qlys-20240630
0001107843--12-312024Q2false61111P3Yxbrli:sharesiso4217:USDiso4217:USDxbrli:sharesiso4217:EURiso4217:GBPiso4217:INRiso4217:CADxbrli:pureqlys:segment00011078432024-01-012024-06-3000011078432024-07-2600011078432024-06-3000011078432023-12-3100011078432024-04-012024-06-3000011078432023-04-012023-06-3000011078432023-01-012023-06-3000011078432022-12-3100011078432023-06-300001107843us-gaap:CommonStockMember2023-12-310001107843us-gaap:AdditionalPaidInCapitalMember2023-12-310001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-12-310001107843us-gaap:RetainedEarningsMember2023-12-310001107843us-gaap:RetainedEarningsMember2024-01-012024-03-3100011078432024-01-012024-03-310001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2024-01-012024-03-310001107843us-gaap:CommonStockMember2024-01-012024-03-310001107843us-gaap:AdditionalPaidInCapitalMember2024-01-012024-03-310001107843us-gaap:CommonStockMember2024-03-310001107843us-gaap:AdditionalPaidInCapitalMember2024-03-310001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2024-03-310001107843us-gaap:RetainedEarningsMember2024-03-3100011078432024-03-310001107843us-gaap:RetainedEarningsMember2024-04-012024-06-300001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2024-04-012024-06-300001107843us-gaap:CommonStockMember2024-04-012024-06-300001107843us-gaap:AdditionalPaidInCapitalMember2024-04-012024-06-300001107843us-gaap:CommonStockMember2024-06-300001107843us-gaap:AdditionalPaidInCapitalMember2024-06-300001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2024-06-300001107843us-gaap:RetainedEarningsMember2024-06-300001107843us-gaap:CommonStockMember2022-12-310001107843us-gaap:AdditionalPaidInCapitalMember2022-12-310001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2022-12-310001107843us-gaap:RetainedEarningsMember2022-12-310001107843us-gaap:RetainedEarningsMember2023-01-012023-03-3100011078432023-01-012023-03-310001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-01-012023-03-310001107843us-gaap:CommonStockMember2023-01-012023-03-310001107843us-gaap:AdditionalPaidInCapitalMember2023-01-012023-03-310001107843us-gaap:CommonStockMember2023-03-310001107843us-gaap:AdditionalPaidInCapitalMember2023-03-310001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-03-310001107843us-gaap:RetainedEarningsMember2023-03-3100011078432023-03-310001107843us-gaap:RetainedEarningsMember2023-04-012023-06-300001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-04-012023-06-300001107843us-gaap:CommonStockMember2023-04-012023-06-300001107843us-gaap:AdditionalPaidInCapitalMember2023-04-012023-06-300001107843us-gaap:CommonStockMember2023-06-300001107843us-gaap:AdditionalPaidInCapitalMember2023-06-300001107843us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-06-300001107843us-gaap:RetainedEarningsMember2023-06-300001107843us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Member2024-06-300001107843us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2024-06-300001107843us-gaap:FairValueMeasurementsRecurringMember2024-06-300001107843us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Member2023-12-310001107843us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2023-12-310001107843us-gaap:FairValueMeasurementsRecurringMember2023-12-310001107843us-gaap:MoneyMarketFundsMemberus-gaap:CashEquivalentsMember2024-06-300001107843us-gaap:CashEquivalentsMemberus-gaap:CommercialPaperMember2024-06-300001107843us-gaap:CashEquivalentsMemberus-gaap:USGovernmentCorporationsAndAgenciesSecuritiesMember2024-06-300001107843us-gaap:CashEquivalentsMember2024-06-300001107843us-gaap:CommercialPaperNotIncludedWithCashAndCashEquivalentsMemberus-gaap:ShortTermInvestmentsMember2024-06-300001107843us-gaap:CorporateDebtSecuritiesMemberus-gaap:ShortTermInvestmentsMember2024-06-300001107843us-gaap:ShortTermInvestmentsMemberus-gaap:AssetBackedSecuritiesMember2024-06-300001107843us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:ShortTermInvestmentsMember2024-06-300001107843us-gaap:ShortTermInvestmentsMember2024-06-300001107843us-gaap:OtherLongTermInvestmentsMemberus-gaap:CorporateDebtSecuritiesMember2024-06-300001107843us-gaap:OtherLongTermInvestmentsMemberus-gaap:AssetBackedSecuritiesMember2024-06-300001107843us-gaap:OtherLongTermInvestmentsMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2024-06-300001107843us-gaap:OtherLongTermInvestmentsMember2024-06-300001107843us-gaap:MoneyMarketFundsMemberus-gaap:CashEquivalentsMember2023-12-310001107843us-gaap:CashEquivalentsMemberus-gaap:USGovernmentCorporationsAndAgenciesSecuritiesMember2023-12-310001107843us-gaap:CashEquivalentsMember2023-12-310001107843us-gaap:CommercialPaperNotIncludedWithCashAndCashEquivalentsMemberus-gaap:ShortTermInvestmentsMember2023-12-310001107843us-gaap:CorporateDebtSecuritiesMemberus-gaap:ShortTermInvestmentsMember2023-12-310001107843us-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:ShortTermInvestmentsMember2023-12-310001107843us-gaap:ShortTermInvestmentsMember2023-12-310001107843us-gaap:OtherLongTermInvestmentsMemberus-gaap:CorporateDebtSecuritiesMember2023-12-310001107843us-gaap:OtherLongTermInvestmentsMemberus-gaap:AssetBackedSecuritiesMember2023-12-310001107843us-gaap:OtherLongTermInvestmentsMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2023-12-310001107843us-gaap:OtherLongTermInvestmentsMember2023-12-310001107843us-gaap:CommercialPaperNotIncludedWithCashAndCashEquivalentsMember2024-06-300001107843us-gaap:CorporateDebtSecuritiesMember2024-06-300001107843us-gaap:USGovernmentAgenciesDebtSecuritiesMember2024-06-300001107843us-gaap:CommercialPaperNotIncludedWithCashAndCashEquivalentsMember2023-12-310001107843us-gaap:AssetBackedSecuritiesMember2023-12-310001107843us-gaap:CorporateDebtSecuritiesMember2023-12-310001107843us-gaap:USGovernmentAgenciesDebtSecuritiesMember2023-12-3100011078432018-12-310001107843us-gaap:DesignatedAsHedgingInstrumentMemberus-gaap:ForeignExchangeContractMemberus-gaap:CashFlowHedgingMember2024-06-300001107843us-gaap:DesignatedAsHedgingInstrumentMemberus-gaap:ForeignExchangeContractMemberus-gaap:CashFlowHedgingMember2023-12-310001107843us-gaap:NondesignatedMemberus-gaap:ForeignExchangeContractMember2024-06-300001107843us-gaap:NondesignatedMemberus-gaap:ForeignExchangeContractMember2023-12-310001107843us-gaap:DesignatedAsHedgingInstrumentMember2024-06-300001107843us-gaap:DesignatedAsHedgingInstrumentMember2023-12-310001107843us-gaap:NondesignatedMember2024-06-300001107843us-gaap:NondesignatedMember2023-12-310001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2023-12-310001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2023-12-310001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2024-01-012024-03-310001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2024-01-012024-03-310001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2024-03-310001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2024-03-310001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2024-04-012024-06-300001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2024-04-012024-06-300001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2024-06-300001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2024-06-300001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2022-12-310001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2022-12-310001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2023-01-012023-03-310001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2023-01-012023-03-310001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2023-03-310001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2023-03-310001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2023-04-012023-06-300001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2023-04-012023-06-300001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMember2023-06-300001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMember2023-06-300001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMemberus-gaap:ReclassificationOutOfAccumulatedOtherComprehensiveIncomeMember2024-04-012024-06-300001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMemberus-gaap:ReclassificationOutOfAccumulatedOtherComprehensiveIncomeMember2023-04-012023-06-300001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMemberus-gaap:ReclassificationOutOfAccumulatedOtherComprehensiveIncomeMember2024-01-012024-06-300001107843us-gaap:AccumulatedGainLossNetCashFlowHedgeParentMemberus-gaap:ReclassificationOutOfAccumulatedOtherComprehensiveIncomeMember2023-01-012023-06-300001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMemberus-gaap:ReclassificationOutOfAccumulatedOtherComprehensiveIncomeMember2023-04-012023-06-300001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMemberus-gaap:ReclassificationOutOfAccumulatedOtherComprehensiveIncomeMember2023-01-012023-06-300001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMemberus-gaap:ReclassificationOutOfAccumulatedOtherComprehensiveIncomeMember2024-01-012024-06-300001107843us-gaap:AccumulatedNetUnrealizedInvestmentGainLossMemberus-gaap:ReclassificationOutOfAccumulatedOtherComprehensiveIncomeMember2024-04-012024-06-300001107843us-gaap:ComputerEquipmentMember2024-06-300001107843us-gaap:ComputerEquipmentMember2023-12-310001107843us-gaap:ComputerSoftwareIntangibleAssetMember2024-06-300001107843us-gaap:ComputerSoftwareIntangibleAssetMember2023-12-310001107843us-gaap:LeaseholdImprovementsMember2024-06-300001107843us-gaap:LeaseholdImprovementsMember2023-12-310001107843qlys:ScannerAppliancesMember2024-06-300001107843qlys:ScannerAppliancesMember2023-12-310001107843us-gaap:FurnitureAndFixturesMember2024-06-300001107843us-gaap:FurnitureAndFixturesMember2023-12-310001107843qlys:ScannerAppliancesAndOtherComputerEquipmentSubjectToSubscriptionMember2024-06-300001107843qlys:ScannerAppliancesAndOtherComputerEquipmentSubjectToSubscriptionMember2023-12-310001107843qlys:ScannerAppliancesAndOtherComputerEquipmentNotPlacedInServiceMember2024-06-300001107843qlys:ScannerAppliancesAndOtherComputerEquipmentNotPlacedInServiceMember2023-12-3100011078432024-07-012024-06-3000011078432025-01-012024-06-3000011078432026-01-012024-06-3000011078432027-01-012024-06-3000011078432028-01-012024-06-3000011078432029-01-012024-06-300001107843us-gaap:SalesChannelDirectlyToConsumerMember2024-04-012024-06-300001107843us-gaap:SalesChannelDirectlyToConsumerMember2023-04-012023-06-300001107843us-gaap:SalesChannelDirectlyToConsumerMember2024-01-012024-06-300001107843us-gaap:SalesChannelDirectlyToConsumerMember2023-01-012023-06-300001107843us-gaap:SalesChannelThroughIntermediaryMember2024-04-012024-06-300001107843us-gaap:SalesChannelThroughIntermediaryMember2023-04-012023-06-300001107843us-gaap:SalesChannelThroughIntermediaryMember2024-01-012024-06-300001107843us-gaap:SalesChannelThroughIntermediaryMember2023-01-012023-06-300001107843us-gaap:DevelopedTechnologyRightsMember2024-06-300001107843us-gaap:PatentsMember2024-06-300001107843qlys:AssembledWorkforceMember2024-06-300001107843qlys:IntangibleAssetsNotSubjectToAmortizationMember2024-06-300001107843us-gaap:DevelopedTechnologyRightsMember2023-12-310001107843us-gaap:PatentsMember2023-12-310001107843qlys:AssembledWorkforceMember2023-12-310001107843qlys:IntangibleAssetsNotSubjectToAmortizationMember2023-12-310001107843qlys:The2012EquityIncentivePlanMember2022-06-082022-06-080001107843qlys:The2012EquityIncentivePlanMember2024-06-122024-06-120001107843qlys:The2021EmployeeStockPurchasePlanMember2021-06-090001107843qlys:The2021EmployeeStockPurchasePlanMember2021-06-092021-06-090001107843srt:MinimumMemberqlys:The2021EmployeeStockPurchasePlanMember2021-06-092021-06-090001107843srt:MaximumMemberqlys:The2021EmployeeStockPurchasePlanMember2021-06-092021-06-090001107843qlys:The2021EmployeeStockPurchasePlanMember2024-01-012024-06-300001107843qlys:The2021EmployeeStockPurchasePlanMember2024-06-300001107843qlys:The2012EquityIncentivePlanMember2024-01-012024-06-3000011078432023-01-012023-12-310001107843srt:ExecutiveOfficerMemberqlys:PerformanceBasedRestrictedStockUnitsMember2024-01-012024-06-300001107843srt:MaximumMembersrt:ExecutiveOfficerMemberqlys:PerformanceBasedRestrictedStockUnitsMember2024-01-012024-06-300001107843srt:MinimumMembersrt:ExecutiveOfficerMemberqlys:PerformanceBasedRestrictedStockUnitsMember2024-01-012024-06-300001107843us-gaap:RestrictedStockUnitsRSUMember2023-12-310001107843us-gaap:RestrictedStockUnitsRSUMember2024-01-012024-06-300001107843us-gaap:RestrictedStockUnitsRSUMember2024-06-300001107843qlys:ExecutiveOfficer1Memberqlys:PerformanceBasedRestrictedStockUnitsMember2022-01-012022-12-310001107843qlys:ExecutiveOfficer1Memberqlys:PerformanceBasedRestrictedStockUnitsMember2021-01-012021-12-310001107843qlys:ExecutiveOfficer1Memberqlys:PerformanceBasedRestrictedStockUnitsMember2023-01-012023-12-310001107843qlys:PerformanceBasedRestrictedStockUnitsMemberqlys:ExecutiveOfficer2Member2021-01-012021-12-310001107843qlys:PerformanceBasedRestrictedStockUnitsMemberqlys:ExecutiveOfficer2Member2022-01-012022-12-310001107843qlys:PerformanceBasedRestrictedStockUnitsMemberqlys:ExecutiveOfficer2Member2023-01-012023-12-310001107843qlys:ExecutiveOfficer3Memberqlys:PerformanceBasedRestrictedStockUnitsMember2023-01-012023-12-310001107843qlys:ExecutiveOfficer3Memberqlys:PerformanceBasedRestrictedStockUnitsMember2022-01-012022-12-310001107843qlys:ExecutiveOfficer3Memberqlys:PerformanceBasedRestrictedStockUnitsMember2021-01-012021-12-310001107843qlys:PerformanceBasedRestrictedStockUnitsMemberqlys:ExecutiveOfficer4Member2024-01-012024-06-300001107843qlys:PerformanceBasedRestrictedStockUnitsMemberqlys:ExecutiveOfficer4Member2021-01-012021-12-310001107843qlys:PerformanceBasedRestrictedStockUnitsMemberqlys:ExecutiveOfficer4Member2022-01-012022-12-310001107843qlys:PerformanceBasedRestrictedStockUnitsMemberqlys:ExecutiveOfficer4Member2023-01-012023-12-310001107843us-gaap:CostOfSalesMember2024-04-012024-06-300001107843us-gaap:CostOfSalesMember2023-04-012023-06-300001107843us-gaap:CostOfSalesMember2024-01-012024-06-300001107843us-gaap:CostOfSalesMember2023-01-012023-06-300001107843us-gaap:ResearchAndDevelopmentExpenseMember2024-04-012024-06-300001107843us-gaap:ResearchAndDevelopmentExpenseMember2023-04-012023-06-300001107843us-gaap:ResearchAndDevelopmentExpenseMember2024-01-012024-06-300001107843us-gaap:ResearchAndDevelopmentExpenseMember2023-01-012023-06-300001107843us-gaap:SellingAndMarketingExpenseMember2024-04-012024-06-300001107843us-gaap:SellingAndMarketingExpenseMember2023-04-012023-06-300001107843us-gaap:SellingAndMarketingExpenseMember2024-01-012024-06-300001107843us-gaap:SellingAndMarketingExpenseMember2023-01-012023-06-300001107843us-gaap:GeneralAndAdministrativeExpenseMember2024-04-012024-06-300001107843us-gaap:GeneralAndAdministrativeExpenseMember2023-04-012023-06-300001107843us-gaap:GeneralAndAdministrativeExpenseMember2024-01-012024-06-300001107843us-gaap:GeneralAndAdministrativeExpenseMember2023-01-012023-06-300001107843qlys:PerformanceBasedRestrictedStockUnitsMember2024-04-012024-06-300001107843qlys:PerformanceBasedRestrictedStockUnitsMember2023-04-012023-06-300001107843qlys:PerformanceBasedRestrictedStockUnitsMember2024-01-012024-06-300001107843qlys:PerformanceBasedRestrictedStockUnitsMember2023-01-012023-06-300001107843us-gaap:EmployeeStockOptionMember2024-06-300001107843qlys:PerformanceBasedRestrictedStockUnitsMember2024-06-300001107843qlys:ESPPSharesMember2024-06-300001107843us-gaap:EmployeeStockOptionMember2024-01-012024-06-300001107843qlys:ESPPSharesMember2024-01-012024-06-3000011078432018-02-1200011078432018-10-3000011078432019-10-3000011078432020-05-0700011078432021-02-1000011078432021-11-0300011078432022-05-0400011078432023-02-0900011078432024-02-070001107843country:US2024-04-012024-06-300001107843country:US2023-04-012023-06-300001107843country:US2024-01-012024-06-300001107843country:US2023-01-012023-06-300001107843us-gaap:NonUsMember2024-04-012024-06-300001107843us-gaap:NonUsMember2023-04-012023-06-300001107843us-gaap:NonUsMember2024-01-012024-06-300001107843us-gaap:NonUsMember2023-01-012023-06-300001107843country:US2024-06-300001107843country:US2023-12-310001107843country:IN2024-06-300001107843country:IN2023-12-310001107843qlys:OtherGeographicAreasMember2024-06-300001107843qlys:OtherGeographicAreasMember2023-12-310001107843us-gaap:EmployeeStockOptionMember2024-04-012024-06-300001107843us-gaap:EmployeeStockOptionMember2023-04-012023-06-300001107843us-gaap:EmployeeStockOptionMember2024-01-012024-06-300001107843us-gaap:EmployeeStockOptionMember2023-01-012023-06-300001107843us-gaap:RestrictedStockUnitsRSUMember2024-04-012024-06-300001107843us-gaap:RestrictedStockUnitsRSUMember2023-04-012023-06-300001107843us-gaap:RestrictedStockUnitsRSUMember2024-01-012024-06-300001107843us-gaap:RestrictedStockUnitsRSUMember2023-01-012023-06-300001107843qlys:EmployeeStockPurchasePlanSharesMember2024-04-012024-06-300001107843qlys:EmployeeStockPurchasePlanSharesMember2023-04-012023-06-300001107843qlys:EmployeeStockPurchasePlanSharesMember2024-01-012024-06-300001107843qlys:EmployeeStockPurchasePlanSharesMember2023-01-012023-06-30
Table of Contents
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
__________________
FORM 10-Q
__________________
xQuarterly Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the Quarterly Period Ended June 30, 2024
oTransition Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the transition period from          to
Commission file number 001-35662
__________________
QUALYS, INC.
(Exact name of registrant as specified in its charter)
__________________
Delaware77-0534145
(State or other jurisdiction of
incorporation or organization)
(I.R.S. Employer
Identification Number)
919 E. Hillsdale Boulevard, 4th Floor, Foster City, California 94404
(Address of principal executive offices, including zip code)
(650) 801-6100
(Registrant’s telephone number, including area code)
__________________
Securities registered pursuant to Section 12(b) of the Act:
Title of each classTrading Symbol(s)Name of each exchange on which registered
Common stock, $0.001 par value per shareQLYSThe NASDAQ Stock Market LLC
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    Yes  x    No   o
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).    Yes  x    No o
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company” and "emerging growth company" in Rule 12b-2 of the Exchange Act.
Large accelerated filer
xAccelerated filero
Non-accelerated fileroSmaller reporting companyo
Emerging growth companyo
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. o
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).    Yes o    No  x
The number of shares of the registrant's common stock outstanding as of July 26, 2024 was 36,811,018.


Table of Contents
Qualys, Inc.
TABLE OF CONTENTS
Page
2

Table of Contents
RISK FACTOR SUMMARY
Our business is subject to significant risks and uncertainties that make an investment in us speculative and risky. Below we summarize what we believe are the principal risk factors but these risks are not the only ones we face, and you should carefully review and consider the full discussion of our risk factors in the section titled “Risk Factors,” together with the other information in this Quarterly Report on Form 10-Q. If any of the following risks actually occurs (or if any of those listed elsewhere in this Quarterly Report on Form 10-Q occur), our business, reputation, financial condition, results of operations, revenue, and future prospects could be seriously harmed. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that adversely affect our business.

Our quarterly and annual operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial condition may be harmed.
If we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, our operating results and our business would be harmed.
If we are unable to renew existing subscriptions for our IT, security and compliance solutions, sell additional subscriptions for our solutions and attract new customers, our operating results would be harmed.
Our current research and development efforts may not produce successful products or enhancements to our platform that result in significant revenue, cost savings or other benefits in the near future.
Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.
Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues may vary from period to period, which may cause our operating results to fluctuate and could harm our business.
Adverse economic conditions or reduced IT spending may adversely impact our business.
Our IT, security and compliance solutions are delivered from 14 shared cloud platforms, and any disruption of service at these facilities would interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.
We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.
If we are unable to continue the expansion of our sales force, sales of our solutions and the growth of our business would be harmed.
We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage our distribution channels, our revenues could decline and our growth prospects could suffer.
A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number of risks associated with conducting international operations, and if we are unable to successfully manage these risks, our business and operating results could be harmed.
If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results would be harmed.
Our business and operations have continued to grow since inception, and if we do not appropriately manage any future growth, or are unable to improve our systems and processes, our operating results may be negatively affected.
A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in liability.
Our solutions could be used to collect and store personal information of our customers’ employees or customers, and therefore privacy and other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions.
Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our solutions.
We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost customers or harm to our reputation and our operating results.
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and harm our business and operating results.
3

Table of Contents
PART I. FINANCIAL INFORMATION
Item 1.                                 Financial Statements
Qualys, Inc.
CONDENSED CONSOLIDATED BALANCE SHEETS
(unaudited)
(in thousands, except per share data)
June 30,
2024
December 31,
2023
Assets
Current assets:
Cash and cash equivalents$281,205 $203,665 
Restricted cash 1,500 
Short-term marketable securities112,004 221,893 
Accounts receivable, net of allowance of $1,060 and $778 as of June 30, 2024 and December 31, 2023, respectively
109,584 146,226 
Prepaid expenses and other current assets31,266 26,714 
Total current assets534,059 599,998 
Long-term marketable securities162,058 56,644 
Property and equipment, net27,758 32,599 
Operating leases - right of use asset44,100 22,391 
Deferred tax assets, net70,433 62,761 
Intangible assets, net8,172 9,715 
Goodwill7,447 7,447 
Noncurrent restricted cash1,200 1,200 
Other noncurrent assets21,373 19,863 
Total assets$876,600 $812,618 
Liabilities and Stockholders’ Equity
Current liabilities:
Accounts payable$1,277 $988 
Accrued liabilities36,095 43,096 
Deferred revenues, current324,334 333,267 
Operating lease liabilities, current10,123 11,857 
Total current liabilities371,829 389,208 
Deferred revenues, noncurrent28,812 31,671 
Operating lease liabilities, noncurrent40,437 16,885 
Other noncurrent liabilities7,727 6,680 
Total liabilities448,805 444,444 
Commitments and contingencies (Note 8)
Stockholders’ equity:
Preferred stock: $0.001 par value; 20,000 shares authorized, no shares issued and outstanding as of June 30, 2024 and December 31, 2023
  
Common stock: $0.001 par value; 1,000,000 shares authorized, 36,846 and 36,909 shares issued and outstanding as of June 30, 2024 and December 31, 2023, respectively
37 37 
Additional paid-in capital623,939 597,921 
Accumulated other comprehensive loss(534)(1,704)
Accumulated deficit(195,647)(228,080)
Total stockholders’ equity427,795 368,174 
Total liabilities and stockholders’ equity$876,600 $812,618 
The accompanying notes are an integral part of these Condensed Consolidated Financial Statements.
4

Table of Contents
Qualys, Inc.
CONDENSED CONSOLIDATED STATEMENTS OF OPERATIONS
(unaudited)
(in thousands, except per share data)
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
Revenues$148,708 $137,209 $294,513 $267,892 
Cost of revenues26,415 26,662 53,613 53,616 
Gross profit122,293 110,547 240,900 214,276 
Operating expenses:
Research and development27,119 27,424 54,649 55,219 
Sales and marketing32,146 26,241 61,554 51,869 
General and administrative14,960 14,055 31,868 29,183 
Total operating expenses74,225 67,720 148,071 136,271 
Income from operations48,068 42,827 92,829 78,005 
Other income (expense), net:
Interest income6,703 3,809 12,826 6,206 
Other expense, net(587)(959)(1,986)(1,175)
Total other income, net6,116 2,850 10,840 5,031 
Income before income taxes54,184 45,677 103,669 83,036 
Income tax provision10,412 10,295 20,166 18,549 
Net income$43,772 $35,382 $83,503 $64,487 
Net income per share:
Basic$1.19 $0.96 $2.26 $1.75 
Diluted$1.17 $0.95 $2.22 $1.72 
Weighted average shares used in computing net income per share:
Basic36,91536,84236,93536,954
Diluted37,46437,43537,59437,551
The accompanying notes are an integral part of these Condensed Consolidated Financial Statements.
5

Table of Contents
Qualys, Inc.
CONDENSED CONSOLIDATED STATEMENTS OF COMPREHENSIVE INCOME
(unaudited)
(in thousands)
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
Net income$43,772 $35,382 $83,503 $64,487 
Other comprehensive income (loss), net of tax
Net change in unrealized gains (losses) on available-for-sale debt securities, net of tax(221)312 (628)1,443 
Net change in unrealized gains (losses) on cash flow hedges, net of tax694 (457)1,798 (1,212)
Other comprehensive income (loss), net of tax473 (145)1,170 231 
Comprehensive income$44,245 $35,237 $84,673 $64,718 
The accompanying notes are an integral part of these Condensed Consolidated Financial Statements.
6

Table of Contents
Qualys, Inc.
CONDENSED CONSOLIDATED STATEMENTS OF CASH FLOWS
(unaudited)
(in thousands)
Six Months Ended
June 30,
20242023
Cash flow from operating activities:
Net income$83,503 $64,487 
Adjustments to reconcile net income to net cash provided by operating activities:  
Depreciation and amortization expense10,019 14,446 
Provision for credit losses277 160 
Loss on non-marketable securities 533 
Stock-based compensation, net of amounts capitalized36,117 32,038 
Accretion of discount on marketable securities, net(3,520)(1,412)
Deferred income taxes(8,165)(9,122)
Changes in operating assets and liabilities:  
Accounts receivable36,365 (3,277)
Prepaid expenses and other assets(4,489)(7,450)
Accounts payable229 (813)
Accrued liabilities and other noncurrent liabilities(3,215)8,736 
Deferred revenues(11,792)20,002 
Net cash provided by operating activities135,329 118,328 
Cash flow from investing activities:
Purchases of marketable securities(191,812)(159,392)
Sales and maturities of marketable securities198,250 167,120 
Purchases of property and equipment(3,077)(5,455)
Net cash provided by investing activities3,361 2,273 
Cash flow from financing activities:
Repurchase of common stock(53,017)(108,817)
Proceeds from exercise of stock options5,970 7,148 
Payments for taxes related to net share settlement of equity awards(17,711)(9,494)
Proceeds from issuance of common stock through employee stock purchase plan3,608 2,988 
Payment of acquisition-related holdback(1,500) 
Net cash used in financing activities(62,650)(108,175)
Net increase in cash, cash equivalents and restricted cash76,040 12,426 
Cash, cash equivalents and restricted cash at beginning of period206,365 176,419 
Cash, cash equivalents and restricted cash at end of period$282,405 $188,845 
The accompanying notes are an integral part of these Condensed Consolidated Financial Statements.
7

Table of Contents
Qualys, Inc.
CONDENSED CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY
(unaudited)
(in thousands)
Common Stock
Additional
Paid-In
Capital
Accumulated
Other
Comprehensive
Income (Loss)
Accumulated
Deficit
Total
Stockholders’
Equity
SharesAmount
Balances at December 31, 202336,909$37 $597,921 $(1,704)$(228,080)$368,174 
Net income— — — 39,731 39,731 
Other comprehensive income, net of tax— — 697 — 697 
Issuance of common stock upon exercise of stock options46— 2,770 — — 2,770 
Repurchase of common stock(105)— (627)— (17,402)(18,029)
Issuance of common stock upon vesting of restricted stock units149— — — — — 
Taxes related to net share settlement of equity awards(66)— (11,808)— — (11,808)
Issuance of common stock through employee stock purchase plan29— 3,608 — — 3,608 
Stock-based compensation— 19,059 — — 19,059 
Balances at March 31, 202436,962$37 $610,923 $(1,007)$(205,751)$404,202 
Net income— — — 43,772 43,772 
Other comprehensive income, net of tax— — 473 — 473 
Issuance of common stock upon exercise of stock options61— 3,200 — — 3,200 
Repurchase of common stock(233)— (1,395)— (33,668)(35,063)
Issuance of common stock upon vesting of restricted stock units91— — — — — 
Taxes related to net share settlement of equity awards(35)— (5,903)— — (5,903)
Stock-based compensation— 17,114 — — 17,114 
Balances at June 30, 202436,846$37 $623,939 $(534)$(195,647)$427,795 
The accompanying notes are an integral part of these Condensed Consolidated Financial Statements.
Common Stock
Additional
Paid-In
Capital
Accumulated
Other
Comprehensive
Income (Loss)
Accumulated
Deficit
Total
Stockholders’
Equity
SharesAmount
Balances at December 31, 202237,362$37 $512,486 $(1,947)$(221,447)$289,129 
Net income— — — 29,105 29,105 
Other comprehensive income, net of tax— — 376 — 376 
Issuance of common stock upon exercise of stock options61— 2,328 — — 2,328 
Repurchase of common stock(584)— (7,014)— (60,018)(67,032)
Issuance of common stock upon vesting of restricted stock units108— — — — — 
Taxes related to net share settlement of equity awards(43)— (5,105)— — (5,105)
Issuance of common stock through employee stock purchase plan29— 2,988 — — 2,988 
Stock-based compensation— 16,033 — — 16,033 
Balances at March 31, 202336,933$37 $521,716 $(1,571)$(252,360)$267,822 
Net income— — — 35,382 35,382 
Other comprehensive loss, net of tax— — (145)— (145)
Issuance of common stock upon exercise of stock options101— 4,820 — — 4,820 
Repurchase of common stock(346)— (4,157)— (38,335)(42,492)
Issuance of common stock upon vesting of restricted stock units96— — — — — 
Taxes related to net share settlement of equity awards(38)— (4,389)— — (4,389)
Stock-based compensation— 16,020 — — 16,020 
Balances at June 30, 202336,746$37 $534,010 $(1,716)$(255,313)$277,018 
The accompanying notes are an integral part of these Condensed Consolidated Financial Statements.
8

Table of Contents
Qualys, Inc.
NOTES TO CONDENSED CONSOLIDATED FINANCIAL STATEMENTS
(unaudited)
NOTE 1.                              Description of Business and Summary of Significant Accounting Policies
Description of Business
Qualys, Inc. (the “Company”, "we", "us", "our") was incorporated in the state of Delaware on December 30, 1999. The Company is headquartered in Foster City, California and has wholly-owned subsidiaries throughout the world. The Company is a leading provider of cloud-based information technology ("IT"), security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations. The Company’s cloud solutions address the growing security and compliance complexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web environments, the rapid adoption of cloud computing and the proliferation of geographically dispersed IT assets. Organizations can use the Company’s integrated suite of solutions delivered on Qualys' Enterprise TruRisk Platform to cost-effectively obtain a unified view of their security and compliance posture across globally-distributed IT infrastructures.
Basis of Presentation
The accompanying unaudited condensed consolidated financial statements and condensed footnotes have been prepared in accordance with accounting principles generally accepted in the United States ("U.S. GAAP") for interim financial information as well as the instructions to Form 10-Q and the rules and regulations of the U.S. Securities and Exchange Commission ("SEC"). Certain information and disclosures normally included in the financial statements prepared in accordance with U.S. GAAP have been condensed or omitted pursuant to such rules and regulations. The condensed consolidated balance sheet as of December 31, 2023, included herein, was derived from the audited financial statements as of that date but does not include all disclosures, including notes required by U.S. GAAP. In the opinion of management, the accompanying unaudited condensed consolidated financial statements reflect all adjustments, which include only normal recurring adjustments, necessary for the fair statement of the financial position, results of operations and cash flows for the interim periods. The results of operations for the three and six months ended June 30, 2024 are not necessarily indicative of the results of operations expected for the entire year ending December 31, 2024 or for any other future annual or interim periods. These condensed consolidated financial statements should be read in conjunction with the consolidated financial statements and related notes included in the Company’s Annual Report on Form 10-K for the year ended December 31, 2023 filed with the SEC on February 22, 2024.
Use of Estimates
The preparation of the unaudited condensed consolidated financial statements in conformity with U.S. GAAP requires management to make certain estimates and assumptions that affect the reported amounts of assets and liabilities and disclosure of assets and liabilities at the date of the condensed consolidated financial statements and the reported results of operations during the reporting period. The Company’s management regularly assesses these estimates, which primarily affect revenue recognition, allowance for credit loss, the valuation of goodwill and intangible assets, leases, stock-based compensation and income tax provision. Actual results could differ from those estimates and such differences may be material to the accompanying unaudited condensed consolidated financial statements.
Recently Adopted Accounting Pronouncements
None.
9

Table of Contents
Recently Issued Accounting Pronouncements Not Yet Adopted
In November 2023, the Financial Accounting Standards Board ("FASB") issued Accounting Standards Update ("ASU") 2023-07 requiring enhanced segment disclosures. The ASU requires disclosure of significant segment expenses regularly provided to the chief operating decision maker ("CODM") included within segment operating profit or loss. Additionally, the ASU requires a description of how the CODM utilizes segment operating profit or loss to assess segment performance. The requirements of the ASU are effective for annual periods beginning after December 15, 2023, and interim periods within fiscal years beginning after December 15, 2024. The Company's annual reporting requirements will be effective for fiscal 2024 and interim reporting requirements will be effective beginning with the first quarter of fiscal 2025. Early adoption is permitted and retrospective application is required for all periods presented. The Company is in the process of analyzing the impact of the ASU on related disclosures.
In December 2023, the FASB issued ASU 2023-09 requiring improvements to income tax disclosures. The new ASU requires disclosure of disaggregated information about the effective tax rate and income taxes paid. The requirements of the ASU are effective for annual periods beginning after December 15, 2024 and are to be applied on a prospective basis The Company's annual reporting requirements will be effective for fiscal year 2025. Companies can choose to early adopt and apply the guidance retrospectively. The Company is in the process of analyzing the impact of the ASU on related disclosures.
There have been no material changes to the Company’s significant accounting policies set forth in "Note 1" of Notes to Consolidated Financial Statements included in the Company’s Annual Report on Form 10-K for the year ended December 31, 2023.
NOTE 2.                              Fair Value of Financial Instruments
Fair value is defined as the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date. For certain of the Company’s financial instruments, including certain cash equivalents, accounts receivable, accounts payable and accrued liabilities, the carrying amounts approximate their fair values due to the relatively short maturity of these balances.
The Company measures and reports certain cash equivalents, marketable securities, derivative foreign currency forward contracts at fair value in accordance with the provisions of the authoritative accounting guidance that addresses fair value measurements. This guidance establishes a hierarchy for inputs used in measuring fair value that maximizes the use of observable inputs and minimizes the use of unobservable inputs by requiring that the most observable inputs be used when available. The hierarchy is broken down into three levels based on the reliability of inputs as follows:
Level 1 - Valuations based on quoted prices in active markets for identical assets or liabilities.
Level 2 - Valuations based on other than quoted prices in active markets for identical assets and liabilities, including quoted prices for identical assets or liabilities in less active or inactive markets, quoted prices for similar assets or liabilities in active markets, or inputs other than quoted prices that are observable for substantially the full term of the assets or liabilities.
Level 3 - Valuations based on inputs that are generally unobservable and typically reflect management’s estimates of assumptions that market participants would use in pricing the asset or liability.
The Company's financial instruments consist of assets and liabilities measured using Level 1 and 2 inputs. Level 1 assets include a highly liquid money market fund, which is valued using unadjusted quoted prices that are available in an active market for an identical asset. Level 2 assets include fixed-income U.S. Treasury and government agency securities, commercial paper, corporate bonds, asset-backed securities and derivative financial instruments consisting of foreign currency forward contracts. The securities, bonds and commercial paper are valued using prices from independent pricing services based on quoted prices of identical instruments in less active or inactive markets, quoted prices of similar instruments in active markets, or industry models using data inputs such as interest rates and prices that can be directly observed or corroborated in active markets. The foreign currency forward contracts are valued using observable inputs, such as quotations on forward foreign exchange points and foreign interest rates.
10

Table of Contents
The following table sets forth by level within the fair value hierarchy the fair value of the Company's financial assets and liabilities measured at fair value on a recurring basis:
June 30, 2024
Level 1Level 2Fair Value
(in thousands)
Money market funds$21,221 $ $21,221 
Commercial paper 24,106 24,106 
U.S. Treasury and government agencies 213,122 213,122 
Corporate bonds 112,049 112,049 
Asset-backed securities 10,203 10,203 
Foreign currency forward contracts 865 865 
Total assets$21,221 $360,345 $381,566 
Foreign currency forward contracts$ $461 $461 
Total liabilities$ $461 $461 
December 31, 2023
Level 1Level 2Fair Value
(in thousands)
Money market funds$87 $ $87 
Commercial paper 54,279 54,279 
U.S. Treasury and government agencies 208,536 208,536 
Corporate bonds 56,465 56,465 
Asset-backed securities 13,881 13,881 
Foreign currency forward contracts 111 111 
Total assets$87 $333,272 $333,359 
Foreign currency forward contracts$ $1,986 $1,986 
Total liabilities$ $1,986 $1,986 
There were no transfers between Level 1, Level 2 and Level 3 categories during the three and six months ended June 30, 2024 and 2023.
11

Table of Contents
Cash equivalent and investments
The Company's cash equivalents and marketable securities consist of the following:
June 30, 2024
Amortized CostUnrealized GainsUnrealized LossesFair Value
(in thousands)
Cash equivalents: (1)
Money market funds$21,221 $ $ $21,221 
Commercial paper3,957  (3)3,954 
U.S. Treasury and government agencies81,466  (2)81,464 
Total106,644  (5)106,639 
Short-term marketable securities:    
Commercial paper20,179  (27)20,152 
Corporate bonds31,859 1 (102)31,758 
Asset-backed securities42   42 
U.S. Treasury and government agencies60,098  (46)60,052 
Total112,178 1 (175)112,004 
Long-term marketable securities:
Corporate bonds80,606 34 (349)80,291 
Asset-backed securities10,094 67  10,161 
U.S. Treasury and government agencies71,701 12 (107)71,606 
Total162,401 113 (456)162,058 
Total$381,223 $114 $(636)$380,701 
(1)Excludes cash of $174.6 million.
12

Table of Contents
December 31, 2023
Amortized CostUnrealized GainsUnrealized LossesFair Value
(in thousands)
Cash equivalents: (2)
Money market funds$87 $ $ $87 
U.S. Treasury and government agencies54,620 4  54,624 
Total54,707 4  54,711 
Short-term marketable securities:
Commercial paper54,254 32 (7)54,279 
Corporate bonds23,013 1 (149)22,865 
U.S. Treasury and government agencies144,901 52 (204)144,749 
Total222,168 85 (360)221,893 
Long-term marketable securities:
Corporate bonds33,337 285 (22)33,600 
Asset-backed securities13,785 102 (6)13,881 
U.S. Treasury and government agencies9,116 49 (2)9,163 
Total56,238 436 (30)56,644 
Total$333,113 $525 $(390)$333,248 
(2)Excludes cash of $149.0 million.
The following table summarizes the gross unrealized losses and fair value of the Company's marketable securities that were in an unrealized loss position aggregated by length of time:
June 30, 2024
Less than 12 months12 months or longerTotal
Fair ValueGross Unrealized LossesFair ValueGross Unrealized LossesFair ValueGross Unrealized Losses
(in thousands)
Commercial paper$24,107 $(30)$ $ $24,107 $(30)
Corporate bonds85,389 (422)3,772 (29)89,161 (451)
U.S. Treasury and government agencies191,339 (136)11,903 (19)203,242 (155)
Total$300,835 $(588)$15,675 $(48)$316,510 $(636)
December 31, 2023
Less than 12 months12 months or longerTotal
Fair ValueGross Unrealized LossesFair ValueGross Unrealized LossesFair ValueGross Unrealized Losses
(in thousands)
Commercial paper$24,838 $(7)$ $ $24,838 $(7)
Asset-backed securities  1,485 (6)1,485 (6)
Corporate bonds  20,717 (171)20,717 (171)
U.S. Treasury and government agencies43,373 (18)18,172 (188)61,545 (206)
Total$68,211 $(25)$40,374 $(365)$108,585 $(390)
13

Table of Contents
The Company considered the extent to which any unrealized losses on its marketable securities were driven by credit risk and other factors, including market risk, and if it is more-likely-than-not that the Company would have to sell the security before the recovery of the amortized cost basis. At June 30, 2024 and December 31, 2023, the unrealized losses related to its marketable securities were due to rising market interest rates compared to when the investments were initiated. The Company does not believe the unrealized losses represent credit risk, and the Company does not intend to sell any of the securities in an unrealized loss position and it is not likely that the Company would be required to sell these securities before recovery of their amortized cost basis, which may be at maturity. Thus, no credit loss was recognized for the Company's marketable securities for the three and six months ended June 30, 2024 and 2023.
The following summarizes the fair value of marketable securities by contractual maturity:
June 30, 2024
Amortized CostFair Value
(in thousands)
Due within One Year$218,780 $218,601 
Due after One Year through Five Years152,307 151,897 
Asset-backed securities10,136 10,203 
Total$381,223 $380,701 
Non-Marketable Securities
During the fiscal year ended December 31, 2018, the Company invested $2.5 million in preferred stock of a privately-held company. The fair value of the investment is not readily available, and there are no quoted market prices for the investment. The Company accounts for the investment at cost less impairment and will measure the investment at fair value when the Company identifies observable price changes. The investment is assessed for impairment whenever events or changes in circumstances indicate that the fair value of the investment is less than carrying value. During the second quarter of 2023, the Company identified an observable price change in the investment and recognized an immaterial unrealized loss in other income (expense), net of the condensed consolidated statement of operations. The investment is included in other noncurrent assets on the condensed consolidated balance sheets. The Company has not received any dividends from the investment.
Derivative Financial Instruments
Designated cash flow hedges
The Company enters into foreign currency forward contracts to reduce the risk of variability in future cash flow due to foreign currency exchange rate fluctuation from certain forecasted subscription revenue orders billed in British Pound ("GBP") and Euro ("EUR") and operating expenses incurred in Indian Rupee ("INR"), which are designated as cash flow hedges. Hedge effectiveness is assessed at inception and at each reporting period utilizing regression analysis. Unrealized foreign exchange gains or losses related to those designated cash flow hedge contracts are recorded in accumulated other comprehensive income ("AOCI") and will be reclassified into revenues or operating expenses, respectively, in the same periods when the hedged transactions are recognized in earnings.
As of June 30, 2024, the Company had designated cash flow hedge forward contracts with notional amounts of €45.3 million, £16.9 million and Rs.4,138.0 million. As of December 31, 2023, the Company had designated cash flow hedge forward contracts with notional amounts of €48.5 million, £14.6 million and Rs.4,042.0 million.
As of June 30, 2024, an immaterial amount of net unrealized loss before tax on the foreign currency forward contracts for GBP and EUR reported in AOCI is expected to be reclassified into revenue within the next 12 months. As of June 30, 2024, an immaterial amount of net unrealized loss before tax on the foreign currency forward contracts for INR reported in AOCI is expected to be reclassified into operating expenses within the next 12 months.
14

Table of Contents
Non-designated forward contracts
The Company also uses foreign currency forward contracts to hedge certain foreign currency denominated assets or liabilities, which are not designated as cash flow hedges. Unrealized foreign exchange gain or losses related to the non-designated forward contracts are recorded in other income (expenses), net and offset the foreign exchange gain or loss on the underlying net monetary assets or liabilities.
As of June 30, 2024, the Company had non-designated forward contracts with notional amounts of €9.8 million, £5.5 million, Rs.1,065.0 million, and Canadian Dollar ("C$" or "CAD") 1.8 million. As of December 31, 2023, the Company had non-designated forward contracts with notional amounts of €19.2 million, £6.0 million, Rs.440.0 million, and C$1.0 million.
The following summarizes the fair value of derivative financial instruments as of June 30, 2024 and December 31, 2023:
June 30,
2024
December 31,
2023
(in thousands)
Assets
Foreign currency forward contracts designated as cash flow hedge$863 $63 
Foreign currency forward contracts not designated as hedging instruments2 48 
Total$865 $111 
Liabilities
Foreign currency forward contracts designated as cash flow hedge$385 $1,502 
Foreign currency forward contracts not designated as hedging instruments76 484 
Total$461 $1,986 
The Company presents its derivative assets and derivative liabilities at gross fair values in the condensed consolidated balance sheets. However, under the master netting agreements with the respective counterparties of the foreign exchange contracts, subject to applicable requirements, the Company is allowed to net settle transactions of the same currency with a single net amount payable by one party to the other. The potential offset to both assets and liabilities under the right of set-off associated with the Company's foreign currency exchange contracts are immaterial as of June 30, 2024 and December 31, 2023. The derivatives held by the Company are not subject to any credit contingent features negotiated with its counterparties. The Company is not required to pledge nor is entitled to receive cash collateral related to the above contracts. The counterparties to these derivatives are large, global financial institutions that the Company believes are creditworthy, and therefore, it does not consider the risk of counterparty nonperformance to be material.
The following summarizes the gains (losses) recognized from forward contracts and other foreign currency transactions in other income (expense), net in the condensed consolidated statements of operations:
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
(in thousands)(in thousands)
Net gains (losses) from non-designated forward contracts$(73)$(109)$439 $150 
Other foreign currency transactions losses(518)(306)(2,459)(731)
Total foreign exchange losses, net$(591)$(415)$(2,020)$(581)
15

Table of Contents
NOTE 3.                              Accumulated Other Comprehensive Income (Loss)
The components and changes in accumulated other comprehensive income (loss) for the three and six months ended June 30, 2024 and 2023 were as follows:
Available-for-Sale Debt SecuritiesCash Flow HedgesTotal
(in thousands)
Balances at December 31, 2023$108 $(1,812)$(1,704)
Change in unrealized gains (losses) during the period(436)1,222 786 
Amount reclassified into income during the period 218 218 
Tax effect29 (336)(307)
Net change during the period(407)1,104 697 
Balances at March 31, 2024$(299)$(708)$(1,007)
Change in unrealized gains (losses) during the period(221)465 244 
Amount reclassified into income during the period 414 414 
Tax effect (185)(185)
Net change during the period(221)694 473 
Balances at June 30, 2024$(520)$(14)$(534)
Balances at December 31, 2022$(2,705)$758 $(1,947)
Change in unrealized gains (losses) during the period1,131 (443)688 
Amount reclassified into income during the period (534)(534)
Tax effect 222 222 
Net change during the period1,131 (755)376 
Balances at March 31, 2023$(1,574)$3 $(1,571)
Change in unrealized gains (losses) during the period312 65 377 
Amount reclassified into income during the period (665)(665)
Tax effect 143 143 
Net change during the period312 (457)(145)
Balances at June 30, 2023$(1,262)$(454)$(1,716)
The effects on income before income taxes of amounts reclassified from AOCI to the condensed consolidated statements of operations were as follows:
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
(in thousands)(in thousands)
Reclassification of AOCI - Cash flow hedges
Revenues$(375)$1,061 $(654)$2,197 
Cost of revenues(9)(91)6 (230)
Research and development(24)(252)13 (635)
Sales and marketing(2)(16)1 (39)
General and administrative(4)(37)2 (94)
Total$(414)$665 $(632)$1,199 
There was no reclassification of AOCI to other income (expense), net related to Available-for-sale debt securities during the three and six months ended June 30, 2024 and 2023.
16

Table of Contents
NOTE 4.                              Property and Equipment, Net
Property and equipment, net, consists of the following:
June 30,
2024
December 31,
2023
(in thousands)
Computer equipment$181,204 $179,002 
Computer software26,154 26,133 
Leasehold improvements20,987 20,924 
Scanner appliances18,661 18,369 
Furniture, fixtures and equipment6,800 6,699 
Total property and equipment253,806 251,127 
Less: accumulated depreciation and amortization(226,048)(218,528)
Property and equipment, net$27,758 $32,599 
As of June 30, 2024 and December 31, 2023, physical scanner appliances and other computer equipment that are or will be subject to leases by customers had a net carrying value of $9.9 million and $10.1 million, respectively, including assets that had not been placed in service of $6.1 million and $6.4 million, respectively.
Depreciation and amortization expenses relating to property and equipment were $4.0 million and $6.1 million for the three months ended June 30, 2024 and 2023, respectively, and $8.5 million and $12.6 million for the six months ended June 30, 2024 and 2023, respectively, which were mainly recorded in cost of revenues in the condensed consolidated statements of operations.
NOTE 5.                              Revenue from Contracts with Customers
The Company records deferred revenue when cash payments are received or due in advance of its performance obligations offset by revenue recognized in the period. Revenues of $99.8 million and $86.4 million were recognized during the three months ended June 30, 2024 and 2023, respectively, and $229.6 million and $200.2 million were recognized during the six months ended June 30, 2024 and 2023, respectively, which amounts were included in the deferred revenue balances of $364.9 million and $317.2 million as of December 31, 2023 and 2022, respectively.
The Company's payment terms vary by the type and location of its customers. The term between invoicing and when payment is due is not significant. In certain circumstances, based on the credit quality of the customer, the Company requires payment before the products or services are delivered to the customer.
The following table sets forth the expected revenue from all remaining performance obligations as of June 30, 2024:
(in thousands)
2024 (remaining six months)$111,389 
2025160,431 
202678,439 
202713,341 
2028997 
2029 and thereafter272 
Total$364,869 
Revenues allocated to remaining performance obligations represents the transaction price of noncancelable orders for which service has not been performed, which include deferred revenue and the amounts that will be invoiced and recognized as revenues in future periods from open contracts and excludes unexercised renewals. The Company applied the
17

Table of Contents
short-term contract exemption to exclude the remaining performance obligations that are part of a contract that has an original expected duration of one year or less.
From time to time, the Company enters into contracts with customers that extend beyond one year, with certain of its customers electing to pay for more than one year of services upon contract execution. The Company concluded that these contracts did not contain a financing component.
Revenues by sales channel are as follows:
Three Months EndedSix Months Ended
June 30,June 30,
2024202320242023
(in thousands)(in thousands)
Direct$80,303 $78,818 $160,429 $153,911 
Partner68,405 58,391 134,084 113,981 
Total$148,708 $137,209 $294,513 $267,892 
The Company utilizes partners to enable and accelerate the adoption of its cloud platform by increasing its distribution capabilities and market awareness of its cloud platform as well as by targeting geographic regions outside the reach of its direct sales force. The Company's channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners may offer the Company's IT security and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which the Company can connect with these prospective customers to offer its solutions. For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves the Company's sales team as needed to assist in developing and closing an order. When a channel partner secures a sale, the Company sells the associated subscription to the channel partner who in turn resells the subscription to the customer. Sales to channel partners are made at a discount and revenues are recorded at this discounted price over the subscription terms. The Company does not have any influence or specific knowledge of its partners' selling terms with their customers. See Note 11, "Segment and Geographic Area Information" for disaggregation of revenue by geographic area.
Deferred costs to obtain contracts are as follows:
June 30,
2024
December 31,
2023
(in thousands)
Current$6,301 $5,858 
Noncurrent$12,667 $11,844 
For the three months ended June 30, 2024 and 2023, the Company recognized $1.8 million and $1.5 million, respectively, of amortization expense relating to deferred costs to obtain contracts in sales and marketing expense in the condensed consolidated statements of operations. For the six months ended June 30, 2024 and 2023, the Company recognized $3.4 million and $2.9 million, respectively, of amortization expense relating to deferred costs to obtain contracts in sales and marketing expense in the condensed consolidated statements of operations. During the same periods, there was no impairment loss related to the deferred costs to obtain contracts.
As of December 31, 2022, the net carrying value of the Company’s accounts receivable, current deferred revenues, and noncurrent deferred revenues were $121.8 million, $293.7 million and $23.5 million, respectively.
NOTE 6.                              Intangible Assets, Net
Intangible assets consist primarily of developed technology and patent licenses acquired from business or asset acquisitions. Acquired intangibles are amortized on a straight-line basis over the respective estimated useful lives of the assets.
18

Table of Contents
The carrying values of intangible assets are as follows:
June 30, 2024
(in thousands)Weighted Average Life (Years)CostAccumulated AmortizationNet Book Value
Developed technology4.6$40,141 $(32,070)$8,071 
Patent licenses14.01,387 (1,371)16 
Assembled workforce2.0359 (314)45 
Total intangibles subject to amortization$41,887 $(33,755)$8,132 
Intangible assets not subject to amortization40 
Total intangible assets, net$8,172 
 December 31, 2023
(in thousands)Weighted Average Life (Years)CostAccumulated AmortizationNet Book Value
Developed technology4.6$40,141 $(30,667)$9,474 
Patent licenses14.01,387 (1,322)65 
Assembled workforce2.0359 (223)136 
Total intangibles subject to amortization$41,887 $(32,212)$9,675 
Intangible assets not subject to amortization40 
Total intangible assets, net$9,715 
Intangible asset amortization expense was $0.8 million and $0.8 million for the three months ended June 30, 2024 and 2023, respectively, and $1.5 million and $1.5 million for the six months ended June 30, 2024 and 2023, respectively. Intangible asset amortization expenses were primarily recorded in cost of revenues in the condensed consolidated statements of operations.
As of June 30, 2024, the Company expects amortization expense in future periods to be as follows:
(in thousands)
2024 (remaining six months)$1,361 
20252,556 
20262,477 
20271,738 
Total expected future amortization expense$8,132 
NOTE 7.                              Leases
The Company leases certain offices, computer equipment and its shared cloud platform facilities under non-cancelable operating leases for varying periods through 2030. While under the Company's lease agreements the Company has options to extend its certain leases, the Company has not included renewal options in determining the lease terms for calculating its lease liabilities, as these options are not reasonably certain of being exercised. Lease expense was $3.8 million and $4.2 million for the three months ended June 30, 2024 and 2023, respectively, and $7.6 million and $8.2 million for the six months ended June 30, 2024 and 2023, respectively.
19

Table of Contents
Supplemental cash flow information related to operating leases was as follows:
Six Months Ended
June 30,
20242023
(in thousands)
Cash payments included in the measurement of lease liabilities$7,073 $7,699 
Lease liabilities arising from obtaining right-of-use assets$27,822 $121 
The weighted average remaining lease term and the weighted average discount rate of the Company's operating leases were as follows:
June 30,
2024
December 31,
2023
Weighted average remaining lease term (years)4.53.1
Weighted average discount rate7.3 %5.2 %
Maturities of the Company's operating lease liabilities as of June 30, 2024 are as follows:
(in thousands)
2024 (remaining six months)$6,847 
202512,569 
202612,172 
202712,225 
20289,448 
2029 and thereafter7,313 
Total minimum lease payments60,574 
Less: interest(10,014)
Present value of net minimum lease payments$50,560 
NOTE 8.                              Commitments and Contingencies
Indemnifications
The Company from time to time enters into certain types of contracts that contingently require it to indemnify various parties against claims from third parties. These contracts primarily relate to (i) the Company's bylaws, under which it must indemnify directors and executive officers, and may indemnify other officers and employees, for liabilities arising out of their relationship, (ii) contracts under which the Company must indemnify directors and certain officers for liabilities arising out of their relationship, and (iii) contracts under which the Company may be required to indemnify customers or resellers from certain liabilities arising from potential infringement of intellectual property rights, as well as potential damages caused by limited product defects. To date, the Company has not incurred and has not recorded any liability in connection with such indemnifications.
The Company maintains director and officer insurance, which may cover certain liabilities arising from its obligation to indemnify its directors.
20

Table of Contents
NOTE 9.                              Stockholders' Equity and Stock-based Compensation
Equity Incentive Plans
Restated 2012 Equity Incentive Plan
On June 8, 2022 ("Effective Date"), the Company's stockholders approved the Amended and Restated 2012 Equity Incentive Plan (the "Restated 2012 Plan"). Under the Restated 2012 Plan, the Company is authorized to grant to eligible participants incentive stock options, nonstatutory stock options, restricted stock, restricted stock units ("RSUs"), stock appreciation rights, performance units and performance shares. Pursuant to the relevant plan provisions, 3,072 thousand shares were available for grant under the Restated 2012 Plan on the Effective Date. In addition, any outstanding awards or options granted under the previous version of the 2012 Equity Incentive Plan (“Previous 2012 Plan”) will be added back to the shares available for grant under the Restated 2012 Plan if they expire unexercised or are otherwise forfeited after the Effective Date. Any remaining shares available for grant under the Previous 2012 Plan as of the Effective Date were no longer available for future grants under the Restated 2012 Plan.
On June 12, 2024, the Company's stockholders approved an amendment and restatement to the Restated 2012 Plan to increase the number of shares of the Company's common stock reserved for issuance by 1,092 thousand shares.
As of June 30, 2024, 2,716 thousand shares were available for grant under the Restated 2012 Plan.
2021 Employee Stock Purchase Plan
On June 9, 2021, the Company’s stockholders approved the 2021 Employee Stock Purchase Plan (the “ESPP”). A total of 600 thousand shares were authorized for issuance to eligible participating employees upon adoption of the ESPP. The ESPP provides for consecutive 6-month offering periods beginning on or about August 16 and February 16 of each year. Eligible employees who elect to participate can contribute from 1% to 15% of their eligible compensation through payroll withholding. During any offering period, contribution rates cannot be changed. However, eligible employees may withdraw from the current offering period. Any contributions made prior to each purchase date in the case of withdrawal or termination of employment will be refunded. On each purchase date, eligible participating employees will purchase the shares at a price per share equal to 85% of the lesser of (i) the fair market value of the Company's stock on the first trading day of the offering period or (ii) the fair market value of the Company's stock on the purchase date (i.e., the last trading day of the offering period).
During the six months ended June 30, 2024, 29 thousand shares were issued in connection with the purchase of common stock by participating employees. As of June 30, 2024, 465 thousand shares were available for future purchases.
21

Table of Contents
Stock Options
Stock options granted under the Restated 2012 Plan and Previous 2012 Plan (collectively, the "Plans") generally vest based on continued service over four years and expire ten years from the date of grant.
A summary of the Company’s stock option activity during the six months ended June 30, 2024 is as follows:
Outstanding OptionsWeighted Average Exercise
Price
Weighted Average Remaining
Contractual Life
Aggregate Intrinsic Value
(in thousands)(Years)(in thousands)
Balance as of December 31, 20231,447$97.98 6.5$142,302 
Granted137$167.29 
Exercised(107)$55.74 
Canceled(46)$123.66 
Balance as of June 30, 20241,431$106.93 6.5$54,911 
Vested and expected to vest as of June 30, 20241,276$102.70 6.2$53,581 
Exercisable as of June 30, 2024791$81.61 4.9$48,263 
Restricted Stock Units
RSUs granted under the Plans generally only contain a service-based vesting condition that is typically satisfied over four years.
Performance-based Restricted Stock Units ("PRSUs") granted under the Plans contain both service-based and performance-based vesting conditions. In February 2024, the Company granted PRSUs to its executive officers and certain other members of its senior leadership team. The performance-based vesting condition is satisfied upon the achievement of certain Company annual performance targets, including revenue growth and adjusted EBITDA margin, set by the Compensation and Talent Committee of the board of directors of the Company. The target PRSUs are scheduled to vest in three equal annual installments over a three-year period. Each annual installments at 200% of the annual target will be considered granted when the performance targets for the corresponding performance year is determined and approved. The actual number of the PRSUs earned and eligible to vest ranges from 0% to 200% of the annual target number of PRSUs granted based on the weighted-average achievement of such Company annual performance metrics set for the corresponding annual performance period. The vesting and release of the first and second installment is capped at 100% of the target number at the end of the first and second year, respectively, with cumulative achievement over 100%, if any, to be vested and released at the end of the third year, together with the vesting of the third installment. For PRSUs granted
22

Table of Contents
under the Plans, any unvested PRSU award may be accelerated in part or in full upon the occurrence of certain events, such as death or disability, or a change in control, as defined in the grant agreement.
A summary of the Company’s RSU activity, inclusive of PRSU activity, during the six months ended June 30, 2024 is as follows:
Outstanding RSUsWeighted Average Grant Date Fair Value
Per Share
(in thousands)
Balance as of December 31, 20231,074(1)$133.60 
Granted233(2)$166.97 
Vested(240)(3)$127.56 
Forfeited(126)(4)$137.67 
Balance as of June 30, 2024941(5)$142.84 
Outstanding and expected to vest as of June 30, 2024712$139.13 
(1)Included 139 thousand PRSUs granted to certain executive officers in 2023, 2022 and 2021.
(2)Included 156 thousand PRSUs granted to certain executive officers in the six months ended June 30, 2024.
(3)Included 64 thousand PRSUs granted to certain executive officers in 2023, 2022 and 2021.
(4)Included 61 thousand PRSUs granted to certain executive officers in 2023, 2022 and 2021.
(5)Included 170 thousand PRSUs granted to certain executive officers in 2024, 2023, 2022 and 2021.
Stock-based Compensation
The following table shows a summary of the stock-based compensation expense included in the condensed consolidated statements of operations:
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
(in thousands)(in thousands)
Cost of revenues$1,866 $1,717 $3,886 $3,309 
Research and development5,160 5,103 10,463 10,063 
Sales and marketing3,632 2,897 7,371 5,351 
General and administrative6,428 6,288 14,397 13,315 
Total stock-based compensation, net of amounts capitalized (1)$17,086 $16,005 $36,117 $32,038 
(1)Total stock-based compensation expense capitalized was de minimis during the three and six months ended June 30, 2024.
Of the total stock-based compensation expense in the table above, the Company recognized stock-based compensation expenses related to all PRSUs of $1.3 million and $1.2 million during the three months ended June 30, 2024 and 2023, respectively, and $4.1 million and $2.5 million for the six months ended June 30, 2024 and 2023, respectively.
As of June 30, 2024, the Company had unrecognized stock-based compensation expenses of $22.7 million, $78.0 million, $5.0 million, and $0.3 million related to options, RSUs, PRSUs, and ESPP purchase rights, respectively, which are expected to be recognized over weighted-average periods of 2.4 years, 2.5 years, 0.6 years, and 0.1 years, respectively.
23

Table of Contents
Share Repurchase Program
The Company's share repurchase program was authorized by the board of directors as follows:
Announcement DateAuthorized Dollar Value
(in millions)
February 12, 2018$100.0 
October 30, 2018100.0 
October 30, 2019100.0 
May 7, 2020100.0 
February 10, 2021100.0 
November 3, 2021200.0 
May 4, 2022200.0 
February 9, 2023100.0 
February 7, 2024200.0 
Total as of June 30, 2024$1,200.0 
Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934, including pursuant to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act. All share repurchases have been made using cash resources. Repurchased shares are retired and reclassified as authorized and unissued shares of common stock. On retirement of the repurchased shares, common stock is reduced by an amount equal to the number of shares being retired multiplied by the par value. The excess amount that is retired over its par value is first allocated as a reduction to additional paid-in capital based on the original cost of additional paid-in capital per share of identified issuances. The remaining amount is allocated to accumulated deficit.
During the six months ended June 30, 2024 and 2023, the Company repurchased 337 thousand shares and 930 thousand shares of its common stock for approximately $53.0 million and $108.8 million, respectively. As of June 30, 2024, approximately $230.7 million remained available for share repurchases pursuant to the Company's share repurchase program.
Excise tax on stock repurchases net of issue was immaterial to the Company's financial results and cash flows for the six months ended June 30, 2024 and 2023 and the Company's financial position as of June 30, 2024 and December 31, 2023.
NOTE 10.                            Income Taxes
The Company's income tax provision for interim periods is determined using an estimate of its annual effective tax rate, adjusted for discrete items, if any, that arise during the period. Each quarter, the Company updates its estimate of the annual effective tax rate, and if the estimated annual effective tax rate changes, the Company makes a cumulative adjustment in such period.
The Company's quarterly tax provision, and estimate of its annual effective tax rate, is subject to variation due to several factors, including variability in pretax income (or loss), the mix of jurisdictions to which such income relates, changes in how the Company does business, tax law developments and possible outcomes of audits. The Company's estimated effective tax rate for the year differs from the U.S. statutory rate of 21% primarily due to non-deductible stock-based compensation expense, state taxes, the benefit of U.S. federal income tax credits, the impact of mandatory capitalization of research expenses for U.S. tax purposes, and the benefits related to foreign-derived intangible income deduction.
The Company recorded an income tax provision of $10.4 million and $10.3 million for the three months ended June 30, 2024 and 2023, respectively, resulting in an effective tax rate of 19.2% and 22.5%, respectively. The increase in income tax provision for the three months ended June 30, 2024 compared to the three months ended June 30, 2023, was primarily due to tax effect of an increase in pretax income, partially offset by lower net capitalization of research and development expenses for tax purposes.
24

Table of Contents
The Company recorded an income tax provision of $20.2 million and $18.5 million for the six months ended June 30, 2024 and 2023, respectively, resulting in an effective tax rate of 19.5% and 22.3%, respectively. The increase in income tax provision for the six months ended June 30, 2024 compared to the six months ended June 30, 2023, was primarily due to tax effect of an increase in pretax income, partially offset by an increase in excess tax benefits arising from stock-based compensation and lower net capitalization of research and development expenses for tax purposes.
As of June 30, 2024, the Company had unrecognized tax benefits of $12.7 million, of which $6.7 million, if recognized, would favorably impact the Company's effective tax rate. As of December 31, 2023, the Company had unrecognized tax benefits of $11.9 million, of which $6.1 million, if recognized, would favorably impact the Company's effective tax rate. The Company does not anticipate a material change in its unrecognized tax benefits in the next 12 months.
NOTE 11.                            Segment and Geographic Area Information
Under ASC 280 Segment Reporting, operating segments are defined as components of an entity about which separate financial information is evaluated regularly by the chief operating decision maker in deciding how to allocate resources and in assessing performance. The Company operates in one segment and has only one reportable segment. The Company’s chief operating decision maker is the Chief Executive Officer, who makes operating decisions, assesses performance and allocates resources on a consolidated basis. All of the Company’s principal operations and decision-making functions are located in the United States.
Revenue by geographic area, based on the customer's billing address, is as follows:
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
(in thousands)(in thousands)
United States$86,940 $82,955 $173,376 $160,971 
Foreign61,768 54,254 121,137 106,921 
Total revenues$148,708 $137,209 $294,513 $267,892 
Long-lived assets, which consist of Property and equipment, net and Operating leases - right of use asset, by geographic area, are as follows:
June 30,
2024
December 31,
2023
(in thousands)
United States$51,258 $42,622 
India18,941 9,952 
Rest of world1,659 2,416 
Total Long-lived Assets$71,858 $54,990 
25

Table of Contents
NOTE 12.                            Net Income Per Share
The computations for basic and diluted net income per share are as follows:
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
(in thousands, except per share data)(in thousands, except per share data)
Numerator:
Net income$43,772 $35,382 $83,503 $64,487 
Denominator:
Basic weighted average shares36,915 36,842 36,935 36,954 
Effect of potentially dilutive shares:
Stock options364 460 418 475 
Restricted stock units182 131 237 120 
Employee stock purchase plan3 2 4 2 
Diluted weighted average shares37,464 37,435 37,594 37,551 
Net income per share:
Basic$1.19 $0.96 $2.26 $1.75 
Diluted$1.17 $0.95 $2.22 $1.72 
Potentially dilutive shares not included in the calculation of diluted net income per share because doing so would be anti-dilutive are as follows:
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
(in thousands)(in thousands)
Stock options5771,0224511,005
Restricted stock units4519223279
Employee stock purchase plan7
Total anti-dilutive shares6221,2144741,291
26

Table of Contents
Item 2.                                  Management's Discussion and Analysis of Financial Condition and Results of Operations
This Quarterly Report on Form 10-Q, including this Management’s Discussion and Analysis of Financial Condition and Results of Operations, should be read in conjunction with (1) our unaudited condensed consolidated financial statements and the related notes included elsewhere in this report, and (2) the audited consolidated financial statements and the related notes and section titled "Management’s Discussion and Analysis of Financial Condition and Results of Operations" included in our Annual Report on Form 10-K for the fiscal year ended December 31, 2023.
In addition to historical information, this Quarterly Report on Form 10-Q contains “forward-looking” statements within the meaning of Section 21E of the Securities Exchange Act of 1934, as amended, or the Exchange Act. Forward-looking statements generally relate to future events or our future financial or operating performance. In some cases, it is possible to identify forward-looking statements because they contain words such as “anticipates,” “believes,” “contemplates,” “continue,” “could,” “estimates,” “expects,” “future,” “intends,” “likely,” “may,” “plans,” “potential,” “predicts,” “projects,” “seek,” “should,” “target,” or “will,” or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans or intentions. Forward-looking statements contained in this Quarterly Report on Form 10-Q include, but are not limited to, statements about:
our financial performance, including our revenues, costs, expenditures, growth rates, operating expenses and ability to generate positive cash flow to fund our operations and sustain profitability;
anticipated technology trends, such as the use of cloud solutions;
our ability to adapt to changing market conditions;
economic and financial conditions, including volatility in foreign exchange rates, inflation concerns, rising interest rates, recessionary fears, financial institution failures and associated uncertainty, significant volatility of global markets, reduced spending and extended sales cycles, and geopolitical conflicts;
our ability to diversify our sources of revenues, including selling additional solutions to our existing customers and our ability to pursue new customers;
the effects of increased competition in our market;
our ability to innovate and enhance our cloud solutions and platform and introduce new solutions;
our ability to effectively manage our growth;
our anticipated investments in sales and marketing, our infrastructure, new solutions, research and development, and acquisitions;
maintaining and expanding our relationships with channel partners;
our ability to maintain, protect and enhance our brand and intellectual property;
costs associated with defending intellectual property infringement and other claims;
our ability to attract and retain qualified employees and key personnel, including sales and marketing personnel;
our ability to successfully enter new markets and manage our international expansion;
our expectations, assumptions and conclusions related to our income tax provision, our deferred tax assets and our effective tax rate;
our expectations regarding the performance of, and our future trading activity with respect to, the marketable securities we hold;
our expectations regarding our share repurchase program; and
other factors discussed in this Quarterly Report on Form 10-Q in the sections titled “Risk Factors” and “Management's Discussion and Analysis of Financial Condition and Results of Operations.”
We have based the forward-looking statements contained in this Quarterly Report on Form 10-Q primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations and prospects. The results, events and circumstances reflected in these forward-looking statements are subject to risks, uncertainties, assumptions, and other factors including those described in Part II, Item 1A (Risk Factors) of this Quarterly Report on Form 10-Q and those discussed in other documents we file with the U.S. Securities and Exchange Commission (SEC). Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time, and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements used herein. We cannot provide assurance that the results, events, and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.
27

Table of Contents
Overview
We are a leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations. Our cloud platform addresses the growing security and compliance complexities and risks that are amplified by the dissolving boundaries between IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets. Our integrated suite of IT, security and compliance solutions delivered on Qualys' Enterprise TruRisk Platform enables our customers to identify and manage their IT and operational technology (OT) assets, collect and analyze large amounts of IT security data, discover and prioritize vulnerabilities, quantify cyber risk exposure, recommend and implement remediation actions and verify the implementation of such actions. Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer security and cloud teams.
We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, we introduced additional solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud platform and refer to as the Qualys Cloud Apps help our customers detect, measure, prioritize and remediate cyber risk spanning a range of assets across on-premises, endpoints, cloud, containers, and mobile environments.
We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. We continue to experience revenue growth from our existing customers as they renew and purchase additional subscriptions, as well as from the addition of new customers to our cloud platform.
We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. For the six months ended June 30, 2024 and 2023, approximately 59% and 60%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including managed security service providers, leading cloud providers, value-added resellers and consulting firms in the United States and internationally.
Impacts of Current Macroeconomic Environment
The uncertainty surrounding macroeconomic factors in the U.S. and globally characterized by the inflationary pressure, rising interest rates, financial institution failures and associated uncertainty, significant volatility of global markets, reduced spending and extended sales cycles, and geopolitical conflicts could have a material adverse effect on our long-term business and could lead to further economic disruption and expose us to greater risk as our current and potential customers may reduce or eliminate their overall spending on IT security. We will continue to evaluate the nature and extent of the impact to our business, financial position, results of operations and cash flows.
28

Table of Contents
Key Components of Results of Operations
Revenues
We derive revenues from the sale of subscriptions to our IT, security and compliance solutions, which are delivered on our cloud platform. Subscriptions to our solutions allow customers to access our cloud-based IT, security and compliance solutions through a unified, web-based interface. Customers generally enter into one-year renewable subscriptions. The subscription fee entitles the customer to an unlimited number of scans for a specified number of devices or web applications and, if requested by a customer as part of their subscription, a specified number of physical or virtual scanner appliances. Our physical and virtual scanner appliances are requested by certain customers as part of their subscriptions in order to scan IT infrastructures within their firewalls and do not function without, and are not sold separately from, subscriptions for our solutions. In some cases, we also provide certain computer equipment used to extend our cloud platform into our customers' private cloud environment. Customers are required to return physical scanner appliances and computer equipment if they do not renew their subscriptions.
We typically invoice our customers for the entire subscription amount at the start of the subscription term. Invoiced amounts are reflected on our condensed consolidated balance sheets as accounts receivable or as cash when collected, and as deferred revenues until earned and recognized ratably over the subscription period. Accordingly, deferred revenues represent the amount billed to customers that has not yet been earned or recognized as revenues, pursuant to subscriptions entered into in current and prior periods.
Cost of Revenues
Cost of revenues consists primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation, for employees who operate our shared cloud platforms and provide support services to our customers. Other expenses include depreciation of shared cloud platform equipment, physical scanner appliances and computer hardware provided to certain customers as part of their subscriptions, expenses related to the use of shared cloud platforms, amortization of software and license fees, amortization of intangibles related to acquisitions, maintenance support, fees paid to contractors who supplement or support our operations center personnel and overhead allocations. We expect to continue to expand our shared cloud platform infrastructures and hire additional employees to support our operations, which in turn, is expected to increase the cost of revenues in absolute dollars.
Operating Expenses
Research and Development
Research and development expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation, for our research and development teams. Other expenses include third-party contractor fees, software and license fees, amortization of intangibles related to acquisitions and overhead allocations. We expect to continue to devote resources to research and development in an effort to continuously improve our existing solutions as well as develop new solutions and capabilities, which in turn, is expected to increase the research and development expenses in absolute dollars.
Sales and Marketing
Sales and marketing expenses consist primarily of personnel expenses, comprised of salaries, benefits, sales commissions, performance-based compensation and stock-based compensation for our worldwide sales and marketing teams. Other expenses include marketing and promotional events, lead-generation marketing programs, public relations, travel, software licenses and overhead allocations. Sales commissions related to new business and upsells are capitalized as an asset. We amortize the capitalized commission cost as a selling expense on a straight-line basis over a period of five years. We expense sales commissions related to contract renewals as incurred. Our new sales personnel are typically not immediately productive, and the resulting increase in sales and marketing expenses we incur when we add new personnel may not result in increased revenues if these new sales personnel fail to become productive. The timing of our hiring of sales personnel, or the participation in new marketing events or programs, and the rate at which these generate incremental revenues, may affect our future operating results. We expect to continue to invest in additional sales personnel worldwide and also in more marketing programs to support new solutions on our platform, which in turn, is expected to increase sales and marketing expenses in absolute dollars.
29

Table of Contents
General and Administrative
General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation for our executive, finance and accounting, IT, legal and human resources teams, as well as professional services, fees, software licenses and overhead allocations. We expect to continue to add personnel and incur professional services to support our growth and compliance with legal and regulatory requirements, which in turn, is expected to increase general and administrative expenses in absolute dollars.
Other Income (Expense), Net
Our other income (expense), net consists primarily of interest and returns from our cash equivalent, short-term and long-term marketable securities, non-marketable securities gains and losses, and foreign exchange gains and losses.
Income Tax Provision
We are subject to federal, state and foreign income taxes for jurisdictions in which we operate, and we use estimates in determining our income tax provision and deferred tax assets. Earnings from our non-U.S. activities are subject to income taxes in the local countries at rates which are generally similar to the U.S. statutory tax rate. We regularly assess the realizability of our net deferred tax assets. As of June 30, 2024, valuation allowances remain in certain jurisdictions where we believe it is necessary to see further positive evidence, such as sustained achievement of sufficient profits, to meet a more likely than not stance that the valuation allowance should be reversed. If additional positive evidence becomes available in the foreseeable future, we may release all or a portion of the valuation allowance. The exact timing and amount of the valuation allowance release is subject to change based on the level of profitability achieved in future periods. Release of the valuation allowance would result in the recognition of deferred tax assets and a corresponding decrease to income tax expense in the period the release is recorded.
Results of Operations
The following table sets forth selected condensed consolidated statements of operations data for each of the periods presented as a percentage of revenues:
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
Revenues100 %100 %100 %100 %
Cost of revenues18 19 18 20 
Gross profit82 81 82 80 
Operating expenses:
Research and development18 20 19 21 
Sales and marketing22 19 21 19 
General and administrative10 10 10 11 
Total operating expenses50 49 50 51 
Income from operations32 31 32 29 
Total other income, net
Income before income taxes36 33 35 31 
Income tax provision
Net income29 %26 %28 %24 %
30

Table of Contents
Comparison of Three and Six Months Ended June 30, 2024 and 2023
Revenues
Three Months Ended
June 30,
ChangeSix Months Ended
June 30,
Change
20242023$%20242023$%
(in thousands, except percentages)(in thousands, except percentages)
Revenues$148,708 $137,209 $11,499 %$294,513 $267,892 $26,621 10 %
Revenues increased by $11.5 million for the three months ended June 30, 2024 compared to the same period in 2023, driven by increased demand for our subscription services by our end customers. Of the total increase of $11.5 million in revenues, 94% was from revenues from customers existing prior to April 1, 2024, and the remaining 6% was from new customers added in the three months ended June 30, 2024. Of the total increase of $11.5 million, 35% was from customers in the United States and the remaining 65% was from customers in foreign countries. Of the total increase of $11.5 million, 13% was from direct customers and the remaining 87% was from partners. In the three months ended June 30, 2024, 54% of total revenue was direct and the remaining 46% was from partners.
Revenues increased by $26.6 million for the six months ended June 30, 2024 compared to the same period in 2023, driven by increased demand for our subscription services by our end customers. Of the total increase of $26.6 million in revenues, 88% was from revenues from customers existing prior to January 1, 2024, and the remaining 12% was from new customers added in the six months ended June 30, 2024. Of the total increase of $26.6 million, 47% was from customers in the United States and the remaining 53% was from customers in foreign countries. Of the total increase of $26.6 million, 24% was from direct customers and the remaining 76% was from partners. In the six months ended June 30, 2024, 54% of total revenue was direct and the remaining 46% was from partners.
With our strong market position driving further demand for our solutions, we expect revenue growth from new and existing customers to continue.
Cost of Revenues
Three Months Ended
June 30,
ChangeSix Months Ended
June 30,
Change
20242023$%20242023$%
(in thousands, except percentages)(in thousands, except percentages)
Cost of revenues$26,415 $26,662 $(247)(1 %)$53,613 $53,616 $(3)— %
Cost of revenues decreased by $0.2 million for the three months ended June 30, 2024 compared to the same period in 2023, due to a decrease in depreciation and amortization expense of $2.0 million resulting from certain of our assets becoming fully depreciated or amortized, partially offset by an increase in personnel costs, including stock-based compensation, of $1.0 million, driven by additional employees hired to support the growth of our business, and an increase in shared cloud platform cost of $0.8 million.
Cost of revenues was flat for the six months ended June 30, 2024 compared to the same period in 2023, due to a decrease in depreciation and amortization expense of $4.0 million resulting from certain of our assets becoming fully depreciated or amortized, partially offset by an increase in personnel costs, including stock-based compensation, of $2.1 million, driven by additional employees hired to support the growth of our business, and an increase in shared cloud platform cost of $1.9 million.
31

Table of Contents
Research and Development Expenses
Three Months Ended
June 30,
ChangeSix Months Ended
June 30,
Change
20242023$%20242023$%
(in thousands, except percentages)(in thousands, except percentages)
Research and development$27,119 $27,424 $(305)(1 %)$54,649 $55,219 $(570)(1 %)
Research and development expenses decreased by $0.3 million for the three months ended June 30, 2024 compared to the same period in 2023, primarily due to a decrease in overhead allocation, a decrease in depreciation and amortization in property and equipment, partially offset by an increase in personnel costs, including stock-based compensation, and an increase in shared cloud platform cost.
Research and development expenses decreased by $0.6 million for the six months ended June 30, 2024 compared to the same period in 2023, primarily due to a decrease in overhead allocation, a decrease in depreciation and amortization expense in property and equipment, partially offset by an increase in personnel costs, including stock-based compensation, and an increase in shared cloud platform cost.
Sales and Marketing Expenses
Three Months Ended
June 30,
ChangeSix Months Ended
June 30,
Change
20242023$%20242023$%
(in thousands, except percentages)(in thousands, except percentages)
Sales and marketing$32,146 $26,241 $5,905 23 %$61,554 $51,869 $9,685 19 %
Sales and marketing expenses increased by $5.9 million for the three months ended June 30, 2024 compared to the same period in 2023, primarily due to an increase in personnel costs, including stock-based compensation, of $3.7 million, driven by increased headcount, an increase in marketing expenses related to trade shows of $1.3 million, an increase in travel and entertainment cost of $0.6 million, and an increase in advertising expenses of $0.3 million.
Sales and marketing expenses increased by $9.7 million for the six months ended June 30, 2024 compared to the same period in 2023, primarily due to an increase in personnel costs, including stock-based compensation, of $7.2 million, driven by increased headcount, an increase in marketing expenses related to trade shows of $1.3 million, an increase in travel and entertainment cost of $0.6 million, an increase in advertising expenses of $0.3 million, and an increase in subscribed license and software costs of $0.3 million.
General and Administrative Expenses
Three Months Ended
June 30,
ChangeSix Months Ended
June 30,
Change
20242023$%20242023$%
(in thousands, except percentages)(in thousands, except percentages)
General and administrative$14,960 $14,055 $905 %$31,868 $29,183 $2,685 %
General and administrative expenses increased by $0.9 million for the three months ended June 30, 2024 compared to the same period in 2023, primarily due to an increase in personnel costs, including stock-based compensation, driven by increased headcount, an increase in professional service expense, and an increase in legal expense and other fees.
32

Table of Contents
General and administrative expenses increased by $2.7 million for the six months ended June 30, 2024 compared to the same period in 2023, primarily due to an increase in personnel costs, including stock-based compensation, driven by increased headcount and refresh grants to eligible employees and executives.
Total other income, net
Three Months Ended
June 30,
ChangeSix Months Ended
June 30,
Change
20242023$%20242023$%
(in thousands, except percentages)(in thousands, except percentages)
Total other income, net$6,116 $2,850 $3,266 115 %$10,840 $5,031 $5,809 115 %
Total other income, net increased by $3.3 million for the three months ended June 30, 2024, compared to the same periods in 2023, primarily due to an increase in interest income of $2.9 million driven by an increase in market interest rates, and a non-recurring unrealized loss of $0.5 million on a non-marketable equity security recognized during the three months ended June 30, 2023, partially offset by a $0.1 million increase in foreign currency loss.
Total other income, net increased by $5.8 million for the six months ended June 30, 2024, compared to the same periods in 2023, primarily due to an increase in interest income of $6.6 million driven by an increase in market interest rates, and a non-recurring unrealized loss of $0.5 million on a non-marketable equity security recognized during the six months ended June 30, 2023, partially offset by a $1.3 million increase in foreign currency loss.
Income tax provision
Three Months Ended
June 30,
ChangeSix Months Ended
June 30,
Change
20242023$%20242023$%
(in thousands, except percentages)(in thousands, except percentages)
Income tax provision$10,412 $10,295 $117 %$20,166 $18,549 $1,617 %
Income tax provision increased by $0.1 million for the three months ended June 30, 2024 compared to the same period in 2023 due to the tax effect of an increase in pretax income, partially offset by lower net capitalization of research and development expenses for tax purposes.
Income tax provision increased by $1.6 million for the six months ended June 30, 2024 compared to the same period in 2023 due to the tax effect of an increase in pretax income, partially offset by an increase in excess tax benefits arising from stock-based compensation and lower net capitalization of research and development expenses for tax purposes.
Key Operating and Non-GAAP Financial Performance Metrics
In addition to measures of financial performance presented in our condensed consolidated financial statements, we monitor the key metrics set forth below to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies.
Net Dollar Expansion Rate
We evaluate our ability to retain and grow existing customers by assessing our net dollar expansion rate on a last twelve months, or LTM, basis. This metric is used to appropriately manage resources and customer retention and expansion. We calculate the net dollar expansion rate on a foreign exchange neutral basis by dividing a numerator by a denominator, each defined as follows:
Denominator: To calculate our net dollar expansion rate as of the end of a reporting period, we first determine the annual recurring revenue, or ARR, from all active subscriptions as of the last day of the same reporting period in the prior
33

Table of Contents
year. This represents recurring payments that we expect to receive in the next 12-month period from the cohort of customers that existed on the last day of the same reporting period in the prior year.
Numerator: We measure the ARR for that same cohort of customers representing all active subscriptions as of the end of the reporting period, using the same foreign exchange rate from the prior year.
Our net dollar expansion rates were 102% and 108% as of June 30, 2024 and June 30, 2023, respectively.
Adjusted EBITDA
We monitor Adjusted EBITDA, a non-GAAP financial measure, to analyze our financial results and believe that it is useful to investors, as a supplement to U.S. GAAP measures, in evaluating our ongoing operational performance and enhancing an overall understanding of our past financial performance. We believe that Adjusted EBITDA helps illustrate underlying trends in our business that could otherwise be masked by the effect of the income or expenses that we exclude in Adjusted EBITDA. Furthermore, we use this measure to establish budgets and operational goals for managing our business and evaluating our performance. We also believe that Adjusted EBITDA provides an additional tool for investors to use in comparing our recurring core business operating results over multiple periods with other companies in our industry.
Adjusted EBITDA should not be considered in isolation from, or as a substitute for, financial information prepared in accordance with U.S. GAAP. We calculate Adjusted EBITDA as net income before (1) other (income) expense, net, which includes interest income, interest expense and other income and expense, (2) income tax provision (benefit), (3) depreciation and amortization of property and equipment, (4) amortization of intangible assets, (5) stock-based compensation and (6) non-recurring expenses that do not reflect ongoing costs of operating the business.
Adjusted EBITDA has limitations as an analytical tool and should not be considered in isolation from or as a substitute for the measures presented in accordance with U.S. GAAP. Some of these limitations are:
Adjusted EBITDA does not reflect certain cash and non-cash charges that are recurring;
Adjusted EBITDA does not reflect income tax payments that reduce cash available to us;
Adjusted EBITDA excludes depreciation and amortization of property and equipment and amortization of intangible assets, although these are non-cash charges, the assets being depreciated and amortized may have to be replaced in the future; and
Other companies, including companies in our industry, may calculate Adjusted EBITDA differently or not at all, which reduces its usefulness as a comparative measure.
Because of these limitations, Adjusted EBITDA should be considered alongside other financial performance measures, including revenues, net income, cash flows from operating activities and our financial results presented in accordance with U.S. GAAP. The following unaudited table presents the reconciliation of net income to Adjusted EBITDA for the three and six months ended June 30, 2024 and 2023:
Three Months Ended
June 30,
Six Months Ended
June 30,
2024202320242023
(in thousands, except percentages)
(in thousands, except percentages)
Net income$43,772 $35,382 $83,503 $64,487 
Net income as a percentage of revenues29 %26 %28 %24 %
Depreciation and amortization of property and equipment4,009 6,230 8,476 12,902 
Amortization of intangible assets771 772 1,543 1,544 
Income tax provision10,412 10,295 20,166 18,549 
Stock-based compensation17,086 16,005 36,117 32,038 
Total other income, net
(6,116)(2,850)(10,840)(5,031)
Adjusted EBITDA$69,934 $65,834 $138,965 $124,489 
Adjusted EBITDA as a percentage of revenues47 %48 %47 %46 %
34

Table of Contents
Liquidity and Capital Resources
As of June 30, 2024, our principal source of liquidity was cash, cash equivalents and marketable securities of $555.3 million, including $97.9 million of cash held outside of the United States. The following summary of cash flows for the periods indicated has been derived from our condensed consolidated financial statements included elsewhere in this report:
Six Months Ended
June 30,
20242023
(in thousands)
Net cash provided by operating activities$135,329 $118,328 
Net cash provided by investing activities3,361 2,273 
Net cash used in financing activities(62,650)(108,175)
Net increase in cash, cash equivalents and restricted cash$76,040 $12,426 
Operating Activities
During the six months ended June 30, 2024, we generated $118.2 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes, as compared to $101.1 million during the six months ended June 30, 2023. In addition, we also generated $17.1 million of cash from changes in working capital during the six months ended June 30, 2024, of which $24.6 million was primarily attributed to a combined result of decreases in accounts receivable and deferred revenue due to the timing of collections and billings, partially offset by a $4.5 million increase in prepaid expenses and a $3.0 million decrease in payables and accrued liabilities primarily driven by the timing of payments. During the six months ended June 30, 2023, we generated $17.2 million of cash from changes in working capital, of which $16.7 million was attributed to the combined result of increases in deferred revenue and accounts receivable due to the growth in billing and timing of collections, and an $8.0 million increase in payables and accrued liabilities, partially offset by a $7.5 million increase in prepaid expenses primarily driven by the timing of payments.
Investing Activities
During the six months ended June 30, 2024, we generated $6.4 million of cash from sales and maturities of marketable securities net of purchases, partially offset by $3.1 million of cash used in capital expenditures mainly related to purchases of computer equipment to support our growth and development, as compared to $7.7 million of cash provided by sales and maturity of marketable securities net of purchases, partially offset by $5.5 million of cash used in capital expenditures during the six months ended June 30, 2023.
Financing Activities
During the six months ended June 30, 2024, we used $53.0 million of cash for share repurchases, $17.7 million of cash in payment of employee withholding taxes upon vesting of restricted stock units and $1.5 million payment of cash held in escrow as part of the Blue Hexagon acquisition on October 4, 2022, partially offset by $6.0 million of proceeds from employee exercise of stock options and $3.6 million of proceeds from issuance of common stock through our ESPP, as compared to $108.8 million of cash used for share repurchases, and $9.5 million of cash used in payment of employee withholding taxes upon vesting of restricted stock units, partially offset by $7.1 million of proceeds from employee exercise of stock options and $3.0 million of proceeds from issuance of common stock through our ESPP during the six months ended June 30, 2023.
Material Cash Requirements
We believe our existing cash and cash equivalents, marketable securities and our expected cash flow generated from operations will be sufficient to fund our operations for the next twelve months and beyond. If we repatriate funds from our foreign subsidiaries, we could be subject to foreign withholding taxes.
35

Table of Contents
Operating lease obligations
Our material cash requirements include our operating lease obligations to make payments under our non-cancelable lease agreements for our facilities and shared cloud platforms. We had fixed operating lease payment obligations of $60.6 million as of June 30, 2024, with $14.0 million expected to be paid within the next 12 months.
Purchase Commitments
As of June 30, 2024, other than the changes described above in this section entitled "Liquidity and Capital Resources" in this Quarterly Report on Form 10-Q, there have been no other material changes to our cash requirements for purchase commitments as described in “Part II, Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations” of our Annual Report on Form 10-K for the fiscal year ended December 31, 2023.
Share Repurchases
We expect to continue to use cash to repurchase shares in 2024 under our share repurchase program authorized by our board of directors on February 5, 2018. On February 7, 2024, we announced that our board of directors authorized an additional $200.0 million to the share repurchase program authorization, increasing the total amount of authorized repurchase to $1.2 billion. As of June 30, 2024, approximately $230.7 million remained available under our share repurchase program. Shares will be repurchased from time to time in privately negotiated transactions or on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934, including pursuant to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act.
Recent Accounting Pronouncements
See Note 1 to the unaudited condensed consolidated financial statements in Part I, Item 1 of this Quarterly Report on Form 10-Q for a discussion of recent accounting pronouncements.
Critical Accounting Estimates
There have been no material changes to our critical accounting estimates as described in our Annual Report on Form 10-K for the fiscal year ended December 31, 2023.
36

Table of Contents
Item 3.                                Quantitative and Qualitative Disclosures about Market Risk
We have domestic and international operations and we are exposed to market risks in the ordinary course of our business. These risks primarily include interest rate, foreign exchange and inflation risks, as well as risks relating to changes in the general economic conditions in the countries where we conduct business. To reduce certain of these risks, we monitor the financial condition of our large customers and limit credit exposure by collecting subscription fees in advance.
Foreign Currency Risk
Our results of operations and cash flows have been and will continue to be subject to fluctuations because of changes in foreign currency exchange rates, particularly changes in exchange rates between the U.S. Dollar and the EUR, GBP, INR and CAD, the currencies of countries where we currently have our most significant international operations. We enter into foreign currency forward contracts to reduce our exposure to foreign currency exchange rate fluctuations related to forecasted subscription revenue, operating expenses and foreign currency denominated assets or liabilities. As of June 30, 2024, we had designated cash flow hedge forward contracts with notional amounts of €45.3 million, £16.9 million and Rs.4,138.0 million and non-designated forward contracts with notional amounts of €9.8 million, £5.5 million, Rs.1,065.0 million and C$1.8 million. With our hedging strategy applied, the effect of an immediate 10% adverse change in foreign exchange rates would not be material to our financial condition, operating results or cash flows.
Interest Rate Sensitivity
We had $555.3 million in cash, cash equivalents and short-term and long-term marketable securities as of June 30, 2024. Our exposure to market risk for changes in interest rates primarily relates to our cash and cash equivalents and marketable securities. Our cash equivalents and marketable securities are held in money market funds, fixed-income U.S. Treasury and government agency securities, commercial paper, corporate bonds and asset-backed securities. The primary objectives of our investment activities are the preservation of principal and support of our liquidity requirements. We do not invest for trading or speculative purposes. Our marketable securities are subject to market risk due to changes in interest rates, which may affect the interest income we earn and the fair market value of our securities. As of June 30, 2024, a hypothetical 100 basis point increase in interest rate would not result in a material decrease in the fair value of our marketable securities.
Item 4.                                Controls and Procedures
Evaluation of Disclosure Controls and Procedures
Our management, with the participation of our Chief Executive Officer and Chief Financial Officer, evaluated the effectiveness of our disclosure controls and procedures as of June 30, 2024. The term “disclosure controls and procedures,” as defined in Rules 13a-15(e) and 15d-15(e) under the Exchange Act, means controls and other procedures of a company that are designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Securities and Exchange Commission’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is accumulated and communicated to the company’s management, including its principal executive and principal financial officers, as appropriate to allow timely decisions regarding required disclosure. Management recognizes that any controls and procedures, no matter how well designed and operated, can provide only reasonable assurance of achieving their objectives and management necessarily applies its judgment in evaluating the cost-benefit relationship of possible controls and procedures. Based on the evaluation of our disclosure controls and procedures as of June 30, 2024, our Chief Executive Officer and Chief Financial Officer concluded that, as of such date, our disclosure controls and procedures were effective at the reasonable assurance level.
Changes in Internal Control over Financial Reporting
There were no changes in our internal control over financial reporting identified in connection with the evaluation required by Rules 13a-15(d) and 15d-15(d) of the Exchange Act that occurred during the period covered by this report that have materially affected, or are reasonably likely to materially affect, our internal control over financial reporting.
37

Table of Contents
PART II. OTHER INFORMATION
Item 1.                                  Legal Proceedings
From time to time the Company may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. As of June 30, 2024, there has not been at least a reasonable possibility that the Company has incurred a material loss from any ongoing legal proceedings, individually or taken together. However, litigation is inherently unpredictable and is subject to significant uncertainties, some of which are beyond the Company's control. Should any of these estimates and assumptions change or prove to have been incorrect, the Company could incur significant charges related to legal matters which could have a material impact on its results of operations, financial position and cash flows.
Item 1A.                               Risk Factors
An investment in our common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below, and all other information contained in this Quarterly Report on Form 10-Q, including our condensed consolidated financial statements and the related notes, before making a decision to invest in our common stock. Our business, operating results, financial condition, or prospects could be materially and adversely affected by any of these risks and uncertainties. In that case, the trading price of our common stock could decline, and you might lose all or part of your investment. In addition, the risks and uncertainties discussed below are not the only ones we face. Our business, operating results, financial performance or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material.
Risks Related to Our Business and Industry
Our quarterly and annual operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
Our operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:
the level of demand for our solutions, from both existing and new customers;
the extent to which customers subscribe for additional solutions;
changes in customer renewals of our solutions;
timing of deals signed within the applicable fiscal period;
seasonal buying patterns of our customers;
timely invoicing or changes in billing terms of customers;
the length of our sales cycle for our products and services;
price competition;
the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors;
the introduction or adoption of new technologies that compete with our solutions;
decisions by potential customers to purchase IT, security and compliance products or services from other vendors;
general economic conditions, both domestically and in the foreign markets in which we sell our solutions;
changes in foreign currency exchange rates;
changes in the growth rate of the IT, security and compliance market;
actual or perceived security breaches and incidents, technical difficulties or interruptions with our service;
failure of our products and services to operate as designed;
publicity regarding security breaches and incidents generally and the level of perceived threats to IT security;
38

Table of Contents
the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;
the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;
pace and cost of hiring employees;
expenses associated with our existing and new products and services;
the timing of sales commissions relative to the recognition of revenues;
insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions;
our ability to integrate any products or services that we have acquired or may acquire in the future into our product suite or migrate existing customers of any companies that we have acquired or may acquire in the future to our products and services;
future accounting pronouncements or changes in our accounting policies;
our effective tax rate, changes in tax rules, tax effects of infrequent or unusual transactions, and tax audit settlements;
the amount and timing of income tax that we recognize resulting from stock-based compensation;
the timing of expenses related to the development or acquisition of technologies, services or businesses; and
potential goodwill and intangible asset impairment charges associated with acquired businesses.
Further, the interpretation and application of international laws and regulations in many cases is uncertain, and our legal and regulatory obligations in foreign jurisdictions are subject to frequent and unexpected changes, including the potential for various regulatory or other governmental bodies to enact new or additional laws or regulations or to issue rulings that invalidate prior laws or regulations.
Each factor above or discussed elsewhere in this Quarterly Report on Form 10-Q or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. In addition, a significant percentage of our operating expenses are fixed in nature and based on forecasted trends in revenues. Accordingly, in the event of shortfalls in revenues, we are generally unable to mitigate the negative impact on margins in the short term by reducing our operating expenses. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the trading price of our common stock could fall and we could face costly lawsuits, including securities class action suits.
If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial condition may be harmed.
The IT, security and compliance market is characterized by rapid technological advances, customer price sensitivity, short product and service life cycles, intense competition, changes in customer requirements, frequent new product introductions and enhancements and evolving industry standards and regulatory mandates. Any of these factors could create downward pressure on pricing and gross margins, and could adversely affect our renewal rates, as well as our ability to attract new customers. Our future success will depend on our ability to enhance existing solutions, introduce new solutions on a timely and cost-effective basis, meet changing customer needs, extend our core technology into new applications, and anticipate and respond to emerging standards and business models. We must also continually change and improve our solutions in response to changes in operating systems, application software, computer and communications hardware, networking software, shared cloud platform infrastructures, programming tools and computer language technology.
We may not be able to anticipate future market needs and opportunities or develop enhancements or new solutions to meet such needs or opportunities in a timely manner or at all. The market for cloud solutions for IT, security and compliance continues to evolve, and it is uncertain whether our new solutions will gain market acceptance.
39

Table of Contents
Our solution enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:
failure to timely meet market demand for product functionality;
inability to identify and provide intelligence regarding the attacks or techniques used by cyber-attackers;
inability to inter-operate effectively with the database technologies, file systems or web applications of our prospective customers;
defects, errors or failures;
delays in releasing our enhancements or new solutions;
negative publicity about their performance or effectiveness;
introduction or anticipated introduction of products by our competitors;
poor business conditions, causing customers to delay IT, security and compliance purchases;
easing or changing of external regulations related to IT, security and compliance; and
reluctance of customers to purchase cloud solutions for IT, security and compliance.
Furthermore, diversifying our solutions and expanding into new IT, security and compliance markets will require significant investment and planning, require that our research and development and sales and marketing organizations develop expertise in these new markets, bring us more directly into competition with IT, security compliance providers that may be better established or have greater resources than we do, require additional investment of time and resources in the development and training of our channel partners and entail significant risk of failure.
If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy those requirements in a timely manner, such failure could substantially decrease or delay market acceptance and sales of our present and future solutions and cause us to lose existing customers or fail to gain new customers, which would significantly harm our business, financial condition and results of operations.
If we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, our operating results and our business would be harmed.
Our future growth depends to a significant extent on our ability to continue to meet the expanding needs of our customers as their use of our cloud platform grows. As these customers gain more experience with our solutions, the number of users and the number of locations where our solutions are being accessed may expand rapidly in the future. In order to ensure that we meet the performance and other requirements of our customers, we intend to continue to make significant investments to develop and implement new proprietary and third-party technologies at all levels of our cloud platform. These technologies, which include databases, applications and server optimizations, and network and hosting strategies, are often complex, new and unproven. We may not be successful in developing or implementing these technologies. To the extent that we do not effectively scale our platform to maintain performance as our customers expand their use of our platform, our operating results and our business may be harmed.
If we are unable to renew existing subscriptions for our IT, security and compliance solutions, sell additional subscriptions for our solutions and attract new customers, our operating results would be harmed.
We offer our cloud platform and integrated suite of solutions pursuant to a software-as-a-service model, and our customers purchase subscriptions from us that are generally one year in length. Our customers have no obligation to renew their subscriptions after their subscription period expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow depends in part on customers renewing their existing subscriptions and purchasing additional subscriptions and solutions. Our customers may choose not to renew their subscriptions to our solutions or purchase additional solutions due to a number of factors, including their satisfaction or dissatisfaction with our solutions, the prices of our solutions, the prices of products or services offered by our competitors, reductions in our customers’ spending levels due to the macroeconomic environment or other factors. If our customers do not renew their subscriptions to our solutions, renew on less favorable terms, or do not purchase additional solutions or subscriptions, our revenues may grow more slowly than expected or decline and our operating results would be harmed.
40

Table of Contents
In addition, our future growth depends in part upon increasing our customer base. Our ability to achieve significant growth in revenues in the future will depend, in large part, upon continually attracting new customers and obtaining subscription renewals to our solutions from those customers. If we fail to attract new customers, our revenues may grow more slowly than expected and our operating results would be harmed.
Our current research and development efforts may not produce successful products or enhancements to our platform that result in significant revenue, cost savings or other benefits in the near future.
We must continue to dedicate significant financial and other resources to our research and development efforts if we are to maintain our competitive position. However, developing products and enhancements to our platform is expensive and time consuming, and there is no assurance that such activities will result in significant new marketable products or enhancements to our platform, design improvements, cost savings, revenue or other expected benefits. If we spend significant resources on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected.
Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.
We and our service providers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including traditional “hackers,” sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and worms), ransomware, social engineering, denial of service attacks, and phishing attempts. We and our service providers could be a target of cyber-attacks or other malfeasance designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform or our internal systems, misappropriate proprietary information and/or cause interruptions to our services. We and our service providers have experienced and may continue to experience security incidents and attacks of varying degrees from time to time. We have incurred costs to respond to such incidents and may continue to incur costs to support our efforts to enhance our security measures. Additionally, due to political uncertainty and military actions in parts of Eastern Europe and the Middle East, we and our service providers are vulnerable to heightened risks of cybersecurity incidents and security and privacy breaches from or affiliated with nation-state actors, including attacks that could materially disrupt our systems, operations and services.
Our solutions, platforms, and system, and those of our service providers, may also suffer security incidents as a result of non-technical issues, including intentional or inadvertent acts or omissions by our employees or service providers. With the increase in personnel working remotely, at least part-time in our case, we and our service providers are at increased risk for security breaches and incidents. We have taken and intend to continue to take steps to monitor and enhance the security of our solutions, cloud platform, and other relevant systems, IT infrastructure, networks, and data; however, the unprecedented scale of remote work may require additional personnel and resources, which nevertheless cannot be guaranteed to fully safeguard our solutions, our cloud platform, or any systems, IT infrastructure networks, or data upon which we rely. Further, because our operations involve providing IT security solutions to our customers, we may be targeted for cyber-attacks and other security incidents. A breach in or incident impacting our data security, an attack against our service availability, or any breach, incident, or attack impacting our third-party service providers, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed, used, publicly disclosed, altered, lost, or stolen, which could subject us to liability and cause us financial harm. If an actual or perceived disruption in the availability of our solutions or the breach or other compromise of our security measures or those of our service providers occurs, it could adversely affect the market perception of our solutions, result in a loss of competitive advantage, have a negative impact on our reputation, or result in the loss of customers, channel partners and sales, and it may expose us to the loss, unavailability or alteration of information, claims, demands and litigation, regulatory investigations, actions and other proceedings and possible liability. Any such actual or perceived security breach or incident or disruption could also divert the efforts of our technical and management personnel. We and our service providers may face difficulties or delays in identifying and responding to any security breach or incident. We also may incur significant costs and operational consequences of investigating, remediating, eliminating and putting in place additional tools and devices designed to prevent actual or perceived security incidents, as well as costs to respond to and otherwise address any breach or incident, including any to comply with any notification obligations resulting from any security incidents. In addition, any such actual or perceived security breach or incident could impair our ability to operate our business and provide solutions to our customers. If this happens, our reputation could be harmed, our revenues could decline and our business could suffer.
41

Table of Contents
Although we maintain insurance coverage that may be applicable to certain liabilities in the event of a security breach or other security incident, we cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition, operating results and reputation.
Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues may vary from period to period, which may cause our operating results to fluctuate and could harm our business.
The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large transactions and in the current macroeconomic environment. We sell subscriptions to our IT, security and compliance solutions primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, which has also made our sales cycle long and unpredictable. The length of the sales cycle for our solutions typically ranges from six to twelve months but can be more than eighteen months. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result we could lose other sales opportunities or incur expenses that are not offset by an increase in revenues, which could harm our business.
Adverse economic conditions or reduced IT spending may adversely impact our business.
Our business depends to a significant extent on the overall demand for IT and on the economic health of our current and prospective customers. Economic weakness, customer financial difficulties, change in interest rates, inflationary pressures and potential for a recession, and constrained spending on IT security, as well as longer sales cycles, which factors we have experienced in 2023 and into 2024, have resulted and may in the future result in decreased revenue and earnings. In addition, continued governmental budgetary challenges in the United States and Europe, inflationary pressures and potential for a recession, and geopolitical turmoil in many parts of the world, including the ongoing military conflicts in parts of Eastern Europe and the Middle East, and other disruptions to global and regional economies and markets in many parts of the world, as well as uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements, have and may continue to put pressure on global economic conditions and overall spending on IT security and may further increase inflation, both in the U.S. and globally, which could increase our operating costs in the future and reduce overall spending on IT security. General economic weakness may also lead to longer collection cycles for payments due from our customers, an increase in customer bad debt, restructuring initiatives and associated expenses, and impairment of investments. Furthermore, the continued weakness and uncertainty in worldwide credit markets, including the sovereign debt situation in certain countries in the European Union, may adversely impact our European operations, as well as our current and potential customers' available budgetary spending, which could lead to delays or reductions in planned purchases of our solutions.
Uncertainty about future economic conditions also makes it difficult to forecast operating results and to make decisions about future investments. Future or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness, customer financial difficulties, and reductions in spending on IT security could have a material adverse effect on demand for our platform and consequently on our business, financial condition and results of operations.
42

Table of Contents
Our IT, security and compliance solutions are delivered from 14 shared cloud platforms, and any disruption of service at these facilities would interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.
We currently host substantially all of our solutions from third-party shared cloud platforms located in the United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia, United Kingdom, Italy, the Kingdom of Saudi Arabia and India. These facilities are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, cybersecurity attacks, terrorist attacks, employee negligence, power losses, telecommunications failures and similar events. The facilities also could be subject to break-ins, sabotage, intentional acts of vandalism and other misconduct. The occurrence of a natural disaster, an act of terrorism or misconduct, a decision to close the facilities without adequate notice or other unanticipated problems could result in interruptions in our services.
Some of our shared cloud platforms are not currently redundant and we may not be able to rapidly move our customers from one shared cloud platform to another, which may increase delays in the restoration of our service for our customers if an adverse event occurs. We have added shared cloud platforms to provide additional capacity and to enable disaster recovery. We continue to build out these facilities; however, these additional facilities may not be operational in the anticipated time-frame and we may incur unplanned expenses.
Additionally, our existing shared cloud platform providers have no obligations to renew their agreements with us on commercially reasonable terms, or at all. If we are unable to renew our agreements with the facilities providers on commercially reasonable terms or if in the future we add additional shared cloud platform providers, we may experience costs or downtime in connection with the loss of an existing facility or the transfer to, or addition of, new facilities.
Any disruptions or other performance problems with our solutions could harm our reputation and business and may damage our customers’ businesses. Interruptions in our service delivery might reduce our revenues, cause us to issue credits to customers, subject us to potential liability and cause customers to terminate their subscriptions or not renew their subscriptions.
We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
We compete with a large range of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment. We face significant competition for each of our solutions from companies with broad product suites and greater name recognition and resources than we have, as well as from small companies focused on specialized security solutions.
We compete with large and small public companies, such as Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto Networks, Rapid7, Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Invicti, Ivanti, Tanium, HelpSystems (Tripwire), Trustwave Holdings, Veracode and Wiz. We also seek to replace IT, security and compliance solutions that organizations have developed internally. As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity Asset Management and Patch Management, we expect to face additional competition in these new markets. Our competitors may also attempt to further expand their presence in the IT, security and compliance market and compete more directly against one or more of our solutions.
We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and the extensibility of our platform. Many of our existing and potential competitors have competitive advantages, including:
greater brand name recognition;
larger sales and marketing budgets and resources;
broader distribution networks and more established relationships with distributors and customers;
access to larger customer bases;
greater customer support resources;
greater resources to make acquisitions;
43

Table of Contents
greater resources to develop and introduce products that compete with our solutions;
greater resources to meet relevant regulatory requirements; and
substantially greater financial, technical and other resources.
As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. With the introduction of new technologies, the evolution of our service and new market entrants, we expect competition to intensify in the future.
In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing pressure on our solutions and cause the average sales price for our solutions to decline. These larger competitors are also often in a better position to withstand any significant reduction in capital spending and will therefore not be as susceptible to economic downturns.
Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. For all of these reasons, we may not be able to compete successfully against our current or future competitors.
The sales prices of our solutions are subject to competitive pressures and may decrease, which may reduce our gross profits and adversely impact our financial results.
The sales prices for our solutions may decline for a variety of reasons, including competitive pricing pressures, discounts, a change in our mix of solutions and subscriptions, anticipation of the introduction of new solutions or subscriptions, or promotional programs. Competition continues to increase in the market segments in which we participate, and we expect competition to further increase in the future, thereby leading to increased pricing pressures. Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions that compete with ours or may bundle them with other products and subscriptions. Additionally, although we price our products and subscriptions worldwide in U.S. Dollars, Euros, British Pounds, Canadian Dollars, Japanese Yen and Indian Rupee, currency fluctuations in certain countries and regions may negatively impact actual prices that partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our reporting currency. We cannot assure you that we will be successful in developing and introducing new offerings with enhanced functionality on a timely basis, or that our new product and subscription offerings, if introduced, will enable us to maintain our prices and gross profits at levels that will allow us to maintain positive gross margins and profitability.
If our solutions fail to help our customers achieve and maintain compliance with regulations and industry standards, our revenues and operating results could be harmed.
We generate a portion of our revenues from solutions that help organizations achieve and maintain compliance with regulations and industry standards. For example, many of our customers subscribe to our IT, security and compliance solutions to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that store cardholder data. Industry organizations like the PCI Council may significantly change their security standards with little or no notice, including changes that could make their standards more or less onerous for businesses. Governments may also adopt new laws or regulations, or make changes to existing laws or regulations, which could impact the demand for or value of our solutions.
44

Table of Contents
If we are unable to adapt our solutions to changing regulatory standards in a timely manner, or if our solutions fail to assist with or expedite our customers’ compliance initiatives, our customers may lose confidence in our solutions and could switch to products offered by our competitors. In addition, if regulations and standards related to data security, vulnerability management and other IT, security and compliance requirements are relaxed or the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our solutions. In any of these cases, our revenues and operating results could be harmed.
If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.
If our solutions fail to detect vulnerabilities in our customers’ IT infrastructures, or if our solutions fail to identify and respond to new and increasingly complex methods of attacks, our business and reputation may suffer. There is no guarantee that our solutions will detect all vulnerabilities. Additionally, our IT, security and compliance solutions may falsely detect vulnerabilities or threats that do not actually exist. For example, some of our solutions rely on information on attack sources aggregated from third-party data providers who monitor global malicious activity originating from a variety of sources, including anonymous proxies, specific IP addresses, botnets and phishing sites. If the information from these data providers is inaccurate, the potential for false indications of security vulnerabilities increases. These false positives, while typical in the industry, may impair the perceived reliability or usability of our solutions and may therefore adversely impact market acceptance of our solutions and could result in negative publicity, loss of customers and sales, increased costs to remedy any incorrect information or problem, or claims by aggrieved parties. Similar issues may be generated by the misuse of our tools to identify and exploit vulnerabilities.
Further, our solutions sometimes are tested against other security products, and may fail to perform as effectively, or to be perceived as performing as effectively, as competitive products for any number of reasons, including misconfiguration. To the extent current or potential customers, channel partners, or others believe there has been an occurrence of an actual or perceived failure of our solutions to detect a vulnerability or otherwise to function as effectively as competitive products in any particular test, or indicates our solutions do not provide significant value, our business, competitive position, and reputation could be harmed.
In addition, our solutions do not currently extend to cover all mobile and personal devices that employees may bring into an organization. As such, our solutions would not identify or address vulnerabilities in all mobile and personal devices, and our customers’ IT infrastructures may be compromised by attacks that infiltrate their networks through such devices.
An actual or perceived security breach or incident or loss, theft, unavailability or other compromise of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our solutions, could adversely affect the market’s perception of our security solutions.
If we are unable to continue the expansion of our sales force, sales of our solutions and the growth of our business would be harmed.
We believe that our growth will depend, to a significant extent, on our success in recruiting and retaining a sufficient number of qualified sales personnel and their ability to obtain new customers, manage our existing customer base and expand the sales of our newer solutions. We plan to continue to expand our sales force and invest in our sales and marketing activities. Our recent hires and planned hires may not become as productive as quickly as we would like, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the competitive markets where we do business. Competition for highly skilled personnel is frequently intense and we may not be able to compete for these employees. If we are unable to recruit and retain a sufficient number of productive sales personnel, sales of our solutions and the growth of our business may be harmed. Additionally, if our efforts do not result in increased revenues, our operating results could be negatively impacted due to the upfront operating expenses associated with expanding our sales force.
45

Table of Contents
We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage our distribution channels, our revenues could decline and our growth prospects could suffer.
Our success significantly depends to a significant extent on establishing and maintaining relationships with a variety of channel partners and we anticipate that we will continue to depend on these partners in order to grow our business. For the six months ended June 30, 2024, we derived approximately 46% of our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of revenues derived from channel partners may increase in future periods. Our agreements with our channel partners are generally non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and many of our channel partners have more established relationships with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors, do not effectively market and sell our solutions, or fail to meet the needs of our customers, then our ability to grow our business and sell our solutions may be adversely affected. In addition, the loss of one or more of our larger channel partners, who may cease marketing our solutions with limited or no notice, and our possible inability to replace them, could adversely affect our sales. Moreover, our ability to expand our distribution channels depends in part on our ability to educate our channel partners about our solutions, which can be complex. Our failure to recruit additional channel partners, or any reduction or delay in their sales of our solutions or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Even if we are successful, these relationships may not result in greater customer usage of our solutions or increased revenues.
In addition, the financial health of our channel partners and our continuing relationships with them are important to our success. Some of these channel partners may be unable to withstand adverse changes in economic conditions, which could result in insolvency and/or the inability of such distributors to obtain credit to finance purchases of our products and services. In addition, weakness in the end-user market could negatively affect the cash flows of our channel partners who could, in turn, delay paying their obligations to us, which would increase our credit risk exposure. Our business could be harmed if the financial condition of some of these channel partners substantially weakened and we were unable to timely secure replacement channel partners.
A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number of risks associated with conducting international operations, and if we are unable to successfully manage these risks, our business and operating results could be harmed.
We market and sell subscriptions to our solutions throughout the world and have personnel in many parts of the world. In addition, we have sales offices and research and development facilities outside the United States and we conduct, and expect to continue to conduct, a significant amount of our business with organizations that are located outside the United States, particularly in Europe and Asia. Therefore, we are subject to risks associated with having international sales and worldwide operations, including:
foreign currency exchange fluctuations;
trade and foreign exchange restrictions;
economic or political instability in foreign markets, including as a result of increasing tensions between India and China;
greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
changes in regulatory requirements;
tax laws (including U.S. taxes on foreign subsidiaries);
difficulties and costs of staffing and managing foreign operations;
the uncertainty and limitation of protection for intellectual property rights in some countries;
costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;
costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance;
46

Table of Contents
heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;
the potential for political unrest, acts of terrorism, hostilities or war;
management communication and integration problems resulting from cultural differences and geographic dispersion; and
multiple and possibly overlapping tax structures.
Some of our business partners also have international operations and are subject to the risks described above. Even if we are able to successfully manage the risks of international operations, our business may be adversely affected if our business partners are not able to successfully manage these risks.
Our business, including the sales of subscriptions of our solutions, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Failure to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to ensure compliance with these laws and policies, there can be no assurance that all of our employees, contractors, channel partners and agents have complied or will comply with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our solutions and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected.
In addition, as of June 30, 2024, approximately 75% of our employees were located outside of the United States, with 67% of our employees located in Pune, India. Accordingly, we are exposed to changes in laws governing our employee relationships in various U.S. and foreign jurisdictions, including laws and regulations regarding wage and hour requirements, fair labor standards, employee data privacy, unemployment tax rates, workers’ compensation rates, citizenship requirements and payroll and other taxes which may have a direct impact on our operating costs. We may continue to expand our international operations and international sales and marketing activities. Expansion in international markets has required, and will continue to require, significant management attention and resources. We may be unable to scale our infrastructure effectively or as quickly as our competitors in these markets and our revenues may not increase to offset any increased costs and operating expenses, which would cause our results to suffer.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.
Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the six months ended June 30, 2024, we incurred approximately 28% of our expenses in foreign currencies, primarily the Euro, British Pound, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations. Additionally, for the six months ended June 30, 2024, approximately 24% of our revenues were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. We expect that a majority of our revenues will continue to be generated in U.S. dollars for the foreseeable future and that a significant portion of our expenses, including personnel costs, as well as capital and operating expenditures, will continue to be denominated in the Euro, British Pound and Indian Rupee. The result of our operations may be adversely affected by foreign exchange fluctuations.
We use derivative financial instruments to reduce our foreign currency exchange risks. We use foreign currency forward contracts to mitigate the impact of foreign currency fluctuations of certain non-U.S. dollar denominated net asset positions, to date primarily cash, accounts receivable and operating lease liabilities (non-designated), as well as to manage foreign currency fluctuation risk related to forecasted transactions (designated). However, we may not be able to purchase derivative instruments that are adequate to insulate ourselves from foreign currency exchange risks. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets.
47

Table of Contents
If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results would be harmed.
Our success depends to a significant extent on the willingness of organizations to increase their use of cloud solutions for their IT, security and compliance. Some organizations may be reluctant to use cloud solutions because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with these solutions. If other cloud service providers experience security incidents, loss of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole, including our solutions, may be negatively impacted. Moreover, organizations that have invested substantial personnel and financial resources to integrate on-premise software into their businesses may be reluctant or unwilling to migrate to a cloud solution. Organizations that use on-premise security products, such as network firewalls, security information and event management products or data loss prevention solutions, may also believe that these products sufficiently protect their IT infrastructure and deliver adequate security. Therefore, they may continue spending their IT security budgets on these products and may not adopt our IT, security and compliance solutions in addition to or as a replacement for such products.
If customers do not recognize the benefits of our cloud solutions over traditional on-premise enterprise software products, and as a result we are unable to increase sales of subscriptions to our solutions, then our revenues may not grow or may decline, and our operating results would be harmed.
Our business and operations have continued to grow since inception, and if we do not appropriately manage any future growth, or are unable to improve our systems and processes, our operating results may be negatively affected.
We have continued to grow over the last several years, with revenues increasing from $411.2 million in 2021 to $554.5 million in 2023, and headcount increasing from 1,498 employees at the beginning of 2021 to 2,269 employees as of June 30, 2024. We rely on information technology systems to help manage critical functions such as order processing, revenue recognition and financial forecasts. To manage any future growth effectively we must continue to improve and expand our IT systems, financial infrastructure, and operating and administrative systems and controls, and continue to manage headcount, capital and processes in an efficient manner. We may not be able to successfully implement improvements to these systems and processes in a timely or efficient manner.
Our failure to improve our systems and processes, or their failure to operate in the intended manner, may result in our inability to manage the growth of our business and to accurately forecast our revenues, expenses and earnings, or to prevent certain losses. In addition, as we continue to grow, our productivity and the quality of our solutions may also be adversely affected if we do not integrate and train our new employees quickly and effectively. Any future growth would add complexity to our organization and require effective coordination across our organization. Failure to manage any future growth effectively could result in increased costs, harm our results of operations and lead to investors losing confidence in our internal systems and processes.
We depend on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely affect our business, operating results and financial condition.
Our future performance depends to a significant extent on the continued services and continuing contributions of our senior management and other key employees, to execute on our business plan and to identify and pursue new opportunities and product innovations. We do not maintain key-man insurance for any member of our senior management team. Our senior management and key employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. From time to time, there may be changes in our senior management team resulting from the termination or departure of executives. The loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations.
48

Table of Contents
If we are unable to hire, retain and motivate qualified personnel, our business may suffer.
Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. The loss of the services of any of our key personnel, the inability to attract or retain qualified personnel or delays in hiring required personnel, particularly in engineering and sales, may seriously harm our business, financial condition and results of operations. Any of our employees may terminate their employment at any time. Competition for highly skilled personnel is frequently intense, especially within our industry, and we may not be able to compete for such personnel.
We are required under accounting principles generally accepted in the United States (U.S. GAAP) to recognize compensation expense in our operating results for employee stock-based compensation under our equity grant programs, which may negatively impact our operating results and may increase the pressure to limit stock-based compensation that we might otherwise offer to current or potential employees, thereby potentially harming our ability to attract or retain highly skilled personnel. In addition, to the extent we hire personnel from competitors, we may be subject to allegations that they have been improperly solicited or divulged proprietary or other confidential information, which could result in a diversion of management's time and our resources.
A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
Government entities have historically been particularly concerned about adopting cloud-based solutions for their operations, including security solutions, and increasing sales of subscriptions for our solutions to government entities may be more challenging than selling to commercial organizations. Selling to government entities can be highly competitive, expensive and time-consuming, often requiring significant upfront time and expense without any assurance that we will win a sale. We have invested in the creation of a cloud offering certified under the Federal Information Security Management Act for government usage but we cannot be sure that we will continue to sustain or renew this certification, that the government will continue to mandate such certification or that other government agencies or entities will use this cloud offering. Government demand and payment for our solutions may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions. Government entities may have contractual or other legal rights to terminate contracts with our channel partners for convenience or due to a default, and any such termination may adversely impact our future results of operations. Governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our solutions, a reduction of revenues or fines or civil or criminal liability if the audit uncovers improper or illegal activities. Any such penalties could adversely impact our results of operations in a material way.
Our success in acquiring and integrating other businesses, products or technologies could impact our financial position.
In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products, services or technologies. For example, we acquired certain intellectual property of TotalCloud on August 19, 2021 and certain assets of Blue Hexagon on October 4, 2022. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices may exceed what we would prefer to pay. Moreover, achieving the anticipated benefits of past and future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner, and even if we achieve benefits from acquisitions, such acquisitions may still be viewed negatively by customers, financial markets or investors. The acquisition and integration process is complex, expensive and time-consuming, and may cause an interruption of, or loss of momentum in, product development and sales activities and operations of both companies, as well as divert the attention of management, and we may incur substantial cost and expense. We may issue equity securities which could dilute current stockholders’ ownership, incur debt, assume contingent or other liabilities and expend cash in acquisitions, which could negatively impact our financial position, stockholder equity and stock price. We may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful. If we consummate a transaction, we may be unable to integrate and manage acquired products and businesses effectively or retain key personnel. If we are unable to effectively execute acquisitions, our business, financial condition and operating results could be adversely affected.
49

Table of Contents
We rely on software-as-a-service vendors to operate certain functions of our business and any failure of such vendors to provide services to us could adversely impact our business and operations.
We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management and human resource management. If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.
Incorrect or improper implementation or use of our solutions could result in customer dissatisfaction and harm our business and reputation.
If our customers are unable to implement our solutions successfully, customer perceptions of our platform and solutions may be impaired or our reputation and brand may suffer. Our customers have in the past inadvertently misused our solutions, which triggered downtime in their internal infrastructure until the problem was resolved. Additionally, any failure to implement and configure our solutions correctly may result in our solutions failing to detect vulnerabilities or compliance issues, or otherwise to perform effectively, and may result in disruptions to our customers’ IT environments and businesses. Any misuse of our solutions, including any failure to implement and configure them appropriately, could result in disruption to our customers’ businesses, customer dissatisfaction, negative impacts on the perceived reliability or effectiveness of our solutions, and claims and litigation, and may result in negative press coverage, negative effects on our reputation and competitive position, a loss of sales, customers, and channel partners, and harm our financial results.
We recognize revenues from subscriptions over the term of the relevant service period, and therefore any decreases or increases in bookings are not immediately reflected in our operating results.
We recognize revenues from subscriptions over the term of the relevant service period, which is typically one year. As a result, most of our reported revenues in each quarter are derived from the recognition of deferred revenues relating to subscriptions entered into during previous quarters. Consequently, a shortfall in demand for our solutions in any period may not significantly reduce our revenues for that period, but could negatively affect revenues in future periods. Accordingly, the effect of significant downturns in bookings may not be fully reflected in our results of operations until future periods. We may be unable to adjust our costs and expenses to compensate for such a potential shortfall in revenues. Our subscription model also makes it difficult for us to rapidly increase our revenues through additional bookings in any period, as revenues are recognized ratably over the subscription period.
Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by man-made problems such as terrorism.
A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. Our corporate headquarters and a significant portion of our operations are located in the San Francisco Bay Area, a region known for seismic activity. In addition, natural disasters could affect our business partners’ ability to perform services for us on a timely basis. In the event we or our business partners are hindered by any of the events discussed above, our ability to provide our solutions to customers could be delayed, resulting in our missing financial targets, such as revenues and net income, for a particular quarter. Further, if a natural disaster occurs in a region from which we derive a significant portion of our revenues, customers in that region may delay or forego subscriptions of our solutions, which may materially and adversely impact our results of operations for a particular period. In addition, war, acts of terrorism, pandemics or other health emergencies, or responses to these events could cause disruptions in our business or the business of our business partners, customers or the economy as a whole. All of the aforementioned risks may be exacerbated if the disaster recovery plans for us and our suppliers prove to be inadequate. To the extent that any of the above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results of operations could be adversely affected.
50

Table of Contents
Risks Related to Intellectual Property, Legal, Tax and Regulatory Matters
Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in liability.
Our solutions may contain undetected errors or defects when first introduced or as new versions are released. We have experienced these errors or defects in the past in connection with new solutions and solution upgrades and we expect that these errors or defects will be found from time to time in the future in new or enhanced solutions after commercial release of these solutions. Since our customers use our solutions for IT, security and compliance reasons, any errors, defects, disruptions in service or other performance problems with our solutions, or any other failure of our solutions to detect vulnerabilities or compliance problems or otherwise to perform effectively, may result in disruptions or damage to the business of our customers, including security breaches or compliance failures. Additionally, any such issues, or the perception that they have occurred, whether or not relating to any actual or perceived error or defect in our solutions, could hurt our reputation and competitive position and we may incur significant costs, the attention of key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew, we could face a loss of sales, customers, and channel partners, and other significant problems with our relationships with customers and channel partners may arise. We may also be subject to liability claims for damages related to actual or perceived errors or defects in our solutions. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our solutions may harm our business, competitive and financial position, and operating results.
Although we maintain insurance coverage that may be applicable to certain liabilities in connection with these matters, we cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition, operating results and reputation.
Our solutions could be used to collect and store personal information of our customers employees or customers, and therefore privacy and other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions.
We collect the names and email addresses of our customers in connection with subscriptions to our solutions. Additionally, the data that our solutions collect to help secure and protect the IT infrastructure of our customers may include additional personal or confidential information of our customers’ employees and their customers, and we may collect, store and otherwise process personal or confidential information more generally in connection with our business and operations. Personal privacy has become a significant issue in the United States and in many other countries where we offer our solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use, disclosure and retention of personal information. In the United States, these include, for example, rules and regulations promulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and state breach notification laws. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply.
51

Table of Contents
These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. Additionally, new laws and regulations relating to privacy and data protection continue to be proposed and enacted. For example, the European Union has adopted the Global Data Protection Regulation (“GDPR”). This regulation, which took effect in May of 2018, provides for substantial obligations relating to the handling, storage and other processing of data relating to individuals and administrative fines for violations, which can be up to four percent of the previous year’s annual revenue or €20 million, whichever is higher. The GDPR may be subject to new or changing interpretations by courts, and our interpretation of the law and efforts to comply with the rules and regulations of the law may be ruled invalid. Similarly, the California Consumer Privacy Act (“CCPA”) requires covered companies to, among other things, provide new disclosures to California consumers and affords such consumers new rights to opt-out of certain sales of personal information. The CCPA also creates a private right of action for statutory damages for certain breaches of information. Additionally, the California Privacy Rights Act (“CPRA”), was approved by voters in the November 3, 2020 election. The CPRA modified the CCPA significantly, creating obligations relating to consumer data beginning on January 1, 2022, with enforcement authorized as of July 1, 2023. In addition, other states have enacted or proposed legislation that regulates the collection, use, and sale of personal information, including, for example, Washington's My Health, My Data Act and legislation similar to the CCPA adopted in Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Montana, Tennessee, Oregon, Florida, Delaware, Texas, Kentucky, New Jersey, New Hampshire, Maryland, Minnesota, Nebraska, and Rhode Island. Aspects of the CCPA, CPRA, and these other new and evolving state laws, as well their interpretation and enforcement, remain uncertain. We cannot predict the impact of the CCPA, CPRA, or other evolving privacy and data protection obligations on our business or operations, but they may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply.
The privacy, data protection, and information security laws and regulations we must comply with also are subject to change. For example, the United Kingdom has enacted a Data Protection Act, and has implemented legislation referred to as the “UK GDPR,” that substantially implement the GDPR in the United Kingdom following the United Kingdom’s exit from the European Union. This legislation provides for substantial penalties for noncompliance of up to the greater of £17.5 million or four percent of the previous year’s annual revenues. While the European Union has deemed the United Kingdom an “adequate country” to which personal data could be exported from the European Economic Area (“EEA”), this decision is required to be renewed after four years of being in effect and may be modified, revoked, or challenged in the interim, creating uncertainty regarding transfers of personal data to the United Kingdom from the EEA. It remains unclear how United Kingdom data protection laws or regulations will develop in the medium to longer term and how data transfers to and from the United Kingdom will be regulated. Additionally, we have self-certified under the EU-U.S. Data Privacy Framework and a related program, the Swiss-U.S. Data Privacy Framework, and have adopted certain standard contractual clauses approved by the European Commission (“SCCs”) as part of our data processing agreements with regard to certain transfers of personal data from the EEA to the U.S. Both the EU-U.S. Data Privacy Framework and SCCs have, however, been subject to legal challenge. In its July 16, 2020 opinion, the CJEU imposed additional obligations on companies when relying on SCCs to transfer personal data. The European Commission has published revised SCCs addressing the CJEU concerns on June 4, 2021, that are required to be implemented. The United Kingdom has adopted new standard contractual clauses (“UK SCCs”), that became effective as of March 21, 2022, and which also are required to be implemented. The EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework revised SCCs and UK SCCs, guidance and opinions of regulators, and other developments relating to cross-border data transfer may require us to implement additional contractual and technical safeguards for any personal data transferred out of Europe, which may increase compliance costs, lead to increased regulatory scrutiny or liability, and which may adversely impact our business, financial condition and operating results. We may be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data from the EEA, United Kingdom, or Switzerland. We may experience reluctance or refusal by current or prospective European customers to use our products, and we and our customers may face a risk of enforcement actions by data protection authorities relating to personal data transfers to us and by us from the EEA, United Kingdom, and Switzerland. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel and negatively affect our business, operating results and financial condition. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of delivering our services.
52

Table of Contents
In addition to laws and regulations, privacy advocacy and industry groups or other private parties may propose new and different privacy standards that either legally or contractually apply to us. Because the interpretation and application of privacy and data protection laws, regulations, standards and contractual obligations are uncertain, it is possible that they may be interpreted and applied in a manner that is, or perceived to be, inconsistent with our data management practices or the features of our solutions. If so, in addition to the possibility of regulatory investigations and enforcement actions, fines, lawsuits and other claims, other forms of injunctive or operations-limiting relief, and damage to our reputations and loss of goodwill, we could be required to fundamentally change our business activities and practices or modify our solutions and may face limitations in our ability to develop new solutions and features, any of which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or any actual or perceived inability to comply with applicable privacy or data protection laws, regulations and privacy standards, could result in cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business.
Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and privacy standards that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions. Privacy concerns, whether valid or not valid, may inhibit market adoption of our solutions particularly in certain industries and foreign countries.
We use AI/machine learning technologies in our solutions that could result in harm to our business and operating results.
We have incorporated and may continue to incorporate additional AI/machine learning solutions and features into our solutions, and these solutions and features may become more important to our operations or to our future growth over time. We expect to rely on AI/machine learning solutions and features to help drive future growth in our business, but there can be no assurance that we will realize the desired or anticipated benefits from AI/machine learning or at all. We may also fail to properly implement or market our AI/machine learning solutions and features. Our competitors or other third parties may incorporate AI/machine learning into their products, offerings, and solutions more quickly or more successfully than us, which could impair our ability to compete effectively and adversely affect our results of operations. Additionally, our offerings based on AI/machine learning may expose us to additional claims, demands and proceedings by private parties and regulatory authorities and subject us to legal liability as well as brand and reputational harm. The legal, regulatory, and policy environments around AI/machine learning are evolving rapidly, and we may become subject to new and evolving legal and other obligations. These and other developments may require us to make significant changes to our use of AI/machine learning, including by limiting or restricting our use of AI/machine learning, and which may require us to make significant changes to our policies and practices, which may necessitate expenditure of significant time, expense, and other resources, AI/machine learning also presents emerging ethical issues that could harm our reputation and business if our use of AI/machine learning becomes controversial.
Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our solutions.
Our solutions contain software licensed to us by third-parties under so-called “open source” licenses, including the GNU General Public License, the GNU Lesser General Public License, the BSD License, the Apache License and others. From time to time, there have been claims against companies that distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms. If we combine our proprietary software with open source software in certain ways, we could, in some circumstances, be required to release the source code of our proprietary software to the public. Disclosing the source code of our proprietary software could make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our solutions, which could result in our solutions failing to provide our customers with the security they expect from our services. This could harm our business and reputation. Disclosing our proprietary source code also could allow our competitors to create similar products with lower development effort and time and ultimately could result in a loss of sales for us. Any of these events could have a material adverse effect on our business, operating results and financial condition.
53

Table of Contents
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our solutions to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our solutions. In this event, we could be required to seek licenses from third parties to continue offering our solutions, to make our proprietary code generally available in source code form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineering could not be accomplished on a timely basis, any of which could adversely affect our business, operating results and financial condition.
We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost customers or harm to our reputation and our operating results.
We license third-party software as well as security and compliance data from various third parties to deliver our solutions. In the future, this software or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays in the provisioning of our solutions until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated, which could harm our business. In addition, any errors or defects in or failures of this third-party software or data could result in errors or defects in our solutions or cause our solutions to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on their liability for such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could harm our reputation and increase our operating costs.
We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not contain any errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our operating results.
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
The success of our business depends in part on our ability to protect and enforce our trade secrets, trademarks, copyrights, patents and other intellectual property rights. We attempt to protect our intellectual property under copyright, trade secret, patent and trademark laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.
We primarily rely on our unpatented proprietary technology and trade secrets. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. The contractual provisions that we enter into with employees, consultants, partners, vendors and customers may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, solutions and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies or intellectual property rights.
The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner, if at all. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions.
Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited or not provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation. In addition, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. As a result, we may not be able to obtain adequate patent protection or to enforce our issued patents effectively.
54

Table of Contents
From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could negatively affect our business, operating results and financial condition. If we are unable to protect our intellectual property rights, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative solutions that have enabled us to be successful to date.
Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and harm our business and operating results.
Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customers or channel partners whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.
The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.
An adverse outcome of a dispute may require us to:
pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;
cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;
expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may not be successful;
enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and
indemnify our partners and other third parties.
In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Any of the foregoing events could seriously harm our business, financial condition and results of operations.
Governmental export or import controls could subject us to liability if we violate them or limit our ability to compete in foreign markets.
Our solutions are subject to U.S. export controls, specifically, the Export Administration Regulations and economic sanctions enforced by the Office of Foreign Assets Control. We incorporate encryption technology into certain of our solutions. These encryption solutions and the underlying technology may be exported only with the required export authorizations, including by license, a license exception or other appropriate government authorizations. U.S. export controls may require submission of an encryption registration, product classification and/or annual or semi-annual reports. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export authorization for our solutions, when applicable, could harm our international sales and adversely affect our revenues. Compliance with applicable regulatory requirements regarding the export of our solutions, including with respect to new releases of our solutions, may create delays in the introduction of our solutions in international markets, prevent our customers with international operations from deploying our solutions throughout their
55

Table of Contents
globally-distributed systems or, in some cases, prevent the export of our solutions to some countries altogether. In addition, various countries regulate the import of our appliance-based solutions and have enacted laws that could limit our ability to distribute solutions or could limit our customers’ ability to implement our solutions in those countries. Any new export or import restrictions, new legislation or shifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations, could result in decreased use of our solutions by existing customers with international operations, declining adoption of our solutions by new customers with international operations and decreased revenues. If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges.
If we are required to collect higher sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales may decrease.
Taxing jurisdictions, including state and local entities, have differing rules and regulations governing sales and use or other taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our subscription services in various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We could also be subject to audits with respect to state and international jurisdictions for which we may not have accrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes on our services in jurisdictions where we have not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our solutions or otherwise harm our business and operating results.
Changes in our income tax provision or adverse outcomes resulting from examination of our income tax returns could adversely affect our operating results. We could be subject to additional taxes.
We are subject to income taxes in the United States and various foreign jurisdictions, and our domestic and international tax liabilities are subject to the allocation of expenses in differing jurisdictions. Our tax rate is affected by changes in the mix of earnings and losses in countries with differing statutory tax rates, certain non-deductible expenses, excess tax benefits arising from stock-based compensation, other tax benefits and credits, and the valuation of deferred tax assets and liabilities. Increases in our effective tax rate could harm our operating results.
Additionally, significant judgment is required in evaluating our tax positions and our worldwide tax provisions. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including those relating to income tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. The Tax Cuts and Jobs Act of 2017 introduced a Base Erosion and Anti-Abuse Tax which imposes a minimum tax on adjusted income of corporations with average applicable gross receipt of at least $500 million for prior three tax years and that make certain payments to related foreign persons. While these rules do not impact our results of operations in the current year, these could impact our financial results in future periods. The Organization for Economic Cooperation and Development has issued model rules in connection with the Base Erosion and Profit Shifting integrated framework that determine multi-jurisdictional taxing rights (Pillar One) and the minimum rate of tax applicable to certain types of income (Pillar Two). Many countries have enacted legislation to apply the Pillar Two directive for tax years beginning in January 2024, which generally provides for a minimum effective tax rate of 15% on the income arising in each jurisdiction where the Company operates. We do not anticipate these rules to have an impact on our current year’s financial results. If applicable in the future, these could have an impact on our financial results, the extent of which is currently uncertain. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made.
56

Table of Contents
Risks Related to Ownership of Our Common Stock
Market volatility may affect our stock price and the value of an investment in our common stock and could subject us to litigation.
The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of which we cannot predict or control, including:
announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors;
fluctuations in stock market prices and trading volumes of securities of similar companies;
general market conditions and overall fluctuations in U.S. equity markets;
variations in our operating results, or the operating results of our competitors;
changes in our financial guidance or securities analysts’ estimates of our financial performance;
changes in accounting principles;
sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;
additions or departures of any of our key personnel;
announcements related to litigation;
changing legal or regulatory developments in the United States and other countries; and
discussion of us or our stock price by the financial press and in online investor communities.
In addition, the stock market in general, and the stocks of technology companies such as ours in particular, have experienced substantial price and volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations may cause the trading price of our common stock to decline. In the past, securities class action litigation has often been brought against a company after a period of volatility in the trading price of its common stock. We may become involved in this type of litigation in the future. Any securities litigation claims brought against us could result in substantial expenses and the diversion of our management’s attention from our business.
Our actual operating results may differ significantly from our guidance.
From time to time, we have released, and may continue to release, guidance in our quarterly earnings conference calls, quarterly earnings releases, or otherwise, regarding our future performance that represents our management's estimates as of the date of release. This guidance, which includes forward-looking statements, has been and will be based on projections prepared by our management. These projections are not prepared with a view toward compliance with published guidelines of the American Institute of Certified Public Accountants, and neither our registered public accountants nor any other independent expert or outside party compiles or examines the projections. Accordingly, no such person expresses any opinion or any other form of assurance with respect to the projections.
Projections are based upon a number of assumptions and estimates that, while presented with numerical specificity, are inherently subject to significant business, economic and competitive uncertainties and contingencies, many of which are beyond our control and are based upon specific assumptions with respect to future business decisions, some of which will change. We intend to state possible outcomes as high and low ranges which are intended to provide a sensitivity analysis as variables are changed but are not intended to imply that actual results could not fall outside of the suggested ranges. The principal reason that we release guidance is to provide a basis for our management to discuss our business outlook with analysts and investors. We do not accept any responsibility for any projections or reports published by any such third parties.
Guidance is necessarily speculative in nature, and it can be expected that some or all of the assumptions underlying the guidance furnished by us will not materialize or will vary significantly from actual results. Accordingly, our guidance is only an estimate of what management believes is realizable as of the date of release. Actual results may vary from our guidance and the variations may be material. In light of the foregoing, investors are urged not to rely upon our guidance in making an investment decision regarding our common stock.
57

Table of Contents
Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors” section in this Quarterly Report on Form 10-Q could result in our actual operating results being different from our guidance, and the differences may be adverse and material.
Future sales of shares by existing stockholders could cause our stock price to decline.
The market price of shares of our common stock could decline as a result of substantial sales of our common stock, particularly sales by our directors, executive officers, employees and significant stockholders, a large number of shares of our common stock becoming available for sale, or the perception in the market that holders of a large number of shares intend to sell their shares. As of June 30, 2024, we had approximately 36.8 million shares of our common stock outstanding.
In addition, as of June 30, 2024, there were approximately 1.4 million options and 0.9 million restricted stock units outstanding. If such options are exercised and restricted stock units are released, these additional shares will become available for sale. As of June 30, 2024, we had an aggregate of 2.7 million shares of our common stock reserved for future issuance under our Restated 2012 Equity Incentive Plan and 0.5 million shares reserved for future purchase under our 2021 Employee Stock Purchase Plan, which can be freely sold in the public market upon issuance. If a large number of these shares are sold in the public market, the sales could reduce the trading price of our common stock.
We cannot guarantee that our share repurchase program will be fully consummated or that it will enhance stockholder value, and any share repurchases we make could affect the price of our common stock.
On February 12, 2018, we announced that our board of directors had authorized a $100.0 million repurchase program. On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021, May 4, 2022 and February 7, 2024, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.2 billion as of June 30, 2024. Although our board of directors authorized the share repurchase program, we are not obligated to repurchase any specific dollar amount or to acquire any specific number of shares. The share repurchase program could affect the price of our common stock, increase volatility and diminish our cash reserves. In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. Finally, our share repurchases in 2023 and 2024 were subject to the 1% excise tax introduced in the Inflation Reduction Act. The amount of share repurchases subject to the excise tax are reduced by the fair market value of any shares issued during the taxable year. This provision does not currently, nor do we expect it to in the future, have a material impact to our results of operations. During the six months ended June 30, 2024, we repurchased 0.3 million shares of our common stock for approximately $53.0 million. As of June 30, 2024, approximately $230.7 million remained available for share repurchases pursuant to our share repurchase program.
We do not intend to pay dividends on our common stock and therefore any returns will be limited to the value of our stock.
We have never declared or paid any cash dividend on our common stock. We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders will therefore be limited to the value of their stock.
Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us, which may be beneficial to our stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management.
Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may delay or prevent an acquisition of us or a change in our management. These provisions include:
authorizing “blank check” preferred stock, which could be issued by our board of directors without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt;
a classified board of directors whose members can only be dismissed for cause;
the prohibition on actions by written consent of our stockholders;
58

Table of Contents
the limitation on who may call a special meeting of stockholders;
the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon at stockholder meetings; and
the requirement of at least two-thirds of the outstanding capital stock to amend any of the foregoing second through fifth provisions.
In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us. Although we believe these provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to negotiate with our board of directors, they would apply even if an offer rejected by our board of directors were considered beneficial by some stockholders. In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management.
General Risk Factors
Disruptive technologies could gain wide adoption and supplant our cloud-based IT, security and compliance solutions, thereby weakening our sales and harming our results of operations.
The introduction of products and services embodying new technologies could render our existing solutions obsolete or less attractive to customers. Our business could be harmed if new IT, security and compliance technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes or to convince our customers and potential customers of the value of our solutions even in light of new technologies, our business could be harmed and our revenues may decline.
We may not maintain profitability in the future.
We may not be able to sustain or increase our growth or maintain profitability in the future. We plan to continue to invest in our infrastructure, new solutions, research and development and sales and marketing, and as a result, we cannot assure you that we will maintain profitability. We may incur losses in the future for a number of reasons, including without limitation, the other risks and uncertainties described in this Quarterly Report on Form 10-Q. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed and we may not again achieve or maintain profitability in the future.
Forecasts of market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, there can be no assurance that our business will grow at similar rates, or at all.
Growth forecasts relating to the expected growth in the market for IT, security and compliance and other markets are subject to significant uncertainty and are based on assumptions and estimates which may prove to be inaccurate. Even if these markets experience the forecasted growth, we may not grow our business at similar rates, or at all. Our growth is subject to many factors, including our success in implementing our business strategy, which is subject to many risks and uncertainties. Accordingly, forecasts of market growth should not be taken as indicative of our future growth.
Our financial results are based in part on our estimates or judgments relating to our critical accounting policies. These estimates or judgments may prove to be incorrect, which could harm our operating results and result in a decline in our stock price.
The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the amounts reported in the condensed consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Part I, Item 2 - Management’s Discussion and Analysis of Financial Condition and Results of Operations,” the results of which form the basis for making judgments about the carrying values of assets, liabilities, equity, revenues and expenses that are not readily apparent from other sources. Our operating results may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which
59

Table of Contents
could cause our operating results to fall below the expectations of securities analysts and investors, resulting in a decline in our stock price. Significant assumptions and estimates used in preparing our condensed consolidated financial statements include those related to revenue recognition, accounting for income taxes and stock-based compensation.
Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations.
We prepare our financial statements in accordance with U.S. GAAP. These principles are subject to interpretation by the SEC and various bodies formed to interpret and create appropriate accounting principles. A change in these accounting standards or practices could harm our operating results and could have a significant effect on our reporting of transactions and reported results and may even retroactively affect previously reported transactions. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may harm our operating results or require that we make significant changes to our systems, processes and controls or the way we conduct our business.
If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, or the Exchange Act, the Sarbanes-Oxley Act of 2002, or the Sarbanes-Oxley Act, and the rules and regulations of the NASDAQ Stock Market. To continue to comply with the requirements of being a public company, we may need to undertake various actions, such as implementing additional internal controls and procedures and hiring additional accounting or internal audit staff.
Our internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with U.S. GAAP. Our current controls and any new controls that we develop may become inadequate because of changes in conditions in our business. Any failure to maintain effective controls, or any difficulties encountered in their improvement, could harm our operating results or cause us to fail to meet our reporting obligations. Any failure to maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports we file with the SEC under Section 404 of the Sarbanes-Oxley Act. While we were able to assert in our Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2023, we cannot predict the outcome of our testing in future periods. If we are unable to assert in any future reporting period that our internal control over financial reporting is effective (or if our independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal controls), investors may lose confidence in our operating results and our stock price could decline. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NASDAQ Stock Market.
Item 2.                                  Unregistered Sales of Equity Securities and Use of Proceeds
A summary of our repurchases of common stock during the three months ended June 30, 2024 is as follows:

PeriodTotal Number of Shares PurchasedAverage Price Paid per Share
Total Number of Shares Purchased
as Part of Publicly Announced Plan
or Program (1)
Approximate
Dollar Value of
Shares that May
Yet Be Purchased under the Plan or
Program
April 1 - April 30, 202466,000$166.56 66,000$254,660,726 
May 1 - May 31, 202487,000$149.71 87,000$241,635,870 
June 1 - June 30, 202479,529$137.96 79,529$230,664,270 
Total232,529232,529 
(1) On February 12, 2018, we announced that our board of directors authorized a $100.0 million share repurchase program. On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021,
60

Table of Contents
May 4, 2022 and February 7, 2024, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.2 billion as of June 30, 2024. Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934. We have entered into a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act to effect repurchases under our share repurchase program. All share repurchases have been made using cash resources. Our share repurchase program does not have an expiration date.
Item 3.                                  Defaults upon Senior Securities
None.
Item 4.                                  Mine Safety Disclosures
None.
Item 5.                                  Other Information
Securities Trading Plans of Directors and Executive Officers
During the three months ended June 30, 2024, no director or officer, as defined in Rule 16a-1(f), adopted or terminated a “Rule 10b5-1 trading arrangement” or a "non-Rule 10b5-1 trading arrangement," each as defined in Regulation S-K Item 408.
61

Table of Contents
Item 6.                                  Exhibits
Exhibit NumberDescription
10.1*
10.2*
10.3*
31.1
31.2
32.1^
32.2^
101 INSInline XBRL Instance Document - the instance document does not appear in the interactive data file because its XBRL tags are embedded within the inline XBRL document.
101 SCHInline XBRL Taxonomy Extension Schema Document
101 CALInline XBRL Taxonomy Extension Calculation Linkbase Document.
101 DEFInline XBRL Taxonomy Extension Definition Linkbase Document.
101 LABInline XBRL Taxonomy Extension Labels Linkbase Document.
101 PREInline XBRL Taxonomy Extension Presentation Linkbase Document.
104Cover Page Interactive Data File - the cover page interactive data is embedded within the Inline XBRL document or included within Exhibit 101 attachments.
*    Indicates a management contract or compensatory plan or arrangement.
^Exhibits 32.1 and 32.2 are being furnished and shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), or otherwise subject to the liability of that section, nor shall such exhibits be deemed to be incorporated by reference in any registration statement or other document filed under the Securities Act of 1933, as amended, or the Exchange Act, except as otherwise specifically stated in such filing.
62

Table of Contents
SIGNATURES
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized, in the City of Foster City, State of California on August 6, 2024.
QUALYS, INC.
By:/s/ JOO MI KIM
Name: Joo Mi Kim
Title: Chief Financial Officer
(principal financial and accounting officer)
63
Document

Exhibit 10.2
QUALYS, INC.
2012 EQUITY INCENTIVE PLAN
STOCK OPTION AGREEMENT
Unless otherwise defined herein, the terms defined in the Qualys, Inc. 2012 Equity Incentive Plan (the “Plan”) will have the same defined meanings in this Stock Option Agreement, including the Notice of Stock Option Grant (the “Notice of Grant”), the Terms and Conditions of Stock Option Grant, attached hereto as Exhibit A, and the Appendix, attached hereto as Exhibit B (all together, the “Agreement”).
NOTICE OF STOCK OPTION GRANT
Participant:
Address:     

    
    
Participant has been granted an Option to purchase Common Stock of Qualys, Inc. (the “Company”), subject to the terms and conditions of the Plan and this Agreement, as follows:
Grant Number
Date of Grant
Vesting Commencement Date
Number of Shares Granted
Exercise Price per Share
Total Exercise Price
Type of Option [X] Nonstatutory Stock Option
Term/Expiration Date
Vesting Schedule: Subject to accelerated vesting as set forth below or in the Plan, this Option will be exercisable, in whole or in part, in accordance with the following schedule: [TBD]

Termination Period: This Option will be exercisable for three (3) months after Participant ceases to be a Service Provider, unless such termination is due to Participant’s death or Disability, in which case this Option will be exercisable for twelve (12) months after Participant ceases to be a Service Provider. Notwithstanding the foregoing sentence, in no event may this Option be exercised after the Term/Expiration Date as provided above (or in Exhibit B if a special Term/Expiration Date is required for Participant’s country) and may be subject to earlier termination as provided in Section 13(c) of the Plan.



By Participant’s signature and the signature of the Company’s representative below, Participant and the Company agree that this Option is granted under and governed by the terms and conditions of the Plan and this Agreement, all of which are made a part of this document. Participant has reviewed the Plan and this Agreement in their entirety, has had an opportunity to obtain the advice of counsel prior to executing this Agreement and fully understands all provisions of the Plan and Agreement. Participant hereby agrees to accept as binding, conclusive and final all decisions or interpretations of the Administrator upon any questions relating to the Plan and Agreement. Participant further agrees to notify the Company upon any change in the residence address indicated below.

QUALYS, INC PARTICIPANT
  




EXHIBIT A
TERMS AND CONDITIONS OF STOCK OPTION GRANT
1.Grant of Option. The Company hereby grants to the Participant named in the Notice of Grant (the “Participant”) an option (the “Option”) to purchase the number of Shares, as set forth in the Notice of Grant, at the exercise price per Share set forth in the Notice of Grant (the “Exercise Price”), subject to all of the terms and conditions in this Agreement and the Plan, which is incorporated herein by reference. Subject to Section 18(c) of the Plan, in the event of a conflict between the terms and conditions of the Plan and the terms and conditions of this Agreement, the terms and conditions of the Plan will prevail. For U.S. taxpayers, the Option will be designated as either an Incentive Stock Option (“ISO”) or a Nonstatutory Stock Option (“NSO”). If designated in the Notice of Grant as an ISO, this Option is intended to qualify as an ISO under Section 422 of the Internal Revenue Code of 1986, as amended (the “Code”). However, if this Option is intended to be an Incentive Stock Option, to the extent that it exceeds the $100,000 rule of Code Section 422(d) it will be treated as an NSO. Further, if for any reason this Option (or portion thereof) will not qualify as an ISO, then, to the extent of such nonqualification, such Option (or portion thereof) shall be regarded as a NSO granted under the Plan. In no event will the Administrator, the Company or any Parent or Subsidiary or any of their respective employees or directors have any liability to Participant (or any other person) due to the failure of the Option to qualify for any reason as an ISO.
For non-U.S. taxpayers, the Option will be designated as an NSO.
2.Vesting Schedule. Except as provided in Section 3, the Option awarded by this Agreement will vest in accordance with the vesting provisions set forth in the Notice of Grant. Shares scheduled to vest on a certain date or upon the occurrence of a certain condition will not vest in Participant in accordance with any of the provisions of this Agreement, unless Participant will have been continuously a Service Provider from the Date of Grant until the date such vesting occurs.
3.Administrator Discretion. The Administrator, in its discretion, may accelerate the vesting of the balance, or some lesser portion of the balance, of the unvested Option at any time, subject to the terms of the Plan. If so accelerated, such Option will be considered as having vested as of the date specified by the Administrator.
4.Exercise of Option.
(a)Right to Exercise. This Option may be exercised only within the term set out in the Notice of Grant, and may be exercised during such term only in accordance with the Plan and the terms of this Agreement.

(b)Method of Exercise. This Option is exercisable by delivery of an exercise notice, in the form attached as Exhibit C (the “Exercise Notice”) or in a manner and pursuant to such procedures as the Administrator may determine, which will state the election to exercise the Option, the number of Shares in respect of which the Option is being exercised (the “Exercised Shares”), and such other representations and agreements



as may be required by the Company pursuant to the provisions of the Plan. The Exercise Notice will be completed by Participant and delivered to the Company. The Exercise Notice will be accompanied by payment of the aggregate Exercise Price as to all Exercised Shares together and of any Tax-Related Items (as defined in Section 6(a)). This Option will be deemed to be exercised upon receipt by the Company of such fully executed Exercise Notice accompanied by the aggregate Exercise Price.

5.Method of Payment. Payment of the aggregate Exercise Price will be by any of the following, or a combination thereof, at the election of Participant:
(a)cash;
(b)check;
(c)consideration received by the Company under a formal cashless exercise program adopted by the Company in connection with the Plan; or

(d)if Participant is a U.S. employee, surrender of other Shares which have a Fair Market Value on the date of surrender equal to the aggregate Exercise Price of the Exercised Shares, provided that accepting such Shares, in the sole discretion of the Administrator, will not result in any adverse accounting consequences to the Company.
6.Tax Obligations.
(a)Withholding of Taxes. Notwithstanding any contrary provision of this Agreement, no certificate representing the Shares will be issued to Participant, unless and until satisfactory arrangements (as determined by the Administrator) will have been made by Participant with respect to the payment of income, employment, social insurance, payroll tax, fringe benefit tax, payment on account or other tax-related items related to Participant’s participation in the Plan and legally applicable to Participant (“Tax-Related Items”) which the Company determines must be withheld with respect to such Shares. If Participant is a non-U.S. employee, payment of Tax-Related Items may not be effectuated by surrender of other Shares with a Fair Market Value equal to the amount of any Tax-Related Items. To the extent determined appropriate by the Company in its discretion, it will have the right (but not the obligation) to satisfy any Tax-Related Items by reducing the number of Shares otherwise deliverable to Participant. If Participant fails to make satisfactory arrangements for the payment of any required Tax-Related Items hereunder at the time of the Option exercise, Participant acknowledges and agrees that the Company may refuse to honor the exercise and refuse to deliver the Shares if such amounts are not delivered at the time of exercise. Further, if Participant is subject to tax in more than one jurisdiction between the Date of Grant and the date of any relevant taxable or tax withholding event, as applicable, Participant acknowledges and agrees that the Company and/or Participant’s employer (the “Employer”), or former employer, as applicable, may be required to withhold or account for tax in more than one jurisdiction.




(b)Notice of Disqualifying Disposition of ISO Shares. If the Option granted to Participant herein is an ISO, and if Participant sells or otherwise disposes of any of the Shares acquired pursuant to the ISO on or before the later of (i) the date two (2) years after the Date of Grant, or (ii) the date one (1) year after the date of exercise, Participant will immediately notify the Company in writing of such disposition. Participant agrees that Participant may be subject to income tax withholding by the Company on the compensation income recognized by Participant.
(c)Code Section 409A. Under Code Section 409A, an option that vests after December 31, 2004 (or that vested on or prior to such date but which was materially modified after October 3, 2004) that was granted with a per share exercise price that is determined by the Internal Revenue Service (the “IRS”) to be less than the fair market value of a share on the date of grant (a “Discount Option”) may be considered “deferred compensation.” A Discount Option may result in (i) income recognition by Participant prior to the exercise of the option, (ii) an additional twenty percent (20%) federal income tax, and (iii) potential penalty and interest charges. The Discount Option may also result in additional state income, penalty and interest charges to Participant. Participant acknowledges that the Company cannot and has not guaranteed that the IRS will agree that the per Share Exercise Price of this Option equals or exceeds the Fair Market Value of a Share on the Date of Grant in a later examination. Participant agrees that if the IRS determines that the Option was granted with a per Share Exercise Price that was less than the Fair Market Value of a Share on the Date of Grant, Participant will be solely responsible for Participant’s costs related to such a determination.

7.Rights as Stockholder. Neither Participant nor any person claiming under or through Participant will have any of the rights or privileges of a stockholder of the Company in respect of any Shares deliverable hereunder unless and until certificates representing such Shares will have been issued, recorded on the records of the Company or its transfer agents or registrars, and delivered to Participant. After such issuance, recordation and delivery, Participant will have all the rights of a stockholder of the Company with respect to voting such Shares and receipt of dividends and distributions on such Shares.
8.No Guarantee of Continued Service. PARTICIPANT ACKNOWLEDGES AND AGREES THAT THE VESTING OF SHARES PURSUANT TO THE VESTING SCHEDULE HEREOF IS EARNED ONLY BY CONTINUING AS A SERVICE PROVIDER AT THE WILL OF THE COMPANY (OR THE PARENT OR SUBSIDIARY EMPLOYING OR RETAINING PARTICIPANT) AND NOT THROUGH THE ACT OF BEING HIRED, BEING GRANTED THIS OPTION OR ACQUIRING SHARES HEREUNDER. PARTICIPANT FURTHER ACKNOWLEDGES AND AGREES THAT THIS AGREEMENT, THE TRANSACTIONS CONTEMPLATED HEREUNDER AND THE VESTING SCHEDULE SET FORTH HEREIN DO NOT CONSTITUTE AN EXPRESS OR IMPLIED PROMISE OF CONTINUED ENGAGEMENT AS A SERVICE PROVIDER FOR THE VESTING PERIOD, FOR ANY PERIOD, OR AT ALL, AND WILL NOT INTERFERE IN ANY WAY WITH PARTICIPANT’S RIGHT OR THE RIGHT



OF THE COMPANY (OR THE PARENT OR SUBSIDIARY EMPLOYING OR RETAINING PARTICIPANT) TO TERMINATE PARTICIPANT’S RELATIONSHIP AS A SERVICE PROVIDER AT ANY TIME, WITH OR WITHOUT CAUSE.
9.Nature of Grant. In accepting the Option, Participant acknowledges, understands and agrees that:
(a)the Plan is established voluntarily by the Company, it is discretionary in nature, and may be amended, suspended or terminated by the Company at any time, to the extent permitted by the Plan;

(b)the grant of the Option is voluntary and occasional and does not create any contractual or other right to receive future grants of options, or benefits in lieu of options, even if options have been granted in the past;

(c)all decisions with respect to future option or other grants, if any, will be at the sole discretion of the Company;

(d)Participant is voluntarily participating in the Plan;
(e)the Option and any Shares acquired under the Plan are not intended to replace any pension rights or compensation;

(f)the Option and Shares acquired under the Plan and the income and value of same, are not part of normal or expected compensation for purposes of calculating any severance, resignation, termination, redundancy, dismissal, end-of-service payments, bonuses, long-service awards, pension or retirement or welfare benefits or similar payments;

(g)unless otherwise agreed with the Company, the Option and the Shares subject to the Option, and the income and value of same, are not granted for, or in connection with, any service Participant may provide as a director of any Parent or Subsidiary of the Company;

(h)the future value of the Shares underlying the Option is unknown, indeterminable, and cannot be predicted with certainty;

(i)if the underlying Shares do not increase in value, the Option will have no value;
(j)if Participant exercises the Option and acquires Shares, the value of such Shares may increase or decrease in value, even below the Exercise Price;

(k)for purposes of the Option, Participant’s engagement as a Service Provider will be considered terminated as of the date Participant is no longer actively



providing services to the Company or any Parent or Subsidiary (regardless of the reason for such termination and whether or not later found to be invalid or in breach of employment laws in the jurisdiction where Participant is a Service Provider or the terms of Participant’s engagement agreement, if any), and unless otherwise expressly provided in this Agreement or determined by the Administrator, (i) Participant’s right to vest in the Option under the Plan, if any, will terminate as of such date and will not be extended by any notice period (e.g., Participant’s period of service would not include any contractual notice period or any period of “garden leave” or similar period mandated under employment laws in the jurisdiction where Participant is a Service Provider or Participant’s engagement agreement, if any, unless Participant is providing bona fide services during such time); and (ii) the period (if any) during which Participant may exercise the Option after such termination of Participant's engagement as a Service Provider will commence on the date Participant ceases to actively provide services and will not be extended by any notice period mandated under employment laws in the jurisdiction where Participant is employed or terms of Participant’s engagement agreement, if any; the Administrator shall have the exclusive discretion to determine when Participant is no longer actively providing services for purposes of his or her Option grant (including whether Participant may still be considered to be providing services while on a leave of absence);

(l)unless otherwise provided in the Plan or by the Company in its discretion, the Option and the benefits evidenced by this Agreement do not create any entitlement to have the Option or any such benefits transferred to, or assumed by, another company nor to be exchanged, cashed out or substituted for, in connection with any corporate transaction affecting the Shares; and
(m)the following provisions apply only if Participant is providing services outside the United States:
(i)the Option and the Shares subject to the Option are not part of normal or expected compensation or salary for any purpose;
(ii)neither the Company, the Employer, nor any Parent or Subsidiary shall be liable for any foreign exchange rate fluctuation between Participant’s local currency and the United States Dollar that may affect the value of the Option or of any amounts due to Participant pursuant to the exercise of the Option or the subsequent sale of any Shares acquired upon exercise; and
(iii)no claim or entitlement to compensation or damages shall arise from forfeiture of the Option resulting from the termination of Participant’s engagement as a Service Provider (for any reason whatsoever, whether or not later found to be invalid or in breach of employment laws in the jurisdiction where Participant is a Service Provider or the terms of Participant’s



engagement agreement, if any), and in consideration of the grant of the Option to which Participant is otherwise not entitled, Participant irrevocably agrees never to institute any claim against the Company, any Parent, any Subsidiary or the Employer, waives his or her ability, if any, to bring any such claim, and releases the Company, any Subsidiary and the Employer from any such claim; if, notwithstanding the foregoing, any such claim is allowed by a court of competent jurisdiction, then, by participating in the Plan, Participant shall be deemed irrevocably to have agreed not to pursue such claim and agrees to execute any and all documents necessary to request dismissal or withdrawal of such claim.

10.No Advice Regarding Grant. The Company is not providing any tax, legal or financial advice, nor is the Company making any recommendations regarding Participant’s participation in the Plan, or Participant’s acquisition or sale of the underlying Shares. Participant is hereby advised to consult with his or her own personal tax, legal and financial advisors regarding his or her participation in the Plan before taking any action related to the Plan.
11.Data Privacy. Participant hereby explicitly and unambiguously consents to the collection, use and transfer, in electronic or other form, of Participant’s personal data as described in this Agreement and any other Option grant materials by and among, as applicable, the Employer, the Company and any Parent or Subsidiary for the exclusive purpose of implementing, administering and managing Participant’s participation in the Plan.
Participant understands that the Company and the Employer may hold certain personal information about Participant, including, but not limited to, Participant’s name, home address and telephone number, email address, date of birth, social insurance number, passport or other identification number, salary, nationality, job title, any shares of stock or directorships held in the Company, details of all Options or any other entitlement to stock awarded, canceled, exercised, vested, unvested or outstanding in Participant’s favor (“Data”), for the exclusive purpose of implementing, administering and managing the Plan.
Participant understands that Data will be transferred to a stock plan service provider as may be selected by the Company in the future, which is assisting the Company with the implementation, administration and management of the Plan. Participant understands that the recipients of the Data may be located in the United States or elsewhere, and that the recipient’s country (e.g., the United States) may have different data privacy laws and protections than Participant’s country. Participant understands that he or she may request a list with the names and addresses of any potential recipients of the Data by contacting his or her local human resources representative. Participant authorizes the Company and any other possible recipients which may assist the Company (presently or in the future) with implementing, administering and managing the Plan to receive, possess, use, retain and transfer the Data, in electronic or other form, for the sole purposes of implementing, administering and managing Participant’s participation in the Plan. Participant understands that Data will be held only as long as is necessary to implement, administer and manage Participant’s participation in the Plan.



Participant understands that he or she may, at any time, view Data, request additional information about the storage and processing of Data, require any necessary amendments to Data or refuse or withdraw the consents herein, in any case without cost, by contacting in writing his or her local human resources representative. Further, Participant understands that he or she is providing the consents herein on a purely voluntary basis. If Participant does not consent, or if Participant later seeks to revoke his or her consent, his or her engagement as a Service Provider and career with the Employer will not be affected; the only consequence of refusing or withdrawing Participant’s consent is that the Company would not be able to grant Participant Options or other equity awards or administer or maintain such awards. Therefore, Participant understands that refusing or withdrawing his or her consent may affect Participant’s ability to participate in the Plan. For more information on the consequences of Participant’s refusal to consent or withdrawal of consent, Participant understands that he or she may contact his or her local human resources representative.

12.Address for Notices. Any notice to be given to the Company under the terms of this Agreement will be addressed to the Company at Qualys, Inc., 919 E. Hillsdale Blvd, 4th Floor, Foster City, CA 94404, or at such other address as the Company may hereafter designate in writing.
13.Non-Transferability of Option. This Option may not be transferred in any manner otherwise than by will or by the laws of descent or distribution and may be exercised during the lifetime of Participant only by Participant.
14.Binding Agreement. Subject to the limitation on the transferability of this grant contained herein, this Agreement will be binding upon and inure to the benefit of the heirs, legatees, legal representatives, successors and assigns of the parties hereto.
15.Additional Conditions to Issuance of Stock. If at any time the Company will determine, in its discretion, that the listing, registration, qualification or rule compliance of the Shares upon any securities exchange or under any state, federal or foreign law, the tax code and related regulations or the consent or approval of any governmental regulatory authority is necessary or desirable as a condition to the purchase by, or issuance of Shares to, Participant (or his or her estate) hereunder, such purchase or issuance will not occur unless and until such listing, registration, qualification, rule compliance, consent or approval will have been completed, effected or obtained free of any conditions not acceptable to the Company. The Company will make all reasonable efforts to meet the requirements of any such state, federal or foreign law or securities exchange and to obtain any such consent or approval of any such governmental authority or securities exchange. Assuming such compliance, for income tax purposes the Exercised Shares will be considered transferred to Participant on the date the Option is exercised with respect to such Exercised Shares.
16.Plan Governs. This Agreement is subject to all terms and provisions of the Plan. In the event of a conflict between one or more provisions of this Agreement and one or more provisions of the Plan, the provisions of the Plan will govern. Capitalized terms used and not defined in this Agreement will have the meaning set forth in the Plan.
17.Administrator Authority. The Administrator will have the power to interpret the Plan and this Agreement and to adopt such rules for the administration, interpretation and application of the Plan as are consistent therewith and to interpret or revoke any such rules (including, but not limited to, the



determination of whether or not any Shares subject to the Option have vested). All actions taken and all interpretations and determinations made by the Administrator in good faith will be final and binding upon Participant, the Company and all other interested persons. No member of the Administrator will be personally liable for any action, determination or interpretation made in good faith with respect to the Plan or this Agreement.

18.Electronic Delivery and Acceptance. The Company may, in its sole discretion, decide to deliver any documents related to Options awarded under the Plan or future options that may be awarded under the Plan by electronic means or request Participant’s consent to participate in the Plan by electronic means. Participant hereby consents to receive such documents by electronic delivery and agrees to participate in the Plan through any on-line or electronic system established and maintained by the Company or a third party designated by the Company.
19.Captions. Captions provided herein are for convenience only and are not to serve as a basis for interpretation or construction of this Agreement.
20.Language. If Participant has received this Agreement, or any other document related to the Option and/or the Plan translated into a language other than English and if the meaning of the translated version is different than the English version, the English version will control.
21.Agreement Severable. In the event that any provision in this Agreement will be held invalid or unenforceable, such provision will be severable from, and such invalidity or unenforceability will not be construed to have any effect on, the remaining provisions of this Agreement.
22.Amendment, Suspension or Termination of the Plan. By accepting this Award, Participant expressly warrants that he or she has received an Option under the Plan, and has received, read and understood a description of the Plan. Participant understands that the Plan is discretionary in nature and may be amended, suspended or terminated by the Company at any time.
23.Governing Law and Venue. This Agreement will be governed by the laws of California, without giving effect to the conflict of law principles thereof. For purposes of litigating any dispute that arises under this Option or this Agreement, the parties hereby submit to and consent to the exclusive jurisdiction of the State of California, and agree that such litigation will be exclusively conducted in the courts of San Mateo County, California, or the federal courts for the United States for the Northern District of California, and no other courts, where this Option is made and/or to be performed.
24.Appendix. Notwithstanding any provisions in this Agreement, the Option grant shall be subject to any special terms and conditions set forth in any appendix to this Agreement for Participant’s country (the “Appendix”). Moreover, if Participant relocates to one of the countries included in the Appendix, the special terms and conditions for such country will apply to Participant, to the extent the Company determines that the application of such terms and conditions is necessary or advisable for legal or administrative reasons. The Appendix constitutes part of this Agreement.
25.Modifications to the Agreement. This Agreement constitutes the entire understanding of the parties on the subjects covered. Participant expressly warrants that he or she is not accepting this Agreement in reliance on any promises, representations, or inducements other than those contained



herein. Modifications to this Agreement or the Plan can be made only in an express written contract executed by a duly authorized officer of the Company. Notwithstanding anything to the contrary in the Plan or this Agreement, the Company reserves the right to revise this Agreement as it deems necessary or advisable, in its sole discretion and without the consent of Participant, to comply with Code Section 409A or to otherwise avoid imposition of any additional tax or income recognition under Section 409A of the Code in connection with the Option.
26.Waiver. Participant acknowledges that a waiver by the Company of breach of any provision of this Agreement shall not operate or be construed as a waiver of any other provision of this Agreement, or of any subsequent breach by Participant or any other Participant.
27.Insider Trading Restrictions/Market Abuse Laws. Participant acknowledges that, he or she may be subject to insider trading restrictions and/or market abuse laws, which may affect Participant’s ability to acquire or sell Shares or rights to Shares (e.g., the Option) under the Plan during such times as Participant is considered to have “inside information” regarding the Company (as defined by the laws in Participant’s country). Any restrictions under these laws or regulations are separate from and in addition to any restrictions that may be imposed under any applicable Company insider trading policy. Participant is responsible for complying with any applicable restrictions and is advised to speak with his or her personal advisor on this matter.
28.Foreign Asset/Account Reporting; Exchange Control Requirements. Participant’s country may have certain foreign asset and/or foreign account reporting requirements and exchange controls which may affect Participant’s ability to acquire or hold Shares acquired under the Plan or cash received from participating in the Plan (including from any dividends paid on Shares acquired under the Plan) in a brokerage or bank account outside Participant’s country. Participant may be required to report such accounts, assets or transactions to the tax or other authorities in Participant’s country. Participant also may be required to repatriate sale proceeds or other funds received as a result of Participant’s participation in the Plan to Participant’s country through a designated bank or broker within a certain time after receipt. Participant acknowledges that he or she is responsible for complying with any applicable regulations, and that Participant is instructed to speak to his or her personal legal advisor for any details.



EXHIBIT B
APPENDIX TO STOCK OPTION AGREEMENT
Terms and Conditions
This Appendix to Stock Option Agreement (the “Appendix”) includes additional terms and conditions that govern the Option granted to Participant under the Plan if Participant resides and/or works in one of the countries listed below at the time of grant. Certain capitalized terms used but not defined in this Appendix have the meanings set forth in the Plan and/or the Agreement.
Notifications
This Appendix may also include information regarding exchange controls and certain other issues of which Participant should be aware with respect to participation in the Plan. The information is based on the securities, exchange control, and other laws in effect in the respective countries as of January 2021. Such laws are often complex and change frequently. As a result, the Company strongly recommends that Participant not rely on the information in this Appendix as the only source of information relating to the consequences of participation in the Plan because the information may be out of date at the time Participant exercises the Option or sells Shares acquired under the Plan.
In addition, the information contained herein is general in nature and may not apply to Participant’s particular situation, and the Company is not in a position to assure Participant of a particular result. Accordingly, Participant is advised to seek appropriate professional advice as to how the relevant laws in Participant’s country may apply to Participant’s situation.
Finally, if Participant is a citizen or resident of a country other than the one in which Participant is currently working, transfers employment or residency after the Option is granted, or is considered a resident of another country for local law purposes, the notifications contained herein may not be applicable to Participant, and the Company shall, in its discretion, determine to what extent the terms and conditions contained herein shall apply.
AUSTRALIA
Notifications
Exchange Control Information. Exchange control reporting is required for cash transactions exceeding AUD10,000 and for international fund transfers. If an Australian bank is assisting with the transaction, the bank will file the report on behalf of Participant.
Securities Law Information. If Participant acquires Shares under the Plan and offers the Shares for sale to a person or entity resident in Australia, the offer may be subject to disclosure requirements under Australian law. Participant should consult with his or her own legal advisor before making any such offer in Australia.



Tax Information. The Plan is a plan to which Subdivision 83A-C of the Income Tax Assessment Act 1997 (Cth) applies (subject to conditions in the Act).
BELGIUM
Terms and Conditions
Taxation of Option. The tax treatment of the Option will depend upon when Participant accepts it relative to the offer date. If Participant accepts the Option within 60 days from the offer date, Participant will be taxed at the time of offer. Based on the current interpretation of Belgian tax law by the Belgian Minister of Finance, if Participant accepts the option more than 60 days from the offer date, Participant will be taxed at the time of exercise. By accepting the Option, Participant acknowledges that neither the Employer, the Company nor any Parent or other Subsidiary may be held liable for damages, if any, that Participant may incur should the Minister of Finance’s interpretation not be upheld (with respect to taxation at exercise for options accepted more than 60 days following the offer date). Participant is advised to consult with his or her personal tax advisor prior to accepting the Option.
Notifications
Foreign Asset/Account Reporting Information. Belgium residents are required to report any securities held (including Shares) or bank or brokerage accounts opened and maintained outside Belgium on their annual tax returns. In a separate report, Belgium residents are also required to provide the National Bank of Belgium with the account details of any such foreign accounts. This report, as well as additional information on how to complete it, can be found on the website of the National Bank of Belgium, www.nbb.be, under Kredietcentrales / Centrales des crédits caption. Participant should consult his or her personal advisor to ensure compliance with applicable reporting obligations.
BRAZIL
Terms and Conditions
Compliance with Law. By accepting this Option, Participant agrees to comply with applicable Brazilian laws and to report and pay any and all applicable Tax-Related Items associated with the exercise of the Option, the receipt of any dividends, and the sale of Shares acquired under the Plan.
Labor Law Acknowledgment. By accepting and/or exercising the Option, Participant agrees that (i) Participant is making an investment decision, (ii) Participant may exercise the Option only if the vesting conditions are met and (iii) the value of the underlying Shares is not fixed and may increase or decrease in value without compensation.
Notifications
Exchange Control Information. If Participant is resident or domiciled in Brazil, Participant will be required to submit annually a declaration of assets and rights held outside of Brazil to the Central Bank of Brazil if the aggregate value of such assets and rights is equal to or greater than US$100,000. Assets and rights that must be reported include Shares.



Tax on Financial Transaction (IOF). Payments to foreign countries (including the payment of the exercise price) and repatriation of funds into Brazil and the conversion between BRL and USD associated with such fund transfers may be subject to the Tax on Financial Transactions. It is Participant’s responsibility to comply with any applicable Tax on Financial Transactions arising from his or her participation in the Plan. Participant should consult with his or her personal tax advisor for additional details.
CANADA
Terms and Conditions
Method of Payment. Due to regulatory considerations in Canada, Participant is prohibited from surrendering Shares that Participant already owns or attesting to the ownership of Shares to pay the Exercise Price or any Tax-Related Items in connection with the Option.
Termination of Continuous Service. The following provision supplements Section 9(k) of the Agreement and the Termination Period set forth in the Notice of Grant:
Participant’s active engagement as a Service Provider shall be considered terminated for vesting and other purposes as of the earlier of (a) the date that Participant receives notice of termination of Participant’s engagement as a Service Provider from the Company or the Employer; or (b) the date that Participant is no longer actively providing services to the Company or the Employer, regardless of any notice period or period of pay in lieu of such notice required under applicable employment law; the Administrator shall have the exclusive discretion to determine when Participant’s active provision of services is terminated for purposes of the Option (including whether Participant may still be considered actively employed while on a leave of absence).
Securities Law Information. Participant will not be permitted to sell or otherwise dispose of the Shares acquired upon exercise of the Option within Canada. Participant will be permitted to sell or dispose of such Shares only if such sale or disposal takes place outside of Canada through the facilities of the stock exchange on which the Shares are traded (i.e., the NASDAQ).
Foreign Asset/Account Reporting Information. If the total value of Participant’s foreign property exceeds C$100,000 at any time during the year, Participant must report all of his or her foreign property on Form T1135 (Foreign Income Verification Statement) by April 30 of the following year. Foreign property includes Shares acquired under the Plan as well as the Option itself. The Option must be reported--generally at a nil cost--if the C$100,000 cost threshold is exceeded because of other foreign property Participant holds. If Shares are acquired, their cost generally is the adjusted cost base (“ACB”) of the Shares. The ACB would normally equal the fair market value of the Shares at exercise, but if Participant owns other shares, this ACB may have to be averaged with the ACB of the other shares. Participant should speak with a personal tax advisor to determine the scope of foreign property that must be considered for purposes of this requirement.



The following provisions apply if Participant is a resident of Quebec:
Language Consent. The parties acknowledge that it is their express wish that the Agreement, as well as all documents, notices and legal proceedings entered into, given or instituted pursuant hereto or relating directly or indirectly hereto, be drawn up in English.
Consentement à la Langue Utilisée. Les parties reconnaissent avoir exigé la rédaction en anglais de la convention, ainsi que de tous documents, avis et procédures judiciaires, exécutés, donnés ou intentés en vertu de, ou liés directement ou indirectement à, la présente convention.
Data Privacy Notice and Consent. This provision supplements Section 11 of the Agreement:
Participant hereby authorizes the Company and the Company’s representatives to discuss with and obtain all relevant information from all personnel, professional or not, involved in the administration and operation of the Plan. Participant further authorizes the Company and any Subsidiary and the Plan administrators to disclose and discuss the Plan with their advisors and to record all relevant information and keep such information in Participant’s employee file.
COLOMBIA
Terms and Conditions
Nature of the Grant. This provision supplements Section 9 of the Agreement:
Pursuant to Article 128 of the Colombian Labor Code, amended by Articile 15 Law 50, 1990, the Plan and related benefits do not constitute a component of “salary” for any legal purpose.
Notifications
Securities Law Information. The Shares are not and will not be registered with the Colombian registry of publicly traded securities (Registro Nacional de Valores y Emisores) and therefore the Shares may not be offered to the public in Colombia. Nothing in this Agreement should be construed as the making of a public offer of securities in Colombia.
Foreign Asset/Account Reporting Information. Foreign investments held abroad (including Shares received upon exercise of the Option or any dividends paid on such Shares) must be registered with the Central Bank (Banco de la República) if Participant’s aggregate investments (as of December 31 of the applicable calendar year) equal or exceed the equivalent of US$500,000. Further, upon the sale of any Shares that Participant has registered with the Central Bank, Participant must cancel the registration by March 31 of the following year.
CZECH REPUBLIC
Notifications
Exchange Control Information. The Czech National Bank may require Participant to fulfill certain notification duties in relation to the acquisition of Shares and the opening and maintenance of a foreign



account. However, because exchange control regulations change frequently and without notice, Participant should consult with his or her personal legal advisor prior to the exercise of the Option and the sale of Shares acquired at exercise to ensure compliance with current regulations. It is Participant’s responsibility to comply with any applicable Czech exchange control laws.
GERMANY
Notifications
Exchange Control Information. Cross-border payments in excess of €12,500 must be reported monthly to the German Federal Bank (Bundesbank). Participant is responsible for the reporting obligation and should file the report ("Allgemeine Meldeportal Statistik") electronically by the fifth day of the month following the month in which the payment is made. A copy of the form report can be accessed via the Bundesbank’s website at www.bundesbank.de and is available in both German and English.
HONG KONG
Terms and Conditions
Restriction on Sale of Shares. Shares received at exercise are accepted as a personal investment. Should any portion of the Option vest within six months of the Date of Grant, Participant agrees that Participant or his or her heirs or representatives will not offer to the public or otherwise dispose of the Shares acquired at exercise prior to the six-month anniversary of the Date of Grant.
Notifications
Securities Law Notice. WARNING: The contents of this document have not been reviewed by any regulatory authority in Hong Kong. Participant is advised to exercise caution in relation to the offer. If Participant is in any doubt about any of the contents of this document, he or she should obtain independent professional advice. The Options offered and any Shares acquired under the Plan do not constitute a public offering of securities under Hong Kong law and are available only to employees of the Company and any Subsidiary. The Plan, the Agreement, including this Appendix, and any other incidental communication materials distributed in connection with the Plan have not been prepared in accordance with and are not intended to constitute a “prospectus” for a public offering of securities under the applicable securities legislation in Hong Kong. The Option is intended only for the personal use of Employees of the Company and any Subsidiary and may not be distributed to any other person.
Nature of Scheme. The Company specifically intends that the Plan will not be an occupational retirement scheme for purposes of the Occupational Retirement Schemes Ordinance.
INDIA
Terms and Conditions
Method of Exercise. Notwithstanding anything to the contrary in the Plan or the Agreement, due to legal restrictions in India, Participant will not be permitted to pay the exercise price by a “sell-to-cover”



exercise (i.e., where some of the Shares subject to the Option will be sold immediately upon exercise and the proceeds of the sale will be remitted to the Company to cover the exercise price for the purchased shares and any Tax-Related Items withholding). The Company reserves the right to permit this method of payment depending on the development of local law.
Repatriation of Proceeds of Sale. Participant agrees to repatriate to India all proceeds received from the sale of Shares within ninety (90) days of receipt and any dividends paid on such Shares within one hundred and eighty (180) days of receipt. Participant must maintain the foreign inward remittance certificate (“FIRC”) received from the bank where the foreign currency is deposited in the event that the Reserve Bank of India or the Company requests proof of repatriation. It is Participant’s responsibility to comply with applicable exchange control laws in India.
Notifications
Foreign Asset/Account Reporting Information. Participant is required to declare any foreign bank accounts and any foreign financial assets (including Shares held outside India) in Participant’s annual tax return. Participant is responsible for complying with this reporting obligation and is advised to confer with his or her personal tax advisor in this regard.
ITALY
Terms and Conditions
Form of Exercise / Method of Payment. The following provision supplements Section 4(b) and Section 5 of the Agreement:
Notwithstanding anything to the contrary in the Agreement, Participant may pay the aggregate Exercise Price solely by consideration received by the Company under a formal cashless exercise whereby all Exercise Shares are sold immediately upon exercise (i.e. a “same-day sale”) and the sales proceeds, less the Exercise Price, any Tax-Related Items and broker’s fees or commissions, are remitted to Participant. The Company reserves the right to provide Participant with additional methods of payment in the future.
Data Privacy Notice. This provision replaces Section 11 of the Agreement in its entirety:
Participant understands that the Employer, the Company and any Parent or Subsidiary may hold certain personal information about Participant, including Participant’s name, home address, email address and telephone number, date of birth, social insurance number, passport or other identification number, salary, nationality, job title, any Shares or directorships that Participant holds in the Company, details of all options or any other entitlement to Shares or equivalent benefits awarded, canceled, purchased, exercised, vested, unvested or outstanding in Participant’s favor (“Data”), for the exclusive purpose of implementing, administering and managing Participant’s participation in the Plan.
Participant also understands that providing the Company with Data is necessary for the performance of the Plan and that Participant’s refusal to provide Data would make it impossible for the Company to perform its contractual obligations and may affect Participant’s ability to participate in the Plan. The Controller of personal data processing is Qualys, Inc., with its principal operating offices at 919



E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404 U.S.A., and its representative in Italy is Qualys Technologies S.A., Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie, France.
Participant understands that Data will not be publicized, but it may be transferred to banks, other financial institutions or brokers involved in the management and administration of the Plan. Participant further understands that the Employer, the Company and any Parent or Subsidiary will transfer Data amongst themselves as necessary for the purpose of implementation, administration and management of Participant’s participation in the Plan, and that the Company and any Parent or Subsidiary may each further transfer Data to third parties assisting the Company in the implementation, administration and management of the Plan, including any requisite transfer to a broker or another third party with whom Participant may elect to deposit any Shares acquired under the Plan. Such recipients may receive, possess, use, retain and transfer the Data in electronic or other form, for the purposes of implementing, administering and managing Participant’s participation in the Plan. Participant understands that these recipients may be located in the European Economic Area, or elsewhere, such as the United States. Should the Company exercise its discretion in suspending all necessary legal obligations connected with the management and administration of the Plan, Participant understands that the Company will delete Participant’s Data as soon as it has accomplished all of the necessary legal obligations connected with the management and administration of the Plan.
Participant understands that Data-processing related to the purposes specified above shall take place under automated or non-automated conditions, anonymously when possible, that comply with the purposes for which Data are collected and with confidentiality and security provisions as set forth by applicable laws and regulations, with specific reference to Legislative Decree no. 196/2003.
The processing activity, including communication, the transfer of Participant’s Data abroad, including outside of the European Economic Area, as herein specified and pursuant to applicable laws and regulations, does not require Participant’s consent thereto as the processing is necessary to performance of contractual obligations related to implementation, administration and management of the Plan. Participant understands that, pursuant to Section 7 of the Legislative Decree no. 196/2003, he or she has the right, without limitation to access, delete, update, ask for rectification of the Data and cease, for legitimate reason, any processing of the Data. Furthermore, Participant is aware that the Data will not be used for direct marketing purposes. In addition, the Data provided may be reviewed and questions or complaints can be addressed by contacting Participant’s local human resources department.
Plan Document Acknowledgment. In accepting the grant of the Option, Participant acknowledges that he or she has received a copy of the Plan and the Agreement, has reviewed the Plan and the Agreement, including this Appendix, in their entirety and fully understands and accepts all provisions of the Plan and the Agreement, including this Appendix.
Participant acknowledges that he or she has read and specifically and expressly approves the following Sections of the Agreement: Section 2 (Vesting Schedule); Section 4 (Exercise of Option) (as supplemented by the provision above in this Appendix); Section 6 (Tax Obligations); Section 8 (No Guarantee of Continued Service); Section 9 (Nature of Grant); Section 20 (Language); Section 23



(Governing Law and Venue); Section 27 (Insider Trading Restrictions/Market Abuse Laws); and the Data Privacy Notice for Italy, each included in this Country Addendum.
Notifications
Foreign Asset/Account Reporting Information. If Participant is an Italian resident and, during any fiscal year, holds investments or financial assets outside of Italy (e.g., cash, Shares) which may generate income taxable in Italy, Participant is required to report such investments or assets on his or her annual tax return (on UNICO Form, RW Schedule, or on a special form if Participant is not required to file a tax return). These reporting obligations will apply to Participant if he or she is the beneficial owner of foreign financial assets, even if Participant does not directly hold investments abroad or foreign assets.
Foreign Asset Tax Information. The value of the financial assets held outside of Italy by Italian residents is subject to a foreign asset tax. Such tax is currently levied at an annual rate of 2 per thousand (0.2%). The taxable amount will be the fair market value of the financial assets (e.g., Shares acquired under the Plan) assessed at the end of the calendar year. No tax payment duties arise if the amount of the foreign assets tax calculated on all financial assets held abroad does not exceed €12.
JAPAN
Notifications
Exchange Control Information. If Participant pays more than ¥30,000,000 for the purchase of Shares in any one transaction, Participant must file an ex post facto Payment Report with the Ministry of Finance (the “MOF”) through the Bank of Japan or the bank carrying out the transaction. The precise reporting requirements vary depending on whether the relevant payment is made through a bank in Japan. If Participant intends to acquire Shares with a value in excess of ¥100,000,000 in a single transaction, Participant must also file an ex post facto Report Concerning Acquisition of Shares with the Ministry of Finance through the Bank of Japan within 20 days of acquiring the Shares. The forms to make these reports may be acquired at the Bank of Japan.
A Payment Report is required independently of a Report Concerning Acquisition of Securities. Consequently, if the total amount that you pay on a one-time basis at exercise of the Option exceeds ¥100,000,000, you must file both a Payment Report and a Report Concerning Acquisition of Securities.
Foreign Asset/Account Reporting Information. Participant is required to report details of any assets held outside of Japan (including Shares acquired under the Plan) as of December 31st, to the extent such assets have a total net fair market value exceeding ¥50 million. Such report will be due by March 15th each year. Participant should consult with his or her personal tax advisor to determine if the reporting obligation applies to Participant’s personal situation.



LITHUANIA
There are no country-specific provisions.
LUXEMBOURG
There are no country-specific provisions.
MEXICO
Terms and Conditions
No Entitlement or Claims for Compensation/Policy Statement. In accepting the Option, Participant expressly recognizes that the Company, with offices at 919 E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404, U.S.A., is solely responsible for the administration of the Plan and that participation in the Plan and acquisition of Shares does not constitute an employment relationship between Participant and the Company since Participant is participating in the Plan on a wholly commercial basis and Participant’s sole employer is Qualys Mexico (“Qualys-Mexico”), not the Company in the United States. Based on the foregoing, Participant expressly recognizes that the Plan and the benefits that Participant may derive from participation in the Plan do not establish any rights between Participant and the Employer, Qualys-Mexico, and do not form part of the employment conditions and/or benefits provided by Qualys-Mexico and any modification of the Plan or its termination shall not constitute a change or impairment of the terms and conditions of Participant’s employment.
Participant further understand that participation in the Plan is as a result of a unilateral and discretionary decision of the Company; therefore, the Company reserves the absolute right to amend and/or discontinue participation at any time without any liability to Participant.
Finally, Participant hereby declares that he or she does not reserve any action or right to bring any claim against the Company for any compensation or damages regarding any provision of the Plan or the benefits derived under the Plan, and Participant therefore grants a full and broad release to the Company and any Subsidiary, its shareholders, officers, agents or legal representatives with respect to any claim that may arise.
Aceptando este Opción de Compra de Acciones, el participante reconoce que la Compañía y sus oficinas registradas en 919 E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404, U.S.A., es el único responsable de la administración del Plan y que la participación del participante en el mismo y la adquisicion de Acciones no constituye de ninguna manera una relación laboral entre el participante y la Compañía, toda vez que la participación del participante en el Plan deriva únicamente de una relación comercial con la Compañía, reconociendo expresamente que el único empleador del participante lo es Qualys Mexico (“Qualys-Mexico”), no es la Compañía en los Estados Unidos. Derivado de lo anterior, el participante expresamente reconoce que el Plan y los beneficios que pudieran derivar del mismo no establecen ningún derecho entre el participante y su empleador, Qualys-México, y no forman parte de las condiciones laborales y/o prestaciones otorgadas por Qualys-México, y expresamente el participante reconoce que cualquier modificación el Plan o la terminación del mismo de manera alguna podrá ser interpretada como una modificación de los condiciones de trabajo del participante.



Asimismo, el participante entiende que su participación en el Plan es resultado de la decisión unilateral y discrecional de la Compañía, por lo tanto, la Compañía. Se reserva el derecho absoluto para modificar y/o terminar la participación del participante en cualquier momento, sin ninguna responsabilidad para el participante.
Finalmente, el partícipant en este acto manifiesta que no se reserva ninguna acción o derecho para interponer una demanda o reclamación en contra de la Compañía por cualquier compensación o daño o perjuicio en relación con cualquier disposición del Plan o los beneficios derivados del Plan y, en consecuencia, otorga un amplio y total finiquito a la Compañía, sus Afiliadas, sucursales, oficinas de representación, accionistas, directores, funcionarios, agentes y representantes con respecto a cualquier demanda o reclamación que pudiera surgir.
NETHERLANDS
There are no country-specific provisions.
PHILIPPINES
NOTIFICATIONS
Securities Law Information. This offering is subject to exemption from the requirements of securities registration with the Philippines Securities and Exchange Commission, under Section 10.1(k) of the Philippine Securities Regulation Code.
THE SECURITIES BEING OFFERED OR SOLD HAVE NOT BEEN REGISTERED WITH THE SECURITIES AND EXCHANGE COMMISSION UNDER THE SECURITIES REGULATION CODE. ANY FURTHER OFFER OR SALE THEREOF IS SUBJECT TO REGISTRATION REQUIREMENTS UNDER THE CODE UNLESS SUCH OFFER OR SALE QUALIFIES AS AN EXEMPT TRANSACTION.
For further information on risk factors impacting the Company’s business that may affect the value of the Shares, Participant may refer to the risk factors discussion in the Company's Annual Report on Form 10-K and Quarterly Reports on Form 10-Q, which are filed with the U.S. Securities and Exchange Commission and are available online at www.sec.gov, as well as on the Company's website at https://investor.qualys.com/. In addition, Participant may receive, free of charge, a copy of the Company's Annual Report, Quarterly Reports or any other reports, proxy statements or communications distributed to the Company's stockholders by contacting Investor Relations, 919 E. Hillsdale Boulevard, 4th Floor, Foster City, California 94404, USA
Participant acknowledges he or she is permitted to dispose or sell Shares acquired under the Plan provided the offer and resale of such shares takes place outside the Philippines through the facilities of a stock exchange on which the Shares are listed. The Shares are currently listed on the Nasdaq Global Select Market in the United States of America.
POLAND
Notifications




Exchange Control Information. Participant is required to file quarterly reports to the National Bank of Poland with information on transactions and balances regarding Participant’s rights to Shares (such as Options) and Shares if the total value (calculated individually or together with other assets and liabilities possessed abroad) exceeds PLN 7 million. Participant is also required to transfer funds through a bank account in Poland if the transferred amount in any single transaction exceeds a specified threshold (currently €15,000). Participant is required to retain documents connected with foreign exchange transactions for a period of five years from the date the exchange transaction was made.
RUSSIA
Terms and Conditions
U.S. Transaction. Participant understands that the acceptance of the Option results in an agreement between Participant and the Company that is completed in the United States and that the Agreement is governed by the laws of the State of California, without giving effect to the conflict of law principles thereof.
Notifications
Securities Law Information. Participant acknowledges that the Option, the Notice of Grant, the Agreement, the Plan and all other materials that Participant may receive regarding participation in the Plan do not constitute advertising or an offering of securities in Russia. The Shares acquired pursuant to the Plan have not and will not be registered in Russia and therefore, neither the Option nor the Shares may be used for offering or public circulation in Russia. Participant acknowledges that he or she may hold Shares acquired upon exercise of the Option in an account with the Company’s third party broker/administrator in the U.S. However, in no event will Shares issued to Participant under the Plan be delivered to Participant in Russia. Further, Participant is not permitted to sell Shares directly to other Russian individuals.
Foreign Asset/Account Reporting Information. Under current exchange control regulations in Russia, Participant is required to repatriate certain cash amounts he or she receives with respect to the Options, including any dividends and proceeds from the sale of Shares that may be issued to Participant pursuant to the Shares, from his or her U.S. brokerage account to Russia as soon as Participant intends to use those cash amounts for any purpose, including reinvestment. Unless an exception exists, such funds must initially be credited to Participant through a foreign currency account at an authorized bank in Russia. After the funds are initially received in Russia, they may be further remitted to foreign banks in accordance with Russian exchange control laws.
Participant is required to report the opening, closing or change of details of any foreign bank account to Russian tax authorities within one month of opening, closing or change of details of such account. Participant also is required to report (i) the beginning and ending balances in such a foreign bank account each year and (ii) transactions related to such a foreign account during the year to the Russian tax authorities, on or before June 1 of the following year. The tax authorities can require Participant to provide appropriate supporting documents related to transactions in a foreign bank account.



Participant should consult with his or her personal legal advisor to determine the applicability of these reporting requirements to any brokerage account opened in connection with Participant’s participation in the Plan.
Anti-Corruption Notification. Anti-corruption laws prohibit certain public servants, their spouses and their dependent children from owning any foreign source financial instruments (e.g., Shares of foreign companies such as the Company). Accordingly, Participant should inform the Company if he or she is covered by these laws because Participant should not hold Shares acquired under the Plan.
Labor Law Information. If Participant continues to hold Shares acquired at exercise of the Option after an involuntary termination of Participant’s engagement as a Service Provider, Participant will not be eligible to receive unemployment benefits in Russia.
SINGAPORE
Notifications
Securities Law Information. The grant of the Option under the Plan is being made pursuant to the
“Qualifying Person” exemption” under section 273(1)(f) of the Securities and Futures Act (Chapter 289, 2006 Ed.) (“SFA”). The Plan has not been lodged or registered as a prospectus with the Monetary Authority of Singapore. Participant should note that the Option is subject to section 257 of the SFA and that Participant will not be able to make (i) any subsequent sale of the Shares in Singapore or (ii) any offer of such subsequent sale of the Shares subject to the Option in Singapore, unless such sale or offer is made (i) after six months from the Date of Grant or (ii) pursuant to the exemptions under Part XIII Division (1) Subdivision (4) (other than section 280) of the SFA (Chapter 289, 2006 Ed.).
Chief Executive Officer and Director Notification Obligation. If Participant is a chief executive officer, director, associate director or shadow director of a Subsidiary in Singapore, he or she subject to certain notification requirements under the Singapore Companies Act. Among these requirements is an obligation to notify the Singaporean corporation in writing when Participant receives an interest (e.g., an Option, Shares) in the Company or any related companies. In addition, Participant must notify the Singapore employer when Participant sells Shares or shares of any related company (including when Participant sell Shares acquired under the Plan). These notifications must be made within two business days of acquiring or disposing of any interest in the Company or any related company. In addition, a notification must be made of Participant’s interests in the Company or any related company within two business days of becoming a chief executive officer or director.
SOUTH AFRICA
Terms and Conditions
Securities Law Acknowledgement. In compliance with South African Securities Law, Participant acknowledges that he or she has been notified that the documents listed below are available for review online as follows:
1.a copy of the Company’s most recent Annual Report (Form 10-K) –



2.a copy of the Company’s most recent Plan Prospectus
Participant acknowledges that he or she may have copies of the above documents provided to him or her, at no charge, on request on the Company’s website at: https://investor.qualys.com/.
Tax Requirements. The following provisions supplement Section 6 of the Agreement:
By accepting the grant of the Option, Participant agrees to notify or the Employer of the amount of any gain realized upon the exercise of the Option. Participant understands that if he or she fails to advise the Employer of the gain realized at exercise, Participant may be liable for a fine. Participant will be responsible for paying the difference between the actual tax liability and the amount withheld.
Notifications
Exchange Control Information. Under current South African exchange control policy, Participant understands that if he or she is a South African resident, Participant may invest a maximum of ZAR11,000,000 per annum in offshore investments, including in Shares. This limit does not apply to non-resident employees. The first ZAR1,000,000 annual discretionary allowance requires no prior authorization but Participant understand that he or she must obtain tax clearance for the next ZAR10,000,000. It is Participant’s responsibility to ensure that he or she does not exceed this limit and obtains the necessary tax clearance for remittances exceeding ZAR1,000,000. This limit is a cumulative allowance; therefore, Participant’s ability to remit funds for the exercise of Options will be reduced if Participant’s foreign investment limit is utilized to make a transfer of funds offshore that is unrelated to the Plan. Participant acknowledges that if the ZAR11,000,000 limit will be exceeded as a result of a purchase under the Plan, Participant may still participate in the Plan; however, Participant will be required to immediately sell the Shares purchased on his or her behalf under the Plan and repatriate the proceeds to South Africa in order to ensure that Participant does not hold assets outside South Africa with a value in excess of the permitted offshore investment allowance amount.
SPAIN
Terms and Conditions
Nature of Grant. The following provision supplements Section 9 of the Agreement:
In accepting the grant of the Option, Participant consents to participation in the Plan and acknowledges that he or she has received a copy of the Plan.
Participant understands that the Company has unilaterally, gratuitously and discretionally decided to grant stock options under the Plan to individuals who may be employees of the Company or its Subsidiaries throughout the world. This decision is a limited decision that is entered into upon the express assumption and condition that any grant will not bind the Company or any of its Subsidiaries over and above the specific terms of the Plan. Consequently, Participant understands that the Option is granted on the assumption and condition that the Option and any Shares acquired upon exercise of the Option are not a part of any employment contract (either with the Company or any Subsidiary of the Company) and shall not be considered a mandatory benefit, salary for any purposes (including severance compensation) or any other right whatsoever.



Further, Participant understands and agrees that, unless otherwise expressly provided for by the Company or set forth in the Agreement, the Option will be cancelled without entitlement to any Shares if Participant ceases to be a Service Provider for any reason, including, but not limited to: resignation, disciplinary dismissal adjudged to be with cause, disciplinary dismissal adjudged or recognized to be without good cause (i.e., subject to a “despido improcedente”), material modification of the terms of employment under Article 41 of the Workers’ Statute, relocation under Article 40 of the Workers’ Statute, Article 50 of the Workers’ Statute, or under Article 10.3 of Royal Decree 1382/1985. The Administrator shall have the exclusive discretion to determine the date when Participant’s status as a Service Provider has terminated for purposes of the Option.
In addition, Participant understands that this grant would not be made to Participant but for the assumptions and conditions referred to above; thus, Participant acknowledges and freely accepts that should any or all of the assumptions be mistaken or should any of the conditions not be met for any reason, then any grant of, or right to, the Option shall be null and void.
Notifications
Securities Law Information. No “offer of securities to the public,” as defined under Spanish law, has taken place or will take place in the Spanish territory in connection with the Option. The Agreement has not been, nor will it be, registered with the Comisión Nacional del Mercado de Valores, and does not constitute a public offering prospectus.
Exchange Control Information. Spanish residents who acquire Shares under the Plan must declare such acquisition to the Spanish Dirección General de Comercio e Inversiones (the “DGCI”), for statistical purposes. Because Participant will not purchase or sell the shares through the use of a Spanish financial institution, Participant must make the declaration himself or herself by filing a D-6 form with the DGCI. Generally, the D-6 form must be filed each January while the shares are owned.
When receiving foreign currency payments derived from the ownership of shares (i.e., cash dividends or sale proceeds) exceeding €50,000, Participant must inform the financial institution receiving the payment of the basis upon which such payment is made. Participant will need to provide the financial institution with the following information: (i) the Participant’s name, address and fiscal identification number; (ii) the name and corporate domicile of the Company; (iii) the amount of the payment; (iv) the currency used; (v) the country of origin; (vi) the reasons for the payment; and (vii) additional information that may be required. In addition, if Participant wishes to import the ownership title of any shares (i.e., share certificates) into Spain, he or she must declare the import of such securities to the DGCI.
Foreign Asset/Account Reporting Information. Spanish residents holding rights or assets (e.g., Shares, cash, etc.) in a bank or brokerage account outside of Spain with a value in excess of €50,000 per type of right or asset as of December 31 each year are required to report information on such rights and assets on his or her tax return for such year. Shares acquired under the Plan constitute securities for purposes of this requirement, but the Option (whether vested or unvested) is not considered an asset or right for purposes of this requirement.



Spanish residents are required to electronically declare to the Bank of Spain any securities accounts (including brokerage accounts held abroad), as well as the securities (including Shares acquired upon exercise of the Option) held in such accounts, and any transactions carried out with non-residents, if the value of the transactions for all such accounts during the prior tax year or the balances in such accounts as of December 31 of the prior tax year exceeds €1,000,000. More frequent reporting is required if such transaction value or account balance exceeds €100,000,000. If neither the total balances nor total transactions with non-residents during the relevant period exceed €50,000,000 a summarized form of declaration may be used.
SWEDEN
There are no country-specific terms and conditions.
SWITZERLAND
Notifications
Securities Law Information. The grant of the Option is considered a private offering in Switzerland and is therefore not subject to registration in Switzerland. Neither this document nor any other material related to the Option constitutes a prospectus as such term is understood pursuant to Article 652a of the Swiss Code of Obligations, and neither this document nor any other materials related to the Option may be publicly distributed or otherwise made publicly available in Switzerland.
UNITED ARAB EMIRATES
Notifications
Securities Law Information. The Plan, the Agreement, including this Appendix, and any other incidental communication materials are intended for distribution only to Participants for the purpose of an employee incentive scheme. Participant should conduct his or her own due diligence on the Option offered pursuant to the Agreement. If Participant does not understand the contents of the Plan and/or the Agreement, Participant should consult an authorized financial adviser. The Emirates Securities and Commodities Authority and the Dubai Financial Services Authority have no responsibility for reviewing or verifying any documents in connection with the Plan. Further, the Ministry of the Economy and the Dubai Department of Economic Development have not approved the Plan or the Agreement nor taken steps to verify the information set out therein, and have no responsibility for such documents.
UNITED KINGDOM
Terms and Conditions
Joint Election for Transfer of Liability for Employer National Insurance Contributions. As a condition of participation in the Plan and the exercise of the Option and all other stock options granted under the Plan, Participant agrees to accept any liability for secondary Class 1 National Insurance contributions that may be payable by the Company, the Employer or any Subsidiary in connection with the exercise and any event giving rise to Tax-Related Items (the “Employer NICs”). Without prejudice to the foregoing, Participant agrees to execute a joint election with the Company, the form of such joint



election (the “Joint Election”) having been approved formally by Her Majesty’s Revenue and Customs (“HMRC”), and any other required consent or election prior to exercise of the Option or any other stock options granted under the Plan. Participant further agrees to execute such other joint elections as may be required between Participant and any successor to the Company, the Employer or any Subsidiary. Participant further agrees that the Company, the Employer or any Subsidiary may collect the Employer NICs from Participant by any of the means set forth in Section 6(a) of the Agreement.
If Participant does not enter into a Joint Election prior to the exercise of the Option or any other stock options granted under the Plan, he or she will not be entitled to exercise the Option or stock options unless and until he or she enters into a Joint Election, and no Shares will be issued to Participant under the Plan, without any liability to the Company, the Employer or any Subsidiary.
Withholding of Taxes. This provision supplements Section 6(a) of the Agreement:
If payment or withholding of the income tax due is not made within 90 days of the event giving rise to the liability or such other period specified in Section 222(1)(c) of the U.K. Income Tax (Earnings and Pensions) Act 2003 (the “Due Date”), the amount of any uncollected tax will constitute a loan owed by Participant to the Employer, effective on the Due Date. Participant agrees that the loan will bear interest at the then-current HMRC Official Rate, it will be immediately due and repayable, and the Company or the Employer may recover it at any time thereafter by any of the means referred to in Section 6(a) of the Agreement. Notwithstanding the foregoing, if Participant is a director or executive officer of the Company (within the meaning of Section 13(k) of the U.S. Securities Exchange Act of 1934, as amended), Participant will not be eligible for such a loan to cover the tax liability. In the event that Participant is a director or executive officer and the income tax due is not collected from or paid by Participant by the Due Date, the amount of any uncollected income tax will constitute a benefit to Participant on which additional income tax and national insurance contributions will be payable. Participant will be responsible for reporting and paying any income tax and national insurance contributions due on this additional benefit directly to HMRC under the self-assessment regime.




EXHIBIT C
QUALYS, INC.
2012 EQUITY INCENTIVE PLAN
EXERCISE NOTICE
Qualys, Inc.
919 E. Hillsdale Blvd., 4th Floor
Foster City, CA 94404
Attention: Stock Administration
1.Exercise of Option. Effective as of today, ________________, _____, the undersigned
(“Purchaser”) hereby elects to purchase ______________ shares (the “Shares”) of the Common Stock of Qualys, Inc. (the “Company”) under and pursuant to the 2012 Equity Incentive Plan (the “Plan”) and the Stock Option Agreement, dated ________ and including the Notice of Grant, the Terms and Conditions of Stock Option Grant and the Appendix (all together, the “Agreement”). The purchase price for the Shares will be $_____________, as required by the Agreement.

2.Delivery of Payment. Purchaser herewith delivers to the Company the full purchase price of the Shares and any Tax-Related Items (as defined in Section 6(a) of the Agreement) to be paid in connection with the exercise of the Option.
3.Representations of Purchaser. Purchaser acknowledges that Purchaser has received, read and understood the Plan and the Agreement and agrees to abide by and be bound by their terms and conditions.
4.Rights as Stockholder. Until the issuance (as evidenced by the appropriate entry on the books of the Company or of a duly authorized transfer agent of the Company) of the Shares, no right to vote or receive dividends or any other rights as a stockholder will exist with respect to the Shares subject to the Option, notwithstanding the exercise of the Option. The Shares so acquired will be issued to Purchaser as soon as practicable after exercise of the Option. No adjustment will be made for a dividend or other right for which the record date is prior to the date of issuance, except as provided in Section 13 of the Plan.
5.Tax Consultation. Purchaser understands that Purchaser may suffer adverse tax consequences as a result of Purchaser’s purchase or disposition of the Shares. Purchaser represents that Purchaser has consulted with any tax consultants Purchaser deems advisable in connection with the purchase or disposition of the Shares and that Purchaser is not relying on the Company for any tax advice.
6.Entire Agreement; Governing Law. The Plan and Agreement are incorporated herein by reference. This Exercise Notice, the Plan and the Agreement constitute the entire agreement of the parties with respect to the subject matter hereof and supersede in their entirety all prior undertakings and agreements of the Company and Purchaser with respect to the subject matter hereof, and may not be



modified adversely to the Purchaser’s interest except by means of a writing signed by the Company and Purchaser. This agreement is governed by the internal substantive laws, but not the choice of law rules, of California.
Submitted by:Accepted by:
PURCHASERQUALYS, INC.
SignatureBy
Print NameIts
Address:
Date Received


Document

Exhibit 10.3
QUALYS, INC.
2012 EQUITY INCENTIVE PLAN
RESTRICTED STOCK UNIT AGREEMENT
Unless otherwise defined herein, the terms defined in the Qualys, Inc. 2012 Equity Incentive Plan (the “Plan”) will have the same defined meanings in this Restricted Stock Unit Agreement, including the Notice of Restricted Stock Unit Grant (the “Notice of Grant”), the Terms and Conditions of Restricted Stock Unit Grant, attached hereto as Exhibit A, and any Appendix, attached hereto as Exhibit B (all together, the “Award Agreement”).

NOTICE OF RESTRICTED STOCK UNIT GRANT
              
Participant:     
Address:     

    
    
Participant has been granted the right to receive an Award of Restricted Stock Units, subject to the terms and conditions of the Plan and this Award Agreement, as follows:
Grant Number     
Date of Grant     
Vesting Commencement Date     
Number of Restricted Stock Units
    
Vesting Schedule:
Subject to any acceleration provisions contained in the Plan or set forth below, the Restricted Stock Units will vest in accordance with the following schedule: [TBD]
QUALYS, INC     PARTICIPANT





EXHIBIT A
TERMS AND CONDITIONS OF RESTRICTED STOCK UNIT GRANT
1.Grant. The Company hereby grants to the individual named in the Notice of Grant (the “Participant”) under the Plan an Award of Restricted Stock Units, subject to all of the terms and conditions in this Award Agreement and the Plan, which is incorporated herein by reference. Subject to Section 18(c) of the Plan, in the event of a conflict between the terms and conditions of the Plan and the terms and conditions of this Award Agreement, the terms and conditions of the Plan will prevail.
2.Company’s Obligation to Pay. Each Restricted Stock Unit represents the right to receive a Share on the date it vests. Unless and until the Restricted Stock Units will have vested in the manner set forth in Sections 3 or 4, Participant will have no right to payment of any such Restricted Stock Units. Prior to actual payment of any vested Restricted Stock Units, such Restricted Stock Units will represent an unsecured obligation of the Company, payable (if at all) only from the general assets of the Company. Any Restricted Stock Units that vest in accordance with Sections 3 or 4 will be paid to Participant (or in the event of Participant’s death, to his or her estate) in whole Shares, subject to Participant satisfying any obligations for Tax-Related Items (as defined in Section 7). Subject to the provisions of Section 4, such vested Restricted Stock Units shall be paid in whole Shares as soon as practicable after vesting, but in each such case within the period sixty (60) days following the vesting date. In no event will Participant be permitted, directly or indirectly, to specify the taxable year of the payment of any Restricted Stock Units payable under this Award Agreement.
3.Vesting Schedule. Except as provided in Section 4, and subject to Section 5, the Restricted Stock Units awarded by this Award Agreement will vest in accordance with the vesting provisions set forth in the Notice of Grant. Restricted Stock Units scheduled to vest on a certain date or upon the occurrence of a certain condition will not vest in Participant in accordance with any of the provisions of this Award Agreement, unless Participant will have been continuously a Service Provider from the Date of Grant until the date such vesting occurs.
4.Administrator Discretion. The Administrator, in its discretion, may accelerate the vesting of the balance, or some lesser portion of the balance, of the unvested Restricted Stock Units at any time, subject to the terms of the Plan. If so accelerated, such Restricted Stock Units will be considered as having vested as of the date specified by the Administrator. The payment of Shares vesting pursuant to this Section 4 shall in all cases be paid at a time or in a manner that is exempt from, or complies with, Section 409A.
Notwithstanding anything in the Plan or this Award Agreement to the contrary, if the vesting of the balance, or some lesser portion of the balance, of the Restricted Stock Units is accelerated in connection with Participant’s termination as a Service Provider (provided that such termination is a “separation from service” within the meaning of Section 409A, as determined by the Company), other than due to death, and if (x) Participant is a “specified employee” within the meaning of Section 409A at the time of such termination as a Service Provider and (y) the payment of such accelerated Restricted Stock Units will result in the imposition of additional tax under Section 409A if paid to Participant on or within the six (6) month period following Participant’s termination as a Service Provider, then the payment of such accelerated Restricted Stock Units will not be made until the date six (6) months and one (1) day following the date of Participant’s termination as a Service Provider, unless Participant dies
-2-


following his or her termination as a Service Provider, in which case, the Restricted Stock Units will be paid in Shares to Participant’s estate as soon as practicable following his or her death. It is the intent of this Award Agreement that it and all payments and benefits hereunder be exempt from, or comply with, the requirements of Section 409A so that none of the Restricted Stock Units provided under this Award Agreement or Shares issuable thereunder will be subject to the additional tax imposed under Section 409A, and any ambiguities herein will be interpreted to be so exempt or so comply. Each payment payable under this Award Agreement is intended to constitute a separate payment for purposes of Treasury Regulation Section 1.409A-2(b)(2). For purposes of this Award Agreement, “Section 409A” means Section 409A of the Code, and any final Treasury Regulations and Internal Revenue Service guidance thereunder, as each may be amended from time to time.
5.Forfeiture upon Termination of Status as a Service Provider. Notwithstanding any contrary provision of this Award Agreement, the balance of the Restricted Stock Units that have not vested as of the time of Participant’s termination as a Service Provider for any or no reason and Participant’s right to acquire any Shares hereunder will immediately terminate. The date of Participant’s termination as a Service Provider is detailed in Section 10(h).
6.Death of Participant. Any distribution or delivery to be made to Participant under this Award Agreement will, if Participant is then deceased, be made to Participant’s designated beneficiary, or if no beneficiary survives Participant, the administrator or executor of Participant’s estate. Any such transferee must furnish the Company with (a) written notice of his or her status as transferee, and (b) evidence satisfactory to the Company to establish the validity of the transfer and compliance with any laws or regulations pertaining to said transfer.
7.Withholding of Taxes. Notwithstanding any contrary provision of this Award Agreement, no certificate representing the Shares will be issued to Participant, unless and until satisfactory arrangements (as determined by the Administrator) will have been made by Participant with respect to the payment of income, employment, social insurance, payroll tax, fringe benefit tax, payment on account or other tax-related items related to Participant’s participation in the Plan and legally applicable to Participant (“Tax-Related Items”) which the Company determines must be withheld with respect to such Shares. Prior to vesting and/or settlement of the Restricted Stock Units, Participant will pay or make adequate arrangements satisfactory to the Company and/or Participant’s employer (the “Employer”) to satisfy all withholding and payment obligations of Tax-Related Items of the Company and/or the Employer. In this regard, Participant authorizes the Company and/or the Employer to withhold any Tax-Related Items legally payable by Participant from his or her wages or other cash compensation paid to Participant by the Company and/or the Employer or from proceeds of the sale of Shares. Alternatively, or in addition, if permissible under applicable local law, the Administrator, in its sole discretion and pursuant to such procedures as it may specify from time to time, may permit or require Participant to satisfy such tax withholding obligation, in whole or in part (without limitation) by (a) paying cash, (b) electing to have the Company withhold otherwise deliverable Shares having a Fair Market Value equal to the minimum amount required to be withheld, (c) selling a sufficient number of such Shares otherwise deliverable to Participant through such means as the Company may determine in its sole discretion (whether through a broker or otherwise) equal to the amount required to be withheld, or (d) if Participant is a U.S. employee, delivering to the Company already vested and owned Shares having a Fair Market Value equal to the amount required to be withheld. To the extent determined
-3-


appropriate by the Company in its discretion, it will have the right (but not the obligation) to satisfy any obligations for Tax-Related Items by reducing the number of Shares otherwise deliverable to Participant [and, until determined otherwise by the Company, this will be the method by which such tax withholding obligations are satisfied]. Further, if Participant is subject to tax in more than one jurisdiction between the Date of Grant and a date of any relevant taxable or tax withholding event, as applicable, Participant acknowledges and agrees that the Company and/or the Employer (or former employer, as applicable) may be required to withhold or account for tax in more than one jurisdiction. If Participant fails to make satisfactory arrangements for the payment of any Tax-Related Items hereunder at the time any applicable Restricted Stock Units otherwise are scheduled to vest pursuant to Sections 3 or 4 or Tax-Related Items related to Restricted Stock Units otherwise are due, Participant will permanently forfeit such Restricted Stock Units and any right to receive Shares thereunder and the Restricted Stock Units will be returned to the Company at no cost to the Company.
8.Rights as Stockholder. Neither Participant nor any person claiming under or through Participant will have any of the rights or privileges of a stockholder of the Company in respect of any Shares deliverable hereunder unless and until certificates representing such Shares will have been issued, recorded on the records of the Company or its transfer agents or registrars, and delivered to Participant. After such issuance, recordation and delivery, Participant will have all the rights of a stockholder of the Company with respect to voting such Shares and receipt of dividends and distributions on such Shares.
9.No Guarantee of Continued Service. PARTICIPANT ACKNOWLEDGES AND AGREES THAT THE VESTING OF THE RESTRICTED STOCK UNITS PURSUANT TO THE VESTING SCHEDULE HEREOF IS EARNED ONLY BY CONTINUING AS A SERVICE PROVIDER AT THE WILL OF THE COMPANY (OR THE PARENT OR SUBSIDIARY EMPLOYING OR RETAINING PARTICIPANT) AND NOT THROUGH THE ACT OF BEING HIRED, BEING GRANTED THIS AWARD OF RESTRICTED STOCK UNITS OR ACQUIRING SHARES HEREUNDER. PARTICIPANT FURTHER ACKNOWLEDGES AND AGREES THAT THIS AWARD AGREEMENT, THE TRANSACTIONS CONTEMPLATED HEREUNDER AND THE VESTING SCHEDULE SET FORTH HEREIN DO NOT CONSTITUTE AN EXPRESS OR IMPLIED PROMISE OF CONTINUED ENGAGEMENT AS A SERVICE PROVIDER FOR THE VESTING PERIOD, FOR ANY PERIOD, OR AT ALL, AND WILL NOT INTERFERE IN ANY WAY WITH PARTICIPANT’S RIGHT OR THE RIGHT OF THE COMPANY (OR THE PARENT OR SUBSIDIARY EMPLOYING OR RETAINING PARTICIPANT) TO TERMINATE PARTICIPANT’S RELATIONSHIP AS A SERVICE PROVIDER AT ANY TIME, WITH OR WITHOUT CAUSE.
10.Nature of Grant. In accepting the grant, Participant acknowledges, understands and agrees that:
(a)the Plan is established voluntarily by the Company, it is discretionary in nature and it may be modified, amended, suspended or terminated by the Company at any time, to the extent permitted by the Plan;
(b)the grant of the Restricted Stock Units is voluntary and occasional and does not create any contractual or other right to receive future grants of Restricted Stock Units, or
-4-


benefits in lieu of Restricted Stock Units, even if Restricted Stock Units have been granted in the past;
(c)all decisions with respect to future Restricted Stock Units or other grants, if any, will be at the sole discretion of the Company;
(d)Participant is voluntarily participating in the Plan;
(e)the Restricted Stock Units and the Shares subject to the Restricted Stock Units are not intended to replace any pension rights or compensation;
(f)the Restricted Stock Units and the Shares subject to the Restricted Stock Units, and the income and value of same, are not part of normal or expected compensation for purposes of calculating any severance, resignation, termination, redundancy, dismissal, end-of-service payments, bonuses, longservice awards, pension or retirement or welfare benefits or similar payments;
(g)the future value of the underlying Shares is unknown, indeterminable and cannot be predicted with certainty;
(h)for purposes of the Restricted Stock Units, Participant’s status as a Service Provider will be considered terminated as of the date Participant is no longer actively providing services to the Company or any Parent or Subsidiary (regardless of the reason for such termination and whether or not later to be found invalid or in breach of employment laws in the jurisdiction where Participant is a Service Provider or the terms of Participant’s service agreement, if any), and unless otherwise expressly provided in this Award Agreement or determined by the Administrator, Participant’s right to vest in the Restricted Stock Units under the Plan, if any, will terminate as of such date and will not be extended by any notice period (e.g., Participant’s period of service would not include any contractual notice period or any period of “garden leave” or similar period mandated under employment laws in the jurisdiction where Participant is a Service Provider or the terms of Participant’s service agreement, if any, unless Participant is providing bona fide services during such time); the Administrator shall have the exclusive discretion to determine when Participant is no longer actively providing services for purposes of the Restricted Stock Units grant (including whether Participant may still be considered to be providing services while on a leave of absence);
(i)unless otherwise provided in the Plan or by the Company in its discretion, the Restricted Stock Units and the benefits evidenced by this Award Agreement do not create any entitlement to have the Restricted Stock Units or any such benefits transferred to, or assumed by, another company nor be exchanged, cashed out or substituted for, in connection with any corporate transaction affecting the Shares; and
(j)the following provisions apply only if Participant is providing services outside the United States:
-5-


i.the Restricted Stock Units and the Shares subject to the Restricted Stock Units are not part of normal or expected compensation or salary for any purpose;
ii.Participant acknowledges and agrees that none of the Company, the Employer, or any Parent or Subsidiary shall be liable for any foreign exchange rate fluctuation between Participant’s local currency and the United States Dollar that may affect the value of the Restricted Stock Units or of any amounts due to Participant pursuant to the settlement of the Restricted Stock Units or the subsequent sale of any Shares acquired upon settlement; and
iii.no claim or entitlement to compensation or damages shall arise from forfeiture of the Restricted Stock Units resulting from the termination of Participant’s status as a Service Provider (for any reason whatsoever whether or not later found to be invalid or in breach of employment laws in the jurisdiction where Participant is a Service Provider or the terms of Participant’s service agreement, if any), and in consideration of the grant of the Restricted Stock Units to which Participant is otherwise not entitled, Participant irrevocably agrees never to institute any claim against the Company, any Subsidiary or the Employer, waives his or her ability, if any, to bring any such claim, and releases the Company, any Parent, any Subsidiary and the Employer from any such claim; if, notwithstanding the foregoing, any such claim is allowed by a court of competent jurisdiction, then, by participating in the Plan, Participant shall be deemed irrevocably to have agreed not to pursue such claim and agrees to execute any and all documents necessary to request dismissal or withdrawal of such claim.
11.No Advice Regarding Grant. The Company is not providing any tax, legal or financial advice, nor is the Company making any recommendations regarding Participant’s participation in the Plan, or Participant’s acquisition or sale of the underlying Shares. Participant is hereby advised to consult with his or her own personal tax, legal and financial advisors regarding his or her participation in the Plan before taking any action related to the Plan.
12.Data Privacy. Participant hereby explicitly and unambiguously consents to the collection, use and transfer, in electronic or other form, of Participant’s personal data as described in this Award Agreement and any other Restricted Stock Unit grant materials by and among, as applicable, the Employer, the Company and any Parent or Subsidiary for the exclusive purpose of implementing, administering and managing Participant’s participation in the Plan.
Participant understands that the Company and the Employer may hold certain personal information about Participant, including, but not limited to, Participant’s name, home address and telephone number, date of birth, social insurance number or other identification number, salary, nationality, job title, any shares of stock or directorships held in the Company, details of all Restricted Stock Units or any other entitlement to shares of stock awarded, canceled, exercised, vested, unvested or outstanding in Participant’s favor (“Data”), for the exclusive purpose of implementing, administering and managing the Plan.
-6-


Participant understands that Data will be transferred to a stock plan service provider as may be selected by the Company in the future, which is assisting the Company with the implementation, administration and management of the Plan. Participant understands that the recipients of the Data may be located in the United States or elsewhere, and that the recipients’ country (e.g., the United States) may have different data privacy laws and protections than Participant’s country. Participant understands that if he or she resides outside the United States, he or she may request a list with the names and addresses of any potential recipients of the Data by contacting his or her local human resources representative. Participant authorizes the Company, any stock plan service provider selected by the Company and any other possible recipients which may assist the Company (presently or in the future) with implementing, administering and managing the Plan to receive, possess, use, retain and transfer the Data, in electronic or other form, for the sole purpose of implementing, administering and managing his or her participation in the Plan. Participant understands that Data will be held only as long as is necessary to implement, administer and manage Participant’s participation in the Plan. Participant understands if he or she resides outside the United States, he or she may, at any time, view Data, request additional information about the storage and processing of Data, require any necessary amendments to Data or refuse or withdraw the consents herein, in any case without cost, by contacting in writing his or her local human resources representative. Further, Participant understands that he or she is providing the consents herein on a purely voluntary basis. If Participant does not consent, or if Participant later seeks to revoke his or her consent, his or her status as a Service Provider and career with the Employer will not be adversely affected; the only adverse consequence of refusing or withdrawing Participant’s consent is that the Company would not be able to grant Participant Restricted Stock Units or other equity awards or administer or maintain such awards. Therefore, Participant understands that refusing or withdrawing his or her consent may affect Participant’s ability to participate in the Plan. For more information on the consequences of Participant’s refusal to consent or withdrawal of consent, Participant understands that he or she may contact his or her local human resources representative.
13.Address for Notices. Any notice to be given to the Company under the terms of this Award Agreement will be addressed to the Company at Qualys, Inc., 919 E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404, or at such other address as the Company may hereafter designate in writing.
14.Grant is Not Transferable. Except to the limited extent provided in Section 6, this grant and the rights and privileges conferred hereby will not be transferred, assigned, pledged or hypothecated in any way (whether by operation of law or otherwise) and will not be subject to sale under execution, attachment or similar process. Upon any attempt to transfer, assign, pledge, hypothecate or otherwise dispose of this grant, or any right or privilege conferred hereby, or upon any attempted sale under any execution, attachment or similar process, this grant and the rights and privileges conferred hereby immediately will become null and void.
15.Binding Agreement. Subject to the limitation on the transferability of this grant contained herein, this Award Agreement will be binding upon and inure to the benefit of the heirs, legatees, legal representatives, successors and assigns of the parties hereto.
16.Additional Conditions to Issuance of Stock. If at any time the Company will determine, in its discretion, that the listing, registration, qualification or rule compliance of the Shares upon any securities exchange or under any state, federal or foreign law, the tax code and related regulations or the
-7-


consent or approval of any governmental regulatory authority is necessary or desirable as a condition to the issuance of Shares to Participant (or his or her estate) hereunder, such issuance will not occur unless and until such listing, registration, qualification, rule compliance, consent or approval will have been completed, effected or obtained free of any conditions not acceptable to the Company. Where the Company determines that the delivery of the payment of any Shares will violate federal securities laws or other applicable laws, the Company will defer delivery until the earliest date at which the Company reasonably anticipates that the delivery of Shares will no longer cause such violation. The Company will make all reasonable efforts to meet the requirements of any such state, federal or foreign law or securities exchange and to obtain any such consent or approval of any such governmental authority or securities exchange.
17.Plan Governs. This Award Agreement is subject to all terms and provisions of the Plan. In the event of a conflict between one or more provisions of this Award Agreement and one or more provisions of the Plan, the provisions of the Plan will govern. Capitalized terms used and not defined in this Award Agreement will have the meaning set forth in the Plan.
18.Administrator Authority. The Administrator will have the power to interpret the Plan and this Award Agreement and to adopt such rules for the administration, interpretation and application of the Plan as are consistent therewith and to interpret or revoke any such rules (including, but not limited to, the determination of whether or not any Restricted Stock Units have vested). All actions taken and all interpretations and determinations made by the Administrator in good faith will be final and binding upon Participant, the Company and all other interested persons. No member of the Administrator will be personally liable for any action, determination or interpretation made in good faith with respect to the Plan or this Award Agreement.
19.Electronic Delivery and Acceptance. The Company may, in its sole discretion, decide to deliver any documents related to Restricted Stock Units awarded under the Plan or future Restricted Stock Units that may be awarded under the Plan by electronic means or request Participant’s consent to participate in the Plan by electronic means. Participant hereby consents to receive such documents by electronic delivery and agrees to participate in the Plan through any on-line or electronic system established and maintained by the Company or a third party designated by the Company.
20.Language. If Participant has received this Award Agreement or any other document related to the Plan translated into a language other than English and if the meaning of the translated version is different than the English version, the English version will control.
21.Captions. Captions provided herein are for convenience only and are not to serve as a basis for interpretation or construction of this Award Agreement.
22.Agreement Severable. In the event that any provision in this Award Agreement will be held invalid or unenforceable, such provision will be severable from, and such invalidity or unenforceability will not be construed to have any effect on, the remaining provisions of this Award Agreement.
23.Amendment, Suspension or Termination of the Plan. By accepting this Award, Participant expressly warrants that he or she has received an Award of Restricted Stock Units under the
-8-


Plan, and has received, read and understood a description of the Plan. Participant understands that the Plan is discretionary in nature and may be amended, suspended or terminated by the Company at any time.
24.Governing Law and Venue. This Award Agreement will be governed by the laws of California without giving effect to the conflict of law principles thereof. For purposes of litigating any dispute that arises under this Award of Restricted Stock Units or this Award Agreement, the parties hereby submit to and consent to the jurisdiction of the State of California, and agree that such litigation will be conducted in the courts of San Mateo County, California, or the federal courts for the United States for the Northern District of California, and no other courts, where this Award of Restricted Stock Units is made and/or to be performed.
25.Modifications to the Award Agreement. This Award Agreement constitutes the entire understanding of the parties on the subjects covered. Participant expressly warrants that he or she is not accepting this Award Agreement in reliance on any promises, representations, or inducements other than those contained herein. Modifications to this Award Agreement or the Plan can be made only in an express written contract executed by a duly authorized officer of the Company. Notwithstanding anything to the contrary in the Plan or this Award Agreement, the Company reserves the right to revise the Award Agreement as it deems necessary or advisable, in its sole discretion and without the consent of Participant, to comply with Section 409A or to otherwise avoid imposition of any additional tax or income recognition under Section 409A in connection to this Award of Restricted Stock.
26.Waiver. Participant acknowledges that a waiver by the Company of breach of any provision of this Award Agreement shall not operate or be construed as a waiver of any other provision of this Award Agreement, or of any subsequent breach by Participant or any other Participant.
-9-
Document

Exhibit 31.1
CERTIFICATION OF CHIEF EXECUTIVE OFFICER
PURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)
OF THE SECURITIES EXCHANGE ACT OF 1934
I, Sumedh S. Thakar, certify that:
1.I have reviewed this quarterly report on Form 10-Q of Qualys, Inc.;
2.Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
3.Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
4.The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:
(a)Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
(b)Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
(c)Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d)Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and
5.The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a)All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
(b)Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.
Date:
August 6, 2024
By:
/s/ SUMEDH S. THAKAR
Sumedh S. Thakar
President and Chief Executive Officer
(principal executive officer)
Qualys, Inc.

Document

Exhibit 31.2
CERTIFICATION OF CHIEF FINANCIAL OFFICER
PURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)
OF THE SECURITIES EXCHANGE ACT OF 1934
I, Joo Mi Kim, certify that:
1.I have reviewed this quarterly report on Form 10-Q of Qualys, Inc.;
2.Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
3.Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
4.The registrant's other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:
(a)Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
(b)Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
(c)Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d)Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and
5.The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a)All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
(b)Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.
Date:
August 6, 2024
By:/s/ JOO MI KIM
Joo Mi Kim
Chief Financial Officer
(principal financial and accounting officer)
Qualys, Inc.

Document

Exhibit 32.1
CERTIFICATION OF CHIEF EXECUTIVE OFFICER
PURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)
OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350
In connection with the Quarterly Report of Qualys, Inc. (the “Company”) on Form 10-Q for the quarter ended June 30, 2024, as filed with the Securities and Exchange Commission on the date hereof (the “Report”), I, Sumedh S. Thakar, President and Chief Executive Officer of the Company, certify, pursuant to 18 U.S.C. § 1350, as adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of my knowledge:
(1)The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
(2)The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the Company.
Date:
August 6, 2024
By:
/s/ SUMEDH S. THAKAR
Sumedh S. Thakar
President and Chief Executive Officer
(principal executive officer)
Qualys, Inc.

Document

Exhibit 32.2
CERTIFICATION OF CHIEF FINANCIAL OFFICER
PURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)
OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350
In connection with the Quarterly Report of Qualys, Inc. (the “Company”) on Form 10-Q for the quarter ended June 30, 2024, as filed with the Securities and Exchange Commission on the date hereof (the “Report”), I, Joo Mi Kim, Chief Financial Officer of the Company, certify, pursuant to 18 U.S.C. § 1350, as adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of my knowledge:
(1)The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
(2)The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the Company.
Date:
August 6, 2024
By:/s/ JOO MI KIM
Joo Mi Kim
Chief Financial Officer
(principal financial and accounting officer)
Qualys, Inc.