of our networks, our customers’ networks, those of our third-party service providers or other networks secured by our solutions, whether or not due to a vulnerability in our platform, may also undermine confidence in our platform or our industry and result in expenditure of significant resources in efforts to analyze, correct, eliminate, or work around errors or defects, delayed or lost revenue, delay in the development or release of new solutions, an increase in collection cycles for accounts receivable, damage to our brand and reputation, negative publicity, loss of channel partners, customers and sales, increased costs to remedy any problem, increased insurance expense, and costly litigation.
In addition, if a high-profile security incident occurs with respect to another identity security solution provider, our customers and potential customers may lose trust in the value of the identity security solution business model generally, including the security of our solutions, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these negative outcomes could adversely impact market acceptance of our solutions and could adversely affect our business, results of operations, and financial condition.
Interruptions, outages, or other disruptions affecting the delivery of our SaaS solution, or any of the third-party cloud-based systems that we use in our operations, may adversely affect our business, operating results, and financial condition.
Our continued growth depends in part on the ability of our existing customers and new customers to consistently access our platform and solutions at any time and within an acceptable amount of time. In addition, our ability to access certain third-party SaaS solutions, including those of our service providers, is important to our operations and the delivery of our customer support and professional services. We have experienced, and may in the future experience, service disruptions, outages, and other performance problems both in the delivery of our SaaS solution and in third-party SaaS solutions we use due to a variety of factors, including infrastructure changes, malicious actors, human or software errors, or capacity constraints. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. If our SaaS solution or the third-party SaaS solutions we depend on are unavailable or if our customers are unable to access features of our SaaS solution within a reasonable amount of time or at all, our business would be negatively affected.
We host our SaaS solution primarily using AWS data centers. Our related operations depend on protecting the virtual cloud infrastructure hosted in AWS by maintaining its configuration, architecture, features, and interconnection specifications, as well as the information stored in these virtual data centers and which third-party internet service providers transmit. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake, or other natural disasters, cyber attacks, terrorist, or other attacks, military
33
Table of Contents
actions, public health issues, or other similar events beyond our control have in the past, and could in the future, negatively affect our SaaS platform. For example, in October 2025, we experienced limited disruptions to our SaaS platform due to a widespread AWS outage. More recently, we experienced a limited disruption affecting our services hosted in the United Arab Emirates due to the conflict in the Middle East. Neither situation has had a significant impact on our business. A prolonged AWS service disruption affecting our SaaS platform for any of the foregoing or other reasons would negatively impact our ability to serve our customers and could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers, or otherwise harm our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the AWS services we use, which would also likely require significant investments of time. In addition, AWS may terminate our agreement for cause by providing 30 days’ prior written notice. In the event that our AWS service agreements are terminated, or there is a lapse of service, elimination of AWS services or features that we utilize, interruption of internet service provider connectivity, or damage to such facilities, we could experience interruptions in access to our platform as well as significant delays and additional expense in arranging or creating new facilities and services and/or re-architecting our SaaS solution for deployment on a different cloud infrastructure service provider, which may adversely affect our business, operating results, and financial condition.
We rely on third-party software to provide many essential financial and operational services to support our business. Some of these vendors are less established and have shorter operating histories than traditional software vendors. Moreover, many of these vendors, including Salesforce, NetSuite, Workday, and ServiceNow, provide their services to us via a cloud-based model instead of software that is installed on our premises. As a result, we depend upon these vendors to provide us with services that are always available and are free of errors or defects that could cause disruptions in our business processes. Interruptions, outages, or other disruptions affecting SaaS solutions that we rely on can significantly impact our business, operating results, and financial condition. Such disruptions could cause operational delays, inefficiencies, and customer dissatisfaction, which could result in increased customer churn, revenue loss, and increased mitigation costs and potential penalties for not meeting service-level agreements. Frequent or significant disruptions could damage our reputation, making it harder to attract and retain customers. Additionally, service disruptions can result in non-compliance with regulatory requirements, which could lead to legal penalties and increased scrutiny.
If we fail to adapt and respond effectively to rapidly changing technology, evolving industry standards, changing regulations, and changing customer needs, requirements, or preferences, our platform and solutions may become less competitive.
The market in which we compete is relatively new and subject to rapid technological change (including increasingly rapid advancement in AI technologies and capabilities), evolving industry standards, and changing regulations, as well as changing customer needs, requirements, and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis. In addition, as our customers’ technologies and business plans grow more complex, we expect them to face new and increasing challenges. Our customers require that our solution effectively identifies and responds to these challenges without disrupting the performance of our customers’ IT systems. As a result, we must continually modify and improve our solutions and introduce or acquire new solutions in response to changes in our customers’ IT infrastructures.
We may be unable to anticipate future market needs and opportunities or be able to develop enhancements to our platform or existing solutions or new solutions to meet such needs or opportunities in a timely manner, if at all. Even if we are able to anticipate, develop, and commercially introduce enhancements to our platform and existing solutions and new solutions, those enhancements and new solutions may not achieve widespread market acceptance. Our enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:
•delays in releasing platform or solutions enhancements or new solutions;
•inability to interoperate effectively with existing or newly introduced technologies, systems, or applications of our existing and prospective customers;
•defects, errors, or failures in our platform or solutions;
•negative publicity about the performance or effectiveness of our platform or solutions;
•introduction or anticipated introduction of competing products by our competitors;
•installation, configuration, or usage errors by our customers or partners; and
34
Table of Contents
•changing of regulatory requirements related to security.
If we were unable to enhance our platform or existing solutions or develop new solutions that keep pace with rapid technological and industry change, our business, operating results, and financial condition could be adversely affected. If new technologies emerge that are able to deliver competitive products and services at lower prices, more efficiently, more conveniently, or more securely, such technologies could adversely impact our ability to compete effectively.
Real or perceived errors, failures, or disruptions in our platform and solutions could adversely affect our customers’ satisfaction with our solutions and/or our industry reputation and business could be harmed.
Our platform and solutions are very complex and have contained and may contain undetected defects, vulnerabilities, or errors, especially when solutions are first introduced or enhanced. Our platform and solutions are often used in connection with large-scale computing environments with different operating systems, system management software, equipment, and networking configurations, which may cause errors or failures of products, or other aspects of the computing environment into which our solutions are deployed. If our platform and solutions are not implemented or used correctly or as intended, inadequate performance and disruption of service may result. In addition, deployment of our platform and solutions into complicated, large-scale computing environments may expose errors, failures, or vulnerabilities in our solutions. Any such errors, failures, or vulnerabilities may not be found until after they are deployed to our customers. Some of our software and features are powered by ML and AI, which depend on datasets and algorithms that could be flawed, including through inaccurate, insufficient, outdated, or biased data. From time to time, we have experienced errors, failures, and bugs in our platform that have resulted in customer downtime, and we cannot assure you that we will be able to mitigate future errors, failures, vulnerabilities, or bugs in a quick or cost-effective manner.
We and certain of our third-party service providers have in the past experienced, and may in the future experience, performance issues due to a variety of factors, including infrastructure changes, human or software errors, website, or third-party hosting disruptions or capacity constraints due to a number of potential causes including technical failures, cyber attacks, security incidents, natural disasters, or fraud. We have also been the target of distributed denial of service attacks and other cybersecurity attacks that attempt to disrupt our services. If our or our third-party service providers’ products, solutions, or corporate security are compromised, our website, professional services, customer support, or SaaS solution is unavailable, or there are flaws in our ML and AI processes, our business could be negatively affected. Moreover, if our security measures or solutions or third-party service providers are subject to cyber attacks that degrade or deny the ability of users to access our website or other solutions, our solutions may be perceived as insecure, and we may incur significant legal and financial exposure. In particular, our cloud-based solutions may be especially vulnerable to interruptions, performance problems, or cyber attacks. Furthermore, our solutions may not help detect situations in which a valid user identity has been compromised, for example as part of a highly sophisticated cyber attack of the type described below. If we, our third-party service providers, our partners, or one or more customers were to suffer a highly publicized breach, even if our platform and solutions perform effectively, such a breach could cause our customers or potential customers to lose trust in our identity security solutions in general, which could cause us to suffer reputational harm, lose existing commercial relationships and customers, or deter them from purchasing additional products, and prevent new customers from purchasing our solutions. Highly publicized cybersecurity events have heightened consumer, legislative, and regulatory awareness of these kinds of cybersecurity risks, while further emboldening individuals or groups to target IT systems more aggressively, highlighting the vulnerability of IT supply chains.
We continue to invest in the personnel, infrastructure, and third-party best practice software solutions and services necessary to mitigate these risks. However, if we are unable to attract and retain personnel with the necessary cybersecurity expertise, or fail to implement sufficient safeguarding measures, we may not be able to prevent, detect, and mitigate potentially disruptive events which could occur in the future. In some instances, we may not be able to identify the cause or causes of these events within an acceptable period of time. Even with these investments, we may not be able to stop a complex and sophisticated cyber attack. Such attacks can be particularly difficult to prevent or fully mitigate when they occur in the supply chain. If we are or become a target of such an attack, we may not be able to prevent, detect, and mitigate such an attack, which could cause disruptions in service or other performance problems, hurt our reputation and our ability to attract new customers and retain existing customers, and damage our customers’ businesses.
Since our customers use our platform and solutions for important aspects of their security environment and operational business, any real or perceived errors, failures, or vulnerabilities in our solutions, or disruptions in service or other performance problems, could hurt our reputation and may damage our customers’ businesses. Furthermore, defects, errors, vulnerabilities, or failures in our platform or solutions may require us to implement design changes or software updates. Any defects, vulnerabilities, or errors in our platform or solutions, or the perception of such defects, vulnerabilities, or errors, could result in:
35
Table of Contents
(i) expenditure of significant financial and product development resources in efforts to analyze, correct, eliminate, or work around errors or defects; (ii) loss of existing or potential customers or channel partners; (iii) delayed or lost revenue; (iv) delay or failure to attain market acceptance; (v) delay in the development or release of new solutions; (vi) negative publicity, which will harm our reputation; (vii) an increase in collection cycles for accounts receivable or the expense and risk of litigation; and (viii) harm to our operating results.
The contractual protections we have in our standard terms and conditions of sale, such as warranty disclaimers and limitation of liability provisions, may not fully or effectively protect us from claims by customers, commercial relationships, or other third parties. Any insurance coverage we may have may not adequately cover all claims asserted against us or may cover only a portion of such claims. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation and the diverting of management’s time and other resources.
If our platform and solutions do not effectively interoperate with our customers’ existing or future IT infrastructure and applications, implementations could be delayed or cancelled, which would harm our business.
Our success depends on the interoperability of our platform and solutions with third-party applications and data that we have not developed and do not control. Any changes in such applications or data that degrade the functionality of our platform or solutions or give preferential treatment to competitive software could adversely affect the adoption and usage of our solutions. We may not be successful in adapting our platform or solutions to operate effectively with these applications or data. If it is difficult for our customers to access and use our platform or solutions, or if our platform or solutions cannot connect a broadening range of applications and data, then our customer growth and retention may be harmed, and our business and operating results could be adversely affected.
Incorrect or improper implementation or use of our platform and solutions could result in customer dissatisfaction and harm our business, financial condition, and results of operations.
Our platform and solutions are deployed in a wide variety of IT infrastructures, including large-scale, complex technology environments, and we believe our future success will depend, at least in part, on our ability to support such deployments. Implementations of our platform and solutions may be technically complicated, and it may not be easy to maximize the value of our platform and solutions without proper implementation, training, and support. Some of our customers have experienced difficulties implementing our platform and solutions in the past and may experience implementation difficulties in the future. If we or our customers are unable to implement our platform and solutions successfully, customer perceptions of our platform and solutions may be impaired, our reputation and brand may suffer, or customers may choose not to renew their subscriptions or purchase additional identity security solutions from us.
Any failure by customers to appropriately implement our platform and solutions or any failure of our platform and solutions to effectively integrate and operate within our customers’ data management infrastructure could result in customer dissatisfaction, impact the perceived reliability of our platform and solutions, result in negative press coverage, negatively affect our reputation, and harm our business, financial condition, and results of operations.
We use third-party licensed software, third-party licensed services, and cloud services subscriptions in or with our solutions, and the inability to maintain these licenses and subscriptions or issues with the software we license or services we leverage could result in increased costs or reduced service levels, which would adversely affect our business.
Our solutions include software or other intellectual property licensed from certain third parties, and we use certain software and other intellectual property licensed from third parties in our business. We anticipate that we will continue to rely on such third-party software and intellectual property in the future, and from time to time, we may be required to renegotiate our current third-party licenses or license additional technology from third parties to develop new solutions or enhancements thereto or to facilitate new business models. This exposes us to risks over which we may have little or no control. For example, the third-party software we currently license may not always be available (including as a result of periodic government restrictions on use and licensing), or available on commercially reasonable terms, and we may not have access to alternative third-party software in the event of any issues with such software. In addition, a third party may assert that we or our customers are in breach of the terms of applicable licenses, which could, among other things, force us to cease use of such software and give such third party the right to terminate the applicable license or seek damages from us, or both. Additionally, we may not have the right to control the maintenance, prosecution, preparation, filing, enforcement, defense, or litigation of intellectual property that we license from third parties and are reliant on our licensors to do so. We also cannot be certain that activities such as intellectual property protection, maintenance, prosecution, and enforcement by our licensors have been or will be conducted consistent with our best interests or in compliance with applicable laws and regulations or will result in valid and enforceable intellectual property rights. It is possible that our licensors’ infringement proceedings or defense activities may be
36
Table of Contents
less vigorous than had we conducted them ourselves or may not be conducted in accordance with our best interests. Furthermore, we cannot be certain that our licensors are not infringing, misappropriating, or otherwise violating the intellectual property rights of third parties or that our licensors have sufficient rights to the licensed intellectual property in all jurisdictions in which we may offer our solutions. Our inability to obtain or maintain certain licenses or other rights, to obtain or maintain such licenses or rights on favorable terms, or the need to engage in litigation or any other proceedings regarding these matters could result in delays in releases of new solutions and could otherwise disrupt our business, until equivalent technology can be identified, licensed, or developed, if at all. Also, to the extent that our platform and solutions depend upon the successful operation of third-party software in conjunction with our software, any undetected errors, vulnerabilities, compromises, or defects in such third-party software could prevent the deployment or impair the functionality of our solutions, delay new feature introductions, result in a failure of our platform, and injure our reputation. Any of the foregoing could materially adversely affect our business, financial condition, and results of operations.
If we fail to obtain, maintain, protect, defend, or adequately enforce our intellectual property or proprietary rights, our competitive position could be impaired, and we may lose valuable assets, generate reduced revenue, and incur costly litigation to protect our rights.
We regard the protection of our copyrights, proprietary software, trademarks, domain names, trade secrets, and other intellectual property rights as critical to our success. We rely and expect to continue to rely on a combination of copyright, trademark, patent, trade secret, and unfair competition laws, as well as confidentiality procedures and agreements, protective covenant agreements, and other contractual protections with our employees, independent contractors, advisers, channel partners, resellers, and customers to protect our trade secrets, proprietary information, and intellectual property rights.
We strive to protect our intellectual property rights by relying on foreign, federal, state, and common law rights, as well as certain contractual restrictions. However, the steps we take to protect our intellectual property and proprietary rights, including physical, operational, and managerial protections of our confidential information, contractual obligations of confidentiality, assignment agreements with our employees and contractors, license agreements, the prosecution, defense, enforcement, protection, and maintenance of registrations and applications for registration of intellectual property rights, and the defense and enforcement of common law rights require significant resources and may be inadequate. Effective trade secret, copyright, trademark, patent, and domain name protection is expensive to develop and maintain, both in terms of initial and ongoing registration requirements and expenses and the costs of defending and enforcing our rights. Given the costs and expenses of obtaining, maintaining, protecting, exploiting, defending, and enforcing our intellectual property rights, we may choose not to obtain, maintain, protect, exploit, defend, or enforce certain intellectual property rights that later turn out to be important. We cannot guarantee that our efforts to obtain, maintain, protect, exploit, defend, or enforce our intellectual property rights are adequate or that we have secured, or will be able to secure, appropriate permissions or protections for all of the intellectual property rights we use or rely on.
Our registered or unregistered trademarks, trade names, or other intellectual property rights may be challenged, infringed, diluted, circumvented, misappropriated, or otherwise violated or declared invalid or unenforceable or determined to be infringing on or dilutive of other marks. Our domain names and social media handles may also be misappropriated or otherwise misused. Further, at times, competitors may adopt trade names, trademarks, domain names, or social media handles similar to ours, thereby impeding our ability to build, maintain, or extend brand identity and possibly leading to market confusion or brand dilution. Furthermore, even if we are able to obtain intellectual property rights, any challenge to our intellectual property rights could result in them being narrowed in scope or declared invalid or unenforceable. Litigation may become necessary to enforce our intellectual property rights, protect our trade secrets, or determine the validity and scope of proprietary rights claimed by others. We may be unable to prevent the misappropriation or disclosure of our proprietary information or deter independent development of similar technologies by others, which may diminish the value of our brand and other intangible assets and allow competitors to more effectively mimic our solutions.
While it is our policy to require our employees, contractors, and other parties with whom we conduct business who may be involved in the conception or development of intellectual property for us to execute agreements assigning such intellectual property to us, we may be unsuccessful in executing such an agreement with each party who, in fact, conceives or develops intellectual property that we regard as our own. Additionally, any such assignment of intellectual property rights may not be self-executing or the assignment agreements may be breached, and we may be forced to bring claims against third parties, or defend claims that they may bring against us, to determine the ownership of what we regard as our intellectual property. Further, although it is our policy to enter into confidentiality agreements with employees and third parties to protect our trade secrets and other proprietary rights, we cannot guarantee that we have entered into such agreements with each party that has or may have had access to our trade secrets, confidential information, software, or other proprietary technology and, even if entered into, these agreements may otherwise fail to effectively prevent disclosure of our proprietary or confidential rights, information, or technologies, may be limited as to their term, or may not provide an adequate remedy in the event of
37
Table of Contents
unauthorized disclosure, misappropriation, use, or other violation of our trade secrets, confidential information, and other proprietary rights or technologies.
We pursue the registration or protection of our domain names and trademarks in the United States and in certain jurisdictions abroad. However, the laws of some foreign countries do not protect our intellectual property to the same extent as the laws of the United States, and effective intellectual property protection and enforcement mechanisms may not be available in those jurisdictions, which could make it difficult for us to stop the infringement, misappropriation, dilution, or other violation of our intellectual property or marketing of competing products or solutions in violation of our intellectual property rights generally. We may need to expend additional resources to defend our intellectual property in these countries. Any of the foregoing could adversely affect our business, financial condition, and results of operations.
We may be subject to intellectual property rights claims by third parties, including contractual counterparties, which may be costly to defend, result in damage to our reputation, and could require us to pay significant damages, limit our ability to use certain technologies, and adversely affect our business, financial condition, and results of operations.
Companies in the software and technology industries, including some of our current and potential competitors, own large numbers of patents, copyrights, trademarks, trade secrets, and other intellectual property rights and frequently enter into litigation based on allegations of infringement, misappropriation, or other violations of intellectual property rights. We have in the past and may in the future be subject to notices or claims that we have infringed, misappropriated, or misused the intellectual property of our competitors or other third parties, including third parties that may have significantly larger and more mature patent holdings than we do or are patent holding companies whose sole business is to assert such claims. To the extent we increase our visibility in the market, we face a higher risk of being the subject of intellectual property claims. Additionally, despite our efforts to ensure that our employees, contractors, consultants, vendors, and service providers do not use the intellectual property and other proprietary information or know-how of third parties in their work for us, intellectual property, including copyrighted materials, trade secrets, software code, or other proprietary information, we have been and could in the future be subject to claims that we, our employees, or our contractors, consultants, vendors, and service providers have inadvertently or otherwise used or disclosed intellectual property, copyrighted materials, trade secrets, or other proprietary information of our competitors, former employers, or other parties. Litigation may be necessary to defend against these claims. If we fail in defending against such claims, a court could order us to pay substantial damages and prohibit us from using technologies or features that are essential to our solutions, if such technologies or features are found to incorporate or be derived from the trade secrets or other proprietary information of these parties. In addition, we may lose valuable intellectual property rights or personnel. A loss of key personnel or their work product could hamper or prevent our ability to develop, market, and support potential solutions or enhancements, which could severely harm our business. Even if we are successful in defending against these claims, such litigation could result in substantial costs and be a distraction to management.
Our agreements with customers and other third parties may include indemnification provisions under which we agree to indemnify them or otherwise be liable for losses suffered or incurred as a result of claims of intellectual property infringement or misappropriation, damages caused by us to property or persons, or other liabilities relating to or arising from our platform, solutions, or other contractual obligations. See “—Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement, misappropriation, or violation as well as other losses.”
Any intellectual property, indemnification, or wrongful use or disclosure claims, with or without merit, could be time-consuming and expensive, could require litigation, and could divert our management’s attention and other resources. These claims could also subject us to significant liability for damages, potentially including treble damages if we are found to have willfully infringed patents or copyrights. These claims could also result in our having to stop using technology found to be in violation of a third party’s rights. We might be required to seek a license for the intellectual property, which may not be available on reasonable terms or at all. Even if a license is available, we could be required to pay significant royalties, which would increase our operating expenses. As a result, we may be required to develop alternative non-infringing technology, which could require significant effort and expense. If we cannot license or develop technology for any aspect of our business that may ultimately be determined to infringe on or misappropriate the intellectual property rights of another party, we could be forced to limit or stop sales of licenses to our platform and solutions and may be unable to compete effectively. We could also lose valuable intellectual property rights or key personnel as a result of a wrongful disclosure dispute. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property pursuant to our agreements with our channel partners or customers. Any of these results would adversely affect our business, operating results, and financial condition.
Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement, misappropriation, or violation as well as other losses.
38
Table of Contents
Our agreements with customers and certain partners include indemnification provisions under which we agree to defend and indemnify such customer or partner for losses suffered or incurred as a result of third-party claims for intellectual property infringement or misappropriation of our solutions. The intellectual property infringement indemnity to such customers or partners is an uncapped liability for which we would be responsible, and intellectual property indemnity provisions survive termination or expiration of the applicable agreement.
From time to time, customers also require us to indemnify them for a third-party claim for a violation of law arising from our breach of obligations under the applicable agreement. The existence of such a dispute may have adverse effects on our customer relationship and reputation, and even if we contractually limit our liability with respect to such obligations, we may still incur substantial liability related to them. Any assertions by a third party, whether or not successful, with respect to any of these indemnification obligations could subject us to costly and time-consuming litigation, expensive remediation and licenses, divert management attention and financial resources, harm our relationship with that customer and other current and prospective customers, reduce demand for our platform and solutions, and harm our brand, business, operating results, and financial condition. Any dispute with a customer with respect to such obligations could have adverse effects on our relationship with that customer and other existing customers and new customers and adversely affect our business and operating results.
Our use of “open source” software could negatively affect our ability to sell our solutions and subject us to possible litigation.
Some aspects of our platform and solutions are built using open source software, and we intend to continue to use open source software in the future. From time to time, we contribute software source code to open source projects under open source licenses or release internal software projects under open source software licenses and anticipate doing so in the future. Open source software is generally freely accessible, usable, and modifiable. However, certain open source licenses may, in certain circumstances, require us to offer our solutions that incorporate the open source software for no cost, make available source code for modifications or derivative works we create based upon the open source software, incorporate or use the open source software, and/or license such modifications or derivative works under the terms of the particular open source license or otherwise unfavorable terms. The terms of certain open source licenses to which we are subject have not been interpreted by U.S. or foreign courts, and there is a risk that open source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to monetize our solutions. While we try to insulate our proprietary code from the effects of such open source license provisions, we cannot guarantee that we will be successful, that all open source software is reviewed prior to use in our solutions, that our developers have not incorporated open source software into our solutions in potentially disruptive ways, or that they will not do so in the future. Additionally, we may from time to time face claims from third parties claiming ownership of, or demanding release of, the open source software or derivative works that we developed using such software, which could include our proprietary source code, or otherwise seeking to enforce the terms of the applicable open source software license. These claims could result in costly litigation and could require us to make our software source code freely available, purchase a costly license, or cease offering the implicated solutions unless and until we can re-engineer them to avoid infringement or violation. This re-engineering process could require significant additional research and development resources, and we may not be able to complete it successfully. We could also be subject to suits by parties claiming ownership of what we believe to be open source software. In addition to risks related to license requirements, use of certain open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of software and, thus, may contain security vulnerabilities or broken code. Moreover, some open source projects have known security and other vulnerabilities and architectural instabilities, or are otherwise subject to security attacks due to their wide availability, and are provided on an “as-is” basis. There is typically no support available for open source software, and we cannot ensure that the authors of such open source software will implement or push updates to address security risks or will not abandon further development and maintenance. Further, our use of any AI tools that use, incorporate, or output any open source software may heighten the foregoing risks. Any of these risks could be difficult to eliminate or manage, and if not addressed, could have a negative effect on our business, operating results, and financial condition.
Risks Related to Indebtedness
We may incur significant indebtedness, which could reduce our strategic flexibility and liquidity and may have other adverse effects on our results of operations.
We are currently party to a credit agreement (the “2025 Credit Agreement”) that provides for a five-year $250.0 million senior secured revolving credit facility, including a letter of credit sub-facility up to $10.0 million (the “2025 Revolving Credit Facility”). While we have no outstanding borrowings or letters of credit under the 2025 Credit Agreement or 2025
39
Table of Contents
Revolving Credit Facility, we have historically relied on the availability of debt financing and we may incur significant indebtedness in the future under the Revolving Credit Facility or otherwise. We may also consider investments in joint ventures or acquisitions, which may increase our indebtedness. Our ability to meet our future debt service obligations, if any, will depend on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control, including the factors described in this “Risk Factors” section. If we are unable to generate adequate cash flow to meet any such obligations, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt, or obtaining additional equity capital on terms that may be onerous or highly dilutive. Prevailing economic conditions and global credit markets could adversely impact our ability to do so on terms acceptable to us, or at all. In addition, our existing 2025 Credit Agreement and any of our future debt agreements may contain restrictive covenants that prohibit us from adopting any of these alternatives. The amount and terms of any future indebtedness could also make us more vulnerable to economic downturns, less able to withstand competitive pressures, and less flexible in responding to changing business and economic conditions as well as require us to allocate more of our cash flow from operations to the payment of outstanding indebtedness, rather than research and development or business growth.
The terms, conditions, and restrictions contained in the 2025 Credit Agreement could expose us to risks that could adversely affect our liquidity and financial condition or otherwise adversely affect our operating results.
The 2025 Credit Agreement contains, and any future debt agreements may contain, various covenants that, among other things, limit our and certain of our subsidiaries’ abilities to:
•incur additional indebtedness or guarantee indebtedness of others;
•create additional liens on our assets;
•merge, consolidate, or dissolve;
•make loans or investments, including acquisitions;
•sell assets;
•engage in sale and leaseback transactions;
•pay dividends and make other distributions on our capital stock, and redeem and repurchase our capital stock; or
•enter into transactions with affiliates.
The 2025 Credit Agreement also contains, and any future debt agreements may also contain, numerous affirmative covenants, including financial covenants. Our failure to comply with these covenants could result in an event of default, which, if not cured or waived, could result in the acceleration of our then outstanding debt.
Interest rate fluctuations may have a material adverse effect on our business, results of operations, financial condition, and cash flows.
Indebtedness under the 2025 Revolving Credit Facility, if any, bears interest at variable rates, and we may incur additional variable interest rate indebtedness in the future. This exposes us to interest rate risk, and any interest rate swaps we enter into in order to reduce interest rate volatility may not fully mitigate our interest rate risk. If interest rates were to increase, our debt service obligations on the variable rate indebtedness would increase even if the amount borrowed remained the same, and our net income and cash flows, including cash available for servicing our indebtedness, would correspondingly decrease.
Risks Related to Laws and Regulations
We will face risks associated with the growth of our business with certain heavily regulated industry verticals.
We market and sell our platform and solutions to customers in heavily regulated industry verticals, including the banking, healthcare, and financial services industries. As a result, we face additional regulatory scrutiny, risks, and burdens from the governmental entities and agencies that regulate those industries. Entering new heavily regulated verticals and expanding in those verticals in which we are already operating will continue to require significant resources to address potential regulatory scrutiny, risks, and burdens, and there is no guarantee that such efforts will be successful or beneficial to us. If we are unable to successfully penetrate these verticals, maintain our market share in such verticals in which we already operate or cost-effectively comply with governmental and regulatory requirements applicable to our activities with customers in such verticals, our business, financial condition, and results of operations may be harmed.
40
Table of Contents
Any actual or perceived failure by us to comply with our privacy policy or legal or regulatory requirements, rules, industry standards, contractual requirements, and other obligations relating to privacy, data protection, and cybersecurity, in one or multiple jurisdictions could result in proceedings, actions, or penalties against us.
Our solutions analyze and otherwise process customer information, including personal information and other information supplied by our customers. Our standard customer agreement prohibits customers from sending to or storing sensitive customer data in our solutions, whether proprietary data, confidential data, sensitive personal data, or otherwise. However, we may enter into agreements with customers with unique terms that allow for certain sensitive customer data to be sent to and stored in our solutions. Further, our customers’ use of data concerning, among others, their employees, contractors, customers, and/or partners is essential to their use of our platform and solutions, and our solutions are not architected in a manner that prevents our customers from submitting or storing sensitive customer data. We have implemented various features intended to enable our customers to better secure their information and comply with applicable privacy and security requirements in their data governance, but these features do not ensure their compliance and may not be effective against all potential privacy and identity security concerns.
A wide variety of domestic and foreign laws, rules and regulations, and contractual requirements apply to the use and processing of proprietary, confidential, and sensitive information, including personal information. These laws, rules, regulations, industry standards, contractual requirements, and other obligations are constantly evolving, and we will continue to become subject to new proposed laws, rules, regulations, industry standards, contractual requirements, and other obligations in the United States, Europe, and other jurisdictions.
For example, in the United States, there are numerous federal, state, and local privacy, data protection, and cybersecurity laws, rules, and regulations governing the use and processing of personal data. At the federal level, we are subject to, among other laws, rules, and regulations, the rules and regulations promulgated under the authority of the Federal Trade Commission, which has the authority to regulate and enforce against unfair or deceptive acts or practices in or affecting commerce, including acts and practices with respect to privacy, data protection, and cybersecurity. Moreover, Congress has considered, and continues to consider, proposals for comprehensive national data privacy and cybersecurity legislation. As another example, at the state level, we are subject to laws, rules, and regulations, such as the California Consumer Privacy Act (as amended by the California Privacy Rights Act (collectively, “CCPA”)), which, amongst other things, requires businesses to provide specific disclosures in privacy notices, implement new operational practices, honor requests from California residents to exercise certain privacy rights (such as the right to access and request deletion of their personal information and to opt out of certain sharing and sales of personal information) and provides for civil penalties of up to $7,998 per violation, as well as a private right of action for certain data breaches that may increase the likelihood of and risks associated with data breach litigation. Many other states have also enacted, or are in the process of enacting, comprehensive privacy, data protection, and cybersecurity laws, rules, and regulations many of which share similarities with the CCPA, creating a patchwork of overlapping but different state laws. In addition, all 50 states have laws that require the provision of notification for security breaches of personal information to affected individuals, state officers, or others. Possible consequences for non-compliance with these various state laws include enforcement actions in response to rules and regulations promulgated under the authority of federal agencies, state attorneys general, and legislatures and consumer protection agencies.
Outside of the United States, an increasing number of laws, rules, regulations, and industry standards apply to privacy, data protection, and cybersecurity. For example, we are subject to the GDPR in the EU, and in the UK, we are subject to the UK’s Data Protection Act 2018 as supplemented by the GDPR as implemented into UK law (collectively, “UK GDPR”), both of which impose similar, stringent data protection requirements. The GDPR and UK GDPR are wide-ranging in scope and impose numerous additional requirements on companies that process personal data, including imposing special requirements in respect of the processing of personal data, requiring that consent of individuals to whom the personal data relates is obtained in certain circumstances, requiring additional disclosures to individuals regarding data processing activities, requiring that safeguards are implemented to protect the security and confidentiality of personal data, creating mandatory data breach notification requirements in certain circumstances, and requiring that certain measures (including contractual requirements) are put in place when engaging third-party processors. The GDPR and UK GDPR also provide individuals with various rights in respect of their personal data, including rights of access, erasure, portability, rectification, restriction, and objection. Failure to comply with the GDPR and the UK GDPR can result in significant fines and other liability, including fines of up to EUR 20 million (or GBP 17.5 million under the UK GDPR) or four percent of global revenue, whichever is greater. European data protection authorities have shown a willingness to impose significant fines and issue orders preventing the processing of personal data on non-compliant businesses and have imposed several fines for GDPR violations for hundreds of millions of Euros, and even one fine totaling 1.2 billion Euros. Europe's overlapping and yet divergent data protection regimes create increased compliance challenges, costs, and risks for affected businesses. Legal developments in the European Economic Area (“EEA”) and the UK, including rulings from the Court of Justice of the European Union (“CJEU”), have also created
41
Table of Contents
complexity and uncertainty regarding processing and transfers of personal data from the EEA and the UK to the United States and other so-called third countries outside the EEA and the UK that have not been determined by the relevant data protection authorities to provide an adequate level of protection for privacy rights. Case law from the CJEU indicates that reliance on the standard contractual clauses—a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism—alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. In July 2023, the European Commission adopted an adequacy decision in relation to the EU-U.S. Data Privacy Framework (“DPF”) rendering the DPF effective as a GDPR transfer mechanism for personal data transferred from the EEA to the United States by U.S. entities self-certified under the DPF. In October 2023, the UK Extension to the DPF came into effect, as approved by the UK government, as a data transfer mechanism from the UK to U.S. entities self-certified under the DPF. While we have taken steps to mitigate the impact on us, such as implementing the European Commission’s standard contractual clauses, the efficacy and longevity of these mechanisms remains uncertain. Other jurisdictions outside the EU and the UK are similarly introducing or enhancing privacy, data protection, and cybersecurity laws, rules, and regulations, which increase our compliance costs and the risks associated with noncompliance. We cannot fully determine the impact these or future laws, rules, and regulations may have on our business or operations. These laws, rules, and regulations are often inconsistent from one jurisdiction to another, subject to differing interpretations, and may be interpreted to conflict with our practices. While we have implemented controls and procedures designed to comply with the requirements of the privacy, data protection, and cybersecurity laws, rules, and regulations of the jurisdictions in which we operate, such controls and procedures may not be effective in ensuring compliance or preventing unauthorized transfers of personal information. Failure to comply with such requirements could result in fines, sanctions, or other penalties, which could materially affect our reputation, business, financial condition, and results of operations.
These and other applicable data protection and privacy-related laws and regulations are evolving and may result in regulatory and public scrutiny and escalating levels of enforcement and sanctions. See Part I, Item 1, “Business—Government Regulations” for more information. Our failure to comply with contractual obligations or applicable laws and regulations, or to protect any personal or other customer data, could result in enforcement actions against us, including regulatory fines or other civil or criminal liability, as well as claims for damages, contractual or otherwise, by customers and other affected individuals, damage to our reputation, and loss of goodwill (both in relation to existing customers and prospective customers), any of which could adversely affect our business, operating results, financial performance, and prospects.
In addition, we are subject to certain contractual obligations and have made privacy commitments, including in privacy policies and customer data processing agreements, regarding our use and processing of personal data. As a company that supports customer privacy and security objectives, even the perception of a failure by us to comply with our privacy commitments, whether or not valid, may harm our reputation, inhibit adoption of our solutions by current and future customers, or adversely impact our ability to attract and retain workforce talent. Additionally, a failure or perceived failure to comply with privacy commitments could lead to regulator or civil claims if our commitments are found to be deceptive or otherwise misrepresentative of our actual policies and practices.
Loss, retention, or misuse of certain information and alleged violations of laws and regulations relating to privacy and data security, and any relevant claims, may expose us to potential liability and may require us to expend significant resources in responding to and defending such allegations and claims. Any failure or perceived failure by us or any third parties with which we do business to comply with laws, rules, regulations, industry standards, contractual requirements, or other actual or asserted obligations to which we or such third parties are or may become subject may result in significant liability, adverse publicity, inability to process data, and investigations, proceedings, and other legal actions against us by governmental entities and private claims, demands, and litigation. Any such action or other matter could be expensive to defend, may require the expenditure of substantial legal and other costs and substantial time and resources, may result in fines, penalties, or other liabilities, and likely would damage our reputation and adversely affect our business, financial condition, and results of operations. We have in the past and may in the future be party to privacy-related actions and disputes. In many jurisdictions, enforcement actions and consequences for non-compliance with privacy, data protection, and cybersecurity laws, rules, regulations, industry standards, contractual requirements, or other obligations are rising. Data subjects may also have a private right of action, as well as consumer associations, to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of applicable privacy, data protection, and cybersecurity laws, rules, and regulations. In addition, privacy advocates and industry groups have regularly proposed, and may propose in the future, self-regulatory standards that may legally or contractually apply to us or be alleged to apply to us. If we fail or are alleged to fail to follow these standards, even if no personal information is compromised, we may incur significant fines or experience a significant increase in costs and face regulatory investigations and other proceedings or private claims, demands, and litigation. In addition, future laws, regulations, standards, and other obligations, and changes in the interpretation of existing laws, regulations, standards, and other obligations, could impair our customers’ ability to collect, use, or disclose data relating to individuals, which could decrease demand for our platform and solutions, increase our costs, and impair our ability to maintain and grow
42
Table of Contents
our customer base and increase our revenue. This includes evolutions in definitions of what constitutes “Personal Information” and “Personal Data” subject to privacy laws, especially relating to classification of intellectual property addresses, machine or device identification numbers, location data and other information. Changes in the law may limit or inhibit our ability to offer certain solutions or features, limit the growth of features and/or development of new solutions, including that supported by AI or ML, or limit our ability to operate or expand our business and develop technology alliance relationships that may involve the sharing of data.
Around the world, there are a number of lawsuits in process against various technology companies that process personal data. If more lawsuits are successful, it could increase the likelihood that our company may be exposed to liability for our own policies and practices concerning the processing of personal data and could hurt our business. Furthermore, the costs of compliance with, and other burdens imposed by laws, regulations, and policies concerning privacy and identity security that are applicable to the businesses of our customers may limit the use and adoption of our platform or solutions and reduce overall demand for them. Privacy concerns, whether or not valid, may inhibit market adoption of our solutions. Additionally, concerns about security or privacy may result in the adoption of new legislation that restricts the implementation of technologies like ours or requires us to make modifications to our solutions, which could significantly limit the adoption and deployment of our technologies or result in significant expense to modify our solutions.
We publicly post our privacy policies and practices concerning our processing, use, and disclosure of the personally identifiable information provided to us by our website visitors. Our publication of our privacy policies and other statements we publish that provide promises and assurances about privacy and security can subject us to potential state, federal, and international action if they are found to be incomplete or misrepresentative of our actual policies and practices or if our practices are found to be unfair.
Regulatory and legislative developments related to the use of AI could adversely affect our use of such technologies in our solutions and business.
We use AI throughout our business. As the regulatory framework for AI and automated decision making evolves, our business, financial condition, and results of operations may be adversely affected. The regulatory framework for AI and similar technologies and automated decision making is changing rapidly. It is possible that new laws and regulations will be adopted in the United States and in non-U.S. jurisdictions or that existing laws and regulations may be interpreted in ways that would affect the operation of our solutions and the way in which we use AI and similar technologies. We may not be able to adequately anticipate or respond to these evolving laws and regulations, and we may need to expend additional resources to adjust our offerings in certain jurisdictions if applicable legal frameworks are inconsistent across jurisdictions. In addition, because these technologies are themselves highly complex and rapidly developing, it is not possible to predict all of the legal or regulatory risks that may arise relating to our use of such technologies. Further, the cost to comply with such laws or regulations could be significant and could increase our operating expenses, which would adversely affect our business, financial condition, and results of operations.
For example, in August 2024, the EU Artificial Intelligence Act (the “AI Act”), which establishes broad obligations for the development and use of AI-based technologies in the EU based on their potential risks and level of impact, came into force. This framework categorizes AI systems, based on the risks associated with such AI systems’ intended purposes, as creating unacceptable or high risks, with all other AI systems being considered low risk. Furthermore, the AI Act includes requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security, accuracy, general purpose AI, and foundation models, and provides for fines of up to the greater of €35 million or 7% of worldwide annual turnover for violations. There is a risk that our current or future AI-powered solutions may obligate us to comply with the applicable requirements of the AI Act, which may impose additional costs on us, increase our risk of liability, or adversely affect our business. For example, the AI Act prohibits certain uses of AI systems and places numerous obligations on providers and deployers of permitted AI systems, with heightened requirements based on AI systems that are considered high risk. This regulatory framework is expected to have a material impact on the way AI is regulated in the EU and beyond, and, together with developing regulatory guidance and judicial decisions in this area, may affect our use of AI and our ability to provide and to improve our solutions, require additional compliance measures and changes to our operations and processes, result in increased compliance costs and potential increases in civil claims against us, and could adversely affect our business, financial condition, and results of operations.
Failure to comply with anti-bribery, anti-corruption, and anti-money laundering laws could subject us to penalties and other adverse consequences.
43
Table of Contents
We are subject to the Foreign Corrupt Practices Act (the “FCPA”), the U.K. Bribery Act, and other anti-corruption, anti-bribery, and anti-money laundering laws in various jurisdictions both domestic and abroad. The FCPA prohibits any U.S. individual or business from paying, offering, authorizing payment, or offering anything of value, directly or indirectly, to any foreign official, political party, or candidate for the purpose of influencing any act or decision of the foreign entity in order to assist the individual or business in obtaining or retaining business. The U.K. Bribery Act is similar but even broader in scope in that it prohibits bribery of private (non-government) persons as well. The FCPA also obligates companies whose securities are listed in the United States to comply with certain accounting provisions requiring the company to maintain books and records that accurately and fairly reflect all transactions of the corporation, including international subsidiaries, and to devise and maintain an adequate system of internal accounting controls for international operations. Our sales model presents some risk under these laws. We leverage third parties, including channel partners, to sell our solutions and conduct our business abroad. We and our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies, state-owned or affiliated entities, and non-governmental commercial entities and may be held liable for the corrupt or other illegal activities of these third-party intermediaries, our employees, representatives, contractors, channel partners, and agents, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with these laws, we cannot assure you that all of our employees and agents will not take actions in violation of our policies and applicable law, for which we may be ultimately held responsible. Noncompliance with these laws could subject us to investigations, sanctions, settlements, prosecution, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, adverse media coverage, and other consequences. Any investigations, actions, or sanctions could adversely affect our business, operating results, and financial condition.
We are subject to governmental export controls and economic sanctions laws that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.
Our business activities are subject to various restrictions under U.S. export controls and trade and economic sanctions laws, including the U.S. Commerce Department’s Export Administration Regulations and economic and trade sanctions regulations maintained by the U.S. Treasury Department’s Office of Foreign Assets Control. The U.S. export control laws and U.S. economic sanctions laws include prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries, governments, persons, and entities and also require authorization for the export of encryption items. We are also subject to Israeli export controls on encryption technology for our platform and identity security solutions. If the applicable U.S. or Israeli requirements regarding export of encryption technology were to change or if we change the encryption means in our solutions, we may need to satisfy additional requirements in the United States or Israel. There can be no assurance that we will be able to satisfy any additional requirements under these circumstances in either the United States or Israel.
In addition, various countries regulate the import of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our solutions or could limit our customers’ ability to implement our solutions in those countries. Although we take precautions to prevent our solutions from being provided in violation of such laws, our solutions may have been in the past, and could in the future be, provided inadvertently in violation of such laws, despite the precautions we take. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and monetary penalties. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. Although we take precautions to prevent transactions with U.S. sanction targets, we could inadvertently provide our solutions to persons prohibited by U.S. sanctions. This could result in negative consequences to us, including government investigations, penalties, and harm to our reputation.
Our corporate structure and intercompany arrangements are subject to the tax laws of various jurisdictions, and we could be obligated to pay additional taxes, which would harm our operating results.
Based on our current corporate structure, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws, or revised interpretations of existing tax laws and precedents. In addition, the authorities in these jurisdictions could challenge our methodologies for valuing developed technology or intercompany arrangements, including our transfer pricing. The relevant taxing authorities may determine that the manner in which we operate our business does not achieve the intended tax consequences. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest, and penalties. Such authorities could claim that various withholding requirements apply to us or our subsidiaries
44
Table of Contents
or assert that benefits of tax treaties are not available to us or our subsidiaries. Any increase in the amount of taxes we pay or that are imposed on us could increase our worldwide effective tax rate and adversely affect our business and operating results.
Our ability to use net operating losses and other tax attributes to offset future taxable income may be subject to certain limitations.
Our U.S. federal and state net operating loss (“NOLs”) carryforwards and certain other tax credits may be subject to limitations under Section 382 and Section 383 of the Internal Revenue Code of 1986, as amended (the “Code”), respectively, and similar provisions of state law. Under those sections of the Code, a corporation that undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in its equity ownership over a three-year period, is subject to limitations on its ability to utilize its pre-change NOLs and other pre-change tax attributes, such as research tax credits, to offset future taxable income or taxes. Our existing NOLs may be subject to limitations arising from previous ownership changes, and if we undergo an ownership change, our ability to utilize NOLs and other tax attributes could be further limited by Sections 382 and 383 of the Code. In addition, future changes in our stock ownership, many of which are outside of our control, could result in an ownership change under Sections 382 and 383 of the Code. “Ownership changes” that have occurred in the past or that may occur in the future could result in the imposition of an annual limit on the amount of pre-ownership change NOLs and other tax attributes we can use to reduce taxable income, potentially increasing and accelerating our liability for income taxes, and also potentially causing those tax attributes to expire unused.
We function as a HIPAA “business associate” or service provider for certain of our customers and, as such, are subject to strict privacy and data security requirements. If we fail to comply with any of these requirements, or applicable requirements under state health information laws, we could be subject to significant liability, which can adversely affect our business as well as our ability to attract and retain new customers.
The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their respective implementing regulations (collectively referred to as “HIPAA”), imposes specified requirements relating to the privacy, security, and transmission of individually identifiable health information, including “protected health information” (“PHI”) under HIPAA. HIPAA requires, among other things, that “covered entities” and their business associates maintain reasonable and appropriate administrative, physical, and technical safeguards to protect PHI. Additionally, business associates are required to assist covered entities with various requirements under HIPAA, including reporting certain breaches, security incidents, or other unauthorized uses or disclosures of PHI to individuals, the Department of Health and Human Services Office for Civil Rights, and the media, depending on the extent of the disclosure. We may function as a business associate for certain of our customers that are HIPAA covered entities and service providers, and in that context we are regulated as a business associate for the purposes of HIPAA.
If we are unable to comply with our obligations under HIPAA as a business associate, we could face substantial civil or criminal liability or other regulatory action. HITECH also gave state attorneys general authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorneys’ fees and costs associated with pursuing federal civil actions. Furthermore, the HIPAA-covered entities and service providers to which we provide solutions require us to enter into HIPAA-compliant business associate agreements with them. These agreements impose stringent data security obligations on us. If we are unable to meet the requirements of any of these business associate agreements, we could face contractual liability, as well as possible civil and criminal liability under HIPAA, all of which can have an adverse impact on our business and generate negative publicity, which, in turn, can have an adverse impact on our ability to attract and retain new customers.
In addition, many state laws govern the privacy and security of health information in certain circumstances, including having passed privacy legislation to cover consumer health data and sensitive data. These laws may differ from other state privacy requirements, including in the way such laws are interpreted and enforced by state regulatory authorities, and may be more stringent than HIPAA. Under these state laws, states may impose fines or penalties for violations and, depending on the state, may allow a private right of action for individuals who believe their information has been inappropriately used or disclosed, including from a security incident or breach. Additionally, many state attorneys general and the Federal Trade Commission have interpreted existing consumer protection laws to impose standards on the privacy, security, use, transfer, disclosure, disposal, and other treatment of an individual’s information, including health information.
Increased and complex scrutiny of environmental, social, governance, and sustainability (“ESG”) matters may require us to incur additional costs or otherwise adversely impact our business.
45
Table of Contents
Increased attention to climate change, diversity, equity, and inclusion, and other ESG issues, may result in increased costs (including but not limited to increased costs related to compliance, stakeholder engagement, and contracting), impact our reputation or otherwise affect our business performance. In addition, organizations that provide information to investors on corporate governance and related matters have developed ratings processes for evaluating companies on ESG matters. Such ratings are used by some investors to inform their investment or voting decisions and also by some customers and prospective customers to inform their purchasing decisions. Unfavorable ESG ratings could lead to negative investor sentiment toward us and/or our industry, which could have a negative impact on our access to and costs of capital, and could also cause customers and prospective customers to not purchase our solutions. To the extent ESG matters negatively impact our reputation, we may also not be able to compete as effectively to recruit or retain employees. We may take certain actions, including the establishment of ESG-related goals, to improve our ESG profile and/or respond to stakeholder demands, and such actions may be costly or be subject to numerous conditions that are outside our control, and we cannot guarantee that such actions will have the desired effect.
Moreover, while we may have and may continue to create and publish voluntary disclosures regarding ESG matters from time to time, many of the statements in those voluntary disclosures are based on hypothetical expectations and assumptions that may or may not be representative of current or actual risks or events or forecasts of expected risks or events, including the costs associated therewith. Such expectations and assumptions are necessarily uncertain and may be prone to error or subject to misinterpretation given the long timelines involved and the lack of an established single approach to identifying, measuring, and reporting on many ESG matters. Such disclosures may also be at least partially reliant on third-party information that we have not independently verified or cannot be independently verified. In addition, we expect there will likely be increasing levels of regulation, disclosure-related and otherwise, with respect to ESG matters, and increased regulation will likely lead to increased compliance costs as well as scrutiny that could heighten all of the risks identified in this risk factor. Such ESG matters may also impact our customers, which may adversely impact our business, financial condition, or results of operations.
Risks Related to Ownership of Our Common Stock
The trading price of our common stock could be volatile, which could cause the value of your investment to decline.
Our initial public offering (our "IPO") occurred in February 2025. Therefore, there has only been a public market for our common stock for a short period of time. Although our common stock is listed on the Nasdaq Global Select Market, an active trading market for our common stock may not develop or, if developed, be sustained. Technology stocks have historically experienced high levels of volatility. Since shares of our common stock were sold in our IPO in February 2025 at a price of $23.00 per share, our stock price has fluctuated significantly. The trading price of our common stock may fluctuate substantially in response to numerous factors, many of which are beyond our control. These fluctuations could cause you to lose all or part of your investment in our common stock. Factors that could cause fluctuations in the trading price of our common stock include the following:
•announcements of new solutions, products, or technologies, commercial relationships, acquisitions, or other events by us, our competitors, or other technology industry companies, including potential technology industry disruption as a result of AI and agentic AI advancements;
•changes in how customers perceive the benefits of our solutions;
•shifts in the mix of revenue attributable to SaaS subscriptions from quarter to quarter;
•departures of key personnel;
•price and fluctuations in the overall stock market from time to time;
•fluctuations in the trading volume of our shares or the size of our public float;
•sales of large blocks of our common stock;
•actual or anticipated changes or fluctuations in our operating results;
•whether our operating results meet the expectations of securities analysts or investors;
46
Table of Contents
•changes in actual or future expectations of investors or securities analysts;
•litigation involving us, our industry, or both;
•regulatory developments in the United States, foreign countries, or both;
•general economic conditions and trends;
•major catastrophic events in our domestic and foreign markets; and
•“flash crashes,” “freeze flashes,” or other glitches that disrupt trading on the securities exchange on which we are listed.
In addition, if the market for technology stocks or the stock market in general experiences a loss of investor confidence, the trading price of our common stock could decline, including for reasons unrelated to our business, operating results, or financial condition. The trading price of our common stock might also decline in reaction to events that affect other companies in our industry even if these events do not directly affect us. In the past, following periods of volatility in the trading price of a company’s securities, securities class action litigation has often been brought against that company. If our stock price is volatile, we may become the target of securities litigation. Securities litigation could result in substantial costs and divert our management’s attention and resources from our business. This could have an adverse effect on our business, operating results, and financial condition.
If securities analysts or industry analysts were to downgrade our stock, publish negative research or reports, or fail to publish reports about our business, our competitive position could suffer and our stock price and trading volume could decline.
The trading market for our common stock, to some extent, depends on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If one or more of the analysts who cover us should downgrade our stock or publish negative research or reports, cease coverage of our company, or fail to regularly publish reports about our business, our competitive position could suffer and our stock price and trading volume could decline.
Our issuance of additional capital stock in connection with financings, acquisitions, investments, our stock incentive plans, or otherwise will dilute all other stockholders.
We may issue additional capital stock in the future that will result in dilution to all other stockholders. We may also raise capital through equity financings in the future. As part of our business strategy, we may acquire or make investments in complementary companies, products, or technologies and issue equity securities to pay for any such acquisition or investment. Any such issuances of additional capital stock may cause stockholders to experience significant dilution of their ownership interests and the per share value of our common stock to decline.
We do not intend to pay dividends on our common stock and, consequently, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.
We have never declared or paid any dividends on our common stock. We intend to retain any earnings to finance the operation and expansion of our business, and we do not anticipate paying any cash dividends in the foreseeable future. As a result, you may only receive a return on your investment in our common stock if the market price of our common stock increases.
Provisions of our corporate governance documents could make an acquisition of us more difficult and may prevent attempts by our stockholders to replace or remove our current management, even if beneficial to our stockholders.
Our certificate of incorporation and bylaws and the Delaware General Corporation Law (the “DGCL”) contain provisions that could make it more difficult for a third party to acquire us, even if doing so might be beneficial to our stockholders. Among other things:
47
Table of Contents
•these provisions allow us to authorize the issuance of undesignated preferred stock, the terms of which may be established and the shares of which may be issued without stockholder approval, and which may include supermajority voting, special approval, dividend, or other rights or preferences superior to the rights of stockholders;
•these provisions provide for a classified board of directors with staggered three-year terms;
•these provisions provide that, at any time when Thoma Bravo controls, in the aggregate, less than 40% in voting power of our stock entitled to vote generally in the election of directors, directors may only be removed for cause and only by the affirmative vote of holders of at least 66 2/3% in voting power of all the then-outstanding shares of our stock entitled to vote thereon, voting together as a single class;
•these provisions prohibit stockholder action by written consent from and after the date on which Thoma Bravo controls, in the aggregate, less than 35% in voting power of our stock entitled to vote generally in the election of directors;
•these provisions provide that for as long as Thoma Bravo controls, in the aggregate, at least 50% in voting power of our stock entitled to vote generally in the election of directors, any amendment, alteration, or repeal of our bylaws by our stockholders will require the affirmative vote of a majority in voting power of the outstanding shares of our capital stock and at any time when Thoma Bravo controls, in the aggregate, less than 50% in voting power of all outstanding shares of our stock entitled to vote generally in the election of directors, any amendment, alteration, or repeal of our bylaws by our stockholders will require the affirmative vote of the holders of at least 66 2/3% in voting power of all the then-outstanding shares of our stock entitled to vote thereon, voting together as a single class; and
•these provisions establish advance notice requirements for nominations for elections to our Board or for proposing matters that can be acted upon by stockholders at stockholder meetings; provided, however, at any time when Thoma Bravo controls, in the aggregate, at least 10% in voting power of our stock entitled to vote generally in the election of directors, such advance notice procedure will not apply to Thoma Bravo.
We have opted out of Section 203 of the DGCL, which generally prohibits a Delaware corporation from engaging in any of a broad range of business combinations with any interested stockholder for a period of three years following the date on which the stockholder became an interested stockholder. However, our certificate of incorporation contains a provision that provides us with protections similar to Section 203 and prevents us from engaging in a business combination with a person (excluding Thoma Bravo and any of their direct or indirect transferees and any group as to which such persons are a party) who acquires at least 15% of our common stock for a period of three years from the date such person acquired such common stock, unless board or stockholder approval is obtained prior to the acquisition. These provisions could discourage, delay, or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for you and other stockholders to elect directors of your choosing and cause us to take other corporate actions you desire, including actions that you may deem advantageous, or negatively affect the trading price of our common stock. In addition, because our Board is responsible for appointing the members of our management team, these provisions could in turn affect any attempt by our stockholders to replace current members of our management team.
These and other provisions in our certificate of incorporation, bylaws, and Delaware law could make it more difficult for stockholders or potential acquirers to obtain control of our Board or initiate actions that are opposed by our then-current Board, including actions to delay or impede a merger, tender offer, or proxy contest involving our company. The existence of these provisions could negatively affect the price of our common stock and limit opportunities for you to realize value in a corporate transaction.
Thoma Bravo controls us, and its interests may conflict with ours or yours in the future.
As of January 31, 2026, investment entities affiliated with Thoma Bravo UGP, LLC (together with its affiliated entities, "Thoma Bravo") control approximately 85% of the voting power of our outstanding common stock, which means that, based on its percentage voting power, Thoma Bravo controls the vote of all matters submitted to a vote of our stockholders. This control enables Thoma Bravo to control the election of the members of the Board and all other corporate decisions. Even when Thoma Bravo ceases to control a majority of the total voting power, for so long as Thoma Bravo continues to own a significant percentage of our common stock, Thoma Bravo will still be able to significantly influence the composition of our Board and the approval of actions requiring stockholder approval. Accordingly, for such period of time, Thoma Bravo will have significant influence with respect to our management, business plans, and policies, including the appointment and removal of our officers, decisions on whether to raise future capital, and amending our charter and bylaws, which govern the rights attached to our common stock. In particular, for so long as Thoma Bravo continues to own a significant percentage of our
48
Table of Contents
common stock, Thoma Bravo will be able to cause or prevent a change of control of us or a change in the composition of our Board and could preclude any unsolicited acquisition of us. The concentration of ownership could deprive you of an opportunity to receive a premium for your shares of common stock as part of a sale of us and ultimately might affect the market price of our common stock.
In addition, we have entered into a director designation agreement (the “Director Designation Agreement”) with Thoma Bravo that provides it the right to designate: (i) all of the nominees for election to our Board for so long as Thoma Bravo beneficially owns 40% or more of the total number of shares of our common stock beneficially owned by Thoma Bravo upon completion of the IPO, as adjusted for any reorganization, recapitalization, stock dividend, stock split, reverse stock split, or similar changes in our capitalization (such number of shares as may be adjusted, the “Original Amount"); (ii) a number of nominees for election to our Board (rounded up to the nearest whole number) equal to 40% of the total directors for so long as Thoma Bravo beneficially owns at least 30% and less than 40% of the Original Amount; (iii) a number of nominees for election to our Board (rounded up to the nearest whole number) equal to 30% of the total directors for so long as Thoma Bravo beneficially owns at least 20% and less than 30% of the Original Amount; (iv) a number of nominees for election to our Board (rounded up to the nearest whole number) equal to 20% of the total directors for so long as Thoma Bravo beneficially owns at least 10% and less than 20% of the Original Amount; and (v) one nominee for election to our Board for so long as Thoma Bravo beneficially owns at least 5% of the Original Amount. The Director Designation Agreement also provides that Thoma Bravo may assign such right to an affiliate. The Director Designation Agreement prohibits us from increasing or decreasing the size of our Board without the prior written consent of Thoma Bravo. See Part III, Item 13, “Certain Relationships and Related Party Transactions, and Director Independence—Related Party Transactions—Director Designation Agreement” for more details with respect to the Director Designation Agreement.
Thoma Bravo and its affiliates engage in a broad spectrum of activities, including investments in our industry generally. In the ordinary course of their business activities, Thoma Bravo and its affiliates may engage in activities where their interests conflict with our interests or those of our other stockholders, such as investing in or advising businesses that directly or indirectly compete with certain portions of our business or are suppliers or customers of ours. Our certificate of incorporation provides that none of Thoma Bravo, any of its affiliates, or any director who is not employed by us (including any non-employee director who serves as one of our officers in both his or her director and officer capacities) or its affiliates will have any duty to refrain from engaging, directly or indirectly, in the same business activities or similar business activities or lines of business in which we operate. Thoma Bravo also may pursue acquisition opportunities that may be complementary to our business, and, as a result, those acquisition opportunities may not be available to us. In addition, Thoma Bravo may have an interest in pursuing acquisitions, divestitures, and other transactions that, in their judgment, could enhance their investment, even though such transactions might involve risks to you or may not prove beneficial.
We may issue preferred stock whose terms could adversely affect the voting power or value of our common stock.
Our charter authorizes us to issue, without the approval of our stockholders, one or more classes or series of preferred stock having such designations, preferences, limitations, and relative rights, including preferences over our common stock respecting dividends and distributions, as our Board may determine. The terms of one or more classes or series of preferred stock could adversely impact the voting power or value of our common stock. For example, we might grant holders of preferred stock the right to elect some number of our directors in all events or on the happening of specified events or the right to veto specified transactions. Similarly, the repurchase or redemption rights or liquidation preferences we might assign to holders of preferred stock could affect the residual value of our common stock.
Our charter designates the Court of Chancery of the State of Delaware as the sole and exclusive forum for certain types of actions and proceedings that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, employees, or agents.
Pursuant to our certificate of incorporation, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware will be the sole and exclusive forum for any claims in state court for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers, other employees, or stockholders to us or our stockholders, (iii) any action asserting a claim against us arising pursuant to any provision of the DGCL, our certificate of incorporation, or our bylaws, or (iv) any other action asserting a claim against us that is governed by the internal affairs doctrine; provided that for the avoidance of doubt, the forum selection provision that identifies the Court of Chancery of the State of Delaware as the exclusive forum for certain litigation, including any “derivative action,” will not apply to suits to enforce a duty or liability created by the Securities Act of 1933, as amended (the “Securities Act”) Securities Act, the Exchange Act, or any other claim for which the federal courts have exclusive jurisdiction. Our certificate of incorporation will also provide that, unless we consent in writing to the selection of an alternative forum, the federal district courts of the United States shall be the exclusive forum for the resolution of any complaint asserting a cause of action arising under the Securities Act. Our certificate of incorporation further provides that any person or entity
49
Table of Contents
purchasing or otherwise acquiring or holding any interest in shares of our capital stock is deemed to have notice of and consented to the provisions of our certificate of incorporation described above. The forum selection provisions in our certificate of incorporation may have the effect of discouraging lawsuits against us or our directors and officers and may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us. If the enforceability of our forum selection provisions were to be challenged, we may incur additional costs associated with resolving such challenge. While we currently have no basis to expect any such challenge would be successful, if a court were to find our forum selection provisions to be inapplicable or unenforceable with respect to one or more of these specified types of actions or proceedings, we may incur additional costs associated with having to litigate in other jurisdictions, which could have an adverse effect on our business, financial condition, results of operations, cash flows, and prospects and result in a diversion of the time and resources of our employees, management, and Board.
We are a controlled company within the meaning of the rules of Nasdaq and, as a result, qualify for and are relying on exemptions from certain corporate governance requirements.
Thoma Bravo beneficially owns, on a combined basis, a majority of the combined voting power of all classes of our outstanding voting stock. As a result, we are a controlled company within the meaning of the rules of Nasdaq. Under Nasdaq rules, a company of which more than 50% of the voting power is held by another person or group of persons acting together is a controlled company and may elect not to comply with certain Nasdaq corporate governance requirements, including the requirements that:
•a majority of the board of directors consist of independent directors as defined under the rules of Nasdaq;
•the nominating and governance committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities; and
•the compensation committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities.
These requirements will not apply to us as long as we remain a controlled company. We currently utilize some or all of these exemptions. Accordingly, our stockholders may not have the same protections afforded to stockholders of companies that are subject to all of the corporate governance requirements of Nasdaq.
Item 1B. Unresolved Staff Comments.
None.
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We engage with multiple teams across the business, including IT, Product, Engineering, DevOps, Legal, Human Resources, Compliance, and Sales, in an effort to address all aspects and phases of the cybersecurity risk lifecycle, including identification, assessment, treatment, monitoring, and reporting. We also engage with external independent partners on a regular basis to assess the maturity of our cybersecurity risk management program and to recommend improvements thereto, including with respect to third-party risk. We also conduct annual audits and control testing to evaluate the efficiency of our controls across the organization.
Key features of our cybersecurity risk management program include:
•A dedicated team of risk analysts who manage the program and associated activities, such as risk assessments, risk lifecycle management, control assessments, and risk reporting.
50
Table of Contents
•Risk assessments that are conducted by the risk team on a regular basis, which sometimes include emerging topics addressed through targeted risk assessments.
•Security incident response policies and procedures to investigate and respond to security incidents, including procedures to assess the threat of relevant vulnerabilities or security incidents, and to establish remediation and mitigation actions for events.
•Security awareness training campaigns assigned to our users at least twice a year covering a multitude of security and privacy topics.
•Management of third-party risk, including conducting cybersecurity assessments of vendors before onboarding them, followed by ongoing monitoring for compliance with standards.
Cybersecurity Governance
Item 2. Properties.
Our corporate headquarters in Austin, Texas consists of 165,000 square feet of space under a lease that expires in April 2029. We also have additional office space under traditional leases in Pune, India, Tel Aviv, Israel, and London, United Kingdom and under coworking arrangements in various locations in North and South America, EMEA, and APAC.
We believe that our facilities are adequate for our current needs and anticipate that suitable additional space will be readily available to accommodate any foreseeable expansion of our operations. For more information about our lease commitments, see also Note 7 “Leases” in our notes to our consolidated financial statements included in this Annual Report.
Item 3. Legal Proceedings.
51
Table of Contents
We are not currently a party to, nor is our property currently subject to, any material legal proceedings other than ordinary routine litigation incidental to the business, and we are not aware of any such proceedings contemplated by governmental authorities.
Item 4. Mine Safety Disclosures.
Not applicable.
52
Table of Contents
PART II
Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities.
Market Information
Our common stock commenced trading on the Nasdaq Global Select Market on February 13, 2025 under the ticker symbol “SAIL.”
Holders of Record
As of March 13, 2026, there were approximately 1,960 stockholders of record of our common stock, and the closing price of our common stock was $15.45 per share as reported on the Nasdaq Global Select Market. Because many shares of our common stock are held by brokers and other institutions as record holders and on behalf of stockholders, we are unable to estimate the total number of stockholders represented by these record holders.
Dividend Policy
We have never declared or paid any cash dividends on our common stock. We currently intend to retain all of our earnings to finance the growth and development of our business, and we do not currently intend to pay any cash dividends in the foreseeable future. Any further determination to pay dividends on our common stock will be at the discretion of our Board, subject to applicable laws, and will depend on our financial condition, results of operations, capital requirements, general business conditions and other factors that our Board considers relevant. In addition, our 2025 Credit Agreement places restrictions on our ability to pay cash dividends. See Note 9 “Credit Agreement and Debt” in our notes to our consolidated financial statements included in this Annual Report for more information regarding terms and conditions of the 2025 Credit Agreement.
Stock Performance Graph
This performance graph shall not be deemed “soliciting material” or to be “filed” with the SEC for purposes of the Exchange Act, or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act.
The following graph compares (i) the cumulative total stockholder return on our common stock from February 13, 2025 through January 31, 2026 with (ii) the cumulative total return of the Standard & Poor's 500 Index, Standard & Poor's Information Technology Index and the BVP NASDAQ Emerging Cloud Index over the same period, assuming the investment of $100 in our common stock and the reinvestment of dividends. The comparisons are based on historical data and are not indicative of, nor intended to forecast, future performance of our common stock.
53
Table of Contents
| Base Period | ||||||||||||||||||||||||||||||||||||||||||||
| Company/Index | 2/13/2025 | 2/25 | 3/25 | 4/25 | 5/25 | 6/25 | 7/25 | |||||||||||||||||||||||||||||||||||||
| SailPoint, Inc. | $ | 100.00 | $ | 109.09 | $ | 85.23 | $ | 78.00 | $ | 80.09 | $ | 103.91 | $ | 101.55 | ||||||||||||||||||||||||||||||
| S&P 500 | 100.00 | 98.70 | 93.13 | 92.50 | 98.33 | 103.33 | 105.64 | |||||||||||||||||||||||||||||||||||||
| S&P 500 Information Technology | 100.00 | 98.67 | 89.96 | 91.42 | 101.38 | 111.28 | 117.06 | |||||||||||||||||||||||||||||||||||||
| BVP NASDAQ Emerging Cloud | 100.00 | 90.09 | 79.81 | 81.37 | 88.36 | 89.15 | 86.36 | |||||||||||||||||||||||||||||||||||||
| Company/Index | 8/25 | 9/25 | 10/25 | 11/25 | 12/25 | 1/26 | ||||||||||||||||||||||||||||||||
| SailPoint, Inc. | $ | 93.82 | $ | 100.36 | $ | 98.55 | $ | 83.73 | $ | 91.95 | $ | 71.32 | ||||||||||||||||||||||||||
| S&P 500 | 107.79 | 111.72 | 114.34 | 114.62 | 114.69 | 116.35 | ||||||||||||||||||||||||||||||||
| S&P 500 Information Technology | 117.46 | 125.97 | 133.82 | 128.08 | 127.75 | 125.63 | ||||||||||||||||||||||||||||||||
| BVP NASDAQ Emerging Cloud | 88.31 | 86.80 | 88.42 | 83.73 | 86.57 | 74.50 | ||||||||||||||||||||||||||||||||
Recent Sales of Unregistered Securities
Set forth below is information regarding securities sold by us within the past three years that were not registered under the Securities Act (without giving effect to the Corporate Conversion (as defined below)). Also included is the consideration, if any, received by us for such securities and information relating to the section of the Securities Act, or rule of the SEC, under which exemption from registration was claimed.
Since January 31, 2023, we have made sales of the following unregistered securities:
•In March 2023, we issued employees and directors an aggregate of approximately 3,151,863.31 Class A Units of SailPoint Parent, LP ("Class A Units") and approximately 688,583.46 Class B Units of SailPoint Parent, LP ("Class B Units") for a total value of $51.7 million.
•From June 2023 through January 31, 2025, we granted directors and employees an aggregate of approximately 8,492,521.45 time-based restricted Class B Units, subject to certain participation thresholds, for a total value of $147.7 million.
•On December 23, 2024, we issued approximately 36,548,286.44 Class A Units and approximately 7,984,676.29 Class B Units to Thoma Bravo for an aggregate purchase price of $600.0 million.
•On January 7, 2025, we issued approximately 19,567.57 Class A Units and approximately 4,274.91 Class B Units to certain of our directors and other equityholders who exercised their preemptive rights under our partnership agreement in connection with Thoma Bravo’s purchase for an aggregate purchase price of approximately $0.3 million.
See Note 1 "Description of Business and Summary of Significant Accounting Policies Description of Business and Summary of Significant Accounting Policies" in the notes to our consolidated financial statements included in this Annual Report for more information regarding the conversion of the Class A Units and Class B Units in connection with our IPO. The offers and sales of the above securities were deemed to be exempt from registration under the Securities Act in reliance upon Section 4(a)(2) of the Securities Act or Regulation D promulgated thereunder, or Rule 701 promulgated under Section 3(b) of the Securities Act, as transactions by an issuer not involving any public offering or pursuant to benefit plans and contracts relating to compensation as provided under Rule 701. The recipients of the above securities represented their intentions to acquire the securities for investment only and not with a view to or for sale in connection with any distribution thereof.
Purchase of Equity Securities by the Issuer and Affiliated Purchasers
None.
Securities Authorized for Issuance under Equity Compensation Plans
54
Table of Contents
The information required by this item with respect to our equity compensation plans is incorporated by reference to our 2026 Annual Report to Stockholders, which includes our Proxy Statement for the 2026 Annual Meeting of Stockholders to be filed with the SEC within 120 days of the fiscal year ended January 31, 2026.
Use of Proceeds from Initial Public Offering of Common Stock
On February 12, 2025, the Registration Statement on Form S-1 (File No. 333-284339) relating to our IPO was declared effective by the SEC and we priced our IPO.
There has been no material change in the planned use of proceeds from our IPO as described in the related prospectus filed with the SEC pursuant to Rule 424(b)(4) under the Securities Act, except that in March 2025, we used $350.0 million to repay the remaining Term Loans in full.
Item 6. [Reserved]
Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations
You should read the following discussion and analysis of our financial condition and results of operations together with our consolidated financial statements and the related notes included in Part II, Item 8 of this Annual Report.
Our fiscal year end is January 31, and our fiscal quarters end on April 30, July 31, October 31, and January 31. Our fiscal year ended January 31, 2026, January 31, 2025 and January 31, 2024 are referred to herein as "fiscal 2026", "fiscal 2025", and "fiscal 2024," respectively. This MD&A generally discusses fiscal 2026 and fiscal 2025 items and year-to-year comparisons between 2026 and 2025. Discussions of fiscal 2024 items and year-to-year comparisons between 2025 and 2024 that are not included in this Form 10-K can be found in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” in our Annual Report on our Form 10-K for the fiscal year ended 2025.
Overview
We deliver solutions to enable adaptive identity security for the enterprise. We do this via the SailPoint Platform that unifies identity data across systems and identity types, including employee identities, non-employee identities, machine identities, and AI agents for real-time governance. Our SaaS and customer-hosted offerings leverage intelligent analytics to provide organizations with critical visibility into which identities currently have access to which resources, which identities should have access to those resources, and how that access is being used. Our solutions enable organizations to establish, control, and automate policies that help them define and maintain a robust security posture and achieve regulatory compliance. Powered by AI, our solutions enable organizations to overcome the scale and complexity of managing identities in real-time across dynamic, complex IT environments. Our solutions empower organizations to maintain a robust security posture and achieve regulatory compliance.
Today, we offer a range of solutions to meet the varied needs of our customers across a broad set of deployment options including: Identity Security Cloud, our SaaS-based cloud solution built on our unified SailPoint Platform, and IdentityIQ, our customer-hosted identity security solution. These solutions are designed to enable our customers to make more effective decisions regarding access, improve security processes, and provide them with a deeper understanding of identity and access.
SailPoint was founded in 2005 by industry experts to develop a new category of identity solutions, address emerging identity security challenges, and drive innovation in the identity market. After establishing leadership in on-premises identity solutions, SailPoint pioneered standalone identity governance and administration SaaS solutions with advanced analytics. Today, SailPoint delivers a robust, extensible SaaS platform for identity security that is ready for the AI age with modern data architecture and just-in-time access to critical data for advanced use cases.
In recent years, we have transitioned our business to a subscription model. This transition is substantially complete with subscription revenue, which consists primarily of SaaS, maintenance, and term subscriptions, comprising 94%, 92% and 89% of our total revenue for the year ended January 31, 2026, 2025 and 2024, respectively.
Our customers include many of the world’s largest and most complex organizations, including large enterprises across all major verticals and governments. Most new customers purchase one of our SaaS suites, Standard, Business, or Business Plus. We believe we deliver exceptional value to our customers and as a result benefit from high customer retention. Our go-to-
55
Table of Contents
market approach tends to result in a larger land, with future opportunities for expansion. We focus on expanding our customer relationships over time with significant up-selling and cross-selling opportunities, including suite upgrades and additional products. In recent years, our expansion motion has grown rapidly, demonstrating the growing value proposition of our solutions. For the last twelve months ending January 31, 2026, over 95% of new SaaS customers landed with a suite offering.
For Identity Security Cloud, our SaaS-based cloud solution, and IdentityIQ, our customer-hosted solution, our customers typically enter into three-year contracts, with annual billing upfront. For Identity Security Cloud, our pricing is tiered and based on the suite, with the option for the customer to purchase additional products and capabilities a-la-carte. We price our IdentityIQ term subscriptions based on a number of factors, including the number of digital identities governed with the solution. Customers also have the option to purchase additional products and capabilities.
Key Factors Affecting Our Performance
Our historical financial performance has been, and we expect our financial performance in the future to be, driven by our ability to:
Add New Customers within Existing Markets. Countless organizations still use a combination of legacy solutions and home-grown tools. Furthermore, we estimate that over 60% of organizations in our target market still have a fragmented identity experience or use a mostly manual process based on our internal research. As a result, we believe that there is a significant opportunity for us to accelerate the growth of our customer base by enhancing our marketing efforts, increasing our sales capacity and productivity, and expanding and further leveraging our use of channel partners, including managed service providers. Our ability to attract new customers depends on a number of factors, including the effectiveness and pricing of our solutions, our ability to drive awareness of them, and the offerings of our competitors.
Generate Additional Sales to Existing Customers. We believe that our existing customer base provides us with a significant opportunity to expand incremental sales. Most new customers initially purchase one of our SaaS suites (Standard, Business, or Business Plus). We focus on expanding our customer relationships over time through up-selling and cross-selling opportunities, including suite upgrades and additional products. Additionally, we are focused on continuing to migrate customers of our customer-hosted solution to our SaaS suites, which typically results in increased ARR because of the additional functionality that our SaaS suites offer. Our ability to increase sales to existing customers will depend on a number of factors, including our customers’ satisfaction with our products, competition, pricing, and overall changes in our customers’ spending levels.
Increase Share of Revenue Derived from SaaS. Our go-to-market motion is focused primarily on Identity Security Cloud, our SaaS offering. We define incremental ARR as the increase in ARR from the prior period to current period. While we expect that this increase in SaaS contracts will drive growth in ARR, it is also expected to have a near term negative impact on revenue growth, driven by differences in revenue recognition policies between SaaS subscriptions and term subscriptions, and gross margins, as we incur hosting costs for our SaaS offering. Our ability to increase our revenue from SaaS subscriptions will depend on a number of factors, including our customers’ specific circumstances, some of which necessitate their preference for our customer-hosted identity governance solution, IdentityIQ.
Deepen our Penetration in International Markets. We expect to continue to invest in our sales and marketing efforts and channel partner network to expand our reach and deepen our presence in existing geographies and to expand into new geographies. We believe that our global market opportunity is large and growing in response to the evolving IT and threat landscapes. We generated 65% of our revenue from the United States, 21% of our revenue from EMEA and 14% from the rest of the world, billed primarily in U.S. dollars, for the year ended January 31, 2026. Our ability to deepen our penetration in international markets will depend on a number of factors, including the competitiveness of our solutions, the efficacy of our channel partner network, and our sales and marketing efforts.
Sustain Technology Leadership Through Extending Identity Security Portfolio. We recently launched new offerings in non-employee risk management, data access security, access risk management, and cloud infrastructure entitlement management. We are thoughtfully investing in AI, both to increase the capabilities of our solutions, as well as to help our customers protect their organizations while adopting AI for their own use cases. We intend to continue investing to extend our position as the leader in identity security by developing or acquiring new products and technologies and extending our portfolio into additional identity security use cases. Our future success is dependent on our ability to successfully develop, identify, market, and sell existing and new products to both new and existing customers.
Impact of Current Economic Conditions
56
Table of Contents
Worldwide economic and political uncertainties and negative trends, including financial and credit market fluctuations, tariffs and increasing trade protectionism, changes in government spending levels, uncertainty in the banking sector, rising interest rates, inflation and other impacts from the macroeconomic environment have, and could continue to, adversely affect our business operations or financial results. As we continue to monitor the direct and indirect impacts of these circumstances, the broader implications of these macroeconomic and political events on our business, results of operations and overall financial position remain uncertain. See the section titled "Risk Factors'' included under Part I, Item 1A above for further discussion of the possible impact of these factors and other risks on our business.
Key Business Metrics
In addition to our financial information prepared in accordance with GAAP, we monitor the following key business metrics to help us measure and evaluate the effectiveness of our operations. Although we believe we have a reasonable basis for each of these metrics, we caution you that these metrics are based on a combination of assumptions that may prove to be inaccurate over time. Please see the section titled “Risk Factors” for more information.
Total Customers and Customers by ARR Level
The approximate number of customers at each ARR level are as follows:
| As of January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
Customers | 3,235 | 2,975 | 2,760 | ||||||||||||||
Customers less than $250,000 in ARR | 2,000 | 1,995 | 1,980 | ||||||||||||||
Customers greater than $250,000 in ARR | 1,235 | 980 | 780 | ||||||||||||||
Customers greater than $1,000,000 in ARR | 215 | 160 | 90 | ||||||||||||||
As of January 31, 2026, the number of customers with $250,000 or more of ARR and with over $1,000,000 of ARR increased 26% and 34%, respectively, on a year-over-year basis. As of January 31, 2025, the number of customers with $250,000 or more of ARR and with over $1,000,000 of ARR increased 26% and 78%, respectively, on a year-over-year basis. We expect the increase in our overall customer count to continue as customers realize the growing value proposition of our solutions.
Annual Recurring Revenue
We believe ARR is a key metric to measure our business performance because it measures our ability to generate sales with new customers and to maintain and expand spend with existing customers. The way we define ARR normalizes the impact of revenue recognition differences between SaaS contracts and term subscription agreements. In recent years, ARR has grown faster than revenue, as a greater share of incremental ARR has been driven by SaaS contracts which have ratable revenue recognition compared to term subscription agreements where a portion of the contract value is recognized as revenue up-front.
We define ARR as the annualized value of SaaS, maintenance, term subscription, and other subscription contracts as of the measurement date. To the extent that we are actively negotiating a renewal or new agreement with a customer after the expiration of a contract, we continue to include that contract’s annualized value in ARR until the customer notifies us that it is not renewing its contract. The amount included in our ARR calculation related to these contracts was less than 1% as of the end of each period shown in the ARR table below. We calculate ARR by dividing the active contract value by the number of days of the contract and then multiplying by 365. ARR should be viewed independently of revenue, as ARR is an operating metric and is not intended to be combined with or to replace revenue. ARR is not a forecast of future revenue, which can be impacted by ASC 606 allocations, and ARR does not consider other sources of revenue that are not recurring in nature.
ARR does not have a standardized meaning and is not necessarily comparable to similarly titled measures presented by other companies. Our ARR has grown in each of the past three years, reflecting growth in new customers as well as expanded sales to existing customers. The following table presents our ARR as of the end of each period noted below (dollars in millions):
57
Table of Contents
| As of January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
ARR | $ | 1,124.8 | $ | 876.7 | $ | 681.8 | |||||||||||
SaaS Annual Recurring Revenue
In recent years, we have transitioned our business to a SaaS-first subscription model. As a result of those efforts, our SaaS ARR has continued to show strong growth, and the share of SaaS ARR to total ARR has increased from 57% to 66% from January 31, 2024 to January 31, 2026. We believe the share of ARR generated by our SaaS solution will continue to increase over time.
We define SaaS ARR as the annualized value of SaaS contracts as of the measurement date. To the extent that we are actively negotiating a renewal or new agreement with a customer after the expiration of a contract, we continue to include that contract’s annualized value in SaaS ARR until the customer notifies us that it is not renewing its contract. The amount included in our ARR calculation related to these contracts was less than 1% as of the end of each period shown in the SaaS ARR table below. We calculate SaaS ARR by dividing the active SaaS contract value by the number of days of the contract and then multiplying by 365.
SaaS ARR should be viewed independently of subscription revenue as SaaS ARR is an operating metric and is not intended to be combined with or replace subscription revenue. SaaS ARR is not a forecast of future subscription revenue, which can be impacted by ASC 606 allocations and renewal rates and does not consider other sources of revenue that are not recurring in nature. The following table presents our SaaS ARR as of the end of each period noted below (dollars in millions):
| As of January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
SaaS ARR | $ | 746.2 | $ | 540.3 | $ | 388.3 | |||||||||||
Dollar-Based Net Retention Rate
We define dollar-based net retention rate as the comparison of our ARR from our subscription customers against the same metric for those subscription customers from the prior year. For the purposes of calculating our dollar-based net retention rate, we define a subscription customer as a separate legal entity that has entered into a distinct subscription agreement. Our dollar-based net retention rate reflects customer expansion, contraction, and churn. We calculate our dollar-based net retention rate as of period end by starting with the ARR from all subscription customers as of 12 months prior to such period end, or prior period ARR. We then calculate the ARR from these same subscription customers as of the current period end, or current period ARR. We then divide the current period ARR by the prior period ARR to arrive at our dollar-based net retention rate. The dollar-based net retention rate at the end of any period is the weighted average of the dollar-based net retention rates as of the end of each of the trailing 4 quarters. The following table presents our dollar-based net retention rate as of the end of each period noted below:
| As of January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
Dollar-based net retention rate | 113 | % | 114 | % | 114 | % | |||||||||||
Factors Affecting the Comparability of Our Results of Operations
Our historical results of operations may not be comparable from period to period or going forward.
On February 14, 2025, we closed the IPO and became a public company. We incur additional costs associated with operating as a public company as compared to periods prior to the IPO. The Sarbanes-Oxley Act, as well as rules adopted by the SEC and national securities exchanges, require public companies to implement specified corporate governance practices that were inapplicable to us as a private company. These additional rules and regulations increase our legal, regulatory, financial, and insurance compliance costs and make some activities more time-consuming and costly.
58
Table of Contents
We incurred a significant increase in equity-based compensation expense due to the conversion and vesting of equity awards issued prior to the IPO as well as the issuance of equity awards to certain employees in connection with the IPO. On January 31, 2025, the Board approved modifications to accelerate the vesting of certain incentive units, EARs, and cash settled awards subject to the pricing and closing of the IPO. Upon the IPO, the vested incentive units were considered redeemable. As a result of the modifications and the closing of the IPO during our fiscal year 2026, we recognized $113.8 million of equity-based compensation expense in the consolidated statement of operations, which was comprised of $61.5 million, $12.6 million, and $39.8 million of expense for the modified incentive units, EARs, and cash settled awards, respectively. During February 2025, we issued 16,483,859 RSUs primarily in connection with our IPO under the SailPoint, Inc. Omnibus Incentive Plan (the “Omnibus Plan”) to certain of our employees, including our executive officers, and directors of the Board. These RSUs will vest predominately over two to four years based on continued service. See Note 12 "Equity-Based Compensation" in the notes to our consolidated financial statements for additional information.
On February 12, 2025, in conjunction with the IPO, SailPoint Parent, LP converted into a Delaware corporation pursuant to a statutory conversion and changed its name to SailPoint, Inc. (the "Corporate Conversion"). In conjunction with the Corporate Conversion, all of our outstanding partnership units were converted into an aggregate of 499,060,464 shares of our common stock. The number of shares of common stock issuable to holders of Class A Units and holders of Class B Units in connection with the Corporate Conversion was determined pursuant to the applicable provisions of the plan of conversion.
Following the closing of the IPO, we no longer incur Thoma Bravo monitoring fees.
During the first quarter of fiscal year 2027, we issued 20,799,064 RSUs to certain of our employees, including executive officers. Stock-based compensation expense is estimated to be $289.7 million and will be recognized over four years based on continued service.
Components of Results of Operations
Revenue
Subscription Revenue
The majority of our revenue relates to subscription revenue which consists of (i) fees for access to, and related support for, the SaaS offerings, (ii) fees for term subscriptions, (iii) fees for ongoing maintenance and support of perpetual license solutions, and (iv) other subscription services such as cloud managed services, and certain professional services. Term subscriptions include the term licenses and ongoing maintenance and support. Maintenance and support agreements consist of fees for providing software updates on a when and if available basis and for providing technical support for software products for a specified term.
Subscription revenue, including support for term licenses, is recognized ratably over the term of the applicable agreement. Revenue related to term subscription performance obligations, excluding support for term subscriptions, is recognized upfront at the point in time when the customer has taken control of the software license.
Over time, we expect subscription revenue will increase as a percentage of total revenue as we continue to focus on increasing our subscription revenue, specifically our SaaS offering, as a key strategic priority.
Services and Other Revenue
Services and other revenue consist primarily of fees from professional services provided to customers and partners to configure and optimize the use of our solutions as well as non-subscription training services. Our professional services are structured on a time-and-materials or fixed priced basis, and the related revenue is recognized as the services are rendered.
Services and other revenue also consists of revenues from perpetual license performance obligations and is recognized upfront at the point in time when the customer has taken control of the software license. All perpetual license transactions include maintenance and support performance obligations which are included in subscription revenue. For the year ended January 31, 2026, the Company has begun presenting perpetual license revenue as part of services and other revenue due to amounts no longer being significant and has recast prior year amounts accordingly.
Over time, we expect our professional services revenue as a percentage of total revenue to decrease as we increasingly rely on partners to help our customers deploy our software and on our focus on increasing subscription revenue.
Cost of Revenue
59
Table of Contents
Cost of Subscription Revenue
Cost of subscription revenue consists primarily of third-party cloud-based hosting costs, software, amortization expenses for developed technology acquired, amortization expense for capitalized software development costs, equity-based compensation, employee-related costs (which we define as salaries, benefits, bonuses and allocated overhead) for providing subscriptions, third party royalties, facilities costs and contractor costs to supplement staff levels. We expect third-party cloud-based hosting costs to increase as our SaaS subscriptions continue to grow.
Cost of Services and Other Revenue
Cost of services and other revenue consists primarily of (1) employee-related costs of professional services and training organizations, equity-based compensation, travel-related costs, facilities costs and contractor costs to supplement staff levels; and (2) amortization expense for developed technology acquired and third-party royalties related to perpetual licenses. As of the year ended January 31, 2026, the Company has begun presenting cost of perpetual license revenue as part of cost of services and other revenue due to amounts no longer being significant and has recast prior year amounts accordingly.
Gross Profit and Gross Profit Margin
Gross profit is revenue less cost of revenue, and gross profit margin is gross profit as a percentage of total revenue. Gross profit has been and will continue to be affected by various factors, including the mix of our revenue, the costs associated with third-party cloud-based hosting services and software for our SaaS offering, and the extent to which we expand our customer support, professional services, and training organizations. We expect that our overall gross profit margin will fluctuate from period to period depending on the mix of these various factors.
Operating Expenses
Research and Development Expenses
Research and development expenses consist primarily of employee-related costs, equity-based compensation, software and hosting arrangement expenses, facilities costs, professional services expense, and amortization expense for acquired intangible assets.
We believe that continued investment in our offerings is vital to the growth of our business, and we intend to continue to invest in product development. We expect our research and development expenses to continue to increase on an absolute basis in the foreseeable future but to decrease as a percentage of revenue as our business grows.
Sales and Marketing Expenses
Sales and marketing expenses consist primarily of employee-related cost (which includes commissions), equity-based compensation, costs for events and travel, facilities costs, costs of general marketing and promotional activities, payment processing fees and amortization expense for acquired intangible assets, and contract acquisition costs.
We expect our sales and marketing expenses to increase on an absolute basis for the foreseeable future as we continue to invest in our sales force for expansion to new geographic and vertical markets. We expect sales and marketing expenses to continue to be our largest operating expense category.
General and Administrative Expenses
General and administrative expenses consist primarily of employee-related costs related to the corporate functions such as executive and internal administrative operations, as well as equity-based compensation, third-party professional fees, bad debt expense, travel, and facilities costs.
We expect our general and administrative expenses to increase on an absolute basis as a result of operating as a public company, including costs to comply with the rules and regulations applicable to companies listed on a national securities exchange, costs related to compliance and reporting obligations, and increased expenses for insurance, investor relations, and professional services. However, we expect that our general and administrative expense will decrease as a percentage of our revenue as our revenue grows over the longer term as our business grows.
We also expect to incur higher equity-based compensation as we operate as a public company, which will result in an increase in costs of revenue, research and development expenses, sales and marketing expenses, and general and administrative expenses.
60
Table of Contents
Other Income (Expense), Net
Other income (expense), net consists primarily of interest income and interest expense. Interest income consists primarily of interest received on cash equivalents, which we expect will fluctuate based on our cash balances and interest rates.
We expect interest expense to decrease due to the repayment of our Term Loans.
Income Tax Benefit (Expense)
Our income tax benefit (expense) consists of U.S. and state income taxes and income taxes in certain foreign jurisdictions in which we conduct business. Our income tax rate varies from the federal statutory rate due to state income taxes, differences in accounting and tax treatment of our equity-based compensation, research and development credits, and changes in the valuation allowance. We expect fluctuation in effective income tax rates, as well as its potential impact on our results of operations, to continue.
Seasonality
We generally experience seasonal fluctuations in demand for our products and services. Our quarterly sales are impacted by industry buying patterns. As a result, our sales have generally been highest in the fourth fiscal quarter and lowest in the first fiscal quarter. Although these seasonal factors are common in the technology industry, historical patterns should not be considered a reliable indicator of our future sales activity or performance.
61
Table of Contents
Results of Operations
The following table sets forth our results of operations for the periods presented and as a percentage of revenue (in thousands, except for percentages, units and per unit data). The period-to-period comparison of results is not necessarily indicative of results for future periods.
| Year Ended January 31 | |||||||||||||||||||||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||||||||||||||||||||
| Revenue | |||||||||||||||||||||||||||||||||||
| Subscription | $ | 1,010,198 | 94 | % | $ | 793,919 | 92 | % | $ | 622,830 | 89 | % | |||||||||||||||||||||||
| Services and other | 61,218 | 6 | 67,692 | 8 | 76,742 | 11 | |||||||||||||||||||||||||||||
| Total revenue | 1,071,416 | 100 | 861,611 | 100 | 699,572 | 100 | |||||||||||||||||||||||||||||
| Cost of revenue | |||||||||||||||||||||||||||||||||||
Subscription (2) | 302,367 | 28 | 236,581 | 28 | 205,053 | 29 | |||||||||||||||||||||||||||||
Services and other (2) | 78,258 | 7 | 69,152 | 8 | 71,582 | 10 | |||||||||||||||||||||||||||||
| Total cost of revenue | 380,625 | 36 | 305,733 | 35 | 276,635 | 40 | |||||||||||||||||||||||||||||
| Gross profit | 690,791 | 64 | 555,878 | 65 | 422,937 | 60 | |||||||||||||||||||||||||||||
| Operating expenses | |||||||||||||||||||||||||||||||||||
Research and development (2) (3) | 222,961 | 21 | 169,730 | 20 | 180,778 | 26 | |||||||||||||||||||||||||||||
Sales and marketing (2) (3) | 574,846 | 54 | 466,903 | 54 | 461,187 | 66 | |||||||||||||||||||||||||||||
General and administrative (2) | 200,470 | 19 | 107,979 | 13 | 113,701 | 16 | |||||||||||||||||||||||||||||
| Total operating expenses | 998,277 | 93 | 744,612 | 86 | 755,666 | 108 | |||||||||||||||||||||||||||||
| Loss from operations | (307,486) | (29) | (188,734) | (22) | (332,729) | (48) | |||||||||||||||||||||||||||||
| Other income (expense), net | |||||||||||||||||||||||||||||||||||
| Interest income | 10,790 | 1 | 4,158 | 1 | 10,658 | 2 | |||||||||||||||||||||||||||||
| Interest expense | (24,635) | (2) | (186,652) | (22) | (187,059) | (27) | |||||||||||||||||||||||||||||
| Other income (expense), net | (4,668) | — | (5,401) | (1) | (3,219) | 1 | |||||||||||||||||||||||||||||
| Total other income (expense), net | (18,513) | (2) | (187,895) | (22) | (179,620) | (26) | |||||||||||||||||||||||||||||
| Loss before income taxes | (325,999) | (30) | (376,629) | (44) | (512,349) | (73) | |||||||||||||||||||||||||||||
| Income tax benefit (expense) | 55,945 | 5 | 60,799 | 7 | 116,982 | 17 | |||||||||||||||||||||||||||||
| Net loss | $ | (270,054) | (25) | % | $ | (315,830) | (37) | % | $ | (395,367) | (57) | % | |||||||||||||||||||||||
| Class A yield | $ | (23,786) | $ | (764,549) | $ | (583,672) | |||||||||||||||||||||||||||||
| Net loss attributable to common stockholders and Class B unitholders | $ | (293,840) | $ | (1,080,379) | $ | (979,039) | |||||||||||||||||||||||||||||
Net loss per share attributable to common stockholders and Class B unitholders, basic and diluted (1) | $ | (0.54) | $ | (12.91) | $ | (12.13) | |||||||||||||||||||||||||||||
Weighted average Class B Units outstanding—basic and diluted (1) | 544,159 | 83,716 | 80,746 | ||||||||||||||||||||||||||||||||
Note: Certain percentages may not foot due to rounding.
(1) Amounts for the period during February 2025 prior to the Corporate Conversion have been retrospectively adjusted to give effect to the Corporate Conversion described in Note 1 in this Annual Report. These amounts do not consider the shares of common stock sold in our IPO or the Class A Units considered preferred shares that were converted into common stock and issued upon the closing of our IPO. We did not retrospectively adjust for the effect of the Corporate Conversion for periods prior to fiscal year 2026.
(2) Includes equity-based compensation expense as follows:
62
Table of Contents
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| (In thousands) | |||||||||||||||||
Cost of revenue | |||||||||||||||||
| Subscription | $ | 19,754 | $ | 7,119 | $ | 6,675 | |||||||||||
| Services and other | 15,473 | 6,652 | 5,772 | ||||||||||||||
Operating expenses | |||||||||||||||||
| Research and development | 52,990 | 23,139 | 30,373 | ||||||||||||||
| Sales and marketing | 103,484 | 38,387 | 52,292 | ||||||||||||||
| General and administrative | 118,099 | 24,272 | 39,707 | ||||||||||||||
| Total equity-based compensation expense | $ | 309,800 | $ | 99,569 | $ | 134,819 | |||||||||||
(3) Includes amortization expense of acquired intangible assets as follows:
Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| (In thousands) | |||||||||||||||||
Cost of revenue | |||||||||||||||||
| Subscription | $ | 106,476 | $ | 103,329 | $ | 100,820 | |||||||||||
Services and other | 2 | 154 | 2,147 | ||||||||||||||
Operating expenses | |||||||||||||||||
| Research and development | 443 | 380 | 32 | ||||||||||||||
| Sales and marketing | 95,147 | 126,445 | 154,030 | ||||||||||||||
| Total amortization expense | $ | 202,068 | $ | 230,308 | $ | 257,029 | |||||||||||
Comparison of the Years Ended January 31, 2026 and 2025
Revenue
| Year Ended January 31, | |||||||||||||||||||||||
| 2026 | 2025 | variance $ | variance % | ||||||||||||||||||||
| (In thousands, except percentages) | |||||||||||||||||||||||
| Revenue | |||||||||||||||||||||||
| Subscription | |||||||||||||||||||||||
| SaaS | $ | 602,149 | $ | 444,595 | $ | 157,554 | 35 | % | |||||||||||||||
| Maintenance and support | 150,879 | 154,351 | (3,472) | (2) | % | ||||||||||||||||||
| Term subscriptions | 229,292 | 173,917 | 55,375 | 32 | % | ||||||||||||||||||
| Other subscription services | 27,878 | 21,056 | 6,822 | 32 | % | ||||||||||||||||||
| Total subscription | 1,010,198 | 793,919 | 216,279 | 27 | % | ||||||||||||||||||
| Services and other | 61,218 | 67,692 | (6,474) | (10) | % | ||||||||||||||||||
| Total revenue | $ | 1,071,416 | $ | 861,611 | $ | 209,805 | 24 | % | |||||||||||||||
Subscription Revenue. Subscription revenue increased by $216.3 million, or 27%, for the year ended January 31, 2026 compared to the year ended January 31, 2025 primarily due to an increase in SaaS revenue and term subscription revenue from our focus on selling subscriptions to new customers and expanding our footprint with existing customers.
Services and Other Revenue. Services and other revenue decreased by $6.5 million, or 10%, for the year ended January 31, 2026 compared to the year ended January 31, 2025. This decrease is primarily a result of a shift toward selling a higher proportion of professional services and training on a subscription basis.
63
Table of Contents
Cost of Revenue
| Year Ended January 31, | |||||||||||||||||||||||
| 2026 | 2025 | variance $ | variance % | ||||||||||||||||||||
| (In thousands, except percentages) | |||||||||||||||||||||||
| Cost of revenue | |||||||||||||||||||||||
| Subscription | $ | 302,367 | $ | 236,581 | $ | 65,786 | 28 | % | |||||||||||||||
| Services and other | 78,258 | 69,152 | 9,106 | 13 | % | ||||||||||||||||||
| Total cost of revenue | $ | 380,625 | $ | 305,733 | $ | 74,892 | 24 | % | |||||||||||||||
Cost of Subscription Revenue. Cost of subscription revenue increased $65.8 million, or 28%, for the year ended January 31, 2026 compared to the year ended January 31, 2025 primarily due to an increase in employee-related costs of $25.5 million due to higher headcount and increased investments in personnel, an increase in software and hosting costs of $19.7 million from the increase in sales of SaaS subscriptions, an increase of $12.6 million related to acceleration of equity-based awards from the completion of our IPO and the issuance of new equity-based awards, an increase in amortization of intangibles of $3.1 million from the Savvy and Imprivata acquisitions, an increase in third-party royalties of $1.5 million from growth in our business, an increase in partner costs of $1.4 million from growth in our business, and an increase in amortization of capitalized software of $1.4 million due to overall increase in capitalizable projects when compared to the prior period.
Cost of Services and Other. Cost of services and other increased by $9.1 million, or 13%, for the year ended January 31, 2026 compared to the year ended January 31, 2025, primarily due to employee-related costs of $7.0 million from the acceleration of equity-based awards from the completion of our IPO and the issuance of new equity-based awards and an increase in partner costs of $2.1 million.
Gross Profit and Gross Margin
| Year Ended January 31, | |||||||||||||||||||||||
| 2026 | 2025 | variance $ | variance % | ||||||||||||||||||||
| (In thousands, except percentages) | |||||||||||||||||||||||
| Gross profit | |||||||||||||||||||||||
| Subscription | $ | 707,831 | $ | 557,338 | $ | 150,493 | 27 | % | |||||||||||||||
| Services and other | (17,040) | (1,460) | (15,580) | ** | |||||||||||||||||||
| Total gross profit | $ | 690,791 | $ | 555,878 | $ | 134,913 | 24 | % | |||||||||||||||
Year Ended January 31, | |||||||||||||||||||||||
| 2026 | 2025 | ||||||||||||||||||||||
| Gross profit margin | |||||||||||||||||||||||
| Subscription | 70 | % | 70 | % | |||||||||||||||||||
| Services and other | (28) | % | (2) | % | |||||||||||||||||||
| Total gross profit margin | 64 | % | 65 | % | |||||||||||||||||||
Subscription. Subscription gross profit increased by $150.5 million, or 27%, during the year ended January 31, 2026 compared to the year ended January 31, 2025. The increase was primarily due to the growth in subscription revenue. Subscription gross profit margin remained consistent with the prior period.
Services and Other. Services and other gross profit decreased by $15.6 million during the year ended January 31, 2026 compared to the year ended January 31, 2025. The decrease in gross profit is primarily due to an increase in employee-related costs and the acceleration of equity-based awards from the completion of our IPO and the issuance of new equity-based awards and lower revenue from professional services and training as a result of the shift toward selling these services on a subscription basis. Services and other gross profit margin was (28)% for the year ended January 31, 2026 and (2)% for the year ended January 31, 2025. The change was primarily due to employee-related costs related to acceleration of equity-based awards from the completion of our IPO and the issuance of new awards and the decrease in services and other revenue.
64
Table of Contents
Total gross profit increased by $134.9 million, or 24%, during the year ended January 31, 2026 compared to the year ended January 31, 2025. The increase is primarily due to the growth in total revenue. Total gross profit margin remained materially consistent with the prior period.
Operating Expenses
Year Ended January 31, | |||||||||||||||||||||||
| 2026 | 2025 | variance $ | variance % | ||||||||||||||||||||
| (In thousands, except percentages) | |||||||||||||||||||||||
| Operating expenses | |||||||||||||||||||||||
| Research and development | $ | 222,961 | $ | 169,730 | $ | 53,231 | 31 | % | |||||||||||||||
| Sales and marketing | 574,846 | 466,903 | 107,943 | 23 | % | ||||||||||||||||||
| General and administrative | 200,470 | 107,979 | 92,491 | 86 | % | ||||||||||||||||||
| Total operating expenses | $ | 998,277 | $ | 744,612 | $ | 253,665 | 34 | % | |||||||||||||||
Research and Development Expenses. Research and development expenses increased by $53.2 million, or 31%, for the year ended January 31, 2026 compared to the year ended January 31, 2025. This increase was primarily driven by a $29.9 million increase in equity-based compensation due to the acceleration of awards from the completion of our IPO and the issuance of new equity-based awards, a $14.6 million increase in employee-based costs due to continued investment in talent related to the development of our products and a $6.5 million increase in software and hosting costs from initiatives to continue to grow our business.
Sales and Marketing Expenses. Sales and marketing expenses increased by $107.9 million, or 23%, for the year ended January 31, 2026 compared to the year ended January 31, 2025. This increase was primarily driven by a $65.1 million increase in equity-based compensation due to the acceleration of awards from the completion of our IPO and the issuance of new equity-based awards, a $58.4 million increase in employee-based costs to support increased penetration into our existing customer base and expansion into new industry verticals and geographic markets, a $7.8 million increase in advertising and promotion costs from Navigate and other initiatives aimed at expanding the business, a $2.8 million increase in travel expenses from an increased headcount, a $1.9 million increase in software and hosting costs from initiatives to continue to grow our business, a $1.6 million increase for the fair value remeasurement of the contingent consideration related to the Imprivata acquisition, and a $1.2 million increase in professional services fees from consulting fees. This increase was partially offset by a $31.3 million decrease in intangible amortization attributable to certain intangible assets reaching full amortization.
General and Administrative Expenses. General and administrative expenses increased by $92.5 million, or 86%, for the year ended January 31, 2026 compared to the year ended January 31, 2025. This increase was primarily driven by a $93.8 million increase in equity-based compensation due to the acceleration of awards from the completion of our IPO and the issuance of new equity-based awards, a $6.0 million increase in employee-related costs due to higher headcount and increased investments in existing employees, a $3.3 million increase in provision for credit losses due to higher write offs based on higher accounts receivable balances throughout the year, a $2.1 million increase in software and hosting costs from initiatives to continue to grow our business, and a $1.0 million increase in travel expenses primarily related to the IPO. This increase was partially offset by a $14.9 million decrease in professional service fees primarily attributed to the termination of the advisory services agreement with Thoma Bravo upon the closing of our IPO.
65
Table of Contents
Other Income (Expense), Net
Year Ended January 31, | |||||||||||||||||||||||
| 2026 | 2025 | variance $ | variance % | ||||||||||||||||||||
| (In thousands, except percentages) | |||||||||||||||||||||||
| Other income (expense), net | |||||||||||||||||||||||
| Interest income | $ | 10,790 | $ | 4,158 | $ | 6,632 | 159 | % | |||||||||||||||
| Interest expense | (24,635) | (186,652) | 162,017 | (87) | % | ||||||||||||||||||
| Other income (expense), net | (4,668) | (5,401) | 733 | (14) | % | ||||||||||||||||||
| Total other income (expense), net | $ | (18,513) | $ | (187,895) | $ | 169,382 | (90) | % | |||||||||||||||
Total other income (expense) decreased by $169.4 million, or 90%, for the year ended January 31, 2026 compared to the year ended January 31, 2025. This decrease was primarily due to a $162.0 million net decrease in interest expense due to the full repayment of our Term Loans and termination of our 2022 Revolving Credit Facility, which includes $16.7 million for the extinguishment of debt related to the remaining balance of the deferred financing costs of our Term Loans and debt issuance costs for our 2022 Revolving Credit Facility, a $6.6 million increase in interest income due to an increase in our cash and cash equivalents, and a $0.7 million decrease in other expense related to foreign currency exchange loss.
Income Tax Benefit
| Year Ended January 31, | |||||||||||||||||||||||
| 2026 | 2025 | variance $ | variance % | ||||||||||||||||||||
| (In thousands, except percentages) | |||||||||||||||||||||||
| Income tax benefit | $ | 55,945 | $ | 60,799 | $ | (4,854) | (8) | % | |||||||||||||||
The Company recorded an income tax benefit of $55.9 million for the year ended January 31, 2026 compared to an income tax benefit of $60.8 million for the year ended January 31, 2025, leading to a net benefit decrease of $4.9 million, or 8%, year-over-year. The decrease is primarily due to certain non-deductible equity-based compensation and non-deductible executive officer compensation that is partially offset by the decrease in valuation allowance. For further information, refer to Note 14 “Income Taxes” in our notes to our consolidated financial statements included in this Annual Report.
We operate in several tax jurisdictions and are subject to taxes in each country or jurisdiction in which we conduct business. Earnings from our non-U.S. activities are subject to local country income tax and may be subject to U.S. income tax if such earnings are distributed to the U.S.
We consider the earnings of certain foreign subsidiaries to be permanently reinvested in foreign jurisdictions.
Non-GAAP Financial Measures
In addition to our financial information presented in accordance with GAAP, we use certain “non-GAAP financial measures” to clarify and enhance our understanding of past performance.
Our non-GAAP financial measures may not provide information that is directly comparable to that provided by other companies in our industry because they may calculate non-GAAP financial results differently. In addition, there are limitations in using non-GAAP financial measures because they are not prepared in accordance with GAAP and exclude expenses that may have a material impact on our reported financial results. In particular, interest expense, which is excluded from adjusted income from operations, has been a significant recurring expense in our business. The presentation of non-GAAP financial information is not meant to be considered in isolation or as a substitute for the directly comparable financial measures prepared in accordance with GAAP. We urge you to review the reconciliations of our non-GAAP financial measures to the comparable GAAP financial measures included below and not to rely on any single financial measure to evaluate our business.
We believe excluding items that do not reflect our ongoing, core operating or business performance, such as equity-based compensation, payroll taxes related to awards that were accelerated upon the closing of our IPO, payroll taxes related to RSUs, amortization of acquired intangible assets, and acquisition-related expenses (including fair value adjustments to acquisition-contingent consideration), enables management and investors to compare our underlying business performance from period-to-period. Accordingly, we believe these adjustments facilitate a useful evaluation of our current operating
66
Table of Contents
performance and comparison to our past operating performance and provide investors with additional means to evaluate cost and expense trends. In addition, we also believe these adjustments enhance comparability of our financial performance against those of other technology companies.
Adjusted Gross Profit and Adjusted Gross Profit Margin
We define adjusted gross profit and adjusted gross profit margin as excluding equity-based compensation expense, payroll taxes related to awards that were accelerated upon the closing of our IPO and payroll taxes related to RSUs, all of which were issued after the closing of the IPO, amortization of acquired intangible assets, acquisition related expenses and restructuring expenses.
The following table reflects the reconciliation of adjusted gross profit to gross profit and adjusted gross profit margin to gross profit margin:
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| (In thousands, except percentages) | |||||||||||||||||
| GAAP gross profit | $ | 690,791 | $ | 555,878 | $ | 422,937 | |||||||||||
| GAAP gross profit margin | 64 | % | 65 | % | 60 | % | |||||||||||
| Equity-based compensation expense | 35,227 | 13,771 | 12,447 | ||||||||||||||
Payroll taxes for IPO-accelerated awards and RSUs | 1,192 | — | — | ||||||||||||||
| Amortization of acquired intangible assets | 106,478 | 103,483 | 102,967 | ||||||||||||||
Acquisition-related expenses | — | — | 58 | ||||||||||||||
| Restructuring | — | — | 94 | ||||||||||||||
| Adjusted gross profit | $ | 833,688 | $ | 673,132 | $ | 538,503 | |||||||||||
| Adjusted gross profit margin | 78 | % | 78 | % | 77 | % | |||||||||||
Our adjusted gross profit margin (adjusted gross profit as a percentage of revenue) has remained generally consistent in recent periods and reflects the high value-added nature of our offerings.
Adjusted Subscription Gross Profit and Adjusted Subscription Gross Profit Margin
We define adjusted subscription gross profit and adjusted subscription gross profit margin as excluding equity-based compensation expense, payroll taxes related to awards that were accelerated upon the closing of our IPO and payroll taxes related to RSUs, all of which were issued after the closing of the IPO, amortization of acquired intangible assets, which includes impairment, acquisition related expenses and restructuring expenses.
The following table reflects the reconciliation of adjusted subscription gross profit to subscription gross profit and adjusted subscription gross profit margin to subscription gross profit margin:
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| (In thousands, except percentages) | |||||||||||||||||
| GAAP subscription gross profit | $ | 707,831 | $ | 557,338 | $ | 417,777 | |||||||||||
| GAAP subscription gross profit margin | 70 | % | 70 | % | 67 | % | |||||||||||
| Equity-based compensation expense | 19,754 | 7,119 | 6,675 | ||||||||||||||
| Payroll taxes for IPO-accelerated awards and RSUs | 683 | — | — | ||||||||||||||
| Amortization of acquired intangible assets | 106,476 | 103,329 | 100,820 | ||||||||||||||
Acquisition-related expenses | — | — | 58 | ||||||||||||||
| Restructuring | — | — | 85 | ||||||||||||||
| Adjusted subscription gross profit | $ | 834,744 | $ | 667,786 | $ | 525,415 | |||||||||||
| Adjusted subscription gross profit margin | 83 | % | 84 | % | 84 | % | |||||||||||
Our adjusted subscription gross profit margin (adjusted subscription gross profit as a percentage of subscription revenue) has remained generally consistent in recent periods and reflects the high value-added nature of our offerings.
67
Table of Contents
Adjusted Income from Operations and Adjusted Operating Margin
We define adjusted income from operations as income (loss) from operations excluding equity-based compensation expense, payroll taxes related to awards that were accelerated upon the closing of our IPO and payroll taxes related to RSUs, all of which were issued after the closing of the IPO, amortization of acquired intangible assets which includes impairment charges, benefit from amortization related to acquired contract acquisition costs, acquisition-related expenses (including fair value adjustments to acquisition-contingent consideration), Thoma Bravo monitoring fees (which were annual service-fees for consultation and advice related to corporate strategy, budgeting of future corporate investments, acquisition and divestiture strategies, and debt and equity financings as described in Note 10 “Related Party Transactions” in the notes to our consolidated financial statements), and restructuring expenses. The Thoma Bravo monitoring fees were incurred pursuant to a services agreement, and we do not expect to receive similar services in the future or enter into a similar arrangement again in the future.
The following table reflects the reconciliation of adjusted income (loss) from operations to operating income (loss):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| (In thousands, except percentages) | |||||||||||||||||
| GAAP income (loss) from operations | $ | (307,486) | $ | (188,734) | $ | (332,729) | |||||||||||
| GAAP income (loss) from operations margin | (29) | % | (22) | % | (48) | % | |||||||||||
| Equity-based compensation expense | 309,800 | 99,569 | 134,819 | ||||||||||||||
| Payroll taxes for IPO-accelerated awards and RSUs | 8,157 | — | — | ||||||||||||||
| Amortization of acquired intangible assets | 202,068 | 230,308 | 257,029 | ||||||||||||||
Amortization of acquired contract acquisition costs (1) | (20,476) | (25,682) | (28,461) | ||||||||||||||
| Acquisition-related expenses and Thoma Bravo monitoring fees | 2,192 | 17,283 | 20,051 | ||||||||||||||
| Restructuring | — | — | 3,541 | ||||||||||||||
Adjusted income from operations | $ | 194,255 | $ | 132,744 | $ | 54,250 | |||||||||||
| Adjusted operating margin | 18 | % | 15 | % | 8 | % | |||||||||||
(1) In accordance with U.S. GAAP reporting requirements, the Company has written off its contract acquisition costs at the time of its acquisition by Thoma Bravo in August 2022. Therefore, U.S. GAAP commissions expense related to contract acquisition costs after its acquisition by Thoma Bravo will not reflect the commissions expense that would have been reported if the contract acquisition costs were not written off. Accordingly, the Company believes that presenting the approximate amount of acquisition-related commission expenses (so that the full amount of commission expense is included) provides a more appropriate representation of commission expense in a given period and, therefore, provides readers of the Company’s financial statements with a more consistent basis for comparison across accounting periods.
Our adjusted income from operations and adjusted operating margin increased for the year ended January 31, 2026 compared to the year ended January 31, 2025, primarily due to the growth in our overall business and increased operating leverage.
Free Cash Flow
We define free cash flow as net cash provided by (used in) operating activities, less cash used for purchases of property and equipment, and capitalized software development costs. We use free cash flow as a measure of financial progress in our business, as it balances operating results, cash management, and capital efficiency. We believe information regarding free cash flow provides investors and others with an important perspective on the cash available to make strategic acquisitions and investments, to fund ongoing operations, and to fund other capital expenditures. Free cash flow can be volatile and is sensitive to many factors, including changes in working capital and timing of capital expenditures. Working capital at any specific point in time is subject to many variables including the discretionary timing of expense payments and fluctuations in foreign exchange rates.
68
Table of Contents
The following table summarizes our free cash flow for the periods presented:
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| (in thousands) | |||||||||||||||||
GAAP net cash provided by (used in) operating activities | $ | 70,580 | $ | (106,391) | $ | (250,354) | |||||||||||
Less: Purchase of property and equipment | (5,980) | (5,362) | (2,577) | ||||||||||||||
Less: Capitalized software development costs | (12,850) | (8,219) | — | ||||||||||||||
Free cash flow | $ | 51,750 | $ | (119,972) | $ | (252,931) | |||||||||||
Our free cash flow for the year ended January 31, 2026 increased when compared to the year ended January 31, 2025, primarily due to higher revenue growth and a decrease in interest expense from the repayment of our Term Loans. Free cash flow for the year ended January 31, 2026 includes $78.5 million of cash paid to settle equity related awards, cash awards and their associated payroll taxes upon the closing of our IPO, $36.7 million in cash paid for interest expense related to our 2022 Credit Agreement and $9.3 million of cash paid for fees under our advisory services agreement with Thoma Bravo, which was terminated upon the closing of our IPO.
Liquidity, Capital Resources and Cash Requirements
We believe we have sufficient sources of funding to meet our business requirements for the next 12 months and in the longer term. Our primary sources of liquidity are cash flows from operations and proceeds from the IPO, which are supplemented by our undrawn 2025 Revolving Credit Facility. As of January 31, 2026, we had cash and cash equivalents totaling $358.1 million. Our primary uses of liquidity are operating expenses, working capital requirements, capital expenditures and acquisitions.
On February 14, 2025, the Company received net proceeds of approximately $1,248.2 million, net of the underwriting discounts, commissions and offering costs, upon the closing of its IPO. On February 19, 2025, we repaid $690.0 million of the Term Loans from the proceeds of the IPO. On March 3, 2025, we repaid the remaining balance of $350.0 million of the Term Loans.
Although cash flows from operations had been historically negative, for the year ended January 31, 2026, we had positive cash flows from operations. We expect to continue to incur positive cash flows from operations in the foreseeable future.
Our future capital requirements will depend on many factors, including but not limited to our revenue growth rate, timing of cash receipt and payments, and the timing and extent of spending to support strategic initiatives. We may also enter into arrangements to acquire or invest in complementary businesses, services, and technologies.
To the extent existing cash and cash equivalents are not sufficient to fund future activities, we may borrow under our 2025 Revolving Credit Facility or seek to raise additional funds through equity, equity-linked or debt financings. We may enter into agreements or letters of intent with respect to potential investments in, or acquisitions of, complementary businesses, services or technologies, which could also require us to seek additional equity financing, incur indebtedness or use cash resources. In the event that additional financing is required from outside sources, we may not be able to raise it on terms acceptable to us or at all. If we are unable to raise additional capital when desired, or if we cannot expand our operations or otherwise capitalize on our business opportunities because we lack sufficient capital, our business, operating results and financial condition would be adversely affected.
2025 Credit Agreement
On June 25, 2025, we entered into the 2025 Credit Agreement, which provides for a five-year $250.0 million secured revolving credit facility, including a letter of credit sub-facility of up to $10.0 million. The 2025 Revolving Credit Facility matures on June 25, 2030. Borrowings under the 2025 Revolving Credit Facility may be used to provide ongoing working capital as well as for other general corporate purposes of the Company. The Company had no outstanding 2025 Revolving Credit Facility balance and was in compliance with all applicable covenants as of January 31, 2026. See Note 9 “Credit
69
Table of Contents
Agreement and Debt” in the notes to our consolidated financial statements included in this Annual Report for more information regarding the terms and conditions of the 2025 Credit Agreement.
2022 Credit Agreement
On August 16, 2022, we entered into the 2022 Credit Agreement. The 2022 Credit Agreement provides for (i) a six-year $125.0 million senior secured Revolving Credit Facility, including a letter of credit subfacility of up to $5.0 million and (ii) the Term Loans. After the closing of the IPO, we fully repaid our Term Loans and recorded an extinguishment of debt related to the remaining balance of the associated deferred financing costs of $15.3 million. On June 25, 2025, the 2022 Credit Agreement was terminated upon the closing of the 2025 Credit Agreement. The remaining unamortized deferred financing costs for the 2022 Revolving Credit Facility of $1.4 million was recorded as a loss from extinguishment of debt for the year ended January 31, 2026. The extinguishment of debt associated with the Term Loans and with the 2022 Revolving Credit Facility is recorded within interest expense on the consolidated statements of operations.
Summary of Cash Flows
As of January 31, 2026, we had $358.1 million of cash and cash equivalents (of which $25.4 million was held in our foreign subsidiaries), $250.0 million of availability under the 2025 Credit Agreement, and $723.4 million in net working capital, which we define as current assets less current liabilities, excluding deferred revenue. As of January 31, 2025, we had $121.3 million of cash and cash equivalents (of which $11.6 million was held in our foreign subsidiaries), $125.0 million of availability under the 2022 Credit Agreement, and $350.7 million in net working capital. The increase in cash and cash equivalents and net working capital is due primarily to the proceeds received upon the closing of our IPO and increase in cash provided by operations.
The following table summarizes our cash flows for the periods presented:
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| (in thousands) | |||||||||||||||||
| Net cash provided by (used in) operating activities | $ | 70,580 | $ | (106,391) | $ | (250,354) | |||||||||||
| Net cash used in investing activities | (35,556) | (28,944) | (12,664) | ||||||||||||||
| Net cash provided by financing activities | 201,972 | 41,257 | 50,432 | ||||||||||||||
| Net change in cash, cash equivalents and restricted cash | $ | 236,996 | $ | (94,078) | $ | (212,586) | |||||||||||
Cash Flows from Operating Activities
During the year ended January 31, 2026, cash provided by operating activities was $70.6 million, which consisted of a net loss of $270.1 million, adjusted by non-cash charges of $456.6 million and a net cash outflow of $115.9 million from changes in our net operating assets and liabilities. The non-cash charges are primarily comprised of equity-based compensation of $254.9 million, depreciation and amortization expense of $210.8 million, amortization of contract acquisition costs of $39.2 million, amortization of debt discount and issuance costs, including the early write-off of issuance costs related to the repayment of the Term Loans and termination of the 2022 Revolving Credit Facility of $17.4 million, provision for credit losses of $5.4 million and fair value adjustments to contingent consideration of $1.6 million, partially offset by deferred taxes of $72.7 million. The net cash outflow from changes in operating assets and liabilities was primarily a result of an increase in accounts receivable of $86.1 million due to the timing of receipts of payments from customers, an increase in deferred contract acquisition costs of $77.6 million due to an increase in our sales, a decrease in accrued expenses and other liabilities of $33.6 million due to the timing of cash disbursements primarily related to bonuses and commissions, the settlement of vested EARs and cash settled awards, and interest payments and fees paid to Thoma Bravo, an increase in contract assets of $19.7 million primarily due to growth in our revenue and the timing of invoices and payments, and an increase in prepayments and other current assets of $8.0 million due to our marketing efforts and initiatives to grow our business. The outflows were partially offset by an increase in deferred revenue of $105.4 million due to the increase in billings.
During the year ended January 31, 2025, cash used in operating activities was $106.4 million, which consisted of a net loss of $315.8 million, adjusted by non-cash charges of $237.9 million and a net cash outflow of $28.4 million from changes in our net operating assets and liabilities. The non-cash charges are primarily comprised of depreciation and amortization expense of $237.2 million, equity-based compensation of $31.7 million, amortization of contract acquisition costs of $24.9 million, amortization of debt discount and issuance costs of $12.7 million and provision for credit losses of $2.5 million, partially offset by deferred taxes of $71.2 million. The net cash outflow from changes in operating assets and liabilities was primarily a result of an increase in deferred contract acquisition costs of $71.7 million due to an increase in our sales, an increase in accounts receivable of $41.7 million due to the timing of receipts of payments from customers, an increase in contract assets of $11.7
70
Table of Contents
million primarily due to growth in our revenue and the timing of invoices and payments, an increase in prepayments and other current assets of $13.7 million primarily due to our marketing efforts, an increase of $6.0 million of other non-current assets due to the implementation of cloud computing arrangements and a decrease in accounts payable of $5.3 million primarily due to the timing of vendor invoices and payments. The outflows were offset by an increase in deferred revenue of $72.9 million due to an increase in billings for subscriptions and an increase in accrued expenses and other liabilities of $36.6 million due to the timing of cash disbursements primarily related to interest payments, commissions and fees due to Thoma Bravo.
Cash Flows used in Investing Activities
During the year ended January 31, 2026, cash used in investing activities was $35.6 million, consisting primarily of $16.7 million for asset acquisitions, $12.9 million for capitalized software development costs and $6.0 million in purchases of property and equipment.
During the year ended January 31, 2025, cash used in investing activities was $28.9 million, consisting primarily of $15.4 million in net cash paid for business acquisitions, $8.2 million for capitalized software development costs, and $5.4 million in purchases of property and equipment.
Cash Flows from Financing Activities
During the year ended January 31, 2026, cash provided by financing activities was $202.0 million primarily due to the proceeds from our IPO, net of underwriting discounts and commissions of $1,259.7 million, partially offset by the repayment of our Term Loans of $1,040.0 million, payments of deferred offering costs of $8.6 million, payments of holdback and contingent consideration of $6.4 million and payments of debt issuance costs related to our 2025 Credit Agreement of $2.7 million.
During the year ended January 31, 2025, cash used in financing activities was $41.3 million, primarily due to the issuance of Class A Units and Class B Units of $600.0 million to Thoma Bravo, offset by the repayment of our Term Loans of $550.0 million, payments of deferred offering costs of $2.9 million and the repurchase of Class A Units and Class B Units of $6.2 million.
Material Cash Commitments
As of January 31, 2026, the Company had in aggregate $196.3 million in contractual purchase commitments associated with agreements that are enforceable and legally binding, of which $113.4 million are due within the next 12 months. Included in the aggregate contractual purchase commitments as of January 31, 2026 is the remaining commitment with a cloud storage provider that has a term of July 2023 through June 2028. Under the terms of the contract, the Company committed to spend $54.0 million, $59.0 million, $62.0 million, $65.0 million, and $67.5 million in contract years one, two, three, four, and five, respectively, for a total of $307.5 million. If the Company does not meet the minimum purchase obligation during any of those years, it will be required to pay the difference. The Company met the minimum spend requirements for years one, two and three. As of January 31, 2026, the Company has made payments of $177.0 million under the agreement. On February 1, 2026, a new amendment to the agreement was entered into with the cloud storage provider, which terminated the previous arrangement. The new arrangement has a term of February 1, 2026 through January 31, 2031. Under the terms of the new arrangement, the Company committed to spend $107.0 million, $127.0 million, $147.0 million, $162.0 million and $178.0 million in contract years one, two, three, four and five, respectively, for a total of $721.0 million. If the Company does not meet the minimum purchase obligation during any of those years, it will be required to pay the difference.
As of January 31, 2026, we had in aggregate $18.1 million in future minimum lease payments for operating lease obligations, of which $6.7 million are due within the next 12 months.
We have restricted cash of $3.2 million as of January 31, 2026 primarily related to an unconditional standby letter of credit for our corporate headquarters.
We did not have any material off-balance sheet arrangements during the periods presented or as of January 31, 2026.
Critical Accounting Policies and Estimates
Our consolidated financial statements are prepared in accordance with GAAP. The preparation of these financial statements requires our management to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenue, costs and expenses and related disclosures. Our estimates are based on our historical experience and on various other factors that we believe are reasonable under the circumstances, the results of which form the basis for making judgments about the carrying value of assets and liabilities that are not readily apparent from other sources. Actual results may differ from these judgments and estimates under different assumptions or conditions and any such differences may be material. We evaluate our
71
Table of Contents
assumptions, judgments, and estimates on a regular basis. To the extent that there are differences between our estimates and actual results, our future financial statement presentation, financial condition, results of operations and cash flows will be affected.
Our critical accounting policies are those that materially affect our consolidated financial statements and involve difficult, subjective, or complex judgments by management. The critical accounting estimates, assumptions, and judgments that we believe to have the most significant impact on our consolidated financial statements are described below. This discussion is provided to supplement the descriptions of our accounting policies contained in Note 1 “Description of Business and Summary of Significant Accounting Policies” in the notes to our consolidated financial statements.
Revenue Recognition
Revenue consists of fees for SaaS subscriptions and term licenses for our software products, post-contract customer support, and other subscription services and professional services including training and other revenue. Subscription, including support for term licenses, is recognized ratably over the term of the applicable agreement. Revenue related to term and perpetual license performance obligations is generally recognized upfront at the point in time when the customer has taken control of the software license. Revenue related to professional services is recognized as the services are rendered. The majority of our contracts with customers include various combinations of licenses, subscriptions, and professional services. Therefore, significant judgment is required to determine whether products and services are considered distinct performance obligations that should be accounted for separately or as a combined performance obligation.
We allocate the transaction price to each performance obligation in the contract on a relative standalone selling price (“SSP”) basis. Judgment is required to determine the SSP for each distinct performance obligation. We typically determine SSP based on observable prices for performance obligations when sold separately. When standalone sales and pricing information are not available, we estimate SSP based on pricing objectives, market conditions, and other factors, including customer size and geography, and product and service specific factors. We review the estimated SSP for our performance obligations periodically and update the estimates, if needed, to ensure that the methodology utilized reflects updated inputs such as observable prices and assumptions.
Business Combinations
We account for business combinations in accordance with the acquisition method of accounting. We allocate the fair value of purchase consideration to the tangible assets acquired, liabilities assumed, and intangible assets acquired based on their estimated acquisition-date fair values. The excess of the fair value of purchase consideration over the fair values of these identifiable assets and liabilities is recorded as goodwill.
Determining the fair value of the identifiable intangible assets requires management to make significant estimates and assumptions. We generally valued the identified intangible assets using an income or cost approach. Significant estimates in valuing certain intangible assets may include, but are not limited to, estimating future cash flows from the intangible assets and discount rates.
In addition, estimating the useful life of an intangible asset requires judgment. We determine useful life after analyzing all pertinent factors which include the period over which an intangible asset will contribute directly or indirectly to our cash flows and the expected use of the asset.
Recoverability of Goodwill and Long-Lived Assets
Goodwill is tested for impairment annually, or more often if and when events or circumstances indicate that an impairment may exist. We perform the annual impairment test in the fourth quarter of each fiscal year. The process of evaluating the potential impairment is highly subjective and requires the application of significant judgment. We first assess whether there are qualitative factors which would indicate that it is more likely than not that the fair value of a reporting unit is less than its carrying value. We consider events and circumstances such as, but not limited to, macroeconomic conditions, industry and market conditions, our overall financial performance, and other relevant entity-specific events.
If the qualitative assessment indicates that the fair value of the reporting unit is less than its carrying amount, a quantitative assessment is performed. We would estimate the fair value of the reporting unit and compare this amount to the carrying value of the reporting unit. If the carrying value of the reporting unit exceeds its fair value, an impairment charge is recorded. There were no impairments of goodwill recognized during the fiscal years ended January 31, 2026, 2025, and 2024.
72
Table of Contents
We evaluate long-lived assets, including finite-lived intangible assets, property and equipment, and other assets, for impairment whenever events or changes in circumstances indicate that the carrying amount of the assets or asset group may not be recoverable. Events or changes in circumstances that could result in an impairment review include, but are not limited to, significant underperformance relative to historical or projected future operating results, significant changes in the manner of use of the acquired assets or the strategy for our overall business, and significant negative industry or economic trends.
Determining whether a long-lived asset is impaired and the extent of an impairment requires various estimates and assumptions, including whether a triggering event occurred, the identification of asset groups, estimates of future cash flows, and the discount rate used to determine fair values. Recoverability of these assets or asset groups is measured by comparison of the carrying amount of each asset, or related asset group, to the future undiscounted cash flows the asset or asset group is expected to generate. If the undiscounted cash flows are less than the carrying amount, an impairment charge is recorded to reduce the carrying amount of the asset group to its fair value. If an event occurs that would cause us to revise our estimates and assumptions used in analyzing the fair value of our property and equipment or our finite-lived intangibles and other assets, that revision could result in a non-cash impairment charge that could have a material impact on our financial results.
Contract Acquisition Costs
Sales commissions paid to our sales force and the related employee costs, collectively “contract acquisition costs,” are considered incremental and recoverable costs of obtaining a contract with a customer. We typically pay sales commissions for both initial and follow-on sales of term subscriptions and SaaS subscriptions. Sales commissions paid for follow-on sales are typically not commensurate with those paid for initial sales. We capitalize incremental costs of obtaining a contract with a customer and amortize the costs over the expected period of benefit provided of five years.
We use significant judgment in determining the period of benefit of five years by taking into consideration customer contracts, customer turnover rates, our technology’s useful life, and other factors. We periodically review the estimated period of benefit. If a change is required in the estimated period of benefit, it could materially affect the amortization amounts of contract acquisition costs included in sales and marketing expense in the consolidated statements of operations.
Equity-Based Compensation
Since the IPO, the Company predominantly grants service-based restricted stock units (“RSUs”) to employees, directors, and nonemployees. The Company recognizes equity-based compensation expense for its awards on a straight-line basis over the requisite service period of the individual grants, which is generally the vesting period, based on the estimated grant date fair values. The fair value of RSUs is estimated on the date of grant based on the fair value of the Company’s common stock. The Company recognizes the effect of forfeitures in equity-based compensation expense based on actual forfeitures when they occur.
Prior to the IPO, we granted our employees equity-based incentive awards. We measure equity-based compensation expense for all equity-based awards granted based on the estimated fair value of those awards on the date of grant. The fair value of the incentive units at each grant date is determined using an option pricing method, as discussed further below. We recognize the impact of forfeitures in equity-based compensation expense when they occur.
Incentive Unit Valuations
Upon the completion of our IPO, we ceased issuing incentive equity units and all outstanding and unvested incentive equity units were converted to RSAs.
The fair value of our Class B Units underlying our equity-based awards was determined by our Board, with input from management and contemporaneous third-party valuations, as there was no public market for our Class B Units. We believe that our Board had the relevant experience and expertise to determine the fair value of our Class B Units. Given the absence of a public trading market of our Class B Units, and in accordance with the American Institute of Certified Public Accounting and Valuation Guide, Valuation of Privately-Held Company Equity Securities Issued as Compensation, our Board exercised reasonable judgment and considered numerous objective and subjective factors to determine the best estimate of the fair value of our Class B Units at each incentive unit grant date, including:
•contemporaneous independent third-party valuations of our units;
•our actual operating and financial performance;
73
Table of Contents
•current business conditions and projections;
•our stage of development and revenue growth;
•likelihood of achieving a liquidity event, such as an initial public offering, direct listing, a take-private transaction, or an acquisition given prevailing market conditions;
•the rights, preferences, and privileges of our units;
•the lack of marketability of our units;
•the market performance of comparable publicly traded companies; and
•the U.S. and global capital market conditions.
In valuing our Class B Units, the Board determined the value using both the income and the market approach valuation methods. The income approach estimates value based on the expectation of future cash flows that a company will generate. These future cash flows are discounted to their present values using a discount rate based on our weighted average cost of capital (“WACC”) or based on the venture capital rates of return from various published studies, adjusted to reflect the risks inherent in our cash flows. To derive our WACC, a cost of equity was developed using the Capital Asset Pricing Model (CAPM) and comparable company betas, and a cost of debt was determined based on our estimated cost of borrowing. The costs of debt and equity were then weighted based on our actual capital structure or were derived from a study of venture capital required rates of return. The market approach estimates value based on a comparison of our company to comparable publicly traded companies in a similar line of business and to acquisitions in the market. From the comparable companies, a representative market multiple is determined and subsequently applied to our historical and forecasted financial results to estimate our enterprise value. From the acquisitions analysis, a representative market multiple is determined and subsequently applied to our historical financial results to estimate our enterprise value.
Prior to January 2024, once we determined an equity value, we used the option-pricing method (“OPM”) to allocate value to each equity class, including incentive units. The OPM allows for the allocation of a company’s equity value among the various equity capital owners. The OPM uses unitholders’ liquidation preferences, participation rights, and dividend policy to determine how proceeds from a liquidity event shall be distributed among the various ownership classes at a future date.
Beginning in January 2024, we used a hybrid of the probability-weighted expected return method (“PWERM”) and OPM. The PWERM estimates the probability weighted value across multiple scenarios but uses OPM to estimate the allocation of value within one or more of those scenarios. Determining the fair value of the enterprise using the PWERM requires us to develop assumptions and estimates for both the probability of an initial public offering liquidity event and stay private outcomes, as well as the values we expect those outcomes could yield.
Where relevant, we also considered an appropriate discount adjustment to recognize the lack of marketability and liquidity due to the fact that unitholders of private companies do not have access to trading markets similar to stockholders of public companies. The discount for marketability was determined using various quantitative methods and assessed for reasonableness using relevant qualitative information. Application of these approaches involves the use of estimates, judgments, and assumptions that are highly complex and subjective, such as those regarding our expected future revenue, expenses, and future cash flows, discount rates, discount for lack of marketability, market multiples, the selection of comparable companies, and the probability of possible future events. Changes in any or all of these estimates and assumptions or the relationships between those assumptions impact our valuations as of each valuation date and may have a material impact on the valuation of our incentive units.
Recent Accounting Pronouncements
For a description of our recently adopted accounting pronouncements and recently issued accounting standards not yet adopted, see Note 1 “Description of Business and Summary of Significant Accounting Policies” in the notes to our consolidated financial statements.
Item 7A. Quantitative and Qualitative Disclosures About Market Risk
We are exposed to market risk in the ordinary course of our business. Market risk represents the risk of loss that may impact our financial position due to adverse changes in financial market prices and rates. Our market risk exposure is primarily a result of fluctuations in interest rates and foreign currency exchange rates. We do not hold or issue financial instruments for trading purposes.
74
Table of Contents
Interest Rate Risk
We had cash and cash equivalents and restricted cash of $361.4 million as of January 31, 2026, which are held in cash deposits and money market funds. The carrying amount of our cash equivalents reasonably approximates fair value due to the short maturities of these instruments. Our cash and cash equivalents consist primarily of bank demand deposits and money market funds. Our investments are made for capital preservation purposes, and we do not enter into investments for trading or speculative purposes.
We do not have material exposure to market risk with respect to our cash and cash equivalents, as these consist primarily of highly liquid investments purchased with original maturities of three months or less as of January 31, 2026. As of January 31, 2026, we do not believe a hypothetical 10% change in interest rates would have a material impact on the value of our cash equivalents.
As of January 31, 2026, the Company had no interest rate risk.
Foreign Currency Exchange Risk
As a global company, we face exposure to adverse movements in foreign currency exchange rates. We primarily conduct business in the United States and EMEA. Our exposure is the result of operating in foreign countries, including growing our international headcount, which results in incurring expenses in local currencies while most of our sales are generated in U.S. dollars.
Fluctuations in foreign currency exchange rates may cause us to recognize transaction gains and losses in our consolidated statements of operations. As the impact of foreign currency exchange rates has not been material to our historical operating results, to date we have not entered into derivative or hedging transactions; we may do so in the future if our exposure to foreign currency becomes more significant. As our international operations grow, we will continue to reassess our approach to managing our risk relating to fluctuations in foreign exchange rates.
As of January 31, 2026, our cash and cash equivalents included $25.4 million held in currencies other than the U.S. dollar. Decreases in the value of the U.S. dollar relative to other currencies may negatively affect our operating results as expressed in U.S. dollars. These amounts are included in other income (expense), net on our consolidated statements of operations.
We manage our foreign subsidiaries as integral direct components of our operations and determined that the U.S. dollar is our functional currency. We do not believe that a hypothetical 10% change in the value of the U.S. dollar relative to other currencies would have a material effect on our results of operations or cash flows, and to date, we have not engaged in any hedging strategies with respect to foreign currency transactions. As our international operations grow, we will continue to reassess our approach to managing our risk relating to fluctuations in currency rates.
75
Table of Contents
INDEX TO CONSOLIDATED FINANCIAL STATEMENTS
Page | |||||
Reports of Independent Registered Public Accounting Firm (PCAOB ID: | 77 | ||||
Consolidated Balance Sheets | 80 | ||||
Consolidated Statements of Operations | 81 | ||||
Consolidated Statements of Redeemable Convertible Units, Partners' Deficit and Stockholders' Equity | 82 | ||||
Consolidated Statements of Cash Flows | 83 | ||||
Notes to Consolidated Financial Statements | 85 | ||||
76
Table of Contents
REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
To the Shareholders and the Board of Directors of SailPoint, Inc.
Opinion on the Financial Statements
We have audited the accompanying consolidated balance sheets of SailPoint, Inc. and subsidiaries (the Company) as of January 31, 2026 and 2025, the related consolidated statements of operations, redeemable convertible units, partners’ deficit and stockholders’ equity and cash flows for each of the three years in the period ended January 31, 2026, and the related notes (collectively referred to as the “consolidated financial statements”). In our opinion, the consolidated financial statements present fairly, in all material respects, the financial position of the Company at January 31, 2026 and 2025, and the results of its operations and its cash flows for each of the three years in the period ended January 31, 2026, in conformity with U.S. generally accepted accounting principles.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the Company's internal control over financial reporting as of January 31, 2026, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework) and our report dated March 19, 2026 expressed an unqualified opinion thereon.
Basis for Opinion
These financial statements are the responsibility of the Company's management. Our responsibility is to express an opinion on the Company’s financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that our audits provide a reasonable basis for our opinion.
Critical Audit Matter
The critical audit matter communicated below is a matter arising from the current period audit of the financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved our especially challenging, subjective or complex judgments. The communication of the critical audit matter does not alter in any way our opinion on the consolidated financial statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on the accounts or disclosures to which it relates.
77
Table of Contents
Revenue Recognition
| Description of the Matter | As described in Note 1 of the consolidated financial statements, the Company recognizes revenue in order to depict the transfer of control of promised goods or services to customers in an amount that reflects the consideration the company expects to be entitled to in exchange for those goods or services. The Company enters into contracts with customers that include various combinations of licenses, subscriptions, and professional services. Judgment exists in determining the timing and amount of revenue recognition for these customer contracts, which include multiple performance obligations, including the estimation of standalone selling price for each distinct performance obligation, particularly for those goods and services that are not sold separately. Given these factors, auditing management’s recognition of revenue requires judgment because of the significant management estimates required in allocating standalone selling prices. | ||||
| How We Addressed the Matter in Our Audit | We obtained an understanding, evaluated the design and tested the operating effectiveness of controls over the Company’s process to identify performance obligations and allocate the transaction price to those performance obligations, including controls over determining standalone selling prices and management’s application of the revenue recognition accounting requirements. Our audit procedures included, among others, assessing the appropriateness of the methodology applied including the judgements and assumptions used to determine standalone selling price per service offering, testing the mathematical accuracy of the underlying data and calculations, and testing transactions to corroborate the data underlying the Company’s calculations. We also assessed the appropriateness of the related disclosures in the consolidated financial statements. | ||||
/s/ Ernst & Young LLP
We have served as the Company’s auditor since 2024.
March 19, 2026
78
Table of Contents
REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
To the Shareholders and the Board of Directors of SailPoint, Inc.
Opinion on Internal Control Over Financial Reporting
We have audited SailPoint, Inc. and subsidiaries’ internal control over financial reporting as of January 31, 2026, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework) (the COSO criteria). In our opinion, SailPoint, Inc. and subsidiaries (the Company) maintained, in all material respects, effective internal control over financial reporting as of January 31, 2026, based on the COSO criteria.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the consolidated balance sheets of the Company as of January 31, 2026 and 2025, the related consolidated statements of operations, redeemable convertible units, partners’ deficit and stockholders’ equity and cash flows for each of the three years in the period ended January 31, 2026, and the related notes and our report dated March 19, 2026 expressed an unqualified opinion thereon.
Basis for Opinion
The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting included in the accompanying Management’s Report on Internal Control over Financial Reporting. Our responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects.
Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.
Definition and Limitations of Internal Control Over Financial Reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
/s/ Ernst & Young LLP
March 19, 2026
79
Table of Contents
SAILPOINT, INC.
CONSOLIDATED BALANCE SHEETS
CONSOLIDATED BALANCE SHEETS
(In thousands, except share, per share and unit amounts)
| January 31, 2026 | January 31, 2025 | ||||||||||
| Assets | |||||||||||
| Current assets | |||||||||||
| Cash and cash equivalents | $ | $ | |||||||||
| Accounts receivable, net of allowance | |||||||||||
| Contract acquisition costs | |||||||||||
| Contract assets, net of allowance | |||||||||||
| Prepayments and other current assets | |||||||||||
| Total current assets | |||||||||||
| Property and equipment, net | |||||||||||
| Contract acquisition costs, non-current | |||||||||||
| Contract assets, non-current, net of allowance | |||||||||||
| Other non-current assets | |||||||||||
| Goodwill | |||||||||||
| Intangible assets, net | |||||||||||
| Total assets | $ | $ | |||||||||
Liabilities, redeemable convertible units, and stockholders' equity / partners' deficit | |||||||||||
| Current liabilities | |||||||||||
| Accounts payable | $ | $ | |||||||||
| Accrued expenses and other liabilities | |||||||||||
| Deferred revenue | |||||||||||
| Total current liabilities | |||||||||||
| Deferred tax liabilities, non-current | |||||||||||
| Other long-term liabilities | |||||||||||
| Deferred revenue, non-current | |||||||||||
| Long-term debt, net | |||||||||||
| Total liabilities | |||||||||||
Commitments and contingencies (Note 8) | |||||||||||
Redeemable convertible units, no par value, unlimited units authorized, | |||||||||||
Stockholders' equity / partners' deficit | |||||||||||
Preferred stock, par value of $ | |||||||||||
Common stock, par value of $ | |||||||||||
| Additional paid in capital | |||||||||||
| Accumulated deficit | ( | ( | |||||||||
Total stockholders' equity / partners' deficit | ( | ||||||||||
Total liabilities, redeemable convertible units, and stockholders' equity / partners' deficit | $ | $ | |||||||||
See accompanying notes to consolidated financial statements.
80
Table of Contents
SAILPOINT, INC.
CONSOLIDATED STATEMENTS OF OPERATIONS
(In thousands, except per share and per unit amounts)
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Revenue | |||||||||||||||||
| Subscription | $ | $ | $ | ||||||||||||||
| Services and other | |||||||||||||||||
| Total revenue | |||||||||||||||||
| Cost of revenue | |||||||||||||||||
| Subscription | |||||||||||||||||
| Services and other | |||||||||||||||||
| Total cost of revenue | |||||||||||||||||
| Gross profit | |||||||||||||||||
| Operating expenses | |||||||||||||||||
| Research and development | |||||||||||||||||
| Sales and marketing | |||||||||||||||||
| General and administrative | |||||||||||||||||
| Total operating expenses | |||||||||||||||||
| Loss from operations | ( | ( | ( | ||||||||||||||
| Other income (expense), net | |||||||||||||||||
| Interest income | |||||||||||||||||
| Interest expense | ( | ( | ( | ||||||||||||||
| Other income (expense), net | ( | ( | ( | ||||||||||||||
| Total other income (expense), net | ( | ( | ( | ||||||||||||||
| Loss before income taxes | ( | ( | ( | ||||||||||||||
| Income tax benefit | |||||||||||||||||
| Net loss | $ | ( | $ | ( | $ | ( | |||||||||||
| Class A yield | ( | ( | ( | ||||||||||||||
| Net loss attributable to common stockholders and Class B unitholders | ( | ( | ( | ||||||||||||||
| Net Loss per share attributable to common stockholders and Class B unitholders - basic and diluted | $ | ( | $ | ( | $ | ( | |||||||||||
Weighted average common shares and Class B Units outstanding, basic and diluted (1) | |||||||||||||||||
________________
(1) Amounts for the period during February 2025 prior to the Corporate Conversion have been retrospectively adjusted to give effect to the Corporate Conversion described in Note 1. These amounts do not consider the shares of common stock sold in the Company's IPO or the Class A Units considered preferred shares that were converted into common stock due to the Corporate Conversion. The Company did not retrospectively adjust for the effect of the Corporate Conversion for periods prior to fiscal year 2026.
See accompanying notes to consolidated financial statements.
81
Table of Contents
SAILPOINT, INC.
CONSOLIDATED STATEMENTS OF REDEEMABLE CONVERTIBLE UNITS, PARTNERS' DEFICIT AND STOCKHOLDERS' EQUITY
(In thousands)
| Redeemable Convertible Units | Common Stock | Additional paid in capital | Accumulated Deficit | Total Partners' Deficit / Stockholders' Equity | |||||||||||||||||||||||||||||||||||||
| Units | Amount | Shares | Amount | ||||||||||||||||||||||||||||||||||||||
| Balance at January 31, 2023 | $ | $ | $ | ( | $ | ( | |||||||||||||||||||||||||||||||||||
| Issuance of Class A Units | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||
| Issuance of Class B Units | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||
| Repurchase of Class A Units | ( | ( | — | — | ( | — | ( | ||||||||||||||||||||||||||||||||||
| Repurchase of Class B Units | ( | ( | — | — | — | — | — | ||||||||||||||||||||||||||||||||||
| Equity-based compensation expense | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||
| Vesting of incentive units into Class B Units | — | — | — | — | — | — | |||||||||||||||||||||||||||||||||||
| Net loss | — | — | — | — | — | ( | ( | ||||||||||||||||||||||||||||||||||
| Balance at January 31, 2024 | ( | ( | |||||||||||||||||||||||||||||||||||||||
| Issuance of Class A Units | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||
| Issuance of Class B Units | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||
| Repurchase of Class A Units | ( | ( | — | — | ( | — | ( | ||||||||||||||||||||||||||||||||||
| Repurchase of Class B Units | ( | ( | — | — | ( | — | ( | ||||||||||||||||||||||||||||||||||
| Equity-based compensation expense | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||
| Vesting of incentive units into Class B Units | — | — | — | — | — | — | |||||||||||||||||||||||||||||||||||
| Adjustment to reflect redemption value of redeemable convertible Class A Units | — | — | — | — | ( | ( | |||||||||||||||||||||||||||||||||||
| Adjustment to reflect redemption value of redeemable convertible Class B Units | — | — | — | ( | ( | ( | |||||||||||||||||||||||||||||||||||
| Adjustment to reflect redemption value of unvested incentive units | — | — | — | — | ( | ( | |||||||||||||||||||||||||||||||||||
| Net loss | — | — | — | — | — | ( | ( | ||||||||||||||||||||||||||||||||||
| Balance at January 31, 2025 | $ | $ | $ | ( | $ | ( | |||||||||||||||||||||||||||||||||||
| Vesting of incentive units into Class B Units | — | — | — | — | — | — | |||||||||||||||||||||||||||||||||||
| Adjustment to reflect redemption value of redeemable convertible Class A Units | — | — | — | — | ( | ( | |||||||||||||||||||||||||||||||||||
| Adjustment to reflect redemption value of redeemable convertible Class B Units | — | — | — | — | ( | ( | |||||||||||||||||||||||||||||||||||
| Equity-based compensation expense prior to Corporate Conversion | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||
| Net loss prior to Corporate Conversion | — | — | — | — | — | ( | ( | ||||||||||||||||||||||||||||||||||
| Effect of Corporate Conversion | ( | ( | |||||||||||||||||||||||||||||||||||||||
| Issuance of common stock in connection with IPO, net of underwriters’ discounts and commissions and offering costs and tax effects | — | — | — | ||||||||||||||||||||||||||||||||||||||
| Equity-based compensation expense after Corporate Conversion | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||
| Issuance of common stock upon vesting of restricted stock units and restricted stock | — | — | — | — | — | — | |||||||||||||||||||||||||||||||||||
| Net loss after Corporate Conversion | — | — | — | — | — | ( | ( | ||||||||||||||||||||||||||||||||||
| Balance at January 31, 2026 | $ | $ | $ | $ | ( | $ | |||||||||||||||||||||||||||||||||||
See accompanying notes to consolidated financial statements.
82
Table of Contents
SAILPOINT, INC
CONSOLIDATED STATEMENTS OF CASH FLOWS
(In thousands)
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Cash flows from operating activities | |||||||||||||||||
| Net loss | $ | ( | $ | ( | $ | ( | |||||||||||
| Adjustments to reconcile net loss to net cash used in operating activities: | |||||||||||||||||
| Depreciation and amortization expense | |||||||||||||||||
Amortization and write-off of debt issuance costs | |||||||||||||||||
| Amortization of contract acquisition costs | |||||||||||||||||
Loss (gain) on disposal of property and equipment | |||||||||||||||||
Adjustments to contingent consideration | |||||||||||||||||
| Provision for credit losses | |||||||||||||||||
Equity-based compensation expense, net of amounts capitalized | |||||||||||||||||
| Deferred taxes | ( | ( | ( | ||||||||||||||
Net changes in operating assets and liabilities, net of acquisitions | |||||||||||||||||
| Accounts receivable | ( | ( | ( | ||||||||||||||
| Contract acquisition costs | ( | ( | ( | ||||||||||||||
| Contract assets | ( | ( | ( | ||||||||||||||
| Prepayments and other current assets | ( | ( | ( | ||||||||||||||
| Other non-current assets | ( | ||||||||||||||||
| Operating leases, net | |||||||||||||||||
| Accounts payable | ( | ||||||||||||||||
| Accrued expenses and other liabilities | ( | ||||||||||||||||
| Deferred revenue | |||||||||||||||||
Net cash provided by (used in) operating activities | ( | ( | |||||||||||||||
| Cash flows from investing activities | |||||||||||||||||
| Purchase of property and equipment | ( | ( | ( | ||||||||||||||
| Proceeds from sale of property and equipment | |||||||||||||||||
| Capitalized software development costs | ( | ( | |||||||||||||||
Payments for asset acquisition | ( | ||||||||||||||||
Purchase of intangible assets | ( | ||||||||||||||||
| Business acquisitions, net of cash acquired | ( | ( | |||||||||||||||
| Net cash used in investing activities | ( | ( | ( | ||||||||||||||
| Cash flows from financing activities | |||||||||||||||||
| Proceeds from issuance of units | |||||||||||||||||
Proceeds from IPO, net of underwriting discounts and commissions | |||||||||||||||||
| Proceeds from revolving line of credit | |||||||||||||||||
| Repayments to revolving line of credit | ( | ||||||||||||||||
Repayment of Term Loans | ( | ( | |||||||||||||||
| Payment of debt issuance costs | ( | ||||||||||||||||
Payments of deferred offering costs, net | ( | ( | |||||||||||||||
Payments related to holdback and contingent consideration | ( | ||||||||||||||||
| Repurchase of units | ( | ( | |||||||||||||||
Net cash provided by financing activities | |||||||||||||||||
| Net change in cash, cash equivalents and restricted cash | ( | ( | |||||||||||||||
| Cash, cash equivalents and restricted cash, beginning of period | |||||||||||||||||
| Cash, cash equivalents and restricted cash, end of period | $ | $ | $ | ||||||||||||||
83
Table of Contents
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Supplemental cash flow information: | |||||||||||||||||
Cash paid for interest | $ | $ | $ | ||||||||||||||
Cash paid during the period for income taxes, net of refunds: | |||||||||||||||||
U.S. Federal | $ | $ | — | $ | — | ||||||||||||
U.S. State and local | — | — | |||||||||||||||
Foreign | — | — | |||||||||||||||
Total cash paid during the period for income taxes | $ | $ | — | $ | — | ||||||||||||
Cash paid during the period for income taxes(prior to ASU 2023-09) | $ | — | $ | $ | |||||||||||||
Individual jurisdictions equaling 5% or more of the total income taxes paid (net of refunds) for the year ended January 31, 2026 include Australia at $ | |||||||||||||||||
| Cash paid for amounts included in the measurement of lease liabilities: | |||||||||||||||||
| Operating cash flows from operating leases | $ | $ | $ | ||||||||||||||
| Supplemental disclosure of noncash investing and financing activities: | |||||||||||||||||
Effect of Corporate Conversion | $ | $ | $ | ||||||||||||||
Adjustment to reflect the redemption value of the redeemable convertible units | $ | $ | $ | ||||||||||||||
Capitalized equity-based compensation included in property and equipment, net | $ | $ | $ | ||||||||||||||
Contingent and holdback consideration included in accrued expenses and other liabilities | $ | $ | $ | ||||||||||||||
Deferred offering costs included in accounts payable and accrued expenses and other liabilities | $ | $ | $ | ||||||||||||||
Operating lease right of use assets obtained in exchange for lease liabilities | $ | $ | $ | ||||||||||||||
Reconciliation of cash, cash equivalents and restricted cash from the consolidated balance sheets to the consolidated statements of cash flows: | |||||||||||||||||
| Cash and cash equivalents | $ | $ | $ | ||||||||||||||
| Restricted cash within prepayments and other current assets | |||||||||||||||||
Total cash, cash equivalents, and restricted cash in the consolidated statements of cash flows | $ | $ | $ | ||||||||||||||
See accompanying notes to consolidated financial statements.
84
Table of Contents
SAILPOINT, INC
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
1. Description of Business and Summary of Significant Accounting Policies
Organization
On February 12, 2025, in connection with our initial public offering ("IPO"), SailPoint Parent, LP converted into a Delaware corporation pursuant to a statutory conversion and changed its name to SailPoint, Inc. (the "Corporate Conversion"). The purpose of the Corporate Conversion was to reorganize the Company's corporate structure so that the entity offering its securities to the public in the IPO would be a corporation rather than a limited partnership. References in this Annual Report on Form 10-K to “SailPoint,” the “Company,” “we,” “us” and “our” (i) for periods prior to the Corporate Conversion, refer to SailPoint Parent, LP and, where appropriate, its consolidated subsidiaries and (ii) for periods after the Corporate Conversion, refer to SailPoint, Inc. and, where appropriate, its consolidated subsidiaries.
In conjunction with the Corporate Conversion, all of the Company's outstanding partnership units were converted into an aggregate of 499,060,464 shares of our common stock. The number of shares of common stock issuable to holders of Class A Units of SailPoint Parent, LP ("Class A Units") and holders of Class B Units of SailPoint Parent, LP ("Class B Units") in connection with the Corporate Conversion were determined pursuant to the applicable provisions of the plan of conversion. The Company continues to be controlled by Thoma Bravo UGP, LLC (together with its affiliated entities, "Thoma Bravo") following the Corporate Conversion. After giving effect to the Corporate Conversion and the closing of the Company's IPO, Thoma Bravo controlled approximately 86.2 % of the voting power of the Company.
As a result of the Corporate Conversion, SailPoint, Inc. succeeded to all of the property and assets of SailPoint Parent, LP and succeeded to all of the debts, obligations and liabilities of SailPoint Parent, LP. SailPoint, Inc. is governed by a certificate of incorporation filed with the Delaware Secretary of State. The consolidated financial statements and footnotes give effect to the Corporate Conversion on a prospective basis as of the conversion date.
The Company conducts business as SailPoint and delivers solutions to enable comprehensive identity security for the enterprise.
Unit Split
On January 31, 2025, the Company effected a 60.91 -for-1 forward unit split and a 0.45 -for-1 reverse unit split of the Company’s Class A Units and Class B Units, respectively. All Class A Unit and Class B Unit and per unit information included in the accompanying consolidated financial statements and footnotes have been retroactively adjusted to reflect this unit split for all periods presented. Additionally, all incentive unit and per unit information in the consolidated financial statements and footnotes was adjusted to reflect the 0.45 -for-1 reverse unit split of the Company’s Class B Units.
Completion of Initial Public Offering
On February 14, 2025, the Company closed its IPO of 60.0 million shares of its common stock, of which 57.5 million shares were sold by the Company and 2.5 million shares were sold by certain selling stockholders, at an initial offering price to the public of $23.00 per share for an aggregate offering price of $1.4 billion. The Company received net proceeds of approximately $1.2 billion, net of approximately $62.8 million of underwriting discounts and commissions and approximately $11.5 million of offering costs, net. The Company also realized a tax benefit of $3.2 million and recorded it as part of additional paid-in capital in the consolidated balance sheets as of January 31, 2026.
Basis of Presentation
The accompanying consolidated financial statements, which include the accounts of the Company and its wholly owned subsidiaries, have been prepared in conformity with accounting principles generally accepted in the United States of America (“GAAP”) and applicable rules and regulations of the Securities and Exchange Commission (“SEC”). The consolidated financial statements include the accounts of SailPoint, Inc and its subsidiaries. All intercompany accounts and transactions have been eliminated in consolidation. For the year ended January 31, 2026, the Company has begun presenting "perpetual license revenue" and "cost of perpetual license revenue" as part of "revenue - services and other" and "cost of revenue - services and other", respectively, as the amounts were not material and has recast prior year amounts accordingly.
The Company has not entered into transactions that require presentation as other comprehensive income (loss). Total
comprehensive income (loss) is equal to net income (loss) for all periods presented.
85
Table of Contents
Segments
The Company reports segment information based on the management approach, which designates the internal reporting used by the Chief Operating Decision Maker (CODM) for making decisions and assessing performance as the source of our reportable segments. The measure used by our CODM for evaluating the Company's overall performance and inform resource allocation to support strategic priorities that is most consistent with GAAP is net loss. Significant expense categories regularly provided to the CODM are those disclosed in the consolidated financial statements and related notes.
Use of Estimates
The preparation of consolidated financial statements in conformity with GAAP requires management to make estimates and assumptions about future events that affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities at the date of the financial statements and the reported amounts of revenue and expenses during the reporting period. Future events and their effects cannot be determined with certainty. On an ongoing basis, management evaluates these estimates judgments and assumptions.
The Company bases its estimates on historical and anticipated results and trends and on various other assumptions that the Company believes are reasonable under the circumstances, including assumptions as to future events. In particular, the Company makes estimates with respect to the fair value allocation of multiple performance obligations in revenue recognition, the expected period of benefit of contract acquisition costs, the assumptions underlying the fair value used for equity-based compensation expense for awards prior to the Company's IPO, and estimated useful lives and impairment of intangible assets and goodwill arising from business combinations and the assumptions underlying the fair value used for the redemption value of the redeemable convertible units issued prior to the Company's IPO. Appropriate adjustments, if any, to the estimates used are made prospectively based upon such periodic evaluation. Actual results could differ from those estimates.
Cash, Cash Equivalents and Restricted Cash
The Company considers all highly liquid investments with an original maturity of three months or less from date of purchase to be cash equivalents. The Company is required to maintain cash collateral for an unconditional standby letter of credit in the amount of $2.7 million related to the Company’s corporate headquarters lease, and this amount predominantly represents the Company's total restricted cash.
Fair Value of Financial Instruments
Assets and liabilities recorded at fair value in the financial statements are categorized based upon the level of judgment associated with the inputs used to measure their fair value. Hierarchical levels which are directly related to the amount of subjectivity associated with the inputs to the valuation of these assets or liabilities are as follows:
•Level 1: Observable inputs that reflect quoted prices (unadjusted) for identical assets or liabilities in active markets.
•Level 2: Observable inputs, other than Level 1 prices, such as quoted prices for similar assets or liabilities, quoted prices in markets that are not active or other inputs that are observable or can be corroborated by observable market data for substantially the full term of the assets or liabilities.
•Level 3: Unobservable inputs reflecting the Company’s own assumptions incorporated in valuation techniques used to determine fair value. These assumptions are required to be consistent with market participant assumptions that are reasonably available.
Concentration of Credit and Other Risks
Financial instruments that potentially subject the Company to concentrations of credit risk consist of cash and cash equivalents, accounts receivable, and contract assets. The Company maintains its cash in bank deposit accounts that exceeded federally insured limits as of January 31, 2026 and 2025. There was no concentration of credit risk for customers as of January 31, 2026 and 2025 as no individual entity represented more than 10% of accounts receivable and contract assets. No customer accounted for more than 10% of revenue during the year ended January 31, 2026, 2025 and 2024. The Company does not experience concentration of credit risk in foreign countries as no foreign country represents more than 10% of the Company’s consolidated revenues or net assets.
86
Table of Contents
The Company’s revenue by geographic region based on the customer’s location is presented in Note 15 “Segments and Geographic Information.”
Accounts Receivable and Allowance for Expected Credit Losses
The Company continuously assesses the collectability of outstanding customer balances and in doing so, the Company assesses the need to maintain an allowance for expected credit losses resulting from the non-collection of customer balances. The allowance for expected credit losses is a valuation account that is deducted from the financial asset’s amortized cost basis to present the net amount expected to be collected on contracts with customers. Accounts receivable and contract assets are written off when management believes the amount is not collectible. Recoveries of financial assets previously written off are recorded directly to earnings when received.
Property and Equipment
Property and equipment is stated at cost less accumulated depreciation. Depreciation is recorded using the straight-line method over the estimated useful lives of the respective assets, generally three years to five years . Leasehold improvements are depreciated over the shorter of the estimated useful life of the asset or the related lease term. Repairs and maintenance costs are expensed as incurred. Assets to be disposed of are reported at the lower of carrying value or net realizable value.
Goodwill
Goodwill represents acquisition costs in excess of the fair value of the identified net assets acquired. The Company has one reporting unit for goodwill impairment purposes. Goodwill is tested for impairment annually, or more often if and when events or circumstances indicate that an impairment may exist. The Company performs the annual impairment test in the fourth quarter of each fiscal year.
The Company first performs a qualitative assessment to determine whether it is more likely than not that the fair value of a reporting unit is less than its carrying value. If the assessment indicates that the fair value of the reporting unit is less than its carrying amount, a quantitative assessment is performed. The Company estimates the fair value of the reporting unit and compares this amount to the carrying value of the reporting unit. If the carrying value of the reporting unit exceeds its fair value, an impairment charge is recorded.
Intangible Assets
Long-Lived Assets
Periodically, the Company evaluates the recoverability of its long-lived assets, including property and equipment and intangible assets, for possible impairment whenever events or circumstances indicate that the carrying amount of such assets or asset groups may not be recoverable. Recoverability of these assets or asset groups is measured by comparison of the carrying amount of each asset, or related asset group, to the future undiscounted cash flows the asset or asset group is expected to generate. If the undiscounted cash flows are less than the carrying amount, an impairment charge is recorded to reduce the carrying amount of the asset group to its fair value.
Business Combinations
The Company allocates the fair value of purchase consideration to the tangible assets acquired, liabilities assumed, and intangible assets acquired based on their estimated acquisition-date fair values. The excess of the fair value of purchase
87
Table of Contents
consideration over the fair values of these identifiable assets and liabilities is recorded as goodwill. Such valuations require management to make significant estimates and assumptions, especially with respect to intangible assets. Significant estimates in valuing certain intangible assets may include, but are not limited to, future expected cash flows from acquired users, acquired technology, and trade names from a market participant perspective, useful lives, and discount rates. Management’s estimates of fair value are based upon assumptions believed to be reasonable, but which are inherently uncertain and unpredictable and, as a result, actual results may differ from estimates. During the measurement period, which is one year from the acquisition date, the Company may record adjustments to the assets acquired and liabilities assumed, with the corresponding offset to goodwill. Upon the conclusion of the measurement period, any subsequent adjustments are recorded to earnings.
Software Development Costs
Software development costs for products intended to be sold, leased or otherwise marketed are expensed as incurred until technological feasibility has been established, at which time such costs are capitalized until the product is available for general release to customers. Technological feasibility is established when a product design and working model have been completed and the completeness of the working model and its consistency with the product design have been confirmed by testing. To date, the establishment of technological feasibility of the Company’s products and general release of such software have substantially coincided. As a result, the Company has not capitalized any software development costs through January 31, 2026 and all such costs have been recorded as research and development expenses as incurred in the consolidated statements of operations.
Internal Use Software Development Costs
Costs to develop software internally related to the Company's products are capitalized and recorded as a component of property and equipment, net. The Company capitalizes qualifying costs associated with internally-developed software incurred during the application development stage. Costs incurred during the preliminary project and post-implementation stages, including training and maintenance, are expensed as incurred. Capitalized costs are amortized on a project-by-project basis using the straight-line method over an estimated useful life of six years and is recorded as cost of subscription revenue in the consolidated statements of operations. The Company capitalized internal use software development costs of $15.1 million and $8.2 million for the year ended January 31, 2026 and 2025, respectively. Amortization expense was $1.7 million and $0.4 million for the years ended January 31, 2026 and 2025, respectively, and is included in cost of subscription revenue in the consolidated statements of operations. There was no amount recorded for amortization expense for the year ended January 31, 2024.
Capitalized Implementation Costs
Costs to implement cloud computing hosting arrangements are capitalized and amortized using the straight-line method over the expected term of the arrangement, including periods which are reasonably expected to be renewed. Costs include direct costs for third-party consulting services supporting the implementation. Software maintenance and training costs are expensed in the period in which the services are received. Capitalized costs, net of accumulated amortization, are included in prepayments and other non-current assets. The Company capitalized implementation costs of $1.3 million and $5.8 million for the year ended January 31, 2026 and 2025, respectively. Amortization expense was $1.7 million and $1.4 million for the year ended January 31, 2026 and 2025, respectively. Amortization expense for the year ended January 31, 2024 was not material.
Deferred Offering Costs
Revenue Recognition
The Company recognizes revenue in order to depict the transfer of promised goods or services to customers in an amount that reflects the consideration the Company expects to be entitled in exchange for those goods or services. To achieve this, the following steps are applied:
•Identify the contract with a customer
•Identify the performance obligations in the contract
•Determine the transaction price
•Allocate the transaction price to the performance obligations in the contract
88
Table of Contents
•Recognize revenue when or as performance obligations are satisfied
Revenue consists of fees for software-as-a-service (“SaaS”) subscriptions, perpetual and term licenses for the Company’s software products, post-contract customer support (referred to as maintenance and support) and other subscription services and professional services including training and other revenue. The Company recognizes revenue net of any applicable value added or sales tax.
Subscription Revenue
Subscription revenue consists of (i) fees for access to, and related support for, the SaaS offerings, (ii) fees for term subscriptions to the Company’s software solutions, (iii) fees for ongoing maintenance and support of perpetual licensed solutions and (iv) other subscription services, which includes cloud managed services, and certain professional services.
Term subscriptions include the term licenses and ongoing maintenance and support. Maintenance and support agreements consist of fees for providing software updates on a when and if available basis and for providing technical support for software products for a specified term.
Subscription revenue, including support for term licenses, is recognized straight-line over the term of the applicable agreement. Revenue related to term license performance obligations is generally recognized upfront at the point in time when the customer has taken control of the software license.
Subscription arrangements generally have a term of three years and are non-cancellable. The Company typically invoices the customer in advance and in annual installments.
Services and Other Revenue
Services and other revenue consist primarily of fees from professional services provided to customers and partners to configure and optimize the use of the Company’s solutions as well as non-subscription training services. The Company’s professional services are structured on a time-and-materials or fixed priced basis and the related revenue is recognized as the services are rendered. For time-and-material contracts, as the invoiced amount corresponds directly with the value to the customer, the Company applied the practical expedient to recognize revenue in the amount for which it has the right to invoice. For fixed price contracts, the Company uses a cost-based input method as the measure of progress toward satisfying the performance obligation.
Services and other revenue also consists of perpetual licenses that provide customers with the same functionality as term licenses but differs primarily in duration of the license. Revenues from license performance obligations are generally recognized upfront at the point in time when the customer has taken control of the software license. All license transactions include maintenance and support performance obligations, which are recognized as subscription revenue. For the year ended January 31, 2026, the Company has begun presenting perpetual license revenue as part of services and other revenue due to amounts no longer being significant and has recast prior year amounts accordingly.
Contracts with Multiple Performance Obligations
The majority of the Company’s contracts with its customers include various combinations of licenses, subscriptions and professional services. The Company accounts for individual performance obligations separately if they are distinct from other promises in the contract. If not considered distinct, the promised goods or services are combined with other goods or services and accounted for as a combined performance obligation. The transaction price is allocated to the separate performance obligations on a relative standalone selling price (“SSP”) basis.
Judgment is required to determine the SSP for each distinct performance obligation. The Company typically determines SSP based on observable prices for performance obligations when sold separately. When such observable prices are not available, the Company estimates SSP based on pricing objectives, market conditions and other factors, including customer size and geography, and product and service specific factors.
Contract Balances
The timing of revenue recognition may differ from the timing of invoicing to customers. The Company records a receivable when revenue is recognized prior to invoicing and payment will become due solely based on the passage of time. A contract asset results when revenue is recognized prior to invoicing and payment is contingent upon transfer of control of another separate performance obligation. Deferred revenue is recorded when payment is received prior to the recognition of revenue. Contract assets and deferred revenue that will be realized during the succeeding 12-month period is recorded as current, and the remaining balance of deferred revenue is recorded as non-current.
89
Table of Contents
Payment terms and conditions vary by contract type, although terms generally include a requirement of payment within 30 days from the date of invoice. In instances where the timing of revenue recognition differs from the timing of invoicing, the Company has determined its contracts generally do not include a significant financing component.
Contract Acquisition Costs
Sales commissions paid to the Company’s sales force and the related employer payroll taxes, collectively “contract acquisition costs,” are considered incremental and recoverable costs of obtaining a contract with a customer. The Company defers these costs and amortizes them over the expected period of benefit provided. The Company typically pays sales commissions for both initial and follow-on sales of term subscriptions and SaaS subscriptions. Commissions for subscriptions are amortized over the expected period of benefit which the Company has determined to be five years. Commissions for renewals of subscription offerings are amortized over each renewal’s expected period of benefit. The Company determines the period of benefit by taking into consideration customer contracts, customer turnover rates, the life of the Company’s technology and other factors.
The portion of contract acquisition costs that the Company anticipates will be recognized within twelve months is recorded as current contract acquisition costs and the remaining portion is recorded as non-current contract acquisition costs in the consolidated balance sheets. Amortization of contract acquisition costs is included in sales and marketing expenses in the accompanying consolidated statements of operations.
Cost of Revenue
Cost of Subscription Revenue. Cost of subscription revenue consists primarily of employee-based costs (which consists of salaries, benefits, bonuses, and equity-based compensation and allocated overhead) of the customer support organization, contractor costs to supplement staff levels, amortization expense for developed technology acquired, amortization expense for capitalized software development costs, third party royalties, facilities costs and third-party cloud-based hosting costs.
Cost of Services and Other Revenue. Cost of services and other revenue consists primarily of (1) employee-based costs of professional services and training organizations, travel-related costs, facilities costs and contractor costs to supplement staff levels; and (2) amortization expense for developed technology acquired, and third-party royalties related to perpetual licenses. For the year ended January 31, 2026, the Company has begun presenting cost of perpetual license revenue as part of cost of services and other revenue due to amounts no longer being significant and has recast prior year amounts accordingly.
Research and Development Expenses
Research and development expenses consist primarily of employee-based costs, software and hosting arrangement expenses, professional services expense, and amortization expense for acquired intangible assets.
Sales and Marketing Expenses
Sales and marketing expenses consist primarily of personnel costs (which includes commissions) and the related overhead costs to support the Company’s staff, costs for events and travel, costs of general marketing and promotional activities, payment processing fees, and allocated facilities and overhead costs.
General and Administrative Expenses
General and administrative expenses consist primarily of personnel costs and the related overhead costs to support the Company’s staff across the corporate functions of executive, finance, human resources, information technology, internal operations and legal, as well as third-party professional fees, bad debt expense, travel and facilities costs.
Advertising Expenses
Redeemable Convertible Units
The Class A and Class B Units are classified as mezzanine equity and outside of Partners’ deficit because they include a redemption provision upon a sale or reorganization, which are deemed liquidation events that are considered outside of the Company’s control. The Class A and Class B Units were recorded at the original issue price. The Company adjusted the carrying values of the Class A and Class B Units to the redemption value that represents the fair value associated with such
90
Table of Contents
deemed liquidation events as the closing of the IPO was considered probable as of January 31, 2025. See Note 12 for additional information.
Equity-Based Compensation
Post-IPO
Since the IPO, the Company predominantly grants service-based restricted stock units (“RSUs”) to employees, directors, and nonemployees. The Company recognizes equity-based compensation expense for its awards on a straight-line basis over the requisite service period of the individual grants, which is generally the vesting period, based on the estimated grant date fair values. The fair value of RSUs is estimated on the date of grant based on the fair value of the Company’s common stock. The Company recognizes the effect of forfeitures in equity-based compensation expense based on actual forfeitures when they occur.
Pre-IPO
During the years ended January 31, 2025 and 2024, service-based and performance based incentive units were granted to employees, directors, and non-employees. Equity-based compensation costs for granted units are recognized as expense on a straight-line basis over the requisite service period, which is generally the vesting period for awards with only a service condition. For units subject to performance conditions, the Company records expense based on the accelerated attribution method when the performance condition becomes probable. The Company recognizes the effect of forfeitures in equity-based compensation expense based on actual forfeitures when they occur.
The fair value of the units underlying the incentive awards had been determined by the Board of Managers (the “Board”), with input from management and contemporaneous third-party valuations, as there was no public market for the Company’s units. Given the absence of a public trading market, and in accordance with the American Institute of Certified Public Accountants Practice Aid, Valuation of Privately Held Company Equity Securities Issued as Compensation, the Board exercised reasonable judgment and considered numerous objective and subjective factors to determine the best estimate of the fair value of the units at each option grant date using an option pricing method. The Company makes assumptions to determine the fair value of the units, including the value of the Company, expected time to liquidity, and expected volatility.
The Company adjusted the carrying value of the vested and unvested incentive units to the redemption value as the closing of the IPO was considered probable as of January 31, 2025. The redemption value is equal to the fair value of the Class B Units for the proportion of service provided for the award as of January 31, 2025. Increases to the carrying value of the incentive units are charged to retained earnings, or in the absence of retained earnings, to additional paid in capital, or in the absence of additional paid in capital, to accumulated deficit.
Foreign Currency
Income Taxes
The Company accounts for income taxes under the asset and liability method. Under this method, deferred tax assets and liabilities are recognized for expected future tax consequences of temporary differences between the carrying amounts and the tax bases of assets and liabilities.
91
Table of Contents
Deferred income tax assets are reduced by a valuation allowance when, considering all sources of taxable income, in the opinion of management, it is more likely than not that some portion or all of the deferred income tax assets will not be realized. Accordingly, the need to establish such allowance is assessed periodically by considering matters such as future reversals of existing taxable temporary differences, projected future taxable income, tax planning strategies, and results of recent operations. The evaluation of recoverability of the deferred tax assets requires the Company to weigh all positive and negative evidence to reach a conclusion that it is more likely than not that all or some portion of the deferred tax assets will not be realized. The weight given to the evidence is commensurate with the extent to which it can be objectively verified. Deferred income tax assets and liabilities are adjusted for the effects of changes in tax laws and rates on the date of enactment.
The Company accounts for uncertainty of income taxes based on a “more-likely-than-not” threshold for the recognition and de-recognition of tax positions, which includes the accounting for interest and penalties relating to tax positions. The Company recognizes the tax benefit of an uncertain tax position only if it is more likely than not that the position is sustainable upon examination by the taxing authority, solely based on its technical merits. The tax benefit recognized is measured as the largest amount of benefit which is greater than 50 percent likely to be realized upon settlement with the taxing authority.
Leases
The Company accounts for a contract as a lease when it has the right to control the asset for a period of time while obtaining substantially all of the assets’ economic benefits. The Company’s non-cancelable operating lease agreements are primarily for facilities.
Right-of-use (“ROU”) assets and lease liabilities are recognized upon lease commencement at the present value of future lease payments. ROU assets represent the right to use an underlying asset for the lease term, and lease liabilities represent the obligation to make lease payments arising from the lease. ROU assets include adjustments related to lease incentives, and upfront lease payments. ROU assets are subject to evaluation for impairment or disposal on a basis consistent with other long-lived assets.
The implicit rates within the operating leases are generally not determinable and therefore the Company uses the incremental borrowing rate at the lease commencement date to determine the present value of lease payments. The lease term includes the non-cancelable period of the lease plus any additional periods covered by an option to extend that the Company is reasonably certain to exercise. Lease expense is recognized on a straight-line basis over the lease term. The Company does not recognize right-of-use assets and lease liabilities for leases with a term of twelve months or less.
Net Loss Per Share/Unit Attributable to Common Stockholders
Basic net loss per share attributable to common stockholders is computed by dividing the net loss attributable to common stockholders by the weighted-average number of common shares outstanding during the period, without the consideration of potential dilutive common shares.
For purposes of calculating net loss per share attributable to common stockholders for the year ended January 31, 2026 (during which a portion of the period preceded the IPO), the Company retrospectively applied the effects of the Corporate Conversion to the Class B Units. The Class B Units were included in the net loss per share calculations. For the periods that preceded the IPO and Corporate Conversion, the weighted-average number of common shares / units outstanding excludes the common stock sold in the IPO and the Class A Units outstanding. The Company calculated the net loss attributable to common stockholders by adjusting the net loss to include the yield earned by the Class A Units through the Corporate Conversion. The Company did not retrospectively adjust for the effect of the Corporate Conversion for periods prior to fiscal year 2026.
For the year ended January 31, 2025, the Class A yield included $644.2 million of yield earned during the period and a deemed dividend of $120.4 million. The deemed dividend primarily represents the difference between the proceeds received by the Company and the fair value of the units issued to Thoma Bravo in December 2024. Refer to Note 11 for further details regarding the Class A yield.
Dilutive net loss per share and per unit is computed by giving effect to all of the Company’s potential common shares outstanding to the extent the potential shares are dilutive. Basic and diluted net loss per share and per unit was the same, and the inclusion of all potential shares and per unit of the Company’s common stock would have been anti-dilutive. As of January 31, 2026, there was 12.1 million of unvested restricted stock units and restricted stock that could have potentially diluted basic EPS in the future that were not included in the computation of diluted EPS. Prior to the Company's IPO and as of January 31, 2025
92
Table of Contents
and 2024, there were 3.9 million and 5.7 million, respectively, of unvested incentive units that would have potentially diluted basic EPS in the future that were not included in the computation of diluted EPS.
Recently Adopted Accounting Pronouncements
Accounting Standards Update 2023-09
In December 2023, the FASB issued ASU 2023-09, Income Taxes (Topic 740): Improvements to Income Tax Disclosures, (“ASU 2023-09”), which requires public business entities on an annual basis to disclose specific categories in a tabular rate reconciliation and provide additional information for reconciling items that meet a five percent quantitative threshold. Additionally, the ASU requires all entities to disclose the amount of income taxes paid disaggregated by federal, state, and foreign taxes, as well as individual jurisdictions where income taxes paid are equal to or greater than five percent of total income taxes paid. The Company adopted this standard on a prospective basis and it did not have a material impact on its consolidated financial statements other than expanded income tax disclosures.
Accounting Standards Update 2023-07
In November 2023, the FASB issued ASU-2023-07, Improvements to Reportable Segment Disclosures, (“ASU 2023-07”), which requires public entities to disclose information about their reportable segments’ significant expenses on an interim and annual basis. Public entities with a single reportable segment are required to apply the disclosure requirements in ASU 2023-07, as well as all existing segment disclosures and reconciliation requirements in ASC 280 on an interim and annual basis. ASU 2023-07 is effective for fiscal years beginning after December 15, 2023, and for interim periods within fiscal years beginning after December 15, 2024 with early adoption permitted. Adoption of ASU 2023-07 should be applied retrospectively to all prior periods presented in the financial statements. The Company adopted this standard on a retrospective basis and did not have a material impact on its consolidated financial statements or disclosures. Refer to Note 15 for further details.
Recently Issued Accounting Standards Not Yet Adopted
Accounting Standards Update 2025-06
In September 2025, the FASB issued ASU-2025-06, Intangibles—Goodwill and Other—Internal-Use Software (Subtopic 350-40): Targeted Improvements to the Accounting for Internal-Use Software ("ASU 2025-06"), which amends the guidance in ASC 350-40, Intangibles—Goodwill and Other—Internal-Use Software. The amendments modernize the recognition and disclosure framework for internal-use software costs, removing the previous “development stage” model and introducing a more judgment-based approach. ASU 2025-06 is effective for fiscal years beginning after December 15, 2027, and for interim periods within those annual reporting periods, with early adoption permitted. The Company is currently evaluating the impact of the new standard on its consolidated financial statements and related disclosures.
Accounting Standards Update 2025-05
In July 2025, the FASB issued ASU-2025-05, Financial Instruments—Credit Losses (Topic 326): Measurement of Credit Losses for Accounts Receivable and Contract Assets (“ASU 2025-05”), which amends Topic 326 to provide a practical expedient and an accounting policy election related to the estimation of expected credit losses for current accounts receivable and current contract assets that arise from transactions accounted for under ASC 606. Specifically, in developing reasonable and supportable forecasts as part of estimating expected credit losses, all entities may elect a practical expedient that assumes that current conditions as of the balance sheet date do not change for the remaining life of the asset. ASU 2025-05 is effective for annual reporting periods beginning after December 15, 2025, and interim reporting periods within those annual reporting periods, with early adoption permitted. Entities should apply the new guidance prospectively. The Company is currently evaluating the impact and does not expect the adoption of this standard to have a material impact on its consolidated financial statements or disclosures.
Accounting Standards Update 2024-03
In November 2024, the FASB issued ASU 2024-03, Income Statement - Reporting Comprehensive Income - Expense Disaggregation Disclosure (Subtopic 220-40): Disaggregation of Income Statement Expenses (“ASU 2024-03”), which requires disaggregated disclosures, in the notes to the financial statements, of certain categories of expenses that are included in expense line items on the face of the income statement. ASU 2024-03 is effective for annual periods beginning after December 15, 2026, and for interim periods within fiscal years beginning after December 15, 2027. Early adoption is permitted. ASU 2024-03 should be applied on a prospective basis, with a retrospective application permitted in the financial statements. The Company is currently evaluating the impact of the new standard on its consolidated financial statements and related disclosures.
93
Table of Contents
2. Revenue Recognition
Disaggregation of Revenue
The following table presents the Company’s revenue disaggregated by subscription product categories (in thousands):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Subscription | |||||||||||||||||
| SaaS | $ | $ | $ | ||||||||||||||
| Maintenance | |||||||||||||||||
| Term subscriptions | |||||||||||||||||
| Other subscription services | |||||||||||||||||
| Total Subscription | |||||||||||||||||
| Services and other | |||||||||||||||||
| Total revenue | $ | $ | $ | ||||||||||||||
The following table summarizes the revenue the Company recognizes at a point in time and over time (in thousands):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Revenue recognized at a point in time | $ | $ | $ | ||||||||||||||
| Revenue recognized over time | |||||||||||||||||
| Total revenue | $ | $ | $ | ||||||||||||||
Contract Acquisition Costs
A summary of the activity impacting contract acquisition costs is presented below (in thousands):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Beginning Balance | $ | $ | $ | ||||||||||||||
| Additional contract acquisition costs | |||||||||||||||||
| Amortization of contract acquisition costs | ( | ( | ( | ||||||||||||||
| Ending Balance | $ | $ | $ | ||||||||||||||
There were no
Contract Balances
Contract liabilities consist of deferred revenue and include payments received in advance of revenue recognition under the Company’s contracts with customers. Revenue recognized during the reporting periods that was previously deferred was $413.7 million and $339.6 million, and $272.3 million, for the years ended January 31, 2026, 2025, and 2024, respectively.
Remaining Performance Obligations
The Company’s contracts with customers include amounts allocated to performance obligations that will be satisfied at a later date. These remaining performance obligations represent contract value that has not yet been recognized as revenue. Remaining performance obligations includes both invoices that have been issued to customers but have not been recognized as revenues and amounts that will be invoiced and recognized as revenue in future periods. As of January 31, 2026, remaining performance obligations were $1.8 billion, of which the Company expects to recognize $857.8 million as revenue over the next 12 months.
94
Table of Contents
3. Allowance for Expected Credit Losses
The following tables present the changes in the allowance for expected credit losses for accounts receivable measured at amortized cost (in thousands):
| January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Beginning Balance | $ | $ | $ | ||||||||||||||
Provision for credit losses, net of recoveries | |||||||||||||||||
| Write-offs | ( | ( | ( | ||||||||||||||
| Ending Balance | $ | $ | $ | ||||||||||||||
The following tables present the changes in the allowance for expected credit losses for contract assets measured at amortized cost (in thousands):
| January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Beginning Balance | $ | $ | $ | ||||||||||||||
| Provision for (reduction in) credit losses | ( | ||||||||||||||||
| Ending Balance | $ | $ | $ | ||||||||||||||
4. Fair Value Measurements
Assets and Liabilities Measured at Fair Value on a Recurring Basis
The following tables present information about the Company’s financial assets that are measured at fair value on a recurring basis (in thousands):
| January 31, 2026 | |||||||||||||||||||||||
| Level 1 | Level 2 | Level 3 | Total | ||||||||||||||||||||
| Assets: | |||||||||||||||||||||||
| Cash equivalents: | |||||||||||||||||||||||
| Money market funds | $ | $ | $ | $ | |||||||||||||||||||
| Total cash equivalents | $ | $ | $ | $ | |||||||||||||||||||
| January 31, 2025 | |||||||||||||||||||||||
| Level 1 | Level 2 | Level 3 | Total | ||||||||||||||||||||
| Assets: | |||||||||||||||||||||||
| Cash equivalents: | |||||||||||||||||||||||
| Money market funds | $ | $ | $ | $ | |||||||||||||||||||
| Total cash equivalents | $ | $ | $ | $ | |||||||||||||||||||
| Liabilities: | |||||||||||||||||||||||
| Contingent consideration | $ | $ | $ | $ | |||||||||||||||||||
| Total liabilities | $ | $ | $ | $ | |||||||||||||||||||
The Company’s carrying amounts of financial instruments, including cash, accounts receivable, accounts payable, and accrued expenses are considered Level 1 and approximate their fair values due to their short maturities as of January 31, 2026 and January 31, 2025 and are excluded from the fair value tables above. The carrying value of debt at January 31, 2025 is considered Level 1 and approximates fair value.
The Company measured the fair value of the contingent consideration associated with its Imprivata acquisition on a recurring basis using significant unobservable inputs, classified as Level 3. The Company recorded the contingent consideration at its fair value on the acquisition date. The Company determined the fair value of contingent consideration using a probability weighted discounted cash flow method. Each reporting period thereafter, the obligation is revalued and changes in its fair values are recorded within sales and marketing expenses within the consolidated statements of operations. Changes in the fair
95
Table of Contents
value of the contingent consideration can result from changes in assumed discount periods and rates and from changes pertaining to the estimated or actual achievement of the defined milestones. Significant judgment is employed in determining the appropriateness of these assumptions as of the acquisition date and for each subsequent period. Accordingly, future business and economic conditions, as well as changes in any of the assumptions described above, can materially impact the fair value and corresponding changes in fair value of the contingent consideration the Company records in any given period.
During the year ended January 31, 2026, the Company remeasured the fair value of the contingent consideration associated with the Imprivata acquisition of $5.7 million reported as of January 31, 2025. This remeasurement resulted in a $1.6 million increase to the obligation, with the additional expense recorded in sales and marketing expenses within the consolidated statements of operations for the year ended January 31, 2026. The fair value of the contingent consideration was determined using a 99 % probability of achievement with no additional discount rate due to the short-term expected timing of payment. The contingent consideration balance of $7.3 million was fully settled during August 2025.
The estimated fair value of the contingent consideration associated with the Imprivata acquisition was determined with the following key inputs:
| January 31, 2025 | |||||
Probability of achievement | % | ||||
Expected timing of payment | Fiscal 2026 | ||||
Discount rate | % | ||||
The estimated fair value of the contingent consideration of $0.2 million associated with the Savvy Security Ltd. acquisition was determined using a 100 % probability of achievement as of December 31, 2025 and as of the acquisition date. Prior to January 31, 2026, the contingency was satisfied and the liability was fully settled. See Note 5 for additional information on the Savvy acquisition.
5. Acquisitions
Asset Acquisitions
Security Savvy Ltd
On September 15, 2025, the Company acquired certain assets of Security Savvy Ltd, a third-party software as a service ("SaaS") security platform that helps organizations manage identity-related risks associated with their SaaS applications, for $18.4 million, which includes $0.5 million in direct transaction costs that were capitalized as a component of the consideration transferred. The transaction was accounted for as an asset acquisition and substantially all of the acquired assets consisted of developed technology. The purchase price includes a holdback amount of $1.8 million to be paid 12 months from the date of closing subject to the resolution of certain indemnities. The purchase price also includes a contingent consideration of $0.2 million, which the Company was required to pay if it were to obtain the assignment of a specific customer contract by December 31, 2025. See Note 4 for additional information on the fair value of the contingent consideration as of the acquisition date. On October 31, 2025, the Company obtained the assignment of the remaining customer contract and satisfied the contingency. During November 2025, the Company fully settled a liability of $0.2 million, associated with the acquisition.
The purchase price consideration was allocated to a developed technology intangible asset of $18.2 million based on the replacement cost method and assembled workforce intangible of $0.5 million, with useful lives of 6 years and 3 years, respectively. Approximately $0.3 million was allocated to deferred revenue, current and $0.1 million to accounts receivable.
Business Combinations
Imprivata
On December 13, 2024, the Company acquired the Identity Governance and Administration business of Imprivata, a digital identity company for life- and mission-critical industries that is majority owned by Thoma Bravo, for a cash payment at closing of $10.7 million and up to an additional cash amount of $7.4 million related to contingent consideration subject to the achievement of certain customer contract assignments or migrations. The contingent consideration was initially recorded in the
96
Table of Contents
consolidated balance sheets in accrued expenses and other liabilities at a fair value of $5.7 million. The revised fair value of the contingent consideration of $7.3 million was settled in August 2025. See Note 4 “Fair Value Measurements” for additional information on the fair value of the contingent consideration.
The following table summarizes the purchase price allocation as of the date of acquisition (in thousands):
| Accounts receivable | $ | ||||
| Goodwill | |||||
| Intangible assets | |||||
| Deferred revenue | ( | ||||
| Total fair value of assets acquired and liabilities assumed | $ | ||||
The fair value estimates and assumptions regarding certain tangible assets acquired and liabilities assumed and the valuation of intangible assets acquired are subject to change as additional information is obtained during the measurement period. The goodwill arising from the acquisition is deductible for tax purposes.
The fair value of the developed technology was estimated using a market approach. The fair value of customer relationships was estimated using the excess earnings method. The following table presents the fair values and useful lives of the identifiable intangible assets acquired:
| Amount | Estimated Useful Life | ||||||||||
| (In thousands) | (In years) | ||||||||||
| Developed technology | $ | ||||||||||
| Customer relationships | |||||||||||
| Total identifiable intangible assets | $ | ||||||||||
Double Zero
On April 9, 2024 (“Acquisition Date”), the Company acquired all of the outstanding stock of Double Zero Security, Inc. (“Double Zero”), a third-party provider of digital-identity threat detection and response for secure enterprise access. The aggregate consideration transferred in connection with this acquisition was $5.4 million, net of cash acquired, and $0.8 million was related to certain indemnities (the "Holdback Consideration"). The Company paid $0.1 million of the Holdback Consideration 60 days after the Acquisition Date and the remaining Holdback Consideration of $0.7 million was paid in April 2025.
The following table summarizes the purchase price allocation as of the date of acquisition (in thousands):
| Cash and cash equivalents | $ | ||||
| Accounts receivable | |||||
| Prepayments and other current assets | |||||
| Deferred tax assets, non-current | |||||
| Goodwill | |||||
| Intangible assets | |||||
| Accounts payable | ( | ||||
| Accrued expenses and other liabilities | ( | ||||
| Deferred revenue | ( | ||||
| Total fair value of assets acquired and liabilities assumed | $ | ||||
97
Table of Contents
The fair value of the developed technology was estimated using a market approach. The following table presents the estimated fair values and useful lives of the identifiable intangible assets acquired:
| Amount | Estimated Useful Life | ||||||||||
| (In thousands) | (In years) | ||||||||||
| Developed technology | $ | ||||||||||
Osirium
On October 30, 2023, the Company acquired all of the outstanding stock of Osirium Technologies PLC (“Osirium”), a SaaS company delivering privileged access management, privileged endpoint management, and IT process automation solutions. The aggregate consideration paid in connection with this acquisition was $8.2 million, net of cash acquired.
The following table summarizes the purchase price allocation as of the date of acquisition (in thousands):
| Cash and cash equivalents | $ | ||||
| Accounts receivable | |||||
| Prepayments and other current assets | |||||
| Goodwill | |||||
| Intangible assets | |||||
| Accounts payable | ( | ||||
| Accrued expenses and other liabilities | ( | ||||
| Deferred tax liabilities, non-current | ( | ||||
| Deferred revenue | ( | ||||
| Total fair value of assets acquired and liabilities assumed | $ | ||||
The fair value of the developed technology was estimated using a market approach.
The following table presents the fair values and useful lives of the identifiable intangible assets acquired:
| Amount | Estimated Useful Life | ||||||||||
| (In thousands) | (In years) | ||||||||||
| Developed technology | $ | ||||||||||
Additional Business Combination Related Information
The operating results of the acquired companies are included in the Company’s consolidated statements of operations from the respective dates of acquisition. Pro forma results of operations have not been presented because the effects of these acquisitions, individually and in the aggregate, were not material to the Company’s consolidated statements of operations.
The Company believes that for each business combination, the acquired companies will provide opportunities for growth through investing in additional products and capabilities, among other factors. This contributed to a purchase price in excess of the estimated fair value of each acquired company’s net identifiable assets acquired and, as a result, goodwill was recorded in connection with each acquisition. Unless otherwise noted above, goodwill arising from these acquisitions is not deductible for tax purposes.
98
Table of Contents
6. Goodwill and Intangible Assets
Goodwill
As of January 31, 2026 and 2025, goodwill was $5.2 No No
Intangible Assets
Total cost and amortization of intangible assets comprised of the following:
| January 31, 2026 | Weighted Average Useful Life | January 31, 2025 | Weighted Average Useful Life | ||||||||||||||||||||
| Intangible assets, net | (In thousands) | (In years) | (In thousands) | (In years) | |||||||||||||||||||
| Customer relationships | $ | $ | |||||||||||||||||||||
| Developed technology | |||||||||||||||||||||||
| Trade names | |||||||||||||||||||||||
| Other | |||||||||||||||||||||||
| Total intangible assets | |||||||||||||||||||||||
| Less: accumulated amortization | ( | ( | |||||||||||||||||||||
| Total intangible assets, net | $ | $ | |||||||||||||||||||||
Total accumulated amortization of intangible assets is comprised of the following (in thousands):
| Accumulated amortization | January 31, 2026 | January 31, 2025 | |||||||||
| Customer relationships | $ | ( | $ | ( | |||||||
| Developed technology | ( | ( | |||||||||
| Trade names | ( | ( | |||||||||
| Other | ( | ( | |||||||||
| Total accumulated amortization | $ | ( | $ | ( | |||||||
There were no
Amortization expense for the periods presented was as follows (in thousands):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
Cost of revenue | |||||||||||||||||
| Subscription | $ | $ | $ | ||||||||||||||
Services and other | |||||||||||||||||
Operating expenses | |||||||||||||||||
| Research and development | |||||||||||||||||
| Sales and marketing | |||||||||||||||||
| Total amortization expense | $ | $ | $ | ||||||||||||||
99
Table of Contents
The total estimated future amortization expense of intangible assets as of January 31, 2026 is as follows (in thousands):
| Year Ending January 31, | |||||
| 2027 | $ | ||||
| 2028 | |||||
| 2029 | |||||
| 2030 | |||||
| 2031 | |||||
| Thereafter | |||||
| Total amortization expense | $ | ||||
7. Leases
As of January 31, 2026, the Company’s leases, primarily relating to office leases, have remaining lease terms of less than 1 year to 4 years. Certain leases include early termination and/or extension options; however, exercises of these options are at the Company’s sole discretion. As of January 31, 2026, the Company determined it is not reasonably certain it will exercise the options to extend its leases or terminate them early. The Company’s lease agreements do not contain any material residual value guarantees or material restrictive covenants. As of January 31, 2026 and 2025, the Company had no financing leases.
The Company measures its lease liabilities at the net present value of the remaining lease payments. The Company’s incremental borrowing rate is estimated to approximate the interest rate on similar terms and payments and in economic environments where the leased asset is located.
As of January 31, 2026 and 2025, the Company’s weighted-average discount rate was 9.15 %, and 9.26 %, respectively.
As of January 31, 2026 and 2025, the Company’s weighted-average remaining lease term was 3.2 years and 4.1 years, respectively.
Operating lease costs for the periods presented were as follows (in thousands):
| January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Lease cost | |||||||||||||||||
| Operating lease cost | $ | $ | $ | ||||||||||||||
| Variable lease cost | |||||||||||||||||
| Short-term lease cost | |||||||||||||||||
| Total lease cost | $ | $ | $ | ||||||||||||||
Year Ending January 31, | |||||
| 2027 | $ | ||||
| 2028 | |||||
| 2029 | |||||
| 2030 | |||||
| Total minimum lease payments | |||||
| Less: interest | ( | ||||
| Total present value of operating lease liabilities | $ | ||||
8. Commitments and Contingencies
As of January 31, 2026, the Company had in aggregate $196.3 million in contractual purchase commitments associated with agreements that are enforceable and legally binding, of which $113.4 million are due within the next 12 months.
100
Table of Contents
Such amounts do not include obligations under contracts that the Company can cancel without significant penalty or purchase orders as the purchase orders represent authorizations to purchase rather than binding agreements.
Included in the aggregate contractual purchase commitments as of January 31, 2026 is the remaining commitment with a cloud storage provider that has a term of July 2023 through June 2028. Under the terms of the agreement, the Company committed to spend $54.0 million, $59.0 million, $62.0 million, $65.0 million, and $67.5 million in contract years one, two, three, four, and five, respectively, for a total of $307.5 million. If the Company does not meet the minimum purchase obligation during any of those years, it will be required to pay the difference. The Company met the minimum spend requirements for years one, two and three, As of January 31, 2026, the Company has made payments of $177.0 million under the agreement. On February 1, 2026, a new amendment to the agreement was entered with the cloud storage provider, which terminated the previous arrangement. The new arrangement has a term of February 1, 2026 through January 31, 2031. Under the terms of the new arrangement the Company committed to spend $107.0 million, $127.0 million, $147.0 million, $162.0 million and $178.0 million in contract years one, two, three, four and five, respectively, for a total of $721.0 million. If the Company does not meet the minimum purchase obligation during any of those years, it will be required to pay the difference.
Indemnification Arrangements
In the ordinary course of business, the Company enters into contractual arrangements under which it agrees to provide indemnification of varying scope and terms to customers, business partners and other parties with respect to certain matters, including, losses arising out of the breach of such agreements, intellectual property infringement claims made by third parties, and other liabilities with respect to the Company’s products and services and business. In these circumstances, payment may be conditional on the other party making a claim pursuant to the procedures specified in a particular contract. The Company includes service level commitments to the Company’s cloud customers warranting certain levels of uptime reliability and performance and permitting those customers to receive credits in the event that the Company fails to meet those levels.
To date, the Company has not incurred any material costs as a result of these commitments, and the Company expects the time between any potential claims and issuance of the credits to be short. As a result, the Company has not accrued any liabilities related to these commitments in the Company’s consolidated financial statements.
Litigation Claims and Assessments
The Company is subject to claims and suits that may arise from time to time in the ordinary course of business. In addition, some legal actions, claims and governmental inquiries may be instituted or asserted in the future against the Company and its subsidiaries. Although the outcome of these legal proceedings cannot be predicted with certainty and no assurances can be provided, based upon current information, the Company does not believe the liabilities, if any, which may ultimately result from the outcome of such matters, individually or in the aggregate, will have a material adverse impact on the Company’s consolidated financial statements.
9. Credit Agreement and Debt
2025 Credit Agreement
On June 25, 2025, the Company entered into a credit agreement (the "2025 Credit Agreement") that provides for a five -year $250.0 million secured revolving credit facility, including a letter of credit sub-facility of up to $10.0 million (the "2025 Revolving Credit Facility"). The 2025 Revolving Credit Facility matures on June 25, 2030. The Company incurred deferred financing costs of $2.7 million related to the issuance of the 2025 Credit Agreement, which are included in other non-current assets on the accompanying consolidated balance sheets. These costs are being amortized to interest expense over the life of the 2025 Credit Agreement on a straight-line basis. Amortization of deferred financing costs related to the 2025 Credit Agreement was $0.3 million for the year ended January 31, 2026.
Pursuant to the 2025 Credit Agreement, the Company can obtain base rate loans, which bear interest at a Base Rate (as defined in the 2025 Credit Agreement) plus a margin ranging from 0.50 % to 1.50 %, depending on the First Lien Net Leverage Ratio (as defined in the 2025 Credit Agreement), or term SOFR loans, which bear interest at a rate equal to Term SOFR (as defined in the 2025 Credit Agreement) plus a margin ranging from 1.50 % to 2.50 %, depending on the First Lien Net Leverage Ratio. The Company will incur commitment fees at rates ranging from 0.175 % to 0.375 % per annum, depending on the First Lien Net Leverage Ratio, on the unused portion of the lender commitments. The Company will also pay customary letter of credit fees, including a fronting fee equal to 0.125 % per annum of the daily maximum amount then available to be drawn under
101
Table of Contents
such letters of credit, as well as customary issuance and administration fees. The fees were $0.3 million for the year ended January 31, 2026 and are recorded as interest expense on the consolidated statements of operations.
The 2025 Credit Agreement contains customary representations and warranties, events of default, and various affirmative and negative covenants, including financial reporting requirements and limitations on liens, investments (including acquisitions), indebtedness, mergers, consolidations, liquidations and dissolutions, sales of assets, dividends and other restricted payments and transactions with affiliates. The Company is subject to quarterly financial covenants relating to maintaining a Total Net Leverage Ratio (as defined in the 2025 Credit Agreement) of generally not more than 4.00 to 1.00 (which may be increased to 4.50 to 1.00 for a limited period in the event a material acquisition is consummated). The Company was in compliance with all applicable covenants as of January 31, 2026.
All obligations under the 2025 Revolving Credit Facility are unconditionally guaranteed by the Company and each Restricted Subsidiary other than any Excluded Subsidiary (each, as defined in the 2025 Credit Agreement) and are supported by a security interest in substantially all of the borrowers' and guarantors' tangible and intangible assets (subject to permitted liens).
The Company may voluntarily repay and reborrow outstanding loans under the 2025 Revolving Credit Facility at any time without a premium or a penalty. The Company had no outstanding 2025 Revolving Credit Facility balance as of January 31, 2026.
2022 Credit Agreement
On August 16, 2022, the Company entered into a Credit Agreement (the "2022 Credit Agreement") that provides for (i) a six-year $125.0 million senior secured revolving credit facility, including a letter of credit sub-facility of up to $5.0 million (the “2022 Revolving Credit Facility”) and (ii) a seven-year $1.59 billion term loan facility (the “Term Loans”). The 2022 Revolving Credit Facility had a maturity date in August 2028, and the Term Loans had a maturity date in August 2029. After the closing of the IPO, the Company fully repaid its Term Loans and recorded an extinguishment of debt related to the remaining balance of its deferred financing costs of $15.3 million, which is recorded within interest expense on the consolidated statement of operations.
On June 25, 2025, the 2022 Credit Agreement was terminated upon the closing of the 2025 Credit Agreement. The remaining unamortized deferred financing costs of $1.4 million for the 2022 Revolving Credit Facility was recorded as a loss from extinguishment of debt and included in interest expense on the consolidated statements of operations. Amortization of debt issuance costs, excluding the loss from extinguishment of debt, was $0.5 million, $4.4 million, and $4.2 million for the years ended January 31, 2026, 2025, and 2024, respectively.
The net carrying amount of the Term Loans is presented as follows (in thousands):
| January 31, 2026 | January 31, 2025 | ||||||||||
| Principal | $ | $ | |||||||||
| Unamortized issuance costs | ( | ||||||||||
| Net carrying amount | $ | $ | |||||||||
Total interest expense recognized related to the Term Loans for the year ended January 31, 2026, 2025, and 2024 was $22.3 million, $186.2 million, and $186.6 million, respectively, consisting of contractual interest expense of $6.7 million, amortization of debt issuance costs of $0.2 million and $15.3 million loss from the extinguishment of debt for the year ended January 31, 2026, contractual interest expense of $174.0 million, amortization of debt issuance costs of $3.9 million and $8.3 million loss from the extinguishment of debt for the year ended January 31, 2025, and contractual interest expense of $182.9 million and amortization of debt issuance costs of $3.7 million for the year ended January 31, 2024.
10. Related Party Transactions
The Company is an affiliate of Thoma Bravo. The Company engaged in ordinary sales transactions of $2.0 million, $0.8 million, and $1.0 million and ordinary purchase transactions of $2.7 million, $2.1 million and $2.1 million for the years ended January 31, 2026, 2025, and 2024, respectively, with entities affiliated with Thoma Bravo.
The Company made payments of $9.3 million, $7.5 million, and $11.3 million under its advisory services agreement with Thoma Bravo for consultation and advice related to corporate strategy, budgeting of future corporate investments, acquisition and divestiture strategies, and debt and equity financings during the years ended January 31, 2026, 2025, and 2024, respectively. The Company expensed $0.6 million, $15.0 million, and $15.0 million during the years ended January 31, 2026,
102
Table of Contents
2025, and 2024 respectively, which is included in general and administrative expenses in the Company’s consolidated statements of operations. In conjunction with the closing of the IPO, the Company settled all outstanding fees of $9.3 million payable to Thoma Bravo and its advisory services agreement was terminated.
On December 13, 2024, the Company acquired Imprivata, which is majority owned by Thoma Bravo, See Note 5 for additional information.
On December 23, 2024, SailPoint Parent, LP entered into a purchase agreement with Thoma Bravo, pursuant to which Thoma Bravo purchased Class A Units and Class B Units for an aggregate purchase price of $600.0 million. In addition, on January 7, 2025, in connection with Thoma Bravo’s purchase, certain of the Company’s directors and other equityholders exercised their preemptive rights under our partnership agreement and purchased Class A Units and Class B Units for an aggregate purchase price of approximately $0.3 million. The Company used $575.0 million of the proceeds from such transaction to repay $550.0 million and $25.0 million of the Term Loan and Revolving Credit Facility (which was drawn down by the Company on November 8, 2024), respectively, with the remainder planned for general corporate purposes.
Under the terms of the 2022 Credit Agreement, an entity affiliated with Thoma Bravo provided $50.0 million of the Term Loans as part of the syndicate of lenders on August 16, 2022. As a result, the Company made interest payments of $1.2 million, $4.8 million, and $5.7 million for the years ended January 31, 2026, 2025, and 2024, respectively, and incurred interest expense of $0.7 million, $5.9 million, and $5.9 million to the affiliate of Thoma Bravo for the years ended January 31, 2026, 2025, and 2024, respectively. The remaining principal balance owed to the affiliate of Thoma Bravo was fully repaid upon the repayment of the Company's Term Loans.
11. Stockholders' Equity / Partners' Deficit
Stockholders’ Equity
As a result of the Corporate Conversion, the Company succeeded to all of SailPoint, Inc's property, assets, debt, and obligations. The Company’s authorized capital stock consists of 1,750,000,000 shares of common stock, par value $0.0001 per share, and 50,000,000 shares of undesignated preferred stock, par value $0.0001 per share. The issued and outstanding shares of common stock disclosed on the consolidated balance sheet include all legally outstanding shares, including restricted stock awards ("RSAs").
Each outstanding share of common stock is entitled to one vote on all matters submitted to a vote of stockholders. Holders of shares of our common stock have no cumulative voting rights and are not entitled to dividends unless declared by the Board of Directors (the “Board”). The Company’s common stock is neither convertible nor redeemable.
Partners’ Equity
The Company operated under the terms and conditions of the Second Amended and Restated Limited Partnership Agreement of SailPoint Parent, LP dated December 23, 2024 (the “Partnership Agreement”). Excluding the effects of the Corporate Conversion, there were no significant changes to the Partnership Agreement and terms related to the Class A Units and Class B Units since January 31, 2025. In conjunction with the Corporate Conversion, all of the Company's outstanding partnership units were converted into shares of common stock. The Corporate Conversion is discussed further in Note 1.
Redeemable Convertible Units
There are no redeemable convertible units outstanding as of January 31, 2026. Redeemable convertible units consisted of the following as of January 31, 2025:
103
Table of Contents
| January 31, 2025 | ||||||||||||||||||||
| Units issued and outstanding | Aggregate liquidation preference | Net carrying value | ||||||||||||||||||
| (In thousands) | ||||||||||||||||||||
| Class A Units | $ | $ | ||||||||||||||||||
Class B Units (1) | ||||||||||||||||||||
| Total redeemable convertible units | $ | $ | ||||||||||||||||||
(1) The net carrying value includes the redemption value of unvested incentive units that will convert to Class B Units.
The cumulative unpaid Class A yield earned was $1.5 billion as of January 31, 2025. The cumulative unpaid Class A yield earned per unit was $3.66 as of January 31, 2025.
The cumulative Class A yield earned upon the Corporate Conversion was $1.5 billion as of the date of the Corporate Conversion. The cumulative unpaid Class A yield earned per unit was $3.72 as of the date of the Corporate Conversion.
The issued and outstanding units disclosed on the consolidated balance sheet includes all legally outstanding units, which are different from the number of units considered outstanding in the table above. The number of units outstanding in the table above excludes unvested incentive units, which are not outstanding under GAAP until the vesting condition is met.
The following are the relevant terms related to the Class A and Class B Units:
Class A Yield
The Class A unitholders were entitled to a cumulative preferred return at the per annum rate of 9 % (“Class A Yield”), compounded on a quarterly basis, on the sum of unpaid yield (“Unpaid Yield”) plus unreturned capital (“Unreturned Capital”). Unpaid Yield represented the amount equal to the excess of the aggregate Class A Yield accrued on such Class A Units for all prior periods, over the aggregate amount of prior distributions made by the Company related to such Class A Yield. Unreturned Capital is the aggregate contributions made in exchange for Class A Units reduced by distributions made by the Company to such unitholders for all prior periods.
At each reporting date, the Company evaluated whether the Class A Units were considered currently redeemable or probable of becoming redeemable upon a deemed liquidation event. The Company did not record the cumulative yield in the consolidated financial statements until the Company determined that such units were probable of becoming redeemable. As of January 31, 2025, the Class A and Class B Units were currently redeemable as the deemed liquidation events that would give rise to the redemption of the units were considered probable. The Board had the ability, in its discretion, to make distributions at any time or from time to time.
Class B Yield
The Class B unitholders are not entitled to any yield or dividend.
Liquidation Rights
The Class A unitholders were entitled to liquidation preference over Class B unitholders. The distribution would first be made to settle Unpaid Yield, and then to settle Unreturned Capital. Any remaining amounts was to be distributed pro rata among holders of Class B Units based on the outstanding Class B Units held at the time of such distribution. Therefore, all Class A unitholders had first priority with regard to any distributions made by the Company to its unitholders. The Class B unitholders then had the residual interests in the Company.
Redemption Rights
In accordance with the terms and conditions of the Partnership Agreement, the Class A and Class B Units were contingently redeemable upon occurrence of a sale or reorganization, which were deemed liquidation events that were considered outside of the Company’s control. Upon redemption, each Class A and Class B unitholder would receive in exchange for each unit, the same cash value of consideration and the same portion of the aggregate consideration as if a liquidation event occurred and a distribution was made pursuant to the liquidation rights. As of January 31, 2025, the Class A Units and Class B Units were considered redeemable as the closing of the IPO was considered probable. The Company
104
Table of Contents
recognized the increase to the redemption value of both Class A and Class B units as a charge to its additional paid in capital and accumulated deficit.
Repurchase Rights
In accordance with the terms and conditions of certain investor agreements, Co-Invest Agreements, or other incentive unit agreements entered into between the Company and its unitholders, the Class A and Class B Units were subject to repurchase at the election of the Company, Thoma Bravo, or another related party upon the unitholder’s termination or in connection with a sale of the Company. The repurchase price for each Class A Unit was the fair market value of such unit as of the date of repurchase; provided, however, that if the unitholder was terminated for cause, the repurchase price shall be the lesser of the unitholder’s original cost for such unit and the fair market value of such unit. The repurchase price for each Class B Unit was the fair market value of such unit as of the date of repurchase.
Conversion Rights
The Class A and Class B Units were contingently convertible upon occurrence of a reorganization in anticipation of a public offering. In connection with such event, the Board would determine what securities or other property the units would be converted to or exchanged for.
Voting Rights
The majority of the Class A and Class B Units were owned by funds managed by Thoma Bravo (“TB Funds”). TB Funds had control of the Board through their election rights, and the TB Funds also had certain approval rights as defined within Partnership Agreement including, but not limited to authorizing any distributions upon any securities of the Company and authorizing the issuance of any notes or debt securities.
12. Equity-Based Compensation
SailPoint Parent, LP Incentive Equity Plan
Prior to the IPO, the Company had the SailPoint Parent, LP Incentive Equity Plan (the “Plan”) and the SailPoint Parent, LP Co-Invest Agreement (the “Co-Invest Agreement”) to incentivize employees and to align the employees and management with the owners of the business.
The Plan provided for the grant of options, profits interest, equity appreciation rights and other forms of awards to employees and non-employees granted or denominated in units of SailPoint Parent, LP. Under the Plan, 10,972 million Class B Units (“Incentive Units”) were reserved for issuance. The Plan allowed for awards to generally vest over four years based on continued service to the Company and/or its affiliates. Equity-based compensation costs for granted units were recognized as expense on a straight-line basis over the requisite service period as the services performed.
The Co-Invest Agreement offered employees the one-time opportunity to co-invest in the Company by purchasing units directly from the Company for cash. Under the Co-Invest Agreement, the purchase price was $16.42 for one Class A Unit and a number of Class B Units, based on a ratio of one Class A Unit to 0.2185 Class B Units. The Company determined the Co-Invest Agreement was not compensatory in nature as the terms are no more favorable than those available to all holders of the same class of equity, therefore it did not give rise to recognizable compensation cost.
As of January 31, 2025, the Incentive Units were considered redeemable as the closing of the IPO was considered probable. The Company also granted equity appreciation rights awards under the Plan that are required to be settled in cash. The awards were classified as liabilities and were remeasured each reporting period. The liability is included in other long-term liabilities on the consolidated balance sheets and is included in the consolidated statement of operations as equity-based compensation expense.
Cash-Settled Awards
As of January 31, 2025, the total unrecognized compensation expense related to non-vested cash-settled awards granted is $41.7 million and is expected to be recognized over a weighted average period of 1.1 years.
Impact of the IPO
On January 31, 2025, the Board approved modifications to accelerate the vesting of certain incentive units, equity appreciation rights (“EARs”), and cash settled awards subject to the pricing and closing of the IPO. Prior to the Corporate
105
Table of Contents
Conversion, the Company modified 3,036,888 incentive units and 377,077 EARs. Upon the IPO, the vested incentive units were considered redeemable. As a result of the modifications and the closing of the IPO, the Company recognized $113.8 million of equity-based compensation expense in the consolidated statement of operations, which was comprised of $61.5 million, $12.6 million, and $39.8 million of expense for the modified incentive units, EARs, and cash settled awards, respectively. Additionally, the Company settled the vested EARs and cash settled awards, paying $75.2 million. As of January 31, 2026, the outstanding cash awards remaining to be settled were not significant.
In addition, the Company cancelled and replaced the unvested incentive units and EARs with grants of RSAs and RSUs, respectively. The Company granted 1,253,536 RSAs and 232,168 RSUs, which are governed by the SailPoint, Inc. Omnibus Incentive Plan (the “Omnibus Plan”). As a result of granting the RSUs, the Company reclassified an insignificant amount for the unvested EARs from other long-term liabilities on the consolidated balance sheets to additional paid in capital.
As of January 31, 2026, there were no outstanding awards under the SailPoint Parent, LP Incentive Equity Plan.
Omnibus Plan
On February 12, 2025, the shareholders and Board approved the Omnibus Plan, which then became effective. The Omnibus Plan provides for the grant of stock options, stock appreciation rights, restricted stock, RSUs, stock awards, dividend equivalents, other stock-based awards, cash awards, and substitute awards intended to align the interests of award holders with those of the Company’s stockholders.
The aggregate number of shares of common stock that may be issued pursuant to the Omnibus Plan is 61,083,763 , which shall increase on February 1 of each fiscal year, equal to the lesser of (a) 5 % of the aggregate number of shares of common stock outstanding on January 31 of the immediately preceding fiscal year and (b) such smaller number of shares as determined by the Board.
The Omnibus Plan primarily allows for awards to vest based on continued service to the Company and/or its affiliates. Equity-based compensation costs for granted awards are recognized as an expense on a straight-line basis over the requisite service period as the services are performed.
Capitalized equity-based compensation expense is recorded as part of property and equipment, net on the consolidated balance sheets and is amortized on a project-by-project basis using the straight-line method.
During the year ended January 31, 2026, the Company granted 19,753,701 RSUs that vest ratably predominantly over to four years based on continued service to the Company.
As of January 31, 2026, there were a total of 40.8 million shares of common stock available for grant under the Omnibus Plan.
Restricted stock and RSU activity under the Omnibus Plan for the year ended January 31, 2026 was as follows:
| Restricted Stock Units | Restricted Stock | ||||||||||||||||||||||
| Number of Shares | Weighted Average Grant Date Fair Value | Number of Shares | Weighted Average Grant Date Fair Value | ||||||||||||||||||||
| (In thousands) | (Per unit) | (In thousands) | (Per unit) | ||||||||||||||||||||
| February 13, 2025 | $ | $ | |||||||||||||||||||||
Granted | |||||||||||||||||||||||
Vested | ( | ( | |||||||||||||||||||||
| Forfeited | ( | ( | |||||||||||||||||||||
Unvested balance at January 31, 2026 | $ | $ | |||||||||||||||||||||
The total grant date fair value for vested restricted stock and RSUs were $172.3 million the year ended January 31, 2026. As of January 31, 2026, the total unrecognized stock-based compensation expense related to restricted stock and RSUs was $231.3 million that is expected to be recognized over a weighted-average period of 1.7 years.
During the first quarter of fiscal year 2027, we issued 20,799,064 RSUs to certain of our employees, including executive officers. Stock-based compensation expense is estimated to be $289.7 million and will be recognized over four years based on continued service.
106
Table of Contents
Equity-based Compensation Expense
A summary of the Company’s equity-based compensation expense by award type is presented below (in thousands):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Incentive equity units | $ | $ | $ | ||||||||||||||
| Equity appreciation rights | |||||||||||||||||
| Restricted stock awards | |||||||||||||||||
| Restricted stock units | |||||||||||||||||
| Cash-settled awards | |||||||||||||||||
| Total equity-based compensation expense | $ | $ | $ | ||||||||||||||
A summary of the Company’s equity-based compensation expense as recognized in the consolidated statements of operations is presented below (in thousands):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Cost of revenue - subscription | $ | $ | $ | ||||||||||||||
| Cost of revenue - services and other | |||||||||||||||||
| Research and development | |||||||||||||||||
| Sales and marketing | |||||||||||||||||
| General and administrative | |||||||||||||||||
| Total equity-based compensation expense, net of amounts capitalized | $ | $ | $ | ||||||||||||||
| Capitalized equity-based compensation | |||||||||||||||||
| Total equity-based compensation expense | $ | $ | $ | ||||||||||||||
13. Balance Sheet Related Items
Property and Equipment
The cost and accumulated depreciation of property and equipment are as follows (in thousands):
| January 31, 2026 | January 31, 2025 | ||||||||||
| Computer equipment | $ | $ | |||||||||
| Capitalized software development costs | |||||||||||
| Furniture and fixtures | |||||||||||
| Leasehold improvements | |||||||||||
| Other | |||||||||||
| Total property and equipment | |||||||||||
| Less: accumulated depreciation and amortization | ( | ( | |||||||||
| Total property and equipment, net | $ | $ | |||||||||
Depreciation and amortization expense was $8.7 million, $6.6 million, and $6.6 million for the years ended January 31, 2026, 2025, 2024, respectively.
107
Table of Contents
Prepayments and Other Current Assets and Other Non-Current Assets
Prepayments and other current assets consisted of the following (in thousands):
| January 31, 2026 | January 31, 2025 | ||||||||||
| Prepaid expenses | $ | $ | |||||||||
| Restricted cash | |||||||||||
| Income tax receivables | |||||||||||
| Deferred offering costs | |||||||||||
| Other | |||||||||||
| Total prepayments and other current assets | $ | $ | |||||||||
Other non-current assets consisted of the following (in thousands):
| January 31, 2026 | January 31, 2025 | ||||||||||
| Prepaid expenses | $ | $ | |||||||||
| Deferred tax assets, non-current | |||||||||||
| Other | |||||||||||
| Total other non-current assets | $ | $ | |||||||||
Accrued Expenses and Other Liabilities
Accrued expenses and other liabilities consisted of the following (in thousands):
| January 31, 2026 | January 31, 2025 | ||||||||||
| Commissions | $ | $ | |||||||||
| Bonus | |||||||||||
| Payroll and related benefits | |||||||||||
| Cash-settled awards | |||||||||||
| Interest payable | |||||||||||
| Income taxes payable | |||||||||||
| Thoma Bravo advisory fees | |||||||||||
| Other | |||||||||||
| Total accrued expenses and other liabilities | $ | $ | |||||||||
Other Long-Term Liabilities
Other long-term liabilities consisted of the following (in thousands):
| January 31, 2026 | January 31, 2025 | ||||||||||
| $ | $ | ||||||||||
EARs | |||||||||||
| Total other long-term liabilities | $ | $ | |||||||||
14. Income Taxes
Provision for income taxes consists of U.S. and state income taxes and income taxes in certain foreign jurisdictions in which the Company conducts business.
108
Table of Contents
The following table presents consolidated loss before income taxes (in thousands):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Domestic | $ | ( | $ | ( | $ | ( | |||||||||||
| Foreign | |||||||||||||||||
| Total loss before income taxes | $ | ( | $ | ( | $ | ( | |||||||||||
The provision (benefit) expense for income taxes consisted of the following (in thousands):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Current | |||||||||||||||||
| Federal | $ | $ | $ | ||||||||||||||
| State | |||||||||||||||||
| Foreign | |||||||||||||||||
| Total current | |||||||||||||||||
| Deferred | |||||||||||||||||
| Federal | ( | ( | ( | ||||||||||||||
| State | ( | ( | ( | ||||||||||||||
| Foreign | ( | ( | |||||||||||||||
| Total deferred | ( | ( | ( | ||||||||||||||
| Provision (benefit) expense for income taxes | $ | ( | $ | ( | $ | ( | |||||||||||
The significant components of the Company’s deferred taxes are as follows (in thousands):
| January 31, 2026 | January 31, 2025 | ||||||||||
| Deferred tax assets: | |||||||||||
| Research and development and other credits | $ | $ | |||||||||
| Capitalized research expenditures | |||||||||||
| Net operating loss carryforward | |||||||||||
| Disallowed interest carryforward | |||||||||||
| Deferred revenue | |||||||||||
| Stock compensation | |||||||||||
| Operating lease liabilities | |||||||||||
| Accrued expenses | |||||||||||
| Other | |||||||||||
| Total deferred tax assets | |||||||||||
| Less valuation allowance for deferred tax assets | ( | ( | |||||||||
| Net deferred tax asset | |||||||||||
| Deferred tax liabilities: | |||||||||||
| Fixed assets | ( | ( | |||||||||
| Operating lease ROU assets | ( | ( | |||||||||
| Capitalized commissions | ( | ( | |||||||||
| Intangible assets | ( | ( | |||||||||
| Total deferred tax liabilities | ( | ( | |||||||||
| Net deferred tax (liabilities) assets | $ | ( | $ | ( | |||||||
As of January 31, 2026, the Company has federal, state and foreign net operating loss carryforwards of $227.3 million, $205.1 million and $31.5 million, respectively. Approximately $0.2 million of the federal net operating loss
109
Table of Contents
carryforwards will begin to expire in 2037 and $227.1 million do not expire. The state net operating loss carryforwards will begin to expire in 2029, if not utilized. The foreign net operating losses do not expire.
As of January 31, 2026, the Company has federal and state research and development credit carryforwards of $30.4 million and $8.6 million, respectively. The federal and state research and development credits will begin to expire in 2027 and 2033, respectively, if not utilized.
The Company assessed all available positive and negative evidence to determine whether it expects that sufficient future taxable income will be generated to allow it to realize its existing deferred tax assets. The Company determined that it is more likely than not to realize a portion of the benefits of its U.S. federal and state interest expense carryforward. The Company decreased the valuation allowance to $20.3 million from $32.3 million as of January 31, 2026 and 2025, respectively.
The following table reconciles the Company's effective tax rate to the federal statutory tax rate under the updated requirements of ASU 2023-09.
| Year Ended January 31, 2026 | |||||||||||
$ | % | ||||||||||
| U.S. federal taxes at statutory rate | $ | ( | % | ||||||||
State and local income taxes, net of federal benefit (1) | ( | ||||||||||
| Foreign tax effects | |||||||||||
| Brazil | ( | ||||||||||
| Other | ( | ||||||||||
| Effects of changes in tax laws or rates enacted in the current period | |||||||||||
| Effect of cross-border tax laws: | ( | ||||||||||
| Tax credits: | |||||||||||
| Research and development credits | ( | ||||||||||
| Non-taxable or non-deductible items: | |||||||||||
| Equity compensation | ( | ||||||||||
| Non-deductible officer compensation | ( | ||||||||||
Other | ( | ||||||||||
| Changes in valuation allowances | ( | ||||||||||
| Change in unrecognized tax benefits | ( | ||||||||||
| Other | ( | ||||||||||
| Total tax provision and effective tax rate | $ | ( | % | ||||||||
(1) State taxes in California, New Jersey, Illinois, New York, New York City and District of Columbia made up the majority (greater than 50%) of the tax effect in this category
As previously disclosed for the years January 31, 2025 and 2024, prior to the adoption of ASU 2023-09, the following table reconciles the Company’s effective tax rate to the federal statutory tax rate:
| Year Ended January 31, | |||||||||||
| 2025 | 2024 | ||||||||||
| U.S. federal taxes at statutory rate | % | % | |||||||||
State and local income taxes, net of federal benefit | |||||||||||
| Foreign tax rate differentials | ( | ( | |||||||||
| Foreign tax on earnings | ( | ( | |||||||||
| Research and development credits | |||||||||||
| Equity-based compensation | ( | ( | |||||||||
| Change in valuation allowance | ( | ||||||||||
| Change in unrecognized tax benefits | ( | ( | |||||||||
| Other | ( | ( | |||||||||
| Total | % | % | |||||||||
110
Table of Contents
Judgment is required in evaluating the Company’s uncertain tax positions and determining the Company’s provision for income taxes. The reconciliation of unrecognized tax benefits is as follows (in thousands):
As of January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| Beginning Balance | $ | $ | $ | ||||||||||||||
| Additions based on tax positions related to prior year | |||||||||||||||||
| Reductions based on tax positions related to prior year | ( | ||||||||||||||||
| Additions based on tax positions related to current year | |||||||||||||||||
Settlements | ( | ||||||||||||||||
| Ending Balance | $ | $ | $ | ||||||||||||||
Included in the balance of unrecognized tax benefits as of January 31, 2026, 2025, and 2024 is $49.5 million, $48.7 million and $48.6 million, respectively, of tax benefits that, if recognized, would affect the Company’s effective tax rate.
The Company’s policy is to recognize interest and/or penalties related to income tax matters in income tax expense. During the years ended January 31, 2026, 2025 and 2024, the Company did no
The Company files income tax returns in U.S. federal, state, and foreign jurisdictions. The Company has net operating loss carryforwards and tax credits for the U.S. federal and certain state jurisdictions allowing the statute of limitations to remain open for all years. The foreign jurisdiction’s statute of limitations is closed for tax years before 2022.
Deferred income taxes have not been recognized on the excess of the amount for financial reporting over the tax basis of investments in foreign subsidiaries that are indefinitely reinvested outside the U.S. Determination of the unrecognized deferred tax liability related to the outside basis difference in investments in the foreign subsidiaries is not practicable. If the Company repatriated its foreign earnings, any deferred income taxes for the estimated U.S. income tax, foreign income tax, and applicable withholding taxes is not material.
15. Segments and Geographic Information
Operating segments are defined as components of an entity for which separate financial information is available and that is regularly reviewed by the Chief Operating Decision Maker, or CODM. The CODM is comprised of the Company's Chief Executive Officer, Chief Financial Officer and President. The Company's CODM reviews financial information presented on a consolidated basis for the purposes of making operating decisions, allocating resources, and evaluating financial performance. Accordingly, the Company determined that it operates in one reportable segment. The CODM utilizes GAAP and non-GAAP measures of profit and loss for evaluating the Company's overall performance and inform resource allocation to support strategic priorities. The profit and loss measure most consistent with GAAP used by the CODM is net loss. Significant expense categories regularly provided to the CODM are those disclosed in the consolidated financial statements and related notes.
The following is a summary of consolidated revenues within geographic areas determined by the billing address of the customer for the periods presented (in thousands):
| Year Ended January 31, | |||||||||||||||||
| 2026 | 2025 | 2024 | |||||||||||||||
| United States | $ | $ | $ | ||||||||||||||
| EMEA | |||||||||||||||||
| Rest of the World | |||||||||||||||||
| Total revenue | $ | $ | $ | ||||||||||||||
No single country other than the United States represented more than 10% of the Company's revenue or total long-lived assets.
Substantially all of the Company’s long-lived assets were held in the United States as of January 31, 2026 and 2025.
111
Table of Contents
16. Employee Benefit Plans
The Company has established a defined contribution savings plan under Section 401(k) of the Internal Revenue Code (the “401(k) Plan”). The 401(k) Plan covers substantially all employees who meet minimum age and service requirements and allows participants to defer a percentage of their annual compensation as defined in the 401(k) Plan. The Company matches portions of employees’ voluntary contributions. Additional employer contributions may also be made at the Company’s discretion. The Company recorded expense of $8.4 million, $7.1 million, and $6.4 million, for the years ended January 31, 2026, 2025, and 2024, respectively, for matching contributions to the 401(k) Plan.
112
Table of Contents
Item 9. Changes in and Disagreements with Accountants on Accounting and Financial Disclosure
None.
Item 9A. Controls and Procedures
Evaluation of Disclosure Controls and Procedures
Our disclosure controls and procedures (as defined in Rules 13a-15(e) and 15d-15(e) under the Exchange Act) are designed to ensure that information required to be disclosed in the reports that we file or submit under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the rules and forms of the SEC and to ensure that information required to be disclosed is accumulated and communicated to management, including our principal executive officer (“PEO”) and principal financial officer (“PFO”), to allow timely decisions regarding disclosure. Our management, with the participation of our PEO and PFO, has evaluated the effectiveness of our disclosure controls and procedures as of January 31, 2026 and, based on such evaluation, our PEO and PFO have concluded that our disclosure controls and procedures were effective as of such date.
Management’s Report on Internal Control over Financial Reporting
Our management is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rule 13a-15(f) under the Exchange Act). Management conducted an assessment of the effectiveness of our internal control over financial reporting based on the criteria set forth in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework). Based on the assessment, management has concluded that its internal control over financial reporting was effective as of January 31, 2026 to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with U.S. GAAP. Our independent registered public accounting firm, Ernst & Young LLP, has issued an audit report with respect to our internal control over financial reporting, which appears in Part II, Item 8 of this Annual Report on Form 10-K.
Changes in Internal Control over Financial Reporting
There were no changes in the Company’s internal control over financial reporting as defined in Exchange Act Rule 13a-15(d) and 15d-15(d) during the quarter ended January 31, 2026 that materially affected, or are reasonably likely to materially affect, our internal control over financial reporting.
Item 9B. Other Information
Insider Trading Arrangements
During the three months ended January 31, 2026, none of the Company’s directors or officers (as defined in Rule 16a-1(f) of the Exchange Act) informed us of the adoption or termination
Name and Title | Action | Date of Adoption or Termination | Character of Trading Arrangement(1) | Aggregate Number of Shares of Common Stock to be Purchased or Sold Pursuant to Trading Arrangement | Duration | ||||||||||||
Rule 10b5-1 trading arrangement | Up to | ||||||||||||||||
Rule 10b5-1 trading arrangement | Indeterminable number of shares to be sold(3) | ||||||||||||||||
(1) Each trading arrangement listed as a “Rule 10b5-1 trading arrangement” is intended to satisfy the affirmative defense of Rule 10b5-1(c) of the Exchange Act (the “Rule”) and, among other things, only permits transactions upon expiration of the applicable mandatory cooling-off period under the Rule.
(2) This trading arrangement permits transactions through and including the earliest to occur of (a) the completion of all sales of shares subject to the arrangement, (b) the date listed in the “Duration” column, and (c) the occurrence of such other termination event as specified in the arrangement.
113
Table of Contents
Date of 2026 Annual Meeting of Stockholders
Our board of directors has determined that our 2026 Annual Meeting of Stockholders (the “2026 Annual Meeting”) will be held virtually on June 4, 2026. More detailed information regarding the 2026 Annual Meeting will be set forth in the Company’s Definitive Proxy Statement on Schedule 14A to be filed with the SEC.
For any proposal to be considered for inclusion in the Company’s proxy statement and form of proxy relating to the 2026 Annual Meeting, it must be submitted in writing and comply with the requirements of Rule 14a-8 of the Exchange Act. Generally, such proposals are due 120 days before the anniversary of the date the Company released the proxy materials for the prior year; however, if the date of the annual meeting has been changed by more than 30 days from the date of the previous year’s meeting, then the deadline is a reasonable time before we begin to print and send our proxy materials. Because we did not hold an annual meeting last year due to the timing of our IPO, we have determined that Rule 14a-8 stockholder proposals must be received by the Company at its principal executive offices no later than the close of business on March 31, 2026, unless otherwise announced by the Company prior to the 2026 Annual Meeting.
In accordance with our bylaws, stockholder proposals and director nominations that are not intended to be included in the Company’s proxy statement must be received, in writing, by the Secretary of the Company at the principal executive offices of the Company not later than the close of business on the 90th day nor earlier than the close of business on the 120th day prior to the first anniversary of the prior year’s annual meeting to be properly brought before an annual meeting of stockholders; provided, however, that in the event that the date of the annual meeting is more than 30 days before or more than 70 days after such anniversary date, or if no annual meeting was held in the preceding year, notice by the stockholder must be so delivered not earlier than the close of business on the 120th day prior to such annual meeting and not later than the close of business on the later of the 90th day prior to such annual meeting or the 10th day following the day on which public announcement of the date of such meeting is first made by the Company. Thus, if the Company does not receive notice of such a proposal or nomination by March 31, 2026, it will be considered “untimely,” and the presiding officer at the 2026 Annual Meeting may properly use his or her discretionary authority to declare that such proposal or nomination was not properly brought before the meeting and therefore shall not be transacted. Any matter so submitted must comply with the other provisions of our bylaws. In addition, to comply with the universal proxy rules, stockholders who intend to solicit proxies in support of director nominees other than the Company’s nominees must satisfy the requirements set forth in Rule 14a-19 of the Exchange Act, including providing notice to the Company that sets forth the information required by Rule 14a-19 under the Exchange Act. For the 2026 Annual Meeting, such notice must be postmarked or transmitted electronically to the Company at its principal executive office no later than March 31, 2026, which is the tenth day following the day on which public announcement of the date of the 2026 Annual Meeting of shareholders is first made by the Company.
Item 9C. Disclosure Regarding Foreign Jurisdictions that Prevent Inspections
Not applicable.
114
Table of Contents
PART III
Item 10. Directors, Executive Officers and Corporate Governance
The information required by this item is incorporated by reference to our Proxy Statement relating to our 2026 Annual Meeting of Stockholders. The Proxy Statement will be filed with the SEC within 120 days of the fiscal year ended January 31, 2026.
Item 11. Executive Compensation
The information required by this item is incorporated by reference to our Proxy Statement relating to our 2026 Annual Meeting of Stockholders. The Proxy Statement will be filed with the SEC within 120 days of the fiscal year ended January 31, 2026.
Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
The information required by this item is incorporated by reference to our Proxy Statement relating to our 2026 Annual Meeting of Stockholders. The Proxy Statement will be filed with the SEC within 120 days of the fiscal year ended January 31, 2026.
Item 13. Certain Relationships and Related Transactions, and Director Independence
The information required by this item is incorporated by reference to our Proxy Statement relating to our 2026 Annual Meeting of Stockholders. The Proxy Statement will be filed with the SEC within 120 days of the fiscal year ended January 31, 2026.
Item 14. Principal Accountant Fees and Services
The information required by this item is incorporated by reference to our Proxy Statement relating to our 2026 Annual Meeting of Stockholders. The Proxy Statement will be filed with the SEC within 120 days of the fiscal year ended January 31, 2026.
115
Table of Contents
PART IV
Item 15. Exhibits and Financial Statement Schedules
(a) The following documents are filed as part of this Annual Report:
1. Financial Statements
Our consolidated financial statements are listed in the “Index to Consolidated Financial Statements” under Part II, Item 8 of this Annual Report.
2. Financial Statement Schedules
All schedules have been omitted as the required information is either included in the consolidated financial statements or notes thereto, or not required, or not applicable.
3. See Item 15(b)
(b) Exhibits:
| Exhibit Number | Description | |||||||
| 3.1 | Certificate of Incorporation of SailPoint, Inc. (incorporated by reference to Exhibit 3.1 to the Current Report on Form 8-K filed by the Company on February 19, 2025). | |||||||
| 3.2 | Bylaws of SailPoint, Inc. (incorporated by reference to Exhibit 3.2 to the Current Report on Form 8-K filed by the Company on February 19, 2025). | |||||||
| 4.1 | Registration Rights Agreement, dated August 16, 2022, by and among SailPoint Parent LP, Thoma Bravo and the other parties thereto (incorporated by reference to Exhibit 4.1 to Amendment No. 3 to the Company’s Registration Statement on Form S-1, filed with the SEC on February 12, 2025). | |||||||
4.2 | Description of Common Stock (incorporated by reference to Exhibit 4.2 to the Annual Report on Form 10-K filed by the Company on March 27, 2025). | |||||||
10.1*** | Credit Agreement, dated as of June 25, 2025, among SailPoint Technologies, Inc., SailPoint Technologies Intermediate Holdings, LLC, Morgan Stanley Senior Funding, Inc., as administrative agent, collateral agent, lender and letter of credit issuer, and the other lenders party thereto (incorporated by reference to Exhibit 10.1 to the Current Report on Form 8-K filed by the Company on June 26, 2025). | |||||||
10.2 | Lease, dated October 2, 2017, by and between BDN Four Points Land LP and SailPoint Technologies, Inc. (incorporated by reference to Exhibit 10.24 to the Registration Statement on Form S-1 filed by SailPoint Technologies Holdings, Inc. on October 20, 2017). | |||||||
10.3*** | First Amendment to Lease, dated March 27, 2019, by and between BDN Four Points Land LP and SailPoint Technologies, Inc. (incorporated by reference to Exhibit 10.4 to Amendment No. 3 to the Company’s Registration Statement on Form S-1, filed with the SEC on February 12, 2025). | |||||||
10.4 | Director Designation Agreement, dated as of February 12, 2025, by and among SailPoint, Inc. and the stockholders party thereto (incorporated by reference to Exhibit 10.1 to the Current Report on Form 8-K filed by the Company on February 19, 2025). | |||||||
10.5+ | SailPoint, Inc. Omnibus Incentive Plan (incorporated by reference to Exhibit 10.3 to the Current Report on Form 8-K filed by the Company on February 19, 2025). | |||||||
10.6+* | Form of Restricted Stock Unit Grant Notice and Award Agreement (Executive Officers) under the SailPoint, Inc. Omnibus Incentive Plan. | |||||||
10.7+ | Form of Restricted Stock Unit Grant Notice and Award Agreement (Non-employee Directors) under the SailPoint, Inc. Omnibus Incentive Plan (incorporated by reference to Exhibit 10.8 to Amendment No. 3 to the Company’s Registration Statement on Form S-1, filed with the SEC on February 12, 2025). | |||||||
116
Table of Contents
| Exhibit Number | Description | |||||||
10.8+ | SailPoint, Inc. Executive Change in Control and Severance Plan and Form of Participation Agreement (incorporated by reference to Exhibit 10.7 to the Quarterly Report on Form 10-Q filed by the Company on June 12, 2025). | |||||||
10.9+ | Form of Indemnification Agreement between SailPoint, Inc. and each of its directors and executive officers (incorporated by reference to Exhibit 10.9 to the Company’s Registration Statement on Form S-1, filed with the SEC on January 17, 2025). | |||||||
10.10+ | Amended and Restated Senior Management and Restricted Stock Agreement, dated November 5, 2017, by and among SailPoint Technologies Holdings, Inc., SailPoint Technologies, Inc., and Mark McClain (incorporated by reference to Exhibit 10.12 to Amendment No. 3 to the Registration Statement on Form S-1 filed by SailPoint Technologies Holdings, Inc. on November 14, 2017). | |||||||
10.11+ | Amendment No. 1 to Amended and Restated Senior Management and Restricted Stock Agreement, dated as of April 2, 2019, by and among SailPoint Technologies Holdings, Inc., SailPoint Technologies, Inc., and Mark McClain (incorporated by reference to Exhibit 10.1 to the Quarterly Report on Form 10-Q filed by SailPoint Technologies Holdings, Inc. on August 6, 2019). | |||||||
10.12+ | Offer Letter, dated August 19, 2019, by and between SailPoint Technologies, Inc. and Matt Mills (incorporated by reference to Exhibit 10.1 to the Quarterly Report on Form 10-Q filed by SailPoint Technologies Holdings, Inc. on November 6, 2019). | |||||||
10.13+ | Offer Letter, dated December 2, 2022, by and between SailPoint Technologies, Inc. and Brian Carolan (incorporated by reference to Exhibit 10.13 to the Company’s Registration Statement on Form S-1, filed with the SEC on January 17, 2025). | |||||||
10.14+ | Offer Letter, dated February 1, 2017, by and between SailPoint Technologies, Inc. and Chris Schmitt (incorporated by reference to Exhibit 10.35 to the Annual Report on Form 10-K filed by SailPoint Technologies Holdings, Inc. on February 28, 2022 for the year ended December 31, 2021). | |||||||
10.15+ | Offer Letter, dated October 7, 2011, by and between SailPoint Technologies, Inc. and Abby Payne (incorporated by reference to Exhibit 10.15 to the Company’s Registration Statement on Form S-1, filed with the SEC on February 12, 2025). | |||||||
10.16+ | Non-Employee Director Compensation Policy (incorporated by reference to Exhibit 10.17 to the Annual Report on Form 10-K filed by the Company on March 27, 2025). | |||||||
19.1 | ||||||||
| 21.1* | List of Subsidiaries of SailPoint, Inc. | |||||||
23.1* | Consent of Ernst & Young LLP | |||||||
| 31.1* | Certification of Principal Executive Officer Pursuant to Rules 13a-14(a) and 15d-14(a) under the Securities Exchange Act of 1934, as Adopted Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002. | |||||||
| 31.2* | Certification of Principal Financial Officer Pursuant to Rules 13a-14(a) and 15d-14(a) under the Securities Exchange Act of 1934, as Adopted Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002. | |||||||
| 32.1** | Certification of Principal Executive Officer Pursuant to 18 U.S.C. Section 1350, as Adopted Pursuant to Section 906 of the Sarbanes-Oxley Act of 2002. | |||||||
| 32.2** | Certification of Principal Financial Officer Pursuant to 18 U.S.C. Section 1350, as Adopted Pursuant to Section 906 of the Sarbanes-Oxley Act of 2002. | |||||||
97 | Clawback Policy of SailPoint, Inc. adopted February 12, 2025 (incorporated by reference to Exhibit 97 to the Annual Report on Form 10-K filed by the Company on March 27, 2025). | |||||||
* Filed herewith.
** Furnished herewith (such certification shall not be deemed “filed” for purposes of Section 18 of the Exchange Act, except to the extent that the Company specifically incorporates it by reference).
*** Certain schedules and exhibits have been omitted in accordance with Item 601(a)(5) of Regulation S-K. A copy of any omitted schedule and/or exhibit will be furnished to the SEC on request.
+ Management contract or compensatory plan or arrangement.
117
Table of Contents
Item 16. Form 10-K Summary
None.
118
Table of Contents
SIGNATURES
Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized.
SailPoint, Inc., | ||||||||
| | ||||||||
Date: March 19, 2026 | By: | /s/ Mark McClain | ||||||
| Mark McClain Chief Executive Officer and Director | ||||||||
| | ||||||||
Date: March 19, 2026 | By: | /s/ Brian Carolan | ||||||
Brian Carolan Chief Financial Officer | ||||||||
Pursuant to the requirements of the Securities Exchange Act of 1934, this report has been signed below by the following persons on behalf of the registrant and in the capacities and on the dates indicated.
119
Table of Contents
| Name | Title | Date | ||||||||||||
| /s/ Mark McClain | Chief Executive Officer and Director (Principal Executive Officer) | March 19, 2026 | ||||||||||||
| Mark McClain | ||||||||||||||
/s/ Brian Carolan | Chief Financial Officer (Principal Financial Officer) | March 19, 2026 | ||||||||||||
Brian Carolan | ||||||||||||||
/s/ Mitra Rezvan | Chief Accounting Officer (Principal Accounting Officer) | March 19, 2026 | ||||||||||||
Mitra Rezvan | ||||||||||||||
/s/ Andrew Almeida | Director | March 19, 2026 | ||||||||||||
Andrew Almeida | ||||||||||||||
/s/ William Bock | Director | March 19, 2026 | ||||||||||||
William Bock | ||||||||||||||
/s/ Seth Boro | Director | March 19, 2026 | ||||||||||||
Seth Boro | ||||||||||||||
/s/ Ronald Green | Director | March 19, 2026 | ||||||||||||
Ronald Green | ||||||||||||||
/s/ James (Jim) Hagan | Director | March 19, 2026 | ||||||||||||
James (Jim)Hagan | ||||||||||||||
/s/ Nabil Hamade | Director | March 19, 2026 | ||||||||||||
Nabil Hamade | ||||||||||||||
/s/ Sacha May | Director | March 19, 2026 | ||||||||||||
Sacha May | ||||||||||||||
/s/ Tracey Newell | Director | March 19, 2026 | ||||||||||||
Tracey Newell | ||||||||||||||
120
FAQ
What does SailPoint, Inc. (SAIL) do?
SailPoint provides identity security solutions that help enterprises control which human, machine, and AI identities can access applications and data. Its SailPoint Platform and IdentityIQ products use AI, automation, and policy-based governance to support security, regulatory compliance, and visibility across complex hybrid and multi-cloud IT environments.
How fast is SailPoint (SAIL) growing its revenue?
SailPoint’s revenue increased from $699.6 million to $1.1 billion between fiscal years ended January 31, 2024 and January 31, 2026. This growth reflects increasing adoption of its SaaS Identity Security Cloud, expansion of existing customers, and a broader portfolio that includes AI-driven analytics and specialized identity security modules.
How large and global is SailPoint’s (SAIL) customer base?
SailPoint serves approximately 3,235 organizations across more than 65 countries as of January 31, 2026. Its customers span financial services, technology, healthcare, public sector, and other industries, including a significant share of Fortune 500 and Forbes Global 2000 companies seeking enterprise-scale identity security.
What role does AI play in SailPoint’s identity security solutions?
AI underpins SailPoint’s identity security, powering access recommendations, role discovery, anomaly detection, and generative entitlement descriptions. The SailPoint Atlas foundation and Harbor Pilot AI agents use machine learning and large language models to automate decisions, streamline workflows, and manage complex human, machine, and AI agent identities at scale.
How important are international markets for SailPoint (SAIL)?
International markets are significant for SailPoint, contributing 35% of revenue in the fiscal year ended January 31, 2026. The company offers solutions in more than 65 countries and uses global system integrators, channel partners, and certifications like ISO 27001 and FedRAMP to support regulated and multinational customers.
Who controls SailPoint, Inc. (SAIL), and why does it matter?
Thoma Bravo controls SailPoint, and the company notes that Thoma Bravo’s interests may conflict with those of other stockholders. This ownership structure can influence strategic direction, partner relationships, and governance decisions, forming one of the principal risk factors highlighted for potential investors.
What are key business risks identified by SailPoint (SAIL) in its 10-K?
Key risks include slower customer growth or renewals, reliance on channel partners, intense competition from large vendors and specialists, evolving AI and security threats, long and unpredictable sales cycles, and regulatory and data privacy requirements. The company also highlights cybersecurity incidents and Thoma Bravo’s control as material risks.
SailPoint Parent, LP
NASDAQ:SAIL
SAIL Rankings
SAIL Latest News
SAIL Latest SEC Filings
Mar 18, 2026
[8-K] SailPoint, Inc. Reports Material Event